Senetas Corporation Ltd.

CN6000 Series Encryptors: CN6040 1G Ethernet / 4G Fibre Channel Encryptor, CN6100 10G Ethernet Encryptor

FIPS 140-2 Non-Proprietary Security Policy
Level 3 Validation
July 2013

Model: CN6040
Model: CN6100

© 2013 Senetas Corporation Ltd. All rights reserved. (Doc No.) v1.1
Once released this document may be freely reproduced and distributed whole and intact including this copyright notice.
www.senetas.com

Table of Contents

1. Introduction
  1.1 References
  1.2 Document History
  1.3 Acronyms and Abbreviations
  1.4 Definitions
2. Product Description
  2.1 Module Identification
  2.2 Operational Overview
    2.2.1 General
    2.2.2 Encryptor deployment
    2.2.3 Encryptor management
    2.2.4 Ethernet implementation
    2.2.5 Fibre Channel implementation
3. Module Ports and Interfaces
  3.1 CN6000 Series Ports
  3.2 CN6000 Series Interfaces
4. Administrative Roles, Services and Authentication
  4.1 Identification and Authentication
  4.2 Roles and Services
5. Physical Security
6. Cryptographic Key Management
  6.1 Cryptographic Keys and CSPs
  6.2 Key and CSP zeroization
    6.2.1 Zeroization sequence
    6.2.2 Erase command and key press sequence
    6.2.3 Approved mode of operation
    6.2.4 Tamper initiated zeroization
    6.2.5 “Emergency” Erase
  6.3 Data privacy
  6.4 Cryptographic Algorithms
7. Self Tests
8. Crypto-Officer and User Guidance
  8.1 Delivery
  8.2 Location
  8.3 Configuration – FIPS140-Approved mode
  8.4 Configuration - non-Approved mode
9. Mitigation of Other Attacks

Senetas Corporation Ltd Version 1.1 Page 2 of 40 CN6000 Series Non-Proprietary Security Policy

1. Introduction

This is a non-proprietary FIPS 140-2 Security Policy for the Senetas Corporation Ltd. CN6000 Series Encryption devices comprising both the CN6040 and CN6100 (version 2.2.0) cryptographic models. This Security Policy specifies the security rules under which the module operates to meet the FIPS 140-2 Level 3 requirements.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2), Security Requirements for Cryptographic Modules, specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive but unclassified information. Based on four security levels for cryptographic modules this standard identifies requirements in eleven sections. For more information about the NIST/CSEC Cryptographic Module Validation Program (CMVP) and the FIPS 140-2 standard, visit www.nist.gov/cmvp.

This Security Policy, using the terminology contained in the FIPS 140-2 specification, describes how the CN6040 1G Ethernet / 4G Fibre Channel Encryptor and the CN6100 10G Ethernet Encryptor models comply with the eleven sections of the standard. In this document, the CN6040 and CN6100 Encryptors are collectively referred to as the “CN6000 Series” and individually as “the module” or “the encryptor”.

This Security Policy contains only non-proprietary information. Any other documentation associated with FIPS 140-2 conformance testing and validation is proprietary and confidential to Senetas Corporation Ltd., and is releasable only under appropriate non-disclosure agreements. For more information describing the CN Series systems, visit http://www.senetas.com.

1.1 References

For more information on the FIPS 140-2 standard and validation program please refer to the National Institute of Standards and Technology website at www.nist.gov/cmvp.

The following standards from NIST are all available via the URL: www.nist.gov/cmvp.

[1] FIPS PUB 140-2: Security Requirements for Cryptographic Modules.
[2] FIPS 140-2 Annex A: Approved Security Functions.
[3] FIPS 140-2 Annex B: Approved Protection Profiles.
[4] FIPS 140-2 Annex C: Approved Random Number Generators.
[5] FIPS 140-2 Annex D: Approved Key Establishment.
[6] Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules.
[7] Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197.
[8] Data Encryption Standard (DES), Federal Information Processing Standards Publication 46-3.
[9] DES Modes of Operation, Federal Information Processing Standards Publication 81.
[10] Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2.
[11] Secure Hash Standard (SHS), Federal Information Processing Standards Publication 180-3.
[12] ATM Security Specification (Version 1.1), af-sec-0100.002, The ATM Forum Technical Committee, March, 2001.
[13] NIST Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011.

1.2 Document History

| Authors | Date | Version | Comment |
|---|---|---|---|
| Senetas Corporation Ltd | 20-Nov-2012 | 1.0 | Release for CMVP comment |
| Senetas Corporation Ltd | 8-Jul-2013 | 1.1 | Annotations added to flag transitioned algorithms and key sizes in line with SP800-131A. First page logo updated. |

1.3 Acronyms and Abbreviations

AES: Advanced Encryption Standard
ATM: Asynchronous Transfer Mode
CA: Certification Authority
CBC: Cipher Block Chaining
CFB: Cipher Feedback
CM: Senetas Encryptor Remote Management Application Software
CI: Connection Identifier (used interchangeably with Tunnel)
CLI: Command Line Interface
CMP: Certificate Management Protocol
CMVP: Cryptographic Module Validation Program
CSE: Communications Security Establishment
CSP: Critical Security Parameter
CTR: Counter Mode
DEK: Data Encrypting Key(s)
DES: Data Encryption Standard
DRBG: Deterministic Random Bit Generator
EDC: Error Detection Code
EMC: Electromagnetic Compatibility
EMI: Electromagnetic Interference
FC: Fibre Channel
FCC: Federal Communication Commission
FIPS: Federal Information Processing Standard
Gbps: Gigabits per second
HMAC: Keyed-Hash Message Authentication Code
IGMP: Internet Group Management Protocol
IP: Internet Protocol
IV: Initialization Vector
KAT: Known Answer Test
KEK: Key Encrypting Key(s)
LED: Light Emitting Diode
Mbps: Megabits per second
MLD: Multicast Listener Protocol
NC: Network Certificate
NIST: National Institute of Standards and Technology
NTU: Network Termination Unit
NVLAP: National Voluntary Laboratory Accreditation Program
OCSP: Online Certificate Status Protocol
PKCS: Public Key Cryptography Standards
PKI: Public Key Infrastructure
PUB: Publication
RAM: Random Access Memory
RFC: Request for Comment
ROM: Read Only Memory
RNG: Random Number Generator
RSA: Rivest Shamir and Adleman Public Key Algorithm
RTC: Real Time Clock
SAN: Storage Area Network
SFP: Small Form-factor Pluggable (transceiver)
SMK: System Master Key
SHA-n: Secure Hash Algorithm
XFP: 10 Gigabit Small Form Factor Pluggable (transceiver)
X.509: Digital Certificate Standard RFC 2459

1.4 Definitions

Senetas CN Series Encryptor Range

| Model | Description |
|---|---|
| CN1000 | Ethernet/SONET/E1/T1, FIPS140-2 Level 3 validated, certificate 1267 |
| CN1000 | 4G Fibre Channel Encryptor, FIPS140-2 Level 3 validated, certificate 1549 |
| CN3000 | 10G Ethernet/SONET, FIPS140-2 Level 3 validated, certificate 1268 |
| CN6040 | 1G Ethernet / 4G Fibre Channel Encryptor, subject of this submission |
| CN6100 | 10G Ethernet Encryptor, subject of this submission |

(CN Series refers to the CN1000, CN3000, CN6040 and CN6100 encryptor variants)

2. Product Description

CN6000 Series Encryptors are multiple-chip standalone cryptographic modules consisting of production-grade components contained, in accordance with FIPS 140-2 Level 3, in a physically protected enclosure.
Excluding the pluggable transceivers (SFP or XFP), dual redundant power supplies and replaceable fan tray module, the module’s outer casing defines the cryptographic boundary. The encryptor is completely enclosed in a steel case which is protected from tampering by internal tamper protection circuitry and external tamper response seals. Any attempt to remove the cover automatically erases all sensitive information stored internally in the cryptographic module.

The module meets the overall requirements applicable to Level 3 security for FIPS 140-2.

Table 1 Module Compliance Table

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 3 |
| Cryptographic Module Ports and Interfaces | 3 |
| Roles and Services and Authentication | 3 |
| Finite State Machine Model | 3 |
| Physical Security | 3 |
| Operational Environment | N/A |
| Cryptographic Key Management | 3 |
| EMI/EMC | 3 |
| Self-Tests | 3 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |
| Cryptographic Module Security Policy | 3 |

2.1 Module Identification

CN6000 Series Encryptors, with firmware version 2.2.0, provide data privacy and access control services for Ethernet and Fibre Channel networks. See model details summarized in Table 2.

Data privacy is provided by FIPS approved AES and Triple-DES algorithms. The complete list of approved module algorithms is included in the Approved Security Function table.

Table 2 CN6000 Hardware/Firmware Versions

| Hardware Versions | Interface / Protocol (Cryptographic Module) | Firmware Version |
|---|---|---|
| A6040B (AC), A6041B (DC), A6042B (AC/DC) | 1G Ethernet / 1, 2 and 4G Fibre Channel. This model supports pluggable SFP transceivers, dual power supplies and removable fan tray which are considered to be outside the cryptographic boundary. | 2.2.0 |
| A6100B (AC), A6101B (DC), A6102B (AC/DC) | 10G – Ethernet. This model supports pluggable XFP transceivers, dual power supplies and removable fan tray which are considered to be outside the cryptographic boundary. | 2.2.0 |

2.2 Operational Overview

2.2.1 General

CN6000 Series Encryptors operate in point-to-point and point-to-multipoint network topologies and at data rates ranging from 10Mb/s to 10Gb/s.

Encryptors are typically installed between an operator’s private network equipment and public network connection and are used to secure data travelling over either fibre optic or CAT5/6 cables.

Securing a data link that connects two remote office sites is a common installation application. Figure 1 provides an operational overview of two CN6040 encryptors positioned in the network.

Figure 1 – CN6040 Operational Overview

Devices establish one or more encrypted data paths referred to as `connections`. The term refers to a connection that has been securely established and is processing data according to a defined encryption policy. Each `connection` has a `connection identifier` (CI) and associated CI mode that defines how data is processed for each policy. Connections are interchangeably referred to as ‘tunnels’.

CN6000 Series Encryptors support CI Modes of ‘Secure’, ‘Discard’ and ‘Bypass’. These CI Modes can be applied to all data carried on a connection or to a selected subset or grouping which can be user configured in accordance with the specific protocol being carried on the network connection. A typical example in the case of an Ethernet network would be to make policy decisions based upon an Ethernet packet’s VLAN ID. The default CI Mode negotiated between a pair of connected encryptors is `Discard`. In this mode user data is not transmitted to the public network.
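
The CI Mode lookup described above, sketched as an added example (it is not Senetas firmware and does not come from this policy): frames are classified by VLAN ID against a connection table and fall back to the default `Discard` mode. The `ConnectionTable` class, its method names, the sample VLAN IDs and the decision to drop unparseable frames are assumptions made for illustration.

```python
import struct
from collections import namedtuple
from enum import Enum


class CIMode(Enum):
    SECURE = "Secure"    # payload is encrypted before it leaves on the network port
    DISCARD = "Discard"  # frame is dropped; no portion is transmitted
    BYPASS = "Bypass"    # frame is transmitted without alteration (plaintext)


TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier
ETH_HDR_LEN = 14      # destination MAC + source MAC + EtherType
VLAN_TAG_LEN = 4      # TPID + tag control information

# mode: CI Mode applied; vlan_id: VLAN ID or None; clear_len: header bytes that
# stay in the clear (assumption: the whole layer 2 header); matched: True when
# an explicit table entry was used rather than the default policy.
Decision = namedtuple("Decision", "mode vlan_id clear_len matched")


def parse_vlan_id(frame):
    """Return (vlan_id_or_None, header_length); raise ValueError if truncated."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ETH_HDR_LEN              # untagged frame
    if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, ETH_HDR_LEN + VLAN_TAG_LEN  # low 12 bits = VLAN ID


class ConnectionTable:
    """Hypothetical VLAN-keyed connection table with a fail-closed default."""

    def __init__(self, default=CIMode.DISCARD):
        self.default = default
        self._by_vlan = {}

    def add(self, vlan_id, mode):
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        self._by_vlan[vlan_id] = CIMode(mode)

    def classify(self, frame):
        try:
            vlan_id, hdr_len = parse_vlan_id(frame)
        except ValueError:
            # Assumption: frames that cannot be parsed are never forwarded.
            return Decision(CIMode.DISCARD, None, 0, False)
        if vlan_id in self._by_vlan:
            return Decision(self._by_vlan[vlan_id], vlan_id, hdr_len, True)
        # No matching CI: apply the default policy.
        return Decision(self.default, vlan_id, hdr_len, False)

    def plaintext_paths(self):
        """VLAN IDs whose traffic leaves unencrypted; worth a periodic review."""
        return sorted(v for v, m in self._by_vlan.items() if m is CIMode.BYPASS)


def build_frame(vlan_id, payload):
    """Build a sample frame (constructed test data, not captured traffic)."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def demo():
    """Classify five constructed frames and return the CI Mode chosen for each."""
    table = ConnectionTable()                 # default CI Mode is Discard
    table.add(100, CIMode.SECURE)
    table.add(200, CIMode.BYPASS)
    samples = {
        "vlan 100": build_frame(100, b"payroll"),
        "vlan 200": build_frame(200, b"ntp"),
        "vlan 300": build_frame(300, b"unlisted"),
        "untagged": build_frame(None, b"no tag"),
        "runt": b"\x00" * 5,
    }
    return {name: table.classify(f).mode.value for name, f in samples.items()}


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name:9s} -> {mode}")
```

Only VLANs with an explicit `Secure` or `Bypass` entry ever leave the protected side; `plaintext_paths()` lists the entries that do so unencrypted.
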

In order to enter `Secure` mode and pass information securely, each encryptor must be `Certified` by the same trusted body and exchange a secret `Session Key` (DEK) using the RSA key exchange process (as specified in the ATM Forum’s ATM Security Specification version 1.1). If the session key exchange is successful this results in a separate secure session per connection, without the need for secret session keys (DEKs) to be displayed or manually transported and installed.

Figure 2 illustrates the conceptual data flow through a CN6000 Series Encryptor.

1. A data packet arrives at the encryptor’s interface ports. When operating in Line mode data packets are processed according to a single CI policy, otherwise,
2. The encryptor looks up the appropriate packet header field, e.g. MAC address or VLAN ID and determines whether the field has been associated with an existing CI,
3. If a match is found, the encryptor will process the data packet according to the policy setting for that CI and send the data out the opposite port. If a match cannot be found, the data packet is processed according to the default policy setting.

Figure 2 - Data Flow through the Encryptor (diagram labels: Unprotected Network, Network Physical interface, hdr + encrypted payload, encrypted bit stream, Encryption, Decryption, Control and Management, clear bit stream, hdr + clear payload, Local Physical interface, Protected Network)

2.2.2 Encryptor deployment

Figure 3 illustrates a point-to-point (or link) configuration in which each module connects with a single far end module and encrypts the entire bit stream. If a location maintains secure connections with multiple remote facilities, it will need a separate pair of encryptors for each physical connection (link).

Figure 3 - Link Configuration

Figure 4 illustrates a meshed network configuration. Ethernet models will generally operate in this configuration. Each CN6000 Series Encryptor is able to maintain simultaneous secured connections with many far end encryptors.

Figure 4 - Meshed Configuration

2.2.3 Encryptor management

Encryptors can be centrally controlled or managed across local and remote stations using Senetas’ CM Remote Management application. Encryptors support both in-band and out-of-band SNMPv3 management. In-band management interleaves management messages with user data on the encryptor’s network interface port whilst out-of-band management uses the dedicated front panel Ethernet port. A Command Line Interface (CLI) is also available via the console RS-232 port.

FIPS-Approved mode of operation enforces the use of SNMPv3 privacy and authentication. Management messages are encrypted using AES128. Non-Approved mode allows message privacy to be disabled in order to interwork with 3rd party legacy management applications.

2.2.4 Ethernet implementation

Basic operation

The Ethernet encryptor provides layer 2 security services by encrypting the contents of data frames across Ethernet networks. The encryptor connects between a local (protected) network and a remote (protected) network across the public (unprotected) network. An encryptor is paired with one or more remote Ethernet encryptors to provide secure data transfer over encrypted connections as shown in Figure 5 below.

Figure 5 – Layer 2 Ethernet connections

The encryptor’s Ethernet receiver receives frames on its ingress port; valid frames are classified according to the Ethernet header then processed according to the configured policy.
Allowable policy actions are:

• Encrypt – payload of frame is encrypted according to the defined policy
• Discard – drop the frame, no portion is transmitted
• Bypass – transmit the frame without alteration

CN Series tunnels are encrypted using CAVP validated AES algorithms. The CN6040 1G Ethernet encryptor supports AES encryption with a key size of 128 or 256 bits in cipher feedback (CFB) or counter (CTR) modes. The CN6100 10G Ethernet encryptor supports AES encryption with a key size of 128 or 256 bits in CTR mode.

Connections between encryptors use a unique key pair with a separate key for each direction. Unicast traffic can be encrypted using AES CFB or CTR modes whereas Multicast/VLAN traffic in a meshed network must use AES CTR mode.

The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame. The frame is then encoded and transmitted. For details about Unicast and Multicast network topologies supported by the modules see next section.

Unicast operation

Unicast traffic is encrypted using a key pair for each of the established connections.

When operating in line mode there is just one entry in the connection table. When operating in multipoint mode, connection table entries are managed by MAC address or VLAN ID and can be added manually, or if ‘Auto discovery’ is enabled, they will be automatically added based on the observed traffic. Entries do not age and will remain in the table.

Multicast and broadcast operation

Multicast traffic between encryptors connected in line mode shares the same single key pair that is used by unicast traffic.

Multicast encryption is used to encrypt traffic sent from a host to all members of a multicast group.
Unlike unicast encryption (which encrypts traffic from a single sender to a single receiver and uses a unique pair of keys per encrypted connection), multicast encryption within a multipoint network requires a group key management infrastructure to ensure that each encryptor can share a set of encryption keys per multicast MAC address. The Senetas group key management scheme which is used for both multicast and VLAN based encryption is responsible for ensuring group keys are maintained across the visible network.

The Senetas group key management scheme is designed to be secure, dynamic and robust; with an ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys as this introduces both a single point of failure and a single point of compromise.

For robustness and security a group key master is automatically elected amongst the visible encryptors within a mesh based on the actual traffic. If communications problems segment the network, the group key management scheme will automatically maintain/establish new group key managers within each segment.

2.2.5 Fibre Channel implementation

Fibre Channel is the de-facto interconnection technology for storage networking and is optimised for the efficient movement of data between server and storage systems in a Storage Area Network (SAN).

Acting as a `Bump in the Fibre`, the CN6040 operating in Fibre Channel mode can secure point-to-point Fibre Channel network connections operating at speeds up to 4.25Gbps.

Figure 6 shows a typical Fibre Channel installation in which the encryptors are deployed to secure a public network link. In this example the encryptors provide a secure connection between two SAN components; a File Server and remote Disk Array.

Fibre Channel information is sent in discrete frames as per the Fibre Channel ANSI standard (ANSI INCITS 424-2007). The standard defines a multi-layer hierarchy of which the CN6040 Fibre Channel encryptor implements FC-0, FC-1 and the required FC-2 layer functionality to enable network interoperability with Direct Fibre, Fibre with Repeater, GFP-T and GFP-F connections.

In order to interwork with Fibre Channel network devices the FC-2 header is only partially encrypted. The Source identifier, Destination identifier and Frame Type fields of the frame header are left unencrypted. The remaining header fields and payload are encrypted.

Figure 6 – Fibre Channel Configuration

3. Module Ports and Interfaces

3.1 CN6000 Series Ports

The CN6000 Series data and management ports are located on the encryptor’s front panel. The encryptor data ports include a Local Port which connects to the physically secure private network and the Network Port which connects to an unsecured public network. In the case of the CN6040 operating in Ethernet encryption mode, the operator can select either the RJ45 electrical or SFP optical physical interface to connect to the network.

The encryptor user access management ports, LCD display and Keypad are located on the front of the module as presented in Figure 7.

Figure 7 - Front View of the CN6040 Encryptor (labels: Port LEDs (2)x4, System LEDs (4), LCD, Keypad, Erase, Ethernet ports, RJ45 and SFP Local & Network ports, USB port, Serial console port)

Figure 8 - Front View of the CN6100 Encryptor (labels: Port LEDs (4)x2, System LEDs (4), LCD, Keypad, Erase, Ethernet ports, Local & Network XFP ports, USB, Serial console)

CN6000 Series Encryptors support dual redundant power supplies which are available in two variants, an AC version for typical installs and a DC version for telecoms applications. Any power supply combination i.e. AC/AC, AC/DC or DC/DC is supported. Details of each can be seen in Figure 9.

Figure 9 - Rear View of the CN6000 Series Encryptor pictured with AC and DC supplies installed (labels: AC ON/OFF switch, Power LEDs, Fan Tray, AC Power receptacle, DC Power receptacle)

Figure 10 – A6100B 10G Ethernet port label close-up

Figure 11 – A6040B 1G Ethernet / 4G Fibre Channel port label close-up

Figure 12 – Blocked LAN (AUX) RJ45 close-up

Table 3 defines the Physical Ports.

Table 3 CN6000 Series Physical Ports

| Port | Location | Purpose |
|---|---|---|
| RJ-45 Ethernet (LAN) | Front Panel | Allows secure and authenticated remote management by the CM Remote Management application. |
| RJ-45 Ethernet (AUX) | Front Panel | Not enabled and physically blocked - port reserved for future use. See Figure 12. |
| RJ-45 RS-232 Serial Console | Front Panel | The Serial Console port connects to a local terminal and provides a simple command line interface (CLI) for initialization prior to authentication and operation in the approved mode. This port also allows administrative access and monitoring of operations. User name and password authentication is required to access this port. |
| USB | Front Panel | The USB port provides the Crypto Officer with a mechanism for applying approved and properly signed firmware updates to the module. |
| Keypad | Front Panel | Allows entry of initialization commands. |
| LCD | Front Panel | Displays configuration information in response to commands entered via the keypad. Also indicates the state of RSA keys and certificates. |
| System LEDs | Front Panel | Indicate the system state, including alarms. |
| Port LEDs | Front Panel | Indicate local and network port status and activity. |
| Network Port | Front Panel | The Network Port connects to the public network; access is protected by RSA certificates. The Network Port is of the same interface type as the Local Port. CN6040: supports SFP and RJ45 media. CN6100: supports XFP media. |
| Local Port | Front Panel | The Local Port connects to the private network; access is protected by RSA certificates. The Local Port is of the same interface type as the Network Port. CN6040: supports SFP and RJ45 media. CN6100: supports XFP media. |
| Erase | Front Panel | The concealed front panel “Emergency” Erase feature can be activated using a paperclip or similar tool and will immediately delete the System Master Key. The Erase functions irrespective of the powered state of the module. |
| Power Connectors | Rear Panel | Provides AC and/or DC power to the module depending upon which power modules have been installed. |
| Power LEDs | Rear Panel | Indicates whether power is ON or OFF. |

3.2 CN6000 Series Interfaces

Table 4 summarizes the FIPS 140-2 defined Logical Interfaces.

Table 4 Logical Interfaces

| Interface | Explanation |
|---|---|
| Data Input | Interface through which data is input to the module. |
| Data Output | Interface by which data is output from the module. |
| Control Input | Interface through which commands are input to configure or control the operation of the module. |
| Status Output | Interface by which status information is output from the module. |
Senetas Corporation Ltd Version 1.1 Page 17 of 40 CN6000 Series Non-Proprietary Security Policy The FIPS 140-2 Logical Interfaces map to the Physical Ports as outlined in Table 5. Table 5 FIPS 140-2 Logical Interface to Physical Port Mapping FIPS 140-2 Logical CN6000 Series Interface Physical Port Interface Data Input Private Network Interface Local Port Public Network Interface Network Port Data Output Private Network Interface Local Port Public Network Interface Network Port Control Input Local Console RJ-45 RS-232 Serial Console Keypad & Display Keypad / LCD CM Remote Management Management RJ-45 Ethernet Interface Port (LAN) Private Network Interface Local Port Public Network Interface Network Port Status Output Local Console RJ-45 RS-232 Serial Console Keypad & Display Keypad / LCD CM Remote Management Management RJ-45 Ethernet Interface Port (LAN) Private Network Interface Local Port Public Network Interface Network Port LEDs Front & Rear LEDs Power Power Switch Power Connector CN6000 Series Encryptors support the FIPS 140-2 Logical Interfaces as outlined in Table 6. Table 6 Interface Support Logical Interface Support Data Input & Local Interface: Data Output Connects to the local (private) network; sends and receives • plaintext user data to and from the local network. Network Interface: Connects to the public network; sends and receives ciphertext • user data, via the public network, to and from a far end cryptographic module. Authenticates with the far end cryptographic module(s); sends • and receives authentication data and RSA key exchange components to and from a far end module. The module can be set to bypass allowing it to send and receive plaintext user data for selected connections. 
Control Input Control Input is provided by the Local Console, Keypad & Display, and the CM Remote Management Interface as follows: The Keypad supports module initialization prior to authentication • Senetas Corporation Ltd Version 1.1 Page 18 of 40 CN6000 Series Non-Proprietary Security Policy Logical Interface Support and operation in the approved mode. A Crypto Officer sets the IP address for remote administration by Senetas’ CM application; sets the system clock; and loads, in conjunction with the CM application, the module’s certificate. As an alternative to using the Keypad, the Local Console may • be used for initialization prior to certification and operation in the approved mode. The Local Console receives control input from a locally connected terminal. Following initialization and authentication, the CM application • can communicate with the module to receive out-of-band control input. When configured for in-band management, the Private and Public Network Interfaces may also receive control input. In this mode, the CM application sends control input by way of the Local or Network Port rather than the RJ-45 Ethernet. Status Output Status output is provided by the Keypad & Display, LEDs, Local Console and the CM Remote Management Interface as follows The Display presents the Crypto Officer with the command data • being entered via the Keypad. It also indicates the state of the RSA keys and certificates. The System LEDs indicate the system and tunnel state as well a • combined alarm status covering network and local ports. The Port LEDs indicate the state of the local and network • interfaces and the presence of network traffic. As an alternative to using the Keypad & Display, the Local • Console may be used for initialization prior to certification and operation in the approved mode. The Local Console may also be used for monitoring some operations; status output is sent to a locally connected terminal. 
Following initialization and authentication, the module sends • out-of-band status output to the CM Remote Management application. When configured for in-band management, the Private and Public Network Interfaces may also send status output. In this mode, the module status output is sent to the CM application by way of the Local or Network Port rather than the RJ-45 Ethernet Port. The encryptor does permit logically distinct categories of information to share the Local and Network Ports. If the module is configured to allow in-band management traffic, then the control/status information (key exchange or management commands) and user data enter and exit the module via the Network Interfaces. The module separates these two logically distinct categories of information, using the mechanisms specific to the operational protocols. Senetas Corporation Ltd Version 1.1 Page 19 of 40 CN6000 Series Non-Proprietary Security Policy 4. Administrative Roles, Services and Authentication The cryptographic module supports four roles: Crypto Officer, Operator, Upgrader and User. Crypto Officers are assigned permissions based on one of two subcategories: Administrator and Supervisor. The supported roles are summarized in Table 7. Table 7 Roles Role Description Crypto Officer Administrator: Provides cryptographic initialization and management functions. Crypto Officer functions are available via the CM Remote Management application. Limited functions are also available via the Console interface. Supervisor: Provides limited operational management functions. Functions are available via the CM Remote Management application. Limited functions are also available via the Console interface. Services for the CO are accessible directly via the Local Console CLI or remotely via the CM Remote Management Interface and the CM Remote Management application. User Restricted to read-only access to module configuration data. 
Operator: The Operator role is intended to provide sufficient restricted module access for an IT professional to monitor and ensure the network infrastructure to which the encryptor is connected is intact and operational. Services for the Operator are accessible directly via the Local Console CLI or remotely via the CM Remote Management Interface and the CM Remote Management application.
Upgrader: The Upgrader Role is limited to applying field upgrades to the module firmware. Additional access is restricted to read-only access to module configuration data. Services for the Upgrader are accessible directly via the Local Console CLI or remotely via the CM Remote Management application.

Roles cannot be changed while authenticated to the module; however, the module permits multiple concurrent operators. While only one operator may connect to the Local Console at a time, multiple concurrent remote sessions are permitted. CM based management is not session oriented; thus, multiple operators may be issuing commands with each command processed individually as it is received by the module. In a meshed network the system architecture supports simultaneous interactions with many far end modules; the multiple users (remote modules) all sending data to the data input port. The module’s access control rules, system timing, and internal controls maintain separation of the multiple concurrent COs, Operators, Upgraders and Users.

The module does not support a maintenance role. Since there are no field services requiring removal of the cover, physical maintenance is performed at the factory.

Note: A Crypto Officer should zeroize the module before it is returned to the factory. The module can be zeroized using several methods. When the module is powered on, the module can be zeroized by command or by performing the Erase key press sequence defined in the user manual.
An immediate erase can be achieved, powered or un-powered, by depressing the concealed front panel Erase button, accessed using a “paperclip” or other suitable tool. Refer to Figure 7 for location.

4.1 Identification and Authentication

The module employs Identity-Based Authentication. Access is restricted as indicated in Table 8. Up to 30 unique names and passwords may be defined for operators (COs, Operators, Upgraders) of the module.

Operators using the Local Console enter their name and password to authenticate directly with the module.

Operators using Senetas’ CM Remote Management application issue commands to the encryptor. Password based authentication and Diffie-Hellman Key Agreement allow the transport of secure messages to the module. Commands from the CM application are individually authenticated to ensure Data Origin Authentication and Data Integrity. Data Origin Authentication, based on the names and passwords, ensures the authenticity of the user claiming to have sent the command.

Users employing the module’s security functions and cryptographic algorithms, over the Data Input and Output ports, authenticate via certificates that have been generated and signed by a common Certificate Authority (CA). The modules exchange Key and Data Encryption keys using RSA public key wrapping.

Table 8 Authentication Type

Role | Type of Authentication | Authentication Data
Crypto Officer: Administrator, Supervisor | Identity-based | Crypto Officers using the Local Console present unique user names and passwords to log in to the CLI. Crypto Officers using the CM Remote Management application have unique identities embedded in the command protocol. Each issued command is individually authenticated.
Operator | Identity-based | Operators follow the same authentication rules as Crypto Officers.
Upgrader | Identity-based | Upgraders follow the same authentication rules as Crypto Officers.
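The name-and-password login at the Local Console described above is bounded by the rules this policy gives in Table 9: an 8-character minimum, at least the 62 alphanumerics, and a 3-minute lock after three failures. The Python below is an added example, not part of the Senetas document or firmware; it checks those parameters against the two probability limits Table 9 quotes, and its class and function names and the zero-time-per-guess assumption are illustrative.

```python
from dataclasses import dataclass
from fractions import Fraction

# Limits quoted in Table 9 of this policy.
PER_ATTEMPT_LIMIT = Fraction(1, 1_000_000)  # one random guess
PER_MINUTE_LIMIT = Fraction(1, 100_000)     # guessing for 60 seconds


@dataclass(frozen=True)
class ConsolePolicy:
    alphabet_size: int      # distinct characters a password may use
    min_length: int         # shortest password the console accepts
    tries_before_lock: int  # failed logins that trigger the lock
    lock_seconds: int       # how long the console then stays locked


# Table 9 values: 62 alphanumerics as the floor (special characters only
# enlarge the alphabet), 8-character minimum, 3 tries, 3-minute lock.
CN6000_CONSOLE = ConsolePolicy(62, 8, 3, 180)


def keyspace_floor(policy):
    """Smallest search space: the user chose a minimum-length password."""
    return policy.alphabet_size ** policy.min_length


def max_attempts(policy, window_seconds, seconds_per_try=0):
    """Most guesses that can start inside the window.

    seconds_per_try=0 is the attacker-friendly assumption that entering a
    guess costs no time, so only the lockout limits the rate.
    """
    if policy.tries_before_lock < 1:
        raise ValueError("tries_before_lock must be at least 1")
    if policy.lock_seconds <= 0 and seconds_per_try <= 0:
        raise ValueError("nothing bounds the guess rate")
    clock, attempts = 0, 0
    while clock < window_seconds:
        for _ in range(policy.tries_before_lock):
            if clock >= window_seconds:
                break
            attempts += 1
            clock += seconds_per_try
        else:
            clock += policy.lock_seconds  # burst used up: console locks
    return attempts


def assess(policy, window_seconds=60):
    """Exact guessing odds for a uniformly random minimum-length password."""
    space = keyspace_floor(policy)
    tries = max_attempts(policy, window_seconds)
    per_attempt = Fraction(1, space)
    per_window = min(Fraction(1), Fraction(tries, space))
    return {
        "keyspace": space,
        "attempts_in_window": tries,
        "per_attempt": per_attempt,
        "per_window": per_window,
        "meets_per_attempt": per_attempt < PER_ATTEMPT_LIMIT,
        "meets_per_minute": per_window < PER_MINUTE_LIMIT,
    }


def shortest_compliant_length(alphabet_size, tries_before_lock, lock_seconds):
    """Smallest minimum length that satisfies both limits for an alphabet."""
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least two characters")
    length = 1
    while True:
        candidate = ConsolePolicy(alphabet_size, length,
                                  tries_before_lock, lock_seconds)
        result = assess(candidate)
        if result["meets_per_attempt"] and result["meets_per_minute"]:
            return length
        length += 1


if __name__ == "__main__":
    report = assess(CN6000_CONSOLE)
    print("keyspace floor      :", report["keyspace"])
    print("guesses in 60 s     :", report["attempts_in_window"])
    print("odds per guess      : 1 in", report["keyspace"])
    print("odds in 60 s        :", float(report["per_window"]))
    print("guesses in one hour :", max_attempts(CN6000_CONSOLE, 3600))
    print("digits-only minimum :", shortest_compliant_length(10, 3, 180))
```

The same functions show how much margin the lockout leaves: a numeric-only console password would need at least 7 digits to meet both limits under the same three-try, 3-minute lock.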
The strength of the authentication mechanisms is detailed in Table 9.

Table 9 Strength of Authentication

Authentication Mechanism | Strength
Password | COs, Operators, and Upgraders accessing the module CLI, via the Local Console, must authenticate using a password that is at least 8 characters and at most 16 characters in length. The characters used in the password must be from the ASCII character set of alphanumeric and special (shift-number) characters. This yields a minimum of 62^8 (over 14.5 million) possible combinations. The possibility of correctly guessing a password is less than 1 in 1,000,000. After three failed authentication attempts via the CLI, the Local Console port access is locked for 3 minutes. With the 3 minute lockout, the possibility of randomly guessing a password in 60 seconds is less than 1 in 100,000. Note: The module also suppresses feedback of authentication data, being entered into the Local Console, by returning blank characters.
User Certificates | Far end modules (Users) authenticate using an RSA authentication certificate based on 1024 or 2048 bit keys. The possibility of deriving a private RSA key is less than 1 in 1,000,000. Based on the multi-step handshaking process between modules, the possibility of randomly guessing the passphrase in 60 seconds is less than 1 in 100,000.

4.2 Roles and Services

CN6000 Series Encryptors support the services listed in the following tables. The tables group the authorized services by the module’s defined roles and identify the Cryptographic Keys and CSPs associated with the services. The modes of access are also identified per the explanation.

R - The item is read or referenced by the service.
W - The item is written or updated by the service.
E - The item is executed by the service (the item is used as part of a cryptographic function).
D - The item is deleted by the service.

The module’s services are described in more detail in the CN Series documentation. Note access to and behaviour of module services are identical when operating in FIPS-Approved or non-Approved modes.

Once authenticated, the operator has access to the services required to initialize, configure and monitor the module. With the exception of passwords associated with user accounts, the operator never enters Cryptographic Keys or CSPs directly into the module (an Administrator CO will enter passwords when working with user accounts).

Table 10 Operator – Roles and Services

Authorized Service | Cryptographic Keys and CSPs | Access Type | Crypto Officer (Admin, Supv), User (Oper, Upgr)
Set Real Time Clock | none | W
Load Module Certificate | RSA Public and Private Keys | W
Load Module Certificate | RSA Public Key Certificate | W
Create User Account | Password | W
Modify User Account | Password | E, W
Delete User Account | Password | D
View User Account | none | R
Edit Connection Action Table (Bypass) | none | W
View Connection Action Table | none | R
Show Firmware Version | none | R
Clear Audit Trail | Password | W
View Audit Trail | none | R
Clear Event Log | Password | W
View Event Log | none | R
View FIPS Mode Status | none | R
Change FIPS Mode Status | Password | W
Run Self Test (Reboot Command) | Password | E
Install Firmware Update | none | E
Generate Session Key (DEK) | AES DEKs | W | [1] [1]
Generate Initialization Vector | Initialization Vector | W | [1] [1]
RSA signature generation | RSA Private Key | R, E | [1] [1]
RSA signature verification | RSA Public Key | R, E | [1] [1]
Erase Module – Zeroize (Console Command) | System Master Key and all CSP data stored in non-volatile memory | W
Establish a Remote Session | Privacy Key | R, W, E | [2] [2]

[1] Restarting a connection causes new DEKs to be generated.
[2] Privacy keys are established when a remote session is initiated and used to encrypt and decrypt all subsequent directives.

Note: Plaintext Cryptographic Keys and CSPs are never output from the module regardless of the operative role or the mode of operation.

5. Physical Security

CN6000 Series Encryptors employ the following physical security mechanisms:

1. The encryptor is made of commercially available, production grade components meeting commercial specifications for power, temperature, reliability, shock and vibration. All Integrated Circuit (IC) chips have passivation applied to them. The steel enclosure is opaque to the visible spectrum. The ventilation holes on the encryptor’s front panel are factory fitted with baffles to obscure visual access and to prevent undetected physical probing inside the enclosure. Attempts to enter the module without removing the cover will cause visible damage to the module, while removing the cover will trigger the tamper circuitry.
2. Access to the internal circuitry is restricted by the use of tamper detection and response circuitry which is operational whether or not power is applied to the module. Attempting to remove the enclosure’s cover immediately causes the module to be set into ‘Discard’ mode and initiates the zeroization of all Keys and CSPs. For further details refer to Section 6.2.
3. Two tamper evident seals are pre-installed (at factory). Both are placed between the top cover and underside of the main enclosure (refer Figure 13). Attempting to remove the top cover to obtain access to the internal components of the module will irreparably disturb these seals, thus providing visible evidence of the tamper attempt. Replacement tamper seals cannot be ordered from Senetas. A module with damaged tamper evident seals should be returned to the manufacturer by the Crypto Officer.
Figure 13 – Factory installed tamper seals

While the physical security mechanisms protect the integrity of the module and its keys and CSPs, it is strongly recommended that the cryptographic module be maintained within a physically secure, limited access room or environment.

Table 11 outlines the recommended inspection practices and/or testing of the physical security mechanisms.

Table 11 Physical Security Inspection & Test

Security Mechanism | Inspection & Test Guidance | Frequency
Tamper Evidence | Tamper indication is available to all user roles via the alarm mechanism and evidence by the physical tamper labels. The Crypto Officer is responsible for the physical security inspection. During normal operation, the Secure LED is illuminated green. When the unit is not activated and/or uncertified (has no loaded certificate as either the default factory manufactured state or user erase operation has been executed) or in the tampered state, the Secure LED is illuminated red and all traffic is blocked. Inspect the enclosure and tamper evident seals for physical signs of tampering or attempted access to the cryptographic module. | In accordance with organization’s Security Policy.
Tamper Circuit | The module enters the tampered state when the circuit is triggered. Once in this state, the module blocks all user traffic until the module is re-activated and re-certified. | No direct inspection or test is required; triggering the circuit will block all data flow.

6. Cryptographic Key Management

6.1 Cryptographic Keys and CSPs

The following table identifies the Cryptographic Keys and Critical Security Parameters (CSPs) employed within the module.
Table 12 Cryptographic Keys and CSPs

Key/CSP: System Master Key
Key Type and Use: On initialization, the module generates a 168-bit symmetric key. This key encrypts, using 3-key Triple-DES CFB8, the module’s public and private RSA keys and the user table stored in the configuration flash memory.
Key/CSP Origin: Internal
Key/CSP Storage: Plaintext, in a tamper protected memory device
Key/CSP Entry Sourced: No
Key/CSP Output Format: NA
Destruction: On tamper or Erase the System Master Key is zeroized.
Archiving: No
Electronic

Key/CSP: RSA Private Key(s)
Key Type and Use: A Private 1024 or 2048 bit key is the secret component of the module’s RSA Key pair. It is generated when the module receives a Load Certificate command from CM application. The RSA Private Key(s) are used to authenticate connections with other encryptors and to unwrap master session keys (KEKs) and session keys (DEKs) received from far-end encryptors.
Key/CSP Origin: Internal
Key/CSP Storage: 3-key Triple-DES-encrypted format, non-volatile system memory.
Key/CSP Entry Sourced: No
Key/CSP Output Format: NA
Destruction: On tamper or Erase the Triple-DES System Master Key is zeroized, rendering the encrypted RSA Private Key undecipherable. Each event also deletes the RSA from non volatile memory.
Archiving: No
Electronic

Key/CSP: RSA Public Key(s)
Key Type and Use: This Public 1024 or 2048 bit key is the public component of a module’s RSA Key pair. They reside in the Network Certificate, and are used for authenticating connections with other encryptors.
Key/CSP Origin: Internal
Key/CSP Storage: 3-key Triple-DES-encrypted format, in non-volatile system memory.
Key/CSP Entry Sourced: Electronic
Key/CSP Output Format: Plaintext within X.509 certificate signed by trusted CA
Destruction: On tamper or Erase the Triple-DES System Master Key is zeroized, rendering the encrypted RSA Public Key undecipherable. Each event also deletes the RSA keys from non volatile memory.
Archiving: No
Electronic
Key/CSP: Module Certificate(s)
Key Type and Use: An X.509 certificate is associated with a session in an operational environment. It is produced, upon request from the module, and signed by the Certificate Authority (CA) to establish root trust between encryptors. Once a certificate has been authenticated, Far-end encryptors use the signed RSA Public Key to wrap the initial session keys (KEKs) used to encrypt a session.
Key/CSP Origin: Internal
Key/CSP Storage: Stored in plaintext, in non-volatile system memory
Key/CSP Entry Sourced: Electronic
Key/CSP Output Format: Plaintext signed by trusted CA
Destruction: The certificate is deleted from non volatile system memory on tamper or Erase command from a Crypto Officer.
Archiving: No
Electronic

Key/CSP: Authentication Password
Key Type and Use: Up to 30 unique Crypto Officers (Administrator, Supervisor or Operator) may be defined, with their associated passwords, within the module. The CLI uses the Authentication Password to authenticate Crypto Officers accessing the system via the Local Console. The CM application requires an operator password that is used to uniquely authenticate each command to the module.
Key/CSP Origin: Internal
Key/CSP Storage: Passwords and associated Usernames are hashed and stored in the User Table which is stored in 3-key Triple-DES-encrypted format in non-volatile system memory
Key/CSP Entry Sourced: No
Key/CSP Output Format: NA
Destruction: On tamper or Erase, the Triple-DES System Master Key is zeroized, rendering the encrypted Passwords undecipherable. Each event also deletes the User Table including passwords from non volatile system memory
Archiving: No
Electronic

Key/CSP: Key Encrypting Key
Key Type and Use: For each session (CI), the module generates a symmetric KEK using the NIST SP800-90A DRBG and other input in accordance with ATM Security Specification reference [12]. The seed key and seed value are not part of the stored CSP data, but are generated on demand as required. RSA key transport is used to transfer this key to a far-end module. The KEK persists for the life of the session and is used to secure the DEK that may be changed periodically during the session.
Key/CSP Origin: Internal
Key/CSP Storage: KEK is stored in plaintext, in volatile SDRAM system memory
Key/CSP Entry Sourced: Yes
Key/CSP Output Format: Wrapped for transport using the far-end module’s public RSA key
Destruction: Zeroized at the end of a session, on tamper or Erase and when power is removed from unit
Archiving: No
Electronic

Key/CSP: Data Encrypting Key
Key Type and Use: For each session (CI), the module also generates two DEKs for each data flow path in the secure connection (one for the Initiator-Responder path and another for the Responder-Initiator path) using the NIST SP800-90A DRBG. These keys AES encrypt and decrypt the user data transferred between the Encryptors. These active session keys are normally changed periodically based on the duration of the session.
Key/CSP Origin: Internal
Key/CSP Storage: DEK is stored in plaintext, in volatile SDRAM system memory
Key/CSP Entry Sourced: Yes
Key/CSP Output Format: Encrypted using KEK in accordance with ATM Security Specification, reference [12]
Destruction: Zeroized at the end of a session, on tamper or Erase and when power is removed from unit
Archiving: No
Electronic

Key/CSP: Privacy Keys
Key Type and Use: For each remote management session, the module uses an AES privacy key as part of the Diffie-Hellman key agreement process to secure the control / flow path in the secure connection.
Key/CSP Origin: Internal
Key/CSP Storage: All privacy keys are stored in plaintext, in volatile system memory
Key/CSP Entry Sourced: No
Key/CSP Output Format: NA
Destruction: Destroyed at the end of a remote management session and when power is removed from unit. Note: Erase, reboot and tamper will end a remote session
Archiving: No
Electronic

Key/CSP: DRBG Seed
Key Type and Use: The DRBG seed is generated in accordance with NIST SP800-90A and NIST SP800-131A DRBG guidelines.
Key/CSP Origin: Internal
Key/CSP Storage: Not stored
Key/CSP Entry Sourced: No
Key/CSP Output Format: NA
Destruction: NA
Archiving: No
Electronic
Key/CSP: Diffie Hellman Keys
Key Type and Use: For each remote management session the CM application will use Oakley Group 2 base and prime values to generate the required local and private values to enable privacy key exchange.
Key/CSP Origin: Internal
Key/CSP Storage: Stored in plaintext, in volatile system memory
Key/CSP Entry Sourced: No
Key/CSP Output Format: NA
Destruction: Destroyed at the end of a remote management session and when power is removed from unit. Note: Erase, reboot and tamper will end a remote session
Archiving: No
Electronic

Note 1: While the certificates, maintained within the module, are listed as CSPs, they contain only public information.
Note 2: All random data including cryptographic Key material is sourced from the NIST SP800-90A DRBG as required.

6.2 Key and CSP zeroization

Zeroization of cryptographic Keys and CSPs is a critical module function that can be initiated by a Crypto Officer or, under defined conditions, carried out automatically. Zeroization is achieved using the “Zeroization sequence” defined in section 6.2.1 below.

Crypto Officer initiated zeroization will occur when the:
1. Module Erase command is issued from the CLI or CM application
2. Front Panel key press Erase sequence is selected
3. Concealed front panel “Emergency” Erase button is depressed

Automatic zeroization will occur when the module is:
1. Switched from an Approved to non-Approved mode of operation
2. Switched from a non-Approved to Approved mode of operation
3. Physically tampered

The following sections describe the specific events that occur when zeroization is initiated. Note zeroization behaviour is the same whether the module is configured to run in FIPS-Approved or non-Approved mode.
6.2.1 Zeroization sequence

The module Zeroization sequence achieves the following:

• Sets each session (CI) to DISCARD, before zeroizing the DEKs
• Zeroizes the System Master Key rendering the RSA Private Key, User table (including authentication passwords) and other CSPs (Certificates, RSA keys) indecipherable
• Deletes all Certificate information
• Deletes RSA Private and Public keys, module Configuration and User table ¹
• Automatically REBOOTs the module destroying KEKs, Privacy and Diffie Hellman keys residing in volatile system memory

¹ The RSA Private and Public keys, Configuration details and User table are encrypted by the System Master Key which, during an Erase, is the first CSP to be zeroized. Deleting the aforementioned CSPs is deemed good practice.

6.2.2 Erase command and key press sequence

A Crypto Officer can initiate a module Erase remotely using the CM application or when physically in the presence of the module using the management console CLI interface or Front Panel key press Erase sequence. Zeroization of the module Keys and CSPs is achieved using the zeroization sequence as defined in section 6.2.1.

6.2.3 Approved mode of operation

Switching the module to and from the FIPS Approved mode of operation will automatically initiate a Zeroization sequence as defined in section 6.2.1 above.

6.2.4 Tamper initiated zeroization

Zeroization will be initiated upon detection of a tamper event. The Tamper Circuit is active at all times; the specific tamper response differs slightly based on the module’s power state. From a practical standpoint the effect on the Keys and CSPs is the same.

The tamper initiated zeroization process achieves the following:

1. Zeroization of the System Master Key (SMK) rendering the RSA Private Key, User table and other CSPs indecipherable. Zeroization of the SMK occurs irrespective of the powered state of the module.
2. When powered on and the Tamper Circuit is triggered, the module will automatically:
   a. Set the encryption mode for each session (CI) to DISCARD ensuring no user data is output from the module,
   b. Log the tamper event to the Audit Log,
   c. Set the System, Secure and Alarm LEDs to flash RED on the front panel and herald the tamper event via the internal speaker,
   d. Initiate the Zeroization sequence zeroizing all Session Keys (DEKs) and CSPs in volatile system memory and non-volatile Configuration and User account data,
   e. REBOOT the module.
3. When powered off and the Tamper Circuit is triggered, there are no Session Keys (DEKs) or CSPs in system volatile memory to be zeroized; however, upon re-powering the module, the zeroized System Master Key will indicate that the system has been tampered. The module will:
   a. Log the tamper event to the Audit log,
   b. Initiate the Zeroization sequence,
   c. Continue to the BOOT, returning the module to the un-Activated factory default state.
4. When the BOOT sequence has completed the module will have:
   a. Generated a new System Master Key,
   b. Re-created the default administration account,
   c. Set the encryption mode to DISCARD,
   d. Entered the factory default state ready for Configuration (as described in Section 8.3 below).

6.2.5 “Emergency” Erase

The “Emergency” Erase feature is initiated when the concealed front panel button is depressed and follows the behaviour defined in section 6.2.4 Tamper initiated zeroization above.

6.3 Data privacy

To ensure user data privacy the module prevents data output during system initialization. No data is output until the module is successfully authenticated (activated) and the module certificate has been properly loaded. Following system initialization, the module prevents data output during the self tests associated with a power cycle or reboot event. No data is output until all self tests have completed successfully.
The module also prevents data output during and after zeroization of data plane cryptographic keys and CSPs; zeroization occurs when the tamper circuit is triggered. In addition, the system’s underlying operational environment logically separates key management functions and CSP data from the data plane.

6.4 Cryptographic Algorithms

CN6000 Series Encryptors employ the following approved cryptographic algorithms. Table 13 lists approved embedded software algorithms that are common to the CN6000 Series. Table 14 lists approved firmware algorithms that are specific to the CN6040 and CN6100 hardware versions.

Table 13 FIPS Approved Algorithms – CN6000 Series Common Crypto Library

CN Series Crypto Library (Target Model: CN6040 / CN6100)

Algorithm Type | Algorithm | FIPS Validation Certificate | Notes
Symmetric Key | Triple-DES TCFB8 (e/d; KO 1) | TDES # 1412 | Module Public & Private RSA keys, User table encryption
Symmetric Key | AES CFB128 (e/d; 128,256) | AES # 2258 | SNMP message privacy
Asymmetric Key | RSA Key(gen) (MOD: 1024, 2048 PubKey Values: 65537) ALG[RSASSA-PKCS1_V1_5]; SIG(gen); 1. SIG(ver); 1024 , 2048, SHS: SHA-1, SHA-256 | RSA # 1157 | Data Session Establishment
Hashing | SHA-1 (BYTE only) | SHS # 1945 | File system integrity
Hashing | SHA-256 (BYTE only) | SHS # 1945 | Data Session update
HMAC | HMAC-SHA-1 (Key Sizes Ranges Tested: KS | HMAC # 1385 | SNMP message

fips

CN6100> fips
FIPS mode enabled

The CM application screen for reporting the FIPS status is found on the User Management screen, in the Access tab under FIPS PUB 140-2 Mode.

Figure 14 – FIPS Approved and non-Approved mode selection

Note: Read all of the instructions in this section before installing, configuring, and operating the CN6000 Series Encryptors.
8.1 Delivery

When a CN6000 Series Encryptor is delivered, the CO can verify that the model and serial numbers on the outside of the packaging, the model and serial numbers attached to the encryptor itself, and the numbers listed on the order acknowledgement, all match. The CO can also verify that the encryptor has not been modified by examining the tamper evident seal on the outside of the unit. If the seal is broken, then the integrity of the encryptor cannot be assured and Senetas should be informed immediately.

Upon receipt of a CN6000 Series Encryptor, the following steps should be undertaken:

1. Inspect the shipping label as well as the label on the bottom of the system to ensure it is the correct FIPS-approved version of the hardware.
2. Inspect the encryptor for signs of tampering. Check that the tamper evident tape and the covers of the device do not show any signs of tampering. If tampering is detected, return the device to the manufacturer.

Do not install the encryptor if it shows signs of tampering or has an incorrect label. Contact your organization’s Security Officer for instructions on how to proceed.

If the device has the correct label and shows no signs of tampering, proceed to the next section.

8.2 Location

The encryptor must be installed in a secure location to ensure that it cannot be physically bypassed or tampered with. Ultimately the security of the network is only as good as the physical security around the encryptor.

Always maintain and operate the CN6000 Series Encryptor in a protected/secure environment. If it is configured in a staging area, and then relocated to its operational location, never leave the unit unsecured and unattended.

Ideally the encryptor will be installed in a climate-controlled environment with other sensitive electronic equipment (e.g. a telecommunications room, computer room or wiring closet).
The encryptor can be installed in a standard 19-inch rack or alternatively mounted on any flat surface. Choose a location that is as dry and clean as possible. Ensure that the front and rear of the encryptor are unobstructed to allow a good flow of air through the fan vents.

The encryptor is intended to be located between a trusted and an untrusted network. The Local Interface of the encryptor is connected to appropriate equipment on the trusted network and the Network Interface of the encryptor is connected to the untrusted (often public) network.

Depending on the topology of your network, the Local Interface will often connect directly to a router, switch, or Add/Drop Multiplexer, while the Network Interface will connect to the NTU provided by the network carrier.

8.3 Configuration – FIPS140-Approved mode

Full configuration instructions are provided in the User Manual. Use the guidance here to constrain the configuration so that the device is not compromised during the configuration phase. This will ensure the device boots properly and enters FIPS 140-2 approved mode.

When powering up the module for the first time, use the front panel to configure the system for network connectivity. Then use the CM Remote Management application to initialize the module and perform the configuration operations.

1. Power on the unit. The system boot-up sequence is entered each time the module is powered on and after a firmware restart. The CN6000 Series Encryptor automatically completes its self tests and verifies the authenticity of its firmware as part of the initialization process. The results of these tests are reported on the front panel LCD and are also logged in the system audit log. If errors are detected during the diagnostic phase, the firmware will not complete the power up sequence but will instead enter a Secure shutdown state and Halt (“Secure Halt”). If this occurs the first time power is applied or any time in the future, the module is notifying the CO that a persistent (hard) error has occurred and that the module must be returned for inspection and repair.
2. Follow the User Manual’s Commissioning section to set the system’s IP Address, Date and Time.
3. If the CM application is being run for the first time, it will ask if the installation will act as the Certification Authority (CA) for the secure network. If the user selects yes, a private and public RSA key pair that will be used to sign X.509 certificates is generated.
4. Activate the cryptographic module. A newly manufactured or erased cryptographic module must be Activated before X.509 certificate requests can be processed. See the User Manual’s Commissioning section for details. Activation ensures that the default credentials of the ‘admin’ account are replaced with those specified by the customer prior to loading signed X.509 certificates in to the module. The updated user credentials (username and password) are transmitted to the encryptor using RSA 2048 public key encryption, and a hashing mechanism is used by the local administrator CO to authenticate the message.
5. Install a signed X.509 certificate into the cryptographic module. Version 2.2.0 and later CN Series cryptographic modules support V1/V2 and V3 X.509 Certificate Signing Requests (CSRs) and will accept certificates signed by Senetas’ CM Remote Management application (when acting as a CA) as well as certificates signed by External CAs. In both cases each CN Series cryptographic module supplies upon request an unsigned X.509 certificate containing the module’s details and 1024 or 2048 bit Public RSA key. The administrator then takes the CSR and has it signed by either the trusted local CA (Senetas’ CM Remote Management application for V1/2/3 certificates) or an external CA for V3 certificates.
   For a typical deployment this procedure is repeated for all cryptographic modules in the network and the signed certificates are installed in to each module. After an X.509 certificate has been installed into a CN Series module the administrator can create supervisor and operator accounts. At this point the CN6000 Series Encryptor is able to encrypt in accordance with the configured security policy; the ENT key on the front panel is disabled; and the default factory account has been removed.
6. Ensure the encryptor is in FIPS 140-2 mode (default setting) via the CM application’s Management-Access tab. See Figure 14 for details.
7. Configure the security policy to enable encrypted tunnels with other CN Series modules. Configuration of the security policy is network specific; refer to the User Manual for specific details.

8.4 Configuration - non-Approved mode

Non-approved mode of operation is provided to interwork with legacy management systems that are unable to support SNMPv3 privacy. All other module services are identical and no additional Keys/CSPs are accessible.

The installation procedure for non-Approved operation is as described in section 8.3 above except for configuring the non-Approved mode of operation.

1. Non-Approved mode of operation can be invoked through the CM Application or via the management console. Upon changing to FIPS approved mode or to the non-Approved mode the module will automatically erase and restart.
   i. Navigate to the FIPS PUB 140-2 setting in Management-Access tab within the CM Application and SET the Disable FIPS PUB 140-2 Mode checkbox
   – OR –
   ii. Login via the front panel management console and execute the console command e.g. “CN6100> fips off”. See Figure 14 for details.
2. Upon restart, the FIPS mode state can be checked using the CM Application or management console.
9. Mitigation of Other Attacks

The module does not mitigate specific attacks.

End