CoCo Cryptographic Module 2.0 FIPS 140-2 Security Policy Version No.: 2.13 Date: October 8, 2013 Prepared by: CoCo Communications Corp. www.cococorp.com 800 5th Avenue, Suite 3700 Seattle, WA 98104 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy Table of Contents 1 Introduction ......................................................................................................................................... 1 1.1 Purpose of the Security Policy ...................................................................................................... 1 1.2 Target Audience ............................................................................................................................ 1 2 Cryptographic Module Specification ................................................................................................ 2 2.1 Module Description ...................................................................................................................... 2 2.2 Description of Approved Mode .................................................................................................... 3 2.3 Cryptographic Module Boundary ................................................................................................. 3 3 Cryptographic Module Ports and Interfaces .................................................................................... 5 4 Roles, Services, and Authentication .................................................................................................. 6 4.1 Roles ............................................................................................................................................. 6 4.2 Services ......................................................................................................................................... 6 4.3 Operator Authentication................................................................................................................ 9 4.4 Mechanism and Authentication Strength ...................................................................................... 9 5 Physical Security ............................................................................................................................... 10 6 Operational Environment ................................................................................................................ 11 6.1 Policy .......................................................................................................................................... 11 7 Cryptographic Key Management .................................................................................................... 12 7.1 Key/CSP Generation ................................................................................................................... 12 7.2 Key Entry and Output ................................................................................................................. 12 7.3 Key Storage ................................................................................................................................. 12 7.4 Key Zeroization .......................................................................................................................... 12 8 Electromagnetic Interference/Compatibility .................................................................................. 14 9 Self Tests ............................................................................................................................................ 15 9.1 Integrity test ................................................................................................................................ 15 9.2 Power-up Tests............................................................................................................................ 15 9.3 On-demand Tests ........................................................................................................................ 15 i ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 10 Design Assurance .......................................................................................................................... 16 10.1 Configuration Management ........................................................................................................ 16 10.2 Delivery and Operation ............................................................................................................... 16 11 Mitigation of Other Attacks ......................................................................................................... 17 12 Abbreviations ................................................................................................................................ 18 13 References ...................................................................................................................................... 19 ii ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy List of Figures Figure 1: Software Block Diagram ............................................................................................................... 3 Figure 2: Hardware Block Diagram .............................................................................................................. 4 iii ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy List of Tables Table 1: Security Levels ............................................................................................................................... 2 Table 2: Tested Platforms ............................................................................................................................. 2 Table 3: Ports and Interfaces......................................................................................................................... 5 Table 4: Services ........................................................................................................................................... 8 Table 5: Key Management Details.............................................................................................................. 13 Table 6: EMI and EMC............................................................................................................................... 14 iv ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 1 Introduction This document is a non-proprietary FIPS 140-2 Security Policy for the CoCo Cryptographic Module 2.0 (the Module). It contains a specification of the rules under which the Module must operate and describes how the Module meets the requirements as specified in Federal Information Processing Standards Publication 140-2 (FIPS PUB 140-2) for a Security Level 1, multi-chip, standalone software module. 1.1 Purpose of the Security Policy There are three major reasons why a security policy is requested:  It is required for FIPS 140-2 validation.  It allows individuals and organizations to determine whether the cryptographic module, as implemented, satisfies the stated security policy.  It describes the capabilities, protections, and access rights provided by the cryptographic module that will allow individuals and organizations to determine whether it meets their security requirements. 1.2 Target Audience This document will be one of many that are submitted as a package for FIPS validation; it is intended for the following people:  Developers working on the release.  The FIPS 140-2 testing lab.  Cryptographic Module Validation Program (CMVP).  Consumers. 1 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 2 Cryptographic Module Specification This document is the non-proprietary security policy for the CoCo Cryptographic Module 2.0, and was prepared as part of the requirements process that will ensure its conformance with Federal Information Processing Standard (FIPS) 140-2, Level 1. The following section describes the Module and how it complies with the FIPS 140-2 standard in each of the required areas. 2.1 Module Description Table 1: Security Levels provides an overview of the security level required for each validation section. Security Component Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A Table 1: Security Levels The Module has been tested on the platforms shown in Table 2: Tested Platforms . Module/Implementation Processor OS and Version Test Platform CoCo Crypto Module 2.0 AMD Linux 2.6 32-bit oMG 2000 Geode (single-user mode) CoCo Crypto Module 2.0 Intel x86 Vyatta 6.4 32-bit Dell PowerEdge R210 (single-user mode) Table 2: Tested Platforms 2 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 2.2 Description of Approved Mode The Module supports only the Approved mode and provides support for the following approved functions:  AES (CCM, ECB , CBC, CTR, GCM)  TDES(ECB, CBC)  HMAC (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)  SHS (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)  SHA-1 (for integrity check only, Cert.#1982, Cert.#1983 )  HMAC-SHA-1 (for integrity check only, Cert.#1413, Cert.#1414 ) 2.3 Cryptographic Module Boundary The logical boundary of the module is the binary code of the CoCo Cryptographic Module 2.0. Its distribution package file is : crypto-loader_2.0.831_i386.deb for Vyatta 6.4 and crypto-loader-2.0-831coco.i586.rpm for Linux 2.6 Figure 1 shows the logical boundary of the module’s software components. Figure 1: Software Block Diagram 3 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy The physical boundary of the module is the enclosure of the test platform on which the software module executes. Figure 2 shows the physical boundary of the module and hardware components of the platforms on which the module executes. Figure 2: Hardware Block Diagram 4 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 3 Cryptographic Module Ports and Interfaces Table 3: Ports and Interfaces shows which FIPS interfaces and ports the Module utilizes. FIPS Interface Ports Data Input API input parameters Data Output API output parameters Control Input API function calls, HMAC-SHA-1 value in the binary code Status Output API return codes, kernel log files, kernel process files Power Input Physical power connector Table 3: Ports and Interfaces 5 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 4 Roles, Services, and Authentication 4.1 Roles The User and Crypto Officer roles are implicitly assumed by the entity that is accessing services implemented by the Module, so no further authentication is required. The services associated with each role are explained in the next section. 4.2 Services FIPS Service Roles CSP Modes API Functions Approved Standard (Cert #) User CO Service Provided via Symmetric Algorithms  AES 128-, 192-, ECB, (Cert # 2299) FIPS 197 All API functions with 256-bit keys CBC, prefix -AMD Geode CTR fips_crypto_cipher_, Encryption fips_crypto_ablkcipher_ Input: (Cert # 2300) and fips_crypto_blkcipher_ plaintext, IV, -Intel x86 key ablkcipher_request_set_t fm Output: ablkcipher_request_free ciphertext ablkcipher_request_set_ callback Decryption ablkcipher_request_set_ Input : crypt ciphertext, IV, crypto_free_blkcipher key crypto_has_blkcipher Output: plaintext  TDES K1, K2, K3 ECB, (Cert # 1446) SP 800-67 All API functions with independent CBC -AMD Geode the prefix of fips_cryp- to_cipher_, fips_cryp- (Cert # 1447) Encryption to_ablkcipher_ and -Intel x86 Input: fips_crypto_blkcipher_ plaintext, IV, cryp-to_free_ablkcipher key crypto_has_ablkcipher ablkciph- Output: er_request_set_tfm ciphertext ablkciph-er_request_free ablkciph- Decryption er_request_set_callback ablkciph- Input : 6 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy ciphertext, IV, er_request_set_crypt key crypto_free_blkcipher Output: crypto_has_blkcipher plaintext  GCM 128-, 192-, Tag (Cert # SP 800- All API functions with 256-bit keys length 2299) 38D prefix fips_crypto_gcm 96-bit IV supports -AMD Geode Encryption supported 32, 63, (Cert # 2300) Input: 96, 104, Max IV -Intel x86 112, 120, plaintext, IV, length: 1024 and 128 key, AAD Output: Ciphertext Decryption Input : ciphertext, IV, key, AAD Output: plaintext Hash Function Services  SHA-1 N/A (Cert # 1980) FIPS 180-4 All API functions with prefix fips_crypto_hash SHA-224 -AMD Geode SHA-256 (Cert # 1981) fips_crypto_free_hash SHA-384 -Intel x86 SHA-512 Input: message Output: message digest Message Authentication Code (MAC) Services  HMAC-SHA-1 (Cert # 1411) FIPS 198 API functions with prefix fips_crypto_shash HMAC-SHA- -AMD Geode ,hmac_ 224 (Cert # 1412) HMAC-SHA- -Intel x86 225 fips_crypto_free_hash HMAC-SHA- 384 HMAC-SHA- 512 Input: HMAC key, message 7 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy Output: HMAC value of the message  CCM 128-, 192-, Tag len: (Cert # 2299) FIPS SP API functions with and 256-bit 4, 6, 8, 800-38C prefix fips_crypto_ccm -AMD Geode key sizes 10, 12, Encryption (Cert # 2300) Nonce len: 14, 16 Input: -Intel x86 7–13 plaintext, IV, key, AAD Output: ciphertext Decryption Input : ciphertext, IV, key, AAD Output: plaintext Other non-Security Services  N/A Initialization N/A N/A fips_crypto_module_init Input: N/A Output: N/A  N/A Self Test N/A N/A Run_self_test Input: N/A Output: Return code Kernel log  N/A Get status N/A N/A Input: N/A Output: Module messages Table 4: Services 8 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 4.3 Operator Authentication There is no operator authentication; assumption of role is implicit by action. 4.4 Mechanism and Authentication Strength No authentication is required at security level 1; authentication is implicit by assumption of the role. 9 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 5 Physical Security This is a software module and provides no physical security. 10 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 6 Operational Environment The Module operates in a modifiable operational environment. 6.1 Policy The Module prevents access by other processes to keys and CSPs during the time the cryptographic module is in the Approved mode. The Module provides a private context per process for key and CSP storage, which is then destroyed upon request by the process or when the Module is powered off. The application that uses the Module is the single user of the Module. No concurrent operators are allowed. The ptrace(2) system call, the debugger (gdb(1)) and strace(1) shall not be used. In addition, other tracing mechanisms offered by the Linux environment such as ftrace or systemtap shall not be used. 11 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 7 Cryptographic Key Management 7.1 Key/CSP Generation The Module neither generates keys in general nor performs key generation for any of its approved algorithms; instead, keys are passed in from clients by way of algorithm APIs. 7.2 Key Entry and Output All CSPs enter the Module's logical boundary as cryptographic algorithm API parameters in plaintext. They are associated with memory locations and do not persist across power cycles. The Module does not output intermediate key generation values or other CSPs. 7.3 Key Storage The Module does not provide persistent key storage for keys or CSPs and they also are not stored inside the Module. Instead, pointers to plaintext keys are passed through the Module and keys/CSPs exist only in the volatile memory that is assigned to the process within which the Module runs. 7.4 Key Zeroization Whenever CSPs are de-allocated, zeroization is done using different kernel memory zeroization APIs, with a value of 0 and a size equal to that of the CSP. The APIs listed in the table below internally call memset()function for performing zeroization. Table 5 summarizes details regarding what key management the Module provides. Key/CSP Name Details Authentication Roles: User, Crypto Officer Generation: N/A Type: Encrypt and decrypt 128-, 192-, and 256-bit AES keys Entry: API parameter Output: N/A Storage: N/A Zeroization API: fips_crypto_free_tfm() Authentication Roles: User, Crypto Officer Generation: N/A Type: Encrypt and decrypt TDES 3-Key Entry: API parameter Output: N/A Storage: N/A Zeroization API: fips_crypto_free_tfm() Authentication Roles: User, Crypto Officer HMAC keys Generation: N/A 12 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy Key/CSP Name Details Type: Keyed-Hash Message Authentication Entry: API function Output: N/A Storage: N/A Zeroization API: fips_crypto_free_ahash() Authentication Roles: Crypto Officer Generation: N/A Type: Keyed-Hash Message Authentication HMAC key for Module integrity check Entry: API function Output: N/A Storage: module binary Zeroization: zeroization is not required per FIPS IG 7.4. Table 5: Key Management Details 13 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 8 Electromagnetic Interference/Compatibility The Module's electromagnetic interference (EMI) and electromagnetic compatibility (EMC) features are summarized in Table 6: EMI and EMC . Testing Platform Product Name/Model Model Number EMI/EMC Notes Compliant to FCC part 15 Class oMG oMG 2000 A per FCC report Compliant to FCC part 15 Class Dell PowerEdge R210 A per “PowerEdge R210 Dell Technical Guide” Table 6: EMI and EMC 14 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 9 Self Tests The Module includes known-answer tests that are invoked when the Module is loaded into the kernel. If the known-answer tests fail, error messages are logged in the kernel log file and the Module causes a kernel panic that prevents it from performing further functions. The operating system will be rebooted to recover from the ERROR state. If the tests pass, the file /sys/kernel/crypto_module/fips_initialized will then contain a "1", which indicates the Module is in FIPS mode. The directory /proc/crypto-fips provides a list of the approved algorithms. 9.1 Integrity test During the software build process, the Module is used to compute a HMAC-SHA-1 message authentication code (MAC) of the Module binary—the MAC and the required key are then stored with the Module. Prior to loading the Module, a HMAC-SHA-1 MAC of the binary is again computed and compared to the original. If the comparison passes, the Module is loaded and the Power-up Tests are run; if the tests pass, the Module enters the FIPS Approved mode. If the comparison fails, the Module is not loaded and is unavailable. 9.2 Power-up Tests At module start-up, known-answer tests (also referred to as cryptographic algorithm tests)—which are based on the following algorithms—are performed automatically without requiring operator intervention. When the module is performing self tests, no API functions are available and no data output is possible until the module has completed performing the self test. If the value calculated and the known answer do not match, the Module causes a kernel panic.  AES encryption and decryption are tested separately for ECB, CBC, CTR, GCM and CCM modes  Triple-DES encryption and decryption are tested separately for ECB and CBC modes  HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512  SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 9.3 On-demand Tests Self tests may be invoked by restarting the operating system causing the power-up tests to run. 15 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 10 Design Assurance 10.1 Configuration Management The source code for the Module is stored on a server that is connected to a private corporate intranet. Changes to the source code, and other required files, are managed with the git distributed version control system, which provides traceability between developers, the source code, and the released binary module. Each binary is tracked with an embedded build number that has a matching tag in the revision control system, which identifies the source files that were used to produce the binary. 10.2 Delivery and Operation This module is delivered as a kernel module that is loaded into the kernel after an integrity check is performed. During the kernel module initialization process, the module invokes the Self Tests and upon success, enters FIPS mode. The module is then loaded into the kernel before any client can request the cryptographic services it provides. 16 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 11 Mitigation of Other Attacks No other attacks are mitigated. 17 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 12 Abbreviations Advanced Encryption Specification AES Cryptographic Algorithm Validation Program CAVP Cipher Block Chaining CBC Counter with Cipher Block Chaining-Message Authentication CCM Code Cipher Feedback CFB Cryptographic Module Validation Program CMVP Critical Security Parameter CSP Component Verification Testing CVT Data Encryption Standard DES Digital Signature Algorithm DSA Finite State Model FSM Galois Counter Mode GCM Hash Message Authentication Code HMAC Known Answer Test KAT Message Authentication Code MAC National Institute of Science and Technology NIST Output Feedback OFB Operating System O/S Random Number Generator RNG Rivest, Shamir, Addleman RSA Secure Hash Algorithm SHA Secure Hash Standard SHS Scenario Verification Testing SVT Triple DES TDES 18 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice. CoCo Cryptographic Module FIPS 140-2 Security Policy 13 References [1] FIPS 140-2 Standard, [2] FIPS 140-2 Implementation Guidance, [3] FIPS 140-2 Derived Test Requirements, [4] FIPS 197 Advanced Encryption Standard, [5] FIPS 180-4 Secure Hash Standard, [6] FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC), [7] NIST SP 800-38C Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, [8] NIST SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800- 38D.pdf 19 ©2012 CoCo Communications Corp. This document can be reproduced and distributed only whole and intact, including this copyright notice.