3e Technologies International (3eTI) FIPS 140-2 Non-Proprietary Security Policy

3e Technologies International, Inc.
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation

3e-636M-HSE CyberFence Cryptographic Module
HW Version (1.0)
FW Version (5.0)

Security Policy Version 1.3
February 2015

Copyright ©2014 by 3e Technologies International. This document may freely be reproduced and distributed in its entirety.

Revision History

| Date | Document Version | Description | Author(s) |
|---|---|---|---|
| 10-June-2014 | 1.0 | For External Release | Chris Guo |
| September-15-2014 | 1.1 | Updated after Cygnacom review | Chris Guo |
| September-19-2014 | 1.2 | Updated for release to CMVP | Chris Guo |
| February-23-2015 | 1.3 | Updated after NIST review | Chris Guo |

Table of Contents

1. Introduction
    1.1 Cryptographic Module Definition
    1.2 Cryptographic Module Validation
2. Ports & Interfaces
3. Roles & services
    3.1 End User role
    3.2 Crypto Officer and Administrator Roles
4. Operational Environment
5. Cryptographic Algorithms
6. Cryptographic Keys and SRDIs
7. Self-Tests
8. Tamper Evidence
9. Secure Rules & Configuration
10. Design Assurance
11. Mitigation of Other Attack

1. Introduction

This is a non-proprietary Cryptographic Module Security Policy for the 3e-636M-HSE CyberFence Cryptographic Module from 3e Technologies International. This Security Policy describes how the 3e-636M-HSE meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules.

1.1 Cryptographic Module Definition

The 3e-636M-HSE Crypto Module primarily acts as an inline encryptor device. Using AES/Triple-DES encryption, it secures IEEE 802.3 MAC layer data between nodes in a local area network or across multiple Virtual Local Area Networks (VLANs). Furthermore, it employs firewall and packet inspection to provide defense-in-depth capabilities to prevent malicious attacks.
The crypto module includes one FreeScale PowerQUICC 8378E processor as a multi-function host processor, network processor, and cryptographic processor. The cryptographic module consists of electronic hardware, embedded firmware and enclosure. It is a multiple-chip embedded module for the purposes of FIPS 140-2. Figure 1 below shows a picture of the 3e-636M-HSE Crypto Module:

Figure 1 – 3e-636M-HSE Crypto Module

The critical circuits of the 3e-636M-HSE Crypto Module are enclosed in a tamper-resistant opaque metal enclosure, protected by tamper evidence tape intended to provide physical security. The module’s cryptographic boundary is the metal enclosure. The components attached to the underside of the PCB and the components (RTC, reset delay chip, logic gates, and resistors, underside of chip pads, impedance beads and capacitors) are outside the cryptographic boundary and non-security relevant.

1.2 Cryptographic Module Validation

The module is validated at the FIPS 140-2 Section levels listed in Table 1 below. The overall security level of the module is 2.

| Section | Section Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 2 |
| 2 | Cryptographic Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 2 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key Management | 2 |
| 8 | EMI/EMC | 2 |
| 9 | Self-tests | 2 |
| 10 | Design Assurance | 3 |
| 11 | Mitigation of Other Attacks | N/A |

Table 1: Module Security Level

2. Ports & Interfaces

The 3e-636M-HSE Crypto Module contains a simple set of interfaces, as shown in Figure 2 below:

Figure 2 – 3e-636M-HSE Crypto Module High Level Block Diagram (block labels: Freescale MPC8378E; two G-bit Enet PHYs on RGMII/SGMII; Ethernet Interface Header; Configuration EEPROM; Real Time Clock; Random Noise Generator; Local Bus; Flash Memory; GPIO; DDR2 SDRAM; NVRAM; Power Input & I/O Header; crypto boundary enclosed in metal shield)

The logical ports:

a. Status output: Ethernet port pins and GPIO (LED) connector pins
b. Data output: Ethernet port pins
c. Data input: Ethernet port pins
d. Control input: Ethernet port pins
e. Power input pin

3. Roles & services

The module supports three separate roles. There are two operator roles and one end user role. The set of services available to each role is defined in this section.

The following table identifies the strength of authentication for each authentication mechanism supported:

| Role | Authentication Mechanism | Strength of Mechanism |
|---|---|---|
| Crypto Officer | Identity-based, Username and password | (8-30 chars) Minimum 8 characters => 1:94^8 = 1.641E-16 |
| Administrator | Identity-based, Username and password | (8-30 chars) Minimum 8 characters => 1:94^8 = 1.641E-16 |
| End User | Role-based, Encryption/Decryption Key | 128/192/256 bits key for AES, 168 bits key for Triple-DES (equivalent to 112 bits strength) |

Table 2: Authentication & Strength of Authentication

The module halts (introduces a delay) for one second after each unsuccessful authentication attempt by Crypto Officer or Administrator. The highest rate of authentication attempts to the module is one attempt per second. This translates to 60 attempts per minute.
Therefore the probability that multiple attempts to use the module's authentication mechanism succeed during a one-minute period is 60/(94^8), or less than 9.84E-15.

The module does allow the Crypto Officer to configure a particular VLAN into bypass mode; in that case, the End User device on that VLAN is not authenticated by the module. The End User does not use any cryptographic services of the module either. Data in plaintext form is passed from one port to another.

3.1 End User role

The end user of the device can send or receive data to and from the module. The End User can only use the cryptographic service and cannot configure the device. The End User is authenticated via its possession of the symmetric encryption key.

Using conservative estimates, for an end user possessing the 112 bit symmetric key (Triple-DES 192 bits key), the probability for a random attempt to succeed is 1:2^112. The fastest network connection supported by the module is 1 Gbps. Hence at most 1 × 10^9 × 60 = 6 × 10^10 (60,000,000,000) bits of data can be transmitted in one minute. The number of possible attacks per minute is 6 × 10^10 / 112. Therefore, the probability that a random attempt will succeed or a false acceptance will occur in one minute is less than 1:(2^112 × 112 / (60 × 10^9)), which is less than 1 in 100,000 as required by FIPS 140-2.

When the device is in End User role, authentication of the End User is performed via its possession of the symmetric key. A per-packet integrity check can optionally be turned on by using HMAC-SHA1 or AES_CCM.

3.2 Crypto Officer and Administrator Roles

When a Crypto Officer or Administrator logs into the module using a username and a password through an HTTP over TLS secure channel, the device assumes the role of a Crypto Officer or Administrator.
The Crypto Officer is responsible for performing all cryptographic configurations for the module, which include loading the Web Server certificate and private key, inputting VLAN encryption keys, setting Firewall and deep packet inspection policies, managing Administrator users, uploading new firmware and bootloader, setting the password policy, performing self-tests on demand, and performing key zeroization. The Administrator user can configure non-security related parameters of the system such as host name and IP address, view status, and reset the module to factory default settings.

The following table describes the 3e-636M-HSE services, including purpose and functions, and the details about the service:

Table 3: Services and User Access

| Service and Purpose | Details | Crypto Officer | Administrator | End User |
|---|---|---|---|---|
| Input of Keys | Per VLAN encryption key, SNMPv3 encryption key, SNMPv3 authentication key | X | | |
| Input Web server certificate and private key | Web server certificate, certificate private key and root certificate | X | | |
| Configure VLAN into bypass mode | Configure a particular VLAN into bypass mode, under which the end user is not authenticated to the module nor does it use any cryptographic service of the module. The data is passed from one port to another | X | | |
| Create and manage Administrator user | Support up to 5 administrator users | X | | |
| Change administrator password | Administrator change his own password only | X | X | |
| Change password of Crypto Officer | Crypto Officer change his own password | X | | |
| Show system status | View traffic status, VLAN configurations (VLAN encryption mode or bypass mode) and systems log excluding security audit log | X | X | |
| Reboot | Zeroize all keys in RAM | X | X | |
| Factory default | Delete all configurations and set device back to factory default state | X | X | |
| Perform Self Test | Run algorithm KAT | X | X | |
| Load New Firmware | Upload 3eTI digital signed firmware | X | | |
| SNMP Management | All SNMP setting including SNMPv3 encryption key, SNMPv3 authentication key | X | X | |
| VLAN data encryption & decryption | Module performs data encryption/decryption for each End User VLAN | | | X |
| VLAN Bypass | | | | X |

The table below shows the services and their access rights to the Critical Security Parameters (CSPs).

Table 4: CSPs and Access by Services

| Service and Purpose | CSPs | Access |
|---|---|---|
| Input of Keys | Per VLAN data encryption key, SNMPv3 encryption key, SNMPv3 authentication key | Write |
| Input Module Web server certificate and private key | Web Server certificate, private key | Read and Write |
| Configure VLAN into bypass mode | Per VLAN data encryption key | Write (zeroize prior keys) |
| Create and manage Administrator user | Administrator Password | Read and Write |
| Change administrator password | Crypto Officer, Administrator | Read and Write |
| Change password of Crypto Officer | Crypto Officer password | Read and Write |
| Show system status | None | None |
| Reboot | All | Write |
| Factory default | Delete all configurations and set device back to factory default state | Write |
| Perform Self Test | None | None |
| Load new firmware | Firmware signing public key | Read |
| SNMP management | SNMPv3 encryption key, SNMPv3 authentication key, SNMP Community Name | Read |
| VLAN data encryption & decryption | Per VLAN data encryption key | Execute |
| VLAN Bypass | None | N/A |

4. Operational Environment

The crypto module firmware runs on the FreeScale PowerQUICC 8378E processor. The firmware is embedded within the module and is limited-modifiable, in that an operator cannot reconfigure the internal firmware to add, delete or modify functionality. 3eTI allows a single case in which firmware can ever be modified: an upload image can be loaded if a bug is found or an enhancement to the 3e-636M-HSE needs to be added. The current version of the firmware is 5.0. The module uses a digital signature to validate the uploaded firmware. Non-validated firmware will result in an invalidated module.

5. Cryptographic Algorithms

The product supports the following FIPS-approved cryptographic algorithms. The algorithms are listed below, along with their corresponding CAVP certificate numbers.

3e Technologies International Inc. 3eTI OpenSSL Algorithm Implementation 1.0.1-a

| Algorithm | CAVP Certificate |
|---|---|
| Triple-DES | #1327 |
| AES | #2060 |
| SHS | #1801 |
| RSA | #1491 |
| HMAC | #1253 |
| ECDSA verify with P256 | #303 |
| RNG | #1076 |
| CVL (TLS 1.0/1.1/1.2 with SHA-256/SHA-384) | #285 |

The TLS KDF is CAVP validated; however, the TLS protocol is neither reviewed nor tested by CMVP or CAVP.

3e Technologies International Inc. 3e-520 Accelerated Crypto Core 1.0

| Algorithm | CAVP Certificate |
|---|---|
| Triple-DES | #1329 |
| AES (ECB, CBC, CCM) | #2078 |
| SHS | #1807 |
| HMAC | #1259 |

The product supports the following non-Approved cryptographic algorithms:

• MD5
• NDRNG
• RSA (key wrapping; key establishment methodology provides 112-128 bits of encryption strength)
• Triple-DES (Cert. #1327, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
• AES (Cert. #2060, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength)
• SNMPv3 KDF (non-compliant)

6. Cryptographic Keys and SRDIs

All keys are entered encrypted using HTTP over TLS through the Module Web interface. Below is the Cryptographic Key and Security Relevant Data Item (SRDI) table:

Table 5: SRDI Table

Non-Protocol Keys/CSPs

| Key/CSP | Type | Generation/Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Operator passwords | ASCII string | Input encrypted (using TLS session key) | Not output | PKCS5 hash in flash | Zeroized when reset to factory settings. | Used to authenticate CO and Admin role operators |
| Firmware verification key | ECDSA public key (256 bits) | Embedded in firmware at compile time. Firmware upgrade is through encrypted (using TLS session key) | Not output | Plaintext in flash | Zeroized when firmware is upgraded. | Used for firmware digital signature verification |
| SNMPv3 authentication keys | HMAC key (ASCII string, 128-256 bits) | Input encrypted (using TLS session key) | Not output | Ciphertext in flash, encrypted with “system config AES key” | Zeroized when reset to factory settings. | Use for SNMP message authentication in non-FIPS mode only |
| SNMPv3 encryption key | 90 bits AES key | Input encrypted (using TLS session key) | Not output | Ciphertext in flash, encrypted with “system config AES key” | Zeroized when reset to factory settings. | Use for SNMP message encryption in non-FIPS mode only |
| system config AES key (256 bit) | AES key (HEX string) | Hardcoded in FLASH | Not output | Plaintext in FLASH | Zeroized when firmware is upgraded. | Used to encrypt the configuration file |

RNG Keys/CSPs

| Key/CSP | Type | Generation/Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| FIPS ANSI X9.31 RNG Seed Key | 16-byte value | 16 bytes from /dev/hw_random which is fed by hardware noise generator | Not output | Plaintext in RAM | Zeroized every time a new random number is generated using the FIPS PRNG after it is used. | Used to initialize FIPS RNG |
| RNG Seed | 16-byte value | 16 bytes from /dev/hw_random which is fed by hardware noise generator | Not output | Plaintext in RAM | Zeroized every time a new random number is generated using the FIPS PRNG after it is used. | Used as seed for FIPS RNG. |

VLAN Data Encryption

| Key/CSP | Type | Generation/Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| VLAN Data Encryption key (one per VLAN, up to 16 VLANs) | 128/192/256 bits AES symmetric key or 192 bits Triple-DES symmetric key | Input encrypted (using TLS session key) | Not output | Ciphertext in flash, encrypted with “system config AES key” | Zeroized at factory default reset | Used to encrypt/decrypt data per VLAN |
| HMAC-SHA1 key | 160 bits key | Input encrypted (using TLS session key) | Not output | Ciphertext in flash, encrypted with “system config AES key” | Zeroized at factory default reset | Used to generate keyed digest for the encrypted VLAN data, adding integrity for AES/Triple-DES ECB or CBC mode. |

RFC 2818 HTTPS Keys/CSPs

| Key/CSP | Type | Generation/Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Web Server private key | RSA (2048/3072) (key wrapping; key establishment methodology provides 112-128 bits of encryption strength) | Installed at factory, can be loaded by Crypto Officer. Input encrypted (using TLS session key) | Not output | Plaintext in flash | Zeroized when new private key is uploaded | Used to support CO and Admin HTTPS interfaces. |
| TLS session key for encryption | Triple-DES (192), AES (128/192/256) | Not input, derived using TLS protocol | Not output | Plaintext in RAM | Zeroized when a page of the web GUI is served after it is used. | Used to protect HTTPS session. |

Public Security Parameter

| Key/CSP | Type | Generation/Input | Output | Storage | Zeroization | Use |
|---|---|---|---|---|---|---|
| Web Server Public certificate | RSA (2048/3072) | Installed at factory, can be loaded by Crypto Officer. Input encrypted (using TLS session key) | During TLS session setup | Plaintext in flash | Zeroized when new certificate is loaded | Used to setup TLS session for HTTPS |
| Web Server root certificate | RSA (2048/3072/4096) | Installed at factory, can be loaded by Crypto Officer. Input encrypted (using TLS session key) | Not output | Plaintext in flash | Zeroized when new root certificate is loaded | Used to setup TLS session for HTTPS |

7. Self-Tests

The 3e-636M-HSE Accelerated Crypto Module performs the following power-on self-tests:

Firmware Integrity Test

• Bootloader Integrity Test
• Firmware Integrity Test

FreeScale PowerQUICC Crypto Engine Power-on self-tests:

• AES ECB encrypt KAT
• AES ECB decrypt KAT
• AES CBC encrypt KAT
• AES CBC decrypt KAT
• Triple-DES CBC encrypt KAT
• Triple-DES CBC decrypt KAT
• Triple-DES ECB encrypt KAT
• Triple-DES ECB decrypt KAT
• AES_CCM encrypt KAT
• AES_CCM decrypt KAT
• SHA-1 KAT
• HMAC SHA-1, SHA224, SHA256, SHA384, SHA512 KAT

3eTI OpenSSL library Power-on self-tests:

• AES ECB encrypt KAT
• AES ECB decrypt KAT
• Triple-DES CBC encrypt KAT
• Triple-DES CBC decrypt KAT
• HMAC SHA-1, SHA224, SHA256, SHA384, SHA512 KAT
• SHA-1 KAT
• ANSI X9.31 RNG KAT
• RSA sign KAT
• RSA verify KAT

After the device is powered on, the first thing the bootloader does is check its own integrity. If the integrity check fails, the firmware will not boot. The firmware integrity check is performed at firmware boot-up. Both firmware and bootloader are digitally signed with ECDSA. For a firmware upgrade via the Web GUI, the firmware’s digital signature is verified via ECDSA prior to its acceptance. If the ECDSA verification fails, the firmware upload will be rejected.
Conditional self-tests:

• Continuous Random Number Generator Test (CRNGT) on Approved RNG
• Continuous Random Number Generator Test (CRNGT) on NDRNG
• Firmware load test
• VLAN bypass test

Upon failure of a power-on self-test or conditional test, the system will halt and the module will not be operable. The status output LED GPIO pins will be set high to indicate the system halt condition.

8. Tamper Evidence

The cryptographic boundary is protected by two self-destructive tamper evidence tapes, as shown in the figure below.

Figure 3 – 3e-636M-HSE Crypto Module Tamper Evidence Tape

Tamper evidence tapes are applied to the module at manufacturing time. The Crypto Officer is responsible for checking the tamper evidence tapes. It is recommended that the Crypto Officer inspect the tamper evidence every 6 months.

Checking for Tamper Evidence

Tamper evidence tapes should be checked for nicks and scratches that make the metal case visible through the nicked or scratched seal.

Tamper evidence tapes may show any of the following as evidence of tampering or removal:

• Tape is not present in the positions prescribed (as shown above)
• Tape has been cut
• Tape is not stuck down well, or loose
• Self-destruction of the tape (broken bits or shreds) present, as from an attempted removal
• Tracking numbers do not match those recorded

In case of notification of tamper evidence, the Crypto Officer shall not power on this module and shall contact 3eTI for factory repair.

9. Secure Rules & Configuration

Security Rules

The following product security rules must be followed by the operator in order to ensure secure operation:

1. The Crypto Officer shall not share any key or SRDI used by the product with any other operator or entity.
2. The Crypto Officer is responsible for inspecting the tamper evidence tapes. Other signs of tamper include wrinkles, tears and marks on or around the tape.
3. The Crypto Officer shall change the default password when configuring the product for the first time. The default password shall not be used. The module firmware also enforces the password change upon the Crypto Officer’s first login.
4. The Crypto Officer shall log in to make sure CSPs and keys are configured and applied in the device.
5. The Crypto Officer shall make sure the key size of the Web server certificate is equal to or greater than 2048 bits.
6. The Crypto Officer shall make sure SNMP is disabled.

Security Configuration

The Crypto Officer shall properly configure the module following the steps listed below:

1. Log in to the module over HTTPS and change the default password (if this is the first time of use).
2. Configure the VLAN encryption keys.
3. Configure the Web Server certificate and private key.

After configuration of the above items, reboot the device; the device will come back up operating in the full approved mode of operation.

10. Design Assurance

All source code and design documentation for this module are stored in the version control system CVS. The module is coded in C, with the module’s components directly corresponding to the security policy’s rules of operation. A Functional Specification is also provided.

11. Mitigation of Other Attack

The module does not mitigate other attacks.
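The continuous random number generator test (CRNGT) listed under the conditional self-tests in Section 7, shown in C as an added example that is not 3eTI's firmware code: the first block after initialization is stored but never output, every later block is compared with its predecessor, and a repeat latches an error state. The names (crngt_*, demo_*) and the 16-byte block size are assumptions, the test source is constructed, and the latched state stands in for the halt and LED signal the policy describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRNGT_BLOCK 16   /* assumed block size; Table 5 lists 16-byte RNG values */
enum { CRNGT_OK = 0, CRNGT_HALTED = -1 };

/* Hypothetical source callback: fills one block, returns 0 on success. */
typedef int (*rng_source_fn)(uint8_t out[CRNGT_BLOCK], void *ctx);

typedef struct {
    rng_source_fn source;
    void *ctx;
    uint8_t prev[CRNGT_BLOCK];   /* last block drawn, kept for comparison */
    int primed, halted;          /* first block stored yet; latched failure */
} crngt_t;

void crngt_init(crngt_t *t, rng_source_fn source, void *ctx) {
    *t = (crngt_t){ .source = source, .ctx = ctx };
}

/* Compare whole blocks without an early exit on the first differing byte. */
static int blocks_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < CRNGT_BLOCK; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Deliver one tested block in out, or CRNGT_HALTED once the test has failed. */
int crngt_next(crngt_t *t, uint8_t out[CRNGT_BLOCK]) {
    uint8_t cur[CRNGT_BLOCK];
    if (t->halted) return CRNGT_HALTED;
    if (!t->primed) {            /* first block is stored, never output */
        if (t->source(t->prev, t->ctx) != 0) { t->halted = 1; return CRNGT_HALTED; }
        t->primed = 1;
    }
    if (t->source(cur, t->ctx) != 0 || blocks_equal(cur, t->prev)) {
        t->halted = 1;           /* repeated block or source error: stay halted */
        return CRNGT_HALTED;
    }
    memcpy(t->prev, cur, CRNGT_BLOCK);
    memcpy(out, cur, CRNGT_BLOCK);
    return CRNGT_OK;
}

/* Constructed source: emits blocks 1, 2, 3, ... then repeats block stuck_at. */
typedef struct { uint32_t next, stuck_at; } demo_src_t;
static int demo_source(uint8_t out[CRNGT_BLOCK], void *ctx) {
    demo_src_t *s = ctx;
    memset(out, (int)s->next, CRNGT_BLOCK);   /* block filled with the counter */
    if (s->next < s->stuck_at) s->next++;
    return 0;
}

/* How many of `draws` requests deliver a block before the test halts. */
int demo_run(uint32_t stuck_at, int draws) {
    demo_src_t src = { 1, stuck_at };
    crngt_t t;
    uint8_t out[CRNGT_BLOCK];
    int delivered = 0;
    crngt_init(&t, demo_source, &src);
    for (int i = 0; i < draws; i++) delivered += (crngt_next(&t, out) == CRNGT_OK);
    return delivered;
}

int main(void) {
    printf("healthy: %d/10, stuck at block 3: %d/10\n", demo_run(255, 10), demo_run(3, 10));
    return 0;
}
```

A source that sticks at its third block delivers only two blocks: the first is consumed for priming, the second and third are delivered, and the repeated third trips the test.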