Cisco Aironet 1142, 1262, 1532e/i, 1552e/i, 1572, 1602e/i, 1702, 2602e/i, 2702e/i, 3502e/i, 3602e/i/p and 3702e/i/p Wireless LAN Access Points FIPS 140-2 Non Proprietary Security Policy Level 2 Validation Version 0.6 August 3, 2015 © Copyright 2012 Cisco Systems, Inc. 1 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Table of Contents 1 INTRODUCTION .................................................................................................................. 3 1.1 PURPOSE ............................................................................................................................. 3 1.2 MODELS ............................................................................................................................. 3 1.3 MODULE VALIDATION LEVEL ............................................................................................ 4 1.4 REFERENCES ....................................................................................................................... 4 1.5 TERMINOLOGY ................................................................................................................... 5 1.6 DOCUMENT ORGANIZATION ............................................................................................... 5 2 CISCO AIRONET 1142, 1262, 1532E/I, 1552E/I, 1572, 1602E/I, 1702, 2602E/I, 2702E/I, 3502E/I, 3602E/I/P AND 3702E/I/P WIRELESS LAN ACCESS POINTS ............................. 5 2.1 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS .................................................. 6 2.2 MODULE INTERFACES ......................................................................................................... 6 2.3 ROLES AND SERVICES ....................................................................................................... 27 2.4 UNAUTHENTICATED SERVICES ......................................................................................... 29 2.5 PHYSICAL SECURITY ........................................................................................................ 29 2.6 CRYPTOGRAPHIC ALGORITHMS ........................................................................................ 63 2.7 CRYPTOGRAPHIC KEY MANAGEMENT .............................................................................. 64 2.8 SELF-TESTS ...................................................................................................................... 68 POWER ON SELF-TESTS PERFORMED: ......................................................................................... 68 3 SECURE OPERATION OF THE CISCO AIRONET ACCESS POINTS .................... 69 © Copyright 2013 Cisco Systems, Inc. 2 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 Introduction 1.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Cisco Aironet 1142, 1262, 1532e/i, 1552e/i, 1572, 1602e/i, 1702, 2602e/i, 2702e/i, 3502e/i, 3602e/i/p and 3702e/i/p Wireless LAN Access Points, Firmware version 8.0 with IC2M v2.0 referred to in this document as Access Points (APs). This security policy describes how the modules meet the security requirements of FIPS 140-2 Level 2 and may be freely distributed. 1.2 Models Cisco Aironet 1142 Access Point with Marvell 88W8363P (HW: 1142) Cisco Aironet 1262 Access Point with Marvell 88W8364 (HW: 1262) Cisco Aironet 1532e Access Point with Qualcomm Atheros AES-128w10i (HW: 1532e) Cisco Aironet 1532i Access Point with Qualcomm Atheros AES-128w10i (HW: 1532i) Cisco Aironet 1552e Access Point with Marvell 88W8364 (HW: 1552e) Cisco Aironet 1552i Access Point with Marvell 88W8364 (HW: 1552i) Cisco Aironet 1572 Access Point with Marvell 88W8764C (HW: 1572) Cisco Aironet 1602e Access Point with Marvell 88W8763C (HW: 1602e) Cisco Aironet 1602i Access Point with Marvell 88W8763C (HW: 1602i) Cisco Aironet 1702 Access Point with Marvell 88W8764C (HW: 1702) Cisco Aironet 2602e Access Point with Marvell 88W8764C (HW: 2602e) Cisco Aironet 2602i Access Point with Marvell 88W8764C (HW: 2602i) Cisco Aironet 2702e Access Point with Marvell 88W8764C (HW: 2702e) Cisco Aironet 2702i Access Point with Marvell 88W8764C (HW: 2702i) Cisco Aironet 3502e Access Point with Marvell 88W8364 (HW: 3502e) Cisco Aironet 3502i Access Point with Marvell 88W8364 (HW: 3502i) Cisco Aironet 3602e Access Point with Marvell 88W8764C (HW: 3602e) with Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module (HW: AIR- RM3000M) Cisco Aironet 3602p Access Point with Marvell 88W8764C (HW: 3602p) with Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module (HW: AIR- RM3000M) Cisco Aironet 3602i Access Point with Marvell 88W8764C (HW: 3602i) with Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module (HW: AIR- RM3000M) Cisco Aironet 3702e Access Point with Marvell 88W8764C (HW: 3702e) with Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module (HW: AIR- RM3000M) Cisco Aironet 3702i Access Point with Marvell 88W8764C (HW: 3702i) with Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module (HW: AIR- RM3000M) © Copyright 2013 Cisco Systems, Inc. 3 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Cisco Aironet 3702p Access Point with Marvell 88W8764C (HW: 3702p) with Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module (HW: AIR- RM3000M) Please notice that if any substitutions or modifications to the particular hardware versions (e.g., Marvell hardware) listed above in any way would void the validation of the subject module. Please note that Cisco AIR-RM3000M Wireless Security and Spectrum Intelligence Module listed above is referred to the AIR-RM3000M monitor module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html. 1.3 Module Validation Level The following table lists the level of validation for each area in the FIPS PUB 140-2. No. Area Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key management 2 8 Electromagnetic Interface/Electromagnetic Compatibility 2 9 Self-Tests 2 10 Design Assurance 2 11 Mitigation of Other Attacks N/A Overall Overall module validation level 2 Table 1 Module Validation Level 1.4 References This document deals only with operations and capabilities of the Cisco Aironet 1142, 1262, 1532e/i, 1552e/i, 1572, 1602e/i, 1702, 2602e/i, 2702e/i, 3502e/i, 3602e/i/p and 3702e/i/p Wireless LAN Access Points cryptographic module security policy. More information is available on the routers from the following sources: The Cisco Systems website contains information on the full line of Cisco Systems security. Please refer to the following website: © Copyright 2013 Cisco Systems, Inc. 4 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet 0900aecd802930c5.html http://www.cisco.com/en/US/products/ps6120/index.html For answers to technical or sales related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com. The NIST Validated Modules website (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains contact information for answers to technical or sales-related questions for the module. 1.5 Terminology In this document, the Cisco Aironet 1142, 1262, 1532e/i, 1552e/i, 1572, 1602e/i, 1702, 2602e/i, 2702e/i, 3502e/i, 3602e/i/p and 3702e/i/p Wireless LAN Access Points are referred to as access points, APs or the modules. 1.6 Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Machine Other supporting documentation as additional references This document provides an overview of the Cisco Aironet 1142, 1262, 1532e/i, 1552e/i, 1572, 1602e/i, 1702, 2602e/i, 2702e/i, 3502e/i, 3602e/i/p and 3702e/i/p Wireless LAN Access Points and explains the secure configuration and operation of the module. This introduction section is followed by Section 2, which details the general features and functionality of the appliances. Section 3 specifically addresses the required configuration for secure operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non- disclosure agreements. For access to these documents, please contact Cisco Systems. 2 Cisco Aironet 1142, 1262, 1532e/i, 1552e/i, 1572, 1602e/i, 1702, 2602e/i, 2702e/i, 3502e/i, 3602e/i/p and 3702e/i/p Wireless LAN Access Points Get industry-leading performance with Cisco Aironet access points for highly secure and reliable wireless connections for both indoor and outdoor environments. Cisco offers a broad portfolio of access points targeted to the specific needs of all industries, business types, and topologies. Cisco Aironet access points can be deployed in a distributed or centralized network for a branch office, campus, or a large enterprise. To help ensure an exceptional end-user experience on the wireless network, they provide a variety of capabilities, including: © Copyright 2013 Cisco Systems, Inc. 5 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Cisco CleanAir Technology, for a self-healing, self-optimizing network that avoids RF interference Cisco ClientLink to improve reliability and coverage for existing clients Cisco BandSelect to improve 5 GHz client connections in mixed client environments Cisco VideoStream, which uses multicast to improve multimedia applications Whether you need entry-level wireless for a small enterprise or mission-critical coverage at thousands of locations, Cisco Aironet is the solution you have been looking for. The Cisco® Wireless Security module (WSM) AIR-RM3000M, taking advantage of the flexible modular design introduced with the Cisco Aironet® 3602 Series Access Points and carried forward with the Cisco Aironet® 3702 Series Access Points, delivers unprecedented, always-on security scanning and spectrum intelligence, which helps you avoid RF interference so that you get better coverage and performance on your wireless network. 2.1 Cryptographic Module Physical Characteristics Each access point is a multi-chip standalone security appliance, and the cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case. 2.2 Module Interfaces The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical interfaces: data input, data output, control input, status output, and power. The logical interfaces and their mapping are described in the following tables: Router Physical Interface FIPS 140-2 Logical Interface 802.11a/b/g/n Radio Data Input Interface 802.11a/b/g/n Radio Data Output Interface 802.11a/b/g/n Radio, Ethernet port Control Input Interface 802.11a/b/g/n Radio, LEDs, Ethernet Port Status Output Interface Power Plug Power Interface Module Physical Interface/Logical Interface Mapping © Copyright 2013 Cisco Systems, Inc. 6 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 1 - Cisco Aironet 1142 Front Figure 2 - Cisco Aironet 1142 Rear © Copyright 2013 Cisco Systems, Inc. 7 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 3 - Cisco Aironet 1142 Ports and interfaces Figure 4 - Cisco Aironet 1262 Top view © Copyright 2013 Cisco Systems, Inc. 8 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 5 - Cisco Aironet 1262 Bottom view © Copyright 2013 Cisco Systems, Inc. 9 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 6 - Cisco Aironet 1532i/e Top view © Copyright 2013 Cisco Systems, Inc. 10 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 7a - Cisco Aironet 1532i Bottom view Figure 7b - Cisco Aironet 1532e Bottom view © Copyright 2013 Cisco Systems, Inc. 11 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 8a - Cisco Aironet 1552e Top view Figure 8b - Cisco Aironet 1552i Top view © Copyright 2013 Cisco Systems, Inc. 12 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 9a - Cisco Aironet 1552e Bottom view Figure 10 - Cisco Aironet 1552i Bottom view © Copyright 2013 Cisco Systems, Inc. 13 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 11 - Cisco Aironet 1572 Front view Figure 12 - Cisco Aironet 1572 Rear view © Copyright 2013 Cisco Systems, Inc. 14 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 13 - Cisco Aironet 1572 Left view Figure 14 - Cisco Aironet 1572 Right view © Copyright 2013 Cisco Systems, Inc. 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 15a - Cisco Aironet 1602i Top view © Copyright 2013 Cisco Systems, Inc. 16 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 15b - Cisco Aironet 1602e Top view © Copyright 2013 Cisco Systems, Inc. 17 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 16 - Cisco Aironet 1602i/e Bottom view © Copyright 2013 Cisco Systems, Inc. 18 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 17 - Cisco Aironet 1702 Top view Figure 18 - Cisco Aironet 1702 Bottom view © Copyright 2013 Cisco Systems, Inc. 19 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 19a - Cisco Aironet 2602e Top view Figure 19b - Cisco Aironet 2602i Top view © Copyright 2013 Cisco Systems, Inc. 20 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 20 - Cisco Aironet 2602i/e Bottom view Figure 21a - Cisco Aironet 2702e Top view © Copyright 2013 Cisco Systems, Inc. 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 21b - Cisco Aironet 2702i Top view Figure 22 - Cisco Aironet 2702i/e Bottom view © Copyright 2013 Cisco Systems, Inc. 22 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 23a - Cisco Aironet 3702e/p with the AIR-RM3000M monitor module top view Figure 23b - Cisco Aironet 3702i with the AIR-RM3000M monitor module top view © Copyright 2013 Cisco Systems, Inc. 23 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 24 - Cisco Aironet 3702i/e/p with the AIR-RM3000M monitor module bottom view Figure 25a - Cisco Aironet 3502e Top view © Copyright 2013 Cisco Systems, Inc. 24 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 25b - Cisco Aironet 3502i Top view Figure 26 - Cisco Aironet 3502i/e Bottom view © Copyright 2013 Cisco Systems, Inc. 25 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 27a - Cisco Aironet 3602e/p with the AIR-RM3000M monitor module top view Figure 27b - Cisco Aironet 3602i with the AIR-RM3000M monitor module top view © Copyright 2013 Cisco Systems, Inc. 26 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 28 - Cisco Aironet 3602i/e/p with the AIR-RM3000M monitor module bottom view 2.3 Roles and Services The module supports the roles of Crypto Officer and User. The CO role is fulfilled by the wireless LAN controller on the network that the module communicates with, and performs routine management and configuration services, including loading session keys and zeroization of the module. The User role is fulfilled by wireless clients. The module does not support a maintenance role. CO Authentication The Crypto Officer (Wireless LAN Controller) authenticates to the module through the CAPWAP protocol, using an RSA key pair with 2048 bits modulus, which has an equivalent symmetric key strength of 112 bits. An attacker would have a 1 in 2^112 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140- 2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 7.9x10^23 attempts per minute, which far exceeds the operational capabilities of the modules to support. © Copyright 2013 Cisco Systems, Inc. 27 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. User Authentication The module performs mutual authentication with a wireless client through EAP-TLS or EAP- FAST protocols. EAP-FAST is based on EAP-TLS and uses EAP-TLS key pair and certificates. The RSA key pair for the EAP-TLS credentials has modulus size of 1024 bits or 2048 bits, thus providing 80 bits or 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8 x 10^21 attempts per minute, which far exceeds the operational capabilities of the modules to support. Please notice that RSA used in CO role (RSA 2048 bits) or User role (RSA 1024 bits or 2048 bits) authentication above only performs RSA signature verification. More information can be obtained in section 2.6 in this document. User Services The services available to the User role consist of the following: Services & Description Keys & CSPs Access Run Network MFP N/A (No keys/CSPs are accessible) Functions Validating one AP with a neighboring AP's management frames using infrastructure MFP Encrypt and sign management frames between AP and wireless client using client MFP CCKM Establishment and subsequent data transfer of a CCKM session for use between the wireless client and the AP. 802.11i Establishment and subsequent data transfer of an 802.11i session for use between the wireless client and the AP. Table 2 - User Services Crypto Officer Services The Crypto Officer services consist of the following: Services & Access Description Keys & CSPs Configure the AP Configure the AP based on the steps detailed N/A (no keys/CSPs are accessible) in section 3 (Secure Operation of the Cisco Aironet Access Points) of this document. © Copyright 2013 Cisco Systems, Inc. 28 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. View Status Functions View the configuration, routing tables, active N/A (no keys/CSPs are accessible) sessions, memory status, packet statistics, review accounting logs, and view physical interface status. Manage the AP Log off users, view complete configurations, N/A (no keys/CSPs are accessible) view full status, manage user access, and restore configurations. Perform Self-Tests Execute Known Answer Test on Algorithms N/A (no keys/CSPs are accessible) within the cryptographic module. DTLS Data Encrypt Enabling DTLS data path encryption between DTLS Pre-Master Secret, DTLS controller and AP. Master Secret, DTLS Encryption Key (CAPWAP session key), DTLS Integrity Key, Infrastructure MFP MIC Key ­ (w, d) Configure 802.11i Establishment and subsequent data transfer of 802.11i Pairwise Transient Key an 802.11i session for use between the client (PTK), 802.11i Group Temporal and the access point. Key (GTK), Key Confirmation Key (KCK) Key Encryption Key (KEK), CCKM Pairwise Transient Key (PTK) ­ (w, d) Zeroization Zeroize CSPs and cryptographic keys by All Keys and CSPs will be destroyed calling `switchconfig key-zeroize controller' command or cycling power (shutdown and reload) to zeroize all cryptographic keys stored in SDRAM. The CSPs (Cisco Mfg CA publc key and Cisco root CA public key) stored in Flash can be zeroized by overwriting with a new value. Table 3 - Crypto Officer Services (w = write, d = delete) Please note that the detailed cryptographic algorithms actively used by each Key or CSP associated with each service listed in Tables 2 and 3 are detailed in Table 5 in this document. 2.4 Unauthenticated Services An unauthenticated operator may observe the System Status by viewing the LEDs on the module, which show network activity and overall operational status. A solid green LED indicates normal operation and the successful completion of self-tests. The module does not support a bypass capability. 2.5 Physical Security This section describes placement of tamper-evident labels on the module. Labels must be placed on the device(s) and maintained by the Crypto Officer in order to operate in a FIPS approved state. Please note that the placement of tamper-evident labels on the module is not required for FIPS 140 security Level 1 deployments. For FIPS 140 security level 2 scenarios, the tamper- evident labels are required to meet physical security requirements. © Copyright 2013 Cisco Systems, Inc. 29 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. The APs (Access Points) are required to have Tamper Evident Labels (TELs) applied in order to meet the FIPS requirements. Specifically, AIRLAP-FIPSKIT=, VERSION B0 contains the necessary TELs required for the AP. The CO on premise is responsible for securing and having control at all times of any unused tamper evident labels. Below are the instructions to TEL placement on the AP's. 2 1 3 1 2 © Copyright 2013 Cisco Systems, Inc. 30 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 Figure 29 Cisco Aironet 1142 Tamper Evident Label Placement (Top, Bottom, Left, Right) 1 2 2 1 © Copyright 2013 Cisco Systems, Inc. 31 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 3 2 Figure 30 Cisco Aironet 1262 Tamper Evident Label Placement (Top, Left, Right, Bottom) 1 2 © Copyright 2013 Cisco Systems, Inc. 32 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 10 4-8 8 4 6 5 7 3 1 9 10 © Copyright 2013 Cisco Systems, Inc. 33 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 Figure 31 Cisco Aironet 1532e Tamper Evident Label Placement (Front, Back, Bottom, Top, Left, Right) 1 2 4 5 3 6 © Copyright 2013 Cisco Systems, Inc. 34 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 9 7 8 1 10 2-5 © Copyright 2013 Cisco Systems, Inc. 35 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 11 10 8 Figure 32 Cisco Aironet 1532i Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) 4 13 1 5 2 3 6 12 9 8 10 7 11 © Copyright 2013 Cisco Systems, Inc. 36 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 4 12 12 13 © Copyright 2013 Cisco Systems, Inc. 37 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 5 15 Figure 33 Cisco Aironet 1552e Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) 4 5 1 7 9 2 3 6 8 14 1 11 17 12 13 16 15 14 © Copyright 2013 Cisco Systems, Inc. 38 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 16 18 11 15 17 1 16 2 13 16 7 9 8 18 Figure 34 Cisco Aironet 1552i Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) © Copyright 2013 Cisco Systems, Inc. 39 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 3 4 6 5 7 8 1 10 9 4 5 © Copyright 2013 Cisco Systems, Inc. 40 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 3 11 12 Figure 35 Cisco Aironet 1572 Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) 1 © Copyright 2013 Cisco Systems, Inc. 41 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 1 3 4 4 1 3 2 © Copyright 2013 Cisco Systems, Inc. 42 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 4 Figure 36 Cisco Aironet 1602i Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) 1 © Copyright 2013 Cisco Systems, Inc. 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 3 3 2 © Copyright 2013 Cisco Systems, Inc. 44 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 3 2 4 Figure 37 Cisco Aironet 1602e Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) © Copyright 2013 Cisco Systems, Inc. 45 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 3 © Copyright 2013 Cisco Systems, Inc. 46 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 3 2 2 3 1 Figure 38 Cisco Aironet 1702 Tamper Evident Label Placement (Front, Back, Top, Bottom, Left, Right) © Copyright 2013 Cisco Systems, Inc. 47 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 1 3 2 1 2 3 © Copyright 2013 Cisco Systems, Inc. 48 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 39 Cisco Aironet 2602e Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 2 1 3 2 © Copyright 2013 Cisco Systems, Inc. 49 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 3 Figure 40 Cisco Aironet 2602i Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 2 © Copyright 2013 Cisco Systems, Inc. 50 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 3 2 1 2 3 © Copyright 2013 Cisco Systems, Inc. 51 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 41 Cisco Aironet 2702e Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 2 1 3 2 © Copyright 2013 Cisco Systems, Inc. 52 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 3 © Copyright 2013 Cisco Systems, Inc. 53 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 42 Cisco Aironet 2702i Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 2 1 3 2 © Copyright 2013 Cisco Systems, Inc. 54 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 Figure 43 Cisco Aironet 3502e Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 2 © Copyright 2013 Cisco Systems, Inc. 55 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 3 2 2 1 Figure 44 Cisco Aironet 3502i Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) © Copyright 2013 Cisco Systems, Inc. 56 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 2 1 4 3 5 2 1 3 © Copyright 2013 Cisco Systems, Inc. 57 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 4 2 5 Figure 45 Cisco Aironet 3602e/p Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 2 1 4 3 5 2 © Copyright 2013 Cisco Systems, Inc. 58 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 3 4 2 Figure 46 Cisco Aironet 3602i Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) © Copyright 2013 Cisco Systems, Inc. 59 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 4 3 2 1 4 3 5 2 1 3 © Copyright 2013 Cisco Systems, Inc. 60 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 4 Figure 47 Cisco Aironet 3702e/p Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) 1 4 3 2 © Copyright 2013 Cisco Systems, Inc. 61 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 4 3 5 2 4 2 1 3 Figure 48 Cisco Aironet 3702i Tamper Evident Label Placement (Top, Bottom, Front, Back, Left, Right) © Copyright 2013 Cisco Systems, Inc. 62 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. The tamper evident seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the device will damage the tamper evident seals or the material of the security appliance cover. Because the tamper evident seals have non-repeated serial numbers, they may be inspected for damage and compared against the applied serial numbers to verify that the security appliance has not been tampered with. Tamper evident seals can also be inspected for signs of tampering, which include the following: curled corners, rips, and slices. The word "OPEN" may appear if the label was peeled back. The crypto officer is required to regularly check for any evidence of tampering. If evidence of tampering is found with the TELs, the module must immediately be powered down and all administrators must be made aware of a physical security breach. NOTE: Any unused TELs must be securely stored, accounted for, and maintained by the CO in a protected location. 2.6 Cryptographic Algorithms The module supports both firmware and hardware algorithm implementations in each module to implement individual FIPS approved algorithm, detailed as below: Firmware algorithm implementation o IC2M v2.0 Hardware algorithm implementation o Hardware Algorithm Implementation on 1142 (Marvell 88W8363P) o Hardware Algorithm Implementation on 1262, 3502i/e and 1552i/e (Marvell 88W8364) o Hardware Algorithm Implementation on 1532i/e (Qualcomm Atheros AES-128w10i) o Hardware Algorithm Implementation on 1602i/e (Marvell 88W8763C) o Hardware Algorithm Implementation on 1572, 1702, 2602i/e, 2702i/e, 3602i/e/p with AIR-RM3000M and 3702i/e/p with AIR-RM3000M (Marvell 88W8764C) In addition, table 4 below details the FIPS approved algorithms from each algorithm implementation Algorithms Firmware Firmware HW HW HW Algorithm HW HW Algorithm Algorithm Algorithm Algorithm Algorithm Implementation Algorithm Implementation Implementation Implementation Implement Implementa (Qualcomm Implementa (Marvell (IC2M v2.0) (IC2M v2.0) ation tion Atheros AES- tion 88W8764C) on on 1142, 1262, on 1602i/e, (Marvell (Marvell 128w10i) on (Marvell 1572, 1702, 3502i/e, 1532i/e 1572,1702, 88W8363P 88W8364) 1532i/e 88W8763C) 2602i/e, and 1552i/e 2602i/e, ) on 1142 on 1262, on 1602i/e 2702i/e, 2702i/e, 3502i/e and 3602i/e/p with 3602i/e/p with 1552i/e AIR-RM3000M AIR-RM3000M and 3702i/e/p and 3702i/e/p with AIR- with AIR- RM3000M RM3000M AES #2817 1 #2901 #2336 #2335 #2450 #2846 #2334 1 Note that only AES-CBC, AES-CTR, AES-CMAC are active on this module © Copyright 2013 Cisco Systems, Inc. 63 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. AES-CCM N/A N/A #2336 #2335 #2450 #2846 #2334 AES- #2901 #2817 #2336 #2335 N/A #2846 #2334 CMAC SHS #2361 #2441 N/A N/A N/A N/A N/A HMAC #1764 #1836 N/A N/A N/A N/A N/A DRBG #481 #534 N/A N/A N/A N/A N/A RSA #14712 #1529 N/A N/A N/A N/A N/A CVL #2533 #536 N/A N/A N/A N/A N/A Table 4 Approved Cryptographic Algorithms Non-Approved but Allowed Cryptographic Algorithms The module supports the following non-approved, but allowed cryptographic algorithms: AES (Certs. #2817 and #2901, key wrapping; key establishment methodology provides 128 bits of encryption strength)4 Diffie-Hellman (key agreement; key establishment methodology provides 112 bits of encryption strength) MD5 (MD5 is allowed for use in DTLS v1.0) NDRNG SHA-512 (non-compliant) Note: The KDF (key derivation function) used in TLS protocol was certified by CAVP with CVL Cert. #253 and #536. TLS protocol has not been reviewed or tested by the CAVP and CMVP. Please refer IG D.11, bullet 2 for more information. Note that the TLS KDF CVL cert is only listed because the module supports DTLS 2.7 Cryptographic Key Management Cryptographic keys are stored in either Flash or in SDRAM for active keys. The DTLS Pre-Master Secret is generated in the AP using the approved DRBG. The DTLS Pre- Master Secret is used to derive the DTLS Encryption and Integrity Key. All other keys are input into the module from the controller encrypted over a CAPWAP session. During a CAPWAP session, the APs first authenticate to the Wireless LAN controller using an RSA public key. All traffic between the AP and the controller is encrypted in the DTLS tunnel. Keys such as the 2 RSA cert. #1471 only support RSA Signature verification in this module 3 Only the TLS KDF applies for this module 4 Note that the keys are transported into the module using a tunnel with security strength of 112 bits © Copyright 2013 Cisco Systems, Inc. 64 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 802.11i, CCKM and MFP keys are input into the module encrypted with the DTLS session key over the CAPWAP session. The module does not output any plain text cryptographic keys. Table 4 lists the secret and private cryptographic keys and CSPs used by the module. Table 5 lists the public keys used by the module. Table 6 lists the access to the keys by service. Key/CSP Name Algorithm Description Storage Zeroization General Keys/CSPs DRBG entropy input SP 800-90 256 bit. HW based SDRAM (plaintext) `switchconfig CTR_DRBG entropy source output key-zeroize used to construct seed controller' command or Power cycle DRBG seed SP 800-90 384-bits. Input to the SDRAM (plaintext) `switchconfig CTR_DRBG DRBG that determines key-zeroize the internal state of the controller' DRBG. Generated using command or DRBG derivation Power cycle function that includes the entropy input from hardware-based entropy source. DRBG V SP 800-90 The DRBG V is one of SDRAM (plain text) `switchconfig CTR_DRBG the critical values of the key-zeroize internal state upon which controller' the security of this command or DRBG mechanism Power cycle depends. Generated during DRBG instantiation and then subsequently updated using the DRBG update function. DRBG Key SP 800-90 256-bits DRBG key used SDRAM (plaintext) `switchconfig CTR_DRBG for SP 800-90 key-zeroize CTR_DRBG. controller' Established per SP 800- command or 90A CTR_DRBG Power cycle Diffie-Hellman public key Diffie- 2048 bits DH public key SDRAM (plaintext) `switchconfig Hellman used in Diffie-Hellman key-zeroize (Group 14) (DH) exchange. This key controller' is derived per the Diffie- command or Hellman key agreement. Power cycle Diffie-Hellman private key Diffie- 224 bits DH private key SDRAM (plaintext) `switchconfig Hellman used in Diffie-Hellman key-zeroize (Group 14) (DH) exchange. controller' Generated by calling the command or SP 800-90A CTR- Power cycle DRBG. © Copyright 2013 Cisco Systems, Inc. 65 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key/CSP Name Algorithm Description Storage Zeroization Diffie-Hellman shared secret Diffie- 2048 bits DH shared SDRAM (plaintext) `switchconfig Hellman secret derived in Diffie- key-zeroize (Group 14) Hellman (DH) exchange. controller' command or Power cycle Cisco Mfg CA public key rsa-pkcs1- Public Key used with Flash (plain text) Overwrite sha2 CAPWAP to with new authenticate the AP. This public key is the RSA public key used for signature verification. This key is loaded into the module at manufacturing. Cisco Root CA public key rsa-pkcs1- Public Key used with Flash (plain text) Overwrite sha2 CAPWAP to with new authenticate the AP This public key is the RSA public key used for signature verification. This key is loaded into the module at manufacturing. DTLS DTLS Pre-Master Secret Shared Secret As seen in SP 800-135 SDRAM (plain text) `switchconfig section 4.2, this key is key-zeroize refer to Diffie-Hellman controller' shared secret. command or Power cycle DTLS Master Secret Shared Secret 48 bytes. Derived from SDRAM (plain text) `switchconfig DTLS Pre-Master Secret. key-zeroize Used to derive DTLS controller' encryption key and command or DTLS integrity key. Power cycle DTLS Encryption Key AES-CBC 128 bit DTLS session SDRAM (plain text) `switchconfig (CAPWAP session key) Key used to protect key-zeroize CAPWAP control controller' messages. It is derived command or from DTLS Master Power cycle Secret via key derivation function defined in SP800-135 (TLS). DTLS Integrity Key HMAC- 160 bit Session key used SDRAM (plain text) `switchconfig SHA1 for integrity checks on key-zeroize CAPWAP control controller' messages. It is derived command or from DTLS Master Power cycle Secret via key derivation function defined in SP800-135 (TLS). Infrastructure MFP MIC Key AES-CMAC This 128-bit AES key is SDRAM (plain text) `switchconfig generated in the key-zeroize controller using controller' approved DRBG. This command or key is sent to the AP Power cycle encrypted with the DTLS encryption key. This key © Copyright 2013 Cisco Systems, Inc. 66 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key/CSP Name Algorithm Description Storage Zeroization is used by the AP to sign management frames when infrastructure MFP is enabled. 802.11i 802.11i Pairwise Transient AES-CCM The PTK is the 128 bit SDRAM (plain text) `switchconfig Key (PTK) 802.11i session key for key-zeroize unicast communications. controller' This key is generated in command or the WLAN controller Power cycle (outside the cryptographic boundary) and is transported into the module encrypted by DTLS Encryption Key. 802.11i Group Temporal Key AES-CCM The GTK is the 128 bit SDRAM (plain text) `switchconfig (GTK) 802.11i session key for key-zeroize broadcast controller' communications. This command or key is generated in the Power cycle WLAN controller (outside the cryptographic boundary) and is transported into the module encrypted by DTLS Encryption Key. Key Confirmation Key (KCK) HMAC- 160 bit HMAC-SHA1 SDRAM (plain text) `switchconfig SHA1 Key. The KCK is used to key-zeroize provide data origin controller' authenticity in the 4-Way command or Handshake and Group Power cycle Key Handshake messages. This key is generated in the WLAN controller (outside the cryptographic boundary) and is transported into the module encrypted by DTLS Encryption Key. Key Encryption Key (KEK) AES Key 128 bit AES KEK. The SDRAM (plain text) `switchconfig Wrap KEK is used by the key-zeroize EAPOL-Key frames to controller' provide confidentiality in command or the 4-Way Handshake Power cycle and Group Key Handshake messages. This key is generated in the WLAN controller (outside the cryptographic boundary) and is transported into the module encrypted by DTLS Encryption Key. © Copyright 2013 Cisco Systems, Inc. 67 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key/CSP Name Algorithm Description Storage Zeroization CCKM Pairwise Transient Key AES-CCM The CCKM PTK is 128 SDRAM (plain text) `switchconfig (PTK) bit session key for key-zeroize unicast communications controller' This key is generated command or outside the cryptographic Power cycle boundary and is transported into the module encrypted by DTLS Encryption Key. Table 5 Cryptographic Keys and CSPs Note: The KDF infrastructure used in DTLS v1.0 was tested against the SP 800-135 TLS KDF requirements and was certified by CVL Certs. #253 and #536. 2.8 Self-Tests The modules include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to insure all components are functioning correctly. Power On Self-Tests performed: AES CBC, ECB, CMAC (encryption/decryption) KATs (firmware) o AES CBC, CMAC and CCM (encryption/decryption) KATs (hardware) o AES CBC (encryption/decryption) KATs (hardware) o AES ECB, CCM (encryption/decryption) KATs on AIR-RM3000M (on 3602 and 3702 series APs) (hardware) o SHA-1 KAT (firmware) o SHA-256 KAT (firmware) o SHA-384 KAT (firmware) o SHA-512 KAT (firmware) o HMAC SHA-1 KAT (firmware) o DRBG KAT (firmware) o RSA signature verify KAT (firmware) o Firmware Integrity Test with SHA-512 (treated as an EDC) (firmware) 5 The access points perform all power-on self-tests automatically at boot. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The power-on self-tests are performed after the cryptographic systems are initialized but prior to the initialization of the LAN's interfaces; this prevents the AP's from passing any data during a power-on self-test failure. 5 Note that for 1602i/e, 1572, 1702, 2602i/e, 2702i/e, 3602i/e/p and 3702i/e/p, SHA-512 was not tested by CAVP but is still allowed for use as a Firmware Integrity Test as it is being treated as an EDC (Error Detection Code) © Copyright 2013 Cisco Systems, Inc. 68 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Conditional Tests performed: o Continuous Random Number Generator Test to FIPS-approved DRBG o Continuous Random Number Generator Test to NDRNG 3 Secure Operation of the Cisco Aironet Access Points This section details the steps used to securely configure the modules. The administrator configures the modules from the wireless LAN controller with which the access point is associated. The wireless LAN controller shall be placed in FIPS 140-2 mode of operation prior to secure configuration of the access points. The Cisco Wireless LAN controller Security Policy contains instructions for configuring the controller to operate in the FIPS 140-2 approved mode of operation. Crypto Officer Guidance - System Initialization The Cisco Aironet Access Points series security appliances were validated with firmware version 8.0 with IC2M v2.0. This is the only allowable image for use in FIPS. Configuring the module without maintaining the following settings will make the module be non-operational (Hard Error). The Crypto Officer must configure and enforce the following initialization steps: 1. Configure CCKM (Cisco Centralized Key Management) a. CCKM is Cisco's wireless key management permitted by this security policy. It uses the same cipher suite as 802.11i. The following controller CLI command configures CCKM on a given WLAN: > config wlan security wpa akm cckm enable index Refer to the Cisco Wireless LAN Controller Configuration Guide for additional instructions. 2. Connect AP to a controller a. Establish an Ethernet connection between the AP Cryptographic Module and a LAN controller configured for the FIPS 140-2 approved mode of operation. 3. Set Primary Controller a. Enter the following controller CLI command from a wireless LAN controller with which the access point is associated to configure the access point to communicate with trusted wireless LAN controllers: © Copyright 2013 Cisco Systems, Inc. 69 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. > config ap primary-base controller-name access-point Enter this command once for each trusted controller. Enter show ap summary to find the access point name. Enter show sysinfo to find the name of a controller. 4. Save and Reboot a. After executing the above commands, you must save the configuration and reboot the wireless LAN controller: > save config > reset system © Copyright 2013 Cisco Systems, Inc. 70 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.