Harris Corporation Harris AES Load Module Firmware Version: R06A02 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 0.7 Prepared for: Prepared by: Harris Corporation Corsec Security, Inc. 1680 University Avenue 13921 Park Center Road, Suite 460 Rochester, NY 14610 Herndon, VA 22033 United States of America United States of America Phone: +1 585 242-3214 Phone: +1 703 267-6050 Email: RFComm@harris.com Email: info@corsec.com http://www.harris.com http://www.corsec.com Security Policy, Version 0.7 September 28, 2015 Table of Contents 1 INTRODUCTION ................................................................................................................... 3 1.1 PURPOSE ................................................................................................................................................................ 3 1.2 REFERENCES .......................................................................................................................................................... 3 1.3 DOCUMENT ORGANIZATION ............................................................................................................................ 3 2 HALM OVERVIEW ................................................................................................................. 4 2.1 OVERVIEW ............................................................................................................................................................. 4 2.2 MODULE SPECIFICATION..................................................................................................................................... 4 2.3 MODULE INTERFACES .......................................................................................................................................... 6 2.4 ROLES AND SERVICES ........................................................................................................................................... 7 2.4.1 Crypto-Officer Role................................................................................................................................................. 7 2.4.2 User Role ................................................................................................................................................................... 8 2.5 PHYSICAL SECURITY ............................................................................................................................................. 9 2.6 OPERATIONAL ENVIRONMENT........................................................................................................................... 9 2.7 CRYPTOGRAPHIC KEY MANAGEMENT .............................................................................................................. 9 2.8 SELF-TESTS ..........................................................................................................................................................12 2.9 MITIGATION OF OTHER ATTACKS ..................................................................................................................12 3 SECURE OPERATION ......................................................................................................... 13 3.1 SECURE MANAGEMENT .....................................................................................................................................13 3.1.1 Initialization ........................................................................................................................................................... 13 3.1.2 Management ........................................................................................................................................................ 13 3.1.3 Zeroization ............................................................................................................................................................ 13 3.2 USER GUIDANCE ................................................................................................................................................13 4 ACRONYMS .......................................................................................................................... 14 Table of Figures FIGURE 1 ­ LOGICAL CRYPTOGRAPHIC BOUNDARY ...........................................................................................................5 FIGURE 2 ­ PHYSICAL CRYPTOGRAPHIC BOUNDARY ..........................................................................................................6 List of Tables TABLE 1 ­ SECURITY LEVEL PER FIPS 140-2 SECTION .........................................................................................................4 TABLE 2 ­ FIPS 140-2 LOGICAL INTERFACES ........................................................................................................................7 TABLE 3 ­ CRYPTO-OFFICER ROLE'S SERVICES .....................................................................................................................7 TABLE 4 ­ USER ROLE'S SERVICES ...........................................................................................................................................8 TABLE 5 ­ FIPS-APPROVED ALGORITHM IMPLEMENTATIONS .............................................................................................9 TABLE 6 ­ LIST OF CRYPTOGRAPHIC KEYS AND CSPS ..................................................................................................... 10 TABLE 7 ­ LIST OF POWER-UP SELF-TESTS ......................................................................................................................... 12 TABLE 8 ­ ACRONYMS .......................................................................................................................................................... 14 Harris AES Load Module Page 2 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 1 Introduction 1.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Harris AES Load Module from Harris Corporation. This Security Policy describes how the Harris AES Load Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in a secure FIPS-Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. The Harris AES Load Module is referred to in this document as the HALM, the crypto module, or the module. 1.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information about the products incorporating the module is available from the following sources: The Harris website (http://www.harris.com) contains information on the full line of products from Harris. The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) contains contact information for individuals to answer technical or sales-related questions for the module. 1.3 Document Organization The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Model document Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Harris. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Submission Package is proprietary to Harris and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Harris. Harris AES Load Module Page 3 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 2 HALM Overview 2.1 Overview Harris is a leading supplier of systems and equipment for public safety, federal, utility, commercial, and transportation markets. Their products range from the most advanced IP1 voice and data networks, to industry-leading multiband/multimode radios, and even public safety-grade broadband video and data solutions. Their comprehensive line of software-defined radio products and systems support the critical missions of countless public and private agencies, federal and state agencies, and government, defense, and peacekeeping organizations throughout the world. This Security Policy documents the security features of the Harris AES Load Module (HALM), which is incorporated into terminal products provided by Harris Corporation, such as the XL family of radios, in order to provide FIPS-Approved security functions. The Harris AES Load Module provides support to secure voice and data communications by providing Advanced Encryption Standard (AES) algorithm encryption/decryption as specified in FIPS 197. The HALM ensures data integrity using a Cipher-based Message Authentication Code (CMAC) algorithm as specified in Special Publication 800-38B. The HALM interacts with a Digital Signal Processor (DSP) application executing on the Harris XL family of radios and other terminal products in order to provide its services to those terminals. The Harris AES Load Module is validated at the FIPS 140-2 Section levels shown in Table 1. Table 1 ­ Security Level Per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Cryptographic Key Management 1 8 EMI/EMC2 1 9 Self-tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A 2.2 Module Specification The Harris AES Load Module is a Level 1 firmware module with a multiple-chip standalone physical embodiment. The physical cryptographic boundary of the HALM is the outer chassis of the terminal in which it is stored and executed. The logical cryptographic boundary of the Harris AES Load Module is defined by a single executable (HALM.bin; Firmware Version: R06A02) running on Harris BIOS3 Kernel 1 IP ­ Internet Protocol 2 EMI/EMC ­ Electromagnetic Interference / Electromagnetic Compatibility 3 BIOS ­ Basic Input/Output System Harris AES Load Module Page 4 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 v1 within the Harris terminals. The Harris BIOS Kernel v1 acts as the module's operating system, and is provided by the internal Blackfin BF707 DSP. The kernel is a non-modifiable operational environment. The HALM is stored in flash memory while the host terminal is powered off. When power is supplied to the radio, the terminal's Freescale Vybrid VF5xx GPP4 transfers the HALM from flash memory to the SRAM5of the DSP. Figure 1 shows the module executing in SRAM memory. The module is entirely encapsulated by the logical cryptographic boundary, shown in Figure 1 below. The logical cryptographic boundary of the module is shown with a red-colored dotted line. Flash Memory Freescale Vybrid VF5xx GPP Key Store Harris BIOS Keysets of Traffic Encryption Keys & Kernel SWI Key Encryption Keys CMAC MACKey Harris AES Load Module (HALM) DSP Application Code AES Algorithm Key Acronyms Control Input AES ­ Advanced Encryption Algorithm Data Input BIOS ­ Basic Input Output System Data Output CMAC ­ Cipher-based Message Authentication Code Status Output DSP ­ Digital Signal Processor GPP ­ General Purpose Processor Data Traffic SWI ­ Software Interrupt Cryptographic Boundary Figure 1 ­ Logical Cryptographic Boundary As a firmware cryptographic module, the Harris AES Load Module has a physical cryptographic boundary in addition to its logical cryptographic boundary. The Harris terminal hardware that uses the HALM is 4 GPP ­ General Purpose Processor 5 SRAM ­ Static Random Access Memory Harris AES Load Module Page 5 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 designed around the Freescale VF5xx GPP. The enclosure of the terminal is considered to be the physical cryptographic boundary of the module as shown with a red-colored dotted line in Figure 2 below. Speaker Mic Serial PTT Keypad Knobs Antenna Audio Codec Digital 2 Analog ------------------ Analog 2 Digial Freescale Vybrid VF5xx GPP text Flash Memory Digital Signal SRAM Processor Key Control Input Status Output Data Input Data Flow Data Output Cryptographic Boundary Figure 2 ­ Physical Cryptographic Boundary 2.3 Module Interfaces The HALM implements a single module interface in its firmware design. This interface is the module's logical interface and is provided by a single Application Programming Interface (API). The API is accessed by an application running on the DSP. Physically, the module ports and interfaces are considered to be those of the Harris terminals on which the firmware executes. Both the API and the physical ports and interfaces can be categorized into the following logical interfaces defined by FIPS 140-2: Data Input Interface Data Output Interface Control Input Interface Status Output Interface Harris AES Load Module Page 6 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 Table 2 maps the FIPS 140-2 Logical Interfaces to the physical interfaces of the terminal and the logical interface of the module. Table 2 ­ FIPS 140-2 Logical Interfaces FIPS 140-2 Logical Interface Terminal Physical Harris AES Load Module Interface Port/Interface Data Input Interface Antenna Arguments for an API to be used or Microphone processed by the module Data Output Interface Antenna Arguments for an API call that specify Speaker where the result of the API call is stored Control Input Interface Antenna API call and accompanying arguments Keypad used to control the operation of the Knobs: Voice Group module Selection Knob, Power On- Off/Volume Knob PTT6 Button Status Output Interface Antenna Port Return values for API calls Serial Port (DB9) Speaker 2.4 Roles and Services There are two roles in the module (as required by FIPS 140-2) that operators may assume: a Crypto-Officer (CO) role and a User role. The operator implicitly assumes one of these roles when selecting each command documented in this section. 2.4.1 Crypto-Officer Role The CO role is responsible for initializing the module, self-test execution, and status monitoring. Descriptions of the services available to the CO are provided in Table 3 below. Please note that the keys and CSPs listed in the table indicate the type of access required: R ­ Read access: The Critical Security Parameter (CSP) may be read. W ­ Write access: The CSP may be established, generated, modified, or zeroized. X ­ Execute access: The CSP may be used within an Approved security function. Table 3 ­ Crypto-Officer Role's Services Service Description CSP and Type of Access HALM_INITIALIZE Performs self-tests on None demand HALM_SEND_STATUS The status of the last None function called from the HALM_API is returned Harris AES Load Module Page 7 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 Service Description CSP and Type of Access HALM_WRAP_KEY Wraps a key AES Key Wrap Key ­ X AES Unwrapped Key ­ R HALM_UNWRAP_KEY Unwraps a key AES Key Wrap Key ­ X AES Wrapped Key ­ R ZEROIZE Zeroizes keys in volatile AES-256 Cipher Key ­ W memory via power cycle AES-128 Cipher Key ­ W AES CMAC Key ­ W AES Key Wrap Key ­ W 2.4.2 User Role The User role has the ability to perform the module's cipher operation, and data encryption/decryption services. Descriptions of the services available to the role are provided in Table 4 below. Type of access is defined in section 2.4.1 of this document. Table 4 ­ User Role's Services Service Description CSP and Type of Access HALM_GEN_KEYSTREAM Generates key stream data AES-256 Cipher Key ­ X HALM_GEN_PRIVATE_MI Generates a Message AES-256 Cipher Key ­ X Indicator (MI) from the Initialization Vector (IV) value specified in the data input buffer HALM_P25_XOR Performs logical Exclusive None OR (XOR) operation HALM_LOAD_KEY Load key into the module AES-256 Cipher Key ­ R AES-128 Cipher Key ­ R HALM_AES_OFB AES OFB7 Encryption AES-256 Cipher Key ­ X operation HALM_AES_OFB_PASSTHRU AES OFB Encrypt/Decrypt AES-256 Cipher Key ­ X HALM_AES_ECB AES ECB Encryption AES-256 Cipher Key ­ X operation AES-128 Cipher Key ­ X HALM_AES_ECB_DECRYPT AES ECB Decryption AES-256 Cipher Key ­ X operation AES-128 Cipher Key ­ X HALM_AES_CBC AES CBC Encryption AES-256 Cipher Key ­ X operation HALM_MAC_GENERATION Generates a Message AES CMAC Key ­ X Authentication Code (MAC) 7 OFB ­ Output Feedback Harris AES Load Module Page 8 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 Service Description CSP and Type of Access HALM_AES_CMAC AES CMAC operation AES CMAC Key ­ X 2.5 Physical Security The firmware module relies on the physical embodiment of the radios, which store the module within their enclosure. The radios meet Level 1 physical security requirements, and are made of production grade material, opaque within the visible spectrum. 2.6 Operational Environment Per Implementation Guidance Section G.3, the operational environment requirements do not apply to the Harris AES Load Module. The cryptographic boundary of the module includes the entire Harris AES Load Module image (HALM.bin). The firmware image runs on a non-modifiable operational environment, the Harris BIOS Kernel v1. The kernel does not allow the loading of any new applications. Hence, the operational environment of the module is a non-modifiable operational environment. 2.7 Cryptographic Key Management The module implements the FIPS-Approved algorithms listed in Table 5. Table 5 ­ FIPS-Approved Algorithm Implementations Algorithm Certificate Number AES 128- and 256-bit encrypt/decrypt in ECB8 mode #3338 9 AES 256-bit encrypt in CBC mode #3338 AES 256-bit encrypt/decrypt in OFB mode #3338 AES 256-bit CMAC generation/verification #3338 AES 256-bit Key Wrap #3338 8 ECB ­ Electronic Code Book 9 CBC ­ Cipher Block Chaining Harris AES Load Module Page 9 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 The Harris AES Load Module is not responsible for the permanent storage of any cryptographic keys. Keys that enter the module are stored temporarily in volatile memory. Zeroization of keying material in volatile memory occurs at shutdown or reboot of the radio hosting the module. Keys are either passed into the module in plaintext or wrapped with an AES key. The AES-128 and AES-256 Cipher Keys, the AES CMAC Key, and the AES Key Wrap Key are passed into the module in plaintext are used for encryption, decryption, CMAC, wrapping, and unwrapping services. These keys are generated externally and are stored in a key store external to the module (See Figure 1). The AES Wrapped Key is passed into the module encrypted, or wrapped by an AES key wrap key. The key is unwrapped by the AES Key Wrap Key and then sent to the logical Data Output Interface in plaintext. This newly unwrapped key will be a new AES-128 or AES-256 Cipher Key. The AES Unwrapped Key is passed into the module in plaintext in order to be wrapped by the AES Key Wrap Key. The newly wrapped key then exits the module encrypted in order to be transmitted by the radio. The module supports the critical security parameters listed in Table 6: Table 6 ­ List of Cryptographic Keys and CSPs Key/CSP Key/CSP Type Generation / Output Storage Zeroization Use Input AES-256 Cipher Key 256-bit AES Key Generated Never exits the The key resides in Power cycle Used as input into the externally; Input module plaintext in volatile zeroizes volatile ECB, CBC, and OFB Electronically in memory while in memory cipher operations Plaintext via GPC10 use by the module; INT11 Path The key is not actively stored by the module AES-128 Cipher Key 128-bit AES Key Generated Never exits the The key resides in Power cycle Used as input into the externally; Input module plaintext in volatile zeroizes volatile ECB cipher operation Electronically in memory while in memory Plaintext via GPC use by the module; INT Path The key is not actively stored by the module 10 GPC ­ General Purpose Computer 11 INT - Internal Harris AES Load Module Page 10 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 Key/CSP Key/CSP Type Generation / Output Storage Zeroization Use Input AES CMAC Key 256-bit AES Key Generated Never exits the The key resides in Power cycle Used as input into the externally; Input module plaintext in volatile zeroizes volatile CMAC operation Electronically in memory while in memory Plaintext via GPC use by the module; INT Path The key is not actively stored by the module AES Key Wrap Key 256-bit AES Key Generated Never exits the The key resides in Power cycle Used as input into the externally; Input module plaintext in volatile zeroizes volatile key wrapping and Electronically in memory while in memory unwrapping Plaintext via GPC use by the module; operations INT Path The key is not actively stored by the module AES Wrapped Key 128- or 256-bit AES Generated Exits the module in The key is not Not applicable The key is passed in Key externally; Input plaintext via GPC stored by the to the module to be Electronically INT Path module unwrapped by the Encrypted module and passed back to the terminal AES Unwrapped 128- or 256-bit AES Generated Exits the module The key is not Not applicable The key is passed in Key Key externally; Input encrypted stored by the to the module to be Electronically in module wrapped by the Plaintext via GPC module and passed INT Path back to the terminal Harris AES Load Module Page 11 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 2.8 Self-Tests Self-tests are performed by the module at power-up after the module is loaded into SRAM memory. The module checks its integrity using a CMAC and ensures the correct performance of the AES cryptographic algorithm by performing a Known Answer Test. The Harris AES Load Module performs the self-tests listed in Table 7 at power-up. Table 7 ­ List of Power-Up Self-Tests Start-Up Test Description AES Known Answer Test The AES KAT takes a known key and encrypts a known plaintext value. The (KAT) encrypted value is compared to the expected ciphertext value. If the values differ, the test is failed. The AES KAT then reverses this process by taking the ciphertext value and key; performing decryption; and comparing the result to the known plaintext value. If the values differ, the test is failed. If they are the same, the test is passed. Firmware Integrity Test The module checks the integrity of the binary (using a CMAC checksum value) at the start-up. If the MAC verifies correctly (i.e., the newly-computed MAC is the same as the stored MAC value), the test passes. Otherwise, it fails. The module is not required to perform any conditional self-tests. The module enters an error state if it fails either power-up self-test listed above. To attempt to clear the error state, an operator may restart the terminal (thereby restarting the module and re-running the power-up self-tests). If the self-tests fail upon restart, the operator must return the terminal containing the module to Harris for repair or reinstallation. 2.9 Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any additional attacks in an approved FIPS mode of operation. Harris AES Load Module Page 12 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 3 Secure Operation The Harris AES Load Module meets Level 1 requirements for FIPS 140-2. The sections below describe how to place and keep the module in a FIPS-approved mode of operation. 3.1 Secure Management The Harris AES Load Module is provided to the Crypto-Officer preloaded in the Harris terminals and is not distributed as a separate executable. The CO does not have to perform any action in order to install or configure the module in the terminals. The HALM is installed and always operates in a FIPS-Approved mode of operation. In order to operate the module, the CO shall turn on the Harris terminal. 3.1.1 Initialization The Harris AES Load Module is initialized by the DSP when the host terminal is powered on. The DSP uses the HALM's initialization routines to load the HALM into memory, allocate memory for operation, and start the module's power-up self-test. Until the module's power-up self-tests have been performed, the module is not operational. The services listed in Section 2.4 (Roles and Services) of this document are not available until the module performs and passes its power-up self-test. Operator intervention is not required in order to initialize the module. 3.1.2 Management The Crypto-Officer should monitor the module's status regularly. If any irregular activity is noticed or the module is consistently reporting errors, then Harris customer support should be contacted. The operator can determine that the module is operating in the FIPS-Approved mode of operation when the module returns the HALM_INITIALIZE_OK status. This status is passed to the operator after the module passes all of its power-up self-tests. The operator can also determine the status of the module by performing the "HALM_SEND_STATUS" service. 3.1.3 Zeroization The module does not store any keys or CSPs within its logical boundary. All ephemeral keys that are used by the module are zeroized upon shutdown or reboot of the host terminal. 3.2 User Guidance Users can only access the module's cryptographic functionalities that are available to them. The User should report to the Crypto-Officer if any irregular activity is noticed. Harris AES Load Module Page 13 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Policy, Version 0.7 September 28, 2015 4 Acronyms This section defines the acronyms used in this document. Table 8 ­ Acronyms Acronym Definition AES Advanced Encryption Standard API Application Programming Interface BIOS Basic Input/Output System CBC Cipher Block Chaining CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CO Crypto-Officer CSE Communications Security Establishment CSP Critical Security Parameter DSP Digital Signal Processor ECB Electronic Code Book EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard GPC General Purpose Computer GPP General Purpose Processor HALM Harris AES Load Module INT Internal IP Internet Protocol IV Initialization Vector KAT Known Answer Test MAC Message Authentication Code MI Message Indicator NIST National Institute of Standards and Technology OFB Output Feedback OS Operating System PTT Push-to-talk SRAM Static Random Access Memory XOR Exclusive OR Harris AES Load Module Page 14 of 15 © 2015 Harris Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Prepared by: Corsec Security, Inc. 13921 Park Center Road, Suite 460 Herndon, VA 20171 United States of America Phone: +1 703 267-6050 Email: info@corsec.com http://www.corsec.com