Information Assurance Specialists, Inc. IAS Router Non-Proprietary FIPS 140-2 Cryptographic Module Security Policy Version: 2 Date: June 21, 2016 Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 1 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1 Introduction .................................................................................................................... 5 Hardware and Physical Cryptographic Boundary ................................................................................6 1.1 Modes of Operation ................................................................................................................ 11 2 Cryptographic Functionality ........................................................................................... 12 2.1 Critical Security Parameters .................................................................................................... 16 2.2 Public Keys .............................................................................................................................. 17 3 Roles, Authentication and Services ................................................................................ 17 3.1 Assumption of Roles ............................................................................................................... 17 3.2 Authentication Methods ......................................................................................................... 18 3.2.1 Password-based Authentication ............................................................................................. 18 3.2.2 IPSec Authentication ............................................................................................................... 18 3.3 Services ................................................................................................................................... 19 4 Self-tests........................................................................................................................ 22 5 Physical Security Policy .................................................................................................. 23 5.1 IAS STEW ................................................................................................................................. 23 5.2 KG-RU ...................................................................................................................................... 25 5.3 IAS Router Micro ..................................................................................................................... 28 6 Operational Environment .............................................................................................. 30 7 Mitigation of Other Attacks Policy ................................................................................. 30 8 Security Rules and Guidance .......................................................................................... 31 9 References and Definitions ............................................................................................ 32 Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 2 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). List of Tables Table 1 – IAS Router Configurations ............................................................................................................. 5 Table 2 – Security Level of Security Requirements ....................................................................................... 5 Table 3 – IAS Router Micro Port and Interface Identification....................................................................... 7 Table 4 – IAS STEW Ports and Interfaces ...................................................................................................... 9 Table 5 – IAS KG-RU Ports and Interfaces ................................................................................................... 11 Table 6 – Approved and CAVP Validated Cryptographic Functions ............................................................ 12 Table 7 – Approved Cryptographic Functions Tested with Vendor Affirmation......................................... 13 Table 8 – Non-Approved but Allowed Cryptographic Functions ................................................................ 13 Table 9 – Protocols Allowed in FIPS Mode.................................................................................................. 14 Table 10 – Critical Security Parameters (CSPs) ........................................................................................... 16 Table 11 – Public Keys ................................................................................................................................. 17 Table 12 – Roles Description ....................................................................................................................... 17 Table 13 – Authentication Description ....................................................................................................... 19 Table 14 – Authenticated Services .............................................................................................................. 19 Table 15 – Unauthenticated Services ......................................................................................................... 19 Table 16 – CSP Access Rights within Services ............................................................................................. 20 Table 17 – Power Up Self-tests ................................................................................................................... 22 Table 18 – Conditional Self-tests ................................................................................................................ 22 Table 19 – Physical Security Inspection Guidelines .................................................................................... 30 Table 20 – References ................................................................................................................................. 32 Table 21 – Acronyms and Definitions ......................................................................................................... 32 List of Figures Figure 1: IAS Router Micro Port and Interface Identification ....................................................................... 6 Figure 2: IAS STEW Ports and Interfaces ....................................................................................................... 8 Figure 3: IAS KG-RU Rear Panel Ports and Interfaces ................................................................................. 10 Figure 4: IAS KG-RU Front Panel Ports and Interfaces ................................................................................ 10 Figure 5: IAS STEW Top View ...................................................................................................................... 23 Figure 6: IAS STEW Right Side ..................................................................................................................... 24 Figure 7: IAS STEW Left Side ....................................................................................................................... 24 Figure 8: IAS STEW Bottom ......................................................................................................................... 25 Figure 9: IAS KG-RU Top Image ................................................................................................................... 26 Figure 10: IAS KG-RU Top Corner ................................................................................................................ 26 Figure 11: IAS KG-RU Side View .................................................................................................................. 27 Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 3 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 12: IAS KG-RU bottom ...................................................................................................................... 27 Figure 13: IAS Router Micro Bottom View .................................................................................................. 28 Figure 14: IAS Router Micro Right Side ....................................................................................................... 29 Figure 15: IAS Router Micro Left Side ......................................................................................................... 29 Figure 16: Tamper Evidence........................................................................................................................ 30 Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 4 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 1 Introduction This document defines the Security Policy for the Information Assurance Specialists, Inc. IAS Router module. The IAS Router is an IPSec VPN gateway. The IAS Router meets FIPS 140-2 overall Level 2 requirements. Table 1 – IAS Router Configurations Module HW P/N and Version FW Version 1 IAS Router IAS STEW Rev 1.0 50e8756 – 2015-11-24 2 IAS Router IAS KG-RU Rev 1.0 50e8756 – 2015-11-24 3 IAS Router IAS Router Micro Rev 1.0 50e8756 – 2015-11-24 The IAS Router is intended for use by US Federal agencies and other markets that require FIPS 140-2 validated cryptographic implementations in a VPN gateway. The IAS Router is a Multi-Chip Standalone embodiment; the cryptographic boundary is defined as the device enclosure. The IAS STEW Rev 1.0 and IAS KG-RU Rev 1.0 exclude the Cisco ESR5915 component from the requirements of FIPS 140-2. The Cisco ESR5915 has been FIPS 140-2 Validated (Cert. #2241); however, the KG-RU treats all data to/from the Cisco ESR5915 component as plaintext. The Cisco ESR5915 component cannot affect the security of the Module. The IAS Router Micro Rev 1.0 excludes the Unicom 4GT24-57INL component from the requirements of FIPS 140-2. This is a passive component and has no security functionality. The FIPS 140-2 security levels for the IAS Router are as follows: Table 2 – Security Level of Security Requirements Security Requirement Security Level Cryptographic Module Specification 3 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 5 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Hardware and Physical Cryptographic Boundary The physical form of the IAS Router is depicted in Section 5; the physical cryptographic boundary is the enclosure. The IAS Router provides network connectivity over its Ethernet, Wi-Fi, and USB interfaces. Figure 1 through Figure 4 depict the ports and interfaces provided by the IAS Router. The Network interface consists of the FIPS 140-2 Data Input, Data Output, Control Input, and Status Output interfaces. A B C D E F G H I K L M N O P J Figure 1: IAS Router Micro Port and Interface Identification Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 6 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 3: IAS Router Micro Port and Interface Identification Ref Port Type Subsystem Port Identifier Logical Interface A RP-SMA Wi-Fi Antenna IAS Router Network B Power In Power 9-36VDC Input Power (input) C Gigabit Ethernet Port IAS Router ETH5 Network D Gigabit Ethernet Port IAS Router ETH1 Network E Gigabit Ethernet Port IAS Router ETH3 Network F Console Port IAS Router CONSOLE Control (input) Status (output) G Fast Ethernet Port IAS Router ETH0 Network H RP-SMA Wi-Fi Antenna IAS Router Network I Status (top) and Power IAS Router Status (bottom) LED J Power Button IAS Router PWR Control (input) K Reset to Factory Defaults IAS Router Reset to Control (input) Button Factory Default L USB 3.0 ports IAS Router USB3.0 Network M Gigabit Ethernet Port IAS Router ETH2 Network N Gigabit Ethernet Port with IAS Router ETH4 Network Power over Ethernet 802.3af O USB 2.0 Ports IAS Router USB 2.0 Network P Auxiliary Serial Port IAS Router SERIAL Control (output) Q Power Out (on rear, not Power Power (output) shown) Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 7 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). A B C D E F G H I J K L N O P Q R S T U V W X Y Z M Figure 2: IAS STEW Ports and Interfaces Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 8 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 4: IAS STEW Ports and Interfaces Ref Port Type Subsystem Port Identifier Logical Interface A RP-SMA Wi-Fi Antenna IAS Router Network B Gigabit Ethernet Port IAS Router ETH5 Network C Gigabit Ethernet Port IAS Router ETH1 Network D Gigabit Ethernet Port IAS Router ETH3 Network E Console Port IAS Router CONSOLE Control (input) Status (output) F Fast Ethernet Port IAS Router ETH0 Network G Power Out (optional) Power Power (output) H Fast Ethernet Port Cisco FE0/0 Network I Fast Ethernet Port Cisco FE0/1 Network J Fast Ethernet Port Cisco FE0/3 Network K RP-SMA Wi-Fi Antenna Cisco Network L Status (top) and Power IAS Router Status (bottom) LED M Power Button IAS Router Control (input) N Reset to Factory Defaults IAS Router Control (input) Button O USB 3.0 ports IAS Router Network P Gigabit Ethernet Port IAS Router ETH2 Network Q Gigabit Ethernet Port with IAS Router ETH4 Network Power over Ethernet 802.3af R USB 2.0 Ports IAS Router Network S Auxiliary Serial Port IAS Router SERIAL Control (output) T Power In Power Power (input) U Console Port Cisco CONSOLE Control (input) Status (output) V Fast Ethernet Port Cisco FE0/2 Network W Fast Ethernet Port with Power Cisco FE0/4 Network over Ethernet 802.3af X Reset to Factory Defaults Cisco Control (input) Button Y Power Switch Cisco Control (input) Z Status (top) and Power Cisco Status (output) (bottom) LEDs Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 9 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). A B C D E F G H I J Figure 3: IAS KG-RU Rear Panel Ports and Interfaces K L M N P Q R S O T Figure 4: IAS KG-RU Front Panel Ports and Interfaces Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 10 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 5: IAS KG-RU Ports and Interfaces Ref Port Type Subsystem Port Identifier Logical Interface A Fast Ethernet Port Cisco FE0/1 Network B Fast Ethernet Port Cisco FE0/3 Network C Gigabit Ethernet Port Cisco ETH2 Network D Gigabit Ethernet Port Cisco ETH3 Network E Fast Ethernet Port Cisco FE0/2 Network F Fast Ethernet Port with Power Cisco FE0/4 Network over Ethernet 802.3af G Power In Power 9-36VDC Input Power (input) H Gigabit Ethernet Port IAS Router ETH4 Network I Gigabit Ethernet Port IAS Router ETH5 Network J Gigabit Ethernet Port IAS Router ETH1 Network K Status (top) and Power IAS Router STATUS, PWR Status (output) (bottom) LEDs L Power Switch IAS Router PWR Control (input) M Power Switch Cisco PWR Control (input) N Status (top) and Power Cisco STATUS, PWR Status (output) (bottom) LEDs O Reset to Factory Defaults IAS Router RESET Control (input) Button P Console Port IAS Router CONSOLE Control (input) Status (output) Q USB 3.0 ports IAS Router USB Network R USB 2.0 Ports IAS Router USB Network S Console Port Cisco CONSOLE Control (input) Status (output) T Reset to Factory Defaults Cisco RESET Control (input) Button 1.1 Modes of Operation The Module operates in three (3) distinct modes of operation: Standard Mode, FIPS Mode, and CSfC Mode. The Standard Mode is a non-FIPS mode of operation. The FIPS Mode and CSfC Mode are FIPS Approved modes of operation. The non-Approved mode of operation, Standard Mode, supports the identical services as FIPS Mode and CSfC Mode; however, it supports the non-Approved algorithms listed in Table 9. To verify that a module is in the Approved mode of operation, authenticate to the web management page and check the mode indicator on the System Configuration page as depicted below. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 11 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 2 Cryptographic Functionality The IAS Router implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in the table below. Table 6 – Approved and CAVP Validated Cryptographic Functions Algorithm Description Cert # 1935 Triple-DES [FIPS 46-3, SP 800-67] Functions: Encryption, Decryption Modes: DES-EDE3-CBC Key sizes: 168 bits (DES-EDE3) AES [FIPS 197, SP 800-38A, SP800-38D] 3430 Functions: Encryption, Decryption Modes: CBC, CTR, GCM Key sizes: 128, 256 bits 782 DRBG [SP 800-90A] Functions: AES 256 CTR DRBG Security Strengths: 256 bits ECDSA [FIPS 186-4] 663 Functions: Key Pair Generation, Signature Generation, Signature Verification, Public Key Validation Curves/Key sizes: P-256, P-384, P-521 HMAC [FIPS 198-1] 2182 Functions: Generation, Verification SHA: 1, 256, 384, 512 Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 12 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Algorithm Description Cert # KDF, Existing [SP 800-135] 493 Application- (CVL) Functions: IKE v1 KDF, IKEv2 KDF Specific KDF, Existing [SP 800-135] 523 Application- (CVL) Functions: TLS v1.0/1.1 KDF, TLS 1.2 KDF Specific RSA [FIPS 186-4, PKCS #1 v2.1 (PKCS1.5)] 1756 Functions: Key Pair Generation, Signature Generation, Signature Verification Key sizes: 2048, 3072 bits SHA [FIPS 180-4] 2830 Functions: Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications SHA sizes: SHA-1, SHA-256, SHA-384, SHA-512 Table 7 – Approved Cryptographic Functions Tested with Vendor Affirmation Algorithm Description IG Ref. Key Transport [SP 800-56B] Vendor Using RSA Affirmed IG Key sizes: 2048, 3072, 4096, 6144, 8192 bits D.4 Table 8 – Non-Approved but Allowed Cryptographic Functions Algorithm Description Non-SP 800-56A [IG D.8] Compliant DH Diffie-Hellman (key agreement; key establishment methodology provides 112, 128, or 192 bits of encryption strength) Non-SP 800-56A [IG D.8] Compliant ECDH EC Diffie-Hellman (key agreement; key establishment methodology provides 128, 192, or 256 bits of encryption strength) NDRNG [Annex C] Hardware Non-Deterministic RNG; minimum of 256 bits per access. The NDRNG output is used to seed the FIPS Approved AES 256 CTR DRBG. MD5 [IG G.13] TLSv1.0 and TLSv1.1 KDF. No security is provided by this algorithm. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 13 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 9 – Protocols Allowed in FIPS Mode Standard FIPS CSFC Protocol/Operation Algorithm Mode Mode Mode 1 2 3 IKE 3des x X Encryption AES128CBC x X x AES256CBC x x x md5 x Integrity Sha x sha256 x x x sha384 x x x sha512 x x dh1 - modp768 x Key Exchange dh2 – modp1024 x dh5 – modp1536 x dh14 – modp2048 x x x dh15 – modp3072 x x dh16 – modp4096 x x dh17 – modp6144 x x dh18 – modp8192 x x dh19 – ecp256 x x x dh20 – ecp384 x x x dh21 – ecp521 x x x matches selected IKE integrity algo PRF ESP 3des x x Encryption AES128CBC x x x AES256CBC x x x AES128CTR x x AES256CTR x x AES128GCM16 x x AES256GCM16 x x md5 x Integrity Sha x sha256 x x x sha384 x x x sha512 x x x No PFS x PFS Key Exchange dh1 - modp768 x dh2 – modp1024 x dh5 – modp1536 x dh14 – modp2048 x x x Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 14 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Standard FIPS CSFC Protocol/Operation Algorithm Mode Mode Mode 1 2 3 dh15 – modp3072 x x dh16 – modp4096 x x dh17 – modp6144 x x dh18 – modp8192 x x dh19 – ecp256 x x x dh20 – ecp384 x x x dh21 – ecp521 x x x IKE Authentication adhere to password complexity rules x x x PSK Certificate signature rsa_with_sha1 x algorithms rsa_with_sha256 x x rsa_with_sha384 x x rsa_with_sha512 x x ecdsa_with_sha1 x ecdsa_with_sha256 x x x ecdsa_with_sha384 x x x ecdsa_with_sha512 x x Certificate private RSA 1024 x key types RSA 2048 x x RSA 4096 x x EC on p256 x x X EC on p384 x x X Protocol/ Standard FIPS CSFC Operation Algorithm (RFC) Mode Mode Mode TLS 1.0/1.1/1.2 Ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 x x x TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 x x x TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 x x x TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 x x x TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 x x x TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 x x x TLS_RSA_WITH_AES_256_CBC_SHA256 x x x TLS_RSA_WITH_AES_128_CBC_SHA256 x x x Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 15 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Protocol/ Standard FIPS CSFC Operation Algorithm (RFC) Mode Mode Mode TLS_DHE_RSA_WITH_AES_256_CBC_SHA x x x TLS_DHE_RSA_WITH_AES_128_CBC_SHA x x x TLS_RSA_WITH_AES_256_CBC_SHA x x x TLS_RSA_WITH_AES_128_CBC_SHA x x x These protocols have not been reviewed or tested by the CAVP or CMVP. Non-Approved Cryptographic Functions for use in non-FIPS mode only: • MD5 (outside of the TLS KDF) • Diffie-Hellman (modp < 2048, provides less than 112 bits of encryption strength) • RSA (any size) with SHA-1 • RSA 1024 2.1 Critical Security Parameters All CSPs used by the Module are described in this section. All usage of these CSPs by the Module (including all CSP lifecycle states) are described in the services detailed in Section 4. Table 10 – Critical Security Parameters (CSPs) Number CSP Description / Usage 1 Used to agree upon a secret that is used as input TLS DH/ECDH Private Key to the pre_master_secret 2 RSA TLS_pre_master_secret TLS secret used to derive the master_secret 3 DH/ECDH TLS_pre_master_secret TLS secret used to derive the master_secret 4 TLS_master_secret TLS secret used to derive the session_key 5 TLS_session_key TLS session secret key 6 Certificate private key used to negotiate session TLS_PKI_private keys for TLS sessions 7 Used to agree upon a secret that is used as input IKE DH/ECDH Private Key to derive the IKE Session key 8 Shared secret value used in IKE and ESP session IPSec_PSK keys negotiation 9 Certificate private key used to negotiate ESP and IPSec_PKI_private IKE session keys 10 IPSec_IKE_key IKE session secret key 11 IPSec_ESP_key ESP session secret key Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 16 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Number CSP Description / Usage 12 Administrator PW Used to authenticate administrative users 2.2 Public Keys Table 11 – Public Keys Key Description / Usage TLS DH/ECDH Public Key Used to agree upon a secret that is used as input to the pre_master_secret TLS_PKI_public Certificate public key used to negotiate session keys for TLS sessions IKE DH/ECDH Public Key Used to agree upon a secret that is used as input to derive the IKE session key IPSec_PKI_public Certificate public key used to negotiate ESP and IKE session keys IPSec_PKI_CA_public CA certificates 3 Roles, Authentication and Services 3.1 Assumption of Roles The Module supports two (2) distinct operator roles, User and Cryptographic Officer (CO). The cryptographic module enforces the separation of roles by requiring the CO to authenticate to gain access to CO operations. Table 12 lists all operator roles supported by the IAS Router. The IAS Router supports concurrent operators. Operators can login via the web management interface. Authenticated operator sessions can be manually terminated using the logout feature or if the device is reboot all authenticated sessions are automatically terminated. User authentication passwords are protected within the device via a hash mechanism, are masked while the user is entering the value, and are protected in transmission by TLS. The IAS Router does not support a maintenance role. Table 12 – Roles Description Role ID Role Description Authentication Type Authentication Data CO Cryptographic Officer – The Identity based Username and password Crypto Officer configures the services provided by the module and is authenticated by password-based authentication User User – The User is a network Role based IKE PSK, RSA signature, entity that can establish an ECDSA signature IPSec VPN Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 17 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 3.2 Authentication Methods All authentication data is protected from modification and substitution within the IAS Router by restricting physical access to the internal storage media. When performing remote administration authentication data is protected in flight through the HTTPS/SSL/TLS encrypted management web page. Authentication data is protected during entry by masking all authentication data entry fields. 3.2.1 Password-based Authentication Passwords are required to have a minimum length of 8 characters in FIPS mode. Of the 8 characters there must be a capital letter, a lowercase letter, a number, and a special character. The module supports the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”. Characters can repeat within the password. Therefore the possibility of randomly guessing the correct characters of a minimum length password (independent of sequence) is 1 in 262 * 10 * 10 * 724 = 1,816,672,665,600. On the GUI, Authentication attempts are limited to 1-19 successive incorrect attempts results in a 1-19 minute authentication attempt lockout. Therefore, the maximum number of attempts in a 1 minute window is 19 and the probability of successfully guessing the password in a One (1) minute period of time is approximately 1 in 85,425,052,631. On the rescue terminal, successive authentication attempts are limited to every 4 seconds. Therefore, a maximum of 15 authentication attempts can be made within a minute and the probability of guessing the password within a one (1) minute period of time is approximately 1 in 108,205,066,667. 3.2.2 IPSec Authentication The module supports RSA-based, ECDSA-based and Pre Shared Key authentication for IPSec. On IPSec, authentication attempts occur within a session. Each IPSec authentication session remains active until it either succeeds or times out after 30 seconds. There are several limits to the number of simultaneous authentication attempts in place. Simultaneous authentication attempts from a peer (defined as an IP source address) are limited to 5. System wide simultaneous authentication attempts are limited to 50. Therefore, the theoretical maximum of authentication attempts in a 1 minute window is 100 and the probability of successfully guessing the worst case IPsec authentication method (Pre-Shared Key) is 100 in 1,623,076,000,000 or 1 in 16,230,760,000. 3.2.2.1 RSA-based Authentication When using RSA based authentication the smallest modulus allowed is 2048, which has 112-bits of strength. Therefore, the probability of successfully randomly guessing the authentication value is 1 in 2112. 3.2.2.2 ECDSA-based Authentication When using ECDSA based authentication the weakest curve is P-256 which has 128-bits of strength. Therefore, the probability of successfully randomly guessing the authentication value is 1 in 2128. 3.2.2.3 Pre Shared Key (PSK)-based Authentication When using PSK based authentication the minimum PSK length is eight (8) characters. The same complexity rules apply as the password-based authentication mechanism. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 18 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 13 – Authentication Description Authentication Method Probability of false acceptance (1.0 x 10-6 required) 1 / 262 * 105 * 8 = 5.4 x 10-8 Password Auth 1 / 262 * 105 * 8 = 5.4 x 10-8 PSK Auth 1 / 2112 RSA Auth 1 / 2128 ECDSA Auth 3.3 Services All services implemented by the Module are listed in the tables below. Table 14 – Authenticated Services Service Role Description Reset to Defaults / CO Destroys all CSPs Zeroize Configure the CO Define networks/interfaces, firewall behavior, routing, user accounts, Router user permissions, set the time, enable/disable protocols, etc. Configure VPN CO Manage authentication credentials, IPSec security policies, and IPSec security associations Show status CO View network and interface statistics, active IPSec sessions, and other system status items Establish/Maintain User Authenticate, establish, maintain, and terminate an IPSec VPN (phase IPSec VPN 1 and 2, IKE and CHILD) with another network entity The Authenticated Services require an administrator or peering IPSec router to authenticate using one if the methods outlined in Section 3.2 prior to accessing the service. Table 15 – Unauthenticated Services Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 19 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Service Description Route Traffic Provides processing for user traffic Module Reset Reset the IAS Router and invoke a self-test (Self-test) LED Status View VPN status LED and power status LED The Unauthenticated Services are provided for users and administrators. Table 16 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: • G = Generate: The Module generates the CSP. • R = Read: The Module reads the CSP. The read access is typically performed before the Module uses the CSP. • E = Execute: The Module executes using the CSP. • W = Write: The Module writes the CSP. The write access is typically performed after a CSP is imported into the Module, when the Module generates a CSP, or when the Module overwrites an existing CSP. • Z = Zeroize: The Module zeroizes the CSP. Table 16 – CSP Access Rights within Services Service CSPs (as identified in Table 10) Reset to Defaults / Zeroize Z – 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 Configure the Router G – 3, 4, 5, 6 R – 1, 2, 3, 4, 5, 6, 8, 12 E – 1, 2, 3, 4, 5, 6, 12 W – 6, 8, 9, 12 Z – 2, 3, 4, 5, 6, 8, 9, 12 Configure VPN G–9 R – 8, 9 E–9 W – 8, 9 Z – 8, 9 Show status –N/A Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 20 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Service CSPs (as identified in Table 10) Establish/Maintain IPSec VPN G–7 R – 7, 8, 9, 10, 11 E – 7, 8, 9, 10, 11 W – 7, 10, 11 Z – 7, 10, 11 Route Traffic G– R – 11 E – 11 W– Z– Module Reset G– (Self-test) R– E– W– Z – 1, 2, 3, 4, 5, 7, 10, 11 LED Status N/A Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 21 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 4 Self-tests Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged. Power up self-tests are available on demand by power cycling the Module. On power up or reset, the Module performs the self-tests described in Table 17 below. All KATs must be completed successfully prior to any other use of cryptography by the Module. If the module successfully completes self-tests, it creates a syslog entry indicating successful completion of the self-tests. If one of the KATs fails, the Module enters the Critical Error state, which then causes the Module to reboot. Table 17 – Power Up Self-tests Test Target Description Firmware ECDSA P-256 signature check of a SHA256 message digest is performed on each Integrity executable file, the kernel, all kernel modules, and all interpreted php code resident in the image. AES KATs: Encryption, Decryption Modes: ECB Key sizes: 128 bits DRBG KATs: CTR DRBG Security Strengths: 256 bits ECDSA PCT: Signature Generation, Signature Verification Curves/Key sizes: P-256 RSA KATs: Signature Generation, Signature Verification Key sizes: 2048 bits SHA KATs: SHA-1, SHA-256, SHA-384, SHA-512 HMAC KATs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 TDES KATs: Encryption, Decryption Modes: TECB, Key sizes: 3-key Key Transport KATs: SP 800-56B specific KATs per IG D.4 Using RSA Key sizes: 2048 bits Table 18 – Conditional Self-tests Test Target Description NDRNG NDRNG Continuous Test performed when a random value is requested from the NDRNG. DRBG DRBG Continuous Test performed when a random value is requested from the DRBG. ECDSA ECDSA Pairwise Consistency Test performed on every ECDSA key pair generation. RSA RSA Pairwise Consistency Test performed on every RSA key pair generation. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 22 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Test Target Description Firmware Load ECDSA P-256 signature check of a SHA256 message digest is performed when firmware is loaded. DRBG Health Performed conditionally per SP 800-90A Section 11.3. Required per IG C.1. Checks Bypass Test SHA256 checksum validated whenever the bypass configuration (firewall) is altered. 5 Physical Security Policy Tamper seals are applied during the manufacturing process. A subsection is used for each model of the IAS Router covered under this validation. 5.1 IAS STEW The IAS STEW is housed in an industrial quality enclosure using production grade components and materials. The IAS STEW utilizes tamper evident seals to ensure physical security of the Module’s internal components. The STEW enclosure has 5 pieces and the application and location of the six tamper evident seals ensures that the 5 pieces remain intact as a complete enclosure and none of the pieces can be surreptitious opened or removed. Ideally, tamper evident measures should be inspected whenever physical access control of the Module has been lost or interrupted. Devices under kept under physical access control should be inspected monthly. Figure 5: IAS STEW Top View Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 23 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 6: IAS STEW Right Side Figure 7: IAS STEW Left Side Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 24 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 8: IAS STEW Bottom 5.2 KG-RU The KG-RU utilizes tamper evident seals to ensure physical security of the Module’s internal components. The KG-RU enclosure has three (3) pieces and the application and location of the three (3) tamper evident seals ensures that the three (3) pieces remain intact as a complete enclosure and none of the pieces can be surreptitious opened or removed. Ideally, tamper evident measures should be inspected whenever physical access control of the Module has been lost or interrupted. Devices kept under physical access control should be inspected monthly. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 25 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 9: IAS KG-RU Top Image Figure 10: IAS KG-RU Top Corner Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 26 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 11: IAS KG-RU Side View Figure 12: IAS KG-RU bottom Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 27 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 5.3 IAS Router Micro The IAS Router Micro utilizes tamper evident seals to ensure physical security of the Module’s internal components. The IAS Router Micro enclosure has four (4) pieces and the application and location of the three tamper evident seals ensures that the four (4) pieces remain intact as a complete enclosure and none of the pieces can be surreptitious opened or removed. Ideally, tamper evident measures should be inspected whenever physical access control of the Module has been lost or interrupted. Devices under kept under physical access control should be inspected monthly. Figure 13: IAS Router Micro Bottom View Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 28 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 14: IAS Router Micro Right Side Figure 15: IAS Router Micro Left Side Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 29 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 19 – Physical Security Inspection Guidelines Physical Security Recommended Frequency Inspection/Test Guidance Details Mechanism of Inspection/Test Tamper evident seals Monthly Verify that all of the tamper seals are present and in the correct locations as depicted above. Inspect each seal to verify that the word “VOID” does not appear (even faintly). See Figure 16. In the event tamper seals indicate “VOID” (even faintly), the device should be removed from use and returned to IAS for inspection and application of new tamper seals. Figure 16: Tamper Evidence 6 Operational Environment The Module is designated as a limited operational environment under the FIPS 140-2 definitions. The Module includes a firmware update service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and require a separate FIPS 140-2 validation. 7 Mitigation of Other Attacks Policy This module does not implement mitigation for any other attacks. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 30 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 8 Security Rules and Guidance The Module design corresponds to the Module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 2 module. 1. The Module provides two (2) distinct operator roles: User and Cryptographic Officer. 2. The Module clears previous authentications on power cycle. 3. The operator can command the module to perform the power up self-tests by cycling power or resetting the Module. 4. Power up self-tests do not require any operator action. 5. Data output is inhibited during key generation, self-tests, zeroization, and error states. 6. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 7. The Module does not support a maintenance interface or role. 8. The Module does not output intermediate key values. 9. The Module performs a bypass test when the mechanism governing bypass is modified. Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 31 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision). 9 References and Definitions The following standards are referred to in this Security Policy. Table 20 – References Abbreviation Full Specification Name Security Requirements for Cryptographic Modules, May 25, 2001 [FIPS140-2] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms [SP800-131A] and Key Lengths, January 2011 [IG] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program , December 28, 2015 Table 21 – Acronyms and Definitions Acronym Definition AES Advanced Encryption Standard DRBG Deterministic Random Bit Generator ECDSA Elliptic Curve Digital Signature Algorithm ESP Encapsulating Security Payload FIPS Federal Information Processing Standard HMAC Keyed-Hash Message Authentication Code IKE Internet Key Exchange Protocol IPsec Internet Protocol Security NDRNG Non-Deterministic Random Number Generator PSK Pre-Shared Key RSA Rivest Shamir Adleman (public-key cryptosystem) SHA Secure Hash Algorithms TLS Transport Layer Security VPN Virtual Private Network Copyright Information Assurance Specialists, Inc., 2016 Version 2 Page 32 of 32 Information Assurance Specialists, Inc. Public Material – May be reproduced only in its original entirety (without revision).