Bluesocket® WG-2100 Wireless Gateway
(Hardware Versions: 870-212FF-002, 870-212FT-002, 870-212TF-002, and 870-212TT-002, and Firmware Version 4.1.0.11.fips.7)

FIPS 140-2 Non-proprietary Security Policy
Level 2 Validation

Part Number: 870-21000-S01
Revision: 1.7
September 2006

Copyright © 2006 Bluesocket, Inc. This document may be copied whole and intact including this copyright notice.

Contents

1 Introduction
1.1 Purpose
1.2 References
1.3 Terminology
1.4 Document Organization
2 The Bluesocket WG-2100
2.1 FIPS 140-2 Applicability
2.2 Cryptographic Module Specification
2.3 Cryptographic Module Interfaces
2.4 Roles and Services
2.5 Physical Security
2.6 Operational Environment
2.7 Electromagnetic Compatibility (EMI/EMC)
2.8 Cryptographic Algorithms and Protocols
2.9 Cryptographic Key Management
2.10 Self-Tests
2.11 Design Assurance
2.12 Mitigation of Other Attacks
3 Secure Operation of the WG-2100
3.1 Physically Securing the WG-2100
3.2 Crypto-Officer Guidance
3.3 User Guidance
4 Acronym and Abbreviation List

1 Introduction

1.1 Purpose

This is a non-proprietary Cryptographic Module Security Policy for Hardware Versions: 870-212FF-002, 870-212FT-002, 870-212TF-002, and 870-212TT-002, and Firmware Version 4.1.0.11.fips.7 of the WG-2100 Wireless Gateway from Bluesocket, Incorporated. This security policy describes how the WG-2100 meets the security requirements of FIPS 140-2, and how to operate the WG-2100 in a secure FIPS 140-2-compliant mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Bluesocket WG-2100.
This document is non-proprietary, and may be copied in its entirety and without modification. All copies must include the copyright notice on the front page.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

1.2 References

Refer to the Bluesocket, Incorporated website at http://www.bluesocket.com for complete details about the entire line of Bluesocket Wireless Gateways. You can find specific information about the Bluesocket WG-2100 Wireless Gateway at http://www.bluesocket.com/solutions/WG-2100.pdf.

1.3 Terminology

In this document, the terms Bluesocket WG-2100 and WG-2100 refer to version 4.1.0.11.fips.7 of the Bluesocket WG-2100 Wireless Gateway.

1.4 Document Organization

This Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package includes:

· Proprietary security policy
· Vendor evidence document
· Finite state machine
· Module firmware listing
· Other supporting documentation as additional references

This Security Policy and other Validation Submission Documentation was produced by Bluesocket, Incorporated. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Bluesocket, Incorporated.

This document provides an overview of the Bluesocket WG-2100 and explains the secure configuration and operation of the module.
This introductory section is followed by Section 2, which details the general features and functionality of the Bluesocket WG-2100 and describes how the WG-2100 meets all Level 2 FIPS 140-2 requirements. Section 3 specifically addresses the required configuration for the FIPS 140-2-compliant operation. Section 4 defines the acronyms and abbreviations used in this document.

2 The Bluesocket WG-2100

The Bluesocket WG-2100 Wireless Gateway provides a single scalable solution to the security, quality of service (QoS), and management issues facing institutions, enterprises, and service providers who deploy 802.11 and Bluetooth-based wireless networks. The WG-2100 resides between the wireless LAN access points and the wired LAN as shown in Figure 1, and requires no changes to the existing wired LAN or user client software.

Figure 1: The Role of the Bluesocket WG-2100 in a Wireless LAN

The WG-2100 mediates access between the wireless access points (the managed side of the network) and the enterprise network or Internet (the protected side of the network). Two WG-2100s may be coupled to provide a hot failover capability, and multiple WG-2100s may be installed for large sites with higher data density requirements.

To verify the identity of a user, the WG-2100 uses authentication. The user submits a username and password, or other credential, from his or her wireless device. The WG-2100 first checks its internal user database (for stand-alone use) and then an external RADIUS or LDAP/Active Directory server in turn for a valid match. If a match is found, the WG-2100 grants the user access to the network. If the WG-2100 cannot authenticate the user, the user is denied access.

After the user is authenticated, the WG-2100 defines which network resources and destinations in the enterprise the user can access, and the bandwidth they can use.
The Crypto-Officer implements authorization by defining a role and assigning it to the user.

2.1 FIPS 140-2 Applicability

The Bluesocket WG-2100 is classified as a multi-chip standalone module as defined in the Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules. The Bluesocket WG-2100 meets all the Level 2 requirements for FIPS 140-2 as summarized in Table 1.

Table 1: Bluesocket WG-2100 FIPS 140-2 Security Levels

| FIPS 140-2 Security Requirements Section | Security Level |
|---|---|
| 1. Cryptographic Module Specification | 2 |
| 2. Module Ports and Interfaces | 2 |
| 3. Roles, Services, and Authentication | 2 |
| 4. Finite State Model | 2 |
| 5. Physical Security | 2 |
| 6. Operational Environment | N/A |
| 7. Cryptographic Key Management | 2 |
| 8. EMI/EMC | 3 |
| 9. Self Tests | 2 |
| 10. Design Assurance | 2 |
| 11. Mitigation of Other Attacks | N/A |

2.2 Cryptographic Module Specification

The Bluesocket WG-2100 operates in a FIPS 140-2-compliant mode. The cryptographic boundary for the WG-2100 is defined as the metal case enclosing all of the hardware and firmware system components as shown in Figure 2.

The WG-2100 cryptographic module consists of the following generic components:

· A commercially available general-purpose hardware computing platform based on the Intel Pentium IV CPU and the Intel 82845 Chipset. A Block Diagram is provided in Figure 1.
· Linux OS running on the hardware platform. WG-2100 FIPS 140-2 compliance was tested on Linux OS version 2.4.18. Other Linux OS versions may run on the hardware platform without affecting overall FIPS 140-2 compliance of the crypto-module.
· Bluesocket/AdmitOne IPSec engine, running on the above platform under the operating system in Kernel Space.
· Bluesocket/AdmitOne IKE service running on the above platform, under the above OS in User Space memory.
· Bluesocket Application code running on the above platform, under the above OS in User Space memory.

Figure 2 shows a block diagram of the WG-2100 cryptographic module.

Figure 2: WG-2100 Cryptographic Module Block Diagram
(Blocks shown inside the cryptographic boundary: CPU (2.8 GHz), DDR SDRAM, EEPROM, chipset, peripheral device controller, firmware hub (BIOS), PCI bus, Gigabit Ethernet MAC/PHY blades for the Protected and Managed 10/100/1000 ports, cryptography blade, and the 10/100 failover port; the management interface, status output interface, video port, and serial port are shown at the boundary.)

Figure 3 shows a block diagram representing the WG-2100 major firmware components.

Figure 3: WG-2100 Firmware Layer Block Diagram
(Layers shown: User Space applications ("Blue" Officer Administration, "Blue" User Login, AdmitOne IKE Service); Kernel Space (AdmitOne IPSec engine); Driver Layer (Protected NIC Driver, Managed NIC Driver, BCM Crypto).)

2.3 Cryptographic Module Interfaces

The WG-2100 cryptographic module is accessible only through well-defined physical ports including: two standard copper 10/100/1000 Mbps Ethernet ports (or optional 1000Base-SX fiber ports) for network connectivity, a single copper 10/100 Mbps Ethernet port for failover connectivity to another WG-2100, a serial port for local console management of the WG-2100, front-panel Power and Reset controls, front-panel LEDs and LCD for status, and an AC power plug and switch. Additionally, the module has a parallel port and a video port. The parallel port is disabled and is not used in FIPS 140-2 compliant operation of the WG-2100.

The LEDs and LCD on the front of the module provide status information. The Power and Reset controls provide the ability to power down and reset the module.
The AC power switch and power connector provide the ability to connect and disconnect the module from source power. The network connectors provide the ability to connect and disconnect the module from the network.

The physical ports to the units are described as follows:

· The Parallel port is disabled at the BIOS level and cannot be used to access the hardware or firmware. This port is not used in FIPS 140-2 compliant operation of the WG-2100.
· The Video port may monitor activity at boot time to ensure the WG-2100 boots properly. The Video port is used for status output only and does not accept user input.
· The Failover Port (Ethernet Port 2) is used to provide stateful information to a redundant unit for high-availability purposes.
· The Managed Port (Ethernet Port 1) provides Ethernet access to the managed clients. This port may be used to provide an IPSec tunnel to clients secured by IPSec.
· The Protected Port (Ethernet Port 0) provides an Ethernet link to the physically secured LAN. Packets are transmitted in the clear to and from this interface.
· The Serial port is RS232 compliant and provides a minimal set of management capabilities.

Table 2 maps the logical interfaces described by the FIPS 140-2 standard to physical ports on the WG-2100.

Table 2: FIPS Logical Interfaces Mapped to WG-2100 Physical Ports

| FIPS 140-2 Logical Interface | WG-2100 Physical Port |
|---|---|
| Data Input Interface | Managed Port (Ethernet Port 0); Protected Port (Ethernet Port 1); Failover Port (Ethernet Port 2) |
| Data Output Interface | Managed Port; Protected Port; Failover Port |
| Control Input Interface | Managed Port; Protected Port; Serial Port; Power Control; Reset Control |
| Status Output Interface | Front Panel LCD; Front Panel LEDs; Serial Port; Video Port |
| Power Interface | Power Plug; Power Switch |
| N/A | Parallel Port |

2.4 Roles and Services

The WG-2100 supports role-based authentication. There are three roles in the module that operators may assume: a Local Crypto-Officer role, a Crypto-Officer role, and a User role.

The Local Crypto-Officer accesses the module using a command line interface (CLI) over the serial port. The Local Crypto-Officer authenticates with a password and is able to perform minimal configuration and management of the module.

The Crypto-Officer accesses the module through an Ethernet port over a TLS link to the Bluesocket Administration page served by the WG-2100 Web Server Application. The Crypto-Officer authenticates with a User ID and password. The Crypto-Officer has the ability to fully configure and manage the module.

The User role accesses the module through the Managed Interface Ethernet port to pass IPSec-secured data or plaintext through the WG-2100. To pass IPSec traffic through the module, the User must authenticate with a pre-shared key or by presenting a digital certificate for mutual authentication against the module's own digital certificate. To transfer packets through the module in plaintext, without IPSec processing, the User authenticates with a User ID and password. Transfer of packets in plaintext through the module is not allowed in FIPS approved mode of operation.

2.4.1 Local Crypto-Officer Role

The Local Crypto-Officer is able to perform a limited set of WG-2100 configuration and management tasks. These tasks include resetting the WG-2100 internal database, rebooting and restarting the WG-2100, and displaying a variety of status information. Generally, the Local Crypto-Officer performs management tasks via the WG-2100 serial port only in the rare event that Crypto-Officer access to the WG-2100 is lost.

Table 3 details the Local Crypto-Officer's set of services in FIPS mode.
Table 3: Local Crypto-Officer Services, Descriptions, Inputs, and Outputs

| Service | Description | Input | Output |
|---|---|---|---|
| dbinit | Restore all database settings to their default value | Command | Command status |
| ifconfig | Show interface settings for Protected, Managed, and Failover interfaces | Command | Command status |
| processes | Show a list of all running processes | Command | Command status |
| restart | Restart the WG-2100 | Command | Command status |
| switch | Switch to the alternate firmware image | Command | Command status |
| reboot | Reboot the WG-2100 | Command | Command status |
| clean | Delete event logs | Command | Command status |
| exit | Exit the CLI | Command | Command status |
| interface | Set protected interface address | Command | Command status |
| self-tests | Invoke the WG-2100 self tests | Command or cycle power to the WG-2100 | Self-test status |

2.4.2 Crypto-Officer Role

The Crypto-Officer role accesses the module over a TLS session. The Crypto-Officer has the ability to fully configure and manage the module.

Table 4 details the Crypto-Officer's set of services in FIPS mode.
Table 4: Crypto-Officer Services, Descriptions, Inputs, and Outputs

| Service | Description | Input | Output |
|---|---|---|---|
| IPSec SA configuration | Install IPSec SAs on the module for Users | Command and IPSec SA information over TLS session | Status of command over TLS session |
| TLS | Access the crypto-module via a TLS session over an https link | Password over a secured link | Access to HTML-based configuration interface |
| IPSec SA deletion | Delete IPSec SAs on the module | Command and IPSec SA information over TLS session | Status of command over TLS session |
| Network configuration | Configure the network settings of the module | Command and network settings of the module over TLS session | New network configuration for the module and status of command over TLS session |
| QoS configuration | Configure the QoS settings of the module | Command and QoS settings over TLS session | New QoS configuration for the module and status of command over TLS session |
| Device Administration | Modify port forwarding and address translation settings on the module | Command and administration settings over TLS session | Modified device administration settings for the module and status of command over TLS session |
| Module Logging configuration | Configure the logging settings of the module | Command and logging settings over TLS session | New logging configuration for the module and status of command over TLS session |
| Administer User accounts | Add, delete, or edit User account settings | Command and User account settings over TLS session | Modified User account settings for the module and status of command over TLS session |
| reboot | Reboot the WG-2100 | Command over TLS session | Command status over TLS session |
| restart | Restart the WG-2100. | Command over TLS session | Command status over TLS session |
| shutdown | Shut down the WG-2100 | Command over TLS session | Command status over TLS session |
| self-tests | Initiate the WG-2100 self tests | Cycle power to the WG-2100 | Self-test status |

2.4.3 User Role

The User role accesses the module through the Managed Interface Ethernet port to pass IPSec-secured data or plaintext through the WG-2100. Transfer of plaintext traffic through the module is not allowed in FIPS approved mode of operation.

To pass IPSec traffic through the module, the User must authenticate with a pre-shared key or by presenting a digital certificate for mutual authentication against the module's own digital certificate. User and data security are provided by a combination of SHA-1 and one of the following cryptographic protocols: DES (transitional phase only - valid until May 19, 2007), 3DES, or AES.

To transfer packets through the module in plaintext, without IPSec processing, the User authenticates with a User ID and password, but this is not allowed in FIPS mode.

Table 5 details the User role's set of services in FIPS mode.

Table 5: User Services, Descriptions, Inputs, and Outputs

| Service | Description | Input | Output |
|---|---|---|---|
| IPSec | Access the module's IPSec services to secure communications between the User and the module | IPSec inputs, commands, and data | IPSec outputs, status, and data |

2.4.4 Authentication Mechanisms

The module implements password-based authentication and digital certificate/RSA-based authentication as summarized in Table 6.

Table 6: WG-2100 Authentication Methods

| Authentication Type | Use/Strength |
|---|---|
| Password-based authentication | Local Crypto-Officer password is a fixed seven-character password configured at the factory. Considering only the alphanumeric character set, the number of potential passwords is 62^7. |
| | Crypto-Officer password must be at least eight characters in length and may be any combination of alphanumeric characters. Considering only the alphanumeric character set, the number of potential passwords is 62^8. |
| | User passwords must be at least eight characters in length and may be any combination of alphanumeric characters. Considering only the alphanumeric character set, the number of potential passwords is 62^8. |
| | IPSec Pre-shared Secret must be at least eight characters in length and may be any combination of alphanumeric characters. Considering only the alphanumeric character set, the number of potential passwords is 62^8. |
| Digital Certificate/RSA-based Authentication | Authenticate User to pass IPSec-encrypted data. Certificate is secured by RSA. RSA is used by the Crypto-Officer to initially authenticate to the module using a TLS handshake. The mechanism, using a 1024-bit key size, provides a work factor of roughly 2^80 (cryptographic strength provided by 1024-bit RSA). |

2.4.5 Unauthenticated Services

N/A - the module does not provide any unauthenticated services.

2.4.6 Finite State Machine Model

The WG-2100 is designed around a Finite State Machine (FSM), which is detailed in a Bluesocket proprietary document (FIPS 140-2 Proprietary Finite State Machine). Parties interested in reviewing this document should contact Bluesocket through the sources listed in Section 1.2.

2.5 Physical Security

The Bluesocket WG-2100 is housed in a FIPS 140-2 Level 2-compliant case. The WG-2100 housing is made of a two-piece, tamper-resistant metal shell with a front-panel polycarbonate bezel. The WG-2100 case is fitted with an inner louvered metal shield that renders the case opaque and resistant to probing. The only components exposed from the case are the front-panel LCD, LEDs, Power Switch and Reset Switch, and the rear-panel AC power receptacle, network interface connectors, serial port connector, video port connector, and parallel port connector.

Tamper-evident labels are placed across the WG-2100's top cover and case, and on the back panel at the factory as shown in Figure 4. Any attempt to access the WG-2100's internal components will result in the tamper-evident labels being damaged.

2.6 Operational Environment

FIPS 140-2 operational environment requirements do not apply to the Bluesocket WG-2100 Wireless Gateway as the WG-2100 is characterized as having a non-modifiable operational environment (OS).

2.7 Electromagnetic Compatibility (EMI/EMC)

The WG-2100 has been tested for and meets applicable Federal Communications Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements as defined in Subpart B of FCC Part 15 (Class B for home use).

2.8 Cryptographic Algorithms and Protocols

The WG-2100 implements the following approved cryptographic algorithms:

· SHA-1 (Certificate #228, #229) - per FIPS PUB 180-1
· HMAC-SHA-1 (Certificate #11, #12)
· Triple-DES-ECB, CBC (Certificate #187) and Triple-DES-CBC (Certificate #250) - per FIPS PUB 46-3
· DES-ECB, CBC, CFB8, CFB64, OFB (transitional phase only - valid until May 19, 2007) (Certificate #223) - per FIPS PUB 46-3
· AES-CFB128 (Certificate #76, #253) - per FIPS PUB 197
· RSA Digital Signatures (Generation/Verification) - per PKCS#1, RSA Key generation (ANSI X9.31) (Certificate #14)
· RNG (FIPS 186-2, Appendix 3.1, Change Notice 1) (Certificate #16)

The module implements the following non-FIPS 140-2-approved algorithms:

· MD5
· HMAC-MD5
· Diffie-Hellman Groups 1, 2, and 3 (Key agreement) - Permitted for use in a FIPS 140-2-approved mode of operation. The Diffie-Hellman implementation uses a 160-bit key length.
· RSA Key Transport - as per PKCS#1 during TLS - Permitted for use in a FIPS 140-2 approved mode of operation. The RSA Key Transport implementation uses a 1024-bit key length.
The Key establishment methodology provides 80 bits of encryption strength.

The module supports the following protocols for use in an approved mode of operation:

· IPSec
· TLS

These cryptographic algorithms are implemented in firmware for TLS and implemented in both hardware and firmware for IPSec.

The WG-2100 uses a FIPS 186-2 Appendix 3.1 change notice 1-compliant random number generator.

2.9 Cryptographic Key Management

This section describes cryptographic keys and other critical security parameters (CSPs) contained in the WG-2100.

2.9.1 Local Crypto-Officer Password

The Local Crypto-Officer access password is a pre-configured factory-default value that cannot be modified. The password is stored in the WG-2100 module EEPROM and is used to authenticate the Local Crypto-Officer.

Type: Fixed seven-character password
Use: Authenticate Local Crypto-Officer
Storage: In non-volatile EEPROM (plaintext)
Applicable Service: All Local Crypto-Officer Commands
Access by Role*: Local Crypto-Officer - R
Generation: Factory-default
Destruction: Crypto-Officer overwrites EEPROM

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.2 Crypto-Officer Password

The Crypto-Officer access password is used to authenticate the Crypto-Officer over a TLS connection. The password is created by and may be modified by the Crypto-Officer. The password is stored in the WG-2100 module EEPROM.

Type: Eight-character password
Use: Authenticate Crypto-Officer
Storage: In non-volatile EEPROM (plaintext)
Applicable Service: All Crypto-Officer Services
Access by Role*: Crypto-Officer - W, R, D
Generation: Outside of module (input by Crypto-Officer)
Destruction: Reset module to factory default values

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.3 User Access Password

The User access password is used to authenticate a user for plaintext data transfer through the module. The password is created by and may be modified by the Crypto-Officer. The user access password is stored in the WG-2100 module EEPROM.

Note: Plaintext data transfer through the module is not allowed in FIPS mode.

Type: Eight-character password
Use: Authenticate User for Plaintext Traffic
Storage: In non-volatile EEPROM (plaintext)
Applicable Service: Plaintext Traffic
Access by Role*: Crypto-Officer - W, R, D; User - R
Generation: Outside of module (input by Crypto-Officer)
Destruction: Reset module to factory default values

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.4 IPSec Pre-Shared Secret

The WG-2100 uses the IKE protocol (RFC-2409) for key establishment. IKE authentication of a User can be done with digital certificates using the RSA signature algorithm or a pre-shared secret.

The IPSec Pre-shared Secret is used to authenticate a User to pass IPSec encrypted data through the module. The password is created by and may be modified by the Crypto-Officer. The IPSec Pre-shared Secret is stored in the WG-2100 module EEPROM.

Type: Eight-character password
Use: Authenticate User for IPSec Traffic
Storage: In non-volatile EEPROM (plaintext)
Applicable Service: IPSec
Access by Role: Crypto-Officer - W, R, D; User - R
Generation: Outside of module (input by Crypto-Officer)
Destruction: Reset module to factory default values

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.5 IPSec Server Certificate

The WG-2100 uses the IKE protocol (RFC-2409) for key establishment.
IKE authentication of a User can be done with digital certificates using the RSA signature algorithm or a pre-shared secret. The WG-2100 uses a certificate protected with a private key to authenticate the IPSec Server running on the WG-2100. The certificate is stored in RAM, in non-volatile EEPROM, and in the WG-2100 database. The IPSec Server Certificate is deleted from EEPROM on restart and is deleted from the WG-2100 database upon administrator command. Type Digital Certificate with RSA signature Use Authenticate IPSec Server running on WG-2100 Storage In volatile memory, in non-volatile EEPROM in X.509 certificate, and in WG-2100 Database Applicable Service IPSec Access by Role* Crypto-Officer ­ W, R, D; User - R Generation Outside of module (X.509 specification) Destruction Deleted from EEPROM on restart, and deleted from WG-2100 database upon Crypto-Officer command * - W ­ Write (input or generate) key or CSP, R ­ Read (use) key or CSP, D ­ Delete (zeroize) key or CSP 2.9.6 Enrollment CA Certificate The WG-2100 uses the IKE protocol (RFC-2409) for key establishment. IKE authentication of a User can be done with digital certificates using the RSA signature algorithm or a pre-shared secret. The trusted Bluesocket CA public key certificate is loaded on the module by the manufacturer at production and is not generated by the module. This certificate is used to sign IPSec client requests. Type Digital Certificate with RSA signature Use Sign IPSec client certificate requests Storage In non-volatile EEPROM in X.509 certificate and in WG-2100 Database Applicable Service IPSec Access by Role* Crypto-Officer ­ R; User - R Generation Outside of module (X.509 specification) Destruction Deleted from EEPROM upon restart and from WG-2100 Database upon Crypto-Officer command * - W ­ Write (input or generate) key or CSP, R ­ Read (use) key or CSP, D ­ Delete (zeroize) key or CSP Copyright © 2006 Bluesocket, Inc. 
This document may be copied whole and intact including this copyright notice. Page 16 of 28 2.9.7 IPSec Diffie-Hellman Key Pairs The WG-2100 uses the IKE protocol (RFC-2409) for key establishment. During IKE Phase 1 negotiation, the WG-2100 establishes a Security Association (SA) with a User that defines methods for protecting future communications. The Diffie-Hellman method is used to generate key material to encrypt and authenticate further IKE negotiations, and to generate keying material for User IPSec services. Type Diffie-Hellman Use Encrypt and authenticate IKE negotiations Storage RAM Applicable Service IPSec Access by Role User - R Generation Generated using the PRNG specified in FIPS 186-2 Appendix 3.1 change notice 1. Destruction Deleted from memory by restarting the module * - W ­ Write (input or generate) key or CSP, R ­ Read (use) key or CSP, D ­ Delete (zeroize) key or CSP 2.9.8 IPSec Session Keys The WG-2100 uses the IKE protocol (RFC-2409) for key establishment. IPSec session keys are generated during IKE Phase 2 negotiations. The session keys are derived from the keying material established with the Diffie-Hellman exchange in Phase 1. If the Crypto- Officer has configured the WG-2100 to use IKE perfect secrecy mode, the session keys are established using a Diffie-Hellman exchange. The Crypto-Officer can configure a lifetime for the IPSec session keys. When the configured lifetime expires, new session keys are negotiated. Type 3DES, DES (transitional phase only - valid until May 19, 2007), or AES/HMAC-SHA-1 key Use Encrypt IPSec Traffic Storage In volatile memory Applicable Service IPSec Access by Role* User - R Generation Oakley algorithms using Diffie-Hellman groups 1 to 3 Destruction Deleted from memory by restarting the module * - W ­ Write (input or generate) key or CSP, R ­ Read (use) key or CSP, D ­ Delete (zeroize) key or CSP Copyright © 2006 Bluesocket, Inc. This document may be copied whole and intact including this copyright notice. 
2.9.9 TLS Server Certificate

The WG-2100 uses TLS to protect data during administration of the WG-2100 by the Crypto-Officer over HTTPS. The WG-2100 uses a certificate protected with a private key to provide server authentication. The WG-2100 also uses the RSA private key to decrypt the pre-master secret from the TLS client during TLS handshaking. The WG-2100 uses the RSA key transport for key establishment during TLS. The TLS Server Private Key is generated using standard Open TLS commands and is stored in RAM and in non-volatile EEPROM. The TLS Server Private Key is zeroized in memory after the TLS session has terminated.

Type                RSA private key
Use                 TLS Server Certificate is used to Authenticate the server and the RSA private key is used to decrypt the pre-master secret from the TLS client
Storage             In volatile memory and in non-volatile EEPROM
Applicable Service  TLS
Access by Role*     Crypto-Officer - R
Generation          Generated using the PRNG specified in FIPS 186-2 Appendix 3.1 change notice 1.
Destruction         Crypto-Officer overwrites EEPROM

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.10 TLS Write Key

The WG-2100 uses TLS to protect data during administration of the WG-2100 by the Crypto-Officer over HTTPS. The WG-2100 uses a symmetric secret key to encrypt TLS application data for each TLS connection. The TLS Write Key is generated using a TLS standard algorithm and is stored in RAM. The TLS Write Key is zeroized after the TLS session has terminated.

Type                3DES
Use                 To encrypt TLS Application data for each TLS connection
Storage             In volatile memory
Applicable Service  TLS
Access by Role      Crypto-Officer - R
Generation          Via standard TLS algorithm
Destruction         Zeroized after the TLS session has terminated

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP
2.9.11 TLS MAC Secret

The WG-2100 uses TLS to protect data during administration of the WG-2100 by the Crypto-Officer over HTTPS. The WG-2100 uses a message authentication code (MAC) key to secure TLS application data for each TLS connection. The TLS MAC Secret Key is generated using a TLS standard algorithm and is stored in RAM. The key is zeroized after the TLS session has terminated.

Type                HMAC-SHA-1
Use                 Secure TLS application data
Storage             In volatile memory
Applicable Service  TLS
Access by Role      Crypto-Officer - R
Generation          Via standard TLS algorithm
Destruction         Zeroized after the TLS session has terminated

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.12 Configuration Files

The configuration files store the WG-2100's settings for network configuration, QoS configuration, device administration, module logging, user accounts, and other module configurations. The configuration files are created by the Crypto-Officer and are stored in the module's non-volatile EEPROM.

Type                Plaintext files
Use                 Define QoS, device administration, and other module settings.
Storage             In non-volatile memory
Applicable Service  Device administration and configuration
Access by Role      Crypto-Officer - W, R, D; User - R
Generation          Outside of module (Input by Crypto-Officer)
Destruction         Reset module to factory default values

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.9.13 HMAC-SHA-1 Key

The WG-2100 verifies the integrity of its system firmware upon power up using an HMAC-SHA-1 checksum.

Type                HMAC-SHA-1 Key
Use                 Verify integrity of WG-2100 system firmware.
Storage             In non-volatile memory
Applicable Service  Firmware integrity power-up self test
Access by Role      Crypto-Officer - W, R, D
Generation          HMAC-SHA-1 algorithm
Destruction         Deleted from EEPROM on restart

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

Table 8 lists the Critical Security Parameters employed by the Bluesocket WG-2100 Wireless Gateway Cryptographic Module.

Table 8: Critical Security Parameters Employed by the Bluesocket WG-2100

Key                 IPSec Pre-shared secret
Key Type            8-character Password
Key Generation      Outside of module
Storage Location    Stored in plain text in non-volatile EEPROM
Key usage           Authenticate user for IPSec traffic
Applicable Service  IPSec
Access by Role*     CO - W, R, D; User - R

Key                 IPSec server certificate
Key Type            Digital Certificate with RSA Signature
Key Generation      Outside of module (X.509 specification)
Storage Location    Stored in memory, in non-volatile EEPROM in X.509 certificate and in WG-2100 database
Key usage           Authenticate IPSec Server running on WG-2100
Applicable Service  IPSec
Access by Role*     CO - W, R, D; User - R

Key                 Enrollment CA Certificate
Key Type            Digital Certificate with RSA signature
Key Generation      Outside of module (X.509 specification)
Storage Location    Stored in non-volatile EEPROM in X.509 certificate and in WG-2100 Database
Key usage           Sign IPSec client certificate requests
Applicable Service  IPSec
Access by Role*     CO - R; User - R

Key                 IPSec Diffie-Hellman Key pairs
Key Type            Diffie-Hellman Private/public Key pair
Key Generation      Generated using the FIPS-186.2 Appendix 3.1 (Change Notice 1) PRNG
Storage Location    Stored in plain text in RAM
Key usage           Encrypt and authenticate IKE negotiations
Applicable Service  IPSec
Access by Role*     User - R
Key                 IPSec Session Keys
Key Type            TDES, DES, AES/HMAC-SHA-1 Key
Key Generation      Oakley algorithms using DH groups 1 to 3
Storage Location    Stored in plain text in volatile memory
Key usage           Encrypt IPSec traffic
Applicable Service  IPSec
Access by Role*     User - R

Key                 TLS Server Certificate
Key Type            RSA Key pair
Key Generation      Generated using the FIPS-186.2 Appendix 3.1 (Change Notice 1) PRNG
Storage Location    Stored in plaintext in volatile memory and in non-volatile EEPROM
Key usage           TLS server certificate is used to Authenticate the server and the RSA private key is used to decrypt the pre-master secret from the TLS client
Applicable Service  TLS
Access by Role*     CO - R

Key                 TLS Write Key
Key Type            TDES
Key Generation      Via standard TLS algorithms
Storage Location    Stored in plain text in volatile memory
Key usage           To encrypt TLS application data for each TLS connection
Applicable Service  TLS
Access by Role*     CO - R

Key                 TLS MAC Secret Key
Key Type            HMAC-SHA-1
Key Generation      Via standard TLS algorithm
Storage Location    Stored in plain text in volatile memory
Key usage           Secure TLS application data
Applicable Service  TLS
Access by Role*     CO - R

Key                 Firmware Integrity Key
Key Type            HMAC-SHA-1 Key
Key Generation      HMAC-SHA-1 Algorithm
Storage Location    Stored in plain text in non-volatile EEPROM
Key usage           Verify integrity of WG-2100 system firmware
Applicable Service  Firmware Integrity Power-up self test
Access by Role*     CO - W, R, D

Key                 Configuration Files
Key Type            Plain text files
Key Generation      Outside of module
Storage Location    Stored in plain text in non-volatile memory
Key usage           Define QoS, Device administration and other module settings
Applicable Service  Device administration & Configuration
Access by Role*     CO - W, R, D; User - R

Key                 Local Crypto-Officer Password
Key Type            Fixed 7-character password
Key Generation      Factory Default
Storage Location    Stored in plain text in non-volatile EEPROM
Key usage           Authenticate Local Crypto-Officer
Applicable Service  All Local Crypto officer services
Access by Role*     Local CO - R
Key                 Crypto-Officer Password
Key Type            8-character password
Key Generation      Outside of module
Storage Location    Stored in plaintext in non-volatile EEPROM
Key usage           Authenticate Crypto-Officer
Applicable Service  All Crypto-officer services
Access by Role*     CO - W, R, D

Key                 User Access Password
Key Type            8-character password
Key Generation      Outside of module
Storage Location    Stored in plain text in non-volatile EEPROM
Key usage           Authenticate User for Plaintext traffic
Applicable Service  Plain text traffic
Access by Role*     CO - W, R, D; User - R

* W - Write (input or generate) key or CSP, R - Read (use) key or CSP, D - Delete (zeroize) key or CSP

2.10 Self-Tests

As required by FIPS 140-2, the WG-2100 performs a number of startup and conditional self-tests to ensure proper operation. Self-tests include integrity checks over each binary component, cryptographic algorithm tests, and a continuous random number generator test that monitors output from the module's FIPS-approved and non-approved random number generators. The Local Crypto-Officer and the Crypto-Officer can initiate the WG-2100's self-tests by power-cycling the WG-2100.

2.10.1 Power On Self Tests

The WG-2100 executes several power-on-self-tests including:

· Triple-DES Known Answer Test (KAT)
· DES* KAT
· AES KAT
· SHA-1 KAT
· RSA KAT for key transport and authentication
· System Firmware Integrity Check Using HMAC-SHA-1
· Critical Functions Test
  o Hardware Integrity check

The WG-2100 performs the Cryptographic Algorithm tests on all the implementations of the FIPS-approved algorithms used by the module.

* DES is used for transitional phase only - valid until May 19, 2007.
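The SHA-1 known answer test, the HMAC-SHA-1 firmware integrity check and the continuous RNG test named in section 2.10 can be sketched as follows. This is an added Python example, not Bluesocket's firmware code: all function and class names are hypothetical, the key, image and stored MAC are supplied by the caller, and the known answer is the public SHA-1("abc") vector from FIPS 180.

```python
import hashlib
import hmac
import os

# SHA-1("abc") from the FIPS 180 examples: a public known-answer vector.
SHA1_KAT_INPUT = b"abc"
SHA1_KAT_DIGEST = bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")


class SelfTestError(Exception):
    """A self-test failed; the caller must stop offering crypto services."""


def sha1_kat():
    """Known Answer Test: hash a fixed input and compare with the fixed answer."""
    if hashlib.sha1(SHA1_KAT_INPUT).digest() != SHA1_KAT_DIGEST:
        raise SelfTestError("SHA-1 KAT failed")


def firmware_mac(image, key):
    """HMAC-SHA-1 over the whole firmware image."""
    return hmac.new(key, image, hashlib.sha1).digest()


def firmware_integrity_check(image, key, stored_mac):
    """Recompute the MAC and compare it with the stored one in constant time."""
    if not hmac.compare_digest(firmware_mac(image, key), stored_mac):
        raise SelfTestError("firmware integrity check failed")


def power_on_self_test(image, key, stored_mac):
    """Run the KAT before relying on SHA-1 for the integrity check."""
    try:
        sha1_kat()
        firmware_integrity_check(image, key, stored_mac)
    except SelfTestError:
        return False  # error state: the caller must not start any service
    return True


class ContinuousRNG:
    """Continuous RNG test: reject any block equal to the one before it."""

    def __init__(self, source=os.urandom, block_size=20):
        self._source = source
        self._block_size = block_size
        # The first block is kept only for comparison and is never returned.
        self._previous = source(block_size)

    def next_block(self):
        block = self._source(self._block_size)
        if block == self._previous:
            raise SelfTestError("continuous RNG test failed: repeated block")
        self._previous = block
        return block


def stuck_source(n):
    """Constructed faulty generator that always returns the same bytes."""
    return b"\x00" * n
```

A failed check returns False rather than a partial result, so the caller has a single fail-closed decision point before any service starts.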
2.10.2 Conditional Self Tests

The WG-2100 executes the following conditional self-tests:

· Continuous RNG Test on both the FIPS-approved PRNG and the non-deterministic RNG used to seed the PRNG
· RSA Pair-wise Consistency Test for key transport and authentication

2.11 Design Assurance

The development process for the Bluesocket WG-2100 Wireless Gateway includes a configuration management (CM) system. The system in use is CVS and Bluesocket employs a branching methodology for release management. The CVS tagging mechanism is utilized to mark reproducible states in the source tree. CVS also handles all versioning of the various source code files and documentation for the WG-2100.

2.12 Mitigation of Other Attacks

The module does not implement mechanisms to mitigate any other specific attacks.

3 Secure Operation of the WG-2100

The Bluesocket WG-2100 is classified as a multi-chip standalone module as defined in the Federal Information Processing Standards Publication 140-2 - Security Requirements for Cryptographic Modules. The cryptographic boundary for the WG-2100 is defined as the metal case enclosing all of the hardware and firmware system components.

This section provides guidance information to ensure FIPS 140-2-compliant operation of the WG-2100 and includes:

· Physically Securing the WG-2100
· Crypto-Officer Guidance
· User Guidance

3.1 Physically Securing the WG-2100

Periodically, the Crypto-Operator should inspect the WG-2100 to verify that its chassis has not been tampered with and the device is physically secure. This chapter provides information about verifying the physical security of the WG-2100 and includes:

· WG-2100 Tamper-evident Labels
· Inspecting the WG-2100 Chassis

3.1.1 WG-2100 Tamper-evident Labels

The Bluesocket WG-2100 is housed in a FIPS 140-2 Level 2-compliant case and is shipped from the factory in a secure condition.
The WG-2100 housing is made of a two-piece, tamper-resistant metal shell with a front-panel polycarbonate bezel. The WG-2100 case is fitted with an inner louvered metal shield that renders the case opaque and resistant to probing. The only components exposed from the case are the front-panel LCD, LEDs, Power Switch and Reset Switch, and the rear-panel AC power receptacle, network interface connectors, serial port connector, video port connector, and parallel port connector.

Access to the WG-2100's internal components can only be gained by removing the WG-2100's top cover. Tamper-evident labels are placed across the WG-2100's top cover and case, and on the back panel at the factory as shown in Figure 4. Any attempt to access the WG-2100's internal components will result in the tamper-evident labels being damaged.

3.1.2 Inspecting the WG-2100 Chassis

The WG-2100 is not FIPS 140-2-compliant if its internal components have been modified in any way. The Crypto-Officer should regularly inspect the WG-2100 chassis for signs of tampering, including deep scratches on the surface, cracks, and any physical damage to the appearance of the module, especially around the power and port connectors. Verify that the tamper-evident labels are fully intact. If evidence of tampering is discovered, the Crypto-Officer should power off the WG-2100 and contact Bluesocket, Inc.

Figure 4: Location of the Tamper-evident Labels on the WG-2100 Case
3.2 Crypto-Officer Guidance

In addition to verifying the physical security of the WG-2100 (as described in Section 3.1), the Crypto-Officer is responsible for initialization of the module, configuration and management of the module, and termination (shutdown) of the module. Detailed information for the Local Crypto-Officer and Crypto-Officer services can be found in the Bluesocket WG-2100 Wireless Gateway Crypto-Officer's Guide and the Bluesocket Wireless Gateway Setup and Administration Guide.

3.2.1 Initialization

The operator(s) assuming the Crypto-Officer role receives the module from Bluesocket via a secure delivery mechanism. The Crypto-Officer can either pick the module up directly from a Bluesocket facility, or the module can be securely shipped to the Crypto-Officer using a bonded courier. The module is shipped in a box sealed with tape. If the module is shipped to the Crypto-Officer, the Crypto-Officer should examine the box and tape used to seal the box for evidence of tampering. Additionally, the Crypto-Officer should carefully examine the shipping container containing the module for signs of tampering, which can include tears, scratches, and other irregularities in packaging.

Before the initial configuration of the module, there is no access control provided by the module. The Crypto-Officer must maintain control of the module and restrict any access to the module until configuration is completed and the module is fully initialized for FIPS 140-2-compliant operations.

Once the WG-2100 is unpacked, the Crypto-Officer must follow Bluesocket guidance for setting up the module. These steps include assuming the Crypto-Officer role to set the access control password for the module and configure the module's network settings. After this process is complete, an operator can assume full Crypto-Officer responsibilities and begin managing the module via its HTML-based administrator interface and can configure it for use by Users.
3.2.2 Management

Once the initial configuration has been completed, the Crypto-Officer role is responsible for configuring the WG-2100 to operate in a FIPS 140-2-compliant mode by completing these steps:

1. Access the WG-2100 HTML-based administrator interface.
2. Verify that the FIPS 140-2-compliant system firmware image has been installed on the WG-2100.
3. Disable the WG-2100 SSH capabilities.
4. Disable the WG-2100 PPTP capabilities.
5. Disable the WG-2100 L2TP capabilities.
6. Configure IPSEC to use only FIPS 140-2-compliant encryption algorithms (AES, DES (used for transitional phase only - valid until May 19, 2007), 3DES, or SHA-1).
7. Deactivate any IPSEC configurations using algorithms that are not FIPS 140-2-compliant.
8. Configure the WG-2100 such that plaintext data transfer through the module is not allowed.
9. Restart the WG-2100 to effect the configuration changes that have been made.

Refer to the Bluesocket WG-2100 Wireless Gateway Crypto-Officer's Guide for detailed procedures to complete the steps above.

Additionally, the Crypto-Officer is responsible for deletion of IPSec SAs for the Crypto-Officer and Users, changing the module's settings as appropriate, and monitoring the module's status logs. The Crypto-Officer is responsible for keeping track of the module, and this includes viewing the log entries for any suspicious activities.

The Crypto-Officer is required to routinely check the module's tamper-evident labels for signs of tampering. Such indications include warping or tearing of the label. If strange activity or damage to labels is found, the Crypto-Officer should take the module offline and investigate. If the module consistently malfunctions or otherwise repeatedly enters an error state, the manufacturer should be contacted.
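One way to audit a settings snapshot against steps 2 to 9 above, as an added Python example that is not part of the Bluesocket documentation. The WG-2100's configuration format is not given in this policy, so every key name in the snapshot is hypothetical and the sample data is constructed; the firmware version and the DES end date are the ones stated in this document.

```python
from datetime import date

FIPS_FIRMWARE = "4.1.0.11.fips.7"      # firmware version named in the policy
DES_VALID_UNTIL = date(2007, 5, 19)    # DES is transitional until this date
APPROVED = {"AES", "3DES", "SHA-1"}    # step 6; DES is handled separately
MUST_BE_DISABLED = ("ssh", "pptp", "l2tp")  # steps 3 to 5


def algorithm_allowed(name, today):
    """Step 6: approved algorithms, with DES accepted only until its end date."""
    if name == "DES":
        return today <= DES_VALID_UNTIL
    return name in APPROVED


def audit(cfg, today):
    """Return findings for a settings snapshot; an empty list means it passes."""
    findings = []
    if cfg.get("firmware") != FIPS_FIRMWARE:
        findings.append("step 2: firmware is not the FIPS image")
    for service in MUST_BE_DISABLED:
        # A missing key counts as enabled, so the check fails closed.
        if cfg.get(service + "_enabled", True):
            findings.append("steps 3-5: %s is enabled" % service)
    for policy in cfg.get("ipsec_policies", []):
        bad = [a for a in policy["algorithms"] if not algorithm_allowed(a, today)]
        # Step 7: only active policies matter; deactivated ones are already off.
        if bad and policy.get("active", True):
            findings.append("steps 6-7: policy %s uses %s"
                            % (policy["name"], ", ".join(bad)))
    if cfg.get("plaintext_passthrough", True):
        findings.append("step 8: plaintext data transfer is allowed")
    if cfg.get("restart_pending", True):
        findings.append("step 9: restart required to apply changes")
    return findings


# Constructed snapshot; every key name here is hypothetical.
SAMPLE = {
    "firmware": "4.1.0.11.fips.7",
    "ssh_enabled": False, "pptp_enabled": True, "l2tp_enabled": False,
    "ipsec_policies": [
        {"name": "staff", "algorithms": ["AES", "SHA-1"], "active": True},
        {"name": "legacy", "algorithms": ["DES", "MD5"], "active": True},
        {"name": "old", "algorithms": ["MD5"], "active": False},
    ],
    "plaintext_passthrough": False,
    "restart_pending": False,
}
```

Passing the audit date explicitly makes the DES cut-off testable: the same snapshot produces an extra finding for DES when audited after May 19, 2007.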
3.2.3 Termination

When use of the WG-2100 has been completed, the Crypto-Officer should delete all IPSec SAs, and fully power down the module to delete all remaining keys in volatile memory.

3.3 User Guidance

The User accesses the module's User services as configured by the Crypto-Officer. The User should be careful not to provide his or her IPSec session keys or access passwords to other parties.

4 Acronym and Abbreviation List

Table 8 lists the acronyms and abbreviations used in this document.

Table 8: Acronyms and Abbreviations Used in this Document

Acronym/Abbreviation  Definition
3DES                  Triple DES (see DES)
API                   Application Programming Interface
CA                    Certification Authority
CO                    Crypto Officer
DES                   Data Encryption Standard
DSA                   Digital Signature Algorithm
ESP                   Encapsulating Security Payload
FIPS                  Federal Information Processing Standard
FSM                   Finite State Machine
FTP                   File Transfer Protocol
HMAC                  Hashing Message Authentication Cryptography
HTTP                  HyperText Transfer Protocol
HTTPS                 HyperText Transmission Protocol, Secure
IKE                   Internet Key Exchange
IPSec                 IP Secure
KEK                   Key Encryption Keys
LCD                   Liquid Crystal Dial
LDAP                  Lightweight Directory Access Protocol
LED                   Light Emitting Diode
MD5                   Message Digest Algorithm
NIST                  National Institute of Standards and Technology
NTLM                  NT LanMan
OS                    Operating System
PC                    Personal Computer
PPTP                  Point-to-Point Tunneling Protocol
RADIUS                Remote Authentication Dial-In User Service
RSA                   Encryption A public-key cryptosystem for both encryption and authentication
SHA-1                 Secure Hash Algorithm
SSH                   Secure SHell
SSL                   Secure Sockets Layer
TLS                   Transport Layer Security Protocol
VPN                   Virtual Private Network