Nokia Crypto Module Security Policy - CSRC


Nokia Cryptographic Module
FIPS 140-2 Security Policy

Version No.: 2.24
Date: June 14, 2018

Prepared by:
Nokia of America Corporation (NoAC)
800 5th Avenue, Suite 3700
Seattle, WA 98104

© 2018 Nokia of America Corporation (NoAC). This document can be reproduced and distributed only whole and intact, including this copyright notice.

Table of Contents

1 Introduction
    1.1 Purpose of the Security Policy
    1.2 Target Audience
2 Cryptographic Module Specification
    2.1 Module Description
    2.2 Description of Approved Mode
    2.3 Cryptographic Module Boundary
3 Cryptographic Module Ports and Interfaces
4 Roles, Services, and Authentication
    4.1 Roles
    4.2 Services
    4.3 Operator Authentication
    4.4 Mechanism and Authentication Strength
5 Physical Security
6 Operational Environment
    6.1 Policy
7 Cryptographic Key Management
    7.1 Key/CSP Generation
    7.2 Key Entry and Output
    7.3 Key Storage
    7.4 Key Zeroization
8 Electromagnetic Interference/Compatibility
9 Self Tests
    9.1 Integrity test
    9.2 Power-up Tests
    9.3 On-demand Tests
10 Design Assurance
    10.1 Configuration Management
    10.2 Delivery and Operation
11 Mitigation of Other Attacks
12 Abbreviations
13 References

List of Figures

Figure 1: Software Block Diagram
Figure 2: Hardware Block Diagram

List of Tables

Table 1: Security Levels
Table 2: Tested Platforms
Table 3: Ports and Interfaces
Table 4: Services
Table 5: Key Management Details
Table 6: EMI and EMC

1 Introduction

This document is a non-proprietary FIPS 140-2 Security Policy for the Nokia Cryptographic Module (the Module) with version 2.0, 3.0 and 3.0.1. It contains a specification of the rules under which the Module must operate and describes how the Module meets the requirements as specified in Federal Information Processing Standards Publication 140-2 (FIPS PUB 140-2) for a Security Level 1, multi-chip, standalone software module.

1.1 Purpose of the Security Policy

There are three major reasons why a security policy is requested:

- It is required for FIPS 140-2 validation.
- It allows individuals and organizations to determine whether the cryptographic module, as implemented, satisfies the stated security policy.
- It describes the capabilities, protections, and access rights provided by the cryptographic module that will allow individuals and organizations to determine whether it meets their security requirements.

1.2 Target Audience

This document will be one of many that are submitted as a package for FIPS validation; it is intended for the following people:

- Developers working on the release.
- The FIPS 140-2 testing lab.
- Cryptographic Module Validation Program (CMVP).
- Consumers.

2 Cryptographic Module Specification

This document is the non-proprietary security policy for the Nokia Cryptographic Module, and was prepared as part of the requirements process that will ensure its conformance with Federal Information Processing Standard (FIPS) 140-2, Level 1. The following section describes the Module and how it complies with the FIPS 140-2 standard in each of the required areas.

2.1 Module Description

Table 1: Security Levels provides an overview of the security level required for each validation section.

Security Component                            Security Level
Cryptographic Module Specification            1
Cryptographic Module Ports and Interfaces     1
Roles, Services, and Authentication           1
Finite State Model                            1
Physical Security                             N/A
Operational Environment                       1
Cryptographic Key Management                  1
EMI/EMC                                       1
Self Tests                                    1
Design Assurance                              1
Mitigation of Other Attacks                   N/A

Table 1: Security Levels

The Module has been tested by laboratory on the platforms shown in Table 2: Tested Platforms.

Module/Implementation        Processor                   OS and Version                          Test Platform
Nokia Crypto Module 2.0      AMD Geode                   Linux 2.6 32-bit (single-user mode)     oMG 2000
Nokia Crypto Module 2.0      Intel x86                   Vyatta 6.4 32-bit (single-user mode)    Dell PowerEdge R210
Nokia Crypto Module 3.0      Intel x64 with AES-NI       Linux 3.6 64-bit                        Peplink Balance 2500
Nokia Crypto Module 3.0.1    Intel(R) Xeon(R) E3-1220    Linux Kernel 4.4 VyOS 1.6               Sierra Wireless Airlink Connection Manager Dell PowerEdge R230

Table 2: Tested Platforms

The version 3.0.1 introduces non-security relevant changes in order to adapt to kernel version 4.4 and 3.0 introduces non-security relevant changes in order to adapt to MIPS and PowerPC platforms with newer kernel version. It is functionally equivalent to Nokia Crypto Module 2.0.

In addition to the configurations tested by the laboratory, vendor-affirmed testing was performed using Nokia Crypto Module 2.0 on the following platforms:

- Dell PowerEdge R220 with Intel x86 and Vyatta 6.4 32-bit
- Cisco UCS C220 M3 with Intel Xeon E5 x86-64 and RHEL 6.6 running on VMware ESXi 5.1 Hypervisor.
- oMG 2000 with AMD Geode and linux kernel 3.4.86
- Cisco UCS C220 M3 with Intel Xeon E5 x86-64 & RHEL 6.7 64-bit running on VMware ESXi 5.1 Hypervisor.
- Cisco UCS C220 M3 with Intel Xeon E5 i686 & RHEL 6.7 64-bit running on VMware ESXi 5.1 Hypervisor.

Vendor-affirmed testing was performed on the following platforms with Nokia Crypto Module 3.0.

- Linux 3.6 32-bit with PowerPC running on Pepwave MAX HD4 MediaFast
- Linux 3.6 32-bit with MIPS running on Pepwave MAX BR1 MK2
- Linux 3.6 64-bit with Intel Core i5 with AES-NI running on Peplink FusionHub VMware ESXi 5.5.0 Hypervisor

Vendor-affirmed testing was performed on the following platforms with Nokia Crypto Module 3.0.1.

- VyOS 1.6 with Linux kernel 4.4 on Intel Xeon E3-1220 running on Sierra Wireless Airlink Connection Manager Dell PowerEdge R220
- NetCloud OS 6 with Linux kernel 3.14 on ARM Cortex-A7 running on Cradlepoint IBR900 Series Routers
- NetCloud OS 6 with Linux kernel 3.14 on ARM Cortex-A7 running on Cradlepoint IBR1700 Series Routers
- NetCloud OS 6 with Linux kernel 3.14 on ARM Cortex-A7 running on Cradlepoint AER2200 Series Routers
- NetCloud OS 7 with Linux kernel 4.4.100 on ARM Cortex-A7 running on Cradlepoint IBR900 Series Routers
- NetCloud OS 7 with Linux kernel 4.4.100 on ARM Cortex-A7 running on Cradlepoint IBR1700 Series Routers
- NetCloud OS 7 with Linux kernel 4.4.100 on ARM Cortex-A7 running on Cradlepoint AER2200 Series Routers

Note: Per IG G.5, the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when the module is ported to the vendor affirmed platforms that are not listed on the validation certificate.

2.2 Description of Approved Mode

The Module supports only the Approved mode and provides support for the following approved functions:

- AES (CCM, ECB, CBC, CTR, GCM)
- TDES (ECB, CBC)
- HMAC (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)
- SHS (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)
- SHA-1 (for integrity check only, Cert. #1982, Cert. #1983, Cert. #3552, Cert. #3759)
- HMAC-SHA-1 (for integrity check only, Cert. #1413, Cert. #1414, Cert. #2849, Cert. #3033)

2.3 Cryptographic Module Boundary

The logical boundary of the module is the binary code of the Nokia Cryptographic Module 2.0, 3.0, 3.0.1. Its distribution package file is:

- crypto-loader_2.0.831_i386.deb for Vyatta 6.4
- crypto-loader-2.0-831coco.i586.rpm for Linux 2.6
- 20161026-coco-kernel-crypto-2005.tar.gz for Linux 3.6
- crypto-loader_3.0.1.3004_amd64.deb for Linux 4.4

Figure 1 shows the logical boundary of the module's software components.

Figure 1: Software Block Diagram

The physical boundary of the module is the enclosure of the test platform on which the software module executes. Figure 2 shows the physical boundary of the module and hardware components of the platforms on which the module executes.

Figure 2: Hardware Block Diagram

3 Cryptographic Module Ports and Interfaces

Table 3: Ports and Interfaces shows which FIPS interfaces and ports the Module utilizes.

FIPS Interface    Ports
Data Input        API input parameters
Data Output       API output parameters
Control Input     API function calls, HMAC-SHA-1 value in the binary code
Status Output     API return codes, kernel log files, kernel process files
Power Input       Physical power connector

Table 3: Ports and Interfaces

4 Roles, Services, and Authentication

4.1 Roles

The User and Crypto Officer roles are implicitly assumed by the entity that is accessing services implemented by the Module, so no further authentication is required. The services associated with each role are explained in the next section.

4.2 Services

Table columns: Service; Roles (User, CO); CSP; Modes; FIPS Approved (Cert #)¹; Standard; API Functions.

Service Provided via Symmetric Algorithms

AES
    CSP: 128-, 192-, 256-bit keys
    Encryption: Input: plaintext, IV, key. Output: ciphertext
    Decryption: Input: ciphertext, IV, key. Output: plaintext
    FIPS Approved (Cert #): Cert # 2299 (AMD Geode), Cert # 2300 (Intel x86), Cert # 4317 (Intel x64), Cert # 4582 (Intel Xeon)
    Standard: FIPS 197
    API Functions: All API functions with prefix fips_crypto_cipher_, fips_crypto_ablkcipher and fips_crypto_blkcipher; ablkcipher_request_set_tfm; ablkcipher_request_free; ablkcipher_request_set_callback; ablkcipher_request_set_crypt; crypto_free_blkcipher; crypto_has_blkcipher

TDES
    CSP: K1, K2, K3 independent
    Modes: ECB, CBC
    FIPS Approved (Cert #): Cert # 1446 (AMD Geode), Cert # 1447 (Intel x86), Cert # 2333 (Intel x64), Cert # 2435 (Intel Xeon)
    Standard: SP 800-67
    API Functions: All API functions with the prefix of fips_crypto_cipher_, fips_crypto_ablkcipher and fips_crypto_blkcipher; crypto_free_ablkcipher; crypto_has_ablkcipher; ablkcipher_request_set_tfm; ablkcipher_request_free; ablkcipher_request_set_callback; ablkcipher_request_set_crypt; crypto_free_blkcipher; crypto_has_blkcipher

GCM
    CSP: 128-, 192-, 256-bit keys
    IV: 96-bit IV supported; Max IV length: 1024
    Tag length: supports 32, 63, 96, 104, 112, 120, and 128
    Encryption: Input: plaintext, IV, key, AAD. Output: ciphertext
    Decryption: Input: ciphertext, IV, key, AAD. Output: plaintext
    FIPS Approved (Cert #): Cert # 2299 (AMD Geode), Cert # 2300 (Intel x86), Cert # 4317 (Intel x64), Cert # 4582 (Intel Xeon)
    Standard: SP 800-38D
    API Functions: All API functions with prefix fips_crypto_gcm

CCM
    CSP: 128-, 192-, and 256-bit key sizes
    Nonce len: 7–13
    Tag len: 4, 6, 8, 10, 12, 14, 16
    Encryption: Input: plaintext, IV, key, AAD. Output: ciphertext
    Decryption: Input: ciphertext, IV, key, AAD. Output: plaintext
    FIPS Approved (Cert #): Cert # 2299 (AMD Geode), Cert # 2300 (Intel x86), Cert # 4317 (Intel x64), Cert # 4582 (Intel Xeon)
    Standard: FIPS SP800-38C
    API Functions: API functions with prefix fips_crypto_ccm

Hash Function

    CSP: N/A
    Input: message. Output: message digest
    FIPS Approved (Cert #): Cert # 1980 (AMD Geode), Cert # 1981 (Intel x86), Cert # 3553 (Intel x64), Cert # 3758 (Intel Xeon)
    Standard: FIPS 180-4
    API Functions: All API functions with prefix fips_crypto_hash; fips_crypto_free_hash

Message Authentication Code (MAC)

HMAC-SHA512
    Input: HMAC key, message. Output: HMAC value of the message
    FIPS Approved (Cert #): Cert # 1411 (AMD Geode), Cert # 1412 (Intel x86), Cert # 2850 (Intel x64), Cert # 3032 (Intel Xeon)
    Standard: FIPS 198
    API Functions: API functions with prefix fips_crypto_shash, hmac; fips_crypto_free_hash

Other non-Security Services

Initialization
    Input: N/A. Output: N/A
    Other columns: N/A
    API Functions: fips_crypto_module_init

Self Test
    Input: N/A. Output: Return code
    Other columns: N/A
    API Functions: Run self test

Get status
    Input: N/A. Output: Module messages
    Other columns: N/A
    API Functions: Kernel log

Table 4: Services

¹ CAVS certificate refers to the vendor name Coco Communications Corp., which is a prior name for Unium Inc, acquired by Nokia of America Corporation (NoAC)

4.3 Operator Authentication

There is no operator authentication; assumption of role is implicit by action.

4.4 Mechanism and Authentication Strength

No authentication is required at security level 1; authentication is implicit by assumption of the role.

5 Physical Security

This is a software module and provides no physical security.

6 Operational Environment

The Module operates in a modifiable operational environment.

6.1 Policy

The Module prevents access by other processes to keys and CSPs during the time the cryptographic module is in the Approved mode. The Module provides a private context per process for key and CSP storage, which is then destroyed upon request by the process or when the Module is powered off. The application that uses the Module is the single user of the Module. No concurrent operators are allowed.

The ptrace(2) system call, the debugger (gdb(1)) and strace(1) shall not be used. In addition, other tracing mechanisms offered by the Linux environment such as ftrace or systemtap shall not be used.

7 Cryptographic Key Management

7.1 Key/CSP Generation

The Module neither generates keys in general nor performs key generation for any of its approved algorithms; instead, keys are passed in from clients by way of algorithm APIs.

7.2 Key Entry and Output

All CSPs enter the Module's logical boundary as cryptographic algorithm API parameters in plaintext. They are associated with memory locations and do not persist across power cycles. The Module does not output intermediate key generation values or other CSPs.

7.3 Key Storage

The Module does not provide persistent key storage for keys or CSPs and they also are not stored inside the Module. Instead, pointers to plaintext keys are passed through the Module and keys/CSPs exist only in the volatile memory that is assigned to the process within which the Module runs.

7.4 Key Zeroization

Whenever CSPs are de-allocated, zeroization is done using different kernel memory zeroization APIs, with a value of 0 and a size equal to that of the CSP. The APIs listed in the table below internally call memset() function for performing zeroization. Table 5 summarizes details regarding what key management the Module provides.

Key/CSP Name: 128-, 192-, and 256-bit AES keys
    Authentication Roles: User, Crypto Officer
    Generation: N/A
    Type: Encrypt and decrypt
    Entry: API parameter
    Output: N/A
    Storage: N/A
    Zeroization API: fips_crypto_free_tfm()

Key/CSP Name: TDES 3-Key
    Authentication Roles: User, Crypto Officer
    Generation: N/A
    Type: Encrypt and decrypt
    Entry: API parameter
    Output: N/A
    Storage: N/A
    Zeroization API: fips_crypto_free_tfm()

Key/CSP Name: HMAC keys
    Authentication Roles: User, Crypto Officer
    Generation: N/A
    Type: Keyed-Hash Message Authentication
    Entry: API function
    Output: N/A
    Storage: N/A
    Zeroization API: fips_crypto_free_ahash()

Key/CSP Name: HMAC key for Module integrity check
    Authentication Roles: Crypto Officer
    Generation: N/A
    Type: Keyed-Hash Message Authentication
    Entry: API function
    Output: N/A
    Storage: module binary
    Zeroization: zeroization is not required per FIPS IG 7.4.

Table 5: Key Management Details

8 Electromagnetic Interference/Compatibility

The Module's electromagnetic interference (EMI) and electromagnetic compatibility (EMC) features are summarized in Table 6: EMI and EMC.

Testing Platform                                   Product Name/Model    Model Number    EMI/EMC Notes
oMG                                                oMG                   2000            Compliant to FCC part 15 Class A per FCC report
Dell                                               PowerEdge             R210            Compliant to FCC part 15 Class A per "PowerEdge R210 Dell Technical Guide"
Peplink                                            Balance               2500            Compliance to FCC part 15 Class A per FCC report
Sierra Wireless Airlink Connection Manager Dell    PowerEdge             R230            Compliance to FCC part 15 Class A per "PowerEdge R230 Guide"

Table 6: EMI and EMC

9 Self Tests

The Module includes known-answer tests that are invoked when the Module is loaded into the kernel. If the known-answer tests fail, error messages are logged in the kernel log file and the Module causes a kernel panic that prevents it from performing further functions. The operating system will be rebooted to recover from the ERROR state. If the tests pass, the file /sys/kernel/crypto_module/fips_initialized will then contain a "1", which indicates the Module is in FIPS mode. The directory /proc/crypto-fips provides a list of the approved algorithms.

9.1 Integrity test

During the software build process, the Module is used to compute a HMAC-SHA-1 message authentication code (MAC) of the Module binary—the MAC and the required key are then stored with the Module. Prior to loading the Module, a HMAC-SHA-1 MAC of the binary is again computed and compared to the original. If the comparison passes, the Module is loaded and the Power-up Tests are run; if the tests pass, the Module enters the FIPS Approved mode. If the comparison fails, the Module is not loaded and is unavailable.

9.2 Power-up Tests

At module start-up, known-answer tests (also referred to as cryptographic algorithm tests)—which are based on the following algorithms—are performed automatically without requiring operator intervention. When the module is performing self tests, no API functions are available and no data output is possible until the module has completed performing the self test. If the value calculated and the known answer do not match, the Module causes a kernel panic.

- AES encryption and decryption are tested separately for ECB, CBC, CTR, GCM and CCM modes
- Triple-DES encryption and decryption are tested separately for ECB and CBC modes
- HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
- SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

9.3 On-demand Tests

Self tests may be invoked by restarting the operating system causing the power-up tests to run.
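The load sequence described in 9.1 and 9.2 (integrity MAC comparison, then known-answer test, then Approved mode), as an added example that is not code from the Nokia module or from this policy. The sample binary, key and all function names are constructed for illustration; the known answer is RFC 2202 test case 1 for HMAC-SHA-1, and an exception stands in for the kernel panic.

```python
import hashlib
import hmac

# RFC 2202 test case 1 for HMAC-SHA-1: a published known answer.
KAT_KEY = bytes([0x0B] * 20)
KAT_MSG = b"Hi There"
KAT_MAC = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")

# Constructed sample data (not the real module binary or its key).
SAMPLE_BINARY = b"\x7fELF" + bytes(range(64))
SAMPLE_KEY = b"constructed-integrity-key"


class ModuleError(Exception):
    """The module stays unavailable (stands in for the kernel panic)."""


def hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def known_answer_test(mac_fn=hmac_sha1):
    """Power-up test: recompute a known vector with the implementation under test."""
    return hmac.compare_digest(mac_fn(KAT_KEY, KAT_MSG), KAT_MAC)


def sign_at_build(binary, key, mac_fn=hmac_sha1):
    """Build step: MAC of the binary, stored with the module."""
    return mac_fn(key, binary)


def load_module(binary, key, stored_mac, mac_fn=hmac_sha1):
    """Integrity check first, then the KAT; only then is the module usable."""
    if not hmac.compare_digest(mac_fn(key, binary), stored_mac):
        raise ModuleError("integrity check failed: module not loaded")
    if not known_answer_test(mac_fn):
        raise ModuleError("known-answer test failed: error state")
    return "approved"


def demo():
    """Outcome of a clean load, a corrupted binary, and a faulty MAC routine."""
    mac = sign_at_build(SAMPLE_BINARY, SAMPLE_KEY)
    results = {"clean": load_module(SAMPLE_BINARY, SAMPLE_KEY, mac)}

    corrupted = bytearray(SAMPLE_BINARY)
    corrupted[10] ^= 0x01  # a single flipped bit in the binary
    try:
        load_module(bytes(corrupted), SAMPLE_KEY, mac)
    except ModuleError as exc:
        results["corrupted"] = str(exc)

    # A faulty routine is self-consistent: it produced the stored MAC and
    # reproduces it at load time, so only the known answer exposes it.
    def faulty(key, data):
        return hashlib.sha1(key + data).digest()  # not HMAC

    faulty_mac = sign_at_build(SAMPLE_BINARY, SAMPLE_KEY, faulty)
    try:
        load_module(SAMPLE_BINARY, SAMPLE_KEY, faulty_mac, faulty)
    except ModuleError as exc:
        results["faulty"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because the MAC key is stored with the module, this comparison detects corruption of the binary; it does not by itself stop a party able to rewrite both the binary and the stored MAC.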

10 Design Assurance

10.1 Configuration Management

The source code for the Module is stored on a server that is connected to a private corporate intranet. Changes to the source code, and other required files, are managed with the git distributed version control system, which provides traceability between developers, the source code, and the released binary module. Each binary is tracked with an embedded build number that has a matching tag in the revision control system, which identifies the source files that were used to produce the binary.

10.2 Delivery and Operation

This module is delivered as a kernel module that is loaded into the kernel after an integrity check is performed. During the kernel module initialization process, the module invokes the Self Tests and upon success, enters FIPS mode. The module is then loaded into the kernel before any client can request the cryptographic services it provides.

11 Mitigation of Other Attacks

No other attacks are mitigated.

12 Abbreviations

AES     Advanced Encryption Specification
CAVP    Cryptographic Algorithm Validation Program
CBC     Cipher Block Chaining
CCM     Counter with Cipher Block Chaining-Message Authentication Code
CFB     Cipher Feedback
CMVP    Cryptographic Module Validation Program
CSP     Critical Security Parameter
CVT     Component Verification Testing
DES     Data Encryption Standard
DSA     Digital Signature Algorithm
FSM     Finite State Model
GCM     Galois Counter Mode
HMAC    Hash Message Authentication Code
KAT     Known Answer Test
MAC     Message Authentication Code
NIST    National Institute of Science and Technology
OFB     Output Feedback
O/S     Operating System
RNG     Random Number Generator
RSA     Rivest, Shamir, Adleman
SHA     Secure Hash Algorithm
SHS     Secure Hash Standard
SVT     Scenario Verification Testing
TDES    Triple DES

13 References

[1] FIPS 140-2 Standard, ips1402.pdf
[2] FIPS 140-2 Implementation Guidance, s1402/FIPS1402IG.pdf
[3] FIPS 140-2 Derived Test Requirements, s1402/FIPS1402DTR.pdf
[4] FIPS 197 Advanced Encryption Standard, s-197.pdf
[5] FIPS 180-4 Secure Hash Standard, ips-180-4.pdf
[6] FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC), IPS-198-1 final.pdf
[7] NIST SP 800-38C Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, /SP800-38C updatedJuly20 2007.pdf
[8] NIST SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, /SP-80038D.pdf /SP800-38C updated-July20 2007.pdf
