Transcription
Blue Coat Systems, Inc.Blue Coat Systems, Software Cryptographic ModuleSW Version: 1.0FIPS 140-2 Non-Proprietary Security PolicyFIPS Security Level: 1Document Version: 1.9Prepared for:Prepared by:Blue Coat Systems, Inc.420 N. Mary AvenueSunnyvale, CA 94085United States of AmericaCorsec Security, Inc.13135 Lee Jackson Memorial HwySuite 220Fairfax, VA 22033Phone: 1 (801) 545-4100Email: omPhone: 1 (703) 267-6050Email: info@corsec.comhttp://www.corsec.com
Security Policy, Version 1.9April 24, 2014Table of Contents1INTRODUCTION . 41.1PURPOSE . 41.2REFERENCES . 41.3DOCUMENT ORGANIZATION . 42BLUE COAT SYSTEMS, SOFTWARE CRYPTOGRAPHIC MODULE . 52.1OVERVIEW. 52.1.1Software Cryptographic Module . 62.2MODULE SPECIFICATION . 72.2.1Physical Cryptographic Boundary . 72.2.2Logical Cryptographic Boundary . 82.3MODULE INTERFACES . 102.4ROLES AND SERVICES . 112.4.1Crypto-Officer Role .112.4.2User Role .122.4.3Non-Approved Services .132.5PHYSICAL SECURITY . 142.6OPERATIONAL ENVIRONMENT . 142.7CRYPTOGRAPHIC KEY MANAGEMENT . 142.7.1Key Generation .172.7.2Key Entry and Output .172.7.3Key/CSP Storage and Zeroization .172.8EMI/EMC . 182.9SELF-TESTS . 182.9.1Power-Up Self-Tests .182.9.2Conditional Self-Tests .182.10MITIGATION OF OTHER ATTACKS . 193SECURE OPERATION . 203.1INITIAL SETUP . 203.2SECURE MANAGEMENT. 203.2.1Initialization .203.2.2Management .203.2.3Zeroization .203.2.4User Guidance .204ACRONYMS . 21Table of FiguresFIGURE 1 – TYPICAL DEPLOYMENT CONFIGURATION OF SOLERA DEEPSEE SOFTWARE . 6FIGURE 2 – DELL R720 BLOCK DIAGRAM . 8FIGURE 3 – LOGICAL BLOCK DIAGRAM AND CRYPTOGRAPHIC BOUNDARY FOR HARDWARE CONFIGURATION . 9FIGURE 4 – LOGICAL BLOCK DIAGRAM AND CRYPTOGRAPHIC BOUNDARY FOR VIRTUAL CONFIGURATION . 10List of TablesTABLE 1 – SECURITY LEVEL PER FIPS 140-2 SECTION . 6TABLE 2 – FIPS 140-2 LOGICAL INTERFACE MAPPINGS . 10TABLE 3 – CRYPTO-OFFICER SERVICES . 11TABLE 4 – USER SERVICES . 12TABLE 5 – NON-APPROVED SERVICES . 13TABLE 6 – FIPS-APPROVED ALGORITHM IMPLEMENTATIONS . 14Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 2 of 23
Security Policy, Version 1.9April 24, 2014TABLE 7 – LIST OF CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS . 15TABLE 8 – ACRONYMS . 21Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 3 of 23
Security Policy, Version 1.91April 24, 2014Introduction1.1 PurposeThis is a non-proprietary Cryptographic Module Security Policy for the Blue Coat Systems, SoftwareCryptographic Module from Blue Coat Systems, Inc. This Security Policy describes how the Blue CoatSystems, Software Cryptographic Module meets the security requirements of Federal InformationProcessing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Governmentrequirements for cryptographic modules. More information about the FIPS 140-2 standard and validationprogram is available on the National Institute of Standards and Technology (NIST) and theCommunications Security Establishment Canada (CSEC) Cryptographic Module Validation Program(CMVP) website at http://csrc.nist.gov/groups/STM/cmvp.This document also describes how to run the module in a secure FIPS-Approved mode of operation. Thispolicy was prepared as part of the Level 1 FIPS 140-2 validation of the module. The Blue Coat Systems,Software Cryptographic Module is referred to in this document as the Software Cryptographic Module,cryptographic module, or the module.1.2 ReferencesThis document deals only with operations and capabilities of the module in the technical terms of a FIPS140-2 cryptographic module security policy. More information is available on the module from thefollowing sources: The Solera Networks, a Blue Coat company website (http://www.soleranetworks.com) containsinformation on the full line of products from Solera Networks, a Blue Coat company.The CMVP website 0-1/140val-all.htm)contains contact information for individuals to answer technical or sales-related questions for themodule.1.3 Document OrganizationThe Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to thisdocument, the Submission Package contains: Vendor Evidence documentFinite State Model documentSubmission SummaryOther supporting documentation as additional referencesThis Security Policy and the other validation submission documentation were produced by Corsec Security,Inc. under contract to Blue Coat. With the exception of this Non-Proprietary Security Policy, the FIPS140-2 Submission Package is proprietary to Blue Coat and is releasable only under appropriate nondisclosure agreements. For access to these documents, please contact Blue Coat.Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 4 of 23
Security Policy, Version 1.92April 24, 2014Blue Coat Systems, SoftwareCryptographic Module2.1 OverviewBlue Coat develops tools that combine security intelligence and big data analytics to help organizationsbattle Advanced Persistent Threats (APTs) and Advanced Targeted Attacks (ATAs). This is accomplishedthrough a combination of data collection, correlation, and enrichment that is made available to securityanalysts to help them stay ahead of today’s evolving threat landscape. The Solera Networks DeepSeeplatform captures packets, indexes flows, and extracts files, from Layer 2 through Layer 7 data. Thisprovides near real-time and retrospective visibility into security relevant network events.The Software Cryptographic Module is incorporated in Solera DeepSee Software. Solera DeepSeeSoftware acts as an unobtrusive network traffic recorder. Data crossing the network is captured and savedto storage. Once in storage, data can be played back to analysis applications, or can be sent to any otherlocation on the network or to multiple applications and locations. It creates a complete record of networktraffic (including both packet headers and payloads), facilitating regeneration, filtering, and playback forlater analysis. Filtering and analysis tools can be applied during data capture or playback.The major features of the Solera DeepSee Software are: Improved network security – Network administrators have comprehensive evidence to betterprotect against intruders, data leakage, and internal misuse.Flexible Deployment Technology – Solera DeepSee Software provides the flexibility to bedeployed on any hardware platform allowing organizations of all sizes to benefit from deep packetcapture and analysis to improve network performance and security.Increased network tool options – Solera DeepSee Software works with many management,analysis, and forensic tools (commercial, custom, and open source) to monitor, manage, andsecure the network.Figure 1 below shows the details of the typical deployment configuration of the Solera DeepSee Software.The following previously undefined acronyms appear in Figure 1: API – Application Programming Interface GBPS – Gigabits per second PCAP – Packet CaptureBlue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 5 of 23
Security Policy, Version 1.9April 24, 2014Figure 1 – Typical Deployment Configuration of Solera DeepSee Software2.1.1 Software Cryptographic ModuleThe Blue Coat Systems, Software Cryptographic Module is a software shared library that is included withSolera DeepSee Software v6.5.0. It provides the primitive cryptographic services required by TLS1 forsecure communications. The module includes implementations of the following FIPS-Approvedalgorithms: Advanced Encryption Standard (AES)Triple Data Encryption Algorithm (TDES)Secure Hash Algorithm (SHA)Keyed-Hash Message Authentication Code (HMAC)Digital Signature Algorithm (DSA)RSA2 signature generation and verificationANSI3 X9.31 Pseudo Random Number Generator (PRNG)The Software Cryptographic Module operates in a FIPS-Approved mode of operation when configuredaccording to the Crypto-Officer guidance in this Security Policy and does not support a non-Approvedmode of operation. It is validated at the FIPS 140-2 Section levels as indicated in Table 1 below.Table 1 – Security Level per FIPS 140-2 SectionSectionSection TitleLevel1Cryptographic Module Specification12Cryptographic Module Ports and Interfaces13Roles, Services, and Authentication14Finite State Model15Physical SecurityN/A1TLS – Transport Layer SecurityRSA – Rivest, Shamir, Adleman3ANSI - American National Standards Institute2Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 6 of 23
Security Policy, Version 1.9April 24, 2014SectionSection TitleLevel6Operational Environment17Cryptographic Key Management18EMI/EMC419Self-tests110Design Assurance111Mitigation of Other AttacksN/A2.2 Module SpecificationThe Software Cryptographic Module is a software module with a multi-chip standalone embodiment. Theoverall security level of the module is 1. The Software Cryptographic Module is implemented in the Cprogramming language and consists of a shared library that links to Solera DeepSee Software applicationcomponents. The Solera DeepSee Software includes Solera Operating Environment v6.5.0 or v6.6.9 as itsoperating system. It is designed to execute on a host platform with a General Purpose Computer (GPC)hardware platform. The Blue Coat Systems, Software Cryptographic Module can also be installed on asupported virtual machine hypervisor. The cryptographic module was tested and found compliant on theVMware ESXi Server 5.0 on a Dell PowerEdge R720 and on VMware ESXi Server 5.5 on a DellPowerEdge R720 and on a Dell PowerEdge R720 with dual Intel Xeon processors. The following sectionsdefine the physical and logical boundary of the Software Cryptographic Module.While no claim can be made as to the correct operation of the module or the security strengths of thegenerated keys when ported to an operational environment which is not listed on the validation certificate,the vendor affirms that the module remains FIPS-compliant when executed on any of the supportedplatforms and environments: Dell model R620 Dell model MD1200 VMware Workstation VMware Player2.2.1 Physical Cryptographic BoundaryAs a software cryptographic module, there are no physical protection mechanisms implemented.Therefore, the module must rely on the physical characteristics of the host platform. The physicalboundary of the cryptographic module, whether running on a virtual hypervisor or on Dell R720 hardware,is defined by the hard enclosure around the host platform on which it runs. The module supports thephysical interfaces of on the host platform. These interfaces include the integrated circuits of the systemboard, the CPU5, network adapters, RAM6, hard disk, device case, power supply, and fans. See Figure 2for a Dell R720 block diagram.4EMI/EMC – Electromagnetic Interference / Electromagnetic CompatibilityCPU – Central Processing Unit6RAM – Random Access Memory5Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 7 of 23
Security Policy, Version 1.9April 24, 2014Figure 2 – Dell R720 Block Diagram2.2.2 Logical Cryptographic BoundaryFigure 3 shows a logical block diagram of the module executing in memory and its interactions withsurrounding software components when in the hardware configuration. Figure 3 also shows the module’slogical cryptographic boundary. The module’s services are designed to be called by other Solera softwarecomponents.Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 8 of 23
Security Policy, Version 1.9April 24, 2014Figure 3 – Logical Block Diagram and Cryptographic Boundary for Hardware ConfigurationFigure 4 shows a logical block diagram of the module executing in memory and its interactions withsurrounding software components when in the virtual configuration. Figure 4 also shows the module’slogical cryptographic boundary in the virtual configuration. The module’s services are designed to becalled by other Solera software components.Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 9 of 23
Security Policy, Version 1.9April 24, 2014Figure 4 – Logical Block Diagram and Cryptographic Boundary for Virtual Configuration2.3 Module InterfacesThe module’s logical interfaces exist at a low level in the software as an API. Both the API and physicalinterfaces can be categorized into the following interfaces defined by FIPS 140-2: Data Input, Data Output,Control Input, and Status Output. A mapping of the FIPS 140-2 logical interfaces, the physical interfaces,and the module interfaces can be found in Table 2 below.Table 2 – FIPS 140-2 Logical Interface MappingsFIPS InterfaceData InputPhysical InterfaceUSB ports (keyboard, mouse,data), network ports, serialports, SCSI/SATA portsModule Interface (API)Arguments for API calls that containdata to be used or processed by themodule.Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 10 of 23
Security Policy, Version 1.9FIPS InterfaceApril 24, 2014Physical InterfaceModule Interface (API)Data OutputMonitor, USB ports, network Arguments for API calls that contain orports, serial ports,point to where the result of the functionSCSI/SATA portsis stored.Control InputUSB ports (keyboard,mouse), network ports,serial ports, power switchAPI Function calls and parameters thatinitiate and control the operation of themodule.Status OutputMonitor, network ports,serial portsReturn values from API function calls anderror messages.Power InputPower InterfaceN/A2.4 Roles and ServicesThe Software Cryptographic Module supports the following two roles for operators, as required by FIPS140-2: Crypto-Officer (CO) role and User role. As allowed by FIPS 140-2, the module does not performauthentication of any operators. Both roles are implicitly assumed when services are executed.Note 1: Table 3 and Table 4 use the following definitions for entries in the “CSP7 and Type of Access”column.R – Read: The plaintext CSP is read by the service.W – Write: The CSP is established, generated, modified, or zeroized by the service.X – Execute: The CSP is used within an Approved (or allowed) security function or authenticationmechanism.Note 2: Input parameters of an API call that are not specifically a signature, hash, message, plaintext,ciphertext, or a key are NOT itemized in the “Input” column, since it is assumed that most API calls willhave such parameters.Note 3: The “Input” and “Output” columns are with respect to the module’s logical boundary.2.4.1 Crypto-Officer RoleThe operator in the Crypto-Officer role installs, uninstalls, and administers the module via the SoleraDeepSee Software interfaces. An operator assumes the CO role by invoking one of the following services:Table 3 – Crypto-Officer ServicesService7DescriptionInputInitialize FIPSmodePerforms integrity checks andpower-up self-tests. Sets theFIPS mode flag to on.API callparametersShow statusReturns the current mode ofNonethe module (FIPS or non-FIPS).OutputCSP and Type ofAccessStatusIntegrity checkHMAC key, ANSIX9.31 PRNG seed,ANSI X9.31 PRNGseed keyStatusNoneCSP – Critical Security ParameterBlue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 11 of 23
Security Policy, Version 1.9April 24, 2014ServiceDescriptionRun self-tests on Performs power-up self-tests.demandInputNoneOutputStatusCSP and Type ofAccessIntegrity checkHMAC key2.4.2 User RoleThe operator in the User role is a consumer of the module’s security services. The role is assumed byinvoking one of the following cryptographic services:Table 4 – User ServicesServiceDescriptionInputOutputCSP and Type ofAccessGenerate randomnumber (ANSIX9.31)Returns the specified numberof random bits to callingapplication.API callparametersStatus,ANSI X9.31 RNG8random bits seed – RWXANSI X9.31 seed key– RXGenerate asymmetric keyGenerate and return asymmetric key (AES, TDES).API callparameters,ANSI X9.31,RNG seedStatus, keyGenerate messagedigest (SHS9)Compute and return amessage digest using SHSalgorithms.API callparameters,messageStatus, hash NoneGenerate keyedhash (HMAC)Compute and return amessage authentication codeusing HMAC-SHAx.API callparameters,key, messageStatus, hash HMAC key – RXZeroize keyZeroizes and de-allocatesmemory containing sensitivedata.Reboot orpower cycleStatusSymmetricencryptionEncrypt plaintext usingsupplied key and algorithmspecification (TDES or AES)API callStatus,parameters, ciphertextkey, plaintextANSI X9.31 RNGseed – RXANSI X9.31 seed key– RXAES – R,WTDES – R, WAES key – WTDES key – WHMAC key – WRSA private/publickey – WDSA private/publickey – WDH10 components –WRNG seed – WAES key – RXTDES key – RX8RNG – Random Number GeneratorSHS – Secure Hash Standard10DH – Diffie-Hellman9Blue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 12 of 23
Security Policy, Version 1.9April 24, 2014ServiceDescriptionInputOutputCSP and Type ofAccessSymmetricdecryptionDecrypt ciphertext usingsupplied key and algorithmspecification (TDES or AES)API callparameters,key,ciphertextStatus,plaintextAES key – RXTDES key – RXGenerateasymmetrickey pairGenerate and return thespecified type of asymmetrickey pair (RSA or DSA)API callparametersStatus, keypairRSA private/publickey – WDSA private/publickey – WRSA key wrappingWrap plaintext using RSApublic key (used for keytransport)API callStatus,parameters, ciphertextkey, plaintextRSA keyunwrappingUnwrap ciphertext using RSA API callprivate key (used for textDiffie-Hellmanprimitiveimplementation*Perform Diffie-Hellmanprimitive implementationAPI callparameterStatus, key DH components – WcomponentsSignatureGenerationGenerate a signature for thesupplied message using thespecified key and algorithm(RSA or DSA)API callparameters,key, messageStatus,signatureRSA private key – RX,DSA private key – RXSignatureVerificationVerify the signature on thesupplied message using thespecified key and algorithm(RSA or DSA)API callparameters,key,signature,messageStatusRSA public key – RXDSA public key – RXRSA public key – RXRSA private key – RX*Diffie-Hellman primitive is implemented to perform in accordance with scenario 6 in section D.8 of FIPS140-2 Implementation Guidance. This service is provided for calling process use and is not used toestablish keys into the module.2.4.3 Non-Approved ServicesThe following cryptographic services listed in Table 5 are not allowed in FIPS-Approved mode.Table 5 – Non-Approved ServicesServiceCryptographic FunctionSymmetric encryption/decryptionAES CFB1Key establishmentElliptic Curve Diffie-HellmanSignature generation and verificationElliptic Curve DSABlue Coat Systems, Software Cryptographic Module 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 13 of 23
Security Policy, Version 1.9April 24, 20142.5 Physical SecurityThe Blue Coat Systems, Software Cryptographic Module is a software module, which FIPS defines as amulti-chip standalone cryptographic module. As such, it does not include physical security mechanisms.Thus, the FIPS 140-2 requirements for physical security are not applicable.2.6 Operational EnvironmentThe module was tested and found compliant on Solera Operating Environment v6.5.0, which is aproprietary OS and a Dell PowerEdge model R720 with dual Intel Xeon processors. The module was alsotested and found compliant on Solera Operating Environment v6.5.0 running on VMware ESXi v5.0 on aDell PowerEdge model R720 with dual Intel Xeon processors. The module was also tested and foundcompliant on Solera Operating Environment v6.6.9, which is a proprietary OS and a Dell PowerEdgemodel R720 with dual Intel Xeon processors. The module was also tested and found compliant on SoleraOperating Environment v6.6.9 running on VMware ESXi v5.5 on a Dell PowerEdge model R720 with dualIntel Xeon processors. All cryptographic keys and CSPs are under the control of the operating system,which protects the CSPs against unauthorized disclosure, modification, and substitution. The module onlyallows access to CSPs through its well-defined API. The tested operating system segregates user processesinto separate process spaces. Each process space is an independent virtual memory area that is logicallyseparated from all other processes. The Module functions entirely within the process space of the processthat invokes it, and thus satisfies the FIPS 140-2 requirement for a single user mode of operation.2.7 Cryptographic Key ManagementThe module implements the FIPS-Approved algorithms listed in Table 6 below.Table 6 – FIPS-Approved Algorithm ImplementationsAlgorithmCertificate NumberAES in ECB11, CBC12, CFB813, CFB128 and OFB14 modes (128-,192-, 256-bits)2153Triple-DES in ECB, CBC, CFB8, CFB64, and OFB modes with 168-bit keys1364Symmetric Key AlgorithmAsymmetric Key AlgorithmRSA (ANSI X9.31) key generation (1024-, 1536-, 2048-, 3072-, 4096-bit keys)and signature generation/verification (1024-, 1536-, 2048-, 3072-, 4096-bitkeys)RSA (PKCS15 #1.5) signature generation/verification (1024-, 1536-, 2048-,3072-, 4096-bit keys)RSA (PSS16) signature generation/verification (1024-, 1536-, 2048-, 3072-,4096-bit keys)DSA signature generation/verification and key generation 1024-bit key110811081108669Secure Hashing Algorithm (SHA)SHA-1, SHA-224, SHA-256, SHA-384, SHA-5121873Message Authentication Code (MAC)11ECB – Electronic CodebookCBC – Cipher-Block Chaining13CFB – Cipher Feedback14OFB – Output Feedback15PKCS – Public-Key Cryptography Standards16PSS – Probabilistic Signature SchemeBlue Coat Systems, Software Cryptographic Module12 2014 Blue Coat Systems, Inc.This document may be freely reproduced and distributed whole and intact including this copyright notice.Page 14 of 23
Security Policy, Version 1.9April 24, 2014AlgorithmCertificate NumberHMAC- SHA-1, -SHA-224, -SHA-256, -SHA-384, -SHA-5121318Pseudo Random Number Generation (PRNG)ANSI X9.31 Appendix A.2.4 PRNG with AES 128-, 192-, and 256-bit keys1101NOTE: The following security functions have been deemed “deprecated” or “restricted” by NIST. Please refer to NISTSpecial Publication 800-131A for further details. two-key Triple DES for encryption ANSI X9.31 PRNG key lengths providing no more than 80 bits of security strength for digital signature generationThe module provides the following non-FIPS-Approved algorithms that are allowed in the FIPS-Approvedmode: RSA key wrapping; key establishment methodology provides between 80 and 150 bits ofencryption strength Diffie-Hellman primitive implementation provides between 80 and 219 bits of encryption strengthThe module provides the following algorithms that are not allowed in the FIPS-Approved mode: Elliptic Curve Diffie-Hellman Elliptic Curve DSA AES CFB1The module supports the CSPs listed below in Table 7.Table 7 – List of Cryptographic Keys, Cryptographic Key Components, and CSPsKeyKey TypeRSA PrivatekeyGeneration /InputOutputStorageAPI callparameterPlaintext involatilememoryBy API call,power cycle,or hostrebootKey exchangeNever exits Plaintext inthe module volatilememoryBy API call,power cycle,or hostrebootSignaturegeneration,keyunwrapping1API callparameterPlaintext involatilememoryBy API call,power cycle,or host
Blue Coat Systems, Inc. Blue Coat Systems, Software Cryptographic Module SW Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.9 Prepared for: Prepared by: Blue Coat Systems, Inc. Corsec Security, Inc. 420 N. Mary Avenue Sunnyvale, CA 94085 United States of America 13135 Lee Jackson Memorial Hwy
