Oracle Acme Packet VME Security Policy 1 3


FIPS 140-2 Non-Proprietary Security Policy
Acme Packet VME
FIPS 140-2 Level 1 Validation
Software Version: ECz 7.5.0
Date: December 11, 2017
Document Version 1.3
Oracle Corporation

This document may be reproduced whole and intact including the Copyright notice.

Title: Acme Packet VME Security Policy
Date: December 11, 2017
Author: Acumen Security, LLC.
Contributing Authors:
Oracle Communications Engineering
Oracle Security Evaluations – Global Product Security

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: 1.650.506.7000
Fax: 1.650.506.7200
oracle.com

Copyright 2017, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

TABLE OF CONTENTS

1. Introduction
   1.1 Overview
   1.2 Document Organization
2. Acme Packet VME
   2.1 Functional Overview
3. Cryptographic Module Specification
   3.1 Definition of the Cryptographic Module
   3.2 Definition of the Physical Cryptographic Boundary
   3.3 FIPS 140-2 Validation Scope
   3.4 Approved or Allowed Security Functions
   3.5 Non-Approved But Allowed Security Functions
   3.6 Non-Approved Security Functions
4. Module Ports and Interfaces
5. Physical Security
6. Roles and Services
   6.1 Operator Services and Descriptions
   6.2 Unauthenticated Services and Descriptions
   6.3 Operator Authentication
       6.3.1 Crypto-Officer: Password-Based Authentication
       6.3.2 User: Certificate-Based Authentication
   6.4 Key and CSP Management
Power-Up Self-Tests
Software Integrity Test
Mocana Self-tests
OpenSSL Self-Tests
Critical Functions Self-Tests
Conditional Self-Tests
Crypto-Officer and User Guidance
Secure Setup and Initialization
AES-GCM IV Construction/Usage
Mitigation of Other Attacks
10 Operational Environment
Appendices
Acronyms, Terms and Abbreviations
References

List of Tables

Table 1: FIPS 140-2 Security Requirements
Table 2: FIPS Approved or Allowed Security Functions
Table 3: Non-Approved but Allowed Security Functions
Table 4: Non-Approved Disallowed Functions
Table 5 – Mapping of FIPS 140 Logical Interfaces to Logical Ports
Table 6 – Service Summary
Table 7 – Operator Services and Descriptions
Table 8 – Unauthenticated Operator Services and Descriptions
Table 9 – Crypto-Officer Authentication
Table 10 – Crypto-Officer Authentication
Table 11 – CSP Table
Table 12 – Operating Environment
Table 13 – Acronyms
Table 14 – References

List of Figures

Figure 1 – VME Logical Cryptographic Boundary

1. Introduction

1.1 Overview

This document is the Security Policy for the Acme Packet VME developed by Oracle Corporation. Acme Packet VME is also referred to as “the module or module”. This Security Policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 1. It also describes how the Acme Packet VME functions in order to meet the FIPS requirements, and the actions that operators must take to maintain the security of the module.

This Security Policy describes the features and design of the Acme Packet VME module using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CSEC Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information.

1.2 Document Organization

The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Oracle Non-Proprietary Security Policy
- Oracle Vendor Evidence document
- Finite State Machine
- Entropy Assessment Document
- Other supporting documentation as additional references

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Oracle and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Oracle.

2. Acme Packet VME

2.1 Functional Overview

The Acme Packet VME is specifically designed to meet the unique price performance and manageability requirements of the small to medium sized enterprise and remote office/branch office. Ideal for small site border control and Session Initiation Protocol (SIP) trunking service termination applications, the Acme Packet VME delivers Oracle’s industry leading ESBC capabilities in a binary packaged executable that can be run in a virtual environment.

Acme Packet VME addresses the unique connectivity, security, and control challenges enterprises often encounter when extending real-time voice, video, and UC sessions to smaller sites. The appliance also helps enterprises contain voice transport costs and overcome the unique regulatory compliance challenges associated with IP telephony. An embedded browser based graphical user interface (GUI) simplifies setup and administration.

3. Cryptographic Module Specification

3.1 Definition of the Cryptographic Module

The logical cryptographic boundary of the module consists of the Oracle VME ISO image called nnECZ750-img.iso version ECz7.5.0.

Figure 1 shows the logical block diagram (red-dotted line) of the module executing in memory and its interactions with the hypervisor through the module’s defined logical cryptographic boundary. The module interacts directly with the hypervisor, which runs directly on the host system.

[Figure 1 – VME Logical Cryptographic Boundary. Diagram blocks: Cryptographic Provider, VME Application Software, Linux Operating System, Hypervisor, Host Hardware. Labels: Data Input, Data Output, Control Input, Status Output, Cryptographic Boundary.]

3.2 Definition of the Physical Cryptographic Boundary

The module consists of a binary packaged into an executable that can be run in a virtual environment. The module is classified as a multi-chip standalone cryptographic module. The physical cryptographic boundary is defined as the hard enclosure of the host system on which it runs, and no components are excluded from the requirements of FIPS PUB 140-2.

3.3 FIPS 140-2 Validation Scope

The Acme Packet VME appliances are being validated to overall FIPS 140-2 Level 1 requirements. See Table 1 below.

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles and Services and Authentication | 2 |
| Finite State Machine Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| EMI/EMC | 1 |
| Self-Tests | 1 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |

Table 1: FIPS 140-2 Security Requirements

3.4 Approved or Allowed Security Functions

The Acme Packet VME contains the following FIPS Approved Algorithms listed in Table 2:

| Algorithm | Approved or Allowed Security Functions | Certificate |
|---|---|---|
| Symmetric Algorithms | | |
| AES | OpenSSL: (CBC, GCM); Encrypt/Decrypt; Key Size 128, 256 | 4577 |
| AES | Mocana: (CBC); Encrypt/Decrypt; Key Size 128, 256 | 4597 |
| Triple DES | OpenSSL: (CBC); Encrypt/Decrypt; Key Size 192 | 2460 |
| Triple DES | Mocana: (CBC); Encrypt/Decrypt; Key Size 192 | 2447 |
| Secure Hash Standard (SHS) | | |
| SHS | OpenSSL: SHA-1, SHA-256, SHA-384 | 3754 |
| SHS | Mocana: SHA-1, SHA-256 | 3775 |
| Data Authentication Code | | |
| HMAC | OpenSSL: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 | 3028 |
| HMAC | Mocana: HMAC-SHA-1, HMAC-SHA-256 | 3049 |
| Asymmetric Algorithms | | |
| RSA | OpenSSL: FIPS186-2: ALG[ANSIX9.31]: SIG(gen) (4096 SHS: SHA-256, SHA-384); RSA: FIPS186-4: 186-4KEY(gen): FIPS186-4 Random e; ALG[ANSIX9.31] SIG(gen) (2048 SHA(256, 384)); SIG(Ver) (2048 SHA(1, 256, 384)); RSA: FIPS186-2 (not used by the module) Signature Generation 9.31: Modulus lengths: 4096; SHAs: SHA-256, SHA-384 | 2496 |
| RSA | Mocana: RSA: 186-4: 186-4KEY(gen): FIPS186-4 Random e; SIG(Ver) (1024 SHA(1); (2048 SHA (1)) | 2508 |
| ECDSA | OpenSSL: FIPS186-4: PKG: CURVES( P-256 P-384 Testing Candidates ); SigGen: CURVES( P-256: (SHA-256, 384) P-384: (SHA-256, 384); SigVer: CURVES( P-256: (SHA-256, 384) P-384: (SHA-256, 384) ) | 1134 |
| Random Number Generation | | |
| DRBG | OpenSSL: CTR DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher Use df: ( AES256 )]; Hash Based DRBG: [ Prediction Resistance Tested: Not Enabled ( SHA-1 ). Note: While implemented, CTR DRBG is not used by the module. | 1524 |
| Key Establishment | | |
| Key Derivation | OpenSSL: SNMP KDF, SRTP KDF, TLS KDF | CVL 1255 |
| Key Derivation | Mocana: IKEv1 KDF (tested but not used by the module), SSH KDF | CVL 1269 |

Table 2: FIPS Approved or Allowed Security Functions

3.5 Non-Approved But Allowed Security Functions

The following are considered non-Approved but allowed security functions:

| Algorithm | Usage |
|---|---|
| Diffie-Hellman | Key agreement, key establishment methodology provides 112-bits of encryption strength, non-compliant less than 112 bits of encryption strength. |
| RSA Key Wrapping | Key wrapping, key establishment methodology provides 112-bits of encryption strength, non-compliant less than 112 bits of encryption strength. |
| NDRNG | Used for seeding NIST SP 800-90A DRBG. |
| MD5 | Used within the TLS protocol |

Table 3: Non-Approved but Allowed Security Functions

3.6 Non-Approved Security Functions

The following services are considered non-Approved and may not be used in a FIPS-approved mode of operation:

| Service | Non-Approved Security Functions |
|---|---|
| SSH | Hashing: MD5, MACing: HMAC MD5, Symmetric: DES |
| TLS | MACing: HMAC MD5, Symmetric: DES |
| IKE/IPsec | Hashing: MD5, MACing: HMAC MD5 |
| SNMP | Hashing: MD5, MACing: HMAC MD5, Symmetric: DES |
| Diffie-Hellman | Key agreement, less than 112 bits of encryption strength. |
| RSA Key Wrapping | Key wrapping, less than 112 bits of encryption strength. |

Table 4: Non-Approved Disallowed Functions

Services listed in the previous table make use of non-compliant cryptographic algorithms. Use of these algorithms is prohibited in a FIPS-approved mode of operation. These services are allowed in FIPS mode when using allowed algorithms (as specified in section 8.1).

4. Module Ports and Interfaces

Oracle Virtual Machine edition is a virtualized cryptographic module that meets the overall Level 1 FIPS 140-2 requirements. The module interfaces can be categorized as follows:

- Data Input Interface
- Data Output Interface
- Control Input Interface
- Status Output Interface
- Power Interface

The table below provides the mapping of ports as per FIPS 140-2 Standard.

| FIPS 140 Interface | Physical Port | VM Port | Logical Interface | Information Input/Output |
|---|---|---|---|---|
| Data Input | Host System Ethernet (10/100/1000) Ports | Virtual Ethernet Ports, Virtual USB Ports, Virtual Serial Ports | API Input Data and Parameters | Cipher text |
| Data Output | Host System Ethernet (10/100/1000) Ports | Virtual Ethernet Ports, Virtual USB Ports, Virtual Serial Ports | API Output Data and Parameters | Cipher text |
| Control Input | Host System Ethernet (10/100/1000) Ports | Virtual Ethernet Ports, Virtual USB Ports, Virtual Serial Ports | API Command Input Parameters | Plaintext control input via console port (configuration commands, operator passwords); Ciphertext control input via network management (EMS control, CDR accounting, CLI management) |
| Status Output | Host System Ethernet (10/100/1000) Ports | Virtual Ethernet Ports, Virtual USB Ports, Virtual Serial Ports | API Status Output Parameters | Plaintext Status Output. |
| Power | Power Plug | NA | N/A | N/A |

Table 5 – Mapping of FIPS 140 Logical Interfaces to Logical Ports

5. Physical Security

The module is comprised of software only and thus does not claim any physical security.

6. Roles and Services

As required by FIPS 140-2 Level 2, there are three roles (a Crypto Officer Role, User Role, and Unauthenticated Role) in the module that operators may assume. The module supports role-based authentication, and the respective services for each role are described in the following sections.

The below table gives a high level description of all services provided by the module and lists the roles allowed to invoke each service.

Operator Role: User, Crypto-Officer, Unauthenticated

Summary of Services:

- Allowed access to all system commands and configuration privileges
- Show Status
- Initiate self-tests
- View configuration versions and system performance data
- Handle certificate information for TLS, IKE functions
- Test pattern rules, local policies, and session translations
- Display system alarms.
- Set the display dimensions for the terminal
- Connect to module for data transmission

Table 6 – Service Summary

6.1 Operator Services and Descriptions

The below table provides a full description of all services provided by the module and lists the roles allowed to invoke each service.

| U | CO | Service Name | Service Description | Keys and CSP(s) | Access Type(s) |
|---|---|---|---|---|---|
| | X | Configure | Initializes the module for FIPS mode of operation | HMAC-SHA-256 key, FIPS License | R, W, X |
| | X | Zeroize CSP’s | Clears keys/CSPs from memory and disk | All CSP’s | Z |
| | X | Software Update | Updates software | Software Integrity Key (RSA) | R, X |
| | X | Bypass | Configure bypass using TCP or UDP and viewing bypass service status | HMAC-SHA-256 Key | R, W, X |
| X | X | Decrypt | Decrypts a block of data using AES or Triple-DES in FIPS Mode | TLS Session Keys (Triple-DES); TLS Session Keys (AES128); TLS Session Keys (AES256); SSH Session Key (Triple-DES); SSH Session Key (AES128); SSH Session Key (AES256); SRTP Session Key (AES-128); SNMP Privacy Key (AES-128) | X (each key) |
| X | X | Encrypt | Encrypts a block of data using AES or Triple-DES in FIPS Mode | TLS Session Keys (Triple-DES); TLS Session Keys (AES128); TLS Session Keys (AES256); SSH Session Key (Triple-DES); SSH Session Key (AES128); SSH Session Key (AES256); SRTP Session Key (AES-128); SNMP Privacy Key (AES-128) | X (each key) |
| X | X | Generate Keys | Generates AES or Triple-DES keys for encrypt/decrypt operations. Generates Diffie-Hellman and RSA keys for key transport/key establishment. | TLS Session Keys (Triple-DES); TLS Session Keys (AES128); TLS Session Keys (AES256); SSH Session Key (Triple-DES); SSH Session Key (AES128); SSH Session Key (AES256); SRTP Session Key (AES-128); SNMP Privacy Key (AES-128); Diffie-Hellman Public Key (DH); Diffie-Hellman Private Key (DH); SSH authentication private Key (RSA); SSH authentication public key (RSA); TLS authentication private Key (ECDSA/RSA); TLS authentication public key (ECDSA/RSA) | R, W (each key) |
| X | X | Verify | Used as part of the TLS, SSH, protocol negotiation | SSH authentication private Key (RSA); SSH authentication public key (RSA); TLS authentication private Key (ECDSA/RSA); TLS authentication public key (ECDSA/RSA) | X (each key) |
| X | X | Generate Seed; Generate Random Number | Generate an entropy input for Hash Drbg; Generate random number. | DRBG Seed; DRBG Entropy Input String; DRBG C; DRBG V | X; R, W, X; R, W, X; R, W, X |
| X | X | HMAC | Generate HMAC | SNMP Authentication Key; SRTP Authentication Key; SSH Integrity Keys; TLS Integrity Keys | X (each key) |

R – Read, W – Write, X – Execute, Z – Zeroize

Table 7 – Operator Services and Descriptions

6.2 Unauthenticated Services and Descriptions

The below table provides a full description of the unauthenticated services provided by the module:

| Service Name | Service Description |
|---|---|
| On-Demand Self-Test Initialization | This service provides for the running of on-demand self-tests |
| Show Status | This service shows the operational status of the module |

Table 8 – Unauthenticated Operator Services and Descriptions

6.3 Operator Authentication

6.3.1 Crypto-Officer: Password-Based Authentication

In FIPS-approved mode of operation, the module is accessed via Command Line Interface over the Console ports or via SSH or SNMPv3 over the Network Management Ports. Other than status functions available by viewing the Status LEDs, the services described are available only to authenticated engeResponse)

| Probability of a Single Successful Random Attempt | Probability of a Successful Attempt within a Minute |
|---|---|
| Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. The probability of a successful random attempt is 1/94^8, which is less than 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/94^8, which is less than 1/100,000. | Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. The module will lock an account after 3 failed authentication attempts; thus, the maximum number of attempts in one minute is 3. Therefore, the probability of a success with multiple consecutive attempts in a one-minute period is 3/94^8, which is less than 1/100,000. |
| Passwords must be a minimum of 12 numeric characters, 0-9, yielding 10 choices per character. The probability of a successful random attempt is 1/10^12, which is less than 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/10^12, which is less than 1/100,000. | Passwords must be a minimum of 12 numeric characters, 0-9, yielding 10 choices per character. The module will lock an account after 3 failed authentication attempts; thus, the maximum number of attempts in one minute is 3. Therefore, the probability of a success with multiple consecutive attempts in a one-minute period is 3/10^12, which is less than 1/100,000. |

Table 9 – Crypto-Officer Authentication

6.3.2 User: Certificate-Based Authentication

The module also supports authentication via digital certificates for the User Role as implemented by the TLS and SSH protocols. The module supports a public key based authentication with 2048-bit RSA keys.

| Method | Probability of a Single Successful Random Attempt | Probability of a Successful Attempt within a Minute |
|---|---|---|
| Certificate-Based | A 2048-bit RSA key has at least 112-bits of equivalent strength. The probability of a successful random attempt is 1/2^112, which is less than 1/1,000,000. | Assuming the module can support 60 authentication attempts in one minute, the probability of a success with multiple consecutive attempts in a one-minute period is 60/2^112, which is less than 1/100,000. |

Table 10 – Crypto-Officer Authentication

6.4 Key and CSP Management

The following keys, cryptographic key components and other critical security parameters are contained in the module. No parts of the SSH, TLS, or SNMP protocol, other than the KDF, have been tested by the CAVP and CMVP.

CSP Name; Operator Passwords; Software Integrity Key (RSA); DRBG Entropy Input String; Generation/Input; Generated by the crypto officer as per the module policy; Generated externally; Generated internally from hardware sources; Establishment/Export; Agreement: NA; Storage; Use; Virtual Hard Disk; Authentication of the crypto officer and user; Virtual Hard Disk; Public key used to verify the integrity of software and updates; Virtual Hard Disk; Used in the random bit generation process; Virtual Hard Disk; Entropy used in the random bit generation process; Virtual Hard Disk; Used in the random bit generation process; Virtual Hard Disk; Used in the random bit generation process; Entry: Manual entry via console or SSH management session; Output: Not Output; Entry: RSA (2048 bits) entered as part of Software image; Agreement: NA; Entry: NA; DRBG Seed; Generated internally from hardware sources; Output: None; Agreement: NA; Entry: NA; DRBG C; Internal value used as part of SP 800-90a HASH DRBG; Output: None; Agreement: NA; Entry: NA; DRBG V; Internal value used as part of SP 800-90a HASH DRBG; Output: None; Agreement: NA

Entry: NA; Diffie-Hellman Public Key (DH); Diffie-Hellman Private Key (DH); Internal generation by FIPS approved Hash DRBG in software; Internal generation by FIPS approved Hash DRBG; Output: None; Agreement: NA; Virtual Hard Disk; Diffie-Hellman secret key (2048 bits); Virtual Hard Disk; Used to derive the secret session key during DH key agreement protocol; Virtual Hard Disk; For encryption / encryption of SNMP session traffic; Output: None; Agreement: NA; Virtual Hard Disk; Agreement: Diffie-Hellman; Virtual Hard Disk; 160-bit HMAC-SHA-1 for message authentication and verification in SNMP; Generation of SRTP session keys; Entry: NA; Output: None; Agreement: NA; Entry: NA; SNMP Privacy Key (AES-128); NIST SP 800-135 KDF; Output: None; Agreement: NIST SP 800-135 KDF; Entry: NA; SNMP Authentication Key (HMAC-SHA1); SRTP Master Key (AES128); SRTP Session Key (AES128); Internal generation by FIPS approved Hash DRBG in software; Internal generation by FIPS approved Hash DRBG in software; NIST SP 800-135 KDF; Entry: NA; Output: encrypted; Agreement: NIST SP 800-135 KDF; Virtual Hard Disk; For encryption / decryption of SRTP session traffic; Entry: NA; Output: None

SRTP Authentication Key (HMAC-SHA1); derived from the master key; Agreement: NA; Virtual Hard Disk; SSH Authentication Private Key (RSA); SSH Authentication Public Key (RSA); SSH Session Keys (Triple-DES, AES-128, AES-256); Internal generation by FIPS approved Hash DRBG; Internal generation by FIPS approved Hash DRBG; Derived via SSH KDF.; Agreement: RSA (2048 bits); Virtual Hard Disk; Agreement: RSA (2048 bits); Virtual Hard Disk; Agreement: Diffie-Hellman; Virtual Hard Disk; Note: These keys are generated via SSH (IETF RFC 4251). This protocol enforces limits on the number of total possible encryption/decryption operations.; Derived via SSH KDF.; Agreement: NA; Virtual Hard Disk; Internal generation by FIPS approved Hash DRBG; Agreement: RSA (2048 bits);ECDS
