
FIPS 140-2 Non-Proprietary Security Policy

Acme Packet 1100 [1] and Acme Packet 3900 [2]

FIPS 140-2 Level 2 Validation

Hardware Version: 1100 [1] and 3900 [2]
Firmware Version: E-CZ 8.0.0
Date: July 20, 2018
Document Version 2.2

Oracle Communications

This document may be reproduced whole and intact including the Copyright notice.

Title: Acme Packet 1100 and Acme Packet 3900 Security Policy
Date: July 20, 2018
Author: Acumen Security, LLC.
Contributing Authors:
Oracle Communications Engineering
Oracle Security Evaluations – Global Product Security

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: 1.650.506.7000
Fax: 1.650.506.7200
oracle.com

Copyright 2018, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Acme Packet 1100 and 3900 Security Policy i

TABLE OF CONTENTS

1. Introduction
   1.1 Overview
   1.2 Document Organization
2. Acme Packet 1100 & 3900
   2.1 Functional Overview
3. Cryptographic Module Specification
   3.1 Definition of the Cryptographic Module
   3.2 FIPS 140-2 Validation Scope
   3.3 Approved or Allowed Security Functions
   3.4 Non-Approved But Allowed Security Functions
   3.5 Non-Approved Security Functions
4. Module Ports and Interfaces
5. Physical Security
6. Roles and Services
   6.1 Operator Services and Descriptions
   6.2 Unauthenticated Services and Descriptions
   6.3 Operator Authentication
       6.3.1 Crypto-Officer and User: Password-Based Authentication
   6.4 Key and CSP Management
7. Self-Tests
   7.1 Power-Up Self-Tests
       7.1.1 Firmware Integrity Test
       7.1.2 Mocana Self-Tests
       7.1.3 OpenSSL Self-tests
   7.2 Critical Functions Self-Tests
   7.3 Conditional Self-Tests
8. Crypto-Officer and User Guidance
   8.1 Secure Setup and Initialization
   8.2 AES-GCM IV Construction/Usage
9. Mitigation of Other Attacks
10. Appendices
   10.1 Acronyms, Terms and Abbreviations
   10.1 References

List of Tables

Table 1: FIPS 140-2 Security Requirements
Table 2: FIPS Approved or Allowed Security Functions
Table 3: Non-Approved but Allowed Security Functions
Table 4: Non-Approved Disallowed Functions
Table 5 – Mapping of FIPS 140 Logical Interfaces to Physical Ports
Table 6 – Physical Ports
Table 7 - Security Mechanism Inspection and Test
Table 8 – Service Summary
Table 9 – Operator Services and Descriptions
Table 10 – Operator Services and Descriptions
Table 11 – Crypto-Officer and User Authentication
Table 12 – CSP Table
Table 13 – Acronyms
Table 14 – References

List of Figures

Figure 1: Acme Packet 1100
Figure 2: Acme Packet 3900
Figure 3: Acme Packet 1100 – Front View
Figure 4: Acme Packet 1100 – Rear View
Figure 5: Acme Packet 3900 – Front View
Figure 6: Acme Packet 3900 – Rear View

1. Introduction

1.1 Overview

This document is the Security Policy for the Acme Packet 1100 and 3900 appliances manufactured by Oracle Communications. Acme Packet 1100 and 3900 are also referred to as “the module or module”. This Security Policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 2. It also describes how the Acme Packet 1100 and 3900 appliances function in order to meet the FIPS requirements, and the actions that operators must take to maintain the security of the modules.

This Security Policy describes the features and design of the Acme Packet 1100 and 3900 modules using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CSEC Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information.

1.2 Document Organization

The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Oracle Non-Proprietary Security Policy
- Oracle Vendor Evidence document
- Finite State Machine
- Entropy Assessment Document
- Other supporting documentation as additional references

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Oracle and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Oracle.

2. Acme Packet 1100 & 3900

2.1 Functional Overview

The Acme Packet 1100 and 3900 appliances are specifically designed to meet the unique price performance and manageability requirements of the small to medium sized enterprise and remote office/branch office. Ideal for small site border control and Session Initiation Protocol (SIP) trunking service termination applications, the Acme Packet 1100 and 3900 appliances deliver Oracle’s industry leading ESBC capabilities in a small form factor appliance. With support for high availability (HA) configurations, TDM fallback, hardware assisted transcoding and Quality of Service (QoS) measurement, the Acme Packet 1100 and 3900 appliances are a natural choice when uncompromising reliability and performance are needed in an entry-level appliance. With models designed for the smallest branch office to the largest data center, the Acme Packet ESBC product family supports distributed, centralized, or hybrid SIP trunking topologies.

Acme Packet 1100 and 3900 appliances address the unique connectivity, security, and control challenges enterprises often encounter when extending real-time voice, video, and UC sessions to smaller sites. The appliances also help enterprises contain voice transport costs and overcome the unique regulatory compliance challenges associated with IP telephony. TDM fallback capabilities ensure continuous dial out service at remote sites in the event of WAN or SIP trunk failures. Stateful high availability configurations protect against link and hardware failures. An embedded browser based graphical user interface (GUI) simplifies setup and administration.

3. Cryptographic Module Specification

3.1 Definition of the Cryptographic Module

The module consists of the Acme Packet 1100 and Acme Packet 3900 appliances running firmware version E-CZ 8.0.0 on hardware platform 1100 and 3900. The module is classified as a multi-chip standalone cryptographic module. The physical cryptographic boundary for the Acme Packet 1100 is defined as the module case and all components within the case. The physical cryptographic boundary for the Acme Packet 3900 is all components with the exception of the removable power supplies.

A representation of the cryptographic boundary is defined below:

Figure 1: Acme Packet 1100

Figure 2: Acme Packet 3900

3.2 FIPS 140-2 Validation Scope

The Acme Packet 1100 and 3900 appliances are being validated to overall FIPS 140-2 Level 2 requirements. See Table 1 below.

| Security Requirements Section | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Ports and Interfaces | 2 |
| Roles and Services and Authentication | 2 |
| Finite State Machine Model | 2 |
| Physical Security | 2 |
| Operational Environment | N/A |
| Cryptographic Key Management | 2 |
| EMI/EMC | 2 |
| Self-Tests | 2 |
| Design Assurance | 3 |
| Mitigation of Other Attacks | N/A |

Table 1: FIPS 140-2 Security Requirements

3.3 Approved or Allowed Security Functions

The Acme Packet 1100 and 3900 appliances contain the following FIPS Approved Algorithms listed in Table 2:

| Category | Algorithm | Approved or Allowed Security Functions | Certificate |
|---|---|---|---|
| Symmetric Algorithms | AES | OpenSSL: (CBC, ECB, CTR, GCM); Encrypt/Decrypt; Key Size 128, 256 | 5235 |
| | AES | Mocana: (CBC); Encrypt/Decrypt; Key Size 128, 256 | 5269 |
| | Triple DES (1) | OpenSSL: (CBC); Encrypt/Decrypt; Key Size 192 | 2647 |
| | Triple DES (1) | Mocana: (CBC); Encrypt/Decrypt; Key Size 192 | 2667 |
| Secure Hash Standard (SHS) | SHS | OpenSSL: SHA-1, SHA-256, SHA-384 | 4215 |
| | SHS | Mocana: SHA-1, SHA-256 | 4239 |
| Data Authentication Code | HMAC | OpenSSL: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 | 3467 |
| | HMAC | Mocana: HMAC-SHA-1, HMAC-SHA-256 | 3488 |
| Asymmetric Algorithms | RSA | OpenSSL: RSA: FIPS186-4: 186-4 KEY(gen): FIPS186-4 Random e; ALG[ANSIX9.31] SIG(gen) (2048 SHA(256, 384)); SIG(Ver) (2048 SHA(1, 256, 384)). RSA: FIPS186-2 Signature Generation 9.31: Modulus lengths: 4096; SHAs: SHA-256, SHA-384 | 2797 |
| | RSA | Mocana: RSA: 186-4: 186-4 KEY(gen): FIPS186-4 Random e; PKCS1.5: SIG(Ver) (1024 SHA(1)); (2048 SHA(1)) | 2819 |
| | ECDSA | OpenSSL: FIPS186-4: PKG: CURVES (P-256 P-384 Testing Candidates); SigGen: CURVES (P-256: (SHA-256, 384) P-384: (SHA-256, 384)); SigVer: CURVES (P-256: (SHA-256, 384) P-384: (SHA-256, 384)) | 1360 |
| Random Number Generation | DRBG | OpenSSL: CTR DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher Use df: (AES-256)]; Hash Based DRBG: [Prediction Resistance Tested: Not Enabled (SHA-1)] | 2001 |
| CVL | CVL | OpenSSL: SNMP KDF, SRTP KDF, TLS KDF | 1707 |
| | CVL | Mocana: SSH KDF | 1743 |
| Key Transport | KTS | OpenSSL: KTS (AES Cert. #5235 and HMAC Cert. #3467; key establishment methodology provides 128 or 256 bits of encryption strength); KTS (Triple-DES Cert. #2647 and HMAC Cert. #3467; key establishment methodology provides 112 bits of encryption strength) | |
| | KTS | Mocana: KTS (AES Cert. #5269 and HMAC Cert. #3488; key establishment methodology provides 128 or 256 bits of encryption strength); KTS (Triple-DES Cert. #2667 and HMAC Cert. #3488; key establishment methodology provides 112 bits of encryption strength) | |

(1) Per IG A.13 the same Triple-DES key shall not be used to encrypt more than 2^20 64-bit blocks of data.

Table 2: FIPS Approved or Allowed Security Functions

3.4 Non-Approved But Allowed Security Functions

The following are considered non-Approved but allowed security functions:

| Algorithm | Usage |
|---|---|
| EC-Diffie-Hellman | CVL Certs. #1707 and 1743, key agreement, key establishment methodology provides 128 or 192 bits of encryption strength. |
| Diffie-Hellman | CVL Certs. #1707 and 1743, key agreement, key establishment methodology provides 112-bits of encryption strength. |
| RSA Key Wrapping | CVL Certs. #1707 and 1743, key wrapping, key establishment methodology provides 112-bits of encryption strength. |
| NDRNG | Used for seeding NIST SP 800-90A DRBG. |
| MD5 | MACing: HMAC MD5, Hashing: MD5 |

Table 3: Non-Approved but Allowed Security Functions

3.5 Non-Approved Security Functions

The following services are considered non-Approved and may not be used in a FIPS-approved mode of operation:

| Service | Non-Approved Security Functions |
|---|---|
| SSH | MACing: HMAC |
| TLS | Symmetric: DES, RC4 |
| SNMP | Hashing: MD5, MACing: HMAC MD5, Symmetric: DES |
| Diffie-Hellman | Key agreement, less than 112 bits of encryption strength. |
| RSA Key Wrapping | Key wrapping, less than 112 bits of encryption strength. |
| IKEv1 | IKEv1 KDF |

Table 4: Non-Approved Disallowed Functions

Services listed in the previous table make use of non-compliant cryptographic algorithms. Use of these algorithms is prohibited in a FIPS-approved mode of operation. Some of these services may be allowed in FIPS mode when using allowed algorithms (as specified in section 8.1).

4. Module Ports and Interfaces

The table below provides the mapping of ports as per FIPS 140-2 Standard.

Logical Interface: Data Input
- Physical Port 1100: Ethernet INT/EXT Ports
- Physical Port 3900: Ethernet SFP Ports P0,1,2,3
- TDM Ports
- Information Input/Output: Cipher text; Plain text

Logical Interface: Data Output
- Physical Port 1100: Ethernet INT/EXT Ports
- Physical Port 3900: Ethernet SFP Ports P0,1,2,3
- TDM Ports
- Information Input/Output: Cipher text; Plain text

Logical Interface: Control Input
- Physical Port 1100: Console Port; Reset Pinhole; T1/E1 TDM port; Ethernet MGT Port
- Physical Port 3900: Console Port; Reset Button; Power Switch; T1/E1 TDM ports; Ethernet MGT Ports
- Information Input/Output: Plaintext control input via console port (configuration commands, operator passwords); Ciphertext control input via network management (EMS control, CDR accounting, CLI management)

Logical Interface: Status Output
- Physical Port 1100: Console Port; Ethernet MGT Ports; LEDs
- Physical Port 3900: Console Port; Ethernet MGT Ports; LEDs
- Information Input/Output: Plaintext status output via console port; Ciphertext status output via network management

Logical Interface: Power
- Physical Port 1100: Power Plug
- Physical Port 3900: Power Plug
- Information Input/Output: N/A

Table 5 – Mapping of FIPS 140 Logical Interfaces to Physical Ports

The table below describes the interfaces on the Acme 1100 and 3900 appliances.

Physical Interface: Console Port
- Number of Ports 1100: 1
- Number of Ports 3900: 1
- Description / Use: Provides console access to the module. The module supports only one active serial console connection at a time. Console port communication is used for administration and maintenance purposes from a central office (CO) location. Tasks conducted over a console port include:
  - Configuring the boot process and management network
  - Creating the initial connection to the module
  - Accessing and using functionality available via the ACLI
  - Performing in-lab system maintenance (services described below)
  - Performing factory-reset to zeroize nvram and keys

Physical Interface: USB Ports
- Number of Ports 1100: 2
- Number of Ports 3900: 2
- Description / Use: This port is used for recovery only by Oracle, e.g. system re-installation after zeroization. On the AP 1100, the USB ports are blocked. On the AP 3900, a tamper seal is applied over the USB ports.

Physical Interface: Management Ethernet ports
- Number of Ports 1100: 1
- Number of Ports 3900: 3
- Description / Use: Used for EMS control, CDR accounting, CLI management, and other management functions

Physical Interface: Signaling and Media Ethernet ports
- Number of Ports 1100: 2 INT/EXT
- Number of Ports 3900: 4 SFP P0,1,2,3
- Description / Use: Provide network connectivity for signaling and media traffic. These ports are also used for incoming and outgoing data (voice) connections.

Physical Interface: Reset Pinhole – Reset Button
- Number of Ports 1100: 1
- Number of Ports 3900: 1
- Description / Use: Provides reset functionality

Physical Interface: TDM Ports
- Number of Ports 1100: 4
- Number of Ports 3900: 4
- Description / Use: Used to convert analog signals to digital signals

Table 6 – Physical Ports

Figure 3: Acme Packet 1100 – Front View

Figure 4: Acme Packet 1100 – Rear View

Figure 5: Acme Packet 3900 – Front View

Figure 6: Acme Packet 3900 – Rear View

5. Physical Security

The cryptographic module includes the following physical security mechanisms:

- Production-grade components
- Production-grade opaque enclosure with factory installed tamper evident seals.

| Physical Security Mechanism | Recommended Frequency of Inspection/Test | Inspection/Test Guidance Details |
|---|---|---|
| Tamper Label | In accordance with organization’s Security Policy. | Inspect the enclosure and tamper evident tape for physical signs of tampering or attempted access to the cryptographic module. If the module displays signs of tampering or unauthorized access, the Cryptographic Officer should contact Oracle immediately. |
| Opaque Enclosure | In accordance with organization’s Security Policy | Visually inspect the module and check for broken casing, open screws and other questionable enclosure inconsistencies. |

Table 7 - Security Mechanism Inspection and Test

The module ships with the tamper seals applied:

- Acme Packet 1100: 2 seals

Figure 7: Rear of Acme Packet 1100

Figure 8: Top side of Acme Packet 1100

- Acme Packet 3900: 3 seals

Figure 9: Front of Acme Packet 3900

Figure 10: Right side of Acme Packet 3900

Figure 11: Top side of Acme Packet 3900

Figure 12: Rear of Acme Packet 3900

Figure 13: Bottom side of Acme Packet 3900

The Crypto officer is responsible for the following maintenance activities associated with the module physical security:

- Periodically (as defined by the organization’s Security Policy) inspect the module tamper tape to ensure that no tampering has occurred
- Review and record the serial numbers of the applied tamper labels in a security log

6. Roles and Services

As required by FIPS 140-2 Level 2, there are three roles (a Crypto Officer Role, User Role, and Unauthenticated Role) in the module that operators may assume. The module supports role-based authentication, and the respective services for each role are described in the following sections.

The below table gives a high level description of all services provided by the module and lists the roles allowed to invoke each service.

| Operator Role | Summary of Services |
|---|---|
| User | View configuration versions and system performance data; Test pattern rules, local policies, and session translations; Display system alarms. |
| Crypto-Officer | Allowed access to all system commands and configuration privileges |
| Unauthenticated | Show Status; Initiate self-tests |

Table 8 – Service Summary

6.1 Operator Services and Descriptions

The below table provides a full description of all services provided by the module and lists the roles allowed to invoke each service.

| U | CO | Service Name | Service Description | Keys and CSP(s) | Access Type(s) |
|---|---|---|---|---|---|
| | X | Configure | Initializes the module for FIPS mode of operation | HMAC-SHA-256 key | R, W, X |
| | X | Zeroize CSP’s | Clears keys/CSPs from memory and disk | All CSP’s | Z |
| | X | Firmware Update | Updates firmware | Firmware Integrity Key (RSA) | R, X |
| | X | Bypass | Configure bypass using TCP or UDP and viewing bypass service status | HMAC-SHA-256 Bypass Key | R, W, X |
| X | X | Decrypt | Decrypts a block of data using AES or Triple-DES in FIPS Mode | TLS Session Keys (Triple-DES); TLS Session Keys (AES128); TLS Session Keys (AES256); SSH Session Key (Triple-DES); SSH Session Key (AES128); SSH Session Key (AES256); SRTP Session Key (AES-128); SNMP Privacy Key (AES-128) | X |
| X | X | Encrypt | Encrypts a block of data using AES or Triple-DES in FIPS Mode | TLS Session Keys (Triple-DES); TLS Session Keys (AES128); TLS Session Keys (AES256); SSH Session Key (Triple-DES); SSH Session Key (AES128); SSH Session Key (AES256); SRTP Session Key (AES-128); SNMP Privacy Key (AES-128) | X |
| X | X | Generate Keys | Generates AES or Triple-DES keys for encrypt/decrypt operations. Generates Diffie-Hellman, EC Diffie-Hellman, and RSA keys for key transport/key establishment. | TLS Session Keys (Triple-DES); TLS Session Keys (AES128); TLS Session Keys (AES256); SSH Session Key (Triple-DES); SSH Session Key (AES128); SSH Session Key (AES256); SRTP Session Key (AES-128); SNMP Privacy Key (AES-128); Diffie-Hellman Public Key (DH); Diffie-Hellman Private Key (DH); EC Diffie-Hellman Public Key (ECDH); EC Diffie-Hellman Private Key (ECDH); SSH authentication private Key (RSA); SSH authentication public key (RSA); TLS authentication private Key (ECDSA/RSA); TLS authentication public key (ECDSA/RSA); TLS premaster secret, TLS Master secret, SRTP Master key | R, W |
| X | X | Verify | Used as part of the TLS, SSH protocol negotiation | SSH authentication private Key (RSA); SSH authentication public key (RSA); TLS authentication private Key (ECDSA/RSA); TLS authentication public key (ECDSA/RSA); Diffie-Hellman Public Key (DH); Diffie-Hellman Private Key (DH); EC Diffie-Hellman Public Key (ECDH); EC Diffie-Hellman Private Key (ECDH) | X |
| X | X | Generate Seed | Generate an entropy input for Hash DRBG, CTR DRBG | DRBG Seed; DRBG Entropy Input String | R, W, X |
| X | X | Generate Random Number | Generate random number. | DRBG C; DRBG V; DRBG Key | R, W, X |
| X | X | HMAC | Generate HMAC | SNMP Authentication Key; SRTP Authentication Key; SSH Integrity Keys; TLS Integrity Keys | X |
| X | X | Generate Certificate | Generate certificate | Web UI Certificate | R, W, X |
| X | X | Authenticate | Authenticate Users | Operator Password | R, W, X |

R – Read, W – Write, X – Execute, Z - Zeroize

For all other services, see https://docs.oracle.com/cd/E92503_01/index.htm.

Table 9 – Operator Services and Descriptions

6.2 Unauthenticated Services and Descriptions

The below table provides a full description of the unauthenticated services provided by the module:

| Service Name | Service Description |
|---|---|
| On-Demand Self-Test Initialization | This service initiates the FIPS self-test when requested. |
| Show Status | This service shows the operational status of the module |
| Factory Reset Service | This service restores the module to factory defaults. |

Table 10 – Operator Services and Descriptions

6.3 Operator Authentication

6.3.1 Crypto-Officer and User: Password-Based Authentication

In FIPS-approved mode of operation, the module is accessed via Command Line Interface over the Web UI, Console ports, or via SSH or SNMPv3 over the Network Management Ports. Other than status functions available by viewing the Status LEDs, the services described are available only to authenticated operators.

Method: Password-Based (CO and User)

Probability of a Single Successful Random Attempt:

- Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. The probability of a successful random attempt is 1/94^8, which is less than 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/94^8, which is less than 1/100,000.
- Passwords must be a minimum of 12 numeric characters, 0-9, yielding 10 choices per character. The probability of a successful random attempt is 1/10^12, which is less than 1/1,000,000. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/10^12, which is less than 1/100,000.

Probability of a Successful Attempt within a Minute:

- Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. The module will lock an account after 3 failed authentication attempts; thus, the maximum number of attempts in one minute is 3. Therefore, the probability of a success with multiple consecutive attempts in a one-minute period is 3/94^8, which is less than 1/100,000.
- Passwords must be a minimum of 12 numeric characters, 0-9, yielding 10 choices per character. The module will lock an account after 3 failed authentication attempts; thus, the maximum number of attempts in one minute is 3. Therefore, the probability of a success with multiple consecutive attempts in a one-minute period is 3/10^12, which is less than 1/100,000.

Table 11 – Crypto-Officer and User Authentication

6.4 Key and CSP Management

The following keys, cryptographic key components and other critical secu
