FIPS 140-2 Non-Proprietary Security Policy Acme Packet VME - Oracle


FIPS 140-2 Non-Proprietary Security Policy
Acme Packet VME
FIPS 140-2 Level 1 Validation
Software Version: E-CZ8.2.0
Date: July 9th, 2019
Document Version 3.2
Oracle Corporation
This document may be reproduced whole and intact including the Copyright notice.

Title: Acme Packet VME Non-Proprietary Security Policy
Date: July 9th, 2019
Author: Acumen Security, LLC.
Contributing Authors:
Oracle Communications Engineering
Oracle Security Evaluations – Global Product Security

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: 1.650.506.7000
Fax: 1.650.506.7200
oracle.com

Copyright 2019, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Oracle Acme Packet VME Security Policy

Table of Contents

1. Introduction
  1.1 Overview
  1.2 Document Organization
2. Acme Packet VME
  2.1 Functional Overview
3. Cryptographic Module Specification
  3.1 Definition of the Cryptographic Module
  3.2 Definition of the Physical Cryptographic Boundary
  3.3 FIPS 140-2 Validation Scope
  3.4 Approved or Allowed Security Functions
  3.5 Non-Approved But Allowed Security Functions
  3.6 Non-Approved Security Functions
  3.7 Vendor Affirmed Security Functions
4. Module Ports and Interfaces
5. Physical Security
6. Roles and Services
  6.1 Operator Services and Descriptions
  6.2 Unauthenticated Services and Descriptions
  6.3 Operator Authentication
    6.3.1 Crypto-Officer: Password-Based Authentication
    6.3.2 User: Password-Based Authentication
  6.4 Key and CSP Management
7. Self-Tests
  7.1 Power-Up Self-Tests
    7.1.1 Software integrity Test
    7.1.2 Mocana Cryptographic Library Machine Edition (VME) Self-tests
    7.1.3 Oracle Acme Packet Cryptographic Library Virtual Machine Edition (VME) Self-Tests
  7.2 Critical Functions Self-Tests
  7.3 Conditional Self-Tests
8. Crypto-Officer and User Guidance
  8.1 Secure Setup and Initialization
  8.2 AES-GCM IV Construction/Usage
9. Mitigation of Other Attacks
10. Operational Environment
  10.1 Tested Environments
  10.2 Vendor Affirmed Environment
Acronyms, Terms and Abbreviations
References

List of Tables

Table 1: FIPS 140-2 Security Requirements
Table 2: Approved and Allowed Security Functions Acme Packet Cryptographic Library Virtual Machine Edition (VME)
Table 3: Approved and Allowed Security Functions Oracle Acme Packet Mocana Cryptographic Library Virtual Machine Edition (VME)
Table 4: Non-Approved but Allowed Security Functions
Table 5: Non-Approved Disallowed Functions
Table 6: Vendor Affirmed Functions
Table 7: Mapping of FIPS 140 Logical interfaces to Logical Ports
Table 8: Service Summary
Table 9: Operator Services and Descriptions
Table 10: Operator Services and Descriptions
Table 11: Crypto-Officer and User Authentication
Table 12: User Authentication
Table 13: CSP Table
Table 14: Operating environment
Table 15: Vendor Affirmed Operating Environment
Table 16: Acronyms
Table 17: References

List of Figures

Figure 1: VME Logical Cryptographic Boundary

1. Introduction

1.1 Overview

This document is the Security Policy for the Acme Packet VME developed by Oracle Communications. Acme Packet VME is also referred to as “the module” or “module”. This Security Policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 1. It also describes how the Acme Packet VME functions to meet the FIPS requirements, and the actions that operators must take to maintain the security of the module.

This Security Policy describes the features and design of the Acme Packet VME module using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information.

1.2 Document Organization

The Security Policy document is one document in a FIPS 140-2 Submission Package. The Submission Package contains:

- Oracle Non-Proprietary Security Policy
- Oracle Vendor Evidence document
- Finite State Machine
- Entropy Assessment Document
- Other supporting documentation as additional references

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Oracle and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Oracle.

2. Acme Packet VME

2.1 Functional Overview

The Acme Packet VME is specifically designed to meet the unique price performance and manageability requirements of the small to medium sized enterprise and remote office/branch office. Ideal for small site border control and Session Initiation Protocol (SIP) trunking service termination applications, the Acme Packet VME delivers Oracle’s industry leading ESBC capabilities in a binary packaged executable that can be run in a virtual environment.

Acme Packet VME addresses the unique connectivity, security, and control challenges enterprises often encounter when extending real-time voice, video, and UC sessions to smaller sites. The appliance also helps enterprises contain voice transport costs and overcome the unique regulatory compliance challenges associated with IP telephony. An embedded browser based graphical user interface (GUI) simplifies setup and administration.

3. Cryptographic Module Specification

3.1 Definition of the Cryptographic Module

The logical cryptographic boundary of the module consists of the Oracle VME ISO image called “nnSCZ820mg.iso” version E-CZ8.2.0.

Figure 1 shows the logical block diagram (red-dotted line) of the module executing in memory and its interactions with the hypervisor through the module’s defined logical cryptographic boundary. The module interacts directly with the hypervisor, which runs directly on the host system.

[Figure 1: VME Logical Cryptographic Boundary. Blocks shown: Cryptographic Provider, VME Application Software, Linux Operating System, Hypervisor, Host Hardware. Labels shown: Data Input, Data Output, Control Input, Status Output, Cryptographic Boundary.]

3.2 Definition of the Physical Cryptographic Boundary

The module consists of a binary packaged into an executable that can be run in a virtual environment. The module is classified as a multi-chip standalone cryptographic module. The physical cryptographic boundary is defined as the hard enclosure of the host system on which it runs and no components are excluded from the requirements of FIPS PUB 140-2.

3.3 FIPS 140-2 Validation Scope

The Acme Packet VME appliances are being validated to overall FIPS 140-2 Level 1 requirements. See Table 1 below.

Security Requirements Section | Level
Cryptographic Module Specification | 1
Cryptographic Module Ports and Interfaces | 1
Roles and Services and Authentication | 2
Finite State Machine Model | 1
Physical Security | N/A
Operational Environment | 1
Cryptographic Key Management | 1
EMI/EMC | 1
Self-Tests | 1
Design Assurance | 3
Mitigation of Other Attacks | N/A

Table 1: FIPS 140-2 Security Requirements

3.4 Approved or Allowed Security Functions

The Acme Packet VME contains the following FIPS Approved Algorithms listed in Table 2 (Oracle Acme Packet Cryptographic Library Acme Packet Virtual Machine Edition (VME)) and Table 3 (Oracle Acme Packet Mocana Cryptographic Library Acme Packet Virtual Machine Edition (VME)):

Approved or Allowed Security Functions, with Certificate

Symmetric Algorithms

AES
  CBC, ECB, CTR, GCM; Encrypt/Decrypt; Key Size 128, 256
  Certificate: C 144

Triple DES [1]
  CBC; Encrypt/Decrypt; Key Size 192
  Certificate: C 144

Secure Hash Standard (SHS)

SHS
  SHA-1, SHA-256, SHA-384, SHA-512
  Certificate: C 144

Data Authentication Code

HMAC
  HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
  Certificate: C 144

Asymmetric Algorithms

RSA
  RSA: FIPS186-4: 186-4 KEY(gen): FIPS186-4 Random e
  ALG[ANSIX9.31] SIG(gen) (2048 SHA(1, 256, 384))
  ALG[ANSIX9.31] SIG(Ver) (2048 SHA(1, 256, 384))
  RSA: FIPS186-2:
  ALG[ANSIX9.31] SIG(gen) (4096 SHA (256,384))
  ALG[ANSIX9.31] SIG(Ver) (2048 SHA(1, 256, 384)), (4096 SHA (1, 256, 384))
  RSA: FIPS186-4: 186-4 KEY(gen): FIPS186-4 Random e
  ALG[ANSIX9.31] SIG(gen) (2048 SHA(1, 256, 384), (4096 SHA (256,384))
  SIG(Ver) (2048 SHA(1, 256, 384))
  RSA: FIPS186-2 Signature Verification 9.31:
  Modulus lengths: 2048, 4096
  SHAs: SHA-1, SHA-256, SHA-384
  Certificate: C 144

ECDSA
  Firmware: FIPS186-4
  PKG: CURVES (P-256, P-384 Testing Candidates)
  SigGen: CURVES (P-256: (SHA-256, 384) P-384: (SHA-256, 384))
  SigVer: CURVES (P-256: (SHA-256, 384) P-384: (SHA-256, 384))
  Certificate: C 144

Random Number Generation

DRBG
  CTR DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher Use df: (AES-256)]
  Hash Based DRBG: [Prediction Resistance Tested: Not Enabled (SHA-1)]
  Certificate: C 144

Key Establishment

Key Derivation
  SNMP KDF, SRTP KDF, TLS KDF (TLS Version: v1.0/1.1, v1.2)
  Certificate: C 144

Key Transport
  KTS
  KTS (AES Cert. # C144 and HMAC Cert. # C144; key establishment methodology provides 128 or 256 bits of encryption strength);

[1] Triple-DES was CAVP tested but is not utilized by the services associated with the Oracle Acme Packet Cryptographic Library.

Table 2: Approved and Allowed Security Functions Acme Packet Cryptographic Library Virtual Machine Edition (VME)

Approved or Allowed Security Functions, with Certificate

Symmetric Algorithms

AES
  CBC; Encrypt/Decrypt; Key Size 128, 256
  Certificate: C 142

Triple DES [2]
  CBC; Encrypt/Decrypt; Key Size 192
  Certificate: C 142

Secure Hash Standard (SHS)

SHS
  SHA-1, SHA-256, SHA-384, SHA-512
  Certificate: C 142

Data Authentication Code

HMAC
  HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
  Certificate: C 142

Asymmetric Algorithms

RSA
  RSA: 186-4: 186-4 KEY(gen): FIPS186-4 Random e
  PKCS1.5: SIG(Ver) (1024 SHA(1); (2048 SHA (1))
  Certificate: C 142

Key Establishment

Key Derivation
  SSH KDF, IKEv1/IKEv2 KDF
  Certificate: C 142

Key Transport
  KTS
  KTS (AES Cert. # C142 and HMAC Cert. # C142; key establishment methodology provides 128 or 256 bits of encryption strength);

[2] Per IG A.13 the same Triple-DES key shall not be used to encrypt more than 2^20 64-bit blocks of data.

Table 3: Approved and Allowed Security Functions Oracle Acme Packet Mocana Cryptographic Library Virtual Machine Edition (VME)

Note: P-384 for ECDSA was CAVP tested but is not utilized by the module’s services.

3.5 Non-Approved But Allowed Security Functions

The following are considered non-Approved but allowed security functions:

Algorithm | Usage
EC-Diffie-Hellman | CVL Certs. #C:144 and #C:142, key agreement, key establishment methodology provides 128 or 192-bits of encryption strength.
Diffie-Hellman | CVL Certs. #C:144 and #C:142, key agreement, key establishment methodology provides 112-bits of encryption strength.
RSA Key Wrapping | key wrapping, key establishment methodology provides 112-bits of encryption strength.
NDRNG | Used for seeding the NIST SP 800-90A Hash DRBG and CTR DRBG. Per FIPS 140-2 IG 7.14 scenario 1 (a). The module provides a minimum of 440 bits of entropy input for the Hash DRBG. The input length for the CTR DRBG depends on the size of the AES key used. If the AES key length is 128 bits, the seed size is 256 bits. If the AES key length is 256 bits, then the seed size is 384 bits.
MD5 (TLS 1.0/1.1/1.2) | MACing: HMAC MD5, Hashing: MD5

Table 4: Non-Approved but Allowed Security Functions

3.6 Non-Approved Security Functions and Services

The following services are considered non-Approved and may not be used in a FIPS-approved mode of operation:

Service | Non-Approved Security Functions
SSH | Asymmetric Algorithms: DSA, Symmetric Algorithms: Rijndael, AES GCM, 192-Bit AES CTR
SNMP | Hashing: MD5, Symmetric Algorithms: DES
SRTP | Hashing: MD5
IKEv1, IKEv2 | Hashing: MD5, Symmetric Algorithms: 192-Bit AES CBC
TLS 1.0/1.1/1.2 | Symmetric Algorithms: DES
Diffie-Hellman | Key agreement, less than 112 bits of encryption strength.
RSA Key Wrapping | Key wrapping, less than 112 bits of encryption strength.

Table 5: Non-Approved Disallowed Functions

Services listed in the previous table make use of non-compliant cryptographic algorithms. Use of these algorithms is prohibited in a FIPS-approved mode of operation. Some of these services may be allowed in FIPS mode when using allowed algorithms (as specified in section 8.1).

3.7 Vendor Affirmed Security Functions

The following services are considered non-Approved and may not be used in a FIPS-approved mode of operation:

Algorithm | Vendor Affirmed Security Functions
CKG | In accordance with FIPS 140-2 IG D.12, the cryptographic module performs Cryptographic Key Generation (CKG) as per SP800-133 (vendor affirmed). The resulting generated symmetric keys and the seed used in the asymmetric key generation are the unmodified output from an NIST SP 800-90A DRBG.

Table 6: Vendor Affirmed Functions

4. Module Ports and Interfaces

Oracle Virtual Machine edition is a virtualized cryptographic module that meets the overall Level 1 FIPS 140-2 requirements. The module interfaces can be categorized as follows:

- Data Input Interface
- Data Output Interface
- Control Input interface
- Status Output Interface
- Power Interface

The table below provides a mapping of ports for the Oracle VME:

FIPS 140 Interface: Data Input
  Physical Port: Host System Ethernet (10/100/1000) Ports, Host System USB Ports.
  VM Port: Virtual Ethernet Ports, Virtual USB Ports.
  Logical Interface: API Input Data and Parameters.
  Information Input/Output: Cipher text, Plain text

FIPS 140 Interface: Data Output
  Physical Port: Host System Ethernet (10/100/1000) Ports, Host System USB Ports.
  VM Port: Virtual Ethernet Ports, Virtual USB Ports.
  Logical Interface: API Output Data and Parameters.
  Information Input/Output: Cipher text, Plain Text

FIPS 140 Interface: Control Input
  Physical Port: Host System Ethernet (10/100/1000) Ports, Host System Serial Ports.
  VM Port: Virtual Ethernet Ports, Virtual Serial Ports.
  Logical Interface: API Command Input Parameters.
  Information Input/Output: Plaintext control input via console port (configuration commands, operator passwords). Ciphertext control input via network management (EMS control, CDR accounting, CLI management)

FIPS 140 Interface: Status Output
  Physical Port: Host System Ethernet (10/100/1000) Ports, Host System Serial Ports.
  VM Port: Virtual Ethernet Ports, Virtual Serial Ports.
  Logical Interface: API Status Output Parameters.
  Information Input/Output: Plaintext Status Output via Console Port. Ciphertext Status Output via network management.

FIPS 140 Interface: Power
  Physical Port: Host Power Plug
  VM Port: NA
  Logical Interface: N/A
  Information Input/Output: N/A

Table 7: Mapping of FIPS 140 Logical interfaces to Logical Ports

5. Physical Security

The module is comprised of software only and thus does not claim any physical security.

6. Roles and Services

As required by FIPS 140-2 Level 1, there are three roles (a Crypto Officer Role, User Role, and Unauthenticated Role) in the module that operators may assume. The module supports role-based authentication, and the respective services for each role are described in the following sections.

The below table gives a high-level description of all services provided by the module and lists the roles allowed to invoke each service.

Operator Role | Summary of Services
User | View configuration versions and system performance data; Test pattern rules, local policies, and session translations; Display system alarms.
Crypto-Officer | Allowed access to all system commands and configuration privileges
Unauthenticated | Request Authentication; Show Status; Initiate self-tests

Table 8: Service Summary

6.1 Operator Services and Descriptions

The below table provides a full description of all services provided by the module and lists the roles allowed to invoke each service.

Table columns: U, CO, Service Name, Service Description, Keys and CSP(s), Access Type(s)

Service Name: Configure
  U/CO: X
  Service Description: Initializes the module for FIPS mode of operation
  Keys and CSP(s): HMAC-SHA-256 key
  Access Type(s): R, W, X

Service Name: Zeroize CSP’s
  U/CO: X
  Service Description: Clears keys/CSPs from memory and disk
  Keys and CSP(s): All CSP’s
  Access Type(s): Z

Service Name: Software Update
  U/CO: X
  Service Description: Updates software
  Keys and CSP(s): Software Integrity Key (RSA)
  Access Type(s): R, X

Service Name: Bypass
  U/CO: X
  Service Description: Configure bypass using TCP or UDP and viewing bypass service status
  Keys and CSP(s): HMAC-SHA-256 Bypass Key
  Access Type(s): R, W, X

Service Name: Decrypt
  U/CO: X, X
  Service Description: Decrypts a block of data Using AES or Triple DES in FIPS Mode
  Keys and CSP(s):
    TLS Session Keys (AES128)
    TLS Session Keys (AES256)
    SSH Session Key (AES128)
    SSH Session Key (AES256)
    SRTP Session Key (AES-128)
    SNMP Privacy Key (AES-128)
    IKE Session Encryption Key (Triple-DES, AES-128, AES256)
    IPsec Session Encryption Key (Triple-DES, AES-128 or AES-256)
  Access Type(s): X for each key

Service Name: Encrypt
  U/CO: X, X
  Service Description: Encrypts a block of data Using AES or Triple DES, in FIPS Mode
  Keys and CSP(s):
    TLS Session Keys (AES128)
    TLS Session Keys (AES256)
    SSH Session Key (AES128)
    SSH Session Key (AES256)
    SRTP Session Key (AES-128)
    SNMP Privacy Key (AES-128)
    IKE Session Encryption Key (Triple-DES, AES-128, AES256)
    IPsec Session Encryption Key (Triple-DES, AES-128 or AES-256)
  Access Type(s): X for each key

Service Name: Generate Keys
  U/CO: X, X
  Service Description: Generates AES or Triple-DES for encrypt/decrypt operations.
  Keys and CSP(s):
    TLS Session Keys (AES128)
    TLS Session Keys (AES256)
    SSH Session Key (AES128)
    SSH Session Key (AES256)
    SRTP Session Key (AES-128)
    SNMP Privacy Key (AES-128)
    IKE Session Encryption Key (Triple-DES, AES-128, AES256)
    IPsec Session Encryption Key (Triple-DES, AES-128 or AES-256)
  Access Type(s): R, W for each key
  Service Description: Generates Diffie-Hellman, EC Diffie-Hellman, and RSA keys for key transport/key establishment.
  Keys and CSP(s):
    Diffie-Hellman Public Key (DH)
    Diffie-Hellman Private Key (DH)
    EC Diffie-Hellman Public Key (ECDH)
    EC Diffie-Hellman Private Key (ECDH)
    SSH authentication private Key (RSA)
    SSH authentication public key (RSA)
    TLS authentication private Key (ECDSA/RSA)
    TLS authentication public key (ECDSA/RSA)
    TLS premaster secret
    TLS Master secret
    SRTP Master key
    IKE Private Key (RSA)
    IKE Public Key (RSA)
    SKEYSEED
    SKEYID
    SKEYID_d
  Access Type(s): R, W for each key

Service Name: Verify
  U/CO: X, X
  Service Description: Used as part of the TLS, SSH protocol negotiation
  Keys and CSP(s):
    SSH authentication private Key (RSA)
    SSH authentication public key (RSA)
    TLS authentication private Key (ECDSA/RSA)
    TLS authentication public key (ECDSA/RSA)
    Diffie-Hellman Public Key (DH)
    Diffie-Hellman Private Key (DH)
    EC Diffie-Hellman Public Key (ECDH)
    EC Diffie-Hellman Private Key (ECDH)
  Access Type(s): X for each key

Service Name: Generate Seed
  U/CO: X, X
  Service Description: Generate an entropy input for Hash DRBG, CTR DRBG

Service Name: Generate Random Number
  U/CO: X, X
  Service Description: Generate random number.

  Keys and CSP(s) listed for Generate Seed and Generate Random Number:
    DRBG Seed
    DRBG Entropy Input String
    DRBG C
    DRBG V
    DRBG Key
  Access Type(s): R, W, X

Service Name: HMAC
  U/CO: X, X
  Service Description: Generate HMAC
  Keys and CSP(s):
    SNMP Authentication Key
    SRTP Authentication Key
    SSH Integrity Keys
    TLS Integrity Keys
    IPsec Session Authentication Key
    IKE Session Authentication Key
  Access Type(s): X for each key

Service Name: Generate Certificate
  U/CO: X, X
  Service Description: Generate certificate
  Keys and CSP(s): Web UI Certificate
  Access Type(s): R, W, X

Service Name: Authenticate
  U/CO: X, X
  Service Description: Authenticate Users
  Keys and CSP(s): Operator Password
  Access Type(s): R, W, X

R – Read, W – Write, X – Execute, Z - Zeroize

Table 9: Operator Services and Descriptions

Note: TLS, SRTP and SNMP protocols use the Oracle Acme Packet Cryptographic library.
Note: SSH, IKEv2 and IPSec use the Oracle Acme Packet Mocana Cryptographic library.

6.2 Unauthenticated Services and Descriptions

The below table provides a full description of the unauthenticated services provided by the module:

Service Name | Service Description
On-Demand Self-Test Initialization | This service initiates the FIPS self-test when requested.
Show Status | This service shows the operational status of the module
Factory Reset Service | Factory Reset Service - This service restores the module to factory defaults

Table 10: Operator Services and Descriptions

6.3 Operator Authentication

6.3.1 Crypto-Officer: Password-Based Authentication

In FIPS-approved mode of operation, the module is accessed via Command Line Interface over the Console ports or via SSH, SNMPv3 or HTTPS over the Network Management Ports. Other than status functions available by viewing the Status LEDs, the services described are available only to authenticated operators.

Method: Password Based (CO and User Authentication)
  Probability of a Single Successful Random Attempt: Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. The probability of a successful random attempt is 1/94^8, which is less than 1/1,000,000.
  Probability of a Successful Attempt within a Minute: Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/94^8, which is less than 1/100,000.

Method: SNMPv3 Passwords
  Probability of a Single Successful Random Attempt: Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. The probability of a successful random attempt is 1/94^8, which is less than
  Probability of a Successful Attempt within a Minute: Passwords must be a minimum of 8 characters. The password can consist of alphanumeric values, {a-z, A-Z, 0-9, and special characters}, yielding 94 choices per character. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/94^8, which is less than 1/100,000.

  Probability of a Single Successful Random Attempt: Passwords must be a minimum of 12 numeric characters. 0-9, yielding 10 choices per character. The probability of a successful random attempt is 1/10^12, which is less than 1/1,000,000.
  Probability of a Successful Attempt within a Minute: Passwords must be a minimum of 12 numeric characters. 0-9, yielding 10 choices per character. Assuming 10 attempts per second via a scripted or automatic attack, the probability of a success with multiple attempts in a one-minute period is 600/10^12, which is less than 1/100,000.

Table 11: Crypto-Officer and User Authentication

6.3.2 User: Password-Based Authentication

The module also supports authentication via digital certificates for the User Role as implemented by the TLS and SSH protocols. The module supports a public key-based authentication with 2048-bit RSA and 2048-bit ECDSA keys.

Method: Certificate-Based
  Probability of a Single Successful Random Attempt: A 2048-bit RSA/ECDSA key has at least 112-bits of equivalent strength. The probability of a successful random attempt
