WIXLIB

Mocana CorporationMocana Cryptographic Suite B Module Security PolicyDefinition of Public Keys:The following are the public keys contained in the module:Table 6: Public Key try/OutputDH PublicComponentUsed to derive the secretsession key during DH keyagreement protocolInternally usingthe AES-CTRDRBGTemporarily involatile RAMEntry: Receive ClientPublic Componentduring DH exchange.Output: TransmitHost PublicComponent duringDH exchangeECDH PublicComponentUsed to derive the secretsession key during ECDHkey agreement protocolInternally usingthe AES-CTRDRBGTemporarily involatile RAMEntry: Receive ClientPublic Componentduring DH exchange.Output: TransmitHost PublicComponent duringDH exchangeRSA PublicKeysUsed to verify RSAsignaturesMay begeneratedinternally usingthe AES-CTRDRBG orgeneratedexternallyTemporarily involatile RAMInput: Plaintext ifgenerated externally tOutput: PlaintextRSA KeyWrapping PublicKeysUsed for RSA KeyWrapping encryptionoperationMay begeneratedinternally usingthe AES-CTRDRBG orgeneratedexternallyTemporarily involatile RAMInput: Plaintext ifgenerated externallyOutput: PlaintextDSA PublicKeysUsed to verify DSAsignaturesMay begeneratedinternally usingthe AES-CTRDRBG orgeneratedexternallyTemporarily involatile RAMInput: Plaintext ifgenerated externallyOutput: PlaintextECDSA PublicKeysUsed to verify ECDSAsignaturesMay begeneratedinternally usingthe AES-CTRDRBG orgeneratedexternallyTemporarily involatile RAMInput: Plaintext ifgenerated externallyOutput: PlaintextPage 11

Mocana CorporationMocana Cryptographic Suite B Module Security PolicyDefinition of CSPs Modes of AccessThe following table defines the relationship between access to CSPs and the different moduleservices.Table 7 – CSP Access Rights within Roles & ServicesRoleC.O.ServiceCryptographic Keys and CSPs Access OperationUserXDH KeyGenerationUse DH ParametersGenerate DH Key pairXDH Key ExchangeUse DH Private ComponentGenerate DH shared secretXECDH KeyExchangeUse ECDH Private ComponentGenerate ECDH shared secretXRSA KeyGenerationGenerate RSA Public/Private Key pairXRSA SignatureGenerationUse RSA Private KeyGenerate RSA SignatureXRSA SignatureVerificationUse RSA Public KeyVerify RSA SignatureXRSA KeyWrappingEncryptionUse RSA Public KeyPerforms Key Wrapping EncryptionXRSA KeyWrappingDecryptionUse RSA Private KeyPerforms Key Wrapping DecryptionXDSA KeyGenerationGenerate DSA Key Pair for Signature Generation/VerificationXDSA SignatureGenerationUse DSA Private KeyGenerate DSA SignatureXDSA SignatureVerificationUse DSA Public KeyVerify DSA SignatureXECDSA KeyGenerationGenerate ECDSA Key Pair for Signature Generation/VerificationXECDSA SignatureGenerationUse DSA Private KeyGenerate ECDSA SignatureXECDSA SignatureVerificationUse ECDSA Public KeyVerify ECDSA SignatureXAES EncryptionUse AES KeyXAES DecryptionUse AES KeyXAES MessageUse AES KeyPage 12

Mocana CorporationRoleC.O.Mocana Cryptographic Suite B Module Security PolicyServiceCryptographic Keys and CSPs Access OperationUserAuthenticationCodeXTDES EncryptionUse TDES KeyXTDES DecryptionUse TDES KeyXSHA-1Generate SHA-1 Output; no CSP accessXSHA-224/256Generate SHA-224/256 Output; no CSP accessXSHA-384/512Generate SHA-384/512 Output; no CSP accessXHMAC-SHA-1MessageAuthenticationCodeUse HMAC-SHA-1 KeyGenerate HMAC-SHA-1 OutputXHMAC-SHA224/256 MessageAuthenticationCodeUse HMAC-SHA-224/256 KeyGenerate HMAC-SHA-224/256 OutputXHMAC-SHA384/512 MessageAuthenticationCodeUse HMAC-SHA-384/512 KeyGenerate HMAC-SHA-384/512 OutputXAES-CTR DRBGRandom NumberGenerationUse Seed Key to generate random numberDestroy Seed Key after useXKey DestructionDestroy All CSPsXShow StatusN/AXSelf-TestsN/AXRead VersionN/APage 13

Mocana CorporationMocana Cryptographic Suite B Module Security Policy7. Operational EnvironmentThe FIPS 140-2 Area 6 Operational Environment requirements are applicable because theMocana Cryptographic Suite B Module operates in a modifiable operational environment.Operational testing of the module was performed on the following environments:Integrity O/S 5.0-iOS-5-iOS-6-iOS-9.3The module is delivered as a binary library to be linked into an application in a similar manner tothe shared library version of the Mocana cryptographic module. Using this library whenbuilding the application, in contrast to a shared library, means that the integrity of the binarycode in the library must be tested within the fully linked executable code of the application thatincorporates it.The module is delivered as a library file (e.g. “libmss.a”) compatible with the target executionenvironment of the application.A signature file (e.g. “libmss.a.sig”) is delivered that ensures that the above library file was notchanged (HMAC-SHA1 fingerprint);An executable development tool (e.g. “secure link”) is delivered that is compatible with the hostdevelopment environment in which the application is being built;To ensure an unbroken “chain” of integrity checks, the “secure link” development tool mustperform a self integrity check to ensure that it has not been modified. It will also verify thedelivered library file and signature file. It will then act as a front end to the normal developmenttool linker to perform the final link with this library into an application. Finally it will sign thecryptographic-module within the executable and store the signature into the executable. If thedeveloper does not use the “secure link” development tool to perform the final link step of theirapplication, the cryptographic module will fail its startup integrity check. The “secure link”development tool performs these steps:1.Perform integrity check on itself using the same procedure as that to be used by the developer'sapplication as described below;2.Locate the library file and its signature file;3.Validate the signature with the data stored in the library file ( HMAC-SHA1 finger print ofwhole file);4.Execute the linking step of the application with the validated library (using the linker andlinker options as specified by the developer);5.Create a new HMAC-SHA1 fingerprint including the sections (e.g. “.text” and “.rodata”) of thecreated executable file that covers the library crypto code and constants. This step excludes theapplication’s code and constants, and any other sections by fingerprinting between top andbottom markers that are used to wrap the library code and constants;Page 14

Mocana CorporationMocana Cryptographic Suite B Module Security Policy6.“Stamp” the executable file with the generated HMAC-SHA1 value, so during the applicationstartup the integrity of the library code and constants can be validated;Integrity Check at Application StartDuring application startup, the application will check the integrity of the library code andconstants during the module startup function. It verifies the integrity by executing the HMACSHA1 fingerprint algorithm in memory and comparing the result with the value found in aspecific place in the executable application. This is analogous to the HMAC-SHA1 calculationand verification against the signature file utilized in the shared object version of the MocanaCryptographic Suite B Module.8. Security RulesThe Mocana Cryptographic Suite B Module design corresponds to the following security rules.This section documents the security rules enforced by the cryptographic module to implementthe security requirements of this FIPS 140-2 Level 1 module.1. The cryptographic module shall provide two distinct roles. These are the User role and theCryptographic Officer role.2. The cryptographic module does not provide any operator authentication.3. The cryptographic module shall encrypt/decrypt message traffic using the Triple-DES orAES algorithms.4. The cryptographic module shall perform the following self-tests:Power-up Self-Tests: Cryptographic Algorithm Tests:AES-ECB, CBC, OFB. CFB, CCM, , CTR, GCM, and XTS Encrypt and DecryptKnown Answer TestsAES-CMAC Generation and Verification Known Answer TestsTriple-DES CBC Encrypt and Decrypt Known Answer TestsHMAC-SHA-1 Known Answer TestHMAC-SHA-224 Known Answer TestHMAC-SHA-256 Known Answer TestHMAC-SHA-384 Known Answer TestHMAC-SHA-512 Known Answer TestSHA-1 Known Answer TestSHA-224 Known Answer TestSHA-256 Known Answer TestSHA-384 Known Answer TestSHA-512 Known Answer TestRSA Encrypt and Decrypt Known Answer TestsRSA Sign and Verify Known Answer TestsDSA Pairwise Consistency TestPage 15

Mocana Corporation-Mocana Cryptographic Suite B Module Security PolicyECDSA Pairwise Consistency TestECDH Pairwise Consistency TestDH Pairwise Consistency TestAES-CTR DRBG Known Answer Test Software Integrity Test: HMAC-SHA-1 Critical Functions Tests: N/AConditional Tests: DSA Pairwise Consistency Test RSA Pairwise Consistency Test ECDSA Pairwise Consistency Test FIPS 186-2 RNG Continuous Test AES-CTR DRBG Continuous Test Dual EC DRBG Continuous Test NDRNG Continuous TestThe module can be configured to utilize all or only a subset of the Approved security functionslisted in Section 3 above. Only the self-tests of the algorithms that are to be utilized will be runat power-up. Upon re-configuration from one Approved mode of operation to another, themodule will reinitialize and perform all power-up self-tests associated with the new Approvedmode of operation.5. At any time, the operator shall be capable of commanding the module to perform the powerup self-tests by reloading the cryptographic module into memory.6. The cryptographic module is available to perform services only after successfully completingthe power-up self-tests.7. Data output shall be inhibited during key generation, self-tests, zeroization, and error states.8. Status information shall not contain CSPs or sensitive data that if misused could lead to acompromise of the module.9. The module shall not support concurrent operators.10. DES, Blowfish, ARC2, ARC4, MD2, MD4, MD5, HMAC-MD5, AES EAX, AES XCBC,RSA PKCS #1 v2.1 RSAES-OAEP encryption/decryption, FIPS 186-2 RNG, and Dual ECDRBG are not allowed for use in the FIPS Approved mode of operation. When thesealgorithms are used, the module is no longer operating in the FIPS Approved mode ofoperation. It is the responsibility of the consuming application to zeroize all keys and CSPsprior to and after utilizing these non-Approved algorithms. CSPs shall not be shared betweenthe Approved and non-Approved modes of operation.Page 16

Mocana CorporationMocana Cryptographic Suite B Module Security Policy9. Physical SecurityThe FIPS 140-2 Area 5 Physical Security requirements are not applicable because the MocanaCryptographic Suite B Module is software only.10. Mitigation of Other Attacks PolicyThe module has not been designed to mitigate any specific attacks outside the scope of FIPS140-2 requirements.11. Cryptographic Officer GuidanceThe operating system running the Mocana Cryptographic Suite B Module must be configured ina single-user mode of operation.Key Destruction ServiceThere is a context structure associated with every cryptographic algorithm available in thismodule. Context structures hold sensitive information such as cryptographic keys. Thesecontext structures must be destroyed via respective API calls when the application software nolonger needs to use a specific algorithm any more. This API call will zeroize all sensitiveinformation including cryptographic keys before freeing the dynamically allocated memory. Seethe Mocana Cryptographic API Reference for additional information.12. Definitions and AcronymsAESAdvanced Encryption StandardAPIApplication Program InterfaceCOCryptographic OfficerCSPCritical Security ParameterDESData Encryption StandardDHDiffie-HellmanDRBGDeterministic Random Bit GeneratorDSADigital Signature AlgorithmECDHElliptic Curve Diffie-HellmanECDSAElliptic Curve Digital Signature AlgorithmEMCElectromagnetic CompatibilityEMIElectromagnetic InterferenceFIPSFederal Information Processing StandardPage 17

Mocana CorporationMocana Cryptographic Suite B Module Security PolicyHMACKeyed-Hash Message Authentication CodeRAMRandom Access MemoryRNGRandom Number GeneratorRSARivest, Shamir and Adleman AlgorithmTDESTriple-DESSHASecure Hash AlgorithmSOShared ObjectPage 18

RSA Private Key Used to create RSA digital signatures May be generated internally using the AES-CTR DRBG or generated externally Temporarily in volatile RAM Entry: Plaintext if generated externally Output: Plaintext An application program which uses the API may destroy the key. The Key Destruction service zeroizes this CSP. RSA Key