Security Policy 02.07.19 RSA BSAFE® Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 This document is a non-proprietary security policy for the RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 (Crypto-J JSAFE and JCE Software Module) security software. This document may be freely reproduced and distributed whole and intact including the copyright notice. Contents: Preface ............................................................................................................
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Preface This document is a non-proprietary security policy for the Crypto-J JSAFE and JCE Software Module from RSA Security LLC, a Dell Technologies company (RSA). This security policy describes how the Crypto-J JSAFE and JCE Software Module meets the overall Level 1 security requirements of FIPS 140-2, and how to securely operate it.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Document Organization This document explains the Crypto-J JSAFE and JCE Software Module features and functionality relevant to FIPS 140-2, and contains the following sections: • This section, Preface provides an overview and introduction to the Security Policy. • The Cryptographic Module, describes the module and how it meets the FIPS 140-2 Security Level 1 requirements.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1 The Cryptographic Module This section provides an overview of the module, and contains the following topics: • Introduction • Module Characteristics • Module Interfaces • Roles and Services • Cryptographic Key Management • Cryptographic Algorithms • Self-tests. 1.1 Introduction More than a billion copies of the RSA BSAFE technology are embedded in today's most popular software applications and hardware devices.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 The following table lists the certification levels sought for the JCM for each section of the FIPS 140-2 specification.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.2.2 Affirmation of Compliance for other Operating Environments Affirmation of compliance is defined in Section G.5, “Maintaining Validation Compliance of Software or Firmware Cryptographic Modules,” in Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program. Compliance is maintained in all operational environments for which the binary executable remains unchanged.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 – – Android 8.x • ARM v7 (32-bit) • ARM v8 (32-bit) • ARM v8 (64-bit) • x86 (32-bit). Android 9.0 • • HPE – • HP-UX 11.31 • Itanium® 2 (32-bit) HP JDK 8.0 • Itanium 2 (64-bit) HP JDK 8.0. IBM – – • AIX® 7.1 • PowerPC® (32-bit) IBM JDK 8.0 • PowerPC (64-bit) IBM JDK 8.0. AIX 7.2 • PowerPC (32-bit) IBM JDK 8.0 • PowerPC (64-bit) IBM JDK 8.0. Linux® – CentOS 6.10 • – – x86_64 (64-bit) IBM JDK 8.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 – Windows 10 Enterprise • – Windows Server 2008 SP2 • – x86_64 (64-bit) IBM JDK 8.0, Oracle JDK 8.0 and 9.0.1. Oracle – – • x86_64 (64-bit) IBM JDK 8.0, Oracle JDK 8.0 and 9.0.1. Windows Server 2016 • • x86_64 (64-bit) IBM JDK 8.0, Oracle JDK 8.0 and 9.0.1. Windows Server 2012 R2 • – x86_64 (64-bit) IBM JDK. 8.0, Oracle JDK 8.0. Windows Server 2012 • – x86 _64 (64-bit) IBM JDK 8.0, Oracle JDK 8.0 and 9.0.1.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.3 Module Interfaces As a multi-chip standalone module, the physical interface to the JCM consists of a keyboard, mouse, monitor, serial ports and network adapters. The underlying logical interface to the module is the API, documented in the relevant API Javadoc.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.4 Roles and Services The JCM is designed to meet all FIPS 140-2 Level 1 requirements, implementing both a Crypto Officer role and a Crypto User role. As allowed by FIPS 140-2, the JCM does not require user identification or authentication for these roles. 1.4.1 Crypto Officer Role The Crypto Officer is responsible for installing and loading the module.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.4.3 Services The JCM provides services which are available for both FIPS 140-2 and non-FIPS 140-2 usage. For a list of FIPS 140-2 approved and FIPS 140-2 allowed algorithms, see Table 5. The following table lists the un-authenticated services provided by the JCM which may be used by either Role, in either the FIPS or non-FIPS mode, in terms of the module interface.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 2 Services Available to the Crypto User and Crypto Officer Roles (continued) Services Available to the Crypto User and Crypto Officer Roles Key Derivation: KDF clearSensitiveData clone generate getCryptoModule Algorithms allowed for FIPS 140-2 usage HKDF KDFTLS10 (For use with TLS versions 1.0 and 1.1) KDFTLS12 (For use with TLS version 1.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.5 Cryptographic Key Management Cryptographic key management is concerned with generating and storing keys, protecting keys during use, zeroizing keys when they are no longer required and managing access to keys. 1.5.1 Key Generation The module supports the generation of the DSA, RSA, and Diffie-Hellman (DH) and ECC public and private keys.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.5.5 Key Access An authorized operator of the module has access to all key data created during JCM operation. The User and Officer roles have equal and complete access to all keys. The following table lists the different services provided by the module with the type of access to keys or CSPs.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.6 Cryptographic Algorithms The JCM offers a wide range of cryptographic algorithms. This section describes the algorithms that can be used when operating the module in a FIPS 140-2 compliant manner. The following table lists the FIPS 140-2 approved and FIPS 140-2 allowed algorithms that can be used when operating the module in a FIPS 140-2 compliant way.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 The following lists all other available algorithms in the JCM that are not allowed for FIPS 140-2 usage. These algorithms must not be used when operating the module in a FIPS 140-2 compliant way.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 1.7 Self-tests The module performs power-up and conditional self-tests to ensure proper operation. If the power-up self-test fails, the module is disabled and throws a SecurityException. The module cannot be used within the current JVM. If the conditional self-test fails, the module throws a SecurityException and aborts the operation. A conditional self-test failure does NOT disable the module. 1.7.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 By default, all Cryptographic Algorithm tests are run at power-up. However, if configured to do so, the module will run all of the power-up self-tests when first loaded in an operational environment, and run only the Software Integrity Test on subsequent restarts. 1.7.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 2 Secure Operation of the Module The following guidance must be followed in order to operate the module in a FIPS 140-2 mode of operation, in conformance with FIPS 140-2 requirements. Note: The module operates as a Validated Cryptographic Module only when the rules for secure operation are followed. 2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 The available role values are the constants FIPS140Context.ROLE_CRYPTO_OFFICER and FIPS140Context.ROLE_USER. No role authentication is required for operation of the module in Security Level 1 mode. When in Security Level 1 mode, invocation of methods which are particular to Security Level 2 Roles, Services and Authentication will result in an error. 2.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 • In case the power to the module is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. • When generating key pairs using the KeyPairGenerator object, the generate(boolean pairwiseConsistency) method must not be invoked with an argument of false. Use of the no-argument generate() method is recommended.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 • When using DSA key pair generation and signature generation or DH key pair generation and key agreement, the domain parameters must have prime P length (PRIME_LEN) and subprime Q length (SUBPRIME_LEN) within the set of acceptable pair sets (PRIME_LEN, SUBPRIME_LEN): (2048, 224), (2048, 256) or (3072, 256).
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 • KDFs: – For Single-step KDF: – A FIPS 140-2 approved hash function must be used. – For HKDF: – • • A FIPS 140-2 approved HMAC must be used. • The extracted key-derivation key must be used solely for the single key-expansion step. For more information see SP 800-56C Rev.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 – For three-key Triple-DES: • The use of three-key Triple-DES is approved. • The user is responsible for ensuring the same Triple-DES key has a limit of: • 220 64-bit data block encryptions when keys are generated as part of one of the recognized IETF protocols. • 216 64-bit data block encryptions otherwise.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 7 Verifier Requirements FIPS 186-4 Requirement Module Capabilities and Recommendations Obtain assurance of the signatory’s claimed identity. The module verifies the signature created using the private key, but all other assurances are outside the scope of the module. Obtain assurance of the validity of the domain parameters for DSA and ECDSA.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 8 Key Establishment Recommendations (continued) NIST SP 800-56A Recommendations Module Capabilities and Recommendations Obtain a key establishment key pair that is generated as specified for the appropriate algorithm. The module generates the digital signature key pair according to the required standards. Choose a FIPS-Approved DRBG like HMAC DRBG to generate the key pair.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 2.3.5 Crypto User Guidance on Key Generation and Entropy The module generates cryptographic keys whose strengths are modified by available entropy. As a result, no assurance is given for the minimum strength of generated keys. The JCM provides the HMAC DRBG, CTR DRBG and Hash DRBG implementations for key generation.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 2.5 Operating the Cryptographic Module Both FIPS and non-FIPS algorithms are available to the operator. In order to operate the module in the FIPS-Approved mode, all rules and guidance provided in Secure Operation of the Module must be followed by the module operator. The module does not enforce the FIPS 140-2 mode of operation.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 3 Acronyms The following table lists the acronyms used with the JCM and their definitions. Table 11 Acronyms used with the JCM 38 Acronym Definition 3DES Refer to Triple-DES AD Authenticated Decryption. A function that decrypts purported ciphertext and verifies the authenticity and integrity of the data. AE Authenticated Encryption.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 11 Acronyms used with the JCM (continued) Acronyms Acronym Definition CRNG Continuous Random Number Generation. CSP Critical Security Parameters. CTR Counter mode of encryption, which turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a counter. CTS Cipher Text Stealing.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 11 Acronyms used with the JCM (continued) 40 Acronym Definition FPE Format Preserving Encryption. HKDF HMAC-based Extract-and-Expand Key Derivation Function. HMAC Keyed-Hashing for Message Authentication Code. IV Initialization Vector. Used as a seed value for an encryption operation. JCE Java Cryptography Extension. JVM Java Virtual Machine. KAT Known Answer Test. KDF Key Derivation Function.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 11 Acronyms used with the JCM (continued) Acronyms Acronym Definition PC Personal Computer. Poly1305 A cryptographic MAC standardized in RFC 7539. private key The secret key in public key cryptography. Primarily used for decryption but also used for encryption with digital signatures. PRNG Pseudo-random Number Generator. RC2 Block cipher developed by Ron Rivest as an alternative to the DES.
RSA BSAFE Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 Table 11 Acronyms used with the JCM (continued) 42 Acronym Definition TDES Refer to Triple-DES. TLS Transport Layer Security. Triple-DES A symmetric encryption algorithm which uses either two or three DES keys. The two key variant of the algorithm provides 80 bits of security strength while the three key variant provides 112 bits of security strength.