Security Policy 09.10.14 RSA BSAFE® Crypto-C Micro Edition Version 4.1 Security Policy Level 1 with Level 2 Roles, Services, and Authentication This is a non-proprietary Security Policy for RSA BSAFE Crypto-C Micro Edition 4.1 (Crypto-C ME). It describes how Crypto-C ME meets the Level 2 security requirements of FIPS 140-2 for roles, services and authentication, the Level 3 security requirements of FIPS 140-2 for design assurance, and the Level 1 security requirements of FIPS 140-2 for all other aspects.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 1 Introduction The Crypto-C ME software development toolkit is designed to enable developers to incorporate cryptographic technologies into applications. Crypto-C ME security software helps to protect sensitive data as it is stored, using strong encryption techniques to ease integration with existing data models.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2 Crypto-C ME Cryptographic Toolkit Crypto-C ME is designed with the ability to optimize code for different processors, and specific speed or size requirements. Assembly-level optimizations on key processors mean Crypto-C ME algorithms can be used at increased speeds on many platforms.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 The following table lists the certification levels sought for Crypto-C ME for each section of the FIPS 140-2 specification.
RSA BSAFE Crypto-C Micro Edition 4.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 • Oracle®: – – • – • 6 SPARC® v8 (32-bit), built with Sun Studio 10, Sun C 5.8 • x86 (32-bit), built with Sun Studio 10, Sun C 5.8 • x86_64 (64-bit), built with Sun Studio 10, Sun C 5.8 Solaris 11: • SPARC v8+ (32-bit), built with Solaris Studio 12.3, Sun C 5.12 • SPARC v9-T2 (64-bit), built with Solaris Studio 12.3, Sun C 5.12 • SPARC v9-T4 (64-bit), built with Solaris Studio 12.3, Sun C 5.12 AIX® v6.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 • WindRiver®: – VxWorks 6.4 on PowerPC 604 (32-bit), built with gcc version 3.4.4 – VxWorks 6.7 on PowerPC 604 (32-bit), built with gcc version 4.1.2 2.1.2 Affirmation of Compliance for other Operating Environments Affirmation of compliance is defined in Section G.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 • Novell: – – • • x86_64 (64-bit), built with LSB3.0 and gcc 3.4 • PowerPC (32-bit), built with gcc 3.4 • PowerPC (64-bit), built with gcc 3.4 SUSE Linux Enterprise Server 11 on Itanium (64-bit), built with LSB3.0 and gcc 3.4 – Ubuntu 12.04 LTS: • x86 (32-bit), built with LSB 3.0 and gcc 3.4 • x86_64 (64-bit), built with LSB3.0 and gcc 3.4 • x86_64 (64-bit), built with LSB4.0 and gcc 4.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.1.3 Configuring Single User Mode This section describes how to configure single user mode for the different operating system platforms supported by Crypto-C ME.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 HP-UX To configure single user mode for systems running an HP-UX operating system: 1. Log in as the root user. 2. Edit /etc/passwd and remove all the users except root and the pseudo-users. Make sure the password fields for the pseudo-users are a star (*). This prevents login as the pseudo-users. 3. Edit /etc/nsswitch.conf so files is the only option for passwd and group.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Apple Mac OS X To configure single user mode for systems running an Apple Mac OS X operating system: 1. Start a terminal session. 2. Edit /etc/passwd and /etc/master.passwd to remove all the users except root and the pseudo-users (daemon users). Make sure the password fields in /etc/master.passwd for the pseudo-users are either a star (*) or double exclamation mark (!!). This prevents login as the pseudo-users. 3.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.2 Crypto-C ME Interfaces Crypto-C ME is validated as a multi-chip standalone cryptographic module. The physical cryptographic boundary of the module is the case of the general-purpose computer or mobile device, which encloses the hardware running the module. The physical interfaces for Crypto-C ME consist of the keyboard, mouse, monitor, CD-ROM drive, floppy drive, serial ports, USB ports, COM ports, and network adapter(s).
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 The underlying logical interface to Crypto-C ME is the API, documented in the RSA BSAFE Crypto-C Micro Edition API Reference Guide. Crypto-C ME provides for Control Input through the API calls. Data Input and Output are provided in the variables passed with the API calls, and Status Output is provided through the returns and error codes documented for each call. This is illustrated in the following diagram.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.3 Roles, Services, and Authentication Crypto-C ME meets all FIPS 140-2 Level 2 requirements for roles, services, and authentication, implementing both a User role and Crypto Officer role. Role-based authentication is implemented for these roles. Only one role can be active at a time and Crypto-C ME does not allow concurrent operators. 2.3.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 PIN Data PIN data supplied by the application is hashed using the SHA-512 algorithm to generate 64 bytes of authentication data, which is stored in the roles database. To prevent successful random authentication attempts the application must set random PIN data of sufficient security strength. The PIN must contain random data with the equivalent of a minimum of 74 effectively random bits.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.3.4 Unloading and Reloading the Module A roles database stored in memory is erased when the cryptographic module is unloaded. When the cryptographic module is reloaded, the roles database must be recreated before any roles are accessible. For the steps to create a roles database in memory, see “To create the roles database in memory:” on page 14.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.4 Cryptographic Key Management Cryptographic key management is concerned with generating and storing keys, managing access to keys, protecting keys during use, and zeroizing keys when they are not longer required. 2.4.1 Key Generation Crypto-C ME supports the generation of DSA, RSA, Diffie-Hellman (DH) and Elliptic Curve Cryptography (ECC) public and private keys.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Table 2 Key Storage (continued) Key or CSP Storage HMAC DRBG entropy Volatile memory only (plaintext). HMAC DRBG V value Volatile memory only (plaintext). HMAC DRBG key Volatile memory only (plaintext). HMAC DRBG init_seed Volatile memory only (plaintext). FIPS 186-2 seed Volatile memory only (plaintext). FIPS 186-2 key Volatile memory only (plaintext). 2.4.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Table 3 Key and CSP Access (continued) Service Type Key or CSP Type of Access Self-test (Crypto Officer service) Hardcoded keys (DSA and AES) Read/Execute Show status None N/A Zeroization All Read/Write 2.4.4 Key Protection/Zeroization All key data resides in internally allocated data structures and can be output only using the Crypto-C ME API.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.5 Cryptographic Algorithms To achieve compliance with the FIPS 140-2 standard, only FIPS 140-2-approved or allowed algorithms can be used in an approved mode of operation. The following table lists the FIPS 140-2-approved and allowed algorithms supported by Crypto-C ME with validation certificate numbers.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Table 4 Crypto-C ME FIPS 140-2-approved and allowed Algorithms (continued) Algorithm Type Algorithm Validation Certificate Key Wrapping RSA encrypt and decrypt (2048 to 4096-bit key size). For key wrapping using RSA, the key establishment methodology provides between 112 and 150 bits of encryption strength. Less than 112 bits of security (key sizes less than 2048 bits) is non-compliant.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 • Entropy RNG • OTP RNG. For more information about using Crypto-C ME in a FIPS 140-2-compliant manner, see “Secure Operation of Crypto-C ME” on page 24. 2.6 Self Tests Crypto-C ME performs a number of power-up and conditional self-tests to ensure proper operation. If a power-up self-test fails for one of the resource libraries, all cryptographic services for the library are disabled.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 2.6.2 Conditional Self-tests Crypto-C ME performs two conditional self-tests: • A pair-wise consistency test each time Crypto-C ME generates a DSA, RSA, or EC public/private key pair. • A Continuous Random Number Generation (CRNG) test each time the toolkit produces random data, as per the FIPS 140-2 standard.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 3 Secure Operation of Crypto-C ME This section provides an overview of how to securely operate Crypto-C ME in compliance with the FIPS 140-2 standards. 3.1 Crypto Officer and Crypto User Guidance The Crypto Officer and Crypto User must only use algorithms approved for use in a FIPS 140 mode of operation, as listed in Table 4 on page 20.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 • When using GCM feedback mode for symmetric encryption, the authentication tag length and authenticated data length may be specified as input parameters, but the Initialization Vector (IV) must not be specified. It must be generated internally. • In the case where the module is powered down, a new key must be used for AES GCM encryption/decryption.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 3.3 Modes of Operation The following table lists and describes the available mode filters to determine the mode Crypto-C ME operates in and the algorithms allowed. Table 6 Crypto-C ME Mode Filters Mode Description R_MODE_FILTER_FIPS140 Implements FIPS 140-2 mode and provides the cryptographic algorithms listed in Table 4 on page 20. The default pseudo-random number generator (PRNG) is CTR DRBG. FIPS 140-2-approved.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 3.4 Operating Crypto-C ME Crypto-C ME operates in an unrestricted mode on startup, providing access to all cryptographic algorithms available from the FIPS 140-2 provider set against the library context. To restrict the module to a specific set of algorithms, call R_LIB_CTX_set_mode() with one of the mode filters listed in listed in Table 6 on page 26.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 3.6 Pseudo-random Number Generator In all modes of operation, Crypto-C ME provides the CTR DRBG as the default pseudo-random number generator (PRNG). Users can choose to use an approved PRNG other than the default, including HMAC DRBG or FIPS 186-2 (with or without mod q) when creating a cryptographic object and setting this object against the operation requiring random number generation (for example, key generation).
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 4 Services The following is the list of services, authenticated and unauthenticated, provided by Crypto-C ME. Authenticated services can only be used by users authenticated in the Crypto Officer or Crypto User role. Unauthenticated services can be used by any user. For more information about authentication of roles, see “Roles, Services, and Authentication” on page 14.
RSA BSAFE Crypto-C Micro Edition 4.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 R_SKEY_delete() R_SKEY_dup() R_SKEY_dup_ef() R_SKEY_free() R_SKEY_generate() R_SKEY_get_info() R_SKEY_load() R_SKEY_new() R_SKEY_new_ef() R_SKEY_SEARCH_add_filter() R_SKEY_SEARCH_free() R_SKEY_SEARCH_init() R_SKEY_SEARCH_new() R_SKEY_SEARCH_next() R_SKEY_set_info() R_SKEY_set_provider_filter() R_SKEY_store() 4.
RSA BSAFE Crypto-C Micro Edition 4.
RSA BSAFE Crypto-C Micro Edition 4.
RSA BSAFE Crypto-C Micro Edition 4.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 5 Acronyms and Definitions The following table lists and describes the acronyms and definitions used throughout this document. Table 7 Acronyms and Definitions Term Definition AES Advanced Encryption Standard. A fast symmetric key algorithm with a 128-bit block, and keys of lengths 128, 192, and 256 bits. Replaces DES as the US symmetric encryption standard. API Application Programming Interface. BPS Brier, Peyrin and Stern.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Table 7 Acronyms and Definitions Term Definition DSA Digital Signature Algorithm. An asymmetric algorithm for creating digital signatures. DRBG Deterministic Random Bit Generator. Dual EC DRBG Dual Elliptic Curve Deterministic Random Bit Generator. EC Elliptic Curve. ECAES Elliptic Curve Asymmetric Encryption Scheme. ECB Electronic Codebook.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Table 7 Acronyms and Definitions Term Definition MD2 A message digest algorithm, which hashes an arbitrary-length input into a 16-byte digest. MD2 is no longer considered secure. MD4 A message digest algorithm, which hashes an arbitrary-length input into a 16-byte digest. MD5 A message digest algorithm, which hashes an arbitrary-length input into a 16-byte digest. Designed as a replacement for MD4.
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy Level 1 with Level 2 Table 7 Acronyms and Definitions Term Definition SEED SEED symmetric key encryption algorithm developed by the Korean Information Security Agency. SHA Secure Hash Algorithm. An algorithm, which creates a unique hash value for each possible input. SHA takes an arbitrary input, which is hashed into a 160-bit digest. SHA-1 A revision to SHA to correct a weakness. It produces 160-bit digests.