FIPS 140-2 Non-Proprietary Security Policy

Java Crypto Module

Software Version 1.0

Document Version 1.0

December 11, 2015

© Skyhigh Networks

Prepared For: Skyhigh Networks, 900 E. Hamilton Ave., Suite 400, Campbell, CA 95008, www.skyhighnetworks.com

Prepared By: SafeLogic Inc., 469 Hamilton Avenue, Suite 306, Palo Alto, CA 94301, www.safelogic.com


Abstract

This document provides a non-proprietary FIPS 140-2 Security Policy for Java Crypto Module.

Table of Contents

1 Introduction
  1.1 About FIPS 140
  1.2 About this Document
  1.3 External Resources
  1.4 Notices
  1.5 Acronyms
2 Java Crypto Module
  2.1 Cryptographic Module Specification
    2.1.1 Validation Level Detail
    2.1.2 Approved Cryptographic Algorithms
    2.1.3 Non-Approved but Allowed Cryptographic Algorithms
    2.1.4 Non-Approved Cryptographic Algorithms
  2.2 Module Interfaces
  2.3 Roles, Services, and Authentication
    2.3.1 Operator Services and Descriptions
    2.3.2 Operator Authentication
  2.4 Physical Security
  2.5 Operational Environment
  2.6 Cryptographic Key Management
    2.6.1 Random Number Generation
    2.6.2 Key/CSP Storage
    2.6.3 Key/CSP Zeroization
  2.7 Self-Tests
    2.7.1 Power-On Self-Tests
    2.7.2 Conditional Self-Tests
  2.8 Mitigation of Other Attacks
3 Guidance and Secure Operation
  3.1 Crypto Officer Guidance
    3.1.1 Software Installation
    3.1.2 Additional Rules of Operation
  3.2 User Guidance
    3.2.1 General Guidance
    3.2.2 FIPS-Approved Mode of Operation


List of Tables

Table 1 – Acronyms and Terms
Table 2 – Validation Level by FIPS 140-2 Section
Table 3 – FIPS-Approved Algorithm Certificates
Table 4 - Non Approved Algorithms
Table 5 – Logical Interface / Physical Interface Mapping
Table 6 – Module Services, Roles, and Descriptions
Table 7 – Module Keys/CSPs
Table 8 – Power-On Self-Tests
Table 9 – Conditional Self-Tests

List of Figures

Figure 1 – Module Boundary and Interfaces Diagram


1 Introduction

1.1 About FIPS 140

Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) run the FIPS 140 program. The NVLAP accredits independent testing labs to perform FIPS 140-2 testing; the CMVP validates modules meeting FIPS 140-2 validation. Validated is the term given to a module that is documented and tested against the FIPS 140-2 criteria.

More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html.

1.2 About this Document

This non-proprietary Cryptographic Module Security Policy for the Java Crypto Module from Skyhigh Networks provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-2. This document contains details on the module’s cryptographic keys and critical security parameters. This Security Policy concludes with instructions and guidance on running the module in a FIPS 140-2 mode of operation.

Java Crypto Module may also be referred to as the “module” in this document.

1.3 External Resources

The Skyhigh Networks website (http://www.skyhighnetworks.com) contains information on Skyhigh Networks services and products. The Cryptographic Module Validation Program website contains links to the FIPS 140-2 certificate and Skyhigh Networks contact information.

1.4 Notices

This document may be freely reproduced and distributed in its entirety without modification.

1.5 Acronyms

The following table defines acronyms found in this document:


Table 1 – Acronyms and Terms

| Acronym | Term |
|---|---|
| AES | Advanced Encryption Standard |
| ANSI | American National Standards Institute |
| API | Application Programming Interface |
| CMVP | Cryptographic Module Validation Program |
| CO | Crypto Officer |
| CSE | Communications Security Establishment |
| CSP | Critical Security Parameter |
| DES | Data Encryption Standard |
| DH | Diffie-Hellman |
| DSA | Digital Signature Algorithm |
| EC | Elliptic Curve |
| EMC | Electromagnetic Compatibility |
| EMI | Electromagnetic Interference |
| FCC | Federal Communications Commission |
| FIPS | Federal Information Processing Standard |
| GPC | General Purpose Computer |
| GUI | Graphical User Interface |
| HMAC | (Keyed-) Hash Message Authentication Code |
| KAT | Known Answer Test |
| MAC | Message Authentication Code |
| NIST | National Institute of Standards and Technology |
| OS | Operating System |
| PKCS | Public-Key Cryptography Standards |
| PRNG | Pseudo Random Number Generator |
| PSS | Probabilistic Signature Scheme |
| RNG | Random Number Generator |
| RSA | Rivest, Shamir, and Adleman |
| SHA | Secure Hash Algorithm |
| SSL | Secure Sockets Layer |
| Triple-DES | Triple Data Encryption Algorithm |
| TLS | Transport Layer Security |
| USB | Universal Serial Bus |


2 Java Crypto Module

2.1 Cryptographic Module Specification

The Java Crypto Module provides cryptographic functions for Skyhigh Networks cloud visibility and enablement products.

The module's logical cryptographic boundary is the shared library files and their integrity check HMAC files. The module is a multi-chip standalone embodiment installed on a General Purpose Device. The module is a software module and relies on the physical characteristics of the host platform. The module’s physical cryptographic boundary is defined by the enclosure around the host platform.

All operations of the module occur via calls from host applications and their respective internal daemons/processes.

2.1.1 Validation Level Detail

The following table lists the level of validation for each area in FIPS 140-2:

| FIPS 140-2 Section Title | Validation Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Finite State Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| Electromagnetic Interference / Electromagnetic Compatibility | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of Other Attacks | N/A |

Table 2 – Validation Level by FIPS 140-2 Section


2.1.2 Approved Cryptographic Algorithms

The module’s cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program:

Algorithm: AES (128-, 192-, 256-bit keys in ECB, CBC, CFB128 and OFB modes)
CAVP Certificate: 3192

Algorithm: DSA (FIPS 186-4)
CAVP Certificate: 914
• Signature verification
  o L=1024, N=160, SHA-1 through SHA-512
  o L=2048, N=224, 256, SHA-1 through SHA-512
  o L=3072, N=256, SHA-1 through SHA-512
• PQG generation (Probable Primes P and Q, Unverifiable and Canonical Generation G)
  o L=2048, N=224, SHA-224 through SHA-512
  o L=2048, N=256, SHA-256 through SHA-512
  o L=3072, N=256, SHA-256 through SHA-512
• Key Pair Generation
  o L=2048, N=224
  o L=2048, N=256
  o L=3072, N=256
• Signature Generation
  o L=2048, N=224, SHA-224 through SHA-512
  o L=2048, N=256, SHA-256 through SHA-512
  o L=3072, N=256, SHA-256 through SHA-512

Algorithm: ECDSA (FIPS 186-4)
CAVP Certificate: 583
• Signature Verification (SHA-1 through SHA-512)
  o P – curves 192, 224, 256, 384, and 521
  o K – curves 163, 233, 283, 409, and 571
  o B – curves 163, 233, 283, 409, and 571
• Signature Generation (SHA-224 through SHA-512)
  o P – curves 224, 256, 384, and 521
  o K – curves 233, 283, 409, and 571
  o B – curves 233, 283, 409, and 571

Algorithm: RSA (FIPS 186-4)
CAVP Certificate: 1622
• Key Pair Generation (X9.31)
  o Appendix B.3.3
  o Mod 2048, 3072
  o Table C.3 Probabilistic Primality Tests (2^-100)
• Signature Generation (PKCS v1.5, PSS)
  o Mod 2048, SHA-224 through SHA-512
  o Mod 3072, SHA-224 through SHA-512
• Signature Verification (PKCS v1.5, PSS)
  o Mod 1024, SHA-1 through SHA-512
  o Mod 2048, SHA-1 through SHA-512
  o Mod 3072, SHA-1 through SHA-512

Algorithm: HMAC using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
CAVP Certificate: 2011

Algorithm: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
CAVP Certificate: 2637

Algorithm: SP 800-90A based HMAC-DRBG, no reseed
CAVP Certificate: 668

Algorithm: Triple-DES (two- and three-key with ECB, CBC, CFB8 and OFB modes) [1]
CAVP Certificate: 1818

Table 3 – FIPS-Approved Algorithm Certificates

2.1.3 Non-Approved but Allowed Cryptographic Algorithms

The module supports the following non-FIPS 140-2 approved but allowed algorithms:

• Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 219 bits of encryption strength)

• EC Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength)

2.1.4 Non-Approved Cryptographic Algorithms

The module supports the following non-approved algorithms and modes:

| Algorithm | Modes or Cipher Type |
|---|---|
| DSA [2] | PQGGen, KeyGen and SigGen (non-compliant less than 112 bits of encryption strength), including FIPS 186-2 signature generation and key generation |
| ECDSA [2] | KeyGen and SigGen (non-compliant less than 112 bits of encryption strength), including FIPS 186-2 signature generation and key generation |
| RSA [2] | KeyGen and SigGen; non-compliant less than 112 bits of encryption strength |
| Diffie-Hellman | key agreement; key establishment methodology providing between 80 and 112 bits of encryption strength |
| EC Diffie-Hellman | key agreement; key establishment methodology provides between 80 and 112 bits of encryption strength |
| AES [2] | GCM, CFB8, CTR, CMAC, CCM |
| ANSI X9.31 Appendix A.2.4 PRNG [2] | (AES-128) |
| Blowfish | Symmetric Block Cipher [3] |
| Camellia | Symmetric Block Cipher [3] |
| CAST5 | Symmetric Block Cipher [3] |
| CAST6 | Symmetric Block Cipher [3] |
| ChaCha | Symmetric Stream Cipher [4] |
| DES | Symmetric Block Cipher [3] |
| TDES Key Wrapping [2] | Symmetric Block Cipher [3] |
| ElGamal | Asymmetric Block Cipher [5] |
| GOST28147 | Symmetric Block Cipher [3] |
| GOST3411 | Digest |
| Grain128 | Symmetric Stream Cipher [4] |
| Grainv1 | Symmetric Stream Cipher [4] |
| HC128 | Symmetric Stream Cipher [4] |
| HC256 | Symmetric Stream Cipher [4] |
| IDEA | Symmetric Block Cipher [3] |
| IES | Key Agreement and Stream Cipher based on IEEE P1363a (draft 10) |
| ISAAC | Symmetric Stream Cipher [4] |
| MD2 | Digest |
| MD4 | Digest |
| MD5 | Digest |
| Naccache Stern | Asymmetric Block Cipher [5] |
| Noekeon | Symmetric Block Cipher [3] |
| Password-Based-Encryption (PBE) | • PKCS5S1, any Digest, any symmetric Cipher, ASCII • PKCS5S2, SHA1/HMac, any symmetric Cipher, ASCII, UTF8 • PKCS12, any Digest, any symmetric Cipher, Unicode |
| RC2 | Symmetric Block Cipher [3] |
| RC2 Key Wrapping | Symmetric Stream Cipher [4] |
| RC4 | Symmetric Stream Cipher [4] |
| RC532 | Symmetric Block Cipher [3] |
| RC564 | Symmetric Block Cipher [3] |
| RC6 | Symmetric Block Cipher [3] |
| RFC3211 Wrapping | Symmetric Block Cipher [3] |
| RFC3394 Wrapping | Symmetric Block Cipher [3] |
| Rijndael | Symmetric Block Cipher [3] |
| RipeMD128 | Digest |
| RipeMD160 | Digest |
| RipeMD256 | Digest |
| RipeMD320 | Digest |
| RSA Encryption | Asymmetric Block Cipher [5] |
| Salsa20 | Symmetric Stream Cipher [4] |
| SEED | Symmetric Block Cipher [3] |
| SEED Wrapping | Symmetric Block Cipher [3] |
| Serpent | Symmetric Block Cipher [3] |
| Shacal2 | Symmetric Block Cipher [3] |
| SHA-3 [2] | Digest |
| SHA-512/t [2] | Digest |
| Skein-256-* | Digest |
| Skein-512-* | Digest |
| Skein-1024-* | Digest |
| Skipjack [2] | Symmetric Block Cipher [3] |
| SP 800-90A DRBG [2] | CTR, Hash |
| TEA | Symmetric Block Cipher [3] |
| TDES [2] | CFB64 |
| Threefish | Symmetric Block Cipher [3] |
| Tiger | Digest |
| TLS v1.0 KDF [2] | Key Derivation Function |
| Twofish | Symmetric Block Cipher [3] |
| VMPC | Symmetric Stream Cipher [4] |
| Whirlpool | Digest |
| XSalsa20 | Symmetric Stream Cipher [4] |
| XTEA Engine | Symmetric Block Cipher [3] |

Table 4 - Non Approved Algorithms

[1] The use of two-key Triple DES for encryption is restricted: the total number of blocks of data encrypted with the same cryptographic key shall not be greater than 2^20

[2] Non-compliant

[3] Symmetric Block Ciphers can be used with the following modes and padding: ECB, CBC, CFB, CCM, CTS, GCM, GCF, EAX, OCB, OFB, CTR, OpenPGPCFB, GOSTOFB, AEAD-CCM, AEAD-EAX, AEAD-GCM, AEAD-OCB, PKCS7Padding, ISO10126d2Padding, ISO7816d4Padding, X932Padding, ISO7816d4Padding, ZeroBytePadding, TBCPadding

[4] Symmetric Stream Ciphers can only be used with ECB mode.

[5] Asymmetric Block Ciphers can be used with ECB mode and the following encodings: OAEP, PKCS1, ISO9796d1


2.2 Module Interfaces

The figure below shows the module’s physical and logical block diagram:

Figure 1 – Module Boundary and Interfaces Diagram

The interfaces (ports) for the physical boundary include the computer keyboard port, mouse port, network port, USB ports, display and power plug. When operational, the module does not transmit any information across these physical ports because it is a software cryptographic module. Therefore, the module’s interfaces are purely logical and are provided through the Application Programming Interface (API) that a calling daemon can operate. The logical interfaces expose services that applications directly call, and the API provides functions that may be called by a referencing application (see Section 2.3 – Roles, Services, and Authentication for the list of available functions). The module distinguishes between logical interfaces by logically separating the information according to the defined API.


The API provided by the module is mapped onto the FIPS 140-2 logical interfaces: data input, data output, control input, and status output. Each of the FIPS 140-2 logical interfaces relates to the module’s callable interface, as follows:

| FIPS 140-2 Interface | Logical Interface | Module Physical Interface |
|---|---|---|
| Data Input | Input parameters of API function calls | Network Interface |
| Data Output | Output parameters of API function calls | Network Interface |
| Control Input | API function calls | Keyboard Interface, Mouse Interface |
| Status Output | Function calls returning status information and return codes provided by API function calls. | Display Controller |
| Power | None | Power Supply |

Table 5 – Logical Interface / Physical Interface Mapping

As shown in Figure 1 – Module Boundary and Interfaces Diagram and Table 6 – Module Services, Roles, and Descriptions, the output data path is provided by the data interfaces and is logically disconnected from processes performing key generation or zeroization. No key information will be output through the data output interface when the module zeroizes keys.

2.3 Roles, Services, and Authentication

The module supports a Crypto Officer and a User role. The module does not support a Maintenance role. The User and Crypto-Officer roles are implicitly assumed by the entity accessing services implemented by the Module.

2.3.1 Operator Services and Descriptions

The module supports services that are available to users in the various roles. All of the services are described in detail in the module’s user documentation. The following table shows the services available to the various roles and the access to cryptographic keys and CSPs resulting from services:

| Service | Roles | CSP / Algorithm | Permission |
|---|---|---|---|
| Initialize module | CO | None | None |
| Show status | CO | None | None |
| Run self-tests on demand | CO | None | None |
| Zeroize key | CO | AES key; DH components; DRBG Entropy; DRBG Seed; DSA private/public key; ECDH components; ECDSA private/public key; HMAC key; RSA private/public key; Triple-DES key | Write |
| Generate asymmetric key pair | User | RSA private/public key; DSA private/public key | Write |
| Generate keyed hash (HMAC) | User | HMAC key | Read/Execute |
| Generate message digest (SHS [6]) | User | None | None |
| Generate random number and load entropy (DRBG) | User | DRBG Seed; DRBG Entropy | Read/Execute |
| Key agreement | User | DH components; ECDH components | Write |
| Signature Generation | User | RSA private key; DSA private key; ECDSA private/public | Read/Execute |
| Signature Verification | User | RSA public key; DSA public key; ECDSA private/public | Read/Execute |
| Symmetric decryption | User | AES key; Triple-DES key | Read/Execute |
| Symmetric encryption | User | AES key; Triple-DES key | Read/Execute |

Table 6 – Module Services, Roles, and Descriptions

When in Non-FIPS approved mode of operation, the module allows access to each of the services listed above, with exception of FIPS self-tests. When in non-FIPS-approved mode of operation the module also provides a service (API function call) for each non-approved algorithm listed in Section 2.1.4. These function calls are assigned to the User, and have Read/Write/Execute permission to the module's memory while in operation.

[6] SHA – Secure Hash Standard


2.3.2 Operator Authentication

As required by FIPS 140-2, there are two roles (a Crypto Officer role and User role) in the module that operators may assume. As allowed by Level 1, the module does not support authentication to access services. As such, there are no applicable authentication policies. Access control policies are implicitly defined by the services available to the roles as specified in Table 6 – Module Services, Roles, and Descriptions.

2.4 Physical Security

This section of requirements does not apply to this module. The module is a software-only module and does not implement any physical security mechanisms.

2.5 Operational Environment

The module operates on a general purpose computer (GPC) running a general purpose operating system (GPOS). For FIPS purposes, the module is running on this operating system in single user mode and does not require any additional configuration to meet the FIPS requirements.

The module was tested on the following platforms:

• OEM PowerEdge R420 running 64-bit Windows Server 2012 with Java Runtime Environment (JRE) v1.7.0_17.

The module is also supported on the following platform for which operational testing was not performed:

• OEM PowerEdge R420 running CentOS 6.7 and CentOS 7

Compliance is maintained for other environments where the module is unchanged. No claim can be made as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate.

The GPC(s) used during testing met Federal Communications Commission (FCC) Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined by 47 Code of Federal Regulations, Part 15, Subpart B. FIPS 140-2 validation compliance is maintained when the module is operated on other versions of the GPOS running in single user mode, assuming that the requirements outlined in NIST IG G.5 are met.


2.6 Cryptographic Key Management

The table below provides a complete list of Critical Security Parameters used within the module:

| Keys and CSPs | Storage Locations | Storage Method | Input Method | Output Method | Zeroization |
|---|---|---|---|---|---|
| AES key: AES 128, 192, 256 bit key for encryption, decryption | RAM | Plaintext | Input electronically in plaintext | Never | power cycle |
| Triple-DES key: Triple-DES 112, 168 bit key for encryption, decryption | RAM | Plaintext | Input electronically in plaintext | Never | power cycle |
| HMAC key: HMAC key for message Authentication with SHS | RAM | Plaintext | Input electronically in plaintext | Never | power cycle |
| RSA private key: RSA 2048, 3072 bit key for signature and key generation | RAM | Plaintext | Input electronically in plaintext | Never | power cycle |
| | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| RSA public key: RSA 1024, 2048, 3072 bit key for signature verification and key generation | RAM | Plaintext | Input electronically in plaintext | Never | power cycle |
| | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| DSA private key: DSA 2048, 3072-bit for signature generation | RAM | Plaintext | Input electronically in plaintext | Never | power cycle |
| | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| DSA public key: DSA 1024, 2048, 3072-bit key for signature verification | Module Binary | Plaintext | Input electronically in plaintext | Never | power cycle |
| | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| ECDSA private key: All NIST defined B, K, and P Curves for signature generation | RAM | Plaintext | Input electronically in plaintext | Never exits the module | power cycle |
| | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| ECDSA public key: All NIST defined B, K, and P Curves for signature verification | RAM | Plaintext | Input electronically in plaintext | Never exits the module | power cycle |
| | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| DH public components: Public components of DH protocol | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| DH private component: Private exponent of DH protocol | RAM | Plaintext | Internally generated | Never | power cycle |
| ECDH public components: Public components of ECDH protocol | RAM | Plaintext | Internally generated | Output electronically in plaintext | power cycle |
| ECDH private component: Private exponent of ECDH protocol | RAM | Plaintext | Internally generated | Never exits the module | power cycle |
| DRBG seed: Random data 440-bit or 880-bit to generate random number using the DRBG | RAM | Plaintext | Internally generated using nonce along with DRBG entropy input string | Never exits the module | power cycle |
| DRBG Entropy Input String: 512-bit value to generate seed and determine random number using the DRBG | RAM | Plaintext | Externally generated; Input electronically in plaintext | Never exits the module | power cycle |

R = Read, W = Write, D = Delete

Table 7 – Module Keys/CSPs

The application that uses the module is responsible for appropriate destruction and zeroization of the key material. The module provides functions for key allocation and destruction which overwrite the memory that is occupied by the key information with zeros before it is deallocated.


2.6.1 Random Number Generation

The module uses SP 800-90A DRBG for creation of asymmetric and symmetric keys.

The module accepts input from entropy sources external to the cryptographic boundary for use as seed material for the module’s Approved DRBG. Therefore, the module generates cryptographic keys whose strengths are modified by available entropy, and no assurance is provided for the strength of the generated keys.

The module performs continual tests on the output of the approved RNG to ensure that consecutive random numbers do not repeat.

2.6.2 Key/CSP Storage

Public and private keys are provided to the module by the calling process and are destroyed when released by the appropriate API function calls or during power cycle. The module does not perform persistent storage of keys.

2.6.3 Key/CSP Zeroization

The application is responsible for calling the appropriate destruction functions from the API. The destruction functions then overwrite the memory occupied by keys with zeros and deallocate the memory. This occurs during process termination / power cycle. Keys are immediately zeroized upon deallocation, which sufficiently protects the CSPs from compromise.

2.7 Self-Tests

FIPS 140-2 requires that the module perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality at start up. In addition, some functions require continuous verification of function, such as the random number generator. All of these tests are listed and described in this section.

If any self-test fails, the module will enter a critical error state, during which cryptographic functionality and all data output is inhibited. To clear the error state, the CO must reboot the host system, reload the module, or restart the calling application. No operator intervention is required to run the self-tests.

The following sections discuss the module’s self-tests in more detail.

2.7.1 Power-On Self-Tests

Power-on self-tests are executed automatically when the module is loaded into memory. The module verifies the integrity of the runtime executable using a HMAC-SHA-512 digest computed at build time. If the fingerprints match, the power-up self-tests are then performed. If the power-up self-tests are successful, the module is in FIPS mode.


| TYPE | DETAIL |
|---|---|
| Software Integrity Check | • HMAC-SHA512 on all module components |
| Known Answer Tests | • AES encrypt and decrypt KATs • Triple-DES encrypt and decrypt KATs • HMAC SHA1 KAT • HMAC SHA-256 KAT • HMAC SHA-512 KAT • RSA sign and verify KATs • SP 800-90A DRBG KAT (HMAC) |
| Pair-wise Consistency Tests | • DSA • ECDSA • Diffie-Hellman • EC Diffie-Hellman |

Table 8 – Power-On Self-Tests

Input, output, and cryptographic functions cannot be performed while the Module is in a self-test or error state because the module is single-threaded and will not return to the calling application until the power-up self tests are complete. If the power-up self tests fail, subsequent calls to the module will also fail - thus no further cryptographic operations are possible.
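Added example (not part of the Security Policy and not the module's code): the power-on sequence described above, with an HMAC-SHA-512 integrity check followed by an AES known answer test and a fail-closed error state. The class PowerOnGate, the way the integrity key and build-time tag are supplied, and the digestService stand-in are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical gate: services work only after the integrity check and the KAT have passed. */
public class PowerOnGate {
    enum State { POWER_OFF, OPERATIONAL, ERROR }

    private State state = State.POWER_OFF;

    static byte[] hmacSha512(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(key, "HmacSHA512"));
        return mac.doFinal(data);
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** AES-128 encrypt and decrypt known answer test with the FIPS 197 Appendix C.1 vector. */
    static boolean aesKat() throws GeneralSecurityException {
        SecretKeySpec key = new SecretKeySpec(hex("000102030405060708090a0b0c0d0e0f"), "AES");
        byte[] plaintext = hex("00112233445566778899aabbccddeeff");
        byte[] ciphertext = hex("69c4e0d86a7b0430d8cdb78070b4c55a");
        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        boolean encryptOk = Arrays.equals(cipher.doFinal(plaintext), ciphertext);
        cipher.init(Cipher.DECRYPT_MODE, key);
        boolean decryptOk = Arrays.equals(cipher.doFinal(ciphertext), plaintext);
        return encryptOk && decryptOk;
    }

    /** Integrity check first, then the KAT; a mismatch or any exception leaves the gate in ERROR. */
    synchronized State powerOn(byte[] moduleImage, byte[] integrityKey, byte[] buildTimeTag) {
        try {
            // MessageDigest.isEqual compares the two tags without an early exit on the first difference.
            boolean intact = MessageDigest.isEqual(hmacSha512(integrityKey, moduleImage), buildTimeTag);
            state = (intact && aesKat()) ? State.OPERATIONAL : State.ERROR;
        } catch (GeneralSecurityException e) {
            state = State.ERROR;
        }
        return state;
    }

    /** Every service entry point checks the state, so nothing is output after a failed self-test. */
    synchronized byte[] digestService(byte[] data) throws GeneralSecurityException {
        if (state != State.OPERATIONAL) {
            throw new IllegalStateException("module is in state " + state + "; service inhibited");
        }
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the module files, the integrity key and the build-time HMAC file.
        byte[] image = "constructed module bytes".getBytes(StandardCharsets.US_ASCII);
        byte[] key = "constructed integrity key".getBytes(StandardCharsets.US_ASCII);
        byte[] tag = hmacSha512(key, image);

        PowerOnGate good = new PowerOnGate();
        System.out.println("intact image   -> " + good.powerOn(image, key, tag));
        System.out.println("digest length  -> " + good.digestService(image).length);

        byte[] tampered = image.clone();
        tampered[0] ^= 0x01;                        // a single flipped bit
        PowerOnGate bad = new PowerOnGate();
        System.out.println("tampered image -> " + bad.powerOn(tampered, key, tag));
        try {
            bad.digestService(image);
        } catch (IllegalStateException e) {
            System.out.println("service call   -> " + e.getMessage());
        }
    }
}
```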

2.7.2 Conditional Self-Tests

The module implements the following conditional self-tests upon key generation, or random number generation (respectively):

| TYPE | DETAIL |
|---|---|
| Pair-wise Consistency Tests | • DSA • ECDSA • Diffie-Hellman • EC Diffie-Hellman |
| Continuous RNG Tests | • SP 800-90A DRBG (HMAC) |

Table 9 – Conditional Self-Tests
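Added example (not part of the Security Policy and not the module's code): what the two conditional self-tests in Table 9 check, shown for an ECDSA key pair and for a block-wise random number source. The class names, the 32-byte block size, the P-256 curve and the use of the JRE's default providers are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;

public class ConditionalSelfTests {

    /** Pair-wise consistency: a signature made with the private key must verify with the public key. */
    static boolean pairwiseConsistent(KeyPair pair, String sigAlg) throws GeneralSecurityException {
        byte[] msg = "pair-wise consistency test".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(pair.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pair.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    /** Key generation with the conditional test applied before the pair is handed to the caller. */
    static KeyPair generateEcKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair pair = gen.generateKeyPair();
        if (!pairwiseConsistent(pair, "SHA256withECDSA")) {
            throw new IllegalStateException("pair-wise consistency test failed; key pair discarded");
        }
        return pair;
    }

    /** Continuous test: each new block is compared with the previous one; a repeat latches an error. */
    static final class ContinuousRng {
        private final SecureRandom source;
        private final byte[] previous;
        private boolean primed;
        private boolean failed;

        ContinuousRng(SecureRandom source, int blockBytes) {
            this.source = source;
            this.previous = new byte[blockBytes];
        }

        synchronized byte[] nextBlock() {
            if (failed) {
                throw new IllegalStateException("RNG is in the error state");
            }
            if (!primed) {                          // the first block is a reference value, never output
                source.nextBytes(previous);
                primed = true;
            }
            byte[] block = new byte[previous.length];
            source.nextBytes(block);
            if (MessageDigest.isEqual(block, previous)) {
                failed = true;
                Arrays.fill(block, (byte) 0);
                throw new IllegalStateException("continuous RNG test failed: repeated block");
            }
            System.arraycopy(block, 0, previous, 0, block.length);
            return block;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair a = generateEcKeyPair();
        KeyPair b = generateEcKeyPair();
        KeyPair mismatched = new KeyPair(a.getPublic(), b.getPrivate());   // constructed fault
        System.out.println("matching pair   -> " + pairwiseConsistent(a, "SHA256withECDSA"));
        System.out.println("mismatched pair -> " + pairwiseConsistent(mismatched, "SHA256withECDSA"));

        ContinuousRng healthy = new ContinuousRng(new SecureRandom(), 32);
        System.out.println("healthy source  -> " + healthy.nextBlock().length + " bytes");

        SecureRandom stuck = new SecureRandom() {   // constructed stuck-at source
            @Override
            public void nextBytes(byte[] bytes) {
                Arrays.fill(bytes, (byte) 0x5A);
            }
        };
        try {
            new ContinuousRng(stuck, 32).nextBlock();
        } catch (IllegalStateException e) {
            System.out.println("stuck source    -> " + e.getMessage());
        }
    }
}
```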

2.8 Mitigation of Other Attacks

The Module does not contain additional security mechanisms beyond the requirements for FIPS 140-2 Level 1 cryptographic modules.


3 Guidance and Secure Operation

3.1 Crypto Officer Guidance

3.1.1 Software Installation

The module is provided directly to solution developers and is not available for direct download to the general public. The module and its host application are to be installed on an operating system specified in Section 2.5 or one where portability is maintained.

In order to remain in FIPS-approved mode, the following steps must be taken during the installation process:

1. The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be installed in the JRE. Instructions for installation are found in the download file located here: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

2. The module must be configured as the JRE's default Security Provider by modifying the jre/lib/security/java.security file and adding the following line to the list of providers:

security.provider.1=com.safelogic.cryptocomply.jce.provider. Provider
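Added example (not part of the Security Policy and not the module's code): a check for the two installation steps above, covering the unlimited strength policy and the provider list in java.security. The provider class name is passed in as a parameter; com.example.fips.ExampleProvider and the sample file body are constructed placeholders, not the module's values.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Cipher;

public class InstallCheck {
    private static final String PREFIX = "security.provider.";

    /** Step 1: with the unlimited strength policy files in place, AES is not capped at 128 bits. */
    static boolean unlimitedPolicyInstalled() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Step 2: findings for the provider list of a java.security file body; empty means as required. */
    static List<String> checkProviderList(String javaSecurityText, String expectedFirst) {
        List<String> findings = new ArrayList<String>();
        Map<Integer, String> providers = new TreeMap<Integer, String>();
        for (String raw : javaSecurityText.split("\\r?\\n")) {
            String line = raw.trim();
            int eq = line.indexOf('=');
            if (!line.startsWith(PREFIX) || eq < 0) {
                continue;                           // comment, blank line or unrelated property
            }
            int position;
            try {
                position = Integer.parseInt(line.substring(PREFIX.length(), eq).trim());
            } catch (NumberFormatException e) {
                continue;                           // not a numbered provider entry
            }
            // An entry may carry an argument after the class name; compare the class name only.
            String cls = line.substring(eq + 1).trim().split("\\s+")[0];
            if (providers.put(position, cls) != null) {
                // Typical after inserting a new first line without renumbering the existing entries.
                findings.add(PREFIX + position + " is defined twice; the later line wins");
            }
        }

        String first = providers.get(1);
        if (first == null) {
            findings.add(PREFIX + "1 is not set");
        } else if (!first.equals(expectedFirst)) {
            findings.add(PREFIX + "1 is " + first + ", expected " + expectedFirst);
        }

        // The JRE reads entries 1, 2, 3, ... and stops at the first missing number.
        int next = 1;
        for (Map.Entry<Integer, String> e : providers.entrySet()) {
            if (e.getKey() == next) {
                next++;
            } else {
                findings.add(PREFIX + e.getKey() + " (" + e.getValue()
                        + ") follows a gap in the numbering and is never loaded");
            }
            if (e.getKey() > 1 && e.getValue().equals(expectedFirst)) {
                findings.add(expectedFirst + " is listed at position " + e.getKey() + ", not 1");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String expected = "com.example.fips.ExampleProvider";   // placeholder class name
        // Constructed sample: new first entry added, old entries not renumbered, and a gap at 3.
        String sample =
                "# constructed sample, not from a real installation\n"
              + "security.provider.1=" + expected + "\n"
              + "security.provider.1=sun.security.provider.Sun\n"
              + "security.provider.2=sun.security.rsa.SunRsaSign\n"
              + "security.provider.4=com.sun.crypto.provider.SunJCE\n";

        System.out.println("unlimited policy installed: " + unlimitedPolicyInstalled());
        for (String finding : checkProviderList(sample, expected)) {
            System.out.println("finding: " + finding);
        }
    }
}
```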

3.1.2 Additional Rules of Operation

1. The writable memory areas of the module (data and stack segments) are accessible only by the application so that the operating system is in "single user" mode, i.e. only the application has access to that instance of the module.

2. The operating system is responsible for multitasking operations so that other processes cannot access the address space of the process containing the module.

3.2 User Guidance

3.2.1 General Guidance

The module is not distributed as a standalone library and is only used in conjunction with the solution.

The end user of the operating system is also responsible for zeroizing CSPs via wipe/secure delete procedures.

If the module power is lost and restored, the calling application can reset the IV to the last value used.


3.2.2 FIPS-Approved Mode of Operation

In order to maintain the FIPS-approved mode of operation, the following requirements must be observed:

1. The calling application must instantiate and operate the module through the JCE interface provided by the JDK.

2. The calling application may not share CSPs between non-FIPS-approved-mode and FIPS-approved-mode of operation. The operator must reset the module before switching to FIPS-approved-mode of operation.

3. The calling application must restrict the use of two-key Triple DES encryption: the total number of blocks of data encrypted with the same cryptographic key shall not be greater than 2^20.

4. The module requires that a minimum of 256 bits of entropy be provided for each use of the DRBG/load entropy service.
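Added example (not part of the Security Policy and not the module's code): one way a calling application can enforce requirement 3 by charging every encryption against a per-key budget of 2^20 blocks before any ciphertext is produced. The class TwoKeyTdesBudget, the CBC/PKCS5Padding transformation and the use of whichever DESede provider the JRE resolves are assumptions made for the illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical wrapper that owns one two-key Triple-DES key and counts the blocks encrypted with it. */
public class TwoKeyTdesBudget {
    static final long MAX_BLOCKS_PER_KEY = 1L << 20;    // limit stated in the Security Policy
    static final int BLOCK_BYTES = 8;                   // Triple-DES block size

    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();
    private long blocksUsed;

    TwoKeyTdesBudget(byte[] twoKey) {
        if (twoKey.length != 16) {
            throw new IllegalArgumentException("two-key Triple-DES needs 16 key bytes");
        }
        byte[] k = Arrays.copyOf(twoKey, 24);           // JCE DESede keys are 24 bytes: K1 | K2 | K1
        System.arraycopy(twoKey, 0, k, 16, 8);
        this.key = new SecretKeySpec(k, "DESede");      // SecretKeySpec keeps its own copy
        Arrays.fill(k, (byte) 0);
    }

    synchronized long blocksRemaining() {
        return MAX_BLOCKS_PER_KEY - blocksUsed;
    }

    /** Returns IV || ciphertext, or refuses before encrypting when the key's budget would be exceeded. */
    synchronized byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        // PKCS5 padding always adds 1 to 8 bytes, so the padded input is one block past the full blocks.
        long blocks = plaintext.length / BLOCK_BYTES + 1;
        if (blocks > blocksRemaining()) {
            throw new IllegalStateException("two-key Triple-DES block limit reached; use a new key");
        }
        blocksUsed += blocks;                           // charged before any ciphertext is released

        byte[] iv = new byte[BLOCK_BYTES];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(plaintext);

        byte[] out = Arrays.copyOf(iv, iv.length + ciphertext.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] twoKey = new byte[16];
        new SecureRandom().nextBytes(twoKey);           // constructed demo key
        TwoKeyTdesBudget budget = new TwoKeyTdesBudget(twoKey);

        byte[] fourMiB = new byte[4 * 1024 * 1024];     // 524288 data blocks plus 1 padding block per call
        budget.encrypt(fourMiB);
        System.out.println("remaining after first call: " + budget.blocksRemaining());
        try {
            budget.encrypt(fourMiB);                    // would bring the total to 1048578 blocks
        } catch (IllegalStateException e) {
            System.out.println("second call refused: " + e.getMessage());
        }
    }
}
```

The counter lives in memory only; an application that reuses a key across restarts has to persist the count with the key.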