CryptoComply for Java - NIST · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Java...
Transcript of CryptoComply for Java - NIST · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Java...
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page1of21
FIPS140-2Non-ProprietarySecurityPolicy
CryptoComplyforJava
SoftwareVersion2.2-fips
DocumentVersion1.2
March12,2018
SafeLogicInc.
530LyttonAve.,Suite200PaloAlto,CA94301www.safelogic.com
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page2of21
Abstract
Thisdocumentprovidesanon-proprietaryFIPS140-2SecurityPolicyforCryptoComplyforJava.
SafeLogic'sCryptoComplyforJavaisdesignedtoprovideFIPS140-2validatedcryptographic
functionalityandisavailableforlicensing.Formoreinformation,visit
https://www.safelogic.com/cryptocomply-for-java/.
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page3of21
TableofContents
1 Introduction...................................................................................................................................................51.1 AboutFIPS140................................................................................................................................................51.2 AboutthisDocument......................................................................................................................................51.3 ExternalResources..........................................................................................................................................51.4 Notices............................................................................................................................................................51.5 Acronyms........................................................................................................................................................5
2 CryptoComplyforJava...................................................................................................................................72.1 CryptographicModuleSpecification...............................................................................................................7
2.1.1 ValidationLevelDetail.............................................................................................................................72.1.2 ApprovedCryptographicAlgorithms.......................................................................................................82.1.3 Non-ApprovedbutAllowedCryptographicAlgorithms..........................................................................92.1.4 Non-ApprovedCryptographicAlgorithms...............................................................................................9
2.2 ModuleInterfaces.........................................................................................................................................122.3 Roles,Services,andAuthentication..............................................................................................................13
2.3.1 OperatorServicesandDescriptions......................................................................................................132.3.2 OperatorAuthentication.......................................................................................................................15
2.4 PhysicalSecurity...........................................................................................................................................152.5 OperationalEnvironment.............................................................................................................................152.6 CryptographicKeyManagement..................................................................................................................16
2.6.1 RandomNumberGeneration................................................................................................................182.6.2 Key/CSPStorage....................................................................................................................................182.6.3 Key/CSPZeroization..............................................................................................................................18
2.7 Self-Tests.......................................................................................................................................................182.7.1 Power-OnSelf-Tests..............................................................................................................................182.7.2 ConditionalSelf-Tests............................................................................................................................19
2.8 MitigationofOtherAttacks..........................................................................................................................193 GuidanceandSecureOperation...................................................................................................................20
3.1 CryptoOfficerGuidance................................................................................................................................203.1.1 SoftwareInstallation.............................................................................................................................203.1.2 AdditionalRulesofOperation...............................................................................................................20
3.2 UserGuidance...............................................................................................................................................203.2.1 GeneralGuidance..................................................................................................................................203.2.2 FIPS-ApprovedModeofOperation.......................................................................................................21
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page4of21
ListofTables
Table1–AcronymsandTerms.....................................................................................................................................6Table2–ValidationLevelbyFIPS140-2Section..........................................................................................................7Table3–FIPS-ApprovedAlgorithmCertificates...........................................................................................................9Table4-NonApprovedAlgorithms...........................................................................................................................11Table5–LogicalInterface/PhysicalInterfaceMapping...........................................................................................13Table6–ModuleServices,Roles,andDescriptions...................................................................................................14Table7–ModuleKeys/CSPs.......................................................................................................................................17Table8–Power-OnSelf-Tests....................................................................................................................................19Table9–ConditionalSelf-Tests..................................................................................................................................19
ListofFigures
Figure1–ModuleBoundaryandInterfacesDiagram................................................................................................12
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page5of21
1 Introduction
1.1 AboutFIPS140
FederalInformationProcessingStandardsPublication140-2—SecurityRequirementsforCryptographic
ModulesspecifiesrequirementsforcryptographicmodulestobedeployedinaSensitivebut
Unclassifiedenvironment.TheNationalInstituteofStandardsandTechnology(NIST)and
CommunicationsSecurityEstablishment(CSE)CryptographicModuleValidationProgram(CMVP)run
theFIPS140program.TheNVLAPaccreditsindependenttestinglabstoperformFIPS140-2testing;the
CMVPvalidatesmodulesmeetingFIPS140-2validation.Validatedisthetermgiventoamodulethatis
documentedandtestedagainsttheFIPS140-2criteria.
MoreinformationisavailableontheCMVPwebsiteat
http://csrc.nist.gov/groups/STM/cmvp/index.html.
1.2 AboutthisDocument
Thisnon-proprietaryCryptographicModuleSecurityPolicyforCryptoComplyforJavaprovidesan
overviewoftheproductandahigh-leveldescriptionofhowitmeetsthesecurityrequirementsofFIPS
140-2.Thisdocumentcontainsdetailsonthemodule’scryptographickeysandcriticalsecurity
parameters.ThisSecurityPolicyconcludeswithinstructionsandguidanceonrunningthemoduleina
FIPS140-2modeofoperation.
CryptoComplyforJavamayalsobereferredtoasthe“module”inthisdocument.
1.3 ExternalResources
TheSafeLogicwebsite(http://www.safelogic.com)containsinformationonSafeLogicservicesand
products.TheCryptographicModuleValidationProgramwebsitecontainslinkstotheFIPS140-2
certificateandSafeLogiccontactinformation.
1.4 Notices
Thisdocumentmaybefreelyreproducedanddistributedinitsentiretywithoutmodification.
1.5 Acronyms
Thefollowingtabledefinesacronymsfoundinthisdocument:
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page6of21
Table1–AcronymsandTerms
Acronym TermAES AdvancedEncryptionStandard
ANSI AmericanNationalStandardsInstitute
API ApplicationProgrammingInterface
CMVP CryptographicModuleValidationProgram
CO CryptoOfficer
CSE CommunicationsSecurityEstablishment
CSP CriticalSecurityParameter
DES DataEncryptionStandard
DH Diffie-Hellman
DSA DigitalSignatureAlgorithm
EC EllipticCurve
EMC ElectromagneticCompatibility
EMI ElectromagneticInterference
FCC FederalCommunicationsCommission
FIPS FederalInformationProcessingStandard
GPC GeneralPurposeComputer
GUI GraphicalUserInterface
HMAC (Keyed-)HashMessageAuthenticationCode
KAT KnownAnswerTest
MAC MessageAuthenticationCode
NIST NationalInstituteofStandardsandTechnology
OS OperatingSystem
PKCS Public-KeyCryptographyStandards
PRNG PseudoRandomNumberGenerator
PSS ProbabilisticSignatureScheme
RNG RandomNumberGenerator
RSA Rivest,Shamir,andAdleman
SHA SecureHashAlgorithm
SSL SecureSocketsLayer
Triple-DES TripleDataEncryptionAlgorithm
TLS TransportLayerSecurity
USB UniversalSerialBus
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page7of21
2 CryptoComplyforJava
2.1 CryptographicModuleSpecification
CryptoComplyforJavaisastandards-based“Drop-inCompliance”cryptographicenginefornativeJava
environments.Themoduledeliverscorecryptographicfunctionstomobileplatformsandfeatures
robustalgorithmsupport,includingSuiteBalgorithms.CryptoComplyoffloadsfunctionsforsecurekey
management,dataintegrity,dataatrestencryption,andsecurecommunicationstoatrusted
implementation.
Themodule'slogicalcryptographicboundaryisthesharedlibraryfilesandtheirintegritycheckHMAC
files(cryptocomply-2.2-fips.jarandcryptocomply-2.2-fips.hmac).Themoduleisamulti)chipstandalone
embodimentinstalledonaGeneralPurposeDevice.Themoduleisasoftwaremoduleandreliesonthe
physicalcharacteristicsofthehostplatform.Themodule’sphysicalcryptographicboundaryisdefined
bytheenclosurearoundthehostplatform.Alloperationsofthemoduleoccurviacallsfromhost
applicationsandtheirrespectiveinternaldaemons/processes.
2.1.1 ValidationLevelDetail
ThefollowingtableliststhelevelofvalidationforeachareainFIPS140-2:
FIPS140-2SectionTitle ValidationLevelCryptographicModuleSpecification 1
CryptographicModulePortsandInterfaces 1
Roles,Services,andAuthentication 1
FiniteStateModel 1
PhysicalSecurity N/A
OperationalEnvironment 1
CryptographicKeyManagement 1
ElectromagneticInterference/ElectromagneticCompatibility 1
Self-Tests 1
DesignAssurance 1
MitigationofOtherAttacks N/A
Table2–ValidationLevelbyFIPS140-2Section
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page8of21
2.1.2 ApprovedCryptographicAlgorithms
Themodule’scryptographicalgorithmimplementationshavereceivedthefollowingcertificatenumbers
fromtheCryptographicAlgorithmValidationProgram:
Algorithm CAVPCertificateAES(128-,192-,256-bitkeysinECB,CBC,CFB128andOFBmodes) 3192
DSA(FIPS186-4)
• Signatureverification
o L=1024,N=160,SHA-1throughSHA-512
o L=2048,N=224,256,SHA-1throughSHA-512
o L=3072,N=256,SHA-1throughSHA-512
• PQGgeneration(ProbablePrimesPandQ,UnverifiableandCanonical
GenerationG)
o L=2048,N=224,SHA-224throughSHA-512
o L=2048,N=256,SHA-256throughSHA-512
o L=3072,N=256,SHA-256throughSHA-512
• KeyPairGeneration
o L=2048,N=224
o L=2048,N=256
o L=3072,N=256
• SignatureGeneration
o L=2048,N=224,SHA-224throughSHA-512
o L=2048,N=256,SHA-256throughSHA-512
o L=3072,N=256,SHA-256throughSHA-512
914
ECDSA(FIPS186-4)
• SignatureVerification(SHA-1throughSHA-512)
o P–curves192,224,256,384,and521
o K–curves163,233,283,409,and571
o B–curves163,233,283,409,and571
• SignatureGeneration(SHA-224throughSHA-512)
o P–curves224,256,384,and521
o K–curves233,283,409,and571
o B–curves233,283,409,and571
583
RSA(FIPS186-4)
• KeyPairGeneration(X9.31)
o AppendixB.3.3
o Mod2048,3072
o TableC.3ProbabilisticPrimalityTests(2^-100)
• SignatureGeneration(PKCSv1.5,PSS)
o Mod2048,SHA-224throughSHA-512
o Mod3072,SHA-224throughSHA-512
1622
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page9of21
Algorithm CAVPCertificate• SignatureVerification(PKCSv1.5,PSS)
o Mod1024,SHA-1throughSHA-512
o Mod2048,SHA-1throughSHA-512
o Mod3072,SHA-1throughSHA-512
HMACusingSHA-1,SHA-224,SHA-256,SHA-384,SHA-512 2011
SHA-1,SHA-224,SHA-256,SHA-384,SHA-512 2637
SP800-90AbasedHMAC-DRBG,noreseed 668
Triple-DES(two-andthree-keywithECB,CBC,CFB8andOFBmodes)1 1818
Table3–FIPS-ApprovedAlgorithmCertificates
2.1.3 Non-ApprovedbutAllowedCryptographicAlgorithms
Themodulesupportsthefollowingnon-FIPS140-2approvedbutallowedalgorithms:
• Diffie-Hellman(keyagreement;keyestablishmentmethodologyprovidesbetween112and219
bitsofencryptionstrength)
• ECDiffie-Hellman(keyagreement;keyestablishmentmethodologyprovidesbetween112and
256bitsofencryptionstrength)
2.1.4 Non-ApprovedCryptographicAlgorithms
Themodulesupportsthefollowingnon-approvedalgorithmsandmodes:
Algorithm ModesorCipherTypeDSA2 PQGGen,KeyGenandSigGen;non-compliantlessthan112bits
ofencryptionstrength)includingFIPS186-2signature
generationandkeygeneration
ECDSA2 KeyGenandSigGen;non-compliantlessthan112bitsof
encryptionstrength)includingFIPS186-2signaturegeneration
andkeygeneration
RSA2 KeyGenandSigGen;non-compliantlessthan112bitsof
encryptionstrength
Diffie-Hellman keyagreement;keyestablishmentmethodologyproviding
between80and112bitsofencryptionstrength
ECDiffie-Hellman keyagreement;keyestablishmentmethodologyprovides
between80and112bitsofencryptionstrength
AES2 GCM,CFB8,CTR,CMAC,CCM
1Theuseoftwo-keyTripleDESforencryptionisrestricted:thetotalnumberofblocksofdataencryptedwiththe
samecryptographickeyshallnotbegreaterthan2^202Non-compliant
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page10of21
Algorithm ModesorCipherTypeANSIX9.31AppendixA.2.4PRNG2 (AES-128)
Blowfish SymmetricBlockCipher3
Camellia SymmetricBlockCipher3
CAST5 SymmetricBlockCipher3
CAST6 SymmetricBlockCipher3
ChaCha SymmetricStreamCipher4
DES SymmetricBlockCipher3
TDESKeyWrapping2 SymmetricBlockCipher3
ElGamal AsymmetricBlockCipher5
GOST28147 SymmetricBlockCipher3
GOST3411 Digest
Grain128 SymmetricStreamCipher4
Grainv1 SymmetricStreamCipher4
HC128 SymmetricStreamCipher4
HC256 SymmetricStreamCipher4
IDEA SymmetricBlockCipher3
IES KeyAgreementandStreamCipherbasedonIEEEP1363a
(draft10)
ISAAC SymmetricStreamCipher4
MD2 Digest
MD4 Digest
MD5 Digest
NaccacheStern AsymmetricBlockCipher5
Noekeon SymmetricBlockCipher3
Password-Based-Encryption(PBE) • PKCS5S1,anyDigest,anysymmetricCipher,ASCII
• PKCS5S2,SHA1/HMac,anysymmetricCipher,ASCII,UTF8
• PKCS12,anyDigest,anysymmetricCipher,Unicode
RC2 SymmetricBlockCipher3
RC2KeyWrapping SymmetricStreamCipher4
RC4 SymmetricStreamCipher4
RC532 SymmetricBlockCipher3
RC564 SymmetricBlockCipher3
RC6 SymmetricBlockCipher3
RFC3211Wrapping SymmetricBlockCipher3
3SymmetricBlockCipherscanbeusedwiththefollowingmodesandpadding:ECB,CBC,CFB,CCM,CTS,GCM,
GCF,EAX,OCB,OFB,CTR,OpenPGPCFB,GOSTOFB,AEAD-CCM,AEAD-EAX,AEAD-GCM,AEAD-OCB,PKCS7Padding,
ISO10126d2Padding,ISO7816d4Padding,X932Padding,ISO7816d4Padding,ZeroBytePadding,TBCPadding4SymmetricStreamCipherscanonlybeusedwithECBmode.
5AsymmetricBlockCipherscanbeusedwithECBmodeandthefollowingencodings:OAEP,PKCS1,ISO9796d1
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page11of21
Algorithm ModesorCipherTypeRFC3394Wrapping SymmetricBlockCipher3
Rijndael SymmetricBlockCipher3
RipeMD128 Digest
RipeMD160 Digest
RipeMD256 Digest
RipeMD320 Digest
RSAEncryption AsymmetricBlockCipher5
Salsa20 SymmetricStreamCipher4
SEED SymmetricBlockCipher3
SEEDWrapping SymmetricBlockCipher3
Serpent SymmetricBlockCipher3
Shacal2 SymmetricBlockCipher3
SHA-32 Digest
SHA-512/t2 Digest
Skein-256-* Digest
Skein-512-* Digest
Skein-1024-* Digest
Skipjack2 SymmetricBlockCipher3
SP800-90ADRBG2 CTR,Hash
TEA SymmetricBlockCipher3
TDES2 CFB64
Threefish SymmetricBlockCipher3
Tiger Digest
TLSv1.0KDF2 KeyDerivationFunction
Twofish SymmetricBlockCipher3
VMPC SymmetricStreamCipher4
Whirlpool Digest
XSalsa20 SymmetricStreamCipher4
XTEAEngine SymmetricBlockCipher3
Table4-NonApprovedAlgorithms
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page12of21
2.2 ModuleInterfaces
Thefigurebelowshowsthemodule’sphysicalandlogicalblockdiagram:
Figure1–ModuleBoundaryandInterfacesDiagram
Theinterfaces(ports)forthephysicalboundaryincludethecomputerkeyboardport,mouseport,
networkport,USBports,displayandpowerplug.Whenoperational,themoduledoesnottransmitany
informationacrossthesephysicalportsbecauseitisasoftwarecryptographicmodule.Therefore,the
module’sinterfacesarepurelylogicalandareprovidedthroughtheApplicationProgrammingInterface
(API)thatacallingdaemoncanoperate.Thelogicalinterfacesexposeservicesthatapplicationsdirectly
call,andtheAPIprovidesfunctionsthatmaybecalledbyareferencingapplication(seeSection2.3–
Roles,Services,andAuthenticationforthelistofavailablefunctions).Themoduledistinguishesbetween
logicalinterfacesbylogicallyseparatingtheinformationaccordingtothedefinedAPI.
Processor
Processor
Opera+ngSystem
HostApplica+on
Module
(FIPS140-2LogicalBoundary)
Interface=D
Interface=CInterface=CInterface=ABCD
=Plaintext
=Ciphertext
=LogicalBoundary
=PhysicalBoundary
A=DataInput
B=DataOutput
C=ControlInput
D=StatusOutput
E=Power
InterfaceLegend
NetworkInterface
KeyboardController
MouseInterface
MemoryPowerSupply
DisplayController
Interface=E
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page13of21
TheAPIprovidedbythemoduleismappedontotheFIPS140-2logicalinterfaces:datainput,data
output,controlinput,andstatusoutput.EachoftheFIPS140-2logicalinterfacesrelatestothe
module’scallableinterface,asfollows:
FIPS140-2Interface LogicalInterface ModulePhysicalInterfaceDataInput InputparametersofAPIfunction
calls
NetworkInterface
DataOutput OutputparametersofAPIfunction
calls
NetworkInterface
ControlInput APIfunctioncalls KeyboardInterface,Mouse
Interface
StatusOutput Functioncallsreturningstatus
informationandreturncodes
providedbyAPIfunctioncalls.
DisplayController
Power None PowerSupply
Table5–LogicalInterface/PhysicalInterfaceMapping
AsshowninFigure1–ModuleBoundaryandInterfacesDiagramandTable6–ModuleServices,Roles,
andDescriptions,theoutputdatapathisprovidedbythedatainterfacesandislogicallydisconnected
fromprocessesperformingkeygenerationorzeroization.Nokeyinformationwillbeoutputthroughthe
dataoutputinterfacewhenthemodulezeroizeskeys.
2.3 Roles,Services,andAuthentication
ThemodulesupportsaCryptoOfficerandaUserrole.ThemoduledoesnotsupportaMaintenance
role.TheUserandCrypto-Officerrolesareimplicitlyassumedbytheentityaccessingservices
implementedbytheModule.
2.3.1 OperatorServicesandDescriptions
Themodulesupportsservicesthatareavailabletousersinthevariousroles.Alloftheservicesare
describedindetailinthemodule’suserdocumentation.Thefollowingtableshowstheservicesavailable
tothevariousrolesandtheaccesstocryptographickeysandCSPsresultingfromservices:
Service Roles CSP/Algorithm PermissionInitializemodule CO None None
Showstatus CO None None
Runself-testsondemand CO None
None
Zeroizekey CO AESkey
DHcomponents
DRBGEntropy
DRBGSeed
DSAprivate/publickey
Write
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page14of21
Service Roles CSP/Algorithm PermissionECDHcomponents
ECDSAprivate/publickey
HMACkey
RSAprivate/publickey
Triple-DESkey
Generateasymmetrickeypair User RSAprivate/publickey
DSAprivate/publickey
Write
Generatekeyedhash(HMAC) User HMACkey Read/Execute
Generatemessagedigest(SHS6) User None None
Generaterandomnumberand
loadentropy(DRBG)
User DRBGSeed
DRBGEntropy
Read/Execute
Keyagreement User DHcomponents
ECDHcomponents
Write
SignatureGeneration User RSAprivatekey
DSAprivatekey
ECDSAprivate/public
Read/Execute
SignatureVerification User RSApublickey
DSApublickey
ECDSAprivate/public
Read/Execute
Symmetricdecryption User AESkey
Triple-DESkey
Read/Execute
Symmetricencryption User AESkey
Triple-DESkey
Read/Execute
Table6–ModuleServices,Roles,andDescriptions
WheninNon-FIPSapprovedmodeofoperation,themoduleallowsaccesstoeachoftheserviceslisted
above,withexceptionofFIPSself-tests.Wheninnon-FIPS-approvedmodeofoperationthemodulealsoprovidesaservice(APIfunctioncall)foreachnon-approvedalgorithmlistedinSection2.1.4.These
functioncallsareassignedtotheUser,andhaveRead/Write/Executepermissiontothemodule's
memorywhileinoperation.
6SHA–SecureHashStandard
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page15of21
2.3.2 OperatorAuthentication
AsrequiredbyFIPS140-2,therearetworoles(aCryptoOfficerroleandUserrole)inthemodulethat
operatorsmayassume.AsallowedbyLevel1,themoduledoesnotsupportauthenticationtoaccess
services.Assuch,therearenoapplicableauthenticationpolicies.Accesscontrolpoliciesareimplicitly
definedbytheservicesavailabletotherolesasspecifiedinTable6–ModuleServices,Roles,and
Descriptions.
2.4 PhysicalSecurity
Thissectionofrequirementsdoesnotapplytothismodule.Themoduleisasoftware-onlymoduleand
doesnotimplementanyphysicalsecuritymechanisms.
2.5 OperationalEnvironment
Themoduleoperatesonageneralpurposecomputer(GPC)runningageneralpurposeoperatingsystem
(GPOS).ForFIPSpurposes,themoduleisrunningonthisoperatingsysteminsingleusermodeanddoes
notrequireanyadditionalconfigurationtomeettheFIPSrequirements.
Themodulewastestedonthefollowingplatforms:
• OEMPowerEdgeR420running64-bitWindowsServer2012withJavaRuntimeEnvironment
(JRE)v1.7.0_17.
Themoduleisalsosupportedonthefollowingplatformforwhichoperationaltestingwasnot
performed:
• OEMPowerEdgeR420running64-bitWindowsServer2012withJavaRuntimeEnvironment
(JRE)v1.8.0_45
• OEMPowerEdgeR420runningCentOS6.7andCentOS7
• Nexus5runningAndroid4and5
Complianceismaintainedforotherenvironmentwherethemoduleisunchanged.Noclaimcanbe
madeastothecorrectoperationofthemoduleorthesecuritystrengthsofthegeneratedkeyswhen
portedtoanoperationalenvironmentwhichisnotlistedonthevalidationcertificate.
TheGPC(s)usedduringtestingmetFederalCommunicationsCommission(FCC)FCCElectromagnetic
Interference(EMI)andElectromagneticCompatibility(EMC)requirementsforbusinessuseasdefined
by47CodeofFederalRegulations,Part15,SubpartB.FIPS140-2validationcomplianceismaintained
whenthemoduleisoperatedonotherversionsoftheGPOSrunninginsingleusermode,assumingthat
therequirementsoutlinedinNISTIGG.5aremet.
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page16of21
2.6 CryptographicKeyManagement
ThetablebelowprovidesacompletelistofCriticalSecurityParametersusedwithinthemodule:
KeysandCSPs StorageLocations
StorageMethod InputMethod Output
Method Zeroization
AESkey
AES128,192,256bit
keyforencryption,
decryption
RAM Plaintext Input
electronicallyin
plaintext
Never powercycle
Triple-DESkey
Triple-DES112,168
bitkeyfor
encryption,
decryption
RAM Plaintext Input
electronicallyin
plaintext
Never powercycle
HMACkey
HMACkeyfor
message
Authenticationwith
SHS
RAM Plaintext Input
electronicallyin
plaintext
Never powercycle
RSAprivatekey
RSA2048,3072bit
keyforsignatureand
keygeneration
RAM Plaintext Input
electronicallyin
plaintext
Never powercycle
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
RSApublickey
RSA1024,2048,3072
bitkeyforsignature
verificationandkey
generation
RAM Plaintext Input
electronicallyin
plaintext
Never powercycle
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
DSAprivatekey
DSA2048,3072-bit
forsignature
generation
RAM Plaintext Input
electronicallyin
plaintext
Never powercycle
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
DSApublickey
DSA1024,2048,
3072-bitkeyfor
signatureverification
Module
Binary
Plaintext Input
electronicallyin
plaintext
Never powercycle
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
ECDSAprivate
key
AllNISTdefinedB,K,
RAM Plaintext Input
electronicallyin
plaintext
Neverexitsthe
module
powercycle
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page17of21
KeysandCSPs StorageLocations
StorageMethod InputMethod Output
Method Zeroization
andPCurvesfor
signaturegeneration
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
ECDSApublickey
AllNISTdefinedB,K,
andPCurvesfor
signatureverification
RAM Plaintext Input
electronicallyin
plaintext
Neverexitsthe
module
powercycle
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
DHpublic
components
Publiccomponentsof
DHprotocol
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
DHprivate
component
Privateexponentof
DHprotocol
RAM Plaintext Internally
generated
Never powercycle
ECDHpublic
components
Publiccomponentsof
ECDHprotocol
RAM Plaintext Internally
generated
Output
electronicallyin
plaintext
powercycle
ECDHprivate
component
Privateexponentof
ECDHprotocol
RAM Plaintext Internally
generated
Neverexitsthe
module
powercycle
DRBGseed
Randomdata440-bit
or880-bitto
generaterandom
numberusingthe
DRBG
RAM Plaintext Internally
generatedusing
noncealongwith
DRBGentropy
inputstring
Neverexitsthe
module
powercycle
DRBGEntropy
InputString
512-bitvalueto
generateseedand
determinerandom
numberusingthe
DRBG
RAM Plaintext Externally
generated;Input
electronicallyin
plaintext
Neverexitsthe
module
powercycle
R=ReadW=WriteD=Delete
Table7–ModuleKeys/CSPs
Theapplicationthatusesthemoduleisresponsibleforappropriatedestructionandzeroizationofthe
keymaterial.Themoduleprovidesfunctionsforkeyallocationanddestructionwhichoverwritethe
memorythatisoccupiedbythekeyinformationwithzerosbeforeitisdeallocated.
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page18of21
2.6.1 RandomNumberGeneration
ThemoduleusesSP800-90ADRBGforcreationofasymmetricandsymmetrickeys.
Themoduleacceptsinputfromentropysourcesexternaltothecryptographicboundaryforuseasseed
materialforthemodule’sApprovedDRBG.Therefore,themodulegeneratescryptographickeyswhose
strengthsaremodifiedbyavailableentropy,andnoassuranceisprovidedforthestrengthofthe
generatedkeys.
ThemoduleperformscontinualtestsontheoutputoftheapprovedRNGtoensurethatconsecutive
randomnumbersdonotrepeat.
2.6.2 Key/CSPStorage
Publicandprivatekeysareprovidedtothemodulebythecallingprocessandaredestroyedwhen
releasedbytheappropriateAPIfunctioncallsorduringpowercycle.Themoduledoesnotperform
persistentstorageofkeys.
2.6.3 Key/CSPZeroization
TheapplicationisresponsibleforcallingtheappropriatedestructionfunctionsfromtheAPI.The
destructionfunctionsthenoverwritethememoryoccupiedbykeyswithzerosanddeallocatesthe
memory.Thisoccursduringprocesstermination/powercycle.Keysareimmediatelyzeroizedupon
deallocation,whichsufficientlyprotectstheCSPsfromcompromise.
2.7 Self-Tests
FIPS140-2requiresthatthemoduleperformselfteststoensuretheintegrityofthemoduleandthe
correctnessofthecryptographicfunctionalityatstartup.Inadditionsomefunctionsrequirecontinuous
verificationoffunction,suchastherandomnumbergenerator.Allofthesetestsarelistedand
describedinthissection.
Ifanyself-testfails,themodulewillenteracriticalerrorstate,duringwhichcryptographicfunctionality
andalldataoutputisinhibited.Tocleartheerrorstate,theCOmustrebootthehostsystem,reloadthe
module,orrestartthecallingapplication.Nooperatorinterventionisrequiredtoruntheself-tests.
Thefollowingsectionsdiscussthemodule’sself-testsinmoredetail.
2.7.1 Power-OnSelf-Tests
Power-onself-testsareexecutedautomaticallywhenthemoduleisloadedintomemory.Themodule
verifiestheintegrityoftheruntimeexecutableusingaHMAC-SHA-512digestcomputedatbuildtime.If
thefingerprintsmatch,thepower-upself-testsarethenperformed.Ifthepower-upself-testsare
successful,themoduleisinFIPSmode.
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page19of21
TYPE DETAILSoftwareIntegrityCheck • HMAC-SHA512onallmodulecomponents
KnownAnswerTests • AESencryptanddecryptKATs
• Triple-DESencryptanddecryptKATs
• HMACSHA1KAT
• HMACSHA-256KAT
• HMACSHA-512KAT
• RSAsignandverifyKATs
• SP800-90ADRBGKAT(HMAC)
Pair-wiseConsistencyTests • DSA
• ECDSA
• Diffie-Hellman
• ECDiffie-HellmanTable8–Power-OnSelf-Tests
Input,output,andcryptographicfunctionscannotbeperformedwhiletheModuleisinaself-testor
errorstatebecausethemoduleissingle-threadedandwillnotreturntothecallingapplicationuntilthe
power-upselftestsarecomplete.Ifthepower-upselftestsfail,subsequentcallstothemodulewillalso
fail-thusnofurthercryptographicoperationsarepossible.
2.7.2 ConditionalSelf-Tests
Themoduleimplementsthefollowingconditionalself-testsuponkeygeneration,orrandomnumber
generation(respectively):
TYPE DETAILPair-wiseConsistencyTests • DSA
• ECDSA
• Diffie-Hellman
• ECDiffie-Hellman
ContinuousRNGTests • SP800-90ADRBG(HMAC)Table9–ConditionalSelf-Tests
2.8 MitigationofOtherAttacks
TheModuledoesnotcontainadditionalsecuritymechanismsbeyondtherequirementsforFIPS140-2
Level1cryptographicmodules.
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page20of21
3 GuidanceandSecureOperation
3.1 CryptoOfficerGuidance
3.1.1 SoftwareInstallation
Themoduleisprovideddirectlytosolutiondevelopersandisnotavailablefordirectdownloadtothe
generalpublic.Themoduleanditshostapplicationistobeinstalledonanoperatingsystemspecifiedin
Section2.5oronewhereportabilityismaintained.
InordertoremaininFIPS-approvedmode,thefollowingstepsmustbetakenduringtheinstallation
process:
1. TheJavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyFiles7mustbe
installedintheJRE.Instructionsforinstallationarefoundinthedownloadfilelocatedhere:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
2. ThemodulemustbeconfiguredastheJRE'sdefaultSecurityProviderbymodifyingthe
jre/lib/security/java.securityfileandaddingthefollowinglinetothelistofproviders:
security.provider.1=com.safelogic.cryptocomply.jce.provider. Provider
3.1.2 AdditionalRulesofOperation
1. Thewritablememoryareasofthemodule(dataandstacksegments)areaccessibleonlybythe
applicationsothattheoperatingsystemisin"singleuser"mode,i.e.onlytheapplicationhas
accesstothatinstanceofthemodule.
2. Theoperatingsystemisresponsibleformultitaskingoperationssothatotherprocessescannot
accesstheaddressspaceoftheprocesscontainingthemodule.
3.2 UserGuidance
3.2.1 GeneralGuidance
Themoduleisnotdistributedasastandalonelibraryandisonlyusedinconjunctionwiththesolution.
TheenduseroftheoperatingsystemisalsoresponsibleforzeroizingCSPsviawipe/securedelete
procedures.
Ifthemodulepowerislostandrestored,thecallingapplicationcanresettheIVtothelastvalueused.
FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava
DocumentVersion1.2 ©SafeLogic Page21of21
3.2.2 FIPS-ApprovedModeofOperation
InordertomaintaintheFIPS-approvedmodeofoperation,thefollowingrequirementsmustbe
observed:
1. ThecallingapplicationmustinstantiateandoperatethemodulethroughtheJCEinterface
providedbytheJDK.
2. ThecallingapplicationmaynotshareCSPsbetweennon-FIPS-approved-modeandFIPS-
approved-modeofoperation.TheoperatormustresetthemodulebeforeswitchingtoFIPS-
approved-modeofoperation.
3. Thecallingapplicationmustrestricttheuseoftwo-keyTripleDESencryption:thetotalnumber
ofblocksofdataencryptedwiththesamecryptographickeyshallnotbegreaterthan2^20.
4. Themodulerequiresthataminimumof256bitsofentropybeprovidedforeachuseofthe
DRBG/loadentropyservice.