CryptoComply for Java - NIST · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Java...

FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforJava

DocumentVersion1.2 ©SafeLogic Page1of21

FIPS140-2Non-ProprietarySecurityPolicy

CryptoComplyforJava

SoftwareVersion2.2-fips

DocumentVersion1.2

March12,2018

SafeLogicInc.

530LyttonAve.,Suite200PaloAlto,CA94301www.safelogic.com



Abstract

Thisdocumentprovidesanon-proprietaryFIPS140-2SecurityPolicyforCryptoComplyforJava.

SafeLogic'sCryptoComplyforJavaisdesignedtoprovideFIPS140-2validatedcryptographic

functionalityandisavailableforlicensing.Formoreinformation,visit

https://www.safelogic.com/cryptocomply-for-java/.



TableofContents

1 Introduction...................................................................................................................................................51.1 AboutFIPS140................................................................................................................................................51.2 AboutthisDocument......................................................................................................................................51.3 ExternalResources..........................................................................................................................................51.4 Notices............................................................................................................................................................51.5 Acronyms........................................................................................................................................................5

2 CryptoComplyforJava...................................................................................................................................72.1 CryptographicModuleSpecification...............................................................................................................7

2.1.1 ValidationLevelDetail.............................................................................................................................72.1.2 ApprovedCryptographicAlgorithms.......................................................................................................82.1.3 Non-ApprovedbutAllowedCryptographicAlgorithms..........................................................................92.1.4 Non-ApprovedCryptographicAlgorithms...............................................................................................9

2.2 ModuleInterfaces.........................................................................................................................................122.3 Roles,Services,andAuthentication..............................................................................................................13

2.3.1 OperatorServicesandDescriptions......................................................................................................132.3.2 OperatorAuthentication.......................................................................................................................15

2.4 PhysicalSecurity...........................................................................................................................................152.5 OperationalEnvironment.............................................................................................................................152.6 CryptographicKeyManagement..................................................................................................................16

2.6.1 RandomNumberGeneration................................................................................................................182.6.2 Key/CSPStorage....................................................................................................................................182.6.3 Key/CSPZeroization..............................................................................................................................18

2.7 Self-Tests.......................................................................................................................................................182.7.1 Power-OnSelf-Tests..............................................................................................................................182.7.2 ConditionalSelf-Tests............................................................................................................................19

2.8 MitigationofOtherAttacks..........................................................................................................................193 GuidanceandSecureOperation...................................................................................................................20

3.1 CryptoOfficerGuidance................................................................................................................................203.1.1 SoftwareInstallation.............................................................................................................................203.1.2 AdditionalRulesofOperation...............................................................................................................20

3.2 UserGuidance...............................................................................................................................................203.2.1 GeneralGuidance..................................................................................................................................203.2.2 FIPS-ApprovedModeofOperation.......................................................................................................21



ListofTables

Table1–AcronymsandTerms.....................................................................................................................................6Table2–ValidationLevelbyFIPS140-2Section..........................................................................................................7Table3–FIPS-ApprovedAlgorithmCertificates...........................................................................................................9Table4-NonApprovedAlgorithms...........................................................................................................................11Table5–LogicalInterface/PhysicalInterfaceMapping...........................................................................................13Table6–ModuleServices,Roles,andDescriptions...................................................................................................14Table7–ModuleKeys/CSPs.......................................................................................................................................17Table8–Power-OnSelf-Tests....................................................................................................................................19Table9–ConditionalSelf-Tests..................................................................................................................................19

ListofFigures

Figure1–ModuleBoundaryandInterfacesDiagram................................................................................................12



1 Introduction

1.1 AboutFIPS140

FederalInformationProcessingStandardsPublication140-2—SecurityRequirementsforCryptographic

ModulesspecifiesrequirementsforcryptographicmodulestobedeployedinaSensitivebut

Unclassifiedenvironment.TheNationalInstituteofStandardsandTechnology(NIST)and

CommunicationsSecurityEstablishment(CSE)CryptographicModuleValidationProgram(CMVP)run

theFIPS140program.TheNVLAPaccreditsindependenttestinglabstoperformFIPS140-2testing;the

CMVPvalidatesmodulesmeetingFIPS140-2validation.Validatedisthetermgiventoamodulethatis

documentedandtestedagainsttheFIPS140-2criteria.

MoreinformationisavailableontheCMVPwebsiteat

http://csrc.nist.gov/groups/STM/cmvp/index.html.

1.2 AboutthisDocument

Thisnon-proprietaryCryptographicModuleSecurityPolicyforCryptoComplyforJavaprovidesan

overviewoftheproductandahigh-leveldescriptionofhowitmeetsthesecurityrequirementsofFIPS

140-2.Thisdocumentcontainsdetailsonthemodule’scryptographickeysandcriticalsecurity

parameters.ThisSecurityPolicyconcludeswithinstructionsandguidanceonrunningthemoduleina

FIPS140-2modeofoperation.

CryptoComplyforJavamayalsobereferredtoasthe“module”inthisdocument.

1.3 ExternalResources

TheSafeLogicwebsite(http://www.safelogic.com)containsinformationonSafeLogicservicesand

products.TheCryptographicModuleValidationProgramwebsitecontainslinkstotheFIPS140-2

certificateandSafeLogiccontactinformation.

1.4 Notices

Thisdocumentmaybefreelyreproducedanddistributedinitsentiretywithoutmodification.

1.5 Acronyms

Thefollowingtabledefinesacronymsfoundinthisdocument:



Table1–AcronymsandTerms

Acronym TermAES AdvancedEncryptionStandard

ANSI AmericanNationalStandardsInstitute

API ApplicationProgrammingInterface

CMVP CryptographicModuleValidationProgram

CO CryptoOfficer

CSE CommunicationsSecurityEstablishment

CSP CriticalSecurityParameter

DES DataEncryptionStandard

DH Diffie-Hellman

DSA DigitalSignatureAlgorithm

EC EllipticCurve

EMC ElectromagneticCompatibility

EMI ElectromagneticInterference

FCC FederalCommunicationsCommission

FIPS FederalInformationProcessingStandard

GPC GeneralPurposeComputer

GUI GraphicalUserInterface

HMAC (Keyed-)HashMessageAuthenticationCode

KAT KnownAnswerTest

MAC MessageAuthenticationCode

NIST NationalInstituteofStandardsandTechnology

OS OperatingSystem

PKCS Public-KeyCryptographyStandards

PRNG PseudoRandomNumberGenerator

PSS ProbabilisticSignatureScheme

RNG RandomNumberGenerator

RSA Rivest,Shamir,andAdleman

SHA SecureHashAlgorithm

SSL SecureSocketsLayer

Triple-DES TripleDataEncryptionAlgorithm

TLS TransportLayerSecurity

USB UniversalSerialBus



2 CryptoComplyforJava

2.1 CryptographicModuleSpecification

CryptoComplyforJavaisastandards-based“Drop-inCompliance”cryptographicenginefornativeJava

environments.Themoduledeliverscorecryptographicfunctionstomobileplatformsandfeatures

robustalgorithmsupport,includingSuiteBalgorithms.CryptoComplyoffloadsfunctionsforsecurekey

management,dataintegrity,dataatrestencryption,andsecurecommunicationstoatrusted

implementation.

Themodule'slogicalcryptographicboundaryisthesharedlibraryfilesandtheirintegritycheckHMAC

files(cryptocomply-2.2-fips.jarandcryptocomply-2.2-fips.hmac).Themoduleisamulti)chipstandalone

embodimentinstalledonaGeneralPurposeDevice.Themoduleisasoftwaremoduleandreliesonthe

physicalcharacteristicsofthehostplatform.Themodule’sphysicalcryptographicboundaryisdefined

bytheenclosurearoundthehostplatform.Alloperationsofthemoduleoccurviacallsfromhost

applicationsandtheirrespectiveinternaldaemons/processes.

2.1.1 ValidationLevelDetail

ThefollowingtableliststhelevelofvalidationforeachareainFIPS140-2:

FIPS140-2SectionTitle ValidationLevelCryptographicModuleSpecification 1

CryptographicModulePortsandInterfaces 1

Roles,Services,andAuthentication 1

FiniteStateModel 1

PhysicalSecurity N/A

OperationalEnvironment 1

CryptographicKeyManagement 1

ElectromagneticInterference/ElectromagneticCompatibility 1

Self-Tests 1

DesignAssurance 1

MitigationofOtherAttacks N/A

Table2–ValidationLevelbyFIPS140-2Section



2.1.2 ApprovedCryptographicAlgorithms

Themodule’scryptographicalgorithmimplementationshavereceivedthefollowingcertificatenumbers

fromtheCryptographicAlgorithmValidationProgram:

Algorithm CAVPCertificateAES(128-,192-,256-bitkeysinECB,CBC,CFB128andOFBmodes) 3192

DSA(FIPS186-4)

• Signatureverification

o L=1024,N=160,SHA-1throughSHA-512

o L=2048,N=224,256,SHA-1throughSHA-512


• PQGgeneration(ProbablePrimesPandQ,UnverifiableandCanonical

GenerationG)




• KeyPairGeneration

o L=2048,N=224

o L=2048,N=256

o L=3072,N=256

• SignatureGeneration




914

ECDSA(FIPS186-4)

• SignatureVerification(SHA-1throughSHA-512)

o P–curves192,224,256,384,and521

o K–curves163,233,283,409,and571

o B–curves163,233,283,409,and571

• SignatureGeneration(SHA-224throughSHA-512)

o P–curves224,256,384,and521

o K–curves233,283,409,and571

o B–curves233,283,409,and571

583

RSA(FIPS186-4)

• KeyPairGeneration(X9.31)

o AppendixB.3.3

o Mod2048,3072

o TableC.3ProbabilisticPrimalityTests(2^-100)

• SignatureGeneration(PKCSv1.5,PSS)

o Mod2048,SHA-224throughSHA-512


1622



Algorithm CAVPCertificate• SignatureVerification(PKCSv1.5,PSS)




HMACusingSHA-1,SHA-224,SHA-256,SHA-384,SHA-512 2011

SHA-1,SHA-224,SHA-256,SHA-384,SHA-512 2637

SP800-90AbasedHMAC-DRBG,noreseed 668

Triple-DES(two-andthree-keywithECB,CBC,CFB8andOFBmodes)1 1818

Table3–FIPS-ApprovedAlgorithmCertificates

2.1.3 Non-ApprovedbutAllowedCryptographicAlgorithms

Themodulesupportsthefollowingnon-FIPS140-2approvedbutallowedalgorithms:

• Diffie-Hellman(keyagreement;keyestablishmentmethodologyprovidesbetween112and219

bitsofencryptionstrength)

• ECDiffie-Hellman(keyagreement;keyestablishmentmethodologyprovidesbetween112and

256bitsofencryptionstrength)

2.1.4 Non-ApprovedCryptographicAlgorithms

Themodulesupportsthefollowingnon-approvedalgorithmsandmodes:

Algorithm ModesorCipherTypeDSA2 PQGGen,KeyGenandSigGen;non-compliantlessthan112bits

ofencryptionstrength)includingFIPS186-2signature

generationandkeygeneration

ECDSA2 KeyGenandSigGen;non-compliantlessthan112bitsof

encryptionstrength)includingFIPS186-2signaturegeneration

andkeygeneration

RSA2 KeyGenandSigGen;non-compliantlessthan112bitsof

encryptionstrength

Diffie-Hellman keyagreement;keyestablishmentmethodologyproviding

between80and112bitsofencryptionstrength

ECDiffie-Hellman keyagreement;keyestablishmentmethodologyprovides

between80and112bitsofencryptionstrength

AES2 GCM,CFB8,CTR,CMAC,CCM

1Theuseoftwo-keyTripleDESforencryptionisrestricted:thetotalnumberofblocksofdataencryptedwiththe

samecryptographickeyshallnotbegreaterthan2^202Non-compliant



Algorithm ModesorCipherTypeANSIX9.31AppendixA.2.4PRNG2 (AES-128)

Blowfish SymmetricBlockCipher3

Camellia SymmetricBlockCipher3

CAST5 SymmetricBlockCipher3

CAST6 SymmetricBlockCipher3

ChaCha SymmetricStreamCipher4

DES SymmetricBlockCipher3

TDESKeyWrapping2 SymmetricBlockCipher3

ElGamal AsymmetricBlockCipher5

GOST28147 SymmetricBlockCipher3

GOST3411 Digest

Grain128 SymmetricStreamCipher4

Grainv1 SymmetricStreamCipher4

HC128 SymmetricStreamCipher4

HC256 SymmetricStreamCipher4

IDEA SymmetricBlockCipher3

IES KeyAgreementandStreamCipherbasedonIEEEP1363a

(draft10)

ISAAC SymmetricStreamCipher4

MD2 Digest

MD4 Digest

MD5 Digest

NaccacheStern AsymmetricBlockCipher5

Noekeon SymmetricBlockCipher3

Password-Based-Encryption(PBE) • PKCS5S1,anyDigest,anysymmetricCipher,ASCII

• PKCS5S2,SHA1/HMac,anysymmetricCipher,ASCII,UTF8

• PKCS12,anyDigest,anysymmetricCipher,Unicode

RC2 SymmetricBlockCipher3

RC2KeyWrapping SymmetricStreamCipher4

RC4 SymmetricStreamCipher4




RFC3211Wrapping SymmetricBlockCipher3

3SymmetricBlockCipherscanbeusedwiththefollowingmodesandpadding:ECB,CBC,CFB,CCM,CTS,GCM,

GCF,EAX,OCB,OFB,CTR,OpenPGPCFB,GOSTOFB,AEAD-CCM,AEAD-EAX,AEAD-GCM,AEAD-OCB,PKCS7Padding,

ISO10126d2Padding,ISO7816d4Padding,X932Padding,ISO7816d4Padding,ZeroBytePadding,TBCPadding4SymmetricStreamCipherscanonlybeusedwithECBmode.

5AsymmetricBlockCipherscanbeusedwithECBmodeandthefollowingencodings:OAEP,PKCS1,ISO9796d1



Algorithm ModesorCipherTypeRFC3394Wrapping SymmetricBlockCipher3

Rijndael SymmetricBlockCipher3

RipeMD128 Digest

RipeMD160 Digest

RipeMD256 Digest

RipeMD320 Digest

RSAEncryption AsymmetricBlockCipher5

Salsa20 SymmetricStreamCipher4

SEED SymmetricBlockCipher3

SEEDWrapping SymmetricBlockCipher3

Serpent SymmetricBlockCipher3

Shacal2 SymmetricBlockCipher3

SHA-32 Digest

SHA-512/t2 Digest

Skein-256-* Digest

Skein-512-* Digest

Skein-1024-* Digest

Skipjack2 SymmetricBlockCipher3

SP800-90ADRBG2 CTR,Hash

TEA SymmetricBlockCipher3

TDES2 CFB64

Threefish SymmetricBlockCipher3

Tiger Digest

TLSv1.0KDF2 KeyDerivationFunction

Twofish SymmetricBlockCipher3

VMPC SymmetricStreamCipher4

Whirlpool Digest

XSalsa20 SymmetricStreamCipher4

XTEAEngine SymmetricBlockCipher3

Table4-NonApprovedAlgorithms



2.2 ModuleInterfaces

Thefigurebelowshowsthemodule’sphysicalandlogicalblockdiagram:

Figure1–ModuleBoundaryandInterfacesDiagram

Theinterfaces(ports)forthephysicalboundaryincludethecomputerkeyboardport,mouseport,

networkport,USBports,displayandpowerplug.Whenoperational,themoduledoesnottransmitany

informationacrossthesephysicalportsbecauseitisasoftwarecryptographicmodule.Therefore,the

module’sinterfacesarepurelylogicalandareprovidedthroughtheApplicationProgrammingInterface

(API)thatacallingdaemoncanoperate.Thelogicalinterfacesexposeservicesthatapplicationsdirectly

call,andtheAPIprovidesfunctionsthatmaybecalledbyareferencingapplication(seeSection2.3–

Roles,Services,andAuthenticationforthelistofavailablefunctions).Themoduledistinguishesbetween

logicalinterfacesbylogicallyseparatingtheinformationaccordingtothedefinedAPI.

Processor

Processor

Opera+ngSystem

HostApplica+on

Module

(FIPS140-2LogicalBoundary)

Interface=D

Interface=CInterface=CInterface=ABCD

=Plaintext

=Ciphertext

=LogicalBoundary

=PhysicalBoundary

A=DataInput

B=DataOutput

C=ControlInput

D=StatusOutput

E=Power

InterfaceLegend

NetworkInterface

KeyboardController

MouseInterface

MemoryPowerSupply

DisplayController

Interface=E



TheAPIprovidedbythemoduleismappedontotheFIPS140-2logicalinterfaces:datainput,data

output,controlinput,andstatusoutput.EachoftheFIPS140-2logicalinterfacesrelatestothe

module’scallableinterface,asfollows:

FIPS140-2Interface LogicalInterface ModulePhysicalInterfaceDataInput InputparametersofAPIfunction

calls

NetworkInterface

DataOutput OutputparametersofAPIfunction

calls

NetworkInterface

ControlInput APIfunctioncalls KeyboardInterface,Mouse

Interface

StatusOutput Functioncallsreturningstatus

informationandreturncodes

providedbyAPIfunctioncalls.

DisplayController

Power None PowerSupply

Table5–LogicalInterface/PhysicalInterfaceMapping

AsshowninFigure1–ModuleBoundaryandInterfacesDiagramandTable6–ModuleServices,Roles,

andDescriptions,theoutputdatapathisprovidedbythedatainterfacesandislogicallydisconnected

fromprocessesperformingkeygenerationorzeroization.Nokeyinformationwillbeoutputthroughthe

dataoutputinterfacewhenthemodulezeroizeskeys.

2.3 Roles,Services,andAuthentication

ThemodulesupportsaCryptoOfficerandaUserrole.ThemoduledoesnotsupportaMaintenance

role.TheUserandCrypto-Officerrolesareimplicitlyassumedbytheentityaccessingservices

implementedbytheModule.

2.3.1 OperatorServicesandDescriptions

Themodulesupportsservicesthatareavailabletousersinthevariousroles.Alloftheservicesare

describedindetailinthemodule’suserdocumentation.Thefollowingtableshowstheservicesavailable

tothevariousrolesandtheaccesstocryptographickeysandCSPsresultingfromservices:

Service Roles CSP/Algorithm PermissionInitializemodule CO None None

Showstatus CO None None

Runself-testsondemand CO None

None

Zeroizekey CO AESkey

DHcomponents

DRBGEntropy

DRBGSeed

DSAprivate/publickey

Write



Service Roles CSP/Algorithm PermissionECDHcomponents

ECDSAprivate/publickey

HMACkey

RSAprivate/publickey

Triple-DESkey

Generateasymmetrickeypair User RSAprivate/publickey

DSAprivate/publickey

Write

Generatekeyedhash(HMAC) User HMACkey Read/Execute

Generatemessagedigest(SHS6) User None None

Generaterandomnumberand

loadentropy(DRBG)

User DRBGSeed

DRBGEntropy

Read/Execute

Keyagreement User DHcomponents

ECDHcomponents

Write

SignatureGeneration User RSAprivatekey

DSAprivatekey

ECDSAprivate/public

Read/Execute

SignatureVerification User RSApublickey

DSApublickey

ECDSAprivate/public

Read/Execute

Symmetricdecryption User AESkey

Triple-DESkey

Read/Execute

Symmetricencryption User AESkey

Triple-DESkey

Read/Execute

Table6–ModuleServices,Roles,andDescriptions

WheninNon-FIPSapprovedmodeofoperation,themoduleallowsaccesstoeachoftheserviceslisted

above,withexceptionofFIPSself-tests.Wheninnon-FIPS-approvedmodeofoperationthemodulealsoprovidesaservice(APIfunctioncall)foreachnon-approvedalgorithmlistedinSection2.1.4.These

functioncallsareassignedtotheUser,andhaveRead/Write/Executepermissiontothemodule's

memorywhileinoperation.

6SHA–SecureHashStandard



2.3.2 OperatorAuthentication

AsrequiredbyFIPS140-2,therearetworoles(aCryptoOfficerroleandUserrole)inthemodulethat

operatorsmayassume.AsallowedbyLevel1,themoduledoesnotsupportauthenticationtoaccess

services.Assuch,therearenoapplicableauthenticationpolicies.Accesscontrolpoliciesareimplicitly

definedbytheservicesavailabletotherolesasspecifiedinTable6–ModuleServices,Roles,and

Descriptions.

2.4 PhysicalSecurity

Thissectionofrequirementsdoesnotapplytothismodule.Themoduleisasoftware-onlymoduleand

doesnotimplementanyphysicalsecuritymechanisms.

2.5 OperationalEnvironment

Themoduleoperatesonageneralpurposecomputer(GPC)runningageneralpurposeoperatingsystem

(GPOS).ForFIPSpurposes,themoduleisrunningonthisoperatingsysteminsingleusermodeanddoes

notrequireanyadditionalconfigurationtomeettheFIPSrequirements.

Themodulewastestedonthefollowingplatforms:

• OEMPowerEdgeR420running64-bitWindowsServer2012withJavaRuntimeEnvironment

(JRE)v1.7.0_17.

Themoduleisalsosupportedonthefollowingplatformforwhichoperationaltestingwasnot

performed:

• OEMPowerEdgeR420running64-bitWindowsServer2012withJavaRuntimeEnvironment

(JRE)v1.8.0_45

• OEMPowerEdgeR420runningCentOS6.7andCentOS7

• Nexus5runningAndroid4and5

Complianceismaintainedforotherenvironmentwherethemoduleisunchanged.Noclaimcanbe

madeastothecorrectoperationofthemoduleorthesecuritystrengthsofthegeneratedkeyswhen

portedtoanoperationalenvironmentwhichisnotlistedonthevalidationcertificate.

TheGPC(s)usedduringtestingmetFederalCommunicationsCommission(FCC)FCCElectromagnetic

Interference(EMI)andElectromagneticCompatibility(EMC)requirementsforbusinessuseasdefined

by47CodeofFederalRegulations,Part15,SubpartB.FIPS140-2validationcomplianceismaintained

whenthemoduleisoperatedonotherversionsoftheGPOSrunninginsingleusermode,assumingthat

therequirementsoutlinedinNISTIGG.5aremet.



2.6 CryptographicKeyManagement

ThetablebelowprovidesacompletelistofCriticalSecurityParametersusedwithinthemodule:

KeysandCSPs StorageLocations

StorageMethod InputMethod Output

Method Zeroization

AESkey

AES128,192,256bit

keyforencryption,

decryption

RAM Plaintext Input

electronicallyin

plaintext

Never powercycle

Triple-DESkey

Triple-DES112,168

bitkeyfor

encryption,

decryption

RAM Plaintext Input

electronicallyin

plaintext

Never powercycle

HMACkey

HMACkeyfor

message

Authenticationwith

SHS

RAM Plaintext Input

electronicallyin

plaintext

Never powercycle

RSAprivatekey

RSA2048,3072bit

keyforsignatureand

keygeneration

RAM Plaintext Input

electronicallyin

plaintext

Never powercycle

RAM Plaintext Internally

generated

Output

electronicallyin

plaintext

powercycle

RSApublickey

RSA1024,2048,3072

bitkeyforsignature

verificationandkey

generation

RAM Plaintext Input

electronicallyin

plaintext

Never powercycle


generated

Output

electronicallyin

plaintext

powercycle

DSAprivatekey

DSA2048,3072-bit

forsignature

generation

RAM Plaintext Input

electronicallyin

plaintext

Never powercycle


generated

Output

electronicallyin

plaintext

powercycle

DSApublickey

DSA1024,2048,

3072-bitkeyfor

signatureverification

Module

Binary

Plaintext Input

electronicallyin

plaintext

Never powercycle


generated

Output

electronicallyin

plaintext

powercycle

ECDSAprivate

key

AllNISTdefinedB,K,

RAM Plaintext Input

electronicallyin

plaintext

Neverexitsthe

module

powercycle



KeysandCSPs StorageLocations

StorageMethod InputMethod Output

Method Zeroization

andPCurvesfor

signaturegeneration


generated

Output

electronicallyin

plaintext

powercycle

ECDSApublickey

AllNISTdefinedB,K,

andPCurvesfor

signatureverification

RAM Plaintext Input

electronicallyin

plaintext

Neverexitsthe

module

powercycle


generated

Output

electronicallyin

plaintext

powercycle

DHpublic

components

Publiccomponentsof

DHprotocol


generated

Output

electronicallyin

plaintext

powercycle

DHprivate

component

Privateexponentof

DHprotocol


generated

Never powercycle

ECDHpublic

components

Publiccomponentsof

ECDHprotocol


generated

Output

electronicallyin

plaintext

powercycle

ECDHprivate

component

Privateexponentof

ECDHprotocol


generated

Neverexitsthe

module

powercycle

DRBGseed

Randomdata440-bit

or880-bitto

generaterandom

numberusingthe

DRBG


generatedusing

noncealongwith

DRBGentropy

inputstring

Neverexitsthe

module

powercycle

DRBGEntropy

InputString

512-bitvalueto

generateseedand

determinerandom

numberusingthe

DRBG

RAM Plaintext Externally

generated;Input

electronicallyin

plaintext

Neverexitsthe

module

powercycle

R=ReadW=WriteD=Delete

Table7–ModuleKeys/CSPs

Theapplicationthatusesthemoduleisresponsibleforappropriatedestructionandzeroizationofthe

keymaterial.Themoduleprovidesfunctionsforkeyallocationanddestructionwhichoverwritethe

memorythatisoccupiedbythekeyinformationwithzerosbeforeitisdeallocated.



2.6.1 RandomNumberGeneration

ThemoduleusesSP800-90ADRBGforcreationofasymmetricandsymmetrickeys.

Themoduleacceptsinputfromentropysourcesexternaltothecryptographicboundaryforuseasseed

materialforthemodule’sApprovedDRBG.Therefore,themodulegeneratescryptographickeyswhose

strengthsaremodifiedbyavailableentropy,andnoassuranceisprovidedforthestrengthofthe

generatedkeys.

ThemoduleperformscontinualtestsontheoutputoftheapprovedRNGtoensurethatconsecutive

randomnumbersdonotrepeat.

2.6.2 Key/CSPStorage

Publicandprivatekeysareprovidedtothemodulebythecallingprocessandaredestroyedwhen

releasedbytheappropriateAPIfunctioncallsorduringpowercycle.Themoduledoesnotperform

persistentstorageofkeys.

2.6.3 Key/CSPZeroization

TheapplicationisresponsibleforcallingtheappropriatedestructionfunctionsfromtheAPI.The

destructionfunctionsthenoverwritethememoryoccupiedbykeyswithzerosanddeallocatesthe

memory.Thisoccursduringprocesstermination/powercycle.Keysareimmediatelyzeroizedupon

deallocation,whichsufficientlyprotectstheCSPsfromcompromise.

2.7 Self-Tests

FIPS140-2requiresthatthemoduleperformselfteststoensuretheintegrityofthemoduleandthe

correctnessofthecryptographicfunctionalityatstartup.Inadditionsomefunctionsrequirecontinuous

verificationoffunction,suchastherandomnumbergenerator.Allofthesetestsarelistedand

describedinthissection.

Ifanyself-testfails,themodulewillenteracriticalerrorstate,duringwhichcryptographicfunctionality

andalldataoutputisinhibited.Tocleartheerrorstate,theCOmustrebootthehostsystem,reloadthe

module,orrestartthecallingapplication.Nooperatorinterventionisrequiredtoruntheself-tests.

Thefollowingsectionsdiscussthemodule’sself-testsinmoredetail.

2.7.1 Power-OnSelf-Tests

Power-onself-testsareexecutedautomaticallywhenthemoduleisloadedintomemory.Themodule

verifiestheintegrityoftheruntimeexecutableusingaHMAC-SHA-512digestcomputedatbuildtime.If

thefingerprintsmatch,thepower-upself-testsarethenperformed.Ifthepower-upself-testsare

successful,themoduleisinFIPSmode.



TYPE DETAILSoftwareIntegrityCheck • HMAC-SHA512onallmodulecomponents

KnownAnswerTests • AESencryptanddecryptKATs

• Triple-DESencryptanddecryptKATs

• HMACSHA1KAT

• HMACSHA-256KAT

• HMACSHA-512KAT

• RSAsignandverifyKATs

• SP800-90ADRBGKAT(HMAC)

Pair-wiseConsistencyTests • DSA

• ECDSA

• Diffie-Hellman

• ECDiffie-HellmanTable8–Power-OnSelf-Tests

Input,output,andcryptographicfunctionscannotbeperformedwhiletheModuleisinaself-testor

errorstatebecausethemoduleissingle-threadedandwillnotreturntothecallingapplicationuntilthe

power-upselftestsarecomplete.Ifthepower-upselftestsfail,subsequentcallstothemodulewillalso

fail-thusnofurthercryptographicoperationsarepossible.

2.7.2 ConditionalSelf-Tests

Themoduleimplementsthefollowingconditionalself-testsuponkeygeneration,orrandomnumber

generation(respectively):

TYPE DETAILPair-wiseConsistencyTests • DSA

• ECDSA

• Diffie-Hellman

• ECDiffie-Hellman

ContinuousRNGTests • SP800-90ADRBG(HMAC)Table9–ConditionalSelf-Tests

2.8 MitigationofOtherAttacks

TheModuledoesnotcontainadditionalsecuritymechanismsbeyondtherequirementsforFIPS140-2

Level1cryptographicmodules.



3 GuidanceandSecureOperation

3.1 CryptoOfficerGuidance

3.1.1 SoftwareInstallation

Themoduleisprovideddirectlytosolutiondevelopersandisnotavailablefordirectdownloadtothe

generalpublic.Themoduleanditshostapplicationistobeinstalledonanoperatingsystemspecifiedin

Section2.5oronewhereportabilityismaintained.

InordertoremaininFIPS-approvedmode,thefollowingstepsmustbetakenduringtheinstallation

process:

1. TheJavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyFiles7mustbe

installedintheJRE.Instructionsforinstallationarefoundinthedownloadfilelocatedhere:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

2. ThemodulemustbeconfiguredastheJRE'sdefaultSecurityProviderbymodifyingthe

jre/lib/security/java.securityfileandaddingthefollowinglinetothelistofproviders:

security.provider.1=com.safelogic.cryptocomply.jce.provider. Provider

3.1.2 AdditionalRulesofOperation

1. Thewritablememoryareasofthemodule(dataandstacksegments)areaccessibleonlybythe

applicationsothattheoperatingsystemisin"singleuser"mode,i.e.onlytheapplicationhas

accesstothatinstanceofthemodule.

2. Theoperatingsystemisresponsibleformultitaskingoperationssothatotherprocessescannot

accesstheaddressspaceoftheprocesscontainingthemodule.

3.2 UserGuidance

3.2.1 GeneralGuidance

Themoduleisnotdistributedasastandalonelibraryandisonlyusedinconjunctionwiththesolution.

TheenduseroftheoperatingsystemisalsoresponsibleforzeroizingCSPsviawipe/securedelete

procedures.

Ifthemodulepowerislostandrestored,thecallingapplicationcanresettheIVtothelastvalueused.



3.2.2 FIPS-ApprovedModeofOperation

InordertomaintaintheFIPS-approvedmodeofoperation,thefollowingrequirementsmustbe

observed:

1. ThecallingapplicationmustinstantiateandoperatethemodulethroughtheJCEinterface

providedbytheJDK.

2. ThecallingapplicationmaynotshareCSPsbetweennon-FIPS-approved-modeandFIPS-

approved-modeofoperation.TheoperatormustresetthemodulebeforeswitchingtoFIPS-

approved-modeofoperation.

3. Thecallingapplicationmustrestricttheuseoftwo-keyTripleDESencryption:thetotalnumber

ofblocksofdataencryptedwiththesamecryptographickeyshallnotbegreaterthan2^20.

4. Themodulerequiresthataminimumof256bitsofentropybeprovidedforeachuseofthe

DRBG/loadentropyservice.

CryptoComply for Java - NIST · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Java...

Documents

Transcript of CryptoComply for Java - NIST · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Java...