Security Policy: HID Global Cryptographic Module
Total Page:16
File Type:pdf, Size:1020Kb
FIPS 140-2 Non-Proprietary Security Policy: HID Global Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy HID Global Cryptographic Module Software Version 1.0 Document Version 1.3 September 21, 2018 Prepared For: Prepared By: HID Global Corporation SafeLogic Inc. 611 Center Ridge Drive 530 Lytton Ave, Suite 200 Austin, TX 78753 Palo Alto, CA 94301 www.hidglobal.com www.safelogic.com Document Version 1.3 © HID Global Page 1 of 33 FIPS 140-2 Non-Proprietary Security Policy: HID Global Cryptographic Module Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for the HID Global Cryptographic Module. Document Version 1.3 © HID Global Page 2 of 33 FIPS 140-2 Non-Proprietary Security Policy: HID Global Cryptographic Module Table of Contents 1 Introduction .............................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document .................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices .......................................................................................................................................................... 5 2 HID Global Cryptographic Module .............................................................................................................. 6 2.1 Cryptographic Module Specification ............................................................................................................ 6 2.1.1 Validation Level Detail ............................................................................................................................. 6 2.1.2 Modes of Operation ................................................................................................................................. 6 2.1.3 Module Configuration .............................................................................................................................. 7 2.1.4 Approved Cryptographic Algorithms ....................................................................................................... 9 2.1.5 Non-Approved Cryptographic Algorithms ............................................................................................. 14 2.1.6 Non-Approved Mode of Operation ....................................................................................................... 14 2.2 Critical Security Parameters and Public Keys ............................................................................................. 16 2.2.1 Critical Security Parameters ................................................................................................................... 16 2.2.2 Public Keys ............................................................................................................................................. 18 2.3 Module Interfaces ...................................................................................................................................... 19 2.4 Roles, Services, and Authentication ........................................................................................................... 20 2.4.1 Assumption of Roles .............................................................................................................................. 20 2.4.2 Services .................................................................................................................................................. 20 2.5 Physical Security ......................................................................................................................................... 25 2.6 Operational Environment ........................................................................................................................... 25 2.6.1 Use of External RNG ............................................................................................................................... 25 2.7 Self-Tests .................................................................................................................................................... 26 2.7.1 Power-Up Self-Tests ............................................................................................................................... 26 2.7.2 Conditional Self-Tests ............................................................................................................................ 27 2.8 Mitigation of Other Attacks ....................................................................................................................... 28 3 Security Rules and Guidance ..................................................................................................................... 29 3.1 Basic Enforcement ...................................................................................................................................... 29 3.1.1 Additional Enforcement with a Java SecurityManager .......................................................................... 29 3.1.2 Basic Guidance ....................................................................................................................................... 29 3.1.3 Enforcement and Guidance for GCM IVs ............................................................................................... 30 3.1.4 Enforcement and Guidance for use of the Approved PBKDF ................................................................ 30 3.1.5 Software Installation .............................................................................................................................. 30 4 References and Acronyms ......................................................................................................................... 31 4.1 References .................................................................................................................................................. 31 4.2 Acronyms .................................................................................................................................................... 32 Document Version 1.3 © HID Global Page 3 of 33 FIPS 140-2 Non-Proprietary Security Policy: HID Global Cryptographic Module List of Tables Table 1 – Validation Level by FIPS 140-2 Section ........................................................................................................... 6 Table 2 – Available Java Permissions ............................................................................................................................. 8 Table 3 – FIPS-Approved Algorithm Certificates .......................................................................................................... 12 Table 4 – Approved Cryptographic Functions Tested with Vendor Affirmation .......................................................... 13 Table 5 – Non-Approved but Allowed Cryptographic Algorithms ............................................................................... 14 Table 6 – Non-Approved Cryptographic Functions for use in non-FIPS mode only..................................................... 15 Table 7 – Critical Security Parameters ......................................................................................................................... 17 Table 8 – Public Keys ................................................................................................................................................... 18 Table 9 – Logical Interface / Physical Interface Mapping ............................................................................................ 20 Table 10 – Description of Roles ................................................................................................................................... 20 Table 11 – Module Services, Roles, and Descriptions.................................................................................................. 22 Table 12 – CSP Access Rights within Services .............................................................................................................. 24 Table 13 – Power-Up Self-Tests ................................................................................................................................... 27 Table 14 – Conditional Self-Tests ................................................................................................................................. 27 Table 15 – References ................................................................................................................................................. 32 Table 16 – Acronyms and Terms.................................................................................................................................. 33 List of Figures Figure 1 – Module Boundary and Interfaces Diagram ................................................................................................. 19 Document Version 1.3 © HID Global Page 4 of 33 FIPS 140-2 Non-Proprietary Security Policy: HID Global Cryptographic Module 1 Introduction 1.1 About FIPS 140 Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic