Product Requirements for DG Core, ATP, and DLP Licensing
Total Page:16
File Type:pdf, Size:1020Kb
VERDASYS SECURE CRYPTOGRAPHIC MODULE SOFTWARE VERSION 1.0 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level 1 Document Version 0.4 Author: Digital Guardian, Inc. CONTENTS 1. INTRODUCTION ................................................................................................................................................. 3 1.1 PURPOSE ................................................................................................................................................................... 3 1.2 REFERENCES ............................................................................................................................................................... 3 1.3 DOCUMENT ORGANIZATION ......................................................................................................................................... 3 2. VSEC MODULE ................................................................................................................................................... 4 2.1 OVERVIEW ................................................................................................................................................................. 4 2.2 MODULE SPECIFICATION .............................................................................................................................................. 6 2.2.1. PHYSICAL CRYPTOGRAPHIC BOUNDARY ....................................................................................................... 6 2.2.2. LOGICAL CRYPTOGRAPHIC BOUNDARY ........................................................................................................ 7 2.3 MODULE INTERFACES .................................................................................................................................................. 8 2.4 ROLES AND SERVICES ................................................................................................................................................... 9 2.5 PHYSICAL SECURITY ................................................................................................................................................... 11 2.6 OPERATIONAL ENVIRONMENT ..................................................................................................................................... 11 2.7 CRYPTOGRAPHIC KEY MANAGEMENT ........................................................................................................................... 11 2.8 SELF-TESTS .............................................................................................................................................................. 13 2.9 MITIGATION OF OTHER ATTACKS ................................................................................................................................. 14 3. SECURE OPERATION ........................................................................................................................................ 15 3.1 INITIAL SETUP ........................................................................................................................................................... 15 3.2 CRYPTO OFFICER GUIDANCE ....................................................................................................................................... 15 3.3 USER GUIDANCE ....................................................................................................................................................... 15 4. ACRONYMS ..................................................................................................................................................... 16 TABLE OF FIGURES FIGURE 1: DIGITAL GUARDIAN ARCHITECTURE .............................................................................................................................. 5 FIGURE 2: STANDARD GPC BLOCK DIAGRAM ................................................................................................................................. 7 FIGURE 3: LOGICAL BLOCK DIAGRAM AND CRYPTOGRAPHIC BOUNDARY ............................................................................................ 8 LIST OF TABLES TABLE 1: SECURITY LEVEL PER FIPS 140-2 SECTION ....................................................................................................................... 6 TABLE 2: FIPS INTERFACE MAPPINGS ........................................................................................................................................... 9 TABLE 3: MAPPING SERVICES TO INPUTS, OUTPUTS, CSPS, AND TYPE OF ACCESS .............................................................................. 11 TABLE 4: FIPS-APPROVED ALGORITHM IMPLEMENTATIONS ........................................................................................................... 12 TABLE 5: LIST OF CRYPTOGRAPHIC KEYS, KEY COMPONENTS, AND CSPS .......................................................................................... 13 © 2017 Digital Guardian, Inc. Page 2 of 16 1. INTRODUCTION 1.1 PURPOSE This is a non-proprietary Cryptographic Module Security Policy for the Verdasys Secure Cryptographic Module from Digital Guardian, Inc.. This Security Policy describes how the Verdasys Secure Cryptographic Module meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 – Security Requirements for Cryptographic Modules) details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Communication Security Establishment Canada (CSEC): http://csrc.nist.gov/groups/STM/index.html. The Verdasys Secure Cryptographic Module is referred to in this document as VSEC, the cryptographic module, or the module. 1.2 REFERENCES This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources: . The Digital Guardian website (http://www.digitalguardian.com) contains information on the full line of products from Digital Guardian. The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) contains contact information for individuals to answer technical or sales-related questions for the module. 1.3 DOCUMENT ORGANIZATION The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: . Vendor Evidence document . Finite State Model document . Other supporting documentation as additional references This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to Digital Guardian. With the exception of this Non-Proprietary Security Policy, the FIPS 140- 2 Submission Package is proprietary to Digital Guardian and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Digital Guardian. © 2017 Digital Guardian, Inc. Page 3 of 16 2. VSEC MODULE This section describes the Verdasys Secure Cryptographic Module from Digital Guardian, Inc. 2.1 OVERVIEW Digital Guardian is a pioneer in Enterprise Information Protection (EIP), a data-centric and risk-based approach to security that focuses on information flow and human interaction across an organization. Digital Guardian’s Digital Guardian product provides the foundation necessary for implementing an EIP platform. Through its unique architecture, the Digital Guardian product reduces the risk of data loss or misuse by its realtime enforcement of corporate security policies, automated encryption of files and emails, and automatic discovery and classification of sensitive data. The Digital Guardian product protects information at rest, in use, and in motion, mitigating both internal and external risks. Its sophisticated tracking and reporting capabilities provide visibility into how information is used and where it is located. This activity data can then be correlated into actionable intelligence. It can also provide powerful forensic support during investigations into fraud, theft, and malicious activity. Through the enterprise-wide installation of a kernel and user mode component called DG Agent, the Digital Guardian product provides data protection at the point of use, where it is most vulnerable. Once installed, DG Agent operates invisibly on desktops, laptops, and servers. The integrated framework also consists of a centralized DG Server and DG Management Console, comprising a Web-based command center for the Digital Guardian platform. Figure 1 below gives an overview of the Digital Guardian architecture. © 2017 Digital Guardian, Inc. Page 4 of 16 Figure 1: Digital Guardian Architecture Digital Guardian’s primary use of cryptography is in the following two components: the Adaptive Mail Encryption module (AME) and the Adaptive File Encryption module (AFE). Based on content and security policy rules, AME and AFE encrypt and decrypt files, emails, and attachments selectively and automatically, in most cases without end-user knowledge or action. The Verdasys Secure Cryptographic Module,