FIPS 140-2 Non-Proprietary Security Policy: Forcepoint Java Crypto Module FIPS 140-2 Non-Proprietary Security Policy Forcepoint Java Crypto Module Software Version 3.0.1 Document Version 1.2 December 21, 2017 Prepared For: Prepared By: Forcepoint SafeLogic Inc. 10900-A Stonelake Blvd. 530 Lytton Ave Quarry Oaks 1 Suite 200 Ste. 350 Palo Alto, CA 94301 Austin, TX 78759 www.safelogic.com www.forcepoint.com Document Version 1.2 © Forcepoint Page 1 of 35 FIPS 140-2 Non-Proprietary Security Policy: Forcepoint Java Crypto Module Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for the Forcepoint Java Crypto Module. Document Version 1.2 © Forcepoint Page 2 of 35 FIPS 140-2 Non-Proprietary Security Policy: Forcepoint Java Crypto Module Table of Contents 1 Introduction .............................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document .................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices .......................................................................................................................................................... 5 2 Forcepoint Java Crypto Module .................................................................................................................. 6 2.1 Cryptographic Module Specification ............................................................................................................ 6 2.1.1 Validation Level Detail ............................................................................................................................. 6 2.1.2 Modes of Operation ................................................................................................................................. 6 2.1.3 Module Configuration .............................................................................................................................. 7 2.1.4 Approved Cryptographic Algorithms ....................................................................................................... 9 2.1.5 Non-Approved Cryptographic Algorithms ............................................................................................. 15 2.1.6 Non-Approved Mode of Operation ....................................................................................................... 15 2.2 Critical Security Parameters and Public Keys ............................................................................................. 17 2.2.1 Critical Security Parameters ................................................................................................................... 17 2.2.2 Public Keys ............................................................................................................................................. 19 2.3 Module Interfaces ...................................................................................................................................... 20 2.4 Roles, Services, and Authentication ........................................................................................................... 21 2.4.1 Assumption of Roles .............................................................................................................................. 21 2.4.2 Services .................................................................................................................................................. 21 2.5 Physical Security ......................................................................................................................................... 26 2.6 Operational Environment ........................................................................................................................... 26 2.6.1 Use of External RNG ............................................................................................................................... 27 2.7 Self-Tests .................................................................................................................................................... 27 2.7.1 Power-Up Self-Tests ............................................................................................................................... 28 2.7.2 Conditional Self-Tests ............................................................................................................................ 29 2.8 Mitigation of Other Attacks ....................................................................................................................... 29 3 Security Rules and Guidance ..................................................................................................................... 31 3.1 Basic Enforcement ...................................................................................................................................... 31 3.1.1 Additional Enforcement with a Java SecurityManager .......................................................................... 31 3.1.2 Basic Guidance ....................................................................................................................................... 31 3.1.3 Enforcement and Guidance for GCM IVs ............................................................................................... 32 3.1.4 Enforcement and Guidance for use of the Approved PBKDF ................................................................ 32 3.1.5 Software Installation .............................................................................................................................. 32 4 References and Acronyms ......................................................................................................................... 33 4.1 References .................................................................................................................................................. 33 4.2 Acronyms .................................................................................................................................................... 34 Document Version 1.2 © Forcepoint Page 3 of 35 FIPS 140-2 Non-Proprietary Security Policy: Forcepoint Java Crypto Module List of Tables Table 1 – Validation Level by FIPS 140-2 Section ........................................................................................................... 6 Table 2 – Available Java Permissions ............................................................................................................................. 8 Table 3 – FIPS-Approved Algorithm Certificates .......................................................................................................... 13 Table 4 – Approved Cryptographic Functions Tested with Vendor Affirmation .......................................................... 14 Table 5 – Non-Approved but Allowed Cryptographic Algorithms ............................................................................... 15 Table 6 – Non-Approved Cryptographic Functions for use in non-FIPS mode only..................................................... 16 Table 7 – Critical Security Parameters ......................................................................................................................... 18 Table 8 – Public Keys ................................................................................................................................................... 19 Table 9 – Logical Interface / Physical Interface Mapping ............................................................................................ 21 Table 10 – Description of Roles ................................................................................................................................... 21 Table 11 – Module Services, Roles, and Descriptions.................................................................................................. 23 Table 12 – CSP Access Rights within Services .............................................................................................................. 26 Table 13 – Power-Up Self-Tests ................................................................................................................................... 29 Table 14 – Conditional Self-Tests ................................................................................................................................. 29 Table 15 – References ................................................................................................................................................. 34 Table 16 – Acronyms and Terms.................................................................................................................................. 35 List of Figures Figure 1 – Module Boundary and Interfaces Diagram ................................................................................................. 20 Document Version 1.2 © Forcepoint Page 4 of 35 FIPS 140-2 Non-Proprietary Security Policy: Forcepoint Java Crypto Module 1 Introduction 1.1 About FIPS 140 Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic