FIPS 140-2 Non-Proprietary Security Policy

Citrix Systems, Inc.
Citrix ADC VPX
Software Version: 12.1.51.152

FIPS 140-2 Non-Proprietary Security Policy
FIPS Security Level: 1
Document Version: 0.12

Prepared for:
Citrix Systems, Inc.
851 Cypress Creek Road
Fort Lauderdale, FL 33309
United States of America
Phone: +1 954 267 3000
www.citrix.com

Prepared by:
Corsec Security, Inc.
13921 Park Center Road, Suite 460
Herndon, VA 20171
United States of America
Phone: +1 703 267 6050
www.corsec.com

FIPS 140-2 Non-Proprietary Security Policy, Version 0.12 September 30, 2020

Table of Contents

1. Introduction
  1.1 Purpose
  1.2 References
  1.3 Document Organization
2. Citrix ADC VPX
  2.1 Overview
  2.2 Module Specification
    2.2.1 Physical Cryptographic Boundary
    2.2.2 Logical Cryptographic Boundary
  2.3 Module Interfaces
  2.4 Roles and Services
    2.4.1 Authorized Roles
    2.4.2 Operator Services
    2.4.3 Additional Services
  2.5 Physical Security
  2.6 Operational Environment
  2.7 Cryptographic Key Management
  2.8 EMI / EMC
  2.9 Self-Tests
    2.9.1 Power-Up Self-Tests
    2.9.2 Conditional Self-Tests
    2.9.3 Critical Functions Self-Tests
    2.9.4 Self-Test Failures
  2.10 Mitigation of Other Attacks
3. Secure Operation
  3.1 Installation and Setup
    3.1.1 Installation
    3.1.2 General Configuration
    3.1.3 FIPS-Approved Mode Configuration and Status
  3.2 Crypto Officer Guidance
    3.2.1 Management
    3.2.2 On-Demand Self-Tests
    3.2.3 Zeroization
    3.2.4 Monitoring Status
  3.3 User Guidance
  3.4 Additional Guidance and Usage Policies
  3.5 Non-FIPS-Approved Mode
4. Acronyms

Citrix ADC VPX ©2020 Citrix Systems, Inc. This document may be freely reproduced and distributed whole and intact including this copyright notice.

List of Tables

Table 1 – Security Level per FIPS 140-2 Section
Table 2 – Algorithm Certificate Numbers (Citrix ADC CP Cryptographic Library v1)
Table 3 – Algorithm Certificate Numbers (Citrix ADC DP Cryptographic Library v1)
Table 4 – CVL Certificate Numbers
Table 5 – Allowed Algorithm Implementations
Table 6 – VPX Interface Mappings
Table 7 – Mapping of Module Services to Roles, CSPs, and Type of Access
Table 8 – Additional Services
Table 9 – Cryptographic Keys, Cryptographic Key Components, and CSPs
Table 10 – Acronyms

List of Figures

Figure 1 – Block Diagram of the Host Server
Figure 2 – VPX Logical Cryptographic Boundary

1. Introduction

1.1 Purpose

This is a non-proprietary Cryptographic Module Security Policy for the Citrix ADC VPX from Citrix Systems, Inc. (hereafter referred to as Citrix). This Security Policy describes how the Citrix ADC VPX meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS).

This document also describes how to run the module in a secure FIPS-Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the module. The Citrix ADC VPX is referred to in this document as “VPX” or “the module”.

1.2 References

This document deals only with operations and capabilities of the module in the technical terms of a
