FIPS 140-2 Non-Proprietary Security Policy for HP FlexFabric 5900CP and 12910 Switch Series

HP FlexFabric 5900CP and 12910 Switch Series
FIPS 140-2 Non-Proprietary Security Policy
Security Level 2 Validation
Version 1.05
December 2015

Copyright Hewlett-Packard Development Company, L.P. 2014. May be reproduced only in its original entirety [without revision].

Revision Record

| Date | Revision Version | Change Description | Author |
|---|---|---|---|
| 2014-12-12 | 1.00 | Initial version | HP |
| 2015-01-22 | 1.01 | Adding 5900CP | HP |
| 2015-03-20 | 1.02 | Changes based on CMVP comments | HP |
| 2015-09-07 | 1.03 | Changes based on CMVP comments | HP |
| 2015-12-22 | 1.04 | Added comment RE: what to do if tamper labels tampered with | HPE |
| 2015-12-29 | 1.05 | Change 1 word in Algorithm table | HPE |

Table of Contents

1 Introduction  8
2 Overview  9
2.1 Comware Switch Block Level Diagram  10
2.2 HP 5900CP Switch Series  12
2.2.1 Product overview  12
2.2.2 Opacity shield and tamper evidence label  12
2.2.3 Test Modules  14
2.3 HP FlexFabric 12910 Switch  14
2.3.1 Product overview  14
2.3.2 Opacity shield and tamper evidence label  14
2.3.3 Test Modules  18
3 Security Appliance Validation Level  19
4 Physical Characteristics and Security Appliance Interfaces  20
4.1 HP 5900CP Switch Series  20
4.2 HP FlexFabric 12910 Switch  20
4.3 Physical Interfaces Mapping  22
5 Roles, Services, and Authentication  23
5.1 Roles  23
5.2 Services  24
5.2.1 Crypto Officer Services  24
5.2.2 User Services  28
5.2.3 Non-Approved Services  30
5.3 Authentication Mechanisms  31
6 Cryptographic Algorithms  33
6.1 FIPS Approved Cryptographic Algorithms  33
6.2 FIPS Allowed Cryptographic Algorithms  34
6.3 Non-FIPS Approved Cryptographic Algorithms  34
7 Cryptographic Key Management  35
7.1 Cryptographic Security Parameters  35
7.2 Access Control Policy  38
8 Self-Tests  42
8.1 Power-On Self-Tests  42
8.2 Conditional Self-Tests  43
9 Delivery and Operation  44
9.1 Secure Delivery  44
9.2 Secure Operation  44
10 Physical Security Mechanism  46
11 Mitigation of Other Attacks  48
12 Documentation References  49
12.1 Obtaining documentation  49
12.2 Technical support  49

TABLE OF TABLES

Table 1 HP 12910 Switch Series test configuration  18
Table 2 Validation Level by Section  19
Table 3 Correspondence between Physical and Logical Interfaces  22
Table 4 Roles and Role description  23
Table 5 Crypto officer services  24
Table 6 User services  28
Table 7 FIPS-Approved Cryptography Algorithms  33
Table 8 FIPS-Allowed Cryptography Algorithms  34
Table 9 Non-FIPS Approved Cryptography Algorithms  34
Table 10 Cryptographic Security Parameters  35
Table 11 Access by Service for Crypto Officer  38
Table 12 Access by Service for User role  39
Table 13 Power-On Self-Tests  42
Table 14 Conditional Self-Tests  43

FIPS 140-2 Non-Proprietary Security Policy for the HP Networking Switches

Keywords: Security Policy, CSP, Roles, Service, Cryptographic Module

List of abbreviations:

| Abbreviation | Full spelling |
|---|---|
| AAA | Authentication, Authorization, and Accounting |
| AES | Advanced Encryption Standard |
| CF | Compact Flash |
| CLI | Command Line Interface |
| CMVP | Cryptographic Module Validation Program |
| CSP | Critical Security Parameter |
| DES | Data Encryption Standard |
| DOA | Dead on arrival |
| FCoE | Fibre Channel over Ethernet |
| FIPS | Federal Information Processing Standard |
| HMAC | Hash-based Message Authentication Code |
| HTTP | Hyper Text Transfer Protocol |
| IRF | Intelligent Resilient Framework |
| KAT | Known Answer Test |
| LED | Light Emitting Diode |
| LPU | Line Processing Unit |
| MAC | Message Authentication Code |
| MAN | Metropolitan Area Network |
| MPU | Main Processing Unit |
| NIST | National Institute of Standards and Technology |
| OAA | Open Application Architecture |
| OAP | Open Application Platform |
| PSU | Power Supply Unit |
| RADIUS | Remote Authentication Dial In User Service |
| RAM | Random Access Memory |
| RSA | Rivest Shamir and Adleman method for asymmetric encryption |
| SFP | Small Form-Factor Pluggable |
| SFP+ | Enhanced Small Form-Factor Pluggable |
| SHA | Secure Hash Algorithm |
| SRPU | Switching and routing processor unit |
| SSL | Secure Sockets Layer |
| XFP | 10 Gigabit Small Form-Factor Pluggable |

1 Introduction

This document is a non-proprietary Cryptographic Module Security Policy for the HP FlexFabric 5900CP and 12910 Switch Series. The policy describes how the HP FlexFabric 5900CP and 12910 Switch Series meet the requirements of FIPS 140-2. This document also describes how to configure the HP FlexFabric 5900CP and 12910 Switch Series in FIPS 140-2 mode.
This document was prepared as part of the FIPS 140-2 Level 2 validation. The FIPS 140-2 standard details the U.S. Government requirements for cryptographic security appliances. More information about the standard and validation program is available on the NIST website at csrc.nist.gov/groups/STM/cmvp/.

This document includes the following sections:
• Overview
• Security Appliance Validation Level
• Physical Characteristics and Security Appliance Interfaces
• Roles, Services and Authentication
• Cryptographic Algorithms
• Cryptographic Key Management
• Self-Tests
• Delivery and Operation
• Physical Security Mechanism
• Mitigation of Other Attacks
• Obtaining Documentation and Technical Assistance

2 Overview

The HP Networking devices are suitable for a range of uses: at the edge of a network, connecting server clusters in a data center, in an enterprise LAN core, and in large-scale industrial networks and campus networks. Each device is based on the HP Comware Software, Version 7.1.045 platform.

2.1 Comware Switch Block Level Diagram

Figure 1 Security Architecture Block Diagram (figure not reproduced; it shows the Cryptographic Module with its Hardware and Firmware, the Management Service, Communication Service, Security Function and Forwarding Function, the Administrator and the Network user/IT entity, and the flows I1, I2, A1, A2, A3, C1, C2, C3, C4, D1, D2, M1 and M2, together with the Authorize and ACL actions of the security function)

The cryptographic module provides the following services externally:
1. Management: supports various login methods and configuration interfaces for managing the system.
2. Communication: supports interoperation between the communication protocols at different layers in the protocol stack, such as 802.3, PPP, and IP, and uses the forwarding function to receive/send packets for the local device and forward packets for other devices.

To ensure security, the security function provides appropriate access control for the cryptographic module: it identifies and authenticates the external entities attempting to access the module, and authorizes the external entities that pass identification and authentication. The access control function also records the external entities' accesses to the services, such as the beginning time and end time of a visit.

The figure above shows how administrators (crypto officer, user role) and network users access a cryptographic module service.

M2: The administrator accesses the management service to configure the security function.
M1: The administrator accesses the management service to configure the communication service.
C1: The security function issues the forwarding control ACL or other control measures to the forwarding function for security processing such as packet filtering.
D2: The communication service uses the forwarding function to receive and send packets for the local device.
C2: The communication service issues routing entries or MAC address entries to the forwarding function for forwarding packets for other devices.
A1: The administrator connects to a physical management interface (the console, for example) of the cryptographic module to access the system management access control service of the security function. If the access succeeds, the I1 access to the management service is authorized. The security function uses the C3 authorization action to authorize the administrator's administrative roles.
I1: The administrator accesses the management service through the physical management interface.
A2: The administrator connects to a network interface (such as an Ethernet interface) of the cryptographic module to access the system management access control service of the security function. If the access succeeds, the I2 access to the management service is authorized.
I2: The administrator accesses the management service through the network interface.
A3: A network user connects to a network interface of the cryptographic module to access the communication access control service of the security function. If the access succeeds, D1/D2 are authorized. The security function uses the C4 authorization action to grant the network user the communication service access privilege, namely the network access privilege.
D1: Forwarding packets for the network user.

To facilitate cryptographic module management, the administrator is allowed to access the system management service by remote login through a network interface. To prevent the authentication data of the administrator (such as the username and password) from being intercepted, and to prevent the operation commands from being tampered with, the cryptographic module provides SSH2/HTTPS for secure remote management.

For the management service, the cryptographic module defines predefined roles and custom user roles, whose available services differ according to their access permissions. Each user can switch to a different user role without reconnecting to the device. To switch to a different user role, a user must provide the role switching authentication information. The authentication is role-based. All users can be authenticated locally; authentication via a RADIUS or TACACS+ server is optionally supported. If needed, IPsec can be configured to protect the network data.
No external programs can take control of the cryptographic module, because the cryptographic module does not provide a general-purpose computing service. This ensures absolute control of the cryptographic module.

2.2 HP 5900CP Switch Series

2.2.1 Product overview

The HP FlexFabric 5900CP Switch Series is a family of high-density, ultra-low-latency, top-of-rack (ToR) switches that is part of the HP FlexNetwork architecture's HP FlexFabric solution. Ideally suited for deployment at the server access layer of large enterprise data centers, the HP 5900CP Switch Series is also powerful enough for deployment at the data center core layer of medium-sized enterprises. With the increase in virtualized applications and server-to-server traffic, customers now require ToR switch innovations that will meet their needs for higher-performance server connectivity, convergence of Ethernet and storage traffic, the capability to handle virtual environments, and ultra-low latency, all in a single device.
• Converged ports for Ethernet, FCoE and FC
• Cut-through with ultra-low latency and wire speed
• HP Intelligent Resilient Framework (IRF) for virtualization and two-tier architecture
• High 1 GbE/10GbE ToR port density with 40 GbE uplinks
• IPv6 support in ToR with full L2/L3 features
• Convergence ready with DCB, FCoE, and TRILL

2.2.2 Opacity shield and tamper evidence label

The following figures show representatives of the series, with and without opacity shield and tamper evidence label.
Figure 1 5900CP rear view (figure not reproduced)
Figure 2 5900CP front view (figure not reproduced)
Views with opacity shield and tamper evidence labels: Front, Rear, Top, Bottom, Right, Left (figures not reproduced)

2.2.3 Test Modules

Testing included one model in the HP 5900CP series:
• JG838A HP FlexFabric 5900CP-48XG-4QSFP+ Switch

2.3 HP FlexFabric 12910 Switch

2.3.1 Product overview

The HP FlexFabric 12910 Switch is a next-generation modular data center core switch designed to support virtualized data centers and the evolving needs of private and public cloud deployments. The FlexFabric 12910 switch delivers unprecedented levels of performance, buffering, scale, and availability with high-density 10GbE, 40GbE and 100GbE. The HP FlexFabric 12910 Switch includes a 10-slot chassis with front-to-back airflow. Ready for software-defined networking (SDN), the switch supports full Layer 2 and 3 features, including advanced features such as Transparent Interconnection of Lots of Links (TRILL) and Intelligent Resilient Framework (IRF), which provide the ability to build large, resilient switching fabrics. The HP FlexFabric 12910 Switch also supports fully redundant and hot-swappable components to complement its other enterprise-class capabilities.
• Nonblocking, lossless Clos architecture
• Large Layer 2 scaling with TRILL and HP IRF
• DCB and FCoE convergence
• Enhanced modularity with control and data plane separation
• High 10GbE, 40GbE and 100 GbE density across 36 Tb/s switch fabric

2.3.2 Opacity shield and tamper evidence label

The following figures show representatives of the series, with tamper evidence label.
Views with tamper evidence labels: Top, Front, Bottom, Rear, Right, Left (figures not reproduced)

2.3.3 Test Modules

Testing included one model in the 12900 series:
• HP FlexFabric 12910 Switch AC Chassis

The following table lists the test configuration for the HP FlexFabric 12910 Switch.

Table 1 HP 12910 Switch Series test configuration

Chassis: 12910, HP FlexFabric 12910 Switch AC Chassis
Controller: HP FlexFabric 12910 Main Processing Unit
Modules:
• Front slot: HP FlexFabric 12900 48-port 10/100/1000BASE-T EB Module
• Front slot: HP FlexFabric 12900 48-port 10/100/1000BASE-T EB Module
• Front slot: HP FlexFabric 12900 48-port GbE SFP EB Module
• Front slot: HP FlexFabric 12900 16-port 40GbE QSFP+ EA Module
• Front slot: HP FlexFabric 12900 16-port 40GbE QSFP+ EA Module
• Front slot: HP FlexFabric 12900 16-port 40GbE QSFP+ EA Module
• Front slot: HP FlexFabric 12900 16-port 40GbE QSFP+ EA Module
• Front slot: HP FlexFabric 12900 48-port 1/10GbE SFP+ EC Module
• Front slot: HP FlexFabric 12900 48-port 10/100/1000BASE-T EB Module
• Front slot: HP FlexFabric 12900 48-port 10GbE SFP+ EA Module
• Rear slot: HP FlexFabric 12910 3.84Tbps Type B Fabric Module
• Rear slot: HP FlexFabric 12910 3.84Tbps Type B Fabric Module
• Rear slot: HP FlexFabric 12910 3.84Tbps Type B Fabric Module
• Rear slot: HP FlexFabric 12910 3.84Tbps Type B Fabric Module
• Rear slot: HP FlexFabric 12910 3.84Tbps Type B Fabric Module
• Rear slot: HP FlexFabric 12910 3.84Tbps Type B Fabric Module

3 Security Appliance Validation Level

The following table lists the level of validation for each area in FIPS PUB 140-2.

Table 2 Validation Level by Section

| No. | Area | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 2 |
| 2 | Cryptographic Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 2 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key Management | 2 |
| 8 | Electromagnetic Interference/Electromagnetic Compatibility | 2 |
| 9 | Self-Tests | 2 |
| 10 | Design Assurance | 2 |
| 11 | Mitigation of Other Attacks | N/A |
| 12 | Overall Level | 2 |

4 Physical Characteristics and Security Appliance Interfaces

4.1 HP 5900CP Switch Series

The HP FlexFabric 5900CP switch is a multi-chip standalone security appliance, and the cryptographic boundary is defined as encompassing the “top,” “front,” “left,” “right,” and “bottom” surfaces of the case. The general components of the HP 5900CP switch include firmware and hardware, which are placed in the three-dimensional space within the case.

The HP 5900CP switch provides:
• 48 SFP+ dual-personality ports; supports 1G/10G Ethernet and 4 Gbps/8 Gbps Fiber Channel
• 4 QSFP+ 40GbE ports
• A serial console port
• A management Gigabit Ethernet port
• LEDs for system, power, and module status
• USB 2.0 port
• CF card slot
• Power switch
• Reset switch

The documents on the HP website (http://h17007.www1.hp.com/us/en/products/switches/HP_5900_Switch_Series/index.aspx#tab2) describe the ports in detail along with the interpretation of the LEDs.

4.2 HP FlexFabric 12910 Switch

The HP FlexFabric 12910 Switch Series is a multi-chip standalone security appliance, and the cryptographic boundary is defined as encompassing the “top,” “front,” “left,” “right,” and “bottom” surfaces of the case. The HP FlexFabric 12910 Switch chassis accommodates eight LPUs. LPUs provide Gigabit Ethernet, SFP Gigabit, SFP+ 10-Gigabit, XFP 10-Gigabit, QSFP+ 40-Gigabit and CFP 100-Gigabit ports in a range of numbers and combinations.

In addition, the HP FlexFabric 12910 Switch requires an MPU. The chassis has two MPU slots. Each MPU provides a 100-Mbps Ethernet management port, a serial management port, an auxiliary serial port, two USB ports (host and device), and a CF card slot. (The MPUs have reserved ports which are not supported at present: an RS-232/485 port, standby main board coaxial clock interfaces, and MCC Gigabit Ethernet interfaces.) The MPUs have status LEDs for switching fabric modules, LPU, fan, power, MPU, and CF status reporting. Each MPU has a reset button.

Chassis power is provided through AC power frames. Each AC power frame accommodates up to six hot-swappable 1U AC PSUs. The frame has a status LED and a power frame switch. A power entry module supplies power input to each PSU.

http://h17007.www1.hp.com/us/en/networking/products/switches/HP_FlexFabric_12900_Switch_Series/index.aspx#tab=TAB1 describes MPU options, LPU options, and ports in detail along with the interpretation of the LEDs.

4.3 Physical Interfaces Mapping

The physical interfaces provided by the HP Networking products map to the four FIPS 140-2 defined logical interfaces: data input, data output, control input and status output. Table 3 presents the mapping.
Table 3 Correspondence between Physical and Logical Interfaces

| FIPS 140-2 Logical Interface | Physical Interface |
|---|---|
| Data Input Interface | Networking ports, console port, management Ethernet port, CF card slot, USB ports |
| Data Output Interface | Networking ports, console port, management Ethernet port, CF card slot, USB ports |
| Control Input Interface | Networking ports, console port, management Ethernet port, power switches, reset switch, port status LED mode switching button |
| Status Output Interface | Networking ports, console port, management Ethernet port, LEDs |
| Power Interface | Power slot, backplane |

5 Roles, Services, and Authentication

5.1 Roles

The HP FlexFabric 5900CP and 12910 Switch Series provide 18 predefined roles and 64 custom user roles. There are 16 roles (Table 4) in the device that operators may assume:
• network-admin, level-15 and security-audit, which are the FIPS Crypto-Officer Role,
• network-operator, level 0 ~ level 14 and 64 custom user roles, which are defined as the FIPS User Role.

Table 4 presents the roles and role descriptions. The devices allow multiple management users to operate the appliance simultaneously. The HP Networking switches do not employ a maintenance interface and do not have a maintenance role.

Table 4 Roles and Role description

FIPS Role: Crypto-Officer
• network-admin: Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.
• level-15: Has the same rights as network-admin.
• level-9: Has access to all features and resources except those in the following list: RBAC non-debugging commands; local users; file management; device management; the display history-command all command.
• security-audit: Security log manager. The user role has the following access to security log files: access to the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands); access to the commands for managing security log files and the security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands). Only the security-audit user role has access to security log files.

FIPS Role: User
• network-operator: Accesses the display commands for all features and resources in the system, except for commands such as display history-command all and display security-logfile summary. Enables local authentication login users to change their own password.
• level-0: Has access to diagnostic commands, including ping, tracert, and ssh2.
• level-1: Has access to the display commands of all features and resources in the system except display history-command all. The level-1 user role also has all access rights of the user role level-0.
• custom user role; level-2 to level-8; level-10 to level-14: Have no access rights by default. Access rights are configurable.

5.2 Services

HP Networking switches provide five services:
• View device status,
• View running status,
• Network functions,
• Security management,
• Configuration function.

You can access these services by using any of the following methods:
• Console Port
• SSH

The console port and SSH present a command line interface, while the web user interface is a graphical user interface.

5.2.1 Crypto Officer Services

The Crypto Officer role is responsible for the configuration and maintenance of the switches.
The Crypto Officer services consist of the following:

Table 5 Crypto officer services

Service: View device status
Description: View currently running image version; view installed hardware components status and version.
Input: Commands
Output: Status of devices
CSP Access: None
Available to Role: network-admin, level-15, level-9

Service: View running status
Description: View memory status, packet statistics, interface status, current running image version, current configuration, routing table, active sessions, temperature and SNMP MIB statistics.
Input: Commands
Output: Status of device functions
CSP Access: None
Available to Role: network-admin, level-15, level-9

Service: Perform Network functions
Description: Network diagnostic service such as “ping”; network connection service such as “SSHv2” client; provide IKEv1/IPsec service to protect the session between the switch and an external server (e.g. RADIUS server/log server); initial configuration setup (IP, hostname, DNS server).
Input: Commands and configuration data
Output: Status of commands and configuration data
CSP Access: CSP1-1: RSA private keys (read access); CSP1-2: DSA private keys (read access); CSP1-3: Public keys (read access); CSP2-1: IPsec authentication keys (read/write access); CSP2-2: IPsec encryption keys (read/write access); CSP2-3: IKE pre-shared keys (read access); CSP2-4: IKE Authentication key (read/write access); CSP2-5: IKE Encryption Key (read/write access); CSP2-6: IKE RSA Authentication private Key (read access); CSP2-7: IKE DSA Authentication private Key (read access); CSP2-8: IKE Diffie-Hellman Key Pairs (read access); CSP3-1: SSH RSA Private key (read access); CSP3-2: SSH Diffie-Hellman Key Pairs (read/write access); CSP3-3: SSH Session Key (read/write access); CSP3-4: SSH Session authentication Key (read/write access); CSP4-1: User Passwords (read/write access); CSP4-2: super password (read access); CSP4-3: RADIUS shared secret keys (read access); CSP4-4: TACACS+ shared secret keys (read access); CSP5-1: DRBG entropy input (read/write access); CSP6-1: DRBG seed (read access); CSP6-2: DRBG V (read access); CSP6-3: DRBG Key (read access); CSP7-1: SNMPv3 Authentication Key (read access); CSP7-2: SNMPv3 Encryption Key (read access)
Available to Role: network-admin, level-15, level-9

Service: Perform Security management
Description: Change the role; reset and change the password of a same/lower privilege user; maintenance of the super password; maintenance (create, destroy, import, export) of public key/private key/shared key; maintenance of IPsec/IKE; maintenance of SNMPv3; management (create, delete, modify) of the user roles; management of the access control rules for each role; management (create, delete, modify) of the user account; management of the time; maintenance (delete, modify) of system start-up parameters; file operation (e.g. dir, copy, del); shut down or reboot the security appliance; perform self-test.
Input: Commands and configuration data
Output: Status of commands and configuration data
CSP Access: CSP1-1: RSA private key (write access); CSP1-2: DSA private key (write access); CSP1-3: Public keys (write access); CSP2-3: IKE pre-shared keys (write access); CSP4-1: User Passwords (write access); CSP4-2: super password (write access); CSP4-3: RADIUS shared secret keys (write access); CSP4-4: TACACS+ shared secret keys (write access); CSP5-1: DRBG entropy input (read access); CSP6-1: DRBG seed (read access); CSP6-2: DRBG V (read access); CSP6-3: DRBG Key (read access); CSP7-1: SNMPv3 Authentication Key (write access); CSP7-2: SNMPv3 Encryption Key (write access); CSP8-1: System KEK
Available to Role: network-admin, level-15, level-9, security-audit

Service: Perform Configuration functions
Description: Save configuration; management of information center; define network interfaces and settings; set the protocols the switches will support (e.g. SFTP server, SSHv2 server); enable interfaces and network services; management of access control scheme; shut down or reboot the security appliance.
Input: Commands and configuration data
Output: Status of commands and configuration data
CSP Access: CSP1-1: RSA private key (write access); CSP1-2: DSA private key (write access); CSP1-3: Public keys (write access); CSP2-3: IKE pre-shared keys (write access); CSP4-1: User Passwords (write access); CSP4-2: super password (write access); CSP4-3: RADIUS shared secret keys (write access); CSP4-4: TACACS+ shared secret keys (write access); CSP7-1: SNMPv3 Authentication Key (write access); CSP7-2: SNMPv3 Encryption Key (write access); CSP8-1: System KEK
Available to Role: network-admin, level-15, level-9, security-audit

5.2.2 User Services

The following table describes the services available to the User role.
Table 6 User services

Service: View device status
Description:
- View currently running image version;
- View installed hardware components status and version
Input: Commands
Output: Status of devices
CSP Access: None
Available to Role: network-operator

Service: View running status
Description: View memory status, packet statistics, interface status, current running image version, current configuration, routing table, active sessions, temperature and SNMP MIB statistics.
Input: Commands
Output: Status of device functions
CSP Access: None
Available to Role: network-operator

Service: Perform Network functions
Description:
- Network diagnostic service such as “ping”;
- Network connection service such as “SSHv2” client
Input: Commands and configuration data
Output: Status of commands and configuration data
CSP Access: CSP1-1: RSA private key (read/write access); CSP1-2: DSA private key (read access); CSP1-3: Public keys (read access); CSP2-1: IPsec authentication keys (read/write access); CSP2-2: IPsec encryption keys (read/write access); CSP2-3: IKE pre-shared keys (read access); CSP2-4: IKE Authentication key (read/write access); CSP2-5: IKE Encryption Key (read/write access); CSP2-6: IKE RSA Authentication private Key (read access); CSP2-7: IKE DSA Authentication private Key (read access); CSP2-8: IKE Diffie-Hellman Key Pairs (read access); CSP3-1: SSH RSA Private key (read access); CSP3-2: SSH Diffie-Hellman Key Pairs (read/write access); CSP3-3: SSH Session Key (read/write access); CSP3-4: SSH Session authentication Key (read/write access); CSP4-1: User Passwords (read/write access); CSP4-2: super password (read access); CSP4-3: RADIUS shared secret keys (read access); CSP4-4: TACACS+ shared secret keys (read access); CSP5-1: DRBG entropy input (read/write access); CSP6-1: DRBG seed (read access); CSP6-2: DRBG V (read access); CSP6-3: DRBG Key (read access); CSP7-1: SNMPv3 Authentication Key (read access); CSP7-2: SNMPv3 Encryption Key (read access); CSP8-1: System KEK
Available to Role: Level-0, Level-1

5.2.3 Non-Approved Services
The HP modules support the following non-approved services:
- Self-tests: This service executes the suite of self-tests required by FIPS 140-2 in non-FIPS mode.
- Show Status: This service provides the status outputs provided by the approved services and the LED interfaces.
- Change Mode: This service configures the module to run in a FIPS Approved mode.
- Internet Key Exchange (IKE) with DES, MD5, HMAC-MD5, Diffie-Hellman (< 2048 bits), RSA (< 2048 bits), DSA (< 2048 bits).
- Perform Network Time Protocol (NTP) service.
- Perform Secure Socket Layer (SSL) version 3.0.
- Perform TLS 1.0 with DES, RC4, MD5, HMAC-MD5, RSA (< 2048 bits).
- Perform Secure Shell version 1.x.
- Perform Secure Shell version 2.0 with DES, MD5, HMAC-MD5, DSA (< 2048 bits).
- Perform Telnet.

5.3 Authentication Mechanisms
HP networking devices support identity-based authentication and role-based access control.

Identity-based authentication
Each user is authenticated upon initial access to the device. The authentication is identity-based. All users can be authenticated locally, and the device optionally supports authentication via a RADIUS or TACACS+ server. To log on to the appliance, an operator must connect to it through one of the management interfaces (console port, SSH) and provide a password. A user must be authenticated using a username and password. The minimum password length is 15 characters, and the maximum is 63. Passwords must contain at least one lower case letter (26), one upper case letter (26), one special character (32) and one numeric character (10). Each of the remaining eleven characters can be a lower case letter (26), an upper case letter (26), a special character (32) and/or a numeric character (10), giving 94 possibilities per character.
An alphabetic, numeric or special character cannot appear three or more times consecutively. Therefore, for a 15-character password, the probability of randomly guessing the correct sequence is 1 in 64,847,834,440,785 (this calculation is based on the use of the typical standard American QWERTY computer keyboard). The calculation is 26 x 26 x 32 x 10 x 94 x 93 x 94 x 94 x 93 x 94 x 94 x 93 x 94 x 94 x 93 = 64,847,834,440,785. Assuming the first four characters are one from each character set [26 x 26 x 32 x 10], the fifth character can be drawn from the complete set of available characters [94]. Since a character or number cannot appear three or more times consecutively, for the sixth character the set of available characters is decreased by 1 [93]. The seventh and eighth characters again can be drawn from the complete set of available characters [94 x 94]. Since a character or number cannot appear three or more times consecutively, for the ninth character the set of available characters is again decreased by 1 [93]. This pattern continues for the remaining characters in the password. Guessing the password in 1 minute with probability close to 1 would require 64,847,834,440,785 trials, which is stronger than the one-in-a-million chance required by FIPS 140-2.

By default, the maximum number of consecutive failed login attempts is three, and a user who fails to log in after the specified number of attempts must wait one minute before trying again. Using Anderson’s formula to calculate the probability of guessing a password in 1 minute:
- P: probability of guessing a password in the specified period of time
- G: number of guesses tested in 1 time unit
- T: number of time units
- N: number of possible passwords
Then P >= T x G / N (4.6262E-14 = 1 x 3 / 64,847,834,440,785). The probability of guessing a password in 1 minute is 4.6262E-14.

To provide additional password security, Comware 7.1 provides further limits on the number of consecutive failed login attempts. If an FTP or VTY user fails authentication, the system adds the user to a password control blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes one of the following actions, based on the administrator’s choice:
- Blocks the user's login attempts until the user is manually removed from the password control blacklist.
- Blocks the user's login attempts for a configurable period of time, and allows the user to log in again after the period elapses or the user is removed from the password control blacklist.

HP Networking devices can also use certificate credentials using 2048-bit RSA keys and SHA-256; in such a case the security strength is 112 bits, so an attacker would have a 1 in 2^112 chance of a successful authentication, which is much stronger than the one-in-a-million chance required by FIPS 140-2.

Users who try to log in or switch to a different user privilege level can be authenticated by a RADIUS or TACACS+ server. The minimum password length is 15 characters, and the maximum is 63. Therefore, for a 15-character password, the probability of randomly guessing the correct sequence is one in 64,847,834,440,785. The device (RADIUS client) and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user passwords exchanged between them. For more details, see RFC 2865, section 3 (Packet Format, Authenticator field) and section 5.2 (User-Password).

Role-based access control
In Comware 7.1.045, command and resource access permissions are assigned to roles. Users are given permission to access a set of commands and resources based on their user roles. Each user can have one or more roles.
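The following is an added example in Python, not code from HP or from the Comware firmware, that implements the password composition rules stated in section 5.3 and carries Anderson's formula through with the figures the policy quotes. It assumes that the 94-character US QWERTY set equals Python's ASCII letters, digits and punctuation (which is exactly 26 + 26 + 10 + 32 characters), and it reads "three or more times consecutively" as the same character repeated three times in a row; both are assumptions made for the example, and the sample passwords are constructed.

```python
import string

# Policy rules as stated in section 5.3: length 15..63, at least one lower-case
# letter, one upper-case letter, one digit and one special character, and no
# character appearing three or more times consecutively.
MIN_LEN, MAX_LEN = 15, 63
SPECIALS = set(string.punctuation)  # the 32 printable non-alphanumeric US-keyboard characters
# Assumption: the policy's 94-character set is letters + digits + punctuation.
KEYBOARD_SET = set(string.ascii_letters) | set(string.digits) | SPECIALS


def check_password(pw: str) -> list:
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} outside {MIN_LEN}..{MAX_LEN}")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if any(c not in KEYBOARD_SET for c in pw):
        problems.append("character outside the 94-character keyboard set")
    # Three identical characters in a row ("aaa", "111", "!!!") are rejected.
    for i in range(2, len(pw)):
        if pw[i] == pw[i - 1] == pw[i - 2]:
            problems.append(f"character {pw[i]!r} repeated three times from index {i - 2}")
            break
    return problems


def anderson_probability(time_units: float, guesses_per_unit: float, keyspace: int) -> float:
    """Anderson's formula P >= T x G / N as used in section 5.3:
    T time units, G guesses per time unit, N possible passwords."""
    return time_units * guesses_per_unit / keyspace


def meets_fips_threshold(probability: float) -> bool:
    """FIPS 140-2 requires the chance of a successful random guess within one
    minute to be below one in a million."""
    return probability < 1e-6


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Correct-Horse-9Battery", "tooshort1A!", "NoDigitsHere!!Abc", "Tripled111Chars!A"]:
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
    n_policy = 64_847_834_440_785  # keyspace figure quoted in section 5.3
    # Default lockout: 3 failed attempts, then a one-minute wait, so G = 3 per minute, T = 1.
    p = anderson_probability(1, 3, n_policy)
    print(f"P(guess in 1 minute) = {p:.4E}, meets FIPS threshold: {meets_fips_threshold(p)}")
```

With T = 1 minute and G = 3 the function reproduces the 4.6262E-14 figure in the text; changing G shows how the lockout interval, not only the keyspace, determines the per-minute guessing probability.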
6 Cryptographic Algorithms

6.1 FIPS Approved Cryptographic Algorithms
The following table lists the FIPS-Approved algorithms HP Networking devices provide.

Table 7 FIPS-Approved Cryptography Algorithms
Algorithm | Bits of Security | Application | Certificate
AES-128, AES-192, AES-256 | 128, 192, 256 | Kernel - Encryption/decryption | #2988, #2985
AES-128, AES-192, AES-256 | 128, 192, 256 | Encryption/decryption | #2989, #2945
SHA-1 | 80 | Kernel - Hashing | #2509, #2506
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 80, 112, 128, 192, 256 | Hashing | #2510, #2481
HMAC SHA-1 | 160 | Kernel - Message Authentication | #1894, #1891
HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512 | 160, 224, 256, 384, 512 | Message Authentication | #1895, #1868
RSA-SHA1 | 80 | Digital Signature Verification | #1566, #1548
RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512 | 112 (RSA-2048) | Key Pair Generation, Digital Signature Generation, Digital Signature Verification | #1566, #1548
DSA-SHA1 | 80 | Digital Signature Verification | #888, #877
DSA-SHA224, DSA-SHA256, DSA-SHA384, DSA-SHA512 | 112 (DSA-2048) | Key Pair Generation, Digital Signature Generation, Digital Signature Verification | #888, #877
CTR DRBG | | Random bits generation | #571, #548
SP 800-135 KDFs | | IKEv1, SSH, SNMP (1) | #364, #343

(1) These protocols have not been reviewed or tested by the CAVP and CMVP.

6.2 FIPS Allowed Cryptographic Algorithms
The following table contains the set of FIPS-Allowed cryptographic algorithms that can also be used in FIPS mode.

Table 8 FIPS-Allowed Cryptography Algorithms
Algorithm | Bits of Security | Application
Diffie-Hellman 2048 | 112 | Key Agreement
RSA 2048 | 112 | Key Agreement, Key Wrapping

6.3 Non-FIPS Approved Cryptographic Algorithms
The following table contains the set of non-FIPS Approved algorithms that are implemented but may not be used when operating in FIPS mode. These algorithms are used in non-FIPS mode.

Table 9 Non-FIPS Approved Cryptography Algorithms
Algorithm | Application
DES | Encryption/decryption
Diffie-Hellman (< 2048 bits) | Key Agreement
RC4 | Encryption/decryption
MD5 | Hashing
HMAC MD5 | Message Authentication
RSA (< 2048 bits) | Key Pair Generation, Digital Signature Generation, Digital Signature Verification, Key Agreement, Key Wrapping
DSA (< 2048 bits) | Key Pair Generation, Digital Signature Generation, Digital Signature Verification

7 Cryptographic Key Management

7.1 Cryptographic Security Parameters
The security appliances use a variety of Critical Security Parameters (CSPs) during operation. The following table lists the CSPs, including the cryptographic keys, used by the HP Networking devices, and summarizes the generation, storage, and zeroization methods for each CSP.

Table 10 Cryptographic Security Parameters
# | Key/CSP Name | Algorithm | Key Size | Description | Storage | Zeroization

Public key management
CSP1-1 | RSA private key | RSA | 2048 bits | Identity certificates for the security appliance itself. | FLASH (cipher text / AES256) | Using CLI command to zeroize.
CSP1-2 | DSA private key | DSA | 2048 bits | Identity certificates for the security appliance itself. | FLASH (cipher text / AES256) | Using CLI command to zeroize.
CSP1-3 | Public keys | DSA/RSA | 1024 bits ~ 2048 bits | Public keys of peers used to validate digital signatures. | FLASH (plain text) | Delete the public keys of peers from the configuration and write to the startup config.

IPsec
CSP2-1 | IPsec authentication keys | HMAC-SHA1 | 160 bits | Used to authenticate the IPsec traffic. | RAM (plain text) | Automatically when the session expires.
CSP2-2 | IPsec encryption keys | AES | 128 bits, 192 bits, 256 bits | Used to encrypt the IPsec traffic. | RAM (plain text) | Automatically when the session expires.
CSP2-3 | IKE pre-shared keys | Shared Secret | 6 ~ 128 bytes | Entered by the Crypto-Officer in plain text form and used for authentication during IKE. | FLASH (cipher text / AES-CTR-256) and RAM (cipher text / AES-CTR-256) | Using CLI command to zeroize.
CSP2-4 | IKE Authentication key | HMAC-SHA1 | 160 bits | Used to authenticate IKE negotiations. | RAM (plain text) | Automatically when the session expires.
CSP2-5 | IKE Encryption Key | AES | 128 bits, 192 bits, 256 bits | Used to encrypt IKE negotiations. | RAM (plain text) | Automatically when the session expires.
CSP2-6 | IKE RSA Authentication private Key | RSA | 2048 bits | Private key used for the IKE protocol during the handshake. | RAM (plain text) | Automatically when the handshake finishes.
CSP2-7 | IKE DSA Authentication private Key | DSA | 2048 bits | Private key used for the IKE protocol during the handshake. | RAM (plain text) | Automatically when the handshake finishes.
CSP2-8 | IKE Diffie-Hellman Key Pairs | Diffie-Hellman | 2048 bits | Key agreement for IKE. | RAM (plain text) | Automatically when the handshake finishes.

SSH
CSP3-1 | SSH RSA Private key | RSA | 2048 bits | Private key used for the SSH protocol. | RAM (plain text) | Automatically when the handshake finishes.
CSP3-2 | SSH Diffie-Hellman Key Pairs | Diffie-Hellman | 2048 bits | Key agreement for SSH sessions. | RAM (plain text) | Automatically when the handshake finishes.
CSP3-3 | SSH Session Key | AES | 128 bits, 256 bits | SSH session symmetric key. | RAM (plain text) | Automatically when the SSH session terminates.
CSP3-4 | SSH Session authentication Key | HMAC-SHA1 | 160 bits | SSH session authentication key. | RAM (plain text) | Automatically when the SSH session terminates.

AAA
CSP4-1 | Crypto-Officer Password | Secret | 15 ~ 63 bytes | Used to authenticate the administrator role. | FLASH (cipher text / AES256) | Using CLI command to zeroize.
CSP4-2 | User Password | Secret | 15 ~ 63 bytes | Used to authenticate the user role. | FLASH (cipher text / AES256) | Using CLI command to zeroize.
CSP4-3 | RADIUS shared secret keys | Shared Secret | 15 ~ 64 bytes | Used for authenticating the RADIUS server to the security appliance and vice versa. | FLASH (cipher text / AES256) | Using CLI command to zeroize.
CSP4-4 | TACACS+ shared secret keys | Shared Secret | 15 ~ 255 bytes | Used for authenticating the TACACS+ server to the security appliance and vice versa. | FLASH (cipher text / AES256) | Using CLI command to zeroize.

Entropy
CSP5-1 | DRBG entropy input | SP 800-90 CTR_DRBG | 256 bits | Entropy source used to construct the seed. | RAM (plain text) | Resetting or rebooting the security appliance.

Random Bits Generation
CSP6-1 | DRBG seed | SP 800-90 CTR_DRBG | 384 bits | Input to the DRBG that determines the internal state of the DRBG. | RAM (plain text) | Resetting or rebooting the security appliance.
CSP6-2 | DRBG V | SP 800-90 CTR_DRBG | 128 bits | Generated from the entropy source via the CTR_DRBG derivation function. It is stored in DRAM in plain text form. | RAM (plain text) | Resetting or rebooting the security appliance.
CSP6-3 | DRBG Key | SP 800-90 CTR_DRBG | 256 bits | DRBG key used for SP 800-90 CTR_DRBG. | RAM (plain text) | Resetting or rebooting the security appliance.

SNMPv3
CSP7-1 | SNMPv3 Authentication Key | SHA1 | 160 bits | Used to verify SNMPv3 packets. | FLASH (cipher text / AES256), RAM (plain text) | Using CLI command to zeroize.
CSP7-2 | SNMPv3 Encryption Key | AES | 128 bits | Used to encrypt SNMPv3 packets. | FLASH (cipher text / AES256), RAM (plain text) | Using CLI command to zeroize.

System KEK
CSP8-1 | Key encrypting key | AES | 256 bits | Used to encrypt all private keys, user passwords, and pre-shared keys stored on internal storage. The KEK is generated from random bytes. | RAM (plain text) | Zeroized when resetting or rebooting the security appliance.

7.2 Access Control Policy
The services accessing the CSPs, the type of access, and which role accesses the CSPs are listed below. The types of access are: read (r), write (w), and delete (d). A dash marks a service that does not access the CSP.

Table 11 Access by Service for Crypto Officer
CSP | Network functions | Security management | Configuration functions
PKI
CSP1-1 | r | wd | wd
CSP1-2 | r | wd | wd
CSP1-3 | r | wd | wd
IPsec
CSP2-1 | rwd | d | -
CSP2-2 | rwd | d | -
CSP2-3 | r | wd | wd
CSP2-4 | rwd | d | -
CSP2-5 | rwd | d | -
CSP2-6 | rd | d | -
CSP2-7 | rd | d | -
CSP2-8 | rd | d | -
SSH
CSP3-1 | rd | d | -
CSP3-2 | rwd | d | -
CSP3-3 | rwd | d | -
CSP3-4 | rwd | d | -
AAA
CSP4-1 | rwd | wd | wd
CSP4-2 | r | wd | wd
CSP4-3 | r | wd | wd
CSP4-4 | r | wd | wd
Entropy
CSP5-1 | rw | r | -
Random Bits Generation
CSP6-1 | r | r | -
CSP6-2 | r | r | -
CSP6-3 | r | r | -
SNMPv3
CSP7-1 | r | wd | wd
CSP7-2 | r | wd | wd
System KEK
CSP8-1 | r | r | r

Table 12 Access by Service for User role
CSP | Network functions | Configuration functions
Public key management
CSP1-1 | r | -
CSP1-2 | r | -
CSP1-3 | r | -
IPsec
CSP2-1 | rwd | -
CSP2-2 | rwd | -
CSP2-3 | r | -
CSP2-4 | rwd | -
CSP2-5 | rwd | -
CSP2-6 | rd | -
CSP2-7 | rd | -
CSP2-8 | rd | -
SSH
CSP3-1 | rd | -
CSP3-2 | rwd | -
CSP3-3 | rwd | -
CSP3-4 | rwd | -
AAA
CSP4-1 | rwd | -
CSP4-2 | r | -
CSP4-3 | r | -
CSP4-4 | r | -
Entropy
CSP5-1 | rw | -
Random Bits Generation
CSP6-1 | r | -
CSP6-2 | r | -
CSP6-3 | r | -
SNMPv3
CSP7-1 | r | -
CSP7-2 | r | -
System KEK
CSP8-1 | r | r

8 Self-Tests
HP Networking devices include an array of self-tests that are run during startup and during operation to prevent any secure data from being released and to ensure all components are functioning correctly.

8.1 Power-On Self-Tests
The following table lists the power-on self-tests implemented by the switches. The switches perform all power-on self-tests automatically at boot. All power-on self-tests must pass before any role can perform services. The power-on self-tests are performed prior to the initialization of the forwarding function, which prevents the security appliance from passing any data during a power-on self-test failure.

Table 13 Power-On Self-Tests
Implementation: Security Appliance Software
Tests Performed:
- Software/firmware Test (non-Approved RSA 2048 with SHA-256, which acts as a 256-bit EDC)
- DSA signature/verification PWCT
- RSA signature/verification KAT
- RSA signature/verification PWCT
- RSA encryption/decryption PWCT
- Kernel AES encrypt KAT / AES decrypt KAT
- AES encrypt KAT / AES decrypt KAT
- Kernel SHA-1 KAT
- SHA-1 KAT
- SHA224 KAT
- SHA256 KAT
- SHA384 KAT
- SHA512 KAT
- Kernel HMAC SHA-1 KAT
- HMAC SHA-1 KAT
- HMAC SHA224 KAT
- HMAC SHA256 KAT
- HMAC SHA384 KAT
- HMAC SHA512 KAT
- CTR DRBG KAT

8.2 Conditional Self-Tests
The following table lists the conditional self-tests implemented by the switches. Conditional self-tests run when a switch generates a DSA or RSA key pair and when it generates a random number.
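As an added illustration (not HP's code, and not a description of how Comware implements these tests) of two of the self-test types in this section, the Python below runs known-answer tests for the SHA and HMAC algorithms of Table 13 and a continuous random number generator test of the kind listed for the DRBG and entropy source, behind a fail-closed gate that keeps services unavailable until every power-on test has passed. The AES, RSA and DSA tests are not shown because the Python standard library provides no AES or asymmetric primitives. The test vectors are the published standard ones (FIPS 180 "abc" digests and HMAC test case 2 from RFC 2202 / RFC 4231), which this example assumes in place of the module's own, unpublished vectors.

```python
import hashlib
import hmac
import os

# Known-answer vectors: published standard vectors, not values from the HP policy.
HASH_KATS = {
    "SHA-1":   ("sha1",   b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA-224": ("sha224", b"abc", "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7"),
    "SHA-256": ("sha256", b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "SHA-384": ("sha384", b"abc", "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
                                  "8086072ba1e7cc2358baeca134c825a7"),
    "SHA-512": ("sha512", b"abc", "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                                  "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
}
HMAC_KATS = {
    "HMAC-SHA-1":   ("sha1",   b"Jefe", b"what do ya want for nothing?",
                     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    "HMAC-SHA-256": ("sha256", b"Jefe", b"what do ya want for nothing?",
                     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
}


def run_known_answer_tests(hash_kats=HASH_KATS, hmac_kats=HMAC_KATS) -> dict:
    """Run every KAT and return {test name: passed}. A KAT passes only when the
    implementation reproduces the expected digest exactly."""
    results = {}
    for name, (algo, msg, expected) in hash_kats.items():
        results[name] = hmac.compare_digest(hashlib.new(algo, msg).hexdigest(), expected)
    for name, (algo, key, msg, expected) in hmac_kats.items():
        results[name] = hmac.compare_digest(hmac.new(key, msg, algo).hexdigest(), expected)
    return results


class ContinuousRngTest:
    """Continuous RNG test in the sense of FIPS 140-2 section 4.9.2: the first block
    after start-up is retained only for comparison, and each later block must differ
    from its predecessor, otherwise the generator is failed and no output is released."""

    def __init__(self, block_size: int = 16):
        self.block_size = block_size
        self._previous = None
        self.failed = False

    def check(self, block: bytes) -> bytes:
        if len(block) != self.block_size:
            raise ValueError("block has wrong size")
        if self._previous is None:
            self._previous = block
            return b""  # first block is consumed by the test, not handed out
        if hmac.compare_digest(block, self._previous):
            self.failed = True
            raise RuntimeError("continuous RNG test failed: repeated output block")
        self._previous = block
        return block


def crngt_rejects(blocks) -> bool:
    """Feed a sequence of blocks through a fresh ContinuousRngTest and report whether
    the test tripped (True) or accepted the whole sequence (False)."""
    test = ContinuousRngTest(len(blocks[0]))
    try:
        for b in blocks:
            test.check(b)
    except RuntimeError:
        return True
    return False


class SelfTestGate:
    """Fail-closed gate: cryptographic services stay unavailable until every
    power-on self-test has passed, as section 8.1 requires."""

    def __init__(self, hash_kats=HASH_KATS, hmac_kats=HMAC_KATS):
        self.results = run_known_answer_tests(hash_kats, hmac_kats)
        self.available = all(self.results.values())

    def require(self) -> None:
        if not self.available:
            failed = [n for n, ok in self.results.items() if not ok]
            raise RuntimeError(f"self-test failure, services disabled: {failed}")


if __name__ == "__main__":
    gate = SelfTestGate()
    print("POST results:", gate.results)
    gate.require()
    crngt = ContinuousRngTest()
    for _ in range(4):
        out = crngt.check(os.urandom(16))
        print("released block:", out.hex() or "(first block, discarded)")
    # A stuck generator (constructed: the same block twice) is caught immediately.
    print("stuck generator rejected:", crngt_rejects([b"\x07" * 16, b"\x07" * 16]))
```

Note that the CRNGT only catches a generator that repeats its immediately preceding block; it is a sanity check for a stuck source, not a statistical test of entropy quality, which is why the policy lists it separately from the DRBG KAT.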
Table 14 Conditional Self-Tests
Implementation: Security Appliance Software
Tests Performed:
- Pairwise consistency test for RSA
- Pairwise consistency test for DSA
- Continuous Random Number Generator Test for the FIPS-approved RNG (CTR DRBG)
- Continuous Random Number Generator Test for the entropy source (NDRNG)
- Firmware load test using an Approved RSA 2048 with SHA-256

9 Delivery and Operation

9.1 Secure Delivery
To ensure no one has tampered with the goods during delivery, inspect the Networking switch's physical package and check as follows:

1. Outer Package Inspection
1) Check that the outer carton is in good condition.
2) Check the package for an HP Quality Seal or IPQC Seal, and ensure that it is intact.
3) Check that the IPQC seal on the plastic bag inside the carton is intact.
4) If any check fails, the goods shall be treated as dead-on-arrival (DOA) goods.

2. Packing List Verification
Check against the packing list for discrepancies in material type and quantity. If any discrepancy is found, the goods shall be treated as DOA goods.

3. External Visual Inspection
Inspect the cabinet or chassis for any defects, loose connections, damage, and illegible marks. If any surface defect or material shortage is found, the goods shall be treated as DOA goods.

4. Confirm Software/Firmware
1) Version verification
To verify the software version, start the appliance, view the self-test result during startup, and use the display version command to check the software version. For the 5900CP, “HP Comware Software, Version 7.1.045, Release R2311P03” indicates a FIPS 140-2 and CC certified version. For the 12910, “HP Comware Software, Version 7.1.045, Release 1005P10” indicates a FIPS 140-2 and CC certified version. If software loading fails or the version information is incorrect, please contact HP for support.
2) RSA with SHA-256 verification
To verify that the software/firmware has not been tampered with, run the SHA hash command on the appliance. If the hash value differs from the one in the release notes for this software, contact HP for support. The release notes are available on the HP website.

5. DOA (Dead on Arrival)
If the package is damaged, or any label/seal is incorrect or tampered with, stop unpacking the goods, retain the package, and report to HP for further investigation. The damaged goods will be replaced if necessary.

9.2 Secure Operation
The rules for securely operating an HP Networking switch in FIPS mode are:
1. Install and connect the device according to the installation and configuration guides.
2. Start the device and enter the configuration interface.
3. Check and configure the clock.
4. By default, the device does not run in FIPS mode. Enable FIPS mode with the fips mode enable command in system view. This makes the switch internally enforce FIPS-compliant behaviour, such as running the power-up self-tests and conditional self-tests.
5. Set up a username/password for the crypto officer role. The password must comprise no fewer than 15 characters and must contain uppercase and lowercase letters, digits, and special characters.
6. Save the configuration and restart the device. The device works in FIPS mode after restarting.
1) Configure the security appliance to use SSHv2.

An operator can determine whether a switch is in FIPS mode with the command display fips status. When in FIPS mode:
1. The FTP/TFTP server is disabled.
2. The Telnet server is disabled.
3. The HTTP server is disabled.
4. SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.
5. The SSH server does not support SSHv1 clients.
6. Generated RSA/DSA key pairs have a modulus length of 2048 bits.
7. SSHv2, SNMPv3, IPsec and SSL do not support non-FIPS approved cryptographic algorithms.
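The software checks in step 4 of section 9.1 (release string and image hash) are the kind of acceptance check an operator can script. The Python below is an added example, not an HP tool: it parses the release line from 'display version' output, compares it with the two release strings the policy quotes, and compares an image's SHA-256 against the value an operator copies from the release notes. It assumes SHA-256 is the hash published in the release notes (the policy says only "SHA hash"), and the sample 'display version' line and image bytes are constructed for the example; a real check takes the published hash from the release notes, never from the image under test.

```python
import hashlib
import hmac
import re

# Release strings quoted in section 9.1 for the two validated models.
EXPECTED_RELEASE = {
    "5900CP": "HP Comware Software, Version 7.1.045, Release R2311P03",
    "12910":  "HP Comware Software, Version 7.1.045, Release 1005P10",
}

VERSION_RE = re.compile(
    r"HP Comware Software, Version (?P<version>[\d.]+), Release (?P<release>\w+)"
)


def parse_display_version(output: str):
    """Pull (version, release) out of 'display version' output; None if no release line is present."""
    m = VERSION_RE.search(output)
    return (m.group("version"), m.group("release")) if m else None


def version_is_fips_release(model: str, output: str) -> bool:
    """True only when the output carries the exact release string the policy lists for the model."""
    expected = EXPECTED_RELEASE.get(model)
    return expected is not None and expected in output


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_hash_matches(image: bytes, published_sha256_hex: str) -> bool:
    """Compare the image's SHA-256 with the value from the release notes (assumed SHA-256),
    using a constant-time comparison so the check itself does not leak digest prefixes."""
    return hmac.compare_digest(sha256_hex(image), published_sha256_hex.strip().lower())


def verify_software(model: str, version_output: str, image: bytes, published_sha256_hex: str) -> list:
    """Return the failed checks from step 4 of section 9.1; an empty list means both checks passed."""
    failures = []
    parsed = parse_display_version(version_output)
    if parsed is None:
        failures.append("no Comware release line found in 'display version' output")
    elif not version_is_fips_release(model, version_output):
        failures.append(f"release {parsed[1]} is not the validated release for the {model}")
    if not image_hash_matches(image, published_sha256_hex):
        failures.append("image SHA-256 does not match the release notes")
    return failures


if __name__ == "__main__":
    # Constructed sample: one line of 'display version' output and a stand-in image.
    sample_output = "HP Comware Software, Version 7.1.045, Release R2311P03\n"
    sample_image = b"constructed-firmware-image-bytes"
    published = sha256_hex(sample_image)  # stands in for the value copied from the release notes
    print("5900CP:", verify_software("5900CP", sample_output, sample_image, published) or "OK")
    print("12910: ", verify_software("12910", sample_output, sample_image, published) or "OK")
```

Both checks are reported rather than stopping at the first failure, so a unit with the wrong release and a mismatched hash is flagged for both, which is the information needed when reporting a DOA unit under step 5.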
10 Physical Security Mechanism
FIPS 140-2 Security Level 2 physical security requirements mandate that a cryptographic module have an opaque enclosure with tamper-evident seals for doors or removable covers. HP Networking devices include both appliance and chassis models. The tamper-evident seals and opacity shields shall be installed for the module to operate in a FIPS Approved mode of operation. All Networking devices need tamper-evident seals to meet the physical security requirements. Only the HP FlexFabric 5900CP needs an opacity shield.

The Crypto Officer is responsible for properly placing all tamper-evident labels on a device and for securing and controlling any unused seals and opacity shields. The Crypto Officer shall clean the module of any grease, dirt, or oil before applying the tamper-evident labels or opacity shields. The Crypto Officer is also responsible for the direct control and observation of any changes to the modules, such as reconfigurations where the tamper-evident labels or opacity shields are removed or installed, to ensure the security of the module is maintained during such changes and the module is returned to a FIPS approved state.

The security labels recommended for FIPS 140-2 compliance are provided in the FIPS Kit. These security labels are very fragile and cannot be removed without clear signs of damage to the labels. All units use the same label kits:

Label Kit – Description | Label Kit – Part Number
HP 12mm x 60mm Tamper-Evidence (30) Labels | JG585A
HP 12mm x 60mm Tamper-Evidence (100) Labels | JG586A

The opacity kit for each product model is below:

5900CP series
Unit | Opacity Kit – Description | Opacity Kit – Part Number
HP FlexFabric 5900CP-48XG-4QSFP+ Switch | HP FlexFabric 5900CP-48XG-4QSFP+ Switch Opacity Shield Kit | JG719A

Each modular switch is entirely encased by a thick steel chassis. The HP FlexFabric 12910 Switch has slots for switching fabric cards. On-board LAN connectors and console connectors are provided on the MPU board. The power cable connection and a power switch are provided on the power supplies. The individual modules that comprise the switch may be removed to allow access to the internal components of each module. Any chassis slot that is not populated with a module must have a slot cover installed in order to operate in a FIPS compliant mode. The slot covers are included with each chassis, and additional slot covers may be ordered from HP.

Use the procedure described in the FIPS enclosure install instructions to apply tamper-evident labels to the switch. The Crypto Officer should inspect the tamper-evident labels periodically to verify that they are intact and that the serial numbers on the applied tamper-evident labels match the records in the security log. If evidence of tampering is found on the TELs, the module must immediately be powered down and all administrators must be made aware of a physical security breach, in compliance with the local site policies and procedures for dealing with this type of incident.

11 Mitigation of Other Attacks
The security appliances do not claim to mitigate any attacks in a FIPS approved mode of operation.

12 Documentation References

12.1 Obtaining documentation
You can access the HP Networking products page at http://h17007.www1.hp.com/us/en/ , where you can obtain the up-to-date documents for HP routers and switches, such as datasheets, installation manuals, configuration guides, command references, and so on.
12.2 Technical support
For technical or sales-related questions, please refer to the contact list on the HP website: http://www.HP.com. The support website is: http://www8.hp.com/us/en/support-drivers.html