© Copyright 2001 Tumbleweed Communications, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. V1.0 Tumbleweed Messaging Management System (MMS™) Security Kernel FIPS 140-1 Non-Proprietary Security Policy Level 1 Validation October, 2000 2 Table of Contents 1 INTRODUCTION..............................................................................................................................................3 1.1 Purpose ...........................................................................................................................................................3 1.2 References .......................................................................................................................................................3 1.3 Document Organization ..................................................................................................................................3 2 Tumbleweed MMS.............................................................................................................................................4 2.1 The MMS Security Kernel ...............................................................................................................................4 2.2 Operating System Configuration.....................................................................................................................5 2.3 The MMS Security Kernel API ........................................................................................................................5 2.3.1 User API Calls:......................................................................................................................................5 2.3.2 Crypto Officer API Calls:......................................................................................................................7 2.3.3 Accessing Services ................................................................................................................................8 2.4 Physical Security.............................................................................................................................................8 2.5 Cryptographic Algorithms and Keys...............................................................................................................8 2.6 Self-Tests .........................................................................................................................................................9 3 1 INTRODUCTION 1.1 Purpose This is the non-proprietary FIPS 140-1 security policy for the Tumbleweed Messaging Management System (MMS™) Security Kernel. This Security Policy details the secure operation of the MMS Security Kernel as required in Federal Information Processing Standards Publication 140-1 (FIPS 140-1) as published by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce. 1.2 References For more information on the Tumbleweed Messaging Management System, the MMS Security Kernel, or Tumbleweed’s entire product line, please visit www.tumbleweed.com. For more information on FIPS 140-1 and validation process, please visit www.FIPS140-1.com. For more information on NIST and the cryptographic module validation program, please visit csrc.nist.gov/cryptval 1.3 Document Organization The Security Policy document is one document in complete FIPS 140-1 Submission Package. In addition to this document, the complete Submission Package contains: ♦ Vendor Evidence document ♦ Finite State Machine ♦ Module Software Listing ♦ Other supporting documentation as additional references The remainder of this document (Section 2) outlines the functionality of the module and gives high-level details on how it meets the requirements of FIPS 140-1. This Security Policy and other Certification Submission Documentation were produced by Corsec Security, Inc. under contract to Tumbleweed Communications, Inc. (Tumbleweed). With the exception of this Non- Proprietary Security Policy, the FIPS 140-1 Certification Submission Documentation is Tumbleweed-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Tumbleweed. 4 2 Tumbleweed MMS The Tumbleweed Messaging Management System (MMSTM ) is a suite of software designed to allow organizations to apply security beyond the firewall and secure e-mail and Web traffic. MMS provides a complete set of secure e-mail solutions, including virus scanning, content control, access control, encryption, and authentication. MMS integrates with existing e-mail networks and adds secure communications using S-MIME and strong cryptography. Flexible administration capabilities allow MMS users to secure e-mail configuration with custom policies across an entire enterprise network. MMS allows administrators and policy-makers to define and enforce security policies to ensure the safe and efficient use of corporate e-mail systems. Policies can apply to virus scanning, content control, access control, encryption, and digital signature policies universally across the enterprise. A number of subcomponents of MMS provide specific functionality. MMS Content Manager allows content filtering of e-mail messages and attachments according to set policies. E-mail is scanned for specific words or content that constitute policy violations. MMS can then block, quarantine, archive, defer delivery, send to additional recipients, or redirect to alternate recipients. Content filtering can be combined with Access controls to provide robust protection against Spam and junk mail, and can be used to block e-mail viruses, such as Melissa. With MMS Access Manager, companies can set policies that restrict e-mail from certain senders or to certain recipients. MMS Virus Manager uses integrated server-based anti-virus software from Network Associates to detect and optionally clean or strip infected attachments in both incoming and outgoing messages. MMS Format Manager can strip or rewrite addresses in message headers, protecting your network from potential hackers. The MMS Web Filter monitors and controls submissions to Internet message boards and Web-based e-mail services, and includes countermeasures to detect malicious mobile code (Java and ActiveX applets), and control downloads of inappropriate files and software. MMS can also enact policies for secure communications by automatically re-routing sensitive e- mail traffic to Tumbleweed's solution for secure online messaging, Tumbleweed Integrated Messaging ExchangeTM (IMETM ). The integrated MMS/IME solution automatically redirects sensitive traffic to Tumbleweed IMETM - no end user action is required to send groupware- generated messages securely over the Internet. 2.1 The MMS Security Kernel All portions of the MMS use a shared set of cryptographic functionality called the MMS Security Kernel. The MMS Security Kernel exposes application programming interface API calls to the other portions of MMS. These APIs allow each sub-component of MMS to access the same robust, tested security services. These services are also made available to other non-MMS applications through the Secure Messenger Toolkit (SMT), which includes the MMS Security Kernel as its Secure Messenger Engine. The Cryptographic boundary for the MMS Security Kernel encompasses the software contained within the MMSSMT.DLL. However, for the FIPS 140-1 evaluation, the MMS Security Kernel 5 is considered to be a multi-chip standalone cryptographic module running on a standard personal computer (PC) running the Windows NT operating system in single-user mode. The MMS Security Kernel can also be run on other Windows and UNIX platforms. 2.2 Operating System Configuration The MMS Security Kernel was evaluated against all level one requirements of FIPS 140-1 and the level two operating system requirements, resulting in an overall level 1 FIPS 140-1 validation. The module is installed only as executable code, includes cryptographic self-integrity checks using FIPS-approved algorithms, and limits access to the executable to authorized users or processes. The MMS Security Kernel code is written in C and C++ and meets all FIPS 140-1 software security requirements. The module software design corresponds to the Finite State Machine (FSM) Model described in the Tumbleweed proprietary document: “Tumbleweed Messaging Management System (MMS™) Security Kernel FIPS 140-1 Finite State Machine”. The MMS Security Kernel should be securely installed by an administrator of the Windows NT machine, with permissions to access the module files and directory limited to appropriate accounts. Using Windows NT to provide this type of controlled access requires the use of the NTFS file system, and not FAT or FAT32. The administer should limit access to the module to only users approved to operate the module, and limit access to user data files created by the module on the hard drive and in SQL tables. User file location is defined during session start. Access to User data files should be limited to the particular user and the module itself. The Windows NT User Manager for Domains can be used to define users and groups for whom access permissions may be defined. The file and folder security properties can then be defined to specify access for the MMS Security Kernel files. 2.3 The MMS Security Kernel API The MMS Security Kernel provides a number of services, and supports two distinct roles. These two roles provide services to configure User information (which is referred to as the Crypto- Officer role), and to exercise routine User services (which is referred to as the User role). All of these services are accessed through Applications Programming Interface (API) function calls described in more detail in the following sections. FIPS 140-1 does not require authentication for access to services under each role at level 1; however, the MMS Security Kernel provides some optional User identification capabilities. Since the MMS Security Kernel is considered a multi-chip standalone module, the physical interfaces consist of the keyboard, mouse, monitor, serial ports, network adapters, etc. However, the actual interfaces to the module are the logical inputs through the API and the Graphical User Interfaces that can be optionally called through the APIs. This includes fifty five active User and Crypto-Officer function calls, and thirty seven inactive Crypto-Officer function calls (provided for backwards compatibility purposes). The function calls are divided below into Crypto-Officer functions and User functions. 2.3.1 User API Calls: 6 The User services fall into three groups of API calls. The SMT Message group provides message manipulation routines, the SMT Session Group provides functions to choose a User and set up an active User session, and the SMT Util Group provides string conversion utilities. SMT Session Group (User Services) SmtSession_Start Start an SMT session SmtSession_End End an SMT session SmtSession_CertManager Launch the certificate manager SmtSession_PickCert Allow selection of a certificate from a list SmtSession_ViewCert Display a certificate (by SMTID_CERT) SmtSession_GetCertStatus Gets the status of a certificate SmtSession_SetProps Set the session properties SmtSession_GetProps Get the session properties SmtSession_DisplayProps Display the session properties to the user SmtSession_GetMaxPageCount (Win32) Propsheet extension support SmtSession_GetPages (Win32) Propsheet extension support SmtSession_FreePages (Win32) Propsheet extension support SmtSession_DetermineBestSigningCertificate Determines the best signing certificate SmtSession_ExportCert Exports the signing certificate SmtSession_GenerateProxyCertificate Generates proxy certificate SmtSession_GetAllUserCertificates Gets signing and proxy certificates SmtSession_GetCertDetails Get certificate details SmtSession_GetCertDisplayName Retrieve Certificate and display name SmtSession_GetProxyCertID Get proxy Certificate Identification SmtSession_Lock Checks for invalid parameters SmtSession_IsCertificateSuitableForProxyPar ent Check that Certificate is suitable for Proxy SmtSession_Unlock Retrieve Session Identification SMT Message Group (User Services) SmtMsg_Copy Copy contents of one message into another. SmtMsg_Create Create a new message object SmtMsg_Destroy Destroy an existing message object SmtMsg_SetProps Set the message security properties SmtMsg_GetProps Get the message security properties SmtMsg_SetSender Set the sender (properties) of a message SmtMsg_GetSender Get the sender (properties) of a message SmtMsg_AddRecip Add a recipient to a message SmtMsg_DeleteRecip Delete a recipient from a message SmtMsg_BeginEnumRecip Begin enumerating the recipients of a message SmtMsg_EnumRecip Retrieve the next recipient of a message SmtMsg_EndEnumRecip End enumerating recipients of a message SmtMsg_SetRecipProps Set the properties for a recipient SmtMsg_GetRecipProps Get the properties of a recipient SmtMsg_ClearPlainBody Clear the plaintext body of a message SmtMsg_ClearCipherBody Clear the ciphertext body of a message SmtMsg_BeginWritePlainBody Begin writing the plaintext body of a message SmtMsg_BeginWriteCipherBody Begin writing the ciphertext body of a message SmtMsg_WriteBody Write to an open body property of a message SmtMsg_EndWriteBody End writing to a body property of a message SmtMsg_BeginReadPlainBody Begin reading the plaintext body of a message SmtMsg_BeginReadCipherBody Begin reading the ciphertext body of a message SmtMsg_ReadBody Read from an open body property of a message SmtMsg_EndReadBody End reading from a body property of a message 7 SmtMsg_EncryptAndSign Encrypt and/or sign a message SmtMsg_DecryptAndVerify Decrypt and/or verify a message signature SMT Util Group (User Services) SmtUtil_GetEncAlgorithmStr Converts an encryption algorithm ID to a string SmtUtil_GetSigAlgorithmStr Converts a signature algorithm ID to a string 2.3.2 Crypto Officer API Calls: The Crypto Officer calls allow the creation, deletion and modification of Users and their associated information. This includes user certificates, private keys, addresses, trusts, and other user configuration data. These may be accessed with the calls in the SMT User Group, and the optional GUIs that these functions will present. In addition, there is a set of compatibility functions which may be called but do no processing in this version of the MMS Security Kernel. These functions return an error value when called in order to indicate that they are only provided for compatibility purposes. SMT User Group (Crypto Officer Services) SmtUser_Add Add a user SmtUser_GetProps Set the properties of a user SmtUser_BeginEnum Begin enumerating users SmtUser_Enum Retrieve the next user SmtUser_EndEnum End enumerating users SMT Compatibility Group (Crypto Officer Services) SmtUser_Delete Delete a user SmtUser_SetProps Get the properties of a user SmtUser_DisplayProps Display user properties SmtUser_DisplayList Display a list of users, returning selected user SmtUser_DisplayListWithHelp Display users with help, returning selected SmtAddress_Add Add an entry to the address book SmtAddress_Delete Delete an entry from the address book SmtAddress_SetProps Set the properties of an address book entry SmtAddress_GetProps Get the properties of an address book entry SmtAddress_DisplayProps Display address book entry properties to user SmtAddress_BeginEnum Begin enumerating address book entries SmtAddress_Enum Retrieve the next address book entry SmtAddress_EndEnum End enumerating address book entries SmtAddress_DisplayRecipList Displays the recipient list for a message object SmtAddress_DisplayAddrBook Displays the SMT address book SmtMsgProp_Display Display message security properties to user SmtMsgProp_FreePages (Win32) Propsheet extension support SmtMsgProp_GetMaxPageCount (Win32) Propsheet extension support SmtMsgProp_GetPages (Win32) Propsheet extension support SmtMsg_ImportCerts Import Session Identification Certificates SmtMsg_Publish Publish Session Identification Certificates SmtSession_AddCertificateSources Add the sources of certificates SmtSession_ClearPassphrase Clear the private key passphrase SmtSession_Config Configure Session SmtSession_DoAbout Display the SMT about box SmtSession_DoHelp Provide help for a given context SmtSession_GenerateKey Generate a key pair for the current user SmtSession_GetCurrentUserAddressKey Retrieve Current Address Key SmtSession_GetCurrentUserSigningCertificate Retrieve Current Signing Certificate properties 8 SmtSession_RegisterCallbacks Register Session ID, UI Parameters, Flags, and Callbacks SmtSession_Version Retrieve Session Version SmtUtil_CheckVersion Performs version checking on SMT SmtUtil_GetCertStatusStr Converts a certificate status value to a string SmtUtil_GetRandomData Fills a buffer with random data SmtUtil_GetSupportedEncAlgorithms Retrieve supported Encryption algorithms SmtUtil_GetSupportedSigAlgorithms Retrieve supported Signature algorithms SmtUtil_WipeFile Overwrites and deletes a file A complete description of each of these functions, including inputs and outputs is provided in the Tumbleweed MMS SMT Security Kernel Programmers Reference. 2.3.3 Accessing Services The operators of the module implicitly assume the Crypto Officer or User role when they access the appropriate API functions for the module. However, before accessing functions, the operators must create a message or session, and identify themselves to the device as a particular operator. The evaluated version of the module expects that a single operator is created and associated with a particular e-mail address. Each user has a set of properties and preferences associated with them that are used in the generation of messages. Users are selected after the module has been started and an active session created. 2.4 Physical Security The MMS Security Kernel is a software module and was tested on the Windows NT operating system as configured in single-user mode. The MMS Security Kernel module can also be operated upon other Windows-compatible platforms, but was not tested upon these platforms. The module was tested against FIPS 140-1 requirements on a standard Intel platform Personal Computer (PC) that meets all FIPS 140-1 level 1 physical requirements. This includes providing production grade equipment, standard passivation of components, and FCC certification against electromagnetic interference and compatibility. 2.5 Cryptographic Algorithms and Keys The MMS Security Kernel provides a number of cryptographic algorithms, including both FIPS- approved algorithms and non-FIPS approved algorithms. All FIPS-approved algorithms have been separately validated as meeting the applicable FIPS standards. The following algorithms are provided: FIPS-approved algorithms: • Data Encryption Standard (DES) (FIPS PUB 46-3) using Cipher Block Chaining (CBC) mode as defined in NIST Special Publication 800-17 • Triple DES (FIPS PUB 46-3) using CBC mode as defined in NIST Special Publication 800-20 • Digital Signature Standard (DSS) Digital Signature Algorithm (DSA) (FIPS 186- 2) • Secure Hashing Algorithm (SHA-1) (FIPS 180-1) 9 • RSA Digital Signatures (RSA) (FIPS PUB 186-2) using Public Key Cryptographic Standard (PKCS) #1 formats. This includes signature generation and verification using SHA-1 hashing and RSA encryption. Other algorithms: • MD5 with RSA Encryption Digital Signatures (Using PKCS#1) • MD2 with RSA Encryption Digital Signatures (Using PKCS#1) • MD5 Message Digests • MD2 Message Digests • Key Exchange using RSA Public/Private Encryption/Decryption • RC2 CBC (40, 64, 128, 255 bit) Symmetric Encryption/Decryption • RC5 (40, 64, 128 bit) Symmetric Encryption/Decryption Symmetric keys are dynamically created by the module for encryption of messages, and are zeroized from memory when encryption or decryption operations complete. Symmetric keys are encrypted using public key technology as defined in SMIME specifications for secure transmission to recipients. There are public and private keys managed in the module and associated with each user. Public keys are included in public key certificates, and stored in SQL tables, and in user specific files. Private keys are stored internally to the module in private key files, and all of these keys can be replaced or deleted at the user’s discretion. 2.6 Self-Tests The MMS Security Kernel consists of software modules running on a Windows NT operating system in single-user mode, and includes a number of startup and conditional self-tests to ensure proper operation of the module. This includes a self-integrity check made during software load using a DSA digital signature of the module, cryptographic algorithm tests, and other critical startup tests. Additionally, the MMS Security Kernel performs pairwise consistency tests on newly generated public and private key pairs, and continuous random number generator tests, as required by FIPS 140-1.