KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
Suite B Cryptographic Module v2.3.1
FIPS 140-2 Security Policy
Revision: 1.0
Prepared by: KEYW Corporation
7740 Milestone Parkway, Suite 500
Hanover, MD 21076
443-733-1600 Phone
443-733-1601 Fax
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
Contents
Revision History ............................................................................................................................................4
Abbreviations................................................................................................................................................5
1. Introduction...........................................................................................................................................6
1.1. Identification ..................................................................................................................................6
1.2. Overview.........................................................................................................................................6
1.3. FIPS 140-2 Security Levels ..............................................................................................................8
2. Cryptographic Module Specification.....................................................................................................9
2.1. Security Functions ..........................................................................................................................9
2.2. Modes of Operation .......................................................................................................................9
2.3. Cryptographic Boundary...............................................................................................................10
2.4. Determining Module Version.......................................................................................................10
3. Cryptographic Module Ports and Interfaces .......................................................................................11
4. Roles, Services, and Authentication ....................................................................................................13
4.1. Roles .............................................................................................................................................13
4.2. Services.........................................................................................................................................14
4.3. Authentication..............................................................................................................................16
5. Physical Security ..................................................................................................................................17
6. Cryptographic Keys and Critical Security Parameters .........................................................................18
6.1. Key Zeroization.............................................................................................................................20
7. Self-Tests .............................................................................................................................................21
7.1. Invoking Self-Tests........................................................................................................................23
7.2. Self-Tests Results..........................................................................................................................23
8. Mitigation of Other Attacks.................................................................................................................24
9. Referenced Documents.......................................................................................................................25
Page 2 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
Tables and Figures
Figure 1 – Module Message Encryption/Decryption Flow ...........................................................................6
Table 1 – Summary of Achieved FIPS 140-2 Security Levels.........................................................................8
Table 2 – FIPS-Approved Security Functions.................................................................................................9
Figure 2 – Module Cryptographic Boundary...............................................................................................10
Table 3 – Module Ports and Interfaces.......................................................................................................11
Figure 3 – Module I/O.................................................................................................................................12
Figure 4 – Module Cryptographic Boundary I/O.........................................................................................12
Table 4 – Module Services for Cryptographic Officer Role.........................................................................14
Table 5 – Module Services for User Role ....................................................................................................15
Table 6 – Module Authentication...............................................................................................................16
Table 7 – Module Cryptographic Keys and Critical Security Parameters....................................................19
Table 8 – Module Self-Tests........................................................................................................................22
Table 9 – Module Self-Test Error Codes .....................................................................................................23
Page 3 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
Revision History
Revision Date Author Changes
1.0 July 11, 2014 R. Glenn
D. Mackie
C. Constantinescu
D. Wolff
E. Hufford
Initial Release
Page 4 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
Abbreviations
AAD Additional Authentication Data
AC Alternating Current
AES Advanced Encryption Standard
API Application Programming Interface
BAS BlackBerry Administration Service
BES BlackBerry Enterprise Server
BIN Binary
CA Certification Authority
CAVP Cryptographic Algorithm Validation Program
CSP Critical Security Parameters
CVL Component Validation List
DEP Default Entry Point
DLL Dynamic Link Library
EC Elliptic Curve
ECC Elliptic Curve Cryptography
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FFC Finite Field Cryptography
FIPS Federal Information Processing Standard
GCM Galois/Counter Mode
HMAC Keyed-hash Message Authentication Code
HRNG Hardware Random Number Generator
I/O Input/Output
IV Initialization Vector
KAM Key Agreement Manager
KAS Key Agreement Scheme
KASVS Key Agreement Schemes Validation System
KAT Known Answer Test
KDF Key Derivation Function
KEK Key Encryption Key
LCD Liquid Crystal Display
LED Light Emitting Diode
MDS Mobile Data System
MS Mobile Set
NIST National Institute of Standards and Technology
OS Operating System
PKI Public Key Infrastructure
PKV Public Key Validation
PT Plaintext
RBG Random Bit Generator
S/MIME Secure/Multipurpose Internet Mail Extensions
SHA Secure Hash Algorithm
SSL Secure Sockets Layer
TLS Transport Layer Security
µSC Micro Smart Card
USB Universal Serial Bus
USSOCOM United States Special Operations Command
VS Validation Specification
XTS XEX Tweakable Block Cipher with Ciphertext Stealing
Page 5 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
1. Introduction
1.1. Identification
The following information identifies this document:
• Title: Suite B Cryptographic Module FIPS 140-2 Security Policy
• Version: 2.3.1
1.2. Overview
KEYW, in coordination with the United States Special Operations Command (USSOCOM), has developed
a Suite B-compliant, standards based, Federal Information Processing Standard (FIPS) 140-2 Level 1
certified Cryptographic Library that is utilized by the Suite B Cryptographic Module. The Suite B
Cryptographic Module implements an AES/GCM-256 layer of encrypted communications between a
BlackBerry Enterprise Server (BES) and a BlackBerry Mobile Set (MS) with Elliptic Curve (EC) key
exchange used to negotiate symmetric keys, which is initiated by a Key Agreement Manager (KAM).
An “in-band” Elliptic Curve Diffie-Hellman (ECDH) Key Agreement Scheme (KAS) implementing the Full
Unified Model, C(2, 2, ECC CDH) as described in National Institute of Standards and Technology (NIST)
publication SP 800-56A (Reference [1]) is used by the Suite B Cryptographic Module as it provides an
optimal encryption and keying solution on the BES and the BlackBerry MS. The in-band KAS solution
integrates with existing BlackBerry Application Programming Interfaces (APIs), which includes a C++ API
for the BES and a Java API for the BlackBerry MS, and fits within the BES infrastructure -- making it the
simplest solution to manage.
Figure 1 – Module Message Encryption/Decryption Flow
The Suite B Cryptographic Module, hereafter referred to as the Module, operates as one of several
layers of encryption within the BlackBerry infrastructure. The BlackBerry encryption is invoked
automatically when the Module is instantiated, providing an additional layer of encryption and
obfuscation above the Module. Additional encryption at the application layer can be added by enabling
S/MIME encryption on emails and SSL/TLS encryption on web traffic via the use of the BlackBerry
Page 6 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
S/MIME Support Package and the BlackBerry MDS Connection Service. All of these additional layers of
encryption use FIPS 140-2 Level 1 certified cryptographic libraries, either from BlackBerry (FIPS 140-2
Validation Certificate #1669) on the BlackBerry MS or Microsoft (FIPS 140-2 Validation Certificate #1335)
on the BES. The Module has been developed to operate on Microsoft Windows Server 2008 with BES
version 5.0 (Service Pack 3) or later and the BlackBerry Operating System (OS) version 7.0.0/7.1.0. The
Module has been tested on Microsoft Windows Server 2008 with BES version 5.0 (Service Pack 3) and
the BlackBerry OS version 7.0.0. The Module has been developed in Microsoft Visual C++ 2010 for the
BES portion of the solution and in Java BlackBerry OS 7.0.0 for the BlackBerry MS. The Module relies on
the Cryptographic Library, which has been developed from the same source code base and performs the
same cryptographic functions end-to-end.
The Module must be installed on the server hosting the BES and on the BlackBerry MS during initial
provisioning. Once installed with the appropriate BES security policy, the Module cannot be removed
from the BlackBerry MS without performing a complete wipe of the BlackBerry MS. The Module key
exchange functions are managed from the BES by the KAM web application, which is developed by
KEYW but does not perform any cryptographic functions, only the management of those functions.
The Module meets the requirements of the FIPS 140-2 Security Level 1 specification. The Module
Cryptographic Library provides the following cryptographic services:
• Data encryption and decryption
• Message digest and authentication code generation
• Digital signature verification
• Elliptic curve key agreement
The Module leverages Random Bit Generators (RBGs) from the FIPS 140-2 certified environments on
which it runs based upon configuration.
• BlackBerry MS
o BlackBerry RBG – FIPS 140-2 Level 1 (Certificates #132 and #133)
o Supports FIPS 140-2 certified microSD Smart Card HRNG (Compatible with SafeNet
microSD Smart Card 650 (µSC650) HRNG)
• BES
o Microsoft Cryptographic Library RBG – FIPS 140-2 Level 1 (Certificates #23 and #27)
o SafeNet Luna SA5 with Luna SA 7000 PCI card HRNG – FIPS 140-2 Level 3 (Certificate
#998)
Page 7 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
1.3. FIPS 140-2 Security Levels
The Module meets the overall requirements applicable to Level 1 security for FIPS 140-2 as shown in the
table below:
Cryptographic Module Specification 1
Cryptographic Module Ports and Interfaces 1
Roles, Services, and Authentication 1
Finite State Model 1
Physical Security N/A
Operational Environment 1
Cryptographic Key Management 1
EMI/EMC 1
Self-Tests 1
Design Assurance 1
Mitigation of Other Attacks N/A
Cryptographic Module Security Policy 1
Table 1 – Summary of Achieved FIPS 140-2 Security Levels
Page 8 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
2. Cryptographic Module Specification
2.1. Security Functions
The Module Cryptographic Library is software that implements the following FIPS-approved security
functions:
Algorithm Description CAVP Certificate No.
AES-128, AES-192,
AES-256
FIPS Publication 197, The Advanced Encryption
Standard (AES), U.S. DoC/NIST, November 26,
2001, Natl. Inst. Stand. Technol. (Reference [3])
#2603
GCM NIST SP 800-38D, Recommendation for Block
Cipher Modes of Operation: Galois/Counter Mode
(GCM) and GMAC, November 2007, Natl. Inst.
Stand. Technol. (Reference [4])
#2603
ECDSA ANS X9.62-2005: Public Key Cryptography for the
Financial Services Industry: The Elliptic Curve
Digital Signature Algorithm (ECDSA). Per the NIST
SP 800-131A transition: curve sizes less than P-224
shall not be used. (Reference [8]/[15])
#448
ECDH ECDH Key Agreement Scheme (KAS) implementing
the Full Unified Model, C(2, 2, ECC CDH) as
described in NIST SP 800-56A, Recommendation
for Pair-Wise Key Establishment Schemes Using
Discrete Logarithm Cryptography, Revision 1,
March 2007, Natl. Inst. Stand. Technol. Per the
NIST SP 800-131A transition: curve sizes less than
P-224 shall not be used. (Reference [1]/[2]/[15])
#98 and #259
(CVL Certificate Nos.)
SHA-1, 224, 256,
384, 512, 512/224,
512/256
FIPS Publication 180-4, Secure Hash Standard
(SHS), March 2012, Natl. Inst. Stand. Technol.
(Reference [5])
#2187
HMAC-SHA-1, 224,
256, 384, 512,
512/224, 512/256
FIPS Publication 198-1, The Keyed-Hash Message
Authentication Code (HMAC), July 2008, Natl. Inst.
Stand. Technol. (Reference [6])
#1610
XTS NIST SP 800-38E, Recommendation for Block
Cipher Modes of Operation: the XTS-AES Mode for
Confidentiality on Storage Devices, January 2010,
Natl. Inst. Stand. Technol. (Reference [7])
#2603
Table 2 – FIPS-Approved Security Functions
2.2. Modes of Operation
The Module must be installed on the BES and the BlackBerry MS manually, and once installed the
Module Cryptographic Library runs all algorithms in FIPS 140-2 compliant mode. There are no
algorithms or “expanded” cryptographic modes within the Module that are not FIPS 140-2 compliant.
As mentioned in Section 1.2, the Module leverages RBGs from the FIPS 140-2 certified environments
that shall be configured for FIPS mode.
Page 9 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
• BlackBerry MS
o Enable the Enforce FIPS Mode of Operation IT policy rule via the BAS to guarantee
generating FIPS-validated random bytes for the ephemeral keys and initialization
vectors
• BES
o Enable the FIPS compliant algorithms mode via the Local Security Policy to guarantee
generating FIPS-validated random bytes for the ephemeral keys, nonces and
initialization vectors
2.3. Cryptographic Boundary
The physical boundary of the Module is the physical boundary of the BlackBerry MS or BES hardware
device that executes the Module as shown in the following figure. Consequently, the embodiment of
the Module is a multiple-chip standalone.
Figure 2 – Module Cryptographic Boundary
2.4. Determining Module Version
The operator can determine the version of the Module by performing the following steps:
On the BlackBerry MS:
1. On the BlackBerry MS Home screen, click the Options icon
2. Click Device > Application Management
3. The Applications screen displays the KEYWxcoder version as v2.3.1
On the BES:
1. On the BES, right-click the KEYWxcoder.dll file and click view Properties
2. Click Details tab
The File version property displays the KEYWxcoder version as v2.3.1
Page 10 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
3. Cryptographic Module Ports and Interfaces
The Module ports correspond to the physical ports of the BlackBerry MS and BES executing the Module,
and the Module interfaces correspond to the logical interfaces to the Module. The following table and
figures describe the Module ports and interfaces.
FIPS 140-2 Interface Module Ports Module Interfaces
Data Input BlackBerry MS: All data traffic
(email, contacts, calendars,
web traffic, management
traffic). Cellular Voice traffic
is excluded.
Input parameters of Module
function calls
BES: All data traffic (email,
contacts, calendars, web
traffic, management traffic).
Cellular Voice traffic is
excluded.
Data Output BlackBerry MS: All data traffic
(email, contacts, calendars,
web traffic, management
traffic). Cellular Voice traffic
is excluded.
Output parameters of Module
function calls
BES: All data traffic (email,
contacts, calendars, web
traffic, management traffic).
Cellular Voice traffic is
excluded.
Control Input BlackBerry MS: Touch Screen,
BlackBerry Buttons
Module function calls
BES: Keyboard, Mouse
Status Output BlackBerry MS: LCD, LED Return codes of Module
function calls
BES: BlackBerry Dispatcher
Logs, KAM web application
Power Input BlackBerry MS: USB Port,
Battery
N/A
BES: AC Power Supply
Maintenance N/A N/A
Table 3 – Module Ports and Interfaces
Page 11 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
Figure 3 – Module I/O
Figure 4 – Module Cryptographic Boundary I/O
Page 12 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
4. Roles, Services, and Authentication
4.1. Roles
The Module supports user and cryptographic officer roles. The Module does not support a maintenance
role. The Module does not support multiple or concurrent operators and is intended for use by a single
operator, thus it always operates in a single-user mode of operation.
Page 13 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
4.2. Services
The services described in the following tables are available to the operator roles:
Cryptographic Officer Role (BES/KAM)
Service Description Input/Output
Start Transcoding Performed by the KAM during BlackBerry MS
provisioning, which initializes the Module and
allows encryption and decryption of data traffic.
The Module will continue Transcoding until the
KAM performs Stop Transcoding or as a result of a
fault in Key Exchange.
Input: The state of
the Module BIN file
for a BlackBerry MS is
modified to Start
Transcoding.
Stop Transcoding Performed by the KAM or as a result of a fault in
Key Exchange, which disallows Module encryption
and decryption of data traffic.
Input: The state of
the Module BIN file
for a BlackBerry MS is
modified to Stop
Transcoding.
Key Exchange Initiated by the KAM on a schedule and/or
manually and also by a custom email message from
an email server, which performs key agreement
between the BES and a BlackBerry MS using ECDH
to negotiate new symmetric keys for data traffic
encryption and decryption.
Input: The state of
the Module BIN file
for a BlackBerry MS is
modified to perform
Key Exchange.
View Status The Module status for a BlackBerry MS is displayed
by the KAM. The Module status for the BES is
displayed by Windows Services via the BlackBerry
Dispatcher service in the Status column. The
BlackBerry Dispatcher service can be started,
stopped or re-started via Windows Services.
Output: The state of
the Module BIN file
for a BlackBerry MS
determines status.
The running state of
the Module for the
BES determines
status.
Zeroize Performed by the BlackBerry “Wipe Handheld” or
“Security Wipe” function via the BES, which
remotely erases all user data, certificates and keys
on a BlackBerry MS. The KAM can also delete the
Module BIN file for a BlackBerry MS, which erases
the keying material on the BES for that BlackBerry
MS.
Input: BlackBerry
Encrypted Key Store
is erased and BIN file
is deleted.
Table 4 – Module Services for Cryptographic Officer Role
Page 14 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
User Role (BlackBerry MS)
Service Description Input/Output
View Status Displayed in the BlackBerry notification area and
BlackBerry MS logs.
Output: The state of
the status flag
determines status.
Encrypt Data
Traffic
Encrypts all data traffic that is sent from the
BlackBerry MS or BES with a symmetric key that
was negotiated during Key Exchange.
Output: Plaintext
data is encrypted
into ciphertext.
Decrypt Data
Traffic
Decrypts all data traffic that is received by the
BlackBerry MS or BES with a symmetric key that
was negotiated during Key Exchange.
Input: Ciphertext
data is decrypted
into plaintext.
Zeroize Performed by the BlackBerry “Wipe Handheld” or
“Security Wipe” function on the BlackBerry MS,
which erases all user data, certificates and keys on
that BlackBerry MS.
Input: BlackBerry
Encrypted Key Store
is erased.
Table 5 – Module Services for User Role
Page 15 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
4.3. Authentication
The Module does not support operator authentication. Roles are implicitly selected based on the
service performed by the operator.
Role Type of Authentication Authentication Data
Cryptographic Officer
(BES/KAM)
Module: None
BES: Keyboard Login
Module: None
BES: Username and Password as
required by IT Policy
User (BlackBerry MS) Module: None
BlackBerry MS: Keyboard Login
Module: None
BlackBerry MS: User PIN or
Password as required by IT Policy
Table 6 – Module Authentication
Page 16 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
5. Physical Security
The Module is implemented entirely in software, thus it is not subject to the FIPS 140-2 Physical Security
requirements.
The BES that executes the Module is located on production grade equipment within the backend
network infrastructure and is expected to be secure by best practices. Similarly, on the BlackBerry MS,
physical security is provided as a basic requirement for BlackBerry production-grade components that
host the Module.
Page 17 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
6. Cryptographic Keys and Critical Security Parameters
The following table describes the cryptographic keys, key components and Critical Security Parameters
(CSPs) utilized exclusively by the Module.
Key/CSP Type(s) of Access Input/Output Storage Destruction
HMAC Integrity
Check Key
Used for Software
Integrity Checksum.
Cryptographic
Officer Role
(BES/KAM): Read
& Write
Generated (using a
KEYW proprietary
method) during
each Module
registration. A new
key is generated
after each build.
HMAC key not
stored, only
briefly
generated (in
RAM) during
Module
registration
Destroyed
(zeroized)
immediately
after each
Module
registration
ECDH Key
Establishment Keys
The BES and each
BlackBerry MS are
acting as
independent entities
within a PKI
framework and use
approved methods
of (traffic) key
establishment.
User Role
(BlackBerry MS):
Read & Write
When executing a
key agreement
scheme, each side
imports its own PKI
static key pair
(private and public
keys) and imports
the other side’s
public key,
accessing PKI
Certificates issued
(and signed) by a
Certification
Authority (CA).
Additionally, each
side outputs
internally a Private
Ephemeral key and
then outputs the
corresponding
Public Ephemeral
key to the other
side.
BlackBerry MS:
BlackBerry
Encrypted Key
Store
BlackBerry MS:
Erased on “Wipe
Handheld” or
“Security Wipe”
command
Cryptographic
Officer Role
(BES/KAM): Read
& Write
BES: since
retrieving static
keys from PKI
Certificates is
repetitive and
time consuming,
the static keys
are cached (and
KEK- encrypted)
in the BIN files in
order to
expedite
subsequent key
exchanges
BES: Delete BIN
file
XTS-AES Keys
Serve as Key
Encryption Keys
(KEKs) to protect
(encrypt) the
contents of BIN files
on the BES.
Cryptographic
Officer Role
(BES/KAM): Read
& Write
Generated (using a
KEYW proprietary
method) each time
CSPs are accessed
and/or updated on
a BIN file. Each BIN
file has its own KEK.
XTS-AES keys not
stored, only
briefly
generated (in
RAM) during
CSPs access
Destroyed
(zeroized)
immediately
after each usage
Page 18 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
AES (Traffic) Keys
Symmetric keys
used for encryption
and decryption of
traffic packets.
User Role
(BlackBerry MS):
Read & Write
Negotiated after a
BES-initiated Key
Agreement process,
using an approved
ECDH scheme.
Distinct keys are
used for incoming
and outgoing traffic.
BlackBerry MS:
BlackBerry
Encrypted Key
Store
BlackBerry MS:
Erased on “Wipe
Handheld” or
“Security Wipe”
command
Cryptographic
Officer Role
(BES/KAM): Read
& Write
BES: BIN files on
server protected
by KEKs
BES: traffic keys
not archived;
existing keys
discarded and
substituted by
newly
negotiated keys
GCM IVs and Tags
Used during GCM
authenticated
encryption of traffic
packets.
User Role
(BlackBerry MS):
Read & Write
BlackBerry MS: IV
provided by RBG on
MS before packet
encryption, GCM
authentication Tag
computed after
packet encryption
BlackBerry MS:
IVs and Tags not
stored, only
briefly
generated (in
RAM) during
packet
transmission
BlackBerry MS:
Erased after
transmission of
outgoing packets
and reception/
verification of
incoming
packets
Cryptographic
Officer Role
(BES/KAM): Read
& Write
BES: IV provided by
RBG on BES before
packet encryption,
GCM authentication
Tag computed after
packet encryption
BES: IVs and
Tags not stored,
only briefly
generated (in
RAM) during
packet
transmission
BES: Erased after
transmission of
outgoing packets
and reception/
verification of
incoming
packets
HMAC Keys
Used during HMAC-
SHA-1, 256, 384,
512 operations
executed during the
Key Confirmation
phase of key
exchange.
User Role
(BlackBerry MS):
Read & Write
BlackBerry MS:
Split from the front
part of the Derived
Key Material built
during key
exchange
BlackBerry MS:
HMAC keys not
stored, only
briefly
generated (in
RAM) during key
exchange
BlackBerry MS:
Erased after the
Key
Confirmation
phase of key
exchange is
completed
Cryptographic
Officer Role
(BES/KAM): Read
& Write
BES: Split from the
front part of the
Derived Key
Material built
during key
exchange
BES: HMAC keys
not stored, only
briefly
generated (in
RAM) during key
exchange
BES: Erased after
the Key
Confirmation
phase of key
exchange is
completed
Table 7 – Module Cryptographic Keys and Critical Security Parameters
Page 19 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
6.1. Key Zeroization
The Module leverages the built-in BlackBerry security solution to ensure algorithmic keys and key
components are protected. Similarly, data and specifically key removal via zeroization, is an integral
part of the BlackBerry security solution. A user can request a zeroization at any time by navigating to
Options and selecting “Wipe Handheld” or “Security Wipe” on the BlackBerry MS, which erases all user
data, certificates and keys on that BlackBerry MS. The BES administrator may also zeroize the
BlackBerry MS remotely via the “Wipe Handheld” or “Security Wipe” command through the BlackBerry
Administration Service (BAS) interface on the BES as well.
Furthermore, new symmetric keys for data traffic encryption and decryption can be negotiated using
ECDH via the KAM as frequently as possible by schedule and/or manually and also by a custom email
message from an email server. The KAM can also delete the Module BIN file for each individual
BlackBerry MS, which erases the keying material on the BES for that BlackBerry MS.
Page 20 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
7. Self-Tests
The Module implements a series of self-tests that are described in the following table:
Test Description
Software Integrity The BES validates the software integrity during registration of the
Module DLL file on the BES on power-up. The integrity check is a two-
step process consisting of an HMAC verification (based on the NIST-
approved HMAC-160 algorithm), applied to the whole Module DLL image
processed as a binary data file.
In the first step, the 160-bit (20-byte) HMAC key for the HMAC
verification is derived (in a KEYW proprietary manner) from several build-
specific data fields including the current version string and build date.
This HMAC key customization is aimed at preventing malicious Module
DLL rebuilds and authenticating the original build only.
In the second step, the 160-bit HMAC key is used to perform an HMAC-
160 integrity check of the whole Module DLL image. This computation
produces a 160-bit checksum that is compared against a hexadecimal
value pre-stored in the KEYWxcoder.ini file.
The BlackBerry MS validates the software integrity during registration of
the Module COD file on a BlackBerry MS on power-up, which is only
allowed if the BES has deployed the Security Transcoder Cod File Hashes
IT policy rule and the Primary Transcoder IT policy rule (only applicable
for BES 5.0 SP4 or later and BlackBerry OS 7.1.0.9 or later) via IT Policy to
the BlackBerry MS, which contains the SHA-1 hash of the Module COD
file.
GCM
Encrypt/Decrypt
Exercises a set of Known Answer Tests (KATs) extracted from the GCM
test vectors published by NIST in the GCMVS specification (Reference [9])
on all three GCM encryption modes corresponding to AES key sizes of
128, 192 and 256 bits featuring the largest combinations of PT, IV and
AAD.
SHA Exercises a set of Known Answer Tests (KATs) extracted from the SHA
test vectors published by NIST in the SHAVS specification (Reference
[10]) on all SHA versions specified in FIPS Publication 180-4 including the
new SHA-512/224 and SHA-512/256 featuring mixed hash/digest size
combinations with the longest input data.
The comprehensive SHA KATs implicitly provide assurance about the
validity of the Key Derivation Function (KDF) employed by the ECDH Key
Agreement Scheme (as recommended in NIST SP 800-56A - Reference
[1], a SHA-based concatenation KDF is being used).
HMAC Exercises a set of Known Answer Tests (KATs) extracted from the HMAC
test vectors published by NIST in the HMACVS specification (Reference
[11]) featuring the largest combinations of key and tag sizes covering all
versions of the underlying hashing algorithm (SHA-1, SHA-224, SHA-256,
SHA-384, SHA-512, SHA-512/224 and SHA-512/256).
The comprehensive HMAC KATs implicitly provide assurance about the
validity of the Bilateral Key Confirmation method employed by the ECDH
Key Agreement Scheme (Reference [1], Section 8.4).
Page 21 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
ECDSA KeyPair/PKV Exercises a set of Known Answer Tests (KATs) adapted from the ECDSA
KeyPair (private/public key verification) and PKV (Public Key Validation)
test vectors published by NIST in the ECDSA2VS specification (Reference
[14]) covering each version of the underlying prime-field EC (P-192, P-
224, P-256, P-384 and P-521).
The ECDSA KeyPair tests include multiple KAT verifications of ECC point
multiplication, which is the ECC primitive used for shared-secret (“Z”)
computation by the ECDH Key Agreement Scheme.
Key Agreement
Scheme (KAS)
Exercises a set of Known Answer Tests (KATs) adapted from the ECDH
test vectors published by NIST in the KASVS specification (Reference [12])
featuring the Full Unified model of ECDH covering each version of the
underlying prime-field EC (P-192, P-224, P-256, P-384 and P-521). Each
test run includes both Initiator-side and Responder-side functions.
Every invocation of the Key Agreement Scheme involves (within the BES
and BlackBerry MS class constructors) a verification of the arithmetic
validity of the selected set of ECC domain parameters (Reference [1],
Section 5.5.2).
The KAS implementation provides built-in assurance (verification) of the
arithmetic validity of a public key, by performing a full ECC public key
validation each time such a key is being used: each side verifies both own
and opposite static public keys, each side verifies opposite side’s
ephemeral public key (Reference [1], Section 5.6.2).
Also, during key agreement, each side renews its assurance of possessing
the correct private key by using the Key Regeneration method
(Reference [1], Section 5.6.3), while the ephemeral (generated) private
key is subjected to the constraints specified in Reference [1], Section
5.6.1.2.
The underlying cryptographic algorithms used during ECDH key
agreement are fully validated via individual power-on self-tests:
• ECC point multiplication is validated via ECDSA KeyPair KATs
• The Key Derivation Function is validated via SHA KATs
• The Key Confirmation function is validated via HMAC KATs
XTS Encrypt/Decrypt Exercises a set of Known Answer Tests (KATs) extracted from the XTS test
vectors published by NIST in the XTSVS specification (Reference [13]).
Both formats specified for the tweak value input (128-bit hexadecimal
string or 64-bit Data Unit Sequence Number) are being tested with
various, non-trivial Data Unit bit sizes in encrypt and decrypt mode.
Table 8 – Module Self-Tests
Page 22 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
7.1. Invoking Self-Tests
The operator can invoke the power-on self-tests on the BlackBerry MS by hard resetting the BlackBerry
MS (soft resetting the BlackBerry MS will not invoke power-on self-tests). At power-on the BlackBerry
OS executes the Module’s Default Entry Point (DEP) automatically, which invokes the self-tests listed in
Table 8 and does not require operator intervention.
public static void main(String[] args) // Default Entry Point (DEP)
The operator can invoke the power-on self-tests on the BES by restarting the BlackBerry Dispatcher
service via Windows Services. At power-on the BlackBerry Dispatcher service executes the Module’s
DEP automatically, which invokes the self-tests listed in Table 8 and does not require operator
intervention.
int __cdecl LoadDLL() // Default Entry Point (DEP)
If the Software Integrity self-test fails the Module will not load and an error is logged. If the KAT self-
tests fail the Module will prohibit any subsequent cryptographic operations and an error is logged.
Subsequent self-tests on both the BES and BlackBerry MS exercise all Suite B cryptographic algorithms
used by the Module, either via regular traffic encryption/decryption or during key exchange.
The Module does not rely on any other external service to initiate the power-on self-tests.
7.2. Self-Tests Results
Upon successful self-test completion, the Module will complete its initialization and transition to normal
operational state. In the event of a self-test failure, the Module will enter an error state and a specific
error code will be returned indicating which self-test has failed. The Module will not provide any
cryptographic services while in this state.
Self-Test Possible Error Code
Software Integrity
Checksum
444
GCM Encrypt 2100 + Test Count
GCM Decrypt 2200 + Test Count
SHA 2300 + Test Count
HMAC 2400 + Test Count
ECDSA Key 2800 + Test Count
KAS 2500 + Test Count (combined indicator of the EC type and failing sub-test)
XTS Encrypt 2600 + Test Count
XTS Decrypt 2700 + Test Count
Table 9 – Module Self-Test Error Codes
Page 23 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
8. Mitigation of Other Attacks
The Module has not been designed to mitigate any specific attacks outside the scope of the FIPS 140-2
requirements. The Module resides within the FIPS 140-2 BlackBerry Cryptographic Kernel operating
environment, which provides an additional layer of protection to attacks of the Module.
Furthermore, any concerns related to the recently discovered (April 2014) bug in some TLS
implementations, publicized as the “heartbleed bug” and referenced as CVE-2014-0160 in the National
Vulnerability Database, are not applicable to the Module implementation. This is because the Module,
either during validation testing or regular operation, does not employ any services, nor does it import
any software components, pertaining to affected OpenSSL implementations.
Page 24 of 25
KEYW Corporation Suite B Cryptographic Module
Cyber Security Division KXD002
9. Referenced Documents
[1] NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography, Revision 1, March 2007, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
[2] NIST SP 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete
Logarithm Cryptography (Draft Revision), August 2012, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/publications/drafts/800-56a/draft-sp-800-56a.pdf
[3] FIPS Publication 197, The Advanced Encryption Standard (AES), U.S. DoC/NIST, November 26, 2001,
Natl. Inst. Stand. Technol. [Web page], http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[4] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
(GCM) and GMAC, November 2007, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[5] FIPS Publication 180-4, Secure Hash Standard (SHS), March 2012, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[6] FIPS Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008, Natl. Inst.
Stand. Technol. [Web page], http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[7] NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for
Confidentiality on Storage Devices, January 2010, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
[8] ANS X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve
Digital Signature Algorithm (ECDSA), November 2005
[9] The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS), National Institute of
Standards and Technology, Updated: August 30, 2012, [Web
page], http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmvs.pdf
[10] The Secure Hash Algorithm Validation System (SHAVS), Updated: July 23, 2012, National Institute of
Standards and Technology, [Web
page], http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf
[11] The Keyed-Hash Message Authentication Code Validation System (HMACVS), Updated: July 23,
2012, National Institute of Standards and Technology, [Web
page], http://csrc.nist.gov/groups/STM/cavp/documents/mac/HMACVS.pdf
[12] The Key Agreement Schemes Validation System (KASVS), Updated September 2011, Natl. Inst.
Stand. Technol. [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASVS.pdf
[13] The XTS-AES Validation System (XTSVS), Updated: March 2, 2011, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf
[14] The FIPS 186-3 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS), Updated:
January 9, 2013, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/groups/STM/cavp/documents/dss2/ecdsa2vs.pdf
[15] NIST SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic
Algorithms and Key Lengths, January 2011, Natl. Inst. Stand. Technol. [Web
page], http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
Page 25 of 25