Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
Version 2.2
Last Update: 2017-10-20
Prepared by:
atsec information security Corp.
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
2 of 30
1. Introduction ................................................................................................................................4
1.1. Purpose of the Security Policy...............................................................................................4
1.2. Target Audience....................................................................................................................4
2. Cryptographic Module Specification ............................................................................................5
2.1. Description of Module...........................................................................................................5
2.2. Description of Approved Mode..............................................................................................7
2.3. Cryptographic Module Boundary...........................................................................................7
2.3.1. Software Block Diagram .............................................................................................7
2.3.2. Hardware Block Diagram ............................................................................................8
3. Cryptographic Module Ports and Interfaces ...............................................................................10
4. Roles, Services, and Authentication ..........................................................................................11
4.1. Roles ..................................................................................................................................11
4.2. Services .............................................................................................................................11
4.3. Operator Authentication .....................................................................................................17
4.4. Mechanism and Strength of Authentication ........................................................................17
5. Finite State Machine..................................................................................................................18
6. Physical Security .......................................................................................................................19
7. Operational Environment ..........................................................................................................20
8. Cryptographic Key Management ...............................................................................................21
8.1. Key Entry and Output .........................................................................................................21
8.2. Key Storage........................................................................................................................21
8.3. Zeroization Procedure.........................................................................................................21
9. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)....................................22
10. Self-Tests .................................................................................................................................23
10.1. Power-Up Tests .................................................................................................................23
10.2. Integrity Check .................................................................................................................23
11. Design Assurance....................................................................................................................24
11.1. Configuration Management ..............................................................................................24
11.2. Delivery and Operation.....................................................................................................24
11.2.1. Downloading a FIPS 140-2-compatible engine version ..............................................24
11.3. Cryptographic Officer Guidance........................................................................................24
11.3.1. Installation................................................................................................................24
11.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version......................24
11.3.1.2 Configuring the engine..........................................................................................25
11.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode ..............................25
11.3.1.4 Resetting the appliance to factory settings ...........................................................26
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
3 of 30
11.3.1.5 Recovering from a FIPS 140-2 self-test failure .......................................................26
11.3.2. Initialization..............................................................................................................26
11.4. User Guidance..................................................................................................................27
11.4.1. AES GCM ..................................................................................................................27
11.4.2. Zeroization ...............................................................................................................27
12. Mitigation of Other Attacks......................................................................................................28
13. Glossary and Abbreviations.....................................................................................................29
14. References ..............................................................................................................................30
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
4 of 30
1. Introduction
This document is a non-proprietary FIPS 140-2 Security Policy for the Forcepoint NGFW
Cryptographic Kernel Module with the versions 2.0 and 2.0.1. An earlier version of this module has
gone through FIPS 140-2 validation under certificate #1991. This document contains a
specification of the rules under which the module must operate and describes how this module
meets the requirements as specified in the Federal Information Processing Standards Publication
(FIPS PUB) 140-2 for a Security Level 1 multi-chip standalone software module.
1.1. Purpose of the Security Policy
There are three major reasons that a security policy is required:
• For FIPS 140-2 validation,
• Allows individuals and organizations to determine whether the cryptographic module, as
implemented, satisfies the stated security policy, and
• Describes the capabilities, protection, and access rights provided by the cryptographic
module, allowing individuals and organizations to determine whether it will meet their
security requirements.
1.2. Target Audience
This document is intended to be part of the package of documents that are submitted for FIPS
140-2 validation. It is intended for the following people:
• Developers working on the release
• FIPS 140-2 testing lab
• Cryptographic Module Validation Program (CMVP)
• Consumers
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
5 of 30
2. Cryptographic Module Specification
This document is the non-proprietary security policy for the Forcepoint NGFW Cryptographic Kernel
Module, and was prepared as part of the requirements for conformance to FIPS 140-2, Level 1.
The following section describes the module and how it complies with the FIPS 140-2 standard in
each of the required areas.
2.1. Description of Module
The Forcepoint NGFW Cryptographic Kernel Module is a multi-chip standalone, software-only
module that provides general-purpose cryptographic algorithms for Forcepoint applications. The
binary of the module and the integrity check file are qcl_fips.ko and checksums.fips. Assembly
language optimizations are used in the cryptographic module implementation. The module
contains the following cryptographic functionality:
• Cryptographic hash functions
• Message authentication code functions
• Symmetric key encryption and decryption
The following table shows the overview of the security level for each of the eleven sections of the
validation.
Security Component Security Level
Cryptographic Module Specification 1
Cryptographic Module Ports and Interfaces 1
Roles, Services and Authentication 1
Finite State Model 1
Physical Security 1
Operational Environment 1
Cryptographic Key Management 1
EMI/EMC 1
Self Tests 1
Design Assurance 3
Mitigation of Other Attacks N/A
Table 1: Security Levels
The module has been tested on the following platforms:
Module
Version
Manufacturer Model O/S & Ver. AES-NI
2.0 Forcepoint MIL-320 Debian GNU/Linux 6.0-based distri-
bution running on Intel Atom D (sin-
gle-user mode)
Not Support
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
6 of 30
Forcepoint 5206 Debian GNU/Linux 6.0-based distri-
bution running on Intel Xeon E5
(single-user mode)
With AES-NI
Forcepoint 3206 Debian GNU/Linux 6.0-based distri-
bution running on Intel Xeon E5
(single-user mode)
With and Without
AES-NI
Forcepoint 3202 Debian GNU/Linux 6.0-based distri-
bution running on Intel Xeon E5
(single-user mode)
With and Without
AES-NI
Forcepoint 1402 Debian GNU/Linux 6.0-based distri-
bution running on Intel Xeon E5
(single-user mode)
With AES-NI
Forcepoint 1065 Debian GNU/Linux 6.0-based distri-
bution running on Intel Core i3 (sin-
gle-user mode)
With AES-NI
Forcepoint 1035 Debian GNU/Linux 6.0-based distri-
bution running on Intel Celeron
(single-user mode)
With AES-NI
2.0.1 Forcepoint 325-C2 Debian GNU/Linux 9.0-based distri-
bution running on Intel Atom C (sin-
gle-user mode)
With AES-NI
Forcepoint 2105 Debian GNU/Linux 9.0-based distri-
bution running on Intel Xeon D (sin-
gle-user mode)
With AES-NI
Forcepoint 3305 Debian GNU/Linux 9.0-based distri-
bution running on Intel Xeon E5
(single-user mode)
With and Without
AES-NI
Forcepoint 6205 Debian GNU/Linux 9.0-based distri-
bution running on Intel Xeon E5
(single-user mode)
With AES-NI
Table 2A: Tested Platforms
The following are the vendor affirmed platforms for the module version 2.0.1:
Manufacturer Model O/S & Ver. AES-NI
Forcepoint 321-C2 Debian GNU/Linux 9.0-based distribu-
tion running on Intel Atom C (single-user
mode)
With AES-NI
Forcepoint 2101 Debian GNU/Linux 9.0-based distribu-
tion running on Intel Xeon D (single-user
mode)
With AES-NI
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
7 of 30
Forcepoint 3301 Debian GNU/Linux 9.0-based distribu-
tion running on Intel Xeon E5 (single-
user mode)
With AES-NI
Table 2B: Vendor Affirmed Platforms
Note: Per IG G.5, the CMVP makes no statement as to the correct operation of the module or the security
strengths of the generated keys when the module is ported to the vendor affirmed platforms that are not listed on
the validation certificate.
2.2. Description of Approved Mode
The cryptographic module supports only a FIPS 140-2 approved mode. The cryptographic module
is initialized and set in the FIPS 140-2 approved mode when the kernel module is loaded.
The calling application can call the ssh_crypto_get_certification_mode() function to confirm the
current mode of operation. It returns SSH_CRYPTO_CERTIFICATION_FIPS_140_2 to indicate that the
module is indeed in the FIPS 140-2-approved mode.
The module supports the following approved functions:
• AES: ECB, CBC, OFB, CFB128 and GCM modes
• Triple-DES: ECB, CBC, OFB and CFB64 modes
• SHS: hashing
• HMAC: message integrity
2.3. Cryptographic Module Boundary
2.3.1.Software Block Diagram
The logical boundary of the module is the binary code of the Cryptographic Kernel Module itself,
which is indicated by the “Cryptographic Boundary” rectangle as illustrated in the diagram below.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
8 of 30
Forcepoint NGFW
Cryptographic Kernel
Module
Data in
Physical Boundary
Data out
Control in
Status out
Cryptographic Boundary
Userspace
Kernel
2.3.2.Hardware Block Diagram
The physical boundary of the module is the enclosure of the appliance that the module is running
on. The module was tested on seven separate appliances, all of which are general purpose
computers. The hardware block diagram below depicts all test appliances and their internal
components and ports (processor, SSD, USB, Ethernet, etc.).
Figure 1: Software Block Diagram
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
9 of 30
Processor
Chipset RAM
CFast Drive*
Ethernet
Controller /
Ports
(6)
(8)
(4)
Disk
Controller
(10)
(7)
(9)
Serial Controller / Port
(5)
Power
Supply
ROM
USB Controller / Ports
(3)
(1)
(2)
1, 2, 4, 5, 6, 7, 8, 12, 13, 14 and 15: Data in, data out, control in, status out
3: Power in
9, 10 and 11: Control in
Cryptographic Module Boundary
Storage Slot /
SSD**
(11)
Expansion
Module Slot /
Ethernet
Ports ***
(13)
(12)
*) 321, 325, 2101, 2105, MIL-320, 1035, 1065
**) 3301, 3305, 6205, 1402, 3202, 3206, 5206
***) 325, 2101, 2105, 3301, 3305, 6205, 1035, 1065, 1402, 3202, 3206, 5206
Wireless
Module /
Radio /
Antenna ****
(15)
(14)
****) 325, MIL-320
Figure 2: Hardware Block Diagram
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
10 of 30
3. Cryptographic Module Ports and Interfaces
FIPS Interface Physical Ports Logical Ports
Data Input Ethernet ports, serial port, wireless
radio
API input parameters
Data Output Ethernet ports, serial port, wireless
radio
API output parameters and return
values
Control Input Serial port, Ethernet ports, wireless
radio
API functions, API input parameters
Status Output Serial port, Ethernet ports, wireless
radio
API return values, console, kernel ring
buffer
Power Input PC power supply port N/A
Table 3: Ports and Interfaces
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
11 of 30
4. Roles, Services, and Authentication
4.1. Roles
The module implements both a User and a Cryptographic Officer (CO) role. The module does not
allow concurrent operators.
The User role assumes to perform Approved algorithms operations. The CO role assumes to
perform module installation and initialization.
The User and CO roles are implicitly assumed by the entity accessing services implemented by the
module. No further authentication is required. The CO can initialize the module.
4.2. Services
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO
Symmetric Algorithms
AES encryption
and decryption
✓ 128, 192, 256
bit keys
ECB,
CBC,
OFB,
CFB128
Yes
Certs
#2914,
#2915,
#2916,
#2917,
#2918,
#2919,
#2920,
#2921,
#4587,
#4589,
#4650,
#4717
RWX FIPS 197
ssh_cipher_allocate
ssh_cipher_free
ssh_cipher_get_blo
ck_length
ssh_cipher_get_iv
ssh_cipher_get_iv_l
ength
ssh_cipher_get_key
_length
ssh_cipher_get_ma
x_key_length
ssh_cipher_get_mi
n_key_length
ssh_cipher_get_sup
ported
ssh_cipher_has_fix
ed_key_length
ssh_cipher_is_fips_
approved
ssh_cipher_name
sh_cipher_set_iv
ssh_cipher_support
ed
ssh_cipher_transfor
m
ssh_cipher_transfor
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
12 of 30
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO m_remaining
ssh_cipher_transfor
m_with_iv
ssh_cipher_get_blo
ck_len
AES-GCM au-
thenticated en-
cryption and de-
cryption
✓128, 192, 256
bit keys
GCM Yes
Certs
#2914,
#2915,
#2916,
#2917,
#2918,
#2919,
#2920,
#2921,
#4587,
#4589,
#4650,
#4717
RWX SP 800-38D
ssh_cipher_allocate
ssh_cipher_free
ssh_cipher_get_blo
ck_length
ssh_cipher_get_iv
ssh_cipher_get_iv_l
ength
ssh_cipher_get_key
_length
ssh_cipher_get_ma
x_key_length
ssh_cipher_get_mi
n_key_length
ssh_cipher_get_sup
ported
ssh_cipher_has_fix
ed_key_length
ssh_cipher_is_fips_
approved
ssh_cipher_name
sh_cipher_set_iv
ssh_cipher_support
ed
ssh_cipher_transfor
m
ssh_cipher_transfor
m_remaining
ssh_cipher_transfor
m_with_iv
ssh_cipher_get_blo
ck_len
ssh_cipher_is_auth
_cipher
ssh_cipher_auth_re
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
13 of 30
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO set
ssh_cipher_auth_u
pdate
ssh_cipher_auth_fi
nal
ssh_cipher_auth_di
gest_length
ssh_cipher_is_auth
ssh_cipher_generat
e_iv_ctr
ssh_cipher_auth_di
gest_len
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
14 of 30
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO
Triple-DES
encryption and
decryption
✓168 bit keys ECB,
CBC,
OFB,
CFB64
Yes
Certs
#1729,
#1730,
#1731,
#1732,
#1733,
#1734,
#2440,
#2441,
#2473
RWX SP 800-67
ssh_cipher_allocate
ssh_cipher_free
ssh_cipher_get_blo
ck_length
ssh_cipher_get_iv
ssh_cipher_get_iv_l
ength
ssh_cipher_get_key
_length
ssh_cipher_get_ma
x_key_length
ssh_cipher_get_mi
n_key_length
ssh_cipher_get_sup
ported
ssh_cipher_has_fix
ed_key_length
ssh_cipher_is_fips_
approved
ssh_cipher_name
sh_cipher_set_iv
ssh_cipher_support
ed
ssh_cipher_transfor
m
ssh_cipher_transfor
m_remaining
ssh_cipher_transfor
m_with_iv
ssh_cipher_get_blo
ck_len
Hash Functions
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
✓ N/A Yes
Certs
#2452,
#2453,
#2454,
#2455,
#2456,
#2457,
RX FIPS 180-4
ssh_hash_allocate
ssh_hash_digest_le
ngth
ssh_hash_final
ssh_hash_free
ssh_hash_get_supp
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
15 of 30
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO #3762,
#3763,
#3809
orted
ssh_hash_input_blo
ck_size
ssh_hash_is_fips_a
pproved
ssh_hash_name
ssh_hash_reset
ssh_hash_supporte
d
ssh_hash_update
Message Authentication Codes (MACs)
HMAC-SHA1
HMAC-SHA224
HMAC-SHA-256
HMAC-SHA-384
HMAC-SHA-512
✓ At least 112
bits HMAC key
N/A Yes
Certs
#1843,
#1844,
#1845,
#1846,
#1847,
#1848,
#3036,
#3037,
#3078
RWX FIPS 198-1
ssh_mac_allocate
ssh_mac_final
ssh_mac_free
ssh_mac_get_block
_length
ssh_mac_get_max_
key_length
ssh_mac_get_min_
key_length
ssh_mac_get_supp
orted
ssh_mac_is_fips_ap
proved
ssh_mac_length
ssh_mac_name
ssh_mac_reset
ssh_mac_supporte
d
ssh_mac_update
Management
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
16 of 30
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO
Installation ✓
N/A N/A N/A N/A Please refer to sec-
tion 11.3 “Crypto-
graphic Officer
Guidance” for se-
cure installation of
the module.
Initialization ✓
N/A N/A N/A RX ssh_crypto_library_
initialize
sg_crypto_register_
error_callback
Mode manage-
ment
✓
N/A N/A N/A RX ssh_crypto_get_cer
tification_mode
ssh_crypto_set_cer
tification_mode
Uninitialization ✓
N/A N/A N/A RX ssh_crypto_free
ssh_crypto_library_
uninitialize
External crypto
registration
✓
N/A N/A N/A RX The external cryp-
to registration is
not supported on
the tested For-
cepoint platforms.
The functions be-
low return
SG_CRYPTO_REGIS
TER_NOT_SUPPORT
ED.
sg_cipher_external
_register
sg_cipher_external
_unregister
sg_hash_external_r
egister
sg_hash_external_
unregister
sg_mac_external_r
egister
sg_mac_external_u
nregister
sg_ciphermac_exte
rnal_register
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
17 of 30
Service Roles CSP Modes FIPS Ap-
proved?
Cert # (if
applica-
ble)
Access Notes/API func-
tion
User
CO sg_ciphermac_exte
rnal_unregister
Status
Query status ✓
✓
N/A N/A N/A RX ssh_crypto_library_
get_status
ssh_crypto_library_
get_version
ssh_crypto_status_
message
Self-tests
Perform self-
tests
✓
✓
N/A N/A N/A RX ssh_crypto_library_
self_tests
Table 4: Services
Note – The 3305 and 6205 platforms share the same processor family and operating system. The CAVS certificates for
3305 will therefore apply to both 3305 and 6205 platforms.
4.3. Operator Authentication
There is no operator authentication; assumption of role is implicit by action.
4.4. Mechanism and Strength of Authentication
No authentication is required at Security Level 1; authentication is implicit by assumption of the
role.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
18 of 30
5. Finite State Machine
The following diagram represents the states and transitions of the cryptographic module.
Figure 3: Cryptographic Module Finite State Machine
The state model contains the following states:
• UNLOADED: The start state of the cryptographic module is UNLOADED. The module is in this
state until the shared library is loaded and linked to the application. Cryptographic operations
are not available while in this state.
• UNINITIALIZED: The module is in the UNINITIALIZED state after it has been loaded but not yet
initialized, or it has been successfully uninitialized. Cryptographic operations are not available
while in this state.
• SELF-TEST: The module performs power-up self-tests during initialization or on-demand. Cryp-
tographic operations are not available while in this state.
• OK: The cryptographic operations are available and are performed.
• ERROR: A self-test, a cryptographic operation or uninitialization has failed. An error indicator is
output by the module.
The state transitions are as follows:
1. The loadable kernel module is loaded.
2. The cryptographic module is initialized using the ssh_crypto_library_initialize function. The
function is called automatically when the cryptographic kernel module is loaded.
3. The self-tests succeed.
4. A cryptographic operation is performed successfully.
5. Self-tests are performed using the ssh_crypto_library_self_tests function.
6. The cryptographic module is uninitialized using the ssh_crypto_library_uninitialize function.
7. The shared library or the loadable kernel module is unloaded.
8. The self-tests fail.
9. A conditional test fails during a cryptographic operation.
10. The module uninitialization fails because cryptographic objects are still referenced.
11. Cryptographic objects are no longer in use and the module uninitialization succeeds. This
transition also occurs automatically when the power-up self-tests fail during the module
initialization.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
19 of 30
6. Physical Security
The cryptographic module is tested on the Forcepoint MIL-320, 5206, 3206, 3202, 1402, 1065 and
1035 appliances that consist of production-grade components with standard passivation and a
production-grade enclosure.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
20 of 30
7. Operational Environment
This module will operate in a modifiable operational environment per the FIPS 140-2 definition.
The module operates on the Forcepoint NGFW Debian GNU/Linux based hardened operating
system that is set in the FIPS 140-2 compatible mode of operation. Login to the operating system
is disabled and only the preinstalled Forcepoint application is running on the system. Therefore the
operational environment is considered non-modifiable. The application that uses the cryptographic
module is also the single user of the module.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
21 of 30
8. Cryptographic Key Management
Keys are established externally. CSPs can be accessed only using the API. The operating system
protects the memory and the address space of the process from unauthorized access.
Name Auth
Role
Generation Size and
Type
Output Storage Zeroization
AES
symmetric
keys
User External,
electronic
entry
128-, 192-,
256-bit
Symmetric
key
N/A Plaintext in
memory
API call, power off
Triple-DES
symmetric
keys
User External,
electronic
entry
168-bit
Symmetric
key
N/A Plaintext in
memory
API call, power off
HMAC key User External,
electronic
entry
At least
112 bits
Symmetric
key
N/A Plaintext in
memory
API call, power off
HMAC key
for
module
integrity
check
User,
Crypto
Officer
Manufacturer 128 bits
HMAC-
SHA-256
key
N/A In module
binary
Zeroization is not
required per FIPS
IG 7.4
Table 6: Key Management
8.1. Key Entry and Output
The cryptographic module supports electronic entry of symmetric keys and HMAC keys via API
parameters. The application using the cryptographic module can pass secret keys to the module in
plaintext within the physical boundary. The keys are associated with the calling application and
are all ephemeral. Both User and Crypto Officer can enter, use and destroy symmetric keys. The
module does not output any keys or CSPs.
8.2. Key Storage
The keys and CSPs are stored in plaintext in memory. The module does not provide persistent
storage of keys.
8.3. Zeroization Procedure
The stored keys and CSPs are zeroized when the application calls the appropriate API function:
ssh_cipher_free and ssh_mac_free. It is the calling application responsibility to call the zeroization
API function to zeroize the keys and CSPs. Temporary key material is zeroized automatically by the
module when no longer needed. All keys and CSPs can be zeroized by powering off the module
and performing a system restore operation by the operational environment.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
22 of 30
9. Electromagnetic Interference/Electromagnetic Compatibility
(EMI/EMC)
All seven test platforms as shown in Table 2 are compliant to 47 CFR FCC Part 15, Subpart B, Class
A (Business use).
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
23 of 30
10. Self-Tests
10.1. Power-Up Tests
The power-up self-tests are executed automatically when the cryptographic module is loaded. The
kernel module initialization function returns 0 (SSH_CRYPTO_OK) when the power-up self-tests have
succeeded. If the power-up self-tests fail, the cryptographic module outputs an error indicator and
enters an error state. The computer will need to be restarted in order for the cryptographic module
to return to an operational state. No further operations are allowed when the module is in an error
state.
Self-tests are performed on-demand when the user calls the ssh_crypto_library_self_tests function.
Cryptographic algorithm tests (Known Answer Tests):
• AES encryption and decryption tested separately
• Triple-DES encryption and decryption tested separately
• HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512
• SHA-1, SHA-256, SHA-512
Cryptographic self-test error messages:
• Cipher algorithm test failed during self test.
• Mac algorithm test failed during self test.
• Hash algorithm test failed during self test.
• The checksum of the library is incorrect. Integrity has been compromised.
It is the application’s responsibility to reboot the appliance to recover the module from the error
state. The library will not cause the rebooting of the appliance.
10.2. Integrity Check
The cryptographic module uses the HMAC-SHA-256 message authentication code of the module
binary for the integrity tests. The module reads the module binary file, computes the HMAC-SHA-
256 MAC of the file content and compares it to the known correct MAC that is input to the module
when it is loaded.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
24 of 30
11. Design Assurance
11.1. Configuration Management
Git and SharePoint are used for configuration management of the cryptographic module.
11.2. Delivery and Operation
The cryptographic module is never released as source code. It is delivered as part of the
Forcepoint NGFW software (formerly Stonesoft Security Engine). The FIPS-compatible Forcepoint
NGFW software image is downloaded from the Forcepoint website. The Forcepoint NGFW software
is also preinstalled on Forcepoint NGFW appliances (see Table 2: Tested Platforms). Product
information for the appliances is available at the Forcepoint website:
https://www.forcepoint.com/product/network-security/forcepoint-ngfw
11.2.1. Downloading a FIPS 140-2-compatible engine version
A FIPS-compatible version of the Forcepoint NGFW software is downloaded as follows:
1. Go to the Forcepoint NGFW Downloads page at https://support.forcepoint.com/Downloads.
2. Enter the Proof-of-License (POL) or Proof-of-Serial (POS) code in the License Identification field
and click Submit.
3. Click Forcepoint NGFW downloads. The Forcepoint NGFW Downloads page opens.
4. Download the .zip installation file.
5. Verify the SHA checksum. The correct checksum is shown on the download page.
11.3. Cryptographic Officer Guidance
11.3.1. Installation
The cryptographic module is delivered as part of the Forcepoint NGFW software. To run the
cryptographic module on a Forcepoint NGFW appliance, the NGFW software is set to a FIPS-
compatible operating mode.
11.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version
Forcepoint NGFW appliances are delivered with the most recent engine software preinstalled. The
engine software must be upgraded to the FIPS 140-2-compatible engine version before entering
FIPS-compatible operating mode. This is necessary even if the same version was installed
previously, because the file system checksum is stored during the upgrade process.
To upgrade to the FIPS 140-2-compatible engine version:
1. Save the FIPS 140-2-compatible engine upgrade zip file in the root directory of a USB memory
stick. Note – The engine upgrade zip file must be in the root directory of the media.
2. Boot up the appliance. The Engine Configuration Wizard starts.
3. In the NGFW Initial Configuration Wizard, select Firewall/VPN for the role.
4. Select Upgrade. The Select Source Media dialog opens.
5. Select USB Memory. The upgrade starts.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
25 of 30
6. Select OK. The engine reboots and the Engine Configuration Wizard starts with the engine im-
age verification dialog shown. Select Calculate. The file system checksum is calculated and
displayed below the checksum from the engine image zip file.
7. Verify that the calculated checksum is identical to the checksum from the zip file.
8. Select OK. The upgrade starts and the engine reboots.
9. Check the engine version to make sure that the certified version is loaded.
10. Select kernel in FIPS mode after reboot.
Continue as instructed in Configuring the engine, below.
11.3.1.2 Configuring the engine
To configure the engine:
1. Start the Engine Configuration Wizard as instructed in the Configuring the Engine in the
Engine Configuration Wizard section of the Forcepoint NGFW Installation Guide.
2. Configure the Operating System settings as instructed in the Configuring the Operating
System Settings section of the Forcepoint NGFW Installation Guide. Select Restricted FIPS-
compatible operating mode. The SSH (Secure Shell) daemon and root password options are
automatically disabled in the Engine Configuration Wizard.
3. Configure the network interfaces according to your environment as instructed in the Config-
uring the Network Interfaces section of the Forcepoint NGFW Installation Guide.
4. Contact the Management Server as instructed in the Contacting the Management Server
section of the Forcepoint NGFW Installation Guide. Enter node IP address manually is selected
by default and other IP address options are disabled when FIPS-compatible operating mode is
enabled.
The engine restarts.
11.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode
Restricted FIPS 140-2-compatible operating mode must be enabled during the initial configuration
of the appliance. The following steps describe how to verify that FIPS 140-2-compatible operating
mode has been activated.
To verify activation of FIPS 140-2-compatible operating mode:
1. Verify that the following messages are displayed on the console when the engine restarts:
FIPS: rootfs integrity check OK
(displayed after the root file system integrity test has been executed successfully)
FIPS power-up tests succeeded
(displayed after the FIPS 140-2 power-up tests have been executed successfully)
2. Continue as instructed in the After Successful Management Server Contact section of the
Forcepoint NGFW Installation Guide.
Note – If the engine does not enter FIPS-compatible operating mode even though it is configured
to do so, or if the power-up tests fail (a power-up test error message is displayed or the success
message is not displayed), the appliance must be reset to factory settings and reinstalled as
instructed in Recovering from a FIPS 140-2 self-test failure.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
26 of 30
11.3.1.4 Resetting the appliance to factory settings
Resetting the appliance to factory settings is not part of the normal installation procedure. There is
no need to reset the appliance to factory settings before starting to use it for the first time. These
instructions can be used to reset the appliance to factory settings when necessary, such as when
initial configuration has been completed without enabling the Restricted FIPS-compatible operating
mode, during use, or when the appliance is being removed from use.
To reset the appliance to factory settings:
1. Reboot the appliance and select System restore options from the boot menu. Forcepoint
NGFW System Restore starts.
2. Enter 2 for Advanced data removal options.
3. Enter one of the following options:
• 1 for 1 pass overwrite
• 8 for a Custom number of overwrite passes
If you selected Custom, enter the number of overwrite passes. A larger number of overwrites is
more secure, but it may take a considerable amount of time depending on the appliance storage
capacity.
11.3.1.5 Recovering from a FIPS 140-2 self-test failure
If the FIPS 140-2 power-up self-tests fail, or the engine does not enter FIPS-compatible operating
mode, the appliance must be reset to factory settings and reinstalled according to these
instructions. Begin by Resetting the appliance to factory settings.
To recover from a FIPS 140-2 self-test failure:
1. Reset the appliance to factory settings as instructed in Resetting the appliance to factory
settings.
2. Repeat the engine version upgrade as instructed in Upgrading appliances to the FIPS 140-
2-compatible engine version.
3. Configure the firewall engine and enable FIPS-compatible operating mode as instructed in
Configuring the engine.
4. Verify that FIPS-compatible operating mode is activated as instructed in Verifying activation
of FIPS 140-2-compatible operating mode.
11.3.2. Initialization
The cryptographic module is initialized by loading the kernel module before any cryptographic
functionality is available. The kernel module is loaded as follows:
# modprobe –f <module name> msg_digest=<hash value> file_path=<module path> \
file_size=<module size>
<module name> is the name of the kernel module
<hash value> is the known SHA-256 hash value for the integrity check
<module path> is the pathname of the kernel module binary
<module size> is the size of the kernel module binary
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
27 of 30
The operation is performed automatically by the Forcepoint NGFW software.
11.4. User Guidance
11.4.1. AES GCM
If the module’s power is lost and then restored, the key used for the AES GCM
encryption/decryption shall be redistributed.
11.4.2. Zeroization
When a cryptographic key is no longer used, the key must be zeroized and freed using the
ssh_cipher_free and ssh_mac_free functions for symmetric key encryption/decryption and message
authentication keys, respectively.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
28 of 30
12. Mitigation of Other Attacks
No other attacks are mitigated.
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
29 of 30
13. Glossary and Abbreviations
AES Advanced Encryption Specification
API Application Programming Interface
CAVP Cryptographic Algorithm Validation Program
CBC Cipher Block Chaining
CFB Cipher Feedback
CMT Cryptographic Module Testing
CMVP Cryptographic Module Validation Program
CO Cryptographic Officer
CSP Critical Security Parameter
CTR Counter
CVT Component Verification Testing
DES Data Encryption Standard
ECB Electronic Codebook
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FCC Federal Communications Commission
FIPS Federal Information Processing Standards
FSM Finite State Model
GCM Galois Counter Mode
HMAC Hash Message Authentication Code
MAC Message Authentication Code
NIST National Institute of Science and Technology
NVLAP National Voluntary Laboratory Accreditation Program
OFB Output Feedback
O/S Operating System
POL Proof-of-License
POS Proof-of-Serial
SHA Secure Hash Algorithm
SHS Secure Hash Standard
UI User Interface
Forcepoint NGFW Cryptographic Kernel Module
FIPS 140-2 Non-Proprietary Security Policy
© 2017 Forcepoint / atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
30 of 30
14. References
[1] FIPS 140-2 Standard: http://csrc.nist.gov/groups/STM/cmvp/standards.html
[2] FIPS 140-2 Implementation Guidance: http://csrc.nist.gov/groups/STM/cmvp/standards.html
[3] FIPS 140-2 Derived Test Requirements: http://csrc.nist.gov/groups/STM/cmvp/standards.html
[4] FIPS 197 Advanced Encryption Standard: http://csrc.nist.gov/publications/PubsFIPS.html
[5] FIPS 180-4 Secure Hash Standard: http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[6] FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC):
http://csrc.nist.gov/publications/PubsFIPS.html
[7] SP 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher:
http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
[8] SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM)
and GMAC: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf