7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 1/20 Corporation 7705 SAR-OS SAR-18/8/X/Ax/Wx/W/H/Hc Data Plane Cryptographic Module (SARDCM) FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level:1 Document Version: 1.8 December 12, 2022 CAVP CERT 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 2/20 TABLE OF CONTENTS GLOSSARY .................................................................................................................................................................3 1. INTRODUCTION..............................................................................................................................................5 1.1 PURPOSE......................................................................................................................................................5 1.2 VERSIONS AVAILABLE FOR FIPS.................................................................................................................5 2. SAR-OS CRYPTOGRAPHIC MODULE OVERVIEW ................................................................................6 2.1 SARDCM CHARACTERISTICS.....................................................................................................................6 2.2 SARDCM APPROVED ALGORITHMS.........................................................................................................10 2.3 SARDCM INTERFACES.............................................................................................................................11 3. SARDCM ROLES AND SERVICES .............................................................................................................12 4. PHYSICAL SECURITY .................................................................................................................................13 5. OPERATIONAL ENVIRONMENT ..............................................................................................................14 6. KEY TABLE ....................................................................................................................................................15 6.1 KEYS/CSPS ALGORITHMS IN FIPS-140-2 MODE ......................................................................................15 7. EMC/EMI (FCC COMPLIANCE).................................................................................................................16 8. SELF TESTS ....................................................................................................................................................17 8.1 SELF TESTS ON THE DATAPLANE...............................................................................................................17 8.2 CONDITIONAL TEST ON THE CSM .............................................................................................................17 9. FIPS-140 USER GUIDANCE .........................................................................................................................18 9.1 FIPS-140-2 MODE CONFIGURATION .........................................................................................................18 9.2 NON-FIPS-140-2 MODE............................................................................................................................19 10. REFERENCES ...............................................................................................................................................20 LIST OF FIGURES Figure 2-1: SARDCM Diagram of Logical and Physical Boundaries................................6 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 3/20 GLOSSARY AES Advanced Encryption Standard BGP Border Gateway Protocol CBC Cipher Block Chaining CFM Control / Forwarding Module CLI Command Line Interface CMVP Cryptographic Module Validation Program CSM Control Switch Module CSP Critical Security Parameter CVL Component Validation List ESP Encapsulating Security Payload FIPS Federal Information Processing Standard GRE Generic Routing Encapsulation HMAC Hashed Message Authentication Code ICMP Internet Control Message Protocol ICV Integrity Check Value IGMP Internet Group Management Protocol IP Internet Protocol IPSec IP Security LDP Label Distribution Protocol LSP Label Switched Path MPLS Multi-protocol label switching NDRNG Non-Deterministic RNG NGE Network Group Encryption NIST National Institute of Standards and Technology OSPF Open Shortest Path First PFS Perfect Forward Secrecy RNG Random Number Generator SA Security Association SAM Service Aware Manager SFM Switch Fabric Module SHA Secure Hash Algorithm SSH Secure Shell SPI Security Parameter Index 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 4/20 TLS Transport Layer Security TM Traffic Management VPLS Virtual Private LAN Service Table 1 - Glossary 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 5/20 1. INTRODUCTION 1.1 Purpose This document describes the non-proprietary SAR-OS (Service Aggregation Router Operating System) Data Plane Cryptographic Module (SARDCM 1.0) Security Policy for the 7705 SAR- OS SAR-18/8/X/Ax/Wx/W/H/Hc Data Plane Cryptographic Module (SARDCM). These are referenced in the document as either 7705 or SAR. This security policy provides the details for configuring and running the 7705 products in a FIPS-140-2 mode of operation and describes how the module meets the level 1 requirements of FIPS 140-2. Please see the references section for a full list of FIPS 140-2 requirements. Section Section Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self-Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Table 2 - Security Level per FIPS 140-2 Section 1.2 Versions Available for FIPS The following platforms of the 7705 products were tested for running the SARDCM in a FIPS approved mode: Platform Model(s) 7705 SAR platforms supporting datapath encryption including IPSec and NGE SAR-8, SAR-18, SAR-Ax, SAR-H, SAR-Hc, SAR-W, SAR-Wx, SAR-X Table 3 - FIPS Capable Platforms and Models 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 6/20 2. SAR-OS CRYPTOGRAPHIC MODULE OVERVIEW The section provides an overview of the SAR-OS Data Plane Cryptographic Module (SARDCM) and the FIPS validated cryptographic algorithms used by services requiring those algorithms. The SARDCM doesn’t implement any services or protocols directly. Instead, it provides the cryptographic algorithm functions needed to allow SAR-OS to implement cryptography for those services and protocols that require it. 2.1 SARDCM Characteristics Figure 2-1: SARDCM Diagram of Logical and Physical Boundaries The SARDCM logical and physical properties and boundary considerations is illustrated in Figure 2-1. The solid blue line represents the physical boundary of the cryptographic module that represents the hardware system on which SAR-OS is running and hence where SARDCM is also running. The dashed blue line indicates the logical cryptographic boundary of the SARDCM within SAR-OS. The SARDCM is available as a cryptographic service for any SAR- OS services or protocols that require cryptographic operations. 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 7/20 The SARDCM provides the cryptographic services required for the data plane (ie IPSec and NGE). On the 7705 SAR-18/8 and SAR-X/Ax/Wx/W/H/Hc, all the control plane functionality is part of the Control and Switching Module (CSM), while the data plane is managed by the Winpath network processor. It should be noted on SAR-X/Ax/Wx/W/H/Hc platforms the CSM and line cards are physically on the same hardware, but logically separate. The Winpath network processor on these platforms is encryption capable. Also on SAR-18/8 all the control plane functionality is part of the Control and Switching Module (CSM) while the data plane is managed by the Winpath network processor which is present on all interface cards. The data path encryption is done on Winpath for all SAR platform mentioned above. The SARDCM is part of two SAR-OS binary files (both.tim and support.tim) that are used to run the full SAR-OS application. SARDCM is classified as a multi-chip standalone firmware module and SARDCM is included within the SAR-OS application code. SARDCM has been validated on each CSM used by the hardware platforms listed in the following table. Note that the CSM is integrated into the chassis of 7705 SAR-X/Ax/Wx/W/H/Hc variants while the CSM is a separate hardware module on the SAR-8/18 systems and integrated into the chassis on all other 7705 variants. 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 8/20 Platform Dataplane Encryption Hardware Network Processor SAR-8 8pGEv3 12 MIPS core @ 450 MHz Winpath 3 SAR-8 2p 10GE +4p GE 48 MIPS core @400 MHz Winpath 4 SAR-18 8pGEV3 12 MIPS core @ 450 MHz Winpath 3 SAR-18 2p10GE + 4p GE 48 MIPS core @ 400 MHz Winpath 4 SAR-18 1p10GE/10p 1GEv2 12 MIPS core @ 450 MHz Winpath 3 SAR-H 12 MIPS core @ 320 MHz Winpath 3 SAR-Hc 9 MIPS core @ 320 MHz Winpath 3 SAR-X 2 x 48 MIPS core @ 400 MHz Winpath 4 SAR-W 12 MIPS core @ 400 MHz Winpath 3 SAR-Wx 12 MIPS core @ 400 MHz Winpath 3 SAR-Ax 2 MIPS core @ 600Mhz Winpath 3 Table 4 – Validated Hardware and FIPS Compatible Platforms The firmware version used to validate version 1.0 of the SARDCM was SAR-OS 21.10R5. Figure 2-2: Picture of the SAR-8 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 9/20 Figure 2-3: Picture of the SAR-18 Figure 2-4: Picture of the SAR-H Figure 2-5: Picture of the SAR-Hc Figure 2-6: Picture of the SAR-X 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 10/20 Figure 2-7: Picture of the SAR-W Figure 2-8: Picture of the SAR-Wx Figure 2-9: Picture of the SAR-Ax 2.2 SARDCM Approved Algorithms The SARDCM uses the following FIPS approved algorithms: Algorithm CAVP Cert (21.10R5) AES CBC (e/d; 128, 192, 256) C2025, C2026 Triple-DES (TCBC) (e/d; keying option 1) C2025, C2026 HMAC (HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512) C2025, C2026 SHA (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) C2025, C2026 Table 5 – Approved Algorithm Implementations 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 11/20 2.3 SARDCM Interfaces The physical ports used by SARDCM within SAR-OS are the same as those available on the system which is running SAR-OS per the platforms specified in the previous section. The logical interface is a C-language application program interface (API). The Data Input interface consists of the input parameters of the API procedures and includes plaintext and/or cipher text data. The Data Output interface consists of the output parameters of the API procedures and includes plaintext and/or cipher text data. The Control Input interface consists of API functions that specify commands and control data used to control the operation of the module. The API may specify other functions or procedures as control input data. The Status Output includes the return status, data and values associated with the status of the module. The module provides logical interfaces to the other services within SAR-OS and those other SAR-OS services use the following logical interfaces for cryptographic functions: data input, data output, control input, and status output. Interface Description Data Input API input parameters including plaintext and/or cipher text data Data Output API output parameters including plaintext and/or cipher text data Control Input API procedure calls that may include other function calls as input, or input arguments that specify commands and control data used to control the operation of the module. Status Output API return code describing the status of SARDCM Table 6 – FIPS 140-2 Logical Interface Mappings 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 12/20 3. SARDCM ROLES AND SERVICES The SARDCM meets all FIPS 140-2 level 1 requirements for Roles and Services, implementing support for both the Crypto Officer and User roles within the SARDCM. The support for both Crypto Officer and User roles within the SARDCM is classed as a process. As allowed by FIPS 140-2, the SARDCM does not support user authentication for these roles. Only one role may be using the SARDCM at a time and the module does not allow concurrent operators to access the SARDCM. The User and Crypto Officer roles are implicitly assumed by the entity accessing the services implemented by the SARDCM: • Installation and initialization of the SARDCM which is embedded in the SAR-OS image and installed on the SAR-OS platforms is assumed implicitly as the Crypto Officer when installation and initialization occurs. The services available by the SARDCM in FIPS mode to the Crypto Officer and User roles consist of the following: Services Access Critical Security Parameters Crypto Officer User Encryption Execute Symmetric keys AES, Triple-DES X X Decryption Execute Symmetric keys AES, Triple-DES X X Hash (HMAC) Execute HMAC SHA keys X X Perform Self-Tests Execute/read NA X X Show Status Execute NA X X Zeroization Execute Symmetric key, HMAC-SHA keys X X Module Initialization Execute All CSPs X Table 7 – Module Services 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 13/20 4. PHYSICAL SECURITY The module obtains its physical security from any platform running SAR-OS with production grade components and standard passivation as allowed by FIPS 140-2 level 1. 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 14/20 5. OPERATIONAL ENVIRONMENT The SARDCM was tested on the following platforms that represent the required HW components that runs SAR-OS and the SARDCM. Platform used for testing/validation Hardware running SAR-OS SAR-8 6 core @ 800 MHz, on CSMv2 module with: • 8 port GigEv3 card with Winpath 3 network processor • 2 port 10GE + 4 port GE card with Winpath 4 processor SAR-18 8 core @ 600 MHz on SAR-18 CSM module with: • 8 port GigEv3 card with Winpath 3 network processor • 2 port 10GE + 4 port GE card with Winpath 4 network processor SAR-H 2 core @ 600 MHz on chassis with Winpath3 network processor SAR-Hc 2 core @ 600 MHz on chassis with Winpath3 network processor SAR-X 8 core @ 800 MHz on chassis with Winpath4 network processor SAR-W 1 core @ 500 MHz on chassis with Winpath3 network processor SAR-Wx 2 core @ 600 MHz on chassis with Winpath3 network processor SAR-Ax 2 core @ 600 MHz on chassis with Winpath3 network processor Table 8 – Hardware and Platforms Used to Test Module 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 15/20 6. KEY TABLE 6.1 Keys/CSPs Algorithms In FIPS-140-2 Mode The following keys and CSPs are available when running in FIPS-140-2 mode for the SARDCM. The keys are used by the following protocols (IPSec and NGE): Key or CSP User of the service Storage Generation/Input Zeroization Access Role (R,W,X) Triple DES-CBC IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X AES-128-CBC NGE DRAM (plaintext) Operator – Manually Command R, W, X AES-128-CBC IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X AES-192-CBC IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X AES-256-CBC NGE DRAM (plaintext) Operator – Manually Command R, W, X AES-256-CBC IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X HMAC-SHA-1 IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X HMAC-SHA-256 IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X HMAC-SHA-256 NGE DRAM (plaintext) Operator – Manually Command R, W, X HMAC-SHA-384 IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X HMAC-SHA-512 IPSec DRAM (plaintext) API parameter Reboot, Command R, W, X HMAC-SHA-512 NGE DRAM (plaintext) Operator – Manually Command R, W, X Table 9 – Cryptographic Keys and CSPs Access roles include “R”- Read, “W” – Write, and “X” – Execute. No network protocols including IPSec have been reviewed or tested by the CAVP or CMVP. 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 16/20 7. EMC/EMI (FCC COMPLIANCE) The SAR chassis where the Network Processor, SAR-OS and SARDCM runs were tested and found conformant to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (business use). 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 17/20 8. SELF TESTS 8.1 Self Tests on the Dataplane When FIPS-140-2 mode is enabled the node performs the following startup tests: • Firmware integrity check on startup using HMAC-SHA-256 • Triple-DES encrypt KAT • Triple-DES decrypt KAT • AES encrypt 128, 192,256 KAT • AES decrypt 128, 192,256 KAT • HMAC SHA-1 KAT, HMAC SHA-224 KAT, HMAC-SHA-256 KAT, HMAC SHA-384 KAT, HMAC SHA-512 KAT • SHA-1 KAT, SHA-224 KAT, SHA-256 KAT, SHA-384 KAT, SHA-512 KAT Should any of these tests fail, the SARDCM does not allow the network processor to continue booting the image. An error is displayed on the console port that indicates the failed test and the SARDCM forces a reboot of the network processor module to attempt the self-tests again. 8.2 Conditional Test on the CSM When FIPS-140-2 mode is enabled the node performs the following conditional self tests during normal operation of the node: • Manual Key Entry Tests Descriptions of the tests are described in the following sections. SARDCM Failure When a Conditional Test (e.g. Manual Key Entry Test) fails, then the SARDCM is considered as failed. The node will print a message on the console that indicates that the SARDCM has failed. 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 18/20 9. FIPS-140 USER GUIDANCE The following sections described the SAR-OS user guidance for configuring the SAR systems where the SARDCM is embedded and accessed by SAR-OS. 9.1 FIPS-140-2 Mode Configuration To enable FIPS-140-2 on the 7705 a configurable parameter is available in the bof.cfg file. When configured in the bof.cfg, the node boots in FIPS-140-2 mode and the following behaviors are enabled on the node: • Only FIPS-140-2 approved algorithms are available for encryption and authentication for any cryptographic function on the CSM where SAR-OS and the SARDCM reside • Startup tests are executed on the network processor when the node boots • Conditional tests are executed when required during normal operation (e.g. manual key entry test) • In accordance to NIST guidance, operators are responsible for ensuring that a single Triple‐DES key shall not be used to encrypt more than 2^16 64‐bit data blocks. The current state of the bof and the parameters used for booting can be verified with the following CLI commands: *A:bkvm12>show bof *A:bkvm12>show bof booted The output of "show bof booted" would show "fips-140-2" instead of "no fips-140-2". Note the FIPS-140-2 parameter in the bof.cfg does not take effect until the node has been rebooted. When running in FIPS mode the system will display a value in the system command that indicates this is the case. 9.2 Configurations Not Allowed when running in FIPS-140-2 Mode When the node is configured in FIPS-140-2 mode the following disallowed algorithms are visible in CLI but not available. The User must not configure the following algorithms and functions when running in FIPS-140-2 mode or reverse the configuration steps in Section 9.1: • MD5 o SNMP, OSPF, BGP, LDP, NTP authentication, multi-chassis redundancy • HMAC-MD5 SNMP, IS-IS, RSVP • HMAC-MD5-96 o SNMP • HMAC-SHA-1-96 o SNMP, OSPF, BGP, LDP • AES-128-CMAC-96 o BGP, LDP 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 19/20 9.3 Non-FIPS-140-2 Mode The module supports the Crypto Officer and User roles while in the non-Approved mode of operation. To disable FIPS-140-2 on the SAR-8/18/H/Hc/X/W/Wx/Ax, the User must configure the bof with “no fips-140-2” and reboot the system to transition to the non FIPS-140-2 mode. The User must delete persistent keys before switching mode. 7705 Series FIPS-140-2 Security Policy Version 1.0 Copyright 2022 © Nokia Dec 12, 2022 This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 20/20 10.REFERENCES [FIPS 140-2] FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 25, 2001, CHANGE NOTICES (12-03-2002). http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf [FIPS 140-2 DTR] Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 4, 2011 Draft. http://csrc.nist.gov/groups/STM/cmvp/documents/fips140- 2/FIPS1402DTR.pdf [FIPS 140-2 IG] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, December 3, 2019. http://csrc.nist.gov/groups/STM/cmvp/documents/fips140- 2/FIPS1402IG.pdf