SonicWall, Inc. SonicWALL TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700 and NSa 3700 Non-Proprietary FIPS 140-2 Security Policy Document Version: 1.0 Date: February 17, 2022 Level 2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 2 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Copyright Notice Copyright © 2022 SonicWall, Inc. Public Material May be reproduced only in its original entirety (without revision). SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 3 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1. Introduction ..................................................................................................................6 1.1 Module Description and Cryptographic Boundary ......................................................................7 1.2 Ports and Interfaces .....................................................................................................................7 1.3 Modes of Operation...................................................................................................................17 1.3.1 FIPS 140-2 Approved mode of Operation.....................................................................................17 1.3.2 Non-Approved mode of Operation...............................................................................................18 1.3.3 Non-Approved Algorithms with No Security Claimed ..................................................................18 2. Cryptographic Functionality ......................................................................................... 19 2.1 Critical Security Parameters.......................................................................................................22 2.2 Public Keys..................................................................................................................................23 3. Roles, Authentication and Services .............................................................................. 24 3.1 Assumption of Roles...................................................................................................................24 3.2 Authentication Methods............................................................................................................25 3.3 Services.......................................................................................................................................26 3.3.1 User Role Services.........................................................................................................................26 3.3.2 Crypto Officer Services..................................................................................................................26 3.3.3 Unauthenticated services .............................................................................................................27 4. Self-tests ..................................................................................................................... 32 5. Physical Security Policy................................................................................................ 34 6. Operational Environment ............................................................................................ 38 7. Mitigation of Other Attacks Policy................................................................................ 39 8. Security Rules and Guidance ........................................................................................ 40 8.1 Crypto-Officer Guidance ............................................................................................................40 8.2 Transition of module to and from Approved mode of operation..............................................41 9. References and Definitions .......................................................................................... 42 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 4 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). List of Tables Table 1 – Cryptographic Module List ............................................................................................................6 Table 2 – Security Level of Security Requirements.......................................................................................6 Table 3 – Front view Physical ports/Logical interfaces description for the TZ270/TZ270W/TZ370/TZ370W ......................................................................................................................................................................8 Table 4 – Rear view Physical Ports/Logical Interfaces description for TZ270/270W/370 and TZ370W......9 Table 5 – List of Physical ports/Logical interfaces description for the TZ470 and TZ470W ......................10 Table 6 – Rear view of Physical ports/Logical Interfaces description for the TZ470 and TZ470W............11 Table 7 – Front Panel Physical Ports/Logical Interfaces description of TZ570/TZ570W/TZ570P and TZ670 ....................................................................................................................................................................13 Table 8 – Rear Panel Physical Ports/Logical Interfaces description of TZ570/TZ570W/TZ570P and TZ670 ....................................................................................................................................................................14 Table 9 – Front view of Physical ports/Logical interfaces description for NSa 2700 and NSa 3700.........15 Table 10 – Rear view of Physical ports/Logical interfaces description for NSa 2700 and NSa 3700.........17 Table 11 – Approved Algorithms ................................................................................................................19 Table 12 - Non-Approved but Allowed Cryptographic Functions...............................................................21 Table 13 - Security Relevant Protocols Used in FIPS Mode ........................................................................21 Table 14 – Role Description ........................................................................................................................24 Table 15 – Authentication Description .......................................................................................................25 Table 16 – Authenticated Services..............................................................................................................28 Table 17 – Unauthenticated Services .........................................................................................................28 Table 18 – Security Parameters Access Rights within Services and CSPs...................................................29 Table 19 – Security Parameters Access Rights within Services and Public Keys.........................................30 Table 20 – Number of Tamper Evident Seals..............................................................................................34 Table 21 - References..................................................................................................................................42 Table 22 – Acronyms and Definitions .........................................................................................................43 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 5 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). List of Figures Figure 1. Front view of the physical ports on TZ270....................................................................................7 Figure 2. Front view of the physical ports on TZ270W.................................................................................8 Figure 3. Front view of the physical ports on TZ370.....................................................................................8 Figure 4. Front view of the physical ports on TZ370W.................................................................................8 Figure 5. Rear view of the physical ports of the TZ270, TZ270W, TZ370 and TZ370W ...............................9 Figure 6. Front View of the physical ports of the TZ470.............................................................................10 Figure 7. Front View of the physical ports of the TZ470W .........................................................................10 Figure 8. Rear View of the physical ports of the TZ470 and TZ470W.........................................................11 Figure 9. Front view of TZ570 .....................................................................................................................12 Figure 10. Front view of TZ570W................................................................................................................12 Figure 11. Front view of TZ570P .................................................................................................................12 Figure 12. Front view of TZ670 ...................................................................................................................13 Figure 13. Rear view of TZ570/TZ 570P/TZ670...........................................................................................14 Figure 14. Rear view of TZ570W.................................................................................................................14 Figure 15. Front View of the physical ports of NSa 2700............................................................................15 Figure 16. Front View of the physical ports of NSa 3700............................................................................15 Figure 17. Rear View of NSa 2700...............................................................................................................16 Figure 18. Rear view of NSA 3700...............................................................................................................17 Figure 19. Tamper seal placements for TZ270/ TZ270W/ TZ370/ TZ370W/ TZ470/ TZ470W (Bottom View) ....................................................................................................................................................................35 Figure 20. Tamper seal placements for TZ570/ TZ570W/ TZ570P (Bottom View).....................................35 Figure 21. Tamper seal placements for TZ670 (Bottom View) ...................................................................36 Figure 22. Tamper seal placement for NSa 2700/ NSa 3700 (Left View)....................................................36 Figure 23. Tamper seal placement for NSa 2700/ NSa 3700 (Bottom View)..............................................37 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 6 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 1. Introduction This document defines the Security Policy for the SonicWALL TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700 and NSa 3700 models, hereafter denoted as the Module. The Module is an Internet security appliance, which provides stateful packet filtering firewall, deep packet inspection, virtual private network (VPN), and traffic shaping services. The Module is a multiple-chip standalone cryptographic module, in 11 configurations with hardware part numbers and versions as follows: Table 1 – Cryptographic Module List Module Hardware P/N and Version Firmware Version 1 TZ270 101-500665-50 SonicOS 7.0 2 TZ270W 101-500666-50 SonicOS 7.0 3 TZ370 101-500649-50 SonicOS 7.0 4 TZ370W 101-500648-50 SonicOS 7.0 5 TZ470 101-500643-50 SonicOS 7.0 6 TZ470W 101-500629-50 SonicOS 7.0 7 TZ570 101-500594-51 SonicOS 7.0 8 TZ570W 101-500593-51 SonicOS 7.0 9 TZ570P 101-500640-50 SonicOS 7.0 10 TZ670 101-500592-51 SonicOS 7.0 11 NSa 2700 101-500661-50 SonicOS 7.0 12 NSa 3700 101-500663-50 SonicOS 7.0 The Module firmware version for all models is SonicOS 7.0. Note that the different hardware versions vary only in form factor, CPU, number of ports, presence of wireless interfaces, and memory. The Module is intended for use by US Federal agencies and other markets that require FIPS 140-2 validated cryptographic modules. The appliance Encryption technology uses Suite B algorithms. Suite B algorithms are approved by the U.S. government for protecting both Unclassified and Classified data. The FIPS 140-2 security levels for the Module are as follows: Table 2 – Security Level of Security Requirements Security Requirement Security Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 3 Finite State Model 2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 7 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Security Requirement Security Level Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A Overall 2 The overall FIPS validation level for the module is Security Level 2. 1.1 Module Description and Cryptographic Boundary The physical form of the Module is depicted in Figure 1 through Figure 18. The Module is a multi-chip standalone embodiment. The cryptographic boundary is the surfaces and edges of the device enclosure, inclusive of the physical ports. 1.2 Ports and Interfaces The Module’s ports and associated FIPS defined logical interface categories are listed in the tables in this section. Figure 1. Front view of the physical ports on TZ270 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 8 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 2. Front view of the physical ports on TZ270W Figure 3. Front view of the physical ports on TZ370 Figure 4. Front view of the physical ports on TZ370W Table 3 – Front view Physical ports/Logical interfaces description for the TZ270/TZ270W/TZ370/TZ370W Physical Ports Quantity (Label in Figure) Description Logical Interfaces USB Interfaces 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 9 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Status LEDs Varies One Power LED: Indicate TZ is receiving power. One Test LED: Indicates module is initializing and performing self- tests. One Security LED: Indicates security services monitored by this LED. One Storage LED: Indicates status of extended storage. One U0 WWAN LED indicated for 5G/LTE activity. One Wireless W0 WLAN LED (TZ270W & TZ370W only): indicates WLAN status. Status output Ethernet Interface LED 8 Ethernet interface LEDs (X0-X7): 1G link activity. In general, these LEDs indicates the status of the Ethernet interface. Status output Figure 5. Rear view of the physical ports of the TZ270, TZ270W, TZ370 and TZ370W Table 4 – Rear view Physical Ports/Logical Interfaces description for TZ270/270W/370 and TZ370W Physical Ports Quantity (Label in Figure) Description Logical Interfaces Power Interface 1 AC power interfaces Power Console Interface 1 One RJ-45 Console port. Data Input, Control Input and status output Safe Mode/Reset Button 1 Used to manually reset the appliance to Safe Mode. Control Input 1G Ethernet Interface 8 1G Ethernet ports (X0-X7). Data Input, data output, status output, and control input (via SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 10 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). the external GUI Administration interface) Figure 6. Front View of the physical ports of the TZ470 Figure 7. Front View of the physical ports of the TZ470W Table 5 – List of Physical ports/Logical interfaces description for the TZ470 and TZ470W Physical Ports Quantity (Labels in Figure) Description Logical Interfaces USB Interfaces 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Status LED 6 One Power LED: Indicate TZ is receiving power. One Test LED: Indicates module is initializing and performing self- tests. One Security LED: Indicates security services monitored by this LED. Status output SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 11 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). One Storage LED: Indicates status of extended storage. One U0 WWAN LED indicated for 5G/LTE activity. One Wireless W0 WLAN LED (TZ470W only): indicates WLAN status. Ethernet/SFP/SFP+ LEDs 10 Ethernet interface LEDs (X0-X7): 1G link activity SFP/SFP+ interface LEDs (X8-X9): 2.5G or 1G link activity. In general, these LEDs indicates the status of the Ethernet/SFP/SFP+ interface. Status output Figure 8. Rear View of the physical ports of the TZ470 and TZ470W Table 6 – Rear view of Physical ports/Logical Interfaces description for the TZ470 and TZ470W Physical Ports Quantity (Labels in Figure) Description Logical Interfaces Power Interface 1 AC power interface Power Serial Console Interface 2 One RJ-45 and One Micro USB Console port. Data input, control input and status output Safe Mode/Reset Button 1 Used to manually reset the appliance to Safe Mode. Control Input SFP/SFP+ Interface 2 2x SFP/SFP+ interfaces with LINK and ACT LEDs. TZ470 and TZ470W support 1G and 2.5G on interface X8/X9 Data input, data output, status output, and control input (via the external GUI Administration interface) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 12 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 1G Ethernet interface 8 8x 1G Ethernet interfaces (X0- X7) with LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI Administration interface) Figure 9. Front view of TZ570 Figure 10. Front view of TZ570W Figure 11. Front view of TZ570P SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 13 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 12. Front view of TZ670 Table 7 – Front Panel Physical Ports/Logical Interfaces description of TZ570/TZ570W/TZ570P and TZ670 Physical Ports Quantity Description Logical Interfaces USB Interfaces 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Status LED Varies Two Power LEDs: one indicating the primary power LED and another indicating the redundant power LED. One Test LED: Indicates module is initializing and performing self-tests. One Security LED: Indicates security services monitored by this LED. One Storage LED: Indicates status of extended storage. One U0 WWAN LED indicated for 5G/LTE activity. One Wireless W0 WLAN LED (TZ570W only): indicates WLAN status. Status output Ethernet/SFP/SFP+ LEDs 10 Ethernet interface LEDs (X0-X7): 1G link activity SFP/SFP+ interface LEDs (X8-X9): 5G or 2.5G link activity (TZ 570, TZ 570W and TZ 570P) and 10G, 5G or 2.5G link activity (TZ 670). In general, these LEDs indicates the status of the Ethernet/SFP/SFP+ interface. Status output SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 14 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 13. Rear view of TZ570/TZ 570P/TZ670 Figure 14. Rear view of TZ570W Table 8 – Rear Panel Physical Ports/Logical Interfaces description of TZ570/TZ570W/TZ570P and TZ670 Physical Ports Quantity Description Logical Interfaces Safe Mode/Reset Button 1 Used to manually reset the appliance to Safe Mode. Control Input Power Interface 2 Power interfaces Power Console Interface 2 One RJ-45 and One Micro USB Console port. Data Input, Control input and status output SFP/SFP+ Interface 2 SFP/SFP+ ports: TZ570/TZ570P/TZ570W support 5G or 2.5G on interfaces X8 and X9 TZ670 supports 10G,5G or 2.5G on interfaces X8 and X9 Data input, data output, status output, and control input (via the external GUI Administration interface) 1G Ethernet interface 8 1G Ethernet ports (X0-X7). Data input, data output, status output, and control input (via the external GUI Administration interface) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 15 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 15. Front View of the physical ports of NSa 2700 Figure 16. Front View of the physical ports of NSa 3700 Table 9 – Front view of Physical ports/Logical interfaces description for NSa 2700 and NSa 3700 Physical Ports Quantity (Labels in Figure) Description Logical Interfaces Safe Mode/Reset Button 1 Used to manually reset the appliance to Safe Mode. Control Input USB Interfaces 2 Allows the attachment of an external device. Security Guidance is “not to be used in FIPS Mode” N/A Serial Console Interface 1 DB-9/RJ-45 serial connector. Provides a serial console which can be used for basic administration functions. Data input, control input and status output MGMT 1 1G RJ45 isolated out-of- band management (MGMT) port, with integral LINK and ACT LEDs Control input, status output, data input and data output SFP/SFP+ Interface Varies NSa 2700 supports 3 x10/2.5/1GE SFP/SFP+ interfaces (X16-X18) with LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 16 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). NSa 3700 supports 6 x10/2.5/1GE (X28-33) and 4 x5/2.5/1GE SFP/SFP+ (X24-X27) interfaces with LINK and ACT LEDs. Administration interface) Status LED Varies Two Power LED: Two Power LEDs: one indicating the primary power LED and another indicating the redundant power LED. Test LED: Indicates NSa booting up status. Security LED: Indicates security status on the NSa. Storage LED: Indicates status of extended storage. Status output Ethernet Interface Varies NSa 2700 consists of 16x 1G Ethernet ports (X0- X15) with LINK and ACT LEDs. NSa 3700 consists of 24x 1G Ethernet ports (X0- X23) with LINK and ACT LEDs. Data input, data output, status output, and control input (via the external GUI Administration interface) Figure 17. Rear View of NSa 2700 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 17 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 18. Rear view of NSA 3700 Table 10 – Rear view of Physical ports/Logical interfaces description for NSa 2700 and NSa 3700 Physical Ports Qty. Description Logical Interfaces Power Interface 1 AC power interfaces Power Redundant power 1 Slot for redundant power supply Power Fan Interface Varies 1x Fan component (NSa 2700) 2x Fan component (NSa 3700) N/A 1.3 Modes of Operation 1.3.1 FIPS 140-2 Approved mode of Operation The module is not configured to operate in FIPS-mode by default. The operator is responsible for updating the following settings appropriately during setup and will be prompted by the compliance tool if a setting has been modified taking the module out of compliance. The following steps must be taken during set-up of the module to enable FIPS-mode of operation: 1. The default Administrator and User passwords shall be immediately changed and be at least eight (8) characters. 2. The RADIUS/TACACS+ shared secrets must be at least eight (8) characters. 3. Traffic between the module and the RADIUS/TACACS+ server must be secured via an IPSec tunnel. • Note: this step need only be performed if RADIUS or TACACS+ is supported. • LDAP cannot be enabled in FIPS mode without being protected by TLS • LDAP cannot be enabled in FIPS mode without selecting 'Require valid certificate from server' • LDAP cannot be enabled in FIPS mode without valid local certificate for TLS 4. IKE must be configured with 3rd Party Certificates for IPsec Keying Mode when creating VPN tunnels. o RSA Certificates lengths must be 2048-bit or greater in size 5. When creating VPN tunnels, ESP must be enabled for IPSec. 6. FIPS-approved algorithms must be used for encryption and authentication when creating VPN tunnels. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 18 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 7. Group 14, 19, 20 or 21 must be used for IKE Phase 1 DH Group. SHA-256 and higher must be used for Authentication. 8. “Advanced Routing Services” must not be enabled. 9. “Group VPN management” must not be enabled. 10. SNMP or SSH must not be enabled. The module does not enforce but as a policy, a user should not enable the below features while in FIPS mode of operation: • Do not use USB interface. • Do not use TLS 1.3/TLS 1.3 KDF. • Do not use Wireless interface. • 802.11i wireless security Note: Once FIPS mode of operation is enabled SonicOS enforces all of the above items. Operators will not be allowed to enable these features while in FIPS mode of operation. Note: In case the module's power is lost and then restored, a new key for use with the AES GCM encryption/decryption must be established. 1.3.2 Non-Approved mode of Operation The Cryptographic Module provides the same set of services in the non-Approved mode as in the Approved mode but allows the following additional administration options and non FIPS-approved algorithms which are not used in the FIPS mode of operation. The following services must be disabled before placing the module in FIPS mode. The module does not transition to FIPS mode until the following services are disabled. • AAA server authentication (the Approved mode requires operation of RADIUS or TACACS+ only within a secure VPN tunnel). • SSH1 • SNMP2 1.3.3 Non-Approved Algorithms with No Security Claimed The module supports the following non-Approved but allowed algorithms and protocols with no security claimed: • Triple-DES (non-compliant) • MD5 (non-compliant) • PBKDF (non-complaint) The operator must also follow the rules outlined in Section 1.3.1 and consult FIPS 140-2 IG 1.23 for further understanding of the use of functions where no security is claimed. Section 3.3 indicates the module services associated with these functions. 1 Keys derived using the SSH KDF are not allowed for use in the Approved mode. 2 Keys derived using the SNMP KDF are not allowed for use in the Approved mode. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 19 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 2. Cryptographic Functionality The Module implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in the tables below. Table 11 – Approved Algorithms Cert Algorithm Mode Description Functions/Caveats C1861 AES [197] CBC [38A] Key Sizes: 128, 192, 256 Encrypt, Decrypt CTR [38A] Key Sizes: 128, 192, 256 Encrypt GMAC [38D] Key Sizes: 128, 192, 256 Encrypt, Decrypt GCM [38D]3 Key Sizes: 128, 192, 256 Tag Len: 128 Authenticated Encrypt, Authenticated Decrypt, Message Authentication Vendor Affirmed CKG [IG D.12] [133 rev2] Section 5.1 Asymmetric signature key generation using unmodified DRBG output Key Generation [133 rev2] Section 5.2 Asymmetric key establishment key generation using unmodified DRBG output [133 rev2] Section 6.1 Direct symmetric key generation using unmodified DRBG output [133 rev2] Section 6.2.1 Derivation of symmetric keys from a key agreement shared secret. [133 rev2] Section 6.2.2 Derivation of symmetric keys from a pre-shared key [133 rev2] Section 6.3 Combining multiple keys and other data Vendor Affirmed DH KAS-SSC (SP 800- 56Arev3 Shared Secret Calculation per Scenario X1 of IG D.8 and IG D.1rev3. Key Derivation per SP 800-135 (CVL DH group 14 (dhEphem scheme per section 6.1.2.1 of SP800-56Arev3) Key Agreement ECDH ECDH P-256, P-384 and P- 521 (Ephemeral Unified scheme per section 6.1.2.2 of SP800-56Arev3) 3 The module’s AES-GCM implementation conforms to IG A.5 scenario #1 following RFC 5288 for TLS v1.2. Per RFC 5246, if the module is the party that encounters this condition it will trigger a handshake to establish a new encryption key. The module’s support for acceptable AES GCM ciphersuites from Section 3.3.1 of SP800-52 rev1 or SP800-52 rev2. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 20 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Description Functions/Caveats Cert. #C1861) and RFC 8446) C1861 CVL: IKEv1 [135] DSA, PSK[135] SHA (256, 384, 512) Key Derivation CVL: IKEv2 [135] DH 224-521 bits SHA (256, 384, 512) CVL: TLS [135]4 v1.0, v1.1, v1.2 SHA (256, 384, 512) CVL: SSH [135] v2 SHA-1 CVL: SNMP [135] SHA-1 C1861 DRBG [90Arev1] Hash SHA-256 Deterministic Random Bit Generation C1861 ECDSA [186-4] P-224, P-256, P-384, P-521 KeyGen P-192, P-224, P-256, P-384, P-521 PKV P-224 5 SHA(256, 384, 512) P-256 SHA(256, 384, 512) P-384 SHA(256, 384, 512) P-521 SHA(256, 384, 512) SigGen P-192 SHA(1, 256, 384, 512) P-224 SHA(1, 256, 384, 512) P-256 SHA(1, 256, 384, 512) P-384 SHA(1, 256, 384, 512) P-521 SHA(1, 256, 384, 512) SigVer C1861 HMAC [198] SHA-1 Key Sizes: KS < BS λ = 12 Message Authentication, KDF Primitive, Password Obfuscation SHA-256 Key Sizes: KS = BS λ = 32 SHA-384 Key Sizes: KS = BS λ = 48 SHA-512 Key Sizes: KS = BS λ = 64 C1861 KTS [IG G.13 and D.9] AES (Cert. # C1861); HMAC (Cert. # C1861) AES (Key Sizes: 128, 192, 256); HMAC SHA(1, 256, 384, 512) Encryption, Key Transport, Authentication using within TLS C1861 RSA [186-4] X9.31 Key Generation Mode:B.3.6 KeyGen 4 SSH, SNMP, TLS 1.0 and 1.1 KDFs were CAVP tested but are not supported/used in the Approved mode of operation. 5 ECDSA P-224 was CAVP tested but is not supported/used in the Approved mode of operation. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 21 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Description Functions/Caveats n = 2048 n = 3072 PKCS1_v1.5 n = 2048 SHA(256, 384, 512) n = 3072 SHA(256, 384, 512) SigGen PKCS1_v1.5 [186-2 Legacy] n = 1024 SHA-1 n = 1536 SHA-1 n = 2048 SHA-1 SigVer PKCS1_v1.5 [186-4] n = 1024 SHA(1, 256, 384, 512) n = 2048 SHA(1, 256, 384, 512) n = 3072 SHA(256, 384, 512) SigVer C1861 SHS [180-4] SHA-1 SHA-256 SHA-384 SHA-512 Message Digest Generation, Password Obfuscation Note: There are few algorithms, modes, moduli and key sizes that have been CAVP tested but are not implemented/used by the module. Only the algorithms, modes, and key sizes shown in this table are implemented by the module. Table 12 - Non-Approved but Allowed Cryptographic Functions Algorithm Description RSA RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength) NDRNG (used only to seed the Approved DRBG) NDRNG (internal entropy source) for seeding the Hash DRBG. The module generates a minimum of 256 bits of entropy for key generation. The following service/security function is non-approved and not allowed to be used in FIPS mode of operation. - TLS 1.3 KDF By policy, the operators in FIPS mode of operation shall not use TLS 1.3. Usage of the above algorithm/function results in non-conformance as the TLS 1.3 KDF is not CAVP tested, and module does not implement self-test for the algorithm/function specified above. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 22 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). The following table provides the security relevant protocols used in Approved mode of operation. Table 13 - Security Relevant Protocols Used in FIPS Mode Protocol Key Exchange Auth Cipher Integrity IKEv1 DH Group 14, 19, 20, 21 RSA and ECDSA digital signature AES CBC 128/192/256 HMAC-SHA-256-128 HMAC-SHA-384-192 HMAC-SHA-512-256 IKEv2 DH Group 14, 19, 20, 21 RSA and ECDSA Digital Signature Shared Key Message Integrity Code AES CBC 128/192/256 HMAC-SHA-256-128 HMAC-SHA-384-192 HMAC-SHA-512-256 IPsec ESP IKEv1 or IKEv2 with optional: Diffie-Hellman (L=2048, N=224, 256) EC Diffie-Hellman P-256, P-384 and P-521 IKEv1, IKEv2 AES CBC 128/192/256 HMAC-SHA-256-128 HMAC-SHA-384-192 HMAC-SHA-512-256 TLS 1.2 or SSL 3.1 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Note: no parts of these protocols, other than the KDF, have been tested by the CAVP and CMVP. 2.1 Critical Security Parameters All CSPs used by the Module are described in this section. All usage of these CSPs by the Module (including all CSP lifecycle states) is described in the services detailed in Section 3.3. The following Critical Security Parameters (CSP) are contained in the cryptographic module: • IKE Shared Secret – Shared secret used during IKE Phase 1 (length 4 ~ 128 bytes). • SKEYID – Secret value used to derive other IKE secrets. • SKEYID_d – Secret value used to derive keys for security associations. • SKEYID_a – Secret value used to derive keys to authenticate IKE messages. • SKEYID_e – Secret value used to derive keys to encrypt IKE messages. • IKE Session Encryption Key – AES (CBC) 128, 192, 256 key used to encrypt data. • IKE Session Authentication Key – HMAC-SHA-256, HMAC-SHA-384 and HMAC-SHA-512 bit key used for data authentication. • IKE Private Key – RSA 2048 bit and ECDSA P-256, P-384 and P-521 key used to authenticate the module to a peer during IKE. • IPsec Session Encryption Key – AES (CBC) 128, 192, 256 key used to encrypt data. • IPsec Session Authentication Key – HMAC-SHA-256, HMAC-SHA-384 and HMAC-SHA-512 bit key used for data authentication for IPsec traffic. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 23 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). • TLS 1.2 Master Secret– used for the generation of TLS Session Keys and TLS Integrity Key (384- bits). • TLS 1.2 Premaster Secret – used for the generation of Master Secret (384 bits). • TLS 1.2 Private Key– used in the TLS 1.2 signature algorithm (RSA 2048 bit). • TLS 1.2 Session Key – AES CBC 128/256 bit and AES GCM 128/256 bit key used to protect TLS 1.2 connection. • TLS 1.2 Integrity Key – HMAC-SHA-1/256/384 bit key used to check the integrity of TLS 1.2 connection. • Diffie-Hellman/EC Diffie-Hellman – Diffie-Hellman Private Key (N = 224, 256) or EC DH P-256/P- 384/P-521 used within IKE key agreement and EC DH P-256/P-384 used within TLS key agreement. • DRBG V and C values – Used to seed the Approved DRBG. • Entropy Input: 256 bits entropy (min) input used to instantiate the DRBG. • DRBG Seed: Seed material used to seed or reseed the DRBG . • RADIUS Shared Secret – Used for authenticating the RADIUS server to the module and vice versa. Type: A minimum of 8 characters for RADIUS authentication. • Passwords – Authentication data. Type: A minimum 8 ASCII characters. 2.2 Public Keys The following Public Keys are contained in the cryptographic module: • Root CA Public Key – Used for verifying a chain of trust for receiving certificates. • Peer IKE Public Key – RSA 2048 bit and ECDSA P-256, P-384 and P-521 key for verifying digital signatures from a peer device. • IKE Public Key – RSA 2048 bit and ECDSA P-256, P-384 and P-521 key for verifying digital signatures from a peer device. • Firmware Verification Key – P-256 ECDSA key used for verifying firmware during firmware load. • EC Diffie-Hellman Public Key – ECDH P-256/P-384 is used within TLS key agreement. • Diffie-Hellman/EC Diffie-Hellman Public Key – Diffie-Hellman 2048-bit key, EC DH P-256/P- 384/P-5216 used within IKE key agreement. • Authentication Public Key – 2048-bit RSA public key used to authenticate the User. • TLS 1.2 Public Key – RSA – 2048-bit public key used in the TLS handshake. 6 P-521 curve only available for IKEv1 and IKEv2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 24 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 3. Roles, Authentication and Services 3.1 Assumption of Roles The cryptographic module provides the roles described in Table 14. The cryptographic module does not provide a Maintenance role. The built-in “Administrator” is a member of “SonicWALL Administrators” group on the SonicWALL appliance, and the name used to login may be configured by the Cryptographic Officer role; the default username for the “Administrator” user is “admin”. The User role is authenticated using the credentials of a member of the “Limited Administrators” user group. The User role can query status and non-critical configuration. The user group, “SonicWALL Read-Only Admins,” satisfies neither the Cryptographic Officer nor the User Role and should not be used in FIPS mode operations. The configuration settings required to enable FIPS mode are specified in Section 1.3.1 of this document. The built-in administrator for which the default username is “admin” which is a member of “SonicWALL Administrators” group has the full control privilege to query status and configure all firewall configurations including configure other user privilege. Other members (users) of “SonicWALL Administrators” group have the same full control privilege as built in administrator (part of “SonicWALL Administrators” group) . There is another group called “Limited Administrators”. Members of “limited Administrators” user group can query status and non-critical configuration. A User is authenticated by username and password. User is granted privilege by the membership of user group after login. Table 14 – Role Description Role ID Role Description Authentication Type Authentication Data CO Referred to as “SonicWALL Administrators” group (Administrator and as well as other members (users)) in the vendor documentation Identity-based Username and Password User Referred to as “Limited Administrators” (user group) in the vendor documentation Identity-based Username and Password or Digital Signature The Module supports concurrent operators. Separation of roles is enforced by requiring users to authenticate using either a username and password, or digital signature verification. The User role requires the use of a username and password or possession of a private key of a user entity belonging to the “Limited Administrators” group. The Cryptographic Officer role requires the use of the “Administrator” username and password, or the username and password of a user entity belonging to the “SonicWALL Administrators” group. Multiple users may be logged in simultaneously, but only a single user-session can have full configuration privileges at any time, based upon the prioritized preemption model described below: 1. The Admin user (SonicWALL Administrators) has the highest priority and can preempt any users. 2. The additional users who are members of the “SonicWALL Administrators” group can preempt any users except for the Admin user. 3. A user that is a member of the “Limited Administrators” user group can only preempt other members of the “Limited Administrators” group. Session preemption may be handled in one of two ways, configurable from the System > Administration page, under the “On admin preemption” setting: SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 25 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 1. “Drop to non-config mode” – the preempting user will have three choices: a. “Continue” – this action will drop the existing administrative session to a “non-config mode” and will impart full administrative privileges to the preempting user. b. “Non-Config Mode” – this action will keep the existing administrative session intact, and will login the preempting user in a “non-config mode” c. “Cancel” – this action will cancel the login and will keep the existing administrative session intact. 2. “Log-out” – the preempting user will have two choices: a. “Continue” – this action will log out the existing administrative session and will impart full administrative privileges to the preempting user. b. “Cancel” – this action will cancel the login and will keep the existing administrative session intact. “Non-config mode” administrative sessions will have no privileges to cryptographic functions making them functionally equivalent to User role sessions. The ability to enter “Non-config mode” may be disabled altogether from the System > Administration page, under the “On admin preemption” setting by selecting “Log out” as the desired action. 3.2 Authentication Methods The cryptographic module provides authentication relying upon username/passwords or an RSA 2048- bit (at a minimum) digital signature verification. Table 15 – Authentication Description Authentication Method Probability Justification CO and User password The probability is 1 in 96^8, which is less than one in 1,000,000 that a random attempt will succeed or, a false acceptance will occur for each attempt (This is also valid for RADIUS shared secret keys). After three (3) successive unsuccessful password verification tries, the cryptographic module pauses for one second before additional password entry attempts can be reinitiated. This makes the probability approximately 180/96^8 = 2.5E-14, which is less than one in 100,000, that a random attempt will succeed or a false acceptance will occur in a one- minute period. Passwords must be at least eight (8) characters long each, and the password character set is ASCII characters 32-127, which is 96 ASCII characters, hence, the probability is 1 in 96^8. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 26 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Authentication Method Probability Justification User RSA 2048-bit (minimum) digital signature The probability that a random attempt will succeed or a false acceptance will occur is 1/2^112, which is less than 1 in 1,000,000. Due to processing and network limitations, the module can verify at most 300 signatures in a one minute period. Thus, the probability that a random attempt will succeed or a false acceptance will occur in a one minute period is 300/2^112 = 5.8E-32, which is less than 1 in 100,000. A 2048-bit RSA digital signature has a strength of 112-bits, hence the probability is 1/2^112. 3.3 Services 3.3.1 User Role Services • Show Status – Monitoring, pinging, traceroute, viewing logs. • Show Non-critical Configuration – “Show” commands that enable the User to view VPN tunnel status and network configuration parameters. • Session Management – Limited commands that allow the User to perform minimal VPN session management, such as clearing logs, and enabling some debugging events. This includes the following services: 1. Log On 2. Monitor Network Status 3. Log Off (themselves and guest users) 4. Clear Log 5. Export Log 6. Filter Log 7. Generate Log Reports 8. Configure DNS Settings • TLS 1.2 – TLS used for the https configuration tool or network traffic over a TLS VPN • IPsec VPN – Network traffic over an IPsec VPN 3.3.2 Crypto Officer Services The Cryptographic Officer role is authenticated using the credentials of the “Administrator” user which is the member of “SonicWALL Administrators” group (also referred to as “Admin”), or the credentials of a other members (users) of the “SonicWALL Administrators” group. The use of “SonicWALL Administrators” provides identification of specific users (i.e., by username) upon whom full administrative privileges are imparted. The Cryptographic Officer role can show all status and configure cryptographic algorithms, cryptographic keys, certificates, and servers used for VPN tunnels. The Crypto Officer sets the rules by which the module encrypts, and decrypts data passed through the VPN tunnels. The authentication mechanisms are discussed in Section 3.1 and 3.2. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 27 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). • Show Status - Monitoring, pinging, traceroute, viewing logs. • Show Non-critical Configuration – “Show” commands that enable the User to view VPN tunnel status and network configuration parameters. • Configuration Settings – System configuration7 , network configuration, User settings, Hardware settings, Log settings, and Security services including initiating encryption, decryption, random number generation, key management, and VPN tunnels. This includes the following services: 1. Configure VPN Settings 2. Set Content Filter 3. Import/Export Certificates 4. Upload Firmware8 5. Configure DNS Settings 6. Configure Access • Session Management – Management access for VPN session management, such as setting and clearing logs, and enabling debugging events and traffic management. This includes the following services: 1. Log On 2. Import/Export Certificates 3. Clear Log 4. Filter Log 5. Export Log 6. Setup DHCP Server 7. Generate Log Reports • Zeroize – Zeroizing cryptographic keys • TLS 1.2 – TLS used for the https configuration tool or network traffic over a TLS VPN • IPsec VPN 9 – Network traffic over an IPsec VPN The cryptographic module also supports unauthenticated services, which do not disclose, modify, or substitute CSP, use approved security functions, or otherwise affect the security of the cryptographic module. 3.3.3 Unauthenticated services • Module Reset - Firmware removal with configuration return to factory state. • No Auth Function - Authenticates the operator and establishes secure channel. • Show Status – LED activity and console message display. • Self-test Initiation – power cycle 7 Non-compliant Triple-DES implementation associated with the configuration setting is used to encrypt/decrypt signature files (internal to the module only). This function is considered obfuscation and cannot be used to compromise the module or store/transmit sensitive information. 8 Note: Only validated firmware version shall be loaded using the firmware upload service. Any other firmware version that is not listed in the module certificate is considered out of scope and requires separate FIPS 140-2 certificate. 9 MD5 (no security claimed) and keys derived from the non-conformant PBKDF are always encapsulated by the IPsec VPN service. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 28 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Note 1: The same services are available in the non-Approved mode of operation. In the non-Approved mode of operation, the non-Approved functions listed in Section 1.3.2 can be utilized. Note 2: The module does not support a bypass capability. The cryptographic module provides several security services including VPN and IPsec. The cryptographic module provides the Cryptographic Officer role the ability to configure VPN tunnels and network settings. All services implemented by the Module are listed in the table(s) below. Table 16 – Authenticated Services Service Description CO U Status Information Viewing Logs, viewing network interface settings, viewing system flag to check whether the module is running in the FIPS Approved mode of operation (“Show fips”) and viewing status of the module (i.e module configuration) X X Configuration management Setting up VPN, setup filters, upload firmware, Auth directory configuration, creating user accounts X Session Management Audit configuration, Certificate management, DHCP setup X X Zeroize Destroys all Keys and CSPs. Upon system Zeroize all Keys and CSP which are permanent are erased X TLS 1.2 TLS used for HTTPS management of the module/network traffic over TLS X X IPsec VPN Module can configure/run traffic over IPsec VPN using certificates X X Table 17 – Unauthenticated Services Service Description Module Reset Reset the Module by activating the reset switch. No Auth Function Authenticates the operator and establishes secure channel. Show Status LED status activity and console message display. Self-test Initiation Power Cycle. Note: The same services are available in the non-Approved mode of operation. In the non-Approved mode of operation, the non-Approved functions listed in Section 1.3.2 can be utilized. Table 18 defines the relationship between access to Security Parameters and the different module services. Table 19 defines the relationship between access to Public Keys and the different module services. The modes of access shown in the tables are defined as: • G = Generate: The module generates the CSP. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 29 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). • I = Import: The CSP is entered into the module from an external source. • R = Read: The module reads the CSP for output. • E = Execute: The module executes using the CSP. • W = Write: The module writes the CSP to persistent storage. • Z = Zeroize: The module zeroizes the CSP. In the tables below, TLS and IPsec listings are inclusive of functions that can be operated with IPsec or TLS communications active. Table 18 – Security Parameters Access Rights within Services and CSPs Service CSPs IKE Shared Secret SKEYID SKEYID_d SKEYID_a SKEYID_e IKE Session Encryption Key IKE Session Authentication Key IKE Private Key IPsec Session Encryption Key IPsec Session Authentication Key TLS 1.2 Master Secret TLS 1.2 Premaster Secret TLS 1.2 Session Key TLS 1.2 Integrity Key TLS 1.2 Private Key DH/EC DH Private Key DRBG Seed DRBG V and C values RADIUS Shared Secret Entropy Input Passwords Show Status - - - - - - - - - - - - - - - - - - - - Show Non- critical Configuration - - - - - - - - - - - - - - - - - - - - Monitor Network Status - - - - - - - - - - - - - - - - - - - - Log On - - - - - - - - - - - - - - - - - - - E Log Off - - - - - - - - - - - - - - - - - - - - Clear Log - - - - - - - - - - - - - - - - - - - - Export Log - - - - - - - - - - - - - - - - - - - - Import/Export Certificates - - - - - - - - - - - - - - - - - - - - Filter Log - - - - - - - - - - - - - - - - - - - - Setup DHCP Server10 - - - - - - - - - - - - - - - - - - - - 10 DHCP setup does not use CSPs, but DHCP server setup is performed with IPsec active. See below for IPsec VPN CSP usage. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 30 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Service CSPs IKE Shared Secret SKEYID SKEYID_d SKEYID_a SKEYID_e IKE Session Encryption Key IKE Session Authentication Key IKE Private Key IPsec Session Encryption Key IPsec Session Authentication Key TLS 1.2 Master Secret TLS 1.2 Premaster Secret TLS 1.2 Session Key TLS 1.2 Integrity Key TLS 1.2 Private Key DH/EC DH Private Key DRBG Seed DRBG V and C values RADIUS Shared Secret Entropy Input Passwords Generate Log Reports - - - - - - - - - - - - - - - - - - - - Configure VPN Settings - - - - - IE - - IG - - - - - - G GE IG - - - IPsec VPN GERW GE GE GE GE - GE GE GERW GE GE - - - - E GE GE GE GE - TLS - - - - - - - - - - GE GE GE GEW GE GE GE GE - - Set Content Filter - - - - - - - - - - - - - - - - - - - - Upload Firmware - - - - - - - - - - - - - - - - - - - - Configure DNS Settings - - - - - - - - - - - - - - - - - - - - Configure Access - - - - - - - - - - - - - - - - - - - IEW Zeroize Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Table 19 – Security Parameters Access Rights within Services and Public Keys Service Public Keys Root CA Public Key IKE Public Key EC Diffie-Hellman Public Key (TLS) Peer IKE Public Key Diffie-Hellman/EC Diffie Hellman Public Key (IKE) Authentication Public Key Firmware Verification Key TLS 1.2 Public Key Show Status - - - - - - - - SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 31 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 11 DHCP setup does not use CSPs, but DHCP server setup is performed with IPsec active. See below for IPsec VPN CSP usage. Service Public Keys Root CA Public Key IKE Public Key EC Diffie-Hellman Public Key (TLS) Peer IKE Public Key Diffie-Hellman/EC Diffie Hellman Public Key (IKE) Authentication Public Key Firmware Verification Key TLS 1.2 Public Key Show Non-critical Configuration - - - - - - - - Monitor Network Status - - - - - - - - Log On - - - - - - - - Log Off - - - - - - - - Clear Log - - - - - - - - Export Log - - - - - - - - Import/Export Certificates - - - - - - - - Filter Log - - - - -- - - - Setup DHCP Server11 - - - - - - - Generate Log Reports - - - - - - - - Configure VPN Settings I IG - - G - - - IPsec VPN E E - IE E IE - - TLS - - GE - - IE - E Set Content Filter - - - - - - - - Upload Firmware - - - - - - E - Configure DNS Settings - - - - - - - - Configure Access - - - - - - - - Zeroize Z Z Z Z Z Z Z Z SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 32 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 4. Self-tests The module performs self-tests to ensure the proper operation of the module. Per FIPS 140-2 these are categorized as either power-up self-tests or conditional self-tests. Power up self–tests are available on demand by power cycling the module. The module performs the following algorithm KATs on power-up: • Firmware Integrity: 256-bit EDC • AES: KATs: Encryption, Decryption; Modes: CBC and GCM; Key sizes: 128 bits • DRBG : KATs: HASH DRBG; Security Strengths: 256 bits • ECDSA: PCT: Signature Generation, Signature Verification; Curves/Key sizes: P-256 • HMAC: KATs: Generation, Verification; SHA sizes: SHA-1, SHA-256, SHA-384, SHA-512 • RSA: KATs: Signature Generation, Signature Verification; Key sizes: 2048 and 3072 bits • SHA: KATs: SHA-1, SHA-256, SHA-384, SHA-512 • TDES: KATs: Encryption, Decryption; Modes: CBC; Key sizes: 2-key, 3-key12 • DSA: KATs: Signature Generation, Signature Verification; Key sizes: 1024, 2048, 3072bits13 • KDFs: IKEv1, IKEv2, TLS, SSH, SNMP14 The module performs the following conditional self-tests as indicated. • DRBG and NDRNG Continuous Random Number Generator Tests per IG 9.8 • RSA Pairwise Consistency Test on RSA key pair generation • ECDSA Pairwise Consistency Test on ECDSA key pair generation • Firmware Load Test: ECDSA (P-256) signed SHA-256 hash When a new firmware image is loaded, the cryptographic module verifies the ECDSA P-256 signed SHA- 256 hash of the image. If this verification fails, the firmware image loading is aborted. If any of the tests described above fail, the cryptographic module enters the error state. No security services are provided in the error state. Upon successful completion of the Diagnostic Phase, the cryptographic module enters the Command and Traffic Processing State. Security services are only provided in the Command and Traffic Processing State. No VPN tunnels are started until all tests are successfully completed. This effectively inhibits the data output interface. 12 Triple-DES KATs are performed even if they are not implemented in any of the services that are available in Approved mode of operation. 13 DSA KATs are performed even if they are not implemented in any of the services that are available in Approved mode of operation. 14 The SSH and SNMP KDF KATs are performed even if they are not supported in the Approved mode of operation. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 33 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). When all tests are completed successfully, the Test LED is turned off. The module performs the following critical self-tests. These critical function tests are performed for the SP 800-90A DRBG: • SP 800-90A Instantiation Test • SP 800-90A Generate Test • SP 800-90A Reseed Test • SP 800-90A Uninstantiate Test SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 34 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 5. Physical Security Policy The chassis of all the modules are sealed with one (1) or two (2) tamper-evident seals, applied during manufacturing. The physical security of the module is intact if there is no evidence of tampering with the seal. The locations of the tamper-evident seals are indicated by the red rectangles below in Figures 17 – 21. The Cryptographic Officer shall inspect the tamper seals for signs of tamper evidence once every six months. If evidence of tamper is found, the Cryptographic Officer is requested to follow their internal IT policies which may include contacting the SonicWALL for replacing the unit. Table 20 below lists the number of tamper evident seals applied per module: Table 20 – Number of Tamper Evident Seals # Module Number of tamper evident seal(s)/module 1 TZ270 1 2 TZ270W 1 3 TZ370 1 4 TZ370W 1 5 TZ470 1 6 TZ470W 1 7 TZ570 1 8 TZ570W 1 9 TZ570P 1 10 TZ670 2 11 NSa 2700 2 12 NSa 3700 2 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 35 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 19. Tamper seal placements for TZ270/ TZ270W/ TZ370/ TZ370W/ TZ470/ TZ470W (Bottom View) Figure 20. Tamper seal placements for TZ570/ TZ570W/ TZ570P (Bottom View) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 36 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 21. Tamper seal placements for TZ670 (Bottom View) Figure 22. Tamper seal placement for NSa 2700/ NSa 3700 (Left View) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 37 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Figure 23. Tamper seal placement for NSa 2700/ NSa 3700 (Bottom View) SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 38 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 6. Operational Environment Area 6 of the FIPS 140-2 requirements does not apply to this module as the module only allows the loading of firmware through the firmware load test, which ensures the image is appropriately ECDSA signed by SonicWall, Inc. Hence, the module is classified as a Limited OE. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 39 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 7. Mitigation of Other Attacks Policy Area 11 of the FIPS 140-2 requirements do not apply to this module as it has not been designed to mitigate any specific attacks outside the scope of FIPS 140-2 requirements. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 40 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 8. Security Rules and Guidance This section documents the security rules for the secure operation of the cryptographic module to implement the security requirements of FIPS 140-2. 1. The module provides two distinct operator roles: User and Cryptographic Officer. 2. The module provides identity-based authentication for the crypto-officer, and for the user. 3. The module clears previous authentications on power cycle. 4. An operator does not have access to any cryptographic services prior to assuming an authorized role. 5. The module allows the operator to initiate power-up self-tests by power cycling power or resetting the module. 6. Power up self-tests do not require any operator action. 7. Data output are inhibited during key generation, self-tests, zeroization, and error states. 8. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 9. There are no restrictions on which keys or CSPs are zeroized by the zeroization service. 10. The module does not support a maintenance interface or role. 11. The module does not support manual key entry. 12. The module does not have any proprietary external input/output devices used for entry/output of data. 13. The module does not enter or output plaintext CSPs. 14. The module does not output intermediate key values. 15. The operators should not use TLS 1.3 as the TLS 1.3KDF is not CAVP tested and hence considered as non-approved security function in FIPS mode of operation. 8.1 Crypto-Officer Guidance The following steps must be performed by the Crypto-Officer (CO) to configure the required roles and place the module in the FIPS Approved mode of operation: 1. During testing, the tester should apply power to the module's host appliance and tester can observe that the network interface drivers or a login prompt will be available only upon initial boot up of all power-up self-tests and successful completion of these self-tests . 2. As the CO, the tester should login using the vendor provided default login and password. The default password and login should be changed/updated. 3. As the CO, management IP address and Gateway should be configured for the module. 4. Over the web interface, the tester should then proceed to system settings and update the settings to be consistent with Section 1.3.1 of this document with the assistance of compliance checking procedure and then enabling FIPS mode using a checkbox. The FIPS checkbox does not place the module in FIPS mode until the settings of Section 1.3.1 of this document are met. Then click OK. The system automatically restarts. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 41 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 5. The tester shall observe that the module self-tests executed automatically before a log in was possible. The tester will observe that the “FIPS enabled checkbox” is enabled to indicate that the module is in the Approved mode of operation. The tester can verify that in the system/settings page that FIPS mode is enabled. 6. As the CO, the tester shall proceed to create the roles specified in Section 3.1 of this document. Passwords and Digital signatures required for authentication to each should be configured or installed as appropriate. 8.2 Transition of module to and from Approved mode of operation The keys and CSPs generated in the cryptographic module during FIPS mode of operation cannot be used when the module transitions to non-FIPS mode and vice versa. While the module transitions from FIPS to non-FIPS mode or from non-FIPS to FIPS mode, all the keys and CSPs shall be zeroized by the Crypto Officer using the “Zeroize” service. While transition from non-FIPS to FIPS mode, the CO has to zeroize all plaintext key and CSPs by issuing “Zeroize” service and then the CO has to follow Section 8.1 of the Security Policy to place the module in Approved mode of operation. SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 42 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). 9. References and Definitions The following standards are referred to in this Security Policy. Table 21 - References Abbreviation Full Specification Name [FIPS140-2] Security Requirements for Cryptographic Modules, May 25, 2001 [IG] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [108] NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions (Revised), October 2009 [131A] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019 [132] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation, Part 1: Storage Applications, December 2010 [133] NIST Special Publication 800-133rev2, Recommendation for Cryptographic Key Generation, June 2020. [135] National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135rev1, December 2011. [186] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July, 2013. [186-2] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 2000. [197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001 [198] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [180] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August, 2015 [202] FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, FIPS PUB 202, August 2015 [38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 [38B] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication 800-38B, May 2005 SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 43 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Abbreviation Full Specification Name [38C] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, Special Publication 800-38C, May 2004 [38D] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800- 38D, November 2007 [56Arev3] NIST Special Publication 800-56Arev3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), April 2018 [56Br1] NIST Special Publication 800-56A Revision 1, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, September 2014 [67] National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, May 2004 [90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, June 2015. Table 22 – Acronyms and Definitions Acronym Definition AES Advanced Encryption Standard CO Crypto Officer FIPS Federal Information Processing Standard CSP Critical Security Parameter VPN Virtual Private Network EMC Electromagnetic Compatibility EMI Electromagnetic Interference Triple-DES Triple Data Encryption Standard DES Data Encryption Standard CBC Cipher Block Chaining DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator RSA Rivest, Shamir, Adleman asymmetric algorithm IKE Internet Key Exchange RADIUS Remote Authentication Dial-In User Service IPSec Internet Protocol Security SonicWALL FIPS 140-2 Security Policy Copyright SonicWall, Inc., 2022 Version 1.0 Page 44 of 44 SonicWall, Inc. Public Material – May be reproduced only in its original entirety (without revision). Acronym Definition LAN Local Area Network DH Diffie-Hellman GUI Graphical User Interface SHA Secure Hash Algorithm HMAC Hashed Message Authentication Code