CERTIFAX 3000 Security Policy Document # 001 Author Neil Witchlow Revision $Revision: 1.14 $ Last Updated $Date: 1999/07/29 16:43:51 $ Certicom Corporation 103-200 Matheson Blvd. West Mississuaga, Ontario L5R 3L7 Creation Date: December 1, 1997 Last Update: July 29, 1999 CERTIFAX 3000 Security Policy i TABLE OF CONTENTS 1 Introduction..................................................................................................................1 1.1 CF3000 Description.............................................................................................1 1.2 CF3000 Operation................................................................................................4 2 Security Policy.............................................................................................................5 2.1 Security Level ......................................................................................................5 2.2 Roles and Services...............................................................................................6 2.2.1 Crypto-Officer Role (“Administrator”) ...........................................................6 2.2.2 CSM Role ........................................................................................................8 2.2.3 FSM Role.......................................................................................................12 2.2.4 User Role .......................................................................................................13 2.2.5 Services Not Requiring a Role.......................................................................15 2.3 Security-Relevant Data Items ............................................................................16 2.3.1 Configuration Settings ...................................................................................17 3 Security Rules ............................................................................................................19 3.1 Operation............................................................................................................19 3.2 Domains.............................................................................................................20 3.3 Mailboxes...........................................................................................................21 3.4 Send....................................................................................................................22 3.5 Print Mailbox .....................................................................................................22 3.6 Zeroize ...............................................................................................................23 3.7 Installation..........................................................................................................23 3.8 General Administration......................................................................................23 3.9 Audit Trail..........................................................................................................24 3.10 User Administration...........................................................................................25 3.11 CO Administration.............................................................................................25 3.12 Security Settings ................................................................................................26 3.13 System Settings..................................................................................................27 3.14 FS1000 Interoperability .....................................................................................27 3.15 Encryption-Free CertiFax ..................................................................................28 4 Service/ROLE vs. SRDI ............................................................................................30 5 End of Document .......................................................................................................32 CERTIFAX 3000 Security Policy ii MODIFICATION HISTORY Rev. Date Changes 0 19980109 Initial draft. Replaces earlier document by K. Smith. 2 19980127 Revised after internal review. 3 19980427 Correction of errata 4 19980525 Correction of errata 5 19980915 Correction of errata 6 19981102 Correction of errata 7b 19990208 Correction of errata, FS1000 information 9 19990302 Correction of errata, FAXBUFF 1.10 Moved document into MKS Si (new revision numbering) 1.11 Corrections for FIPS 140-1 Certification 1.12 Removed ECDSA signature on firmware 1.13 Final corrections for FIPS 140-1 Certification 1.14 19990729 Final corrections RECENT CHANGES • New “encryption-free” functionality • Only one system report can be printed at a time • Modem settings per domain, specified by CO. • Revised SRDI matrix to accommodate FS1000 and FAXBUFF functionality CERTIFAX 3000 Security Policy iii TERMS AND DEFINITIONS CF3000 Certicom’s second generation fax encryptor CO Crypto-Officer; the local “administrator” for the CF3000 unit CSM PC application for managing CF3000 units FS1000 Certicom’s first generation fax encryptor FSM Certification Authority for FS1000 networks ID Identification LCD Liquid Crystal Display PSTN Public Switched Telephone Network DTMF Dual-Tone Multi-Frequency tones used in “tone dialing” CERTIFAX 3000 Security Policy 1 1 INTRODUCTION This document describes the Security Policy for the CertiFax 3000 (CF3000) fax encryptor, as part of the submission for this product towards FIPS-140 certification. The CF3000 is implemented as a multi-chip stand-alone cryptographic module per the definition of FIPS 140-1. The physical cryptographic boundary of the CF3000 is defined by the CF3000’s case. 1.1 CF3000 Description The CertiFax 3000 fax encryptor allows for secure transmission and reception of faxes between any two Group III facsimile devices equipped with the unit. The CF3000 module is inserted between the facsimile device and its telephone network, and operates transparently to the attached fax device, at data rates between 2400 and 14400 bps. Beginning each communication session, the CF3000 executes a public-key X.509 certificate based key negotiation protocol using the Elliptic Curve Cryptosystem (ECC). Both the private and public keys are generated by the module itself and the private key never leaves the module under any circumstances. A secure communication path is established between the calling module and answering module before any critical data is transmitted. Symmetric key encryption is used for data transfer. The module implements the following algorithms: • Elliptic Curve Digital Signature Algorithm (ECDSA – ANSI X9.62) • Elliptic Curve Key Agreement Protocol (MQV2 – ANSI X9.63) • Secure Hash Algorithm (SHA-1 – FIPS 180-1) • Data Encryption Standard (DES – ANSI X3.92-1981) • Triple DES (TDES – ANSI X9.52-1998) • FIPS-approved random number generator (FIPS 186) The CF3000 conforms to FIPS 140-1 Level 3 physical security. The enclosure is tamper resistant, preventing any critical security parameters from being extracted. Physical probing of the module interior will leave clear evidence of tampering. If the module is opened, tamper response circuitry will erase all critical data. Up to 99 secure “domains” (user groups) are supported, where each domain holds its own X.509 certificate, certified by a Certification Authority (CA). Two modules may communicate within a domain only if they both hold a valid certificate for that domain. Thus, each module can participate in up to 99 secure networks. In addition, the CF3000 supports a “CLEAR” domain for communicating with unsecured faxes, and a “PUBLIC” domain for secure but unauthenticated communication with CF3000 units outside the CERTIFAX 3000 Security Policy 2 customer’s network. A FAXBUFF domain is available for use in jurisdictions that prohibit the use of encryption. This domain uses clear, unauthenticated transmission, but enhance confidentiality by storing the fax in a mailbox at the receiving end. An optional mailbox feature stores an incoming fax within the unit until the intended recipient authorizes printing to the attached fax device. The receiving device can be configured to store all incoming faxes that are not addressed to specific mailboxes in a general “domain” mailbox. The CF3000 supports a number of configuration options that allow it to be tailored to the customer’s requirement. Most of these options involve a trade-off between convenience and security. The module will qualify for FIPS 140-1 Level 3 compliance only when specific options are configured. These are documented later. The unit provides an operator interface using text menus, via a 2x16-character LCD display, and a numeric keypad with menu navigation keys. The CF3000 can be administered via this interface, or with suitable configuration, from a PC-based application known as the CertiFax Security Manager (CSM). The CSM can connect to the unit directly via the serial port, or remotely via a dial-up connection to the telco port. The CSM provides a Certification Authority that permits the customer to define domains, and a centralized administration point for the customer’s network of CF3000 units. The FS1000 is Certicom’s first generation fax encryptor. It uses a certificate-based encryption scheme that is different from that of the CF3000. The installed base of FS1000 units includes a small number of customers that have large FS1000 networks. These customers need a way of migrating to the CF3000 without wholesale replacement of existing units. A specially equipped model (the CF3102) is capable of inter-operating with a network of FS1000 units. This model contains an alternative daughter-board that has the hardware needed to participate in the FS1000 secure protocols. A CF3102 is designed to participate simultaneously in both a (new) CF3000 network, and an (existing) FS1000 network. Operationally, it offers complete CF3000-oriented functionality when exchanging faxes with CF3000 units, and appears to be a fully functional FS1000 when exchanging faxes with an FS1000 unit. Administratively, it takes its configuration instructions from the CSM, but will co-operate with an FSM for the purposes of installing, removing or re-certifying FS1000 “groups” (i.e. domains.) The CF3102 is the only CERTIFAX 3000 product that operates in this non-FIPS mode. Physically the CF3102 looks no different from any other CF3000 model. The only way to distinguish between them is to view the model number on the display by using the System Info command on the keypad. Specially-equipped models (denoted by a ‘1’ in the tens position) are intended for use in jurisdictions that prohibit encryption. These models do not contain the DES chip used for CERTIFAX 3000 Security Policy 3 encryption. Such models support only the CLEAR and FAXBUFF domains. These models can exchange faxes with each other, and with regular CertiFax units, using the FAXBUFF domain, which can be installed on a regular unit by the CSM. CERTIFAX 3000 Security Policy 4 1.2 CF3000 Operation The CF3000 acts as an invisible buffer between the fax device and the telephone network. The telephone network line plugs into the Telco port of the unit, and the fax device into the Fax port. This ensures that all outgoing or incoming calls are routed through the CF3000 unit. The unit operates in one of four general modes: Send, Receive, Configure or Test. To send a fax, the user provides authentication, identifies the target domain and optionally a mailbox, and then uses the fax device to dial the call to the receiving fax. Depending on the security settings, some or all of these parameters can be built into the dialing sequence output by the fax device. Once the call is placed, the sending CF3000 isolates its fax device from the receiving one while it establishes a secure session with the receiving CF3000. Fax information is then relayed from the sending fax device to the receiving CF3000, via the sending CF3000. The receiving CF3000 either relays the fax transmission to the receiving fax device, or stores it in a mailbox for later pickup. The unit will receive incoming fax calls without operator action. The incoming fax is relayed through to the attached fax device, or stored in a mailbox for later retrieval. The CF3000 unit will periodically run diagnostic checks when idle. It will also test its telco and fax ports to ensure that it is connected to the network and/or fax device. The unit can be administered locally by the crypto-officer, using either the keypad/menu interface, or the CSM attached to the local serial port. If so configured, it will also accept incoming calls from the CSM over the telco port. The unit does not originate calls to the CSM. CERTIFAX 3000 Security Policy 5 2 SECURITY POLICY 2.1 Security Level In many areas, the CF3000 design meets the requirements for the highest FIPS security rating, namely FIPS PUB 140-1 Level 4. However, its physical design and software implementation result in an overall rating of Level 3. Table 1 shows the highest security level attainable by this design, for each of the eleven sections of the FIPS requirement. FIPS Requirement Section Level Cryptographic Module 3 Module Interfaces 3 Roles and Services 3 Finite State Machine 3 Physical Security 3 Software 3 Operating System Security N/A Key Management 3 Cryptographic Algorithms 3 EMI/EMC 3 Self-Tests 4 Table 1: FIPS 140-1 Security Level Specification for the CF3000 CERTIFAX 3000 Security Policy 6 2.2 Roles and Services The CF3000 supports the following roles and services: 2.2.1 Crypto-Officer Role (“Administrator”) The Crypto-Officer is responsible for initializing the CF3000 unit, and configuring it. Configuration includes security settings, system settings, access control. Configuration can be delegated to the CSM. 2.2.1.1 Crypto Officer Services The following services can be invoked by the Crypto-Officer, after providing proper authentication: CO Authentication Providing identity and password, in order to secure access to the other services listed in this table. Inputs: CO ID and PIN Outputs: Access to desired function. Initialize Module A step in the installation process, where the CO is prompted to enter the new CO password, and specify whether a CSM is to be used. Inputs: Fax receiving device attached to Fax port, Network attached to Telco port, New PIN for CO 1, New PIN re-entered for verification, Selection re enabling CSM Access. Outputs: Initialized local database. Initiate CSM Serial Port Access Instruct the unit to await connection to a CSM via the serial port. Inputs: CO Authentication, CSM performing “Connect Request” attached to the serial port. Outputs: CSM session over serial port. CERTIFAX 3000 Security Policy 7 Initiate FSM Serial Port Access Instruct the unit to await connection to a FSM via the serial port. (CF3102 only) Inputs: CO Authentication, FSM performing “Connect Request” attached to the serial port. Outputs: FSM session over serial port. Print Log Print recent log entries to the attached fax device. Inputs: CO Authentication, Fax receiving device attached to Fax port. Outputs: Logs delivered to fax device. Print Reports Print one of several system reports to the attached fax device. Inputs: CO Authentication, Fax receiving device attached to Fax port. Outputs: Reports delivered to fax device. Zeroize Unit Destroy the database key, rendering stored data unusable. Inputs: CO Authentication. Outputs: Destruction of database key. Reset Defaults Return all configuration settings to the “factory” defaults. Inputs: CO Authentication. Outputs: Updated database settings. In addition, the CO may also invoke the following services described elsewhere: Module Configuration Services (see page 10.) CERTIFAX 3000 Security Policy 8 2.2.2 CSM Role The CSM is an optional accessory that lets a customer (a) create and install private domains and (b) manage a network of CF3000 units using a graphical user interface. The CSM can be connected via a cable attached directly to the CSM serial port, or via a dial- up connection over the telephone port. 2.2.2.1 CSM Services The following services can be invoked by the CSM: Initial Certification Establish the relationship between the unit and a specific CSM. No other CSM will be given access to the unit. Inputs: CO Authentication, CSM performing “Initial Certification Request” attached to the serial/Telco port. Outputs: CSM relationship established. Establish Local or Remote Session Establish a secure and authenticated session over the indicated connection (serial port or dialup) as a pre-requisite to accessing the other services in this table. Inputs: Case 1: CO Authentication, Indication of serial port for CSM Connection, “CSM Connection Request” on serial port. or Case 2: Incoming call from CSM on Telco port Outputs: Secure CSM session established. Install/Re-certify Domains Install a new domain on the unit, or re-certify an existing domain. Inputs: Authenticated CSM session, Domain install/re-certify request. Outputs: Updated local database. Remove Domain Remove a domain from the unit. Inputs: Authenticated CSM session, Domain removal request Outputs: Updated local database. CERTIFAX 3000 Security Policy 9 Create/Delete COs Create new COs, or delete them from the unit. Inputs: Authenticated CSM session, CO create/remove request Outputs: Updated local database. Replace Firmware Download updated/upgraded firmware to the unit. Inputs: Authenticated CSM session, Firmware replacement request. Outputs: Updated local firmware. Note: This service is not a FIPS 140-1 approved mode. Extract Logs Transfer log file entries to CSM for archival purposes. Inputs: Authenticated CSM session, Extract Logs request. Outputs: Updated log pointers, logs transmitted. Enable/Disable FS1000 Enable/disable FS1000 Interoperability (CF3102 only.) Inputs: Authenticated CSM session, Enable FS1000 request. Outputs: Updated local database. FS1000 User Permissions Enable/disable FS1000 groups access for individual users. (Only if FS1000 interoperability is enabled.) Inputs: Authenticated CSM session, FS1000 User Permissions request. Outputs: Updated local database. In addition, the CSM may also invoke the following services described elsewhere: Module Configuration (see page 10.) CERTIFAX 3000 Security Policy 10 2.2.2.2 Module Configuration Services The following services can be invoked by both the Crypto-Officer and the CSM: Enable/Disable Domain Enable or disable a specific domain. Inputs: Authenticated CO/CSM session, Domain enable/disable request. Outputs: Updated local database. Create/Remove/Change User Create or remove user, or change ID, PIN, Name, Domain Permissions, and/or Mailbox attributes Inputs: Authenticated CO/CSM session, User create/remove/change request. Outputs: Updated local database. Enable/Disable CO Enable or disable another CO. Inputs: Authenticated CO/CSM session, CO disable request. Outputs: Updated local database. Change Security Settings Change configuration options that affect security features. Inputs: Authenticated CO/CSM session, Security setting change request. Outputs: Updated local settings. Change System Settings Change configuration options that affect other system features. Inputs: Authenticated CO/CSM session, System setting change request. Outputs: Updated local settings. Change Log Settings Change configuration options that affect the Log feature. Inputs: Authenticated CO/CSM session, Log setting change request. Outputs: Updated local settings. CERTIFAX 3000 Security Policy 11 Enable/Disable CSM Access: Disallow or allow remote CSM access. Inputs: Authenticated CO/CSM session, CSM Access disable request. Outputs: Updated local settings. Change Admin PIN: Change the CO password. Inputs: Case 1: CO Authentication, New CO PIN (twice) or Case 2: Authenticated CO session, Change Co PIN request. Outputs: Updated local database. Un-initialize Module Permanently remove all content, keys, etc. and return all settings to the original “out-of-box” values. Inputs: Authenticated CO/CSM session, Uninitialize module request. Outputs: Cleared settings and database. Disable Unit Enable or disable access to end-user services. Inputs: Authenticated CO/CSM session, Disable unit request. Outputs: Updated local settings. Modem Settings Display and/or alter modem settings. Inputs: CO Authentication Selected domain. Outputs: Information displayed on LCD, and/or revised modem settings CERTIFAX 3000 Security Policy 12 2.2.3 FSM Role The FSM is the certification authority for the first generation fax encryptor (FS1000.) The CF3102 supports interworking with established FS1000 networks. The FSM is the certification authority for the FS1000 network. The FSM connects to the CF3102 via a cable attached directly to the CSM serial port. 2.2.3.1 FSM Services The following services can be invoked by the FSM: Establish Local Session Establish a secure and authenticated session over the indicated connection (serial port or dialup) as a pre-requisite to accessing the other services in this table. Inputs: CO Authentication, Indication of serial port for FSM Connection, “FSM Connection Request” on serial port. Outputs: Secure FSM session established. Install/Re-certify FS1000 Groups Install a new FS1000 group on the unit, or re-certify an existing group. Inputs: Authenticated FSM session, Group install/re-certify request. Outputs: Updated local database. Remove Group Remove an FS1000 group from the unit. Inputs: Authenticated FSM session, Group removal request Outputs: Updated local database. Enable/Disable Group Enable or disable a specific FS1000 group on the unit. Inputs: Authenticated FSM session, Group enable/disable request Outputs: Updated local database. CERTIFAX 3000 Security Policy 13 2.2.4 User Role The operator in the user role is using the CF3000 primarily to send clear or secure fax messages. (No end-user action is required to receive faxes.) There are other related services, such as printing a received fax from a mailbox. 2.2.4.1 User Services The following services are available from the user role: User Authentication Providing user identity and/or password (as per Access Level settings) in order to access to the other services listed in this table. Inputs: UserID, User PIN Outputs: Access to all other user services Clear Send Send a non-encrypted fax to a destination outside of the customer network. Inputs: Authenticated user, Domain 0 (Clear) Incoming fax call on Fax port Outputs: Outgoing fax call on Telco port Mailbox Send Send a secure fax to a specific user mailbox at another destination within the customer network. Inputs: Authenticated user, Any secure domain1 , Target mailbox number, Incoming fax call on Fax port Outputs: Outgoing fax call on Telco port 1 Excludes FS1000 groups, which do not support mailboxing. CERTIFAX 3000 Security Policy 14 Domain Send Send a secure fax to another destination within the customer network. (The fax may or may not be mailboxed according to settings at the receiving end.) This may involve the FS1000 protocol, if so configured by the CSM. Inputs: Authenticated user, Any secure domain, Incoming fax call on Fax port Outputs: Outgoing fax call on Telco port Print User Mailbox Print messages being held in a user mailbox. Requires ID and PIN, regardless of Access Level setting. Inputs: Authenticated user. Outputs: Outgoing call on Fax port, to print messages. Print Domain Mailbox Print messages being held in a domain mailbox. Inputs: Authenticated user, Any secure domain (for which user has permission). Outputs: Outgoing call on Fax port, to print messages. Emergency Zeroize Voluntarily destroy the database key, rendering all stored information useless. (This is independent of the similar function available to the CO.) Inputs: Authenticated user. Outputs: Disabled unit. Change User PIN Change the password associated with a specific user. Requires ID and PIN, regardless of Access Level setting. Inputs: Authenticated user, New PIN, New PIN again for verification purposes. Outputs: Updated PIN. CERTIFAX 3000 Security Policy 15 2.2.5 Services Not Requiring a Role The following services are available to all users without requiring a specific role. Reset Print/Connect Alarm Reset an alarm raised by failure of a print function or connect audit function. Inputs: ESC key Outputs: Cancelled alarm Run Tests A set of tests to be individually selected and executed, with results noted on display and in log file. Inputs: Selected test (or ALL tests) Outputs: Test results displayed on LCD System Info A sequence of displays showing hardware/firmware identification and memory configuration. Inputs: None Outputs: Information displayed on LCD Display Last Error Display the last error code to be detected, if any. Inputs: None Outputs: Information displayed on LCD Check Connections Initiate connection audit. Inputs: None Outputs: Information displayed on LCD CERTIFAX 3000 Security Policy 16 2.3 Security-Relevant Data Items The following list explains each security-related data item used or affected by the above services. SRDI Description X.509 An X.509 domain certificate that contains the domain information, Digital Signature Algorithm Identifier, and CA Digital Signature of the domain information. Also used for FS1000 group certificates. DomPrivKey The private key of the domain. DomPubKey The public key of the domain. SessionKey The symmetric session key that is derived for secure communication. RandomSeed The seed used for random number generation. DatabaseKey The key used to encrypt all stored information, including settings and the session keys used to encrypt stored messages. MfrPubKey Certicom public key used to verify signature on firmware image. OperPIN The PIN (user or administrator) entered by the operator during authentication. OperInfo The information pertaining to a particular operator (CO vs. user, display name, PIN, permitted domains, mailbox indicator) DomPerms Domain Permissions for the current user. Includes FS1000 group permission. DomInfo Domain information: display name, enabled indicator. CLRSend Setting indicates if bypass is permitted on send operation CLRReceive Setting indicates if bypass is permitted on receive operation. FS1000 Enable Setting indicates if FS1000 functionality (of a CF3102) is to be enabled. FS1000 Inverse The inverse (in the ring) of the group private key, used for computing fast signatures that are needed in the FS1000 transport protocol. CERTIFAX 3000 Security Policy 17 2.3.1 Configuration Settings These settings control the operation of the CF3000. A special indication is used for items that must have a specific setting in order to qualify for the overall FIPS 140-1 Level 3 approval. These configuration settings can only be set/modified by an authenticated CO or CSM. Item Description Level-3 Access Level How much authentication (0=none, 1=PIN only, or 2=ID+PIN) is required for access to end-user functions. N.B. Must be ‘2’ for FIPS 140-1, Level 3 operation. 2 Dialstring Authentication Boolean. True permits authentication information may be entered via number dialed by fax device. N.B. Must be false for FIPS 140-1, Level 3 operation. false Authentication Timeout For send operations, the maximum length of time system will wait after keypad operations are complete before fax call is dialed by the fax device. any Allow Clear Send Boolean. If false, the unit cannot be used to send unsecured faxes. (i.e. the CLEAR domain will not be available for SEND operations.) any Allow Clear Receive Boolean. If false, the unit cannot be used to receive unsecured faxes. (i.e. the CLEAR domain will not be available for RECEIVE operations.) any Default Domain The domain which will be used if the operator does not explicitly choose one. It is also the initial offering when the operator is presented with a list of domains. any End-User Zeroize Boolean. If true, an “emergency zeroize” function is available to end-users. any Secure Banner Boolean. If true, a security notice is appended at the end of each printed fax document. any CERTIFAX 3000 Security Policy 18 Alpha Security Indicator Boolean. If false the security notice that appears in the header strip will contain only numeric digits any Auto Print Log Boolean. If true, the log will automatically be printed to the attached fax device when approximately one-page’s worth has accumulated. any Log Archiving Boolean. If true, the log data will not qualify for being overwritten until it has been collected by the CSM. any Buzzer Boolean. If true, the buzzer will be sounded (a single beep) upon successful transmission of a fax. any Auto Print Test Page Boolean. If true, the power-on test sequence includes printing a test page to the attached fax device. any Local Administration Allowed Boolean, settable only from the CSM. If false, the local administrator is not permitted to change any system settings. any Language Determines the language to be used in text produced by the system. One of French or English. any Diagnostic Period Minutes of inactivity after which diagnostic test suite is executed. Zero indicates feature is disabled. N.B. Must be > 0 for FIPS 140-1, Level 3 operation. non-zero Connection Audit Period Minutes of inactivity after which connection audit test suite is executed. Zero indicates feature is disabled. any Admin Session Timeout Number of seconds of inactivity after which crypto-officer session is terminated. any FS1000 Interoperability Enabled Boolean, settable only from the CSM, for selected models. If true, unit will be capable of accepting group certificates from an FSM, and exchanging faxes using the FS1000 protocol. (This mode is only available with the CF3102 model number.) any CERTIFAX 3000 Security Policy 19 3 SECURITY RULES This section documents the security rules enforced by CF3000 to implement the security requirements of FIPS 140-1. Note that in many cases, the design meets the requirements for Level 4 approval, but the overall target is Level 3 because of physical design and operating system choices. Each rule has a unique mnemonic identifier enclosed in square brackets, and the rule itself appears in italic font. The value in parentheses is the ID of the transition that implements this rule, according to the accompanying Finite State Machine description. Some rules may be accompanied by additional information in plain font. Rules have been grouped into headings for review purposes. 3.1 Operation [OP-POWERUP1] The unit performs diagnostic tests on power up. During these tests, the modems are held in reset to inhibit data output. If a fault is detected, the unit enters an error state, holds the modems in reset to prevent data output, and remains inoperative. (A18) The tests performed include: • A “known answer” cryptographic algorithm test for each of encryption, decryption, and signing/verifying. • Verification of the CRC of the firmware image. • A test of critical hardware such as the DES chip, and the real-time clock. • Statistical random number generator tests specified by FIPS 140-1. [OP-CONDTEST1] Each of the tests performed on power up can also be invoked on demand. Modem control during testing and error state are as described above. (D9) [OP-CONDTEST2] In addition, the following tests can be performed on demand. Modem control during testing and error state are as described above. (D9) • A pairwise consistency test for public and private keys • A test of other hardware components including the LCD display, keypad keys, buzzer and lamp. • A test of telephony interface functions (Modem Response, Loopback, Relays, DTMF Detection, Loop Current) • A test of module memory (RAM, D/B Flash, M/B Flash, Firmware) [OP-TESTPAGE] The unit can be configured to print a test page to the attached fax device on successful completion of the power-up tests. (A31) CERTIFAX 3000 Security Policy 20 [OP-DIAG] The unit will periodically perform diagnostic checks after a configurable period of inactivity, to ensure that the unit remains in operable condition. (A6) [OP-CONNECT] The unit will periodically check that it is connected to a fax device and network, after a configurable period of inactivity, to ensure that the unit remains in operable condition and in service. (A6) [OP-SINGLE] The unit is engaged in at most one activity at any one point in time. (General assertion). After power-up, the system enters the idle state. Activity will be generated in response to one of operator input, internal timer or incoming call detection events. Once the unit is engaged in some activity, events not involved with that activity are ignored. [OP-IDLE] After each activity, the unit returns to the idle state. (A3 et al.) [OP-MENU] When idle, use of any of the keypad keys will launch the Menu activity, preventing the unit from responding to other inputs or requests. (A14) The operator can navigate a set of menus, potentially launching another activity. [OP-COMMANDS] As an alternative to navigating a menu tree, the operator can use a shortcut to directly launch selected activity. (D0) This implicitly terminates the current activity, if there is one. [OP-PROMPT1] Input prompts require the operator to take some action. The prompt is displayed until input is given, or the task times out. (D25) The time-out duration may vary from task to task. [OP-PROMPT2] Transient prompts are used to display information that does not require user reaction. (Assertion) A transient prompt normally lasts 3000 milliseconds, and is then followed by another transient prompt or input prompt. However, transient prompts may also be used to report real-time changes in status, in which case the prompt may be replaced whenever the underlying status changes. 3.2 Domains [DOMAIN-1] Two units can exchange secure faxes only if they share a domain (a certificate given by a common certification authority, or use the PUBLIC domain.) (E8,[]) Domains are identified internally by a 16-character domain name, and are designated by the operator using a two-digit code. Each unit can currently support up to 99 customer-defined domains. [DOMAIN-00] Domain code 00 is reserved for the CLEAR (bypass) domain. (CSM.) [DOMAIN-99] Domain code 99 is initially used for the PUBLIC domain shipped with the unit. However, the customer may remove this domain and reassign the code 99 to a customer-defined domain. (CSM) CERTIFAX 3000 Security Policy 21 [DOMAIN-CSM] The CertiFax Security Manager (CSM) is used to create customer- defined domains, and install these domains on selected CF3000 units. (CSM) [DOMAIN-ENABLE] The CO can enable or disable any user-accessible2 domain that is installed on the unit. However, only the CSM can install new domains on the unit. (P4,P12,E17) 3.3 Mailboxes [MAILBOX-FEATURE] The unit can optionally be equipped with mailbox capability, in one of several capacities. (Assertion) [MAILBOX-NOTIFICATION] When a new message is stored in a (user or domain) mailbox, a notice is printed to the attached fax device. (A23) The notice identifies the mailbox, date, time, and total number of pages waiting (which includes earlier unprinted faxes.) [MAILBOX-USER] Each user ID can be selectively given a User Mailbox. (P6) This means that users at other locations can send secure faxes addressed to this specific user ID. [MAILBOX-DOMAIN] Each user-accessible3 domain (other than CLEAR) can be selectively given a Domain Mailbox. (P4) When a domain is granted a mailbox, all incoming faxes using this domain (excluding those addressed to a User Mailbox) are stored in the domain mailbox. A notification page is generated. Any user who is authorized to send using this domain can authorize the printing from the domain mailbox. Establishing a domain mailbox is strictly a local decision, and does not require the knowledge or cooperation of the sender. [MAILBOX-USER-DOMAIN] If an incoming message is addressed to a particular user mailbox, but that user does not have permission to use the domain selected by the sender, the transmission will be disallowed. (E13,E14) [MAILBOX-OVERFLOW] The unit will stop accepting new messages into mailboxes when the storage capacity is exhausted. (E13,E14) The unit will display a status message to this effect. [MAILBOX-DELETION] Deleting the user or domain from the unit will delete the associated mailbox, together with any messages stored in the mailbox. (P4,P6) 2 This term was chosen to exclude the CSM domain that authenticates and secures CSM access. 3 This term was chosen to exclude the CSM domain that authenticates and secures CSM access. CERTIFAX 3000 Security Policy 22 3.4 Send [SEND-AUTH] In order to send a fax, the user must be authenticated to the specified Access Level. The authentication can be entered via the keypad. If permitted by configuration rules, the authentication information can alternatively be entered via the dialstring. (F16,F2,F3) [SEND-DOMAIN] In order to send a secure fax, the user must accept the default domain, or specify a domain via the keypad or dialstring. (F3) [SEND-DOMAIN-PERMS] In order to send a secure fax, the user must have permission to use the selected or implied domain. (F3) [SEND-MAILBOX] A (secure) fax may optionally be sent to a specific user mailbox at the receiving site, by inclusion of a “mailbox” parameter. The validity of this parameter cannot be determined until the transmission is attempted. The receiver will terminate the transmission if the requested user does not exist, is disabled, does not have mailbox capability, or does not have permission to use the domain selected by the sender. (E13,E14) [SEND-PARMS-CONFLICT] If a send parameter is entered via the keypad interface, the dialstring must not include parameters. (F16) [SEND-DIALSTRING-EXTRANEOUS] The send operation will fail if the dialstring contains extraneous parameter information. (F16) [SEND-CLEAR] In order to send a fax to a non-secure device, the user will need to select the CLEAR domain. The CO determines if this domain is available. (F2,P4) [SEND-DOMAIN-DEFAULT1] There is a default domain specified for the unit. The keypad interface will normally offer this domain as the default domain. This domain will be used if the user does not explicitly select a domain (P20,F2,F3) [SEND-DOMAIN-DEFAULT2] The keypad interface will offer the user the default domain specified for the unit, unless this domain is not valid for the user, in which case the interface offers the lowest numbered valid domain. (I2,J2) [SEND-AUTHTIMEOUT] After entering authentication information and send parameters, the unit will wait for a configurable time for the attached fax device to dial the actual call. The send operation is terminated if the call does not begin within this period. (K6,J4) 3.5 Print Mailbox [PRINT-DOMAIN] In order to print the contents of a domain mailbox, the user must be authenticated to the specified Access Level. The interface will only offer the user those domains which (a) have mailboxes (b) have pages waiting and (c) for which the user has permissions. (L2,L4) CERTIFAX 3000 Security Policy 23 [PRINT-USER] In order to print the contents of their personal mailbox, the user must provide ID and PIN, independent of the setting of Access Level. (M2) [PRINT-OPERATION] Printing a mailbox will cause all waiting pages to be printed, oldest first. Each document is deleted from storage as the local unit acknowledges receipt. (M3,L5) [PRINT-RECOVERY] Standard fax protocol allows the unit to re-transmit any page that is not properly received by the fax device. If this is unsuccessful, the unit sounds an alarm, and the operator will have a choice of Retry Printing (from start of current document), Purge Document or Cancel Printing. (L5,M3) Cancel Printing is assumed if no input is forthcoming. 3.6 Zeroize [ZEROIZE] If so configured via the CO, the user may voluntarily zeroize the unit. The user must authenticated to the level specified by Access Level. (N2) Independent of this setting, there is a CO function to zeroize the unit. 3.7 Installation [FIRST-USE] Initialization is performed on first power-up, after startup tests, and includes: update the random seed, install the PUBLIC domain; prompt for administrator PIN, prompt for initial setting of CSM Access (enable or disable.) (A16) [INITIAL-CERT1] Initial certification establishes control of a unit by a specific CSM. Only the CSM that performs the Initial Certification of the unit may administer the unit. (E6) [INITIAL-CERT2] Initial certification must be initiated by the local CO. It can occur via a dialup connection or by direct connection to the serial port. The certification session itself is encrypted using the PUBLIC domain installed during initialization) but is not authenticated. (P10) All subsequent contact between the CSM and the unit is encrypted and authenticated using keys exchanged during the initial certification session. 3.8 General Administration [LOCAL-CONTROL1] The CSM cannot assume control over a unit without an explicit action at the unit by the CO. (P10) The unit must be placed into “Initial Cert” for the initial CSM contact. [LOCAL-CONTROL2] The CO retains the ability to disable CSM access if and only if the CO has not been disabled by the CSM (see [CSM-CONTROL1]). (P20) This action is appropriate if the CSM is believed to have been compromised. CERTIFAX 3000 Security Policy 24 [CSM-CONTROL1] The CSM can disable any or all CO-s, thus taking exclusive control over a unit if and only if the CSM has not been disabled by the CO (see [LOCAL- CONTROL2]). (E17) [ADMIN-AUTH] The CO must provide both ID and PIN to gain access to local administration functions. (P2) Access is via the Configure menu. [ADMIN-EXIT] The CO session will continue until the Configuration menu is exited, or an inactivity timer expires. (P1) [ADMIN-REPORTS] The CO can print one of several reports to the attached fax device. These include a system status report, a mailbox status report, a list of available user mailboxes, and a list of available domains. (P24) [ADMIN-ZEROIZE] The CO can voluntarily zeroize the unit, rendering any stored contents useless. The unit will require re-manufacture before it can be used again. (P14) Some customers will prefer to do this prior to returning the unit to Certicom for service. [ADMIN-RESET] The CO can reset all system settings to the factory default. (P22) [ADMIN-UNINITIALIZE] The CO can voluntarily un-initialize the unit. This action will permanently remove all content, keys, etc. and return all settings to the original “out-of- box” values. (P16) The process takes about one minute to complete. It is appropriate if the unit is to be taken out of service, possibly in preparation for re-deployment in another location or network. Note that for the CF3102, the MOBIUS group is permanently removed. The only way to restore this group is to return the unit for re-manufacture. [ADMIN-MAINTENANCE] The CO can initiate any of several diagnostic tests. (D9) These include various Crypto, Telephony, Memory and Interface tests. [ADMIN-DISABLEUNIT] The CO can temporarily disable a unit, preventing it from providing any service to the user role. (P20) Administration functions and CSM access remain available. 3.9 Audit Trail [LOG] All important events and transactions are recorded in a log file, which can be printed via the attached fax device, and/or collected by the CSM. (Assertion.) [LOG-AUTO-PRINT] The CO can arrange to have the log automatically printed to the attached fax device. (P20) Printing occurs when a page’s worth of activity has occurred. This provides a continuous hard-copy local record of activity. [LOG-PRINT] The CO can print the most recent log entries on demand. (P18) This does not affect Auto Printing. CERTIFAX 3000 Security Policy 25 [LOG-ARCHIVE] The CO can specify that all log files are to be kept until collected by the CSM for archiving purposes. (P20) This ensures that a continuous soft-copy record is kept at the CSM. [LOG-OVERFLOW] The unit will not overwrite a log entry until it has been collected by the CSM (if Archiving is enabled.) (Assertion.) If the buffer becomes full, the unit will stop accepting new transactions. This ensures the record of activity provided by Auto- Printing and/or Archiving is complete and continuous. 3.10 User Administration [USER-OPTIONAL] Users need only be defined if (a) the Access Level is 2, or (b) an individual requires a personal mailbox. (Assertion.) [USER-UNIQUEID] A user is identified by a 1-8 digit number that is unique across units. The number 0 is not a valid ID. (P6,CSM) [USER-NAME] A user has a 16-character text name. (P6,CSM) This consists of upper- case ASCII characters, plus selected special characters (space, hyphen apostrophe.) [USER-PIN] A user has a numeric PIN (3-8 digits). This PIN is never displayed or printed. To guard against undetected access to the user account, the CO may change the PIN but may not determine its current value. (P26,CSM) [USER-ENABLED] The CO may disable a user ID, preventing the user from taking any action that requires user authentication. (P6) [USER-MAILBOX] If the unit supports mailboxing, the CO may grant/revoke the user the ability to have messages stored in a mailbox. (P6,CSM) Revoking this privilege prevents the reception of new message into the mailbox, but does not affect the ability to print messages that are already received. [USER-DOMAINS] The user must be given explicit permission to use each domain. (P6,CSM) A newly created user does not have permission to use any domains. A newly installed domain is initially disabled for all users. 3.11 CO Administration [CO-ID] Each CO is identified by a 1-8 digit number that is unique for the unit only. The number 0 is not a valid CO ID. (CSM) [CO-NAME] A CO has a 16-character text name. (P8,CSM) This consists of upper-case ASCII characters, plus selected special characters (space, hyphen apostrophe.) [CO-PIN] A CO has a numeric PIN (3-8 digits). This PIN is never displayed or printed. To guard against undetected access to the unit, the CSM may change the PIN but may not determine its current value. (P28,CSM) CERTIFAX 3000 Security Policy 26 [CO-DEFAULT] As shipped from the factory, the unit has a single CO with ID “1” and name “ADMIN1”. (Assertion.) [CO-PIN-INITIALIZE] The CO is forced to change the PIN for CO “1” as part of the initialization process. (H0) This guards against an attack using the default CO PIN. [CO-ENABLED] The CO may disable any other CO, but not him/herself. (P8) [CO-MULTIPLE] A unit can support up to 8 CO-s. (CSM) Additional CO-s are defined using the CSM. Only the CSM can create or delete CO-s. [CO-LAST] The CSM is not permitted to delete the last CO of a unit. (CSM) 3.12 Security Settings [SECURITY-ACCESS-LEVEL] The CO determines the level of authentication required for the user role. (P20) Level 2 requires both ID and PIN; Level 1 is PIN only and Level 0 requires no authentication. When the Access Level is 1, the CO specifies the (single) PIN to be used by the user role. N.B. This setting must be “2” to qualify for FIPS 140- 1 Level 3. [SECURITY-DIALSTRING] The CO determines if authentication information (ID and/or PIN) may be entered via the digits dialed by the attached fax device. (P20) N.B. This setting must be false to qualify for FIPS 140-1 Level 3. [SECURITY-AUTH-TIMEOUT] The CO determines how long the unit waits after completion of keypad input before the fax device must place the call. (P20) The value is in the range of 1-999 seconds, default 90 seconds. [SECURITY-ALLOW-CLEAR-SEND] The CO determines if end-users are permitted to send unencrypted faxes to devices that are not equipped with CF3000 units. (P20) [SECURITY-ALLOW-CLEAR-RECEIVE] The CO determines if end-users are permitted to receive unencrypted faxes from devices that are not equipped with CF3000 units. (P20) [SECURITY-DEFAULT-DOMAIN] The CO can specify the default domain to be used for Send operations, to be used in the absence of operator input. (P20) [SECURITY-USER-ZEROIZE] The CO determines if emergency zeroization is available to the user role. (Zeroization is always available to the CO role.) (P20) [SECURITY-SECURE-BANNER] The CO determines whether secure faxes are to have the original calling station ID replaced with a security indication. (P20) Actual display of this calling station ID is up to the attached fax device. Some units display this information on an LCD and/or in the transmission log; many print it together with date- time and page number on the “header strip” that appears at the top of each printed page. CERTIFAX 3000 Security Policy 27 [SECURITY-DIAGNOSTIC-PERIOD] The CO determines how frequently an idle unit will perform self-diagnostic tests. (P20) The default is 60 minutes, but may be any value between 0-9999 where 0 implies “do not test.” N.B. This setting must be set to a non- zero value to qualify for FIPS 140-1 Level 3. [SECURITY-CONNECTAUDIT-PERIOD] The CO determines how frequently an idle unit will perform a connection audit. (P20) The default is 60 minutes, but may be any value between 0-9999 where 0 implies “do not test.” [SECURITY-ADMIN-TIMEOUT] The CO determines the number of seconds of inactivity which will cause the CO session to terminate. (P20) The range is 1-999 seconds, with a default of 90. 3.13 System Settings [SETTING-OTHER] Other settings control: Auto-Printing of Log, Trace Information in Log, Print Test Page on Startup, Prompt Language, Use of Alphanumeric Text in Security Indicator. (P20) [SETTING-LOG-ARCHIVE] The CSM determines whether log entries should be kept until collected by the CSM. (P20) 3.14 FS1000 Interoperability [FS1000-ENABLING] Only selected models (CF3100-series) have the hardware needed to interoperate with FS1000 units. This capability is not expressed until it is specifically enabled. (E2,F25) Only the CSM can enable this capability. (E17) The capability can be enabled only if it is permitted by the license file provided by Certicom. (CSM) [FS1000-RESERVED-CODES] For CF3100-series units, domain codes 90-94 are reserved, and may not be used for private domains. This is true even if FS1000 Interoperability is disabled. (F4) These codes will be used by end-users to designate groups 0-4 for Secure Send operations: Group 0 – Domain 90 Group 1 – Domain 91 Group 2 – Domain 92 Group 3 – Domain 93 Group 4 – Domain 94 [FS1000-INIT-CERT] Certification for the FS1000 communications is performed by the Fax Secrets Manager (FSM) through the serial interface of the CF3102. The local administrator must first place the unit into FSM connection mode before the serial interface is used by the CF3102. (P30) [FS1000-RECERT] Once an FSM has installed an FS1000 certificate (using the serial port) it can subsequently delete, re-certify or disable the certificate using either the serial CERTIFAX 3000 Security Policy 28 port, or by calling the CF3102. (P30,E31) The exchange is encrypted using the existing certificate. N.B. This function is not yet implemented. [FS1000-FSM-ACCESS] The local administrator can prevent the unit from accepting a call from any FSM by disabling FSM access. (E31) This does not disable access by the CSM. N.B. This function is not yet implemented. [FS1000-SEND] To send a fax to an FS1000 Destination, the CF3102 user simply selects the appropriate domain code for the destination. If the domain code selected by the user corresponds to one of the FS1000 groups, the unit will initiate the FS1000 send protocol for the transmission. (F25) The user need not “do” anything special, and may indeed be unaware of any special treatment being accorded this transmission. Note that even though the FS1000 protocol is used for the actual transmission, the CF3102 continues to offer CF3000-level functionality, such as dialstring validation, that is not available to FS1000 users. [FS1000-USER-PERMS] When configured for Access Level 2, the user must have explicit permission in order to send using an FS1000 group. (F3) Users have a single enable/disable status which, when enabled, allows access to any FS1000 group that is available on the unit. The User indicates the selection by using the domain code that corresponds to the group. [FS1000-RECEIVE] No user action is necessary to receive a fax from an FS1000- equipped location. When the FS1000 send attempt is detected the CF3100 engages the FS1000 receive protocol. (E35) Once the group is authenticated, fax reception proceeds. (E22,E27) [FS1000-PROTOCOL] The Fax Secrets protocol implements Certicom proprietary encryption algorithms. The signature scheme is El Gamal like, and the key exchange is Diffie-Hellman like. (Assertion) These protocols and the stream cipher are described in the CF3000 Functional Specification, and in full detail in "Response to CSE - Annex A of A282-6,R2/376-93" by Ashok Vadekar (1994). 3.15 Encryption-Free CertiFax [FAXBUFF-MODELS] Several models will be prepared without DES encryption hardware, and with a special firmware compilation which omits all encryption functionality. (Assertion) Such models are suitable for deployment is jurisdictions that prohibit encryption. [FAXBUFF-INITIALIZATION] On manufacturing power-up, an encryption-free model will detect the absence of encryption hardware, and prepare for encryption-free operation. (Assertion) This action creates and installs a FAXBUFF domain as domain code 98, with mailboxing enabled by default. An encryption-free CertiFax supports only the CLEAR and FAXBUFF domains – the PUBLIC domain is not installed in these units. CERTIFAX 3000 Security Policy 29 [FAXBUFF-INTERWORK] A CSM can install the FAXBUFF domain on a regular CertiFax model, in any non-reserved domain code. (E17) [FAXBUFF-CERTIFICATE] When sending or receiving using the FAXBUFF domain, the unit does not attempt to authenticate the certificate received from the other unit. (E36,F33) This action is unnecessary, because the certificate is self-created; also, the required cryptographic functions are not available. [FAXBUFF-TRANSMISSION] Actual transmission using the FAXBUFF domain occurs in the clear. (E37,F34) [FAXBUFF-INTERLOCK] Two encryption-capable CertiFax units will be prevented from transmitting a fax using the FAXBUFF domain. (E12,F12) The tags contained in the certificate from the other unit will allow a regular CertiFax to determine if it is dealing with another regular CertiFax unit. If this is the case, the transmission is terminated. [FAXBUFF-CSM] An encryption-free CertiFax cannot be administered by a CSM. It does not support the cryptography needed to secure this connection. (E17) CSM-related functions may still appear in the menu structure, but these will not be effective. CERTIFAX 3000 Security Policy 30 4 SERVICE/ROLE VS. SRDI The table shown on the following pages serves two purposes: 1. It shows the role or roles in which a particular service is available. 2. It shows which Security-Relevant Data Items (SRDIs) are used and/or altered by each service. The table is explained as follows: • The rows of the table are each of the services offered by the CF3000, grouped into one of several categories. These are CO, CSM, Module Configuration, User and Unauthenticated User services. Services are listed by name in the major column labeled “Service”. A description of each service can be found in section 2.2. • The next set of columns, grouped under the label “Roles”, identify each of the four roles provided by the CF3000. An “X” in one of these columns indicates that the particular service is available under the role. Roles are also described in section 2.2. • The final set of columns, grouped under the label “SRDI-s”, identify each of the security-related data items provided by the CF3000. A symbol in one of these cells indicates that the particular SRDI is accessed by the service. The nature of the access is one of: R for “Read” the value of the item is used by not changed by the service. W for “Write” the SRDI is changed by the service M for “Modify” some portion of the SRDI is changed by the service. (This is similar to “W” but is used for SRDIs that are “collections” rather than single items.) • Recent changes are shown in italics. CERTIFAX 3000 Security Policy 31 Service Role SRDI Identifier Category/Name User No Role Req’d CO CSM FSM X.509 DomPrivKey DomPubKey SessionKey RandomSeed DatabaseKey MfrPubKey OperPIN OperInfo DomPerms DomInfo ClrSend ClrReceive FS1000 Enable FS1000 Inverse CO CO Authentication X R R R Initialize Module X W W W W W W W W W W W W Initiate CSM Serial Port Access X R R Initiate FSM Serial Port Access X Print Log X Print Reports X R R R R Zeroize Unit X W W Reset Defaults X R W W W W W CSM Initial Certification X W W W R M Establish Local/Remote Session X R R R W R R Install/Re-certify Domain X W W W R M Remove Domain X M Create/Delete COs X R M Replace Firmware (Not a FIPS 140-1 approved mode) X R Extract Logs X Enable/Disable FS1000 ability X R W FS1000 User Permissions X R M Module Configuration Enable/Disable Domain X X M Create/Remove/Change User X X R M M Disable CO X X M Change Security Settings X X Change System Settings X X Change Log Settings X X Disable CSM Access X X Change CO PIN X X R M Un-initialize Module X X W W W W W W W W W W W W Disable Unit X X Modem Settings X X M FSM Establish Session X R R R W R R Install/Re-certify FS1000 Group X W W W R M W Remove FS1000 Group X M Enable/Disable FS1000 Group X M Table 2 SRDI Matrix Part 1 CERTIFAX 3000 Security Policy 32 Service Role SRDI Identifier Category/Name User No Role Req’d CO CSM FSM X.509 DomPrivKey DomPubKey SessionKey RandomSeed DatabaseKey MfrPubKey OperPIN OperInfo DomPerms DomInfo ClrSend ClrReceive FS1000 Enable FS1000 Inverse User User Authentication X R R R Clear Send X R Mailbox Send X R R R R R R R Domain Send X R R R R R R R Print User Mailbox X R Print Domain Mailbox X R R R Emergency Zeroize X W W Change User PIN X M R Services Not Requiring a Role Reset Print/Connect Alarm X Run Tests X X System Info X X Display Last Error X X Check Connections X X Table 3 SRDI Matrix Part 2 5 END OF DOCUMENT