© 2023 Senetas Corporation Ltd. All rights reserved. SP-CN4010-CN4020-CN6010-CN6100-CN6110-CN6140-CN9100- CN9120 v1.01 Once released this document may be freely reproduced and distributed whole and intact including this copyright notice. www.senetas.com Senetas Corporation Ltd., distributed by Thales SA (SafeNet) CN Series Encryptors FIPS 140-3 Non-Proprietary Security Policy Level 3 Validation September 2024 Module Name: CN Series Encryptors Model Names: CN4010 1G Ethernet Encryptor CN4020 1G Ethernet Encryptor CN6010 1G Ethernet Encryptor CN6100 10G Ethernet Encryptor CN6110 1/10G Ethernet Encryptor CN6140 1/10G Multi Port Ethernet Encryptor CN9100 100G Ethernet Encryptor CN9120 100G Ethernet Encryptor HW Versions: CN4000 Series: A4010B (DC) A4020B (DC) CN6000 Series: A6010B (AC), A6011B (DC), A6012B (AC/DC) A6100B (AC), A6101B (DC), A6102B (AC/DC) A6110B (AC), A6111B (DC), A6112B (AC/DC) A6140B (AC), A6141B (DC), A6142B (AC/DC) CN9000 Series: A9100B (AC), A9101B (DC), A9102B (AC/DC) A9120B (AC), A9121B (DC), A9122B (AC/DC) FW Version: 5.5.0 Senetas Corp. Ltd. Version 1.01 Page 2 of 71 CN Series Non-Proprietary Security Policy Document History Authors Date Version Comment Senetas Corp. Ltd. 19-Dec-2023 1.00 CMVP Release for firmware version 5.5.0 Senetas Corp. Ltd. 11-Sep-2024 1.01 Interim validation update Senetas Corp. Ltd. Version 1.01 Page 3 of 71 CN Series Non-Proprietary Security Policy Table of Contents Document History......................................................................................................................................................2 1. General..................................................................................................................................................................5 1.1 References .....................................................................................................................................................6 1.2 Acronyms and Abbreviations .........................................................................................................................7 1.3 Security Levels ...............................................................................................................................................9 2. Cryptographic Module Specification....................................................................................................................10 2.1 Module Identification ....................................................................................................................................10 Module Images......................................................................................................................................13 Branding................................................................................................................................................14 2.2 Operational Overview...................................................................................................................................15 General .................................................................................................................................................15 Encryptor deployment ...........................................................................................................................17 Encryptor management.........................................................................................................................17 2.3 Configuration ................................................................................................................................................18 Administrator Guidance: Approved mode.............................................................................................18 non-Administrator Guidance .................................................................................................................19 2.4 Ethernet implementation ..............................................................................................................................20 Unicast operation ..................................................................................................................................21 Multipoint VLAN operation ....................................................................................................................21 Transport Independent Mode (TIM) operation......................................................................................21 2.5 Hybrid Session Establishment .....................................................................................................................22 Quantum Resistant Algorithms (QRA)..................................................................................................22 Quantum Key Distribution (QKD)..........................................................................................................22 2.6 TRANSEC operation ....................................................................................................................................22 2.7 Cryptographic Algorithms.............................................................................................................................23 Approved Algorithms.............................................................................................................................23 3. Cryptographic Module Interfaces ........................................................................................................................32 3.1 CN4000 Series Ports....................................................................................................................................32 CN4010 Ports........................................................................................................................................32 CN4020 Ports........................................................................................................................................33 3.2 CN6000 Series Ports....................................................................................................................................33 CN6010 & CN6110 Encryptor Ports .....................................................................................................33 CN6100 Encryptor Ports .......................................................................................................................34 CN6140 Encryptor Ports .......................................................................................................................34 CN6000 Series Encryptor Power Supplies and Fan Tray.....................................................................35 3.3 CN9000 Series Ports....................................................................................................................................35 CN9100 Encryptor Ports .......................................................................................................................35 CN9120 Encryptor Ports .......................................................................................................................35 CN9000 Series Encryptor Power Supplies and Fan Tray.....................................................................36 3.4 CN Series Interfaces ....................................................................................................................................37 4. Roles, Services and Authentication.....................................................................................................................38 4.1 Supported Roles...........................................................................................................................................38 4.2 Bypass Configuration ...................................................................................................................................40 4.3 Identification and Authentication ..................................................................................................................40 4.4 Roles and Authentication .............................................................................................................................41 4.5 Roles and Services ......................................................................................................................................41 Approved Services................................................................................................................................41 5. Software/Firmware Security ................................................................................................................................45 5.1 Software/Firmware Integrity Test .................................................................................................................45 Senetas Corp. Ltd. Version 1.01 Page 4 of 71 CN Series Non-Proprietary Security Policy On Demand Software/Firmware Integrity Test .....................................................................................45 6. Operational Environment.....................................................................................................................................46 7. Physical Security .................................................................................................................................................47 7.1 Physical Security Mechanisms.....................................................................................................................47 7.2 Environmental Failure Protection and Testing .............................................................................................50 7.3 Hardness Testing Temperature Ranges......................................................................................................51 8. Non-Invasive Security..........................................................................................................................................52 9. Sensitive Security Parameter Management........................................................................................................53 9.1 Cryptographic Keys and SSPs.....................................................................................................................53 9.2 Entropy .........................................................................................................................................................63 Entropy CN4010, CN4020, CN6010, CN6110, CN6140, CN9100 & CN9120 .....................................63 Entropy CN6100....................................................................................................................................63 9.3 Key and CSP zeroization .............................................................................................................................63 Zeroization sequence............................................................................................................................63 Erase command and key press sequence............................................................................................64 Tamper initiated zeroization..................................................................................................................64 “Emergency” Erase ...............................................................................................................................64 KeySecure Connector integration (Split Key SMK) ..............................................................................65 9.4 Data privacy .................................................................................................................................................65 10. Self-tests..............................................................................................................................................................66 10.1 Pre-operational Self-tests.............................................................................................................................66 Periodic Self-tests .................................................................................................................................66 On demand Self-tests ...........................................................................................................................66 10.2 Conditional Self-tests ...................................................................................................................................66 11. Life-cycle Assurance ...........................................................................................................................................69 11.1 Delivery.........................................................................................................................................................70 11.2 Location........................................................................................................................................................70 11.3 End of Service Life .......................................................................................................................................70 12. Mitigation of Other Attacks ..................................................................................................................................71 12.1 TRANSEC ....................................................................................................................................................71 Senetas Corp. Ltd. Version 1.01 Page 5 of 71 CN Series Non-Proprietary Security Policy 1. General This is a non-proprietary FIPS 140-3 Security Policy for the Senetas Corporation Ltd. CN Series Encryptors (running firmware version 5.5.0) comprising of the CN4010, CN4020, CN6010, CN6100, CN6110, CN6140, CN9100 and CN9120 hardware cryptographic models. This Security Policy specifies the security rules under which the module operates to meet the FIPS 140-3 Level 3 requirements. The CN Series Encryptors are distributed worldwide under different brands as depicted in this Security Policy. Senetas distributes under their own brand. Thales SA, the master worldwide distributor, distributes under the joint Thales/Senetas and SafeNet/Senetas brands (refer to Section 2.1.2). FIPS 140-3 (Federal Information Processing Standards Publication 140-3), Security Requirements for Cryptographic Modules, specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive but unclassified information. Based on four security levels for cryptographic modules this standard identifies requirements in twelve sections. For more information about the NIST/CCCS Cryptographic Module Validation Program (CMVP) and the FIPS 140-3 standard, visit www.nist.gov/cmvp. This Security Policy, using the terminology contained in the FIPS 140-3 specification, describes how the CN Series models comply with the twelve sections of the standard. In this document, the CN4010, CN4020, CN6010, CN6100, CN6110, CN6140, CN9100 and CN9120 Encryptors are collectively referred to as the “CN Series” and individually as “the module” or “the encryptor”. The CN4010 and CN4020 models are collectively referred to as the “CN4000 Series”. The CN6010, CN6100, CN6110 and CN6140 models are collectively referred to as the “CN6000 Series”. The CN9100 and CN9120 models are collectively referred to as the “CN9000 Series”. The model name refers to all of the relevant module versions i.e. CN6010 refers to the module versions A6010B (AC), A6011B (DC), A6012B (AC/DC) (refer to Table 2 for a full listing). This Security Policy and the associated CMVP certificate are for firmware version 5.5.0 only – the loading of any other firmware version on the specified CN Series Encryptors is out of scope of this FIPS 140-3 validation. This Security Policy contains only non-proprietary information. Any other documentation associated with FIPS 140- 3 conformance testing and validation is proprietary and confidential to Senetas Corporation Ltd. and is releasable only under appropriate non-disclosure agreements. For more information describing the CN Series systems, visit http://www.senetas.com. Senetas Corp. Ltd. Version 1.01 Page 6 of 71 CN Series Non-Proprietary Security Policy 1.1 References For more information on the FIPS 140-3 standard and validation program please refer to the National Institute of Standards and Technology website at www.nist.gov/cmvp. The following standards from NIST are all available via the URL: www.nist.gov/cmvp . [1] FIPS PUB 140-3: Security Requirements for Cryptographic Modules. [2] NIST Special Publication (SP) 800-140 FIPS 140-3 Derived Test Requirements (DTR). [3] NIST Special Publication (SP) 800-140A CMVP Documentation Requirements. [4] NIST Special Publication (SP) 800-140B CMVP Security Policy Requirements. [5] NIST Special Publication (SP) 800-140Crev2 CMVP Approved Security Functions. [6] NIST Special Publication (SP) 800-140Drev2 CMVP Approved Sensitive Security Parameter Generation and Establishment Methods. [7] NIST Special Publication (SP) 800-140E CMVP Approved Authentication Mechanisms. [8] NIST Special Publication (SP) 800-140Frev1 CMVP Approved Non-Invasive Attack Mitigation Test Metrics. [9] ISO/IEC 19790:2012(E), Information technology — Security techniques — Security requirements for cryptographic modules. [10] ISO/IEC 24759:2017(E), Information technology — Security techniques — Test requirements for cryptographic modules. [11] NIST Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program. [12] Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197. [13] Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4. [14] Secure Hash Standard (SHS), Federal Information Processing Standards Publication 180-4. [15] NIST Special Publication (SP) 800-131Arev2, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. [16] NIST Special Publication (SP) 800-90Arev1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. [17] NIST Special Publication (SP) 800-56Arev3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. [18] Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4. [19] NIST Special Publication (SP) 800-56Brev2, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography. [20] NIST Special Publication (SP) 800-108rev1 Recommendation for Key Derivation Using Pseudorandom Functions. [21] NIST Special Publication (SP) 800-56Crev2 Recommendation for Key-Derivation Methods in Key Establishment Schemes. [22] NIST Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. [23] NIST Special Publication (SP) 800-133rev2, Recommendation for Cryptographic Key Generation. [24] NIST Special Publication (SP) 800-67rev2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. [25] NIST Special Publication (SP) 800-135rev1, Recommendation for Existing Application-Specific Key Derivation Functions [26] Senetas CN Series User Guides Senetas Corp. Ltd. Version 1.01 Page 7 of 71 CN Series Non-Proprietary Security Policy 1.2 Acronyms and Abbreviations AAA Authentication, Authorization and Accounting AES Advanced Encryption Standard CA Certification Authority CBC Cipher Block Chaining CCCS Canadian Centre for Cyber Security CFB Cipher Feedback CM7 Senetas Encryptor Remote Management Application Software CI Connection Identifier (used interchangeably with Tunnel) CLI Command Line Interface CMVP Cryptographic Module Validation Program CRNGT Continuous Random Number Generator Test CSE Communications Security Establishment CSP Critical Security Parameter CTR Counter Mode DEK Data Encrypting Key(s) DES Data Encryption Standard DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EFP Environmental Failure Protection EFT Environmental Failure Testing EMC Electromagnetic Compatibility EMI Electromagnetic Interference ESV Entropy Source Validation ESV (P) Physical Entropy Source ESV (NP) Non-Physical Entropy Source FIPS Federal Information Processing Standard FTP File Transfer Protocol FTPS FTP Secure (FTP Over TLS) Gbps Gigabits per second GCM Galois Counter Mode GDK Group Derivation Key HMAC Keyed-Hash Message Authentication Code IP Internet Protocol IV Initialization Vector KAS-ECC Elliptic Curve Key Agreement Scheme (ECDH) KAS-FCC Finite Field Key Agreement Scheme (DH) KAT Known Answer Test KDF Key Derivation Function KDK Key Derivation Key Senetas Corp. Ltd. Version 1.01 Page 8 of 71 CN Series Non-Proprietary Security Policy KEM Key Encapsulation Method KID Key ID KEK Key Encrypting Key(s) KMIP Key Management Interoperability Protocol KMS Key Management Service LED Light Emitting Diode MAC Media Access Control (Ethernet source/destination address) Mbps Megabits per second NIST National Institute of Standards and Technology NVLAP National Voluntary Laboratory Accreditation Program OAEP Optimal Asymmetric Encryption Padding OQS Open Quantum Safe PKCS Public Key Cryptography Standards PSP Public Security Parameter PUB Publication QKD Quantum Key Distribution QRA Quantum Resistant Algorithms RAM Random Access Memory RFC Request for Comment ROM Read Only Memory RNG Random Number Generator RSA Rivest Shamir and Adleman Public Key Algorithm RTC Real Time Clock SAN Storage Area Network SDRAM Synchronous Dynamic Random Access Memory SFP Small Form-factor Pluggable (transceiver) SFTP SSH File Transfer Protocol SID Sender ID SMC Gemalto’s Network Security Management Center SME Secure Message Exchange SMK System Master Key SP Special Publication SPB Shortest Path Bridging SHA Secure Hash Algorithm SSH Secure Shell SSP Sensitive Security Parameter TACACS+ Terminal Access Control Access Control Server TIM Transport Independent Mode TLS Transport Layer Security TRANSEC TRANsmission SECurity (also known as Traffic Flow Security or TFS) X.509 Digital Certificate Standard RFC 2459 Senetas Corp. Ltd. Version 1.01 Page 9 of 71 CN Series Non-Proprietary Security Policy 1.3 Security Levels The module meets the overall Security Level 3 requirements for FIPS 140-3. See Table 1 below, which indicates the security level of each of the twelve sections of the FIPS 140-3 standard. Table 1 Security Levels ISO/IEC 24759 Section 6 [Number Below] FIPS 140-3 Section Title Security Level 1 General 3 2 Cryptographic Module Specification 3 3 Cryptographic Module Interfaces 3 4 Roles, Services and Authentication 3 5 Software/Firmware Security 3 6 Operational Environment N/A 7 Physical Security 3 8 Non-invasive Security N/A 9 Sensitive Security Parameter Management 3 10 Self-tests 3 11 Life Cycle Assurance 3 12 Mitigation of Other Attacks 3 Senetas Corp. Ltd. Version 1.01 Page 10 of 71 CN Series Non-Proprietary Security Policy 2. Cryptographic Module Specification CN Series Encryptors are Hardware cryptographic modules. The CN6000 Series and CN9000 Series outer casing defines the cryptographic boundary aside from the pluggable transceivers, dual redundant power supplies and replaceable fan tray module that lie outside the cryptographic boundary. The CN4000 Series outer casing defines the cryptographic boundary aside from the pluggable transceivers on the CN4020 and the “AC to DC” plug-pack adapter which lie outside the cryptographic boundary. The cryptographic boundary is depicted by the red dashed line in Figure 1 below. Firmware Cryptographic Algorithms 8P8C (mag) 8P8C (mag) Management Ports Keypad (CN6000/ CN9000 Series) Power Supply A Power Supply B Dual Fan Tray High Speed Crypto System Power/Cooling System Common Library Cryptographic Algorithms Management System +12V AC/DC Network Port/s Connection to unprotected network Local Port/s Connection to protected network Management Ethernet SNMPv3 CN6000/9000 Series Dual Power Input CN4000 Series Power input Cryptographic Boundary Management Console RS232 Entropy Source CPU LEDs Emergency Erase Button Tamper Optical Transceiver/s Optical Transceiver/s Power Distribution and Fan Control Figure 1 Cryptographic Boundary Block Diagram 2.1 Module Identification CN Series Encryptors, with firmware version 5.5.0, provide data privacy and access control services for Ethernet networks. See model details summarized in Table 2. Senetas Corp. Ltd. Version 1.01 Page 11 of 71 CN Series Non-Proprietary Security Policy Table 2 Cryptographic Module Tested Configuration Model Name Hardware Versions Distinguishing Features Firmware Version Power Interface / Protocol Transceiver/ Connector CN4010 A4010B [O]1,2 A4010B [Y]1,2 A4010B [T]1,2 DC 1G Ethernet 1G TIM RJ45 5.5.0 CN4020 A4020B [O]1,3 A4020B [Y]1,3 A4020B [T]1,3 DC 1G Ethernet 1G TIM SFP 5.5.0 A6010B [O]1,4 A6010B [Y]1,4 A6010B [T]1,4 AC RJ45, SFP CN6010 A6011B [O]1,4 A6011B [Y]1,4 A6011B [T]1,4 DC 1G Ethernet 1G TIM 5.5.0 A6012B [O]1,4 A6012B [Y]1,4 A6012B [T]1,4 AC/DC A6100B [O]1,4 A6100B [Y]1,4 A6100B [T]1,4 AC CN6100 A6101B [O]1,4 A6101B [Y]1,4 A6101B [T]1,4 DC 10G Ethernet 10G TIM XFP 5.5.0 A6102B [O]1,4 A6102B [Y]1,4 A6102B [T]1,4 AC/DC A6110B [O]1,4 A6110B [Y]1,4 A6110B [T]1,4 AC 1G Ethernet 1G TIM 10G Ethernet 10G TIM CN6110 A6111B [O]1,4 A6111B [Y]1,4 A6111B [T]1,4 DC RJ45, SFP+ 5.5.0 A6112B [O]1,4 A6112B [Y]1,4 A6112B [T]1,4 AC/DC A6140B [O]1,4 A6140B [Y]1,4 A6140B [T]1,4 AC 1G Ethernet 1G TIM 10G Ethernet SFP+ 5.5.0 Senetas Corp. Ltd. Version 1.01 Page 12 of 71 CN Series Non-Proprietary Security Policy Model Name Hardware Versions Distinguishing Features Firmware Version Power Interface / Protocol Transceiver/ Connector CN6140 A6141B [O]1,4 A6141B [Y]1,4 A6141B [T]1,4 DC 10G TIM 4x10G Ethernet A6142B [O]1,4 A6142B [Y]1,4 A6142B [T]1,4 AC/DC A9100B [O]1,5 A9100B [Y]1,5 A9100B [T]1,5 AC CFP4 CN9100 A9101B [O]1,5 A9101B [Y]1,5 A9101B [T]1,5 DC 100G Ethernet 5.5.0 A9102B [O]1,5 A9102B [Y]1,5 A9102B [T]1,5 AC/DC A9120B [O]1,6 A9120B [Y]1,6 A9120B [T]1,6 AC 100G Ethernet QSFP28 5.5.0 CN9120 A9121B [O]1,6 A9121B [Y]1,6 A9121B [T]1,6 DC A9122B [O]1,6 A9122B [Y]1,6 A9122B [T]1,6 AC/DC Note 1: Model variants distinguished by [O], [Y] and [T] are identical except for logos on the front fascia: [O] Denotes Senetas Corp. Ltd. sole branded version [Y] Denotes Senetas Corp. Ltd. & SafeNet co-branded version [T] Denotes Senetas Corp. Ltd. & Thales SA co-branded version Note 2: These models derive their power from an “AC to DC” plug-pack adapter which is considered to be outside the cryptographic boundary. Note 3: These models support pluggable SFP transceivers and derive their power from an “AC to DC” plug-pack adapter all of which are considered to be outside the cryptographic boundary. Note 4: These models support pluggable SFP transceivers, dual power supplies and removable fan tray which are considered to be outside the cryptographic boundary. Note 5: This model supports pluggable CFP4 transceivers, dual power supplies and removable fan tray which are considered to be outside the cryptographic boundary. Note 6: This model supports pluggable QSFP28 transceivers, dual power supplies and removable fan tray which are considered to be outside the cryptographic boundary. Senetas Corp. Ltd. Version 1.01 Page 13 of 71 CN Series Non-Proprietary Security Policy Module Images CN4010 1G Ethernet Encryptor CN4020 1G Ethernet Encryptor CN6010 1G Ethernet Encryptor CN6100 10G Ethernet Encryptor CN6110 1/10G Ethernet Encryptor CN6140 1/10G Multi Port Ethernet Encryptor CN9100 100G Ethernet Encryptor CN9120 100G Ethernet Encryptor Senetas Corp. Ltd. Version 1.01 Page 14 of 71 CN Series Non-Proprietary Security Policy Branding 2.1.2.1 CN4010 & CN4020 branding Figure 2 – Senetas sole-branding Figure 3 – Thales co-branding Figure 4 – SafeNet co-branding 2.1.2.2 CN6010, CN6100 & CN6110 branding Figure 5 – Senetas sole-branding Figure 6 – Thales co-branding Figure 7 – SafeNet co-branding Thales logo added to fascia SafeNet logo added to fascia Thales logo added to fascia SafeNet logo added to fascia Senetas Corp. Ltd. Version 1.01 Page 15 of 71 CN Series Non-Proprietary Security Policy 2.1.2.3 CN6140, CN9100 & CN9120 branding Figure 8 – Senetas sole-branding Figure 9 – Thales co-branding Figure 10 – SafeNet co-branding 2.2 Operational Overview General CN Series Encryptors operate in point-to-point and point-to-multipoint network topologies and at data rates ranging from 10Mb/s to 100Gb/s. Encryptors are typically installed between an operator’s private network equipment and public network connection and are used to secure data travelling over either fibre optic or CAT5/6 cables. Securing a data link that connects two remote office sites is a common installation application. Figure 11 provides an operational overview of two CN6010 encryptors positioned in the network. Figure 11 – CN6010 Operational Overview Thales logo added to fascia SafeNet logo added to fascia Senetas Corp. Ltd. Version 1.01 Page 16 of 71 CN Series Non-Proprietary Security Policy Devices establish one or more encrypted data paths referred to as `connections`. The term refers to a connection that has been securely established and is processing data according to a defined encryption policy. Each `connection` has a `connection identifier` (CI) and associated CI mode that defines how data is processed for each policy. Connections are interchangeably referred to as ‘tunnels’. CN Series Encryptors support CI Modes of ‘Secure’, ‘Discard’ and ‘Bypass’. These CI Modes can be applied to all data carried on a connection or to a selected subset or grouping which can be user configured in accordance the specific protocol being carried on the network connection. A typical example in the case of an Ethernet network would be to make policy decisions based upon an Ethernet packet’s VLAN ID. The default CI Mode negotiated between a pair of connected encryptors is `Discard`. In this mode user data is not transmitted to the public network. In order to enter `Secure` mode and pass information securely, each encryptor must be activated and `Certified` by a trusted body (refer to Section 2.3 for initial configuration steps) and exchange the key encrypting key (KEK) and initial data encryption key (DEK), using the RSA-OAEP-256 key transport process in accordance with SP 800- 56Brev2 Section 9. Alternatively, ECDSA/ECDH utilises ephemeral key agreement for the purpose of establishing DEKs in accordance with SP 800-56Arev3. If the session key exchange is successful this results in a separate secure session per connection, without the need for secret session keys (DEKs) to be displayed or manually transported and installed. When deployed in layer 2 Ethernet networks, the modules can be configured in point-to-point mode (Line Mode) to establish connections between pairs of modules or they can be configured in multi-point mode (MAC Multipoint and VLAN modes) to establish connections between groups of encryptors. The authentication and key establishment algorithms in these modes of operation are determined by the X.509 certificate assigned to the connections. Additionally, Transport Independent Mode1 (TIM) allows concurrent secure connections between encryptors over OSI network layers 2, 3 and 4. DEKs are derived/distributed using one of two key provider mechanisms: • Key Derivation Function (KDF) • External Key Server using KMIP When the KDF mechanism is configured the encryptors are loaded with a Key Derivation Key via CM7. The KDK is used to derive the DEKs using a KDF that conforms to SP 800-108rev1. The external key server mechanism relies on a 3rd party Key Management Service (KMS) such as SafeNet’s KeySecure to distribute the DEKs to the encryptors. Figure 12 illustrates the conceptual data flow through a CN Series Encryptors. 1. A data packet arrives at the encryptor’s interface ports. When operating in Line mode data packets are processed according to a single CI policy, otherwise, 2. The encryptor looks up the appropriate packet header field, e.g. Encryptor Sender ID (SID), MAC address or VLAN ID and determines whether the field has been associated with an existing CI, 3. If a match is found, the encryptor will process the data packet according to the policy setting for that CI and send the data out the opposite port. If a match cannot be found, the data packet is processed according to the default policy setting. Figure 12 - Data Flow through the Encryptor 1 TIM is not available on the CN9100 and CN9120 models, and the CN6140 model in 4x10G Mode. Senetas Corp. Ltd. Version 1.01 Page 17 of 71 CN Series Non-Proprietary Security Policy Encryptor deployment Figure 13 illustrates a point-to-point (or link) configuration in which each module connects with a single far end module and encrypts the entire bit stream. If a location maintains secure connections with multiple remote facilities, it will need a separate pair of encryptors for each physical connection (link). Figure 13 – Link (point-to-point) Configuration Figure 14 illustrates a meshed network configuration. Each CN Series Encryptor is able to maintain simultaneous secured connections with many far end encryptors. Figure 14 – Meshed (multipoint) Configuration Encryptor management Encryptors can be centrally controlled or managed across local and remote stations using the CM7 or SMC remote management applications. The remote management applications reside outside the cryptographic boundary and are not in the scope of the FIPS validation. Encryptors support both in-band and out-of-band SNMPv3 management. In-band management interleaves management messages with user data on the encryptor’s network interface port whilst out-of-band management uses the dedicated front panel Ethernet port. A Command Line Interface (CLI) is also available via the console RS-232 port. Alternatively, the CLI can be accessed remotely via SSH (when configured). When configuring remote CLI access the authentication algorithm is restricted to ECDSA. ECDSA keys are restricted to NIST P-256, P-384 and P-521 curves. Remote CLI access is disabled by default. Approved mode of operation enforces the use of SNMPv3 privacy and authentication. Management messages are encrypted using AES-128 or AES-256. Senetas Corp. Ltd. Version 1.01 Page 18 of 71 CN Series Non-Proprietary Security Policy 2.3 Configuration Administrator Guidance: Approved mode Full configuration instructions are provided in the User Guides [26]. Use the guidance here to constrain the configuration so that the device is not compromised during the configuration phase. This will ensure the device boots properly and enters FIPS 140-3 approved mode. When powering up the module for the first time, use the front panel or the CLI to configure the system for network connectivity. Then use the remote management application to initialize the module and perform the configuration operations. 1. Power on the unit. The system boot-up sequence is entered each time the module is powered on and after a firmware restart. The CN Series Encryptor automatically completes its self-tests and verifies the authenticity of its firmware as part of the initialization process. The results of these tests are reported on the front panel LCD and are also logged in the system audit log. If errors are detected during the diagnostic phase, the firmware will not complete the power up sequence but will instead enter a Secure shutdown state and Halt (“Secure Halt”). If this occurs the first time power is applied or any time in the future, the module will notify the CO that a persistent (hard) error has occurred and that the module must be returned for inspection and repair. 2. Follow the User Guide’s [26] Commissioning section to set the system’s IP Address, Date and Time. 3. If the CM7 application is being run for the first time, it will ask if the CM7 installation will act as the Certification Authority (CA) for the secure network. If the user selects yes, a private and public RSA or ECDSA key pair that will be used to sign X.509v3 Certificate Signing Requests from the module is generated by the CM7 application. 4. Activate the cryptographic module. A newly manufactured or erased cryptographic module must be Activated before X.509 certificate requests can be processed. See the User Guide’s commissioning section for details. Activation ensures that the default credentials of the ‘admin’ account are replaced with those specified by the customer prior to loading signed X.509 certificates into the module. The updated user credentials (username and password) are transmitted to the encryptor using RSA 2048 public key encryption, and a hashing mechanism is used by the local administrator to authenticate the message. 5. Install a signed X.509 certificate into the cryptographic module. CN Series cryptographic modules support X.509v3 Certificate Signing Requests (CSRs) and will accept certificates signed by the remote management application CM7 (when acting as a CA) as well as certificates signed by External CAs. In both cases each CN Series cryptographic module supplies upon request an X.509v3 CSR containing the module’s details and either a 2048-bit Public RSA key or an ECDSA Public key using NIST P-256, P-384 or P-521 curves. The administrator then takes the CSR and has it signed by either the trusted local CA (the remote management application CM7 for X.509v3 certificates using either a 2048-bit Public RSA key or an ECDSA Public key using NIST P-256, P-384 or P-521 curves) or an external CA for X.509v3 certificates using either a 2048- or 4096-bit Public RSA key or an ECDSA Public key using NIST P-256, P-384 or P-521 curves. For a typical deployment this procedure is repeated for all cryptographic modules in the network and the signed certificates are installed into each module. After an X.509 certificate has been installed into CN Series module the administrator can create supervisor, upgrader and operator accounts. At this point the CN Series Encryptor is able to encrypt in accordance with the configured security policy; the ENT (enter) key on the front panel is disabled; and the default factory account has been removed. Senetas Corp. Ltd. Version 1.01 Page 19 of 71 CN Series Non-Proprietary Security Policy 6. Ensure the encryptor is in FIPS 140-3 mode (default setting) via the Senetas CM7 remote management applications’ Management-Access tab. See Figure 33 for details. Alternatively log into the CLI and run the CLI command “fips on” and follow the prompts. After the unit reboots log into the CLI and run the “fips” command without an argument. The command should return the message “FIPS mode enabled”. Note: “fips mode” is enabled by default. 7. The maximum number of encryptors allowed in a multipoint group is 512. When operating in multipoint mode (MAC Multicast or VLAN mode) with Sender ID (SID) enabled, the user must set a unique SID between 1 and 512 for each encryptor within the Multipoint group. 8. Configure the security policy to enable encrypted tunnels with other CN Series modules. Configuration of the security policy is network specific; refer to the User Guide [26] for specific details. Note: The module also supports TACACS+. If TACACS+ is enabled the module is no longer considered to be in approved mode. non-Administrator Guidance Non-administrators (Operator privilege level ref. Table 13) are able to view the modules configuration parameters and message logs. Non-administrators are not able to configure the module. Please refer to the User Guides [26] for comprehensive information on non-Administrator (Operator) functions. Senetas Corp. Ltd. Version 1.01 Page 20 of 71 CN Series Non-Proprietary Security Policy 2.4 Ethernet implementation Basic operation The Ethernet encryptor provides layer 2, 3 and 4 security services by encrypting the contents of data frames across Ethernet networks. The encryptor connects between a local (protected) network and a remote (protected) network across the public (unprotected) network. An encryptor is paired with one or more remote Ethernet encryptors to provide secure data transfer over encrypted connections as shown in Figure 15 below. Figure 15 – Layer 2 Ethernet connections The encryptor’s Ethernet receiver receives frames on its ingress port; valid frames are classified according to the Ethernet header then processed according to the configured policy. Allowable policy actions are: • Encrypt – payload of frame is encrypted according to the defined policy • Discard – drop the frame, no portion is transmitted • Bypass – transmit the frame without alteration CN Series tunnels are encrypted using CAVP validated AES algorithms. The CN4010, CN4020, CN6010, CN6110 (1G mode) and CN6140 (1G mode) 1G Ethernet encryptors support AES encryption with a key size of 128 or 256 bits in cipher feedback (CFB), counter (CTR) and Galois Counter (GCM) modes. The CN6100, CN6110 and CN6140 in 10G Ethernet mode and the CN9000 Series support AES encryption with a key size of 128 or 256 bits in counter (CTR) and Galois Counter (GCM) modes. Connections between encryptors use a unique key pair with a separate key for each direction. Unicast traffic can be encrypted using AES CFB, CTR or GCM modes whereas Multicast/VLAN traffic in a meshed network must use AES CTR or GCM modes. The Ethernet transmitter module calculates and inserts the Frame Check Sequence (FCS) at the end of the frame. The frame is then encoded and transmitted. For details about Unicast and Multicast network topologies supported by the modules see next section. Senetas Corp. Ltd. Version 1.01 Page 21 of 71 CN Series Non-Proprietary Security Policy Unicast operation Unicast traffic is encrypted using a key pair for each of the established connections. When operating in line mode there is just one entry in the connection table. When operating in multipoint mode, connection table entries are managed by MAC address or VLAN ID and can be added manually, or if ‘Auto discovery’ is enabled, they will be automatically added based on the observed traffic. Entries do not age and will remain in the table. Multipoint VLAN operation Multicast traffic between encryptors connected in line mode shares the same single key pair that is used by unicast traffic. VLAN encryption mode is used to encrypt traffic sent to all encryptors on a VLAN. Unlike unicast encryption (which encrypts traffic from a single sender to a single receiver and uses a unique pair of keys per encrypted connection), VLAN encryption within a multipoint network requires a group key management infrastructure to ensure that each encryptor can share a set of encryption keys per VLAN ID. The group key management scheme which is used for VLAN mode is responsible for ensuring group keys are maintained across the visible network. The group key management scheme is designed to be secure, dynamic and robust; with an ability to survive network outages and topology changes automatically. It does not rely on an external key server to distribute group keys as this introduces both a single point of failure and a single point of compromise. For robustness and security, a group key master is automatically elected amongst the visible encryptors within a mesh based on the actual traffic. If communications problems segment the network, the group key management scheme will automatically maintain/establish new group key managers within each segment. Figure 16 – Multipoint VLAN connections Transport Independent Mode (TIM) operation In Transport Independent Mode each encryptor in the network must be configured with a unique Sender ID (SID), The SID is sent in a shim inserted into each encrypted frame and is used by the receiving encryptor to identify the origin of the frame. When running in this mode, the SID is interchangeably referred to as the Key ID (KID). Egress data flow (Encrypt data received on Local port and transmitted on Network Port) Each encryptor has a single transmission 256-bit AES Data Encrypting Key (DEK) and all secure traffic is encrypted using that key. Ingress data flow (Decrypt data received on Network port and transmitted on Local Port) When an encryptor receives an encrypted frame, it uses the KID in the frame’s shim to identify the key to use for decryption. If the receiver doesn’t have keys for the received KID, it will request them from the configured key provider. A receiver must store two DEKs plus a salt for every peer encryptor that it communicates with. TIM key updates In Transport Independent Mode keys are periodically updated using either a time-based mechanism or a frame counter-based mechanism. Senetas Corp. Ltd. Version 1.01 Page 22 of 71 CN Series Non-Proprietary Security Policy Figure 17 – Transport Independent Mode connections 2.5 Hybrid Session Establishment Optionally, a hybrid mode for session establishment is available in line with NIST guidance for use of both approved and quantum resistant key establishment/derivation methods. When operating in this mode, the approved methods may be augmented with both Quantum Resistant Algorithm methods, and/or Quantum Key Distribution mechanisms. Quantum Resistant Algorithms (QRA) The CN Series Encryptors support the use of candidate Quantum Resistant Algorithms as available from the Open Quantum Safe initiative. The user can select from a full list consisting of the RSA/ECDSA algorithms and the new OQS signing algorithms. The keys established using the approved RSA/ECDH algorithms are combined with data established using the Quantum Resistant Algorithms. Quantum Key Distribution (QKD) The CN Series Encryptors support the use of Quantum Key Distribution devices such as ID Quantique’s Cerberis QKD system or any industry standard ETSI compliant QKD systems for hybrid key establishment. For hybrid key establishment the keys distributed using the approved RSA/ECDH algorithms are combined with the data derived from the QKD server. 2.6 TRANSEC operation Traffic Analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. TRANSEC is TRANsmission SECurity and is used to disguise patterns in network traffic to prevent Traffic Analysis. TRANSEC mode can be optionally enabled between two end points of a point-point rate-limited layer 2 service provider network. When operating in TRANSEC mode (CN4000 and CN6000 Series only) transport frames exit the network port at a constant rate irrespective of the rate at which user data arrives at local port. This ensures that Traffic Analysis, if performed, would generate no useful insight into the user data. The transport frame rate and length are user configurable. AES encryption protects the user data and when operating in GCM encryption mode provides the additional guarantee of data authentication. TRANSEC mode coupled with AES-256 GCM provides triple layer protection of user data. Senetas Corp. Ltd. Version 1.01 Page 23 of 71 CN Series Non-Proprietary Security Policy Figure 18 – TRANSEC constant rate transport frame assembly 2.7 Cryptographic Algorithms Approved Algorithms 2.7.1.1 CN Series Common Crypto Library Algorithms Table 3 lists approved software algorithms that are common to the CN Series Encryptors. These algorithms are used during the establishment of secure connections (SME), for management services (SNMPv3, TLS and SSH) and to generate and encrypt CSPs. Table 3 Approved Algorithms – CN Series Common Crypto Library CAVP Cert Algorithm and Standard Mode/Method Description/ Key Size(s)/ Key Strength(s) Use/ Function A3451 Triple-DES SP 800-67rev2 TCFB81 (d; KO 1) Three key (192 bits) Decryption of CSPs after upgrade from legacy versions of code. CSPs are then encrypted using AES256 A3451 AES FIPS PUB 197, SP 800-38A SP 800-38D CFB128 (e/d) CTR (e) ECB2 (e/d) CBC (e/d) GCM (e/d; Internal IV, AAD=0 to 256) 128-bit 256-bit Symmetric Encryption/ Decryption A3451 RSA FIPS186-4 KeyGen3 ; MOD: 2048 ALG[RSASSA-PKCS1_V1_5]: SigGen; MOD: 2048 SHS: SHA-256 SigVer; MOD: 2048 SHS: SHA-256, SHA-384 and SHA-512 SigVer; MOD: 4096 SHS: SHA-256, SHA-384 and SHA-512 2048-bit 4096-bit Key Generation Signature Generation/ Verification A3451 ECDSA FIPS186-4 KeyGen KeyVer SigGen SigVer P-256 P-384 P-521 Key Generation Signature Generation/ Verification A3451 KAS-ECC SP 800-56Arev3 Elliptic Curve Diffie-Hellman (Cofactor) Ephemeral Unified Model key agreement NIST P-256, P-384 and P-521 curves8 are supported and SHA-256, SHA-384 and SHA-512 (respectively) are Key Establishment Senetas Corp. Ltd. Version 1.01 Page 24 of 71 CN Series Non-Proprietary Security Policy used for key derivation A3451 KAS-FFC SP 800-56Arev3 dhEphem key agreement MODP-2048-bit Oakley Group 149 using SHA-256 for key derivation Key Establishment A3451 SHA FIPS 180-4 SHA-14 (BYTE only) SHA-256 (BYTE only) SHA-384 (BYTE only) SHA-512 (BYTE only) Hashing A3451 HMAC FIPS 198-1 HMAC-SHA-15 HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-512 Key Sizes Ranges Tested: KS fips on The Senetas CM7 remote management application screen for reporting the FIPS status is found on the User Management screen, in the System pane under FIPS Mode. All of the versioning information is also displayed. Figure 33 – “FIPS mode” selection Note: Read all of the instructions in this section before installing, configuring, and operating the CN Series Encryptors. Senetas Corp. Ltd. Version 1.01 Page 70 of 71 CN Series Non-Proprietary Security Policy 11.1 Delivery Before the shipment proceeds a serial number is allocated for the ordered module. Prior to the module shipping, a Shipping Advice form listing the purchase order number, the model number, the serial number and date of shipment is sent to the purchaser. When the module is delivered, the CO can verify that the model and serial numbers on the outside of the packaging, the model and serial numbers attached to the encryptor itself, and the numbers listed on the Shipping Advice form, all match. The CO can also verify that the encryptor has not been modified by examining the tamper evident seal on the outside of the unit. If the seal is broken, then the integrity of the encryptor cannot be assured and the supplier should be informed immediately. Upon receipt of a CN Series Encryptor, the following steps should be undertaken: 1. Inspect the shipping label as well as the label on the bottom of the system to ensure it is the correct version of the hardware. 2. Inspect the encryptor for signs of tampering. Check that the tamper evident tape and the covers of the device do not show any signs of tampering. If tampering is detected, return the device to the manufacturer. Do not install the encryptor if it shows signs of tampering or has an incorrect label. Contact your organization’s Security Officer for instructions on how to proceed. If the device has the correct label and shows no signs of tampering, proceed to the next section. 11.2 Location The encryptor must be installed in a secure location to ensure that it cannot be physically bypassed or tampered with. Ultimately the security of the network is only as good as the physical security around the encryptor. Always maintain and operate the CN Series Encryptor in a protected/secure environment. If it is configured in a staging area, and then relocated to its operational location, never leave the unit unsecured and unattended. Ideally the encryptor will be installed in a climate-controlled environment with other sensitive electronic equipment (e.g. a telecommunications room, computer room or wiring closet). The encryptor can be installed in a standard 19- inch rack or alternatively mounted on any flat surface. Choose a location that is as dry and clean as possible. Ensure that the front and rear of the encryptor are unobstructed to allow a good flow of air through the fan vents. The encryptor is intended to be located between a trusted and an untrusted network. The Local Interface of the encryptor is connected to appropriate equipment on the trusted network and the Network Interface of the encryptor is connected to the untrusted (often public) network. Depending on the topology of your network, the Local Interface will often connect directly to a router or switch, while the Network Interface will connect to the NTU provided by the network carrier. 11.3 End of Service Life As outlined in NIST SP 800-88 Revision 1; for secure destruction of networking devices at the end of their service life: • Zeroise the encryptor by running the CLI erase –f command or by pressing the emergency erase button which is accessible via the front panel using a paper clip. • Shred to <2mm (.07”) squared particles or less, Disintegrate, Pulverise or Incinerate by burning the encryptor in a licensed incinerator. Senetas Corp. Ltd. Version 1.01 Page 71 of 71 CN Series Non-Proprietary Security Policy 12. Mitigation of Other Attacks The CN4000 Series and CN6000 Series can be configured to mitigate against traffic analysis attacks on point-to- point connections using the TRANSEC feature. The module does not mitigate against any other specific attacks. 12.1 TRANSEC Traffic Analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. TRANSEC is transmission security and is used to disguise patterns in network traffic to prevent Traffic Analysis. A TRANSEC enabled module exhibits the following encryption characteristics: • Generates and transmits fixed size encrypted Ethernet frames at a constant frame rate from the WAN facing network port. • Encrypts the entire Ethernet frame received on the local port so that no MAC addresses, other header information or payload data is exposed. • The rate of the transmitted Ethernet frame is constant and independent of the received plaintext traffic rate from the local port. • In the absence of user data from the local port the TRANSEC encryptor module fills the transmitted frames with pseudo random or encrypted data such that it cannot be distinguished from encrypted user data. • TRANSEC encryptor modules default to decrypting traffic received on their network interface and discard all introduced traffic that is not ‘real’ user data.