Version 2.1 3e Technologies International, Inc. FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation 3e-525A-3[2], 3e-525A-3 BASIC[2], 3e-525A-3 BASIC with TEC[2], 3e-525A-3MP[2], 3e-525A-3MP with TEC[2], 3e-525V-3[2], 3e-525Ve-3[2] and 3e-525Ve-4[1] AirGuard™ Wireless Access Points (Hardware Versions: 2.0(A) (3e-525A-3, 3e-525A-3 BASIC, 3e-525A-3 BASIC with TEC, 3e-525A-3MP, 3e-525A-3MP with TEC, 3e-525V-3, 3e- 525Ve-3, 3e-525Ve-4), 2.1 (3e-525A-3, 3e-525A-3MP, 3e-525V-3, 3e- 525Ve-4); Firmware Versions: 4.3.2[1] and 4.3.3[2]) Security Policy Version 2.2 January 25, 2010 Copyright ©2008 by 3e Technologies International. This document may freely be reproduced and distributed in its entirety. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 ii 1. INTRODUCTION..................................................................................................... 1 2. REFERENCES.......................................................................................................... 1 3. AIRGUARD WIRELESS ACCESS POINT .......................................................... 2 3.1. CRYPTOGRAPHIC MODULE .................................................................................. 2 3.2. MODULE INTERFACES .......................................................................................... 5 3.3. ROLES AND SERVICES .......................................................................................... 6 3.3.1. Crypto Officer and Administrator Role Services........................................ 7 3.3.2. User Role Services.................................................................................... 11 3.3.3. Security Server Role Services ................................................................... 12 3.3.4. Unauthenticated Services.......................................................................... 12 3.4. CRYPTOGRAPHIC ALGORITHMS ......................................................................... 13 3.5. CRYPTOGRAPHIC KEYS AND SRDIS................................................................... 14 3.6. SELF-TESTS ....................................................................................................... 21 3.7. SECURE OPERATION OF THE AIRGUARD WIRELESS ACCESS POINT ................... 21 3.7.1. Applying Tamper-Evident Seals (All Models)........................................... 22 3.7.2. Checking for Tamper Evidence................................................................. 30 GLOSSARY..................................................................................................................... 31 FIPS 140-2 Non-Proprietary Security Policy Version 2.1 1 1. Introduction This document describes the non-proprietary cryptographic module security policy for 3e Technologies International‘s wireless gateway product variations, the 3e-525A-3[2], 3e-525A-3 BASIC[2], 3e-525A-3 BASIC with TEC[2], 3e-525A-3MP[2], 3e-525A-3MP with TEC[2], 3e-525V-3[2], 3e-525Ve-3[2] and 3e-525Ve-4[1] AirGuard™ Wireless Access Points (Hardware Versions: 2.0(A) (3e-525A-3, 3e-525A-3 BASIC, 3e-525A-3 BASIC with TEC, 3e-525A-3MP, 3e-525A-3MP with TEC, 3e-525V-3, 3e-525Ve-3, 3e-525Ve-4), 2.1 (3e- 525A-3, 3e-525A-3MP, 3e-525V-3, 3e-525Ve-4); Firmware Versions: 4.3.2[1] and 4.3.3[2]). Please note other HW and FW versions may be vendor-affirmed. This policy was created to satisfy the requirements of FIPS 140-2 Level 2. This document defines 3eTI’s security policy and explains how the gateway product variations meet the FIPS 140-2 security requirements. The cryptographic module security policy consists of a specification of the security rules, under which the cryptographic module shall operate, including the security rules derived from the requirements of the standard. Please refer to FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules available on the NIST website at http://csrc.nist.gov/groups/STM/index.html. 2. References • AirGuard™ Wireless Access Point User’s Guide, Model 3e-525A-3, Model 3e- 525A-3 Basic, Model 3e-525A-3MP, 6/3/08. • Installation Guide for the 3e525A-3MP Wireless Access Point with Mobile Power, document Revision A. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 2 3. AirGuard Wireless Access Point 3.1. Cryptographic Module The eight variants of the 525A-3 AirGuard Wireless Access Point module (the module) are devices, which consist of electronic hardware, embedded software and strong metal case. There are two different types of metal cases, one for non-MP models, and one for MP models, as depicted in the figures below. For purposes of FIPS 140-2, the module is considered to be a multi-chip standalone product. The 525A-3/525V-3/525Ve-3/525Ve-4 product variants operate as either a gateway connecting a local area network to wide area network (WAN) or as an access point within a local area network (LAN). The 525V-3/Ve-3/Ve-4 products are simply 525A-3 units that contain separate video- processing printed circuit boards (entirely isolated from all cryptographic functionality). The 525V-3 contains an older Axis video board, with separate video and camera PTZ interface ports. The 525Ve-3 contains a newer Mango video board, with a video port only (no camera PTZ port). The 525Ve-4 contains a different Mango video board with dual video ports, as well as a separate camera PTZ port. In summary, the eight variants of the module under Hardware Version 2.0(A) differ from each other as follows: 1. 525A-3 has mil-spec-461 compliant filters. Uses Power Over Ethernet (POE). Executes firmware 4.3.3. 2. 525A-3 BASIC does not have the mil-spec-461-compliant filtering. Uses POE. Executes firmware 4.3.3. 3. 525A-3 BASIC w/TEC is a variant of #2 above with a thermo-electric cooler installed. Executes firmware 4.3.3. 4. 525A-3MP has power (24V nominal) entering through the antenna panel. Executes firmware 4.3.3. 5. 525A-3MP w/TEC is a variant of #4 above with a thermo-electric cooler installed. Executes firmware 4.3.3. 6. 525V-3 is a variant of #1 above with older Axis video processing board. Executes firmware 4.3.3. 7. 525Ve-3 is a variant of #1 above with newer Mango video board and video port only. Executes firmware 4.3.3. 8. 525Ve-4 is a variant of #1 above with newer Mango video board and dual video ports as well as camera PTZ port. Executes firmware 4.3.2. The four variants under Hardware Version 2.1 differ from each other as follows: 1. 525A-3 does not have the mil-spec-461-compliant filtering. Uses POE. Executes firmware 4.3.3. 2. 525A-3MP has power (24V nominal) entering through the antenna panel. Executes firmware 4.3.3. 3. 525V-3 is a variant of #1 above with older Axis video processing board. Executes firmware 4.3.3. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 3 4. 525Ve-4 is a variant of #1 above with newer Mango video board and dual video ports as well as camera PTZ port. Executes firmware 4.3.2. The term TEC in two of the variants stands for Thermo-Electric Cooler. It is circuitry included within the unit to extend the temperature range of the unit. It is used to pump heat energy away from the WLAN circuit boards to the enclosure case in warm environment. The cryptographic boundary of the 525A-3/525V-3/525Ve-3/525Ve-4 product variants is defined to be the entire enclosure of the Gateway. The 525A-3/525V-3/525Ve-3/525Ve-4 product variants are physically bound by the mechanical enclosure, which is protected by tamper evident tape. 525A-3 metal case, Hardware Version 2.0(A) FIPS 140-2 Non-Proprietary Security Policy Version 2.1 4 525A-3MP models’ power port on AP Antennae panel 3e-525V-3 FIPS 140-2 Non-Proprietary Security Policy Version 2.1 5 3.2. Module Interfaces There are three modes of operation that determine how antennae and ports are used by the module: • Mode #1. Access point mode o local antennae configured to encrypt/decrypt o LAN port used for administration o WAN port used to connect protected wired network o Bridging antenna – configurable • Mode #2. Gateway mode o local antennae configured to encrypt/decrypt o LAN port used to connect protected wired network o WAN port used to connect unprotected external network o either LAN or WAN port used for administration. o Bridging antenna – configurable • Mode #3. Bridging mode: o bridge antenna configured to encrypt/decrypt o local antennae may be configured for either access point mode or bridging mode. Additionally, there is no separate power port for the "-3" models (they use Power over Ethernet a.k.a. PoE), while there is a separate DC power port for the "MP" models. The following table summarizes module interfaces when the module is operating in access point mode: FIPS interface Module interface Data input Local antennae (2) Bridging antenna (if enabled) WAN port Video (525-“V” models only) Data output Local antennae (2) Bridging antenna (if enabled) WAN port Camera PTZ (525-“V” models only) Control input LAN port Status output LEDs: • Power • WAN • WLAN 1 • WLAN 2 • WLAN SS • FIPS/MODE LAN port Power port WAN port (PoE) FIPS 140-2 Non-Proprietary Security Policy Version 2.1 6 FIPS interface Module interface MP port (DC) (Mobile Power models only) The following table summarizes module interfaces when the module is operating in gateway mode: FIPS interface Module interface Data input Local antennae Bridging antenna (if enabled) LAN port WAN port Video (525-“V” models only) Data output Local antennae Bridging antenna (if enabled) LAN port WAN port Camera PTZ (525-“V” models only) Control input LAN port WAN port Status output LEDs: • Power • WAN • WLAN 1 • WLAN 2 • WLAN SS • FIPS/MODE LAN port WAN port Power port WAN port (PoE) MP port (DC) (Mobile Power models only) 3.3. Roles and Services The 525A-3/525V-3/525Ve-3/525Ve-4 product variants support four separate roles. The set of services available to each role is defined in this section. The 525A-3/525V- 3/525Ve-3/525Ve-4 product variants authenticate an operator’s role by verifying his PIN or access to a shared secret. The following table identifies the strength of authentication for each authentication mechanism supported: FIPS 140-2 Non-Proprietary Security Policy Version 2.1 7 Authentication Mechanism1 Strength of Mechanism Userid and password Minimum 8 characters => 94^8 = 1.641E-16 Static Key (TDES or AES) TDES (192-bits) or AES (128, 192, or 256-bits) AES CCM pre-shared key Minimum 8 characters => 94^8 = 6.095E15 The module halts (introduces a delay) for a second after each unsuccessful authentication attempt by CO or Admin. The highest rate of authentication attempts to the module is one attempt per second. This translates to 60 attempts per minute. Therefore the probability for multiple attempts to use the module's authentication mechanism during a one-minute period is 60/(94^8), or less than (9.84E-15). 3.3.1. Crypto Officer and Administrator Role Services Crypto Officer Role: The Crypto officer role performs all security functions provided by the 525A-3/525V-3/525Ve-3/525Ve-4 product variants. This role performs cryptographic initialization and management functions (e.g., module initialization, input/output of cryptographic keys and SRDIs, audit functions and user management). The Crypto officer is also responsible for managing the Administrator users. The Crypto officer must operate within the Security Rules and Physical Security Rules specified in Sections 3.1 and 3.2. The Crypto officer uses a secure web-based HTTPS connection to configure the 525A-3/525V-3/525Ve-3/525Ve-4 product variants. Up to ten Crypto Officers may be defined in the 525A-3/525V-3/525Ve-3/525Ve-4 product variants. The Crypto Officer authenticates to the 525A-3/525V-3/525Ve-3/525Ve-4 product variants using a username and password. Administrator Role: This role performs general 525A-3/525V-3/525Ve-3/525Ve-4 product variants configuration such as defining the WLAN, LAN and DHCP settings, performing self-tests and viewing system log messages for auditing purposes. No CO security functions are available to the Administrator. The Administrator can also reboot the 525A-3/525V-3/525Ve-3/525Ve-4 product variants, if deemed necessary. The Administrator must operate within the Security Rules a specified in Section 3.1 and always uses a secure web-based HTTPS connection to configure the 525A-3/525V- 3/525Ve-3/525Ve-4 product variants. The Administrator authenticates to the 525A- 3/525V-3/525Ve-3/525Ve-4 product variants using a username and password. Up to 5 operators who can assume the Administrator role can be defined. All Administrators are 1 The module implements one authentication mechanism that authenticates individual operators into Crypto Officer and Administrator roles: the web GUI username/password mechanism. The module implements three authentication mechanisms that implicitly authenticate operators into a single User operator role: 3eTI static pre-shared key mechanism, 802.11i pre-shared key mechanism, 3eTI bridging pre-shared key mechanism. The module relies on an authentication server in the environment to authenticate User operators for 3eTI DKE and 802.11i EAP-TLS Approved encrypting modes. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 8 identical; i.e., they have the same set of services available. The Crypto Officer is responsible for managing (creating, deleting) Administrator users. Crypto Officer and Administrator services, and the keys/CSPs that each role has access to using web GUI page to provide correspondence to the key/CSP are summarized in the table below. If there is no web GUI interface to input/output a key/CSP, neither the Crypto Officer nor the Administrator have access to it. Please see the table titled “RFC 2818 HTTPS Keys/CSPs” under section 3.5 of this document for a list of keys/CSPs used/generated as a result of executing the Web GUI service Operator Roles CryptoOfficer Administrator Categories Features Show 2 Set 3 Add 4 Delete 5 Default Reset 6 Show 7 Set 8 Add 9 Delete 10 Default Reset 11 System Configuration • General Hostname Domain name Date/Time X X X X X X X X X X X X X X X X X X • WAN DHCP client Static IP address 10/100 MBps half/full X X X X X X X X X X X X X X X X X X 2 The operator can view this setting 3 The operator can change this setting 4 The operator can add a required input. For example: Adding an entry to the MAC address filtering table 5 The operator can delete a particular entry. For example: Deleting an entry from the MAC address filtering table 6 The operator can reset this setting to its factory default value. 7 The operator can view this setting 8 The operator can change this setting 9 The operator can add a required input. For example: Adding an entry to the MAC address filtering table 10 The operator can delete a particular entry. For example: Deleting an entry from the MAC address filtering table 11 The operator can reset this setting to its factory default value. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 9 Operator Roles CryptoOfficer Administrator Categories Features Show 2 Set 3 Add 4 Delete 5 Default Reset 6 Show 7 Set 8 Add 9 Delete 10 Default Reset 11 duplex/auto • LAN IP address Subnet mask X X X X X X X X X X X X • Operating Mode Gateway – FIPS Gateway – Non-FIPS AP / Bridging Mode – FIPS AP / Bridging Mode – Non- FIPS AP / Bridging Mode – FIPS / IPv6 AP / Bridging Mode – Non- FIPS / IPv6 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Wireless Access Point • General SSID Wireless Mode Channel Number • Enable / Disable Auto Selection • Auto selection button Transmit Power Mode Fixed Power Level Beacon Interval RTS Threshold DTIM Basic Rates Preamble Enable / Disable Broadcast SSID X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X • Security No Encryption Dynamic Key Management Triple-DES AES (128-/192-256-bit) FIPS 802.11i X X X X X X X X X X X X X X X X X X X X • Wireless VLAN Enable/Disable VLAN X X X X X X X X X X • MAC Address Filtering Enable/Disable Add/Delete entry Allow/Disallow Filter X X X X X X X X X X X X • Rogue AP Detection Enable/Disable Known AP MAC address Email / Display rogue AP X X X X X X X X X X X X X X • Advanced Load Balancing Layer 2 Isolation X X X X X X X X X X X X Wireless Bridge • General Manual/Auto Bridge SSID X X X X X X X X X X X X FIPS 140-2 Non-Proprietary Security Policy Version 2.1 10 Operator Roles CryptoOfficer Administrator Categories Features Show 2 Set 3 Add 4 Delete 5 Default Reset 6 Show 7 Set 8 Add 9 Delete 10 Default Reset 11 Max Auto Bridge Bridge Priority Signal Strength Threshold Broadcast SSID enable/disable Signal Strength LED MAC STP enable/disable Remote BSSID X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X • Radio Wireless Mode Tx Rate Channel No Tx Pwr Mode Propagation Distance RTS Threshold Remote BSSID X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X • Encryption No Encryption Triple-DES AES (128-/192-256-bit) X X X X X X X X X X X X X X Service Settings • DHCP Server Enable / Disable Starting / Ending IP address X X X X X X X X X X X X • Subnet Roaming Enable / Disable Coordinator Address X X X X X X X X X X X X X X • SNMP agent Enable/ Disable Community settings Secure User Configuration System Information X X X X X X X X X X X X X X X X X X X X X X X X • Misc Service Print Server: Enable/ Disable X X X X X X User Management • List All Users X X X X X X • Add New User X • User Password Policy Enable/Disable Policy setting X X X X X X X X Monitoring/Reports • System Status Security Mode Current Encryption Mode Bridging encryption mode System Uptime Total Usable memory Free Memory Current Processes Other Information Network interface status X X X X X X X X X X X X X X X X X X • Bridging Status Status of Layer 2 bridge devices X X • Wireless Clients MAC Address (manfr’s X X FIPS 140-2 Non-Proprietary Security Policy Version 2.1 11 Operator Roles CryptoOfficer Administrator Categories Features Show 2 Set 3 Add 4 Delete 5 Default Reset 6 Show 7 Set 8 Add 9 Delete 10 Default Reset 11 name) Received Signal Strength TX rate X X X X • Adjacent AP List AP MAC address SSID Channel Signal Noise Type Age WEP X X X X X X X X X X X X X X X X • DHCP Client List Client Hostname IP Address MAC Address (manfr’s name) X X X X X X X X X X X X • System Log Date/Time/Message X X X X • Web Access Log X X X X • Network Activities X X X X Auditing • Log X X X X • Report Query X X • Configuration Enable/Disable Selectable items X X X X X X X X System Administration • System Upgrade Firmware Upgrade Local Configuration Upgrade Remote Configuration Upgrade X X X X X X X X X X X X • Factory Defaults X • Remote Logging Enable/Disable Settings X X X X X X X X X X X X • Reboot X X • Utilities Ping Traceroute X X X X 3.3.2. User Role Services User Role: This role is assumed by the wireless client workstation that uses static or dynamic key AES or Triple-DES encryption to communicate wirelessly with the 525A- 3/525V-3/525Ve-3/525Ve-4 product variants. Authentication is either performed through entry of a static key by the user or an EAP-TLS authentication is performed, with the user providing a public key certificate. The static key (Triple-DES or AES key) is configured on the 525A-3/525V-3/525Ve-3/525Ve-4 product variants by the Crypto officer. The static key must be pre-shared between the 525A-3/525V-3/525Ve-3/525Ve-4 FIPS 140-2 Non-Proprietary Security Policy Version 2.1 12 product variants and the User. The Gateway supports 128 Users (client workstations) if MAC address filtering is disabled. If MAC address filtering is enabled, only 60 Users are allowed. The User role has the ability to send data to and through the 525A-3/525V-3/525Ve- 3/525Ve-4 product variants. All data is sent in the form of 802.11i wireless packets. All wireless communication is encrypted using either Triple-DES or AES encryption (based upon the 525A-3/525V-3/525Ve-3/525Ve-4 product variants configuration). In bypass mode, plaintext packets can also be sent to the 525A-3/525V-3/525Ve-3/525Ve-4 product variants. The User role also employs 802.11i authentication schemes including 802.1X, EAP-TLS, and preshared key modes. Also, a Wireless Access Point (WAP) may act in the User role by communicating with the 525A-3/525V-3/525Ve-3/525Ve-4 product variants in bridging mode. 3.3.3. Security Server Role Services Security Server Role: This role is assumed by the authentication server, which is a self- contained workstation connected to the 525A-3/525V-3/525Ve-3/525Ve-4 product variants over the Ethernet Uplink WAN port. The security server is employed for authentication of wireless clients and key management activities. The Security Server is used only during dynamic key exchange. The Security Server authenticates using a shared secret which is used as an HMAC-SHA1 key to sign messages sent to the 525A- 3/525V-3/525Ve-3/525Ve-4 product variants during dynamic key exchange. The Security Server IP address and password are configured on the 525A-3/525V-3/525Ve- 3/525Ve-4 product variants by the Crypto Officer. Only one Security Server is supported. The Security Server performs following services: • The EAP-TLS authentication from 3e-SS through the 3e-WAP to the 3e-010F Crypto Client • Process dynamic key exchange after a successful authentication • Perform a DH key exchange with the 525A-3/525V-3/525Ve-3/525Ve-4 product variants to negotiate an AES key • Send Unicast key to the Gateway encrypted with the AES key negotiated using a DH key exchange 3.3.4. Unauthenticated Services Unauthenticated services include the following: Service Description Input Output Key/CSP 802.11a/b/g (and variants, as well as WLAN management 802.11 wireless traffic (used in both Approved encrypting modes and in 802.11a/b/g inputs and data 802.11a/b/g outputs and data None FIPS 140-2 Non-Proprietary Security Policy Version 2.1 13 functions such as VLAN and MAC filtering are supported as described in the User’s Guide section “Introduction”) bypass modes) NAT Wired network service available only in gateway mode (used in both Approved encrypting modes and in bypass modes) NAT inputs and data NAT outputs and data None DHCP Wired network service available only in gateway mode (used in both Approved encrypting modes and in bypass modes) DHCP inputs and data DHCP outputs and data None 3.4. Cryptographic Algorithms The 525A-3/525V-3/525Ve-3/525Ve-4 product variants supports the following FIPS- approved cryptographic algorithms: • TDES (ECB, CBC modes; 192-bit keysize), cert #292 • AES (ECB mode; 128, 192, 256-bit keysizes), cert #238 • AES CCM (128-bit keysize), cert #1 • SHA-1, cert #278 • HMAC-SHA1, cert #13 • FIPS 186-2 (Appendix 3.1 and 3.1) PRNG, cert#22 The 525A-3/525V-3/525Ve-3/525Ve-4 product variants also supports the following non- FIPS cryptographic algorithms: • Diffie Hellman (1024-bit modulus) allowed in FIPS mode for key agreement. This key establishment method provides 80-bits of security. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 14 • RSA decrypt (PKCS#1 using a 1024-bit modulus) allowed in FIPS mode for key un-wrapping. This key establishment method provides 80-bits of security. • RC4 (used in WEP/WPA) • MD5 hashing (used in MS-CHAP for PPPoE and SNMP agent) • DES CBC (non-compliant) (used in SNMP v3) • AES CFB (non-compliant) (used in SNMP v3) 3.5. Cryptographic Keys and SRDIs The 525A-3/525V-3/525Ve-3/525Ve-4 product variants contains the following security relevant data items:12 Non-Protocol Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use Operator passwords ASCII string Input encrypted (using TLS session key) Not output Ciphertext in flash (SHA-1 hash) Not zeroized Used to authenticate CO and Admin role operators Configuration file passphrase HMAC key (ASCII string) Input encrypted (using TLS session key) Not output Plaintext in RAM. It is put into temporary memory/auto variable/stack. Zeroized when a configuration file is uploaded after it is used. Used for downloaded configuration file message authentication Firmware integrity check key HMAC key (ASCII string) Input encrypted (using TLS session key) Not output Plaintext in flash Not zeroized. Used for firmware load message authentication SNMP packet authentication keys, username HMAC key (ASCII string) Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when reset to factory settings. Use for SNMP message authentication RNG Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use FIPS 186-2 seed ASCII string (includes the value of a call to the standard C library time() function) Not input Not output Plaintext in RAM Zeroized every time a new random number is generated using the FIPS PRNG after it is used. Used to initialize FIPS PRNG FIPS 186-2 seed key Symmetric RNG Not output Plaintext in RAM Zeroized every time a new random Used to initialize FIPS PRNG 12 There is in addition to the keys/CSPs listed below a “configuration file key”. However, it is not considered either a key or a CSP. Keys/CSPs encrypted using the configuration file key stored in flash are considered stored as plaintext. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 15 number is generated using the FIPS PRNG after it is used. 3eTI Static Protocol Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use Static key 1. AES ECB (e/d; 128,192,256) 2. TDES (Triple-DES 192) Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when local antennae Approved encrypting mode either reconfigured or changed from 3eTI Static mode to any other local antennae Approved encrypting mode, to bypass mode. Zeroized when reset to factory settings. Used to encrypt unicast, and broadcast/ multitcast traffic in support of static mode 3eTI DKE Protocol Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use See EAP-TLS keys/CSPs - - - - - There are DKE-specific EAP-TLS keys/CSPs used to authenticate User operator to module Dynamic unicast key 1. AES ECB (e/d; 128,192,256) 2. TDES (Triple-DES 192) Not input (TLS master secret resulting from successful User EAP- TLS authentication in DKE mode) Not output Plaintext in RAM Zeroized when 3eTI DKE session times out Note that it takes approximately five minutes for a DKE session to time out given the DKE protocol specification. When a timeout occurs after a session Used to encrypt unicast traffic in support of DKE FIPS 140-2 Non-Proprietary Security Policy Version 2.1 16 times out, zeroization is immediate. Dynamic broadcast key 1. AES ECB (e/d; 128,192,256) 2. TDES (Triple-DES 192) RNG (it is only generated once, the first time a DKE client needs it, since all clients use same broadcast key) Encrypted (using Dynamic unicast key) Plaintext in RAM Zeroized when local antennae Approved encrypting mode either reconfigured or changed from 3eTI DKE mode to any other local antennae Approved encrypting mode, to bypass mode. Used to encrypt broadcast and multicast traffic in support of DKE. The same key is used for all DKE clients. IEEE 802.11i Protocol PSK Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use PSK mode passphrase ASCII string Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when local antennae Approved encrypting mode either reconfigured or changed from IEEE 802.11i mode to any other local antennae Approved encrypting mode (including 802.11i EAP- TLS), to bypass mode. Zeroized when reset to factory settings. Used to derive 802.11i PMK IEEE 802.11i Protocol EAP-TLS Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use See EAP- TLS keys/CSPs - - - - - There are 802.11i EAP- TLS-specific EAP-TLS keys/CSPs used to authenticate User operator to module IEEE 802.11i Protocol Keys/CSPs (Common to PSK and EAP-TLS) FIPS 140-2 Non-Proprietary Security Policy Version 2.1 17 Key/CSP Type Generation/ Input Output Storage Zeroization Use PMK If 802.11i PSK, then derived from PSK mode passphrase: HMAC-SHA1 where passphrase is HMAC key and SSID is hashed. If 802.11i EAP-TLS, then secret key (TLS master secret) If 802.11i PSK, then ASCII string is input encrypted (using TLS session key) If 802.11i EAP-TLS, then not input, instead derived (TLS master secret resulting from successful User EAP- TLS authentication in DKE mode) Not output If 802.11i PSK, then plaintext in flash For both 802.11i PSK and EAP-TLS, plaintext in RAM Zeroized when local antennae Approved encrypting mode either reconfigured or changed from IEEE 802.11i mode to any other local antennae Approved encrypting mode (including from 802.11i PSK to 802.11i EAP- TLS, and 802.11i EAP- TLS to 802.11i PSK), to bypass mode. If 802.11i PSK, zeroized when reset to factory settings. 802.11i PMK PTK AES (key derivation; 256) Not input (derived from PMK) Not output Plaintext in RAM When 802.11i session ends. 802.11i PTK KCK HMAC key (128 bits from PTK) Not input (derived from PTK) Not output Plaintext in RAM When 802.11i session ends. 802.11i KCK KEK AES ECB(e/d; 128) Not input (derived from PTK) Not output Plaintext in RAM When 802.11i session ends. 802.11i KEK TK AES CCM (e/d; 128) Not input (derived from PTK) Not output Plaintext in RAM When 802.11i session ends. 802.11i TK TK (copy in driver) AES CCM (e/d; 128) Not input (derived from PTK) Not output Plaintext in RAM When 802.11i session ends. 802.11i TK GMK AES (key derivation; 256) Not input (RNG) Not output Plaintext in RAM Zeroized when local antennae Approved encrypting mode either reconfigured or changed from IEEE 802.11i mode to any other 802.11i GMK FIPS 140-2 Non-Proprietary Security Policy Version 2.1 18 local antennae Approved encrypting mode (including from 802.11i PSK to 802.11i EAP- TLS, and 802.11i EAP- TLS to 802.11i PSK), to bypass mode. When re-key period expires GTK AES CCM (e/d; 128) Not input (derived from GMK) Output encrypted (using KEK) Plaintext in RAM Zeroized when local antennae Approved encrypting mode either reconfigured or changed from IEEE 802.11i mode to any other local antennae Approved encrypting mode (including from 802.11i PSK to 802.11i EAP- TLS, and 802.11i EAP- TLS to 802.11i PSK), to bypass mode. When re-key period expires 802.11i GTK 3eTI Security Server Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use Security Server password HMAC key (ASCII string) Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when local antennae Approved encrypting mode either reconfigured or changed from 3eTI DKE or IEEE 802.11i EAP- TLS mode to Authenticate module to Security Server in support of DKE and 802.11i EAP- TLS authentication FIPS 140-2 Non-Proprietary Security Policy Version 2.1 19 any other local antennae Approved encrypting mode (including to 802.11i PSK), to bypass mode Zeroized when reset to factory settings. Backend password HMAC key (ASCII string) Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when local antennae Approved encrypting mode either reconfigured or changed from 3eTI DKE or IEEE 802.11i EAP- TLS mode to any other local antennae Approved encrypting mode (including to 802.11i PSK), to bypass mode Zeroized when reset to factory settings. Authenticate messages between module and security server in support of 802.11i EAP- TLS Backend key AES ECB key (d;128) Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when local antennae Approved encrypting mode either reconfigured or changed from 3eTI DKE or IEEE 802.11i EAP- TLS mode to any other local antennae Approved encrypting mode (including to 802.11i PSK), to bypass Decrypt TLS master secret returned to module by Security Server after successful User authentication in support of 802.11i EAP- TLS FIPS 140-2 Non-Proprietary Security Policy Version 2.1 20 mode Zeroized when reset to factory settings. DH private exponent Private DH key RNG Not output Plaintext in RAM Zeroized after decrypt TLS master secret returned from Security Server Zeroized if the DKE session times out. Used in DH exchange performed after successful User EAP- TLS authentication in DKE mode DH session key (a.k.a. AES post authentication key) AES ECB key (d;128) Not input (derived from DH exchange) Not output Plaintext in RAM Zeroized when successfully authenticate 3eTI DKE client after decrypt TLS master secret returned from Security Server. Decrypt TLS master secret returned to module by Security Server after successful User authentication in support of DKE EAP- TLS 3eTI Bridging Protocol Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use Bridging static key AES ECB (e/d; 128,192,256) TDES (Triple- DES 192) Input encrypted (using TLS session key) Not output Plaintext in flash Zeroized when bridge antenna Approved encrypting mode either reconfigured or when changed from 3eTI bridging mode to any other bridging antenna mode. Zeroized when reset to factory settings. Used to encrypt bridged traffic between two modules RFC 2818 HTTPS Keys/CSPs Key/CSP Type Generation/ Input Output Storage Zeroization Use RSA private key RSA (1024) (key wrapping; key establishment Not input (installed at factory) Not output Plaintext in flash Not zeroized. Used to support CO and Admin HTTPS FIPS 140-2 Non-Proprietary Security Policy Version 2.1 21 methodology provides 80- bits of encryption strength) interfaces. TLS session key for encryption Triple-DES (192) Not input (derived) Not output Plaintext in RAM Zeroized when a page of the web GUI is served after it is used. TLS server write key 3.6. Self-Tests The module performs the following self-tests: Power-up self-tests: • AES ECB - encrypt/decrypt KAT • Triple-DES CBC – encrypt/decrypt KAT • AES CCM KAT • SHA-1 KAT • HMAC-SHA-1 KAT • FIPS 186-2 (Appendix 3.1, 3.3) RNG KAT • DH pairwise consistency test (critical function) • SHA-1 Integrity Test for firmware Conditional self-tests: • CRNGT for Approved PRNG • CRNGT for non-Approved PRNG (Open SSL based RNG) • Bypass Tests • Firmware Load Test using HMAC-SHA-1 3.7. Secure Operation of the AirGuard Wireless Access Point The following 525A-3/525V-3/525Ve-3/525Ve-4 product variants security rules must be followed by the operator in order to ensure secure operation: 1. Every operator (Crypto Officer or Administrator) has a user-id on the 525A- 3/525V-3/525Ve-3/525Ve-4 product variants. No operator will violate trust by sharing his/her password associated with the user-id with any other operator or entity. 2. The Crypto Officer will not share any key, or SRDI used by the 525A-3/525V- 3/525Ve-3/525Ve-4 product variants with any other operator or entity. 3. The Crypto Officer will not share any MAC address filtering information used by the 525A-3/525V-3/525Ve-3/525Ve-4 product variants with any other operator or entity. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 22 4. The operators will explicitly logoff by closing all secure browser sessions established with the 525A-3/525V-3/525Ve-3/525Ve-4 product variants. 5. The operator will disable browser cookies and password storing mechanisms on the browser used for web configuration of the 525A-3/525V-3/525Ve-3/525Ve-4 product variants. 6. The Crypto officer is responsible for inspecting the tamper evident seals on a daily basis. A compromised tape reveals message “OPENED” with visible red dots. Other signs of tamper include wrinkles, tears and marks on or around the label. 7. The Crypto Officer should change the default password when configuring the 525A-3/525V-3/525Ve-3/525Ve-4 product variants for the first time. The default password should not be used. Secure installation, configuration, and operation procedures are below. 3.7.1. Applying Tamper-Evident Seals (All Models) The following section contains detailed instructions to the Crypto Officer concerning where and how to apply the tamper evident seals to the 525A-3/525V-3/525Ve-3/525Ve- 4 product variants enclosure, in order to provide physical security for FIPS 140-2 level 2 requirements. Note the physical security rules are the same between the 525A-3 and the 525A-3MP. A security seal is added from the back plate to the antenna plate. A second security seal is added from the front of the unit to the antenna plate, taking care not to cover the L.E.D. labeling. ½” length 440 Pan Head screws are used on each circular connector to secure them to the panel. Two 440 KEPS nuts and a nylon washer are added to the inside shaft and tightened together with washers facing each other approximately 1/32” from the connector panel. This prevents the screws from being removed and thus entry cannot be accomplished without removing the security labels. Materials: 525A-3/525V-3/525Ve-3/525Ve-4 product variants – Quantity: 1 Seal, Tape, Tamper-evident – Quantity: 4 Isopropyl Alcohol Swab 3M Adhesive Remover (citrus or petroleum based solvent) Installation – Tamper-evident tape 1. Locate on 525A-3/525V-3/525Ve-3/525Ve-4 product variants the placement locations of tamper-evident tape seals. (4 locations as shown in the figures above for the 525A-3/525V-3/525Ve-3/525Ve-4 product variants). 2. Thoroughly clean area where tamper-evident tape seal is to be applied with isopropyl alcohol swab. Area must be clean of all oils and foreign matter (dirt, grime, etc.) 3. Record tracking number from tamper-evident tape seal. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 23 4. Apply seal to locations on the 525A-3/525V-3/525Ve-3/525Ve-4 product variants as shown in the figure above. It is important to ensure that the seal has equal contact area with both top and bottom housings. 5. After application of seals to the 525A-3/525V-3/525Ve-3/525Ve-4 product variants, apply pressure to verify that adequate adhesion has taken place. Removal – Tamper-evident tape 1. Locate on 525A-3/525V-3/525Ve-3/525Ve-4 product variants locations of tamper-evident tape seals. (4 locations (two on each panel) as shown in the figure above for the 525A-3/525V-3/525Ve-3/525Ve-4 product variants) 2. Record tracking numbers from existing tamper-evident tape seal and verify physical condition as not tampered or destroyed after installation. 3. Cut tape along seam of 525A-3/525V-3/525Ve-3/525Ve-4 product variants to allow opening of enclosure. 4. Using 3M adhesive remover or equivalent, remove residual tamper-evident seal tape. (two locations as shown in the figure above for the 525A-3/525V-3/525Ve- 3/525Ve-4 product variants) The photos below show the physical interface of the 3e-525A-3 enclosure with tamper evident seals. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 24 HARDWARE VERSION 2.0(A) 3e-525A-3, Hardware Version 2.0(A), Side One – Upper Left 3e-525A-3, Hardware Version 2.0(A), Side One – Lower Right FIPS 140-2 Non-Proprietary Security Policy Version 2.1 25 3e-525A-3, Hardware Version 2.0(A), Side Two The photos below show the physical interface of the 3e-525A-3 BASIC enclosure with tamper evident seals. 3e-525A-3 BASIC, Hardware Version 2.0(A), Side One FIPS 140-2 Non-Proprietary Security Policy Version 2.1 26 3e-525A-3 BASIC, Hardware Version 2.0(A), Side Two The photos below show the physical interface of the 3e-525A-3MP enclosure with tamper evident seals. 3e-525A-3MP, Hardware Version 2.0(A), Side One FIPS 140-2 Non-Proprietary Security Policy Version 2.1 27 3e-525A-3MP, Hardware Version 2.0(A), Side Two The figures below show the physical interface of the 3e-525V-3 enclosure with tamper evident seals. 3e-525V-3, Hardware Version 2.0(A), Side One FIPS 140-2 Non-Proprietary Security Policy Version 2.1 28 3e-525V-3, Hardware Version 2.0(A), Side Two The figures below show the physical interface of the 3e-525Ve-3 enclosure with tamper evident seals. 3e-525Ve-3, Hardware Version 2.0(A), Sides One and Two FIPS 140-2 Non-Proprietary Security Policy Version 2.1 29 The figures below show the physical interface of the 3e-525Ve-4 enclosure with tamper evident seals. VIDEO CAMERA UPLINK LOCAL BRIDGING ANTENNA VIDEO PTZ 0 1 3e-525Ve-4, Hardware Version 2.0(A), Side One 3e-525Ve-4, Hardware Version 2.0(A), Side Two FIPS 140-2 Non-Proprietary Security Policy Version 2.1 30 HARDWARE VERSION 2.1 Common to all Hardware Version 2.1 models, Side One Common to all Hardware Version 2.1 models, Side Two 3.7.2. Checking for Tamper Evidence Tamper-evident seals should be checked for letters from the word “OPENED” left behind by seal residue when the seal is removed. Tamper-evident seals should also be checked for nicks and scratches that make the metal case visible through the nicked or scratched seal. FIPS 140-2 Non-Proprietary Security Policy Version 2.1 31 Glossary AP Access Point CO Cryptographic Officer DH Diffie Hellman DHCP Dynamic Host Configuration Protocol DMZ De-Militarized Zone IP Internet Protocol EAP Extensible Authentication Protocol FIPS Federal Information Processing Standard HTTPS Secure Hyper Text Transport Protocol LAN Local Area Network MAC Medium Access Control NAT Network Address Translation PRNG Pseudo Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SRDI Security Relevant Data Item SSID Service Set Identifier TLS Transport Layer Security WAN Wide Area Network WLAN Wireless Local Area Network