FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 1 of 26 FIPS 140-2 Non-Proprietary Security Policy Maxar AEDS Document Version 1.4 October 25, 2023 Prepared For: Prepared By: Maxar Technologies 3825 Fabian Way Palo Alto, CA 94303 www.maxar.com SafeLogic Inc. 530 Lytton Ave, Suite 200 Palo Alto, CA 94301 www.safelogic.com FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 2 of 26 Table of Contents 1 Introduction 4 1.1 About FIPS 140 4 1.2 About this Document 4 1.3 External Resources 4 1.4 Notices 4 1.5 Acronyms 4 2 Cryptographic Module Specification 6 2.1 Validation Level Detail 7 2.2 Approved Cryptographic Algorithms 8 2.3 Non-Approved but Allowed Algorithms 10 2.4 Module Interfaces 12 2.4.1 Interface Security 13 2.4.1.1 Compliance to IG A.5 13 2.5 Roles, Services, and Authentication 14 2.5.1 Operator Services and Descriptions 14 2.5.2 Crypto Officer Authentication 17 2.5.3 User Authentication 17 2.6 Physical Security 17 2.7 Operational Environment 18 2.8 Cryptographic Key Management 19 2.9 Self-Tests 23 2.9.1 Power-On Self-Tests 24 2.9.2 Conditional Self-Tests 25 2.10 Mitigation of Other Attacks 25 3 Guidance and Secure Operation 25 3.1 Crypto Officer Guidance 25 3.2 User Guidance 26 List of Tables Table 1 - Acronyms and Terms...................................................................................................................................5 Table 2 - Validation level by FIPS 140-2 Section ........................................................................................................7 Table 3 - FIPS Approved Algorithm Certificates.......................................................................................................10 Table 4 - Approved Cryptographic Functions with Vendor Affirmations.................................................................10 Table 5 - Non-Approved but Allowed Algorithms....................................................................................................11 Table 6 - Interface Descriptions ...............................................................................................................................12 Table 7 - Logical Interface / Physical Interface Mapping .........................................................................................12 Table 8 - Operator Services......................................................................................................................................17 Table 9 - Module Protected Keys / CSPs ..................................................................................................................22 Table 10 - Module Public Keys / CSPs ......................................................................................................................23 Table 11 - Power-On Self Tests ................................................................................................................................24 FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 3 of 26 Table 12 - Conditional Self-Tests..............................................................................................................................25 List of Figures Figure 1 – Maxar AEDS (front) with Tamper-Evident Seals Locations...........................................................................6 Figure 2 – Maxar AEDS (back) with Tamper-Evident Seals Locations............................................................................7 FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 4 of 26 1 Introduction 1.1 About FIPS 140 Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST), Canadian Centre for Cyber Security (CCCS), and Cryptographic Module Validation Program (CMVP) run the FIPS 140 program. National Voluntary Laboratory Accreditation Program (NVLAP) accredits independent testing labs to perform FIPS 140 testing; the CMVP validates modules meeting FIPS 140 validation. Validated is the term given to a module that is documented and tested against the FIPS 140 criteria. More information is available on the CMVP website at https://csrc.nist.gov/groups/STM/cmvp/index.html. 1.2 About this Document This non-proprietary Cryptographic Module Security Policy for the Maxar AEDS from Maxar Technologies (“Maxar”) provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-2. This document contains details on the module’s cryptographic keys and critical security parameters. This Security Policy concludes with instructions and guidance on running the module in a FIPS 140-2 mode of operation. Maxar AEDS may also be referred to as the “module” in this document. 1.3 External Resources The Maxar website (www.maxar.com) contains information on Maxar services and products. The Cryptographic Module Validation Program website contains links to the FIPS 140-2 certificate and Maxar contact information. 1.4 Notices This document may be freely reproduced and distributed in its entirety without modification. 1.5 Acronyms The following table defines acronyms found in this document: FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 5 of 26 Acronym Term AEDS AES Encryption / Decryption System AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface AWS Amazon Web Services CA Certificate Authority CCSDS Consultative Committee for Space Data Systems CMVP Cryptographic Module Validation Program CO Crypto Officer CSEC Communications Security Establishment Canada CSP Critical Security Parameter DES Data Encryption Standard DH Diffie-Hellman DSA Digital Signature Algorithm EC Elliptic Curve EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communications Commission FIPS Federal Information Processing Standard GPC General Purpose Computer GUI Graphical User Interface HMAC (Keyed-) Hash Message Authentication Code HSM Hardware Security Module KAT Known Answer Test KO Key Option MAC Message Authentication Code MD Message Digest MMI Machine-to-Machine Interface NIST National Institute of Standards and Technology OS Operating System PKCS Public-Key Cryptography Standards PKG Public Key Generation PKV Public Key Validation PRNG Pseudo Random Number Generator PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, and Adleman SHA Secure Hash Algorithm SDLS Space Data Link Security SSL Secure Sockets Layer Triple-DES Triple Data Encryption Algorithm TLS Transport Layer Security Table 1 - Acronyms and Terms FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 6 of 26 2 Cryptographic Module Specification The Maxar AEDS provides a dedicated implementation of the CCSDS Space Data Link Security (SDLS) protocol for spacecraft telecommand encryption and telemetry decryption using the Advanced Encryption Standard (AES). The module is hardware Revision 1, which consists of firmware version 1.0.6.1558.2958 on an AIC TB116-AN server and is classified as a multi-chip standalone cryptographic module. The module also includes the embedded Nuvoton NPCT6XX series TPM 2.0 hardware module with firmware 1.3.0.1 validated to FIPS 140-2 under Cert. #2627 operating in FIPS mode. The physical cryptographic boundary is defined as the outer case of the AIC TB116-AN server. The module runs on a non-modifiable operating environment. Photos of the AIC TB116-AN with the three (3) tamper-evident seals affixed by the manufacturer are depicted below in Figures 1 &2. Figure 1 – Maxar AEDS (front) with Tamper-Evident Seals Locations 1 2 3 FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 7 of 26 Figure 2 – Maxar AEDS (back) with Tamper-Evident Seals Locations 2.1 Validation Level Detail The following table lists the level of validation for each area in FIPS 140-2: FIPS 140-2 Section Title Validation Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles, Services, and Authentication 2 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 Electromagnetic Interference / Electromagnetic Compatibility 2 Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A Table 2 - Validation level by FIPS 140-2 Section 1 2 3 FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 8 of 26 2.2 Approved Cryptographic Algorithms The following table lists all certificates issued by the Cryptographic Algorithm Validation Program for the module’s embedded cryptographic algorithm implementations. Emphasis0F 1 in Table 3 (only) is added to those algorithms that are employed by the module. Algorithm CAVP Certificate AES ECB (e/d; 128, 192, 256) CBC (e/d; 128, 192, 256) CFB1 (e/d; 128, 192, 256) CFB8 (e/d; 128, 192, 256) CFB128 (e/d; 128, 192, 256) OFB (e/d; 128, 192, 256) CTR (ext only; 128, 192, 256) CCM (KS: 128, 192, 256) CMAC (Generation/Verification) (KS: 128, 192, 256) XTS (e/d; 128, 256) GCM (KS: AES_128(e/d), AES_192(e/d), AES_256(e/d))1F 2 GMAC_Supported A2061 CVL (ECC CDH KAS) Curves (B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521) Component 2178 CVL KDF (SP 800-135 for TLS v1.0/1.1, and TLS v1.2) C585 SP 800-90A DRBG (Hash_DRBG, HMAC_DRBG, CTR_DRBG) A2061 DSA FIPS 186-4 PQG Gen: 2048 & 3072 (using SHA-2) PQG Ver: 1024, 2048 & 3072 (using SHA-1 and SHA-2) Key Pair: 2048-bit & 3072-bit Sig Gen: 2048-bit & 3072-bit (using SHA-2) Sig Ver: 1024-bit, 2048-bit & 3072-bit (using SHA-1 & SHA-2) A2061 ECDSA FIPS 186-4 PKG: Curves (B-233, B-283, B-409 & B-571, K-233, K-283, K-409, K-571, P-224, P- 256, P-384, P-521) PKV: Curves All P, K & B A2061 1 Algorithms in-use are underlined and italic. If only certain variants of an algorithm are in-use, only those variants will be italic. [Note: this is only applicable to Table 3.] 2 256 bits of entropy strength is claimed since the IV is generated internally FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 9 of 26 Sig Gen: (B-233, B-283, B-409 & B-571, K-233, K-283, K-409, K-571, P-224, P-256, P- 384, P-521) (SHA-2) Sig Ver: Curves (B-163, B-233, B-283, B-409 & B-571, K-163, K-233, K-283, K-409, K- 571, P-192, P224, P-256, P-384, P-521) (using SHA-1 and SHA-2) HMAC-SHA-1 (160-bit key), HMAC-SHA-224, HMAC-SHA-256 (256-bit key), HMAC- SHA-384 (384-bit key), HMAC-SHA-512 A2061 KAS-SSC ECC Domain Parameter Generation Methods: B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 FCC Domain Parameter Generation Methods: FB, FC CVL Cert. #C585; Key establishment methodology provides 192 bits of encryption strength. A2062 KTS AES-GCM (key establishment methodology provides 128 or 256 bits of encryption strength) A2061 KTS AES-CBC (with HMAC-SHA1, HMAC-SHA-256); key establishment methodology provides 128 or 256 bits of encryption strength) A2061 RSA (X9.31, PKCS #1.5, PSS) FIPS 186-2 ANSIX9.31 Sig Gen: 4096-bit (SHA-256, SHA-384, SHA-512) Sig Ver: 1024-bit, 1536-bit, 2048-bit, 3072-bit & 4096-bit (any SHA size) PKCS1 V1 5 Sig Gen: 4096-bit (SHA-224, SHA-256, SHA-384, SHA-512) Sig Ver: 1024-bit, 1536-bit, 2048-bit, 3072-bit & 4096-bit (any SHA size) PSS Sig Gen: 4096-bit (SHA-224, SHA-256, SHA-384, SHA-512) Sig Ver: 1024-bit, 1536-bit, 2048-bit, 3072-bit & 4096-bit (any SHA size) FIPS 186-4 ANSIX9.31 Sig Gen: 2048-bit (using SHA-256, SHA-384, SHA-512) Sig Ver: 1024-bit, 2048-bit, 3072-bit & 4096-bit (any SHA size) PKCS1 V1 5 Sig Gen: 2048-bit & 3072-bit (SHA-256, SHA-384, SHA-512) A2061 FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 10 of 26 Sig Ver: 1024-bit, 2048-bit, 3072-bit & 4096-bit (SHA-1, SHA-224, SHA-256, SHA- 384, SHA-512) PSS Sig Gen: 2048-bit & 3072-bit (SHA-256, SHA-384, SHA-512) Sig Ver: 1024-bit, 2048-bit, 3072-bit & 4096-bit (any SHA size) RSA FIPS 186-4 Key Gen: 2048, 3072, 4096 A2090 SHA-1 (with HMAC only), SHA-224, SHA-256, SHA-384, SHA-512 A2061 Triple-DES TECB (KO 1 e/d) TCBC (KO 1 e/d) TCFB1 (KO 1 e/d) TCFB8 (KO 1 e/d) TCFB64 (KO 1 e/d) TOFB (KO 1 e/d) CMAC (KS: 3-Key; Generation/Verification; Block Size(s): Full / Partial) A2061 Table 3 - FIPS Approved Algorithm Certificates The following Approved cryptographic algorithms are vendor affirmed as part of the validated embedded module. Algorithm IG Reference Use CKG Vendor Affirmed IG D.12 [SP 800-133 Rev.2] Sections 5.1, 5.2, 5.3 and Sections 6.1, 6.2.1, 6.2.2, 6.5 The cryptographic module performs Cryptographic Key Generation (CKG) for symmetric keys and asymmetric seeds per NIST SP 800-133rev2 (vendor affirmed). The resulting symmetric key or asymmetric seed is an unmodified output from the Approved DRBG. Table 4 - Approved Cryptographic Functions with Vendor Affirmations 2.3 Non-Approved but Allowed Algorithms The module supports the following non-FIPS 140-2 approved but allowed algorithms that may be used in the Approved mode of operation. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 11 of 26 Algorithm Use NDRNG The module uses HW NDRNG which generates 384 bits (full entropy) of data to seed the DRBG during instantiation and 256 bits of data to reseed. (This complies with IG 7.14 Section 1.a.) RSA Key Wrapping, Non-SP 800-56B compliant Allowed until 2023.12.31 per FIPS140-2_IG - D.9: Key establishment using PKCS#1-v1.5 padding per Section 8.1 of RFC 2313 methodology provides 112 bits of encryption strength. Note: RSA key wrapping is used in TLS protocol implementation. Table 5 - Non-Approved but Allowed Algorithms FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 12 of 26 2.4 Module Interfaces The table below describes the active physical interfaces of the module: Physical Interface Description / Use Gigabit Ethernet Port (6) ● Machine-to-Machine Interface (MMI) provides SDLS cryptographic services via TLS secure TCP/IP connection. Note that only TLS v1.2 is supported. ● Web-based User Interface (WebUI) provides initial module configuration & control via HTTP/2-over-TLS secure TCP/IP connection. Note that only TLS v1.2 is supported. Power Interfaces (2) Accept and provide power to the module LEDs ● Power ● System ID ● System management alert ● Drive activity ● Network activity USB port (front panel) Accepts USB flash drive for key loading USB ports (rear panel) Accepts USB flash drive for key loading Serial DB9 Port Disabled VGA port Disabled IPMI Port Disabled Table 6 - Interface Descriptions The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are provided in the following table: FIPS 140-2 Logical Interface Module Physical Interface Data Input Gigabit Ethernet Ports (6) USB Port Data Output Gigabit Ethernet Ports (6) Control Input Gigabit Ethernet Port Status Output Gigabit Ethernet Port LEDs LCD display Power Power Plug On/Off Switch Table 7 - Logical Interface / Physical Interface Mapping FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 13 of 26 2.4.1 Interface Security Communications over both the Machine-to-Machine Interface (MMI) and Web User Interface (WebUI) are secured by Transport Layer Security (TLS) version 1.2. For TLS, the GCM implementation meets Option 1 of IG A.5: it is used in a manner compliant with SP 800-52 and in accordance with Section 4 of RFC 5288 for TLS key establishment (refer to Section 2.4.1.1 for more detail). During operational testing, the module was tested against an independent version of TLS and found to behave correctly. The TLS cipher suites supported for MMI and WebUI communications (in their IANA canonical forms) are as follows: MMI  TLS_RSA_WITH_AES_128_GCM_SHA256  TLS_RSA_WITH_AES_128_CBC_SHA256  TLS_RSA_WITH_AES_256_GCM_SHA384  TLS_RSA_WITH_AES_256_CBC_SHA256 WebUI  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Note that all ECDHE ciphers use Elliptic Curve P-384 as defined in FIPS 186-4. No parts of this protocol, other than the KDF, have been tested by the CAVP and CMVP. 2.4.1.1 Compliance to IG A.5 The AES GCM IV generation is in compliance with the RFC5288 and RFC5289 and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-2_IG] IG A.5, provision 1 (“TLS protocol IV generation”); thus, the module is compliant with [SP800-52]. The counter portion of the AES GCM IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party to encounter this condition shall trigger a handshake to establish a new encryption key in accordance with RFC 5246. In the event the nonce_explicit part of the IV exhausts the maximum number of possible values for a given session key, either party (the client or the server) that encounters this condition shall trigger a handshake to establish a new encryption key. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 14 of 26 2.5 Roles, Services, and Authentication As required by FIPS 140-2, there are two roles (a Crypto Officer role and User role) in the module that operators may assume. The module supports role-based authentication, and the respective services for each role are described in the following sections. The module does not support a Maintenance role. 2.5.1 Operator Services and Descriptions The services available to the User and Crypto Officer roles in the module are as follows: Service Description Service Input / Output Interface Key/CSP Access Roles WebUI TLS Session Init Provides a protected session for module configuration TLS Handshake / TLS Session Established Gigabit Ethernet Port TLS Session AES/HMAC Keys (WebUI), TLS ECDHE Key (WebUI), TLS Premaster Secret (WebUI), TLS Master Secret (WebUI), TLS Server Cert RSA Private Key (WebUI), Counter DRBG Entropy, Counter DRBG V Value (Seed Length), Counter DRBG Key, Counter DRBG init_seed Crypto Officer MMI TLS Session Init Provides a protected session for SDLS-related cryptographic services Initiate TLS session / TLS Session Established Gigabit Ethernet Port TLS Session AES/HMAC Keys (MMI), TLS Premaster Secret (MMI), TLS Master Secret (MMI), TLS Server Cert RSA Private Key (MMI), Counter DRBG Entropy, Counter DRBG V Value (Seed Length), Counter DRBG Key, Counter DRBG init_seed User MMI Channel Enable Enable use of the MMI TLS Session Init service for User-role connections Start MMI Channel / MMI Channel Enabled Gigabit Ethernet Port (WebUI) TLS Session AES/HMAC Keys (WebUI), SDLS AES Keys, SDLS AES Key Checksums Crypto Officer FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 15 of 26 Service Description Service Input / Output Interface Key/CSP Access Roles MMI Channel Disable Disconnect User-role MMI TLS Sessions and disable the MMI TLS Session Init service for User-role connections Stop MMI Channel / MMI Channel Disabled Gigabit Ethernet Port (WebUI) TLS Session AES/HMAC Keys (WebUI), TLS Session AES/HMAC Keys (MMI), TLS Premaster Secret (MMI), TLS Master Secret (MMI), TLS Server Cert RSA Private Key (MMI) Crypto Officer Module Initialization Performs Module Integrity Tests service and initializes the module for FIPS mode of operation Power on Device / Module Initialization Complete On/Off Switch LUKS Partition AES Key Crypto Officer Configure Configure critical security parameters within the module Configuration Parameters / Module configured Gigabit Ethernet Port (WebUI), USB Port TLS Session AES/HMAC Keys (WebUI), TLS Server Cert RSA Private Key (MMI/WebUI), TLS Client Cert RSA Key, TLS Server CA RSA Private Key, SDLS AES Keys, SDLS AES Key Checksums, Counter DRBG Entropy, Counter DRBG V Value (Seed Length), Counter DRBG Key, Counter DRBG init_seed Crypto Officer Distribute MMI Credentials Distribute TLS credentials for User-role MMI access Initiate Download / Credentials Distributed Gigabit Ethernet Port (WebUI) TLS Session AES/HMAC Keys (WebUI), TLS Server Cert RSA Private Key (WebUI), TLS Client Cert RSA Key, TLS Client CA RSA Private Key Crypto Officer Module Integrity Tests Performs integrity tests on module firmware and Initiate Module Integrity Tests / Module Integrity Tests Completed On/Off Switch Firmware Integrity Data User FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 16 of 26 Service Description Service Input / Output Interface Key/CSP Access Roles security features SDLS AES Key Select Loads an SDLS AES Key into RAM to use for cryptographic services Key Index / Active SDLS AES Key Selected Gigabit Ethernet Port (MMI) TLS Session AES/HMAC Keys (MMI), SDLS AES Keys, SDLS AES Key Checksums, Active SDLS AES Key User SDLS AES Decrypt Decrypts a block of SDLS protocol data Initiate AES decryption / data decrypted Gigabit Ethernet Port (MMI) TLS Session AES/HMAC Keys (MMI), Active SDLS AES Key User SDLS AES Encrypt Encrypts a block of SDLS protocol data Initiate AES encryption/ data encrypted Gigabit Ethernet Port (MMI) Active SDLS AES Key, TLS Session AES/HMAC Keys (MMI) User Shutdown Power off module to clear RAM and module state Initiate Shutdown / Module Powered Down Power Plug, On/Off Switch, Gigabit Ethernet Port (WebUI) All CSPs stored in RAM Crypto Officer Reboot Perform Shutdown service, power on machine and perform Module Initialization service Initiate Reboot / Module state and RAM cleared Gigabit Ethernet Port (WebUI) TLS Session AES/HMAC Keys (WebUI/MMI), TLS Premaster Secret (WebUI/MMI), TLS Master Secret (WebUI/MMI), TLS ECDHE Key (WebUI), TLS Server Cert RSA Private Key (WebUI/MMI), Counter DRBG Entropy, Counter DRBG V Value (Seed Length), Counter DRBG Key, Counter DRBG init_seed Crypto Officer Factory Reset Clear CSPs, restore factory settings, and perform Reboot service Factory Reset Initiated /CSPs cleared from RAM and LUKS partition, new LUKS AES Key derived, module restored to factory settings Gigabit Ethernet Port (WebUI) All CSPs on LUKS Partition, All CSPs in RAM Crypto Officer FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 17 of 26 Service Description Service Input / Output Interface Key/CSP Access Roles Show Status Shows status of the module Show status commands / Module status Gigabit Ethernet Port (WebUI) None Crypto Officer Table 8 - Operator Services 2.5.2 Crypto Officer Authentication The Crypto Officer role authenticates via a 1 Gigabit Ethernet. Other than status functions available by viewing LEDs, the services described in the table above are available only to authenticated operators. The operator authenticates via plaintext username/password over a TCP/IP connection secured by TLS version 1.2 (see §3.2.1 for details). Session authorization is provided by a cryptographically signed JSON Web Token. Passwords are stored on the module. The module checks these parameters before allowing access. The module enforces a minimum password length of 12 characters. The password is required to contain at least three of the following four classes of characters: digits, uppercase letters, lowercase letters, and the set of other printable ASCII characters, yielding 95 choices per character. The probability of a successful random attempt is 1/9512 , which is less than 1/1,000,000. The module enforces a 30- minute lockout after five (5) consecutive failed password attempts, so the probability of a success with multiple attempts in a one-minute period is 5/9512 , which is less than 1/100,000. The Maxar AEDS is delivered with a factory default password for Crypto Office authentication. The first action for the AEDS Crypto Officer will be to change the password in a manner that meets the password requirements in this section. 2.5.3 User Authentication The module requires certificate-based TLS mutual authentication for the User-role machine-to-machine interfaces. A list of supported TLS cipher-suites is provided in §3.2.1. The module incorporates an internal Public Key Infrastructure (PKI) system with dedicated X509 Certificate Authorities (CA) for issuing and revoking server and client certificates, using 2048-bit RSA keys. A 2048-bit RSA key has 112 bits of equivalent strength. The probability of a successful random attempt is 1/2^112, which is less than 1/1,000,000. The module enforces a limit of 10 incoming connections per second on User-role TCP ports, so the probability of success with multiple consecutive attempts in a one-minute period is 600/2^112 which is less than 1/100,000. 2.6 Physical Security The module is a multiple-chip standalone module and conforms to Level 2 requirements for physical security. The module’s production-grade enclosure is made of a hard metal, and the enclosure contains a removable cover. The tamper-evident seals are affixed by the manufacturer as depicted in the photographs in Section 2.1 of this policy. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 18 of 26 The tamper-evident seals must be affixed to the module in the locations as shown in Section 2.1 for the module to operate in the approved mode of operation. 2.7 Operational Environment The module operates in a limited operational environment and does not implement a General-Purpose Operating System. The module meets Federal Communications Commission (FCC) FCC Electromagnetic Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined by 47 Code of Federal Regulations, Part15, Subpart B. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 19 of 26 2.8 Cryptographic Key Management The table below provides a list of Critical Security Parameters and Public Keys that are either inaccessible, or are only accessible with authentication: Ref# Keys and CSPs Storage Locations Storage Method Key Establishment Input Method Output Method Zeroization Access 1 SDLS AES Keys RAM Plaintext See (30) Disk Read (SDLS AES Key Select, MMI Channel Enable), USB Key (Configure) None Shutdown CO: WD U: WD 2 SDLS AES Key Checksums RAM Plaintext See (31) Disk Read (SDLS AES Key Select, MMI Channel Enable) None Shutdown CO: WD U: WD 3 Active SDLS AES Key RAM Plaintext See (30) Disk Read (SDLS AES Key Select) None Reboot CO: D U: WD 4 TLS Session AES/HMAC Keys (MMI) RAM Plaintext [1,3] Derived from (6) None None Reboot, MMI Channel Disable CO: D U: RW 5 TLS Premaster Secret (MMI) RAM Plaintext [1] Entry From MMI client, encrypted by (40) (MMI TLS Session Init) None Reboot, MMI Channel Disable CO: D U: RW 6 TLS Master Secret (MMI) RAM Plaintext [1] Derived from (5) None None Reboot, MMI Channel Disable CO: D U: RW 7 TLS Server Cert RSA Private Key (MMI)** RAM Plaintext See (23) Disk Read (MMI TLS Session Init) None Reboot, MMI Channel Disable CO: D U: W 8 TLS Session AES/HMAC Keys (WebUI) RAM Plaintext [2,3] Derived from (10) None None Reboot CO: RWD 9 TLS Premaster Secret (WebUI) RAM Plaintext [2] Derived from (12) None None Reboot CO: RWD FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 20 of 26 10 TLS Master Secret (WebUI) RAM Plaintext [2] Derived from (9) None None Reboot CO: RWD 11 TLS Server Cert RSA Private Key (WebUI)† RAM Plaintext See (24) Disk Read (WebUI TLS Session Init) None Reboot CO: WD 12 TLS ECDHE Private Key (WebUI)** RAM Plaintext Generated (TLS Handshake) None None Reboot CO: WD 13 JSON Web Token HMAC Key RAM Plaintext Generated (DRBG) None None Reboot CO: WD 14 LUKS Partition AES Key RAM Plaintext See (32) Disk Read None Shutdown CO: WD 15 Firmware Integrity Data RAM Plaintext See (33) Disk Read (Module Integrity Tests) None Module Integrity Tests Completed CO: WD 16 TLS Client Cert RSA Public Key†† RAM Plaintext See (26) TCP (MMI TLS Session Init), Disk Read (Distribute MMI Credentials) CO download encrypted by (8) Shutdown CO: RWD 17 TLS Client Cert RSA Private Key RAM Plaintext See (25) Disk Read (Distribute MMI Credentials) CO download encrypted by (8) Shutdown CO: RWD 18 TLS Server CA RSA Private Key† RAM Plaintext See (27) Disk Read (Configure) None Reboot CO: WD 19 TLS Client CA RSA Private Key† RAM Plaintext See (28) Disk Read (DistributeMMI Credentials) None Reboot CO: WD 20 TLS Root CA RSA Private Key† RAM Plaintext See (29) Disk Read (Factory Reset) None Reboot CO: WD 21 TLS Client Cert RSA Public Key Disk Plaintext See (26) Disk Copy (Distribute MMI Credentials) None Factory Reset CO: WD FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 21 of 26 22 TLS Client Cert RSA Private Key Disk Plaintext See (24) Disk Copy (Distribute MMI Credentials) None Factory Reset CO: WD 23 TLS Server Cert RSA Private Key (MMI) LUKS partition Encrypted Generated None None Factory Reset CO: WD 24 TLS Server Cert RSA Private Key (WebUI) LUKS partition Encrypted Generated None None Factory Reset CO: WD 25 TLS Client Cert RSA Private Key LUKS partition Encrypted Generated None None Factory Reset CO: WD 26 TLS Client Cert RSA Public Key LUKS partition Encrypted Generated None None Factory Reset CO: WD 27 TLS Server CA RSA Private Key LUKS partition Encrypted Generated None None Factory Reset CO: WD 28 TLS Client CA RSA Private Key LUKS partition Encrypted Generated None None Factory Reset CO: WD 29 TLS Root CA RSA Private Key LUKS partition Encrypted Generated None None Factory Reset CO: WD 30 SDLS AES Keys LUKS partition Encrypted Entry Disk Write (Configure) None Factory Reset CO: WD 31 SDLS AES Key Checksums LUKS partition Encrypted Entry Disk Write (Configure) None Factory Reset CO: WD 32 LUKS Partition AES Key TPM Encrypted Generated (DRBG) None None Factory Reset CO: WD 33 Firmware Integrity Data Disk Plaintext Pre-loaded None None None 34 Counter DRBG Entropy RAM Plaintext Generated (NDRNG) None None Reboot CO: D U: W 35 Counter DRBG V RAM Plaintext Generated (NDRNG) None None Reboot CO: D FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 22 of 26 Value (Seed Length) 36 Counter DRBG Key RAM Plaintext Generated (NDRNG) None None Reboot CO: D U: W 37 Counter DRBG init_seed RAM Plaintext Generated (NDRNG) None None Reboot CO: D R = Read W = Write D = Delete ** = RSA/ECDH Decryption Key † = RSA Signature Generation Key †† = RSA Signature Verification Key [1] See IETF RFC 5246 §8.1.1 [2] See IETF RFC 5246 §8.1.2 [3] See IETF RFC 5288 §4 Table 9 - Module Protected Keys / CSPs FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 23 of 26 The table below provides a list of Critical Security Parameters that are accessible without authentication: Ref # Keys and CSPs Storage Locations Storage Method Key Establishment Input Method Output Method Zeroization 38 TLS Server Cert RSA Public Key (WebUI) RAM Plaintext See (44) Disk Read TCP Reboot 39 TLS ECDHE Public Key (WebUI) RAM Plaintext Generated (TLS Handshake) None TCP Reboot 40 TLS Server Cert RSA Public Key (MMI) RAM Plaintext See (44) Disk Read TCP Reboot 41 TLS Server CA RSA Public Key (MMI) RAM Plaintext See (45) Disk Read TCP Reboot 42 TLS Client CA RSA Public Key (MMI)†† RAM Plaintext See (46) Disk Read TCP Reboot 43 TLS Root CA RSA Public Key (MMI)†† RAM Plaintext See (47) Disk Read TCP Reboot 44 TLS Server Cert RSA Public Key (MMI,WebUI) LUKS partition Encrypted Generated None None Factory Reset 45 TLS Server CA RSA Public Key LUKS partition Encrypted Generated None None Factory Reset 46 TLS Client CA RSA Public Key LUKS partition Encrypted Generated None None Factory Reset 47 TLS Root CA RSA Public Key LUKS partition Encrypted Generated None None Factory Reset R = Read W = Write D = Delete †† = RSA Signature Verification Key Table 10 - Module Public Keys / CSPs 2.9 Self-Tests FIPS 140-2 requires the module to perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality at start up. In addition, some functions require on-going verification of function, such as the random number generator. All these tests are listed and described in this section. In the event of a self-test error, the module will log the error and will halt. The module must be rebooted to resume function. The following sections discuss the module’s self-tests in more detail. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 24 of 26 2.9.1 Power-On Self-Tests Power-on self-tests are run upon the initialization of the module and do not require operator intervention to run. If any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the operator. The module implements the following power-on self-tests: TYPE DETAIL PASS/FAIL CRITERIA Firmware Integrity Check ● SHA-256 ● Pass LCD Output: SWINTEGRITY CHECK PASSED Fail LCD Output: SWINTEGRITY CHECK FAILED Known Answer Tests2F 3 ● AES encrypt/decrypt (all modes) ● Triple-DES encrypt/decrypt (all modes) ● ECDH P-224 KAT (Shared secret calculation per SP 80056A §5.7.1.2, IG 9.6) HMAC-SHA-1 ● HMAC-SHA-224 ● HMAC-SHA-256 ● HMAC-SHA-384 ● HMAC-SHA-512 ● RSA sign/verify using 2048 bit key, SHA-256, PKCS#1 ● SHA-1 ● SP 800-90 DRBG (Hash_DRBG, HMAC_DRBG, CTR_DRBG) (Instantiate, Generate, and Reseed Health Test Functions) Pass LCD Output: FIPS SELFTEST PASSED Fail LCD Output: FIPS SELFTEST FAILED Pair-wise Consistency Tests ● DSA sign/verify using 2048 bit key, SHA-384 ● RSA sign/verify using 2048 bit key, SHA-256, PKCS#1 ● ECDSA keygen/sign/verify using P-224, K-233 and SHA-512 Table 11 - Power-On Self Tests Each module performs all power-on self-tests automatically when the module is initialized. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The Power-on self-tests can be run on demand by rebooting the module in FIPS approved Mode of Operation. 3 Note that all SHA-X KATs are tested as part of the respective HMAC SHA-X KAT. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 25 of 26 2.9.2 Conditional Self-Tests Conditional self-tests are tests that run on an automatic and on-going basis during operation of the module. If any of these tests fail, the module will enter an error state, where no services can be accessed by the operators. The module can be re-initialized to clear the error and resume FIPS mode of operation. Each module performs the following conditional self-tests: TYPE DETAIL Pair-wise Consistency Tests ● DSA ● RSA ● ECDSA Continuous RNG Tests ● Performed on all approved DRBGs (including the NDRNG) Key Entry Test ● CRC on key load Table 12 - Conditional Self-Tests The module does not perform a firmware load test because no additional firmware can be loaded in the module. Please see Section 3 for guidance on configuring and maintaining FIPS mode. 2.10 Mitigation of Other Attacks The module does not mitigate other attacks. 3 Guidance and Secure Operation The module only supports FIPS-mode of operation. Beyond initial setup, no specific technical steps are required to configure FIPS-mode of operation. There are no means for a User or the Crypto Officer to take the Maxar AEDS out of FIPS-mode. 3.1 Crypto Officer Guidance The Crypto Officer must configure and enforce the following initialization procedures in order to operate in FIPS approved mode of operation: ● Verify that the firmware version of the module is Version 1.0.6.1558.2958. No other version can be loaded or used in FIPS mode of operation. ● Users of the module should monitor for evidence of tampering as directed by their local Facility Security Plan or other governing local instructions. If evidence of tampering is noted, users should follow local procedures for reporting possible compromise of cryptographic material. ● Do not disclose passwords and store passwords in a safe location and according to their organization’s systems security policies for password storage. FIPS 140-2 Non-Proprietary Security Policy: Maxar AEDS Document Version 1.4 © Maxar Technologies Page 26 of 26 3.2 User Guidance No additional guidance is required to maintain FIPS mode of operation.