Peplink Pepwave Limited FIPS 140-2 Security Policy Peplink FIPS Module Version: 3.0.8 Date: July 12th , 2024 Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 2 of 41 Copyright © 2024 Peplink Pepwave Limited Copyright Notice This document may be freely reproduced and distributed whole and intact including this copyright notice. Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 3 of 41 Modification History Version Description Release Date 1.0 Initial Documentation 09/21/2023 1.1 Updated the strength caveat of KTS-RSA in Table 6, List of Tables and Table number References 10/19/2023 1.2 Updated the strength caveat of KTS-RSA in Table 6 07/12/2024 Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 4 of 41 Table of Contents FIPS 140-2 Overview ............................................................................................................................................................ 6 1. Introduction................................................................................................................................................................. 7 1.1 Scope................................................................................................................................................................... 7 1.2 Module Overview................................................................................................................................................. 7 1.3 Module Boundary ................................................................................................................................................ 8 2. Security Level ............................................................................................................................................................... 9 3. TestedConfigurations................................................................................................................................................ 10 4. Portsand Interfaces................................................................................................................................................... 11 5. Roles,Services and Authentication............................................................................................................................. 12 5.1 Roles.................................................................................................................................................................. 12 5.2 Services.............................................................................................................................................................. 12 6. Physical Security......................................................................................................................................................... 15 7. Operational Environment........................................................................................................................................... 16 8. Cryptographic Algorithms and Key Management........................................................................................................ 17 8.1 Cryptographic Algorithms .................................................................................................................................. 17 8.2 Critical Security Parameters (CSP’s) and Public Keys........................................................................................... 26 8.3 Key Generation and Entropy .............................................................................................................................. 28 9. ElectromagneticInterference/ElectromagneticCompatibility (EMI/EMC)................................................................. 29 10. Self-tests .................................................................................................................................................................... 30 10.1 Power-On Self-Tests........................................................................................................................................... 30 10.2 Conditional Self-Tests......................................................................................................................................... 31 10.3 Assurances......................................................................................................................................................... 31 10.4 Critical Function Tests ........................................................................................................................................ 31 11. Mitigation of Other Attacks ........................................................................................................................................ 32 12. CryptoOfficerand UserGuidance .............................................................................................................................. 33 12.1 AES-GCM Usage ................................................................................................................................................. 33 12.2 Triple-DES Usage................................................................................................................................................ 33 12.3 Miscellaneous.................................................................................................................................................... 33 Appendix A: Installation and Usage Guidance..................................................................................................................... 34 Appendix B: Compilers....................................................................................................................................................... 36 Appendix C: Glossary.......................................................................................................................................................... 37 Appendix D: Table of References........................................................................................................................................ 39 Appendix E: Trademarks .................................................................................................................................................... 41 Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 5 of 41 List of Tables Table 1 – Security Levels for each FIPS 140-2 Area ...................................................................................................................9 Table 2 – Tested Configurations.............................................................................................................................................10 Table 3 – Physical Port and Logical Interface Mapping ..........................................................................................................11 Table 4 – Approved Services and Role Allocation ...................................................................................................................14 Table 5 – Non-Approved Services and Role Allocation............................................................................................................14 Table 6 – FIPS Approved Algorithms.......................................................................................................................................25 Table 7 – Allowed Algorithms ................................................................................................................................................25 Table 8 – Non-Approved Algorithms......................................................................................................................................25 Table 9 – Critical Security Parameters....................................................................................................................................26 Table 10 – Public Keys............................................................................................................................................................27 Table 11 – Power On Self-Tests ..............................................................................................................................................31 Table 12 – Conditional Tests...................................................................................................................................................31 Table 13 – Assurances............................................................................................................................................................31 Table 14 – Compilers Used for Each Operational Environment...............................................................................................36 Table 15 – Glossary of Terms .................................................................................................................................................38 Table 16 – Standards and Publications Referenced within this Security Policy........................................................................40 Table 17 – Trademarks Referenced within this Security Policy ...............................................................................................41 List of Figures Figure 1 – Module Block Diagram............................................................................................................................................8 Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 6 of 41 FIPS 140-2 Overview Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) run the FIPS 140 program. NVLAP accredits independent testing labs to perform FIPS 140-2 testing; the CMVP validates modules meeting FIPS 140-2 validation. Validated is the term given to a module that is documented and tested against the FIPS 140-2 criteria. More information is available onthe CMVP website at: http://csrc.nist.gov/groups/STM/cmvp/index.html About this Document This non-proprietary Cryptographic Module Security Policy for the Peplink FIPS Module from Peplink Pepwave Limited provides an overview and a high-level description of how it meets the overall Level 1 security requirements of FIPS 140-2. Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 7 of 41 1. Introduction 1.1 Scope This document describes the non-proprietary cryptographic module security policy for the Peplink FIPS Module, hereafter referred to as “the Module.” It contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-2 standard. 1.2 Module Overview The Module is a software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality. The Module is classified under FIPS 140-2 as a software module, with a multi-chip standalone module embodiment. The physical cryptographic boundary is the general-purpose computer on which the module is installed. The logical cryptographic boundary of the Module is the Peplink FIPS Module, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The module implements both an Approved and non-Approved mode of operation. Use of the Approved algorithms listed in table 6 and allowed algorithms listed in table 7 will place the module in the Approved mode of operation. Use of the non-Approved algorithms listed in table 8 will place the module in the non-Approved mode of operation. Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 8 of 41 1.3 Module Boundary The following block diagram details the Module’s physical and logical boundaries. Figure 1 – Module Block Diagram Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 9 of 41 2. Security Level The following table lists the level of validation for each area in FIPS 140-2: FIPS 140-2 Security Requirement Areas Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 3 Mitigation of Other Attacks 1 Overall Level 1 Table 1 – Security Levels for each FIPS 140-2 Area The Module meets the overall security level requirements of Level 1. The Module’s software versions for this validation are 3.0.8. Please note that this corresponds to version 3.0.8 of the OpenSSL FIPS Provider of which this Module is a rebrand. Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 10 of 41 3. Tested Configurations The Module has been tested on the platforms listed below in Table 2. # Operating System/Hypervisor Hardware Platform Processor Optimizations (Target) Module Version 1 Ubuntu Linux 22.04.1 LTS Dell Inspiron 7591 Intel i7 (x64) None 3.0.8 2 Ubuntu Linux 22.04.1 LTS Dell Inspiron 7591 Intel i7 (x64) PAA (AES-NI) 3.0.8 3 Debian 11.5 Dell Inspiron 7591 Intel i7 (x64) None 3.0.8 4 Debian 11.5 Dell Inspiron 7591 Intel i7 (x64) PAA (AES-NI) 3.0.8 5 FreeBSD 13.1 Dell Inspiron 7591 Intel i7 (x64) None 3.0.8 6 FreeBSD 13.1 Dell Inspiron 7591 Intel i7(x64) PAA (AES-NI) 3.0.8 7 Windows 10 Dell Inspiron 7591 Intel i7(x64) None 3.0.8 8 Windows 10 Dell Inspiron 7591 Intel i7(x64) PAA (AES-NI) 3.0.8 9 macOS 11.5.2 Applei7Mac Mini Intel i7 (x64) None 3.0.8 10 macOS 11.5.2 Applei7Mac Mini Intel i7 (x64) PAA (AES-NI) 3.0.8 Table 2 – Tested Configurations See Appendix Afor additional information oninstallation. See Appendix B for a listof the specific compilers used to generate the Module for the respective operational environments. Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 11 of 41 4. Ports and Interfaces The physical ports of the Module are the same as the computer system on which it is executing. The logical interface is a C-language application program interface (API), the mapping of which is described in the following table: Logical Interface Type Description Data Input API entry point data input stack parameters Data Output API entry point data output stack parameters Control Input API entry point and corresponding stack parameters Status Output API entry point return values and status stack parameters Table 3 – Physical Port and Logical Interface Mapping As a software module, control of the physical ports is outside module scope. However, when the module is performing self-tests, or is in an error state, all output on the logical data output interface is inhibited. In error scenarios, the module returns only an error value (no data output is returned). Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 12 of 41 5. Roles, Services and Authentication 5.1 Roles The Module implements both a User Role (User) as well as the Crypto Officer (CO) role. The Module does not support authentication and does not allow concurrent operators. The User and Crypto Officer roles are implicitly assumed by the application accessing services implemented by the Module. 5.2 Services All the services provided by the module can be accessed by both the User and the Crypto Officer roles. The User Role (User) can load the Module and call any of the API functions. The Crypto Officer Role (CO) is responsible for installation of the Module on the host computer system and calling of any API functions. The module provides the following Approved services which utilize algorithms listed in Table 6 and 7: Service Roles (User/CO) Description Initialize X Module initialization. Does not access CSPs. Self-Test X Perform POST self-tests (SELF_TEST_post( )) on demand. Does not access CSPs. Show Status X The Module’s status can be verified by querying the “status” parameter. Does not access CSPs. CSP/Key Zeroization X All services automatically overwrite CSPs stored in allocated memory. Stack cleanup is the responsibility of the calling application. RandomNumber Generation X Used for random number and symmetric key generation. • Seed or reseed a DRBG instance • Determine security strength of a DRBG instance • Obtain random data Uses and updates Hash_DRBG CSPs, HMAC_DRBG CSPs, CTR_DRBG CSPs AsymmetricKey Generation X Used to generate DSA, ECDSA, RSA , DH, ECDH, X25519 and X448 keys: Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 13 of 41 Service Roles (User/CO) Description • RSA SGK, RSA SVK; DSA SGK, DSA SVK; ECDSA SGK, ECDSA SVK; DH Private, DH Public, ECDH Private, ECDH Public; X25519 Private, X25519 Public, X448 Private and X448 Public keys There is one supported entropy strength for each mechanism and algorithm type, the maximum specified in SP 800-90Ar1 Key Derivation X Used to derive keys using KBKDF, PBKDF2, HKDF, SP 800-56Cr2 One- Step KDF (KDA), SP 800-135 TLS 1.2, SSHv2, ANSI X9.6-2001, ANSI X9.42-2001 KDFs and TLS 1.3 KDF. Symmetric Encrypt/Decrypt X Used to encrypt or decrypt data. Executes using AES EDK, TDES EDK (passed in by the calling application). Symmetric Digest X Used to generate or verify data integrity with CMAC. Executes using AES CMAC Key (passed in by the calling application). Message Digest X Used to generate a SHA-1, SHA-2, or SHA-3 message digest. Does not access CSPs Keyed Hash X Used to generate or verify data integrity with HMAC or KMAC. Executes using HMAC or KMAC Key (passed in by the calling application) Key Transport X Used to encrypt or decrypt a key value on behalf of the calling application (does not establish keys into the module). Executes using RSA KDK, RSA KEK (passed in by the calling application). Key Wrapping X Used to encrypt a key value on behalf of the calling application Executes using AES Key Wrapping Key (passed in by the calling application). Key Agreement X Used to perform key agreement primitives on behalf of the calling application (does not establish keys into the module). Executes using DH Private, DH Public, EC DH Private, EC DH Public, X25519 Private, X25519 Public, X448 Private and X448 Public, RSA SGK, RSA SVK (passed in by the calling application). Version 1.2 Public Material – May be reproduced only in its original entirety (without revision). Peplink Pepwave Limited Page 14 of 41 Service Roles (User/CO) Description Digital Signature X Used to generate or verify RSA, DSA, or ECDSA digital signatures. Executes using RSA SGK, RSA SVK; DSA SGK, DSA SVK; ECDSA SGK, ECDSA SVK (passed in by the calling application). Utility X Miscellaneous helper functions. Does not access CSPs. Table 4 – Approved Services and Role Allocation The module provides the following non-Approved services which utilize algorithms listed in Table 5: Service Roles (User/CO) Description Digital Signature X Used to generate or verify Ed25519 or Ed448 digital signatures. Used to verify RSA digital signatures with 1024