The nShield security policy nForce 300, nForce 150, nForce 75 Date: 13 March 2006 Version: 1.54.28 © Copyright 2006 nCipher Corporation Limited, Cambridge, United Kingdom. Reproduction is authorised provided the document is copied in its entirety without modification and including this copyright notice. nCipher™, nForce™, nShield™, nCore™, KeySafe™, CipherTools™, CodeSafe™, SEE™ and the SEE logo are trademarks of nCipher Corporation Limited. nFast® and the nCipher logo are registered trademarks of nCipher Corporation Limited. All other trademarks are the property of the respective trademark holders. nCipher Corporation Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness to a particular purpose. nCipher Corporation Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material. Patents UK Patent GB9714757.3. Corresponding patents/applications in USA, Canada, South Africa, Japan and International Patent Application PCT/GB98/00142. nCipher nCipher Corporation Ltd. 1 nForce 300, nForce 150, nForce 75 security policy nForce 300, nForce 150, nForce 75 security policy Purpose The nShield Hardware Security Modules are multi-tasking hardware module that is optimized for performing modular arithmetic on very large integers. The nShield module also offers a complete set of key management protocols. The nForce 300, nForce 150, nForce 75are FIPS 140-1 level 23 devices. The units are identical in operation and only vary in the processing speed. The nShield module connects to the host computer via a SCSI module bus. The nShield module must be accessed by a custom written application. Full documentation for the nCipher API can be downloaded from the nCipher web site: http://www.ncipher.com. The nShield module stores keys on the hard disk of the host computer in encrypted form called key blobs. The nShield module can be connected to a computer running one of the following operating systems: • Windows NT 4.0 for Intel • Windows 2000 • Solaris • HP-UX • AIX • Linux x86 • FreeBSD x86 Windows NT was used for the validation. The validated firmware version is 1.54.28. Roles The nShield module defines the following roles: 2 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy User All users initially connect to the nShield module in the User role. In this role the user can load previously created tokens and use these to load keys from key blobs. Once they have loaded a key they can then use it to perform cryptographic operations as defined by the ACL stored with the key. Each key blob contains an ACL that determines what services can be performed on that key. This ACL can require a certificate from a Security Officer authorising the action. Some actions including writing tokens always require a certificate. nCipher Security Officer The nCipher Security Officer is responsible for overall security of the module. The nCipher Security Officer is identified by a key pair, referred to as KNSO. The hash of the public half of this key is stored when the unit is initialised. Any operation involving a module key or writing a token requires a certificate signed by KNSO. The nCipher Security Officer is responsible for creating key blobs and tokens and distributing these to users. Junior Security Officer Where the nCipher Security Officer want to delegate responsibility for authorising an action they can create a key pair and give this to their delegate who becomes the JSO. An ACL can then refer to this key, and the JSO is then empowered to sign the certificate authorising the action. The JSOís keys should be stored on a key blob protected by a token that is not used for any other purpose. In order to assume the role of JSO the user loads the JSO key. A JSO can delegate portions of their authority is the same way. Services available to each role The following table lists the services available to a user in each role and for each service list the additional authorisation required to perform this service. nCipher Corporation Ltd. 3 nForce 300, nForce 150, nForce 75 security policy Non Cryptographic services The following services do not provide cryptographic functionality. • Enquiry • Modular exponentiation • Exponentiation using CRT • Random number • Random prime • Get slot list • Get slot information • Load logical token • Format token • Insert software token • Remove software token • Get module key list • Get module signature key • Fail • Clear unit • New client • Existing client • Which module • Merge keys • Statistics Enumerate Tree • Statistic Get Values • Pause For Notifications • Bignum Operations • Hash The Random number and Random prime functions are not used in key generation. They are only used if an external application requires a random number or prime number. 4 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy Self test The self test service is performed automatically when the module is switched on and whenever it is reset by pressing the clear button on the front panel. FIPS 140-1 services The following services provide cryptographic functionality Cryptographic services available in each role. Command/Service Role Unauth User JSO NSO Change share PIN - passphrase passphrase passphrase Channel Open - handle, ACL handle, ACL handle, ACL Channel Update - channel ID channel ID channel ID Decrypt - handle, ACL handle, ACL handle, ACL Delete share - cert cert yes Delete token data - cert cert yes Derive Key - handle, ACL handle, ACL handle, ACL Destroy - handle, ACL handle, ACL handle, ACL Duplicate key - handle, ACL handle, ACL handle, ACL Encrypt - handle, ACL handle, ACL handle, ACL Export key - handle, ACL handle, ACL handle, ACL Generate key/Generate key pair - level 3 test level 3 test level 3 test Generate logical token - cert cert yes Get ACL - handle, ACL handle, ACL handle, ACL Get application information - handle, ACL handle, ACL handle, ACL Get key information - handle, ACL handle, ACL handle, ACL Import key - level 3 test level 3 test level 3 test Initialise unit nFast, init nFast, init nFast, init nFast, init Load as module key - cert cert yes Load blob - token or key token or key token or key Make key blob - handle, ACL handle, ACL handle, ACL Read share - passphrase passphrase passphrase Read token data - cert cert yes Remove module key - cert cert yes Set application information - handle, ACL handle, ACL handle, ACL Set Security Officer nFast, init nFast, init nFast, init nFast, init Sign - handle, ACL handle, ACL handle, ACL Verify - handle, ACL handle, ACL handle, ACL nCipher Corporation Ltd. 5 nForce 300, nForce 150, nForce 75 security policy Write share - cert cert yes Write token data cert cert yes Authorisation required for each service Code Description - The user can not perform this service in this role. yes The user can perform this service in this role without further authorisation. handle The user can perform this service if they possess a valid handle for the key. The handle is an arbitrary number generated when the key is loaded. The handle for an object is specific to the user that created the object. There are services which allow a user to pass an ID for an object they have created to another user or SEEWorld. ACL The user can only perform this service with a key if the ACL for the key permits this service. The ACL may require that the user present a certificate signed by a Security Officer. token or key A user can only load a key blob if they have previously loaded the token or key used to encrypt the blob. passphrase A user can only load a share, or change the share PIN, if they possess the passphrase used to encrypt the share. The module key with which the Pass Phrase was combined must also be present. cert A user can only perform this service in this role if they are in possession of a certificate from the nCipher Security Officer. nFast A user can only perform this service is they are logged into the host computer as the user nFast. init Initialising a unit requires physical access to the unit. It destroys all stored keys. Once you have initialised a unit you must define a new NSO before the unit will enter the operational state. Channel ID The ChannelUpdate command requires a ChannelID returned by ChannelOpen. The ChannelID must be presented by the user to whom it was issued. Cryptographic services available in each role. Command/Service Role Unauth User JSO NSO 6 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy Services For more information on each of these services refer to the nCipher Developerís Guide and nCipher Developerís Reference. level 3 test In order to enforce Level 3 compliance for FIPS 140-1 sections 3, 8 and 11: the unit must be initialised with the FIPS_level3_compliance flag set. If this flag is set: the Generate Key, Generate Key Pair and Import commands require authorisation with a certificate signed by the nCipher Security Officer. the Import command fails if you attempt to import a key of a type that can be used to Sign or Decrypt messages. the Generate Key, Generate Key Pair, Import and Derive Key operations will not allow you to create an ACL for a secret key that allows the key to be exported in plain text. Authorisation required for each service Code Description Description of each service Service Description Bignum Operations Performs simple arithmetic on big numbers Change share PIN Updates the pass phrase used to encrypt a token share. The pass phrase supplied by the user is not used directly, it is first hashed and then combined with the module key. Channel Open Opens a communication channel which can be used for bulk encryption. Channel Update performs encryption on a previously opened channel. Clear unit Resets the unit removing all temporary keys, but not module keys. Performs power on self tests. Decrypt Decrypts a cipher text with a stored key returning the plain text. Delete share Removes a share from a smart card or software token. Delete token data Removes a file, but not a logical token, from a smart card or software token. Derive Key Creates a new key object from a variable number of other keys already stored on the module and returns a KeyId for the new key. Destroy Removes a key nCipher Corporation Ltd. 7 nForce 300, nForce 150, nForce 75 security policy Duplicate key Creates a second instance of a key with the same ACL and returns a handle to the new instance. Encrypt Encrypts a plain text with a stored key returning the cipher text. Enquiry Returns status information about the module Existing client Starts a new connection as an existing client. Exponentiation using CRT Returns AD MOD PQ given A, D, P and Q Export key Exports a key in plain text. If the unit is in its FIPS 140-1 level 3 mode, this service is only available for public keys. Fail Causes the unit to enter the error state, for test purposes. Format token Formats a software token ready for use. Generate key Generates a symmetric key of a given type with a specified ACL and returns a handle. Optionally returns a certificate containing the ACL. Generate key pair Generates a key pair of a given type with specified ACLs for each half or the pair. Performs a pairwise consistency check on the key pair. Returns two key handles. Optionally returns certificates containing the ACL Generate logical token Creates a new logical token. Get ACL Returns the ACL for a given KeyID. Get application information Returns the application information stored with a key. Get key information Returns the hash of a key for use in ACLs Get module key list Returns a list of the hash of the module keys. Get module signature key Returns the handle of the public half of the modules signing key. Get slot information Returns information about the token shares stored on the token in a specified slot. Get slot list Returns a list of slots present in the module, Hash This command hashes a message Import key Loads a key and ACL from the host and returns a handle. If the unit is in its FIPS 140-1 level 3 mode, this service is only available for public keys. Initialise Puts the unit into the initialisation state, clearing all stored keys. Requires physical access to the unit. Insert software token Loads a software token from the host disk and ëinsertsí it into a slot. Load as module key Loads a key as a module key. Description of each service Service Description 8 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy Load blob Loads a key that has been stored in a key blob. The user must first have loaded the token or key used to encrypt the blob. Load logical token Allocates space for a new logical token Make key blob Creates a key blob containing the key and returns it. Merge keys Where one key is loaded on several modules with different handles, returns a new handle that can be used to refer to any of these handles. Modular exponentiation Returns AP MODN given A P and N New client Returns a client id. Pause For Notifications This is a command which merely waits for a certain period of time before returning which the unit can use to return asynchronous notifications. Random number Generate a random number Random prime Generates a random number that passes Rabin Millar primality test. Read share Reads a share from a token. Once sufficient shares have been loaded recreates token Read token data Reads a file, but not a logical token, to a smart card or software token. Remove module key Removes a loaded module key. Remove software token Removes a software token from an emulated slot and writes it to the host disk. Set application information Stores information with a key. Set Security Officer Loads a key hash as the Security Officerís Key. This can only be performed while the unit is in the initialisation state. Sign Returns the digital signature of plain text using a stored key. Statistic Get Values Gather statistics from the whole of the nCipher system. These statistics do not reveal any cryptographic information. Statistics Enumerate Tree Lists the statistics that can be returned. Verify Verifies a digital signature using a stored key. Which module Returns the list of modules on which a key is loaded. Write share Writes a new share to a smart card or software token. The number of shares that can be created is specified when the token is created. All shares must be written before the token is destroyed. Write token data Writes a file, but not a logical token, to a smart card or software token. Description of each service Service Description nCipher Corporation Ltd. 9 nForce 300, nForce 150, nForce 75 security policy Keys For each type of key used by the nShield module, the following section describes the access that a user has to the keys. The nShield module refers to keys by their handle, an arbitrary number, or by its SHA-1 hash. Module signing key - private half This key is used to sign certificates created by module. The user has no access to this key in any role. Module signing key - public half This key is used to verifying certificates created by module. Users can export this in plain text in any role. Module Key These keys are used for encrypting tokens. Any user may export a list of SHA-1 hashes of the module keys to determine whether a required key is present. The nCipher Security Officer can load keys as module keys and remove module keys. The Security Officer can export the key for in an encrypted from for archival before it is loaded as a module key. Security Officers key - private half This key is used to sign certificates authorising other users to perform tasks. The NSO can output this key as a key blob. No other user can access this key. Security Officers key - public half This key is used to verify certificates. The nCipher Security Officer can export this as a key blob or in plain text. The key is in plain text in certificates so other users who are given a certificate may see this key. Token Tokens are never output in plain text. Any user can retrieve a list of SHA-1 hashes of the tokens they have loaded. They have no access to tokens loaded by other users. Tokens are exported as encrypted shares. The nCipher Security Officer can create tokens under any module key. Junior Security Officerís can create tokens if they have a certificate from the nCipher Security Officer. This certificate can restrict the module keys under which the JSO can create keys. 10 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy Working keys Keys used for encryption, decryption, applying and verifying signatures are stored in key blobs. A user can access a key only if they possess the key blob and can load the token under which the blob was encrypted. The blob contains an ACL that lists the services that can be performed with the key. Note In order to comply with FIPS 140-1 level 3: all secret and private keys must have ACLs that prevent output in plain text. An ACL can require a certificate authorising a service. The keys used to sign these certificates are themselves stored in key blobs. The Security Officer loads these keys in the same way as any other key. Users can only access keys that they have loaded; they cannot access keys loaded by other users. Rules Identification and authentication All communication with the nShield module is performed via a server program running on the host machine, using standard inter process communication, using sockets in UNIX operating system, named pipes under Windows NT. In order to use the module the user must first log on to the host computer and start an nCipher enabled application. The application connects to the nCipher server, this connection is given a client ID, a 120-bit arbitrary number. Access Control Keys are stored on the host computerís hard disk in an encrypted format, known as a key blob. In order to load a key the user must first load the token used to encrypt this blob. Tokens can be divided into shares. Each share can be stored on a smart card or software token on the computerís hard disk. These shares are further protected by encryption with a pass phrase and a module key. Therefore a user can only load a key if they possess sufficient shares in the token, the required pass phrases and the module key are loaded in the module. nCipher Corporation Ltd. 11 nForce 300, nForce 150, nForce 75 security policy Module keys are stored in EEPROM in the module. They can only be loaded or removed by the nCipher Security Officer, who is identified by a public key pair created when the module is initialised. It is not possible to change the Security Officerís key without reinitialising the module, which clears all the module keys, thus preventing access to all other keys. The key blob also contains an Access Control List that specifies which services can be performed with this key, and the number of times these services can be performed. These can be hard limits or per authorisation limits. If a hard limit is reached that service can no longer be performed on that key. If a per-authorisation limit is reached the user must reauthorise the key by reloading the token. All objects are referred to by handle. Handles are cross-referenced to client IDs. If a command refers to a handle that was issued to a different client, the command is refused. Services exist to pass a handle between clientIDs. Object re-use All objects stored in the module are referred to by a handle. The moduleís memory management functions ensure that a specific memory location can only be allocated to a single handle. The handle also identifies the object type, and all of the modules enforce strict type checking. When a handle is released the memory allocated to it is actively zeroed. Error conditions If the nShield module cannot complete a command due to a temporary condition, the module returns a command block with no data and with the status word set to the appropriate value. The user can resubmit the command at a later time. The server program can record a log of all such failures. If the nShield module encounters an unrecoverable error it enters the error state. This is indicated by the status LED flashing in the Morse pattern SOS. As soon as the unit enters the error state all processors stop processing commands and no further replies are returned. In the error state the unit does not respond to commands. The unit must be reset. Physical security The nShield module is enclosed in a steel case made of three pieces of 1 mm steel. The unit is sealed with tamper evident seals from Advantage technology. 12 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy In order to prevent access to the unit via the ventilation slots, the slots in the base and lid are offset so that there is no straight line path though the two sets of slots. To comply with FIPS 140-1 level 3 roles and services The nCipher enabled application must perform the following services, for more information refer to the nCipher Security Officerís Guide and Technical Reference Manual. To initialise an module 1 Fit the initialisation link and restart the module 2 Use the Initialise command to enter the Initialisation state. 3 Generate a key pair to use a Security Officerís key. 4 Generate a logical token to use to protect the Security Officerís key. 5 Write one or more shares of this token onto software tokens. 6 Export the private half of the Security Officerís key as a key blob under this token. 7 Export the public half of the Security Officerís key as plain text. 8 Use the Set Security Officer service to set the Security Officerís key and the operational policy of the module. In order to comply with FIPS 140-1 level 3 roles and services you must set at least the following flags: • NSOPerms_ops_ReadFile • NSOPerms_ops_WriteFile • NSOPerms_ops_EraseShare • NSOPerms_ops_EraseFile • NSOPerms_ops_FormatToken • NSOPerms_ops_GenerateLogToken • NSOPerms_ops_SetKM • NSOPerms_ops_RemoveKM • NSOPerms_ops_StrictFIPS140 9 Keep the tokens and key blobs safe. 10 You can create extra module keys in order to distinguish groups of users. 11 You may want to create working keys and user authorisation at this stage. nCipher Corporation Ltd. 13 nForce 300, nForce 150, nForce 75 security policy 12 Remove the initialisation link and restart the module. To create a new user 1 Create a logical token. 2 Write one or more shares of this token onto software tokens. 3 For each key the user will require, export the key as a key blob under this token. 4 Give the user any pass phrases used and the key blob. To authorise the user to create keys 1 Create a new key, with an ACL that only permits UseAsSigningKey. This action may need to be authenticated. 2 Export this key as a key blob under the users token. 3 Create a certificate signed by the nCipher Security Officerís key that: • includes the hash of this key as the certifier • authorises the action GenerateKey or GenerateKeyPair depending on the type of key required. • if the user needs to store the keys, enables the action MakeBlob, limited to their token. 4 Give the user the key blob and certificate. To authorise a user to act as a Junior Security Officer 1 Generate a logical token to use to protect the Junior Security Officerís key. 2 Write one or more shares of this token onto software tokens 3 Create a new key pair, • Give the private half an ACL that permits Sign and UseAsSigningKey. • Give the public half an ACL that permits ExportAsPlainText 4 Export the private half of the Junior Security Officerís key as a key blob under this token. 14 nCipher Corporation Ltd. nForce 300, nForce 150, nForce 75 security policy 5 Export the public half of the Junior Security Officerís key as plain text. • Create a certificate signed by the nCipher Security officerís key includes the hash of this key as the certifier • authorises the actions GenerateKey, GenerateKeyPair • authorises the actions GenerateLogicalToken, WriteShare and MakeBlob, these may be limited to a particular module key. 6 Give the Junior Security Officer the software token, any pass phrases used, the key blob and certificate. To authenticate a user to use a stored key 1 Use the LoadLogicalToken service to create the space for a logical token. 2 Use the ReadShare service to read each share from the software token. 3 Use the LoadBlob service to load the key from the key blob. 4 The user can now perform the services specified in the ACL for this key. Note To assume Security Officer role load the Security Officerís key using this procedure. The Security Officerís key can then be used in certificates authorising further operations. To authenticate a user to create a new key 1 If you have not already loaded your user token, load it as above. 2 Use the LoadBlob service to load the authorisation key from the key blob. 3 Use the KeyId returned to build a signing key certificate. 4 Present this certificate with the certificate supplied by the security officer with the GenerateKey, GenerateKeyPair or MakeBlob command. nCipher Corporation Ltd. 15 nForce 300, nForce 150, nForce 75 security policy