Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
Version 1.2
Last Update: 2013-10-28
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
2 of 45
1. Introduction ..................................................................................................................................... 4
1.1. Purpose of the Security Policy .......................................................................................... 4
1.2. Target Audience ..................................................................................................................... 4
2. Cryptographic Module Specification ...................................................................................... 5
2.1. Description of Module.......................................................................................................... 5
2.2. Description of Approved Mode ......................................................................................... 6
2.3. Cryptographic Module Boundary..................................................................................... 7
2.3.1. Software Block Diagram ............................................................................................ 7
2.3.2. Hardware Block Diagram........................................................................................... 8
3. Cryptographic Module Ports and Interfaces........................................................................ 9
4. Roles, Services, and Authentication..................................................................................... 10
4.1. Roles......................................................................................................................................... 10
4.2. Services................................................................................................................................... 10
4.3. Operator Authentication ................................................................................................... 27
4.4. Mechanism and Strength of Authentication.............................................................. 27
5. Finite State Machine................................................................................................................... 28
6. Physical Security.......................................................................................................................... 29
7. Operational Environment ......................................................................................................... 30
8. Cryptographic Key Management........................................................................................... 31
8.1. Random Number Generation .......................................................................................... 32
8.2. Key/CSP Generation............................................................................................................ 32
8.3. Key/CSP Establishment...................................................................................................... 32
8.4. Key Entry and Output......................................................................................................... 33
8.5. Key Storage............................................................................................................................ 33
8.6. Zeroization Procedure........................................................................................................ 33
9. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC).............. 34
10. Self-Tests....................................................................................................................................... 35
10.1. Power-Up Tests ................................................................................................................... 35
10.2. Integrity Check................................................................................................................... 36
10.3. Conditional Tests ............................................................................................................... 36
11. Design Assurance....................................................................................................................... 37
11.1. Configuration Management .......................................................................................... 37
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
3 of 45
11.2. Delivery and Operation................................................................................................... 37
11.2.1. Downloading a FIPS 140-2-compatible engine version................................ 37
11.3. Cryptographic Officer Guidance.................................................................................. 37
11.3.1. Installation .................................................................................................................... 37
11.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version. 37
11.3.1.2 Configuring the engine......................................................................................... 38
11.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode............ 38
11.3.1.4 Resetting the appliance to factory settings.................................................. 39
11.3.1.5 Recovering from a FIPS 140-2 self-test failure............................................. 39
11.3.2. Entropy Source ............................................................................................................ 39
11.3.3. Initialization .................................................................................................................. 40
11.4. User Guidance.................................................................................................................... 40
11.4.1. AES GCM ........................................................................................................................ 40
11.4.2. Zeroization.................................................................................................................... 40
11.4.3. Key Export..................................................................................................................... 40
12. Mitigation of Other Attacks ................................................................................................... 41
13. Glossary and Abbreviations .................................................................................................. 42
14. References................................................................................................................................... 44
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
4 of 45
1. Introduction
This document is a non-proprietary FIPS 140-2 Security Policy for the Stonesoft Cryptographic
Library module. The current version of the module is v1.1. This document contains a specification
of the rules under which the module must operate and describes how this module meets the
requirements as specified in the Federal Information Processing Standards Publication (FIPS PUB)
140-2 for a Security Level 1 multi-chip standalone software module.
1.1. Purpose of the Security Policy
There are three major reasons that a security policy is required:
 For FIPS 140-2 validation,
 Allows individuals and organizations to determine whether the cryptographic module, as
implemented, satisfies the stated security policy, and
 Describes the capabilities, protection, and access rights provided by the cryptographic
module, allowing individuals and organizations to determine whether it will meet their
security requirements.
1.2. Target Audience
This document is intended to be part of the package of documents that are submitted for FIPS
validation. It is intended for the following people:
 Developers working on the release
 FIPS 140-2 testing lab
 Cryptographic Module Validation Program (CMVP)
 Consumers
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
5 of 45
2. Cryptographic Module Specification
This document is the non-proprietary security policy for the Stonesoft Cryptographic Library and
was prepared as part of the requirements to FIPS 140-2, Level 1.
The following section describes the module and how it complies with the FIPS 140-2 standard in
each of the required areas.
2.1. Description of Module
The Stonesoft Cryptographic Library is a shared library that provides a C-language application
programming interface for use by Stonesoft applications. Assembly language optimizations are
used in the cryptographic module implementation.
The files consisting of the logical boundary of the module are the module binary file
libqscrypto.so.1.1 and the checksums.fips file that contains the HMAC-SHA-256 value needed for
the module integrity check. The module contains the following cryptographic functionality:
 Pseudo random number generation
 Cryptographic hash functions
 Message authentication code functions
 Symmetric key encryption and decryption
 Public key cryptography: key pair generation, digital signature generation and verification
 Key agreement and establishment
 Key wrapping
The following table shows the overview of the security level for each of the eleven sections of the
validation.
Security Component Security Level
Cryptographic Module Specification 1
Cryptographic Module Ports and Interfaces 1
Roles, Services and Authentication 1
Finite State Model 1
Physical Security 1
Operational Environment 1
Cryptographic Key Management 1
EMI/EMC 1
Self Tests 1
Design Assurance 3
Mitigation of Other Attacks N/A
Table 1: Security Levels
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
6 of 45
The module has been tested on the following platforms:
Manufacturer Model O/S & Ver.
Stonesoft FW-315 Debian GNU/Linux 6.0-based distribution (single-user mode)
Stonesoft FW-1301 Debian GNU/Linux 6.0-based distribution (single-user mode)
Table 2: Tested Platforms
2.2. Description of Approved Mode
The cryptographic module supports only a FIPS 140-2 approved mode. The calling application can
invoke ssh_crypto_get_certification_mode() to check the status of the module. It returns
SH_CRYPTO_CERTIFICATION_FIPS_140_2 to indicate that the module is indeed in the FIPS-
APPROVED mode.
The module provides the following algorithms and services:
 AES: key wrapping, encryption and decryption; ECB, CBC, and GCM modes
 Triple-DES: encryption and decryption; ECB and CBC modes
 DSA: key generation, digital signatures, and verification
 RSA: key generation, digital signatures, and verification
 ECDSA: key generation, digital signature, and verification
 DRBG: random number generation
 SHS: hashing
 HMAC: message authentication code
In addition, the module provides the following key establishment methods:
 Diffie-Hellman key agreement as key establishment method
 EC Diffie-Hellman: key agreement as key establishment method
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
7 of 45
2.3. Cryptographic Module Boundary
2.3.1. Software Block Diagram
The logical boundary of the module is the Cryptographic Library itself, which is indicated by the
“Cryptographic Boundary” rectangle as illustrated in the diagram below.
Stonesoft
Cryptographic Library
Data in
Physical Boundary
Data out
Control in
Status out
Cryptographic Boundary
Figure 1: Software Block Diagram
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
8 of 45
2.3.2. Hardware Block Diagram
The physical boundary of the module is the enclosure of the appliance that the module is running
on. The module was tested on two separate appliances, both of which are general purpose
computers. The hardware block diagram below depicts both test appliances (FW-1301 and FW-
315) and their internal components and ports (processor, SSD, USB, Ethernet, etc.).
Processor
Chipset RAM
Flash Drive
(FW-315)
Ethernet
Controller /
Ports
(6)
(8)
(4)
Disk
Controller
(10)
(7)
(9)
Serial Controller / Port
(5)
Power
Supply
ROM
USB Controller / Ports
(3)
(1)
(2)
1, 2, 4, 5, 6, 7, 8, 12 and 13: Data in, data out, control in, status out
3: Power in
9, 10 and 11: Control in
Cryptographic Module Boundary
Storage Slot /
SSD
(FW-1301)
(11)
Expansion
module slot /
Ethernet Ports
(FW-1301)
(13)
(12)
Figure 2: Hardware Block Diagram
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
9 of 45
3. Cryptographic Module Ports and Interfaces
FIPS Interface Physical Ports Logical Ports
Data Input Ethernet ports, serial port API input parameters
Data Output Ethernet ports, serial port API output parameters and return
values
Control Input Ethernet ports, serial port API input parameters
Status Output Ethernet ports, serial port API return values
Power Input PC power supply port N/A
Table 3: Ports and Interfaces
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
10 of 45
4. Roles, Services, and Authentication
4.1. Roles
The module implements both a User and a Crypto Officer role. The module does not allow
concurrent operators.
The User and Crypto Officer roles are implicitly assumed by the entity accessing services
implemented by the module. No further authentication is required. The Crypto Officer can install
and initialize the module.
4.2. Services
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
Symmetric Algorithms
AES encryption
and decryption
  128, 192,
256 bit
keys
ECB, CBC Yes
Cert #2240,
2241
RWX FIPS 197
ssh_cipher_allocate
ssh_cipher_free
ssh_cipher_get_blo
ck_length
ssh_cipher_get_iv
ssh_cipher_get_iv_l
ength
ssh_cipher_get_key
_length
ssh_cipher_get_ma
x_key_length
ssh_cipher_get_mi
n_key_length
ssh_cipher_get_sup
ported
ssh_cipher_has_fix
ed_key_length
ssh_cipher_is_fips_
approved
ssh_cipher_name
sh_cipher_set_iv
ssh_cipher_support
ed
ssh_cipher_transfor
m
ssh_cipher_transfor
m_remaining
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
11 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ssh_cipher_transfor
m_with_iv
ssh_cipher_get_blo
ck_len
AES-GCM au-
thenticated en-
cryption and de-
cryption


128, 192,
256 bit
keys
GCM Yes
Cert #2240,
2241
RWX SP 800-38D
ssh_cipher_allocate
ssh_cipher_free
ssh_cipher_get_blo
ck_length
ssh_cipher_get_iv
ssh_cipher_get_iv_l
ength
ssh_cipher_get_key
_length
ssh_cipher_get_ma
x_key_length
ssh_cipher_get_mi
n_key_length
ssh_cipher_get_sup
ported
ssh_cipher_has_fix
ed_key_length
ssh_cipher_is_fips_
approved
ssh_cipher_name
sh_cipher_set_iv
ssh_cipher_support
ed
ssh_cipher_transfor
m
ssh_cipher_transfor
m_remaining
ssh_cipher_transfor
m_with_iv
ssh_cipher_get_blo
ck_len
ssh_cipher_is_auth
_cipher
ssh_cipher_auth_re
set
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
12 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ssh_cipher_auth_u
pdate
ssh_cipher_auth_fi
nal
ssh_cipher_auth_di
gest_length
ssh_cipher_is_auth
ssh_cipher_generat
e_iv_ctr
ssh_cipher_auth_di
gest_len
AES key wrap-
ping
  128, 256
bit keys
ECB Yes
Cert #2240,
2241
RWX sg_aes_key_unwra
p_kek_with_paddin
g
sg_aes_key_unwra
p_with_padding
sg_aes_key_wrap_k
ek_with_padding
sg_aes_key_wrap_
with_padding
ssh_aes_key_unwr
ap
ssh_aes_key_unwr
ap_kek
ssh_aes_key_wrap
ssh_aes_key_wrap_
kek
Triple-DES en-
cryption and de-
cryption


168 bit
keys
ECB, CBC Yes
Cert #1401,
1402
RWX ssh_cipher_allocate
ssh_cipher_free
ssh_cipher_get_blo
ck_length
ssh_cipher_get_iv
ssh_cipher_get_iv_l
ength
ssh_cipher_get_key
_length
ssh_cipher_get_ma
x_key_length
ssh_cipher_get_mi
n_key_length
ssh_cipher_get_sup
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
13 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ported
ssh_cipher_has_fix
ed_key_length
ssh_cipher_is_fips_
approved
ssh_cipher_name
sh_cipher_set_iv
ssh_cipher_support
ed
ssh_cipher_transfor
m
ssh_cipher_transfor
m_remaining
ssh_cipher_transfor
m_with_iv
ssh_cipher_get_blo
ck_len
Asymmetric Algorithms
DSA domain pa-
rameter genera-
tion
  L=1024,
N=160;
L=2048,
N=224;
L=2048,
N=256;
L=3072,
N=256
Yes
Cert #694,
695
RWX FIPS 186-3
ssh_private_key_ge
nerate
DSA key pair
generation
  L=1024,
N=160;
L=2048,
N=224;
L=2048,
N=256;
L=3072,
N=256
Yes
Cert #694,
695
RWX FIPS 186-3
ssh_private_key_ge
nerate
ssh_private_key_de
rive_public_key
DSA signature
generation
  L=1024,
N=160;
L=2048,
N=224;
L=2048,
Yes
Cert #694,
695
RX FIPS 186-3
ssh_private_key_si
gn
ssh_private_key_si
gn_async
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
14 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
N=256;
L=3072,
N=256
ssh_private_key_si
gn_digest
ssh_private_key_si
gn_digest_async
ssh_private_key_m
ax_signature_input
_len
ssh_private_key_m
ax_signature_outp
ut_len
ssh_private_key_de
rive_signature_has
h
ssh_proxy_key_rgf_
sign
DSA signature
verification
  L=1024,
N=160;
L=2048,
N=224;
L=2048,
N=256;
L=3072,
N=256
Yes
Cert #694,
695
RX FIPS 186-3
ssh_public_key_ver
ify_async
ssh_public_key_ver
ify_digest_async
ssh_public_key_ver
ify_signature
ssh_public_key_ver
ify_signature_with_
digest
ssh_public_key_der
ive_signature_hash
ssh_proxy_key_rgf_
verify
DSA public key
validation


1024,
2048,
3072 bits
modulus
size
Yes
Cert #694,
695
RX FIPS 186-3
ssh_public_key_vali
date
RSA key genera-
tion
  1024,
2048,
3072
modulus
size.
Public key
value
Yes
Cert #1147,
1148
RWX FIPS 186-3
ssh_private_key_ge
nerate
ssh_private_key_de
rive_public_key
ssh_mp_fip186_ifc_
aux_prime_create
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
15 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
65537. ssh_mp_fips186_ifc
_prime_factor
RSA signature
generation
based on
PKCS#1 v1.5
  1024,
2048,
3072 bit
modulus
SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512
Yes
Cert #1147,
1148
RX FIPS 186-3
ssh_private_key_si
gn
ssh_private_key_si
gn_async
ssh_private_key_si
gn_digest
ssh_private_key_si
gn_digest_async
ssh_private_key_m
ax_signature_input
_len
ssh_private_key_m
ax_signature_outp
ut_len
ssh_private_key_de
rive_signature_has
h
ssh_proxy_key_rgf_
sign
RSA signature
verification
based on
PKCS#1 v1.5
  1024,
2048,
3072 bit
modulus
SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512
Yes
Cert #1147,
1148
RX FIPS 186-3
ssh_public_key_ver
ify_async
ssh_public_key_ver
ify_digest_async
ssh_public_key_ver
ify_signature
ssh_public_key_ver
ify_signature_with_
digest
ssh_public_key_der
ive_signature_hash
ssh_proxy_key_rgf_
verify
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
16 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
RSA signature
generation
based on PSS
(probabilistic
signature
scheme)
  1024,
2048,
3072 bit
modulus
SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512
Yes
Cert #1147,
1148
RX FIPS 186-3
ssh_private_key_si
gn
ssh_private_key_si
gn_async
ssh_private_key_si
gn_digest
ssh_private_key_si
gn_digest_async
ssh_private_key_m
ax_signature_input
_len
ssh_private_key_m
ax_signature_outp
ut_len
ssh_private_key_de
rive_signature_has
h
ssh_proxy_key_rgf_
sign
RSA signature
verification
based on PSS
(probabilistic
signature
scheme)
  1024,
2048,
3072 bit
modulus
SHA-1,
SHA-224,
SHA-256,
SHA-384,
SHA-512
Yes
Cert #1147,
1148
RX FIPS 186-3
ssh_public_key_ver
ify_async
ssh_public_key_ver
ify_digest_async
ssh_public_key_ver
ify_signature
ssh_public_key_ver
ify_signature_with_
digest
ssh_public_key_der
ive_signature_hash
ssh_proxy_key_rgf_
verify
RSA public key
validation


1024,
2048,
3072 bit
modulus
Yes
Cert #1147,
1148
RX FIPS 186-3
ssh_public_key_vali
date
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
17 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ECDSA key pair
generation


192, 224,
256, 384,
521 bit
prime
modulus
Yes
Cert #349,
350
RWX FIPS 186-3
ssh_private_key_ge
nerate
ssh_private_key_de
rive_public_key
ECDSA signature
generation


192, 224,
256, 384,
521 bit
prime
modulus
Yes
Cert #349,
350
RX FIPS 186-3
ssh_private_key_si
gn
ssh_private_key_si
gn_async
ssh_private_key_si
gn_digest
ssh_private_key_si
gn_digest_async
ssh_private_key_m
ax_signature_input
_len
ssh_private_key_m
ax_signature_outp
ut_len
ssh_proxy_key_rgf_
sign
ECDSA signature
verification


192, 224,
256, 384,
521 bit
prime
modulus
Yes
Cert #349,
350
RX FIPS 186-3
ssh_public_key_ver
ify_async
ssh_public_key_ver
ify_digest_async
ssh_public_key_ver
ify_signature
ssh_public_key_ver
ify_signature_with_
digest
ssh_public_key_der
ive_signature_hash
ssh_proxy_key_rgf_
verify
ECDSA public
key validation


192, 224,
256, 384,
521 bit
prime
Yes
Cert #349,
350
RX FIPS 186-3
ssh_public_key_vali
date
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
18 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
modulus
Asymmetric key
management


Private
keys
RW ssh_private_key_co
py
ssh_private_key_fr
ee
ssh_private_key_ge
t_info
ssh_private_key_is_
fips_approved
ssh_private_key_na
me
ssh_private_key_pr
ecompute
ssh_private_key_se
lect_scheme
ssh_public_key_cop
y
ssh_public_key_cre
ate_proxy
ssh_public_key_fre
e
ssh_public_key_get
_info
ssh_public_key_get
_predefined_group
s
ssh_public_key_get
_supported
ssh_public_key_is_f
ips_approved
ssh_public_key_na
me
ssh_public_key_pre
compute
Hash Functions
SHA-1   N/A Yes
Cert #1929,
1930
RX ssh_hash_allocate
ssh_hash_asn1_oid
ssh_hash_asn1_oid
_compare
ssh_hash_asn1_oid
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
19 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
_generate
ssh_hash_compare
_result
ssh_hash_compare
_start
ssh_hash_digest_le
ngth
ssh_hash_final
ssh_hash_free
ssh_hash_get_supp
orted
ssh_hash_input_blo
ck_size
ssh_hash_is_fips_a
pproved
ssh_hash_name
ssh_hash_reset
ssh_hash_supporte
d
ssh_hash_update
ssh_hash_of_buffer
ssh_sha_transform
ssh_sha_permuted
_transform
SHA-224
SHA-256
SHA-384
SHA-512
  N/A Yes
Cert #1929,
1930
RX ssh_hash_allocate
ssh_hash_asn1_oid
ssh_hash_asn1_oid
_compare
ssh_hash_asn1_oid
_generate
ssh_hash_compare
_result
ssh_hash_compare
_start
ssh_hash_digest_le
ngth
ssh_hash_final
ssh_hash_free
ssh_hash_get_supp
orted
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
20 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ssh_hash_input_blo
ck_size
ssh_hash_is_fips_a
pproved
ssh_hash_name
ssh_hash_reset
ssh_hash_supporte
d
ssh_hash_update
ssh_hash_of_buffer
Message Authentication Codes (MACs)
HMAC-SHA-1   HMAC key N/A Yes
Cert #1370,
1371
RWX ssh_mac_allocate
ssh_mac_final
ssh_mac_free
ssh_mac_get_block
_length
ssh_mac_get_max_
key_length
ssh_mac_get_min_
key_length
ssh_mac_get_supp
orted
ssh_mac_is_fips_ap
proved
ssh_mac_length
ssh_mac_name
ssh_mac_reset
ssh_mac_supporte
d
ssh_mac_update
HMAC-SHA-224
HMAC-SHA-256
HMAC-SHA-384
HMAC-SHA-512
  HMAC key N/A Yes
Cert #1370,
1371
RWX ssh_mac_allocate
ssh_mac_final
ssh_mac_free
ssh_mac_get_block
_length
ssh_mac_get_max_
key_length
ssh_mac_get_min_
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
21 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
key_length
ssh_mac_get_supp
orted
ssh_mac_is_fips_ap
proved
ssh_mac_length
ssh_mac_name
ssh_mac_reset
ssh_mac_supporte
d
ssh_mac_update
Random Number Generation
DRBG   Seed with
256-bit
entropy,
Entropy
input
string with
256-bit
entropy
AES 256
ECB
Yes
Cert #266,
267
RWX SP 800-90A
ssh_random_add_n
oise
ssh_random_get_b
yte
ssh_random_get_ui
nt32
ssh_random_stir
ssh_random_get_s
upported
ssh_random_suppo
rted
ssh_random_is_fips
_approved
ssh_random_alloca
te
ssh_random_free
ssh_random_name
ssh_random_add_e
ntropy
ssh_random_add_li
ght_noise
ssh_mprz_aux_mod
_random
ssh_mprz_aux_mod
_random_entropy
Key Agreement
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
22 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
Diffie-Hellman   Diffie-
Hellman
secret,
shared
secret
Component
Cert #37, 38
RWX SP 800-56A
ssh_pk_group_copy
ssh_pk_group_coun
t_randomizers
ssh_pk_group_dh_a
gree
ssh_pk_group_dh_a
gree_async
ssh_pk_group_dh_a
gree_max_output_l
ength
ssh_pk_group_dh_r
eturn_randomizer
ssh_pk_group_dh_s
ecret_free
ssh_pk_group_dh_s
etup
ssh_pk_group_dh_s
etup_async
ssh_pk_group_dh_s
etup_max_output_l
ength
ssh_pk_group_free
ssh_pk_group_gen
erate
ssh_pk_group_gen
erate_randomizer
ssh_pk_group_get_i
nfo
EC Diffie-
Hellman


EC Diffie-
Hellman
secret,
shared
secret
Component
Cert #37, 38
RWX SP 800-56A
ssh_pk_group_copy
ssh_pk_group_coun
t_randomizers
ssh_pk_group_dh_a
gree
ssh_pk_group_dh_a
gree_async
ssh_pk_group_dh_a
gree_max_output_l
ength
ssh_pk_group_dh_r
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
23 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
eturn_randomizer
ssh_pk_group_dh_s
ecret_free
ssh_pk_group_dh_s
etup
ssh_pk_group_dh_s
etup_async
ssh_pk_group_dh_s
etup_max_output_l
ength
ssh_pk_group_free
ssh_pk_group_gen
erate
ssh_pk_group_gen
erate_randomizer
ssh_pk_group_get_i
nfo
ssh_pk_group_prec
ompute
ssh_pk_group_sele
ct_scheme
ssh_dh_group_crea
te_proxy
Key Entry and Output
DSA key entry   DSA pri-
vate key
Yes
Cert #694,
695
W ssh_pk_import
ssh_private_key_de
fine
ssh_private_key_im
port
ssh_public_key_def
ine
ssh_public_key_im
port
DSA key output 

DSA pri-
vate key
Yes
Cert #694,
695
R ssh_pk_export
ssh_private_key_ex
port
RSA key entry 

RSA pri-
vate key
Yes
Cert #1147,
1148
W ssh_pk_import
ssh_private_key_de
fine
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
24 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ssh_private_key_im
port
ssh_public_key_def
ine
ssh_public_key_im
port
RSA key output 

RSA pri-
vate key
Yes
Cert #1147,
1148
R ssh_pk_export
ssh_private_key_ex
port
ECDSA key entry 

ECDSA
private
key
Yes
Cert #349,
350
W ssh_pk_import
ssh_private_key_de
fine
ssh_private_key_im
port
ssh_public_key_def
ine
ssh_public_key_im
port
ECDSA key out-
put


ECDSA
private
key
Yes
Cert #349,
350
R ssh_pk_export
ssh_private_key_ex
port
Diffie-Hellman
key entry


Diffie-
Hellman
private
key
Component
Cert #37, 38
W ssh_pk_import
ssh_pk_group_imp
ort
ssh_pk_group_imp
ort_randomizers
Diffie-Hellman
key output


Diffie-
Hellman
private
key
Component
Cert #37, 38
R ssh_pk_export
ssh_pk_group_expo
rt
ssh_pk_group_expo
rt_randomizers
EC Diffie-
Hellman key en-
try


EC Diffie-
Hellman
private
key
Component
Cert #37, 38
W ssh_pk_import
ssh_pk_group_imp
ort
ssh_pk_group_imp
ort_randomizers
EC Diffie-
Hellman key


EC Diffie-
Hellman
Component
Cert #37, 38
R ssh_pk_export
ssh_pk_group_expo
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
25 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
output private
key
rt
ssh_pk_group_expo
rt_randomizers
Management
Installation 
N/A N/A N/A N/A Please refer to sec-
tion 11.3 “Crypto-
graphic Officer
Guidance” for se-
cure installation of
the module.
Initialization 
N/A N/A N/A RX ssh_crypto_library_
initialize
ssh_crypto_library_
regis-
ter_noise_request
ssh_crypto_library_
regis-
ter_progress_func
ssh_pk_provider_re
gister
sg_crypto_register_
error_callback
ssh_random_noise_
polling_init
ssh_drbg_instantiat
e
sg_drbg_enable_co
ntinuous_test
ssh_drbg_reseed
ssh_drbg_generate
ssh_drbg_uninstant
iate
Mode manage-
ment

N/A N/A N/A RX ssh_crypto_get_cer
tification_mode
ssh_crypto_set_cer
tification_mode
Uninitialization 
N/A N/A N/A RX ssh_crypto_free
ssh_crypto_library_
uninitialize
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
26 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
ssh_crypto_library_
unregis-
ter_noise_request
ssh_random_noise_
polling_uninit
External crypto
registration

N/A N/A N/A RX The external cryp-
to registration is
not supported on
the tested
Stonesoft plat-
forms.. The func-
tions below return
SG_CRYPTO_REGIS
TER_NOT_SUPPORT
ED.
sg_cipher_external
_register
sg_cipher_external
_unregister
sg_hash_external_r
egister
sg_hash_external_
unregister
sg_mac_external_r
egister
sg_mac_external_u
nregister
sg_ciphermac_exte
rnal_register
sg_ciphermac_exte
rnal_unregister
Status
Query status 

N/A N/A N/A RX ssh_crypto_library_
get_status
ssh_crypto_library_
get_version
sg_crypto_library_g
et_path
ssh_crypto_status_
message
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
27 of 45
Service Roles CSP Modes FIPS Ap-
proved? Cert
# (if appli-
cable)
Access Notes/API Func-
tion
User
CO
Self-tests
Perform self-
tests


N/A N/A N/A RX ssh_crypto_library_
self_tests
Other services
Compression 

N/A N/A N/A RX ssh_compress_allo
cate
ssh_compress_free
ssh_compress_get_
supported
ssh_compress_is_n
one
ssh_compress_syn
c_levels
ssh_compress_buff
er
Auxiliary ser-
vices


N/A N/A N/A RX ssh_aux_pkcs1_pa
d
ssh_aux_pkcs1_un
pad
ssh_aux_pkcs1_wra
p_and_pad
ssh_cipher_alias_g
et_native
ssh_cipher_alias_g
et_supported
ssh_cipher_alias_su
pported
ssh_ecp_set_param
Table 4: Services
4.3. Operator Authentication
There is no operator authentication; assumption of role is implicit by action.
4.4. Mechanism and Strength of Authentication
No authentication is required at Security Level 1; authentication is implicit by assumption of the
role.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
28 of 45
5. Finite State Machine
The following diagram represents the states and transitions of the cryptographic module.
Figure 3: Cryptographic Module Finite State Machine
The state model contains the following states:
 UNLOADED: The start state of the cryptographic module is UNLOADED. The module is in this
state until the shared library is loaded and linked to the application. Cryptographic operations
are not available while in this state.
 UNINITIALIZED: The module is in the UNINITIALIZED state after it has been loaded but not yet
initialized, or it has been successfully uninitialized. Cryptographic operations are not available
while in this state.
 SELF-TEST: The module performs power-up self-tests during initialization or on-demand. Cryp-
tographic operations are not available while in this state.
 OK: The module enters the FIPS mode in the “OK” state after successfully passing the power-
up self-tests. The cryptographic services are available in this state.
 ERROR: The module enters this state after a self-test, a cryptographic operation or uninitializa-
tion has failed. An error indicator is output by the module.
The state transitions are as follows:
1. The shared library is loaded and linked dynamically to the application.
2. The cryptographic module is initialized using the ssh_crypto_library_initialize function. The
function is called automatically when the shared library is loaded.
3. The self-tests succeed.
4. A cryptographic operation is performed successfully.
5. On-demand self-tests are performed using the ssh_crypto_library_self_tests function.
6. The cryptographic module is uninitialized using the ssh_crypto_library_uninitialize function.
7. The shared library is unloaded.
8. Power-up self-tests fail.
9. A conditional test fails during a cryptographic operation.
10. The module uninitialization fails because cryptographic objects are still referenced.
11. Cryptographic objects are no longer in use and the module uninitialization succeeds. This
transition also occurs automatically when the power-up self-tests fail during the module
initialization.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
29 of 45
6. Physical Security
The cryptographic module is tested on the Stonesoft FW-315 and FW-1301 appliances that consist
of production-grade components with standard passivation and a production-grade enclosure.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
30 of 45
7. Operational Environment
This module will operate in a modifiable operational environment per the FIPS 140-2 definition.
The module operates on the Stonesoft Debian GNU/Linux based hardened operating system that is
set in the FIPS compatible mode of operation. Login to the operating system is disabled and only
the preinstalled Stonesoft application is running on the system. Therefore the operational
environment is considered non-modifiable. The application that uses the cryptographic module is
also the single user of the module.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
31 of 45
8. Cryptographic Key Management
Keys are established externally. CSPs can be accessed only using the API. The operating system
protects the memory and the address space of the process from unauthorized access.
Name Auth
Role
Generation Type Output Storage Zeroization
HMAC key
for
module
integrity
check
User,
CO
External,
electronic
entry
HMAC key N/A In module
binary
Zeroization is not
required per FIPS
IG 7.4
AES,
Triple-DES
symmetric
keys
User,
CO
External,
electronic
entry
Symmetric
key
N/A Plaintext in
memory
API call, power off
DSA
private
key
User,
CO
DSA key
generation
using DRBG,
externally
using DSA
key entry
Private
key
Encrypted,
plaintext
Plaintext in
memory
API call, power off
RSA
private
key
User,
CO
RSA key
generation
using DRBG,
externally
using RSA
key entry
Private
key
Encrypted,
plaintext
Plaintext in
memory
API call, power off
ECDSA
private
key
User,
CO
ECDSA key
generation
using DRBG,
externally
using ECDSA
key entry
Private
key
Encrypted,
plaintext
Plaintext in
memory
API call, power off
HMAC key User,
CO
External,
electronic
entry
HMAC N/A Plaintext in
memory
API call, power off
DRBG
entropy
input
User,
CO
External,
electronic
entry
Entropy
input
N/A Plaintext in
memory
API call, power off
DRBG
seed
User,
CO
Dev/urandom
and
dev/random
Seed N/A Plaintext in
memory
API call, power off
Diffie- User, DSA key Private N/A Plaintext in API call, power off
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
32 of 45
Hellman
secret
CO generation
using DRBG
key memory
Diffie-
Hellman
shared
secret
User,
CO
Generated
through
Diffie-
Hellman
protocol
Symmetric
key
Plaintext Plaintext in
memory
API call, power off
EC Diffie-
Hellman
secret
User,
CO
ECDSA key
generation
using DRBG,
Private
key
N/A Plaintext in
memory
API call, power off
EC Diffie-
Hellman
shared
secret
User,
CO
Generated
through
Diffie-
Hellman
protocol
Symmetric
key
Plaintext Plaintext in
memory
API call, power off
Table 5: Key Management
8.1. Random Number Generation
The cryptographic module implements an AES block cipher based DRBG with derivation function
according to SP 800-90A. The module obtains the seed and the entropy input string from
/dev/urandom. The seed and the entropy input string are both 256 bytes. Their security strength is
256 bits, i.e., 1 bit per byte is assumed. In the operational environment, /dev/urandom is seeded
with 4096 bytes from /dev/urandom. During the installation, the seed data is also mixed with 32
bytes from /dev/random to ensure sufficient entropy.
8.2. Key/CSP Generation
DSA key pairs are generated using random bits from DRBG according to FIPS 186-3 Appendix
B.1.1.
RSA key pairs are generated using probable primes with conditions using auxiliary probable
primes and random bits from the DRBG according to FIPS 186-3 Appendix B.3.6.
ECDSA key pairs are generated using extra random bits from the DRBG according to FIPS 186-3
Appendix B.4.1.
Diffie-Hellman and EC Diffie-Hellman secrets and public values are generated using random bits
from the DRBG.
8.3. Key/CSP Establishment
The cryptographic module supports Diffie-Hellman primitives for key agreement using ephemeral
keys:
 FFC DH dhEphem, C(2, 0, FFC DH) using 1024, 1536, and 2048-bit groups
 ECC CDH Ephemeral Unified Model, C(2, 0, ECC CDH) using p-192, p-224, p-256, p-384, and
p-521 curves
CAVEAT 1: Diffie-Hellman key agreement; key establishment methodology provides between 80
and 112 bits of encryption strength;
CAVEAT 2: EC Diffie-Hellman key agreement; key establishment methodology provides between
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
33 of 45
80 and 256 bits of encryption strength.
The cryptographic module also supports the AES key wrapping algorithm as key transport method
to wrap the private keys for imports/exports. The AES algorithm is FIPS 140-2-approved and its
implementation in the module is certified by CAVP. The key size for AES key wrap is either 128 or
256 bits depending on the key that is provided by the calling application.
CAVEAT 3: AES key wrapping; key establishment methodology provides 128 or 256 bits of encryp-
tion strength.
8.4. Key Entry and Output
The cryptographic module supports electronic entry of symmetric keys and HMAC keys. The
application using the cryptographic module can import secret keys to the module in plaintext
within the physical boundary. In addition, private keys can be imported encrypted using AES key
wrapping.
Private keys can be exported in plaintext to the application using the module within the physical
boundary. In addition, private keys can be exported encrypted using AES key wrapping.
There is no output of intermediate key generation values from the module at any point in time.
The module does not support manual entry of keys.
8.5. Key Storage
The keys and CSPs are stored in plaintext in memory. The module does not provide persistent
storage of keys.
8.6. Zeroization Procedure
The stored keys and CSPs are zeroized when the application calls the appropriate API function:
ssh_cipher_free, ssh_mac_free, ssh_private_key_free, ssh_pk_group_free and
ssh_crypto_library_uninitialize. Intermediate key material is zeroized automatically by the module
when no longer needed. All keys and CSPs can be zeroized by powering off the module and
performing a system restore operation by the operational environment.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
34 of 45
9. Electromagnetic Interference/Electromagnetic Compatibility
(EMI/EMC)
Testing Platform EMC information
Stonesoft FW-315 Testing Laboratory:
Intertek ETL Semko OY
FCC registration number: 910391
Test summary:
15.107 Conducted emissions to AC-mains test passed
15.109 Radiated emissions test passed
Conforms to Class B
Stonesoft FW-1301 Testing Laboratory:
Intertek ETL Semko OY
FCC registration number: 910391
Test summary:
15.107 Conducted emissions to AC-mains test passed
15.109 Radiated emissions test passed
Conforms to Class A
Table 6: FCC IDs
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
35 of 45
10. Self-Tests
10.1. Power-Up Tests
The power-up self-tests are executed automatically when the cryptographic module is loaded. The
ssh_crypto_library_initialize() function returns SSH_CRYPTO_OK when the power-up self-tests are
successfully completed.
If the power-up self-tests fail, the cryptographic module outputs an error message and enters an
error state. No further operations are allowed when the module is in an error state. The
cryptographic module causes the process termination with a non-zero exit status when the power-
up self-tests have failed. The computer will need to be restarted in order for the cryptographic
module to enter to an operational state.
Self-tests are performed on-demand when the user calls the ssh_crypto_library_self_tests()
function.
Algorithm Test
AES Known Answer Test (KAT), encryption and decryption are tested separately
Triple-DES KAT, encryption and decryption are tested separately
DSA Pair-wise consistency test (PCT) in place of KAT for signature generation and
verification test, pair-wise consistency test for DSA key pair generation
RSA KAT for signature generation and verification tested separately , pair-wise
consistency test for RSA key pair generation
ECDSA KAT for signature generation and verification tested separately, pair-wise
consistency test for ECDSA key pair generation
SHS KAT for SHA-1, SHA-256 and SHA-512
HMAC KAT for HMAC-SHA-1, HMAC-SHA-256 and HMAC-SHA-512
DRBG KAT
Diffie-Hellman KAT, pair-wise consistency test
EC Diffie-Hellman KAT, pair-wise consistency test
Table 7: Power-Up Tests
The following are the error messages related to self-test failure:
Reason For Failure Error Message
Failure of AES/Triple-DES
KAT
Cipher algorithm test failed during self-test
Failure of
RSA/DSA/ECDSA/Diffie-
Hellman, EC-Diffie-
Hellman KAT or PCT
Public key algorithm test failed during self-test
Failure of SHS KAT Hash algorithm test failed during self-test
Failure of HMAC KAT Mac algorithm test failed during self-test
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
36 of 45
Failure of integrity test The checksum of the library is incorrect. Integrity has been
compromised
Table 8: Error Messages Related to Self-Test Failure
It is the applications responsibility to reboot the appliance to recover the module from the error
state. The library will not cause the rebooting of the appliance.
10.2. Integrity Check
The cryptographic module uses the HMAC-SHA-256 message authentication code of the module
binary for the integrity tests. The module reads the module binary file, computes the HMAC-SHA-
256 MAC of the file content and compares it to the known correct MAC that is input to the module
when it is loaded.
10.3. Conditional Tests
Algorithm Test
DSA Pair-wise consistency test
RSA Pair-wise consistency test
ECDSA Pair-wise consistency test
DRBG Continuous test
Table 9: Conditional Tests
The following are the error messages related to conditional test failure:
Reason For Failure Error Message
Failure of DSA pair-wise
consistency test
Cryptographic Library error occurred (1)
Failure of RSA pair-wise
consistency test
Cryptographic Library error occurred (1)
Failure of ECDSA pair-
wise consistency test
Cryptographic Library error occurred (1)
Failure of DRBG
continuous test
Continuous DRBG test failed
Table 10: Error Messages Related to Conditional Test Failure
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
37 of 45
11. Design Assurance
11.1. Configuration Management
Git and Lotus Notes are used for configuration management of the cryptographic module.
11.2. Delivery and Operation
The cryptographic module is never released as source code. It is delivered as part of the Stonesoft
Security Engine software version 5.4.7 and later. The FIPS 140-2-compatible Security Engine
software image is downloaded from the Stonesoft website. The Security Engine software is also
preinstalled on Stonesoft appliances (see Table 2: Tested Platforms). Product information for the
appliances is available at the Stonesoft website: http://www.stonesoft.com/en/products/appliances/
11.2.1. Downloading a FIPS 140-2-compatible engine version
A FIPS 140-2-compatible version of the Security Engine software is downloaded as follows:
1. Go to the Stonesoft Downloads page at https://my.stonesoft.com/download.do.
2. Enter the Proof-of-License (POL) or Proof-of-Serial (POS) code in the License Identification field
and click Submit.
3. Click Stonesoft Security Engine Downloads. The Stonesoft Security Engine Downloads
page opens.
4. Download the .zip installation file.
5. Contact Stonesoft Support by e-mail or phone and verify the SHA-1 checksum. The correct
checksum is also shown on the download page. If e-mail is used to contact Stonesoft Support,
the Stonesoft Support PGP private key is used to sign the e-mail reply message. Verify the sig-
nature using the Stonesoft Support PGP public key available at the Stonesoft website at
http://www.stonesoft.com/en/support/support_contact_information/index.html.
11.3. Cryptographic Officer Guidance
11.3.1. Installation
The cryptographic module is delivered as part of the Stonesoft Security Engine software. To run
the cryptographic module on a Stonesoft appliance, the engine software is set to a FIPS 140-2-
compatible operating mode.
11.3.1.1 Upgrading appliances to the FIPS 140-2-compatible engine version
Stonesoft appliances are delivered with the most recent engine software preinstalled. The engine
software must be upgraded to the FIPS 140-2-compatible engine version before entering FIPS-
compatible operating mode. This is necessary even if the same version was installed previously,
because the file system checksum is stored during the upgrade process.
To upgrade to the FIPS-compatible engine version:
1. Save the FIPS 140-2-compatible engine upgrade zip file in the root directory of a USB memory
stick. Note – The engine upgrade zip file must be in the root directory of the media.
2. Contact Stonesoft support using the PGP key, available at:
http://www.stonesoft.com/en/support/support_contact_information/index.html to obtain the
correct SHA1 checksum.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
38 of 45
3. Boot up the appliance. The Engine Configuration Wizard starts.
4. Select Upgrade. The Select Source Media dialog opens.
5. Select USB Memory. The upgrade starts.
6. Select OK. The engine reboots and the Engine Configuration Wizard starts with the engine im-
age verification dialog shown. Select Calculate SHA1. The SHA1 checksum is calculated and
displayed below the checksum from the engine image zip file.
7. Verify that the calculated checksum is identical to the checksum from the zip file and that both
checksums match the checksum provided by Stonesoft Support.
8. Select OK. The engine reboots.
9. Check the engine version to make sure that the certified version is loaded.
Continue as instructed in Configuring the engine, below.
11.3.1.2 Configuring the engine
To configure the engine:
1. Start the Engine Configuration Wizard as instructed in the Configuring the Engine in the
Engine Configuration Wizard section of the Firewall/VPN Installation Guide.
2. Configure the Operating System settings as instructed in the Configuring the Operating
System Settings section of the Firewall/VPN Installation Guide. Select Restricted FIPS-
compatible operating mode. The SSH daemon and root password options are automatically
disabled in the Engine Configuration Wizard.
3. Configure the network interfaces according to your environment as instructed in the Config-
uring the Network Interfaces section of the Firewall/VPN Installation Guide.
4. Contact the Management Server as instructed in the Contacting the Management Server
section of the Firewall/VPN Installation Guide. Enter node IP address manually is selected by
default and other IP address options are disabled when FIPS-compatible operating mode is en-
abled.
The engine restarts.
11.3.1.3 Verifying activation of FIPS 140-2-compatible operating mode
Restricted FIPS-compatible operating mode must be enabled during the initial configuration of the
appliance. The following steps describe how to verify that FIPS 140-2-compatible operating mode
has been activated.
To verify activation of FIPS 140-2-compatible operating mode:
1. Verify that the following messages are displayed on the console when the engine restarts:
FIPS: rootfs integrity check OK
(displayed after the root file system integrity test has been executed successfully)
FIPS power-up tests succeeded
(displayed after the FIPS 140-2 power-up tests have been executed successfully)
2. Continue as instructed in the After Successful Management Server Contact section of the
Firewall/VPN Installation Guide.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
39 of 45
Note – If the engine does not enter the FIPS 140-2-compatible operating mode even though it is
configured to do so, or if the power-up tests fail (a power-up test error message is displayed or the
success message is not displayed), the appliance must be reset to factory settings and reinstalled
as instructed in Recovering from a FIPS 140-2 self-test failure.
11.3.1.4 Resetting the appliance to factory settings
Resetting the appliance to factory settings is not part of the normal installation procedure. There is
no need to reset the appliance to factory settings before starting to use it for the first time. These
instructions can be used to reset the appliance to factory settings when necessary, such as when
initial configuration has been completed without enabling the Restricted FIPS 140-2-compatible
operating mode, during use, or when the appliance is being removed from use.
To reset the appliance to factory settings:
1. Reboot the appliance and select System restore options from the boot menu. Stonesoft En-
gine System Restore starts.
2. Enter 2 for Advanced data removal options.
3. Enter one of the following options:
 1 for 1 pass overwrite
 8 for a Custom number of overwrite passes
If you selected Custom, enter the number of overwrite passes. A larger number of overwrites is
more secure, but it may take a considerable amount of time depending on the appliance storage
capacity.
11.3.1.5 Recovering from a FIPS 140-2 self-test failure
If the FIPS 140-2 power-up self-tests fail, or the engine does not enter FIPS 140-2-compatible
operating mode, the appliance must be reset to factory settings and reinstalled according to these
instructions. Begin by Resetting the appliance to factory settings.
To recover from a FIPS 140-2 self-test failure:
1. Reset the appliance to factory settings as instructed in Resetting the appliance to factory
settings.
2. Repeat the engine version upgrade as instructed in Upgrading appliances to the FIPS 140-
2-compatible engine version.
3. Configure the firewall engine and enable FIPS 140-2-compatible operating mode as instructed
in Configuring the engine.
4. Verify that FIPS-compatible operating mode is activated as instructed in Verifying activation
of FIPS 140-2-compatible operating mode.
11.3.2. Entropy Source
The cryptographic module uses /dev/urandom as the entropy source. To have a sufficient amount
of entropy available, /dev/urandom must be seeded before using the cryptographic module.
During the installation of the module, 4096 bytes must be read from /dev/urandom. This data is
mixed with 32 bytes from /dev/random using an exclusive or operation. The mixed data is used to
seed /dev/urandom. The state must be saved before shutdown by writing 4096 bytes to an
entropy file for reading and seeding /dev/urandom during the next startup.
The operation is performed automatically by the Stonesoft engine software.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
40 of 45
11.3.3. Initialization
The cryptographic module is initialized using the ssh_crypto_library_initialize() function before any
cryptographic functionality is available. In order for the integrity check to succeed, the known SHA-
265 MAC needs to be available either in:
/etc/checksums.fips file
or
LIBQSCRYPTO_CHECKSUM environment variable
The /etc/checksums.fips file is provided with the Stonesoft engine software.
11.4. User Guidance
11.4.1. AES GCM
In case the module’s power is lost and then restored, the key used for the AES GCM
encryption/decryption shall be re-distributed.
11.4.2. Zeroization
When a cryptographic key is no longer used, the key must be zeroized and freed using the
ssh_cipher_free, ssh_mac_free and ssh_private_key_free functions for symmetric key
encryption/decryption, message authentication and public key cryptography, respectively.
11.4.3. Key Export
Private keys must not be exported unencrypted outside the physical module boundary from the
application using the cryptographic module.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
41 of 45
12. Mitigation of Other Attacks
No other attacks are mitigated.
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
42 of 45
13. Glossary and Abbreviations
AES Advanced Encryption Specification
API Application Programming Interface
CAVP Cryptographic Algorithm Validation Program
CBC Cypher Block Chaining
CCM Counter with Cipher Block Chaining-Message
Authentication Code
CFB Cypher Feedback
CMT Cryptographic Module Testing
CMVP Cryptographic Module Validation Program
CO Cryptographic Officer
CSP Critical Security Parameter
CTR Counter
CVT Component Verification Testing
DES Data Encryption Standard
DH Diffie-Hellman
DSA Digital Signature Algorithm
ECB Electronic Codebook
ECDH EC Diffie-Hellman
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FCC Federal Communications Commission
FIPS Federal Information Processing Standards
FSM Finite State Model
GCM Galois Counter Mode
HMAC Hash Message Authentication Code
KAT Known Answer Test
MAC Message Authentication Code
NIST National Institute of Science and Technology
NVLAP National Voluntary Laboratory Accreditation
Program
OFB Output Feedback
O/S Operating System
PCT Pair-wise Consistency Test
POL Proof-of-License
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
43 of 45
POS Proof-of-Serial
PP Protection Profile
RNG Random Number Generator
RSA Rivest, Shamir, Addleman
SHA Secure Hash Algorithm
SHS Secure Hash Standard
SSH Secure Shell
UI User Interface
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
44 of 45
14. References
[1] FIPS 140-2 Standard, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
[2] FIPS 140-2 Implementation Guidance,
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
[3] FIPS 140-2 Derived Test Requirements,
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402DTR.pdf
[4] FIPS 197, Advanced Encryption Standard (AES),
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[5] FIPS 180-4 Secure Hash Standard, http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[6] FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC),
http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[7] FIPS 186-2, Digital Signature Standard, http://csrc.nist.gov/publications/fips/archive/fips186-
2/fips186-2.pdf
[8] FIPS 186-3 Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips/fips186-
3/fips_186-3.pdf
[9] ANS X9.31 Appendix A.2.4, Random Number Generator,
http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
[10]NIST SP 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA)
Block Cipher, http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
[11]NIST SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
Authentication, http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
[12]NIST SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for
Authentication and Confidentiality, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-
38C_updated-July20_2007.pdf
[13]NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
(GCM) and GMAC, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[14]NIST SP 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode
for Confidentiality on Storage Devices, http://csrc.nist.gov/publications/nistpubs/800-38E/nist-
sp-800-38E.pdf
[15]NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes using Discrete
Logarithm Cryptography (Revised), http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-
56A_Revision1_Mar08-2007.pdf
[16]NIST SP 800-56B, Recommendation for Pair-Wise Establishment Schemes Using Integer Factor-
ization Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf
Stonesoft Cryptographic Library
FIPS 140-2 Security Policy
© 2013 Stonesoft/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
45 of 45
[17]NIST SP 800-90A, Recommendation for Random Number Generation Using Deterministic Ran-
dom Bit Generators, http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
[18]NIST SP 800-131A Recommendation for Transitioning the Use of Cryptographic Algorithms and
Key Lengths http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf