Apple FIPS Cryptographic Module, V1.1 FIPS 140-2 Non .

2y ago
15 Views
2 Downloads
485.55 KB
21 Pages
Last View : 2m ago
Last Download : 2m ago
Upload by : Arnav Humphrey
Transcription

Apple Inc. Apple FIPS Cryptographic Module, v1.1FIPS 140-2 Non-Proprietary Security PolicyDocument Control NumberAPPLEFIPS SECPOL 002.16Version 2.16March 16, 2011Prepared by:Shawn GeddisApple Inc.11921 Freedom DriveSuite 600Reston, VA 20190Phone: (703) 264-5103Fax: (703) 264-5157www.apple.comAPPLEFIPS SECPOL 002.16 Copyright 2012Page 1

Table of ContentsFIPS SECURITY LEVEL OVERVIEW .3EXECUTIVE SUMMARY .3OVERVIEW.3INTRODUCTION.4APPLE FIPS CRYPTOGRAPHIC MODULE .5OVERVIEW.5CRYPTOGRAPHIC MODULE SPECIFICATION.8MODES OF OPERATION .9CRYPTOGRAPHIC MODULE PORTS AND INTERFACES .10ROLES, SERVICES, AND AUTHENTICATION.11Roles .11Services .11Authentication.12PHYSICAL SECURITY.12OPERATIONAL ENVIRONMENT .12CRYPTOGRAPHIC KEY MANAGEMENT.13Key Generation .13Key Establishment .13Key Entry and Output .13Key Storage.13Key Zeroization.13List of Keys and CSP .14EMI/EMC .14SELF-TESTS .15DESIGN ASSURANCE.16MITIGATION OF OTHER ATTACKS.16SECURE OPERATION.17SECURITY FUNCTIONS .17CRYPTO OFFICER GUIDANCE.19USER GUIDANCE.19GLOSSARY AND REFERENCES .20GLOSSARY.20REFERENCES.21APPLEFIPS SECPOL 002.16 Copyright 2012Page 2

Section 1FIPS Security Level OverviewFIPS SectionLevelCryptographic Module Specification1Cryptographic Module Ports and Interfaces1Roles, Services, and Authentication1Finite State Model1Physical SecurityN/AOperational Environment1Cryptographic Key Management1EMI/EMC1Self-Tests1Design Assurance1Mitigation of Other AttacksN/ATable 1 FIPS Security Level OverviewSection 2Executive SummarySection 2.1OverviewThis document is the non-proprietary security policy supporting the Apple FIPS CryptographicModule, v1.1. This document may be reproduced only in its original entirety, without revision.This security policy describes the module and how it meets the security requirements of FIPS140-2. It also provides a specification of the FIPS 140-2 security rules under which the moduleoperates. This document was prepared as part of the FIPS 140-2 Level 1 validation of themodule.With the exception of this non-proprietary security policy as well as the Role Guide: CryptoOfficer, all other FIPS 140-2 validation submission documentation is proprietary to Apple Inc.and is releasable only under appropriate non-disclosure agreements. For access to thesedocuments, please contact Apple Inc.APPLEFIPS SECPOL 002.16 Copyright 2012Page 3

Section 2.2IntroductionThe Level 1 Apple FIPS Cryptographic Module, v1.1 is included within OS X Lion v10.7 for useby 3rd party applications and services. The module consists of the Apple Cryptographic ServiceProvider (AppleCSP), the module’s PRNG, and the FIPSPerformSelfTest helper application. Thismodule continues to provide cryptographic services for 3rd party applications and services stillusing CDSA while OS X Lion uses a separate next generation cryptographic module for Appleapplications and services.APPLEFIPS SECPOL 002.16 Copyright 2012Page 4

Section 3Apple FIPS Cryptographic ModuleSection 3.1OverviewCDSA (Common Data Security Architecture) provides cryptographic services for 3rd partyapplications on OS X Lion, therefore Apple has re-validated CDSA for the benefit of 3rd partyproducts only.CDSA provides security services and has its own standard applicationprogramming interface (API). OS X Lion includes new security APIs that call upon nextgeneration cryptography but still includes the CDSA APIs for 3rd party applications. Legacy 3rdParty applications directly call the CDSA security APIs. Figure 1 below illustrates thisarchitecture.ApplicationsLegacy Security ServicesOS X Lion Security ServicesAPIAPIAPIAPIAPIAPIAPIAPINext Generation CryptographyCDSAAPIBSD and MachFigure 1 OS X Lion Security Architecture OverviewCDSA is an Open Source security architecture adopted as a technical standard by the OpenGroup. Apple has developed its own Open Source implementation of CDSA. The core of CDSAis CSSM (Common Security Services Manager), a set of Open Source code modules thatimplement a public API called the CSSM API. CSSM provides APIs for cryptographic services(such as creation of cryptographic keys, encryption and decryption of data), certificate services(such as creation of digital certificates, reading and evaluation of digital certificates), securestorage of data, and other security services.APPLEFIPS SECPOL 002.16 Copyright 2012Page 5

CSSM also defines an interface for plug-ins that implements security services for a particularoperating system and hardware environment. The implementation on a given platform canoptionally supply a middleware layer that provides an operating-system-specific API forapplications. Whether such a layer is present or not, applications can call the CSSM API directly.The validated CDSA module implements nearly all the standard features of CSSM, plus a set ofmiddleware security services to provide a standard interface for application programmers.The CDSA standard defines a four-layer architecture, with the top layer being the applicationsthat use the CDSA security features. Figure 2 below illustrates the implementation of CDSA andshows the first three layers: the CDSA plug-ins, CSSM, and the security APIs, which constitutethe middleware layer. The Authorization Services, the Security Server daemon, and the SecurityAgent shown in the figure are technically outside of CDSA, but they are shown here forcompleteness because they constitute an integral part of the security architecture.Legacy Security TransportSecurityObjective-CAPICertificate,Key, and TrustServicesAuthorizationServicesCSSM APICSSMSecurity a telibraryTrust TPtrust policylibraryAppleCSPFigure 2 Implementation of CDSAAPPLEFIPS SECPOL 002.16 Copyright 2012Page 6

Security contexts in Figure 2 are data structures used by CSSM to assist applications inmanaging the many parameters used in security operations. The CSSM managers implement thestandard CSSM API. The CDSA plug-ins shown in Figure 2 are those provided by the module .The CDSA specification allows any number of plug-ins. As long as a plug-in follows the rulesfor interfacing with the CSSM managers, it can implement any portion of the CDSA feature set,including a combination of features associated with two or more of the CSSM managers. TheCDSA specification even allows for the expansion of CDSA by the addition of elective modulemanagers and associated plug-ins. Plug-ins can call each other as well as being called by theCSSM managers and, in fact, it is common for them to do so. All secure communications andauthentication protocols are based on keys and encryption provided by the AppleCSP.APPLEFIPS SECPOL 002.16 Copyright 2012Page 7

Section 3.2Cryptographic Module SpecificationThe logical cryptographic boundary of Apple FIPS Cryptographic Module, v1.1 (“Modulelibrary”) is the shared object library itself. The logical cryptographic boundary consists of theApple Cryptographic Service Provider (AppleCSP), the module’s PRNG, and theFIPSPerformSelfTest helper application. The AppleCSP is a basic plug-in module that workstogether with the helper application. The PRNG is used in generating the module’s keys. TheFIPSPerformSelfTest file performs the FIPS required power on self-tests for the AppleCSP. Thephysical cryptographic boundary of the Module library is the enclosure of the computer systemon which the module is running.Figure 3 below shows the cryptographic boundary of the module. The logical boundary isindicated by the red dotted line while the physical boundary is indicated by the black dotted line.The Power On Self Test block within the diagram represents the FIPSPerformSelfTest file, thePRNG block represents the module’s PRNG, and the CSP Module block within the diagramrepresents the AppleCSP.Calls Sec* API FunctionPasses in Input andReceives Output and StatusApplicationOperating SystemSec* APIsCalls Sec* API FunctionPasses in Input andReceives Output and StatusCalls Sec* API FunctionPasses in Input andReceives Output and StatusExternal hardware(keyboard, mouse,video display, etc.)Power OnSelf TestPRNGCDSACSP ModuleDLCLTPFigure 3 Cryptographic Module BoundaryAPPLEFIPS SECPOL 002.16 Copyright 2012Page 8

Section 3.3Modes of OperationThe module has two modes of operation: Approved mode and Non-approved mode. The moduleruns in the Approved mode by default. The module is considered running in the Non-approvedmode when the module uses an internally generated RSA key pair for signature generation andverification, RSA key wrapping, or any non-allowed algorithms listed in Table 6. RSA Keywrapping is not allowed in the Approved mode because RSA keys are generated using a Nonapproved key generation method as listed in Table 6.The installation of the Apple FIPS Cryptographic Module by the Crypto Officer involves foursteps and more information about these steps can be found in the “Role Guide: Crypto Officer”document:1.2.3.4.Obtaining the FIPS Administration Tools installerInstalling the FIPS Administration ToolsVerifying the FIPS Administration Tools were successfully installedVerify the integrity of the FIPS Administration ToolsThe User can also verify the Apple FIPS Cryptographic Module status by running theFIPSPerformSelfTest status command in the Terminal application. More information is availableabout the module on the Apple Support website http://www.apple.com/support/ and searching forFIPS.APPLEFIPS SECPOL 002.16 Copyright 2012Page 9

Section 3.4Cryptographic Module Ports and InterfacesThe cryptographic module is a software module. This module was tested on the 15-inchMacBook Pro portable computer platform. The platform for the module provides a number ofphysical ports and logical interfaces. The platform’s physical ports correspond to the ports of theportable computer that executes the module. They include a 15.4 inch display, power button,power adaptor port, two USB 2.0 ports, audio line in/optical digital audio input, headphone/optical digital audio output, two AirPort Extreme/Bluetooth wireless antennas, ExpressCard/34slot, FireWire 800 port, Gigabit Ethernet, Mini DisplayPort, SuperDrive optical drive, keyboard,trackpad, speaker, microphone, iSight video camera and LEDs. The module implements therequired FIPS 140-2 logical interfaces through application programming interface (API) calls asshown in the following table.FIPS 140-2 LogicalModule Physical PortsModule Logical InterfacesInterfacesData InputUSB, audio line in/optical digital Data passed to the API calls to be usedaudio input, wireless antennas, by the ModuleExpressCard/34, FireWire,Ethernet, SuperDrive,microphone, iSight video cameraData OutputDisplay, USB, headphone/optical Data returned from API calls,digital audio output, wirelessgenerated by the Moduleantennas, ExpressCard/34,FireWire, Ethernet, MiniDisplayPort, SuperDrive, speakerControl InputUSB, wireless antennas,Exported API callsExpressCard/34, FireWire,Ethernet, SuperDrive, trackpad,keyboardStatus OutputDisplay, USB, wireless antennas, Returned status information and returnExpressCard/34, FireWire,codes provided by API function callsEthernet, SuperDrive, Miniafter executionDisplayPort, LEDsPowerPower button, power adaptorN/Aport, battery packTable 2 Mapping of Ports and InterfacesAPPLEFIPS SECPOL 002.16 Copyright 2012Page 10

Section 3.5Roles, Services, and AuthenticationSection 3.5.1RolesThe Apple cryptographic module supports two authorized roles: User and Crypto Officer.The User can request access to the module in order to use its cryptographic services.The Crypto Officer can request access to install or remove the module as well as perform poweron self tests and check the status of the module.Section 3.5.2RoleServicesServiceCritical Security Parameter(CSP) AccessUserShow FIPS Enabled StatusReadShow FIPSPerformSelfTestReadVersionAES secret key data encryption/ Write, ExecutedecryptionTriple-DES secret key dataWrite, Executeencryption/decryptionRSA/DSA/ECDSA Signature Write, Executegeneration and verificationDiffie-Hellman public/private Write, Executekey agreementElliptic Curve Diffie-Hellman Write, Executepublic/private key agreementPseudo Random NumberWrite, ExecuteGeneration (PRNG)SHS HashingWrite, ExecuteHMAC SHA-1 Keyed Hashing Write, ExecuteCrypto OfficerInstallationShow FIPS Enabled StatusShow FIPSPerformSelfTestVersionShow PLEFIPS SECPOL 002.16 Copyright 2012Page 11

Show FIPSPerformSelfTestWrite, ExecuteCreatePerform Full FIPS Self TestExecuteAES secret key data encryption/ Write, ExecutedecryptionTriple-DES secret key dataWrite, Executeencryption/decryptionRSA/DSA/ECDSA Signature Write, Executegeneration and verificationDiffie-Hellman public/private Write, Executekey agreementElliptic Curve Diffie-Hellman Write, Executepublic/private key agreementPseudo Random NumberWrite, ExecuteGeneration (PRNG)SHS HashingWrite, ExecuteHMAC SHA-1 Keyed Hashing Write, ExecuteTable 3 Roles and ServicesSection 3.5.3AuthenticationWithin the constraints of FIPS 140-2 Level 1, the module does not implement an authenticationmechanism for operator authentication. The module relies upon the operating system, which liesoutside the logical boundary, for operator authentication.Section 3.6Physical SecurityPhysical Security is not required for the software module. The FIPS software was tested on a 15inch MacBook Pro laptop computer with an Intel microprocessor running at a clock speed of2.93 GHz. The computer is made from production grade components and includes a lightweightaluminum alloy production grade enclosure.Section 3.7Operational EnvironmentThe software module runs on OS X Lion in single operator mode of operation. When the Macoperating system loads the module into memory, the FIPSPerformSelfTest runs code signing(RSA Signature) validations on all components of the module with the exception of HMACSHA1 validation on the PRNG, which will ensure a full cryptographic verification of themodule. Loading will only continue if the module passes these checks. A number of other selftests are also run at this time. The complete list of self-tests are listed in section 3.10.APPLEFIPS SECPOL 002.16 Copyright 2012Page 12

Section 3.8Cryptographic Key ManagementThe module provides the capability to use cryptographic keys with several algorithms. Theimplemented FIPS-approved algorithms include AES, Triple-DES, RSA/DSA/ECDSA,SHA-1/224/256/384/512, HMAC SHA-1, and FIPS 186-2 PRNG.Section 3.8.1Key GenerationThis module implements the FIPS Approved FIPS 186-2 PRNG to generate keys and uses thosekeys directly without further modification.Section 3.8.2Key EstablishmentThe module uses Diffie-Hellman and Elliptic Curve Diffie-Hellman key agreement for keyestablishment. Methodologies providing a minimum of 80 bits of encryption strength are allowedin the FIPS mode of operation. Encryption strength is determined in accordance with FIPS 140-2Implementation Guidance 7.5 and NIST Special Publication 800-57 (Part 1).Section 3.8.3Key Entry and OutputAll keys are imported from, or output to, the invoking program running on the same computer.All keys entered into the module are electronically entered in plain text form. Keys are outputfrom the module in plain text form.Section 3.8.4Key StorageKeys stored in memory are stored in plaintext.Section 3.8.5Key ZeroizationAll keys can be zeroized by overwriting them, deleting them, or by rebooting the computer. AllInput keys are passed into the module as a read-only constant and the Output keys are written bythe module directly to the memory location provided by the calling application. The callingapplication owns the memory and has direct ability to zeroize those keys by overwriting themwhen requesting new keys from the module to replace existing keys in memory owned by thecalling application, deleting them by issuing a zeroization command within the callingapplication, or the system can be rebooted to clear all keys in memory.APPLEFIPS SECPOL 002.16 Copyright 2012Page 13

Section 3.8.6List of Keys and CSPCSPsAES keysCSPs typeSymmetric secretkeysTriple-DES keys Symmetric secretkeysRSA/DSA/AsymmetricECDSA Key Pairs private and publickey pairsRSA Key PairsAsymmetricprivate and publickey pairsDiffie-HellmanDiffie-Hellmanand Eliptic Curve and Eliptic CurveDiffie-HellmanDiffie-Hellmankey pairsprivate and publickey pairs1RSA Key PairsKey wrapping keyGenerationStorageInternal via FIPS Plaintext2186-2 PRNGInternal via FIPS Plaintext2186-2 PRNGInternal via FIPS Plaintext2186-2 PRNGExternalPlaintext2Internal via FIPS Plaintext2186-2 PRNGInternal via FIPS Plaintext2186-2 PRNGHMAC keyTriple-DES key Internal via FIPS Plaintext2186-2 PRNGFIPS 186-2 PRNG Secret key values Internal – byPlaintext2seed keysgathering entropyUseData encryption/decryptionData encryption/decryptionSigning andVerificationSigning andVerificationKey agreementKey wrappingMessageauthenticationPseudo-randomnumber generatorfor keys1Note : Internally generated RSA keys must never be used in a FIPS Approved mode ofoperation for signature generation and verification and for RSA key wrapping.Note 2: Keys stored in memory are stored in plaintext.Table 4 List of Keys and CSPSection 3.9EMI/EMCThe module is designed to meet security level 1 requirements for EMI/EMC. The module wastested and found compliant with requirements for a Class B digital device.APPLEFIPS SECPOL 002.16 Copyright 2012Page 14

Section 3.10Self-TestsThe module performs a set of self-tests to ensure proper operation in compliance with FIPS140-2. These self-tests are run during power-on (power-on self-tests) or when certain conditionsare met (conditional self-tests). Self tests are performed for the approved security functions andalgorithms as required.Power-On Self-TestsSoftware Integrity Test (RSA and HMAC-SHA1)RNG KATAES KATTriple-DES KATRSA SHA-1 KATRSA SHA-224 KATRSA SHA-256 KATRSA SHA-384 KATRSA SHA-512 KATDSA Pairwise Consistency Test (DSA Key GEN/DSA SIG GEN/DSA SIG VER)ECDSA Pairwise Consistency Test (ECDSA KEYGEN/ECDSA SIG GEN/ECDSA SIG VER)SHA-1 KATSHA-224 KATSHA-256 KATSHA-384 KATSHA-512 KATHMAC SHA-1 KATConditional Self-TestsCRNG TestsDSA Pairwise Consistency TestECDSA Pairwise Consistency TestAPPLEFIPS SECPOL 002.16 Copyright 2012Page 15

Section 3.11Design AssuranceApple manages and records source code and associated documentation files. Apple implements asystem for document and source code management compliant with FIPS 140-2 Level 1 security.The Apple module hardware data, which includes descriptions, parts data, part types, bills ofmaterials, manufacturers, changes, history, and hardware documentation are managed andrecorded. Additionally, configuration management is provided for the module’s FIPSdocumentation. Document management utilities provide access control, versioning, and logging.Section 3.12Mitigation of Other AttacksThe module does not use other security mechanisms to mitigate against specific attacks.APPLEFIPS SECPOL 002.16 Copyright 2012Page 16

Section 4Secure OperationSection 4.1Security FunctionsThe module meets Level 1 requirements for FIPS 140-2.The Apple cryptographic module supports the following approved and non-approved ateNumberMode/Key Size/DescriptionAsymmetricKeyRSAPKCS#1 v1.5ECDSAANSI X9.62DSAFIPS 186-2AESFIPS 197PKCS#1 v1.5: SigGen; SigVer;1024, 1536, 2048, 3072, 4096;SHA-1, SHA-224, SHA-256,SHA-384, SHA-512KeyGen; SigGen; SigVer:Curves(P-192 P-256 P-384 P-521)FIPS186-2: KeyGen Mod(1024);SigGen Mod(1024); e/d; 128,192,256); CBC(e/d;128,192,256)FIPS 46-3, SP TECB(e/d; KO 1,2); TCBC(e/d;800-67KO 1,2)18721216PRNGsFIPS186-2 PRNG FIPS 186-2FIPS 186-2: x-Original; SHA-1981SHA-1SHA-224SHA-256SHA-384SHA-512Byte orienting hashingByte orienting hashingByte orienting hashingByte orienting hashingByte orienting hashing16451645164516451645HashesFIPS 180-2FIPS 180-2FIPS 180-2FIPS 180-2FIPS 180-2Keyed-HashesHMAC SHA-1FIPS 198Table 5 Approved FIPS 140-2 Security Functions1116APPLEFIPS SECPOL 002.16 Copyright 2012Page 17

ServiceAlgorithmStandardMode of OperationCiphersDESBlowfishCASTASCRC2RC4RC5ECB, CBCECB, CBCECB, CBCECB, CBCECB, CBCECB, CBCAsymmetricKeyRSA (key wrapping; key establishmentmethodology provides between 80 andRSA Encrypt/Decrypt128 bits of encryption strength; noncompliant less than 80 bits ofencryption strength)RSA Key Generation PKCS#1RSA (key generation)Diffie-Hellman (key agreement; keyestablishment methodology providesDiffie-HellmanANSI X9.42 between 80 and 112 bits of encryptionstrength; non-compliant less than 80bits of encryption strength)EC Diffie-Hellman (key agreement;Elliptic Curve Diffiekey establishment methodologyANSI X9.63Hellmanprovides between 80 and 256 bits ofencryption strength).FEEHashesMD2MD5KeyedHashesHMAC MD5Table 6 Non-Approved FIPS 140-2 Security FunctionsAPPLEFIPS SECPOL 002.16 Copyright 2012Page 18

Section 4.2Crypto Officer GuidanceThe Crypto Officer must operate the module in a manner consistent with the guidance providedwithin the “Role Guide: Crypto Officer” document. The secure operation procedures include theinitial setup, configuring the module in a FIPS compliant manner, and keeping the module in aFIPS-approved mode of operation.Section 4.3User GuidanceThe User must operate the module in a manner consistent with the guidance provided within theApple Support document “How to set up and maintain a FIPS-enabled system” to make sure thatonly approved security functions are allowed in the FIPS approved mode of operation. Only theservices listed in Table 3 should be used if a FIPS approved mode of operation is to be maintained.All security functions listed in Table 5 can be used in the FIPS approved mode of operation.Although outside the boundary of the module, the User should be careful not to providecryptographic keys or other critical security parameters (CSPs) to other unauthorized parties.In addition to the security functions listed in Table 5, both Diffie-Hellman and Elliptic CurveDiffie-Hellman for key agreement listed in Table 6 are also allowed in the FIPS approved modeof operation. No other non-approved security function should be used. Key establishmentmethodologies provide a minimum of 80 bits of encryption strength. Encryption strength isdetermined in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST SpecialPublication 800-57 (Part 1).The User can verify the Apple FIPS Cryptographic Module status by running theFIPSPerformSelfTest status command in the Terminal application. The User can verify the AppleFIPS Cryptographic Module version by running the FIPSPerformSelfTest version command inthe Terminal application. More information is available about the module on the Apple Supportwebsite http://www.apple.com/support/.and searching for FIPS.APPLEFIPS SECPOL 002.16 Copyright 2012Page 19

Section 5Glossary and ReferencesGlossarySection EDMACNISTPRNGRAMSHAApplication Programming InterfaceBerkeley Software DistributionCipher Block ChainingCommon Data Security ArchitectureCryptographic Module Validation ProgramCyclical Redundancy CheckCritical Security ParameterCommon Security Services ManagerError Detection CodeElectromagnetic CompatibilityElectromagnetic InterferenceFederal Communication CommissionFederal Information Processing StandardKnown Answer TestLight Emitting DiodeMessage Authentication CodeNational Institute of Standards and TechnologyPseudo Random Number GeneratorRandom Access MemorySecure Hash AlgorithmAPPLEFIPS SECPOL 002.16 Copyright 2012Page 20

Section 5.2ReferencesThis document deals only with operations and capabilities of the module in the technical terms ofa FIPS 140-2 cryptographic module security policy. More information is available about themodule on the Apple Support website http://www.apple.com/support/.and searching for FIPS.To get the latest updates on Apple’s security services and for pointers to other Apple securityresources, go to the ADC technology page for security at http://developer.apple.com/security/.CDSA, included as part of OS X Lion, is an Open Source standard by the Open Group (http://www.opengroup.org/security/cdsa.htm). For an introduction to CDSA, see CDSA Explained,second edition, from the Open Group. The CDSA/CSSM technical standard is Common Security:CDSA and CSSM, version 2 (with corrigenda), also from the Open Group.Information on the full line of products from Apple can be found at (http://www.apple.com/mac).Information on FIPS 140-2 validations and the Cryptographic Module Validation Program can befound at (http://csrc.nist.gov/groups/STM/cmvp/). The website also contains contact informationfor answers to technical or sales-related questions regarding the Cryptographic ModuleValidation Program.APPLEFIPS SECPOL 002.16 Copyright 2012Page 21

Data Storage Library Services Manager Certificate Library Services Manager Trust Policy Services Manager Security contexts . The logical cryptographic boundary of Apple FIPS Cryptographic Module, v1.1 (“Module library”) is the shared object library itself. . FireWire, Ethernet, Mini

Related Documents:

The Barracuda Cryptographic Software Module is a cryptographic software library that provides fundamental cryptographic functions for applications in Barracuda security products that use Barracuda OS v2.3.4 and require FIPS 140-2 approved cryptographic functions. The FIPS 140-2 validation of the Barracuda Cryptographic Software

FIPS 140-2 Security Policy KeyPair FIPS Object Module for OpenSSL Page 4 of 18 1 Introduction This document is the non-proprietary security policy for the KeyPair FIPS Object Module for OpenSSL (FIPS 140-2 Cert. #3503), hereafter referred to as the Module. The Module is a software library providing a C language application program interface (API) for use by

An “OpenSSL FIPS Object Module” (a.k.a. “FIPS module”) had been previously created. The FIPS module is a specially devised software component that was designed for compatibility with OpenSSL and created so that users can use a version of OpenSSL as a FIPS 140-validated cryptographic module. The FIPS module is about one-sixth the

these applications also support Kerberized connections. For the purposes of FIPS- 140- 2 validation the Module is classified as a multi-chip stand-alone Module. 2.2 Cryptographic Boundary The logical cryptographic boundary for the Module is the library itself. An in-core memory cryptographic digest (HMAC-SHA-1) is computed on the Cryptographic

the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CSE Cryptographic Module Validation Program (CMVP .

The Oracle Linux OpenSSL Cryptographic Module (hereafter referred to as the “Module”) is a software module supporting FIPS 140-2 Approved cryptographic algorithms within Oracle Linux. The code base of the Module is formed in a combination of standard OpenSSL shared Library, OpenSSL FIPS Object Module, and development

ColorTokens OpenSSL FIPS Object Module This document is the non-proprietary security policy for the ColorTokens OpenSSL FIPS Object Module, hereafter referred to as the Module. The Module is a software cryptographic module that is built from the OpenSSL. The module is a

Le Code s’applique à tous les partenaires, aux cadres et aux membres du conseil d’administration, de même qu’au personnel temporaire et aux entrepreneurs indépendants. Nous demandons également aux tiers qui travaillent à notre compte de respecter les mêmes normes éthiques rigoureuses. En tant que partenaires, nous devons