\documentclass{article}
\setlength{\textwidth}{6.5in}
\setlength{\textheight}{9in}
\setlength{\headheight}{0in}
\setlength{\topmargin}{0in}
\setlength{\headsep}{0in}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}

\title{\textbf{Botan FIPS 140-2 Security Policy}}
\author{Jack Lloyd \\ \texttt{lloyd@randombit.net}}
\date{}

\newcommand{\filename}[1]{\texttt{#1}}
\newcommand{\module}[1]{\texttt{#1}}
\newcommand{\type}[1]{\texttt{#1}}
\newcommand{\function}[1]{\textbf{#1}}
\newcommand{\macro}[1]{\texttt{#1}}

\begin{document}

\maketitle
\tableofcontents

\parskip=5pt
%\baselineskip=15pt

\pagebreak

\section{Introduction}

\emph{Note that this is a draft, and almost certainly does not comply with what FIPS 140-2 wants (also it's incomplete). In any case, there is no way for me to afford paying the validation lab, so this is all theoretical.}

\emph{I would welcome comments from people who are familiar with the FIPS 140 process. I am currently basing this off a few dozen other security policies and the FIPS itself.}

\subsection{Purpose}

This document is a security policy for the Botan C++ crypto library for use in a FIPS 140-2 Level 1 validation process. It describes how to configure and use the library to comply with the requirements of FIPS 140-2.

This document is non-proprietary, and may be freely reproduced and distributed in unmodified form.

\subsection{Product Description}

The Botan C++ crypto library (hereafter ``Botan'' or ``the library'') is an open source C++ class library providing a general-purpose interface to a wide variety of cryptographic algorithms and formats (such as X.509v3 and PKCS \#10). It runs on most Win32 and POSIX-like systems, including Windows NT/2000/XP, MacOS X, Linux, Solaris, FreeBSD, and QNX. However, only versions running on \emph{(goal:)} Windows XP, Linux, and Solaris have been validated under FIPS 140-2 at this time.
\subsection{Algorithms}

The library contains the following FIPS Approved algorithms: RSA, DSA, DES, TripleDES, Skipjack, AES, SHA-1, HMAC, the X9.19 DES MAC, and the FIPS 186-2 SHA-1 RNG. Other (non-Approved) algorithms, such as MD5 and Diffie-Hellman, are also included.

\section{Initialization}

Certain tests are only performed if the flag ``fips140'' is passed as part of the initialization process to the library (the argument to \type{LibraryInitializer} or \function{Init::initialize}). Known answer tests and key generation self-checks for RSA and DSA are always performed, regardless of this setting. This flag must be passed by any application that wishes to use the FIPS 140 mode of operation.

\section{Roles and Services}

Botan supports two roles, the User and the Crypto Officer. Authentication is not performed by the module; all authentication is implicitly done by the operating system.

\subsection{User Role}

The user has the ability to access the services of the module. This role is implicitly selected whenever the module's services are accessed.

\subsection{Crypto Officer Role}

The crypto officer has all of the powers of the user, and in addition has the power to install and uninstall the module and to configure the operating system. This role is implicitly selected whenever these actions are performed.

\section{Key Management}

\subsection{Key Import/Export}

Symmetric keys can be imported and exported in unencrypted, encrypted, or split-knowledge form, as the application desires. Private keys for asymmetric algorithms can be imported and exported as either encrypted or unencrypted PKCS \#8 structures. The library natively supports PKCS \#5 encryption with TripleDES for encrypting private keys.

\subsection{Key Storage}

In no case does the library itself import or export keys from/to an external storage device; all such operations are done explicitly by the application.
It is the responsibility of the operator to ensure that any such operations comply with the requirements of FIPS 140-2 Level 1.

\subsection{Key Generation}

Keys for symmetric algorithms (such as DES, AES, and HMAC) are generated by an Approved RNG, by generating a random byte string of the appropriate size and using it as the key. DSA keys are generated as specified in FIPS 186-2 (or not?). RSA keys are generated as specified in ANSI X9.31 (\emph{I think...}). Diffie-Hellman keys are generated in a manner compatible with ANSI X9.42.

All newly created DSA and RSA keys are checked with a pairwise consistency test before being returned to the caller. A pairwise consistency check can be performed on any RSA, DSA, or Diffie-Hellman key by calling the \function{check\_key} member function with an argument of \type{true}.

\subsection{Key Establishment}

Botan supports using RSA or Diffie-Hellman to establish keys. RSA can be used with PKCS \#1 v1.5 or OAEP padding. None of these methods are FIPS Approved, but Annex D of FIPS 140-2 allows for their use until such time as a FIPS Approved asymmetric key establishment method is established.

\subsection{Key Protection / Zeroization}

Keys are protected against external access by the operating system's memory and process protection mechanisms. If the library is used by multiple processes at once, the OS virtual memory mechanisms ensure that each instance has its own data space (and thus keys are not shared among processes).

All keys and other sensitive materials are zeroed in memory before being released to the system. On Windows systems the \function{VirtualLock} system call is used to notify the operating system that the memory containing potentially sensitive keying material must not be swapped to disk, preventing an attacker from applying disk forensics techniques to recover the data. On Unix systems, Botan allocates memory from file-backed memory mappings, which are thoroughly erased when the memory is freed.
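The locking and zeroization described above, as an added C example that is not Botan's own allocator: it uses an anonymous mapping plus \texttt{mlock} (the POSIX analogue of \function{VirtualLock}) rather than Botan's file-backed mapping, wipes through a \texttt{volatile} pointer so the compiler cannot drop the stores, and the sample key bytes are constructed. The helper names \texttt{secure\_alloc}, \texttt{secure\_wipe}, \texttt{secure\_free} and \texttt{residue\_after\_wipe} are hypothetical.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed 16-byte sample key for the demonstration; not a real key. */
static const unsigned char SAMPLE_KEY[16] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };

/* Zero a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead code, which it may do with memset() right before free(). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical helper: map a private anonymous region for key material and
 * ask the kernel to keep it resident; mlock() is the POSIX analogue of
 * VirtualLock(). *locked reports whether the lock succeeded (it can fail
 * under RLIMIT_MEMLOCK), which a caller in FIPS mode may treat as fatal. */
unsigned char *secure_alloc(size_t n, int *locked) {
    void *p = mmap(NULL, n, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    *locked = (mlock(p, n) == 0);
    return (unsigned char *)p;
}

/* Wipe the key material before the pages go back to the OS. */
void secure_free(unsigned char *p, size_t n) {
    secure_wipe(p, n);
    munlock(p, n);
    munmap(p, n);
}

/* Load SAMPLE_KEY into a locked buffer, wipe it, and count bytes that are
 * still non-zero. Returns -1 if mmap failed; 0 means no residue remains. */
int residue_after_wipe(void) {
    int locked = 0, residue = 0;
    size_t n = sizeof SAMPLE_KEY;
    unsigned char *buf = secure_alloc(n, &locked);
    if (buf == NULL) return -1;
    memcpy(buf, SAMPLE_KEY, n);
    secure_wipe(buf, n);
    for (size_t i = 0; i < n; i++) residue += (buf[i] != 0);
    secure_free(buf, n);   /* wipes again, then unmaps */
    return residue;
}
```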
\section{References}

\end{document}