FIPS Operational Environment: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
Line 168: Line 168:
* process ID (pid) of the process using the NSS cryptographic module
* process ID (pid) of the process using the NSS cryptographic module
* user ID (uid) of the user who owns the process
* user ID (uid) of the user who owns the process
* the PKCS #11 function that generated the event. For example, <code>FC_Login</code>.
* the actual audit message, which usually consists of
* the arguments and return code (error code) of the function. Arguments that contain sensitive information such as passwords are omitted.
** the PKCS #11 function that generated the event. For example, <code>FC_Login</code>.
* the type of event (an error message). For example, "power-up self-tests failed".
** the arguments and return code (error code) of the function. Arguments that contain sensitive information such as passwords are omitted.
** (optional) an error message. For example, "power-up self-tests failed".


The following events are auditable by the NSS cryptographic module.
The following events are auditable by the NSS cryptographic module.
Line 181: Line 182:
* requests to use authentication data management mechanisms
* requests to use authentication data management mechanisms
** FC_InitPIN calls (which initialize the NSS User's password)
** FC_InitPIN calls (which initialize the NSS User's password)
*** "C_InitPIN(hSession=<session handle>)=<return code>"
** FC_SetPIN calls (which change the NSS User's password)
** FC_SetPIN calls (which change the NSS User's password)
*** "C_SetPIN(hSession=<session handle>)=<return code>"
* use of a security-relevant crypto officer function
* use of a security-relevant crypto officer function
** FC_InitToken calls (which re-initialize the module)
** FC_InitToken calls (which re-initialize the module)
*** "C_InitToken(slotID=<slot ID>, pLabel="<token label>")=<return code>"
** FC_InitPIN calls (which initialize the NSS User's password)
** FC_InitPIN calls (which initialize the NSS User's password)
*** "C_InitPIN(hSession=<session handle>)=<return code>"
* requests to access authentication data associated with the cryptographic module
* requests to access authentication data associated with the cryptographic module
** N/A. The module doesn't give the operator access to the authentication data.
** N/A. The module doesn't give the operator access to the authentication data.
* use of an authentication mechanism (e.g., login) associated with the cryptographic module
* use of an authentication mechanism (e.g., login) associated with the cryptographic module
** FC_Login calls
** FC_Login calls
*** "C_Login(hSession=<session handle>, userType=<user type>)=<return code>"
** FC_Logout calls
** FC_Logout calls
*** "C_Logout(hSession=<session handle>)=<return code>",
* explicit requests to assume a crypto officer role
* explicit requests to assume a crypto officer role
** N/A. The crypto officer role is assumed implicitly when the operator performs crypto officer functions.
** N/A. The crypto officer role is assumed implicitly when the operator performs crypto officer functions.
Line 196: Line 203:
* other auditable events
* other auditable events
** Power-up self-test failure
** Power-up self-test failure
*** "C_Initialize()=<return code> power-up self-tests failed"
** Pair-wise consistency test failure
** Pair-wise consistency test failure
*** "C_GenerateKeyPair(hSession=<session handle>, pMechanism->mechanism=<mechanism>)=<return code> self-test: pair-wise consistency test failed"
** Continuous random number generator test failure
** Continuous random number generator test failure
*** C_GenerateRandom(hSession=<session handle>, pRandomData=<pointer>, ulRandomLen=<length>)=<return code> self-test: continuous RNG test failed"
** Switching between FIPS and non-FIPS modes
*** "enabled FIPS mode"
*** "disabled FIPS mode"

Revision as of 00:40, 15 September 2006

Operational Environment

The operational environment for the NSS cryptographic module is a general purpose, modifiable operational environment that uses one of the following commercially-available operating systems:

  • Security Level 1
    • Red Hat Enterprise Linux 4
    • Windows XP Service Pack 2
    • Solaris 10
    • HP-UX B.11.11
    • Mac OS X 10.4
  • Security Level 2
    • Red Hat Enterprise Linux 4: CAPP EAL4+
    • Trusted Solaris 8: LSPP, CAPP, and RBACPP; EAL4

Single Operator Mode of Operation

All the major general purpose operating systems today are multi-user OS. When the NSS cryptographic module is used at Security Level 1, only one user account should be created in the OS. The following explains how to configure each OS for single user.

Mac OS X Instructions

To delete other user accounts

  1. Log into your user account.
  2. From the Apple menu, choose System Preferences.
  3. From the View menu, choose Accounts.
  4. All the user accounts are listed on the left hand side of the Accounts dialog. Your user account is listed under My Account and should have Admin privilege. If there is no user account under Other Accounts, stop here. Otherwise, follow the steps below to delete the other accounts.
  5. If the lock icon at the lower left corner of the Accounts dialog is locked, click the lock to make changes.
  6. Select a user account under Other Accounts.
  7. Click the minus sign (-) at the lower left corner of the Accounts dialog to delete the selected user account.
  8. Repeat the above two steps until there is no user account under Other Accounts.

To turn off remote login and other sharing services

  1. Log into your user account.
  2. From the Apple menu, choose System Preferences.
  3. From the View menu, choose Sharing.
  4. In the Sharing dialog, select the Services tab. All the services are listed under the message "Select a service to change its settings." If none of the checkboxes is checked, stop here. Otherwise, follow the steps below.
  5. If the lock icon at the lower left corner of the Sharing dialog is locked, click the lock to make changes.
  6. The checkboxes for Remote Login, FTP Access, and Apple Remote Desktop must be unchecked.
  7. Personal File Sharing, Windows Sharing, and Personal Web Sharing give users of other computers read/write or read access to the Public folders, shared folders, and sites folders on the computer. It is prudent to uncheck these checkboxes, just in case the cryptographic module's program or data files are stored in one of these folders by mistake.
  8. It is fine if Remote Apple Events, Printer Sharing, or Xgrid are enabled. But do not check these checkboxes unless you need to enable these services.

Unix Instructions

The general idea is the same across all Unix variants.

  • Remove all login accounts except "root" (the superuser).
  • Disable NIS and other name services for users and groups.
  • Turn off all remote login, remote command execution, and file transfer daemons.

The specific procedures for each of the UNIX variants are described below.

HP-UX

  1. Log in as the "root" user.
  2. Edit the system file /etc/passwd and remove all the users except "root" and the pseudo-users. Make sure the password fields for the pseudo-users are a star (*). This prevents login as the pseudo-users.
  3. Edit the system file /etc/nsswitch.conf. Make sure that files is the only option for passwd and group. This disables NIS and other name services for users and groups.
  4. Edit the system file /etc/inetd.conf. Remove or comment out the lines for remote login, remote command execution, and file transfer daemons such as telnetd, rlogind, remshd, rexecd, ftpd, and tftpd.
  5. Reboot the system for the changes to take effect.

Red Hat Enterprise Linux

  1. Log in as the "root" user.
  2. Edit the system files /etc/passwd and /etc/shadow and remove all the users except "root" and the pseudo-users. Make sure the password fields in /etc/shadow for the pseudo-users are either a star (*) or double exclamation mark (!!). This prevents login as the pseudo-users.
  3. Edit the system file /etc/nsswitch.conf and make files the only option for passwd, shadow, and group. This disables NIS and other name services for users and groups.
  4. In the /etc/xinetd.d directory, edit the files eklogin, gssftp, klogin, krb5-telnet, kshell, rexec, rlogin, rsh, rsync, telnet, and tftp, and set the value of disable to yes.
  5. Reboot the system for the changes to take effect.

Solaris

  1. Log in as the "root" user.
  2. Edit the system files /etc/passwd and /etc/shadow and remove all the users except "root" and the pseudo-users. Make sure the password fields in /etc/shadow for the pseudo-users are either a star (*) or NP. This prevents login as the pseudo-users.
  3. Edit the system file /etc/nsswitch.conf and make files the only option for passwd, shadow, and group. This disables NIS and other name services for users and groups.
  4. In the /etc/inetd.d directory, edit the files eklogin, gssftp, klogin, krb5-telnet, kshell, rexec, rlogin, rsh, rsync, telnet, and tftp, and set the value of disable to yes.
  5. Reboot the system for the changes to take effect.

Windows XP Instructions

  1. Log into your user account.
  2. From the Start menu, choose Control Panel.
  3. In the Control Panel, doubleclick the User Accounts icon.
  4. Make sure the Guest account is off. If the Guest account is on, click its icon and click "Turn off the guest account" to turn it off.
  5. Follow the steps below to delete the other accounts.
    Note: User Accounts may show some accounts that are used by programs. For example, ASP.NET Machine Account (shown as ASP.NET Machine A... in User Accounts) is used by Microsoft .NET Framework 1.1 for running the ASN.NET worker process (aspnet_wp.exe), and SQLDebugger is used by Microsoft Visual Studio .NET Debugger. Deleting such accounts could cripple the programs using these accounts. As a precaution, remove those programs before deleting these accounts.
  6. Click the icon of an account other than your own account and the Guest account.
  7. Click "Delete the account".
  8. Repeat the above two steps until all the accounts other than your own account and the Guest account have been deleted.

See also

Software Integrity Test

The Digital Signature Algorithm (DSA) is used as the Approved authentication technique (validation certificate# 172) for the integrity test of the software components. Software components protected using the digital signatures are the softoken (PKCS #11) and freebl libraries (e.g., libsoftokn3.so and libfreebl3.so). (See Security Policy Rule #36 for a list of module files by platform.) When the softoken and freebl libraries are built, a DSA public/private key pair with a 1024-bit prime modulus p is generated, the private key is used to generate a DSA signature of the library, and the public key and signature are stored in a file with the name libraryname.chk. When the self-test is initiated (e.g., at initialization for the FIPS mode), the module verifies the signatures (in the libraryname.chk files) of the softoken and freebl libraries. If the signature verification fails, the self-test fails.

FC_Initialize calls nsc_CommonInitialize and then the DSA signature is verified before the library initialization is allowed to proceed.

Configuring Discretionary Access Control

On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files.

Below we describe how to set the file mode bits to specify the set of roles that can access each component of the NSS cryptographic module.

Access to Stored Cryptographic Software and Cryptographic Programs

When installing the NSS cryptographic module library files, the operator shall use the chmod utility to set the file mode bits of the library files to 0755 so that all users can execute the library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. For example,

 $ chmod 0755 libsoftokn3.so libfreebl*3.so

The file mode bits can be verified with the ls utility. For example,

 $ ls -l libsoftokn3.so libfreebl*3.so
 -rwxr-xr-x  1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
 -rwxr-xr-x  1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so
On HP-UX PA-RISC, replace the .so suffix by .sl in the above commands. On Mac OS X, replace the .so suffix by .dylib in the above commands.

Access to Cryptographic Keys, CSPs, and Plaintext Data

Cryptographic keys, CSPs, and plaintext data are stored in the NSS databases. The NSS cryptographic module creates its database files with the 0600 permission bits so that only the owner can read or modify the database files. (See the dbsopen() or dbopen() calls in the nsslowcert_OpenPermCertDB, nsslowkey_OpenKeyDB, and secmod_OpenDB functions.) For example,

 $ ls -l *.db
 -rw-------  1 wtchang wtchang 65536 May 15 22:16 cert8.db
 -rw-------  1 wtchang wtchang 32768 May 15 22:16 key3.db
 -rw-------  1 wtchang wtchang 32768 May 15 22:15 secmod.db

Since the cryptographic keys and CSPs are stored in encrypted form, the owner needs to assume the NSS User role by authenticating with the password to decrypt the cryptographic keys and CSPs stored in the private key database.

Access to Audit Data

The NSS cryptographic module may use the Unix syslog() function and the audit mechanism provided by the operating system to audit events. Access to the audit data is described in the next two subsections.

Access to syslog Log Files

On Unix (including Linux and Mac OS X), the NSS cryptographic module uses the syslog() function to audit events, so the audit data are stored in the system log. Only the root user can modify the system log. On some platforms, only the root user can read the system log; on other platforms, all users can read the system log.

The system log is usually under the /var/adm or /var/log directory. The exact location of the system log is specified in the /etc/syslog.conf file. The NSS cryptographic module uses the default user facility and the info, warning, and err severity levels for its log messages. We give two examples below.

Red Hat Enterprise Linux 4: The /etc/syslog.conf file on Red Hat Enterprise Linux 4 has:

 *.info;mail.none;authpriv.none;cron.none                /var/log/messages

which specifies that /var/log/messages is the system log. The permission bits of the system log are:

 $ ls -l /var/log/messages
 -rw-------  1 root root 38054 Jun  9 10:18 /var/log/messages

so only the root user can read or modify the system log.

Solaris 10: The /etc/syslog.conf file on Solaris 10 has:

 *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

which specifies that /var/adm/messages is the system log. The permission bits of the system log are:

 $ ls -l /var/adm/messages
 -rw-r--r--   1 root     root           0 Jun  7 03:10 /var/adm/messages

so all users can read the system log, but only the root user can modify it.

Access to System Audit Log

To meet the audit requirements of FIPS 140-2 at Security Level 2, on Red Hat Enterprise Linux 4 and Solaris, the NSS cryptographic module also uses the audit mechanism provided by the operating system to audit events, so the audit data are also stored in the system audit log. Only the root user can read or modify the system audit log.

On Red Hat Enterprise Linux 4, the system audit log is in the /var/log/audit directory. This directory and the log files in it have the following permission bits (the following commands were run as the root user; only the root user can run the second command):

 # ls -ld /var/log/audit
 drwxr-x---  2 root root 4096 Jun  1 19:50 /var/log/audit
 # ls -l /var/log/audit
 total 13460
 -rw-r-----  1 root root 3248038 Jun  8 17:50 audit.log
 -r--r-----  1 root root 5242886 Jun  1 19:50 audit.log.1
 -r--r-----  1 root root 5242936 May 20 18:01 audit.log.2

On Solaris default audit records are stored in system_name:/var/audit/.

Entry of Cryptographic Keys and CSPs

N/A. The NSS cryptographic module does not support manual entry of cryptographic keys and CSPs.

Auditable Events

Many auditable events required by FIPS 140-2 are related to the crypto officer role. In the NSS cryptographic module, the crypto officer role is only used to perform these functions:
  • install the module,
  • initialize or re-initialize the module, and
  • initialize the NSS User's password.
Moreover, the operator assumes the crypto officer role implicitly when he performs a crypto officer function. No explicit request or authentication (beyond logging into the OS user account of the operator) is required.

Every audit record contains the following information on the event:

  • date and time of the event
  • the string "NSS <softoken library name>", identifying the NSS cryptographic module. On Red Hat Enterprise Linux and Solaris, this string is "NSS libsoftokn3.so".
  • process ID (pid) of the process using the NSS cryptographic module
  • user ID (uid) of the user who owns the process
  • the actual audit message, which usually consists of
    • the PKCS #11 function that generated the event. For example, FC_Login.
    • the arguments and return code (error code) of the function. Arguments that contain sensitive information such as passwords are omitted.
    • (optional) an error message. For example, "power-up self-tests failed".

The following events are auditable by the NSS cryptographic module.

  • attempts to provide invalid input for crypto officer functions
    • We log the use of all crypto officer functions (see below) with the return code. The return code tells us whether the operator attempted to provide invalid input.
  • the addition or deletion of an operator to/from a crypto officer role
    • N/A. Any authorized operator can assume the crypto officer role.
  • operations to process audit data stored in the audit trail
    • These operations are recorded by the audit mechanism of the OS.
  • requests to use authentication data management mechanisms
    • FC_InitPIN calls (which initialize the NSS User's password)
      • "C_InitPIN(hSession=<session handle>)=<return code>"
    • FC_SetPIN calls (which change the NSS User's password)
      • "C_SetPIN(hSession=<session handle>)=<return code>"
  • use of a security-relevant crypto officer function
    • FC_InitToken calls (which re-initialize the module)
      • "C_InitToken(slotID=<slot ID>, pLabel="<token label>")=<return code>"
    • FC_InitPIN calls (which initialize the NSS User's password)
      • "C_InitPIN(hSession=<session handle>)=<return code>"
  • requests to access authentication data associated with the cryptographic module
    • N/A. The module doesn't give the operator access to the authentication data.
  • use of an authentication mechanism (e.g., login) associated with the cryptographic module
    • FC_Login calls
      • "C_Login(hSession=<session handle>, userType=<user type>)=<return code>"
    • FC_Logout calls
      • "C_Logout(hSession=<session handle>)=<return code>",
  • explicit requests to assume a crypto officer role
    • N/A. The crypto officer role is assumed implicitly when the operator performs crypto officer functions.
  • the allocation of a function to a crypto officer role
    • N/A. The functions allocated to the crypto officer role are fixed.
  • other auditable events
    • Power-up self-test failure
      • "C_Initialize()=<return code> power-up self-tests failed"
    • Pair-wise consistency test failure
      • "C_GenerateKeyPair(hSession=<session handle>, pMechanism->mechanism=<mechanism>)=<return code> self-test: pair-wise consistency test failed"
    • Continuous random number generator test failure
      • C_GenerateRandom(hSession=<session handle>, pRandomData=<pointer>, ulRandomLen=<length>)=<return code> self-test: continuous RNG test failed"
    • Switching between FIPS and non-FIPS modes
      • "enabled FIPS mode"
      • "disabled FIPS mode"