MozillaWiki

FIPS Operational Environment: Difference between revisions

Page Discussion

FIPS Operational Environment (view source)

Revision as of 18:59, 16 November 2011

305 bytes removed ,  16 November 2011
→‎Software Integrity Test
 
(17 intermediate revisions by 5 users not shown)
Line 2: Line 2:


The operational environment for the NSS cryptographic module is a general purpose, modifiable operational environment that uses one of the following commercially-available operating systems:
The operational environment for the NSS cryptographic module is a general purpose, modifiable operational environment that uses one of the following commercially-available operating systems:
* Security Level 1
* Security Level 1
** Red Hat Enterprise Linux 4
** Red Hat Enterprise Linux Version 6 32 bit
** Windows XP Service Pack 2
** Red Hat Enterprise Linux Version 6 64 bit
** Solaris 10
** HP-UX B.11.11, with the HP-UX Strong Random Number Generator (KRNG11i) bundle installed to add the /dev/urandom special file
** Mac OS X 10.4
* Security Level 2
** Red Hat Enterprise Linux Version 4 Update 1 AS: CAPP EAL4+
** Sun Trusted Solaris Version 8 4/01: LSPP, CAPP, and RBACPP; EAL4


==Single Operator Mode of Operation==
==Single Operator Mode of Operation==
Line 37: Line 32:


See also
See also
* NSA, ''[http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/applemac/osx_client_final_v_1_1.pdf Apple Mac OS X v10.3.x "Panther" Security Configuration Guide]''. Read Chapter 4 ''Configuring System Settings'', Section ''Managing System Preferences'', Subsection ''Sharing'', pages 37-39. Check the [http://checklists.nist.gov/repository/ NIST Security Configuration Checklists Repository] for newer versions of this document.
* NSA, ''[http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml NSA Security Configuration Guide]  
* [http://www.nsa.gov/applications/links/notices.cfm?address=http://images.apple.com/support/security/guides/docs/Leopard_Security_Config_2nd_Ed.pdf Mac OS X Security Configuration for Version 10.5 Leopard Second Edition]''


===Unix Instructions===
===Unix Instructions===
Line 46: Line 42:


The specific procedures for each of the UNIX variants are described below.
The specific procedures for each of the UNIX variants are described below.
'''HP-UX'''
# Log in as the "root" user.
# Edit the system file <code>/etc/passwd</code> and remove all the users except "root" and the pseudo-users. Make sure the password fields for the pseudo-users are a star (*). This prevents login as the pseudo-users.
# Edit the system file <code>/etc/nsswitch.conf</code>. Make sure that <code>files</code> is the only option for <code>passwd</code> and <code>group</code>. This disables NIS and other name services for users and groups.
# Edit the system file <code>/etc/inetd.conf</code>. Remove or comment out the lines for remote login, remote command execution, and file transfer daemons such as <code>telnetd</code>, <code>rlogind</code>, <code>remshd</code>, <code>rexecd</code>, <code>ftpd</code>, and <code>tftpd</code>.
# Reboot the system for the changes to take effect.


'''Red Hat Enterprise Linux'''
'''Red Hat Enterprise Linux'''
Line 60: Line 49:
# In the <code>/etc/xinetd.d</code> directory, edit the files <code>eklogin</code>, <code>gssftp</code>, <code>klogin</code>, <code>krb5-telnet</code>, <code>kshell</code>, <code>rexec</code>, <code>rlogin</code>, <code>rsh</code>, <code>rsync</code>, <code>telnet</code>, and <code>tftp</code>, and set the value of <code>disable</code> to <code>yes</code>.
# In the <code>/etc/xinetd.d</code> directory, edit the files <code>eklogin</code>, <code>gssftp</code>, <code>klogin</code>, <code>krb5-telnet</code>, <code>kshell</code>, <code>rexec</code>, <code>rlogin</code>, <code>rsh</code>, <code>rsync</code>, <code>telnet</code>, and <code>tftp</code>, and set the value of <code>disable</code> to <code>yes</code>.
# Reboot the system for the changes to take effect.
# Reboot the system for the changes to take effect.
See also
* NSA, ''[http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml NSA Security Configuration Guide]
* ''[http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
Guide to the Secure Configuration of Red Hat Enterprise Linux 5]''


'''Solaris'''
'''Solaris'''
Line 67: Line 61:
# In the <code>/etc/inetd.d</code> directory, edit the files <code>eklogin</code>, <code>gssftp</code>, <code>klogin</code>, <code>krb5-telnet</code>, <code>kshell</code>, <code>rexec</code>, <code>rlogin</code>, <code>rsh</code>, <code>rsync</code>, <code>telnet</code>, and <code>tftp</code>, and set the value of <code>disable</code> to <code>yes</code>.
# In the <code>/etc/inetd.d</code> directory, edit the files <code>eklogin</code>, <code>gssftp</code>, <code>klogin</code>, <code>krb5-telnet</code>, <code>kshell</code>, <code>rexec</code>, <code>rlogin</code>, <code>rsh</code>, <code>rsync</code>, <code>telnet</code>, and <code>tftp</code>, and set the value of <code>disable</code> to <code>yes</code>.
# Reboot the system for the changes to take effect.
# Reboot the system for the changes to take effect.
See also
* NSA, ''[http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml NSA Security Configuration Guide]
* ''[http://www.nsa.gov/ia/_files/os/sunsol_10/s10-cis-appendix-v1.1.pdf
An Overview of Solaris 10 Operating System Security Controls ]''


===Windows XP Instructions===
===Windows XP Instructions===
Line 81: Line 81:
* [http://csrc.ncsl.nist.gov/publications/nistpubs/index.html#sp800-68 SP 800-68 Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist]. Section 6.5 ''System Services'' explains how to disable unnecessary services such as '''NetMeeting Remote Desktop Sharing''' and '''Telnet''' to reduce the number of attack vectors against the system. Section 7.2.1 ''Built-in Accounts'' explains how to disable default user accounts, which are often used in exploits against computer systems. Note that the recommendation in Section 7.2.3 ''Daily Use Accounts'' is at odds with the single operator mode of operation requirement of FIPS 140-2 Security Level 1.
* [http://csrc.ncsl.nist.gov/publications/nistpubs/index.html#sp800-68 SP 800-68 Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist]. Section 6.5 ''System Services'' explains how to disable unnecessary services such as '''NetMeeting Remote Desktop Sharing''' and '''Telnet''' to reduce the number of attack vectors against the system. Section 7.2.1 ''Built-in Accounts'' explains how to disable default user accounts, which are often used in exploits against computer systems. Note that the recommendation in Section 7.2.3 ''Daily Use Accounts'' is at odds with the single operator mode of operation requirement of FIPS 140-2 Security Level 1.
* [http://csrc.ncsl.nist.gov/publications/nistpubs/index.html#sp800-69 Draft SP 800-69 Draft Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist]. Read Appendix B.2 ''Disable Default User Accounts'' and Appendix B.5 ''Disable Unneeded Services''. Note that Appendix A ''Essential Security Settings'', Step 6: ''Set Up Limited User Accounts'' is at odds with the single operator mode of operation requirement of FIPS 140-2 Security Level 1.
* [http://csrc.ncsl.nist.gov/publications/nistpubs/index.html#sp800-69 Draft SP 800-69 Draft Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist]. Read Appendix B.2 ''Disable Default User Accounts'' and Appendix B.5 ''Disable Unneeded Services''. Note that Appendix A ''Essential Security Settings'', Step 6: ''Set Up Limited User Accounts'' is at odds with the single operator mode of operation requirement of FIPS 140-2 Security Level 1.
* [http://www.nsa.gov/ia/_files/os/winxp/NSA_Windows_XP_Security_Guide_Addendum.pdf NSA Windows XP Security Guide Addendum]
* [http://www.nsa.gov/ia/_files/os/winxp/Windows_XP_Security_Guide_v2.2.zip Zipped Windows XP Security Configuration Guides]


==Software Integrity Test==
==Software Integrity Test==


The [http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf Digital Signature Algorithm (DSA)] is used as the Approved authentication technique ([http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 validation certificate# 172]) for the integrity test of the software components. [http://wiki.mozilla.org/FIPS_Module_Specification#Module_Components Software components ] protected using the digital signatures are the softoken (PKCS #11) and freebl libraries (e.g., libsoftokn3.so and libfreebl3.so). (See [http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf Security Policy Rule #33] for a list of module files by platform.) When the softoken and freebl libraries are built, a DSA public/private key pair with a 1024-bit prime modulus p is generated, the private key is used to generate a DSA signature of the library, and the public key and signature are stored in a file with the name ''libraryname''.chk. When the self-test is initiated (e.g., at initialization for the FIPS mode), the module verifies the signatures (in the ''libraryname''.chk files) of the softoken and freebl libraries. If the signature verification fails, the self-test fails.
The [http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf Digital Signature Algorithm (DSA)] is used as the Approved authentication technique ([http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 validation certificate# 172]) for the integrity test of the software components. [http://wiki.mozilla.org/FIPS_Module_Specification#Module_Components Software components ] protected using the digital signatures are the softoken (PKCS #11) and freebl libraries (e.g., libsoftokn3.so and libfreebl3.so). (See [http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf Security Policy Rule #15] for a list of module files by platform.) When the softoken and freebl libraries are built, a DSA public/private key pair with a 1024-bit prime modulus p is generated, the private key is used to generate a DSA signature of the library, and the public key and signature are stored in a file with the name ''libraryname''.chk. When the self-test is initiated (e.g., at initialization for the FIPS mode), the module verifies the signatures (in the ''libraryname''.chk files) of the softoken and freebl libraries. If the signature verification fails, the self-test fails.


[http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/fipstokn.c.dep.html#FC_Initialize    FC_Initialize] calls [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pkcs11.c.dep.html#nsc_CommonInitialize nsc_CommonInitialize] and then the DSA signature is verified before the library initialization is allowed to proceed. If the signature verification fails, FC_Initialize puts the module in the Error state by setting the Boolean state variable <code>sftk_fatalError</code> to true. All the PKCS #11 functions that perform cryptographic operations or output data check <code>sftk_fatalError</code> on entry. In the Error state (<code>sftk_fatalError</code> is true), no action besides returning the error code <code>CKR_DEVICE_ERROR</code> is taken by those functions, which prevents cryptograhic operations and data output. (See also [http://wiki.mozilla.org/ModuleInterfaces#In_Error_State In Error State].)
[http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/fipstokn.c.dep.html#FC_Initialize    FC_Initialize] calls [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pkcs11.c.dep.html#nsc_CommonInitialize nsc_CommonInitialize] and then the DSA signature is verified before the library initialization is allowed to proceed. If the signature verification fails, FC_Initialize puts the module in the Error state by setting the Boolean state variable <code>sftk_fatalError</code> to true. All the PKCS #11 functions that perform cryptographic operations or output data check <code>sftk_fatalError</code> on entry. In the Error state (<code>sftk_fatalError</code> is true), no action besides returning the error code <code>CKR_DEVICE_ERROR</code> is taken by those functions, which prevents cryptograhic operations and data output. (See also [http://wiki.mozilla.org/ModuleInterfaces#In_Error_State In Error State].)
Line 96: Line 98:
===Access to Stored Cryptographic Software and Cryptographic Programs===
===Access to Stored Cryptographic Software and Cryptographic Programs===
When installing the NSS cryptographic module library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the library files to '''0755''' so that all users can execute the library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. For example,
When installing the NSS cryptographic module library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the library files to '''0755''' so that all users can execute the library files, but only the files' owner can modify (i.e., write, replace, and delete) the files. For example,
   $ chmod 0755 libsoftokn3.so libfreebl*3.so
   $ chmod 0755 libsoftokn3.so libfreebl*3.so libnssdbm3.so
The file mode bits can be verified with the <code>ls</code> utility. For example,
The file mode bits can be verified with the <code>ls</code> utility. For example,
   $ ls -l libsoftokn3.so libfreebl*3.so
   $ ls -l libsoftokn3.so libfreebl*3.so
   -rwxr-xr-x  1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
   -rwxr-xr-x  1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
   -rwxr-xr-x  1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so
   -rwxr-xr-x  1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so
<div class=note>On HP-UX PA-RISC, replace the <code>.so</code> suffix by <code>.sl</code> in the above commands. On Mac OS X, replace the <code>.so</code> suffix by <code>.dylib</code> in the above commands.</div>
  -rwxr-xr-x  1 wtchang wtchang  263540 Jun  8 17:07 libnssdbm3.so
<div class=note>On windows, replace the <code>.so</code> suffix by <code>.dll</code> in the above commands. On Mac OS X, replace the <code>.so</code> suffix by <code>.dylib</code> in the above commands.</div>


===Access to Cryptographic Keys, CSPs, and Plaintext Data===
===Access to Cryptographic Keys, CSPs, and Plaintext Data===


Cryptographic keys, CSPs, and plaintext data are stored in the NSS databases. The NSS cryptographic module creates its database files with the '''0600''' permission bits so that only the owner can read or modify the database files. (See the <code>dbsopen()</code> or <code>dbopen()</code> calls in the [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pcertdb.c.dep.html#nsslowcert_OpenPermCertDB <code>nsslowcert_OpenPermCertDB</code>], [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/keydb.c.dep.html#nsslowkey_OpenKeyDB <code>nsslowkey_OpenKeyDB</code>], and [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pk11db.c.dep.html#secmod_OpenDB <code>secmod_OpenDB</code>] functions.) For example,
Cryptographic keys, CSPs, and plaintext data are stored in the NSS databases. The NSS cryptographic module creates its database files with the '''0600''' permission bits so that only the owner can read or modify the database files. (See the [http://mxr.mozilla.org/security/ident?i=dbsopen <code>dbsopen()</code>] or [[http://mxr.mozilla.org/security/ident?i=dbopen <code>dbopen()</code>] calls in the [http://mxr.mozilla.org/security/ident?i=nsslowcert_OpenPermCertDB <code>nsslowcert_OpenPermCertDB</code>], [http://mxr.mozilla.org/security/ident?i=nsslowkey_OpenKeyDB <code>nsslowkey_OpenKeyDB</code>], and [http://mxr.mozilla.org/security/ident?i=secmod_OpenDB <code>secmod_OpenDB</code>] functions.) For example,
   $ ls -l *.db
   $ ls -l *.db
   -rw-------  1 wtchang wtchang 65536 May 15 22:16 cert8.db
   -rw-------  1 wtchang wtchang 65536 May 15 22:16 cert8.db
   -rw-------  1 wtchang wtchang 32768 May 15 22:16 key3.db
   -rw-------  1 wtchang wtchang 32768 May 15 22:16 key3.db
   -rw-------  1 wtchang wtchang 32768 May 15 22:15 secmod.db
   -rw-------  1 wtchang wtchang 32768 May 15 22:15 secmod.db
  or
  $ls -l *.db
  -rw-------  1 gb  staff  9216 May  6 10:22 cert9.db
  -rw-------  1 gb  staff  11264 May  6 10:22 key4.db
Since the cryptographic keys and CSPs are stored in encrypted form, the owner needs to assume the NSS User role by authenticating with the password to decrypt the cryptographic keys and CSPs stored in the private key database.
Since the cryptographic keys and CSPs are stored in encrypted form, the owner needs to assume the NSS User role by authenticating with the password to decrypt the cryptographic keys and CSPs stored in the private key database.


Relyea
439

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/40609...370279"