Security Policy
This is a draft document.
Authentication Policy
Strength of Authentication Mechanism
In FIPS mode, the NSS cryptographic module imposes the following requirements on the password.
- The password must be at least seven characters long.
- The password must consist of characters from three or more character classes. We define five character classes: digits (0-9), ASCII lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric characters (such as space and punctuation marks), and non-ASCII characters. If an ASCII uppercase letter is the first character of the password, that letter does not count toward the uppercase class. Similarly, if a digit is the last character of the password, that digit does not count toward the digit class.
To estimate the probability that a random guess of the password will succeed, we assume that
- the characters of the password are independent of each other, and
- the probability of guessing an individual character of the password is < 1/10.
Since the password is >= 7 characters long, the probability that a random guess of the password will succeed is < (1/10)^7 = 1/10,000,000.
After each failed authentication attempt in FIPS mode, the NSS cryptographic module inserts a one-second delay before returning to the caller, allowing at most 60 authentication attempts during a one-minute period. Therefore, the probability of a successful random guess of the password during a one-minute period is < 60 * 1/10,000,000 = 0.6 * (1/100,000).
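The password rules and the guessing-probability bound above, as an added Python example (not NSS code; NSS implements this check in C inside the module). It assumes a "character" is one code point of an already-decoded string; whether NSS counts bytes or code points is not stated on this page, and the distinction only matters for non-ASCII passwords.

```python
"""Stand-alone model of the FIPS-mode password rules (added example, not NSS code)."""

MIN_LENGTH = 7      # policy: at least seven characters
MIN_CLASSES = 3     # policy: characters from three or more classes


def _char_class(ch: str) -> str:
    """Map one character to one of the five classes the policy defines."""
    if ch.isascii():
        if ch.isdigit():
            return "digit"
        if ch.islower():
            return "lower"
        if ch.isupper():
            return "upper"
        return "ascii_other"   # space, punctuation, and other non-alphanumerics
    return "non_ascii"


def character_classes(password: str) -> set:
    """Classes that count toward the policy.

    A leading ASCII uppercase letter and a trailing digit are skipped, as the
    policy requires; the same class still counts if it occurs elsewhere.
    """
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        cls = _char_class(ch)
        if i == 0 and cls == "upper":
            continue
        if i == last and cls == "digit":
            continue
        classes.add(cls)
    return classes


def fips_password_ok(password: str) -> bool:
    """True if the password satisfies both the length and the class rule."""
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= MIN_CLASSES)


def guess_success_bound(length: int, attempts: int = 60, per_char: float = 0.1) -> float:
    """Policy bound on P(random guess succeeds) for `attempts` tries of a
    `length`-character password, assuming independent characters each guessed
    with probability < per_char (60 attempts/minute with the one-second delay)."""
    return attempts * per_char ** length
```

`Passw0rd1` is rejected because the capital first letter and the trailing digit are not counted, leaving only the lowercase and digit classes.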
Mitigation of Other Attacks
The NSS cryptographic module is designed to mitigate the following attacks.
| Other Attacks | Mitigation Mechanism | Specific Limitations |
|---|---|---|
| Timing attacks on RSA | RSA blinding. Timing attacks on RSA were first demonstrated by Paul Kocher in 1996 [1], who contributed the mitigation code to our module. More recently, Boneh and Brumley [2] showed that RSA blinding is an effective defense against timing attacks on RSA. | None. |
| Cache-timing attacks on the modular exponentiation operation used in RSA and DSA | Cache-invariant modular exponentiation. This is a variant of a modular exponentiation implementation that Colin Percival [3] showed to defend against cache-timing attacks. | This mechanism requires intimate knowledge of the cache line sizes of the processor. It may be ineffective when the module is running on a processor whose cache line sizes are unknown. |
| Arithmetical errors in RSA signatures | Double-checking RSA signatures. Arithmetical errors in RSA signatures might leak the private key. Ferguson and Schneier [4] recommend that every RSA signature generation verify the signature just generated. | None. |
Results of FIPS 140-2 Level 2 Validation of NSS Cryptographic Module 3.11.5
| FIPS 140-2 Section | Description | Validation Level Obtained |
|---|---|---|
| 1.0 | Cryptographic Module Specification | 2 |
| 2.0 | Cryptographic Module Ports and Interfaces | 2 |
| 3.0 | Roles, Services, and Authentication | 2 |
| 4.0 | Finite State Model | 2 |
| 5.0 | Physical Security | 2 |
| 6.0 | Operational Environment | 2 |
| 7.0 | Cryptographic Key Management | 2 |
| 8.0 | EMI/EMC | 2 |
| 9.0 | Self-Tests | 2 |
| 10.0 | Design Assurance | 2 |
| 11.0 | Mitigation of Other Attacks | 2 |
| C | Cryptographic Module Security Policy | 2 |
Platform List
- Level 1
  - Red Hat Enterprise Linux 4 x86
  - Windows XP Service Pack 2
  - 64-bit Solaris 10 AMD64
  - HP-UX B.11.11 PA-RISC
  - Mac OS X 10.4
- Level 2
  - Red Hat Enterprise Linux 4 x86_64
  - 64-bit Trusted Solaris 8 SPARC
References
[1] P. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems," CRYPTO '96, Lecture Notes in Computer Science, Vol. 1109, pp. 104-113, Springer-Verlag, 1996. http://www.cryptography.com/timingattack/
[2] D. Boneh and D. Brumley, "Remote Timing Attacks are Practical." http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
[3] C. Percival, "Cache Missing for Fun and Profit." http://www.daemonology.net/papers/htt.pdf
[4] N. Ferguson and B. Schneier, Practical Cryptography, Sec. 16.1.4 "Checking RSA Signatures," p. 286, Wiley Publishing, Inc., 2003.