WebSphere DataPower Release 6.0.1 - FIPS 140-2 and NIST SP800-131a support. 601DataPower_Security_NIST.ppt Page 1 of 17
This presentation discusses three new security features in the WebSphere DataPower Release 6.0.1 firmware. The first of the new features is support for FIPS 140-2 Level 1 mode. The second of the new features is support for NIST SP800-131a within the cryptobin action and our PRNG. The third of the new features is support for disabling the crypto hardware inside of the appliance. 601DataPower_Security_NIST.ppt Page 2 of 17
There is a standard called FIPS 140-2 that is used to validate cryptographic implementations according to various rules set by an organization called NIST. Many government customers are required to use cryptographic implementations that are validated to this standard. The 6.0.1 firmware introduces the concept of an appliance-wide cryptographic mode. It defaults to the Permissive mode which behaves exactly like previous versions of the firmware. We now also support a FIPS 140-2 Level 1 mode which causes all cryptographic operations in the firmware's main task to be performed inside of a FIPS 140-2 Level 1 validated cryptographic module. Previous firmware versions supported the use of an optional HSM card but the HSM support does not perform all of the main task's crypto operations inside of the HSM boundary, so this new mode is more thorough in that regard. Also, customers using the Virtual platform cannot use an HSM so this mode is especially useful for those customers. It is important to note that neither the DataPower appliance as a whole nor its firmware have been FIPS 140-2 validated by NIST. Only the internal cryptographic module used in FIPS mode (and the optional HSM card) have been validated by NIST. 601DataPower_Security_NIST.ppt Page 3 of 17
The first step in putting the appliance firmware into FIPS mode involves changing the password on existing user accounts. Previous firmware versions used an algorithm called md5crypt to hash user account passwords and this algorithm can never be used while in FIPS mode, so it is necessary to changes user account passwords after enabling the new support for sha256crypt passwords under RBM settings as shown here. 601DataPower_Security_NIST.ppt Page 4 of 17
The second step in putting the appliance firmware into FIPS mode is to use the Set Crypto Mode action to select FIPS 140-2 Level 1 mode and then reload the firmware. After the reload the appliance should be in FIPS mode. 601DataPower_Security_NIST.ppt Page 5 of 17
For B2B, if a banned algorithm is used in Request MDN Signing Algorithm property of B2B Partner Profile Destination, DataPower will discard the algorithm when generating an outbound AS messages. However, if there is no other applicable digest algorithm, the B2B Partner Profile will be opstate down. For the inbound flow, it is possible that a partner requests DataPower to return a signed MDN using a banned digest algorithm. The requested digest algorithm is specified in the signed-receipt-micalg parameter of AS Disposition-Notification-Option header. In this case, the banned digest algorithm will be ignored and the next applicable digest algorithm from the algorithm list will be used. 601DataPower_Security_NIST.ppt Page 6 of 17
FIPS mode has some limitations. The first one is that various existing product features will not work in FIPS mode since they require algorithms (like MD5 or RC2) that are banned by the FIPS 140-2 standard. Examples include the RADIUS protocol (hard-codes the use of MD5), version 3.0 of the SSL protocol (hard-codes the use of MD5), and most encrypted private key files (most of them use MD5 and/or RC2). This is not a DataPower-specific limitation; it is inherent in any FIPS 140-2 validated module. Additionally the RSA acceleration functionality of any non-fips crypto cards will be automatically disabled (again, to comply with the FIPS standard). The firmware must be reloaded to get into or out of FIPS mode (the change does not take effect immediately). Only the main firmware task respects the crypto mode setting (not the WTX or SSH tasks). In FIPS mode, Kerberos and SNMPv3 become more disabled than is required by the FIPS 140-2 standard (this is a DataPower-specific limitation). Errors getting into FIPS mode will be visible in the Crypto Mode status provider and in the system logs. Operations that fail at config time or run time due to things banned in FIPS mode will also put messages in the system logs (look for messages involving banned algorithms or too small keys). 601DataPower_Security_NIST.ppt Page 7 of 17
The Crypto Mode status providers shows three things. The Target mode is the mode that the user asked for previously for this run of the firmware. The Current mode is the mode that the firmware is currently running in (usually the same as the Target unless some error occurs). The Pending Target mode will become the Target mode the next time that the firmware is reloaded. Here they are all the same which shows that the user previously asked for FIPS mode, the box is currently in FIPS mode (it entered it successfully), and that the next firmware restart will also attempt to use FIPS mode. 601DataPower_Security_NIST.ppt Page 8 of 17
There is another NIST standard called SP800-131a which mandates the use of specific strong cryptographic algorithms, bans the use of weak cryptographic algorithms, and bans the use of key sizes that are too small. IBM SWG has mandated that all of our software products provide support for the use of SP800-131a compliant algorithms in any cryptographic functionality, so in the 6.0.1 release we added that support in the few places that were previously missing it: the cryptobin sign and verify actions, our pseudo-random number generator, and our B2B protocols. This talk does not cover the changes to the B2B protocols. The other parts of the firmware (the SSL stack, the XML crypto actions, and so forth) already had this support in previous firmware releases. Many federal customers are required to comply with SP800-131a so it is important that our firmware support the algorithms required for them to do so. 601DataPower_Security_NIST.ppt Page 9 of 17
The cryptobin sign action is used to create PKCS#7 and S/MIME signatures. It was modified in 6.0.1 to allow the user to select strong signing algorithms such as RSA with SHA-256 (using the configuration property shown here). The cryptobin verify action was also modified to allow signatures involving those same strong signing algorithms. 601DataPower_Security_NIST.ppt Page 10 of 17
NIST SP800-131a mandates the use of one of a couple of specific pseudo-random number generators (no other methods are approved for use as a PRNG). The PRNG used in firmware before 6.0.1 is not compliant with these rules, nor is the PRNG used in the 6.0.1 firmware when in the Permissive crypto mode. The PRNG used in the 6.0.1 firmware when in FIPS 140-2 Level 1 mode does comply with these rules. So to fully comply with the NIST SP800-131a PRNG requirements it is necessary to put the 6.0.1 firmware into FIPS 140-2 Level 1 mode. 601DataPower_Security_NIST.ppt Page 11 of 17
Unlike FIPS 140-2 where the 6.0.1 firmware has a global enforcement mode, we do not have any such global mode for NIST SP800-131a. It is up to the user to configure each cryptographic portion of their services in a compliant way. Mainly this involves choosing modern algorithms (3DES, AES, SHA-2) with adequately large RSA keys. Most of our default values comply with this standard but not all of them do (for backwards compatibility reasons). Note that the only way to get a compliant PRNG is to use FIPS 140-2 Level 1 mode. There is no specific troubleshooting for NIST SP800-131a since it is not a new features in and of itself. It is just a concept of supporting strong algorithms within each of the existing cryptographic product features (SSL, message level cryptography, B2B protocols, and so forth). 601DataPower_Security_NIST.ppt Page 12 of 17
Physical DataPower appliances all contain some kind of crypto card that is used to accelerate RSA operations (the HSM card is also used for key storage). The 6.0.1 firmware gives the user the ability to disable all or part of the functionality of the crypto card inside of the appliance. There is no good reason for a user to do this unless they are advised to do so by IBM support. It was mainly added because this functionality was added internally to support FIPS mode and because it is occasionally useful in some support cases. 601DataPower_Security_NIST.ppt Page 13 of 17
To disable part of the crypto hardware use the action shown here and then reload the firmware. Again, there is no reason to do this unless you are advised to do so by IBM support. 601DataPower_Security_NIST.ppt Page 14 of 17
There are some limitations in the user's ability to disable the crypto hardware. First is that each request to change how much of the hardware is disabled must be followed by a firmware reload (it does not take effect immediately). Second is that when in FIPS mode a non-fips card will have its RSA functionality disabled automatically in a way that cannot be overridden by the user. Whether or not some part of the crypto harwdare is disabled can be seen in two status providers shown on the next slide. 601DataPower_Security_NIST.ppt Page 15 of 17
The Crypto Hardware Disablement status providers shows three things. The Target value is what the user asked for previously for this run of the firmware. The Current value is the current state of the crypto hardware (usually the same as the Target unless you are in FIPS mode with a non- HSM card). The Pending Target value will become the Target value the next time that the firmware is reloaded. Here the appliance is in FIPS mode with a non-hsm crypto card so even though the client has requested (Target) that no part of the card be disabled the RSA part of the card got disabled anyway (Current) due to FIPS mode. Also, the existing Crypto Engine status provider has been augmented to show the Current field from the Crypto Hardware Disablement status provider. It will also consider this state as part of the overall status value ( fully operational may be replaced with partially disabled or fully disabled to indicate that not all parts of the card are operating). 601DataPower_Security_NIST.ppt Page 16 of 17
601DataPower_Security_NIST.ppt Page 17 of 17