Security Policy Statement

The DX NetOps Spectrum Security Policy Statement applies to the DX NetOps Spectrum product and is applicable as long as the product is used within the documented procedures defined in the product documentation.
The DX NetOps Spectrum Security Policy Statement details the encryption and hashing that is used by specific DX NetOps Spectrum components.
The DX NetOps Spectrum Security Policy Statement communicates the FIPS 140-2 statement for the DX NetOps Spectrum product. Specifically, it does the following:
  • Clearly states which DX NetOps Spectrum modules are FIPS-compliant and which are FIPS-compatible
  • Identifies FIPS certificate numbers for the encryption modules or hash algorithms used
  • Communicates additional items that require extra physical security or protection
  • Identifies the application boundaries surrounding the different application modules that use encryption and/or hashing
  • Identifies what data is protected
  • Communicates how keys are protected
  • Explains how to enable FIPS mode on the software component
Definitions
The following terms are used in the DX NetOps Spectrum Security Policy Statement:
  • FIPS-compliant means that the component is capable of running FIPS-compliant encryption and hashing modules and offers the ability to run in FIPS mode.
  • FIPS-compatible means that the component uses FIPS-certified algorithms for encryption and hashing, but does not offer the ability to run in FIPS mode.
FIPS 140-2 Compatibility Matrix
The following table shows the extent to which DX NetOps Spectrum uses FIPS-compliant algorithms:

| DX NetOps Spectrum Software Component | Module | Version | Certificate [1] | Algorithms [2] | Algorithm Cert# [3] | Mode [4] |
|---|---|---|---|---|---|---|
| | BSAFE Crypto-J | 5.1.1 | 1502 | SHA-256 | 1549 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 1502 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-C ME | 2.0 | 608 | 3DES | 378 | Compatible |
| | OpenSSL*** | 0.9.8 | 2097 | 3DES, AES-128, AES-256, SHA | 1302 | Compatible |
| | BSAFE Crypto-C ME | 2.0 | 608 | 3DES, SHA | 378 | Compliant |
| | OpenSSL | 0.9.8 | 2097 | 3DES, SHA-256 | 1302 | Compatible |
| | BSAFE Crypto-C ME | 2.0 | 608 | 3DES | 378 | Compatible |
| | OpenSSL | 0.9.8 | 2097 | 3DES, SHA | 1302 | Compatible |

Notes:
  • * You can configure a different algorithm for Secure Domain Manager (SDM) and the SDM Connector. You do not have to use 3DES.
  • ** Credentials of old user models that use SHA are updated to SHA-256 on the first login to 9.4. For newly created models (from 9.4), credentials are hashed using SHA-256.
  • *** The OpenSSL module is part of CAPKI. In FIPS mode, it is FIPS 140-2 compliant because all consumer products use only FIPS-approved algorithms from Crypto-C ME of CAPKI. The certificate and algorithm certificate numbers shown are from Crypto-C ME (4.0.1).
  • [1] You can find NIST certificate numbers at: http://csrc.nist.gov/groups/STM/cmvp/validation.html
  • [2] These are the only algorithms the software supports. You can find more information at: http://csrc.nist.gov/groups/STM/cavp/validation.html
  • [3] Verify algorithm certificate numbers by looking up the certificate number at NIST, opening the Security Policy, or reading the 'Level/Description' column associated with the Certificate number.
  • [4] N/A means the software does not offer the ability to operate in FIPS mode. Compatible or Compliant means the software is capable of operating in FIPS mode according to the definitions of those terms.