Security Policy Statement

The Security Policy Statement applies to the product and is applicable as long as the product is used within the documented procedures defined in the product documentation.
The Security Policy Statement details the encryption and hashing that is used by specific components.
The Security Policy Statement communicates the FIPS 140-2 statement for the product. Specifically, it does the following:
  • Clearly states which modules are FIPS-compliant and which are FIPS-compatible
  • Identifies FIPS certificate numbers for the encryption modules or hash algorithms used
  • Communicates additional items that require extra physical security or protection
  • Identifies the application boundaries surrounding the different application modules using encryption and/or hashing
  • Identifies what data is protected
  • Communicates how keys are protected
  • Explains how to enable FIPS mode on the software component
Definitions
The following terms are used in the Security Policy Statement:
FIPS-compliant means that the component is capable of running FIPS-compliant encryption and hashing modules and offers the ability to run in FIPS mode.
FIPS-compatible means that the component uses FIPS-certified algorithms for encryption and hashing, but does not offer the ability to run in FIPS mode.
FIPS 140-2 Compatibility Matrix
The following table shows the extent to which the product uses FIPS-compliant algorithms:
| Software Component | Module | Version | Certificate (1) | Algorithms (2) | Algorithm Cert# (3) | Mode (4) |
|---|---|---|---|---|---|---|
| | BSAFE Crypto-J | 5.1.1 | 1502 | SHA-256 | 1549 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 1502 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-J | 5.1.1 | 714 | AES-256 | 1766 | Compatible |
| | BSAFE Crypto-C ME | 2.0 | 608 | 3DES | 378 | Compatible |
| | OpenSSL*** | 0.9.8 | 2097 | 3DES, AES-128, AES-256, SHA | 1302 | Compatible |
| | BSAFE Crypto-C ME | 2.0 | 608 | 3DES, SHA | 378 | Compliant |
| | OpenSSL | 0.9.8 | 2097 | 3DES, SHA-256 | 1302 | Compatible |
| | BSAFE Crypto-C ME | 2.0 | 608 | 3DES | 378 | Compatible |
| | OpenSSL | 0.9.8 | 2097 | 3DES, SHA | 1302 | Compatible |
Notes:
  • * You can configure a different algorithm for Secure Domain Manager (SDM) and the SDM Connector. You do not have to use 3DES.
  • ** Credentials of old user models using SHA are updated to SHA-256 on first-time login to 9.4. For the newly created models (from 9.4), credentials are hashed using SHA-256.
  • *** The OpenSSL module is part of CAPKI. In FIPS mode, it is FIPS 140-2 compliant, as all consumer products use only FIPS-approved algorithms from Crypto-C ME of CAPKI. These certificate and algorithm certificate numbers are from Crypto-C ME (4.0.1).
  • (1) You can find NIST certificate numbers at: http://csrc.nist.gov/groups/STM/cmvp/validation.html
  • (2) These are the only algorithms the software supports. You can find more information at: http://csrc.nist.gov/groups/STM/cavp/validation.html
  • (3) Verify algorithm certificate numbers by looking up the certificate number at NIST, opening the Security Policy, or reading the 'Level/Description' column associated with the Certificate number.
  • (4) N/A means the software does not offer the ability to operate in FIPS mode. Compatible or Compliant means the software is capable of operating in FIPS mode according to the definitions of those terms.