Valerie Bubb Fenwick wrote:
> Hi Hai-May -
>
> Sorry for the last minute feedback. I hope this is not
> all coming in too late. This is a really good document,
> and I only have a few comments.
>
> On Thu, 13 Mar 2008, Hai-May Chao wrote:
>
>> The following is the design for administration and policy configuration
>> to support the FIPS 140-2 Cryptographic Framework. We had discussions
>> in this area among Valerie, Darren and myself. Thanks for their
>> earlier feedback.
>>
>> Please take a look and send comments. The review period for this will
>> close on 3/19/08.
>>
>> 1. Administration cryptoadm command
>>
>> We need to have the ability to toggle the FIPS mode of
>> operation in the Cryptographic Framework. The cryptoadm
>> command is extended to support enabling and disabling FIPS mode.
>>
>> SYNOPSIS:
>>
>> a. cryptoadm enable fips
>>
>> This is to enable FIPS mode.
>>
>> b. cryptoadm disable fips
>>
>> This is to disable FIPS mode.
>>
>> c. cryptoadm list fips
>>
>> This is to display the status of the FIPS mode policy.
>> Output is:
>> fips=disabled (The default mode is disabled) or
>> fips=enabled
>>
>> 2. Policy configuration files
>>
>> a. The kernel-level policy configuration file (kcf.conf):
>>
>> A new entry corresponding to the FIPS mode policy is added.
>> fips=disabled (The default mode is disabled) or
>> fips=enabled
>>
>> Example - kcf.conf:
>> # Start SUNWcsr
>> fips=disabled
>> des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,CKM_DES3_ECB
>> aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
>> ...
>> ...
>> # End SUNWcsr
>>
>> The status of FIPS mode is set according to the command:
>> cryptoadm enable|disable fips
>>
>> b. The user-level policy configuration file (pkcs11.conf):
>>
>> A new entry corresponding to the FIPS mode policy is added.
>> fips=disabled (The default mode is disabled) or
>> fips=enabled
>>
>> Example - pkcs11.conf:
>> # Start SUNWcsr
>> fips=disabled
>> metaslot:metaslot_status=enabled;metaslot_auto_key_migrate=enabled;metaslot_token=Sun Software PKCS#11 softtoken;metaslot_slot=Sun Crypto Softtoken
>> /usr/lib/security/$ISA/pkcs11_kernel.so
>> /usr/lib/security/$ISA/pkcs11_softtoken.so
>> # End SUNWcsr
>>
>> The status of FIPS mode is set according to the command:
>> cryptoadm enable|disable fips
>>
>> c. When the disable/enable fips command is issued from cryptoadm,
>> we make sure that the following places are sync'ed:
>> pkcs11.conf, kcf.conf and the global variable in the kernel indicating
>> the FIPS status.
>>
>> 3. When FIPS mode is enabled
>>
>> a. Keeping metaslot enabled
>>
>> We keep metaslot enabled in FIPS mode even if metaslot_auto_key_migrate
>> is enabled. This is because the keys are encrypted when they
>> cross the boundary.
>>
>> b. pkcs11_softtoken will be left enabled
>>
>> c. Keeping pkcs11_kernel enabled
>>
>> We don't disable pkcs11_kernel as pkcs11_kernel and KCF are inside
>> the crypto boundary. It is what is plugged into KCF that is the issue,
>> such as ncp and n2cp that should be disabled, but not pkcs11_kernel.
>> However, if an SCA-6000 is installed, which is FIPS approved, as long
>> as the keys that pass from metaslot to pkcs11_kernel to /dev/crypto
>> to KCF to mca are wrapped, it is good from the FIPS view. Note that
>> such a configuration with the SCA-6000 we don't think should be part
>> of the framework FIPS evaluation.
>>
>> d. Disable non FIPS approved algorithms
>
> We need "e. Disable hardware providers and non-sun plugins"
>
> This all needs to be privileged and audited, of course :)
>
> For the actual evaluation, we may need to require use of
> a crypto officer role, but I'm not 100% sure about that yet.
>
> We also need to attempt to unload non approved algorithms and
> providers at the time this command is issued. If that fails,
> we need to inform the "crypto officer" that they will need to reboot.
>
> The rest of the document looks great.
>
> Thank you for putting this all together!
>
> Valerie
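As an added illustration of the quoted design (this is not code from the design, from Hai-May or Valerie, nor the real cryptoadm implementation), the Python below models the fips= entry that items 2a and 2b add to kcf.conf and pkcs11.conf, the three-way sync rule of item 2c, and the per-provider supportedlist check that item 3d implies. The kernel-side global is simulated as a plain attribute, the file contents are constructed samples shaped like the examples in the design, the placement of a missing fips= line after the SUNWcsr start marker is an assumption, and the set of approved mechanisms is an input to the check rather than a claim about FIPS approval.

```python
"""Model of the cryptoadm FIPS policy entry from the design (added example).

Assumptions (not from the design): a missing fips= line is inserted right
after '# Start SUNWcsr'; the kernel flag is a bool attribute; which
mechanisms count as approved is supplied by the caller.
"""
import re

# Constructed sample file contents, shaped like the design's examples.
KCF_CONF = """# Start SUNWcsr
fips=disabled
des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,CKM_DES3_ECB
aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR
# End SUNWcsr
"""

PKCS11_CONF = """# Start SUNWcsr
fips=disabled
metaslot:metaslot_status=enabled;metaslot_auto_key_migrate=enabled;metaslot_token=Sun Software PKCS#11 softtoken;metaslot_slot=Sun Crypto Softtoken
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so
# End SUNWcsr
"""

# Exactly one whole line of the form fips=enabled / fips=disabled.
FIPS_RE = re.compile(r"^fips=(enabled|disabled)[ \t]*$", re.MULTILINE)


def fips_status(conf_text):
    """Return 'enabled' or 'disabled' for one policy file.
    A missing entry means the default, which the design says is disabled."""
    m = FIPS_RE.search(conf_text)
    return m.group(1) if m else "disabled"


def set_fips(conf_text, enable):
    """Return the file text with fips= rewritten; if the entry is absent it is
    inserted after the '# Start SUNWcsr' marker (assumed placement)."""
    value = "fips=enabled" if enable else "fips=disabled"
    if FIPS_RE.search(conf_text):
        return FIPS_RE.sub(value, conf_text, count=1)
    lines = conf_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith("# Start SUNWcsr"):
            lines.insert(i + 1, value + "\n")
            break
    else:
        lines.insert(0, value + "\n")
    return "".join(lines)


class FipsPolicy:
    """The three places item 2c requires to agree: kcf.conf, pkcs11.conf and
    the kernel's FIPS flag (simulated as an attribute here)."""

    def __init__(self, kcf_conf, pkcs11_conf, kernel_fips=False):
        self.kcf_conf = kcf_conf
        self.pkcs11_conf = pkcs11_conf
        self.kernel_fips = kernel_fips

    def enable(self):          # cryptoadm enable fips
        self.kcf_conf = set_fips(self.kcf_conf, True)
        self.pkcs11_conf = set_fips(self.pkcs11_conf, True)
        self.kernel_fips = True

    def disable(self):         # cryptoadm disable fips
        self.kcf_conf = set_fips(self.kcf_conf, False)
        self.pkcs11_conf = set_fips(self.pkcs11_conf, False)
        self.kernel_fips = False

    def list(self):            # cryptoadm list fips
        return "fips=" + fips_status(self.kcf_conf)

    def in_sync(self):
        """True only when both files match the kernel flag; drift between
        them is exactly what item 2c is meant to prevent."""
        expected = "enabled" if self.kernel_fips else "disabled"
        return (fips_status(self.kcf_conf) == expected
                and fips_status(self.pkcs11_conf) == expected)


def supported_mechanisms(conf_text):
    """Parse 'provider:supportedlist=MECH,MECH,...' lines from kcf.conf."""
    out = {}
    for line in conf_text.splitlines():
        if ":supportedlist=" in line:
            provider, mechs = line.split(":supportedlist=", 1)
            out[provider] = mechs.strip().split(",")
    return out


def mechanisms_to_disable(conf_text, approved):
    """Item 3d: per provider, the mechanisms FIPS mode would have to disable,
    given a caller-supplied approved set."""
    return {prov: [m for m in mechs if m not in approved]
            for prov, mechs in supported_mechanisms(conf_text).items()}


if __name__ == "__main__":
    policy = FipsPolicy(KCF_CONF, PKCS11_CONF)
    print(policy.list(), "in_sync:", policy.in_sync())
    policy.enable()
    print(policy.list(), "in_sync:", policy.in_sync())
```

Running the block toggles the simulated policy on and reports the status line in the format the design gives for cryptoadm list fips; in_sync() is the check an auditor would want after the real command, since a mismatch between the two files and the kernel flag is the condition item 2c exists to rule out.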
Valerie,

Thanks for your review comments! I'll add your above comments to the design.

Thanks,
Hai-May