| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 10/10/2029 |
| Caveat | When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Forcepoint |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for Forcepoint NGFW Cryptographic Kernel Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>upgrade<br/>update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Forcepoint NGFW Cryptographic Kernel Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>upgrade<br/>update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Forcepoint NGFW Cryptographic Kernel Module 10900-A Stonelake Blvd, Ste. 350, Austin, TX 78759, USA www.forcepoint.com
| Revision | Date | Reason | |
|---|---|---|---|
| April 29, 2022 | |||
| April 29, 2024 | |||
| September 30, 2024 |
Revision History A Initial release. B CMVP comment responses. C CMVP comment responses. © 2024 Forcepoint. This document may be freely reproduced and distributed whole and intact including this
Acronyms and Abbreviations Term Definition AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface CBC Cipher Block Chaining CFB Cipher FeedBack CMVP Cryptographic Module Validation Program CO Crypto Officer CSP Critical Security Parameter ECB Electronic Code Book FIPS Federal Information Processing Standard GCM Galois Counter Mode HMAC Keyed-Hash Message Authentication Code IG Implementation Guidance ISO/IEC International Organization for Standardization / International Electrotechnical Commission I/O Input/Output IV Initialization Vector KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology N/A Not Applicable
Term Definition OFB Output FeedBack POST Power-on Self-Test SHA Secure Hash Algorithm SSP Sensitive Security Parameter Preface This is a non-proprietary Cryptographic Module Security Policy for the Forcepoint NGFW Cryptographic Kernel Module (Software Version: 3.0) from Forcepoint. This Security Policy describes how the Forcepoint NGFW Cryptographic Kernel Module (referred as crypto module, module, library) meet the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographicmodule-validation-program This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module.
| Name | Requirement |
|---|---|
| General | General |
| Cryptographic Module Specification | Cryptographic Module Specification |
| Cryptographic Module Interfaces | Cryptographic Module Interfaces |
| Roles, Services, and Authentication | Roles, Services, and Authentication |
| Software/Firmware Security | Software/Firmware Security |
| Operational Environment | Operational Environment |
| Physical Security | Physical Security |
| Non-Invasive Security | Non-Invasive Security |
| Sensitive Security Parameter Management | Sensitive Security Parameter Management |
| Self-Tests | Self-Tests |
| Life-Cycle Assurance | Life-Cycle Assurance |
| Mitigation of Other Attacks | Mitigation of Other Attacks |
The Forcepoint NGFW Cryptographic Kernel Module meets overall level 1 security requirements for FIPS 140-3 as summarized in the table below: TABLE 1: SECURITY LEVELS N/A N/A [Number Below]
N/A [Number Below] 2. Cryptographic Module Specification 2.1.Module Overview The Forcepoint NGFW Cryptographic Kernel Module is a module that provides general-purpose cryptographic algorithms for Forcepoint applications. The binary of the module and the integrity check file are qcl_fips.ko and checksums.fips. Assembly language optimizations are used in the cryptographic module implementation. The module contains the following cryptographic functionality:
The module supports the following approved functions:
The following block diagram provides an illustration of the following Operational environments: NGFW OS 10 on Linux 4.19 running on NGFW 3410 with Intel Xeon Gold 6230N with PAA; NGFW OS 10 on Linux 4.19 running on NGFW N120W with Intel Atom C3338 with PAA; NGFW OS 10 on Linux 4.19 running on NGFW N120W with Intel Atom C3338 without PAA FIGURE 1: SOFTWARE BLOCK DIAGRAM 1
The following block diagram provides an illustration of the following Operational environment: NGFW OS 10 on Linux 4.19 on ESXi 7.0 running on Dell PowerEdge R440 with Intel Xeon Silver 4208 with PAA FIGURE 2. SOFTWARE BLOCK DIAGRAM 2
| Name | Operating System | Hardware Platform | Processor |
|---|---|---|---|
| NGFW OS 10 on Linux 4.19 on ESXi 7.0 | NGFW OS 10 on Linux 4.19 on ESXi 7.0 | Dell PowerEdge R440 | Intel Xeon Silver 4208 |
| NGFW OS 10 on Linux 4.19 | NGFW OS 10 on Linux 4.19 | NGFW 3410 | Intel Xeon Gold 6230N |
| NGFW OS 10 on Linux 4.19 | NGFW OS 10 on Linux 4.19 | NGFW N120W | Intel Atom C3338 |
| NGFW OS 10 on Linux 4.19 | NGFW OS 10 on Linux 4.19 | NGFW N120W | Intel Atom C3338 |
2.4.Test Configuration The following tested configurations are covered in this security policy: TABLE 2: TESTED OPERATIONAL ENVIRONMENTS # AES-NI AES-NI AES-NI None
TABLE 3: VENDOR AFFIRMED OPERATIONAL ENVIRONMENTS # NGFW 3401 NGFW 2210 NGFW 2205 NGFW 2201 NGFW N120 NGFW N60 Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when the module is ported to the vendor affirmed platforms that are not listed on the validation certificate.
| AES-CBC, AES- CFB128, AES-ECB, AES-GCM, AES- OFB FIPS 197, SP 800- 38A, SP 800-38D | AES-CBC, AES-CFB128, AES-ECB, AES-GCM, AES-OFB | Direction: Encrypt, Decrypt Key Length: 128, 192, 256 |
|---|
2.5.Approved Algorithms The following associated CAVP certificates are used by the cryptographic module: Forcepoint NGFW Cryptographic Kernel Module (Cert. #A2166) The approved algorithms implemented by the module alongside their mapping to the certificates above alongside algorithms use by services are listed in the table below. TABLE 4: APPROVED ALGORITHMS #A2166 Used for encryption and decryption services
| SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 FIPS 180-4 | SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 | BYTE only |
|---|
| HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 FIPS 198-1 | SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 | HMAC-SHA-1 (96, 160 bit MAC; > 112 bit keys) HMAC-SHA2-224 (128, 224 bit MAC; > 112 bit keys) HMAC-SHA2-256 (96, 128, 256 bit MAC; > 112 bit keys) HMAC-SHA2-384 (128, 192, 384 bit MAC; > 112 bit keys) HMAC-SHA2-512 (128, 256, 512 bit MAC; > 112 bit keys) |
|---|
#A2166 Used for secure hashing services Message Authentication Code #A2166 Used for message authentication services and module integrity
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input, Data Output, Control Input, Status Output | API Input Parameters, API Output Parameters and Return Values, API Functions, Console, Kernel Ring Buffer |
| N/A | N/A | Data Input, Data Output, Control Input, Status Output | API Input Parameters, API Output Parameters and Return Values, API Functions, Console, Kernel Ring Buffer |
| N/A | N/A | Data Input, Data Output, Control Input, Status Output | API Input Parameters, API Output Parameters and Return Values, API Functions, Console, Kernel Ring Buffer |
| N/A | N/A | Status Output | API Return Values, Console, Kernel Ring Buffer |
| N/A | N/A | Power Input | N/A |
The module does not implement any non-approved algorithms allowed in the approved mode of operation. The module does not implement any non-approved algorithms allowed in the approved mode of operation with no security claimed. 3. Cryptographic Module Interfaces 3.1.Ports and Interface Overview The figures in section Module Description identify the physical interfaces to the cryptographic module. The following table maps the physical interface to logical interfaces and supported data. TABLE 5: PORTS AND INTERFACES N/A N/A N/A N/A N/A N/A
| Name | Roles | Input | Service | Input |
|---|---|---|---|---|
| Initialize module | NA | |||
| Uninitialize module | NA | |||
| Show status | NA | |||
| Perform self-tests | NA | |||
| Perform zeroization | State record | |||
| Show module versioning information | NA | |||
| Perform encryption and decryption (AES) | Key and data to process | |||
| Perform authenticated encryption and decryption (AES-GCM) | Key and data to process | |||
| Perform secure hash (SHS) | Data to process | |||
| Perform message authentication (HMAC) | Key and data to process | |||
| Crypto Officer | Crypto Officer | Implicitly assumed when the APIs associated with the ‘Crypto Officer’ services are being exercised. | N/A | |
| User | User | Implicitly assumed when the APIs associated with the ‘User’ services are being exercised. | N/A |
4. Roles, Services, and Authentication 4.1.Roles The mapping of the cryptographic module’s roles services is in the table below: TABLE 6: ROLES, SERVICE COMMANDS, INPUT AND OUTPUT Crypto officer Crypto officer User User Indicator of success or failure User User Version User Encrypted or decrypted User Encrypted or decrypted User Message digest User authentication code
Roles and Authentication All roles are assumed implicitly based on the API that is currently being executed. TABLE 7: ROLES AND AUTHENTICATION N/A N/A All services listed in the table below can be accessed in approved mode and when in this mode exclusively use the security functions listed in Approved Algorithms. Notes on the content of Table 8: Approved Services: In the ‘Access Rights to Keys and/or SSPs’ column:
| Name | Description | Roles | Csps Accessed | ||
|---|---|---|---|---|---|
| Prepare the module for operation API Functions: • ssh_crypto_library_initialize • ssh_crypto_register_error_callback • ssh_crypto_get_certification_mode • ssh_crypto_set_certification_mode | Prepare the module for operation API Functions: • ssh_crypto_library_initialize • ssh_crypto_register_error_callback • ssh_crypto_get_certification_mode • ssh_crypto_set_certification_mode | Crypto Officer | N/A | N/A | N/A |
| Take the module out of operation API Functions: • ssh_crypto_free • ssh_crypto_library_uninitialize | Take the module out of operation API Functions: • ssh_crypto_free • ssh_crypto_library_uninitialize | Crypto Officer | N/A | N/A | N/A |
| Query the status of the module API Functions: • ssh_crypto_library_get_status • ssh_crypto_status_message | Query the status of the module API Functions: • ssh_crypto_library_get_status • ssh_crypto_status_message | User | N/A | N/A | N/A |
| Re-run pre-operational and conditional self-tests API Functions: • ssh_crypto_library_self_tests | Re-run pre-operational and conditional self-tests API Functions: • ssh_crypto_library_self_tests | User | HMAC Key for Module Integrity Check | AES- CBC, AES- CFB128, AES- ECB, AES- OFB, AES- GCM, SHA-1, SHA2- 256, SHA2- 512, HMAC- SHA-1, HMAC- SHA2- 256, HMAC- SHA2- 512 | E |
| Zeroize keys by freeing crypto operation state records API Functions: • ssh_cipher_free • ssh_mac_free | Zeroize keys by freeing crypto operation state records API Functions: • ssh_cipher_free • ssh_mac_free | User | AES Symmetric Keys HMAC Keys | N/A | Z |
| Query the version of the module API Functions: • ssh_crypto_library_get_version | Query the version of the module API Functions: • ssh_crypto_library_get_version | User | N/A | N/A | N/A |
Roles, Services, and Authentication TABLE 8: APPROVED SERVICES
Roles, Services, and Authentication Perform selftests
Roles, Services, and Authentication Perform zeroization
| Perform cryptography API Functions: • ssh_cipher_allocate • ssh_cipher_get_block_length • ssh_cipher_get_iv • ssh_cipher_get_iv_length • ssh_cipher_get_key_length • ssh_cipher_get_max_key_length • ssh_cipher_get_min_key_length • ssh_cipher_get_supported • ssh_cipher_has_fixed_key_length • ssh_cipher_is_fips_approved • ssh_cipher_name • ssh_cipher_set_iv • ssh_cipher_supported • ssh_cipher_transform • ssh_cipher_transform_remaining • ssh_cipher_transform_with_iv • ssh_cipher_get_block_len • ssh_cipher_auth_reset • ssh_cipher_auth_update • ssh_cipher_auth_final • ssh_cipher_auth_digest_length • ssh_cipher_is_auth • ssh_cipher_generate_iv_ctr • ssh_cipher_auth_digest_len | AES-CBC, AES- CFB128, AES-ECB, AES-GCM, AES-OFB | AES Symmetric Keys | User | W, E |
|---|
Roles, Services, and Authentication encryption and decryption
| Name | Description | Roles | Csps Accessed | ||
|---|---|---|---|---|---|
| Perform cryptography API Functions: See ‘Perform encryption and decryption (AES)’ | Perform cryptography API Functions: See ‘Perform encryption and decryption (AES)’ | User | AES Symmetric Keys | AES-GCM | W, E |
| Perform cryptography API Functions: • ssh_hash_allocate • ssh_hash_digest_length • ssh_hash_final • ssh_hash_free • ssh_hash_get_supported • ssh_hash_input_block_size • ssh_hash_is_fips_approved • ssh_hash_name • ssh_hash_reset • ssh_hash_supported • ssh_hash_update | Perform cryptography API Functions: • ssh_hash_allocate • ssh_hash_digest_length • ssh_hash_final • ssh_hash_free • ssh_hash_get_supported • ssh_hash_input_block_size • ssh_hash_is_fips_approved • ssh_hash_name • ssh_hash_reset • ssh_hash_supported • ssh_hash_update | User | N/A | SHA-1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2-512 | N/A |
| Perform cryptography API Functions: • ssh_mac_allocate • ssh_mac_final • ssh_mac_get_block_length • ssh_mac_get_max_key_length • ssh_mac_get_min_key_length • ssh_mac_get_supported • ssh_mac_is_fips_approved • ssh_mac_length • ssh_mac_name • ssh_mac_reset • ssh_mac_supported • ssh_mac_update | Perform cryptography API Functions: • ssh_mac_allocate • ssh_mac_final • ssh_mac_get_block_length • ssh_mac_get_max_key_length • ssh_mac_get_min_key_length • ssh_mac_get_supported • ssh_mac_is_fips_approved • ssh_mac_length • ssh_mac_name • ssh_mac_reset • ssh_mac_supported • ssh_mac_update | User | HMAC Keys | HMAC- SHA-1, HMAC- SHA2- 224, HMAC- SHA2- 256, HMAC- SHA2- 384, HMAC- SHA2-512 | W, E |
Roles, Services, and Authentication authenticated W, E SSH_CRYPTO_OK (0) from associated API secure hash (SHS) SHA2224, SHA2256, SHA2384, N/A N/A SSH_CRYPTO_OK (0) from associated API
Roles, Services, and Authentication message authentication
Software/Firmware Security
| Name | Strength | Generation | Establishment | Storage | Import Export | Zeroisation | |
|---|---|---|---|---|---|---|---|
| 128-256 bits | 128-256 bits | N/A | N/A | Plaintext in RAM | Plaintext Electronic Entry from App | AES-CBC, AES-CFB128, AES-ECB, AES- GCM, AES- OFB Cert. #A2166 | Zeroization API or Power Off |
| 112-256 bits | 112-256 bits | N/A | N/A | Plaintext in RAM | Plaintext Electronic Entry from App | HMAC-SHA-1, HMAC-SHA2- 224, HMAC- SHA2-256, HMAC-SHA2- 384, HMAC- SHA2-512 Cert. #A2166 | Zeroization API or Power Off |
| 256 bits | 256 bits | Pre-loaded (hard coded in module binary) | N/A | Plaintext in Persistent Storage | N/A | HMAC-SHA2- 256 Cert. # A2166 | Not Required per ISO 19780:2012 section 7.9.7, as it’s used solely for self- test purposes |
Sensitive Security Parameter Management TABLE 9: SSPS HMAC-SHA2224, HMACSHA2-256, HMAC-SHA2384, HMACSHA2-512 AES Symmetric N/A AES keys used for general encryption and decryption services HMAC keys used for general message authentication services N/A N/A Related SSPs: None Related SSPs: None N/A
Sensitive Security Parameter Management Module Integrity Check N/A N/A Related SSPs: None 7.5, this key is only used for the approved integrity technique, and as such is not considered an SSP. However, it has been included in this table for completeness.
| Name | Use Function | ||||
|---|---|---|---|---|---|
| Cryptographic | Operations | Test | Location | When | Indicator |
| Mechanism Tested | Performed | Performed | |||
| AES-CBC, AES-CFB128, AES-ECB, AES-OFB 128, 192, 256 | Encryption | Cert. #A2166 | Upon Library Load | ||
| AES-CBC, AES-CFB128, AES-ECB, AES-OFB 128, 192, 256 | Decryption | Cert. #A2166 | Upon Library Load | ||
| Cryptographic | Operations | Test | Location | When | Indicator |
| Mechanism Tested | Performed | Performed | |||
| AES-GCM 128 | Encryption | Cert. #A2166 | Upon Library Load | ||
| AES-GCM 128 | Decryption | Cert. #A2166 | Upon Library Load | ||
| SHA-1, SHA2-256, SHA2- 512 | Hashing | Cert. #A2166 | Upon Library Load | ||
| HMAC-SHA-1, HMAC- SHA2-256, HMAC-SHA2- 512 | MAC Generation, Verification | Cert. #A2166 | Upon Library Load |
| Test | Operations Performed | Indicator |
|---|---|---|
| HMAC-SHA2-256 Verify |
Self-Tests 10. Self-Tests 10.1. Pre-Operational Tests The pre-operational self-tests are run automatically when the module is loaded to confirm the software integrity, and to check the continued correct operation of each of the implemented cryptographic algorithms used in support of the integrity checks. User may initiate the on-demand pre-operational self-tests by calling the API function ssh_crypto_library_self_tests. While the module is running these self-tests, all data output interfaces are disabled until the successful completion of the self-tests. If one of the pre-operational self-tests fails or a conditional self-test fails, the module enters an error state. Error indicators are output on the status output interface specifying which self-test failed within the module. In this state, all cryptographic functions and data output via the module’s data output interfaces is inhibited. If the module is re-loaded, it will rerun all self-tests. Successful completion of the self-tests will clear the error state, and the module will return to the approved mode of operation. For any consecutive failure of the self-tests during reload, the module will remain in an error state. If the problem persists, CO intervention is required to either perform a restore to factory default settings and reinstall, or power-off the Forcepoint NGFW and contact Forcepoint Customer Support. TABLE 10: PRE-OPERATIONAL SELF-TESTS Kernel Module Integrity Test SSH_CRYPTO_TEST_INTEG_DI GEST or SSH_CRYPTO_TEST_INTEG_IN VALID and error state entry 10.2. Conditional Tests The module automatically performs conditional self-tests based on the module operation. These self-tests do not require operator input to initiate. Implemented conditional tests are in one of the following forms:
Life-Cycle Assurance KAT test for authenticated SSH_CRYPTO_TEST_CIPHER and error state entry KAT test for authenticated SSH_CRYPTO_TEST_CIPHER and error state entry KAT test for SSH_CRYPTO_TEST_HASH and error state entry KAT test for SSH_CRYPTO_TEST_MAC and error state entry 11. Life-Cycle Assurance 11.1. Installation The cryptographic module is delivered as part of the Forcepoint NGFW firmware for appliances and Forcepoint NGFW software installation package for virtualization platforms. The FIPS 140-3 validated Forcepoint NGFW Cryptographic Kernel Module version 3.0 is included in Forcepoint NGFW firmware and software installation package version 6.10.3.26158. The Forcepoint NGFW component providing the firewall and VPN capabilities on a Linux-based operating system is referred to as NGFW Engine. When NGFW Engine is initialized in approved mode of operation, the Forcepoint NGFW Cryptographic Kernel Module is loaded. Once loaded, the Forcepoint NGFW Cryptographic Kernel Module supports only the approved mode of operation. The following sections detail how to ensure that the validated version of the module is installed and being utilized by the Forcepoint NGFW. 11.1.1. Downloading the Forcepoint NGFW Cryptographic Kernel Module Forcepoint NGFW appliances are delivered in an operational state with the most recent firmware preinstalled. The NGFW firmware must be upgraded to a NGFW firmware version containing the FIPS 140-3 validated Forcepoint NGFW Cryptographic Kernel Module version 3.0 to be placed in the approved mode of operation. Note: Upgrading an appliance to a Forcepoint NGFW firmware version is necessary even if the same version was installed previously. This is required because the file system checksum is stored during the upgrade process. A method to update the firmware image with a SHA2-512 checksum signed with ECDSA P-521 is provided. Prior to installing the new image, its associated checksum is checked. If the signature check fails, the new firmware is ignored, and the current firmware remains loaded. If the signature check passes, the new image will be installed and executed after the appliance is restarted. Failure to follow this will result in the module operating in a non-compliant state.
Life-Cycle Assurance Forcepoint NGFW may also be installed on supported virtualization platforms. An existing virtual machine must be upgraded to a Forcepoint NGFW software version containing the FIPS 140-3 validated Forcepoint NGFW Cryptographic Kernel Module version 3.0 to be placed in the approved mode of operation by reinstalling the Forcepoint NGFW software. The installation file is downloaded as follows:
Life-Cycle Assurance 6. 7. 8. 9. b. For a multiprocessor system, type 2, then press Enter. Continue in one of the following ways: a. If you selected Full Install, type YES, then press Enter to accept automatic hard disk partitioning. b. If you selected Full Install in expert mode, install the engine in expert mode. The installation process starts. When the installation is ready press Enter to reboot. The virtual machine restarts and displays the installed version. Verify the NGFW software version to ensure that the correct NGFW software version is loaded. 11.2. Setting up a FIPS-Compatible Configuration on the Engine To configure the NGFW Engine:
Life-Cycle Assurance 11.4. Secure Initialization The cryptographic module is initialized by loading the kernel module before any cryptographic functionality is available. The kernel module is loaded as follows: # modprobe qcl_fips.ko • qcl_fips.ko is the name of the kernel module The operation is performed automatically by the Forcepoint NGFW engine when configured to operate in the approved mode. 11.5. Secure Sanitization The stored keys and CSPs are zeroized when the application calls the appropriate API function: ssh_cipher_free and ssh_mac_free. It is the calling application’s responsibility to call the zeroization API function to zeroize the keys and CSPs. Temporary key material is zeroized automatically by the module when no longer needed. All keys and CSPs can be zeroized by powering off the platform where the module is running. 11.6. Guidance 11.6.1. Identifying the Module Version The version of the module (3.0) is stored within the module binary itself (qcl_fips.ko), and is made available to a calling application via the API call ssh_crypto_library_get_version. 11.6.2. Non-Approved Mode of Operation The module does not support a non-approved mode of operation. 11.6.3. Resetting the Engine to Factory Default Settings Resetting the engine to factory default settings is not part of the normal installation procedure. There is no need to reset the engine to factory default settings before starting to use it for the first time. These instructions can be used to reset the engine to factory default settings when necessary, such as when initial configuration has been completed without enabling the Restricted FIPS-compatible operating mode, during use, or when the engine is being removed from use. To reset the engine to factory default settings:
If you selected Custom, enter the number of overwrite passes. A larger number of overwrites is more secure, but it may take a considerable amount of time depending on the engine storage capacity. 11.6.4. Recovering from a FIPS 140 Self-test Failure If the FIPS 140 power-up self-tests fail, or the engine does not enter FIPS-compatible operating mode, the engine must be reset to factory default settings and reinstalled according to these instructions. Begin by Resetting the engine to factory default settings.
Mitigation of Other Attacks To recover from a FIPS 140 self-test failure: