Security Policy, page by page
FortiClient Crypto Library Document Version: 4.1 Publication Date: Thursday, October 3, 2024 Software Version: 7.0.2 Fortinet Technologies Inc.
FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://fortiguard.com/ END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: techdoc@fortinet.com FortiClient Crypto Library FIPS 140-3 Security Policy 04-708-802275-20241003 last page of this document FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Table of Contents
| # | Section | Page |
|---|
| 1.0 | General | 6 |
| 1.1 | Overview | 6 |
| 1.2 | Security Levels | 6 |
| 1.3 | Additional Information | 7 |
| 2.0 | Cryptographic Module Specification | 8 |
| 2.1 | Module Description | 8 |
| 2.1.1 | Description | 8 |
| 2.1.2 | Purpose or Use | 8 |
| 2.1.3 | Module Type | 8 |
| 2.1.4 | Module Embodiment | 8 |
| 2.1.5 | Module Characteristics | 8 |
| 2.1.6 | Cryptographic Boundary | 8 |
| 2.1.7 | Tested Operational Environment’s Physical Perimeter | 9 |
| 2.1.8 | Diagram, Schematic, or Photograph | 9 |
| 2.2 | Version Information | 10 |
| 2.3 | Operating Environments | 10 |
| 2.3.1 | Hardware OEs | 10 |
| 2.3.2 | Software, Firmware, Hybrid OEs | 10 |
| 2.3.3 | Executable Code List | 11 |
| 2.3.4 | Vendor Affirmed Operating Environments | 11 |
| 2.4 | Excluded Components | 11 |
| 2.5 | Modes of Operation | 11 |
| 2.5.1 | Modes List and Description | 11 |
| 2.5.2 | Mode Change Instructions | 12 |
| 2.5.3 | Degraded Mode | 12 |
| 2.6 | Algorithms | 12 |
| 2.6.1 | Approved Algorithms | 12 |
| 2.6.2 | Vendor Affirmed Algorithms | 14 |
| 2.6.3 | Non-Approved, Allowed Algorithms | 14 |
| 2.6.4 | Non-Approved, Allowed Algorithms with No Security Claimed | 14 |
| 2.6.5 | Non-Approved, Not Allowed Algorithms | 15 |
| 2.7 | Security Function Implementations | 15 |
| 2.8 | Algorithm Specific Information | 20 |
| 2.9 | RNG and Entropy | 20 |
| 2.9.1 | Entropy Information | 20 |
| 2.9.2 | RNG Information | 21 |
| 2.10 | Key Generation | 21 |
| 2.11 | Key Establishment | 21 |
| 2.11.1 | Key Agreement Information | 21 |
| 2.11.2 | Key Transport Information | 21 |
| 2.12 | Industry Protocols | 21 |
| 2.13 | Design and Rules | 21 |
| 2.14 | Initialisation | 22 |
| 2.15 | Additional Information | 22 |
| 3.0 | Cryptographic Module Interfaces | 23 |
| 3.1 | Ports and Interfaces | 23 |
| 3.2 | Trusted Channel Specification | 23 |
| 3.3 | Control Interface Not Inhibited | 23 |
| 3.4 | Additional Information | 23 |
| 4.0 | Roles, Services, and Authentication | 24 |
| 4.1 | Authentication Methods | 24 |
| 4.2 | Roles | 24 |
| 4.3 | Approved Services | 24 |
| 4.4 | Non-Approved Services | 27 |
| 4.5 | External Software/Firmware Loaded | 27 |
| 4.6 | Bypass Actions and Status | 27 |
| 4.7 | Cryptographic Output Actions and Status | 27 |
| 4.8 | Additional Information | 27 |
| 5.0 | Software/Firmware Security | 28 |
| 5.1 | Integrity Techniques | 28 |
| 5.2 | Initiate on Demand | 28 |
| 5.3 | Open Source Parameters | 28 |
| 5.4 | Non-Reconfigurable Memory End of Life Procedures | 28 |
| 5.5 | Additional Information | 28 |
| 6.0 | Operational Environment | 29 |
| 6.1 | Operational Environment Type and Requirements | 29 |
| 6.2 | Configuration Settings and Restrictions | 29 |
| 6.3 | Additional Information | 29 |
| 7.0 | Physical Security | 30 |
| 8.0 | Non-Invasive Security | 31 |
| 9.0 | Sensitive Security Parameters Management | 32 |
| 9.1 | Storage Areas | 32 |
| 9.2 | SSP Input/Output Methods | 32 |
| 9.3 | SSP Zeroization Methods | 32 |
| 9.4 | SSPs | 33 |
| 10.0 | Self-Tests | 36 |
| 10.1 | Pre-Operational Self-Tests | 36 |
| 10.2 | Conditional Self-Tests | 37 |
| 10.3 | Periodic Self-Test Information | 40 |
| 10.4 | Error States | 40 |
| 10.5 | Operator Initiation Self-Test | 40 |
| 10.6 | Additional Information | 41 |
| 11.0 | Life-Cycle Assurance | 42 |
| 11.1 | Startup Procedures | 42 |
| 11.2 | Administrator Guidance | 43 |
| 11.3 | Non-Administrator Guidance | 43 |
| 11.4 | Maintenance Requirements | 43 |
| 11.5 | End of Life | 43 |
| 11.6 | Additional Information | 43 |
| 12.0 | Mitigation of Other Attacks | 44 |
| 1 | General | 1 |
| 2 | Cryptographic module specification | 1 |
| 3 | Cryptographic module interfaces | 1 |
| 4 | Roles, services and authentication | 1 |
| 5 | Software/Firmware security | 1 |
| 6 | Operational environment | 1 |
| 9 | Sensitive security parameter management | 1 |
| 10 | Self-tests | 1 |
| 11 | Life-cycle assurance | 1 |
FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Security level
| Name | ISO Section | Requirement | Level |
|---|
| 1 | 1 | General | 1 |
| 3 | Cryptographic module interfaces | 1 |
|---|
| 5 | Software/Firmware security | 1 |
|---|
| 9 | Sensitive security parameter management | 1 |
|---|
1.1. Overview This document is a FIPS 140-3 Security Policy for Fortinet's FortiClient Crypto Library, version 7.0.2. This policy describes how the FortiClient Crypto Library (hereafter referred to as the ‘module’) meets the FIPS 140-3 security requirements and how to operate the modules in a FIPS compliant manner. This policy was created as part of the FIPS 140-3 Level 1 validation of the module. The Federal Information Processing Standards Publication 140-3 - Security Requirements for Cryptographic Equipment (FIPS 140-3) details the United States Federal Government requirements for cryptographic equipment. Detailed information about the FIPS 140-3 standard and validation program is available on the NIST (National Institute of Standards and Technology) website at https://csrc.nist.gov/projects/cryptographic-modulevalidation-program. 1.2. Security Levels The module meets the overall requirements for a FIPS 140-3 Level 1 validation . Table 1: Security Levels Roles, services and authentication Operational environment N/A Non-invasive security N/A Self-tests Mitigation of other attacks N/A Overall FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
1.3. Additional Information This policy deals specifically with operation and implementation of the modules in the technical terms of the FIPS 140-3 standard and the associated validation program. Other Fortinet product manuals, guides and technical notes can be found at the Fortinet technical documentation website at https://docs.fortinet.com. Additional information on the entire Fortinet product line can be obtained from the following sources:
- Find general product information in the product section of the Fortinet corporate website at https://www.fortinet.com/products.
- Find on-line product support for registered products in the technical support section of the Fortinet corporate website at https://support.fortinet.com/.
- Find contact information for technical or sales related questions in the contacts section of the Fortinet corporate website at https://www.fortinet.com/contact.
- Find security information and bulletins in the FortiGuard Center of the Fortinet corporate website at https://wwww.fortiguard.com. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
2.0 Cryptographic Module Specification
2.1. Module Description 2.1.1. Description The FortiClient Crypto Library (hereafter referred to as the module) is a software cryptographic module that provides cryptographic services for FortiClient, Fortinet’s endpoint security application. FortiClient and the module are designed to execute on a general purpose computer (GPC) hardware platform. The module has no physical characteristics and relies on the physical characteristics of the GPC on which it runs. The module is a component of the FortiClient software and requires the following:
- A commercially available, general purpose, x86 compatible computer
- Windows 10
- Araneus Alea II entropy token
- Microsoft EMS server The purpose of the module is providing cryptographic services for FortiClient. 2.1.2. Purpose or Use This module provides cryptographic services for FortiClient, Fortinet’s endpoint security application for Microsoft Windows. 2.1.3. Module Type This module is a software cryptographic module. 2.1.4. Module Embodiment The module is classified as a multi-chip standalone cryptographic module. 2.1.5. Module Characteristics Please refer to Section 2 of the Security Policy. 2.1.6. Cryptographic Boundary The module's cryptographic boundary encompasses the following FortiClient software binaries:
- FCCryptd.exe
- FCCrypt.dll, which serves as a wrapper for:
- libcrypto-1_1.dll (32bit version) or libcrypto-1_1.dll-x64.dll (64bit version)
- libssl-1_1.dll (32bit version) or libssl-1_1-x64.dll (64bit version) FortIPS.sys FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
2.1.7. Tested Operational Environment’s Physical Perimeter The TOEPP refers to the physical perimeter of the chassis of the general-purpose computer (GPC) on which the module is running. 2.1.8. Diagram, Schematic, or Photograph Figure 1: Physical Perimeter of the TOEPP The entire box in Figure 1 represents the TOEPP, while the gray boxes within the TOEPP represent the cryptographic boundary. For details on the cryptographic boundary and the Tested Operational Environment's Physical Perimeter, please refer to sections 2.1.6 and 2.1.7, respectively. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Module configuration
| Name | Operating System | Hardware Platform | Processor | Paa Pai |
|---|
| Microsoft Windows 10 (64-bit) | Microsoft Windows 10 (64-bit) | Dell XPS 8700 | Intel Core i7-4770 | N/A |
2.2. Version Information The validated FortiClient Crypto Library version is 7.0.2. To verify the installed version, open a Windows Command Prompt window as an administrator and run the following command:
- fccryptd.exe fips version The command runs the software integrity test and displays the module version as shown in the following image. Figure 2: Module Version Output 2.3. Operating Environments 2.3.1. Hardware OEs Not Applicable. FortiClient is a level 1 Software Module. 2.3.2. Software, Firmware, Hybrid OEs The FortiClient Crypto Library module is a software module and is considered as a modifiable OE. The FortiClient module was tested on the following platform(s). Table 2: Operating Environments
- Software/Firmware/Hybrid N/A FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Module configuration
| Name | Operating System | Hardware Platform | Firmware Version | Package | Integrity Test |
|---|
| Fccryptd.exe | | | Software version: 7.0.2 | Fccryptd.exe | RSA-3072 |
| Microsoft Windows 10 | Microsoft Windows 10 | GPC with x86 or x86-64 bit processor | | | |
Module configuration
| Name | Operating System | Hardware Platform | Firmware Version | Package | Integrity Test |
|---|
| Fccryptd.exe | | | Software version: 7.0.2 | Fccryptd.exe | RSA-3072 |
| Microsoft Windows 10 | Microsoft Windows 10 | GPC with x86 or x86-64 bit processor | | | |
| Fortips.sys | Software version: 7.0.2 | RSA-3072 |
|---|
2.3.3. Executable Code List Table 3: Executable Code Sets
- Software/Firmware/Hybrid Fccryptd.dll 2.3.4. Vendor Affirmed Operating Environments Fortinet vendor affirms the following operating environments. Note: No claim can be made as to the correct operation of the module or the security strengths of the generated keys when ported to an OE which is not listed on the validation certificate. Table 4: Vendor Affirmed Operating Environments 2.4. Excluded Components None. 2.5. Modes of Operation 2.5.1. Modes List and Description The module does not support multiple modes of operation. The validated configuration of the module meets the FIPS 140-3 requirements by default once the startup procedures described in section 11.1 have been performed - i.e. the module has no approved mode that can be enabled or disabled by the user or local administrator and is always in the approved mode of operation. The module assumes Microsoft EMS server usage for FortiClient deployment package creation, providing centralized management and deployment services, and is included in the FortiClient software package. The FortiClient deployment package is created on the EMS server with "FIPS" selected as an option and then deployed to the client PC. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Description | Indicator | FIPS |
|---|
| FIPS Deployed Package | The module is deployed as a FIPS | Run the command: fccryptd.exe fips version | Approved |
Approved algorithm
| Name | CAVP Cert | Mode Method | Key Size | Use Function | | |
|---|
| AES-CBC | A3419 | CBC | | Encryption/Decryption | Key Length: 128, 192, 256 | |
| Counter DRBG SP 800-90Arev1 | A3419 | Counter-Based | Prediction Resistance: No | | | Random Bit Generation |
| ECDSA KeyVer | A3419 | ECDSA KeyVer | Curve: K-233, P-256, P-384, P- 521 | | | Public Key Validation |
| ECDSA SigVer | A3419 | ECDSA SigVer | Curve: P-256, P-384, P-521 | | | Digital Signature Verification |
| (FIPS186-4) | | | Hash Algorithms: SHA2-256, | | | |
| FIPS 186-4 | | | SHA2- 384, SHA2-512 | | | |
| HMAC-SHA2-256 | A3419 | SHA2-256 | MAC Length: 256 | | | Message Authentication |
| FIPS PUB 198-1 | | | Key Length: 112-1024 | | | |
Approved algorithm
| Name | CAVP Cert | Mode Method | Key Size | Use Function | | |
|---|
| AES-CBC | A3419 | CBC | | Encryption/Decryption | Key Length: 128, 192, 256 | |
| Counter DRBG SP 800-90Arev1 | A3419 | Counter-Based | Prediction Resistance: No | | | Random Bit Generation |
| ECDSA KeyVer | A3419 | ECDSA KeyVer | Curve: K-233, P-256, P-384, P- 521 | | | Public Key Validation |
| ECDSA SigVer | A3419 | ECDSA SigVer | Curve: P-256, P-384, P-521 | | | Digital Signature Verification |
| (FIPS186-4) | | | Hash Algorithms: SHA2-256, | | | |
| FIPS 186-4 | | | SHA2- 384, SHA2-512 | | | |
| HMAC-SHA2-256 | A3419 | SHA2-256 | MAC Length: 256 | | | Message Authentication |
| FIPS PUB 198-1 | | | Key Length: 112-1024 | | | |
Table 5: Modes of Operation 2.5.2. Mode Change Instructions The module only supports one mode of operation. 2.5.3. Degraded Mode The module does not support a degraded mode of operation. Table 6: Approved Algorithms for Fccrypd.exe AES-ECB ECDSA KeyGen ECB ECDSA KeyGen ECDSA SigGen ECDSA SigGen HMAC-SHA-1 SHA-1 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|
| HMAC-SHA2-512 | A3419 | SHA2-512 | MAC Length: 512 | Message Authentication |
| FIPS PUB 198-1 | | | Key Length: 112-1024 | |
| KAS-ECC-SSC | A3419 | Scheme: | P-256, P-384, P-521 | Shared Secret |
| SP 800-56Arev3 | | ephemeralUnified | | Computation |
| PBKDF SP 800-132 (Option 1b) | A3419 | PBKDF2 | HMAC-SHA-1 | Password-Based Key Derivation |
| RSA SigGen (FIPS186- | A3419 | RSA SigGen | Modulo Sizes: 2048, 3072, 4096 | Digital Signature Generation |
| SHA-1 | A3419 | SHA-1 | Message Length: 0-65528 | Message Digest |
| FIPS 180-4 | | | Increment 8 | |
| SHA2-384 | A3419 | SHA2-384 | Message Length: 0-65528 | Message Digest |
| FIPS 180-4 | | | Increment 8 | |
| SHA3-512 | A3419 | 1 SHA3-512 | Message Length: 0-65528 | Message Digest |
| FIPS 180-4 | | | Increment 8 | |
Sp800-56Arev3 SHA3-5121 Scheme: dhEphem ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 RSA KeyGen (FIPS1864) RSA KeyGen RSA SigVer Verification SHA3-5121 MODP ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Prime Generation RSA SigVer (FIPS1864) Safe Primes Key Appendix D Note: SHA3-256, SHA3-384, HMAC SHA3-256 and HMAC SHA3-384 are CAVP tested, but not used by any service within the module. Note: Keys derived from passwords, as described in SP 800-132, may only be used in storage applications. Note: The recommended iteration count of 1000 is used, as per SP 800-132. Legacy usage only. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | CAVP Cert | Mode Method | Use Function | | |
|---|
| AES-CBC | A4688 | CBC | Encryption/Decryption | Key Length: 128, 192, 256 | |
| SHA2-384 | A4688 | | Message Authentication | MAC Length: 384 | HMAC-SHA2-384 |
| FIPS PUB 198-1 | | | | Key Length: 112-1024 | FIPS PUB 198-1 |
| SHA2-256 | A4688 | | Message Digest | Message Length: 0-65528 | SHA2-256 |
| FIPS 180-4 | | | | Increment 8 | FIPS 180-4 |
| SHA2-512 | A4688 | | Message Digest | Message Length: 0-65528 | SHA2-512 |
| FIPS 180-4 | | | | Increment 8 | FIPS 180-4 |
| OE | Algorithm | | | Reference | Algorithm Properties |
| Microsoft Windows 10 running on a Dell XPS 8700 with an Intel Core i7-4770(Haswell) | CKG (Asymmetric) | | Section 5.1 and 5.2 of SP 800- | | Key Type: Asymmetric |
Approved algorithm
| Name | CAVP Cert | Mode Method | Use Function | | |
|---|
| AES-CBC | A4688 | CBC | Encryption/Decryption | Key Length: 128, 192, 256 | |
| SHA2-384 | A4688 | | Message Authentication | MAC Length: 384 | HMAC-SHA2-384 |
| FIPS PUB 198-1 | | | | Key Length: 112-1024 | FIPS PUB 198-1 |
| SHA2-256 | A4688 | | Message Digest | Message Length: 0-65528 | SHA2-256 |
| FIPS 180-4 | | | | Increment 8 | FIPS 180-4 |
| SHA2-512 | A4688 | | Message Digest | Message Length: 0-65528 | SHA2-512 |
| FIPS 180-4 | | | | Increment 8 | FIPS 180-4 |
| OE | Algorithm | | | Reference | Algorithm Properties |
| Microsoft Windows 10 running on a Dell XPS 8700 with an Intel Core i7-4770(Haswell) | CKG (Asymmetric) | | Section 5.1 and 5.2 of SP 800- | | Key Type: Asymmetric |
Table 7: Approved Algorithms for FortIPS.sys 2.6.2. Vendor Affirmed Algorithms Table 8: Vendor Affirmed Algorithms (Symmetric) 2.6.3. Non-Approved, Allowed Algorithms None. 2.6.4. Non-Approved, Allowed Algorithms with No Security Claimed None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Description | Approved Functions | Type | Properties | Algorithm Properties |
|---|
| AES for Symmetric Encryption/Decryption (FCT Library) | Encryption/Decryption | AES-CBC | BC-UnAuth | Publication: SP 800-38A | Key Sizes: AES-CBC: 128, 192, 256 AES-ECB: 128 |
Approved algorithm
| Name | Key Size | | | | |
|---|
| Counter DRBG (FortiClient 7.0.2 Crypto Library for Windows) | Deterministic Random Bit Generation | DRBG | DRBG | Publication: SP 800- 90Arev1 | 256-bit AES- |
| ECDSA KeyVer | ECDSA Public Key Verification | ECDSA for Key Verification | AsymKeyPa ir-KeyVer | Publication: FIPS 186-4 | Curve: K-233, P-256, P-384, P-521 |
2.6.5. Non-Approved, Not Allowed Algorithms None. 2.7. Security Function Implementations Table 9: Security Function Implementations (IPSec Driver) IPSec Crypto ir-KeyGen Key Generation of the ECDSA KeyGen CKG (Asymmetric) ECDSA SigGen DigSigSigGen ECDSA Signature SHA2-256 SHA2-384 SHA2-512 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | Key Size | Use Function | | | |
|---|
| Publication: FIPS 186-4 | Curve: P-256, P-384, P-521 | ECDSA for Signature Verification | DigSig- SigVer | ECDSA Signature Verification for the ECDSA Public Key | ECDSA SigVer |
| Name | Type | Description | SF Properties | Algorithms | Algorithm Properties |
|---|
DigSigSigVer HMAC-SHA-1 HMAC for Keyed Hash Operations (FCT MAC Message Authentication HMAC-SHA3-512 MAC Lengths: 160, SHA-1 (FortiClient SHA3-512 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | Use Function | | | | |
|---|
| Publication: FIPS 198-1 | Message Authentication | HMAC for Keyed Hash Operations (IPSec Driver) | MAC | HMAC-SHA2-256 | MAC Lengths: 256, 384, 512 |
| Publication: SP 800- 56Arev3 | DH Shared Secret Computation | FFC-SSC | KAS-SSC | KAS-FFC-SSC Sp800-56Arev3 (FortiClient 7.0.2 Crypto Library for Windows) | Safe Primes: |
Sensitive security parameter
| Name | Strength | Generation |
|---|
| of the RSA Private | (FIPS186-4) | of the RSA Private |
| Key and RSA Public | (FortiClient 7.0.2 | Key and RSA Public |
ECC-SSC Curves: P256, P-384, P-521 PBKDF PBKDF PBKDF Password-Based Key Derivation HMAC-SHA-1 HMAC-SHA-1 Password Length: 8-105 SHA-1 (FortiClient FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | Use Function | | | | |
|---|
| Publication: FIPS 186-4 | RSA for Signature Verification | DigSig- SigVer | RSA Signature Verification for the RSA Public Key | RSA SigVer | Modulo Sizes: 1024 [Legacy], 2048, 3072, 4096 |
RSA SigGen Generation DigSigSigGen DigSigSigVer Digest (FCT Library) Message Digest FIPS 202 Message Length: 065528 Increment 8 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | Use Function | | | | |
|---|
| Publication: SP 800- 56Arev3 | Safe Prime Key Generation | AsymKeyPa ir- SafePri | Key Generation for all module services that utilize KAS-FFC-SSC | Safe Primes Key Generation (FortiClient 7.0.2 Crypto Library for Windows) | Safe Primes: |
| Name | Type | Description | SF Properties | Algorithms | Algorithm Properties |
|---|
| SHA for Message Digest (IPSec Driver) | SHA | Message Digest | Publication: FIPS 180-4, FIPS 202 | SHA2-256 | Message Length: 0- 65528 Increment 8 |
|---|
| | | | (FortiClient 7.0.2 | |
| | | | IPSec Crypto | |
| | | | Library for | |
| | | | Windows) | |
| | | | SHA2-384 | |
| | | | (FortiClient 7.0.2 | |
| | | | IPSec Crypto | |
| | | | Library for | |
| | | | Windows) | |
| | | | SHA2-512 | |
| | | | (FortiClient 7.0.2 | |
| | | | IPSec Crypto | |
| | | | Library for | |
| | | | Windows) | |
SHA3-512 Length: 065528 RSA and SHA for Integrity Test DigSigSigGen, RSA and SHA for the pre-operational integrity tests. FIPS 186-4 RSA SigVer (FIPS186-4) Modulo Size: FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
2.8. Algorithm Specific Information Symmetric Keys: The module generates symmetric keys as per section 6.2.3 of SP 800-133rev2 using PBKDF2 (Password Based Key Derivation Function). PBKDF: PBKDF2 uses HMAC-SHA-1 and a 128-bit salt to derive keys, which are used solely for storage purposes, in accordance with SP 800-132 and IG D.N. The probability of guessing a password at random (S) is equal to the Character Pool Size (C) raised to the power of the number of characters in the password (N). The Character Pool Size (C) is 95, as the password can contain lowercase (a- z) [26], uppercase (A-Z) [26], digits (0-9) [10], and special characters (!"$,) [33]. The minimum password length is 8 characters and is enforced. However, there is no constraint on the number of times a character is used from the character pool. Therefore, the probability of guessing a password (S) is between 95^8 and 95^105
- i.e. using an 8 character password the probability of guessing the password is 1 in 6,634,204,312,890,625. Asymmetric Keys: ECDSA and RSA key generation are performed using the approved Counter DRBG provided in accordance with Section 4 of SP 800-133rev2. For ECDSA, the elliptic curve is selected with appropriate base order to meet SP 800-57 Part 1 requirements. 2.9. RNG and Entropy 2.9.1. Entropy Information The module uses an entropy token (Araneus Alea II) to seed the DRBG during the modules’ boot process and to periodically reseed the DRBG. The entropy token is not within the TOEPP (per IG 9.5.A) of the module; therefore, no assurance can be made regarding the correct operation of the entropy token, nor is there a guarantee of the stated entropy. Entropy Strength The entropy loaded into the approved AES-256 bit DRBG is 256 bits Reseed Period The DRBG is seeded from the entropy token during the boot process and then reseeded periodically. The default reseed period is once every 24 hours (1440 minutes) and is configurable (1 to 1440 minutes). The entropy token must be installed to complete the boot process and to reseed the DRBG. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
| Entropy Sources | Minimum Number of Bits of Entropy | Details | |
|---|
| Araneus Alea II USB token | 256 | | The Entropy Input String is 256 bits and expected |
| | | to provide Full Entropy. |
| | | The module requests 10240 bits of data from the |
| | | token and passes it through SHA2-256 (A3419) |
| | | before seeding the DRBG with the 256-bit output. |
| | | This 256-bit input is expected to provide 256-bits |
| | | of entropy from the external token. |
| | | No assurance of the minimum strength of |
| | | generated SSPs (e.g., keys) |
| | | IG 9.3.A Scenario 1c |
Table 10: Entropy Sources 2.9.2. RNG Information The module uses the approved Counter DRBG as per section 10.2.1 of SP 800-90Arev1, which is seeded using the entropy source described in section 2.9.1 of the Security Policy to generate random numbers. 2.10. Key Generation The module complies with Section 4, 5, 6.1, and 6.2.3 of SP 800-133rev2, where the module uses its Approved DRBG to generate random values and seeds used for symmetric and asymmetric key generation. The resulting symmetric key or generated seed is an unmodified output from the DRBG. 2.11. Key Establishment 2.11.1. Key Agreement Information For KAS-ECC-SSC, elliptic-curve groups approved for use by the key-establishment schemes specified in SP 800-56Arev3 Appendix D are used. For KAS-FFC-SSC, an approved safe prime group listed in SP 800-56A rev3 Appendix D is used. 2.11.2. Key Transport Information None. 2.12. Industry Protocols None. 2.13. Design and Rules Refer to section 11.1 ‘Startup Procedures’ for Installation process. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
2.14. Initialisation Refer to section 11.1 ‘Startup Procedures’ for Installation process. 2.15. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Ports and interfaces
| Name | Physical Port | Logical Interface | Data That Passes |
|---|
| N/A | N/A | Data Input | API input parameters for data- plain text and |
| N/A | Control Input | API input commands from FortiClient application, |
|---|
| | entropy input |
3.0 Cryptographic Module Interfaces
3.1. Ports and Interfaces FortiClient is a software module and therefore does not have physical interfaces. FortiClient's logical interfaces and the types of data passed over the interfaces are described below. Table 11: Ports and Interfaces N/A Data Output API output parameters for data- encrypted or decrypted, digital signatures, hashes Status Output API return values to the FortiClient application N/A N/A N/A Note: Data I/O occurs between the FortiClient application and the crypto module. All the data output via data output interface is inhibited when the module is performing pre-operational tests, zeroization, or enters an error state. The module does not support a control output interface 3.2. Trusted Channel Specification Not Applicable (Level 1 Module) 3.3. Control Interface Not Inhibited Not Applicable. Entering the error mode shuts down the module (and the FortiClient application) completely. See 10.4 (Error States) for more information. 3.4. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Role Access | Type | Authentication Methods |
|---|
| Crypto-Officer | CO | Role | N/A |
4.0 Roles, Services, and Authentication
The FortiClient module does not claim any authentication methods as it is a FIPS 140-3 level 1 software module. 4.2. Roles The module provides the following roles:
- A User with Windows administrative privileges assumes the "Crypto Officer Role". Multiple accounts can be logged in to the Windows PC, but only one account (and therefore only one role) can be active at a time through Windows user switching. The module does not provide a Maintenance role. Table 12: Roles N/A 4.3. Approved Services The following tables detail the types of approved services available to each role in approved mode of operation, the types of access for each role and the Keys or CSPs they affect. Generate G Read Access R Write Access W Execute Access E Zeroize Z FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Description | Roles | Role Access | Csps Accessed | Indicator | Input | Output | | Derive Key Via PBKDF2 | API Call Parameters | Key is Derived | PBKDF SHA for Message Digest (FCT Library) HMAC for Keyed Hash Operations (FCT Library) | CO |
|---|
| Asymmetric Key Generation | RSA and ECDSA Keys are Generated | CO | | ECDSA Public | Successful completion of service. IG 2.4.C, Scenario 2 | API Call Parameters | Asymmetric Key Generated | ECDSA for Key Generation ECDSA for Key Verification RSA for key Generation | | | | | |
| Successful | | | FortiClient module installed on the GPC | N/A | | | | | Install | Windows GUI | FortiClient installed on GPC | N/A | CO |
| completion | | | SSC and | Secret Keys: | | | | | | | | ECDSA for Key | |
| of service. | | | KAS-ECC- | G, E | | | | | | | | Generation | |
| IG 2.4.C, | | | SSC are | ECDH Private | | | | | | | | FFC-SSC | |
Service
| Name | Description | Roles | Role Access | Csps Accessed | Indicator | Input | Output | | Derive Key Via PBKDF2 | API Call Parameters | Key is Derived | PBKDF SHA for Message Digest (FCT Library) HMAC for Keyed Hash Operations (FCT Library) | CO |
|---|
| Asymmetric Key Generation | RSA and ECDSA Keys are Generated | CO | | ECDSA Public | Successful completion of service. IG 2.4.C, Scenario 2 | API Call Parameters | Asymmetric Key Generated | ECDSA for Key Generation ECDSA for Key Verification RSA for key Generation | | | | | |
| Successful | | | FortiClient module installed on the GPC | N/A | | | | | Install | Windows GUI | FortiClient installed on GPC | N/A | CO |
| completion | | | SSC and | Secret Keys: | | | | | | | | ECDSA for Key | |
| of service. | | | KAS-ECC- | G, E | | | | | | | | Generation | |
| IG 2.4.C, | | | SSC are | ECDH Private | | | | | | | | FFC-SSC | |
Table 13: Approved Services Backup / Restore Back and Restore configuration Configuration Backed Up or Restored N/A Execute Manual Self-Tests Manual SelfTests are executed generated to provide authentication Initialize CLI Command Self-Test results displayed in Command Prompt Window Integrity Test N/A R, G G, R E E N/A N/A E, G N/A N/A Initialized as startup N/A Software Integrity Key: E G, E FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Input | | Random Bit Generation | API Call Parameters | Random bits generated | DRBG | CO |
|---|
| Implementations | | | Access | Implementations | | | | | | | | |
| using FFC DH and ECC respectively | using FFC DH and ECC respectively | | Keys: G, E | Safe Prime Key | Scenario 2 | | Safe Prime Key Generation | | | | | |
| Successful | | Crypto Module version shown | | | | N/A | | Show Version Information | Windows CLI command | Show | N/A | CO |
| completion | | | | | | | | | | FortiClient | | |
| of service. | | | | | | | | | | crypto | | |
| IG 2.4.C, | | | | | | | | | | module | | |
| Scenario 2 | | | | | | | | | | version | | |
Service
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Input | | Random Bit Generation | API Call Parameters | Random bits generated | DRBG | CO |
|---|
| Implementations | | | Access | Implementations | | | | | | | | |
| using FFC DH and ECC respectively | using FFC DH and ECC respectively | | Keys: G, E | Safe Prime Key | Scenario 2 | | Safe Prime Key Generation | | | | | |
| Successful | | Crypto Module version shown | | | | N/A | | Show Version Information | Windows CLI command | Show | N/A | CO |
| completion | | | | | | | | | | FortiClient | | |
| of service. | | | | | | | | | | crypto | | |
| IG 2.4.C, | | | | | | | | | | module | | |
| Scenario 2 | | | | | | | | | | version | | |
G, E Perform Digital Signature Digital Signature using RSA and ECDSA asymmetric ECDSA for Signature Digital Signature Performed ECDSA for Signature Verification ECDSA Public ECDSA G, E RSA Public RSA for Signature RSA Private RSA for Signature Verification A counterbased random G, E G, R Status Module Status Displayed Decryption used to encrypt plaintext and decrypt ciphertext GUI Approved mode Console) N/A N/A N/A N/A Perform Decryption E E All Keys: Z Zeroize All Sensitive GUI/CLI Stored SSPs zeroized and N/A FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Csps Accessed | Approved Functions |
|---|
| Implementations | Access | Implementations |
Parameters are zeroized of service. IG 2.4.C, Scenario 2 FortiClient restored to factory settings. 4.4. Non-Approved Services None. 4.5. External Software/Firmware Loaded None. The module does not use or require external software or firmware components. 4.6. Bypass Actions and Status None. The module does not implement a bypass mode. 4.7. Cryptographic Output Actions and Status None. The module does not support self-initiated cryptographic output. 4.8. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
5.0 Software/Firmware Security
5.1. Integrity Techniques The module uses an RSA PKCS1.5 3072 with SHA2-256 (Cert. #3419) signatures to verify the integrity of its binaries. The integrity check runs automatically when FortiClient starts, but it can also be triggered manually (on demand) from the Windows command prompt using the following command : fccryptd.exe fips kat integrity If the tests passes, the results are output to the command prompt window. If the tests fail, FortiClient will log the failure and shuts down. See Section 10.4 (Error States) for more information. 5.2. Initiate on Demand Refer to section 10.5 (Operator Initiation Self-Test) for more information. 5.3. Open Source Parameters Not Applicable, the module is delivered as a compiled executable. 5.4. Non-Reconfigurable Memory End of Life Procedures Not Applicable. 5.5. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
6.0 Operational Environment
6.1. Operational Environment Type and Requirements The FortiClient module operates in a modifiable operational environment and runs on a commercially available GPC. For specific information regarding the operational environment, please refer to section 2.3.1. There are no user-configurable settings for the module. For more details on the installation process, please refer to section 11.1. 6.2. Configuration Settings and Restrictions None. 6.3. Additional Information Since the operating environment (Windows) lets users install new software, the module falls under the category of a modifiable OE. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
7.0 Physical Security
Not applicable. FortiClient is a level 1 software module. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
8.0 Non-Invasive Security
Not Applicable. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Sensitive security parameter
| Name | Type | Description |
|---|
| Plaintext in SDRAM | Dynamic | System Memory |
Service
| Name | From | | | | Entry Type | |
|---|
| API Input | Application | Crypto | Plaintext | Manual | Electronic | N/A |
| Entropy Input | Entropy Source (Araneus Alea II) | Crypto | Plaintext | Manual | Electronic | N/A |
|---|
| | Module | | | | |
| | Software | | | | |
| Method | Description | Rationale | | | Operator Initiation |
|---|
| | | | | Capability |
| Procedural Zeroisation | 1. Uninstalling the Module 2. Overwriting the mass storage 3. Power Cycling the Host Computer | | In accordance with IG 9.7.B | Yes | |
| | | Resolution 2, successful | | |
| | | completion of the procedural | | |
| | | zeroisation itself serves as the | | |
| | | implicit indicator that | | |
| | | zeroisation is complete | | |
9.0 Sensitive Security Parameters Management
9.1. Storage Areas Table 14: Storage Areas 9.2. SSP Input/Output Methods Table 15: SSP Input-Output Methods N/A API Output N/A N/A The module does not support manual SSP entry or intermediate key generation output. 9.3. SSP Zeroization Methods As per SP IG 9.3 Resolution 2, Fortinet follows SSP procedural zeroization which is achieved through the following steps: Table 16: SSP Zeroisation Methods 1. 2. 3. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Sensitive security parameter
| Name | Type | Description | Strength | Generation | Establishment | Strength | | 128 – 256 bits | Asymmetric Public Key | Internal as per SP 800-56 Arev3 | N/A |
|---|
| AES Keys | Symmetric | Symmetric Key used to | 128, 192, 256 bits | Internal as per SP | | 128, 192, 256 bits | N/A | | | | |
| Encrypt and Decrypt | Key | Encrypt and Decrypt | | 800-133rev2 | | | | | | | |
| Data | Cryptography | Data | | Section 6.1 | | | | | | | |
| HMAC Keys | | | 160, 256, | | Keyed Hash | | | >= 112 bits | Message Authentication | External | N/A |
| RSA Public Key | | | 2048, 3072 bits | | Asymmetric Key used | | | 112 – 128 bits | Public Key Cryptography | Internal as per FIPS 186-4 | N/A |
| Software Integrity Key | | | 3072 bits | | Key used to ensure the | | | 128 bits | Authentication | N/A | Pre-Loaded |
Approved algorithm
| Name | Key Size | | | | | |
|---|
| Internal as per SP 800-90Arev1 | 256 bits | DRBG Output | Random Numbers used | 256 bits | DRBG | N/A |
| Internal as per SP | 256 bits | DRBG ‘Key’ | Internal State Value for | 256 bits | DRBG | N/A |
| 800-90Arev1 | | Value | the DRBG | | | |
Sensitive security parameter
| Name | Type | Description | Strength | Generation | Establishment | Strength | | 128 – 256 bits | Asymmetric Public Key | Internal as per SP 800-56 Arev3 | N/A |
|---|
| AES Keys | Symmetric | Symmetric Key used to | 128, 192, 256 bits | Internal as per SP | | 128, 192, 256 bits | N/A | | | | |
| Encrypt and Decrypt | Key | Encrypt and Decrypt | | 800-133rev2 | | | | | | | |
| Data | Cryptography | Data | | Section 6.1 | | | | | | | |
| HMAC Keys | | | 160, 256, | | Keyed Hash | | | >= 112 bits | Message Authentication | External | N/A |
| RSA Public Key | | | 2048, 3072 bits | | Asymmetric Key used | | | 112 – 128 bits | Public Key Cryptography | Internal as per FIPS 186-4 | N/A |
| Software Integrity Key | | | 3072 bits | | Key used to ensure the | | | 128 bits | Authentication | N/A | Pre-Loaded |
9.4. SSPs Table 17: SSPs (Part 1) N/A DH Private N/A N/A DH Shared Secret Keys Shared Secret Computation N/A N/A DRBG Seed Seeding Material for N/A N/A Values N/A N/A ECDH Private Private Key N/A N/A ECDH Shared Secret Keys Shared Secret Computation N/A N/A Private Key Generation Private Key N/A N/A PBKDF2 Derived Keys Derivation Derived via SP N/A N/A RSA Private Private Key N/A N/A FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Sensitive security parameter
| Name | Storage | Zeroization | Use | Input | | Category |
|---|
| N/A | Plaintext in SDRAM | Procedural Zeroization (See Section 9.3) | AES for Symmetric | API Input API Output | API Call Lifetime | CSP |
Sensitive security parameter
| Name | Storage | Zeroization | Use | Input | | Category |
|---|
| N/A | Plaintext in SDRAM | Procedural Zeroization (See Section 9.3) | AES for Symmetric | API Input API Output | API Call Lifetime | CSP |
Approved algorithm
| Name | Use Function | | | | | |
|---|
| ECDH Private | ECC-SSC | API Input API Output | Plaintext in SDRAM | API Call Lifetime | Procedural | PSP |
| Keys: Paired With | ECDSA for Key Verification | | | | Zeroization (See Section | |
| FFC-SSC | API Input API Output | Plaintext in SDRAM | API Call Lifetime | Procedural | PSP | DH Private |
|---|
| Safe Prime Key Generation | | | | Zeroization (See Section | | Keys: Paired With |
| DRBG | Entropy Input | Plaintext in SDRAM | API Call Lifetime | Procedural | CSP | N/A |
|---|
| | | | Zeroization | | |
| | | | (See Section | | |
| | | | 9.3) | | |
| N/A | Entropy Input | Plaintext in SDRAM | API Call Lifetime | Procedural | CSP | N/A |
|---|
| | | | Zeroization | | |
| | | | (See Section | | |
| | | | 9.3) | | |
| DRBG | N/A | Plaintext in SDRAM | API Call Lifetime | Procedural | CSP | N/A |
|---|
| | | | Zeroization | | |
| | | | (See Section | | |
| | | | 9.3) | | |
User Password Input to PBKDF2 for Key Derivation
8 – 105
8 – 105
characters Derivation N/A N/A Table 18: SSPs (Part 2) 9.3) N/A 9.3) DH Public 9.3) DH Public Keys: Derived From 9.3) 9.3) N/A N/A 9.3) Input: Derived From N/A 9.3) N/A N/A 9.3) N/A N/A 9.3) N/A 9.3) ECDH Public 9.3) Keys: Derived From FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Sensitive security parameter
| Name | Storage | Zeroization | Use | Input | Storage | Category |
|---|
| ECDSA Private Key: Paired With | API Call Lifetime | Procedural | ECDSA for Signature Verification | API Input API Output | Plaintext in SDRAM | PSP |
| N/A | API Call Lifetime | Procedural Zeroization (See Section 9.3) | HMAC for Keyed | API Input API Output | Plaintext in SDRAM | CSP |
| RSA Private Key: Paired With | API Call Lifetime | Procedural | RSA for Signature Verification | API Input API Output | Plaintext in SDRAM | PSP |
| N/A | API Call Lifetime | API Call | RSA and SHA for | N/A | Plaintext | Non-SSP |
| Integrity Test | | Lifetime | Integrity Test | | in SDRAM | |
ECC-SSC Generation Generation Generation 9.3) 9.3) 9.3) ECDSA Public 9.3) N/A 9.3) User Password: Derived From 9.3) RSA Public N/A PBKDF2 Derived Keys: Derived By ECDH Public Keys: Derived From ECDH Private Keys: Derived From PBKDF Generation Generation N/A PBKDF FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Self test
| Name | Algorithm Or Test | Test Type | Details | Implementation | | | |
|---|
| HMAC-SHA2-256 | HMAC-SHA2-256 | Critical Functions Test | Verify | Fccryptd.exe (Cert. #A3419) | Configuration Integrity Test | KAT | Pass |
Approved algorithm
| Name | Use Function | | | | | |
|---|
| SHA2-256 and RSA SigVer (FIPS 186-4) | Sign and Verify | Fccryptd.exe (Cert. #A3419) | RSA | KAT | Software Integrity Test | Pass |
| PKCS1.5 | | | PKCS1.5 | | | Indicator |
| 3072 and | | | 3072 and | | | Error |
| SHA2-256 | | | SHA2-256 | | | Indicator |
10.0 Self-Tests
10.1. Pre-Operational Self-Tests The cryptographic module’s pre-operational self-tests provide the operator with assurance that no faults have been introduced that could hinder correct operation, as outlined in ISO/IEC 19790:2012, section 7.10.1. Upon successfully passing the self-test, the module logs a pass indicator message in cryptdlog.txt. Refer to section 10.6 for more information. The module performs the startup configuration integrity test by performing the following steps: Upon first startup, fccryptd.exe calculates an HMAC using SHA2-256 for the configuration settings stored in the registry. The calculated HMAC value is then stored in the registry. When authorized configuration changes are made, fccryptd.exe recalculates and stores the new HMAC value. On subsequent startups, fccryptd.exe verifies the integrity by recalculating the HMAC and comparing it with the stored HMAC value. If the stored and recalculated HMAC values don't match, the configuration integrity test fails. The configuration integrity test can be run on demand using fccrypt fips kat configuration at the command line. The following is an example of a successful self-test: In the event that any of the self-tests fail, FortiClient logs an error indicator message for the specific test(s) in cryptdlog.txt. Refer to section 10.4 for examples and more information. Table 19: Pre-Operational Self-Tests FortIPS.sys (Cert. #A4688) FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Self test
| Name | Algorithm Or Test | Test Method | Test Type | Details | Implementation | Test Properties | | Condition |
|---|
| AES-CBC | AES-CBC | KAT | CAST | Encrypt | Fccryptd.exe (Cert. #A3419) | Key Size: 128 | Pass | Boot Up |
Approved algorithm
| Name | Key Size | Use Function | | | | | |
|---|
| AES-CBC | Key Size: 128 | Encrypt | FortIPS.sys (Cert. #A4688) | KAT | CAST | Pass | Boot Up |
| AES-ECB | Key Size: 128 | Encrypt | Fccryptd.exe (Cert. #A3419) | KAT | CAST | Pass | Boot Up |
| Counter DRBG | AES-CBC (256 bit) | Instantiate, Generate, and Reseed | Fccryptd.exe (Cert. #A3419) | Health Tests | CAST | Pass | Boot Up |
10.2. Conditional Self-Tests Cryptographic Algorithm Self Tests (CASTs): The module performs self-tests on approved algorithms, as required by FIPS 140-3 Implementation Guidance (IG) section 10.3.A. If any self-test fails, FortiClient logs the specific test(s) in cryptdlog.txt (refer to Section 10.6 for more information). The module also performs Critical Functions Test (CFT), Continuous Pair-wise Consistency Test (CPCT), as outlined in FIPS 140-3 IG section 10.3.A. Table 20: Conditional Self-Tests ECDH Key Decrypt Decrypt Decrypt Prediction Resistance: No Derivation Function: Yes SP 80056Arev3) ECC Full of a ECDH FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Self test
| Name | Algorithm Or Test | Test Method | Test Type | Details | Implementation | Test Properties | | |
|---|
| ECDSA KeyGen (FIPS186-4) | ECDSA KeyGen (FIPS186-4) | PCT | PCT | Key Pair Generation | Fccryptd.exe (Cert. #A3419) | P-256 | Pass | Prior to the |
| Error | | | | | | | Error | Operational |
Approved algorithm
| Name | Use Function | | | | | | |
|---|
| ECDSA SigVer (FIPS186-4) | Verify | Fccryptd.exe (Cert. #A3419) | P-256 | KAT | CAST | Pass | Boot Up |
| HMAC-SHA2- 384 | Verify | Fccryptd.exe (Cert. #A3419) | HMAC-SHA2- 384 | KAT | CAST | Pass | Boot Up |
| HMAC-SHA3- 256 | Verify | Fccryptd.exe (Cert. #A3419) | HMAC-SHA3- 256 | KAT | CAST | Pass | Boot Up |
| HMAC-SHA3- 512 | Verify | Fccryptd.exe (Cert. #A3419) | HMAC-SHA3- 512 | KAT | CAST | Pass | Boot Up |
| HMAC-SHA2- 384 | Verify | Fortips.sys (Cert. #A4688) | HMAC-SHA2- 384 | KAT | CAST | Pass | Boot Up |
| KAS-ECC- SSC5 | Verify | Fccryptd.exe (Cert. #A3419) | P-256 | KAT | CAST | Pass | Boot Up |
| Error | of shared | | | | | Error | |
SigGen HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA3512 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 KAS-ECCSSC5 Sign FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Approved algorithm
| Name | Use Function | | | | | | |
|---|
| HMAC-SHA-1 | Key Derivation | PBKDF2 | Fccryptd.exe (Cert. #A3419) | KAT | CAST | Pass | Boot Up |
| 2048 bit | Sign | RSA SigGen (FIPS186-4) | Fccryptd.exe (Cert. #A3419) | KAT | CAST | Pass | Boot Up |
| SHA2-256 | Hashing | SHA2-256 | Fccryptd.exe (Cert. #A3419) | KAT | CAST | Pass | Boot Up |
| SHA2-512 | Hashing | SHA2-512 | Fccryptd.exe (Cert. #A3419) | KAT | CAST | Pass | Boot Up |
| SHA2-384 | Hashing | SHA3-3846 | Fccryptd.exe (Cert. #A3419) | KAT | CAST | Pass | Boot Up |
| SHA2-256 | Implemented Exclusively for Self-Tests | TLS KDF | N/A | KAT | CAST | Pass | Boot Up |
KAS-FFCSSC RSA KeyGen RSA SigVer SHA3-2566 SHA3-5126 N/A MODP-2048 PCT PCT Verify computation of shared secret Z in dhEphem Key Pair Generation Prior to the First Operational Use. Verify Note: SHA3-256, SHA3-386, HMAC SHA3-256 and HMAC SHA3-384 are CAVP tested, but not used by any service within the module. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Service
| Name | Description | Role Access | Indicator | |
|---|
| Critical Error State | FortiClient Logs the Specific Test or Tests that failed in cryptdlog.txt | Boot Up, Manual | Check Logs | Power-Cycle |
| Algorithm | Implementation | Test Properties | Test Method | Type | Indicator | Details | Condition |
|---|
| Period | Periodic Method | |
|---|
| On-Demand | | Pre-Operational Self-Tests: |
| | • Programmatically |
| | Conditional Cryptographic Self-Tests: |
| | • Programmatically |
| | • Manually |
| | Pair-Wise Consistency Test: |
| | • Programmatically |
IKEv2 N/A SHA2-256 KAT CAST Pass Implemented Exclusively for Table 21: Periodic Information
- 10.4. Error States Table 22: Error States 10.5. Operator Initiation Self-Test The startup self-tests can also be initiated on demand from the Windows command prompt using the following commands:
- FCCryptd.exe fips kat all (to initiate all self-tests)
- FCCryptd.exe fips kat <test> (to initiate a specific self-test)
- FCCryptd.exe fips <test> (to list available tests)
- FCCryptd.exe fips kat pbkdf FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
10.6. Additional Information The results of the self-tests are logged to a file. For a default installation of FortiClient on the C: drive, you can view the Cryptdlog.txt file in: C:\Program Files\Fortinet\FortiClient\logs\fips. When the self-tests are run, each implementation of an algorithm is tested. For example, when the AES self-test is run, all AES implementations are tested. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
11.0 Life-Cycle Assurance
11.1. Startup Procedures The FortiClient FIPS 140-3 installer packages are created and deployed using Microsoft's Enterprise Mobility and Security (EMS) platform. Operating the module without following the guidance in Section 11 will result in non-compliant behavior and is outside the scope of this Security Policy. The basic steps in the deployment process are as follows:
- Download FortiClient from the Fortinet support site. 32bit and 64bit versions are available: ▪ FortiClientSetup_7.0.8.7048.zip (Vendor Affirmed) ▪ FortiClientSetup_7.0.8.7048_x64.zip
- Upload FortiClient to your EMS platform
- Create FortiClient installation packages with the desired features and select the ‘FIPS 140-3’ option’.
- Install the entropy token on the PC.
- Deploy FortiClient using your EMS platform or install FortiClient manually on the PC. It is important to note that the version number on the zip files includes the build number. Thus, to verify the installed version, open a Windows Command Prompt window as an administrator and run the following command: • fccryptd.exe fips version The command runs the software integrity test and displays the module version as shown in the following image. Figure 3: Approved Mode Indicator Launch the FortiClient application as you would launch any other Windows application. Failure to perform the steps outlined in this section will result in the module operating in a non-compliant state. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
11.2. Administrator Guidance FortiClient administrator guidance is publicly available from the Fortinet Technical Documentation site. The key administrator guidance documents are listed below: FortiClient Administration Guide EMS Administration Guide EMS QuickStart Guide 11.3. Non-Administrator Guidance None. Non-Administrator guidance is included in the FortiClient Administration Guide. 11.4. Maintenance Requirements None. 11.5. End of Life Not Applicable. 11.6. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
12.0 Mitigation of Other Attacks
Not Applicable. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the FortiClient Crypto Library FIPS 140-3 Security Policy most current version of the publication shall be applicable. Fortinet Technologies Inc.