LG Electronics Inc. G3 Administrator Guidance LG Electronics Inc.


LG Electronics Inc. G3

Administrator Guidance

Version 1.2

2015/02/17

LG Electronics Inc.

20 Yoido-dong, Youngdungpogu, Seoul 152-721, Korea

1. Document Introduction
1.1 Evaluated Devices
1.2 Acronyms
2. Evaluated Capabilities
3. Security Configuration
3.1 Common Criteria Mode
3.2 Common Criteria Related Settings
4. Secure Update Process
5. Cryptographic APIs
5.1 AES CBC
5.2 AES Key Wrap
5.3 ECDSA
5.4 HMAC
5.5 PBKDFv2
5.6 RSA
5.7 SHA
6. VPN Configuration
7. Wi-Fi Configuration
Appendix A Generating Secure Random Data
A.1 Android API for Generating Secure Random Data
Appendix B Key Usage, Import, Destruction
B.1 Key Usage
B.2 Key Import
B.3 Key Destruction
Appendix C Configuration of FIPS Validated Cryptographic Engines
C.1 Setting the FIPS Mode
C.2 Add Bouncy Castle FIPS Provider
C.3 SDK for FIPS Mode APIs
Appendix D Guidance for TLS Cipher Suites
D.1 Android APIs for TLS connection
D.2 How to set cipher suites using Android API


1. Document Introduction

This guide includes procedures for configuring Common Criteria on LG G3 Smartphones.

1.1 Evaluated Devices

The evaluated device is the LG G3 Smartphone. The following carrier models are supported:

LG G3 D850 (AT&T)

LG G3 VS985 (Verizon)

LG G3 LS990 (Sprint)

LG G3 D851 (T-Mobile)

The software identification for the evaluated devices is as follows:

Security software version, MDF v1.1 Release 3

1.2 Acronyms

• BYOD : Bring Your Own Device

• CA : Certificate Authority

• CAVP : Cryptographic Algorithm Validation Program

• CBC : Cipher Block Chaining

• CCM : Counter with CBC-Message Authentication Code

• CC Mode : Common Criteria Mode

• CCTL : Common Criteria Testing Laboratory

• CDH : Computational Diffie–Hellman

• CRC : Cyclic Redundancy Check

• CTR : Counter

• CVL : Component Validation List

• DEK : Data Encryption Key

• DPM : Device Policy Manager

- Android's native APIs for device management. Please see the link below.

- http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html

• DRBG : Deterministic Random Bit Generator

• ECDSA : Elliptic Curve Digital Signature Algorithm

• EAP-TLS : Extensible Authentication Protocol - Transport Layer Security

• ECC : Elliptic Curve Cryptography

• eMMC : embedded Multi Media Card

• FIPS : Federal Information Processing Standards

• FS Signature : File System Signature

• FW Signature : Firmware Signature


• GCM : Galois Counter Mode

• GPS : Global Positioning System

• HMAC : Keyed-Hash Message Authentication Code

• HW : Hardware

• ISV : Independent Software Vendor

• KEK : Key Encryption Key

• KW : Key Wrap

• LG FOTA : LG Firmware Over The Air

• LG MDM : LG Mobile Device Management

- LG's mobile device management solution. It extends DPM in the Android framework.

• NFC : Near Field Communication

• OS : Operating System

• PBKDF2 : Password-Based Key Derivation Function 2

• PIN : Personal Identification Number

• PKG : Public Key Generation

• PKV : Public Key Validation

• RSA : Rivest Shamir Adleman

• SD Card : Secure Digital Card

• SIG : Signature

• SHA : Secure Hash Algorithm

• SHS : Secure Hash Standard

• SMS : Short Messaging Service

• SP : Special Publications

• SSID : Service Set Identifier

• TEE : Trusted Execution Environment

• USB : Universal Serial Bus

• VPN : Virtual Private Network

• WEP : Wired Equivalent Privacy

• Wi-Fi : Wireless Fidelity

• WLAN : Wireless Local-Area Network

• WPA : Wi-Fi Protected Access


2. Evaluated Capabilities

The Common Criteria configuration adds support for many security capabilities. Some of those capabilities include the following:

1. Cryptographic Key Management

LG provides a Key Management feature to protect the keys and key material used for Full Disk Encryption, SD Card encryption and the Android KeyStore.

A. Random Number Generation

This feature provides all deterministic random bit generation services in accordance with NIST 800-90a, using CTR_DRBG (AES) to generate keys that provide more than 128 bits of entropy.

B. Key management

It manages the major types of keys: DEKs and KEKs. DEKs are used to protect data. KEKs are used to protect other keys: DEKs, other KEKs and other types of keys and key material.

C. Key storage

It stores the cryptographic keys, encrypted by a hardware-protected key, in a special user partition. The special user partition is wiped when a Factory data reset is performed.

2. FIPS 140-2 Validated Cryptographic Modules

LG provides 3 cryptographic modules with FIPS 140-2 validated algorithms, as follows.

A. OpenSSL

This module requires an initialization sequence in which the calling application enables FIPS mode. The application can test whether FIPS mode has been enabled successfully, and can use the evaluated cryptographic APIs in FIPS mode.

B. BouncyCastle

The application needs to set the provider to "BCFIPS", which is the FIPS 140-2 validated BouncyCastle-based cryptographic module. It is available through the Java Security API. http://developer.android.com/reference/javax/crypto/Cipher.html

C. Linux Kernel Crypto library

In CC mode, this module automatically enters FIPS mode, so it always runs in FIPS mode while CC mode is active.

3. Data protection

LG Data Encryption protects user data stored in the device's internal storage and on the external SD card from unauthorized use. The capability can be configured through application settings or by IT administrators using MDM capabilities.

All user data is encrypted with the 256-bit AES (Advanced Encryption Standard) algorithm and stored in the user data partition. The encryption key is protected by a KEK that is generated by combining a KEK derived from the user PIN or password using PBKDF2 with a randomly generated KEK that is protected by hardware.

• Full Disk encryption

• SD Card encryption

• KeyStore data protection

4. Certificate Validation

LG provides a certificate validation feature for all certificates to protect your secure connections from spoofing and invalid certificates. This capability is configured automatically when CC Mode is enabled.

• More robust validation of certificates

5. MDM Capability

Although generic Android OS has supported mobile device management (MDM) capability since Android 2.2, enterprises need substantial control and management over mobile devices where corporate data is being used.

Even the newest native Android OS does not provide as much management capability as IT managers would want under the varied circumstances of organizations and environments. For example, there is no way to restrict the use of GPS or Bluetooth through the native MDM APIs of generic Android.

To close such gaps, LG Android devices come pre-loaded with extended MDM capability on top of the native Android OS, giving IT administrators the enhanced ability to configure various device and application settings, control hardware components, and manage applications at much more granular levels.

LG Android devices not only extend MDM capability but also add a rich set of mobile application management features, designed with enterprise mobility management in mind, to meet the requirement for a granular and high level of manageability and security in LG Android devices.

Figure 1 describes the LG MDM architecture. Independent software vendors (ISVs) can not only use the generic MDM APIs provided by Android but can also leverage the rich set of extended MDM capabilities on LG Android devices according to their needs and requirements.

• Encryption Policy

• Password Management

• Lock-screen Policy

• Certificate Management

• Radio Control

• Wi-Fi Settings

• Hardware Control

• Application Control

< LG MDM Architecture >

6. Firmware Update Protection

In CC mode, unsecured firmware update methods are restricted; only the secure update, which is verified with the RSA (2048-bit) algorithm and SHA-256 as the hash, is allowed. For details of secure updates, see Section 4, Secure Update Process.

• Restriction of firmware update other than FOTA (CC mode only)


3. Security Configuration

The LG G3 Smartphone offers a rich built-in interface and an MDM callable interface for security configuration. This section identifies the security parameters for configuring your device in Common Criteria mode, for managing its security settings and for controlling preinstalled and 3rd party applications. Please contact [email protected] for information about the testing app, the guide and the list of natively installed applications.

3.1 Common Criteria Mode

To configure your device into Common Criteria Mode, you must set the following options:

1. Enable the password on the lock-screen

→ Please refer to No. 5, 6, 7 in 3.2 Common Criteria Related Settings

2. Disable the ‘show password’

→ Please refer to No. 9, 10 in 3.2 Common Criteria Related Settings

3. Disallow the ‘Download Mode’

→ Please refer to No. 44 in 3.2 Common Criteria Related Settings

4. Enable device encryption

→ Please refer to No. 2 in 3.2 Common Criteria Related Settings

5. Enable SD card encryption

→ Please refer to No. 3 in 3.2 Common Criteria Related Settings

6. Disable the ‘Smart Lock’

→ Please refer to No. 14 in 3.2 Common Criteria Related Settings

7. Disallow VPN split-tunneling

→ Please refer to No. 45 in 3.2 Common Criteria Related Settings

8. Set CC mode

→ Please refer to No. 1 in 3.2 Common Criteria Related Settings

3.2 Common Criteria Related Settings

The Common Criteria evaluation requires a range of security settings be available. Those security settings are identified in the table below.

Security Feature: CC Mode

No. 1 Common Criteria Mode
  Description: Enable CC mode
  Required Value: Enable
  API: [LGMDM] void setCommonCriteriaMode(ComponentName who, int mode)
      mode = LGMDMManager.COMMONCRITERIA_ENABLED
  User Interface: N/A

Security Feature: Encryption

No. 2 Device Encryption
  Description: Encrypts all internal storage
  Required Value: Enable
  API: [LGMDM] void setEncryptionPolicy(ComponentName who, int policy)
      policy = 1
  User Interface: Encrypt all data on your phone.
      Settings > Security > Encrypt phone

No. 3 SD Card Encryption
  Description: Encrypts all SD card storage
  Required Value: Enable
  API: [LGMDM] void setEncryptionPolicy(ComponentName who, int policy)
      policy = 2
  User Interface: Encrypt all data on the SD card storage.
      Settings > Security > Encrypt SD card storage

No. 4 Wipe Device
  Description: Removes all data from device
  Required Value: Enable
  API: [LGMDM] void wipeData(int flags)
      flags = 0 (Devices), 1 (Devices+Storage)
  User Interface: Reset your settings to the factory default values and delete all your data.
      Settings > Backup & reset > Factory data reset

Security Feature: Password Management

No. 5 Password Length
  Description: Minimum number of characters in a password
  Required Value: Greater than 6
  API: [DevicePolicyManager] void setPasswordMinimumLength(ComponentName admin, int length)
      length = greater than 6
  User Interface: Set a screen lock type to secure your phone.
      Display > Lock screen > Select screen lock > Password

No. 6 Password Complexity
  Description: Specify the type of characters required in a password
  API: [DevicePolicyManager] void setPasswordQuality(ComponentName admin, int quality)
      quality = DevicePolicyManager.PASSWORD_QUALITY_COMPLEX (393216)
      &
      =================
      void setPasswordMinimumLetters(ComponentName admin, int length)
      length = Insert the number you want
      or
      void setPasswordMinimumNumeric(ComponentName admin, int length)
      length = Insert the number you want
      or
      void setPasswordMinimumLowerCase(ComponentName admin, int length)
      length = Insert the number you want
      or
      void setPasswordMinimumUpperCase(ComponentName admin, int length)
      length = Insert the number you want
      or
      void setPasswordMinimumSymbols(ComponentName admin, int length)
      length = Insert the number you want
      or
      void setPasswordMinimumNonLetter(ComponentName admin, int length)
      length = Insert the number you want
      =================
  User Interface: Set a screen lock type to secure your phone.
      Display > Lock screen > Select screen lock > Password

No. 7 Password Expiration
  Description: Maximum length of time before a password must change
  API: [DevicePolicyManager] void setPasswordExpirationTimeout(ComponentName admin, long timeout)
      timeout = millisecond unit (ex. 1 Day = 24*60*60*1000)
  User Interface: N/A

No. 8 Maximum password failed attempt
  Description: Maximum number of authentication failures
  Required Value: 10 or less
  API: [DevicePolicyManager] setMaximumFailedPasswordsForWipe(ComponentName admin, int num)
      num = insert the number you want
  User Interface: N/A

No. 9 Password Visible
  Description: The last character of the password is visible for a few seconds if enabled
  Required Value: Disabled
  API: [LGMDM] void setAllowPasswordTypingVisible(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Show the last character of the hidden password as you type.
      Settings > Security > Password typing visible

No. 10 Show password
  Description: Disallow show password option on the configuration screen of lock-screen password
  Required Value: Disabled
  API: [LGMDM] void setAllowPasswordVisible(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: N/A

Security Feature: Lockscreen

No. 11 Inactivity to lockout
  Description: Time before lock-screen is engaged
  Required Value: Less than 15 minutes
  API: [DevicePolicyManager] void setMaximumTimeToLock(ComponentName admin, long timeMs)
      timeMs : millisecond unit
  User Interface: Sets the amount of time before the screen times out.
      Settings > Display > Screen timeout
      Sets the amount of time before the screen automatically locks after the screen has timed-out.
      Settings > Display > Lock timer

No. 12 Banner
  Description: Banner message displayed on the lockscreen
  Required Value: Administrator defined text
  API: [LGMDM] void setWarningMsg(ComponentName who, boolean allow, String str)
      allow = true
      str = Insert the text you want
  User Interface: N/A

No. 13 Remote Lock
  Description: Locks the device remotely
  Required Value: Enable
  API: [LGMDM] void lockNow()
  User Interface: N/A

No. 14 Smart lock
  Description: Control smart lock
  Required Value: KEYGUARD_DISABLE_FEATURES_NONE/KEYGUARD_DISABLE_TRUST_AGENTS
  API: [DevicePolicyManager] void setKeyguardDisabledFeatures(ComponentName admin, int which)
      which = KEYGUARD_DISABLE_TRUST_AGENTS : disabled
      which = KEYGUARD_DISABLE_FEATURES_NONE : enabled
  User Interface: N/A

Security Feature: Certificate Management

No. 15 Import CA Certificates
  Description: Import CA Certificates into the Trust Anchor Database or the credential storage
  API: [LGMDM] int installCertificate(ComponentName who, String path, String password)
      path : path of file location
      password : PKCS12 password
  User Interface: Install certificates from storage
      Settings > Security > Credential storage > Install from storage

No. 16 Remove Certificates
  Description: Remove certificates from the Trust Anchor Database or the credential storage
  API: [LGMDM] Boolean uninstallCertificate(ComponentName who, String certificateId)
  User Interface: Deletes all secure certificates and related credentials and erases the secure storage’s own password. You’re prompted to confirm you want to clear this data.
      Settings > Security > Credential storage > Install from storage > Clear credentials

Security Feature: Radio Control

No. 17 Control Wi-Fi
  Description: Control access to Wi-Fi
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowWifi(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turns on Wi-Fi to connect to available Wi-Fi networks.
      Settings > Networks > Wi-Fi

No. 18 Control GPS
  Description: Control access to GPS
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowGPSLocation(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turn on location service, your phone determines your approximate location using GPS.
      Settings > General > Location > Mode > Device sensors only(GPS only)

No. 19 Control Cellular
  Description: Control access to Cellular
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowAirplaneModeOn(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turn off all wireless connections (Wi-Fi, Bluetooth and data) and calls.
      Settings > Networks > More > Wireless & networks > Airplane mode

No. 20 Control NFC
  Description: Control access to NFC
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowNfc(ComponentName who, int allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Allow sending and receiving data, such as transportation or credit card info, by holding phone and other device together.
      Settings > Networks > Share & connect > NFC

No. 21 Control Bluetooth
  Description: Control access to Bluetooth
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowBluetooth(ComponentName who, int allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turn the Bluetooth wireless feature on or off to use Bluetooth
      Settings > Networks > Bluetooth

No. 22 Control Location Service
  Description: Control access to Location Service
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowGPSLocation(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
      public void setAllowWirelessLocation(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turn on location service, your phone determines your approximate location using GPS, Wi-Fi and mobile networks
      Settings > General > Location > Mode > High accuracy(GPS and networks)

No. 23 Control SMS
  Description: Control Messaging capabilities
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowSendingSms(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
      void setAllowReceivingSmsMms(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: N/A

No. 24 Control VPN
  Description: Control access to VPN
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowVpn(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Displays the list of Virtual Private Networks (VPNs) that you've previously configured. Allows you to add different types of VPNs.
      Settings > Networks > More > Wireless & networks > VPN

Security Feature: Wi-Fi Settings

No. 25 Specify Wi-Fi SSIDs
  Description: Specify SSID values for connecting to Wi-Fi. Can also create white and black lists for SSIDs.
  Required Value: listType = 2
  API: [LGMDM] void setAllowWiFiSSIDList(ComponentName who, int listType, List<String> wblist)
      listType = 1 : Black list
      listType = 2 : White list
      wblist = list of WiFi SSID
  User Interface: Settings > Networks > Wi-Fi

No. 26 Set WLAN CA Certificate
  Description: Select the CA Certificate for the Wi-Fi connection
  Required Value: CA Certificate
  API: [LGMDM] int installCertificateSelectUsetype(ComponentName who, String path, String password, int useType)
      useType = 2
  User Interface: Settings > Security > Credential storage > Install from storage

No. 27 Specify security type
  Description: Specify the connection security (WEP, WPA2, etc)
  Required Value: Wi-Fi connection type
  API: [LGMDM] void setWiFiSecurityLevel(ComponentName who, int policy)
      policy = 0~3
      NONE : 0
      WEP : 1
      WPA : 2
      EAP : 3
  User Interface: Turns on Wi-Fi to connect to available Wi-Fi networks.
      Settings > Networks > Wi-Fi

No. 28 Select authentication protocol
  Description: Specify the EAP-TLS connection values
  Required Value: Wi-Fi protocol
  API: [LGMDM] void setEap(String eap);
      eap = “TLS”, “FAST”, “PEAP”, “TTLS”
      Ex)
      LGMDMWifiConfiguration newConfig = new LGMDMWifiConfiguration();
      newConfig.SSID = oldSSID;
      newConfig.hiddenSSID = false;
      newConfig.priority = oldPriority;
      newConfig.allowedKeyManagement.set(LGMDMWifiConfiguration.KeyMgmt.WPA_EAP);
      newConfig.allowedKeyManagement.set(LGMDMWifiConfiguration.KeyMgmt.IEEE8021X);
      newConfig.setEap("TLS");
      newConfig.setPhase2("None");
      newConfig.setIdentity("wifiuser");
      newConfig.setCaCert("pmk");
      newConfig.setClientCert("pmk");
      newConfig.setEngine(LGMDMWifiConfiguration.ENGINE_ENABLE);
      newConfig.setEngineId(LGMDMWifiConfiguration.KEYSTORE_ENGINE_ID);
      newConfig.setKeyId("pmk");
      LGMDMManager.getInstance().addWifiNetwork(newConfig);
  User Interface: Turns on Wi-Fi to connect to available Wi-Fi networks.
      Settings > Networks > Wi-Fi

No. 29 Select client credentials
  Description: Specify the client credentials to access a specified WLAN
  Required Value: Wi-Fi credentials
  API: [LGMDM] List<String> enumCertificateIdSelectUsetype(ComponentName who, int useType)
      useType = 2
  User Interface: Settings > Networks > Wi-Fi

Security Feature: Hardware Control

No. 30 Control Microphone
  Description: Control access to microphones
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowMicrophone(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: N/A

No. 31 Control Camera
  Description: Control access to camera
  Required Value: Enable/Disable
  API: [LGMDM] void setCameraDisabled(ComponentName admin, boolean disabled)
      disabled = true : disabled
      disabled = false : allow
  User Interface: N/A

No. 32 Control USB Mass Storage
  Description: Control access to mounting the device for storage over USB.
  Required Value: Enable/Disable
  API: [LGMDM] public void setAllowUsb(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: N/A

No. 33 Control USB Debugging
  Description: Control access to USB debugging.
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowUSBDebugging(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turn on debug mode when USB is connected
      Settings > General > Developer options > USB debugging

No. 34 Control SD Card
  Description: Control access to SD card storage.
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowExternalMemorySlot(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Settings > General > Storage > SD CARD

No. 35 Control USB Tethered Connections
  Description: Control access to USB tethered connections.
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowUSBTethering(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Connect the USB cable to share the internet connection with the computer.
      Settings > Networks > More > Wireless & networks > USB tethering

No. 36 Control Bluetooth Tethered Connections
  Description: Control access to Bluetooth tethered connections.
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowBluetoothTethering(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Turn on Bluetooth tethering and connect other devices to phone via Bluetooth
      Settings > Networks > More > Wireless & networks > Bluetooth tethering

No. 37 Control Hotspot Connections
  Description: Control access to Wi-Fi hotspot connections
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowHotspot(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Allows you to use your device as a Wi-Fi hotspot for other devices to use your mobile network connection.
      Set up Wi-Fi hotspot: Sets the SSID and password for your Wi-Fi hotspot.
      Timeout: Allows you to set the time after which Wi-Fi hotspot automatically turns off.
      Settings > Networks > More > Wireless & networks > Mobile Hotspot

Security Feature: Application Control

No. 38 Automatic Time
  Description: Allows the device to get time from the Wi-Fi connection
  Required Value: Enable/Disable
  API: [LGMDM] void setAllowChangeDateAndTime(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: Use Date & time settings to set how dates will be displayed. You can also use these settings to set your own time and time zone rather than obtaining the current time from the mobile network.
      Settings > General > Date & Time

No. 39 Install Application
  Description: Installs specified application
  API: [LGMDM] void installApplication(ComponentName who, String path)
      path : apk file path to the installation.
  User Interface: N/A

No. 40 Uninstall Application
  Description: Uninstalls specified application
  API: [LGMDM] public void uninstallApplication(ComponentName who, String packageName)
      packageName : package name to be deleted.
  User Interface: Settings > General > Application manager > menu > Uninstall apps

No. 41 Application Whitelist
  Description: Specifies a list of applications that may be installed
  API: [LGMDM]
      <install>
      public void setAllowInstallApplication(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
      &
      void setApplicationState(ComponentName who, List<LGMDMApplicationState> applicationStateList)
      applicationStateList: Insert the list you want
      ex)
      ArrayList<LGMDMApplicationState> mSelectedAppStateList;
      LGMDMApplicationState item = new LGMDMApplicationState();
      item.setPackageName(editText.getText().toString());
      item.setAllowInstallation(1);
      item.setAllowUninstallation(0~2);
      item.setEnable(0~2);
      mSelectedAppStateList.add(item);
      <uninstall>
      public void setAllowUninstallApplication(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
      &
      void setApplicationState(ComponentName who, List<LGMDMApplicationState> applicationStateList)
      applicationStateList: Insert the list you want
      ex)
      ArrayList<LGMDMApplicationState> mSelectedAppStateList;
      LGMDMApplicationState item = new LGMDMApplicationState();
      item.setPackageName(editText.getText().toString());
      item.setAllowInstallation(0~2);
      item.setAllowUninstallation(1);
      item.setEnable(0~2);
      mSelectedAppStateList.add(item);
  User Interface: Settings > General > Application manager

No. 42 Application Blacklist
  Description: Specifies a list of applications that may not be installed
  API: [LGMDM]
      <install>
      void setApplicationState(ComponentName who, List<LGMDMApplicationState> applicationStateList)
      applicationStateList: Insert the list you want
      ex)
      ArrayList<LGMDMApplicationState> mSelectedAppStateList;
      LGMDMApplicationState item = new LGMDMApplicationState();
      item.setPackageName(editText.getText().toString());
      item.setAllowInstallation(2);
      item.setAllowUninstallation(0~2);
      item.setEnable(0~2);
      mSelectedAppStateList.add(item);
      <uninstall>
      void setApplicationState(ComponentName who, List<LGMDMApplicationState> applicationStateList)
      applicationStateList: Insert the list you want
      ex)
      ArrayList<LGMDMApplicationState> mSelectedAppStateList;
      LGMDMApplicationState item = new LGMDMApplicationState();
      item.setPackageName(editText.getText().toString());
      item.setAllowInstallation(0~2);
      item.setAllowUninstallation(2);
      item.setEnable(0~2);
      mSelectedAppStateList.add(item);
      <running>
      void setApplicationState(ComponentName who, List<LGMDMApplicationState> applicationStateList)
      applicationStateList: Insert the list you want
      ex)
      ArrayList<LGMDMApplicationState> mSelectedAppStateList;
      LGMDMApplicationState item = new LGMDMApplicationState();
      item.setPackageName(editText.getText().toString());
      item.setAllowInstallation(0~2);
      item.setAllowUninstallation(0~2);
      item.setEnable(2);
      mSelectedAppStateList.add(item);
  User Interface: Settings > General > Application manager

No. 43 Application Repository
  Description: Specifies the location from which applications may be installed
  API: void setAllowInstallation(int allowInstallation)
      allowInstallation : 0 (Default), 1 (Enabled), 2 (Disabled)
      &
      void installApplication(ComponentName who, String path)
      path : apk file path to the installation.
  User Interface: N/A

Security Feature: Download Mode

No. 44 Control Download Mode
  Description: Control access to Download Mode
  API: [LGMDM] int setAllowDownloadMode(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: N/A

Security Feature: VPN

No. 45 Control VPN split-tunneling
  Description: Control access to VPN split-tunneling
  Required Value: Disabled
  API: [LGMDM] void setAllowVPNSplitTunneling(ComponentName who, boolean allow)
      allow = true : enabled
      allow = false : disabled
  User Interface: N/A

[Password Policy Recommendation]

To configure a good, strong password, the following password policies are strongly recommended.

1. Password Length

To set a good password, the administrator has to set a password length. It is recommended that the password length be more than 8 characters.

→ Please refer to No. 5 in 3.2 Common Criteria Related Settings

2. Password Complexity and Quality

Password complexity should include more than 1 character, number and symbol. The administrator can enforce a minimum number of numeric, upper-case, lower-case and symbol characters, and so on. The administrator can also choose one of the password qualities to increase the level of password strength: PASSWORD_QUALITY_UNSPECIFIED, PASSWORD_QUALITY_SOMETHING, PASSWORD_QUALITY_NUMERIC, PASSWORD_QUALITY_ALPHABETIC, PASSWORD_QUALITY_ALPHANUMERIC, or PASSWORD_QUALITY_COMPLEX.

→ Please refer to No. 6 in 3.2 Common Criteria Related Settings

3. Maximum password failed attempt

The administrator can set a maximum password failed attempt policy. The device is wiped immediately when the maximum count of unsuccessful authentications is reached. For example, when the maximum password failed attempt is 10, once half of the maximum count (5) is reached the device shows a warning dialog that displays the ‘Life is good’ message and requires user input to continue trying to authenticate; then, if the maximum count (10) is reached, the device is wiped.

→ Please refer to No. 8 in 3.2 Common Criteria Related Settings


4. Secure Update Process

This section describes how secure updates are delivered. LG FOTA supports the following verification items for a secure update once the delta package for FOTA has been placed on the device’s storage.

• Verification of the delta package itself

• Verification of whether the delta package is for the device’s image or not

The delta package itself is verified by checking its signature. A signature is made for every delta package of firmware images and files. The RSA (2048-bit) algorithm, with SHA256 as the hash, is used to make the signature for the package of each image.

Whether the delta package is for the device’s image is verified by checking the CRC (CRC-32) of every image. It checks that the calculated CRC value of every image, such as all firmware images and all files, is identical to the delivered CRC value of delta packages for

[Figure: FOTA update process for secure delta package]

Steps shown in the flowchart, in order:

1. Download delta package
2. Check Signature of whole pkg.
3. Write an update setting value to eMMC
4. Reset Device & reboot
5. Read an update setting value on eMMC
6. Update? / Magic code?
7. Check Signature of each FW pkg.
8. Check identification by CRC for each FW image
9. Check Signature of each File pkg.
10. Check identification by CRC for each File
11. Update Firmware images
12. Update Files
13. Reset & Normal booting

Failure outcomes shown in the flowchart (Stop FOTA Upgrade):

• Whole Signature mismatch error occurred & Device goes to Idle status
• FW Signature mismatch error occurred & Normal boot
• Validation Fail occurred (Mismatch between FW image & pkg.) & Normal boot
• FS Signature mismatch error occurred & Normal boot
• Validation Fail occurred (Mismatch between FW image & pkg.) & Normal boot
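The two checks described in this section, signature first and CRC identification second, as an added Java example (not LG's FOTA code). The package layout, class and method names are assumptions made for illustration, and the key pair and byte strings are constructed sample data.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.zip.CRC32;

public class DeltaPackageCheck {
    enum Result { OK, SIGNATURE_MISMATCH, VALIDATION_FAIL }

    static long crc32(byte[] data) {
        CRC32 crc = new CRC32();
        crc.update(data, 0, data.length);
        return crc.getValue();
    }
    // Hypothetical layout: 4-byte big-endian CRC-32 of the base image, then the delta.
    static byte[] buildPackage(byte[] baseImage, byte[] delta) {
        return ByteBuffer.allocate(4 + delta.length)
                .putInt((int) crc32(baseImage)).put(delta).array();
    }
    static Result check(PublicKey vendorKey, byte[] pkg, byte[] sig, byte[] installed)
            throws GeneralSecurityException {
        // 1. RSA / SHA-256 signature over the whole package.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(vendorKey);
        verifier.update(pkg);
        try {
            if (!verifier.verify(sig)) return Result.SIGNATURE_MISMATCH;
        } catch (SignatureException e) {
            return Result.SIGNATURE_MISMATCH; // malformed signature counts as a mismatch
        }
        if (pkg.length < 4) return Result.VALIDATION_FAIL;
        // 2. Only now trust the CRC carried in the package; compare it with the
        //    CRC-32 of the image actually installed on the device.
        long expected = ByteBuffer.wrap(pkg).getInt() & 0xFFFFFFFFL;
        return crc32(installed) == expected ? Result.OK : Result.VALIDATION_FAIL;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; a throwaway key pair stands in for the vendor key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] v1 = "constructed image v1".getBytes(StandardCharsets.UTF_8);
        byte[] v0 = "constructed image v0".getBytes(StandardCharsets.UTF_8);
        byte[] pkg = buildPackage(v1, "constructed delta".getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(pkg);
        byte[] sig = signer.sign();
        byte[] tampered = pkg.clone();
        tampered[pkg.length - 1] ^= 1;
        System.out.println("genuine package:  " + check(kp.getPublic(), pkg, sig, v1));
        System.out.println("modified package: " + check(kp.getPublic(), tampered, sig, v1));
        System.out.println("wrong base image: " + check(kp.getPublic(), pkg, sig, v0));
    }
}
```

CRC-32 only detects a mismatched base image; it gives no protection against deliberate modification, which is why the CRC is read only after the signature has verified.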


5. Cryptographic APIs

The following algorithms are evaluated by the CCTL (CC Testing Laboratory). You can access them through the Android cryptographic APIs. When using the BCFIPS cryptographic module, every program must manually call “CryptoServicesRegistrar.setApprovedOnlyMode(true);” in order to access the BCFIPS API.

5.1 AES CBC

Use the Cipher class to encrypt or decrypt a plaintext.

import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// get cipher instance with provided algorithm and provider
Cipher cipher = Cipher.getInstance(algorithm, provider);

// generate key and iv to be used when encrypting or decrypting
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
AlgorithmParameterSpec ivSpec = new IvParameterSpec(iv);

// initialize the cipher instance in encrypt mode
// (with NoPadding, the plaintext length must be a multiple of the 16-byte AES block size)
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, ivSpec);
byte[] encrypted = cipher.doFinal(plaintext);

// initialize the cipher instance in decrypt mode
cipher.init(Cipher.DECRYPT_MODE, skeySpec, ivSpec);
byte[] decrypted = cipher.doFinal(encrypted);

Supported algorithms and providers

“AES/CBC/NoPadding”, “AndroidOpenSSL”

“AES/CBC/NoPadding”, “BCFIPS”

5.2 AES Key Wrap

Use the Cipher class to encrypt (wrap) or decrypt (unwrap) a key.

import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Key encryption key (KEK)
SecretKeySpec wrapKey = new SecretKeySpec(K, "AES");

// Key to be encrypted
SecretKeySpec key = new SecretKeySpec(P, "AES");

// wrap the key with the KEK
Cipher cipher = Cipher.getInstance(algorithm, provider);
cipher.init(Cipher.WRAP_MODE, wrapKey);
byte[] wrappedKey = cipher.wrap(key);

// unwrap
cipher.init(Cipher.UNWRAP_MODE, wrapKey);
Key unwrappedKey = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

Supported algorithm and provider

“AESWRAP”, “BCFIPS”

Reference webpage : http://developer.android.com/reference/javax/crypto/Cipher.html

http://developer.android.com/reference/javax/crypto/spec/SecretKeySpec.html


5.3 ECDSA

Use the Signature class to sign hash data with an EC private key and verify it with the EC public key.

import java.security.*;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;

CryptoServicesRegistrar.setSecureRandom(new FipsDRBG.Builder(new SecureRandom(), true).build(FipsDRBG.SHA512_HMAC, null, false));
Provider provider = new BouncyCastleFipsProvider();
Security.addProvider(provider);

// hash the plaintext
MessageDigest md = MessageDigest.getInstance(hash_algorithm, provider);
md.update(plaintext);
byte[] hashdata = md.digest();

// BCFIPS names the key algorithm "ECDSA"; other providers use "EC"
KeyPairGenerator kpg;
ECGenParameterSpec kpgparams;
if (provider.getName().equals("BCFIPS")) {
    kpg = KeyPairGenerator.getInstance("ECDSA", provider);
    kpgparams = new ECGenParameterSpec(curve);
} else {
    kpg = KeyPairGenerator.getInstance("EC", provider);
    kpgparams = new ECGenParameterSpec(curve);
}
kpg.initialize(kpgparams, CryptoServicesRegistrar.getSecureRandom());
ECParameterSpec params = ((ECPublicKey) kpg.generateKeyPair().getPublic()).getParams();

// key spec generation
ECPublicKeySpec ec_public = ………;
ECPrivateKeySpec ec_private = ………;

// key generation
KeyFactory kf;
if (provider.getName().equals("BCFIPS")) {
    kf = KeyFactory.getInstance("ECDSA", provider);
} else {
    kf = KeyFactory.getInstance("EC", provider);
}
ECPrivateKey privkey = (ECPrivateKey) kf.generatePrivate(ec_private);
ECPublicKey pubkey = (ECPublicKey) kf.generatePublic(ec_public);

// sign the hashdata and generate signature
Signature signature = Signature.getInstance(algorithm, provider);
signature.initSign(privkey);
signature.update(hashdata);
byte[] signed = signature.sign();
// Signature differs every time because of internal random generator

// verify the signature with public key
signature.initVerify(pubkey);
signature.update(hashdata);
boolean verified = signature.verify(signed);

Supported hash algorithms

“SHA-256”

“SHA-384”

“SHA-512”

Supported algorithms and providers

“SHA256withECDSA”, “AndroidOpenSSL”

“SHA384withECDSA”, “AndroidOpenSSL”

“SHA512withECDSA”, “AndroidOpenSSL”

“SHA256WITHECDSA”, “BCFIPS”

“SHA384WITHECDSA”, “BCFIPS”

“SHA512WITHECDSA”, “BCFIPS”

Supported algorithms for BCFIPS

“ECDSA” KeyFactory

“ECDH” KeyFactory

“ECDSA” KeyPairGenerator

“ECDH” KeyPairGenerator

“ECDSA” Signature

Supported algorithms for AndroidOpenSSL

“EC” KeyFactory

“EC” KeyPairGenerator

“ECDSA” Signature

Reference webpage : http://developer.android.com/reference/java/security/Signature.html

http://developer.android.com/reference/java/security/spec/ECPublicKeySpec.html

http://developer.android.com/reference/java/security/spec/ECPrivateKeySpec.html

5.4 HMAC

Use the Mac class to calculate the keyed hash (HMAC) of a plaintext.

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

Mac hmac = Mac.getInstance(algorithm, provider);
SecretKeySpec secretkey = new SecretKeySpec(key, algorithm);
hmac.init(secretkey);
byte[] hmacdata = hmac.doFinal(plaintext);

Supported algorithms and providers

“HmacSHA1”, “AndroidOpenSSL”

“HmacSHA256”, “AndroidOpenSSL”

“HmacSHA384”, “AndroidOpenSSL”

“HmacSHA512”, “AndroidOpenSSL”

“HMACSHA1”, “BCFIPS”

“HMACSHA256”, “BCFIPS”

“HMACSHA384”, “BCFIPS”

“HMACSHA512”, “BCFIPS”

Reference webpage : http://developer.android.com/reference/javax/crypto/Mac.html

5.5 PBKDFv2

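Use the SecretKeyFactory class to derive a secret key from a password.

import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm, provider);
// count is the iteration count; keylen is the derived key length in bits
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), count, keylen);
byte[] dkey = skf.generateSecret(keySpec).getEncoded();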

Supported algorithm and provider

“PBKDF2”, “BCFIPS”

Reference webpage: http://developer.android.com/reference/javax/crypto/SecretKeyFactory.html

http://developer.android.com/reference/javax/crypto/spec/PBEKeySpec.html

5.6 RSA

Use the KeyFactory class to generate an RSA private key and public key.

Use the Signature class to sign a plaintext with the generated private key and verify it with the public key.

import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.RSAPublicKeySpec;

// generate key spec (n, d and e are hexadecimal strings)
KeyFactory kf = KeyFactory.getInstance(algorithm, provider);
RSAPrivateKeySpec rsa_private = new RSAPrivateKeySpec(new BigInteger(n, 16), new BigInteger(d, 16));
RSAPublicKeySpec rsa_public = new RSAPublicKeySpec(new BigInteger(n, 16), new BigInteger(e, 16));

// generate key
PrivateKey privKey = kf.generatePrivate(rsa_private);
PublicKey pubKey = kf.generatePublic(rsa_public);

// sign test
Signature signature = Signature.getInstance(SHAAlg, provider);
signature.initSign(privKey);
signature.update(plaintext);
byte[] signed = signature.sign();

// verify test
signature.initVerify(pubKey);
signature.update(plaintext);
boolean verified = signature.verify(signed);

Supported algorithms and providers

“RSA”, “AndroidOpenSSL”

“RSA”, “BCFIPS”

Supported algorithms for SHA

“SHA1”

“SHA256”


Reference webpage: http://developer.android.com/reference/java/security/KeyFactory.html

http://developer.android.com/reference/java/security/Signature.html

http://developer.android.com/reference/java/security/spec/RSAPrivateKeySpec.html

http://developer.android.com/reference/java/security/spec/RSAPublicKeySpec.html

5.7 SHA

You can use the MessageDigest class to calculate the hash of a plaintext.

import java.security.MessageDigest;

MessageDigest md = MessageDigest.getInstance(algorithm, provider);
md.update(plaintext);
byte[] hashdata = md.digest();

Supported algorithms and providers

“SHA-1”, “AndroidOpenSSL”

“SHA-256”, “AndroidOpenSSL”

“SHA-384”, “AndroidOpenSSL”

“SHA-512”, “AndroidOpenSSL”

“SHA-1”, “BCFIPS”

“SHA-256”, “BCFIPS”

“SHA-384”, “BCFIPS”

“SHA-512”, “BCFIPS”

Reference webpage : http://developer.android.com/reference/java/security/MessageDigest.html


6. VPN Configuration

The LG VPN in LGE mobile devices provides IPsec VPN connections.

Once a VPN connection is established, the interceptor module (kernel side) in LG VPN is able to control all inbound and outbound traffic that passes through.

This means that all IP traffic is controlled through the VPN client (IPsec tunnels).

[Figure: LG VPN <Inbound> and <Outbound> traffic paths. Each panel shows Applications and LG VPN in user space and, in the kernel, socket, routing, tun0, interceptor, routing and eth0.]

The Split-tunneling feature is enabled by default, so it must be disabled in CC Mode. The feature can be configured through the MDM capability.


7. Wi-Fi Configuration

The path on the LGE device for connecting to an access point is Settings > Wi-Fi.

The following is a guide to testing EAP-TLS/TTLS on LGE devices:

1. Place certificates into internal storage or an external SD card by using MTP or an email attachment.

Administrators are able to distribute certificates by a web link that executes certificate installation directly.

2. Select “Install certificates” on the “PERSONAL” tab of the “advanced Wi-Fi” menu.

- Must select “Wi-Fi” in the “Credential use” tab.

3. Go back to the Wi-Fi menu and select an access point that supports the EAP method.

- Set the EAP method to “TLS” or “TTLS”.

- Select the CA certificate and user certificate installed in Step #2.

- Input the identity parameter.

- Push the “Connect” button.


Appendix A Generating Secure Random Data

This appendix describes how to generate cryptographically secure pseudo-random data.

To use FIPS validated SecureRandom, enable FIPS mode of OpenSSL first. See Appendix C.

Reference Page: http://developer.android.com/reference/java/security/SecureRandom.html

A.1 Android API for Generating Secure Random Data

SecureRandom() provides the most cryptographically strong provider available, as in the following example.

import java.security.SecureRandom;

// enable OpenSSL FIPS mode first (see Appendix C)
com.android.org.conscrypt.FipsMode.FIPS_mode_set(1);
SecureRandom sr = new SecureRandom();
byte[] output = new byte[16];
sr.nextBytes(output);


Appendix B Key Usage, Import, Destruction

This appendix describes how to use key management with the Keystore APIs.

Reference Page: https://developer.android.com/reference/java/security/KeyStore.html

https://developer.android.com/reference/java/security/KeyPairGenerator.html

B.1 Key Usage

Use the Android KeyStore provider to let an individual app store its own credentials that only the application itself can access. This provides a way for applications to manage credentials that are usable only by themselves.

AndroidKeyStore is registered as a KeyStore type for use with the KeyStore.getInstance(type) method and as a provider for use with the KeyPairGenerator.getInstance(algorithm, provider) method.

You can refer to the examples on the Android KeyStore System webpage for generating a new key pair, signing and verifying, as follows.

Reference pages: https://developer.android.com/training/articles/keystore.html

B.2 Key Import

The Android Keystore system lets you store private keys in a container.

java.security.KeyStore mKeyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
mKeyStore.load(null, null);
mKeyStore.setKeyEntry("TEST_ALIAS_1", privKey, null, chain);

B.3 Key Destruction

An application can delete the entry identified by the given alias from this KeyStore.

mKeyStore.deleteEntry("TEST_ALIAS_1");


Appendix C Configuration of FIPS Validated Cryptographic Engines

This appendix describes how to configure FIPS mode.

C.1 Setting the FIPS Mode

Get the FIPS status of OpenSSL with the FIPS_mode() function and set FIPS mode with the FIPS_mode_set() function.

Example code

import android.util.Log;
import android.widget.Toast;
import com.android.org.conscrypt.FipsMode;

// enable FIPS mode only if OpenSSL is not already in FIPS mode
if (FipsMode.FIPS_mode() != 1) {
    if (FipsMode.FIPS_mode_set(1) != 1) {
        Log.e("CryptoTest", "Failed to OpenSSL enable");
    } else {
        Toast.makeText(this, "OpenSSL FIPS Mode Enable Success", Toast.LENGTH_LONG).show();
    }
} else {
    Toast.makeText(this, "OpenSSL is in FIPS Mode", Toast.LENGTH_LONG).show();
}

C.2 Add BouncyCastleFipsProvider

To use the BCFIPS provider, add BouncyCastleFipsProvider to the Android security provider list. The following is example code.

import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import com.lge.org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

Provider p = new BouncyCastleFipsProvider();
Security.addProvider(p);
KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECDSA", "BCFIPS");
ECGenParameterSpec kpgparams = new ECGenParameterSpec("secp521r1");

C.3 SDK for FipsMode APIs

An SDK is needed to build an application that uses the FipsMode APIs. Please contact [email protected] for information about the SDK for the FipsMode APIs.


Appendix D Guidance for TLS cipher suites

This appendix describes how to set specific cipher suites in your source code.

Only a limited set of cipher suites can be selected in CC mode.

Reference webpage: http://developer.android.com/reference/javax/net/ssl/package-summary.html

https://developer.android.com/training/articles/security-ssl.html

D.1 Android APIs for TLS connection

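HTTPS connections can be established by using the URL class.

import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

URL url = new URL("https://wikipedia.org");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
copyInputStreamToOutputStream(in, System.out); // application-defined helper, not shown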

D.2 How to set cipher suites using Android API

This section describes how to set TLS cipher suites with the Android APIs. In CC Mode the cipher suites are limited to prevent TLS connections that use weak cipher suites: when generating the cipher suite list of the client hello message for a TLS connection, the LG Android platform prevents any cipher suite that is not in the following table from being set.

Application developers can choose a few cipher suites among the approved cipher suites.

Example code

private X509HostnameVerifier hostnameVerifier;

@Override
public Socket createSocket(Socket socket, String host, int port,
        boolean autoClose) throws IOException, UnknownHostException
{
    SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(socket,
            host, port, autoClose);
    sslSocket.setEnabledProtocols(protocol);

    String[] ciphersuits = new String[]{
        "AES128-SHA",
        "AES256-SHA",
        "DHE-RSA-AES128-SHA",
        "DHE-RSA-AES256-SHA",
        "AES128-SHA256",
        "AES256-SHA256",
        "DHE-RSA-AES128-SHA256",
        "DHE-RSA-AES256-SHA256",
        "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384"};

    sslSocket.setEnabledCipherSuites(ciphersuits);

    // check the server certificate against the requested host name
    hostnameVerifier.verify(host, sslSocket);

    return sslSocket;
}


Approved Cipher suites

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS version

TLSv1

TLSv1.1

TLSv1.2
