DocuSign Signature Appliance
Hardware version 8.0 or Hardware version 7.0
with Firmware version 8.0
FIPS 140-2 Non-Proprietary
Security Policy
Level 3 Validation
July 2016
Table of Contents
1 INTRODUCTION ........ 3
1.1 PURPOSE ........ 3
1.2 REFERENCES ........ 3
1.3 TERMINOLOGY ........ 3
1.4 DOCUMENT ORGANIZATION ........ 3
2 FIPS 140-2 SECURITY LEVEL ........ 5
3 SECURITY RULES ........ 6
3.1 SECURE BY DESIGN ........ 7
3.2 PRODUCT DELIVERY ........ 9
3.3 INITIALIZATION ........ 10
3.3.1 Installing the DocuSign Signature Appliance ........ 10
3.3.2 Restoring the DocuSign Signature Appliance from backup ........ 11
3.4 USERS DIRECTORIES ........ 12
3.5 MANAGING THE DOCUSIGN SIGNATURE APPLIANCE ........ 12
3.5.1 Cryptographic Officer ........ 12
3.5.2 User ........ 13
3.6 SECURE OPERATION – DOCUSIGN SA CLIENT ........ 13
3.7 ADDITIONAL SECURITY ISSUES ........ 14
3.8 HIGH AVAILABILITY AND LOAD BALANCING ........ 15
3.9 INTERFACE TO EXTERNAL CA IN AUTOMATED MODE ........ 15
3.10 WELL-DEFINED INTERFACES ........ 15
3.11 ROLES AND SERVICES ........ 17
3.11.1 Supervisor (Crypto Officer) Role ........ 17
3.11.2 User/Application Role ........ 18
3.12 STRONG CRYPTOGRAPHIC ALGORITHMS AND SECURE KEY MANAGEMENT ........ 23
3.12.1 Power-Up Self Tests ........ 27
3.12.2 Conditional Tests ........ 28
3.13 MITIGATION OF OTHER ATTACKS ........ 28
3.14 MAINTENANCE ........ 28
4 FIPS 140-2 LEVEL 3 COMPLIANT MODE ........ 29
4.1 CONFIGURING THE APPLIANCE TO WORK IN FIPS MODE ........ 29
5 UPGRADE APPLIANCE FIRMWARE FROM VERSION 6.0 TO VERSION 7.7 ........ 31
6 UPGRADE APPLIANCE FIRMWARE FROM VERSION 7.7 TO VERSION 8.0 ........ 32
1 INTRODUCTION
1.1 Purpose
This document describes the non-proprietary Cryptographic Module Security Policy for the DocuSign
Signature Appliance. This security policy describes how the DocuSign Signature Appliance meets the
security requirements of FIPS 140-2, and how to operate the DocuSign Signature Appliance in a
secure FIPS 140-2 mode. This policy was prepared as part of the level 3 FIPS 140-2 testing of the
DocuSign Signature Appliance.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules.
Additional information about the FIPS 140-2 standard and validation program is available on the
NIST web site at http://csrc.nist.gov/groups/STM/cmvp/index.html.
1.2 References
This document deals only with the operations and capabilities of the DocuSign Signature Appliance
in the technical terms of a FIPS 140-2 cryptographic module security policy. Additional information
about the DocuSign Signature Appliance and other DocuSign products is available at
www.docusign.com .
1.3 Terminology
In this document the DocuSign Signature Appliance is referred to as the appliance.
1.4 Document Organization
This document is part of the FIPS 140-2 Submission Package. In addition to this document, the
Submission Package contains the following documents:
• Vendor Evidence
• Finite State Machine
• Module Firmware Listing
• Other supporting documentation as additional references
This document is organized as follows:
• Section 1: Introduction – Includes an overview of the DocuSign Signature Appliance and
explains the secure configuration and operation of the appliance.
• Section 2: FIPS 140-2 security level – Details each level of the FIPS 140-2 requirements
section.
• Section 3: Appliance Security Rules – Details the general features and functionality of the
DocuSign Signature Appliance.
• Section 4: FIPS 140-2 Level 3 Compliant Mode – Addresses the required configuration for the
FIPS 140-2 mode of operation.
With the exception of this non-proprietary Security Policy, the FIPS 140-2 Validation submission
documentation is DocuSign-proprietary and may only be released under appropriate non-disclosure
agreements.
This document may be reproduced and distributed providing such a reproduction is complete and
unmodified.
For access to the FIPS 140-2 Validation Submission documents, contact DocuSign.
2 FIPS 140-2 security level
The DocuSign Signature Appliance is validated to meet the FIPS 140-2 security requirements for the
levels shown below. The overall module is validated to FIPS 140-2 security level 3.
FIPS 140-2 Security Requirements Section | Level
Cryptographic Module Specification | 3
Cryptographic Module Ports and Interfaces | 3
Roles, Services and Authentication | 3
Finite State Model | 3
Physical Security (Multi-Chip Standalone) | 3
Cryptographic Key Management | 3
EMI/EMC | 3
Self-Tests | 3
Design Assurance | 3
Mitigation of Other Attacks | N/A
Operational Environment | N/A
Table 1 - FIPS 140-2 Security Requirements Level
3 Security Rules
The DocuSign Signature Appliance is a digital signature appliance that enables users within an
organization to digitally sign documents and data. Contained within a secure, tamper-responsive
steel case, the Appliance performs the actual digital signature operation using an asymmetric key of
the user. All keys and critical security parameters are protected within the cryptographic boundary
by the physical security mechanisms of the appliance.
The Appliance provides the basic RSA digital signature operation. Additional cryptographic
algorithms are used in support of this main functionality. These are used to encrypt: the session
between the user’s PC and The Appliance; the asymmetric keys that are kept in the internal
database; and the backup of The Appliance’s database. They are also used to provide data integrity.
The Appliance performs all cryptographic operations internally and, through self-tests, it ensures
that these operations function correctly.
Figure 1 – DocuSign Signature Appliance - hardware version 8.0
Figure 2 – DocuSign Signature Appliance - Hardware version 7.0
3.1 Secure by Design
The DocuSign Signature Appliance is a multi-chip standalone appliance. It has been designed to meet
all of the Level 3 FIPS 140-2 requirements. Encased within a tamper-responsive and tamper-evident
steel box, the appliance both protects against and reacts to attacks. Access to the appliance is only
permitted through the specific, well-defined interfaces detailed in section 3.10, Well-Defined Interfaces.
All vents on the module are baffled to meet the FIPS 140-2 opacity requirements for physical security.
Appliance Hardware version 8.0 includes a dual power supply whose power supply units are
removable and replaceable.
Tamper Evident cans provide evidence of any attempt to tamper with the module cover. Each Tamper
Evident can is placed over a screw that joins the top cover and the bottom enclosure.
The Tamper Evident cans are applied at the manufacturing stage.
The Tamper Evident cans are shown in Figure 3 (for Appliance Hardware version 8.0) and Figure 4
(for Appliance Hardware version 7.0).
Figure 3 - Tamper Evident cans – DocuSign Signature Appliance - Hardware version 8.0
Figure 4 - Tamper Evident cans – DocuSign Signature Appliance - Hardware version 7.0
The units are encased in a solid metal case rigged with micro-switches and only the specified
physical interfaces permit access to the module. Intrusion attempts cause power to be instantly cut
off, preventing access to any useful information by zeroizing all plaintext critical security parameters
including the Appliance Critical keys.
3.2 Product Delivery
When the Crypto Officer receives the appliance, the Crypto Officer must check the appliance’s case
for any evidence of physical tampering. The Crypto Officer should verify that the Tamper Evident
cans are attached to the appliance and that they are not damaged.
If you think the appliance has been tampered with during delivery, contact DocuSign.
3.3 Initialization
The appliance is delivered to you in the Factory Settings state. In this state it is not yet a FIPS module
and only the following options are relevant:
• Setting network parameters – The Cryptographic Officer can set the IP address of the
Appliance, define that the IP address is retrieved using the DHCP protocol and set other
networking related parameters. This operation is performed through the Appliance's console.
• Time adjustments – The Cryptographic Officer can set the current time of the appliance
or retrieve the time from an NTP server. This operation is performed through the Appliance's
console.
• Installation – This critical procedure must be performed in a secure environment. Only after
the Appliance is installed can it begin to provide its digital signature services.
For additional details, see section 3.3.1, Installing the DocuSign Signature Appliance.
• Restoration – This critical procedure must be performed in a secure environment.
Restoration is similar to installation, but uses the backup file of the internal database.
For additional details, see section 3.3.2, Restoring the DocuSign Signature Appliance from backup.
Remark:
Starting from Appliance Hardware version 8.0, a web based console can be used. The web based
console is accessed through a dedicated LAN interface (labeled LAN0) of the appliance at IP
address 10.0.0.2 on port 8088.
Also, any operation from the web based console requires physical access to the appliance: the
license token must be unplugged and plugged back in to approve the operation.
If Appliance Hardware version 7.0 is used, a built-in Console is used for performing local
administrative operations. The built-in Console is accessed through the front panel display and four
button keypad.
3.3.1 Installing the DocuSign Signature Appliance
The Appliance installation is performed using the administrative DocuSign SA Client (i.e. DocuSign
Signature Appliance’s Client). The Cryptographic Officer uses the administrative DocuSign SA client
to send installation commands to the Appliance. The installation commands are sent using the
regular client/appliance secure protocol (see Secure Operation – DocuSign SA Client).
During installation, the following security related issues are handled:
• The first Crypto Officer User ID and password are provided. The Crypto Officer is defined in
the users database with the required permissions to manage users, groups and the
Appliance. Assigning users to groups is relevant only when the Appliance is installed in
Directory Independent mode.
• A set of four Server critical Triple-DES keys are randomly generated inside the Appliance and
are placed inside the internal tamper device. These keys are also loaded into the two blue
USB tokens. These tokens must be stored on the Crypto Officer's premises and are only used
during the:
  • Reset tamper operation performed by the Crypto Officer.
  • Restoration of the Appliance.
  • Installation of an alternate appliance for High Availability purposes.
• If the Appliance is configured to use an internal CA, an RSA key pair is generated for the
internal CA (Certificate Authority) of the appliance. This key is used for generating X.509-based
certificates for users. The RSA private key is encrypted and stored in the Appliance.
During normal Appliance operation, a USB-based license plug is plugged into the Appliance’s USB
port. The USB token controls the number of possible existing users in the Appliance’s database.
DocuSign manufactures the Appliance with firmware version 6.0, 7.7 or 8.0.
It is also possible to upgrade Appliance firmware version 6.0 to version 7.7, and version 7.7 to
version 8.0. For information on how to perform a firmware upgrade, refer to Chapters 5 and 6.
3.3.2 Restoring the DocuSign Signature Appliance from backup
If the appliance was physically damaged, reset to factory settings, or damaged in some other way, a
backup of the Appliance’s database must be restored to a new or existing Appliance. The restore
operation is very similar to the installation of a new Appliance and must be performed in a secure
environment. In addition, the Appliance must be in the Factory Settings state to perform the restore
operation.
A restoration differs from an installation in the following ways:
• A valid backup file of an operational Appliance must be available.
• The Crypto Officer must have a valid backup token that includes the critical keys of that
operational Appliance.
During restoration:
• The Crypto Officer provides the backup file and plugs the backup token into the Appliance's
USB token slot.
• All users and their relevant data, such as their private keys, are restored to the Appliance's
database.
After restoration, all users can sign their documents and data using the Appliance.
After initialization, the product is a FIPS module and begins serving user requests and Crypto Officer
requests.
3.4 Users Directories
The DocuSign Signature Appliance supports installation in environments where a user directory
already exists. Currently the following Users Directory environments are supported:
• Microsoft Active Directory
• LDAP based environments such as IBM Tivoli, SUN Directory Server and Oracle Internet
Directory.
The Appliance provides two additional functionalities when using these environments:
• Synchronization with the Users Directory of the environment – The Appliance is
synchronized with the users directory of the environment. Every user in the users directory
who is classified as a signer is also defined in the Appliance and is able to sign documents.
• Authentication using the Kerberos Ticketing mechanism – When a user attempts to securely
connect to the Appliance for any operation, such as signing a document, the login operation
is done using the Kerberos Ticketing mechanism. The Appliance authenticates users from
Active Directory relying on the Kerberos Ticketing mechanism.
Besides the above directories, the Appliance supports the Directory Independent
environment, where users are defined by the administrator of the organization and the login
operation is performed internally by the Appliance.
Note: Only the Directory Independent environment and the module interface to Microsoft Active
Directory are submitted for FIPS 140-2 validation.
Also, it is possible to authenticate a user based on a SAML ticket provided by a trusted Identity
Provider. Using a SAML ticket can be enabled when the Appliance is deployed in Directory
Independent mode.
3.5 Managing the DocuSign Signature Appliance
3.5.1 Cryptographic Officer
The Crypto Officer performs both appliance and user/groups management of the Appliance.
In the case of Active Directory based environment, users are managed in the directory and all
changes that are made in the directory sync with the list of users in the Appliance.
The Crypto Officer connects securely to the Appliance (see section 3.6, Secure Operation – DocuSign
SA Client). The following sections describe in detail all operations that can be performed by the Crypto Officer.
The Crypto Officer creates users and groups according to the organization’s policy. For each user, a
User-ID and a Password is provided. This operation is relevant only when the Appliance is installed in
Directory Independent environment. In Active Directory environment, a user is created in the
Appliance when the Crypto Officer creates the user in Active Directory and defines the user as a
member of the Appliance’s signers group.
By default, after a user is created, the appliance automatically generates a new RSA key pair and a
Certificate for the user.
The Crypto Officer can delete users. When a user is deleted, all the user’s keys, certificates, and
graphical images are also deleted. This operation is relevant only when the Appliance is installed in
Directory Independent Environment. In Active Directory Environment users are deleted from the
Appliance when the Crypto Officer deletes the user in Active Directory or removes the user from the
Appliance’s signers group.
3.5.2 User
In the case of the Directory Independent environment, the user can change the password. The
password must be at least six and at most twenty-eight Unicode characters long.
In the case of Active directory environment, the user’s password is managed by the directory.
The user can also direct the Appliance to generate additional RSA keys. It is possible to store several
graphical signature images in the user account in the Appliance. These images are stored in the
Appliance’s database, retrieved by the DocuSign SA Client, and can be incorporated into the signed
document in the user’s PC.
A user can only use keys that are owned by that user.
Remark: starting from Appliance version 8.0, it is possible to configure the Appliance to use an RSA
key pool when the Appliance Internal CA is used. The implementation is based on a process that is
executed within the cryptographic module and writes the newly generated keys to the database,
encrypted with Appliance Critical Key 1.
A key from the pool is assigned to a user when a signature key must be assigned to that user. Once
assigned, a given key from the pool belongs to that user only.
3.6 Secure Operation – DocuSign SA Client
Any operator who wishes to use the Appliance's services can connect via a secure protocol using the
DocuSign SA Client. The secure networking protocol is a standard TLS (Transport Layer Security)
protocol with the following parameters:
• The TLS protocol is based on a Server RSA key. The TLS Server RSA key is externally generated
during manufacturing. Each individual Appliance includes a different TLS Server RSA key.
• The TLS session is based on Triple-DES-CBC encryption and HMAC-SHA1 data integrity.
• Upon session creation, the only operation that can be performed is an authentication
command. The authentication is based on a User ID and Password, which are verified by the
Appliance, or on a Kerberos ticket when the Appliance is installed in an Active Directory
environment. Also, it is possible to authenticate a user based on validating a SAML Token
that was created by a trusted Identity Provider.
• Only after the user is authenticated can the user perform operations such as digitally signing
data. Similarly, the Crypto Officer can connect securely to the Appliance and perform
administrative operations.
• It is possible to configure the Appliance to use extended authentication, where any digital
signature operation requires the end user to authenticate. There are two modes of extended
authentication:
  • Radius based – the end user provides an additional password that is validated by an
external Radius Server. Usually the extended password is a one-time password.
  • PKI based – the end user signs the current time with a local SmartCard or a software
token. The signature is validated by the Appliance.
3.7 Additional Security Issues
The four critical keys are used for:
1) Encrypt sensitive data in the database in non-volatile memory and MAC plaintext data in the
database.
2) MAC individual user’s records in the database.
3) Encrypt database for backup
4) MAC database for backup
The four critical keys of the Appliance are stored on a special backup token and in an internal tamper
device. These keys are loaded into the Appliance’s volatile memory during startup from the tamper
device and erased from memory when the appliance is shut down.
Any attempt to access the device that triggers the tamper response will cause power to be instantly
cut off, preventing access to any useful information by zeroizing all plain text critical security
parameters, including the Appliance’s critical keys. Without these keys, it is not possible to start the
Appliance or access the Appliance’s stored data.
The critical keys will also be deleted from the internal tamper device. Upon next startup of the
device a tamper detected message will be displayed in the console (touch screen of Appliance
hardware version 8.0 or internal console of Appliance hardware version 7.0).
Also, if there is an attempt to access the device when the power is off, the tamper response circuit is
still active. If the tamper circuit is activated, the critical keys will be deleted from the internal
tamper device and the tamper detected message will appear in the console upon next startup.
Module zeroization can be done by performing the Factory Restore operation from the console. This
operation will zeroize all plain text critical security parameters, including the Appliance’s critical
keys. Also all users’ information as well as the users’ keys will be deleted from the Appliance’s
database.
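The per-record MAC described above (the second of the four critical keys) is what lets the Appliance notice an offline edit of its database, for example a flipped administrative authorization mask or one user's record filed under another user ID. The following Python block is an added illustration, not Appliance firmware: the MAC algorithm (HMAC-SHA-256), the record encoding, the key value and the sample records are all assumptions made so that it runs offline, since the policy does not state how the Appliance formats or MACs its records.

```python
import hashlib
import hmac
import json

# Constructed stand-in for Appliance Critical Key 2 (the per-record MAC key).
# The real key is Triple-DES material kept in the tamper device; this value is
# hypothetical and exists only so the example runs offline.
CRITICAL_KEY_2 = bytes(range(32))


def canonical_record(user_id: str, record: dict) -> bytes:
    # Bind the MAC input to the owning user ID and to a canonical (sorted,
    # compact) JSON encoding, so that reordering fields or filing the record
    # under another user ID changes what is authenticated.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return user_id.encode("utf-8") + b"\x00" + body.encode("utf-8")


def mac_record(key: bytes, user_id: str, record: dict) -> bytes:
    # HMAC-SHA-256 is an assumption; the policy does not name the MAC algorithm.
    return hmac.new(key, canonical_record(user_id, record), hashlib.sha256).digest()


def verify_record(key: bytes, user_id: str, record: dict, tag: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(mac_record(key, user_id, record), tag)


def seal_database(key: bytes, users: dict) -> dict:
    """Compute one MAC per user record; returns {user_id: tag}."""
    return {uid: mac_record(key, uid, rec) for uid, rec in users.items()}


def check_database(key: bytes, users: dict, tags: dict) -> list:
    """Return the user IDs whose record fails MAC verification (a missing tag counts as failure)."""
    bad = []
    for uid, rec in users.items():
        tag = tags.get(uid)
        if tag is None or not verify_record(key, uid, rec, tag):
            bad.append(uid)
    return bad


# Constructed sample records, with the fields the policy lists for a user
# record: user name, common name, e-mail address, administrative mask.
USERS = {
    "alice": {"user_name": "alice", "common_name": "Alice Example",
              "email": "alice@example.org", "admin_mask": 0},
    "bob": {"user_name": "bob", "common_name": "Bob Example",
            "email": "bob@example.org", "admin_mask": 0},
}


def demo() -> dict:
    tags = seal_database(CRITICAL_KEY_2, USERS)

    # 1. Untouched database: every record verifies.
    clean = check_database(CRITICAL_KEY_2, USERS, tags)

    # 2. Offline privilege escalation: bob's admin mask is flipped on disk.
    escalated_users = {uid: dict(rec) for uid, rec in USERS.items()}
    escalated_users["bob"]["admin_mask"] = 1
    escalated = check_database(CRITICAL_KEY_2, escalated_users, tags)

    # 3. Record swap: alice's record AND its valid tag are copied under bob's
    #    ID. The tag was computed over "alice\0...", so it fails for "bob\0...".
    swapped_users = dict(USERS)
    swapped_users["bob"] = dict(USERS["alice"])
    swapped_tags = dict(tags)
    swapped_tags["bob"] = tags["alice"]
    swapped = check_database(CRITICAL_KEY_2, swapped_users, swapped_tags)

    return {"clean": clean, "escalated": escalated, "swapped": swapped}


if __name__ == "__main__":
    print(demo())
```

Note what a per-record MAC does not catch: deleting a record outright, or rolling the whole database back to an older, validly MACed copy. That is the job of the database-level encryption and MAC that the policy assigns to the other critical keys, and of keeping the keys themselves inside the tamper device rather than on the same disk as the data.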
The units are encased in a solid metal case rigged with micro-switches and only the specified
physical interfaces permit access to the appliance. The boundary of the module is the metal case.
The appliance meets FCC requirements in 47 CFR Part 15 for personal computers and peripherals
designated for home use (Class B), and is labeled according to FCC requirements.
The cryptographic boundary is the metal case of the Appliance, it does not include the lockable door
on the front panel or the air filter holder that attaches to the front panel. The door on the front
panel can be closed to cover: the LCD display, four button keypad, USB port, and the status LEDs.
Appliance Hardware version 8.0 has no lockable door, so all front-panel components such as the
USB port and status LEDs are directly visible.
Also, Appliance Hardware version 8.0 supports a dual power supply containing two removable
power supply units. The removable power supply units are external components of the module. The
power supply bays, internal power wires, power connectors, internal power circuit and fan are
excluded components.
Appliance Hardware version 7.0 has a lockable door which, when closed, hides the front-panel
components such as the USB port and status LEDs.
3.8 High Availability and Load Balancing
It is possible to deploy two or more appliances in the same organization. The purpose of having
more than one active appliance is to enable the organization's users to continue to digitally sign in
the event of a hardware or firmware malfunction of an Appliance.
The main Appliance is named the Primary Appliance, while the other appliances are named the
Alternate Appliances.
The whole content of the primary appliance's database is replicated to the alternate appliances, thus
enabling end users to sign data using either the primary appliance or an alternate appliance.
3.9 Interface to External CA in Automated mode
The Appliance can be configured to access an external CA in automated mode for the purpose of
certificate enrollment.
Upon creation of a user, the Appliance connects to the external CA and the external CA
issues a certificate for the user. Upon an update of user information such as the email address, a new
certificate is generated for the user.
If the user is deleted from the Appliance, the certificate of the user will be revoked.
3.10 Well-Defined Interfaces
The appliance is a steel, rack mountable box, in which only the interfaces provide access to the
appliance.
The physical interfaces of Appliance hardware version 7.0 include the power connector, network
connection (Ethernet interface using TCP/IP), one key slot, power switches, LEDs, an LCD display, a
keypad with four buttons, and one USB slot for a smartcard-based USB token. All ports use standard PC
pin-outs.
The physical interfaces of Appliance hardware version 8.0 include the power connector, regular
network connection (Ethernet interface using TCP/IP), administrative network connection (Ethernet
interface using TCP/IP), power switches, LEDs, a touch screen and one USB slot for a smartcard-based USB token. All ports use standard PC pin-outs.
Table 2 shows the mapping of the FIPS 140-2 logical interfaces to the appliance's physical interfaces.
FIPS 140-2 Logical Interface | Appliance Physical Interfaces
Data Input Interface | Network port (LAN) – hardware version 7.0; Network port (LAN1) – hardware version 8.0; USB slot for smartcard-based token (1)
Data Output Interface | Network port (LAN) – hardware version 7.0; Network port (LAN1) – hardware version 8.0; USB slot for smartcard-based token (2)
Control Input Interface | Network port (LAN) – hardware version 7.0; Network ports (LAN0/LAN1) – hardware version 8.0; Keypad (hardware version 7.0); Touch Screen (hardware version 8.0)
Status Output Interface | Network port (LAN) – hardware version 7.0; Network ports (LAN0/LAN1) – hardware version 8.0; LEDs; Display – hardware version 7.0; Touch Screen – hardware version 8.0
Power Interface | AC power connector – hardware version 7.0; DC power connector – hardware version 8.0
Table 2 - Interfaces
(1) Used only in the case of restoration or a reset tamper event.
(2) Used only during installation.
When the DocuSign SA Client is used, all requests for cryptographic services are performed through
the Appliance API. This API, written in C/C++ and based on RPC (Remote Procedure Calls), provides a
high-level interface to the cryptographic services provided by the appliance that include RSA key
generation and digital signature operations.
When Appliance Hardware version 7.0 is used, the LCD displays the following status information: IP
address, version information, and serial number.
The front of the module has the following LEDs:
• Power LED
• Hard Disk LED
• Tamper LED
When Appliance Hardware version 8.0 is used, the Touch Screen displays the following status
information: IP address, version information, and serial number.
The front of the module has the following LEDs:
• Power LED
• Hard Disk LED
• Tamper LED
Status information can also be sent via syslog protocol to a syslog server or can be retrieved by
network monitoring systems via SNMP protocol. This status information is sent using the network
ports of the module.
3.11 Roles and Services
The DocuSign Signature Appliance employs password-based, identity-based authentication of users
and operators secured by the TLS protocol. Multiple users and operators can connect and use the
Appliance simultaneously. Each user has a user record that contains the user name, common name,
email address, and administrative authorization mask. The administrative authorization mask
controls whether the user can perform appliance management tasks or user management tasks.
There are two roles that can be assigned to an operator, User and Supervisor (Crypto Officer).
In Active Directory, it is possible to authenticate users and Crypto Officers based on SSPI (Security
Support Provider Interface), which is a Kerberos based ticketing mechanism. The user is
authenticated to the domain and provided with a ticket from the domain. The ticket is sent from the
DocuSign SA client to the Appliance during user authentication. The Appliance authenticates the
user based on the given ticket.
3.11.1 Supervisor (Crypto Officer) Role
The Supervisor role is assigned to the Crypto Officer and is used for user and appliance
management, appliance installation/restoration, and the appliance’s configuration. The Crypto
Officer possesses the backup tokens necessary for reset tampering and restoring from backup. The
Crypto Officer can log into the Appliance remotely using the standard Appliance authentication
protocol.
The Crypto Officer can perform the following tasks. These tasks represent special services of the
Appliance:
• Create users – DI Environment
• Update user information – DI Environment
• Retrieve user information
• Revoke Users – DI Environment
• Set user password – DI Environment
• Disable/Enable user logon – DI Environment
• Create groups – DI Environment
• Update groups – DI Environment
• Delete groups – DI Environment
• Attach/detach a user from a group – DI Environment
• Disable/enable a group – DI Environment
• Perform shutdown
• Load Firmware
• Perform backup of all data in the Appliance
• Retrieve log file
• Update system parameters
• Zeroize Module
• Asymmetric cryptography
• Authentication
• Graphical image Import/export
• Delete Keys
• Change user password – DI Environment
• Show FIPS mode Status
Locally, the Crypto Officer can access certain management operations of the appliance,
including resetting a tamper condition, which is performed using the backup USB token.
A specific Client IP address can be set as a system parameter. Only from this IP address is it
possible to perform a backup of the Appliance to a file without being asked for an administrator
User ID and password, which allows a periodic backup of the Appliance to be automated.
3.11.2 User/Application Role
The User/Application role is used for accessing the cryptographic services provided by the appliance.
A user logs into the appliance remotely using a user ID and a password or based on Active Directory
ticket (SSPI). The session is protected using the TLS protocol. A user is not permitted to perform any
user or appliance management operations.
A user can access the following services:
• Asymmetric cryptography
• Authentication
• Graphical image Import/export
• Delete Keys
• Change user password – DI Environment
• Show FIPS mode Status
The Crypto Officer and User roles can use the Asymmetric cryptography service to generate an RSA
key pair, generate a digital signature, retrieve a public key and certificate, and upload a user
certificate.
An operator assigned a User/Application role must first authenticate to the appliance using the user ID and password or based on an Active Directory ticket (SSPI). After successful authentication, an authenticated and encrypted session is created. During this session, the operator may only perform cryptographic services on RSA keys that belong to the operator.
Also, the user can change his/her password. The password length must be at least six Unicode characters.
In addition, the user can be authenticated based on a SAML token provided by a trusted Identity Provider.
In the Directory Independent environment the module enforces a minimum password length of six characters. Each character may be numeric (0-9), alphabetic (a-z, A-Z) or any other Unicode character. Considering only the alphanumeric set of characters, there are 62 possible characters and the password is at minimum 6 characters long.
Therefore, the probability of a random attempt to succeed is:
One in (62 ^ 6) or 1 in 56,800,235,584. This is less than 1 in 1,000,000.
It takes the module approximately 1 msec to process a login attempt, for a maximum of 1,000 login attempts in 1 second and 60,000 login attempts in 1 minute.
Therefore, the probability of a random attempt to succeed during a minute is:
One in ((62 ^ 6) / 60,000) or 1 in (56,800,235,584 / 60,000) or 1 in 946,670. This is less than 1 in 100,000.
If SAML authentication is used, since the SAML token is based on a 2048-bit digital signature, the probability that a random access attempt will succeed is far less than one in 1,000,000 attempts using this authentication mechanism. The authentication provides a 1 in 2^161/(3000*60) probability of a successful random attempt during a one-minute period, since the appliance cannot process more than 3000 SAML validations per second.
An operator who has access to the role of Crypto Officer must first authenticate to the appliance using the user ID and password of the Crypto Officer or based on an Active Directory ticket (SSPI). When using Active Directory authentication, the Crypto Officer must be part of an Active Directory administrative group. During this session, the operator may perform user management and appliance management services.
In the case of an Active Directory environment, the user and the Crypto Officer authenticate by presenting a ticket over a TLS channel. The Kerberos ticket is encrypted and contains a domain session key with a length of at least 56 bits.
Therefore, the probability of a random attempt to succeed is:
One in (2^56) or 1 in 72,000,000,000,000,000. This is less than 1 in 1,000,000.
It takes the module 1 msec to process a login attempt. A maximum of 1,000 login attempts may be processed in 1 second and 60,000 login attempts in 1 minute. This gives: (2^56) / 60,000 ~ 1,200,000,000,000.
Therefore, the probability of a random attempt to succeed during a minute is:
One in (1,200,000,000,000); this is less than 1 in 100,000.
The Appliance can be configured to use additional authentication for every digital signature operation.
The additional authentication is defined as one of the following:
- Username and Password authentication using a Radius Server. The user will provide his/her password. Both user ID and password will be authenticated by a Radius server using the Radius protocol.
- PKI based digital signature based on a SmartCard or Software token. The signature is computed over the current time. The digital signature is validated by the Appliance.
The Radius authentication is based on 32 bytes of authentication data sent from the Appliance to the Radius Server, of which 16 bytes are randomly generated by the Appliance.
Therefore, the probability of a random attempt to succeed is:
One in (2^128); this is less than 1 in 1,000,000.
It takes the module 1 msec to process a signature request, for a maximum of 60,000 signature requests in 1 minute.
Therefore, the probability of a random attempt to succeed during a minute is:
One in (2^128/60000); this is less than 1 in 100,000.
Since the Radius authentication is performed in addition to the authentication methods above, it further strengthens both methods (Active Directory and Directory Independent).
In the case of PKI signature validation as part of the authentication process, the authentication is based on a 2048-bit digital signature, and the probability that a random access attempt will succeed is far less than one in 1,000,000 attempts using this authentication mechanism. The authentication provides a 1 in 2^161/(3000*60) probability of a successful random attempt during a one-minute period, since the appliance cannot process more than 3000 signature validations per second.
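The strength-of-authentication arithmetic above, carried through for all four mechanisms as an added worked example (this is not part of the policy or DocuSign's code; the credential-space sizes and attempt rates are taken from the text, and the 2^161 figure for SAML/PKI is the policy's own stated value, not a derivation):

```python
from fractions import Fraction

# FIPS 140-2 strength-of-authentication thresholds applied throughout the policy:
# a single random attempt must succeed with probability below 1 in 1,000,000, and
# all attempts the module can process in one minute with probability below 1 in 100,000.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
ONE_MINUTE_LIMIT = Fraction(1, 100_000)

# (name, size of the credential space, attempts the appliance can process per second),
# as stated in the policy text. The SAML/PKI entry uses the 2^161 figure the policy
# quotes for its 2048-bit signature rather than deriving one.
MECHANISMS = [
    ("Directory Independent password, 6 alphanumeric characters", 62 ** 6, 1000),
    ("Active Directory Kerberos ticket, 56-bit session key", 2 ** 56, 1000),
    ("Radius extended authentication, 16 random bytes", 2 ** 128, 1000),
    ("SAML token / PKI signature validation", 2 ** 161, 3000),
]


def single_attempt_probability(space: int) -> Fraction:
    """Probability that one random guess matches a uniformly chosen credential."""
    return Fraction(1, space)


def one_minute_probability(space: int, attempts_per_second: int) -> Fraction:
    """Probability that at least one of the attempts possible in 60 s succeeds.
    The union bound attempts/space is exact enough when space >> attempts."""
    return min(Fraction(attempts_per_second * 60, space), Fraction(1))


def evaluate(space: int, attempts_per_second: int) -> dict:
    """Both probabilities plus a pass/fail against each FIPS 140-2 threshold."""
    p_single = single_attempt_probability(space)
    p_minute = one_minute_probability(space, attempts_per_second)
    return {
        "single": p_single,
        "minute": p_minute,
        "one_in_minute": int(1 / p_minute),  # the "one in N" figure the policy prints
        "single_ok": p_single < SINGLE_ATTEMPT_LIMIT,
        "minute_ok": p_minute < ONE_MINUTE_LIMIT,
    }


def minimum_password_length(alphabet_size: int, attempts_per_second: int) -> int:
    """Smallest password length at which a given alphabet meets both thresholds.
    With 62 characters and 1,000 attempts/s the answer is 6: the per-minute bound,
    not the single-attempt bound, is what forces the policy's six-character minimum."""
    length = 1
    while True:
        result = evaluate(alphabet_size ** length, attempts_per_second)
        if result["single_ok"] and result["minute_ok"]:
            return length
        length += 1


if __name__ == "__main__":
    for name, space, rate in MECHANISMS:
        r = evaluate(space, rate)
        print(f"{name}: 1 in {space} per attempt, 1 in {r['one_in_minute']} per minute,"
              f" meets both thresholds: {r['single_ok'] and r['minute_ok']}")
    print("Minimum alphanumeric password length at 1,000 attempts/s:",
          minimum_password_length(62, 1000))
```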
Table 3 lists which roles have access to each service.

Services                                          | Role
Create users – DI Environment                     | CO
Update user information                           | CO
Retrieve user information                         | CO
Revoke users – DI Environment                     | CO
Set user password – DI Environment                | CO
Enable/Disable user login – DI Environment        | CO
Create group – DI Environment                     | CO
Update group – DI Environment                     | CO
Delete group – DI Environment                     | CO
Attach/Detach user from a group – DI Environment  | CO
Enable/Disable group – DI Environment             | CO
Perform shutdown                                  | CO
Load Firmware                                     | CO
Perform backup                                    | CO
Retrieve log file                                 | CO
Self-Tests                                        | CO
Update system parameters                          | CO
Asymmetric cryptography                           | CO/User
Authentication                                    | CO/User
Graphical image Import/export                     | CO/User
Delete Keys                                       | CO/User
Change user password – DI Environment             | CO/User
Zeroize Module                                    | CO
Show FIPS mode Status                             | CO/User/No Role
Setting network parameters                        | No Role
Time adjustments                                  | No Role
Shutdown                                          | No Role
Backup to a specified IP address                  | No Role
DRBG                                              | No Role
Table 3 - Role Access to Services
3.12 Strong Cryptographic Algorithms and Secure Key Management
The DocuSign Signature Appliance supports and uses a variety of strong cryptographic algorithms.
The Appliance implements these algorithms based on the following FIPS 140-2-approved algorithms:
Type of Algorithm                     | Algorithm Name                                                  | Cert. numbers
Session data encryption               | Triple-DES (ANSI X9.52) in CBC mode – 192 bits                  | Triple-DES (Certs. #2160 and #2161)
Session packet integrity              | HMAC-SHA1                                                       | HMAC (Certs. #2563 and #2564)
                                      | SHA1                                                            | SHS (Certs. #3248 and #3249)
Database integrity                    | Triple-DES-MAC in CBC mode – 192 bits                           | Triple-DES (Certs. #2155 and #2156), Vendor Affirmed
Database encryption                   | Triple-DES (ANSI X9.52) in CBC mode – 192 bits                  | Triple-DES (Certs. #2155 and #2156)
Backup encryption                     | Triple-DES (ANSI X9.52) in CBC mode – 192 bits                  | Triple-DES (Certs. #2155 and #2156)
TLS-based session scheme              | HMAC-SHA1                                                       | HMAC (Certs. #2563 and #2564)
                                      | CVL (TLS) – TLS 1.0                                             | CVL (Certs. #786 and #787)
                                      | KTS                                                             | KTS (Triple-DES Cert. #2160 and HMAC Cert. #2563); KTS (Triple-DES Cert. #2161 and HMAC Cert. #2564)
Authentication                        |                                                                 | SHS (Certs. #3237 and #3238)
Hash for Digital signature generation | SHA-256, SHA-384 and SHA-512                                    | SHS (Certs. #3237 and #3238)
RSA Key generation                    | FIPS 186-4 RSA Key Generation: 2048 bit                         | RSA (Certs. #2005 and #2006)
Digital signature generation          | PKCS1 v1.5 RSA Signature Generation: 2048 bit                   | RSA (Certs. #2005 and #2006)
Digital signature verification        | PKCS1 v1.5 RSA Signature Verification: 2048 bit                 | RSA (Certs. #2005 and #2006)
Random Number generation              | HMAC-Based DRBG                                                 | DRBG (Certs. #1137 and #1138)
                                      | Hash-Based DRBG                                                 | DRBG (Cert. #98)
HMAC                                  | HMAC-SHA256                                                     | HMAC (Certs. #2551 and #2552)
Password Derivation                   | PBKDF – User ID/Password authentication scheme based on SHA-1   | Vendor Affirmed
Table 4 - Implemented Algorithms and FIPS Approved algorithms
The module implements the following Non-FIPS approved, but allowed, algorithms:
- RSA-TLS (key wrapping; key establishment methodology provides 112 bits of encryption strength). The TLS protocol has not been reviewed or tested by the CAVP and CMVP.
- MD5 (used in Extended Authentication mode – Radius and by the TLS 1.0 implementation)
- HW RNG (used in Safenet eToken 5105)
The module implements the following Non-FIPS approved algorithms:
- SHS (non-compliant) – used in RSA-RESTful-TLS in non-FIPS mode
- HMAC (non-compliant) – used in RSA-RESTful-TLS in non-FIPS mode
- Triple-DES (non-compliant) – used in RSA-RESTful-TLS in non-FIPS mode
- RSA-RESTful-TLS (key wrapping; non-compliant)
The Appliance stores private keys in a key database. This database is stored encrypted (with Triple-DES CBC) on the Appliance’s internal hard drive. Within the key database, each key is attached to a specific user.
Keys generated in the Appliance cannot be read from outside the Appliance. Users’ public keys, certificates, and graphical images of the user’s signature are stored in the Appliance’s database and can be retrieved during a user’s session. The user can retrieve only his/her own objects.
Table 5 provides a list of keys, their key types, and access control.

Cryptographic Keys and CSPs                                                          | Key Type                                                                    | Access: Crypto Officer (R/W/X*) / User (R/W/X¹)
Appliance Critical Key 1 – Key and values encryption in database                     | Triple-DES 192 bit key, FIPS 46-2                                           | X
Appliance Critical Key 2 – MAC of users database records                             | Triple-DES 192 bit key, FIPS 46-2                                           | X
Appliance Critical Key 3 – Appliance’s Backup encryption                             | Triple-DES 192 bit key, FIPS 46-2                                           | X
Appliance Critical Key 4 – MAC of the Appliance’s Backup                             | Triple-DES 192 bit key, FIPS 46-2                                           | X
Appliance TLS RSA public/private key pair                                            | RSA 2048 bit key                                                            | X
Triple-DES KEK for Appliance TLS RSA public/private key pair                         | Password-based key derivation is implemented in compliance with SP 800-132  | X
Password for accessing Triple-DES KEK for Appliance TLS RSA public/private key pair  | N/A                                                                         | X
Appliance Internal CA RSA key                                                        | RSA 2048 bit key – defined in installation                                  | X
DocuSign RSA public key – firmware validation – hard coded                           | RSA 2048 bit key                                                            | X
DocuSign RSA public key – DLM (downloadable module) validation – hard coded          | RSA 2048 bit key                                                            | X
Session encryption/decryption keys                                                   | Triple-DES 192 bit keys, FIPS 46-2                                          | X / X
HMAC key                                                                             | 20 bytes                                                                    | X / X
User public key certificates                                                         | RSA 2048 bit public keys stored in certificates                             | X, R / R, W, X
User signature keys                                                                  | RSA 2048 bit                                                                | W / W, X
DRBG Key                                                                             | HMAC-DRBG RNG Input                                                         | X / X
DRBG seed                                                                            | DRBG seed in Safenet eToken 5105                                            | X / X
DRBG state²                                                                          | DRBG state in Safenet eToken 5105                                           | X / X
Table 5 - Keys, Key Types and Access
¹ Execute a command on the key without the ability to Read or Write.
² The DRBG State is associated with the internal DRBG (eToken). The internal DRBG state is not accessible to the Appliance and is zeroized when the Appliance powers off.
Remark: The DRBG Key, which is 256 bits in size, is based on a 256-bit random seed that is retrieved from an internal Safenet eToken 5105 (FIPS 140-2 validation #1883).
The estimated entropy is at least 5.74 bits per byte (5.74/8), which means that a 256-bit random seed will provide a minimum entropy of 184 bits.
A residual security risk is assumed to result from the incomplete testing of this third-party entropy source.
Self Testing
The Appliance monitors firmware operations using a set of self-tests to ensure proper operation according to the FIPS 140-2 standard. The appliance includes both power-up self-tests and conditional tests, which are described in the following sections.
3.12.1 Power-Up Self Tests
- Critical Function Test - Low Level Hardware Check
- Firmware Integrity Test (RSA signature verification)
- Triple-DES encrypt KAT (for Appliance-internal Triple-DES implementation)
- Triple-DES decrypt KAT (for Appliance-internal Triple-DES implementation)
- Triple-DES encrypt KAT (for Appliance-CKIT Triple-DES implementation)
- Triple-DES decrypt KAT (for Appliance-CKIT Triple-DES implementation)
- Triple-DES MAC KAT (for Triple-DES MAC using the underlying Appliance-internal Triple-DES implementation)
- SHA-1 KAT (for Appliance-internal SHA-1 implementation)
- SHA-256 KAT (for Appliance-internal SHA-256 implementation)
- SHA-384 KAT (for Appliance-internal SHA-384 implementation)
- SHA-512 KAT (for Appliance-internal SHA-512 implementation)
- SHA-1 KAT (for Appliance-CKIT SHA-1 implementation)
- MD5 KAT
- HMAC SHA-256 KAT (for Appliance HMAC implementation)
- HMAC SHA-1 KAT (for Appliance-CKIT HMAC implementation)
- RSA decrypt KAT
- RSA encrypt KAT
- RSA sign KAT
- RSA verify KAT
- HMAC-DRBG KAT
- Critical Function Test - Database Access
In the case of Appliance Hardware version 7.0, following a failure of any of the above tests, the following error is displayed in the console:
Crypto Failure, Can't continue! or Appliance Database is down!
In the case of Appliance Hardware version 8.0, following a failure of any of the above tests, the following error is displayed in the Critical Alerts attribute in the Touch Screen Console:
On – Critical Error or On – DB Error
3.12.2 Conditional Tests
- Continuous RNG test (for HMAC-DRBG). The Appliance’s random number generation is based on a non-deterministic seed key that is generated by the approved DRBG (Cert. #98) of the internal Safenet eToken 5105 (FIPS 140-2 validation #1883). The seed key is updated every minute and subjected to a continuous test based on comparison errors. The output of the DRBG algorithm is checked by a continuous test and for statistical errors. If any of these tests fails, the module enters the error state.
- Continuous RNG test for DRBG output (for DRBG Cert. #98)
- Firmware Load Test¹
- RSA Key Generation pairwise consistency test
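The continuous comparison tests in the list above, as an added illustration that is not the appliance's or DocuSign's code: a minimal SP 800-90A HMAC_DRBG over SHA-256 wrapped with the two checks the policy describes, so that a repeated seed key or a repeated output block puts the wrapper into its error state. The seed values used with it are constructed test constants; the appliance itself draws its seed from the internal eToken.

```python
import hashlib
import hmac

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class HmacDrbg:
    """SP 800-90A HMAC_DRBG over SHA-256, without prediction resistance or additional input."""
    def __init__(self, seed_material: bytes):
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        self.update(seed_material)

    def update(self, provided: bytes = b"") -> None:
        # HMAC_DRBG_Update: folds provided data (such as a fresh seed) into K and V
        self.K = _mac(self.K, self.V + b"\x00" + provided)
        self.V = _mac(self.K, self.V)
        if provided:
            self.K = _mac(self.K, self.V + b"\x01" + provided)
            self.V = _mac(self.K, self.V)

    def generate(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.V = _mac(self.K, self.V)
            out += self.V
        self.update()
        return out[:nbytes]

class ContinuousTestError(Exception):
    """A compared seed or output block repeated: the module enters its error state."""

class MonitoredDrbg:
    """Adds the two comparison checks the policy lists as conditional tests: each
    refreshed seed key is compared with the previous seed key, and each 32-byte
    output block with the previously generated block. The first block after
    seeding is never returned; it is kept only as the comparison value."""
    def __init__(self, seed: bytes):
        self.error = False
        self.last_seed = seed
        self.drbg = HmacDrbg(seed)
        self.last_block = self.drbg.generate(32)  # discarded, comparison value only

    def _fail(self, reason: str) -> None:
        self.error = True
        raise ContinuousTestError(reason)

    def update_seed(self, seed: bytes) -> None:
        # periodic seed refresh (every minute in the appliance)
        if self.error or seed == self.last_seed:
            self._fail("seed key repeated (or module already in error state)")
        self.last_seed = seed
        self.drbg.update(seed)

    def random_bytes(self, n: int) -> bytes:
        if self.error:
            self._fail("module is in error state")
        out = b""
        while len(out) < n:
            block = self.drbg.generate(32)
            if block == self.last_block:
                self._fail("DRBG output block repeated")
            self.last_block = block
            out += block
        return out[:n]
```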
3.13 Mitigation of Other Attacks
The DocuSign Signature Appliance does not include any mechanisms for the prevention of special
attacks.
3.14 Maintenance
The Crypto Officer must check the appliance’s case for any evidence of physical tampering. Special
protective screw cover Tamper Evident cans are attached over two screws on the back of the
appliance. These Tamper Evident cans would be damaged if the appliance’s case has been opened.
Verify that the Tamper Evident cans are attached to the appliance and that they are not damaged.
If you think the appliance has been tampered with, contact DocuSign.
¹ Make sure that the new firmware version is a FIPS 140-2 validated firmware version. RSA 2048-bit with SHA-256 digital signature verification is used in this test.
4 FIPS 140-2 Level 3 Compliant Mode
Cryptographic services should only use FIPS 140-2 approved algorithms. A list of these algorithms can be found in Section 3.12, Strong Cryptographic Algorithms and Secure Key Management.
Only one user can be assigned the role of Crypto Officer. Only the Crypto Officer may possess the backup USB tokens necessary to restore the appliance or reset a tamper condition.
Directory Independent and Active Directory environments are FIPS 140-2 level 3 validated. The Appliance also supports an LDAP environment; however, this is not included in the scope of this FIPS 140-2 level 3 validation process.
The Appliance can be interfaced through a SOAP based Web Services protocol or a RESTful based Web Services protocol. Neither the SOAP based Web Services interface nor the RESTful based Web Services interface is included in the scope of this FIPS 140-2 level 3 validation process.
To make sure the Appliance is running in FIPS Mode, inspect the value of FIPS Mode in the settings section in the console. When in FIPS 140-2 level 3 approved mode, the console displays FIPS Mode on.
4.1 Configuring the Appliance to work in FIPS mode
There are several System Parameters that must be set to appropriate values for the Appliance to work in FIPS mode.
To change system parameters, open the Appliance Management utility and log in as the appliance administrator. Go to the System Parameters section and set the values of the following System Parameters:
- Advanced – Enforce FIPS Approved Algorithm. This value must be set to true. When this value is set, it is not allowed to sign using a 1024-bit RSA key, and it is not allowed to use SHA1 as part of the digital signature operation. Also, when this value is set, the FIPS 186-4 based RSA key generation algorithm is used for generating RSA keys. This means that only RSA 2048-bit keys can be generated.
- Advanced – Web Services Support. This value must be set to false, since the SOAP based Web Services interface is not included as part of the FIPS 140-2 level 3 scope.
- Advanced – RESTful Web Services Support. This value must be set to false, since the RESTful based Web Services interface is not included as part of the FIPS 140-2 level 3 scope.
5 Upgrade Appliance firmware from version 6.0 to version 7.7
Perform the following instructions to upgrade the Appliance firmware from version 6.0 to version 7.7.
In order to upgrade to Appliance version 7.7, the Appliance TLS Server key needs to be replaced. Such replacement can be done only when the Appliance is in Factory State.
- Contact DocuSign support to get the Appliance firmware upgrade packages from version 6.0 to 7.1, from version 7.1 to version 7.4, from version 7.4 to version 7.5 and from version 7.5 to version 7.7.
- Perform the upgrade in a secure environment.
- The upgrade procedure can be performed either on an installed appliance or a non-installed appliance.
- Invoke the Appliance Management application from the DocuSign SA Client’s Control Panel.
- Locate the relevant appliance according to its IP address and log in as an appliance administrator.
- Invoke the Upload Software option for each upgrade file. Provide the set of upgrade files provided to you by DocuSign.
- In each upgrade, a progress bar will indicate the progress of the upgrade operation. When the whole operation ends, the Appliance is installed with firmware version 7.7.
- If the Appliance is in Factory State, then continue to the next step. Otherwise, back up the appliance and turn the appliance to Factory State.
- Contact DocuSign to get a new TLS Server Key that is unique for your appliance. Use the Appliance Management application/Upload Software option to upload the TLS Server Key that is packaged for you by DocuSign. Make sure that the operation ended successfully.
- You can now either perform an installation of the appliance or a restoration using the previously kept backup file.
6 Upgrade Appliance firmware from version 7.7 to version 8.0
Perform the following instructions to upgrade the Appliance firmware from version 7.7 to version 8.0.
- Contact DocuSign support to get the Appliance firmware upgrade package from version 7.7 to 8.0.
- Perform the upgrade in a secure environment.
- The upgrade procedure can be performed either on an installed appliance or a non-installed appliance.
- Invoke the Appliance Management application from the DocuSign SA Client’s Control Panel.
- Locate the relevant appliance according to its IP address and log in as an appliance administrator.
- Invoke the Upload Software option for each upgrade file. Provide the set of upgrade files provided to you by DocuSign.
- In each upgrade, a progress bar will indicate the progress of the upgrade operation. When the whole operation ends, the Appliance is installed with firmware version 8.0.