Key agreement
Random number generation
Zeroization by deleting the key object
2.4 Physical Security
The module is a software module intended for use on a variety of platforms including
Microsoft Windows XP, Vista, and Win7, Linux, Solaris and other UNIX variants. Since
the module is a software module, it can be exempted from the physical security
requirements of the FIPS 140-2 standard.
2.5 Software and Operating System Security
The Proofpoint Security Library is a software module tested on the CentOS 5 operating
system running with Sun JRE 1.6.0. The library will also operate under Windows XP,
Vista, and Win7, Linux, Solaris and other UNIX variants.
The module consists of a single, signed JAR file. As explained below, a cryptographic
mechanism is used within the module to ensure that the code has not been accidentally or
ineptly modified from its validated configuration.
2.6 Cryptographic Key Management
The Proofpoint Security Library securely administers cryptographic keys, including
ephemeral session keys. All session keys are ephemeral and are discarded immediately
after use.
2.6.1 Key Generation
The module generates keys using a FIPS-approved PRNG (FIPS 186-2, Appendix 3.1,
using SHA-1 to construct the function G). The PRNG allows the use of an optional
XSEED. The module also implements a non-approved RNG (AES RNG), which is not
allowed for use in FIPS mode.
The module does not provide symmetric key generation. The application must always
pass in the key as an argument to the classes for each of the approved symmetric
algorithms.
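The sketch below is an added illustration of the FIPS 186-2 Appendix 3.1 construction named above, with G built from the SHA-1 compression function and an optional XSEED; it is not code from the Proofpoint Security Library. The function names, the default b = 160, and the optional `q` argument (the `mod q` reduction, applied only when the output is a DSA private key) are assumptions of this example, and the seed in the demo is a constructed value.

```python
import struct

# SHA-1 initial chaining value, used as the constant t when G is built from SHA-1.
T = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
M32 = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def sha1_compress(state, block):
    """Run the SHA-1 compression function once over a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[i]) & M32, a, rotl(b, 30), c, d
    return tuple((s + v) & M32 for s, v in zip(state, (a, b, c, d, e)))

def G(c, b=160):
    """G(t, c): zero-pad the b-bit value c to 512 bits, compress once, no SHA-1 padding."""
    block = c.to_bytes(b // 8, "big").ljust(64, b"\x00")
    return int.from_bytes(struct.pack(">5I", *sha1_compress(T, block)), "big")

def prng(xkey, count, xseed=0, q=None, b=160):
    """Return (outputs, next XKEY). q is only set when deriving DSA private keys."""
    if not 160 <= b <= 512 or b % 8:
        raise ValueError("b must be a multiple of 8 between 160 and 512")
    mod, out = 1 << b, []
    for _ in range(count):
        xval = (xkey + xseed) % mod      # mix the optional XSEED into the secret state
        x = G(xval, b)                   # one-way function of the mixed state
        if q is not None:
            x %= q
        xkey = (1 + xkey + x) % mod      # advance XKEY so the next output differs
        out.append(x)
    return out, xkey

if __name__ == "__main__":
    demo_xkey = int.from_bytes(bytes(range(20)), "big")  # constructed, NOT a real seed
    values, _ = prng(demo_xkey, 2)
    print([format(v, "040x") for v in values])
```

All output security rests on XKEY staying secret and unpredictable; XSEED only adds input and does not replace a properly seeded XKEY.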
2.6.2 Key Storage
The module does not store secret or private key material.
2.6.3 Key Zeroization
All ephemeral key data resides in internally allocated data structures that are zeroized by
deletion of the object. An operator can initiate key zeroization by deleting the key object.
2.7 Cryptographic Algorithms
When operating in FIPS mode, the Proofpoint Security Library supports the following
algorithms for the following purposes, key sizes, and cipher modes: