Upload: luciano-rodrigues-e-rodrigues

Post on 19-Feb-2016

FIPS Mode for ISC Communication User Guide

Lenel OnGuard® 2010 FIPS Mode for ISC Communication User Guide, product version 6.4. This guide is item number DOC-1202, revision 1.012, March 2010

Copyright © 1995-2010 Lenel Systems International, Inc. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Lenel Systems International, Inc.

Non-English versions of Lenel documents are offered as a service to our global audiences. We have attempted to provide an accurate translation of the text, but the official text is the English text, and any differences in the translation are not binding and have no legal effect.

The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that agreement. Lenel and OnGuard are registered trademarks of Lenel Systems International, Inc.

Windows, Windows Vista, Windows 2003, and Windows XP are trademarks and Microsoft is a registered trademark of Microsoft Corporation. Integral and FlashPoint are trademarks of Integral Technologies, Inc. Crystal Reports for Windows is a trademark of Crystal Computer Services, Inc. Oracle is a registered trademark of Oracle Corporation. Other product names mentioned in this User Guide may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Portions of this product were created using LEADTOOLS © 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

OnGuard includes ImageStream® Graphic Filters. Copyright © 1991-2010 Inso Corporation. All rights reserved. ImageStream Graphic Filters and ImageStream are registered trademarks of Inso Corporation.

Table of Contents

Chapter 1: Introduction
    Terminology
    Encryption Keys
        Master Key 1 and Master Key 2
    DIP Switch Settings for Encryption
    Operator Types

Chapter 2: FIPS Mode Configuration Utility
    FIPS Mode Configuration Utility Main Window
    FIPS Mode Parameters Dialog

Chapter 3: Encryption to ISCs Using FIPS Mode
    Configuring FIPS Mode on Existing Encryption Systems
        Generate Master Keys
        Configure FIPS Mode in the FIPS Mode Configuration Utility
        Load New Master Keys into the Lenel ISCs
        Verify Encryption Permissions
        Enable FIPS-mode Controller Encryption
        Restart the Communication Server
    Configuring FIPS Mode on New Encryption Systems
        Configure the Keys on the Lenel ISCs

Chapter 4: Using FIPS Mode
    View a Controller’s Encryption Characteristics in Alarm Monitoring
    Switch to a New Master Key
        Activating the Inactive Key without Changing Its Value
        Updating the Value of the Inactive Key and Making it Active
    Zeroing Keys
        Using the Zero Keys Function
        Using the Clear Function
        Zero Out Keys on the Controllers

Chapter 5: Troubleshooting FIPS Mode
    Error Messages
    Frequently Asked Questions

Index

Chapter 1: Introduction

OnGuard enables you to encrypt the connection between the Communication Server and the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). There are three methods that could be used to encrypt this connection:

• Manual key management encryption

• Automatic key management encryption

• Federal Information Processing Standards (FIPS) mode encryption

This user guide focuses on FIPS mode encryption. When FIPS mode is enabled, the entire system is configured for manual key management with the ‘Allow downgraded connections’ option disabled. For a detailed description of manual and automatic key management encryption, refer to the Encryption for Controllers User Guide.

FIPS is a set of standards that describe how information is handled and processed within governmental agencies. One of these sets of standards is FIPS 140-2, which contains security requirements for cryptographic modules. All software utilized by Federal agencies which uses cryptographic-based security systems to protect sensitive information on computer and telecommunications systems must adhere to this standard.

FIPS mode is a type of encryption available to OnGuard users who wish to eventually become FIPS compliant. This method of encryption has the highest level of security, but also requires a high amount of administration. Master keys must be configured manually on every controller, and any time a master key needs to be changed, you must run the FIPS Mode Configuration Utility on every computer running a Communication Server that is servicing encrypted controllers in FIPS mode.

For manual key management encryption and automatic key management encryption, the master keys and encryption settings are stored in the OnGuard database. For FIPS mode encryption, the master keys and encryption settings are stored in the Communication Server’s registry instead, and any encryption settings in the database are ignored.

For manual key management and FIPS mode encryption, the master keys must be loaded into the controllers using the Lenel Controller Encryption Utility. For automatic key management, the keys are automatically loaded from the existing connection between the Communication Server and the ISC.

For manual and automatic key encryption, the encryption settings and master keys that the Communication Server uses are configured using System Administration. For FIPS mode encryption, the encryption settings and master keys that the Communication Server uses are configured using the FIPS Mode Configuration Utility. The utility is located in the C:\Program Files\OnGuard directory, and must be run on each computer running a Communication Server that is servicing encrypted controllers in FIPS mode. The computer(s) running the Communication Server should only be used in single user mode so that only one person can use the machine at a single time.

The table that follows summarizes these differences:

| Encryption method | Level of security | Level of maintenance | Storage location for master keys | Configuration location for encryption settings used by Communication Server |
|---|---|---|---|---|
| Automatic key | High | Low | OnGuard database | System Administration |
| Manual key | Higher | Medium | OnGuard database | System Administration |
| FIPS mode | Highest | High | Communication Server registry | FIPS Mode Configuration Utility |

Terminology

Throughout this user guide, the term controller is used. Within the context of this user guide, you will also see a controller referred to as an Intelligent System Controller (ISC) or an access panel.

Encryption Keys

To encrypt connections, OnGuard implements the Advanced Encryption Standard (AES). A symmetrical block cipher algorithm, such as AES, requires that both sender and receiver use the same key. 128-bit keys are used in the encryption between OnGuard and a Lenel controller.

Master keys are used to encrypt data packets that transfer a session key to the controller. Master keys are the crux of the encryption process. Both ends of the connection, the controller and host, must agree on the master key being used to achieve a connection.

Session keys are used to encrypt any data that is communicated between OnGuard and Lenel access controllers, except for the transfer of new session keys. Session keys are automatically generated by OnGuard when a connection is established with a controller. Session keys are internal to the system and never exposed.

Master Key 1 and Master Key 2

To maintain smooth system operation, two master keys exist in the system and controllers: master key 1 and master key 2.

Only one master key, the active master key, is in use at a given time. The other master key is inactive. When a master key change is desired, the inactive master key value is first updated in the controllers. Once this process is complete, the inactive master key is activated. Over the life of an installation, master key 1 will sometimes be the active master key and other times be the inactive master key. This is also true of master key 2.

Important: It is important to keep master key values secure. These values are shared secretly between the controllers and the Communication Server, and allow an encrypted connection to be made. Since the AES algorithm is public, all parties that have access to the key can encrypt and decrypt the data. Master key values should not be shared with anybody who is not involved in their management. They should not be written down or electronically stored in locations that are not secure.
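A small model of the two-key scheme described above, added here as an example and not taken from Lenel's software: it shows why the inactive key must be updated on every controller before it is activated. The class and function names, the placeholder key values, and the rule that a controller comes online only when it holds the host's active key value are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Host:
    """Communication Server side: both master key slots and the active slot."""
    keys: dict      # slot number (1 or 2) -> master key value (hex string)
    active: int     # slot currently used for connections

    @property
    def inactive(self):
        return 2 if self.active == 1 else 1


@dataclass
class Controller:
    """What was loaded into one ISC. The hardware does not give key values
    back, so a real site would fill this from its own key-loading records."""
    panel_id: int
    keys: dict


def comes_online(host, ctrl):
    # Assumed model: the connection succeeds only when the controller holds
    # the same value as the host in the host's active slot.
    return ctrl.keys.get(host.active) == host.keys[host.active]


def not_ready_for_switch(host, controllers):
    """Panel IDs whose inactive slot does not yet match the host's."""
    slot = host.inactive
    return [c.panel_id for c in controllers
            if c.keys.get(slot) != host.keys[slot]]


def switch_active_key(host, controllers):
    """Activate the inactive key, refusing while any controller lags behind."""
    lagging = not_ready_for_switch(host, controllers)
    if lagging:
        raise RuntimeError(f"update the inactive key first on panels {lagging}")
    host.active = host.inactive
    return [c.panel_id for c in controllers if comes_online(host, c)]


def demo():
    # Constructed placeholder values, not real keys.
    old1, old2, new2 = "11" * 16, "22" * 16, "33" * 16
    host = Host(keys={1: old1, 2: new2}, active=1)
    panels = [Controller(1, {1: old1, 2: new2}),
              Controller(2, {1: old1, 2: new2}),
              Controller(3, {1: old1, 2: old2})]   # panel 3 missed the update
    lagging = not_ready_for_switch(host, panels)   # panel 3 would drop offline
    panels[2].keys[2] = new2                       # load the new value on panel 3
    online = switch_active_key(host, panels)       # now every panel reconnects
    return lagging, online, host.active


if __name__ == "__main__":
    print(demo())
```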

Master Key Storage

Lenel controllers store master keys in non-volatile EEPROM memory permanently soldered to the controller circuit board. There is no mechanism available for obtaining these values from a controller.

Note that controllers come from the factory with factory default master key values. Once a controller is configured for encryption within the OnGuard system, these factory default values are replaced.

DIP Switch Settings for Encryption

For FIPS mode encryption, Lenel recommends that you turn DIP switch 8 ON and reboot the controller so that the controller will require an encrypted connection, and will only accept encrypted connections with entities that know the proper master key values. For more information, refer to “DIP Switch Settings for Encryption” in the Encryption for Controllers User Guide.

Operator Types

For FIPS 140-2, there are two types of operators, the Crypto officer and the User. These two operators are differentiated by the services and encryption utilities they run.

The Crypto officer is responsible for master key management, master key generation, and setting up controller bypass. The Crypto officer is also responsible for the portions of the zeroing process that use the FIPS Mode Configuration Utility. The Crypto officer does not have access to any physical ports. The Crypto officer handles all functions that require using the FIPS Mode Configuration Utility and the FIPS Key Generator.


The User is responsible for secure data transmission and showing status. The User is also responsible for the portions of the zeroing process that involve the Communication Server. The User has access to the hardware ports (serial, LAN, and dialup), and handles all functions that require using the Communication Server.

The table that follows summarizes the operator types:

| Operator type | Functions | Ports | Services/encryption utilities typically used |
|---|---|---|---|
| Crypto officer | Master key management; master key generation; setting up controller bypass; zeroing keys (FIPS Mode Configuration Utility portion) | None | FIPS Mode Configuration Utility; FIPS Key Generator |
| User | Secure data transmission; showing status; zeroing keys (Communication Server portion) | Hardware ports (serial, LAN, and dialup) | Communication Server |

Chapter 2: FIPS Mode Configuration Utility

The FIPS Mode Configuration Utility that ships with OnGuard is used to configure the encrypted connection between the Communication Server and the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). The utility is located in the C:\Program Files\OnGuard directory, and must be run on each computer running a Communication Server that is servicing encrypted controllers in FIPS mode.

This utility is used to:

• Enter and modify the master keys that are used for encryption by Communication Servers that service encrypted controllers in FIPS mode

• Indicate which key is active

• Specify individual access panels to bypass

• Zero out keys

When FIPS mode encryption is enabled using the FIPS Mode Configuration Utility, settings from the OnGuard database are ignored and settings on the Communication Server are used for encryption purposes instead. The settings are stored in a registry key that is only accessible by the account that creates the key. An administrator will need to make sure the appropriate registry key (HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS) is accessible by the account that the Communication Server is running under (if it differs from the account used to configure these settings).

When FIPS mode is enabled, all Lenel access panels on this particular Communication Server will be required to use an encrypted connection. If they do not, they will not come online.

This chapter describes the FIPS Mode Configuration Utility. For details on configuring a system for FIPS mode, refer to Chapter 3: Encryption to ISCs Using FIPS Mode on page 15.

FIPS Mode Configuration Utility Main Window

Form Element: Comment

FIPS mode: Shows whether FIPS mode is currently enabled or disabled. Possible values include:

• Enabled - FIPS mode is currently turned on; encryption settings and master keys are stored in the Communication Server’s registry. When FIPS mode is enabled, any encryption settings in the OnGuard database are ignored.

• Disabled - FIPS mode is currently turned off; encryption settings and master keys are stored in the OnGuard database.

To change this setting, click [Modify] and select or deselect the Enable FIPS mode check box in the FIPS Mode Parameters dialog.

Active key: Indicates the current active master key or “None” if FIPS mode is disabled. Possible values include:

• 1 - Indicates master key value 1 is active

• 2 - Indicates master key value 2 is active

• None - Indicates FIPS mode is disabled

Modify: Opens the FIPS Mode Parameters dialog, in which you can configure FIPS mode settings. These settings include whether FIPS mode is enabled, whether controllers can bypass encryption, the active master key, and the key values for master key 1 and master key 2.

Zero Keys: The zero keys function should be used in case of attack/compromise. This function zeros out the master keys (if set) in the Windows registry. If a key isn’t set, then that key won’t be updated. If it is set, it will be updated to be all 0’s. For more information, refer to Zeroing Keys on page 24.

Clear: The clear keys function should be used if you wish to stop using FIPS mode on a computer. This function first zeros out the keys in the registry, and then removes all FIPS mode-related parameters from the Windows registry. This essentially turns off FIPS mode.

Although technically you could use the clear function in case of attack/compromise, it is strongly recommended that you use the zero keys function instead. For more information, refer to Zeroing Keys on page 24.

Help: Displays help information for the FIPS Mode Configuration Utility.

FIPS Mode Parameters Dialog

Form Element: Comment

Enable FIPS mode: Indicates whether FIPS mode is enabled for the current workstation. If this check box is selected, encryption keys from the database will not be used. Instead, the active key number and master key values configured via this utility will be used.

Active master key number: Indicates which master key is the active key. The active key is the one being used for the current communication with the panel. This option must be set to 1 or 2 if FIPS mode is enabled. If FIPS mode is disabled, this option must be set to 0.

Master key 1 value: Specifies the value for master key 1. The key is 128 bits and is represented as a 32 character representation of a hexadecimal number. The key must be 32 characters long and can only contain valid hexadecimal characters. For security, any values entered display as * on the screen.

Import: Click to import the Master key 1 value from a file rather than typing it in manually. If you imported the master key value from a file, this value will automatically be populated with the correct value.

Clear: Clears the Master key 1 value and Confirm master key 1 value fields.

Confirm master key 1 value: If you imported the master key from a file, this value will automatically be populated with the correct value. If you typed the Master key 1 value in by hand, retype it to confirm that it is correct.

Master key 2 value: Specifies the value for master key 2. The key is 128 bits and is represented as a 32 character representation of a hexadecimal number. The key must be 32 characters long and can only contain valid hexadecimal characters. For security, any values entered display as * on the screen.

Import: Click to import the Master key 2 value from a file rather than typing it in manually. If you imported the master key value from a file, this value will automatically be populated with the correct value.

Clear: Clears the Master key 2 value and Confirm master key 2 value fields.

Confirm master key 2 value: If you imported the master key from a file, this value will automatically be populated with the correct value. If you typed the Master key 2 value in by hand, retype it to confirm that it is correct.

Allow controller encryption bypass: If you select this check box, the Bypassed controllers section becomes enabled and you can specify individual controllers to bypass. Bypassed controllers will not use controller encryption.

If this check box is not selected, then controller encryption bypass is not allowed.

Panel ID listing window: Displays panel IDs of all controllers that will be bypassed. You can also select a panel ID for a controller you no longer wish to bypass and remove it from the list of bypassed controllers. Note that deselecting the Allow controller encryption bypass check box clears this list of bypassed controllers.

Panel ID: Enabled only if the Allow controller encryption bypass check box is selected. Type the ID number of the panel that you wish to bypass, and then click [Add].

Add: Enabled only if the Allow controller encryption bypass check box is selected. Type the ID number of the panel that you wish to bypass in the Panel ID field, and then click [Add]. The panel ID you entered will be listed in the Panel ID listing window, and will be bypassed.

Remove: Enabled only if a panel ID is selected in the Panel ID listing window. If clicked, the selected panel ID will be removed from the list of bypassed controllers and will no longer be bypassed.

Save: If clicked, an attempt will be made to save the changes made in this dialog.

Cancel: If clicked, the changes made in this dialog will be discarded and the settings on the workstation will not be altered.

Chapter 3: Encryption to ISCs Using FIPS Mode

The configuration of encryption to ISCs using FIPS is different depending on whether you are configuring it for a system that is already using encryption, or if it is a new system that doesn’t use encryption yet. Follow the instructions for the category your system falls into:

• Configuring FIPS Mode on Existing Encryption Systems on page 15

• Configuring FIPS Mode on New Encryption Systems on page 19

Configuring FIPS Mode on Existing Encryption Systems

This section assumes that controller encryption is in use on your system. (If it is not, refer to Configuring FIPS Mode on New Encryption Systems on page 19 instead.) Follow these general steps to begin using FIPS mode; detailed information about each step follows this list.

1. Generate master key 1 and master key 2 using a FIPS-approved method. The FIPS Key Generator located on the Supplemental disc can be used to do this. For more information, refer to Generate Master Keys on page 16.

2. Run the FIPS Mode Configuration Utility on each computer running a Communication Server that is servicing encrypted controllers in FIPS mode and configure it to use FIPS mode. For more information, refer to Configure FIPS Mode in the FIPS Mode Configuration Utility on page 16.

a. Run the FIPS Mode Configuration Utility.

b. Import the key(s) that you generated.

c. Enable FIPS mode.

d. Specify which controllers, if any, will bypass controller encryption.

e. Save the settings.

f. Shut down or restart the Communication Server(s).

3. Run the Lenel Controller Encryption Utility and load the new master keys into the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). For more information, refer to “Load or Update Keys” in the Lenel Controller Encryption Configuration Utility online help or user guide, as well as Load New Master Keys into the Lenel ISCs on page 17.

4. If you shut down the Communication Server(s) in step 2, start it up. For more information, refer to Restart the Communication Server on page 18.

5. (Optional) Verify that you have the correct permissions to proceed. For more information, refer to Verify Encryption Permissions on page 17.

6. Log into System Administration and enable FIPS mode in the OnGuard software. When you do this, the previous non-FIPS mode keys will automatically be cleared from the database. For more information, refer to Enable FIPS-mode Controller Encryption on page 18.


Generate Master Keys

In order to be FIPS compliant, you must generate master key 1 and master key 2 using a FIPS-approved random number generator. One such utility is the FIPS Key Generator, which is located on the Supplemental disc. For more information, refer to the FIPS Key Generator User Guide, which is available in the Start menu after you install the FIPS Key Generator.

Important: The master key generator in System Administration that is used by non-FIPS mode encryption systems is NOT FIPS approved.

Configure FIPS Mode in the FIPS Mode Configuration Utility

1. On the Communication Server, navigate to C:\Program Files\OnGuard and run FIPSModeConfigurationUtility.exe. The FIPS Mode Configuration Utility Main window opens.

2. In the FIPS Mode Configuration Utility, click [Modify]. The FIPS Mode Parameters window is displayed.

3. Enter the desired master key value (1 or 2). This can be done by either entering a key manually or by importing a key from a file.

• To enter a key manually:

a. Type the key in the appropriate Master key value field. The key must be 32 characters long and can only contain valid hexadecimal characters. For security, any values entered display as * on the screen.

b. Retype the key in the appropriate Confirm master key value field.

• To import a key from a file:

a. Click [Import] for the master key value (1 or 2) that you wish to import.

Important: It is your responsibility to use a secure process when importing the master keys. Never import keys from an insecure location such as a network drive. If you save the files that contain the keys on a USB Flash drive, floppy disk, or other portable device so they can be transferred, be sure to safeguard the device.

If you import a key from a USB device, the USB device must be directly connected to the device the module is running on and may not pass through any intervening systems. Additionally, a human operator must be physically present and physically involved with the key importation from the USB device; the importation cannot be an electronic process that can run without human intervention.

b. The Open dialog displays. Navigate to the file that contains the key, select it, and then click [Open]. The key will automatically populate both of the respective Master key value and Confirm master key value fields.

4. Repeat step 3 for the second master key.

5. Select the Enable FIPS mode check box.

Note: Do not confuse this setting with the Enable FIPS-mode controller encryption setting in System Administration. This setting controls whether the keys are stored in the registry or not, whereas the setting in System Administration only determines what encryption-related forms display in System Administration.

6. In the Active master key number field, select which master key will be active.

7. Select whether to allow controller encryption bypass.

• If all controllers must use controller encryption, the Allow controller encryption bypass option should be deselected.

• If there are specific controllers you do not wish to use controller encryption:

a. Select the Allow controller encryption bypass check box.

b. In the Panel ID field, type the ID of the panel you wish to bypass.

c. Click [Add].

d. Repeat for all controllers you wish to bypass.

8. Click [Save].

9. A message prompts whether you are sure that you wish to make these changes. Click [Yes].

10. Shut down or restart the Communication Server.
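A pre-entry check for the values used in this procedure, added here as an example (it is not part of OnGuard or the FIPS Mode Configuration Utility): it applies the rules the guide states for key format, active key number, bypass and import location, and never echoes a key value. The names FipsParams and check_params, the sample values and the identical-keys warning are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

HEX_KEY = re.compile(r"[0-9A-Fa-f]{32}")  # 128-bit key as 32 hex characters


@dataclass
class FipsParams:
    """Values an operator is about to enter in the FIPS Mode Parameters dialog."""
    enable_fips: bool
    active_key: int                 # 1 or 2 when enabled, 0 when disabled
    key1: str = ""
    key1_confirm: str = ""
    key2: str = ""
    key2_confirm: str = ""
    allow_bypass: bool = False
    bypassed_panels: list = field(default_factory=list)
    import_paths: list = field(default_factory=list)  # where key files sit


def _check_key(label, value, confirm):
    """Findings for one master key; the key value itself is never echoed."""
    out = []
    if not HEX_KEY.fullmatch(value):
        out.append(("ERROR", f"{label}: must be exactly 32 hexadecimal characters"))
    elif int(value, 16) == 0:
        out.append(("ERROR", f"{label}: all zeros, the state left by Zero Keys"))
    if value.lower() != confirm.lower():
        out.append(("ERROR", f"{label}: confirmation value does not match"))
    return out


def check_params(p):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    out = []
    if p.enable_fips:
        keys = {1: (p.key1, p.key1_confirm), 2: (p.key2, p.key2_confirm)}
        if p.active_key not in keys:
            out.append(("ERROR", "active key number must be 1 or 2 when FIPS mode is enabled"))
        for n, (value, confirm) in keys.items():
            if value or confirm or n == p.active_key:
                out += _check_key(f"master key {n}", value, confirm)
            else:
                out.append(("WARN", f"master key {n} is not set"))
        if HEX_KEY.fullmatch(p.key1) and p.key1.lower() == p.key2.lower():
            # Added check, not a rule from the guide: equal values make a key
            # switch pointless.
            out.append(("WARN", "master key 1 and master key 2 are identical"))
    elif p.active_key != 0:
        out.append(("ERROR", "active key number must be 0 when FIPS mode is disabled"))
    if p.bypassed_panels and not p.allow_bypass:
        out.append(("ERROR", "bypass list is not empty but bypass is not allowed"))
    elif p.allow_bypass:
        for panel in p.bypassed_panels:
            out.append(("WARN", f"panel {panel} will connect without controller encryption"))
    for path in p.import_paths:
        # UNC paths are network locations; a mapped drive letter cannot be
        # recognised from the string alone and still needs a manual check.
        if path.startswith(("\\\\", "//")):
            out.append(("ERROR", f"key file is on a network share: {path}"))
    return out


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    sample = FipsParams(True, 1, "0123456789abcdef" * 2, "0123456789abcdef" * 2,
                        allow_bypass=True, bypassed_panels=[7])
    for severity, message in check_params(sample):
        print(severity, message)
```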

Load New Master Keys into the Lenel ISCs

Systems already using encryption that are being configured to use FIPS mode will already have master keys in use. However, for security reasons you must generate new master keys using a FIPS-approved method when you begin using FIPS mode. These new master keys must then be loaded into the controllers using the Lenel Controller Encryption Utility.

For more information, refer to “Load or Update Keys” in the Lenel Controller Encryption Configuration Utility online help or user guide.

Verify Encryption Permissions

For the Encryption tabs to be shown in System Administration, you must have the ‘Controller encryption’ user permission (Administration > Users > System Permission Groups form > Access Control sub-tab, select the Controller encryption check box).

To be able to modify or export encryption settings, you must have ‘Controller encryption’ and ‘Modify/Export’ permissions (Administration > Users > System Permission Groups form > Access Control sub-tab, select the Controller encryption and Modify/Export check boxes).

Enable FIPS-mode Controller Encryption

The FIPS-mode controller encryption System Option setting in System Administration determines whether the windows for configuring controller encryption will be visible in System Administration. An administrator may choose to enable this option so the OnGuard user interface does not display things to users that don’t apply to them. If this option is selected, the windows for configuring controller encryption that are normally in the following locations will not be visible:

• (Non-segmented systems only) System Options folder

• (Segmented systems only) Segments folder

• Encryption form in the Access Panels folder

This setting is separate from the FIPS mode settings that are configured on the individual Communication Server(s) using the FIPS Mode Configuration Utility. This setting has no impact on whether FIPS mode is used; it only affects how System Administration works and what windows are displayed. To use FIPS mode, you must enable FIPS mode on the Communication Server(s) by running the FIPS Mode Configuration Utility.

Note: When you enable FIPS-mode controller encryption, all controller encryption keys will be removed from the database.

To enable FIPS mode controller encryption:

1. In System Administration, select System Options from the Administration menu.

2. On the General System Options form, click [Modify].

3. Select the Enable FIPS-mode controller encryption check box.

4. Click [OK].

5. A message is displayed that says, “Enabling FIPS mode will cause all controller encryption keys to be removed from the database. Do you want to continue?” If you wish to do this, click [Yes].

Restart the Communication Server

The settings set using the FIPS Mode Configuration Utility are stored in the registry, and the Communication Server only checks these settings upon startup. Therefore, after configuring FIPS mode in the FIPS Mode Configuration Utility you must restart the Communication Server in order for the changes to take effect.


Configuring FIPS Mode on New Encryption Systems

If you have a new system or a system that currently does not use controller encryption and you wish to start using FIPS mode, follow these steps. If not, refer to Configuring FIPS Mode on Existing Encryption Systems on page 15.

1. Generate master key 1 and master key 2 using a FIPS-approved method. The FIPS Key Generator located on the Supplemental disc can be used to do this. For more information, refer to Generate Master Keys on page 16.

2. Configure the keys on the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). For more information, refer to Configure the Keys on the Lenel ISCs on page 19.

3. For each computer running a Communication Server that is servicing encrypted controllers in FIPS mode, do the following:

a. Install the OnGuard software. For more information, refer to the Installation Guide. If the Communication Server will be separate from the database server, then perform a custom installation and install only the Communication Server service. Be sure that the computer is in single user mode.

b. Set the Communication Server to start up automatically.

c. Configure FIPS mode using the FIPS Mode Configuration Utility. For more information, refer to Configure FIPS Mode in the FIPS Mode Configuration Utility on page 16.

1) Run the FIPS Mode Configuration Utility.

2) Enable FIPS mode.

3) Enter the master key(s).

4) Specify which controllers, if any, will bypass controller encryption.

5) Save the settings.

d. Make sure that the appropriate registry key (HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS) is accessible by the account that the Communication Server is running under (if it differs from the account used to configure these settings).

4. Restart the Communication Server. For more information, refer to Restart the Communication Server on page 18.

5. Log into System Administration.

6. Enable FIPS mode in the OnGuard software. For more information, refer to Enable FIPS-mode Controller Encryption on page 18.

Configure the Keys on the Lenel ISCs

FIPS mode is used to encrypt the connection between the controller and the Communication Server, so the master key values in both locations must be the same. To configure the master keys for the controller:

1. Install the Lenel Controller Encryption Configuration Utility on a laptop computer. This utility is located on the Supplemental disc. For more information, refer to “Install the Lenel Controller Encryption Configuration Utility” in the Lenel Controller Encryption Configuration Utility online help or user guide.

2. Take the laptop computer to the first controller you wish to store the keys on.

3. Once at the controller:

Note: For complete details for each of these steps, refer to “Start the Utility and Connect to a Controller” in the Lenel Controller Encryption Configuration Utility online help or user guide.

a. Physically disconnect the cable between the access control system and the controller. For more information, refer to “Start the Utility and Connect to a Controller” in the Lenel Controller Encryption Configuration Utility online help or user guide.

b. Physically connect the cable from the controller to the host machine.

c. Start the Lenel Controller Encryption Configuration Utility.

d. Connect to the controller.

e. Enter master key 1 and master key 2.

f. Load the master keys. For complete details for each of these steps, refer to “Load or Update Master Keys” in the Lenel Controller Encryption Configuration Utility online help or user guide.

g. (Optional, but highly recommended) Turn DIP switch 8 ON. Once this is done, reboot the controller so that the controller will require an encrypted connection and will only accept encrypted connections with entities that know the proper master key values. For more information, refer to DIP Switch Settings for Encryption on page 7.

4. Repeat step 3 at each controller. Load the same master key 1 and master key 2 file on each controller. Be sure to keep the files that contain the master keys in a secure place that you can remember.

Chapter 4: Using FIPS Mode

There are two types of operators: Crypto officer and User. For a detailed description of each, refer to Operator Types on page 7.

User procedures:

• View a Controller’s Encryption Characteristics in Alarm Monitoring on page 21

Crypto officer procedures:

• Switch to a New Master Key on page 22

• Zero keys: Using the Zero Keys Function on page 25 or Using the Clear Function on page 25

• Zero Out Keys on the Controllers on page 26

View a Controller’s Encryption Characteristics in Alarm Monitoring

The following icons may be used in Alarm Monitoring to indicate a controller’s encryption status:

Controller icon descriptions:

• Access panel (without encryption)

• Access panel normal encrypted

• Access panel offline encryption error

• Access panel online encryption mismatch

To view a controller’s encryption status in Alarm Monitoring:

1. Right-click on the controller’s icon and select Properties.

2. Look at the Connection type field. If you have the proper permissions, the type of encryption connection being used on the controller, if any, is displayed in the Connection type field. Types that may be indicated include plain, encrypted in non-FIPS mode, or encrypted in FIPS mode.

Notes: To view the encryption connection type, you must have the ‘Controller encryption’ user permission (Administration > Users > System Permission Groups form > Access Control sub-tab, select the Controller encryption check box).

Any operator can view error conditions of a controller being offline due to an encryption error or the current connection to the controller not matching the configured connection.

Switch to a New Master Key

Master key exposure is extremely low over the encrypted connections. The Master key is only used to encrypt an initial session packet in which a random session key is transferred to the controller. All other packets in a given session with the controller are encrypted using that session key.

The master key can be switched periodically as desired or at any time if there is concern that it has been compromised.

Activating the Inactive Key without Changing Its Value

The very first time a key switch is made, the administrator may wish to simply use the master key 2 value that was initially set up in the system and in the controllers.

Additionally, on subsequent key switches, the administrator may not be concerned with generating a new key value, but simply may want to switch to the other master key value previously configured. This may be done if they simply want to vary the master key value periodically without going to the trouble of making it unique with each change.

To activate the inactive key without changing its value:

1. On the Communication Server, run the FIPS Mode Configuration Utility.

2. Click [Modify]. The FIPS Mode Parameters window opens.

3. Verify that both master key 1 and master key 2 have been entered or imported.

4. In the Active master key number field, select the master key number that was previously inactive.

5. Click [Save].

6. Restart the Communication Server. When the Communication Server starts, it automatically detects which key is active and informs the controller which one to use.

7. Repeat steps 2 - 6 on each computer running a Communication Server that is servicing encrypted controllers in FIPS mode.

Updating the Value of the Inactive Key and Making it Active

The following procedure can be used to switch master keys while using a new master key value.

1. If you want to use a new key, generate one using a FIPS-approved method. Do not activate this key yet.

Important: It is your responsibility to use a secure process when transferring the keys. Never import keys from an insecure location such as a network drive. If you save the files that contain the keys on a USB Flash drive, floppy disk, or other portable device so they can be transferred, be sure to safeguard the device.

If you import a FIPS-approved key from a USB device, the USB device must be directly connected to the device the module is running on and may not pass through any intervening systems. Additionally, a human operator must be physically present and physically involved with the key importation from the USB device; the importation cannot be an electronic process that can run without human intervention.

2. Visit each controller configured for encryption and connect it to the Controller Encryption Configuration Utility. Update the inactive master key.

Important: Do not update the active master key. If this is done, the controller will remain offline until the configuration change is made in the FIPS Mode Configuration Utility to activate that key.

3. Connect the controller using its standard access control system connection. The controller should come back online with an encrypted connection using the currently active master key. Note that if possible, controllers marked logically offline in the access control system should be updated as well. This will allow them to easily be marked back online in the future.

4. After every controller has been updated, import the new key and activate the inactive key by doing the following:

a. On the Communication Server, run the FIPS Mode Configuration Utility.

b. Click [Modify]. The FIPS Mode Parameters window opens.

c. For the key you wish to import, click [Import] and import the new key. Alternatively, you can type the new key into the appropriate Master key value and Confirm master key value fields.

d. In the Active master key number field, select the master key number you wish to make active.

e. Click [Save].

f. Restart the Communication Server. When the Communication Server starts, it automatically detects which key is active and informs the controller which one to use. The access control system should begin making encrypted connections to the controllers using the newly activated master key.

g. Repeat steps b - f on each computer running a Communication Server that is servicing encrypted controllers in FIPS mode.
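The rollout order above can be checked before step 4 is carried out. The following Python model is an added example, not part of the Lenel guide or software: it assumes the crypto officer keeps a log of which key was loaded into each master key number on each controller (as a fingerprint, since the values cannot be read back from the hardware), and all names and key values in it are constructed.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(key_hex):
    """Short SHA-256 tag so the rollout log can compare keys without storing them."""
    return hashlib.sha256(bytes.fromhex(key_hex)).hexdigest()[:12]


@dataclass
class Controller:
    name: str
    slots: dict             # master key number (1 or 2) -> fingerprint loaded on site
    bypassed: bool = False  # listed as bypassing controller encryption


@dataclass
class Server:
    active: int             # Active master key number (1 or 2)
    slots: dict             # master key number -> fingerprint set in the utility


def offline(server, controllers):
    """Encrypted controllers whose copy of the server's active key does not match."""
    want = server.slots.get(server.active)
    return sorted(c.name for c in controllers
                  if not c.bypassed and c.slots.get(server.active) != want)


def preflight(server, controllers, new_slot, new_key_hex):
    """Problems to resolve before importing new_key_hex into new_slot and activating it."""
    if new_slot not in (1, 2):
        return ["master key number must be 1 or 2"]
    if new_slot == server.active:
        return [f"key {new_slot} is the active key; only the inactive key may be updated"]
    tag = fingerprint(new_key_hex)
    problems = [f"{name}: already offline, active key {server.active} does not match"
                for name in offline(server, controllers)]
    problems += [f"{c.name}: key {new_slot} not updated yet"
                 for c in controllers
                 if not c.bypassed and c.slots.get(new_slot) != tag]
    return sorted(problems)


def activate(server, new_slot, new_key_hex):
    """Server state after step 4: key imported, selected as active, service restarted."""
    slots = dict(server.slots)
    slots[new_slot] = fingerprint(new_key_hex)
    return Server(active=new_slot, slots=slots)


# Constructed sample data: key values and controller names are made up.
OLD1, OLD2 = "11" * 16, "22" * 16
NEW2 = "0123456789ABCDEF0123456789ABCDEF"
SERVER = Server(active=1, slots={1: fingerprint(OLD1), 2: fingerprint(OLD2)})
FLEET = [
    Controller("ISC-A", {1: fingerprint(OLD1), 2: fingerprint(NEW2)}),  # updated
    Controller("ISC-B", {1: fingerprint(OLD1), 2: fingerprint(OLD2)}),  # not visited
    Controller("ISC-C", {1: fingerprint(NEW2), 2: fingerprint(OLD2)}),  # active key overwritten
    Controller("ISC-D", {}, bypassed=True),
]

if __name__ == "__main__":
    for line in preflight(SERVER, FLEET, 2, NEW2):
        print("BLOCKER:", line)
    print("offline if activated now:", offline(activate(SERVER, 2, NEW2), FLEET))
```

An empty list from `preflight` means every encrypted controller in the log already holds the new value in the inactive key, so the switch on the Communication Server should not take any of them offline.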

Zeroing Keys

Zeroing keys simply means setting the master key values in the HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS registry entry to a value of all zeros (0x00000000000000000000000000000000). Do not do this manually! There are two different functions available in the FIPS Mode Configuration Utility that zero keys: the zero keys function, and the clear function. Although both functions zero out the keys in the registry, which function you use depends on why you are zeroing the keys.

In case of an attack or compromise, you should use the zero keys function to ensure an adversary won’t recover them. You would shut down the Communication Server, and then use the zero keys function in the FIPS Mode Configuration Utility to zero the keys. After the attack/compromise is resolved, generate new keys, use the Lenel Controller Encryption Utility to load the keys onto the ISCs, use the FIPS Mode Configuration Utility to load the keys on the Communication Server(s), and then finally restart the Communication Server.

If you wish to stop using FIPS mode on a machine, use the clear function. The clear function zeroes the master keys in the registry and then removes all FIPS mode-related registry entries from the machine. The clear function is the preferred function for this use because the zero keys function wouldn’t remove the FIPS mode-related parameters from the registry.

The table that follows summarizes the differences between the zero and clear functions:

| Zeroing method | When to use | Effect on registry | FIPS mode status after using function |
|---|---|---|---|
| Zero function | In case of attack/compromise | Keys are zeroed | If FIPS mode was on, it remains ON; if FIPS mode was off, it remains OFF |
| Clear function | To remove all configuration related to FIPS mode if no longer in use | Keys are zeroed, and then any FIPS mode-related entries are removed from the registry | FIPS mode is OFF |

Using the Zero Keys Function

The zero keys function should be used in case of an attack/compromise. The zero keys function zeroes out any stored master key values in the registry, but leaves all other FIPS mode-related settings in the registry unchanged. For more information, refer to Zeroing Keys on page 24.

Note: If you wish to remove FIPS mode and related FIPS mode parameters from a computer, use the clear function rather than the zero keys function. For more information, refer to Using the Clear Function on page 25.

In case of attack/compromise, follow these steps to zero the keys:

1. Shut down the Communication Server. This is necessary in order to zero out any keys currently being used in addition to any stored keys.

2. On the Communication Server machine, run the FIPS Mode Configuration Utility. (This is the FIPSModeConfigurationUtility.exe file located in C:\Program Files\OnGuard.) The FIPS Mode Configuration Utility Main window opens.

3. Click [Zero Keys].

4. A message prompts you to confirm that you wish to zero out the master key values in the registry. Click [Yes] to zero out the master keys, or [No] to cancel zeroing the master keys.

5. If the master keys were successfully zeroed out, a message indicating this is displayed.

After the attack/compromise has been resolved, do the following:

1. Generate new master keys using a FIPS-approved method. For more information, refer to Generate Master Keys on page 16.

2. Run the Lenel Controller Encryption Utility and load new master keys into the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). For more information, refer to “Load or Update Keys” in the Lenel Controller Encryption Configuration Utility online help or user guide.

3. Run the FIPS Mode Configuration Utility on each computer running a Communication Server that is servicing encrypted controllers in FIPS mode and import the new keys.

4. Restart the Communication Server.

Using the Clear Function

The clear function should be used to remove FIPS mode and related FIPS mode parameters from a computer. In the case of an attack/compromise, use the zero keys function instead. For more information, refer to Using the Zero Keys Function on page 25.

When you use the clear function, two things happen:

1. The master key entries in the registry, if set, are zeroed out and changed to a value of all zeros.

2. All FIPS mode parameters are removed from the registry. This includes settings such as whether FIPS mode is enabled, master key values, whether controller bypass is being used, controllers that are bypassed, and so forth. This essentially turns off FIPS mode.

For more information, refer to Zero Out Keys on the Controllers on page 26.

To use the clear function to zero keys and remove FIPS mode-related parameters from the registry:

1. Shut down the Communication Server. This is necessary in order to zero out any keys currently being used in addition to any stored keys.

2. On the Communication Server machine, run the FIPS Mode Configuration Utility. (This is the FIPSModeConfigurationUtility.exe file located in C:\Program Files\OnGuard.) The FIPS Mode Configuration Utility Main window opens.

3. Click [Clear].

4. A message prompts you to confirm that you wish to clear the FIPS parameters from the workstation. Click [Yes] to clear the FIPS parameters, or [No] to cancel clearing the parameters.

5. If the FIPS parameters were successfully cleared, a message indicating this is displayed.

6. (Optional) Zero out the keys on the controllers. For more information, refer to Zero Out Keys on the Controllers on page 26.

Zero Out Keys on the Controllers

Normally it is not necessary to zero out the keys on the controllers, since they are stored inside the controller in non-volatile EEPROM memory which is soldered to the circuit board and there is no way to request these values from the hardware. However, you may wish to do so if you are done using encryption, or if you are sending a controller back to the factory and you want to make sure all evidence of the keys is removed.

Important: If keys are zeroed on the controller, the controller should remain physically disconnected from its communication channel until new keys are set.

To zero out keys on the controllers:

1. Physically disconnect the controller from its communication channel.

2. Zero out the keys in the Communication Server’s registry. Refer to Using the Zero Keys Function on page 25 or Using the Clear Function on page 25.

3. Use the Lenel Controller Encryption Utility to manually set the keys to all zeros using the “Load or Update Master Keys” procedure in the Lenel Controller Encryption Configuration Utility online help or user guide. Remember that keys are 32 digits long, so enter 32 zeros.

4. After the new keys have been set, physically reconnect the controller to its communication channel.

Chapter 5: Troubleshooting FIPS Mode

If you encounter any errors when using the FIPS Mode Configuration Utility, please consult this section for suggestions on how to solve the problem.

Error Messages

Errors encountered when loading master keys

| Error | Check |
|---|---|
| The controller bypass flag contained an invalid value | The controller bypass flag refers to the Enable FIPS mode check box setting. Its value is stored as 1 or 0 in the registry. If you receive this error, then this value in the registry is neither of these values. To correct this, either clear the FIPS mode parameters, or save new parameters. |
| The Controller Bypass Flag and Bypassed Controllers value do not logically agree | In the FIPS Mode Parameters window, if the Allow controller encryption bypass check box is selected, then controllers must be listed in the Bypassed controllers section. Either add controllers to be bypassed, or deselect the Allow controller encryption bypass check box. |
| The FIPS Mode Flag setting and Active Master Key value do not logically agree | In the FIPS Mode Parameters window, if the Enable FIPS mode check box is selected, then the Active master key number field must be set to 1 or 2. If the Enable FIPS mode check box is deselected, then the Active master key number must be set to 0. |
| The Master Key 1 Value is not a proper key value, or The Master Key 2 Value is not a proper key value | Verify that you selected the correct file. If you did, ensure that the file contains only the master key. A master key is in hexadecimal form. It must be exactly 32 digits, and may contain any of the following numbers or letters: 0 – 9, A – F. |
| There was an error reading the registry key which stores the parameters from the registry | Verify that the user running the FIPS Mode Configuration Utility has sufficient permissions to access and modify the registry. |
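The consistency rules behind these error messages can be checked on a key file or a planned parameter set before the utility is run. The following Python checker is an added example, not Lenel code: the parameter names, the 0/1 encoding of the FIPS mode flag and the tolerance of lowercase a-f are assumptions, the all-zero check is an extra derived from the zeroing behavior described in this guide, and the sample keys are constructed.

```python
import re

HEX_DIGITS = "0123456789abcdefABCDEF"  # assumption: lowercase a-f is tolerated
ZEROED = "0" * 32                      # value the guide says zeroing writes


def key_problem(text):
    """Explain why text is not a proper master key, or return None if it is.

    The messages never echo the key material itself.
    """
    if not text:
        return "no value"
    value = text.rstrip("\r\n")  # a line ending after the key is tolerated
    if value.startswith("\ufeff"):
        return "byte-order mark before the key"
    if value[:2].lower() == "0x":
        return "remove the 0x prefix"
    if re.search(r"[\s:\-]", value):
        return "whitespace or separator characters inside the key"
    if len(value) != 32:
        return f"{len(value)} digits, expected exactly 32"
    bad = [i + 1 for i, ch in enumerate(value) if ch not in HEX_DIGITS]
    if bad:
        return f"non-hexadecimal character at position(s) {bad}"
    return None


def validate_params(p):
    """Return the list of inconsistencies in a parameter set (hypothetical field names)."""
    errors = []
    fips, active = p.get("fips_enabled"), p.get("active_key")
    bypass, bypassed = p.get("bypass_enabled"), p.get("bypassed_controllers") or []
    if bypass not in (0, 1):
        errors.append("controller bypass flag is not 0 or 1")
    elif bypass == 1 and not bypassed:
        errors.append("bypass is allowed but no bypassed controllers are listed")
    if fips not in (0, 1):
        errors.append("FIPS mode flag is not 0 or 1")
    elif fips == 1 and active not in (1, 2):
        errors.append("FIPS mode is enabled but the active master key number is not 1 or 2")
    elif fips == 0 and active != 0:
        errors.append("FIPS mode is disabled but the active master key number is not 0")
    for n in (1, 2):
        value = p.get(f"master_key_{n}")
        if value is None and n != active:
            continue  # an inactive key that was never entered is not an error
        problem = key_problem(value)
        if problem:
            errors.append(f"master key {n}: {problem}")
        elif value.rstrip("\r\n") == ZEROED and fips == 1 and n == active:
            errors.append(f"master key {n} is active but holds the all-zero value written by zeroing")
    return errors


# Constructed sample parameter sets; the key values are made up.
GOOD = {"fips_enabled": 1, "active_key": 1, "bypass_enabled": 0,
        "bypassed_controllers": [],
        "master_key_1": "0123456789ABCDEF0123456789ABCDEF",
        "master_key_2": "FEDCBA9876543210FEDCBA9876543210"}
BROKEN = {"fips_enabled": 1, "active_key": 0, "bypass_enabled": 1,
          "bypassed_controllers": [],
          "master_key_1": "0123 4567 89AB CDEF 0123 4567 89AB CDEF",
          "master_key_2": ZEROED}
AFTER_ZERO_KEYS = dict(GOOD, active_key=2, master_key_2=ZEROED)

if __name__ == "__main__":
    for label, params in (("good", GOOD), ("broken", BROKEN), ("zeroed", AFTER_ZERO_KEYS)):
        print(label, validate_params(params) or "OK")
```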

Errors encountered when saving

| Error | Action needed to correct the error |
|---|---|
| Invalid key length for master key 1 | Make sure that the master key contains exactly 32 digits, and that it only contains the following numbers or letters: 0 – 9, A – F. |
| Master Key 1 is active, but the Master Key 1 Value is not a proper key value | Make sure that the master key contains exactly 32 digits, and that it only contains the following numbers or letters: 0 – 9, A – F. |
| Master Key 2 is active, but the Master Key 2 Value is not a proper key value | Make sure that the master key contains exactly 32 digits, and that it only contains the following numbers or letters: 0 – 9, A – F. |
| The controller bypass flag and Bypassed Controllers value did not agree with each other | In the FIPS Mode Parameters window, if the Allow controller encryption bypass check box is selected, then controllers must be listed in the Bypassed controllers section. Either add controllers to be bypassed, or deselect the Allow controller encryption bypass check box. |
| The two key values entered for master key 1 do not match | Retype the values in the Master key 1 value and the Confirm master key 1 value fields; they must be the same. |
| There was an error setting up a Security Descriptor and its DACL for the registry | Verify that the user running the FIPS Mode Configuration Utility has sufficient permissions to access and modify the registry. |
| There was an error creating the registry key which stores the parameters | Verify that the user running the FIPS Mode Configuration Utility has sufficient permissions to access and modify the registry. |

Frequently Asked Questions

Question: Does the Enable FIPS-mode controller encryption setting on the General System Options form allow me to use FIPS mode encryption?

Answer: No, this setting only controls whether the encryption-related tabs are displayed in System Administration. To enable FIPS mode encryption, you must use the FIPS Mode Configuration Utility.

Question: How do I make the encryption tabs visible in the OnGuard software?

Answer: In Administration > System Options, deselect the Enable FIPS-mode controller encryption check box. For more information, refer to Enable FIPS-mode Controller Encryption on page 18.

Question: How can I hide the encryption tabs in the OnGuard software?

Answer: In Administration > System Options, select the Enable FIPS-mode controller encryption check box. For more information, refer to Configure FIPS Mode in the FIPS Mode Configuration Utility on page 16.


Question: FIPS can be configured in System Administration or using the FIPS Mode Configuration Utility - which settings override which?

Answer: Settings set via the FIPS Mode Configuration Utility override anything set in System Administration.

Question: What is the difference between the “Zero Keys” and the “Clear” option in the FIPS Mode Configuration Utility?

Answer: The “Zero Keys” option resets the master key values in the registry (if set) to a value of all zeros. All other encryption settings in the registry, such as bypassed controllers, remain unchanged. The zero keys function should be used in case of attack/compromise.

The “Clear Keys” option resets the master key values in the registry (if set) to a value of all zeros, and then removes all FIPS mode-related settings (master keys, Enable FIPS mode setting, bypassed controllers, etc.) from the registry. Using the “Clear Keys” option is essentially turning off FIPS mode. The clear keys function should be used when you wish to stop using FIPS mode on a machine.

For a detailed discussion of the differences, refer to Zeroing Keys on page 24.

Lenel Systems International, Inc.
1212 Pittsford-Victor Road
Pittsford, New York 14534 USA
Tel 585.248.9720