Lenel OnGuard® 2010 FIPS Mode for ISC Communication User Guide, product version
6.4. This guide is item number DOC-1202, revision 1.012, March 2010
Copyright © 1995-2010 Lenel Systems International, Inc. Information in this document is subject
to change without notice. No part of this document may be reproduced or transmitted in any form
or by any means, electronic or mechanical, for any purpose, without the express written
permission of Lenel Systems International, Inc.
Non-English versions of Lenel documents are offered as a service to our global audiences. We
have attempted to provide an accurate translation of the text, but the official text is the English
text, and any differences in the translation are not binding and have no legal effect.
The software described in this document is furnished under a license agreement and may only be
used in accordance with the terms of that agreement. Lenel and OnGuard are registered
trademarks of Lenel Systems International, Inc.
Windows, Windows Vista, Windows 2003, and Windows XP are trademarks and Microsoft is a
registered trademark of Microsoft Corporation. Integral and FlashPoint are trademarks of Integral
Technologies, Inc. Crystal Reports for Windows is a trademark of Crystal Computer Services, Inc.
Oracle is a registered trademark of Oracle Corporation. Other product names mentioned in this
User Guide may be trademarks or registered trademarks of their respective companies and are
hereby acknowledged.
Portions of this product were created using LEADTOOLS © 1991-2010 LEAD Technologies, Inc.
ALL RIGHTS RESERVED.
OnGuard includes ImageStream® Graphic Filters. Copyright © 1991-2010 Inso Corporation. All
rights reserved. ImageStream Graphic Filters and ImageStream are registered trademarks of Inso
Corporation.
FIPS Mode for ISC Communication User Guide
Table of Contents
Terminology, page 6
Updating the Value of the Inactive Key and Making it Active, page 23
Index, page 33
FIPS Mode for ISC Communication User Guide
Chapter 1: Introduction
This user guide focuses on FIPS mode encryption. When FIPS mode is enabled,
the entire system is configured for manual key management with the ‘Allow
downgraded connections’ option disabled. For a detailed description of manual
and automatic key management encryption, refer to the Encryption for
Controllers User Guide.
FIPS is a set of standards that describe how information is handled and processed
within governmental agencies. One of these sets of standards is FIPS 140-2,
which contains security requirements for cryptographic modules. All software
utilized by Federal agencies which uses cryptographic-based security systems to
protect sensitive information on computer and telecommunications systems must
adhere to this standard.
For manual key management and FIPS mode encryption, the master keys must be
loaded into the controllers using the Lenel Controller Encryption Utility. For
automatic key management, the keys are automatically loaded from the existing
connection between the Communication Server and the ISC.
For manual and automatic key encryption, the encryption settings and master
keys that the Communication Server uses are configured using System
Administration. For FIPS mode encryption, the encryption settings and master
keys that the Communication Server uses are configured using the FIPS Mode
Configuration Utility. The utility is located in the C:\Program Files\OnGuard
directory, and must be run on each computer running a Communication Server
that is servicing encrypted controllers in FIPS mode. The computer(s) running
the Communication Server should only be used in single user mode so that only
one person can use the machine at a single time.
Table fragment, FIPS mode row: Highest / High / Communication Server registry / FIPS Mode Configuration Utility
Terminology
Throughout this user guide, the term controller is used. Within the context of this
user guide, a controller is also referred to as an Intelligent System
Controller (ISC) or an access panel.
Encryption Keys
To encrypt connections, OnGuard implements the Advanced Encryption
Standard (AES). A symmetrical block cipher algorithm, such as AES, requires
that both sender and receiver use the same key. 128-bit keys are used in the
encryption between OnGuard and a Lenel controller.
Master keys are used to encrypt data packets that transfer a session key to the
controller. Master keys are the crux of the encryption process. Both ends of the
connection, the controller and host, must agree on the master key being used to
achieve a connection.
Session keys are used to encrypt any data that is communicated between
OnGuard and Lenel access controllers, except for the transfer of new session
keys. Session keys are automatically generated by OnGuard when a connection is
established with a controller. Session keys are internal to the system and never
exposed.
Only one master key, the active master key, is in use at a given time. The other
master key is inactive. When a master key change is desired, the inactive master
key value is first updated in the controllers. Once this process is complete, the
inactive master key is activated. Over the life of an installation, master key 1 will
sometimes be the active master key and other times be the inactive master key.
This is also true of master key 2.
Important: It is important to keep master key values secure. These values are shared
secretly between the controllers and the Communication Server, and allow
an encrypted connection to be made.
Since the AES algorithm is public, all parties that have access to the key can
encrypt and decrypt the data.
Master key values should not be shared with anybody who is not involved in
their management. They should not be written down or electronically stored
in locations that are not secure.
Note that controllers come from the factory with factory default master key
values. Once a controller is configured for encryption within the OnGuard
system, these factory default values are replaced.
Operator Types
For FIPS 140-2, there are two types of operators, the Crypto officer and the User.
These two operators are differentiated by the services and encryption utilities
they run.
The Crypto officer is responsible for master key management, master key
generation, and setting up controller bypass. The Crypto officer is also
responsible for the portions of the zeroing process that use the FIPS Mode
Configuration Utility. The Crypto officer does not have access to any physical
ports. The Crypto officer handles all functions that require using the FIPS Mode
Configuration Utility and the FIPS Key Generator.
The User is responsible for secure data transmission and showing status. The
User is also responsible for the portions of the zeroing process that involve the
Communication Server. The User has access to the hardware ports (serial, LAN,
and dialup), and handles all functions that require using the Communication
Server.
Chapter 2: FIPS Mode Configuration Utility
The FIPS Mode Configuration Utility that ships with OnGuard is used to
configure the encrypted connection between the Communication Server and the
Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). The
utility is located in the C:\Program Files\OnGuard directory, and must be run
on each computer running a Communication Server that is servicing encrypted
controllers in FIPS mode.
When FIPS mode encryption is enabled using the FIPS Mode Configuration
Utility, settings from the OnGuard database are ignored and settings on the
Communication Server are used for encryption purposes instead. The settings are
stored in a registry key that is only accessible by the account that creates the key.
An administrator will need to make sure the appropriate registry key
(HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS) is accessible
by the account that the Communication Server is running under (if it differs
from the account used to configure these settings).
When FIPS mode is enabled, all Lenel access panels on this particular
Communication Server will be required to use an encrypted connection. If they
do not, they will not come online.
This chapter describes the FIPS Mode Configuration Utility. For details on
configuring a system for FIPS mode, refer to Chapter 3: Encryption to ISCs
Using FIPS Mode on page 15.
FIPS mode: Shows whether FIPS mode is currently enabled or disabled. Possible values include:
• Enabled - FIPS mode is currently turned on; encryption settings and master keys are
stored in the Communication Server’s registry. When FIPS mode is enabled, any
encryption settings in the OnGuard database are ignored.
• Disabled - FIPS mode is currently turned off; encryption settings and master keys are
stored in the OnGuard database.
To change this setting, click [Modify] and select or deselect the Enable FIPS mode check box
in the FIPS Mode Parameters dialog.
Active key: Indicates the current active master key or “None” if FIPS mode is disabled. Possible values
include:
Modify: Opens the FIPS Mode Parameters dialog, in which you can configure FIPS mode settings.
These settings include whether FIPS mode is enabled, whether controllers can bypass
encryption, the active master key, and the key values for master key 1 and master key 2.
Zero Keys: The zero keys function should be used in case of attack/compromise. This function zeros out
the master keys (if set) in the Windows registry. If a key isn’t set, then that key won’t be
updated. If it is set, it will be updated to be all 0’s. For more information, refer to Zeroing
Keys on page 24.
Clear: The clear keys function should be used if you wish to stop using FIPS mode on a
computer. This function first zeros out the keys in the registry, and then removes all
FIPS mode-related parameters from the Windows registry. This essentially turns off FIPS
mode.
Although technically you could use the clear function in case of attack/compromise,
it is strongly recommended that you use the zero keys function instead. For more
information, refer to Zeroing Keys on page 24.
Help: Displays help information for the FIPS Mode Configuration Utility.
Enable FIPS mode: Indicates whether FIPS mode is enabled for the current workstation. If this check box is
selected, encryption keys from the database will not be used. Instead, the active key number
and master key values configured via this utility will be used.
Active master key number: Indicates which master key is the active key. The active key is the one being used for the
current communication with the panel. This option must be set to 1 or 2 if FIPS mode is
enabled. If FIPS mode is disabled, this option must be set to 0.
Master key 1 value: Specifies the value for master key 1. The key is 128 bits and is represented as a
32-character hexadecimal string. The key must be 32 characters long and can only
contain valid hexadecimal characters. For security, any values entered display as * on the
screen.
Import: Click to import the Master key 1 value from a file rather than typing it in manually. If you
imported the master key value from a file, this field will automatically be populated with the
correct value.
Clear: Clears the Master key 1 value and Confirm master key 1 value fields.
Confirm master key 1 value: If you imported the master key from a file, this value will automatically be populated with the
correct value. If you typed the Master key 1 value in by hand, retype it to confirm that it is
correct.
Master key 2 value: Specifies the value for master key 2. The key is 128 bits and is represented as a
32-character hexadecimal string. The key must be 32 characters long and can only
contain valid hexadecimal characters. For security, any values entered display as * on the
screen.
Import: Click to import the Master key 2 value from a file rather than typing it in manually. If you
imported the master key value from a file, this field will automatically be populated with the
correct value.
Clear: Clears the Master key 2 value and Confirm master key 2 value fields.
Confirm master key 2 value: If you imported the master key from a file, this value will automatically be populated with the
correct value. If you typed the Master key 2 value in by hand, retype it to confirm that it is
correct.
Allow controller encryption bypass: If you select this check box, the Bypassed controllers section becomes enabled and you can
specify individual controllers to bypass. Bypassed controllers will not use controller
encryption.
If this check box is not selected, then controller encryption bypass is not allowed.
Panel ID listing window: Displays panel IDs of all controllers that will be bypassed. You can also select a panel ID for a
controller you no longer wish to bypass and remove it from the list of bypassed controllers.
Note that deselecting the Allow controller encryption bypass check box clears this list of bypassed
controllers.
Panel ID: Enabled only if the Allow controller encryption bypass check box is selected. Type the ID
number of the panel that you wish to bypass, and then click [Add].
Add: Enabled only if the Allow controller encryption bypass check box is selected. Type the ID number of
the panel that you wish to bypass in the Panel ID field, and then click [Add]. The panel ID you
entered will be listed in the Panel ID listing window, and will be bypassed.
Remove: Enabled only if a panel ID is selected in the Panel ID listing window. If clicked, the selected
panel ID will be removed from the list of bypassed controllers and will no longer be bypassed.
Save: If clicked, an attempt will be made to save the changes made in this dialog.
Cancel: If clicked, the changes made in this dialog will be discarded and the settings on the
workstation will not be altered.
Chapter 3: Encryption to ISCs Using FIPS Mode
1. Generate master key 1 and master key 2 using a FIPS-approved method. The
FIPS Key Generator located on the Supplemental disc can be used to do this.
For more information, refer to Generate Master Keys on page 16.
2. Run the FIPS Mode Configuration Utility on each computer running a
Communication Server that is servicing encrypted controllers in FIPS mode
and configure it to use FIPS mode. For more information, refer to Configure
FIPS Mode in the FIPS Mode Configuration Utility on page 16.
a. Run the FIPS Mode Configuration Utility.
b. Import the key(s) that you generated.
c. Enable FIPS mode.
d. Specify which controllers, if any, will bypass controller encryption.
e. Save the settings.
f. Shut down or restart the Communication Server(s).
3. Run the Lenel Controller Encryption Utility and load the new master keys
into the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and
LNL-3300). For more information, refer to “Load or Update Keys” in the
Lenel Controller Encryption Configuration Utility online help or user guide,
as well as Load New Master Keys into the Lenel ISCs on page 17.
4. If you shut down the Communication Server(s) in step 2, start it up. For
more information, refer to Restart the Communication Server on page 18.
5. (Optional) Verify that you have the correct permissions to proceed. For more
information, refer to Verify Encryption Permissions on page 17.
6. Log into System Administration and enable FIPS mode in the OnGuard
software. When you do this, the previous non-FIPS mode keys will
automatically be cleared from the database. For more information, refer to
Enable FIPS-mode Controller Encryption on page 18.
Important: The master key generator in System Administration that is used by non-FIPS
mode encryption systems is NOT FIPS approved.
Important: It is your responsibility to use a secure process when importing the master
keys. Never import keys from an insecure location such as a network drive.
If you save the files that contain the keys on a USB Flash drive, floppy disk,
or other portable device so they can be transferred, be sure to safeguard the
device.
If you import a key from a USB device, the USB device must be directly
connected to the device the module is running on and may not pass through
any intervening systems. Additionally, a human operator must be physically
present and physically involved with the key importation from the USB
device; the importation cannot be an electronic process that can run without
human intervention.
b. The Open dialog displays. Navigate to the file that contains the key,
select it, and then click [Open]. The key will automatically populate
both of the respective Master key value and Confirm master key
value fields.
4. Repeat step 3 for the second master key.
5. Select the Enable FIPS mode check box.
Note: Do not confuse this setting with the Enable FIPS-mode controller
encryption setting in System Administration. This setting controls whether
the keys are stored in the registry or not, whereas the setting in System
Administration only determines what encryption-related forms display in
System Administration.
6. In the Active master key number field, select which master key will be
active.
7. Select whether to allow controller encryption bypass.
• If all controllers must use controller encryption, the Allow controller
encryption bypass option should be deselected.
• If there are specific controllers you do not wish to use controller
encryption:
a. Select the Allow controller encryption check box.
b. In the Panel ID field, type the ID of the panel you wish to bypass.
c. Click [Add].
d. Repeat for all controllers you wish to bypass.
8. Click [Save].
9. A message prompts whether you are sure that you wish to make these
changes. Click [Yes].
10. Shut down or restart the Communication Server.
For more information, refer to “Load or Update Keys” in the Lenel Controller
Encryption Configuration Utility online help or user guide.
This setting is separate from the FIPS mode settings that are configured on the
individual Communication Server(s) using the FIPS Mode Configuration Utility.
This setting has no impact on whether FIPS mode is used; it only affects how
System Administration works and what windows are displayed. To use FIPS
mode, you must enable FIPS mode on the Communication Server(s) by running
the FIPS Mode Configuration Utility.
Note: When you enable FIPS-mode controller encryption, all controller encryption
keys will be removed from the database.
1. Generate master key 1 and master key 2 using a FIPS-approved method. The
FIPS Key Generator located on the Supplemental disc can be used to do this.
For more information, refer to Generate Master Keys on page 16.
2. Configure the keys on the Lenel ISCs (LNL-500, LNL-1000, LNL-2000,
LNL-2220, and LNL-3300). For more information, refer to Configure the
Keys on the Lenel ISCs on page 19.
3. For each computer running a Communication Server that is servicing
encrypted controllers in FIPS mode, do the following:
a. Install the OnGuard software. For more information, refer to the
Installation Guide. If the Communication Server will be separate from
the database server, then perform a custom installation and install only
the Communication Server service. Be sure that the computer is in
single user mode.
b. Set the Communication Server to start up automatically.
c. Configure FIPS mode using the FIPS Mode Configuration Utility. For
more information, refer to Configure FIPS Mode in the FIPS Mode
Configuration Utility on page 16.
1) Run the FIPS Mode Configuration Utility.
2) Enable FIPS mode.
3) Enter the master key(s).
4) Specify which controllers, if any, will bypass controller encryption.
5) Save the settings.
d. Make sure that the appropriate registry key
(HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS) is
accessible by the account that the Communication Server is running under
(if it differs from the account used to configure these settings).
4. Restart the Communication Server. For more information, refer to Restart
the Communication Server on page 18.
5. Log into System Administration.
6. Enable FIPS mode in the OnGuard software. For more information, refer to
Enable FIPS-mode Controller Encryption on page 18.
Note: For complete details for each of these steps, refer to “Start the Utility and
Connect to a Controller” in the Lenel Controller Encryption Configuration
Utility online help or user guide.
a. Physically disconnect the cable between the access control system and the
controller. For more information, refer to “Start the Utility and Connect
to a Controller” in the Lenel Controller Encryption Configuration
Utility online help or user guide.
b. Physically connect the cable from the controller to the host machine.
c. Start the Lenel Controller Encryption Configuration Utility.
d. Connect to the controller.
e. Enter master key 1 and master key 2.
f. Load the master keys. For complete details for each of these steps, refer
to “Load or Update Master Keys” in the Lenel Controller Encryption
Configuration Utility online help or user guide.
g. (Optional, but highly recommended) Turn DIP switch 8 ON. Once this
is done, reboot the controller so that the controller will require an
encrypted connection and will only accept encrypted connections with
entities that know the proper master key values. For more information,
refer to DIP Switch Settings for Encryption on page 7.
4. Repeat step 3 at each controller. Load the same master key 1 and master key
2 file on each controller. Be sure to keep the files that contain the master
keys in a secure place that you can remember.
Chapter 4: Using FIPS Mode
There are two types of operators: Crypto officer and User. For a detailed
description of each, refer to Operator Types on page 7.
User procedures:
• View a Controller’s Encryption Characteristics in Alarm Monitoring on page 21
Notes: To view the encryption connection type, you must have the ‘Controller
encryption’ user permission (Administration > Users > System Permission
Groups form > Access Control sub-tab, select the Controller encryption
check box).
Any operator can view error conditions of a controller being offline due to
an encryption error or the current connection to the controller not matching
the configured connection.
The master key can be switched periodically as desired or at any time if there is
concern that it has been compromised.
1. If you want to use a new key, generate one using a FIPS-approved method.
Do not activate this key yet.
Important: It is your responsibility to use a secure process when transferring the keys.
Never import keys from an insecure location such as a network drive. If you
save the files that contain the keys on a USB Flash drive, floppy disk, or
other portable device so they can be transferred, be sure to safeguard the
device.
If you import a FIPS-approved key from a USB device, the USB device must
be directly connected to the device the module is running on and may not
pass through any intervening systems. Additionally, a human operator must
be physically present and physically involved with the key importation from
the USB device; the importation cannot be an electronic process that can run
without human intervention.
Important: Do not update the active master key. If this is done, the controller will
remain offline until the configuration change is made in the FIPS Mode
Configuration Utility to activate that key.
3. Connect the controller using its standard access control system connection.
The controller should come back online with an encrypted connection using
the currently active master key. Note that if possible, controllers marked
logically offline in the access control system should be updated as well. This
will allow them to easily be marked back online in the future.
4. After every controller has been updated, import the new key and activate the
inactive key by doing the following:
a. On the Communication Server, run the FIPS Mode Configuration
Utility.
b. Click [Modify]. The FIPS Mode Parameters window opens.
c. For the key you wish to import, click [Import] and import the new key.
Alternatively, you can type the new key into the appropriate Master key
value and Confirm master key value fields.
d. In the Active master key number field, select the master key number
you wish to make active.
e. Click [Save].
f. Restart the Communication Server. When the Communication Server
starts, it automatically detects which key is active and informs the
controller which one to use. The access control system should begin
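The ordering of the rotation procedure above (update the inactive slot on every controller first, then import and activate it on the Communication Server), as an added Python example that is not part of this guide. The Host and Controller classes, the placeholder key strings, and the rule that a controller is online only when both sides hold the same value in the active key slot are this example's simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Controller:
    """An ISC with its two master key slots (constructed placeholder values)."""
    panel_id: int
    keys: Dict[int, str]            # {1: master key 1 value, 2: master key 2 value}

    def online_with(self, host: "Host") -> bool:
        # Simplified model: the host tells the controller which key number is
        # active; the connection succeeds only if both hold the same value there.
        return self.keys[host.active] == host.keys[host.active]


@dataclass
class Host:
    """The Communication Server's view: two key values plus the active key number."""
    keys: Dict[int, str]
    active: int                     # Active master key number, 1 or 2

    @property
    def inactive(self) -> int:
        return 2 if self.active == 1 else 1


def offline_panels(host: Host, controllers: List[Controller]) -> List[int]:
    """Panel IDs that would show as offline in Alarm Monitoring."""
    return [c.panel_id for c in controllers if not c.online_with(host)]


def rotate_per_guide(host: Host, controllers: List[Controller],
                     new_key: str) -> List[List[int]]:
    """Steps 3 and 4 of the procedure; returns the offline list after each step."""
    history = []
    slot = host.inactive
    for c in controllers:
        c.keys[slot] = new_key              # step 3: touch only the inactive slot
        history.append(offline_panels(host, controllers))
    host.keys[slot] = new_key               # step 4c: import the new key on the host
    host.active = slot                      # step 4d and 4f: activate it, restart
    history.append(offline_panels(host, controllers))
    return history


def update_active_slot_early(host: Host, controllers: List[Controller],
                             new_key: str) -> List[int]:
    """The mistake the 'Do not update the active master key' warning describes:
    a controller's active slot is overwritten before the host is reconfigured."""
    controllers[0].keys[host.active] = new_key
    return offline_panels(host, controllers)


def fresh_site(n: int = 3) -> Tuple[Host, List[Controller]]:
    """Constructed sample site: one host and n controllers sharing placeholder keys."""
    keys = {1: "K1-PLACEHOLDER", 2: "K2-PLACEHOLDER"}
    host = Host(keys=dict(keys), active=1)
    controllers = [Controller(panel_id=i, keys=dict(keys)) for i in range(1, n + 1)]
    return host, controllers
```

Following the guide's order, no controller drops offline at any step; overwriting an active slot first leaves that one controller offline until the host activates the new key.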
Zeroing Keys
Zeroing keys simply means setting the master key values in the
HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS
registry entry to a value of all zeros (0x00000000000000000000000000000000).
Do not do this manually! There are two different functions available in the FIPS
Mode Configuration Utility that zero keys: the zero keys function, and the clear
function. Although both functions zero out the keys in the registry, which
function you use depends on why you are zeroing the keys.
In case of an attack or compromise, you should use the zero keys function to
ensure an adversary won’t recover them. You would shut down the
Communication Server, and then use the zero keys function in the FIPS Mode
Configuration Utility to zero the keys. After the attack/compromise is resolved,
generate new keys, use the Lenel Controller Encryption Utility to load the keys
onto the ISCs, use the FIPS Mode Configuration Utility to load the keys on the
Communication Server(s), and then finally restart the Communication Server.
If you wish to stop using FIPS mode on a machine, use the clear function. The
clear function zeroes the master keys in the registry and then removes all FIPS
mode-related registry entries from the machine. The clear function is the
preferred function for this use because the zero keys function wouldn’t remove
the FIPS mode-related parameters from the registry.
The table that follows summarizes the differences between the zero and clear
functions:
Clear function: Use to remove all configuration related to FIPS mode if it is no longer
in use. Keys are zeroed, and then any FIPS mode-related entries are removed from
the registry. FIPS mode is OFF.
Note: If you wish to remove FIPS mode and related FIPS mode parameters from a
computer, use the clear function rather than the zero keys function. For more
information, refer to Using the Clear Function on page 25.
1. Shut down the Communication Server. This is necessary in order to zero out
any keys currently being used in addition to any stored keys.
2. On the Communication Server machine, run the FIPS Mode Configuration
Utility. (This is the FIPSModeConfigurationUtility.exe file located in
C:\Program Files\OnGuard.) The FIPS Mode Configuration Utility Main
window opens.
3. Click [Zero Keys].
4. A message prompts you to confirm that you wish to zero out the master key
values in the registry. Click [Yes] to zero out the master keys, or [No] to
cancel zeroing the master keys.
5. If the master keys were successfully zeroed out, a message indicating this is
displayed.
1. The master key entries in the registry, if set, are zeroed out and changed to a
value of all zeros.
2. All FIPS mode parameters are removed from the registry. This includes
settings such as whether FIPS mode is enabled, master key values, whether
controller bypass is being used, controllers that are bypassed, and so forth.
This essentially turns off FIPS mode.
For more information, refer to Zero Out Keys on the Controllers on page 26.
To use the clear function to zero keys and remove FIPS mode-related parameters
from the registry:
1. Shut down the Communication Server. This is necessary in order to zero out
any keys currently being used in addition to any stored keys.
2. On the Communication Server machine, run the FIPS Mode Configuration
Utility. (This is the FIPSModeConfigurationUtility.exe file located in
C:\Program Files\OnGuard.) The FIPS Mode Configuration Utility Main
window opens.
3. Click [Clear].
4. A message prompts you to confirm that you wish to clear the FIPS
parameters from the workstation. Click [Yes] to clear the FIPS parameters,
or [No] to cancel clearing the parameters.
5. If the FIPS parameters were successfully cleared, a message indicating this
is displayed.
6. (Optional) Zero out the keys on the controllers. For more information, refer
to Zero Out Keys on the Controllers on page 26.
Important: If keys are zeroed on the controller, the controller should remain physically
disconnected from its communication channel until new keys are set.
Chapter 5: Troubleshooting FIPS Mode
If you encounter any errors when using the FIPS Mode Configuration Utility,
please consult this section for suggestions on how to solve the problem.
Error Messages

Error message: The controller bypass flag contained an invalid value
Solution: The controller bypass flag refers to the Enable FIPS mode check box setting. Its value is stored as 1 or 0 in the registry. If you receive this error, then this value in the registry is neither of these values. To correct this, either clear the FIPS mode parameters, or save new parameters.

Error message: The Controller Bypass Flag and Bypassed Controllers value do not logically agree
Solution: In the FIPS Mode Parameters window, if the Allow controller encryption bypass check box is selected, then controllers must be listed in the Bypassed controllers section. Either add controllers to be bypassed, or deselect the Allow controller encryption bypass check box.

Error message: The FIPS Mode Flag setting and Active Master Key value do not logically agree
Solution: In the FIPS Mode Parameters window, if the Enable FIPS mode check box is selected, then the Active master key number field must be set to 1 or 2. If the Enable FIPS mode check box is deselected, then the Active master key number must be set to 0.

Error message: The Master Key 1 Value is not a proper key value, or The Master Key 2 Value is not a proper key value
Solution: Verify that you selected the correct file. If you did, ensure that the file contains only the master key. A master key is in hexadecimal form. It must be exactly 32 digits, and may contain any of the following numbers or letters: 0 – 9, A – F.

Error message: There was an error reading the registry key which stores the parameters from the registry
Solution: Verify that the user running the FIPS Mode Configuration Utility has sufficient permissions to access and modify the registry.

Error message: Invalid key length for master key 1
Solution: Make sure that the master key contains exactly 32 digits, and that it only contains the following numbers or letters: 0 – 9, A – F.

Error message: Master Key 1 is active, but the Master Key 1 Value is not a proper key value
Solution: Make sure that the master key contains exactly 32 digits, and that it only contains the following numbers or letters: 0 – 9, A – F.

Error message: Master Key 2 is active, but the Master Key 2 Value is not a proper key value
Solution: Make sure that the master key contains exactly 32 digits, and that it only contains the following numbers or letters: 0 – 9, A – F.

Error message: The controller bypass flag and Bypassed Controllers value did not agree with each other
Solution: In the FIPS Mode Parameters window, if the Allow controller encryption bypass check box is selected, then controllers must be listed in the Bypassed controllers section. Either add controllers to be bypassed, or deselect the Allow controller encryption bypass check box.

Error message: The two key values entered for master key 1 do not match
Solution: Retype the values in the Master key 1 value and the Confirm master key 1 value fields; they must be the same.

Error message: There was an error setting up a Security Descriptor and its DACL for the registry
Solution: Verify that the user running the FIPS Mode Configuration Utility has sufficient permissions to access and modify the registry.

Error message: There was an error creating the registry key which stores the parameters
Solution: Verify that the user running the FIPS Mode Configuration Utility has sufficient permissions to access and modify the registry.
Frequently Asked Questions

Answer: No, this setting only controls whether the encryption-related tabs are
displayed in System Administration. To enable FIPS mode encryption, you must
use the FIPS Mode Configuration Utility.

Question: How do I make the encryption tabs visible in the OnGuard software?

Question: How can I hide the encryption tabs in the OnGuard software?

Answer: Settings set via the FIPS Mode Configuration Utility override anything
set in System Administration.

Question: What is the difference between the “Zero Keys” and the “Clear”
option in the FIPS Mode Configuration Utility?

Answer: The “Zero Keys” option resets the master key values in the registry (if
set) to a value of all zeros. All other encryption settings in the registry, such as
bypassed controllers, remain unchanged. The zero keys function should be used
in case of attack/compromise.

The “Clear Keys” option resets the master key values in the registry (if set) to a
value of all zeros, and then removes all FIPS mode-related settings (master keys,
Enable FIPS mode setting, bypassed controllers, etc.) from the registry. Using
the “Clear Keys” option is essentially turning off FIPS mode. The clear keys
function should be used when you wish to stop using FIPS mode on a machine.
For a detailed discussion of the differences, refer to Zeroing Keys on page 24.
Index

A
Access panel terminology ..... 6
Active key setting ..... 10
Alarm Monitoring encryption icons ..... 21
Allow controller encryption bypass setting ..... 13
Attack ..... 24, 25
Automatic key management encryption ..... 5

B
Bypass controller settings ..... 13

C
Clear FIPS mode parameters ..... 25
Clear keys button definition ..... 11
Communication Server ..... 18
    restart ..... 18
Configure
    encryption to ISCs using FIPS mode ..... 15
    FIPS in the FIPS Mode Configuration Utility ..... 16
    FIPS mode on existing encryption systems ..... 15
    FIPS mode on new encryption systems ..... 19
    keys on ISCs ..... 19
Controller terminology ..... 6
Controllers
    configure keys on ..... 19
    icons in Alarm Monitoring ..... 21
    zeroing keys on ..... 26
Crypto officer ..... 7

D
DIP switch 8 ..... 7, 20
DIP switch settings for encryption ..... 7

E
Enable FIPS-mode controller encryption ..... 18
Encryption keys
    master ..... 6
    session ..... 6
Encryption types
    automatic ..... 5
    FIPS mode encryption ..... 5
    manual ..... 5
Error messages
    loading master keys ..... 29
    saving ..... 29

F
FIPS
    definition ..... 5
    Key Generator utility ..... 16
FIPS mode
    configure on existing systems ..... 15
    configure on new systems ..... 19
    disable using clear function ..... 26
FIPS Mode Configuration Utility ..... 9
    Main Window ..... 10
    Parameters dialog ..... 12
FIPS mode parameters
    Active master key number ..... 12
    Allow controller encryption bypass ..... 13
    dialog ..... 12
    Enable FIPS mode ..... 12
    Master key 1 value ..... 12
    Master key 2 value ..... 12
    remove from registry ..... 25
Frequently asked questions ..... 30

G
Generate master keys ..... 16

I
Import master keys ..... 12
Intelligent System Controller (ISC) terminology ..... 6
Introduction ..... 5

K
Key generator ..... 16

L
Load
    master key values onto the Communication Server ..... 16
    master keys into ISCs ..... 17

M
Manual key management encryption ..... 5
Master key
    storage ..... 7
    switch to new ..... 22
Master key 1 ..... 6
Master key 2 ..... 6
Master keys ..... 6
    generate ..... 16
    import into Communication Server ..... 16
O
Operator types....................................................... 7
Overview............................................................... 5
P
Permissions ......................................................... 17
R
Registry key for FIPS mode parameters ............... 9
Restart the Communication Server ..................... 18
S
Session keys .......................................................... 6
Storing master keys............................................... 7
Switch to a new master key ................................ 22
T
Terminology.......................................................... 6
Troubleshooting .................................................. 26
U
User ....................................................................... 8
V
Verify encryption permissions............................ 17
View a controller’s encryption characteristics in
Alarm Monitoring........................................ 21
Z
Zero keys
button definition .......................................... 10
function ........................................................ 25
Zeroing
FIPS mode parameters................................. 25
keys on controllers....................................... 26
Zeroing keys
overview ...................................................... 24
using the clear function................................ 25
using zero keys function .............................. 25
Lenel Systems International, Inc.
1212 Pittsford-Victor Road
Pittsford, New York 14534 USA
Tel 585.248.9720 Fax 585.248.9185
www.lenel.com
docfeedback@lenel.com