FIPS Mode for ISC

Communication User

PERPETUAL INNOVATION
Guide

Lenel OnGuard® 2010 FIPS Mode for ISC Communication User Guide, product version
6.4. This guide is item number DOC-1202, revision 1.012, March 2010
Copyright © 1995-2010 Lenel Systems International, Inc. Information in this document is subject
to change without notice. No part of this document may be reproduced or transmitted in any form
or by any means, electronic or mechanical, for any purpose, without the express written
permission of Lenel Systems International, Inc.
Non-English versions of Lenel documents are offered as a service to our global audiences. We
have attempted to provide an accurate translation of the text, but the official text is the English
text, and any differences in the translation are not binding and have no legal effect.
The software described in this document is furnished under a license agreement and may only be
used in accordance with the terms of that agreement. Lenel and OnGuard are registered
trademarks of Lenel Systems International, Inc.
Windows, Windows Vista, Windows 2003, and Windows XP are trademarks and Microsoft is a
registered trademark of Microsoft Corporation. Integral and FlashPoint are trademarks of Integral
Technologies, Inc. Crystal Reports for Windows is a trademark of Crystal Computer Services, Inc.
Oracle is a registered trademark of Oracle Corporation. Other product names mentioned in this
User Guide may be trademarks or registered trademarks of their respective companies and are
hereby acknowledged.
Portions of this product were created using LEADTOOLS © 1991-2010 LEAD Technologies, Inc.
ALL RIGHTS RESERVED.
OnGuard includes ImageStream® Graphic Filters. Copyright © 1991-2010 Inso Corporation. All
rights reserved. ImageStream Graphic Filters and ImageStream are registered trademarks of Inso
Corporation.
 FIPS Mode for ISC Communication User Guide

Table of Contents

Chapter 1: Introduction ...............................................................5

Terminology .................................................................................................... 6

Encryption Keys .............................................................................................. 6

Master Key 1 and Master Key 2 ........................................................................................ 6

DIP Switch Settings for Encryption ................................................................. 7

Operator Types ............................................................................................... 7

Chapter 2: FIPS Mode Configuration Utility ..............................9

FIPS Mode Configuration Utility Main Window ............................................. 10

FIPS Mode Parameters Dialog ..................................................................... 12

Chapter 3: Encryption to ISCs Using FIPS Mode ...................15

Configuring FIPS Mode on Existing Encryption Systems ............................. 15

Generate Master Keys .................................................................................................... 16

Configure FIPS Mode in the FIPS Mode Configuration Utility ......................................... 16

Load New Master Keys into the Lenel ISCs .................................................................... 17

Verify Encryption Permissions ........................................................................................ 17

Enable FIPS-mode Controller Encryption ....................................................................... 18

Restart the Communication Server ................................................................................. 18

Configuring FIPS Mode on New Encryption Systems ................................... 19

Configure the Keys on the Lenel ISCs ............................................................................ 19

Chapter 4: Using FIPS Mode .....................................................21

View a Controller’s Encryption Characteristics in Alarm Monitoring ............. 21

Switch to a New Master Key ......................................................................... 22

revision 1 — 3
Table of Contents

Activating the Inactive Key without Changing Its Value .................................................. 22

Updating the Value of the Inactive Key and Making it Active .......................................... 23

Zeroing Keys ................................................................................................. 24

Using the Zero Keys Function ......................................................................................... 25

Using the Clear Function ................................................................................................. 25

Zero Out Keys on the Controllers .................................................................................... 26

Chapter 5: Troubleshooting FIPS Mode ..................................29

Error Messages ............................................................................................. 29

Frequently Asked Questions ......................................................................... 30

Index .................................................................................................33

4 — revision 1
 FIPS Mode for ISC Communication User Guide

Chapter 1: Introduction

OnGuard enables you to encrypt the connection between the Communication

Server and the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and
LNL-3300). There are three methods that could be used to encrypt this
connection:
• Manual key management encryption
• Automatic key management encryption
• Federal Information Processing Standards (FIPS) mode encryption

This user guide focuses on FIPS mode encryption. When FIPS mode is enabled,
the entire system is configured for manual key management with the ‘Allow
downgraded connections’ option disabled. For a detailed description of manual
and automatic key management encryption, refer to the Encryption for
Controllers User Guide.

FIPS is a set of standards that describe how information is handled and processed
within governmental agencies. One of these sets of standards is FIPS 140-2,
which contains security requirements for cryptographic modules. All software
utilized by Federal agencies which uses cryptographic-based security systems to
protect sensitive information on computer and telecommunications systems must
adhere to this standard.

FIPS mode is a type of encryption available to OnGuard users who wish to

eventually become FIPS compliant. This method of encryption has the highest
level of security, but also requires a high amount of administration. Master keys
must be configured manually on every controller, and any time a master key
needs to be changed, you must run the FIPS Mode Configuration Utility on every
computer running a Communication Server that is servicing encrypted
controllers in FIPS mode.

For manual key management encryption and automatic key management

encryption, the master keys and encryption settings are stored in the OnGuard
database. For FIPS mode encryption, the master keys and encryption settings are
stored in the Communication Server’s registry instead, and any encryption
settings in the database are ignored.

For manual key management and FIPS mode encryption, the master keys must be
loaded into the controllers using the Lenel Controller Encryption Utility. For
automatic key management, the keys are automatically loaded from the existing
connection between the Communication Server and the ISC.

For manual and automatic key encryption, the encryption settings and master
keys that the Communication Server uses are configured using System
Administration. For FIPS mode encryption, the encryption settings and master
keys that the Communication Server uses are configured using the FIPS Mode
Configuration Utility. The utility is located in the C:\Program Files\OnGuard
directory, and must be run on each computer running a Communication Server
that is servicing encrypted controllers in FIPS mode. The computer(s) running
the Communication Server should only be used in single user mode so that only
one person can use the machine at a single time.

revision 1 — 5
1: Introduction

The table that follows summarizes these differences:

Encryption Level of Level of Storage location for master Configuration location

method security maintenance keys for encryption settings
used by
Communication Server

Automatic key High Low OnGuard database System Administration

Manual key Higher Medium OnGuard database System Administration

FIPS mode Highest High Communication Server registry FIPS Mode Configuration
Utility

Terminology
Throughout this use guide, the term controller is used. Within the context of this
user guide, you will also see a controller referred to as an Intelligent System
Controller (ISC) or an access panel.

Encryption Keys
To encrypt connections, OnGuard implements the Advanced Encryption
Standard (AES). A symmetrical block cipher algorithm, such as AES, requires
that both sender and receiver use the same key. 128-bit keys are used in the
encryption between OnGuard and a Lenel controller.

Master keys are used to encrypt data packets that transfer a session key to the
controller. Master keys are the crux of the encryption process. Both ends of the
connection, the controller and host, must agree on the master key being used to
achieve a connection.

Session keys are used to encrypt any data that is communicated between
OnGuard and Lenel access controllers, except for the transfer of new session
keys. Session keys are automatically generated by OnGuard when a connection is
established with a controller. Session keys are internal to the system and never
exposed.

Master Key 1 and Master Key 2

To maintain smooth system operation, two master keys exist in the system and
controllers: master key 1 and master key 2.

Only one master key, the active master key, is in use at a given time. The other
master key is inactive. When a master key change is desired, the inactive master
key value is first updated in the controllers. Once this process is complete, the
inactive master key is activated. Over the life of an installation, master key 1 will

6 — revision 1
 FIPS Mode for ISC Communication User Guide

sometimes be the active master key and other times be the inactive master key.
This is also true of master key 2.

Important: It is important to keep master key values secure. These values are shared
secretly between the controllers and the Communication Server, and allow
an encrypted connection to be made.
Since the AES algorithm is public, all parties that have access to the key can
encrypt and decrypt the data.
Master key values should not be shared with anybody who is not involved in
their management. They should not be written down or electronically stored
in locations that are not secure.

Master Key Storage

Lenel controllers store master keys in non-volatile EEPROM memory

permanently soldered to the controller circuit board. There is no mechanism
available for obtaining these values from a controller.

Note that controllers come from the factory with factory default master key
values. Once a controller is configured for encryption within the OnGuard
system, these factory default values are replaced.

DIP Switch Settings for Encryption

For FIPS mode encryption, Lenel recommends that you turn DIP switch 8 ON
and reboot the controller so that the controller will require an encrypted
connection, and will only accept encrypted connections with entities that know
the proper master key values. For more information, refer to “DIP Switch
Settings for Encryption” in the Encryption for Controllers User Guide.

Operator Types
For FIPS 140-2, there are two types of operators, the Crypto officer and the User.
These two operators are differentiated by the services and encryption utilities
they run.

The Crypto officer is responsible for master key management, master key
generation, and setting up controller bypass. The Crypto officer is also
responsible for the portions of the zeroing process that use the FIPS Mode
Configuration Utility. The Crypto officer does not have access to any physical
ports. The Crypto officer handles all functions that require using the FIPS Mode
Configuration Utility and the FIPS Key Generator.

revision 1 — 7
1: Introduction

The User is responsible for secure data transmission and showing status. The
User is also responsible for the portions of the zeroing process that involve the
Communication Server. The User has access to the hardware ports (serial, LAN,
and dialup), and handles all functions that require using the Communication
Server.

The table that follows summarizes the operator types:

Operator Functions Ports Services/encryption

type utilities typically used

Crypto • Master key management None • FIPS Mode

officer Configuration Utility
• Master key generation
• FIPS Key Generator
• Setting up controller bypass
• Zeroing keys (FIPS Mode
Configuration Utility portion)

User • Secure data transmission Hardware ports (serial, Communication Server

LAN, and dialup)
• Showing status
• Zeroing keys
(Communication Server
portion)

8 — revision 1
 FIPS Mode for ISC Communication User Guide

Chapter 2: FIPS Mode Configuration Utility

The FIPS Mode Configuration Utility that ships with OnGuard is used to
configure the encrypted connection between the Communication Server and the
Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-3300). The
utility is located in the C:\Program Files\OnGuard directory, and must be run
on each computer running a Communication Server that is servicing encrypted
controllers in FIPS mode.

This utility is used to:

• Enter and modify the master keys that are used for encryption by
Communication Servers that service encrypted controllers in FIPS mode
• Indicate which key is active
• Specify individual access panels to bypass
• Zero out keys

When FIPS mode encryption is enabled using the FIPS Mode Configuration
Utility, settings from the OnGuard database are ignored and settings on the
Communication Server are used for encryption purposes instead. The settings are
stored in a registry key that is only accessible by the account that creates the key.
An administrator will need to make sure the appropriate registry key
(HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-
PARAMS) is accessible by the account that the Communication Server is
running under (if it differs from the account used to configure these settings).

When FIPS mode is enabled, all Lenel access panels on this particular
Communication Server will be required to use an encrypted connection. If they
do not, they will not come online.

This chapter describes the FIPS Mode Configuration Utility. For details on
configuring a system for FIPS mode, refer to Chapter 3: Encryption to ISCs
Using FIPS Mode on page 15.

revision 1 — 9
2: FIPS Mode Configuration Utility

FIPS Mode Configuration Utility Main Window

FIPS Mode Configuration Utility Main Window

Form Element Comment

FIPS mode Shows whether FIPS mode is currently enabled or disabled. Possible values include:

• Enabled - FIPS mode is currently turned on; encryption settings and master keys are
stored in the Communication Server’s registry. When FIPS mode is enabled, any
encryption settings in the OnGuard database are ignored.
• Disabled - FIPS mode is currently turned off; encryption settings and master keys are
stored in the OnGuard database.

To change this setting, click [Modify] and select or deselect the Enable FIPS mode check box
in the FIPS Mode Parameters dialog.

Active key Indicates the current active master key or “None” if FIPS mode is disabled. Possible values
include:

• 1 - Indicates master key value 1 is active

• 2 - Indicates master key value 2 is active
• None - Indicates FIPS mode is disabled

Modify Opens the FIPS Mode Parameters dialog, in which you can configure FIPS mode settings.
These settings include whether FIPS mode is enabled, whether controllers can bypass
encryption, the active master key, and the key values for master key 1 and master key 2.

Zero Keys The zero keys function should be used in case of attack/compromise. This function zeros out
the master keys (if set) in the Windows registry. If a key isn’t set, then that key won’t be
updated. If it is set, it will be updated to be all 0’s. For more information, refer to Zeroing
Keys on page 24.

10 — revision 1
 FIPS Mode for ISC Communication User Guide

FIPS Mode Configuration Utility Main Window (Continued)

Form Element Comment

Clear The clear keys function should be used if you wish to stop using FIPS mode on a
computer. This function first zeros out the keys in the registry, and then removes all
FIPS mode-related parameters from the Windows registry. This essentially turns off FIPS
mode.

Although technically you could use the clear function in case of attack/compromise,
it is strongly recommended that you use the zero keys function instead. For more
information, refer to Zeroing Keys on page 24.
Help Displays help information for the FIPS Mode Configuration Utility.

revision 1 — 11
2: FIPS Mode Configuration Utility

FIPS Mode Parameters Dialog

FIPS Mode Parameters Dialog

Form Element Comment

Enable FIPS mode Indicates whether FIPS mode is enabled for the current workstation. If this check box is
selected, encryption keys from the database will not be used. Instead, the active key number
and master key values configured via this utility will be used.

Active master key Indicates which master key is the active key. The active key is the one being used for the
number current communication with the panel. This option must be set to 1 or 2 if FIPS mode is
enabled. If FIPS mode is disabled, this option must be set to 0.

Master key 1 value Specifies the value for master key 1. The key is 128 bits and is represented as a 32 character
representation of a hexadecimal number. The key must be 32 characters long and can only
contain valid hexadecimal characters. For security, any values entered display as * on the
screen.

Import Click to import the Master key 1 value from a file rather than typing it in manually. If you
imported the master key value from a file, this value will automatically be populated with the
correct value.

Clear Clears the Master key 1 value and Confirm master key 1 value fields.

Confirm master If you imported the master key from a file, this value will automatically be populated with the
key 1 value correct value. If you typed the Master key value 1 in by hand, retype it to confirm that it is
correct.

Master key 2 value Specifies the value for master key 2. The key is 128 bits and is represented as a 32 character
representation of a hexadecimal number. The key must be 32 characters long and can only
contain valid hexadecimal characters. For security, any values entered display as * on the
screen.

12 — revision 1
 FIPS Mode for ISC Communication User Guide

FIPS Mode Parameters Dialog (Continued)

Form Element Comment

Import Click to import the Master key 2 value from a file rather than typing it in manually. If you
imported the master key value from a file, this value will automatically be populated with the
correct value.

Clear Clears the Master key 2 value and Confirm master key 2 value fields.

Confirm master If you imported the master key from a file, this value will automatically be populated with the
key 2 value correct value. If you typed the Master key value 1 in by hand, retype it to confirm that it is
correct.

Allow controller If you select this check box, the Bypassed controllers section becomes enabled and you can
encryption bypass specify individual controllers to bypass. Bypassed controllers will not use controller
encryption.

If this check box is not selected, then controller encryption bypass is not allowed.

Panel ID listing Displays panel IDs of all controllers that will be bypassed. You can also select a panel ID for a
window controller you no longer wish to bypass and remove it from the list of bypassed controllers.
Note that deselecting the Allow controller encryption check box clears this list of bypassed
controllers.

Panel ID Enabled only if the Allow controller encryption bypass check box is selected. Type the ID
number of the panel that you wish to bypass, and then click [Add].

Add Enabled only if the Allow controller encryption check box is selected. Type the ID number of
the panel that you wish to bypass in the Panel ID field, and then click [Add]. The panel ID you
entered will be listed in the Panel ID listing window, and will be bypassed.

Remove Enabled only if a panel ID is selected in the Panel ID listing window. If clicked, the selected
panel ID will be removed from the list of bypassed controllers and will no longer be bypassed.

Save If clicked, an attempt will be made to save the changes made in this dialog.

Cancel If clicked, the changes made in this dialog will be discarded and the settings on the
workstation will not be altered.

revision 1 — 13
2: FIPS Mode Configuration Utility

14 — revision 1
 FIPS Mode for ISC Communication User Guide

Chapter 3: Encryption to ISCs Using FIPS Mode

The configuration of encryption to ISCs using FIPS is different depending on

whether you are configuring it for a system that is already using encryption, or if
it is a new system that doesn’t use encryption yet. Follow the instructions for the
category your system falls into:
• Configuring FIPS Mode on Existing Encryption Systems on page 15
• Configuring FIPS Mode on New Encryption Systems on page 19

Configuring FIPS Mode on Existing Encryption Systems

This section assumes that controller encryption is in use on your system. (If it is
not, refer to Configuring FIPS Mode on New Encryption Systems on page 19
instead.) Follow these general steps to begin using FIPS mode; detailed
information about each step follows this list.

1. Generate master key 1 and master key 2 using a FIPS-approved method. The
FIPS Key Generator located on the Supplemental disc can be used to do this.
For more information, refer to Generate Master Keys on page 16.
2. Run the FIPS Mode Configuration Utility on each computer running a
Communication Server that is servicing encrypted controllers in FIPS mode
and configure it to use FIPS mode. For more information, refer to Configure
FIPS Mode in the FIPS Mode Configuration Utility on page 16.
a. Run the FIPS Mode Configuration Utility.
b. Import the key(s) that you generated.
c. Enable FIPS mode.
d. Specify which controllers, if any, will bypass controller encryption.
e. Save the settings.
f. Shut down or restart the Communication Server(s).
3. Run the Lenel Controller Encryption Utility and load the new master keys
into the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and
LNL-3300). For more information, refer to “Load or Update Keys” in the
Lenel Controller Encryption Configuration Utility online help or user guide,
as well as Load New Master Keys into the Lenel ISCs on page 17.
4. If you shut down the Communication Server(s) in step 2, start it up. For
more information, refer to Restart the Communication Server on page 18.
5. (Optional) Verify that you have the correct permissions to proceed. For more
information, refer to Verify Encryption Permissions on page 17.
6. Log into System Administration and enable FIPS mode in the OnGuard
software. When you do this, the previous non-FIPS mode keys will
automatically be cleared from the database. For more information, refer to
Enable FIPS-mode Controller Encryption on page 18.

revision 1 — 15
3: Encryption to ISCs Using FIPS Mode

Generate Master Keys

In order to be FIPS compliant, you must generate master key 1 and master key 2
using a FIPS-approved random number generator. One such utility is the FIPS
Key Generator, which is located on the Supplemental disc. For more information,
refer to the FIPS Key Generator User Guide, which is available in the Start menu
after you install the FIPS Key Generator.

Important: The master key generator in System Administration that is used by non-FIPS
mode encryption systems is NOT FIPS approved.

Configure FIPS Mode in the FIPS Mode Configuration

Utility
1. On the Communication Server, navigate to C:\Program Files\OnGuard
and run FIPSModeConfigurationUtility.exe. The FIPS Mode
Configuration Utility Main window opens.
2. In the FIPS Mode Configuration Utility, click [Modify]. The FIPS Mode
Parameters window is displayed.
3. Enter the desired master key value (1 or 2). This can be done by either
entering a key manually or by importing a key from a file.
• To enter a key manually:
a. Type the key in the appropriate Master key value field. The key
must be 32 characters long and can only contain valid hexadecimal
characters. For security, any values entered display as * on the
screen.
b. Retype the key in the appropriate Confirm master key value field.
• To import a key from a file:
a. Click [Import] for the master key value (1 or 2) that you wish to
import.

Important: It is your responsibility to use a secure process when importing the master
keys. Never import keys from an insecure location such as a network drive.
If you save the files that contain the keys on a USB Flash drive, floppy disk,
or other portable device so they can be transferred, be sure to safeguard the
device.

If you import a key from a USB device, the USB device must be directly
connected to the device the module is running on and may not pass through
any intervening systems. Additionally, a human operator must be physically
present and physically involved with the key importation from the USB
device; the importation cannot be an electronic process that can run without
human intervention.

b. The Open dialog displays. Navigate to the file that contains the key,
select it, and then click [Open]. The key will automatically populate

16 — revision 1
 FIPS Mode for ISC Communication User Guide

both of the respective Master key value and Confirm master key
value fields.
4. Repeat step 3 for the second master key.
5. Select the Enable FIPS mode check box.

Note: Do not confuse this setting with the Enable FIPS-mode controller
encryption setting in System Administration. This setting controls whether
the keys are stored in the registry or not, whereas the setting in System
Administration only determines what encryption-related forms display in
System Administration.

6. In the Active master key number field, select which master key will be
active.
7. Select whether to allow controller encryption bypass.
• If all controllers must use controller encryption, the Allow controller
encryption bypass option should be deselected.
• If there are specific controllers you do not wish to use controller
encryption:
a. Select the Allow controller encryption check box.
b. In the Panel ID field, type the ID of the panel you wish to bypass.
c. Click [Add].
d. Repeat for all controllers you wish to bypass.
8. Click [Save].
9. A message prompts whether you are sure that you wish to make these
changes. Click [Yes].
10. Shut down or restart the Communication Server.

Load New Master Keys into the Lenel ISCs

Systems already using encryption that are being configured to use FIPS mode
will already have master keys in use. However, for security reasons you must
generate new master keys using a FIPS-approved method when you begin using
FIPS mode. These new master keys must then be loaded into the controllers
using the Lenel Controller Encryption Utility.

For more information, refer to “Load or Update Keys” in the Lenel Controller
Encryption Configuration Utility online help or user guide.

Verify Encryption Permissions

For the Encryption tabs to be shown in System Administration, you must have
the ‘Controller encryption’ user permission (Administration > Users > System
Permission Groups form > Access Control sub-tab, select the Controller
encryption check box).

revision 1 — 17
3: Encryption to ISCs Using FIPS Mode

To be able to modify or encryption settings, you must have ‘Controller

encryption’ and ‘Modify/Export’ permissions (Administration > Users >
System Permission Groups form > Access Control sub-tab, select the Controller
encryption and Modify/Export check boxes).

Enable FIPS-mode Controller Encryption

The FIPS-mode controller encryption System Option setting in System
Administration determines whether the windows for configuring controller
encryption will be visible in System Administration. An administrator may
choose to enable this option so the OnGuard user interface does not display
things to users that don’t apply to them. If this option is selected, the windows for
configuring controller encryption that are normally in the following locations
will not be visible:
• (Non-segmented systems only) System Options folder
• (Segmented systems only) Segments folder
• Encryption form in the Access Panels folder

This setting is separate from the FIPS mode settings that are configured on the
individual Communication Server(s) using the FIPS Mode Configuration Utility.
This setting has no impact on whether FIPS mode is used; it only affects how
System Administration works and what windows are displayed. To use FIPS
mode, you must enable FIPS mode on the Communication Server(s) by running
the FIPS Mode Configuration Utility.

Note: When you enable FIPS-mode controller encryption, all controller encryption
keys will be removed from the database.

To enable FIPS mode controller encryption:

1. In System Administration, select System Options from the Administration

menu.
2. On the General System Options form, click [Modify].
3. Select the Enable FIPS-mode controller encryption check box.
4. Click [OK].
5. A message is displayed that says, “Enabling FIPS mode will cause all
controller encryption keys to be removed from the database. Do you want to
continue?” If you wish to do this, click [Yes].

Restart the Communication Server

The settings set using the FIPS Mode Configuration Utility are stored in the
registry, and the Communication Server only checks these settings upon startup.
Therefore, after configuring FIPS mode in the FIPS Mode Configuration Utility
you must restart the Communication Server in order for the changes to take
effect.

18 — revision 1
 FIPS Mode for ISC Communication User Guide

Configuring FIPS Mode on New Encryption Systems

If you have a new system or a system that currently does not use controller
encryption and you wish to start using FIPS mode, follow these steps. If not, refer
to Configuring FIPS Mode on Existing Encryption Systems on page 15.

1. Generate master key 1 and master key 2 using a FIPS-approved method. The
FIPS Key Generator located on the Supplemental disc can be used to do this.
For more information, refer to Generate Master Keys on page 16.
2. Configure the keys on the Lenel ISCs (LNL-500, LNL-1000, LNL-2000,
LNL-2220, and LNL-3300). For more information, refer to Configure the
Keys on the Lenel ISCs on page 19.
3. For each computer running a Communication Server that is servicing
encrypted controllers in FIPS mode, do the following:
a. Install the OnGuard software. For more information, refer to the
Installation Guide. If the Communication Server will be separate from
the database server, then perform a custom installation and install only
the Communication Server service. Be sure that the computer is in
single user mode.
b. Set the Communication Server to start up automatically.
c. Configure FIPS mode using the FIPS Mode Configuration Utility. For
more information, refer to Configure FIPS Mode in the FIPS Mode
Configuration Utility on page 16.
1) Run the FIPS Mode Configuration Utility.
2) Enable FIPS mode.
3) Enter the master key(s).
4) Specify which controllers, if any, will bypass controller encryption.
5) Save the settings.
d. Make sure that the appropriate the appropriate registry key
(HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-
PARAMS) is accessible by the account that the Communication Server
is running under (if it differs from the account used to configure these
settings).
4. Restart the Communication Server. For more information, refer to Restart
the Communication Server on page 18.
5. Log into System Administration.
6. Enable FIPS mode in the OnGuard software. For more information, refer to
Enable FIPS-mode Controller Encryption on page 18.

Configure the Keys on the Lenel ISCs

FIPS mode is used to encrypt the connection between the controller and the
Communication Server, so the master key values in both locations must be the
same. To configure the master keys for the controller:

1. Install the Lenel Controller Encryption Configuration Utility on a laptop

computer. This utility is located on the Supplemental disc. For more

revision 1 — 19
3: Encryption to ISCs Using FIPS Mode

information, refer to “Install the Lenel Controller Encryption Configuration

Utility” in the Lenel Controller Encryption Configuration Utility online help
or user guide.
2. Take the laptop computer to the first controller you wish to store the keys on.
3. Once at the controller:

Note: For complete details for each of these steps, refer to “Start the Utility and
Connect to a Controller” in the Lenel Controller Encryption Configuration
Utility online help or user guide.

a. Physically disconnect the cable between access control system and the
controller. For more information, refer to “Start the Utility and Connect
to a Controller” in the Lenel Controller Encryption Configuration
Utility online help or user guide.
b. Physically connect the cable from the controller to the host machine.
c. Start the Lenel Controller Encryption Configuration Utility.
d. Connect to the controller.
e. Enter master key 1 and master key 2.
f. Load the master keys. For complete details for each of these steps, refer
to “Load or Update Master Keys” in the Lenel Controller Encryption
Configuration Utility online help or user guide.
g. (Optional, but highly recommended) Turn DIP switch 8 ON. Once this
is done, reboot the controller so that the controller will require an
encrypted connection and will only accept encrypted connections with
entities that know the proper master key values. For more information,
refer to DIP Switch Settings for Encryption on page 7.
4. Repeat step 3 at each controller. Load the same master key 1 and master key
2 file on each controller. Be sure to keep the files that contain the master
keys in a secure place that you can remember.

20 — revision 1
 FIPS Mode for ISC Communication User Guide

Chapter 4: Using FIPS Mode

There are two types of operators: Crypto officer and User. For a detailed
description of each, refer to Operator Types on page 7.

User procedures:
• View a Controller’s Encryption Characteristics in Alarm Monitoring on page
21

Crypto officer procedures:

• Switch to a New Master Key on page 22
• Zero keys Using the Zero Keys Function on page 25 or Using the Clear
Function on page 25
• Zero Out Keys on the Controllers on page 26

View a Controller’s Encryption Characteristics in Alarm

Monitoring
The following icons may be used in Alarm Monitoring to indicate a controller’s
encryption status:

Controller icon Description

Access panel (without encryption)

Access panel normal encrypted

.
Access panel offline encryption
error

Access panel online encryption

mismatch

To view a controller’s encryption status in Alarm Monitoring:

1. Right-click on the controller’s icon and select Properties.

2. Look at the Connection type field. If you have the proper permissions, the
type of encryption connection being used on the controller, if any, is
displayed in the Connection type field. Types that may be indicated include
plain, encrypted in non-FIPS mode, or encrypted in FIPS mode.

Notes: To view the encryption connection type, you must have the ‘Controller
encryption’ user permission (Administration > Users > System Permission

revision 1 — 21
4: Using FIPS Mode

Groups form > Access Control sub-tab, select the Controller encryption
check box).
Any operator can view error conditions of a controller being offline due to
an encryption error or the current connection to the controller not matching
the configured connection.

Switch to a New Master Key

Master key exposure is extremely low over the encrypted connections. The
Master key is only used to encrypt an initial session packet in which a random
session key is transferred to the controller. All other packets in a given session
with the controller are encrypted using that session key.

The master key can be switched periodically as desired or at any time if there is
concern that it has been compromised.

Activating the Inactive Key without Changing Its Value

The very first time a key switch is made, the administrator may wish to simply
use the master key 2 value that was initially setup in the system and in the
controllers.

Additionally, on subsequent key switches, the administrator may not be

concerned with generating a new key value, but simply may want to switch to the
other master key value previously configured. This may be done if they simply
want to vary the master key value periodically without going to the trouble of
making it unique with each change.

To activate the inactive key without changing its value:

1. On the Communication Server, run the FIPS Mode Configuration Utility.

2. Click [Modify]. The FIPS Mode Parameters window opens.
3. Verify that both master key 1 and master key 2 have been entered or
imported.
4. In the Active master key number field, select the master key number that
was previously inactive.
5. Click [Save].
6. Restart the Communication Server. When the Communication Server starts,
it automatically detects which key is active and informs the controller which
one to use.
7. Repeat steps 2 - 6 on each computer running a Communication Server that is
servicing encrypted controllers in FIPS mode.

22 — revision 1
 FIPS Mode for ISC Communication User Guide

Updating the Value of the Inactive Key and Making it

Active
The following procedure can be used to switch master keys while using a new
master key value.

1. If you want to use a new key, generate one using a FIPS-approved method.
Do not activate this key yet.

Important: It is your responsibility to use a secure process when transferring the keys.
Never import keys from an insecure location such as a network drive. If you
save the files that contain the keys on a USB Flash drive, floppy disk, or
other portable device so they can be transferred, be sure to safeguard the
device.

If you import a FIPS-approved key from a USB device, the USB device must
be directly connected to the device the module is running on and may not
pass through any intervening systems. Additionally, a human operator must
be physically present and physically involved with the key importation from
the USB device; the importation cannot be an electronic process that can run
without human intervention.

2. Visit each controller configured for encryption and connect it to the

Controller Encryption Configuration Utility. Update the inactive master key.

Important: Do not update the active master key. If this is done, the controller will
remain offline until the configuration change is made in the FIPS Mode
Configuration Utility to activate that key.

3. Connect the controller using its standard access control system connection.
The controller should come back online with an encrypted connection using
the currently active master key. Note that if possible, controllers marked
logically offline in the access control system should be updated as well. This
will allow them to easily be marked back online in the future.
4. After every controller has been updated, import the new key and activate the
inactive key by doing the following:
a. On the Communication Server, run the FIPS Mode Configuration
Utility.
b. Click [Modify]. The FIPS Mode Parameters window opens.
c. For the key you wish to import, click [Import] and import the new key.
Alternatively, you can type the new key into the appropriate Master key
value and Confirm master key value fields.
d. In the Active master key number field, select the master key number
you wish to make active.
e. Click [Save].
f. Restart the Communication Server. When the Communication Server
starts, it automatically detects which key is active and informs the
controller which one to use. The access control system should begin

revision 1 — 23
4: Using FIPS Mode

making encrypted connections to the controllers using the newly

activated master key.
g. Repeat steps b - f on each computer running a Communication Server
that is servicing encrypted controllers in FIPS mode.

Zeroing Keys
Zeroing keys simply means setting the master key values in the
HKEY_LOCAL_MACHINE/Software/Lenel/OnGuard/FIPS-MODE-PARAMS
registry entry to a value of all zeros (0x00000000000000000000000000000000).
Do not do this manually! There are two different functions available in the FIPS
Mode Configuration Utility that zero keys: the zero keys function, and the clear
function. Although both functions zero out the keys in the registry, which
function you use depends on why you are zeroing the keys.

In case of an attack or compromise, you should use the zero keys function to
ensure an adversary won’t recover them. You would shut down the
Communication Server, and then use the zero keys function in the FIPS Mode
Configuration Utility to zero the keys. After the attack/compromise is resolved,
generate new keys, use the Lenel Controller Encryption Utility to load the keys
onto the ISCs, use the FIPS Mode Configuration Utility to load the keys on the
Communication Server(s), and then finally restart the Communication Server.

If you wish to stop using FIPS mode on a machine, use the clear function. The
clear function zeroes the master keys in the registry and then removes all FIPS
mode-related registry entries from the machine. The clear function is the
preferred function for this use because the zero keys function wouldn’t remove
the FIPS mode-related parameters from the registry.

The table that follows summarizes the differences between the zero and clear
functions:

Zeroing When to use Effect on registry FIPS mode

method status after
using function

Zero In case of attack/ Keys are zeroed • If FIPS mode

function compromise was on, it
remains ON
• If FIPS mode
was off, it
remains OFF

Clear To remove all Keys are zeroed, and FIPS mode if OFF
function configuration related to then any FIPS
FIPS mode if no longer mode-related entries
in use are removed from
the registry

24 — revision 1
 FIPS Mode for ISC Communication User Guide

Using the Zero Keys Function

The zero keys function should be used in case of an attack/compromise. The zero
keys function zeroes out any stored master key values in the registry, but leaves
all other FIPS mode-related settings in the registry unchanged. For more
information, refer to Zeroing Keys on page 24.

Note: If you wish to remove FIPS mode and related FIPS mode parameters from a
computer, use the clear function rather than the zero keys function. For more
information, refer to Using the Clear Function on page 25.

In case of attack/compromise, follow these steps to zero the keys:

1. Shut down the Communication Server. This is necessary in order to zero out
any keys currently being used in addition to any stored keys.
2. On the Communication Server machine, run the FIPS Mode Configuration
Utility. (This is the FIPSModeConfigurationUtility.exe file located in
C:\Program Files\OnGuard.) The FIPS Mode Configuration Utility Main
window opens.
3. Click [Zero Keys].
4. A message prompts you to confirm that you wish to zero out the master key
values in the registry. Click [Yes] to zero out the master keys, or [No] to
cancel zeroing the master keys.
5. If the master keys were successfully zeroed out, a message indicating this is
displayed.

After the attack/compromise has been resolved, do the following:

1. Generate new master keys using a FIPS-approved method. For more

information, refer to Generate Master Keys on page 16.
2. Run the Lenel Controller Encryption Utility and load new master keys into
the Lenel ISCs (LNL-500, LNL-1000, LNL-2000, LNL-2220, and LNL-
3300). For more information, refer to “Load or Update Keys” in the Lenel
Controller Encryption Configuration Utility online help or user guide.
3. Run the FIPS Mode Configuration Utility on each computer running a
Communication Server that is servicing encrypted controllers in FIPS mode
and import the new keys.
4. Restart the Communication Server.

Using the Clear Function

The clear function should be used to remove FIPS mode and related FIPS mode
parameters from a computer. In the case of an attack/compromise, use the zero
keys function instead. For more information, refer to Using the Zero Keys
Function on page 25.

revision 1 — 25
4: Using FIPS Mode

When you use the clear function, two things happen:

1. The master key entries in the registry, if set, are zeroed out and changed to a
value of all zeros.
2. All FIPS mode parameters are removed from the registry. This includes
settings such as whether FIPS mode is enabled, master key values, whether
controller bypass is being used, controllers that are bypassed, and so forth.
This essentially turns off FIPS mode.

For more information, refer to Zero Out Keys on the Controllers on page 26.

To use the clear function to zero keys and remove FIPS mode-related parameters
from the registry:

1. Shut down the Communication Server. This is necessary in order to zero out
any keys currently being used in addition to any stored keys.
2. On the Communication Server machine, run the FIPS Mode Configuration
Utility. (This is the FIPSModeConfigurationUtility.exe file located in
C:\Program Files\OnGuard.) The FIPS Mode Configuration Utility Main
window opens.
3. Click [Clear].
4. A message prompts you to confirm that you wish to clear the FIPS
parameters from the workstation. Click [Yes] to clear the FIPS parameters,
or [No] to cancel clearing the parameters.
5. If the FIPS parameters were successfully cleared, a message indicating this
is displayed.
6. (Optional) Zero out the keys on the controllers. For more information, refer
to Zero Out Keys on the Controllers on page 26.

Zero Out Keys on the Controllers

Normally it is not necessary to zero out the keys on the controllers, since they are
stored inside the controller in non-volatile EEPROM memory which is soldered
to the circuit board and there is no way to request these values from the hardware,
you may. However, you may wish to do so if you are done using encryption, or if
you are sending a controller back to the factory and you want to make sure all
evidence of the keys is removed.

Important: If keys are zeroed on the controller, the controller should remain physically
disconnected from its communication channel until new keys are set.

26 — revision 1
 FIPS Mode for ISC Communication User Guide

To zero out keys on the controllers:

1. Physically disconnect the controller from its communication channel.

2. Zero out the keys in the Communication Server’s registry. Refer to Using the
Zero Keys Function on page 25 or Using the Clear Function on page 25.
3. Use the Lenel Controller Encryption Utility to manually set the keys to all
zeros using the “Load or Update Master Keys” procedure in the Lenel
Controller Encryption Configuration Utility online help or user guide.
Remember that keys are 32 digits long, so enter 32 zeros.
4. After the new keys have been set, physically reconnect the controller to its
communication channel.

revision 1 — 27
4: Using FIPS Mode

28 — revision 1

Chapter 5: Troubleshooting FIPS Mode
If you encounter any errors when using the FIPS Mode configuration Utility,
please consult this section for suggestions on how to solve the problem.
Error Messages
Errors encountered when loading master keys
Error
The controller bypass flag contained an invalid
value
The Controller Bypass Flag and Bypassed
Controllers value do not logically agree
The FIPS Mode Flag setting and Active Master
Key value do not logically agree
The Master Key 1 Value is not a proper key value
or
The Master Key 2 Value is not a proper key value
There was an error reading the registry key which
stores the parameters from the registry
Errors encountered when saving
Error
Invalid key length for master key 1
FIPS Mode for ISC Communication User Guide
Check
The controller bypass flag refers to the Enable FIPS mode
check box setting. Its value is stored as 1 or 0 in the registry. If
you receive this error, then this value in the registry is neither
of these values. To correct this, either clear the FIPS mode
parameters, or save new parameters.
In the FIPS Mode Parameters window, if the Allow
controller encryption bypass check box is selected, then
controllers must be listed in the Bypassed controllers section.
Either add controllers to be bypassed, or deselect the Allow
controller encryption bypass check box.
In the FIPS Mode Parameters window, if the Enable
FIPS mode check box is selected, then the Active
master key number field must be set to 1 or 2. If the
Enable FIPS mode check box is deselected, then the
Active master key number must be set to 0.
Verify that you selected the correct file.
If you did, insure that the file contains only the master
key. A master key is in hexadecimal form. It must be
exactly 32 digits, and may contain any of the following
numbers or letters: 0 – 9, A – F.
Verify that the user running the FIPS Mode Configuration
Utility has sufficient permissions to access and modify the
registry.
Action needed to correct the error
Make sure that the master key contains exactly 32
digits, and that it only contains the following numbers
or letters: 0 – 9, A – F.
revision 1 — 29
5: Troubleshooting FIPS Mode

Errors encountered when saving (Continued)

Error Action needed to correct the error

Master Key 1 is active, but the Master Key 1 Value
is not a proper key value
Master Key 2 is active, but the Master Key 2 Value
is not a proper key value
The controller bypass flag and Bypassed
Controllers value did not agree with each other
Make sure that the master key contains exactly 32
digits, and that it only contains the following numbers
or letters: 0 – 9, A – F.
Make sure that the master key contains exactly 32
digits, and that it only contains the following numbers
or letters: 0 – 9, A – F.
In the FIPS Mode Parameters window, if the Allow
controller encryption bypass check box is selected, then
controllers must be listed in the Bypassed controllers section.
Either add controllers to be bypassed, or deselect the Allow
controller encryption bypass check box.

The two key values entered for master key 1 do not Retype the values in the Master key 1 value and the Confirm
match master key 1 value fields; they must be the same.

There was an error setting up a Security Descriptor Verify that the user running the FIPS Mode Configuration
and its DACL for the registry Utility has sufficient permissions to access and modify the
registry.

There was an error creating the registry key which Verify that the user running the FIPS Mode Configuration
stores the parameters Utility has sufficient permissions to access and modify the
registry.

Frequently Asked Questions

Question: Does the Enable FIPS-mode controller encryption setting on the
General System Options form allow me to use FIPS mode encryption?

Answer: No, this setting only controls whether the encryption-related tabs are
displayed in System Administration. To enable FIPS mode encryption, you must
use the FIPS Mode Configuration Utility.

Question: How do I make the encryption tabs visible in the OnGuard software?

Answer: In Administration > System Options, deselect the Enable FIPS-

mode controller encryption check box. For more information, refer to Enable
FIPS-mode Controller Encryption on page 18.

Question: How can I hide the encryption tabs in the OnGuard software?

Answer: In Administration > System Options, select the Enable FIPS-mode

controller encryption check box. For more information, refer to Configure FIPS
Mode in the FIPS Mode Configuration Utility on page 16.

30 — revision 1
 FIPS Mode for ISC Communication User Guide

Question: FIPS can be configured in System Administration or using the FIPS

Mode Configuration Utility - which settings override which?

Answer: Settings set via the FIPS Mode Configuration Utility override anything
set in System Administration.

Question: What is the difference between the “Zero Keys” and the “Clear”
option in the FIPS Mode Configuration Utility?

Answer: The “Zero Keys” option resets the master key values in the registry (if
set) to a value of all zeros. All other encryption settings in the registry, such as
bypassed controllers, remain unchanged. The zero keys function should be used
in case of attack/compromise.

The “Clear Keys” option resets the master key values in the registry (if set) to a
value of all zeros, and then removes all FIPS mode-related settings (master keys,
Enable FIPS mode setting, bypassed controllers, etc.) from the registry. Using
the “Clear Keys” option is essentially turning off FIPS mode. The clear keys
function should be used when you wish to stop using FIPS mode on a machine.

For a detailed discussion of the differences, refer to Zeroing Keys on page 24.

revision 1 — 31
5: Troubleshooting FIPS Mode

32 — revision 1
 FIPS Mode for ISC Communication User Guide

Index

A F
Access panel terminology ..................................... 6 FIPS
Active key setting ............................................... 10 definition........................................................ 5
Alarm Monitoring encryption icons ................... 21 Key Generator utility ................................... 16
Allow controller encryption bypass setting ........ 13 FIPS mode
Attack........................................................... 24, 25 configure on existing systems...................... 15
Automatic key management encryption ............... 5 configure on new systems............................ 19
disable using clear function ......................... 26
B FIPS Mode Configuration Utility ......................... 9
Bypass controller settings ................................... 13 Main Window .............................................. 10
Parameters dialog ........................................ 12
C FIPS mode parameters
Active master key number ........................... 12
Clear FIPS mode parameters .............................. 25 Allow controller encryption bypass............. 13
Clear keys button definition................................ 11 dialog ........................................................... 12
Communication Server ....................................... 18 Enable FIPS mode ....................................... 12
restart ........................................................... 18 Master key 1 value....................................... 12
Configure Master key 2 value....................................... 12
encryption to ISCs using FIPS mode........... 15 remove from registry ................................... 25
FIPS in the FIPS Mode Configuration Frequently asked questions................................. 30
Utility.................................................... 16
FIPS mode on existing encryption systems . 15 G
FIPS mode on new encryption systems ....... 19
keys on ISCs ................................................ 19 Generate master keys .......................................... 16
Controller terminology ......................................... 6
Controllers I
configure keys on......................................... 19 Import master keys.............................................. 12
icons in Alarm Monitoring .......................... 21 Intelligent System Controller (ISC) terminology . 6
zeroing keys on ............................................ 26 Introduction........................................................... 5
Crypto officer........................................................ 7
K
D Key generator...................................................... 16
DIP switch 8................................................... 7, 20
DIP switch settings for encryption........................ 7 L
Load
E master key values onto the Communication
Enable FIPS-mode controller encryption ........... 18 Server.................................................... 16
Encryption keys master keys into ISCs .................................. 17
master............................................................. 6
session............................................................ 6 M
Encryption types Manual key management encryption.................... 5
automatic........................................................ 5 Master key
FIPS mode encryption ................................... 5 storage............................................................ 7
manual............................................................ 5 switch to new ............................................... 22
Error messages Master key 1.......................................................... 6
loading master keys ..................................... 29 Master key 2.......................................................... 6
saving........................................................... 29 Master keys ........................................................... 6
generate........................................................ 16
import into Communication Server ............. 16

revision 1 — 33
Index

load into ISCs .............................................. 17

storing ............................................................ 7

O
Operator types....................................................... 7
Overview............................................................... 5

P
Permissions ......................................................... 17

R
Registry key for FIPS mode parameters ............... 9
Restart the Communication Server ..................... 18

S
Session keys .......................................................... 6
Storing master keys............................................... 7
Switch to a new master key ................................ 22

T
Terminology.......................................................... 6
Troubleshooting .................................................. 26

U
User ....................................................................... 8

V
Verify encryption permissions............................ 17
View a controller’s encryption characteristics in
Alarm Monitoring........................................ 21

Z
Zero keys
button definition .......................................... 10
function ........................................................ 25
Zeroing
FIPS mode parameters................................. 25
keys on controllers....................................... 26
Zeroing keys
overview ...................................................... 24
using the clear function................................ 25
using zero keys function .............................. 25

34 — revision 1
FIPS Mode for ISC Communication User Guide

revision 1 — 35
Lenel Systems International, Inc.
1212 Pittsford-Victor Road
Pittsford, New York 14534 USA
Tel 585.248.9720 Fax 585.248.9185
www.lenel.com
docfeedback@lenel.com