Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 1 of 25
FIPS 140-2 Non-proprietary Security Policy
LogRhythm 7.8.0 AI Engine Server
LogRhythm, Inc.
4780 Pearl East Circle
Boulder, CO 80301
July 6, 2022
Document Version 1.2
Module Version 7.8.0
Prepared by:
Accredited Testing & Evaluation Labs
6841 Benjamin Franklin Drive
Columbia, MD 21046
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 2 of 25
© Copyright 2022 LogRhythm, Inc.
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm,
Inc. makes no warranty of any kind with respect to this information. LogRhythm, Inc.
specifically disclaims the implied warranty of merchantability and fitness for a particular
purpose. LogRhythm, Inc. shall not be liable for any direct, indirect, incidental, consequential,
or other damages alleged in connection with the furnishing or use of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product
names mentioned may be trademarks, registered trademarks, or service marks of their
respective holders.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 3 of 25
Table of Contents
1. Introduction........................................................................................................................4
2. Overview.............................................................................................................................5
2.1. Ports and Interfaces ......................................................................................................8
2.2. Modes of Operation......................................................................................................9
2.3. Module Validation Level............................................................................................10
3. Roles ..................................................................................................................................11
4. Services..............................................................................................................................12
4.1. User Services................................................................................................................12
4.2. Crypto Officer Services..............................................................................................12
5. Policies...............................................................................................................................14
5.1. Security Rules...............................................................................................................14
5.2. Identification and Authentication Policy.................................................................15
5.3. Access Control Policy and SRDIs ............................................................................15
5.4. Physical Security ..........................................................................................................18
6. Crypto Officer Guidance................................................................................................19
6.1. Secure Operation Initialization Rules.......................................................................19
6.2. Approved Mode ..........................................................................................................20
7. Mitigation of Other Attacks...........................................................................................22
8. Terminology and Acronyms...........................................................................................23
9. References.........................................................................................................................24
Appendix A: TLS Cipher Suites................................................................................................25
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 4 of 25
1. Introduction
LogRhythm is an integrated log management and security information event management
(SIEM) solution. It is a distributed system containing several cryptographic modules, which
support secure communication between components. A LogRhythm deployment is made up
of distributed components including Advanced Intelligence (AI) Engine Servers, Consoles
(Client/Web), Data Indexers, Data Processors, a Platform Manager, and System Monitor
Agents. An AI Engine Server analyzes log metadata for complex events, which it may forward
to Platform Manager. A LogRhythm Console provides a graphical user interface (GUI) to
view log messages, events, and alerts. LogRhythm Consoles are also used to manage
LogRhythm deployments. Data Indexers deliver distributed and highly scalable indexing of
machine and forensic data. Data Indexers run Elasticsearch and LogRhythm services to
provide raw log and metadata persistence and search capabilities. Indexers can be clustered to
enable high availability and improved performance. A Data Processor aggregates log data from
System Monitor Agents, extracts metadata from the logs, forwards logs/metadata to
Elasticsearch for persistence and search, and analyzes content of logs and metadata. A Data
Processor may forward log metadata to an AI Engine Server and may forward significant
events to Platform Manager. A Platform Manager manages configuration, alarms,
notifications, and case and security incident management. A System Monitor Agent collects
log data from network sources. LogRhythm relies on Microsoft SQL Server. LogRhythm
stores log data in SQL Server databases on Data Processor and Platform Manager. It stores
configuration information in SQL Server databases on Platform Manager. System Monitor
Agent, Data Processor, AI Engine Server, Platform Manager, and Console each include a
cryptographic module.
This document describes the security policy for the LogRhythm AI Engine Server
cryptographic module. It covers the secure operation of the AI Engine Server cryptographic
module including initialization, roles, and responsibilities for operating the product in a secure,
FIPS-compliant manner. This module is validated at Security Level 1 as a multi-chip
standalone module. The module relies on the following cryptographic modules for the
corresponding LogRhythm versions:
Table 1 Bounded Modules
LogRhythm version Cryptographic Module
7.8.0
Microsoft Windows Server 2019 Cryptographic Primitives
Library (bcryptprimitives.dll) (CMVP Certificate #3197)
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 5 of 25
2. Overview
The LogRhythm AI Engine Server cryptographic module provides cryptographic services to
an AI Engine Server. In particular, these services support secure communication with
LogRhythm Data Processors and Platform Manager SQL Server databases.
An AI Engine Server is a server running the LogRhythm AI Engine Communication Manager
(LRAIEComMgr) and AI Engine (LRAIEEngine) services. The AI Engine Communication
Manager service marshals log message data received from Data Processors. The AI Engine
service processes the log message data. AI Engine Server cryptographic module runs on a
general purpose computer (GPC). The AI Engine Server operating system is Windows Server
2019 (x64). The AI Engine Server cryptographic module was tested on a Dell PowerEdge
R740 Server with an Intel Xeon Silver 4114 processor, both with and without PAA (AES-NI
acceleration).
The AI Engine Server cryptographic module is a software module. Its physical boundary is
the enclosure of the standalone GPC on which the AI Engine Server services run. The
software within the logical cryptographic boundary consists of all software assemblies for the
AI Engine Communications Manager service and the AI Engine service. The AI Engine Server
cryptographic module software consists of the following files in “C:\Program
Files\LogRhythm\LogRhythm AI Engine”:
 clrzmq.dll
 Google.ProtocolBuffers.dll
 LogRhythm.CrossCutting.dll
 LogRhythm.Data.dll
 LogRhythm.DTO.dll
 LogRhythm.Protobuffers.dll
 LRAIEComMgr.exe
 lraiecommgr.hsh
 LRAIEEngine.exe
 lraieengine.hsh
 lraiutils.exe
 lraiutils.hsh
 lrhmcommgr.dll
 lrhmengine.dll
 lrhmenginesvr.dll
 lrhmschema.dll
 lrsecurity.dll
 nsoftware.IPWorks.dll
 nsoftware.IPWorksSSH.dll
 nsoftware.IPWorksSSL.dll
 nsoftware.IPWorksSSNMP.dll
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 6 of 25
 nsoftware.System.dll
 scshared.dll
 scvbcomn.dll
 Xceed.Compression.dll
 Xceed.Compression.Formats.dll
 Xceed.FileSystem.dll
 Xceed.GZip.dll
 Xceed.Tar.dll
 Xceed.Zip.dll
Other files and subdirectories of “C:\Program Files\LogRhythm\LogRhythm AI Engine” are
outside the logical cryptographic boundary. The excluded files are:
 EULA.rtf
 LRAIEComMgr.exe.config
 lraiecommgr.Log4Net
 LRAIEEngine.exe.config
 lraieengine.Log4Net
 lraiutils.exe.config
 AIEngine001.lrhm.cs
 AIEngine001.lrhm.dll
 DocumentFormat.OpenXml.dll
 Infragistics2.Shared.dll
 Infragistics2.Win.Misc.dll
 Infragistics2.Win.UltraWinDataSource.dll
 Infragistics2.Win.UltraWinEditors.dll
 Infragistics2.Win.UltraWinGrid.dll
 Infragistics2.Win.UltraWinTabControl.dll
 Infragistics2.Win.UltraWinToolbars.dll
 Infragistics2.Win.dll
 libzmq.dll
 Logger.Log4Net
 LogRhythm.Business.dll
 log4net.dll
 lrconfig.exe
 lrconfig.exe.config
 lrconfig.visualelementsmanifest.xml
 lrhmenginesvc.visualelementsmanifest.xml
 lrhmperf.dll
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 7 of 25
 lrhmuicomn.dll
 Newtonsoft.Json.dll
 SimpleInjector.dll
 SimpleInjector.Extensions.LifetimeScoping.dll
 sccscomn.dll
 sccsuicomn.dll
The excluded directories (along with their subdirectories) are:
 config
 logs
 state
 data
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 8 of 25
Figure 1 Cryptographic Module Boundaries illustrates the relationship between the AI Engine
Server cryptographic module and the AI Engine Server as a whole. It shows physical and
logical cryptographic boundaries of the module.
2.1. Ports and Interfaces
The AI Engine Server cryptographic module ports consist of one or more network interface
cards (NIC) on the AI Engine Server GPC. NIC are RJ45 Ethernet adapters, which are
connected to IP network(s). The specific ports on the tested platform as well as the mappings
to the logical interfaces are as follows:
Table 2: Physical to Logical Interface Mappings
Physical Interface Logical Interface
4 x 10GbE Ethernet Ports Data Input, Data Output, Control Input,
Status Output
1 x Dedicated iDRAC Ethernet Port N/A – Not used by module
1 x Dedicated iDRAC direct USB Ports N/A – Not used by module
2 x USB 2.0 Ports N/A – Not used by module
Figure 1 Cryptographic Module Boundaries
Physical Boundary (General Purpose Computer)
Microsoft Windows Server 2019 Operating System
Logical Cryptographic Boundary
AI Engine
Communicatio
n Manager
Platform Manager
SQL Server
Windows File
System
Data Processor
Mediator Server
AI Engine
bcrypt-
primitives.DLL
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 9 of 25
2 x USB 3.0 Ports N/A – Not used by module
1 x Serial Port N/A – Not used by module
1 x VGA Port N/A – Not used by module
All data enters the AI Engine Server physically through the NIC and logically through the
GPC’s network driver interface to the module. Hence, the NIC correspond to the data input,
data output, control input, and status output interfaces defined in [FIPS 140-2]. Although
located on the same GPC as the cryptographic module, the Windows operating system file
system and Windows Event Log are outside the logical cryptographic boundary. Hence, the
file system and Windows Event Log also present data input, data output, control input, and
status output logical interfaces.
Data input to AI Engine is made up of log message data. Data Processor processes log
messages collected by System Monitor Agents and sends log message data to the AI Engine
Communications Manager over a TLS socket connection. Data output from AI Engine Server
comprises log message data sent to the Platform Manager SQL Server as well as data written
to the local file system. AI Engine Server sends event data to the Platform Manager SQL
Server over a TLS socket connection. Data output to the local file system consists of suspense
log files and unprocessed logs. The Console provides a graphical interface to configure the AI
Engine Server cryptographic module, but configuration information reaches the module
indirectly through the Platform Manager SQL Server. (The Console is a separate and distinct
component of a LogRhythm deployment.) The Console connects to Platform Manager SQL
Server and stores configurations in a database. The AI Engine service retrieves the
configuration information from the database. Hence, the TLS connection to the Platform
Manager SQL Server serves as the control input interface. The status output interface
comprises the TLS connection to the Platform Manager SQL Server, the local file system, and
the Windows Event Log. The AI Engine Server sends status information to Platform Manager
SQL Server using TLS, which makes it available to the Console. The AI Engine Server writes
status information to log files in the file system and the Windows Event Log.
2.2. Modes of Operation
The AI Engine Server cryptographic module has two modes of operation: Approved and non-
Approved. Approved mode is a FIPS-compliant mode of operation. The module provides the
cryptographic functions listed in Table 3 and Table 4 below. While the functions in Table 4
are not FIPS Approved, they are allowed in Approved mode of operation when used as part
of an approved key transport scheme where no security is provided by the algorithm.
Table 3 FIPS Approved Cryptographic Functions (please see section 6.1 for specific modes used).
Label Approved Cryptographic Function Standard
AES Advanced Encryption Algorithm FIPS 197
CVL Transport Layer Security Key
Derivation Function
SP 800-135 Rev. 1
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 10 of 25
Label Approved Cryptographic Function Standard
DRBG Deterministic Random Bit Generator SP 800-90A Rev. 1
HMAC Keyed-Hash Message Authentication
Code
FIPS 198-1
RSA Rivest Shamir Adleman Signature
Algorithm
FIPS 186-4
SHS Secure Hash Algorithm FIPS 180-4
Triple-DES Triple Data Encryption Algorithm SP 800-67 Rev. 2
Table 4 FIPS Non-Approved but allowed Cryptographic Functions
Label Non-Approved Cryptographic Function
MD5 Message-Digest Algorithm 5
NDRNG The module depends on the Cryptographic Primitives Library (Cert. #3197)
for AES-CTR DRBG Entropy Input. The DRBG is provided at least 256
bits of entropy from the NDRNG
RSA Key Wrapping using PKCS 1 v1.5
The AI Engine Server cryptographic module does not implement a bypass capability.
2.3. Module Validation Level
The module meets an overall FIPS 140-2 compliance of Security Level 1.
Table 5 LogRhythm 7.8.0 AI Engine Server Security Levels
Security Requirements Section Level
Cryptographic Module Specification 1
Cryptographic Module Ports and Interfaces 1
Roles, Services, and Authentication 1
Finite State Model 1
Physical Security N/A
Operational Environment 1
Cryptographic Key Management 1
Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) 1
Self-Tests 1
Design Assurance 1
Mitigation of Other Attacks N/A
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 11 of 25
3. Roles
In Approved mode, AI Engine Server cryptographic module supports four roles which
correspond to the FIPS 140-2 Crypto Officer and User roles. Roles are assumed implicitly,
since the module does not provide user authentication.
Crypto Officer Role: Operators with the Crypto Officer role have direct access to the
cryptographic module. Responsibilities of the Crypto Officer role include initial configuration,
on-demand self test, and status review.
User Role: Operators with the User role are other components of a LogRhythm deployment
configured to interact with the AI Engine Server. These are: Data Processor and Platform
Manager. The User Role can be further divided into the following LogRhythm Roles
Table 6 LogRhythm User roles
LogRhythm Role Description
LogRhythmGlobalAdmin Allows for complete read and write access to both the
configuration of the module and the data it collects.
LogRhythmRestrictedAdmin Allows for read and write access to configuration changes
and the data as permitted by LogRhythmGlobalAdmin.
LogRhythmGlobalAnalyst Allows for read only access to all data and configuration
resources.
LogRhythmRestrictedAnalyst Allows for read only access to data and configuration as
permitted by LogRhytmGlobalAdmin.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 12 of 25
4. Services
In Approved mode, the services available to an operator depend on the operator’s role.
4.1. User Services
4.1.1. Data Processor Write Log Data
This service provides a protected communication channel to transfer log message data from
Data Processor to an AI Engine Server. The channel is established in accordance with the AI
Engine Server configuration. (See service Write AI Engine Server Configuration.) Please see
Appendix A for the list of supported cipher suites used in the TLS 1.0/1.2 connections.
4.1.2. Platform Manager Read Log Data
This service provides a protected communication channel to transfer log message data to the
Platform Manager SQL Server from the AI Engine Server. The channel is established in
accordance with the AI Engine Server configuration. (See service Write AI Engine Server
Configuration.) Please see Appendix A for the list of supported cipher suites used in the TLS
1.0/1.2 connections.
4.1.3. Write AI Engine Server Configuration
This service provides a protected communication channel to transfer configuration data from
the Platform Manager SQL Server to the AI Engine Server. An operator in the Crypto Officer
role sets up communication between the AI Engine Server and the Platform Manager SQL
Server during deployment. After set up, the Platform Manager SQL Server uses this service to
propagate configuration changes to the AI Engine Server. Please see Appendix A for the list
of supported cipher suites used in the TLS 1.0/1.2 connections.
Note that an AI Engine Server’s configuration originates from the Console. The Console
transfers the configuration information to the Platform Manager SQL Server.
4.2. Crypto Officer Services
4.2.1. Configure AI Engine Server Communication
After the AI Engine Server has been installed, this service provides an operator in the Crypto
Officer role with the capability to configure the AI Engine Server to communicate with
Platform Manager. This consists of setting the IP address for the Platform Manager. The
Platform Manager SQL Server provides all other configuration information. (See service Write
AI Engine Server Configuration.)
4.2.2. Perform Self-Tests
AI Engine Server module performs a (start-up) power-on software integrity self test to verify
the integrity of the module software. If the module fails a software integrity test, it reports
status indicating which failure occurred and transitions to an error state, in which the module
ceases to continue processing. The AI Engine Server will not be able to receive logs and cannot
output data to an SQL Server database when it is in an error state.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 13 of 25
An operator can run the software integrity test on demand by stopping and starting the
module. The system integrity test will always run at startup regardless of FIPS Mode.
4.2.3. Show FIPS Status
AI Engine Server provides status information about the cryptographic module mode of
operation through AI Engine Server log files. When the AI Engine Server component is
started, the AI Engine Server processes write messages to the logs indicating the mode of
operation, for example:
AI Engine Server running in FIPS mode: YES
AI Engine Communication Manager running in FIPS mode: YES
To determine whether AI Engine Server is in Approved mode, an operator in the Crypto
Officer role checks the AI Engine Server process logs, LRAIEComMgr.log and
LRAIEEngine.log.
Similarly, LogRhythm provides information about communication encryption through AI
Engine Server log files. When the AI Engine Server component is started, the AI Engine
Server processes write messages to the log files indicating whether encryption is being used,
for example.
AI Engine Server using encryption for SQL Server communications: YES
To determine whether AI Engine Server is encrypting communication, check the AI Engine
Server service logs, LRAIEComMgr.log and LRAIEEngine.log. The AI Engine Server
cryptographic module must be encrypting communications in order to be considered
operating in Approved mode.
The Data Processor cryptographic module may enter an error state and stop (for example,
when a self test fails). An operator in the Crypto Officer role checks the AI Engine Server log
files (LRAIEComMgr.log and LRAIEEngine.log) and the Windows Event Log for error
messages to determine the cause the cryptographic module’s error state.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 14 of 25
5. Policies
5.1. Security Rules
In order to operate the AI Engine Server cryptographic module securely, the operator should
be aware of the security rules enforced by the module. Operators should adhere to rules
required for physical security of the module and for secure operation.
The AI Engine Server cryptographic module enforces the following security rules when
operating in Approved mode (its FIPS compliant mode of operation). These rules include
both security rules that result from the security requirements of FIPS 140-2 and security rules
that LogRhythm has imposed.
1. Approved mode is supported on Windows Server 2019 (10.0.17763) in a single-user
environment.
2. The AI Engine Server cryptographic module operates in Approved mode only when
used with the FIPS approved version of the bounded modules identified in Table 1
operating in FIPS mode.
3. The AI Engine Server cryptographic module is in Approved mode only when it
operates in the environment of BCRYPTPRIMITIVES, namely:
i) FIPS approved security functions are used and Windows is booted normally,
meaning Debug mode is disabled and Driver Signing enforcement is enabled;
ii) One of the following DWORD registry values is set to 1:
(1) HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\-
Enabled
(2) HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\-
Configuration\SelfTestAlgorithms
(3) HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
(4) HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\MD
MEnabled
4. When installed on a system where FIPS is enabled, AI Engine Server runs in a FIPS-
compliant mode of operation. When communicating with other LogRhythm
components, the AI Engine Server encrypts communication including:
 Module to Data Processor
 Module to Platform Manager SQL Server
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 15 of 25
5. The AI Engine Server cryptographic module operates in the Approved mode only
when using a pre-placed, user-provided certificate for TLS communication with AI
Engine Communication Manager. Dynamically-generated, self-signed certificate for
the AI Engine Communication Manager shall not be used in Approved mode. See
[Help] section “Certificate Configuration for LogRhythm Component Connections”
for detailed configuration instructions. [Help] section “Common Access Card (CAC)
Use” covers operational requirements for user-provided certificates (for example,
extended key usage values).
6. In accordance with [SP 800-57 P3] and [SP 800-131A] (key length transition
recommendations), the size of TLS public/private keys provided for AI Engine Server,
Data Processor, and SQL Servers shall be at least 2048 bits.
7. In accordance with [SP 800-57 P3] (key length transition recommendations), the size
of public/private keys for the CA issuing AI Engine Server, Data Processor, and SQL
Server certificates shall be at least 2048 bits.
5.2. Identification and Authentication Policy
The AI Engine Server cryptographic module does not provide operator authentication. Roles
are assumed implicitly. Operating system and SQL Server authentication mechanisms are not
within the scope of the validation.
5.3. Access Control Policy and SRDIs
This section specifies the LogRhythm AI Engine Server’s Security Relevant Data Items as well
as the access control policy enforced by the LogRhythm.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 16 of 25
5.3.1. Cryptographic Keys, CSPs, and SRDIs
While operating in a FIPS-compliant manner, the LogRhythm AI Engine Server contains the
following security relevant data items:
Table 7 Cryptographic Keys CSPs and SRDIs
ID Key type Size Description Origin Storage Zeroization Method
Secret and Private Keys
TLS private
key
RSA 2048-bits,
3072-bits
Used for TLS
session
establishment
External (entered
through Windows
operating system)
Volatile memory
and the operating
system
As per guidance for bound
module [Win BCRYPT] and
Windows operating
system guidance
TLS Pre-
master
Secret
Symmetric 384-bits Used for TLS
Master Secret
derivation
Generated
internally via DRBG
(client), Generated
externally (server)
Plaintext in volatile
memory
As per guidance for bound
module [Win BCRYPT]
TLS Master
Secret
Symmetric 384-bits Used for TLS
session key
derivation
Derived from Pre-
master Secret
Plaintext in volatile
memory
As per guidance for bound
module [Win BCRYPT]
TLS session
encryption
keys
AES CBC 128-bits,
256-bits
Used for TLS
communication
Generated through
TLS handshake via
SP 800-135 KDF
Plaintext in volatile
memory
As per guidance for bound
module [Win BCRYPT]
Triple-DES
CBC
192-bits
TLS session
integrity
keys
HMAC-
SHA1, SHA-
256
160-bits,
256-bits
Used for TLS
communication
Generated through
TLS handshake via
SP 800-135 KDF
Plaintext in volatile
memory
As per guidance for bound
module [Win BCRYPT]
Public Keys
TLS public
key
RSA 2048-bits,
3072-bits
Used for TLS
communication
with Data
Processors and
Platform
Manager SQL
Server
N/A (entered
through Windows
operating system)
Volatile memory
and the operating
system
As per guidance for bound
module [Win BCRYPT] and
Windows operating
system guidance
Data
Processor
public key
RSA 2048-bits,
3072-bits
Used for TLS
communication
with Data
Processors
N/A (entered
through TLS
handshake)
Volatile memory As per guidance for bound
module [Win BCRYPT]
CA public
key
RSA 2048-bits,
3072-bits
Used for TLS
communication
with Data
Processors and
Platform
Manager SQL
Server
N/A (entered
through Windows
operating system)
Volatile memory
and the operating
system
As per guidance for bound
module [Win BCRYPT] and
Windows operating
system guidance
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 17 of 25
ID Key type Size Description Origin Storage Zeroization Method
SQL Server
public key
RSA 2048-bits,
3072-bits
Used for TLS
communication
with Platform
Manager SQL
Server
N/A (entered
through TLS
handshake)
Volatile memory As per guidance for bound
module [Win BCRYPT]
Other Keys/CSPs
Power-up
integrity
test key
HMAC-
SHA1
160 bits Used to verify
integrity of
cryptographic
module image on
power up
Preplaced in
module by
LogRhythm
Obscured in
volatile memory
Re-initialize module
5.3.2. Access Control Policy
The AI Engine Server cryptographic module allows controlled access to the SRDIs contained
within it. The following table defines the access that an operator or application has to each
SRDI while operating the AI Engine Server in a given role performing a specific AI Engine
Server cryptographic module service. The permissions are categorized as a set of four separate
permissions: read, write, execute, delete (r, w, x, and d, respectively, in the table). If no
permission is listed, then an operator outside the Data Processor has no access to the SRDI.
Table 8 Access Control
LogRhythm Data
Processor Server
Access Policy
[Key:
r: read
w: write
x: execute
d: delete]
Security
Relevant
Data
Item
TLS
private
key
TLS
Pre-master
Secret
TLS
Master
Secret
TLS
session
encryption
keys
TLS
session
Integrity
keys
TLS
public
key
Data
Processor
public
key
CA
public
key
SQL
Server
public
key
Power-up
integrity
test
key
Role/Service
User Role
Data Processor
Write Log Data
x w,x,d w,x,d w,x,d w,x,d x w,x,d x
Platform Manager
Read Log Data
x w,x,d w,x,d w,x,d w,x,d x x w,x,d
Write AI Engine
Server
Configuration
x w,x,d w,x,d w,x,d w,x,d x x w,x,d
Crypto-officer Role
Configure AI Engine
Server
Communication
r,w,d r,w,d r,w,d
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 18 of 25
LogRhythm Data
Processor Server
Access Policy
[Key:
r: read
w: write
x: execute
d: delete]
Security
Relevant
Data
Item
TLS
private
key
TLS
Pre-master
Secret
TLS
Master
Secret
TLS
session
encryption
keys
TLS
session
Integrity
keys
TLS
public
key
Data
Processor
public
key
CA
public
key
SQL
Server
public
key
Power-up
integrity
test
key
Perform Self Tests x
Show FIPS Status
5.4. Physical Security
This section is not applicable.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 19 of 25
6. Crypto Officer Guidance
6.1. Secure Operation Initialization Rules
The LogRhythm software is delivered with the LogRhythm Appliance or standalone as part
of the LogRhythm Solution Software (LRSS).
LRSS is the software-only solution for installation and configuration on your own dedicated
custom hardware or a supported virtualization platform. Follow the instructions in [Help]
section “Install LogRhythm” to install an AI Engine Server. Once AI Engine Server is
installed, enable Approved mode as described below. See the LogRhythm Solution Software
Installation Guide for more details.
The LogRhythm AI Engine Server provides the cryptographic functions listed in section
Modes of Operation above. The following table identifies the FIPS algorithm certificates for
the Approved cryptographic functions along with modes and sizes. Note that while the
algorithm certificates list more modes and options than what is contained in the table below,
that the algorithms listed in the table are the only ones utilized by the module.
Table 9 Cryptographic Algorithms
Algorithm Type Modes/Mod sizes
Algorithm
Cert No.
BCRYPTPRIMITIVES.DLL Algorithms
AES CBC, 128 and 256-bit keys Cert. #C211
CVL1 TLS 1.0/1.1 and TLS 1.2 KDF Cert. #C211
DRBG SP 800-90A CTR_DRBG (AES-256) Cert. #C211
HMAC SHA-1, SHA-256 Cert. #C211
SHS SHA-1/256/384/512 Cert. #C211
RSA ALG [RSASSA-PKCS1_V1_5]: SIG(gen) 2048 and 3072 bits
modulus, SHS: SHA-256, SHA-384 and SHA-512
SIG (ver): 1024, 2048 and 3072 bits modulus, SHS: SHA-1,
SHA-256, SHA-384 and SHA-512
Cert. #C211
Triple-DES2 Triple-DES-CBC, 192-bits Cert. #C211
1 This protocol has not been reviewed or tested by the CAVP and CMVP
2 The use of Triple-DES as part of the IETF Protocols TLS 1.0 and TLS 1.2 (RFC 2246 and 5246) limits
the use of a single key to no more than 2^20 encryptions.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 20 of 25
6.2. Approved Mode
6.2.1. Establishing Approved Mode
Establishing Approved mode entails:
1. Enabling Windows FIPS security policy on the GPC hosting the AI Engine Server.
2. Providing public key certificate for the AI Engine Communication Manager to support
encrypted communication.
3. Enabling encrypted communication between LogRhythm components.
Enabling Windows FIPS security policy affects other LogRhythm components installed on
the same GPC as the AI Engine Server. Hence, Windows FIPS security policy should be
configured initially for all LogRhythm cryptographic modules in a deployment at the same
time. [Help] section “Federal Information Processing Standards (FIPS)” covers the
procedures for establishing Windows FIPS security policy across a LogRhythm deployment,
including the AI Engine Server cryptographic module.
[Help] section “Public Key Infrastructure (PKI) Support” covers providing public key
certificates as well as configuring AI Engine Communication Manager to use the certificate.
Section “TLS Configuration” below describes how to enable encrypted communication. Only
those ciphersuites specified in “Appendix A: TLS Cipher Suites” may be used in the approved
mode.
When FIPS mode is enabled on a host, all LogRhythm services will connect to SQL Server
using Windows Integrated Security regardless of what is configured in their INI files. See
[Help] section “Integrated Security” for steps to enable Integrated Security.
6.2.2. TLS Configuration
The cryptographic module supports protected communication between the AI Engine Server
and other LogRhythm components. Protection is provided by TLS. In particular, the AI
Engine Server module supports TLS between itself and the following external components:
 Data Processor and
 Platform Manager SQL Server.
In Approved mode, TLS communication is required between all components. Enable TLS
communication for the AI Engine cryptographic module:
1. Open the AI Engine Server Local Configuration Manager from where the AI Engine
Server resides by clicking Start > All Programs > LogRhythm > AI Engine
Configuration Manager.
2. Select the General tab and check ‘Encrypt all communication.’
3. To restart the AI Engine Server when the Local Configuration Manager exits, select
the Windows Service tab and check ‘Start (or restart) the service when the
configuration is saved.’
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 21 of 25
4. Click OK to save the settings and exit.
The TLS communication is not enabled and the module is not in Approved mode until the
module is restarted.
6.2.3. Starting and Stopping the Cryptographic Module
The AI Engine Server cryptographic module runs as two Windows services: LRAIEEngine
and LRAIEComMgr. Starting services LRAIEEngine and LRAIEComMgr starts the AI Engine
Server cryptographic module. Similarly, stopping services LRAIEEngine and LRAIEComMgr
stops the cryptographic module. Use the LogRhythm Console, Windows Service Control
Manager (SCM), or Windows command line to start or stop the cryptographic module. [Help]
section “Restart AI Engine Servers” describes Console operation. The Windows commands
for starting and stopping the module are ‘net start’ and ‘net stop,’ respectively.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 22 of 25
7. Mitigation of Other Attacks
This section is not applicable.
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 23 of 25
8. Terminology and Acronyms
Table 10 Terms and Accronyms
Term/Acronym Description
AIE Advanced Intelligence Engine
CSP Cryptographic Service Provider
DP Data Processor
GPC General Purpose Computer
GUI Graphical User Interface
Mediator Server service System Monitor Agents collect logs and send them to a
Mediator Server service, which processes the logs
PM Platform Manager
SIEM Security Information Event Management
SRDI Security Relevant Data Item
TLS Transport Layer Security
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 24 of 25
9. References
[FIPS 198-1] Federal Information Processing Standards Publication: The Keyed-Hash Message
Authentication Code (HMAC), Information Technology Laboratory
National Institute of Standards and Technology, July 2008.
[FIPS 140-2] Federal Information Processing Standards Publication: Security Requirements for
Cryptographic Modules, Information Technology Laboratory National
Institute of Standards and Technology, 25 May 2001.
[FIPS 140-2 IG] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module
Validation Program, National Institute of Standards and Technology
Canadian Centre for Cyber Security, 4 May 2021
[Help] LogRhythm NextGen SIEM 7.8.0 Documentation, Version 7.8.0.
[SP 800-57 P3] NIST Special Publication 800-57 Part 3, Revision 1
Recommendation for Key Management Part 3: Application-Specific Key Management
Guidance, National Institute of Standards and Technology, January 2015
[SP 800-131A] NIST Special Publication 800-131A, Revision 2
Transitioning the Use of Cryptographic Algorithms and Key Lengths, National
Institute of Standards and Technology, March 2019
[Win BCRYPT] Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft
Windows 10 Home Edition (32-bit version) Windows 10 Pro Edition (64-bit version)
Windows 10 Enterprise Edition (64-bit version) Windows 10 Education Edition (64-
bit version) Windows 10 S Edition (64-bit version) Windows 10 Mobile Microsoft
Surface Hub Windows Server Standard Core Windows Server Datacenter Core
Microsoft Azure Data Box Edge, Document Version 1.4, 7 May 2020
Non-proprietary security policy. May be reproduced only in its original entirety without revision.
Page 25 of 25
Appendix A: TLS Cipher Suites
Below is a list of the supported TLS Cipher Suites:
Table 11 TLS Ciphersuites
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.2, TLS 1.0
TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.2, TLS 1.0
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.2, TLS 1.0