FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Libgcrypt
Document Version 1.8 © SafeLogic Page 1 of 29

FIPS 140-2 Non-Proprietary Security Policy
CryptoComply for Libgcrypt, Software Version 4.0, Document Version 1.8, March 12, 2018
SafeLogic Inc.
530 Lytton Ave., Suite 200, Palo Alto, CA 94301, www.safelogic.com
Abstract

This document provides a non-proprietary FIPS 140-2 Security Policy for CryptoComply for Libgcrypt. SafeLogic's CryptoComply for Libgcrypt is designed to provide FIPS 140-2 validated cryptographic functionality and is available for licensing. For more information, visit https://www.safelogic.com/cryptocomply-for-libgcrypt/.
Table of Contents

1 Introduction (page 5)
  1.1 About FIPS 140 (page 5)
  1.2 About this Document (page 5)
  1.3 External Resources (page 5)
  1.4 Notices (page 5)
2 CryptoComply for Libgcrypt (page 6)
  2.1 Cryptographic Module Specification (page 6)
    2.1.1 Validation Level Detail (page 6)
    2.1.2 Modes of Operation (page 7)
    2.1.3 Approved Cryptographic Algorithms (page 8)
    2.1.4 Non-Approved Cryptographic Algorithms (page 10)
    2.1.5 Non-Approved Mode of Operation (page 10)
  2.2 Critical Security Parameters and Public Keys (page 12)
    2.2.1 Critical Security Parameters (page 12)
    2.2.2 Random Number Generation (page 14)
    2.2.3 Key/Critical Security Parameter (CSP) Access (page 14)
    2.2.4 Key CSP Storage (page 14)
    2.2.5 Key/CSP Zeroization (page 14)
  2.3 Module Interfaces (page 15)
  2.4 Roles, Services, and Authentication (page 18)
    2.4.1 Assumption of Roles (page 18)
    2.4.2 Services (page 18)
  2.5 Physical Security (page 21)
  2.6 Operational Environment (page 21)
  2.7 Self-Tests (page 22)
    2.7.1 Power-Up Self-Tests (page 22)
    2.7.2 On-Demand Self-Tests (page 23)
    2.7.3 Conditional Self-Tests (page 23)
  2.8 Mitigation of Other Attacks (page 24)
3 Security Rules and Guidance (page 26)
  3.1 Crypto Officer Guidance (page 26)
  3.2 User Guidance (page 26)
    3.2.1 Three-key Triple-DES (page 27)
4 References and Acronyms (page 28)
  4.1 References (page 28)
  4.2 Acronyms (page 28)
List of Tables

Table 1 – Validation Level by FIPS 140-2 Section (page 6)
Table 2 – FIPS-Approved Algorithm Certificates (page 9)
Table 3 – Non-Approved but Allowed Cryptographic Algorithms (page 10)
Table 4 – Non-Approved Cryptographic Functions for use in non-FIPS mode only (page 11)
Table 5 – Critical Security Parameters (page 13)
Table 6 – Logical Interface / Physical Interface Mapping (page 17)
Table 7 – Description of Roles (page 18)
Table 8 – Cryptographic Module's Approved Services (page 19)
Table 9 – CSP Access Rights within Services (page 21)
Table 10 – FIPS Tested Configurations (page 22)
Table 11 – PAA Function Implementations (page 22)
Table 12 – Power-Up Self-Tests (page 23)
Table 13 – Conditional Self-Tests (page 23)
Table 14 – References (page 28)
Table 15 – Acronyms and Terms (page 29)

List of Figures

Figure 1 – Module Boundary and Interfaces Diagram (page 15)
1 Introduction

1.1 About FIPS 140

Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment Canada (CSE) Cryptographic Module Validation Program (CMVP) run the FIPS 140 program. The NVLAP accredits independent testing labs to perform FIPS 140 testing; the CMVP validates modules meeting FIPS 140 validation. Validated is the term given to a module that is documented and tested against the FIPS 140 criteria. More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html.

1.2 About this Document

This non-proprietary Cryptographic Module Security Policy for CryptoComply for Libgcrypt from SafeLogic provides an overview of the product and a high-level description of how it meets the overall Level 1 security requirements of FIPS 140-2. CryptoComply for Libgcrypt may also be referred to as the "module" in this document.

1.3 External Resources

The SafeLogic website (https://www.safelogic.com) contains information on SafeLogic services and products. The Cryptographic Module Validation Program website contains links to the FIPS 140-2 certificate and SafeLogic contact information.

1.4 Notices

This document may be freely reproduced and distributed in its entirety without modification.
2 CryptoComply for Libgcrypt

2.1 Cryptographic Module Specification

CryptoComply for Libgcrypt (hereafter referred to as "the module") is a software library implementing general purpose cryptographic algorithms. The software version is 4.0. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). The module's logical cryptographic boundary is the shared library file and its integrity check file as listed below:

• libgcrypt.so.11
• libgcrypt.so.11.hmac

2.1.1 Validation Level Detail

The following table lists the level of validation for each area in FIPS 140-2:

FIPS 140-2 Section Title | Validation Level
--- | ---
Cryptographic Module Specification | 1
Cryptographic Module Ports and Interfaces | 1
Roles, Services, and Authentication | 1
Finite State Model | 1
Physical Security | N/A
Operational Environment | 1
Cryptographic Key Management | 1
Electromagnetic Interference/Electromagnetic Compatibility | 1
Self-Tests | 1
Design Assurance | 1
Mitigation of Other Attacks | 1

Table 1 – Validation Level by FIPS 140-2 Section
2.1.2 Modes of Operation

The module supports two modes of operation: FIPS approved and non-approved modes. The mode of operation in which the module is operating can be determined by:

• If the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, Libgcrypt is put into FIPS mode at initialization time.
• If the file /etc/gcrypt/fips_enabled exists, Libgcrypt is put into FIPS mode at initialization time. Note that this file name is hardwired and does not depend on any configuration options.

The module turns to the FIPS approved mode after the initialization and the power-on self-tests have completed successfully. When Libgcrypt is in the FIPS mode of operation, requests for services involving non-FIPS approved algorithms will be denied. However, the module does not check for approved key sizes or approved modes of algorithms.

The services available in FIPS mode can be found in Section 2.1.3, Table 2. The non-Approved but allowed services can be found in Section 2.1.4, Table 3. The services available in non-FIPS mode can be found in Section 2.1.5, Table 4.

Note: Using non-Approved key sizes, algorithms or block chaining modes specified in Table 4 will result in the module implicitly entering the non-FIPS mode of operation.
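As an added illustration (not code from the security policy or from libgcrypt itself), the C program below reproduces the two FIPS-mode triggers above as a stand-alone check. The paths are parameters so the logic can be exercised with constructed files; the /tmp file names used in the demo are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Rule 1: /proc/sys/crypto/fips_enabled exists and holds a numeric value
 * other than 0. A missing file or non-numeric content counts as "not set". */
static int proc_flag_nonzero(const char *path)
{
    char buf[32];
    char *end;
    long value;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return 0;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return 0;
    }
    fclose(f);
    value = strtol(buf, &end, 10);
    if (end == buf)
        return 0;                 /* no digits at all: not a numeric value */
    return value != 0;
}

/* Rule 2: /etc/gcrypt/fips_enabled only has to exist; its content is
 * irrelevant, and the library hardwires the path. */
static int file_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Either trigger puts the library into FIPS mode at initialization time. */
int fips_mode_requested(const char *proc_path, const char *etc_path)
{
    return proc_flag_nonzero(proc_path) || file_exists(etc_path);
}

/* Helper used only to build constructed demo files; returns 0 on success. */
int write_text_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    if (fputs(text, f) < 0) {
        fclose(f);
        return -1;
    }
    return fclose(f);
}

int main(void)
{
    /* Live check against the two paths named in the security policy. */
    printf("this system requests FIPS mode: %s\n",
           fips_mode_requested("/proc/sys/crypto/fips_enabled",
                               "/etc/gcrypt/fips_enabled") ? "yes" : "no");

    /* Constructed scenario (assumed /tmp names): flag file holding "1". */
    if (write_text_file("/tmp/demo_fips_enabled", "1\n") == 0) {
        printf("constructed flag '1': %s\n",
               fips_mode_requested("/tmp/demo_fips_enabled",
                                   "/tmp/demo_no_such_file") ? "yes" : "no");
        remove("/tmp/demo_fips_enabled");
    }
    return 0;
}
```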
2.1.3 Approved Cryptographic Algorithms

The module's cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program.

CAVP Cert. | Algorithm | Standard | Mode/Method | Key Lengths, Curves or Moduli | Use
--- | --- | --- | --- | --- | ---
3643, 3644, 3645, 3646 | AES | FIPS 197, SP 800-38A | ECB, CBC, OFB, CFB128, CTR | 128, 192, 256 | Encryption, Decryption
972, 973, 974, 975, 979, 980 | DRBG | SP 800-90A | CTR DRBG using AES 128/192/256 with derivation function (with and without prediction resistance); Hash DRBG using SHA-1/256/384/512 (with and without prediction resistance); HMAC DRBG using HMAC SHA-1/256/384/512 (with and without prediction resistance) | 112, 128, 192, 256 | Random Bit Generation
1020, 1021 | DSA (1) | FIPS 186-4 | Key Pair Generation, Signature Generation, Signature Verification | 1024, 2048, 3072 bits (1024 only for SigVer) | Digital Signature Services
2398, 2399 | HMAC | FIPS 198-1 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | At least 112 bits; KS<BS, KS=BS, KS>BS | Generation, Authentication
1882, 1883 | RSA | FIPS 186-4 | PKCS#1 v2.1 (PSS and PKCS1.5) | 1024, 2048, 3072, and 4096 bits (1024 only for SigVer) | Key Pair Generation, Signature Generation, Signature Verification, Component Test
3065, 3066 | SHA | FIPS 180-4 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | N/A | Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
2033, 2034 | Triple-DES | SP 800-67 | TECB, TCBC, TCFB64, TOFB, CTR | 2-key, 3-key | Encryption, Decryption

Table 2 – FIPS-Approved Algorithm Certificates

(1) DSA signature generation with SHA-1 is only for use with protocols.
2.1.4 Non-Approved Cryptographic Algorithms

The module supports the following non-FIPS 140-2 approved but allowed algorithms that may be used in the Approved mode of operation.

Algorithm | Use
--- | ---
RSA Key Encrypt/Decryption [IG D.9] | RSA may be used by a calling application as part of a key encapsulation scheme. Key sizes: 2048 and 3072 bits
NDRNG | Generation of random numbers

Table 3 – Non-Approved but Allowed Cryptographic Algorithms
2.1.5 Non-Approved Mode of Operation

The module supports a non-approved mode of operation. The algorithms listed in this section are not to be used by the operator in the FIPS Approved mode of operation.

Algorithm | Use
--- | ---
ARC4 | Encryption and decryption (stream cipher)
Blowfish | Encryption and decryption
Camellia | Encryption and decryption
CAST5 | Encryption and decryption
CRC32 | Cyclic redundancy code
CSPRNG | Cryptographically Secure Pseudorandom Number Generator
DES | Encryption and decryption (key size of 56 bits)
ElGamal | Key pair generation, encryption and decryption, signature generation, signature verification
Gost | 28147 encryption; R 34.11-94 hash; R 34.11-2012 (Stribog) hash
HMAC (SHA1, SHA224, SHA256, SHA384 and SHA512) | Key size < 112 bits
IDEA | Encryption and decryption
MD4 | Hashing; digest size 128 bit
MD5 | Hashing; digest size 128 bit
OpenPGP S2K Salted and Iterated/salted | Password based key derivation compliant with OpenPGP (RFC 4880)
RC2 | Encryption and decryption based on RFC 2268
RIPEMD160 | Hashing
RSA | Encryption/decryption: 1024 bits; signature generation, key generation: 1024 bits
SEED | Encryption and decryption
Serpent | Encryption and decryption
Tiger | Hashing
Twofish | Encryption and decryption
2-key Triple-DES | Encryption
Whirlpool | Hashing
Services available in FIPS mode | The services available in FIPS mode can be used in non-FIPS mode; CSPs/keys separation is enforced between both modes

Table 4 – Non-Approved Cryptographic Functions for use in non-FIPS mode only
2.2 Critical Security Parameters and Public Keys

2.2.1 Critical Security Parameters

The table below provides a complete list of Critical Security Parameters used within the module:

CSP | Description/Usage | Key Generation | Key Storage | Key Entry/Output | Key Zeroization
--- | --- | --- | --- | --- | ---
AES Keys: [FIPS-197, Addendum to SP 800-38A] AES (128/192/256) encrypt key (19) | Encryption and decryption | Use of the module's SP 800-90A DRBG | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free()
Triple-DES Keys | Encryption and decryption | Use of the module's SP 800-90A DRBG | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free()
DSA Private Keys | Signature generation | Use of the module's SP 800-90A DRBG and the module's DSA key generation mechanism | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free()
RSA Private Keys | Signature generation | Use of the module's SP 800-90A DRBG and the module's RSA key generation mechanism | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free()
SP 800-90A DRBG Entropy string | Seeding material | The seed data obtained from hardware random number generator /dev/random | Application's memory | N/A | Automatically zeroized when freeing the cipher handler by calling gcry_free()
SP 800-90A DRBG Seed and internal state values (C and V values) | DRBG state | Based on entropy string as defined in SP 800-90A | Application's memory | N/A | Automatically zeroized when freeing the cipher handler by calling gcry_free()
HMAC Keys | Keyed hashing | Use of the module's SP 800-90A DRBG | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free()

Table 5 – Critical Security Parameters

(19) The AES-GCM key and IV are generated randomly per IG A.5, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed.
2.2.2 Random Number Generation

The module employs a Deterministic Random Bit Generator (DRBG) based on [SP 800-90A] for the creation of asymmetric and symmetric keys. The DRBG is initialized during module initialization. The module loads by default the DRBG using HMAC_DRBG with SHA-256 and derivation function tests without prediction resistance. The DRBG is seeded during initialization with a seed obtained from /dev/random of the appropriate length depending on the instantiated type (see Section 10 of [SP 800-90A]). The module performs continuous tests on the output of the DRBG to ensure that consecutive random numbers do not repeat. The noise source of /dev/random also implements continuous tests.

2.2.3 Key/Critical Security Parameter (CSP) Access

An authorized application user (the User role) has access to all key data generated during the operation of the module. Moreover, the module does not support the output of intermediate key generation values during the key generation process.

2.2.4 Key CSP Storage

Public and private keys are provided to the module by the calling process, and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of keys.

2.2.5 Key/CSP Zeroization

The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate destruction functions provided in the module's API by using the API function gcry_free(). The destruction functions overwrite the memory occupied by keys with "zeros" and deallocate the memory with the regular memory deallocation operating system call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process.
2.3 Module Interfaces

The figure below shows the module's physical and logical block diagram:

Figure 1 – Module Boundary and Interfaces Diagram

The interfaces (ports) for the physical boundary include the computer keyboard port, mouse port, network port, USB ports, display and power plug. When operational, the module does not transmit any information across these physical ports because it is a software cryptographic module. Therefore, the module's interfaces are purely logical and are provided through the Application Programming Interface (API) that a calling daemon can operate. The logical interfaces expose services that applications directly call, and the API provides functions that may be called by a referencing application (see Section 2.4 – Roles, Services, and Authentication for the list of available functions). The module distinguishes between logical interfaces by logically separating the information according to the defined API.
The API provided by the module is mapped onto the FIPS 140-2 logical interfaces: data input, data output, control input, and status output. Each of the FIPS 140-2 logical interfaces relates to the module's callable interface, as follows:

FIPS 140-2 Interface | Logical Interface | Module Physical Interface
--- | --- | ---
Data Input | API input parameters for data | Network Interface
Data Output | API output parameters for data | Network Interface
Control Input | API function calls, API input parameters, /proc/sys/crypto/fips_enabled control file, /etc/gcrypt/fips_enabled configuration file | Keyboard Interface, Mouse Interface
Status Output | API return codes, API output parameters | Display Controller, Network Interface
Power | None | Power Supply

Table 6 – Logical Interface / Physical Interface Mapping

The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the API function calls and the input parameters used to control the behavior of the module. The Status Output interface includes the return values of the API functions and status sent through output parameters. As shown in Figure 1 – Module Boundary and Interfaces Diagram and Table 8 – Cryptographic Module's Approved Services, the output data path is provided by the data interfaces and is logically disconnected from processes performing key generation or zeroization. No key information will be output through the data output interface when the module zeroizes keys.
2.4 Roles, Services, and Authentication

2.4.1 Assumption of Roles

The module supports two distinct operator roles, User and Crypto Officer (CO). The cryptographic module implicitly maps the two roles to the services. A user is considered the owner of the thread that instantiates the module and, therefore, only one concurrent user is allowed.

The module does not support a Maintenance role or bypass capability. The module does not support authentication.

Role | Role Description | Authentication Type
--- | --- | ---
CO | Performs module installation and configuration and some basic functions: get status function and performing self-tests. | N/A – Authentication is not a requirement for Level 1
User | Performs all services, except module installation and configuration. | N/A – Authentication is not a requirement for Level 1

Table 7 – Description of Roles
2.4.2 Services

All services implemented by the module are listed in Table 8 – Cryptographic Module's Approved Services. The second column provides a description of each service and availability to the Crypto Officer and User, in columns 3 and 4, respectively.

Service | Description | CO | User
--- | --- | --- | ---
Symmetric Encryption/Decryption | AES and Triple-DES encryption and decryption | | X
Get Key Length | cipher_get_keylen() function | | X
Get Block Length | Cipher_get_blocksize() function | | X
Check Availability of Algorithm | Cipher_get_blocksize() function | | X
Secure Hash Algorithm (SHS) | SHA function | | X
HMAC | HMAC function | | X
RSA | FIPS 186-4 RSASSA-PKCS#1.5 and RSASSA-PSS function | | X
DSA | DSA FIPS 186-4 function | | X
Generate Random Numbers | Fill buffer with length random bytes; function to allocate a memory block consisting of nbytes of random bytes; function to allocate a memory block consisting of nbytes fresh random bytes using a random quality as defined by level. This function differs from gcry_randomize() in that the returned buffer is allocated in a "secure" area of the memory | | X
Initialize Module | Powering-up the module | | X
Self tests | Performs Known Answer Tests (KAT) and Integrity check | X | X
Zeroize Secure Memory | Gcry_free() or gcry_xfree() functions | | X
Release all Resources of Context Created By gcry_cipher_open() | Zeroizes all sensitive information associated with this cipher handle | | X
Release all Resources of Hash Context Created by gcry_md_open() | Zeroizes all sensitive information associated with this cipher handle | | X
Release the S-expression Objects SEXP | N/A | | X
Show Status | N/A | X | X
Installation and Configuration of the Module | N/A | X |

Table 8 – Cryptographic Module's Approved Services
Table 9 – CSP Access Rights within Services defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as:

R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP.
E = Execute: The module executes using the CSP.
W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, when the module generates a CSP, or when the module overwrites an existing CSP.
Z = Zeroize: The module zeroizes the CSP.

Service | AES Keys | Triple-DES Keys | DSA Private Keys | RSA Private Keys | SP 800-90A DRBG Entropy String | SP 800-90A DRBG Seed and internal state values (C and V values) | HMAC Keys
--- | --- | --- | --- | --- | --- | --- | ---
Symmetric Encryption/Decryption | RWE | RWE | - | - | - | - | -
Get Key Length | - | - | - | - | - | - | -
Get Block Length | - | - | - | - | - | - | -
Check Availability of Algorithm | - | - | - | - | - | - | -
Secure Hash Algorithm (SHS) | - | - | - | - | - | - | -
HMAC | - | - | - | - | - | - | RWE
RSA | - | - | - | RWE | - | - | -
DSA | - | - | RWE | - | - | - | -
Generate Random Numbers | - | - | - | - | - | WE | -
Initialize Module | - | - | - | - | - | - | -
Self tests | - | - | - | - | - | - | -
Zeroize Secure Memory | Z | Z | Z | Z | Z | Z | Z
Release all resources of context created by gcry_cipher_open() | WE | WE | - | - | - | - | -
Release all resources of hash context created by gcry_md_open() | - | - | - | - | - | - | -
Release the S-expression objects SEXP | - | - | RWE | RWE | - | - | -
Show Status | - | - | - | - | - | - | -
Installation and Configuration of the Module | - | - | - | - | - | - | -

Table 9 – CSP Access Rights within Services
2.5 Physical Security

The module is a software-only module and does not have physical security mechanisms.

2.6 Operational Environment

The module operates in a modifiable operational environment under the FIPS 140-2 Level 1 definitions. The module runs on a commercially available general-purpose operating system executing on the hardware specified below. The operating system is restricted to a single operator (concurrent operators are explicitly excluded). The application that requests cryptographic services is the single user of the module, even when the application is serving multiple clients. In FIPS Approved mode, the ptrace(2) system call, the debugger (gdb(1)), and strace(1) shall not be used.
The module was tested on the following platforms:

Hardware | Processor | Operating System | w/ AES-NI | Without AES-NI
--- | --- | --- | --- | ---
HP Proliant DL380p Gen8 | Intel® Xeon® E5-2600 v3 product family | Red Hat Enterprise Linux 7.1 | Yes | Yes

Table 10 – FIPS Tested Configurations

The module also includes algorithm implementations using Processor Algorithm Acceleration (PAA) functions provided by the different processors supported, as shown in the following:

Processor | Processor Algorithm Acceleration (PAA) Function | Cryptographic Module Implementation
--- | --- | ---
Intel x86 | AES-NI | AES

Table 11 – PAA Function Implementations
2.7 Self-Tests

The module performs power-up tests at module initialization to ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The self-tests are performed without any user intervention. While the module is performing the power-up tests, services are not available and input or output is not possible: the module is single-threaded and will not return to the calling application until the self-tests are completed successfully.

2.7.1 Power-Up Self-Tests

Algorithm | Test
--- | ---
Triple-DES | KAT, encryption and decryption tested separately
AES 128 | KAT, encryption and decryption tested separately
AES 192 | KAT, encryption and decryption tested separately
AES 256 | KAT, encryption and decryption tested separately
SHA-1 | KAT
SHA-224 | KAT
SHA-256 | KAT
SHA-384 | KAT
SHA-512 | KAT
HMAC SHA-1 | KAT
HMAC SHA-256 | KAT
HMAC SHA-384 | KAT
HMAC SHA-512 | KAT
DRBG (Hash, HMAC and CTR-based) | KAT
RSA | KAT of signature generation/verification
DSA | PCT of signature generation/verification
Module Integrity Test | HMAC SHA-256

Table 12 – Power-Up Self-Tests

2.7.2 On-Demand Self-Tests

The module provides the Self-Test service to perform self-tests on demand. This service performs the same cryptographic algorithm tests executed during power-up, plus some extended self-tests, such as testing additional block chaining modes. During the execution of the on-demand self-tests, services are not available and no data output or input is possible. To invoke the on-demand self-tests, the user can invoke the gcry_control(GCRYCTL_SELFTEST) command.

2.7.3 Conditional Self-Tests

The module implements the following conditional self-tests upon key generation, or random number generation (respectively):

Test Target | Description
--- | ---
DRBG | The continuous random number test is only used in FIPS mode. The RNG generates random numbers per block size depending on the underlying DRBG type (CTR, HMAC or Hash); the first block generated per context is saved in the context and another block is generated to be returned to the caller. Each block is compared against the saved block and then stored in the context. If a duplicated block is detected, an error is signaled and the library is put into the "Fatal-Error" state. (random/drbg.c:cdrbg_fips_continuous_test)
DSA | The test uses a random number of the size of the q parameter to create a signature and then checks that the signature verification is successful. As a second signing test, the data is modified by incrementing its value and then is verified against the signature with the expected result that the verification fails. (cipher/dsa.c:test_keys())
RSA | The test creates a random number of the size of p-64 bits and encrypts this value with the public key. Then the test checks that the encrypted value does not match the plaintext value. The test decrypts the ciphertext value and checks that it matches the original plaintext. The test will then generate another random plaintext, sign it, modify the signature by incrementing its value by 1, and verify that the signature verification fails. (cipher/rsa.c:test_keys())

Table 13 – Conditional Self-Tests
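The DRBG continuous test in Table 13, modelled in stand-alone C as an added example (this is not libgcrypt's drbg.c). The block generator is a callback so that a stuck source can be injected; the 16-byte block length is an assumption matching an AES-based CTR DRBG, and both generators are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 16   /* assumption: block size of an AES-based CTR DRBG */

/* Underlying block source; a real DRBG derives the block from its state. */
typedef int (*gen_block_fn)(void *state, uint8_t out[BLOCK_LEN]);

enum drbg_status { DRBG_OK = 0, DRBG_FATAL_ERROR = 1 };

typedef struct {
    gen_block_fn gen;
    void *gen_state;
    uint8_t last[BLOCK_LEN];   /* block kept in the context for comparison */
    int have_last;
    enum drbg_status status;   /* Fatal-Error is sticky once entered */
} drbg_ctx;

void drbg_init(drbg_ctx *c, gen_block_fn gen, void *gen_state)
{
    memset(c, 0, sizeof *c);
    c->gen = gen;
    c->gen_state = gen_state;
}

/* Returns 0 and one block on success, -1 once the context is in the
 * Fatal-Error state. Mirrors the description in Table 13: the first block
 * per context is only saved, every later block is compared with the saved
 * one before being stored and returned. */
int drbg_generate_block(drbg_ctx *c, uint8_t out[BLOCK_LEN])
{
    uint8_t blk[BLOCK_LEN];

    if (c->status != DRBG_OK)
        return -1;
    if (!c->have_last) {
        if (c->gen(c->gen_state, c->last) != 0)
            goto fatal;
        c->have_last = 1;
    }
    if (c->gen(c->gen_state, blk) != 0)
        goto fatal;
    if (memcmp(blk, c->last, BLOCK_LEN) == 0)
        goto fatal;               /* duplicate block: continuous test fails */
    memcpy(c->last, blk, BLOCK_LEN);
    memcpy(out, blk, BLOCK_LEN);
    return 0;

fatal:
    c->status = DRBG_FATAL_ERROR;
    memset(out, 0, BLOCK_LEN);    /* never hand out a suspect block */
    return -1;
}

/* Constructed healthy source: a counter that changes on every call. */
int counter_gen(void *state, uint8_t out[BLOCK_LEN])
{
    uint64_t *ctr = state;
    memset(out, 0, BLOCK_LEN);
    memcpy(out, ctr, sizeof *ctr);
    (*ctr)++;
    return 0;
}

/* Constructed faulty source: stops advancing after two distinct blocks,
 * so the third block it produces repeats the second. */
int stuck_gen(void *state, uint8_t out[BLOCK_LEN])
{
    uint64_t *ctr = state;
    memset(out, 0, BLOCK_LEN);
    memcpy(out, ctr, sizeof *ctr);
    if (*ctr < 2)
        (*ctr)++;
    return 0;
}

/* Requests n blocks from a fresh context and returns how many were
 * delivered; after the Fatal-Error state is entered every request fails. */
int blocks_delivered(gen_block_fn gen, int n)
{
    uint64_t ctr = 0;
    drbg_ctx c;
    uint8_t out[BLOCK_LEN];
    int delivered = 0, i;

    drbg_init(&c, gen, &ctr);
    for (i = 0; i < n; i++)
        if (drbg_generate_block(&c, out) == 0)
            delivered++;
    return delivered;
}

int main(void)
{
    printf("healthy source: %d of 10 blocks delivered\n",
           blocks_delivered(counter_gen, 10));
    printf("stuck source:   %d of 10 blocks delivered\n",
           blocks_delivered(stuck_gen, 10));
    return 0;
}
```

With the stuck source, the context saves block 0, returns blocks 1 and 2, and enters the Fatal-Error state on the repeated block 2, so only two blocks are ever delivered.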
2.8 Mitigation of Other Attacks

Libgcrypt uses a blinding technique for RSA decryption to mitigate real-world timing attacks over a network: instead of using the RSA decryption directly, a blinded value (y = x · r^e mod n) is decrypted and the unblinded value (x' = y^d · r^-1 mod n) returned. The blinding value "r" is a random value with the size of the modulus "n", generated with the 'GCRY_WEAK_RANDOM' random level.

Weak Triple-DES keys are detected as follows: in DES there are 64 known keys which are weak because they produce only one, two, or four different subkeys in the subkey scheduling process. The keys in this table have all their parity bits cleared.

```c
static byte weak_keys[64][8] =
{
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/
  { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e },
  { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 },
  { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe },
  { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/
  { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 },
  { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe },
  { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 },
  { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/
  { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe },
  { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 },
  { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e },
  { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/
  { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 },
  { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e },
  { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 },
  { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e },
  { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/
  { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe },
  { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 },
  { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 },
  { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/
  { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 },
  { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe },
  { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe },
  { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/
  { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e },
  { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 },
  { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 },
  { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/
  { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 },
  { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e },
  { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 },
  { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe },
  { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/
  { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e },
  { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe },
  { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 },
  { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/
  { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 },
  { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 },
  { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e },
  { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/
  { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe },
  { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e },
  { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 },
  { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/
  { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 },
  { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe },
  { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 },
  { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e },
  { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/
  { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 },
  { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe },
  { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 },
  { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/
  { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e },
  { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 },
  { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe },
  { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/
  { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 },
  { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e },
  { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 },
  { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }  /*w*/
};
```
3 Security Rules and Guidance

3.1 Crypto Officer Guidance

The module is provided directly to solution developers and is not available for direct download to the general public. The module and its host application are to be installed on an operating system specified in Section 2.6 or one where portability is maintained.

Because FIPS 140-2 has certain restrictions on the use of cryptography which are not always wanted, the Module needs to be put into FIPS Approved mode explicitly: if the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, the Module is put into FIPS Approved mode at initialization time. This is the mechanism recommended for ordinary use, activated by using the fips=1 option in the boot loader. If an application that uses the Module for its cryptography is put into a chroot environment, the Crypto Officer must ensure one of the above methods is available to the Module from within the chroot environment to ensure entry into FIPS Approved mode. Failure to do so will not allow the application to properly enter FIPS Approved mode. Once the Module has been put into FIPS Approved mode, it is not possible to switch back to standard mode without terminating the process first.

Because FIPS 140-2 has certain restrictions on the use of cryptography which are not always wanted, Libgcrypt needs to be put into FIPS mode explicitly. To switch Libgcrypt into this mode, the file /proc/sys/crypto/fips_enabled must contain a numeric value other than 0. If the application requests FIPS mode, use the control command gcry_control(GCRYCTL_FORCE_FIPS_MODE). This must be done prior to any initialization (i.e. before the gcry_check_version() function). Once Libgcrypt has been put into FIPS mode, it is not possible to switch back to standard mode without terminating the process first. If the logging verbosity level of Libgcrypt has been set to at least 2, the state transitions and the self-tests are logged.
3.2 User Guidance

Applications using Libgcrypt need to call gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0) after initialization is done: that ensures, among other things, that the DRBG is properly seeded. gcry_control(GCRYCTL_TERM_SECMEM) needs to be called before the process is terminated. The function gcry_set_allocation_handler() may not be used.

The user must not call malloc/free to create/release space for keys; let Libgcrypt manage space for keys, which will ensure that the key memory is overwritten before it is released. See the documentation file doc/gcrypt.texi within the source code tree for complete instructions for use. The information pages are included within the developer package. The user can find the documentation at the following location after having installed the developer package:

/usr/share/info/gcrypt.info-1.gz
/usr/share/info/gcrypt.info-2.gz
/usr/share/info/gcrypt.info.gz
3.2.1 Three-key Triple-DES

It is the calling application's responsibility to make sure that the three keys k1, k2 and k3 are independent. Two-key Triple-DES usage will bring the module into the non-Approved mode of operation implicitly.
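An added example, not libgcrypt's code, tying together the weak-key table discussed earlier and the Section 3.2.1 rule above: a DES weak-key check performed on parity-cleared bytes, and a three-key Triple-DES check that also rejects subkeys which are not pairwise distinct. The generating rule for the 64 keys is an observation made for this example from the table on the page, not a statement the page makes.

```c
/* Added example, not libgcrypt code: weak-DES-key and Triple-DES subkey
 * checks of the kind the Security Policy describes.  Keys are compared with
 * their parity bits cleared, as the 64-entry weak_keys table stores them. */
#include <stdint.h>
#include <string.h>

/* Structure observed in the page's table (an observation made for this
 * example, not a statement from the page): bytes 0..2 are each drawn from
 * {00,1e,e0,fe}, byte 3 is the XOR of bytes 0..2, and bytes 4..7 are bytes
 * 0..3 mapped 00->00, 1e->0e, e0->f0, fe->fe.  Enumerating that structure
 * reproduces all 64 rows of the table, so no literal table is needed here. */
static const uint8_t HI[4] = { 0x00, 0x1e, 0xe0, 0xfe };
static const uint8_t LO[4] = { 0x00, 0x0e, 0xf0, 0xfe };

static void weak_key(int n, uint8_t out[8])
{
    int idx[4] = { (n >> 4) & 3, (n >> 2) & 3, n & 3, 0 };
    idx[3] = idx[0] ^ idx[1] ^ idx[2];   /* XOR of HI values == XOR of indices */
    for (int i = 0; i < 4; i++) {
        out[i] = HI[idx[i]];
        out[i + 4] = LO[idx[i]];
    }
}

/* 1 if KEY (8 bytes, parity bits ignored) is a weak or semi-weak DES key. */
int des_key_is_weak(const uint8_t key[8])
{
    uint8_t k[8], w[8];
    for (int i = 0; i < 8; i++) k[i] = key[i] & 0xfe;   /* clear parity bits */
    for (int n = 0; n < 64; n++) {
        weak_key(n, w);
        if (memcmp(k, w, 8) == 0) return 1;
    }
    return 0;
}

/* Three-key Triple-DES check in the spirit of Section 3.2.1.  Returns
 * 0 = ok, 1 = a subkey is weak, 2 = subkeys not pairwise distinct (two-key
 * Triple-DES, which the policy says drops the module out of Approved mode). */
int tdes_key_check(const uint8_t key[24])
{
    uint8_t k[3][8];
    for (int s = 0; s < 3; s++) {
        for (int i = 0; i < 8; i++) k[s][i] = key[8 * s + i] & 0xfe;
        if (des_key_is_weak(k[s])) return 1;
    }
    if (!memcmp(k[0], k[1], 8) || !memcmp(k[1], k[2], 8) || !memcmp(k[0], k[2], 8))
        return 2;   /* parity-only differences do not make keys distinct */
    return 0;
}
```

Run tdes_key_check() on the raw 24-byte key before handing it to the cipher setup; a non-zero result means the key must be rejected rather than used.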
4 References and Acronyms

4.1 References

Abbreviation    Full Specification Name
FIPS 140-2      Security Requirements for Cryptographic Modules, May 25, 2001
FIPS 180-4      Secure Hash Standard (SHS)
FIPS 186-4      Digital Signature Standard (DSS)
FIPS 197        Advanced Encryption Standard
FIPS 198-1      The Keyed-Hash Message Authentication Code (HMAC)
IG              Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
PKCS #1 v2.1    RSA Cryptography Standard
SP 800-38A      Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
SP 800-56B      Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
SP 800-67       Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-89       Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-90A      Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Table 14 – References
4.2 Acronyms

The following table defines acronyms found in this document:

Acronym   Term
AES       Advanced Encryption Standard
API       Application Programming Interface
CAVP      Cryptographic Algorithm Validation Program
CBC       Cipher-Block Chaining
CFB       Cipher Feedback Mode
CMVP      Cryptographic Module Validation Program
CO        Crypto Officer
CSP       Critical Security Parameter
CTR       Counter-mode
DES       Data Encryption Standard
DRAM      Dynamic Random Access Memory
DRBG      Deterministic Random Bit Generator
DSA       Digital Signature Algorithm
ECB       Electronic Code Book
EMC       Electromagnetic Compatibility
EMI       Electromagnetic Interference
FCC       Federal Communications Commission
FIPS      Federal Information Processing Standard
GPC       General Purpose Computer
HMAC      (Keyed-) Hash Message Authentication Code
IG        Implementation Guidance
KAT       Known Answer Test
MAC       Message Authentication Code
N/A       Non Applicable
NDRNG     Non Deterministic Random Number Generator
NIST      National Institute of Science and Technology
OFB       Output Feedback
OS        Operating System
PKCS      Public-Key Cryptography Standards
PSS       Probabilistic Signature Scheme
RIPEMD    RACE Integrity Primitives Evaluation Message Digest
RSA       Rivest, Shamir, and Adleman
SHA       Secure Hash Algorithm
SHS       Secure Hash Standard
TCBC      TDEA Cipher-Block Chaining
TCFB      TDEA Cipher Feedback Mode
TDES      Triple Data Encryption Standard
TECB      TDEA Electronic Codebook
TOFB      TDEA Output Feedback
USB       Universal Serial Bus

Table 15 – Acronyms and Terms