FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Libgcrypt

Document Version 1.8 ©SafeLogic

FIPS 140-2 Non-Proprietary Security Policy
CryptoComply for Libgcrypt
Software Version 4.0
Document Version 1.8
March 12, 2018

SafeLogic Inc.
530 Lytton Ave., Suite 200
Palo Alto, CA 94301
www.safelogic.com


Abstract

This document provides a non-proprietary FIPS 140-2 Security Policy for CryptoComply for Libgcrypt. SafeLogic's CryptoComply for Libgcrypt is designed to provide FIPS 140-2 validated cryptographic functionality and is available for licensing. For more information, visit https://www.safelogic.com/cryptocomply-for-libgcrypt/.

Table of Contents

1 Introduction ..... 5
1.1 About FIPS 140 ..... 5
1.2 About this Document ..... 5
1.3 External Resources ..... 5
1.4 Notices ..... 5
2 CryptoComply for Libgcrypt ..... 6
2.1 Cryptographic Module Specification ..... 6
2.1.1 Validation Level Detail ..... 6
2.1.2 Modes of Operation ..... 7
2.1.3 Approved Cryptographic Algorithms ..... 8
2.1.4 Non-Approved Cryptographic Algorithms ..... 10
2.1.5 Non-Approved Mode of Operation ..... 10
2.2 Critical Security Parameters and Public Keys ..... 12
2.2.1 Critical Security Parameters ..... 12
2.2.2 Random Number Generation ..... 14
2.2.3 Key/Critical Security Parameter (CSP) Access ..... 14
2.2.4 Key CSP Storage ..... 14
2.2.5 Key/CSP Zeroization ..... 14
2.3 Module Interfaces ..... 15
2.4 Roles, Services, and Authentication ..... 18
2.4.1 Assumption of Roles ..... 18
2.4.2 Services ..... 18
2.5 Physical Security ..... 21
2.6 Operational Environment ..... 21
2.7 Self-Tests ..... 22
2.7.1 Power-Up Self-Tests ..... 22
2.7.2 On-Demand Self-Tests ..... 23
2.7.3 Conditional Self-Tests ..... 23
2.8 Mitigation of Other Attacks ..... 24
3 Security Rules and Guidance ..... 26
3.1 Crypto Officer Guidance ..... 26
3.2 User Guidance ..... 26
3.2.1 Three-key Triple-DES ..... 27
4 References and Acronyms ..... 28
4.1 References ..... 28
4.2 Acronyms ..... 28

List of Tables

Table 1 – Validation Level by FIPS 140-2 Section ..... 6
Table 2 – FIPS-Approved Algorithm Certificates ..... 9
Table 3 – Non-Approved but Allowed Cryptographic Algorithms ..... 10
Table 4 – Non-Approved Cryptographic Functions for use in non-FIPS mode only ..... 11
Table 5 – Critical Security Parameters ..... 13
Table 6 – Logical Interface / Physical Interface Mapping ..... 17
Table 7 – Description of Roles ..... 18
Table 8 – Cryptographic Module's Approved Services ..... 19
Table 9 – CSP Access Rights within Services ..... 21
Table 10 – FIPS Tested Configurations ..... 22
Table 11 – PAA Function Implementations ..... 22
Table 12 – Power-Up Self-Tests ..... 23
Table 13 – Conditional Self-Tests ..... 23
Table 14 – References ..... 28
Table 15 – Acronyms and Terms ..... 29

List of Figures

Figure 1 – Module Boundary and Interfaces Diagram ..... 15


1 Introduction

1.1 About FIPS 140

Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Communications Security Establishment Canada (CSE) Cryptographic Module Validation Program (CMVP) run the FIPS 140 program. The NVLAP accredits independent testing labs to perform FIPS 140 testing; the CMVP validates modules meeting FIPS 140 validation. Validated is the term given to a module that is documented and tested against the FIPS 140 criteria. More information is available on the CMVP website at http://csrc.nist.gov/groups/STM/cmvp/index.html.

1.2 About this Document

This non-proprietary Cryptographic Module Security Policy for CryptoComply for Libgcrypt from SafeLogic provides an overview of the product and a high-level description of how it meets the overall Level 1 security requirements of FIPS 140-2. CryptoComply for Libgcrypt may also be referred to as the "module" in this document.

1.3 External Resources

The SafeLogic website (https://www.safelogic.com) contains information on SafeLogic services and products. The Cryptographic Module Validation Program website contains links to the FIPS 140-2 certificate and SafeLogic contact information.

1.4 Notices

This document may be freely reproduced and distributed in its entirety without modification.


2 CryptoComply for Libgcrypt

2.1 Cryptographic Module Specification

CryptoComply for Libgcrypt (hereafter referred to as "the module") is a software library implementing general purpose cryptographic algorithms. The software version is 4.0. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). The module's logical cryptographic boundary is the shared library file and its integrity check file as listed below:

• libgcrypt.so.11
• libgcrypt.so.11.hmac

2.1.1 Validation Level Detail

The following table lists the level of validation for each area in FIPS 140-2:

| FIPS 140-2 Section Title | Validation Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Ports and Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Finite State Model | 1 |
| Physical Security | N/A |
| Operational Environment | 1 |
| Cryptographic Key Management | 1 |
| Electromagnetic Interference / Electromagnetic Compatibility | 1 |
| Self-Tests | 1 |
| Design Assurance | 1 |
| Mitigation of Other Attacks | 1 |

Table 1 – Validation Level by FIPS 140-2 Section


2.1.2 Modes of Operation

The module supports two modes of operation: FIPS Approved and non-Approved modes. The mode of operation in which the module is operating can be determined by:

• If the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, Libgcrypt is put into FIPS mode at initialization time.

• If the file /etc/gcrypt/fips_enabled exists, Libgcrypt is put into FIPS mode at initialization time. Note that this file name is hardwired and does not depend on any configuration options.

The module turns to the FIPS Approved mode after the initialization and the power-on self-tests have completed successfully. When Libgcrypt is in the FIPS mode of operation, requests for services involving non-FIPS Approved algorithms will be denied. However, the module does not check for Approved key sizes or Approved modes of algorithms.

The services available in FIPS mode can be found in Section 2.1.3, Table 2. The non-Approved but allowed services can be found in Section 2.1.4, Table 3.

The services available in non-FIPS mode can be found in Section 2.1.5, Table 4. Note: using non-Approved key sizes, algorithms or block chaining modes specified in Table 4 will result in the module implicitly entering the non-FIPS mode of operation.
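The two start-up rules above, as an added Python illustration that is not libgcrypt's own code: the paths are parameters only so the decision can be exercised on constructed files (the real module reads the two fixed paths at initialization time). Note that, as the section states, this decision is about algorithm selection only; key sizes and modes are not checked by it.

```python
"""Illustration of the FIPS-mode decision in Section 2.1.2 (not libgcrypt code).

Rule 1: /proc/sys/crypto/fips_enabled exists and holds a numeric value other than 0.
Rule 2: /etc/gcrypt/fips_enabled exists (its contents are irrelevant; the path is hard-wired).
"""
import os
import tempfile

PROC_FIPS = "/proc/sys/crypto/fips_enabled"   # kernel control file named in the policy
ETC_FIPS = "/etc/gcrypt/fips_enabled"         # hard-wired marker file named in the policy


def proc_flag_requests_fips(content: str) -> bool:
    """Rule 1 on the file's text: numeric and non-zero. Empty or non-numeric text does
    not request FIPS mode (this is an assumption about how "numeric value" is read)."""
    stripped = content.strip()
    token = stripped.split()[0] if stripped else ""
    try:
        return int(token) != 0
    except ValueError:
        return False


def fips_mode_requested(proc_path: str = PROC_FIPS, etc_path: str = ETC_FIPS) -> bool:
    """True when either rule asks the module to start in FIPS mode."""
    if os.path.isfile(proc_path):
        try:
            with open(proc_path, encoding="ascii", errors="replace") as fh:
                if proc_flag_requests_fips(fh.read()):
                    return True
        except OSError:
            pass  # unreadable control file: fall through to rule 2
    return os.path.exists(etc_path)


def demo_with_constructed_files() -> dict:
    """Exercise both rules against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        proc = os.path.join(d, "proc_fips_enabled")
        etc = os.path.join(d, "etc_fips_enabled")
        missing = os.path.join(d, "does-not-exist")

        results["nothing present"] = fips_mode_requested(missing, missing)

        with open(proc, "w") as fh:
            fh.write("0\n")            # constructed: kernel flag present but 0
        results["proc flag 0"] = fips_mode_requested(proc, missing)

        with open(proc, "w") as fh:
            fh.write("1\n")            # constructed: kernel flag set
        results["proc flag 1"] = fips_mode_requested(proc, missing)

        open(etc, "w").close()         # constructed: empty marker, existence alone triggers
        results["etc marker only"] = fips_mode_requested(missing, etc)
    return results
```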


2.1.3 Approved Cryptographic Algorithms

The module's cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program.

| CAVP Cert. | Algorithm | Standard | Mode/Method | Key Lengths, Curves or Moduli | Use |
|---|---|---|---|---|---|
| 3643, 3644, 3645, 3646 | AES | FIPS 197, SP 800-38A | ECB, CBC, OFB, CFB128, CTR | 128, 192, 256 | Encryption, Decryption |
| 972, 973, 974, 975, 979, 980 | DRBG | SP 800-90A | CTR DRBG using AES 128/192/256 with derivation function (with and without prediction resistance); Hash DRBG using SHA-1/256/384/512 (with and without prediction resistance); HMAC DRBG using HMAC SHA-1/256/384/512 (with and without prediction resistance) | 112, 128, 192, 256 | Random Bit Generation |
| 1020, 1021 | DSA [1] | FIPS 186-4 | Key Pair Generation, Signature Generation, Signature Verification | 1024, 2048, 3072 bits (1024 only for SigVer) | Digital Signature Services |
| 2398, 2399 | HMAC | FIPS 198-1 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | At least 112 bits; KS<BS, KS=BS, KS>BS | Generation, Authentication |
| 1882, 1883 | RSA | FIPS 186-4 | PKCS#1 v2.1 (PSS and PKCS1.5) | 1024, 2048, 3072, and 4096 bits (1024 only for SigVer) | Key Pair Generation, Signature Generation, Signature Verification, Component Test |
| 3065, 3066 | SHA | FIPS 180-4 | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | | Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications |
| 2033, 2034 | Triple-DES | SP 800-67 | TECB, TCBC, TCFB64, TOFB, CTR | 2-key, 3-key | Encryption, Decryption |

Table 2 – FIPS-Approved Algorithm Certificates

[1] DSA signature generation with SHA-1 is only for use with protocols.


2.1.4 Non-Approved Cryptographic Algorithms

The module supports the following non-FIPS 140-2 Approved but allowed algorithms that may be used in the Approved mode of operation.

| Algorithm | Use |
|---|---|
| RSA Key Encrypt/Decryption [IG D.9] | RSA may be used by a calling application as part of a key encapsulation scheme. Key sizes: 2048 and 3072 bits |
| NDRNG | Generation of random numbers |

Table 3 – Non-Approved but Allowed Cryptographic Algorithms

2.1.5 Non-Approved Mode of Operation

The module supports a non-Approved mode of operation. The algorithms listed in this section are not to be used by the operator in the FIPS Approved mode of operation.

| Algorithm | Use |
|---|---|
| ARC4 | Encryption and decryption (stream cipher) |
| Blowfish | Encryption and decryption |
| Camellia | Encryption and decryption |
| CAST5 | Encryption and decryption |
| CRC32 | Cyclic redundancy code |
| CSPRNG | Cryptographically Secure Pseudorandom Number Generator |
| DES | Encryption and decryption (key size of 56 bits) |
| ElGamal | Key pair generation, encryption and decryption, signature generation, signature verification |
| Gost | 28147 encryption; R34.11-94 hash; R34.11-2012 (Stribog) hash |
| HMAC (SHA1, SHA224, SHA256, SHA384 and SHA512) | Key size < 112 bits |
| IDEA | Encryption and decryption |
| MD4 | Hashing; digest size 128 bit |
| MD5 | Hashing; digest size 128 bit |
| OpenPGP S2K Salted and Iterated/salted | Password based key derivation compliant with OpenPGP (RFC 4880) |
| RC2 | Encryption and decryption based on RFC 2268 |
| RIPEMD160 | Hashing |
| RSA | Encryption/decryption: 1024 bits; signature generation, key generation: 1024 bits |
| SEED | Encryption and decryption |
| Serpent | Encryption and decryption |
| Tiger | Hashing |
| Twofish | Encryption and decryption |
| 2-key Triple-DES | Encryption |
| Whirlpool | Hashing |
| Services available in FIPS mode | The services available in FIPS mode can be used in non-FIPS mode; CSPs/keys separation is enforced between both modes |

Table 4 – Non-Approved Cryptographic Functions for use in non-FIPS mode only


2.2 Critical Security Parameters and Public Keys

2.2.1 Critical Security Parameters

The table below provides a complete list of Critical Security Parameters used within the module:

| CSP | Description/Usage | Key Generation | Key Storage | Key Entry/Output | Key Zeroization |
|---|---|---|---|---|---|
| AES Keys | [FIPS-197, Addendum to SP 800-38A] AES (128/192/256) encrypt key [19]; encryption and decryption | Use of the module's SP 800-90A DRBG | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free() |
| Triple-DES Keys | Encryption and decryption | Use of the module's SP 800-90A DRBG | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free() |
| DSA Private Keys | Signature generation | Use of the module's SP 800-90A DRBG and the module's DSA key generation mechanism | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free() |
| RSA Private Keys | Signature generation | Use of the module's SP 800-90A DRBG and the module's RSA key generation mechanism | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free() |
| SP 800-90A DRBG Entropy string | Seeding material | The seed data obtained from hardware random number generator /dev/random | Application's memory | N/A | Automatically zeroized when freeing the cipher handler by calling gcry_free() |
| SP 800-90A DRBG Seed and internal state values (C and V values) | DRBG state | Based on entropy string as defined in SP 800-90A | Application's memory | N/A | Automatically zeroized when freeing the cipher handler by calling gcry_free() |
| HMAC Keys | Keyed hashing | Use of the module's SP 800-90A DRBG | Application's memory | API input/output parameters and return values within the physical boundaries of the module | Automatically zeroized when freeing the cipher handler by calling gcry_free() |

Table 5 – Critical Security Parameters

[19] The AES-GCM key and IV are generated randomly per IG A.5, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed.


2.2.2 Random Number Generation

The module employs a Deterministic Random Bit Generator (DRBG) based on [SP 800-90A] for the creation of asymmetric and symmetric keys. The DRBG is initialized during module initialization. The module loads by default the DRBG using HMAC_DRBG with SHA-256 and derivation function tests without prediction resistance. The DRBG is seeded during initialization with a seed obtained from /dev/random of the appropriate length depending on the instantiated type (see Section 10 of [SP 800-90A]). The module performs continuous tests on the output of the DRBG to ensure that consecutive random numbers do not repeat. The noise source of /dev/random also implements continuous tests.

2.2.3 Key/Critical Security Parameter (CSP) Access

An authorized application user (the User role) has access to all key data generated during the operation of the module. Moreover, the module does not support the output of intermediate key generation values during the key generation process.

2.2.4 Key CSP Storage

Public and private keys are provided to the module by the calling process, and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of keys.

2.2.5 Key/CSP Zeroization

The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate destruction functions provided in the module's API by using the API function gcry_free(). The destruction functions overwrite the memory occupied by keys with "zeros" and deallocate the memory with the regular memory deallocation operating system call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process.


2.3 Module Interfaces

The figure below shows the module's physical and logical block diagram:

[Figure 1 – Module Boundary and Interfaces Diagram]

The interfaces (ports) for the physical boundary include the computer keyboard port, mouse port, network port, USB ports, display and power plug. When operational, the module does not transmit any information across these physical ports because it is a software cryptographic module. Therefore, the module's interfaces are purely logical and are provided through the Application Programming Interface (API) that a calling daemon can operate. The logical interfaces expose services that applications directly call, and the API provides functions that may be called by a referencing application (see Section 2.4 – Roles, Services, and Authentication for the list of available functions). The module distinguishes between logical interfaces by logically separating the information according to the defined API.

The API provided by the module is mapped onto the FIPS 140-2 logical interfaces: data input, data output, control input, and status output. Each of the FIPS 140-2 logical interfaces relates to the module's callable interface, as follows:

| FIPS 140-2 Interface | Logical Interface | Module Physical Interface |
|---|---|---|
| Data Input | API input parameters for data | Network Interface |
| Data Output | API output parameters for data | Network Interface |
| Control Input | API function calls, API input parameters, /proc/sys/crypto/fips_enabled control file, /etc/gcrypt/fips_enabled configuration file | Keyboard Interface, Mouse Interface |
| Status Output | API return codes, API output parameters | Display Controller, Network Interface |
| Power | None | Power Supply |

Table 6 – Logical Interface / Physical Interface Mapping

The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the API function calls and the input parameters used to control the behavior of the module. The Status Output interface includes the return values of the API functions and status sent through output parameters. As shown in Figure 1 – Module Boundary and Interfaces Diagram and Table 8 – Cryptographic Module's Approved Services, the output data path is provided by the data interfaces and is logically disconnected from processes performing key generation or zeroization. No key information will be output through the data output interface when the module zeroizes keys.


2.4 Roles, Services, and Authentication

2.4.1 Assumption of Roles

The module supports two distinct operator roles, User and Crypto Officer (CO). The cryptographic module implicitly maps the two roles to the services. A user is considered the owner of the thread that instantiates the module and, therefore, only one concurrent user is allowed.

The module does not support a Maintenance role or bypass capability. The module does not support authentication.

| Role | Role Description | Authentication Type |
|---|---|---|
| CO | Performs module installation and configuration and some basic functions: get status function and performing self-tests. | N/A – Authentication is not a requirement for Level 1 |
| User | Performs all services, except module installation and configuration. | N/A – Authentication is not a requirement for Level 1 |

Table 7 – Description of Roles

2.4.2 Services

All services implemented by the module are listed in Table 8 – Cryptographic Module's Approved Services. The second column provides a description of each service; availability to the Crypto Officer and User is shown in columns 3 and 4, respectively.

| Service | Description | CO | User |
|---|---|---|---|
| Symmetric Encryption/Decryption | AES and Triple-DES encryption and decryption | | X |
| Get Key Length | cipher_get_keylen() function | | X |
| Get Block Length | cipher_get_blocksize() function | | X |
| Check Availability of Algorithm | cipher_get_blocksize() function | | X |
| Secure Hash Algorithm (SHS) | SHA function | | X |
| HMAC | HMAC function | | X |
| RSA | FIPS 186-4 RSASSA-PKCS#1.5 and RSASSA-PSS function | | X |
| DSA | DSA FIPS 186-4 function | | X |
| Generate Random Numbers | Fill buffer with length random bytes; function to allocate a memory block consisting of n bytes of random bytes; function to allocate a memory block consisting of n bytes of fresh random bytes using a random quality as defined by level. This function differs from gcry_randomize() in that the returned buffer is allocated in a "secure" area of the memory | | X |
| Initialize Module | Powering-up the module | | X |
| Self tests | Performs Known Answer Tests (KAT) and Integrity check | X | X |
| Zeroize Secure Memory | gcry_free() or gcry_xfree() functions | | X |
| Release all Resources of Context Created by gcry_cipher_open() | Zeroizes all sensitive information associated with this cipher handle | | X |
| Release all Resources of Hash Context Created by gcry_md_open() | Zeroizes all sensitive information associated with this cipher handle | | X |
| Release the S-expression Objects SEXP | N/A | | X |
| Show Status | N/A | X | X |
| Installation and Configuration of the Module | N/A | X | |

Table 8 – Cryptographic Module's Approved Services


Table 9 – CSP Access Rights within Services defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as:

R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP.

E = Execute: The module executes using the CSP.

W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, when the module generates a CSP, or when the module overwrites an existing CSP.

Z = Zeroize: The module zeroizes the CSP.

| Service | AES Keys | Triple-DES Keys | DSA Private Keys | RSA Private Keys | SP 800-90A DRBG Entropy String | SP 800-90A DRBG Seed and internal state values (C and V values) | HMAC Keys |
|---|---|---|---|---|---|---|---|
| Symmetric Encryption/Decryption | RWE | RWE | - | - | - | - | - |
| Get Key Length | - | - | - | - | - | - | - |
| Get Block Length | - | - | - | - | - | - | - |
| Check Availability of Algorithm | - | - | - | - | - | - | - |
| Secure Hash Algorithm (SHS) | - | - | - | - | - | - | - |
| HMAC | - | - | - | - | - | - | RWE |
| RSA | - | - | - | RWE | - | - | - |
| DSA | - | - | RWE | - | - | - | - |
| Generate Random Numbers | - | - | - | - | - | WE | - |
| Initialize Module | - | - | - | - | - | - | - |
| Self tests | - | - | - | - | - | - | - |
| Zeroize Secure Memory | Z | Z | Z | Z | Z | Z | Z |
| Release all resources of context created by gcry_cipher_open() | WE | WE | - | - | - | - | - |
| Release all resources of hash context created by gcry_md_open() | - | - | - | - | - | - | - |
| Release the S-expression objects SEXP | - | - | RWE | RWE | - | - | - |
| Show Status | - | - | - | - | - | - | - |
| Installation and Configuration of the Module | - | - | - | - | - | - | - |

Table 9 – CSP Access Rights within Services

2.5 Physical Security

The module is a software-only module and does not have physical security mechanisms.

2.6 Operational Environment

The module operates in a modifiable operational environment under the FIPS 140-2 Level 1 definitions. The module runs on a commercially available general-purpose operating system executing on the hardware specified below. The operating system is restricted to a single operator (concurrent operators are explicitly excluded). The application that requests cryptographic services is the single user of the module, even when the application is serving multiple clients. In FIPS Approved mode, the ptrace(2) system call, the debugger (gdb(1)), and strace(1) shall not be used.


The module was tested on the following platforms:

Hardware | Processor | Operating System | w/ AES-NI | Without AES-NI
HP ProLiant DL380p Gen8 | Intel® Xeon® E5-2600 v3 product family | Red Hat Enterprise Linux 7.1 | Yes | Yes

Table 10 – FIPS Tested Configurations

The module also includes algorithm implementations using Processor Algorithm Acceleration (PAA) functions provided by the different processors supported, as shown in the following:

Processor | Processor Algorithm Acceleration (PAA) Function | Cryptographic Module Implementation
Intel x86 | AES-NI | AES

Table 11 – PAA Function Implementations

2.7 Self-Tests

The module performs power-up tests at module initialization to ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The self-tests are performed without any user intervention. While the module is performing the power-up tests, services are not available and input or output is not possible: the module is single-threaded and will not return to the calling application until the self-tests are completed successfully.

2.7.1 Power-Up Self-Tests

Algorithm | Test
Triple-DES | KAT, encryption and decryption tested separately
AES 128 | KAT, encryption and decryption tested separately
AES 192 | KAT, encryption and decryption tested separately
AES 256 | KAT, encryption and decryption tested separately
SHA-1 | KAT
SHA-224 | KAT
SHA-256 | KAT
SHA-384 | KAT
SHA-512 | KAT
HMAC SHA-1 | KAT
HMAC SHA-256 | KAT
HMAC SHA-384 | KAT
HMAC SHA-512 | KAT
DRBG (Hash, HMAC and CTR-based) | KAT
RSA | KAT of signature generation/verification
DSA | PCT of signature generation/verification
Module Integrity Test | HMAC SHA-256

Table 12 – Power-Up Self-Tests

2.7.2 On-Demand Self-Tests

The module provides the Self-Test service to perform self-tests on demand. This service performs the same cryptographic algorithm tests executed during power-up, plus some extended self-tests, such as testing additional block chaining modes. During the execution of the on-demand self-tests, services are not available and no data output or input is possible. To invoke the on-demand self-tests, the user can invoke the gcry_control(GCRYCTL_SELFTEST) command.

2.7.3 Conditional Self-Tests

The module implements the following conditional self-tests upon key generation, or random number generation (respectively):

Test Target | Description
DRBG | The continuous random number test is only used in FIPS mode. The RNG generates random numbers per block size depending on the underlying DRBG type (CTR, HMAC or Hash); the first block generated per context is saved in the context and another block is generated to be returned to the caller. Each block is compared against the saved block and then stored in the context. If a duplicated block is detected, an error is signaled and the library is put into the "Fatal-Error" state. (random/drbg.c: drbg_fips_continuous_test)
DSA | The test uses a random number of the size of the q parameter to create a signature and then checks that the signature verification is successful. As a second signing test, the data is modified by incrementing its value and then is verified against the signature with the expected result that the verification fails. (cipher/dsa.c: test_keys())
RSA | The test creates a random number of the size of p-64 bits and encrypts this value with the public key. Then the test checks that the encrypted value does not match the plaintext value. The test decrypts the ciphertext value and checks that it matches the original plaintext. The test will then generate another random plaintext, sign it, modify the signature by incrementing its value by 1, and verify that the signature verification fails. (cipher/rsa.c: test_keys())

Table 13 – Conditional Self-Tests
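The DRBG row of Table 13, as an added C example that is not libgcrypt's random/drbg.c: a per-context continuous test that saves the first block, compares every later block against the saved one before returning it, and latches the context into a fatal-error state on a duplicate. The struct and function names, the 16-byte block size and the xorshift block source standing in for the real DRBG output function are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DRBG_BLOCKLEN 16   /* constructed: output block size of an AES-based CTR-DRBG */

enum drbg_status { DRBG_OK = 0, DRBG_ERR_FATAL = 1 };

struct drbg_ctx {
    uint8_t prev_block[DRBG_BLOCKLEN];  /* last block seen by the continuous test */
    int have_prev;                      /* 0 until the first block has been saved */
    enum drbg_status status;            /* latched to DRBG_ERR_FATAL on a duplicate */
    uint64_t x;                         /* state of the toy block source (NOT a DRBG) */
    int stuck;                          /* 1 simulates a source that repeats one block */
};

/* Toy block source standing in for the DRBG output function: xorshift64. */
static void toy_generate_block(struct drbg_ctx *c, uint8_t out[DRBG_BLOCKLEN])
{
    for (size_t i = 0; i < DRBG_BLOCKLEN; i += 8) {
        if (!c->stuck) {
            c->x ^= c->x << 13;
            c->x ^= c->x >> 7;
            c->x ^= c->x << 17;
        }
        for (size_t j = 0; j < 8; j++)
            out[i + j] = (uint8_t)(c->x >> (8 * j));
    }
}

void drbg_ctx_init(struct drbg_ctx *c, uint64_t seed, int stuck)
{
    memset(c, 0, sizeof *c);
    c->x = seed ? seed : 0x9E3779B97F4A7C15ULL;  /* xorshift must not start at 0 */
    c->stuck = stuck;
}

/* Continuous test as Table 13 describes it: the first block per context is only
 * saved; every later block is compared with the saved one before being returned
 * and then replaces it. A duplicate signals an error and puts the context into
 * the fatal-error state, after which no further output is produced. */
int drbg_generate_checked(struct drbg_ctx *c, uint8_t out[DRBG_BLOCKLEN])
{
    if (c->status != DRBG_OK)
        return DRBG_ERR_FATAL;
    if (!c->have_prev) {
        toy_generate_block(c, c->prev_block);
        c->have_prev = 1;
    }
    toy_generate_block(c, out);
    if (memcmp(out, c->prev_block, DRBG_BLOCKLEN) == 0) {
        memset(out, 0, DRBG_BLOCKLEN);   /* never hand the suspect block to the caller */
        c->status = DRBG_ERR_FATAL;
        return DRBG_ERR_FATAL;
    }
    memcpy(c->prev_block, out, DRBG_BLOCKLEN);
    return DRBG_OK;
}

/* A healthy source delivers n consecutive blocks without tripping the test. */
int demo_healthy_blocks(int n)
{
    struct drbg_ctx c;
    uint8_t b[DRBG_BLOCKLEN];
    drbg_ctx_init(&c, 0x1234567ULL, 0);
    for (int i = 0; i < n; i++)
        if (drbg_generate_checked(&c, b) != DRBG_OK)
            return 0;
    return 1;
}

/* A stuck source trips on the very first returned block and stays refused. */
int demo_stuck_source(void)
{
    struct drbg_ctx c;
    uint8_t b[DRBG_BLOCKLEN];
    drbg_ctx_init(&c, 0x1234567ULL, 1);
    int first = drbg_generate_checked(&c, b);
    int again = drbg_generate_checked(&c, b);
    return first == DRBG_ERR_FATAL && again == DRBG_ERR_FATAL && c.status == DRBG_ERR_FATAL;
}
```

The detail worth noting for anyone reviewing a DRBG wrapper is the first branch of drbg_generate_checked(): once the fatal state is latched, the function refuses every later request instead of quietly resuming, which is what keeps a stuck entropy source from feeding key generation.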

Page 24: CryptoComply for Libgcrypt€¦ · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Libgcrypt Document Version 1.8 ©SafeLogic Page 2 of 29 Abstract This document provides

FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforLibgcrypt

DocumentVersion1.8 ©SafeLogic Page24of29

2.8 Mitigation of Other Attacks

Libgcrypt uses a blinding technique for RSA decryption to mitigate real world timing attacks over a network: Instead of using the RSA decryption directly, a blinded value (y = x · r^e mod n) is decrypted and the unblinded value (x' = y' · r^-1 mod n) returned. The blinding value "r" is a random value with the size of the modulus "n" and generated with 'GCRY_WEAK_RANDOM' random level.

Weak Triple-DES keys are detected as follows: In DES there are 64 known keys which are weak because they produce only one, two, or four different subkeys in the subkey scheduling process. The keys in this table have all their parity bits cleared.

    typedef unsigned char byte;   /* libgcrypt's byte type, added so the table compiles stand-alone */

    /* 64 DES keys with parity bits cleared; w = weak key, sw = member of a semi-weak pair */
    static byte weak_keys[64][8] = {
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/
        { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e },
        { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 },
        { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe },
        { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/
        { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 },
        { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe },
        { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 },
        { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/
        { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe },
        { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 },
        { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e },
        { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/
        { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 },
        { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e },
        { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 },
        { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e },
        { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/
        { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe },
        { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 },
        { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 },
        { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/
        { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 },
        { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe },
        { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe },
        { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/
        { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e },
        { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 },
        { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 },
        { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/
        { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 },
        { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e },
        { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 },
        { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe },
        { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/
        { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e },
        { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe },
        { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 },
        { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/
        { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 },
        { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 },
        { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e },
        { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/
        { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe },
        { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e },
        { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 },
        { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/
        { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 },
        { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe },
        { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 },
        { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e },
        { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/
        { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 },
        { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe },
        { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 },
        { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/
        { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e },
        { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 },
        { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe },
        { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/
        { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 },
        { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e },
        { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 },
        { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }  /*w*/
    };
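The RSA blinding formulas of Section 2.8 and the RSA row of Table 13 (the pairwise consistency test), as one added C example that is not libgcrypt's cipher/rsa.c: a textbook toy key (n = 3233, e = 17, d = 2753, from p = 61 and q = 53) stands in for a real modulus so every product fits in 64 bits, the blinding factor r comes from a constructed xorshift generator rather than GCRY_WEAK_RANDOM, the plaintext sizes are simply values below n rather than "p-64 bits", and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint64_t u64;

struct rsa_key { u64 n, e, d; };

/* Textbook toy key (p = 61, q = 53); constructed for the example, not secure. */
static const struct rsa_key TOY_KEY = { 3233, 17, 2753 };

static u64 mulmod(u64 a, u64 b, u64 n) { return (a % n) * (b % n) % n; } /* needs n < 2^32 */

static u64 powmod(u64 b, u64 e, u64 n)
{
    u64 r = 1;
    b %= n;
    while (e) {
        if (e & 1) r = mulmod(r, b, n);
        b = mulmod(b, b, n);
        e >>= 1;
    }
    return r;
}

static u64 gcd_u64(u64 a, u64 b) { while (b) { u64 t = a % b; a = b; b = t; } return a; }

/* Modular inverse by the extended Euclidean algorithm; 0 if gcd(a, n) != 1. */
static u64 invmod(u64 a, u64 n)
{
    int64_t t = 0, newt = 1, r = (int64_t)n, newr = (int64_t)(a % n);
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (u64)(t < 0 ? t + (int64_t)n : t);
}

/* Stand-in for the GCRY_WEAK_RANDOM draw of r: xorshift64, rejecting r not coprime to n. */
u64 pick_blinding_factor(u64 n, u64 *state)
{
    for (;;) {
        *state ^= *state << 13; *state ^= *state >> 7; *state ^= *state << 17;
        u64 r = *state % n;
        if (r > 1 && gcd_u64(r, n) == 1) return r;
    }
}

u64 rsa_decrypt_plain(const struct rsa_key *k, u64 x) { return powmod(x, k->d, k->n); }

/* Section 2.8: y = x * r^e mod n is decrypted, then x' = y' * r^-1 mod n is returned,
 * so the private exponentiation never operates on the caller-supplied x itself. */
u64 rsa_decrypt_blinded(const struct rsa_key *k, u64 x, u64 r)
{
    u64 y = mulmod(x, powmod(r, k->e, k->n), k->n);
    u64 yp = powmod(y, k->d, k->n);
    return mulmod(yp, invmod(r, k->n), k->n);
}

/* Unblinding is exact for every r coprime to n: r^(ed) * r^-1 = r * r^-1 = 1 mod n. */
int demo_blinding_roundtrip(void)
{
    u64 state = 0xC0FFEEULL;
    const u64 samples[] = { 2790, 1, 3232, 1000 };
    for (int i = 0; i < 25; i++) {
        u64 r = pick_blinding_factor(TOY_KEY.n, &state);
        for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++)
            if (rsa_decrypt_blinded(&TOY_KEY, samples[s], r) != rsa_decrypt_plain(&TOY_KEY, samples[s]))
                return 0;
    }
    return 1;
}

/* RSA row of Table 13: encrypt m1 and require the ciphertext to differ, decrypt it back,
 * then sign m2, increment the signature by 1 and require verification to fail. */
int rsa_pairwise_test(const struct rsa_key *k, u64 m1, u64 m2)
{
    u64 c = powmod(m1, k->e, k->n);
    if (c == m1) return 0;                       /* ciphertext must not equal plaintext */
    if (powmod(c, k->d, k->n) != m1) return 0;   /* decryption must recover plaintext */
    u64 s = powmod(m2, k->d, k->n);
    if (powmod(s, k->e, k->n) != m2) return 0;   /* the genuine signature verifies */
    u64 s_bad = (s + 1) % k->n;
    if (powmod(s_bad, k->e, k->n) == m2) return 0; /* the corrupted one must not */
    return 1;
}
```

The test vectors come from the same toy key: 65 encrypts to 2790, so rsa_pairwise_test(&TOY_KEY, 65, 1234) passes, while m1 = 1 fails the "ciphertext differs from plaintext" check exactly as the real test would for a fixed point of the public exponent.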

Page 26: CryptoComply for Libgcrypt€¦ · FIPS 140-2 Non-Proprietary Security Policy: CryptoComply for Libgcrypt Document Version 1.8 ©SafeLogic Page 2 of 29 Abstract This document provides

FIPS140-2Non-ProprietarySecurityPolicy:CryptoComplyforLibgcrypt

DocumentVersion1.8 ©SafeLogic Page26of29

3 Security Rules and Guidance

3.1 Crypto Officer Guidance

The module is provided directly to solution developers and is not available for direct download to the general public. The module and its host application are to be installed on an operating system specified in Section 2.6 or one where portability is maintained.

Because FIPS 140-2 has certain restrictions on the use of cryptography which are not always wanted, the Module needs to be put into FIPS Approved mode explicitly: if the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, the Module is put into FIPS Approved mode at initialization time. This is the mechanism recommended for ordinary use, activated by using the fips=1 option in the boot loader.

If an application that uses the Module for its cryptography is put into a chroot environment, the Crypto Officer must ensure one of the above methods is available to the Module from within the chroot environment to ensure entry into FIPS Approved mode. Failure to do so will not allow the application to properly enter FIPS Approved mode. Once the Module has been put into FIPS Approved mode, it is not possible to switch back to standard mode without terminating the process first.

Because FIPS 140-2 has certain restrictions on the use of cryptography which are not always wanted, Libgcrypt needs to be put into FIPS mode explicitly. To switch Libgcrypt into this mode, the file /proc/sys/crypto/fips_enabled must contain a numeric value other than 0. If the application requests FIPS mode, use the control command gcry_control(GCRYCTL_FORCE_FIPS_MODE). This must be done prior to any initialization (i.e. before the gcry_check_version() function). Once Libgcrypt has been put into FIPS mode, it is not possible to switch back to standard mode without terminating the process first. If the logging verbosity level of Libgcrypt has been set to at least 2, the state transitions and the self-tests are logged.

3.2 User Guidance

Applications using Libgcrypt need to call gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0) after initialization is done: that ensures that the DRBG is properly seeded, among others. gcry_control(GCRYCTL_TERM_SECMEM) needs to be called before the process is terminated. The function gcry_set_allocation_handler() may not be used.
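The FIPS-mode entry rule of Section 3.1 and its chroot caveat, as an added C example that is not part of the module: fips_mode_requested() applies the rule (the file exists and holds a numeric value other than 0) relative to a root prefix, so a Crypto Officer can check what the module would see from inside a chroot before the application is started there. The demo builds a constructed fake root under ./fips_demo_root and removes it again; the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Section 3.1 rule: FIPS Approved mode is entered at initialization when
 * <root>/proc/sys/crypto/fips_enabled exists and holds a numeric value other than 0.
 * Pass "" for the running system, or the chroot directory when checking from outside it. */
int fips_mode_requested(const char *root)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/proc/sys/crypto/fips_enabled", root);
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;   /* not visible from this root: the module would start in non-Approved mode */
    long value = 0;
    int got = fscanf(f, "%ld", &value);
    fclose(f);
    return got == 1 && value != 0;
}

/* Helpers for the constructed fake root; a real check passes the chroot path instead. */
static void make_fake_root(const char *root)
{
    const char *subs[] = { "", "/proc", "/proc/sys", "/proc/sys/crypto" };
    char p[4096];
    for (size_t i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s%s", root, subs[i]);
        (void)mkdir(p, 0700);
    }
}

static void remove_fake_root(const char *root)
{
    const char *dirs[] = { "/proc/sys/crypto", "/proc/sys", "/proc", "" };
    char p[4096];
    snprintf(p, sizeof p, "%s/proc/sys/crypto/fips_enabled", root);
    (void)unlink(p);
    for (size_t i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s%s", root, dirs[i]);
        (void)rmdir(p);
    }
}

static int write_flag(const char *root, const char *content)
{
    char p[4096];
    snprintf(p, sizeof p, "%s/proc/sys/crypto/fips_enabled", root);
    FILE *f = fopen(p, "w");
    if (!f) return 0;
    fputs(content, f);
    fclose(f);
    return 1;
}

/* Demo: flag absent, flag "1", flag "0", as seen through a chroot-like root.
 * Returns 1 when all three cases behave as Section 3.1 describes. */
int demo_chroot_visibility(void)
{
    const char *root = "./fips_demo_root";   /* constructed, removed on exit */
    int ok = 1;
    make_fake_root(root);
    ok = ok && fips_mode_requested(root) == 0;                              /* no file */
    ok = ok && write_flag(root, "1\n") && fips_mode_requested(root) == 1;   /* fips=1 */
    ok = ok && write_flag(root, "0\n") && fips_mode_requested(root) == 0;   /* disabled */
    remove_fake_root(root);
    return ok;
}
```

The absent-file case is the one that matters operationally: a chroot that does not mount /proc gives no error, the module simply initializes in non-Approved mode, which is the failure Section 3.1 warns about.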


The user must not call malloc/free to create/release space for keys; let Libgcrypt manage space for keys, which ensures that the key memory is overwritten before it is released. See the documentation file doc/gcrypt.texi within the source code tree for complete instructions for use. The information pages are included within the developer package. The user can find the documentation at the following locations after having installed the developer package:

/usr/share/info/gcrypt.info-1.gz
/usr/share/info/gcrypt.info-2.gz
/usr/share/info/gcrypt.info.gz

3.2.1 Three-key Triple-DES

It is the calling application's responsibility to make sure that the three keys k1, k2 and k3 are independent. Two-key Triple-DES usage will bring the module into the non-Approved mode of operation implicitly.


4 References and Acronyms

4.1 References

Abbreviation | Full Specification Name
FIPS 140-2 | Security Requirements for Cryptographic Modules, May 25, 2001
FIPS 180-4 | Secure Hash Standard (SHS)
FIPS 186-4 | Digital Signature Standard (DSS)
FIPS 197 | Advanced Encryption Standard
FIPS 198-1 | The Keyed-Hash Message Authentication Code (HMAC)
IG | Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
PKCS#1 v2.1 | RSA Cryptography Standard
SP 800-38A | Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
SP 800-56B | Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
SP 800-67 | Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-89 | Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-90A | Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Table 14 – References

4.2 Acronyms

The following table defines acronyms found in this document:

Acronym | Term
AES | Advanced Encryption Standard
API | Application Programming Interface
CAVP | Cryptographic Algorithm Validation Program
CBC | Cipher-Block Chaining
CFB | Cipher Feedback Mode
CMVP | Cryptographic Module Validation Program
CO | Crypto Officer
CSP | Critical Security Parameter
CTR | Counter-mode
DES | Data Encryption Standard
DRAM | Dynamic Random Access Memory
DRBG | Deterministic Random Bit Generator
DSA | Digital Signature Algorithm
ECB | Electronic Code Book
EMC | Electromagnetic Compatibility
EMI | Electromagnetic Interference
FCC | Federal Communications Commission
FIPS | Federal Information Processing Standard
GPC | General Purpose Computer
HMAC | (Keyed-) Hash Message Authentication Code
IG | Implementation Guidance
KAT | Known Answer Test
MAC | Message Authentication Code
N/A | Non Applicable
NDRNG | Non Deterministic Random Number Generator
NIST | National Institute of Science and Technology
OFB | Output Feedback
OS | Operating System
PKCS | Public-Key Cryptography Standards
PSS | Probabilistic Signature Scheme
RIPEMD | RACE Integrity Primitives Evaluation Message Digest
RSA | Rivest, Shamir, and Adleman
SHA | Secure Hash Algorithm
SHS | Secure Hash Standard
TCBC | TDEA Cipher-Block Chaining
TCFB | TDEA Cipher Feedback Mode
TDES | Triple Data Encryption Standard
TECB | TDEA Electronic Codebook
TOFB | TDEA Output Feedback
USB | Universal Serial Bus

Table 15 – Acronyms and Terms