SecureAgent® Software Cryptographic Module Version 2.2.006 Security Policy FIPS 140-2 Level 1 Validation September 5, 2013 Version 1.24 © 2013, SecureAgent® Software Inc. All rights reserved. www.SecureAgent.com This document may be freely reproduced and distributed whole and intact including this copyright notice. 1 Cryptographic Module Specification................................................................................................................ 3 2 Cryptographic Module Ports and Interfaces ................................................................................................... 7 3 Roles, Services, and Authentication ................................................................................................................ 8 4 Finite State Model............................................................................................................................................. 28 5 Physical Security (N/A) .................................................................................................................................... 28 6 Operational Environment ................................................................................................................................ 28 7 Cryptographic Key Management .................................................................................................................... 29 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) ................................................. 30 9 Self-Tests .......................................................................................................................................................... 30 10 Design Assurance .......................................................................................................................................... 30 11 Mitigation of Attacks (N/A) ............................................................................................................................ 31 References .......................................................................................................................................................... 31 SecureAgent® Software SecureAgent® Security Policy 1 Cryptographic Module Specification This document is the Security Policy for the SecureAgent® Software Cryptographic Module. This security policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 1. It describes how the module functions to meet the FIPS requirements, and the actions that operators must take to maintain the security of the module. This security policy describes the features and design of the SecureAgent® Software Cryptographic Module (a shared library providing cryptographic services and security functions) using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules specifies the security requirements that must be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2 standards. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. For information on the FIPS 140-2 standard and the CMVP program, visit http://csrc.nist.gov/groups/STM/cmvp. More information describing the SecureAgent® Software Cryptographic Module can be found at http://www.SecureAgent.com. This security policy contains only non-proprietary information. All other documentation submitted for FIPS 140-2 conformance testing and validation is “SecureAgent® Software - Proprietary” and is releasable only under appropriate non-disclosure agreements. The SecureAgent® Software Cryptographic Module meets the overall requirements applicable to Level 1 security for FIPS140-2. Table 1. Cryptographic Module Security Requirements Security Requirements Section Level 1 Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Machine Model N/A Physical Security 1 Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance N/A Mitigation of Other Attacks 1 Cryptographic Module Security Policy Page 3 of 32 SecureAgent® Software SecureAgent® Security Policy 1.1 Document History Table 2. Document Version Version Date Comments Name 1.00 9/13/2007 Initial Draft Ward Rosenberry 1.06 02/11/2011 Update Edwin Woehrstein 1.07 03/17/2011 Update Edwin Woehrstein 1.08 04/07/2011 Updated with TOR2/3 information Edwin Woehrstein 1.09 04/07/2011 Update Steve Soodsma 1.10 07/25/2011 Updated with TOR4/5 information Steve Soodsma 1.11 08/31/2011 Updated with TOR6 information Steve Soodsma 1.12 09/01/2011 Added Zeroization service to Table 5 Steve Soodsma 1.13 06/06/2012 Updated module name to libsai2s_x86.so Steve Soodsma Updated api function names Added HMAC, SHS, and RNG to table 5 1.14 06/25/2012 Updated with TOR7/8 information Steve Soodsma 1.15 07/18/2012 Updated with TOR9 information Steve Soodsma 1.16 07/19/2012 Updated table 7 Steve Soodsma 1.17 07/25/2012 Updated with TOR10 information Steve Soodsma 1.18 02/19/2013 Addressed received comments Steve Soodsma 1.19 04/03/2013 Added tables 5.3 and 5.4 Steve Soodsma 1.20 04/12/2013 Updated sections 1.4, 3.2, and Table 5.3 Steve Soodsma Removed Table 5.4 1.21 04/19/2013 Added N/A to section 1.2 Steve Soodsma Added module version to section 1.4 1.22 05/15/2013 Updated sections 1.4 and 9.1 Steve Soodsma 1.23 09/04/2013 Updated sections 1.5 and 3.2 Steve Soodsma 1.24 09/05/2013 Updated sections 1.5 and 3.2. Corrected typos. Steve Soodsma 1.2 Acronyms and Abbreviations AES Advanced Encryption Standard CBC Cipher Block Chaining CFB Cipher Feedback CMVP Cryptographic Module Validation Program CSE Communications Security Establishment CSP Critical Security Parameter DLL Dynamic Linked Library EK Encryption Key EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communication Commission FIPS Federal Information Processing Standard Page 4 of 32 SecureAgent® Software SecureAgent® Security Policy HEX Hexadecimal representation of a binary value HMAC Keyed-Hash Message Authentication Code KAT Known Answer Test KEK Key Encryption Key LAN Local Area Network NIST National Institute of Standards and Technology PRNG Pseudo Random Number Generator PUB Publication SHA-1 Secure Hash Algorithm N/A Not Applicable 1.3 Functional Overview The SecureAgent® Software Cryptographic Module provides the core cryptographic services for several secure communications and controller systems designed and manufactured by SecureAgent® Software. The SecureAgent® Software Cryptographic Module consists of functions that AES-encrypt data for the Application that is being written to an unprotected network or storage medium. Conversely the SecureAgent® Software Cryptographic Module decrypts AES-encrypted data that the Application reads from an unprotected network or storage medium and outputs the plaintext data for use within a protected environment. The SecureAgent® Software Cryptographic Module forms a cohesive subsystem within the SecureAgent Application that is contained in a larger controlling system (such as complete solution devices) that is outside the evaluation scope of this module. Features of the software include:  AES (128, 192, or 256-bit) data encryption  FIPS 140-2 power-on self-test and conditional test. Figure 1 illustrates typical module implementation. The SecureAgent® Software Cryptographic Module provides API functions to  Encrypt a data block  Decrypt a data block  Compress / Decompress a data block  Encrypt and convert to HEX representation  Decrypt a HEX representation of a data block  Test the module Figure 1. High Level Functional View of the SecureAgent® Software Cryptographic Module Function Page 5 of 32 SecureAgent® Software SecureAgent® Security Policy 1.4 Module Description The SecureAgent® Software Cryptographic Module is a software cryptographic module that executes within the SecureAgent Application. The SecureAgent® Software Cryptographic Module is tested on Sun Solaris 10. The SecureAgent® Software Cryptographic Module provides data encryption and decryption services, compression/decompression services and a service to convert the data after encryption into a human readable HEX representation and also to decrypt a human readable HEX representation of encrypted data. Software integrity services assure operators of a valid state within the module. The SecureAgent® Software Cryptographic Module does not have a bypass or maintenance mode. The module is in FIPS mode after calling sai_init to initialize the module and while using services listed in table 5.1.  A non-Approved mode exists.  The services available for the non-Approved mode are listed in Table 5.3.  The module is configured during initialization to operate only in FIPS mode by using the services listed in Table 5.1 when in the operational state. The files that comprise the SecureAgent® Software Cryptographic Module version 2.2.006 are: libsai2s_x86.so libgcrypt.so.11.7.0 libgpg-error.so.0.8.0 Page 6 of 32 SecureAgent® Software SecureAgent® Security Policy 1.5 Module Security Functions The SecureAgent® Software Cryptographic Module implements the security functions described in Table 3. The Algorithms listed in Table3 are only available in the Approved mode. The Algorithms listed in Table 3a are only available in the non-Approved mode. Table 3. Module Security Functions. Approved Security Function Certificate AES (FIPS PUB 197) #2044 SHA-256 (FIPS PUB 180-2) #1790 #1243 HMAC-SHA256 (FIPS PUB 198a) #1067 RNG (ANSI X9.31 Appendix A.2.4 using AES) NDRNG (Sun Solaris 10 /dev/random used for seeding) Table 3a. Module Non-Approved Mode Algorithms. Symmetric Key AES128, non-compliant Message Digests and HMAC AES192, non-compliant HAVAL AES256, non-compliant MD2 ARCFOUR MD4 BLOWFISH MD5 CAMELLIA128 RMD160 CAMELLIA192 SHA1, non-compliant CAMELLIA256 SHA224, non-compliant CAST5 SHA256, non-compliant DES SHA384, non-compliant RC2 SHA512, non-compliant SEED TIGER SERPENT128 TIGER1 SERPENT192 TIGER2 SERPENT256 WHIRLPOOL TDES Random Number Generator TWOFISH X9.31 RNG, non-compliant TWOFISH128 Key Derivation Asymmetric Key SIMPLE_S2K RSA, non-compliant SALTED_S2K DSA, non-compliant ITERSALTED_S2K Elgamal PBKDF2 2 Cryptographic Module Ports and Interfaces The SecureAgent® Software Cryptographic Module meets the requirements of a multi-chip standalone module. Since the SecureAgent® Software Cryptographic Module is a software module, its interfaces are defined in terms of the API that it provides. Data Input Interface is defined as the input data parameters of those API functions that accept, as their arguments, data to be used or processed by the module. The return value or arguments of appropriate types, data generated or otherwise processed by the API functions to the caller constitute Data Output Interface. Control Input Interface is comprised of the call used to initiate the module and the API functions used to control the operation of the module. Status Output Interface is defined as the API function sai_get_status that provides information about the status of the module. The function sai_get_status may be called anytime to indicate the status of the SecureAgent® Software Cryptographic Module. Table 4. Module Ports and Interfaces. FIPS 140-2 Interface Logical Interface Module Physical Interface API input parameters N/A Data Input Page 7 of 32 SecureAgent® Software SecureAgent® Security Policy FIPS 140-2 Interface Logical Interface Module Physical Interface API output parameters N/A Data Output API function calls, or configuration N/A Control Input files on filesystem sai_get_status N/A Status Output N/A N/A Power Input 3 Roles, Services, and Authentication 3.1 Roles The two roles are defined per the FIPS140-2 standard as follows: 1. Crypto Officer - can access all services implemented in the Module. The Crypto Officer can also install the Module on the target operating system (Sun Solaris 10) and configure the operating system for Module use. No special access to keys or data is provided to this role. The Crypto Officer role is implicitly selected when installing the module or configuring the operating system for the Module. 2. User - can access all services implemented in the Module. This role is implicitly selected when an application calls any of the API functions in the Module. In the SecureAgent® Software Cryptographic Module, an operator is implicitly assumed in the User or Cryptographic Officer role based upon the operations chosen. Both User and Cryptographic Officer can call all services implemented in the Module. The user role is assumed by the subsystem writing plaintext data to or reading plaintext data from the module after it has passed the FIPS power-on self-test. These actions comprise the module encryption and decryption services. Multiple concurrent operators are not allowed. Only a single user may access the module at any given point in time. Operators cannot change roles while using the module. The strength of the operator authentication, per the above roles, does not apply to this cryptographic module as it occurs outside of the module. 3.2 Services Tables 5.1 and 5.2 show the services available to the various roles. Encrypt and decrypt services delete the key from memory when the operation completes without modifying, disclosing, or substituting the key in any manner. Table 5.3 lists the libgcrypt services that are available in the non-Approved mode of operation.  CSPs defined in the FIPS mode shall not be accessed or shared while in the non-FIPS mode.  CSPs shall not be generated while in the non-FIPS mode and then accessed or shared while in the FIPS mode.  The Approved RNG may be used in the non-FIPS mode but the Approved RNG’s seed or seed key shall not be accessed or shared in the non-FIPS mode. Table 5.1 Roles and Services Service Description Crypto User Inputs Outputs Officer sai_encrypt Encrypts plain text input Plain text, Cipher text ● ● key sai_decrypt Decrypts cipher text Cipher text, Plain text ● ● input key sai_cipher_open Used for AES algorithm Cipher-hd, ● ● sai_cipher_setiv validation. The MCT test Plain text, Cipher text, sai_cipher_setkey performs CBC chaining Cipher text, Plain text sai_cipher_decrypt in the test program key Page 8 of 32 SecureAgent® Software SecureAgent® Security Policy Service Description Crypto User Inputs Outputs Officer sai_cipher_encrypt dictating the need for sai_cipher_close these lower-level functions. sai_hmac256_new Used for integrity check Data, key HMAC-SHA- ● ● sai_hmac256_update 256 sai_hmac256_finalize sai_hmac256_release sai_hmac256_new(NULL Key) Used in generating Data SHA-256 ● ● sai_hmac256_update SHA-256 sai_hmac256_finalize sai_hmac256_release sai_create_nonce Generates random No input Nonce ● ● numbers for use in AES- CBC initialization vectors sai_version Returns module version No input Module ● ● number version, FIPS Mode sai_selftest Performs module self- No input Return code ● ● test Pass/Fail sai_get_status Returns module's Message FSM State, ● ● current status buffer Self Test status sai_init Initializes FSM, No input Self Test status ● ● performs self-tests, and FIPS Mode module integrity check, FIPS Mode sai_zeroize Safely zeroizes memory Key or CSP No output ● ● to zeroize Table 5.2 Auxillary Functions Service Description Crypto User Inputs Outputs Officer sai_encrypt_hex Utility function for Data, key, IV Hex ● ● debug. Encrypts a data representation block to a hex of encrypted representation. data sai_decrypt_hex Utility function for Hex data, Binary ● ● debug. Decrypts a hex key, IV decrypted data encrypted data block to binary. sai_rngfips_run_external_test Used for RNG algorithm RNG KAT Status code ● ● sai_rngfips_deinit_external_test validation. Allows to values sai_rngfips_init_external_test test RNG with a Known Answer Test. sai_convert_bin_to_hex Utility function to Binary data Hex data ● ● convert binary data to hex representation sai_convert_hex_to_bin Utility function to Hex data Binary data ● ● convert hex data to binary representation. sai_strerror Utility functions to Error code String Error ● ● sai_strsource convert error codes to message human-readable string Page 9 of 32 SecureAgent® Software SecureAgent® Security Policy Service Description Crypto User Inputs Outputs Officer messages. sai_malloc General purpose Size Memory block ● ● sai_free memory allocation. sai_compress Utility functions to Source data, Output data ● ● sai_decompress provide data output compression and buffer, work decompression buffer services Table 5.3 Libgcrypt Services available in non-Approved mode Service Description Crypto User Inputs Outputs Officer gcry_err_make Wrappers for the libgpg- (source, code) gcry_error_t ● ● error library. (code) gcry_error_t gcry_error (err) gcry_err_code_t gcry_err_code (err) gcry_err_source_t gcry_err_source gcry_strerror Return a pointer to a string (err) const char * ● ● containing a description of the error code in the error value ERR. gcry_strsource Return a pointer to a string (err) const char * ● ● containing a description of the error source in the error value ERR. gcry_err_code_fro Retrieve the error code for (err) gcry_err_code_t ● ● m_errno the system error ERR. This returns GPG_ERR_UNKNOWN_ER RNO if the system error is not mapped (report this). gcry_err_code_to Retrieve the system error for (code) int ● ● _errno the error code CODE. This returns 0 if CODE is not a system error code. gcry_err_make_fr Return an error value with (source, err) gcry_error_t ● ● om_errno the error source SOURCE and the system error ERR. gcry_error_from_ Return an error value with (err) gcry_err_code_t ● ● errno the system error ERR. gcry_pth_select GNU Pth network wrapper (int nfd, fd_set *rset, ssize_t ● ● gcry_pth_waitpid macro fd_set *wset, set *eset, ssize_t struct timeval *timeout) int gcry_pth_accept (pid_t pid, int *status, int int gcry_pth_connect options) (int s, struct sockaddr *addr, gcry_socklen_t *length_ptr) (int s, struct sockaddr *addr, gcry_socklen_t length) gcry_pthread_mut pthread wrapper macros (void **priv) int ● ● ex_init (void **lock) int (void **lock) int gcry_pthread_mut Page 10 of 32 SecureAgent® Software SecureAgent® Security Policy ex_destroy (void **lock) int gcry_pthread_mut ex_lock gcry_pthread_mut ex_unlock gcry_check_versi Check that the library fulfills (const char const char * ● ● on the version requirement. *req_version) gcry_control Perform various operations (enum gcry_ctl_cmds gcry_error_t ● ● defined by CMD. CMD, ...) gcry_sexp_new Create an new S-expression (gcry_sexp_t *retsexp, gcry_error_t ● ● object from BUFFER of size const void *buffer, size_t LENGTH and return it in length, int autodetect) RETSEXP. With AUTODETECT set to 0 the data in BUFFER is expected to be in canonized format. gcry_sexp_create Same as gcry_sexp_new (gcry_sexp_t *retsexp, gcry_error_t ● ● but allows to pass a void *buffer, size_t FREEFNC which has the length, int autodetect, effect to transfer ownership void (*freefnc) (void *)) of BUFFER to the created object. gcry_sexp_sscan Scan BUFFER and return a (gcry_sexp_t *retsexp, gcry_error_t ● ● new S-expression object in size_t *erroff, const char RETSEXP.This function *buffer, size_t length) expects a printf like string in BUFFER. gcry_sexp_build Same as gcry_sexp_sscan (gcry_sexp_t *retsexp, gcry_error_t ● ● but expects a string in size_t *erroff, const char FORMAT and can thus only *format, ...) be used for certain encodings. gcry_sexp_build_ Like gcry_sexp_build, but (gcry_sexp_t *retsexp, gcry_error_t ● ● array uses an array instead of size_t *erroff, const char variable function arguments. *format, void **arg_list) gcry_sexp_releas Release the S-expression (gcry_sexp_t sexp) void ● ● e object SEXP gcry_sexp_canon Calculate the length of an (const unsigned char size_t ● ● _len canonized S-expresion in *buffer, size_t length, BUFFER and check for a size_t *erroff, valid encoding. gcry_error_t *errcode) gcry_sexp_sprint Copies the S-expression (gcry_sexp_t sexp, int size_t ● ● object SEXP into BUFFER mode, void *buffer, using the format specified in size_t maxlength) MODE. gcry_sexp_dump Dumps the S-expression (const gcry_sexp_t a) void ● ● object A in a format suitable for debugging to Libgcrypt's logging stream. gcry_sexp_cons General S-expression (const gcry_sexp_t a, gcry_sexp_t ● ● gcry_sexp_alist functions used with the const gcry_sexp_t b) gcry_sexp_t gcry_sexp_vlist public key functions. (const gcry_sexp_t gcry_sexp_t *array) gcry_sexp_t gcry_sexp_appen (const gcry_sexp_t a, …) gcry_sexp_t d (const gcry_sexp_t a, gcry_sexp_prepe const gcry_sexp_t n) nd (const gcry_sexp_t a, Page 11 of 32 SecureAgent® Software SecureAgent® Security Policy const gcry_sexp_t n); gcry_sexp_find_to Scan the S-expression for a (gcry_sexp_t list, const gcry_sexp_t ● ● ken sublist with a type (the car of char *tok, size_t toklen) the list) matching the string TOKEN. If TOKLEN is not 0, the token is assumed to be raw memory of this length. The function returns a newly allocated S- expression consisting of the found sublist or `NULL' when not found. gcry_sexp_length Return the length of the (const gcry_sexp_t list) int ● ● LIST. For a valid S- expression this should be at least 1. gcry_sexp_nth Create and return a new S- (const gcry_sexp_t list, gcry_sexp_t ● ● expression from the element int number) with index NUMBER in LIST. Note that the first element has the index 0. If there is no such element, `NULL' is returned. gcry_sexp_car Create and return a new S- (const gcry_sexp_t list) gcry_sexp_t ● ● expression from the first element in LIST; this called the "type" and should always exist and be a string. `NULL' is returned in case of a problem. gcry_sexp_cdr Create and return a new list (const gcry_sexp_t list) gcry_sexp_t ● ● form all elements except for the first one. Note, that this function may return an invalid S-expression because it is not guaranteed, that the type exists and is a string. However, for parsing a complex S-expression it might be useful for intermediate lists. Returns `NULL' on error. gcry_sexp_cadr (const gcry_sexp_t list) gcry_sexp_t ● ● gcry_sexp_nth_daThis function is used to get (const gcry_sexp_t list, const char * ● ● ta data from a LIST. A pointer int number, size_t to the actual data with index *datalen) NUMBER is returned and the length of this data will be stored to DATALEN. If there is no data at the given index or the index represents another list, `NULL' is returned. *Note:* The returned pointer is valid as long as LIST is not modified or released. Page 12 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_sexp_nth_strThis function is used to get (gcry_sexp_t list, int char * ● ● ing and convert data from a number) LIST. The data is assumed to be a Null terminated string. The caller must release the returned value using `gcry_free'. If there is no data at the given index, the index represents a list or the value can't be converted to a string, `NULL' is returned. gcry_sexp_nth_m This function is used to get (gcry_sexp_t list, int gcry_mpi_t ● ● pi and convert data from a number, int mpifmt); LIST. This data is assumed to be an MPI stored in the format described by MPIFMT and returned as a standard Libgcrypt MPI. The caller must release this returned value using `gcry_mpi_release'. If there is no data at the given index, the index represents a list or the value can't be converted to an MPI, `NULL' is returned. gcry_mpi_new Allocate a new big integer (unsigned int nbits) gcry_mpi_t ● ● object, initialize it with 0 and initially allocate memory for a number of at least NBITS. gcry_mpi_snew Same as gcry_mpi_new() (unsigned int nbits) gcry_mpi_t ● ● but allocate in "secure" memory. gcry_mpi_release Release the number A and (gcry_mpi_t a) void ● ● free all associated resources. gcry_mpi_copy Create a new number with (const gcry_mpi_t a) gcry_mpi_t ● ● the same value as A. gcry_mpi_set Store the big integer value U (gcry_mpi_t w, const gcry_mpi_t ● ● in W. gcry_mpi_t u) gcry_mpi_set_ui Store the unsigned integer (gcry_mpi_t w, unsigned gcry_mpi_t ● ● value U in W. long u) gcry_mpi_swap Swap the values of A and B. (gcry_mpi_t a, void ● ● gcry_mpi_t b) gcry_mpi_cmp Compare the big integer (const gcry_mpi_t u, int ● ● number U and V returning 0 const gcry_mpi_t v) for equality, a positive value for U > V and a negative for U < V. gcry_mpi_cmp_ui Compare the big integer (const gcry_mpi_t u, int ● ● number U with the unsigned unsigned long v) integer V returning 0 for equality, a positive value for U > V and a negative for U < V. Page 13 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_mpi_scan Convert the external (gcry_mpi_t *ret_mpi, gcry_error_t ● ● representation of an integer enum gcry_mpi_format stored in BUFFER with a format, const void length of BUFLEN into a *buffer, size_t buflen, newly create MPI returned in size_t *nscanned); RET_MPI. If NSCANNED is not NULL, it will receive the number of bytes actually scanned after a successful operation. gcry_mpi_print Convert the big integer A (enum gcry_mpi_format gcry_error_t ● ● into the external format, unsigned char representation described by *buffer, size_t buflen, FORMAT and store it in the size_t *nwritten, const provided BUFFER which gcry_mpi_t a) has been allocated by the user with a size of BUFLEN bytes. NWRITTEN receives the actual length of the external representation unless it has been passed as NULL. gcry_mpi_aprint Convert the big integer A int (enum gcry_mpi_format gcry_error_t ● ● the external representation format, unsigned char described by FORMAT and **buffer, size_t *nwritten, store it in a newly allocated const gcry_mpi_t a) buffer which address will be put into BUFFER. NWRITTEN receives the actual lengths of the external representation. gcry_mpi_dump Dump the value of A in a (const gcry_mpi_t a) void ● ● format suitable for debugging to Libgcrypt's logging stream. Note that one leading space but no trailing space or linefeed will be printed. It is okay to pass NULL for A. gcry_mpi_add W = U + V. (gcry_mpi_t w, void ● ● gcry_mpi_t u, gcry_mpi_t v); gcry_mpi_add_ui W = U + V. V is an (gcry_mpi_t w, void ● ● unsigned integer. gcry_mpi_t u, unsigned long v); gcry_mpi_addm W = U + V mod M. (gcry_mpi_t w, void ● ● gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m) gcry_mpi_sub W = U - V. (gcry_mpi_t w, void ● ● gcry_mpi_t u, gcry_mpi_t v); gcry_mpi_sub_ui W = U - V. V is an unsigned (gcry_mpi_t w, void ● ● integer. gcry_mpi_t u, unsigned long v ) gcry_mpi_subm W = U - V mod M (gcry_mpi_t w, void ● ● gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t Page 14 of 32 SecureAgent® Software SecureAgent® Security Policy m) gcry_mpi_mul W = U * V. (gcry_mpi_t w, void ● ● gcry_mpi_t u, gcry_mpi_t v) gcry_mpi_mul_ui W = U * V. V is an unsigned (gcry_mpi_t w, void ● ● integer. gcry_mpi_t u, unsigned long v ) gcry_mpi_mulm W = U * V mod M. (gcry_mpi_t w, void ● ● gcry_mpi_t u, gcry_mpi_t v, gcry_mpi_t m) gcry_mpi_mul_2e W = U * (2 ^ CNT). (gcry_mpi_t w, void ● ● xp gcry_mpi_t u, unsigned long cnt); gcry_mpi_div Q = DIVIDEND / DIVISOR, (gcry_mpi_t q, void ● ● R = DIVIDEND % DIVISOR, gcry_mpi_t r, gcry_mpi_t Q or R may be passed as dividend, gcry_mpi_t NULL. ROUND should be divisor, int round) negative or 0. gcry_mpi_mod R = DIVIDEND % DIVISOR (gcry_mpi_t r, void ● ● gcry_mpi_t dividend, gcry_mpi_t divisor) gcry_mpi_powm W = B ^ E mod M. (gcry_mpi_t w, const void ● ● gcry_mpi_t b, const gcry_mpi_t e, const gcry_mpi_t m) gcry_mpi_gcd Set G to the greatest (gcry_mpi_t g, int ● ● common divisor of A and B. gcry_mpi_t a, Return true if the G is 1. gcry_mpi_t b) gcry_mpi_invm Set X to the multiplicative (gcry_mpi_t x, int ● ● inverse of A mod M. Return gcry_mpi_t a, true if the value exists. gcry_mpi_t m) gcry_mpi_get_nbitReturn the number of bits (gcry_mpi_t a) unsigned int ● ● s required to represent A. gcry_mpi_test_bit Return true when bit number (gcry_mpi_t a, unsigned int ● ● N (counting from 0) is set in int n) A. gcry_mpi_set_bit Set bit number N in A. (gcry_mpi_t a, unsigned void ● ● int n) gcry_mpi_clear_bi Clear bit number N in A. (gcry_mpi_t a, unsigned void ● ● t int n) gcry_mpi_set_hig Set bit number N in A and (gcry_mpi_t a, unsigned void ● ● hbit clear all bits greater than N. int n) gcry_mpi_clear_hi Clear bit number N in A and (gcry_mpi_t a, unsigned void ● ● ghbit all bits greater than N. int n) gcry_mpi_rshift Shift the value of A by N bits (gcry_mpi_t x, void ● ● to the right and store the gcry_mpi_t a, unsigned result in X. int n) gcry_mpi_lshift Shift the value of A by N bits (gcry_mpi_t x, void ● ● to the left and store the gcry_mpi_t a, unsigned result in X. int n) gcry_mpi_set_opaStore NBITS of the value P (gcry_mpi_t a, void *p, gcry_mpi_t ● ● que points to in A and mark A as unsigned int nbits) an opaque value. WARNING: Never use an opaque MPI for anything thing else then Page 15 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_mpi_release, gcry_mpi_get_opaque. gcry_mpi_get_op Return a pointer to an (gcry_mpi_t a, unsigned void * ● ● aque opaque value stored in A int *nbits) and return its size in NBITS. Note that the returned pointer is still owned by A and that the function should never be used for an non- opaque MPI. gcry_mpi_set_flag Set the FLAG for the big (gcry_mpi_t a, enum void ● ● integer A. Currently only the gcry_mpi_flag flag) flag GCRYMPI_FLAG_SECURE is allowed to convert A into an big intger stored in "secure" memory. gcry_mpi_clear_fl Clear FLAG for the big (gcry_mpi_t a, enum void ● ● ag integer A. Note that this gcry_mpi_flag flag) function is currently useless as no flags are allowed. gcry_mpi_get_flagReturn true when the FLAG (gcry_mpi_t a, enum int ● ● is set for A. gcry_mpi_flag flag) gcry_cipher_open Create a handle for (gcry_cipher_hd_t gcry_error_t ● ● algorithm ALGO to be used *handle, int algo, int (ENC – See Table 5.3a) in MODE. FLAGS may be mode, unsigned int given as an bitwise OR of flags) the gcry_cipher_flags values. gcry_cipher_close Close the cioher handle H (gcry_cipher_hd_t h) void ● ● and release all resource. (ENC – See Table 5.3a) gcry_cipher_ctl Perform various operations (gcry_cipher_hd_t h, int gcry_error_t ● ● on the cipher object H. cmd, void *buffer, size_t (ENC – See Table 5.3a) buflen) gcry_cipher_info Retrieve various information (gcry_cipher_hd_t h, int gcry_error_t ● ● about the cipher object H. what, void *buffer, size_t (ENC – See Table 5.3a) *nbytes) gcry_cipher_algo_Retrieve various information (int algo, int what, void gcry_error_t ● ● info about the cipher algorithm *buffer, size_t *nbytes) ALGO. (ENC – See Table 5.3a) gcry_cipher_algo_Map the cipher algorithm (int algorithm) const char * ● ● name whose ID is contained in ALGORITHM to a string (ENC – See Table 5.3a) representation of the algorithm name. For unknown algorithm IDs this function returns "?". gcry_cipher_map Map the algorithm name (const char *name) int ● ● _name NAME to an cipher algorithm ID. Return 0 if the (ENC – See Table 5.3a) algorithm name is not known. gcry_cipher_mod Given an ASN.1 object (const char *string) int ● ● e_from_oid identifier in standard IETF dotted decimal format in (ENC – See Table 5.3a) STRING, return the Page 16 of 32 SecureAgent® Software SecureAgent® Security Policy encryption mode associated with that OID or 0 if not known or applicable. gcry_cipher_encryEncrypt the plaintext of size (gcry_cipher_hd_t h, gcry_error_t ● ● pt INLEN in IN using the cipher void *out, size_t outsize, handle H into the buffer const void *in, size_t (ENC – See Table 5.3a) OUT which has an allocated inlen) length of OUTSIZE. For most algorithms it is possible to pass NULL for in and 0 for INLEN and do a in- place decryption of the data provided in OUT. gcry_cipher_decryThe counterpart to (gcry_cipher_hd_t h, gcry_error_t ● ● pt gcry_cipher_encrypt. void *out, size_t outsize, const void *in, size_t (ENC – See Table 5.3a) inlen) gcry_cipher_setke Set KEY of length KEYLEN (gcry_cipher_hd_t hd, gcry_error_t ● ● y bytes for the cipher handle const void *key, size_t HD. keylen) (ENC – See Table 5.3a) gcry_cipher_setiv Set initialization vector IV of (gcry_cipher_hd_t hd, gcry_error_t ● ● length IVLEN for the cipher const void *iv, size_t (ENC – See Table 5.3a) handle HD. ivlen) gcry_cipher_reset Reset the handle to the (gcry_cipher_hd_t h) gcry_error_t ● ● state after open. (ENC – See Table 5.3a)t gcry_cipher_sync Perform the OpenPGP sync (gcry_cipher_hd_t h) gcry_error_t ● ● operation if this is enabled (ENC – See Table 5.3a) for the cipher handle H. gcry_cipher_cts Enable or disable CTS in (gcry_cipher_hd_t h, gcry_error_t ● ● future calls to size_t on) (ENC – See Table 5.3a) gcry_encrypt(). CBC mode only. gcry_cipher_setctrSet counter for CTR mode. (gcry_cipher_hd_t hd, gpg_error_t ● ● (CTR,CTRLEN) must const void *ctr, size_t (ENC – See Table 5.3a) denote a buffer of block size ctrlen) length, or (NULL,0) to set the CTR to the all-zero block. gcry_cipher_get_ Retrieved the key length in (int algo) size_t ● ● algo_keylen bytes used with algorithm A. (ENC – See Table 5.3a) gcry_cipher_get_ Retrieve the block length in (int algo) size_t ● ● algo_blklen bytes used with algorithm A. (ENC – See Table 5.3a) gcry_cipher_test_ Return 0 if the algorithm A is (int algo) gcry_error_t ● ● algo available for use. (ENC – See Table 5.3a) gcry_cipher_list Get a list consisting of the (int *list, int *list_length) gcry_error_t ● ● IDs of the loaded cipher (ENC – See Table 5.3a) modules. If LIST is zero, write the number of loaded cipher modules to LIST_LENGTH and return. Page 17 of 32 SecureAgent® Software SecureAgent® Security Policy If LIST is non-zero, the first *LIST_LENGTH algorithm IDs are stored in LIST, which must be of according size. In case there are less cipher modules than *LIST_LENGTH, *LIST_LENGTH is updated to the correct number. gcry_pk_encrypt Encrypt the DATA using the (gcry_sexp_t *result, gcry_error_t ● ● public key PKEY and store gcry_sexp_t data, (DSS – See Table 5.3a) the result as a newly created gcry_sexp_t pkey) S-expression at RESULT. gcry_pk_decrypt Decrypt the DATA using the (gcry_sexp_t *result, gcry_error_t ● ● private key SKEY and store gcry_sexp_t data, (DSS – See Table 5.3a) the result as a newly created gcry_sexp_t skey) S-expression at RESULT. gcry_pk_sign Sign the DATA using the (gcry_sexp_t *result, gcry_error_t ● ● private key SKEY and store gcry_sexp_t data, (DSS – See Table 5.3a) the result as a newly created gcry_sexp_t skey) S-expression at RESULT. gcry_pk_verify Check the signature (gcry_sexp_t sigval, gcry_error_t ● ● SIGVAL on DATA using the gcry_sexp_t data, (DSS – See Table 5.3a) public key PKEY. gcry_sexp_t pkey) gcry_pk_testkey Check that private KEY is (gcry_sexp_t key) gcry_error_t ● ● sane. (DSS – See Table 5.3a) gcry_pk_genkey Generate a new key pair (gcry_sexp_t *r_key, gcry_error_t ● ● according to the parameters gcry_sexp_t s_parms) (DSS – See Table 5.3a) given in S_PARMS. The new key pair is returned in as an S-expression in R_KEY. gcry_pk_ctl Catch all function for (int cmd, void *buffer, gcry_error_t ● ● miscellaneous operations. size_t buflen) (DSS – See Table 5.3a) gcry_pk_algo_info Retrieve information about (int algo, int what, void gcry_error_t ● ● the public key algorithm *buffer, size_t *nbytes) (DSS – See Table 5.3a) ALGO. gcry_pk_algo_na Map the public key algorithm (int algorithm) const char * ● ● me whose ID is contained in ALGORITHM to a string (DSS – See Table 5.3a) representation of the algorithm name. For unknown algorithm IDs this functions returns "?". gcry_pk_map_na Map the algorithm NAME to (const char* name) int ● ● me a public key algorithm Id. Return 0 if the algorithm (DSS – See Table 5.3a) name is not known. gcry_pk_get_nbits Return what is commonly (gcry_sexp_t key) unsigned int ● ● referred as the key length (DSS – See Table 5.3a) for the given public or private KEY. gcry_pk_get_keyg Please note that keygrip is (gcry_sexp_t key, unsigned char * ● ● rip still experimental and should unsigned char *array) not be used without (DSS – See Table 5.3a) contacting the author. Page 18 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_pk_get_curv Return the name of the (gcry_sexp_t key, int const char * ● ● e curve matching KEY. iterator, unsigned int *r_nbits) (DSS – See Table 5.3a) gcry_pk_get_para Return an S-expression with (int algo, const char gcry_sexp_t ● ● m the parameters of the *name) named ECC curve NAME. (DSS – See Table 5.3a) ALGO must be set to an ECC algorithm. gcry_pk_test_algo Return 0 if the public key (int algo) gcry_error_t ● ● algorithm A is available for (DSS – See Table 5.3a) use. gcry_pk_list Get a list consisting of the (int *list, int *list_length) gcry_error_t ● ● IDs of the loaded pubkey (DSS – See Table 5.3a) modules. If LIST is zero, write the number of loaded pubkey modules to LIST_LENGTH and return. If LIST is non-zero, the first *LIST_LENGTH algorithm IDs are stored in LIST, which must be of according size. In case there are less pubkey modules than *LIST_LENGTH, *LIST_LENGTH is updated to the correct number. gcry_md_open Create a message digest (gcry_md_hd_t *h, int gcry_error_t ● ● object for algorithm ALGO. algo, unsigned int flags) (SHS – See Table 5.3a) FLAGS may be given as an bitwise OR of the gcry_md_flags values. ALGO may be given as 0 if the algorithms to be used are later set using gcry_md_enable. gcry_md_close Release the message digest (gcry_md_hd_t hd) void ● ● object HD. (SHS – See Table 5.3a) gcry_md_enable Add the message digest (gcry_md_hd_t hd, int gcry_error_t ● ● algorithm ALGO to the algo) (SHS – See Table 5.3a) digest object HD. gcry_md_copy Create a new digest object (gcry_md_hd_t *bhd, gcry_error_t ● ● as an exact copy of the gcry_md_hd_t ahd) (SHS – See Table 5.3a) object HD. gcry_md_reset Reset the digest object HD (gcry_md_hd_t hd) void ● ● to its initial state. (SHS – See Table 5.3a) gcry_md_ctl Perform various operations (gcry_md_hd_t hd, int gcry_error_t ● ● on the digest object HD. cmd, void *buffer, size_t (SHS – See Table 5.3a) buflen) gcry_md_write Pass LENGTH bytes of data (gcry_md_hd_t hd, const void ● ● in BUFFER to the digest void *buffer, size_t (SHS – See Table 5.3a) object HD so that it can length) update the digest values. This is the actual hash function. Page 19 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_md_read Read out the final digest (gcry_md_hd_t hd, int unsigned char * ● ● from HD return the digest algo) (SHS – See Table 5.3a) value for algorithm ALGO. gcry_md_hash_b Convenience function to (int algo, void *digest, void ● ● uffer calculate the hash from the const void *buffer, size_t data in BUFFER of size length) (SHS – See Table 5.3a) LENGTH using the algorithm ALGO avoiding the creating of a hash object. The hash is returned in the caller provided buffer DIGEST which must be large enough to hold the digest of the given algorithm. gcry_md_get_alg Retrieve the algorithm used (gcry_md_hd_t hd) int ● ● o with HD. This does not work reliable if more than one (SHS – See Table 5.3a) algorithm is enabled in HD. gcry_md_get_alg Retrieve the length in bytes (int algo) unsigned int ● ● o_dlen of the digest yielded by algorithm ALGO. (SHS – See Table 5.3a) gcry_md_is_enabl Return true if the the (gcry_md_hd_t a, int int ● ● ed algorithm ALGO is enabled algo) in the digest object A. (SHS – See Table 5.3a) gcry_md_is_secur Return true if the digest (gcry_md_hd_t a) int ● ● e object A is allocated in "secure" memory. (SHS – See Table 5.3a) gcry_md_info Retrieve various information (gcry_md_hd_t h, int gcry_error_t ● ● about the object H. what, void *buffer, size_t (SHS – See Table 5.3a) *nbytes) gcry_md_algo_inf Retrieve various information (int algo, int what, void gcry_error_t ● ● o about the algorithm ALGO. *buffer, size_t *nbytes) (SHS – See Table 5.3a) gcry_md_algo_na Map the digest algorithm id (int algo) const char * ● ● me ALGO to a string representation of the (SHS – See Table 5.3a) algorithm name. For unknown algorithms this function returns "?". gcry_md_map_na Map the algorithm NAME to (const char* name) int ● ● me a digest algorithm Id. Return 0 if the algorithm (SHS – See Table 5.3a) name is not known. gcry_md_setkey For use with the HMAC (gcry_md_hd_t hd, const gcry_error_t ● ● feature, the set MAC key to void *key, size_t keylen) (SHS – See Table 5.3a) the KEY of KEYLEN bytes. gcry_md_debug Start or stop debugging for (gcry_md_hd_t hd, const void ● ● digest handle HD; i.e. create char *suffix) (SHS – See Table 5.3a) a file named dbgmd- . while hashing. If SUFFIX is NULL, debugging stops and the file will be closed. Page 20 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_md_putc Update the hash(s) of H with (gcry_md_hd_t h, char c) void ● ● the character C. This is a buffered version of the gcry_md_write function. gcry_md_final Finalize the digest (int algo) gcry_error_t ● ● calculation. This is not (SHS – See Table 5.3a) really needed because gcry_md_read() does this implicitly. gcry_md_test_alg Return 0 if the algorithm A is (int algo) gcry_error_t ● ● o available for use. (SHS – See Table 5.3a) gcry_md_get_asn Return an DER encoded (int algo, void *buffer, gcry_error_t ● ● oid ASN.1 OID for the algorithm size_t *nbytes) A in buffer B. N must point (SHS – See Table 5.3a) to size_t variable with the available size of buffer B. After return it will receive the actual size of the returned OID. gcry_md_start_de Enable debugging for digest (int algo, void *string) gcry_error_t ● ● bug object A; i.e. create files named dbgmd-. (SHS – See Table 5.3a) while hashing. B is a string used as the suffix for the filename. This macro is deprecated, use gcry_md_debug. gcry_md_stop_de Disable the debugging of A. (int algo, void *string) gcry_error_t ● ● bug This macro is deprecated, use gcry_md_debug. (SHS – See Table 5.3a) gcry_md_list Get a list consisting of the (int *list, int *list_length) gcry_error_t ● ● IDs of the loaded message (SHS – See Table 5.3a) digest modules. If LIST is zero, write the number of loaded message digest modules to LIST_LENGTH and return. If LIST is non- zero, the first *LIST_LENGTH algorithm IDs are stored in LIST, which must be of according size. In case there are less message digest modules than *LIST_LENGTH, *LIST_LENGTH is updated to the correct number. gcry_ac_data_ne Returns a new, empty data (gcry_ac_data_t *data) gcry_error_t ● ● w set in DATA. (DSS – See Table 5.3a) gcry_ac_data_desDestroy the data set DATA. (gcry_ac_data_t data) void ● ● troy (DSS – See Table 5.3a) Page 21 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_ac_data_copCreate a copy of the data (gcry_ac_data_t gcry_error_t ● ● y set DATA and store it in *data_cp, DATA_CP. gcry_ac_data_t data) (DSS – See Table 5.3a) gcry_ac_data_len Return the number of (gcry_ac_data_t data) unsigned int ● ● gth named MPI values inside of the data set DATA. (DSS – See Table 5.3a) gcry_ac_data_cle Destroy any values (gcry_ac_data_t data) void ● ● ar contained in the data set DATA. (DSS – See Table 5.3a) gcry_ac_data_set Add the value MPI to DATA (gcry_ac_data_t data, gcry_error_t ● ● with the label NAME. If unsigned int flags, const (DSS – See Table FLAGS contains char *name, gcry_mpi_t 5.3a)t GCRY_AC_FLAG_DATA_C mpi) OPY, the data set will contain copies of NAME and MPI. If FLAGS contains GCRY_AC_FLAG_DATA_D EALLOC or GCRY_AC_FLAG_DATA_C OPY, the values contained in the data set will be deallocated when they are to be removed from the data set. gcry_ac_data_get Store the value labeled with (gcry_ac_data_t data, gcry_error_t ● ● _name NAME found in DATA in unsigned int flags, const MPI. If FLAGS contains char *name, gcry_mpi_t (DSS – See Table 5.3a) GCRY_AC_FLAG_COPY, *mpi) store a copy of the MPI value contained in the data set. MPI may be NULL. gcry_ac_data_get Stores in NAME and MPI (gcry_ac_data_t data, gcry_error_t ● ● _index the named MPI value unsigned int flags, contained in the data set unsigned int idx, const (DSS – See Table 5.3a) DATA with the index IDX. If char **name, gcry_mpi_t FLAGS contains *mpi) GCRY_AC_FLAG_COPY, store copies of the values contained in the data set. NAME or MPI may be NULL. gcry_ac_data_to_ Convert the data set DATA (gcry_ac_data_t data, gcry_error_t ● ● sexp into a new S-Expression, gcry_sexp_t *sexp, const which is to be stored in char **identifiers) (DSS – See Table 5.3a) SEXP, according to the identifiers contained in IDENTIFIERS. gcry_ac_data_fro Create a new data set, (gcry_ac_data_t *data, gcry_error_t ● ● m_sexp which is to be stored in gcry_sexp_t sexp, const DATA_SET, from the S- char **identifiers) (DSS – See Table 5.3a) Expression SEXP, according to the identifiers contained in IDENTIFIERS. gcry_ac_io_init Initialize AC_IO according to (gcry_ac_io_t *ac_io, void ● ● MODE, TYPE and the gcry_ac_io_mode_t (DSS – See Table Page 22 of 32 SecureAgent® Software SecureAgent® Security Policy variable list of arguments. mode, 5.3a) The list of variable gcry_ac_io_type_t type, arguments to specify ...) depends on the given TYPE. gcry_ac_io_init_v Initialize AC_IO according to (gcry_ac_io_t *ac_io, void ● ● a MODE, TYPE and the gcry_ac_io_mode_t variable list of arguments mode, (DSS – See Table 5.3a) AP. The list of variable gcry_ac_io_type_t type, arguments to specify va_list ap) depends on the given TYPE. gcry_ac_open Create a new ac handle. (gcry_ac_handle_t gcry_error_t ● ● *handle, gcry_ac_id_t (DSS – See Table 5.3a) algorithm, unsigned int flags) gcry_ac_close Destroy an ac handle. (gcry_ac_handle_t void ● ● handle) (DSS – See Table 5.3a) gcry_ac_key_init Initialize a key from a given (gcry_ac_key_t *key, gcry_error_t ● ● data set. gcry_ac_handle_t (DSS – See Table 5.3a) handle, gcry_ac_key_type_t type, gcry_ac_data_t data) gcry_ac_key_pair Generates a new key pair (gcry_ac_handle_t gcry_error_t ● ● _generate via the handle HANDLE of handle, unsigned int NBITS bits and stores it in nbits, void *spec, (DSS – See Table 5.3a) KEY_PAIR. In case non- gcry_ac_key_pair_t standard settings are *key_pair, gcry_mpi_t wanted, a pointer to a **misc_data) structure of type gcry_ac_key_spec__t, matching the selected algorithm, can be given as KEY_SPEC. MISC_DATA is not used yet. gcry_ac_key_pair Returns the key of type (gcry_ac_key_pair_t gcry_ac_key_t ● ● _extract WHICH out of the key pair key_pair, KEY_PAIR. gcry_ac_key_type_t (DSS – See Table 5.3a) which) gcry_ac_key_data Returns the data set (gcry_ac_key_t key) gcry_ac_data_t ● ● _get contained in the key KEY. (DSS – See Table 5.3a) gcry_ac_key_test Verifies that the key KEY is (gcry_ac_handle_t gcry_error_t ● ● sane via HANDLE. handle, gcry_ac_key_t (DSS – See Table key) 5.3a)t gcry_ac_key_get_ Stores the number of bits of (gcry_ac_handle_t gcry_error_t ● ● nbits the key KEY in NBITS via handle, gcry_ac_key_t HANDLE. key, unsigned int *nbits) (DSS – See Table 5.3a) gcry_ac_key_get_ Writes the 20 byte long key (gcry_ac_handle_t gcry_error_t ● ● grip grip of the key KEY to handle, gcry_ac_key_t KEY_GRIP via HANDLE. key, unsigned char (DSS – See Table 5.3a) *key_grip) gcry_ac_key_dest Destroy a key. (gcry_ac_key_t key) void ● ● roy (DSS – See Table 5.3a) Page 23 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_ac_key_pair Destroy a key pair. (gcry_ac_key_pair_t void ● ● _destroy key_pair) (DSS – See Table 5.3a) gcry_ac_data_encEncodes a message (gcry_ac_em_t method, gcry_error_t ● ● ode according to the encoding unsigned int flags, void method METHOD. *options, gcry_ac_io_t (DSS – See Table 5.3a) OPTIONS must be a pointer *io_read, gcry_ac_io_t to a method-specific *io_write) structure (gcry_ac_em*_t). gcry_ac_data_decDecodes a message (gcry_ac_em_t method, gcry_error_t ● ● ode according to the encoding unsigned int flags, void method METHOD. *options, gcry_ac_io_t (DSS – See Table 5.3a) OPTIONS must be a pointer *io_read, gcry_ac_io_t to a method-specific *io_write) structure (gcry_ac_em*_t). gcry_ac_data_encEncrypt the plain text MPI (gcry_ac_handle_t gcry_error_t ● ● rypt value DATA_PLAIN with the handle, unsigned int key KEY under the control of flags, gcry_ac_key_t (DSS – See Table 5.3a) the flags FLAGS and store key, gcry_mpi_t the resulting data set into data_plain, DATA_ENCRYPTED. gcry_ac_data_t *data_encrypted) gcry_ac_data_decDecrypt the decrypted data (gcry_ac_handle_t gcry_error_t ● ● rypt contained in the data set handle, unsigned int DATA_ENCRYPTED with flags, gcry_ac_key_t (DSS – See Table 5.3a) the key KEY under the key, gcry_mpi_t control of the flags FLAGS *data_plain, and store the resulting plain gcry_ac_data_t text MPI value in data_encrypted) DATA_PLAIN. gcry_ac_data_sig Sign the data contained in (gcry_ac_handle_t gcry_error_t ● ● n DATA with the key KEY and handle, gcry_ac_key_t store the resulting signature key, gcry_mpi_t data, (DSS – See Table 5.3a) in the data set gcry_ac_data_t DATA_SIGNATURE. *data_signature) gcry_ac_data_veriVerify that the signature (gcry_ac_handle_t gcry_error_t ● ● fy contained in the data set handle, gcry_ac_key_t DATA_SIGNATURE is key, gcry_mpi_t data, (DSS – See Table 5.3a) indeed the result of signing gcry_ac_data_t the data contained in DATA data_signature) with the secret key belonging to the public key KEY. gcry_ac_data_encEncrypts the plain text (gcry_ac_handle_t gcry_error_t ● ● rypt_scheme readable from handle, IO_MESSAGE through gcry_ac_scheme_t (DSS – See Table 5.3a) HANDLE with the public key scheme, unsigned int KEY according to SCHEME, flags, void *opts, FLAGS and OPTS. If OPTS gcry_ac_key_t key, is not NULL, it has to be a gcry_ac_io_t pointer to a structure *io_message, specific to the chosen gcry_ac_io_t *io_cipher) scheme (gcry_ac_es_*_t). The encrypted message is written to IO_CIPHER. gcry_ac_data_decDecrypts the cipher text (gcry_ac_handle_t gcry_error_t ● ● rypt_scheme readable from IO_CIPHER handle, Page 24 of 32 SecureAgent® Software SecureAgent® Security Policy through HANDLE with the gcry_ac_scheme_t (DSS – See Table 5.3a) secret key KEY according to scheme, unsigned int SCHEME, @var{flags} and flags, void *opts, OPTS. If OPTS is not gcry_ac_key_t key, NULL, it has to be a pointer gcry_ac_io_t *io_cipher, to a structure specific to the gcry_ac_io_t chosen scheme *io_message) (gcry_ac_es_*_t). The decrypted message is written to IO_MESSAGE. gcry_ac_data_sig Signs the message readable (gcry_ac_handle_t gcry_error_t ● ● n_scheme from IO_MESSAGE through handle, HANDLE with the secret key gcry_ac_scheme_t (DSS – See Table 5.3a) KEY according to SCHEME, scheme, unsigned int FLAGS and OPTS. If OPTS flags, void *opts, is not NULL, it has to be a gcry_ac_key_t key, pointer to a structure gcry_ac_io_t specific to the chosen *io_message, scheme (gcry_ac_ssa_*_t). gcry_ac_io_t The signature is written to *io_signature) IO_SIGNATURE. gcry_ac_data_veriVerifies through HANDLE (gcry_ac_handle_t gcry_error_t ● ● fy_scheme that the signature readable handle, from IO_SIGNATURE is gcry_ac_scheme_t (DSS – See Table 5.3a) indeed the result of signing scheme, unsigned int the message readable from flags, void *opts, IO_MESSAGE with the gcry_ac_key_t key, secret key belonging to the gcry_ac_io_t public key KEY according to *io_message, SCHEME and OPTS. If gcry_ac_io_t OPTS is not NULL, it has to *io_signature) be an anonymous structure (gcry_ac_ssa_*_t) specific to the chosen scheme. gcry_ac_id_to_na Store the textual (gcry_ac_id_t algorithm, gcry_error_t ● ● me representation of the const char **name) algorithm whose id is given (DSS – See Table 5.3a) in ALGORITHM in NAME. This function is deprecated; use gcry_pk_algo_name. gcry_ac_name_to Store the numeric ID of the (const char *name, gcry_error_t ● ● _id algorithm whose textual gcry_ac_id_t *algorithm) representation is contained (DSS – See Table 5.3a) in NAME in ALGORITHM. This function is deprecated; use gcry_pk_map_name. gcry_kdf_derive Derive a key from a (const void *passphrase, gpg_error_t ● ● (KDF – See Table passphrase. size_t passphraselen, int 5.3a) algo, int subalgo, const void *salt, size_t saltlen, unsigned long iterations, size_t keysize, void *keybuffer) gcry_randomize Fill BUFFER with LENGTH (void *buffer, size_t void ● ● (RNG – See Table bytes of random, using length, enum 5.3a) random numbers of quality gcry_random_level level) LEVEL. Page 25 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_random_add Add the external random (const void *buffer, gcry_error_t ● ● _bytes from BUFFER with LENGTH size_t length, int quality) (RNG – See Table bytes into the pool. 5.3a) QUALITY should either be - 1 for unknown or in the range of 0 to 100 gcry_fast_random If random numbers are used None gcry_error_t ● ● _poll in an application, this macro (RNG – See Table should be called from time 5.3a) to time so that new stuff gets added to the internal pool of the RNG. gcry_random_byt Return NBYTES of allocated (size_t nbytes, enum void * ● ● es random using a random gcry_random_level level) (RNG – See Table numbers of quality LEVEL. 5.3a) gcry_random_byt Return NBYTES of allocated (size_t nbytes, enum void * ● ● es_secure random using a random gcry_random_level level) (RNG – See Table numbers of quality LEVEL. 5.3a) The random numbers are created returned in "secure" memory. gcry_mpi_random Set the big integer W to a (gcry_mpi_t w, unsigned void ● ● ize random value of NBITS int nbits, enum using a random generator gcry_random_level level) with quality LEVEL. Note that by using a level of GCRY_WEAK_RANDOM gcry_create_nonce is used internally. gcry_create_nonc Create an unpredictable (void *buffer, size_t void ● ● e nonce of LENGTH bytes in length) (RNG – See Table BUFFER. 5.3a) gcry_prime_gener Generate a new prime (gcry_mpi_t *prime, gcry_error_t ● ● ate number of PRIME_BITS bits unsigned int prime_bits, and store it in PRIME. If unsigned int factor_bits, FACTOR_BITS is non-zero, gcry_mpi_t **factors, one of the prime factors of gcry_prime_check_func_ (prime - 1) / 2 must be t cb_func, void *cb_arg, FACTOR_BITS bits long. If gcry_random_level_t FACTORS is non-zero, random_level, unsigned allocate a new, NULL- int flags) terminated array holding the prime factors and store it in FACTORS. FLAGS might be used to influence the prime number generation process. gcry_prime_group Find a generator for PRIME (gcry_mpi_t *r_g, gcry_error_t ● ● _generator where the factorization of gcry_mpi_t prime, (prime-1) is in the NULL gcry_mpi_t *factors, terminated array FACTORS. gcry_mpi_t start_g) Return the generator as a newly allocated MPI in R_G. If START_G is not NULL, use this as the start for the search. Page 26 of 32 SecureAgent® Software SecureAgent® Security Policy gcry_prime_relea Convenience function to (gcry_mpi_t *factors) void ● ● se_factors release the FACTORS array. gcry_prime_check Check whether the number (gcry_mpi_t x, unsigned gcry_error_t ● ● X is prime. int flags) gcry_set_progres Certain operations can (gcry_handler_progress_void ● ● s_handler provide progress t cb, void *cb_data) information. This function is used to register a handler for retrieving these information. gcry_set_allocatio Register a custom memory ( gcry_handler_alloc_t void ● ● n_handler allocation functions. func_alloc, gcry_handler_alloc_t func_alloc_secure, gcry_handler_secure_ch eck_t func_secure_check, gcry_handler_realloc_t func_realloc, gcry_handler_free_t func_free) gcry_set_outofcor Register a function used (gcry_handler_no_mem_ void ● ● e_handler instead of the internal out of t h, void *opaque) memory handler. gcry_set_fatalerro Register a function used (gcry_handler_error_t void ● ● r_handler instead of the internal fatal fnc, void *opaque) error handler. gcry_set_log_han Register a function used (gcry_handler_log_t f, void ● ● dler instead of the internal void *opaque) logging facility. gcry_set_gettext_ Reserved for future use. (const char *(*f)(const void ● ● handler char*)) gcry_malloc Libgcrypt uses its own (size_t n) void * ● ● memory allocation. It is (size_t n, size_t m) void * gcry_calloc gcry_malloc_secu important to use gcry_free () (size_t n) void * to release memory allocated (size_t n, size_t m) void * re gcry_calloc_secur by libgcrypt. (void *a, size_t n) void * (const char *string) char * e (size_t n) void * gcry_realloc (size_t n, size_t m) void * gcry_strdup (size_t n) void * gcry_xmalloc (size_t n, size_t m) void * gcry_xcalloc (void *a, size_t n) void * gcry_xmalloc_sec (const char * a) char * ure (void *a) void gcry_xcalloc_secu re gcry_xrealloc gcry_xstrdup gcry_free gcry_is_secure Return true if A is allocated (const void *a) int ● ● in "secure" memory. gcry_fips_mode_aReturn true if Libgcrypt is in None bool ● ● ctive FIPS mode. Page 27 of 32 SecureAgent® Software SecureAgent® Security Policy Table 5.3a Libgcrypt Algorithms available in non-Approved mode Libgcrypt Service Group Available Algorithms AES128, non-compliant ENC (Encryption) AES192, non-compliant AES256, non-compliant ARCFOUR BLOWFISH CAMELLIA128 CAMELLIA192 CAMELLIA256 CAST5 DES RC2 SEED SERPENT128 SERPENT192 SERPENT256 TDES TWOFISH TWOFISH128 RSA, non-compliant DSS (Digital Signature Standard) DSA, non-compliant Elgamal If flag GCRY_MD_FLAG_HMAC is 0, then the functions SHS (Secure Hash Standard) perform the specified hash algorithm If flag GCRY_MD_FLAG_HMAC is 1, then the functions perform the specified HMAC algorithm HAVAL MD2 MD4 MD5 RMD160 SHA1, non-compliant SHA224, non-compliant SHA256, non-compliant SHA384, non-compliant SHA512, non-compliant TIGER TIGER1 TIGER2 WHIRLPOOL NIST-Recommended Random Number Generator RNG (Random Number Generators) Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES Algorithms (Implementing AES Only), non-compliant CSPRNG - The Continuously Seeded Pseudo Random Number Generator SIMPLE_S2K - The OpenPGP simple S2K algorithm KDF (Key Derivation Function) (cf. RFC4880). Its use is strongly deprecated. SALTED_S2K - The OpenPGP salted S2K algorithm (cf. RFC4880). Usually not used. ITERSALTED_S2K - The OpenPGP iterated+salted S2K algorithm (cf. RFC4880). This is the default for most OpenPGP applications. PBKDF2 - The PKCS#5 Passphrase Based Key Page 28 of 32 SecureAgent® Software SecureAgent® Security Policy Derivation Function number 2. 3.3 Authentication The Module neither identifies nor authenticates any user (in any role) that is accessing the Module. This is only acceptable for a FIPS 140-2, Security Level 1 validation. The Operating System (OS) and the SecureAgent Application provide functionality to require any user to be successfully authenticated prior to using any system services. Only a single operator assuming a particular role may operate the Module at any particular moment in time. The OS authentication mechanism must be enabled to ensure that none of the Module’s services are available to users who do not assume an authorized role. Table 6. Roles and Required Identification and Authentication. Role Type of Authentication Authentication Data Not required Not required Crypto Officer Not required Not required User 4 Finite State Model Refer to SecureAgent FiniteStateMachine for information related to the finite state model implemented in this module. 5 Physical Security (N/A) This is a software module. 6 Operational Environment The Module must run on Sun Solaris 10. After the module is initialized, a crypto officer confirms the module has the correct version number using the sai_version function. 2.2.006 7 Cryptographic Key Management SecureAgent® Software Cryptographic Module performs no key management. Because the SecureAgent® Software Cryptographic Module is a DLL, each process requesting access is provided its own instance of the SecureAgent® Software Cryptographic Module. The SecureAgent® Software Cryptographic Module contains only keys or data placed into the SecureAgent® Software Cryptographic Module via the services described in this document. No keys or data are persistently maintained by the SecureAgent® Software Cryptographic Module, or maintained after a process detaches from the SecureAgent® Software Cryptographic Module. Table 7. Keys and CSPs Name Size Description Method CSP Access Encrypt-Key 128,192,256 for AES Key supplied to the Send (encrypt data) API call Crypto Officer, service User Decrypt-Key 128,192,256 for AES Key supplied to the Receive (decrypt data) API call Crypto Officer, service User Seed 128 Seed generated from NDRNG used to seed API call Crypto Officer, X9.31 RNG User Seed Key 128 Seed key generated from NDRNG used as API call Crypto Officer, seed key for X9.31 RNG User Page 29 of 32 SecureAgent® Software SecureAgent® Security Policy 7.1 Random Number Generators The SecureAgent® Software Cryptographic Module uses an Approved RNG (ANSI X9.31 Appendix A.2.4 using AES) to generate initialization vectors (IVs) for Approved security functions. The SecureAgent® Software Cryptographic Module uses a non-Approved NDRNG (Sun Solaris 10 /dev/random) to seed the above Approved RNG. 7.2 Key Generation The SecureAgent® Software Cryptographic Module does not provide key generation services. Keys are generated outside the module. All keys must be provided through the API as described. 7.3 Key Establishment No key establishment is performed by the module. 7.4 Key Entry and Output Plaintext keys are entered into the module as parameters to API calls. No manual key entry is possible with the module. 7.5 Key Storage The SecureAgent® Software Cryptographic Module does not provide any persistent storage of key material. Keys are entered by the operator only via API calls. Key material is stored in the context, which is maintained in a user-supplied data structure passed in each API call. No key material is maintained inside the SecureAgent® Software Cryptographic Module between API calls. The only key material used by the SecureAgent® Software Cryptographic Module outside of the user-supplied context is that which is stored temporarily in local variables on the stack. The SecureAgent® Software Cryptographic Module relies upon the operating system memory protection to prevent processes from accessing each other’s key material. To ensure that other processes cannot access keys and data, the caller must not utilize shared memory. In addition, the operating system page file must not be configured to reside on a network drive. 7.6 Key Zeroization Zeroization of keys is performed internal to the module API functions using the gcry_burn_stack function and the wipememory macro. sai_zeroize reimplements the wipememory macro for application level key/CSP zeroization. It is possible that the operating system may swap memory that contains keys to a disk. To zeroize those keys, the User must wipe the swap files. One way to accomplish this is to reformat the hard drive containing the swap filesystem and overwrite the hard drive at least once. 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) The module runs on a GPC and this will be required to comply with FCC Part 15 regulations regarding the EMI/EMC for business use. 9 Self-Tests The module implements several self-tests to check proper functioning of the module. This includes power-up self-tests (which are also callable on demand) and conditional self-tests. The self-test can be initiated by calling the function sai_selftest, which returns the operational status of the module (after running self-tests) and an error code with description of the error (if applicable). Additionally, when the module is performing self-tests, none of the FIPS approved algorithms will be available and no data output is possible until self-tests are successfully completed. 9.1 Power-Up Tests The module performs a self-test when the API function sai_init is called or on demand when the API function sai_selftest is called. When the module is initialized with sai_init, a Known Answer Test is performed for the each cryptographic algorithm. The module returns the operational status of the module (after running self-tests) as “Pass/Fail” as shown in Table 5.1. If any of these tests fail, the module enters the fatal error state. Once the module is in the fatal error state, none of the FIPS approved algorithms will be available and data output is inhibited. Both functions may be called anytime. Page 30 of 32 SecureAgent® Software SecureAgent® Security Policy Cryptographic algorithm tests: 9.1.1 - AES 128, 192, 256 - HMAC-SHA256 - SHA256 - RNG Software integrity check uses an HMAC-SHA256 function to compare calculated result with a previously 9.1.2 generated result to verify module integrity. 9.2 Conditional Tests Software integrity check uses an HMAC-SHA256 function to compare calculated result with a previously 9.2.1 generated result to verify module integrity. Approved RNG continuous random number generator test checks for failure to a constant value. 9.2.2 Non-Approved NDRNG continuous random number generator test checks for failure to a constant 9.2.3 value. 10 Design Assurance 10.1 Configuration Management A configuration management (CM) system is established for the cryptographic module, module components, and associated module documentation. The configuration management defines how version numbers correspond to changes made to configuration items during the product lifecycle. The vendor uses the Mercurial source control management tool to facilitate the integrity of the module during the module's life cycle. Mercurial stores all changes to the Module's source code. 10.2 Delivery and Operation The SecureAgent® Software Cryptographic Module is provided as a dynamically-linked shared object library for the Solaris operating environment. 10.3 Development The cryptographic module software consists of the runtime software. Listings of these sources are provided separately. Annotations in the source code modules explain functions implemented in the code. 10.4 Guidance Documents The Crypto Officer Guide provides instructions on how to properly install and configure the Module. The User Guide describes how to use the services available in the Module. 11 Mitigation of Attacks (N/A) The SecureAgent® Software cryptographic module is not designed to mitigate specific attacks such as differential power analysis or timing attacks. References National Institute of Standards and Technology, FIPS PUB 140-2: Security Requirements for Cryptographic Modules, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, FIPS 140-2 Annex A: Approved Security Functions, available at URL: http://csrc.nist.gov/groups/STM/cmvp. Page 31 of 32 SecureAgent® Software SecureAgent® Security Policy National Institute of Standards and Technology, FIPS 140-2 Annex B: Approved Protection Profiles, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, FIPS 140-2 Annex C: Approved Random Number Generators, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, FIPS 140-2 Annex D: Approved Key Establishment Techniques, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology and Communications Security Establishment, Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, Data Encryption Standard (DES), Federal Information Processing Standards Publication 46-3, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, DES Modes of Operation, Federal Information Processing Standards Publication 81, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, available at URL: http://csrc.nist.gov/groups/STM/cmvp. National Institute of Standards and Technology, Secure Hash Standard (SHS), Federal Information Processing Standards Publication 180-1, available at URL: http://csrc.nist.gov/groups/STM/cmvp. Page 32 of 32