Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Document Version 1.1 Last update: 2016-05-09 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 1 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1Introduction............................................................................................................................. 3 2Cryptographic Module Specification........................................................................................ 4 2.1Module Overview........................................................................................................... 4 2.2FIPS 140-2 validation..................................................................................................... 5 2.3Modes of Operations...................................................................................................... 6 3Cryptographic Module Ports and Interfaces.............................................................................8 4Roles, Services and Authentication......................................................................................... 9 4.1Roles.............................................................................................................................. 9 4.2Services......................................................................................................................... 9 4.3Authentication............................................................................................................. 13 5Physical Security................................................................................................................... 14 6Operational Environment...................................................................................................... 15 6.1Applicability................................................................................................................. 15 6.2Policy........................................................................................................................... 15 7Cryptographic Key Management........................................................................................... 16 7.1Random Number Generation.......................................................................................16 7.2Key / Critical Security Parameter (CSP) Access............................................................17 7.3Key / CSP Storage........................................................................................................ 17 7.4Key / CSP Zeroization................................................................................................... 17 8Self Tests............................................................................................................................... 18 8.1Power-Up Tests............................................................................................................. 18 8.1.1Integrity Tests..................................................................................................... 18 8.1.2Cryptographic algorithm tests............................................................................18 8.2On-Demand self-tests..................................................................................................19 8.3Conditional Tests.......................................................................................................... 19 9Guidance............................................................................................................................... 20 9.1Crypto Officer Guidance............................................................................................... 20 9.2User Guidance............................................................................................................. 21 9.2.1Three-key Triple-DES.......................................................................................... 21 10Mitigation of Other Attacks.................................................................................................. 22 Appendix AGlossary and Abbreviations...................................................................................24 Appendix BReferences............................................................................................................ 26 ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 2 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 1 Introduction This document is the non-proprietary Security Policy for the Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-2 (Federal Information Processing Standards Publication 140-2) for a Security Level 1 module. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 3 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 2 Cryptographic Module Specification 2.1 Module Overview The Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 (hereafter referred to as “the module”) is a software library implementing general purpose cryptographic algorithms. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). The module is implemented as a set of shared libraries / binary files; as shown in the diagram below, the shared library files and the integrity check file used to verify the module's integrity constitute the logical cryptographic boundary: System Physical Boundary Kernel User libgcrypt Cryptographic Module Boundary Figure 1: Software Block Diagram ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 4 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy The module is aimed to run in a general purpose computer. The physical boundary is the surface of the case of the target platform, as shown in the diagram below: Figure 2: Hardware Block Diagram All components of the module will be in the libgcrypt RPM version 1.5.3-12.el7_1.1. The following RPMs files are part of the module: • libgcrypt-1.5.3-12.el7_1.1 When installed on the system, the module comprises the following files: • /usr/lib64/libgcrypt.so.11 • /usr/lib64/.libgcrypt.so.11.hmac 2.2 FIPS 140-2 validation For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone cryptographic module validated at security level 1. The table below shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard: FIPS 140-2 Section Security Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services and Authentication 1 ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 5 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy FIPS 140-2 Section Security Level 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks 1 Table 1: Security Levels The module has been tested on the following platforms: Construct Hardware Processor Operating Tested or System With Without With AES-NI AES-NI CPACF HP Proliant DL380p Gen8 Intel® Red Hat yes yes n/a Xeon® E5- Enterprise 2600 v3 Linux 7.1 product family IBM POWER8 Little Endian 8286- POWER8E Red Hat n/a n/a n/a 41A Enterprise Linux 7.1 IBM z13 IBM/S390 Red Hat n/a n/a yes Enterprise Linux 7.1 Table 2: Tested Platforms The physical boundary is the surface of the case of the target platform. The logical boundary is depicted in the software block diagram. The module also includes algorithm implementations using Processor Algorithm Acceleration (PAA) functions provided by the different processors supported, as shown in the following table: Processor Processor Algorithm Acceleration Cryptographic Module (PAA) function implementation Intel x86 AES-NI AES Table 3: PAA function implementations 2.3 Modes of Operations The module supports two modes of operation: FIPS approved and non-approved modes. The mode of operation in which the module is operating can be determined by: • If the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, libgcrypt is put into FIPS mode at initialization time • If the file /etc/gcrypt/fips_enabled exists, libgcrypt is put into FIPS mode at initialization time. Note that this filename is hardwired and does not depend on any configuration options. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 6 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy The module turns to the FIPS approved mode after the initialization and the power-on self- tests have completed successfully. When libgcrypt is in the FIPS mode of operation, the request of services involving non-FIPS approved algorithms will be denied. However, the module does not check for approved key sizes or approved mode of algorithms. The services available in FIPS mode can be found in section 4.2, Table 5. The non-Approved but allowed services can be found in section 4.2, Table 6. The services available in non-FIPS mode can be found in section 4.2, Table 7. Note: Using a non-Approved key sizes, algorithms or block chaining mode specified in Table 7 will result in the module implicitly entering the non-FIPS mode of operation. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 7 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 3 Cryptographic Module Ports and Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces are the application program interface (API) through which applications request services. The following table summarizes the four logical interfaces: Logical interface Description Data input API input parameters for data Data output API output parameters for data Control input API function calls, API input parameters, /proc/sys/crypto/fips_enabled control file, /etc/gcrypt/fips_enabled configuration file Status output API return codes, API output parameters Table 4: Logical Interfaces The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the API function calls and the input parameters used to control the behavior of the module. The Status Output interface includes the return values of the API functions and status sent through output parameters. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 8 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 4 Roles, Services and Authentication 4.1 Roles The module supports the following roles: ⚫ User role: performs all services, except module installation and configuration. ⚫ Crypto Officer role: performs module installation and configuration and some basic functions: get status function and performing self-tests. The User and Crypto Officer roles are implicitly assumed by the entity accessing the module services. 4.2 Services The module supports services available to users in the available roles. All services are described in detail in the user documentation. The following table shows the available services, the roles allowed (“CO” stands for Crypto Officer role and “U” stands for User role), the Critical Security Parameters involved and how they are accessed in the FIPS mode: Service Algorithm Key Note / Mode CAVS Role CSPs Access Length Cert. Symmetric Triple-DES 168 bits Modes: ECB, Certs. U 168 bits R, W, EX encryption/ CBC, CFB64, #2030, Triple-DES Key decryption OFB, CTR #2031, #2032, #2033 3-key Triple- and DES #2034 encryption/ decryption 2-key Triple- DES decryption only AES 128, 192 Modes: ECB, Certs. U 128/192/256 R, W, EX and 256 CBC, CFB128, #3643, bits AES Key bits OFB, CTR #3644, #3645, #3646, #3647, #3648 and #3649 Get Key N/A N/A cipher_get_k N/A U N/A R Length eylen() function Get Block N/A N/A cipher_get_bl N/A U N/A R Length ocksize() function Check N/A N/A cipher_get_bl N/A U N/A R availability ocksize() of function Algorithm Secure SHA-1, N/A N/A Certs. U N/A R, W, EX Hash ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 9 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Service Algorithm Key Note / Mode CAVS Role CSPs Access Length Cert. Algorithm SHA-224, #3062, #3063, (SHS) SHA-256, #3064, SHA-384, #3065 SHA-512 and #3066 HMAC HMAC-SHA-1, At least N/A Certs. U MAC-key R, W, EX HMAC-SHA- 112 bits #2395, 224, HMAC- KSBS #2398 384, HMAC- and SHA-512 #2399 RSA Key pair 2048 and FIPS 186-4, Certs. U RSA private R, W, EX generation, 3072 bits RSASSA-PKCS #1879, key signature modulus #1.5 #1880, generation #1881, RSASSA-PSS #1882 and 1024 bits verification and signature #1883 verification for legacy- use DSA Key pair L=2048, FIPS 186-4 Certs. U DSA private R, W, EX generation, N=224; #1017, keys signature #1018, L=2048, generation #1019, N=256; and #1020 L=3072, verification and N=256; #1021 Signature L=1024, verification N=160 Generate SP 800-90A N/A Fill buffer Certs. U Seed W, EX random DRBG: with length #976, numbers random #977, HMAC_DRBG bytes, #978, with SHA- function to #979 1/256/384/512 allocate a and HASH_DRBG memory #980 with SHA- block 1/256/384/512 consisting of (with and nbytes of without random prediction bytes, resistance) function to allocate a SP 800-90A Certs. memory DRBG: #972, block #973, CTR_DRBG consisting of #974, with nbytes fresh #975, derivation random #976, function bytes using a #977 random AES and quality as 128/192/256 #978 defined by (with and level. This without function prediction differs from resistance) gcry_randomi ze() in that the returned buffer is ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 10 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Service Algorithm Key Note / Mode CAVS Role CSPs Access Length Cert. allocated in a “secure" area of the memory Initialize N/A N/A Powering-up N/A U N/A EX Module the module Selftests N/A N/A Performs N/A U CO N/A EX Known Answer Test (KAT) and integrity check Zeroize N/A N/A gcry_free() or N/A U All CSPs W, EX secure gcry_xfree() stored in that memory functions secure memory Release all N/A N/A Zeroises all N/A U Cipher secret W, EX resources sensitive keys of context information created by associated gcry_cipher with this _open() cipher handle Release all N/A N/A Zeroises all N/A U N/A W, EX resources sensitive of hash information context associated created by with this gcry_md_o cipher handle pen() Release the N/A N/A N/A N/A U RSA/DSA R, W, EX S- asymmetric expression key pair objects SEXP Show N/A N/A N/A N/A U CO N/A R, EX Status Installation N/A N/A N/A N/A CO N/A R, EX and configurati on of the module Table 5: Cryptographic Module's Approved Services Service Note / Mode Role Acces (involving s algorithm) RSA Encryption/decryption: 2048, 3072 and 4096 bits U R, W, EX Signature generation, key generation: 4096 bits RSA signature verification: 4096 bits Table 6: Cryptographic Module's non-Approved but allowed in FIPS mode Services The following table shows the available services, the roles allowed, the Critical Security Parameters involved and how they are accessed in the non-FIPS mode: ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 11 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Service Note / Mode Role Access (involving algorithm) ARC4 Encryption and decryption (stream cipher) U Blowfish Encryption and decryption U Camellia Encryption and decryption U Cast5 Encryption and decryption U CRC32 Cyclic redundancy code U CSPRNG Cryptographically Secure Pseudorandom Number Generator U DES Encryption and decryption (key size of 56 bits) U El Gamal Key pair generation, encryption and decryption, signature U generation, signature verification Gost 28147 encryption U R 34.11-94 hash U R 34.11-2012 (Stribog) hash HMAC Key size < 112 bits U (SHA1, SHA224, SHA256, SHA384 and SHA512) IDEA Encryption and decryption U MD4 Hashing U Digest size 128 bit MD5 Hashing U Digest size 128 bit OpenPGP S2K Password based key derivation compliant with OpenPGP U Salted and (RFC4880) Iterated/salted RC2 Encryption and decryption based on RFC 2268 U RIPEMD 160 Hashing U RSA Encryption/decryption: 1024 bits Signature generation, key generation: 1024 bits U SEED Encryption and decryption U Serpent Encryption and decryption U Tiger Hashing U Twofish Encryption and decryption U 2-key Triple-DES Encryption U Whirlpool Hashing U Services The services available in FIPS mode can be used in non-FIPS mode U available in FIPS CSPs/keys separation is enforced between both modes mode Table 7: Cryptographic Module's non-Approved Services and Algorithms Note: ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 12 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 1. RSA (key wrapping; key establishment methodology between 112 and 150 bits of encryption strength) 4.3 Authentication The module is a Level 1 software-only cryptographic module and does not implement authentication. The role is implicitly assumed based on the service requested. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 13 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 5 Physical Security The module is comprised of software only and thus does not claim any physical security. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 14 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 6 Operational Environment 6.1 Applicability The module operates in a modifiable operational environment per FIPS 140-2 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in section Error: Reference source not found. 6.2 Policy The operating system is restricted to a single operator (concurrent operators are explicitly excluded). The application that request cryptographic services is the single user of the module, even when the application is serving multiple clients. In FIPS Approved mode, the ptrace(2) system call, the debugger (gdb(1)), and strace(1) shall be not used. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 15 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 7 Cryptographic Key Management The application that uses the module is responsible for appropriate destruction and zeroization of the key material. The library provides functions for key allocation and destruction, which overwrites the memory that is occupied by the key information with “zeros” before it is deallocated. 7.1 Random Number Generation The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90A] for the creation of asymmetric and symmetric keys. The DRBG is initialized during module initialization. The module loads by default the DRBG using HMAC_DRBG with SHA-256 and derivation function tests without prediction resistance. The DRBG is seeded during initialization with a seed obtained from /dev/random of the appropriate length depending on the instantiated type (see section 10 of [SP800-90A]). The module performs continuous tests on the output of the DRBG to ensure that consecutive random numbers do not repeat. The noise source of /dev/random also implements continuous tests. Here are listed the CSPs/keys details concerning storage, input, output, generation and zeroization: Keys/CSPs Key Generation Key Storage Key Entry/Output Key Zeroization AES Keys Use of the module's Application's API input/output Automaticly zeroized SP 800-90A DRBG memory parameters and return when freeing the values within the cipher handler by physical boundaries of calling gcry_free() the module Triple-DES Use of the module's Application's API input/output Automaticly zeroized Keys SP 800-90A DRBG memory parameters and return when freeing the values within the cipher handler by physical boundaries of calling gcry_free() the module DSA private Use of the module's Application's API input/output Automaticly zeroized keys SP 800-90A DRBG memory parameters and return when freeing the and the modules DSA values within the cipher handler by key generation physical boundaries of calling gcry_free() mechanism the module RSA private Use of the module's Application's API input/output Automaticly zeroized keys SP 800-90A DRBG memory parameters and return when freeing the and the modules RSA values within the cipher handler by key generation physical boundaries of calling gcry_free() mechanism the module SP 800-90A The seed data Application's N/A Automaticly zeroized DRBG obtained from memory when freeing DRBG Entropy hardware random handler by calling string number generator gcry_free() /dev/random SP 800-90A Based on entropy Application's N/A Automaticly zeroized DRBG Seed string as defined in memory when freeing DRBG and internal SP 800-90A handler by calling state values gcry_free() (C and V values) HMAC Keys Use of the module's Application's API input/output Automaticly zeroized SP 800-90A DRBG memory parameters and return when freeing the values within the cipher handler by ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 16 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy physical boundaries of calling gcry_free() the module Table 8: Keys/CSPs 7.2 Key / Critical Security Parameter (CSP) Access An authorized application as user (the User role) has access to all key data generated during the operation of the module. Moreover, the module does not support the output of intermediate key generation values during the key generation process. 7.3 Key / CSP Storage Public and private keys are provided to the module by the calling process, and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of keys. 7.4 Key / CSP Zeroization The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate destruction functions provided in the module's API by using the API function gcry_free(). The destruction functions overwrite the memory occupied by keys with “zeros” and deallocates the memory with the regular memory deallocation operating system call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 17 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 8 Self Tests 8.1 Power-Up Tests The module performs power-up tests at module initialization to ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The selftests are performed without any user intervention. While the module is performing the power-up tests, services are not available and input or output is not possible: the module is single-threaded and will not return to the calling application until the self-tests are completed successfully. 8.1.1 Integrity Tests The integrity of the module is verified comparing the HMAC-SHA-256 value calculated at run time with the HMAC value stored in the module that was computed at build time. 8.1.2 Cryptographic algorithm tests The module performs self-tests on all FIPS-Approved cryptographic algorithms supported in the approved mode of operation, using the known answer tests (KAT) shown in the following table: Algorithm Tests Triple-DES KAT, encryption and decryption tested separately AES 128 KAT, encryption and decryption tested separately AES 192 KAT, encryption and decryption tested separately AES 256 KAT, encryption and decryption tested separately SHA-1 KAT SHA-224 KAT SHA-256 KAT SHA-384 KAT SHA-512 KAT HMAC SHA-1 KAT HMAC SHA-224 KAT HMAC SHA-256 KAT HMAC SHA-384 KAT HMAC SHA-512 KAT DRBG (Hash, HMAC and KAT CTR-based) RSA KAT of signature generation/verification DSA PCT of signature generation/verification Module Integrity test HMAC SHA-256 Table 9: Self-tests ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 18 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 8.2 On-Demand self-tests The module provides the Self-Test service to perform self-tests on demand. This service performs the same cryptographic algorithm tests executed during power-up, plus some extended self-tests, such as testing additional block chaining modes. During the execution of the on-demand self-tests, services are not available and no data output or input is possible. To invoke the on-demand self-tests, the user can invoke the gcry_control(GCRYCTL_SELFTEST) command. 8.3 Conditional Tests The module performs conditional tests on the cryptographic algorithms shown in the following table: Algorithm Test DRBG The continuous random number test is only used in FIPS mode. The RNG generates random numbers per block size depending on the underlying DRBG type (CTR; HMAC or Hash); the 1st block generated per context is saved in the context and another block is generated to be returned to the caller. Each block is compared against the saved block and then stored in the context. If a duplicated block is detected, an error is signaled and the library is put into the “Fatal-Error" state. (random/drbg.c:cdrbg_fips_continuous_test) RSA The test creates a random number of the size of p-64 bits and encrypts this value with the public key. Then the test checks that the encrypted value does not match the plaintext value. The test decrypts the ciphertext value and checks that it matches the original plaintext. The test will then generate another random plaintext, sign it, modify the signature by incrementing its value by 1, and verify that the signature verification fails. (cipher/rsa.c:test_keys()) DSA The test uses a random number of the size of the q parameter to create a signature and then checks that the signature verification is successfull. As a second signing test, the data is modified by incrementing its value and then is verified against the signature with the expected result that the verification fails. (cipher/dsa.c:test_keys()) Table 10: Conditional Tests ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 19 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 9 Guidance The following guidance items are to be used for assistance in maintaining the module's validated status while in use. 9.1 Crypto Officer Guidance The version of the RPMs containing the FIPS validated Module is stated in section 1 above. The RPM package of the Module can be installed by standard tools recommended for the installation of RPM packages on a Red Hat Enterprise Linux system (for example, yum, rpm, and the RHN remote management tool). For proper operation of the in-module integrity verification, the prelink has to be disabled. This can be done by setting PRELINKING=no in the /etc/sysconfig/prelink configuration file. If the libraries were already prelinked, the prelink should be undone on all the system files using the 'prelink -u -a' command. The ciphers listed in Table 7 are not allowed to be used. To bring the Module into FIPS Approved mode, perform the following: 1. Install the dracut-fips package: # yum install dracut-fips 2. Recreate the INITRAMFS image: # dracut -f After regenerating the initramfs, the Crypto Officer has to append the following string to the kernel command line by changing the setting in the boot loader: fips=1 If /boot or /boot/efi resides on a separate partition, the kernel parameter boot= must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example: $ df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 233191 30454 190296 14% /boot The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended to the kernel command line: "boot=/dev/sda1" Reboot to apply these settings. Because FIPS 140-2 has certain restrictions on the use of cryptography which are not always wanted, the Module needs to be put into FIPS Approved mode explicitly: if the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, the Module is put into FIPS Approved mode at initialization time. This is the mechanism recommended for ordinary use, activated by using the fips=1 option in the boot loader, as described above. If an application that uses the Module for its cryptography is put into a chroot environment, the Crypto Officer must ensure one of the above methods is available to the Module from within the chroot environment to ensure entry into FIPS Approved mode. Failure to do so will not allow the application to properly enter FIPS Approved mode. Once the Module has been put into FIPS Approved mode, it is not possible to switch back to standard mode without terminating the process first. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 20 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy If an application that uses the Module for its cryptography is put into a chroot environment, the Crypto Officer must ensure one of the above methods is available to the Module from within the chroot environment to ensure entry into FIPS approved mode. Failure to do so will not allow the application to properly enter FIPS approved mode. Because FIPS 140-2 has certain restrictions on the use of cryptography which are not always wanted, libgcrypt needs to be put into FIPS mode explicitly. To switch libgcrypt into this mode, the file /proc/sys/crypto/fips_enabled must contain a numeric value other than 0. If the application requests FIPS mode, use the control command gcry_control(GCRYCTL_FORCE_FIPS_MODE). This must be done prior to any initialization (i.e. before the gcry_check_version() function). Once libgcrypt has been put into FIPS mode, it is not possible to switch back to standard mode without terminating the process first. If the logging verbosity level of libgcrypt has been set to at least 2, the state transitions and the self tests are logged. 9.2 User Guidance Applications using libgcrypt need to call gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0) after initialization is done: that ensures that the DRBG is properly seeded, among others. gcry_control(GCRYCTL_TERM_SECMEM)needs to be called before the process is terminated. The function gcry_set_allocation_handler()may not be used. The user must not call malloc/free to create/release space for keys, let libgcrypt manage space for keys, which will ensure that the key memory is overwritten before it is released. See the documentation file doc/gcrypt.texi within the source code tree for complete instructions for use. The information pages are included within the developer package. The user can find the documentation at the following location after having installed the developer package: /usr/share/info/gcrypt.info-1.gz /usr/share/info/gcrypt.info-2.gz /usr/share/info/gcrypt.info.gz 9.2.1 Three-key Triple-DES It is the calling application’s responsibility to make sure that the three keys k1, k2 and k3 are independent. Two-key triple-DES usage will bring the module into the non-Approved mode of operation implicitly. ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 21 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy 10 Mitigation of Other Attacks libgcrypt uses a blinding technique for RSA decryption to mitigate real world timing attacks over a network: Instead of using the RSA decryption directly, a blinded value (y = x·re mod n) is decrypted and the unblinded value (x' = y'·r-1 mod n) returned. The blinding value “r” is a random value with the size of the modulus “n” and generated with `GCRY_WEAK_RANDOM' random level. Weak Triple-DES keys are detected as follows: In DES there are 64 known keys which are weak because they produce only one, two, or four different subkeys in the subkey scheduling process. The keys in this table have all their parity bits cleared. static byte weak_keys[64][8] = { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/ { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e }, { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 }, { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe }, { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/ { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 }, { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe }, { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 }, { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/ { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe }, { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 }, { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e }, { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/ { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 }, { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e }, { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 }, { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e }, { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/ { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe }, { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 }, { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 }, { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/ { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 }, { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe }, { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe }, { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/ { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e }, { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 }, { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 }, { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/ { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 }, { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e }, { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 }, { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe }, { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/ { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e }, { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe }, { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 }, { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/ { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 }, { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 }, { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e }, { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/ { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe }, { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e }, { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 }, { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/ { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 }, { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe }, { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 }, { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e }, { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/ { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 }, ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 22 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe }, { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 }, { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/ { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e }, { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 }, { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe }, { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/ { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 }, { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e }, { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 }, { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe } /*w*/ }; ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 23 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Appendix A Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMT Cryptographic Module Testing CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Functions CSP Critical Security Parameter CTR Counter Mode CVT Component Verification Testing DES Data Encryption Standard DFT Derivation Function Test DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology NDRNG Non-Deterministic Random Number Generator OFB Output Feedback OS Operating System PAA Processor Algorithm Acceleration PR Prediction Resistance PSS Probabilistic Signature Scheme ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 24 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSH Secure Shell TDES Triple DES UI User Interface XTS XEX-based Tweaked-codebook mode with ciphertext Stealing ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 25 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy Appendix B References FIPS180-4 Secure Hash Standard (SHS) March 2012 http://csrc.nist.gov/publications/fips/fips180-4/fips 180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198 1/FIPS-198 1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated July20_2007.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 26 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux libgcrypt Cryptographic Module v4.0 FIPS 140-2 Non-Proprietary Security Policy SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56A NIST Special Publication 800-56A Revision 2 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography May 2013 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 56Ar2.pdf SP800-56C Recommendation for Key Derivation through Extraction-then- Expansion November 2011 http://csrc.nist.gov/publications/nistpubs/800-56C/SP-800-56C.pdf SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800-90A NIST Special Publication 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators January 2012 http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf SP800-90B NIST Draft Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation August 2012 http://csrc.nist.gov/publications/drafts/800-90/draft-sp800-90b.pdf SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions October 2009 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131A NIST Special Publication 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths January 2011 http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf ©2016 Red Hat Enterprise Linux / atsec information security corporation Page 27 of 27 This document can be reproduced and distributed only whole and intact, including this copyright notice.