Red Hat Enterprise Linux 7 Libreswan Cryptographic Module version 7.0 and version rhel7.20190509 FIPS 140-2 Non-Proprietary Security Policy Version 1.3 Last update: 2021-05-03 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com ©2021 Red Hat®, Inc. / atsec information security corporation Page 1 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of contents 1 Introduction...........................................................................................................................3 2 Cryptographic Module Specification......................................................................................4 2.1 Module Overview.........................................................................................................4 2.2 FIPS 140-2 Validation...................................................................................................5 2.3 Modes of Operation......................................................................................................6 3 Cryptographic Module Ports and Interfaces...........................................................................7 4 Roles, Services and Authentication.......................................................................................8 4.1 Roles............................................................................................................................8 4.2 Services.......................................................................................................................8 4.3 Authentication...........................................................................................................11 5 Physical Security.................................................................................................................12 6 Operational Environment....................................................................................................13 6.1 Applicability...............................................................................................................13 6.2 Policy.........................................................................................................................13 7 Cryptographic Key Management.........................................................................................14 7.1 Random Number Generation and CSPs management................................................14 7.2 Key / CSP Storage......................................................................................................15 7.3 Key / CSP Zeroization.................................................................................................15 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC).............................16 9 Self Tests.............................................................................................................................17 9.1 Power-Up Tests...........................................................................................................17 9.1.1 Integrity Tests...................................................................................................17 9.1.2 Cryptographic Algorithm Tests..........................................................................17 10 Guidance...........................................................................................................................19 10.1 Crypto Officer Guidance...........................................................................................19 10.1.1 Configuration Changes and FIPS Approved Mode...........................................20 10.2 User Guidance.........................................................................................................20 10.2.1 Use of Triple-DES............................................................................................20 10.3 Handling Self-Test Errors..........................................................................................20 Appendix A Glossary and Abbreviations.................................................................................21 Appendix B References..........................................................................................................22 ©2021 Red Hat®, Inc. / atsec information security corporation Page 2 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 1 Introduction This document is the non-proprietary Security Policy for the Red Hat Enterprise Linux 7 Libreswan Cryptographic Module version 7.0 and version rhel7.20190509. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-2 (Federal Information Processing Standards Publication 140-2) for a Security Level 1 module. ©2021 Red Hat®, Inc. / atsec information security corporation Page 3 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 2 Cryptographic Module Specification 2.1 Module Overview The Red Hat Enterprise Linux 7 Libreswan Cryptographic Module (hereafter referred to as “the module”) with versions 7.0 and rhel7.20190509 is a daemon implementing the cryptographic algorithms. The module provides the implementation of the IKEv1 and IKEv2 protocols. Note: This module only implements the IKE protocol (not IPsec), which is used to negotiate and configure the IPsec protocol family. The logical module boundary is depicted in the software block diagram below. The module is aimed to run on a general purpose computer; the physical boundary is the surface of the case of the target platform, as shown in the diagram below: ©2021 Red Hat®, Inc. / atsec information security corporation Page 4 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Figure 1: Software Block Diagram Figure 2: Hardware Block Diagram Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy This cryptographic module combines a vertical stack of Linux components. The components within the cryptographic boundary comprising the module are listed as follows: • Red Hat Enterprise Linux 7 Libreswan Cryptographic Module with the version 7.0 of the Libreswan RPM file 3.25-4.1.el7_6. This consists of Pluto IKE Daemon application found at /usr/libexec/ipsec/pluto. • Fipscheck RPM package (version 1.4.1-6.el7), that includes fipscheck library and application. Fipscheck performs the integrity validation of the IKE Daemon (pluto binary) The following components which act as bound modules need to be installed for the Red Hat Enterprise Linux 7 Libreswan Cryptographic Module to operate: • The bound module Red Hat Enterprise Linux NSS Cryptographic Module version 6.0 with FIPS 140-2 Certificate #3270 (hereafter referred to as the “NSS module”) provides cryptographic algorithms used by the IKE Daemon. The IKE Daemon uses the NSS module in accordance with the Security Rules stated in the NSS Cryptographic Module Security Policy. • The bound module Red Hat Enterprise Linux OpenSSL Cryptographic Module version 7.0 with FIPS 140-2 Certificate #3538 (hereafter referred to as the “OpenSSL module”) provides HMAC SHA-256 algorithm required by fipscheck application and library for integrity check. The updated Red Hat Enterprise Linux 7 Libreswan Cryptographic Module is as follows: • Consisting of the version rhel7.20190509 of the Libreswan RPM file 3.25-4.8.el7_6. This consists of Pluto IKE Daemon application found at /usr/libexec/ipsec/pluto. • Fipscheck RPM package (version 1.4.1-6.el7), that includes fipscheck library and application. Fipscheck performs the integrity validation of the IKE Daemon (pluto binary) The following components which act as bound modules need to be installed for the Red Hat Enterprise Linux 7 Libreswan Cryptographic Module to operate: • The bound module Red Hat Enterprise Linux 7 NSS Cryptographic Module version rhel7.20190606 with FIPS 140-2 Certificate #3860 (hereafter referred to as the “NSS module”) provides cryptographic algorithms used by the IKE Daemon. The IKE Daemon uses the NSS module in accordance with the Security Rules stated in the NSS Cryptographic Module Security Policy. • The bound module Red Hat Enterprise Linux 7 OpenSSL Cryptographic Module version rhel7.20190409 with FIPS 140-2 Certificate #3867 (hereafter referred to as the “OpenSSL module”) provides HMAC SHA-256 algorithm required by fipscheck application and library for integrity check. 2.2 FIPS 140-2 Validation For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone cryptographic module validated at security level 1. The table below shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard: ©2021 Red Hat®, Inc. / atsec information security corporation Page 5 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy FIPS 140-2 Section Security Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Table 1: Security Levels The module has been tested on the following platforms with and without PAA: Hardware Platform Processor Operating System Dell PowerEdge R630 Intel(R) Xeon(R) CPU E5 Red Hat Enterprise Linux 7 Table 2: Tested Platforms The physical boundary is the surface of the case of the target platform. The logical boundary is depicted in Figure 1: software block diagram. The module also includes algorithm implementations using Processor Algorithm Acceleration (PAA) functions provided by the different processors supported, as shown in the following table: Processor Processor Algorithm Acceleration (PAA) function Cryptographic Module implementation Intel Xeon E5 AES-NI AES Table 3: PAA function implementations 2.3 Modes of Operation The module only supports the FIPS approved mode, and it turns to FIPS approved mode after initialization and power-on self-tests succeed. The module verifies its integrity using a HMAC-SHA-256 digest operation and compares the value with the build time pre-computed value. If the digests match, the power-up self-tests are successful. The services available in FIPS mode can be found in section 4.2, Table 5. ©2021 Red Hat®, Inc. / atsec information security corporation Page 6 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 3 Cryptographic Module Ports and Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces through which applications request services are summarized in following table: Logical interface Description Data input IKE Network Port/Protocol, NSS Key Database file stored in /etc/ipsec.d/, whack socket input Data output IKE Network Port/Protocol, Linux Kernel (netlink/XFRM Interface) Control input IKE Network Port/Protocol, Configuration Files (/etc/ipsec.conf, /etc/ipsec.d/, /etc/ipsec.secrets), Linux Kernel (netlink/XFRM Interface), command line Status output IKE Network Port/Protocol, syslog, audit log Table 4: Logical Interfaces ©2021 Red Hat®, Inc. / atsec information security corporation Page 7 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 4 Roles, Services and Authentication 4.1 Roles The module supports the following roles: ⚫ User role: performs key derivation and negotiates IKE to establish security association. ⚫ Crypto Officer role: performs module installation and configuration, manages Pluto IKE Daemon, self tests and show status. The module is a Security Level 1 software-only cryptographic module and does not implement authentication. The User and Crypto Officer roles are implicitly assumed by the entity accessing the module services. The User role is assumed by the underlying server application that makes calls to the module on behalf of one or more external clients. 4.2 Services The module supports services available to users in the available roles. All services are described in detail in the user documentation. The following table shows the available services, the roles allowed (“CO” stands for Crypto Officer and “U” stands for User), the Critical Security Parameters (CSPs) involved and how they are accessed in the FIPS mode. “R” stands for Read permission, “W” stands for Write permission, and “Z” stands for Zeroization of the module. The Libreswan and the bound NSS module together provide the Diffie-Hellman and EC Diffie- Hellman key agreement. The Libreswan module only implements the KDF portion of the key agreement and the bound NSS module provides the shared secret computation. • Diffie-Hellman (Certs. #2024, #2026, #C1387 and #C1420 with CVL Certs. #C287 and #C1425, key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); • EC Diffie-Hellman (Certs. #2024, #2026, #C1387 and #C1420 with CVL Certs. #C287 and #C1425, key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); Service Algo(s). CAVS Cert(s) for Libreswan version 7.0 CAVS Cert(s) for Libreswan version rhel7.201905 09 Role CSPs Access Provided by libreswan: Install and Configure the module N/A N/A N/A CO RSA private keys, pre- shared keys R, W, Z Manage Pluto IKE Daemon start, stop, etc. Commands N/A N/A CO Zeroize of CSPs, Keys R, Z Negotiate IKE to establish security associations (SAs) SP 800-135 Key Derivation Function (KDF) in Cert. #C287 Cert. #C1425 U RSA private keys, shared secret IKE SA encryption keys and integrity keys, R ©2021 Red Hat®, Inc. / atsec information security corporation Page 8 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy IKEv1 and IKEv2 IPsec SA encryption keys and integrity keys W Self tests N/A N/A N/A CO HMAC SHA-256 keys for integrity check R Show Status N/A N/A N/A CO None R Provided by OpenSSL: Service Algo(s). CAVS Cert(s) for OpenSSL version 7.0 CAVS Cert(s) for OpenSSL version rhel7.201904 09 Role CSPs Access HMAC integrity check HMAC- SHA256 Certs. #C297, #C302, #C303, #C304, #C316, #C321, #C327, #C328, #C329, #C336 Certs. #C1378, #C1379, #C1380, #C1381, #C1382, #C1383, #C1384, #C1385, #C1386, #C1419 CO N/A R, W Provided by the NSS module: Service Algo(s). CAVS Cert(s) for NSS version 6.0 CAVS Cert(s) for NSS version rhel7.201906 06 Role CSPs Access IKE protocol cryptographic algorithms AES Certs. #5600, #5601, #5602, #5603 Certs. #C1387, #C1388, #C1420, #C1421 U AES 128, 192 and 256 bits keys R, W Triple-DES Certs. #2816, #2817 Certs. #C1387, #C1420 U Three-key Triple-DES 168 bits keys R, W ECDSA Certs. #1514, #1515 Certs. #C1387, #C1420 U ECDSA keys based on P- 256, P-384 and P-521 curves R, W RSA Certs. #3012, #3013 Certs. #C1387, #C1420 U For certificate based RSA: 3072 bits keys For raw RSA keys: 3072 keys R, W SHS Certs. #4498, #4499 Certs. #C1387, U N/A R, W ©2021 Red Hat®, Inc. / atsec information security corporation Page 9 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy #C1420 HMAC Certs. #3734, #3735 Certs. #C1387, #C1420 U At least 112 bits HMAC keys R, W DRBG Certs. #2245, #2246 Certs. #C1387, #C1420 U Entropy input string, seed, V and C values R, W Table 5: Services available in FIPS mode Note: The CAVS certificates from the bound modules include additional algorithms/modes but only a subset of it which is listed in Table 5 is used by the Libreswan module. Non-Approved but allowed algorithms Keys/CSPs Note Diffie-Hellman Diffie-Hellman public and private components with size between 2048 bits and 15360 bits Not validated by CAVP, but allowed in FIPS mode according to IG D.8 EC Diffie-Hellman EC Diffie-Hellman public and private components based on P-256, P-384 and P-521 curves Not validated by CAVP, but allowed in FIPS mode according to IG D.8 RSA (key wrapping) RSA keys with size between 3072 bits and 15360 bits or more; key establishment methodology provides between 112 and 256 bits of encryption strength Not compliant with NIST SP 800-56B, but allowed in FIPS mode according to IG D.9 NDRNG provides at least 112 bits of entropy N/A Table 6: Non-approved but allowed algorithms available in FIPS mode (provided by the bound NSS module) Usage Non-Approved algorithm Signature generation and verification RSA signature generation with key size not equal to 3072 bits; RSA signature verification with key size not equal to 3072 bits Message digest MD5 Message Authentication Code XCBC Key management Diffie-Hellman key agreement with key size less than 2048 bits RSA key wrapping (encrypt, decrypt) with key size less than 3072 bits Table 7: Non-approved algorithms (provided by the bound NSS module) Note: From the Libreswan module only the SP 800-135 Key Derivation Function has been validated by CAVP. ©2021 Red Hat®, Inc. / atsec information security corporation Page 10 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 4.3 Authentication The module is a Security Level 1 software-only cryptographic module and does not implement authentication. The role is implicitly assumed based on the service requested. ©2021 Red Hat®, Inc. / atsec information security corporation Page 11 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 5 Physical Security The module is comprised of software only and thus does not claim any physical security. ©2021 Red Hat®, Inc. / atsec information security corporation Page 12 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 6 Operational Environment This module operates in a modifiable operational environment per the FIPS 140-2 definition. 6.1 Applicability The module operates in a modifiable operational environment per FIPS 140-2 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in section 2.2. The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to: • Red Hat Enterprise Linux Atomic Host • Red Hat Virtualization (RHV) • Red Hat OpenStack Platform • OpenShift Container Platform • Red Hat Gluster Storage • Red Hat Ceph Storage • Red Hat CloudForms • Red Hat Satellite. Compliance is maintained for these products whenever the binary is found unchanged. The module operates in a modifiable operational environment per FIPS 140-2 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in section 1.1. 6.2 Policy The operating system is restricted to a single operator (concurrent operators are explicitly excluded). The application that request cryptographic services is the single user of the module, even when the application is serving multiple clients. In FIPS Approved mode, the ptrace(2) system call, the debugger (gdb(1)), and strace(1) shall be not used. ©2021 Red Hat®, Inc. / atsec information security corporation Page 13 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 7 Cryptographic Key Management The application that uses the module is responsible for appropriate destruction and zeroization of the key material. The library provides functions for key allocation and destruction, which overwrites the memory that is occupied by the key information with “zeros” before it is deallocated. 7.1 Random Number Generation and CSPs management The module does not implement any random number generator nor provides key generation. The module only provides key derivation through the implementation of the SP 800-135 KDF. The table below lists the CSPs/keys used by the module: Keys/CSPs Type Key Generation Key Storage Key Entry/Outp ut Key Zeroization RSA 3072 bits private keys RSA keys used for authentication N/A Ephemeral (peer’s key) Persistent (module key pair) N/A N/A Pre-shared keys shared secret used as input to KDF for IKEv1 and peer authentication for IKEv1 and IKEv2 N/A External to the module Loaded on startup Zeroized and freed on shutdown Post-Quantum Pre- shared key shared secret used as input to KDF for IKEv2 according to draft- ietf-ipsecme-qr- ikev2 N/A External to the module Loaded on startup Zeroized and freed on shutdown Shared secret according to the IKE protocol Shared secret established by Diffie-Hellman key agreement N/A Ephemeral IKE Network Port/Protocol Close of IKE SA or termination of Pluto IKE Daemon zeroizes the CSP IKE SA Tunnel Encryption Keys AES 128, 192, and 256 bits or Triple- DES 168 bits keys N/A (derived from shared secret by using KDF) Ephemeral N/A Close of IKE SA or termination of Pluto IKE Daemon zeroizes the CSP IKE SA Tunnel Integrity Keys HMAC keys with at least 112 bits N/A (derived from shared secret by using KDF) Ephemeral N/A Close of IKE SA or termination of Pluto IKE Daemon zeroizes the CSP IPsec SA Tunnel Encryption Keys AES 128, 192, and 256 bits or Triple- DES 168 bits keys N/A (derived from shared secret by using KDF) Ephemeral N/A Zeroized from the module's memory when passed to the kernel after establishment of the SA ©2021 Red Hat®, Inc. / atsec information security corporation Page 14 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy IPsec SA Tunnel Integrity Keys HMAC keys with at least 112 bits N/A (derived from shared secret by using KDF) Ephemeral N/A Zeroized from the module's memory when passed to the kernel after establishment of the SA Table 8: Keys/CSPs Notes: The RSA private keys are encrypted by the NSS module. When an operation requires a private key, the first pointer or handle to the private key is obtained using the public key and CKA_ID (key ID). Only during the operation, private keys are decrypted and the operation is performed. After the operation, the memory pointing to the private key is zeroized by the NSS module. 7.2 Key / CSP Storage Public and private keys are provided to the module by the calling process, and are destroyed when released by the appropriate IKE Network Port/Protocol. The module does not perform persistent storage of keys. 7.3 Key / CSP Zeroization For volatile memory, memset is included in deallocation operations. There are no restrictions when zeroizing any cryptographic keys and CSPs. ©2021 Red Hat®, Inc. / atsec information security corporation Page 15 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) MARKETING NAME.......................... PowerEdge R630 REGULATORY MODEL..................... E26S REGULATORY TYPE......................... E26S001 EFFECTIVE DATE............................. September 03, 2014 EMC EMISSIONS CLASS.................. Class A ©2021 Red Hat®, Inc. / atsec information security corporation Page 16 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 9 Self Tests 9.1 Power-Up Tests The module performs power-up tests at module initialization which includes the software integrity test to ensure that the module is not corrupted. The self-tests are triggered automatically without any user intervention. While the module is performing the power-up tests, services are not available and input or output is not possible: the module is single-threaded and will not return to the calling application until the self-tests are completed successfully. 9.1.1 Integrity Tests The integrity check is performed by the fipscheck application using the HMAC-SHA-256 algorithm implemented by the OpenSSL module. The OpenSSL module computes an HMAC SHA-256 value for the fipscheck utility, as well as the /usr/libexec/ipsec/pluto binary implementing the IKE protocol. The integrity verification is performed as follows: The Libreswan application links with the library libfipscheck.so which is intended to execute fipscheck application to verify the integrity of the Libreswan application file using the HMAC- SHA-256. Upon calling the FIPSCHECK_verify() function provided with libfipscheck.so, the fipscheck application is loaded and executed, and the following steps are performed: 1. fipscheck loads the OpenSSL module, which performs its own integrity check using the HMAC SHA-256 algorithm 2. fipscheck performs the integrity check of its own application file using the HMAC SHA- 256 algorithm provided by the OpenSSL module 3. fipscheck automatically verifies the integrity of libfipscheck.so library before processing requests of calling applications 4. The fipscheck application performs the integrity check of the /usr/libexec/ipsec/pluto binary file as follows: the fipscheck application computes the HMAC SHA-256 checksum of the file from the command line and compares the computed value to the value stored inside the /usr/lib64/fipscheck/pluto.hmac checksum file. The fipscheck application returns the appropriate exit value based on the comparison result: zero if the checksum is OK, which is enforced by the libfipscheck.so library. Otherwise, an error code will be shown, which puts the module into the error state. 5. Libreswan also performs additional power-on self-tests that are not relevant to tis FIPS validation, which we document here for completeness: Libreswan performs a few more algorithm checks during power-on. These tests mostly come from RFC test vectors and from NIST test vectors. For example, AES-CBC and AES-GCM are tested during power-on with a KAT. Note that the NSS bound module already performs these tests when it powers-on, so these tests are redundant for the purpose of this FIPS validation. If any of the above steps fails, an error code (a non-zero value) will be returned and the module enters the error state. In Error state, all output is inhibited and no cryptographic operation is allowed. The Module needs to be reinitialized in order to recover from the Error state. The power-up self tests can be performed on demand by reinitializing the Module. 9.1.2 Cryptographic Algorithm Tests The power-up self tests for the SP 800-135 KDF are covered by the CAVP certificate received for this algorithm documented in Table 5: Services available in FIPS mode. ©2021 Red Hat®, Inc. / atsec information security corporation Page 17 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy All other cryptographic algorithm self-tests are implemented in the NSS bound module. If any of the self-tests fail, Libreswan enters the Error state. In the Error state, all outputs are inhibited and no cryptographic operation is allowed. ©2021 Red Hat®, Inc. / atsec information security corporation Page 18 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 10 Guidance The following guidance items are to be used for assistance in maintaining the module's validated status while in use. 10.1 Crypto Officer Guidance NOTE: All cryptographic functions for the Red Hat Enterprise Linux 7 Libreswan Cryptographic Module will be provided by a copy of a FIPS 140-2 validated version of the NSS module. The OpenSSL module is used to perform integrity verification. • Configure Pluto as specified in ipsec.conf(5), and ipsec.secrets(5) man pages, as well as the file README.nss provided by the RPM package: libreswan-3.25-4.1.el7_6 and libreswan-3.25-4.8.el7_6. • To start and stop the module, use the (service ipsec) command. • ikelifetime should not be larger than 1 hour. • salifetime should not be larger than 1 hour. • Galois Counter Mode (GCM) and Counter with Cipher Block Chaining Message Authentication Code (CCM) should be used with their full tag lengths. • Aggressive mode should not be used. • Stopping the module will zeroize the ephemeral CSPs and keys. • To check FIPS 140-2 module status, use: # ipsec status | grep fips 000 fips mode=disabled; Note: do not use # ipsec barf for checking the FIPS status of the module • The version of the RPM containing the validated module is stated in section 2.1 above. The integrity of the RPM is automatically verified during the installation and the Crypto officer shall not install the RPM file if the RPM tool indicates an integrity error. • When zeroizing the module, the crypto officer is responsible for using a FIPS140-2 approved mechanism to clear the keys written on disk. • The database for the cryptographic keys used by the pluto daemon must be initialized after it has been created as documented in the README.nss documentation with the following command, assuming that the database is stored in the directory /etc/ipsec.d/ ◦ modutil -fips true -dbdir /etc/ipsec.d NOTE: Encryption and decryption of data is done implicitly when the pluto daemon is asked to set up a new Security Association. For proper operation of the in-module integrity verification, the prelink has to be disabled. For this purpose, Libreswan installs a libreswan-prelink.conf file in %{_sysconfdir}/prelink.conf.d/ that instructs prelink to skip /usr/libexec/ipsec. To bring the module into FIPS mode, perform the following: 1. Install the dracut-fips package: # yum install dracut-fips 2. Recreate the INITRAMFS image (note: this step only regenerates the initrd file for the currently running kernel): # dracut -f After regenerating the initrd, the crypto officer must check and append, if necessary, the following string to the kernel command line by changing the setting in the boot loader: fips=1 ©2021 Red Hat®, Inc. / atsec information security corporation Page 19 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy If /boot or /boot/efi resides on a separate partition, the kernel parameter boot= must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example: $ df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 233191 30454 190296 14% /boot The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended to the kernel command line: "boot=/dev/sda1" This operation ensures proper operation in the Approved mode. If the flag in /proc/sys/crypto/fips_enabled is different than 1, the operation of the machine must be halted, the flag must be set to 1, and the machine must be rebooted. The module must not operate if the flag is set incorrectly, i.e., different than 1. Reboot to apply these settings. 10.1.1 Configuration Changes and FIPS Approved Mode Use caution whenever making configuration changes that could potentially prevent access to the /proc/sys/crypto/fips_enabled flag (fips=1) in the file/proc. If the module does not detect this flag during initialization, it does not enable the FIPS approved mode. All user space modules depend on this file for transitioning into FIPS approved mode. 10.2 User Guidance There is no User Guidance as the user role is assumed by the underlying server application that makes calls to the module on behalf of one or more external clients. 10.2.1 Use of Triple-DES The Red Hat Enterprise Linux 7 Libreswan Cryptographic Module makes use of Triple-DES keys from the bound Red Hat Enterprise Linux NSS Cryptographic Module and Red Hat Enterprise Linux 7 NSS Cryptographic Module. According to IG A.13, the same Triple-DES key shall not be used to encrypt more than 216 64- bit blocks of data. 10.3 Handling Self-Test Errors OpenSSL and NSS self-test failures and Libreswan power-up self-tests may prevent Libreswan from operating. See the Guidance section in the OpenSSL and NSS Security Policies for instructions on handling OpenSSL or NSS self test failures. Power-up self-test errors are non-fatal errors that transition the module into an error state. The application must be restarted or reinstalled to recover from these errors. Libreswan outputs NSS error codes that can be used to determine the cause of the errors. In the case of integrity test failure, Libreswan enters an error state and outputs the following error: FIPS integrity verification test failed. The only recovery from this type of failure is to reinstall the Libreswan module. If you downloaded the software, verify the package hash to confirm a proper download. ©2021 Red Hat®, Inc. / atsec information security corporation Page 20 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Appendix A Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CCM Counter with Cipher Block Chaining Message Authentication Code CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter DES Data Encryption Standard ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard TDES Triple DES ©2021 Red Hat®, Inc. / atsec information security corporation Page 21 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Appendix B References FIPS180-4 Secure Hash Standard (SHS) August 2015 https://csrc.nist.gov/publications/detail/fips/180/4/final FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/detail/fips/198/1/final PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56A Rev. 3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final SP800-56C Rev. 1 NIST Special Publication 800-56C Revision 1 - Recommendation for Key Derivation through Extraction-then-Expansion April 2018 https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final SP800-67 Rev. 2 NIST Special Publication 800-67 Revision 2 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher November 2017 https://csrc.nist.gov/publications/detail/sp/800-67/rev-2/final SP800-90B NIST Draft Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://csrc.nist.gov/publications/detail/sp/800-90b/final SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions October 2009 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131A Rev. 2 NIST Special Publication 800-131A Revision 2 - Transitions: Recommendation for Transitioning the Use of Cryptographic ©2021 Red Hat®, Inc. / atsec information security corporation Page 22 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 7 Libreswan Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Algorithms and Key Lengths March 2019 https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final ©2021 Red Hat®, Inc. / atsec information security corporation Page 23 of 23 This document can be reproduced and distributed only whole and intact, including this copyright notice.