Red Hat Enterprise Linux OpenSSH Client
Cryptographic Module
version 5.0 [1] and 6.0 [2]
FIPS 140-2 Non-Proprietary Security Policy
Version 1.3
Last update: 2018-02-19
Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 1 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
Table of Contents
1 Introduction..........................................................................................................................3
2 Cryptographic Module Specifcation.....................................................................................4
2.1 Module Overview..........................................................................................................4
2.2 FIPS 140-2 validation....................................................................................................5
2.3 Modes of Operations.....................................................................................................6
3 Cryptographic Module Ports and Interfaces..........................................................................8
4 Roles, Services and Authentication......................................................................................9
4.1 Roles.............................................................................................................................9
4.2 Services........................................................................................................................9
4.3 Authentication............................................................................................................10
5 Physical Security................................................................................................................11
6 Operational Environment...................................................................................................12
6.1 Applicability................................................................................................................12
6.2 Policy..........................................................................................................................12
7 Cryptographic Key Management........................................................................................13
7.1 Random Number Generation......................................................................................13
7.2 Key / CSP Storage.......................................................................................................13
7.3 Key / CSP Zeroization..................................................................................................14
8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)............................15
8.1 Statement of compliance............................................................................................15
9 Self-Tests............................................................................................................................16
9.1 Power-Up Self-Tests.....................................................................................................16
9.1.1 Integrity Tests....................................................................................................16
9.1.2 Cryptographic algorithm tests...........................................................................16
10 Guidance..........................................................................................................................17
10.1 Crypto Ofcer Guidance............................................................................................17
10.1.1 Confguration Changes and FIPS Approved Mode............................................18
10.1.2 OpenSSH Confguration...................................................................................18
10.2 User Guidance..........................................................................................................18
10.2.1 Handling Self-Test Errors..................................................................................18
Appendix A Glossary and Abbreviations................................................................................20
Appendix B References.........................................................................................................22
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 2 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
1 Introduction
This document is the non-proprietary Security Policy for the Red Hat Enterprise Linux
OpenSSH Client Cryptographic Module version 5.0 [1] and 6.0 [2]. It contains the security
rules under which the module must operate and describes how this module meets the
requirements as specifed in FIPS PUB 140-2 (Federal Information Processing Standards
Publication 140-2) for a Security Level 1 module.
References followed by [1] refer to the OpenSSH module version 5.0. References followed by
[2] refer to the OpenSSH module version 6.0. References without any number are valid for
both modules. References are valid only for their respective module.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 3 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
2 Cryptographic Module Specifcation
2.1 Module Overview
The Red Hat Enterprise Linux OpenSSH Client Cryptographic Module version 5.0 [1] and 6.0
[2] (hereafter referred to as “the module”) is a software library implementing the
cryptographic support for the SSH protocol in the Red Hat Enterprise Linux user space.
The module is implemented as a set of binary fles.
Figure 1: Cryptographic Module Logical Boundary
The module is aimed to run on a general purpose computer; the physical boundary is the
surface of the case of the target platform, as shown in the diagram below:
Figure 2: Cryptographic Module Physical Boundary
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 4 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
The module will use the Red Hat Enterprise Linux OpenSSL Module (FIPS 140-2 Certifcate
#3016) as a bound module which provides the underlying cryptographic algorithms
necessary for establishing and maintaining the SSH session. In addition the integrity check
uses the cryptographic services provided by the Red Hat Enterprise Linux OpenSSL Module as
used by the utility application of fpscheck using the HMAC-SHA-256 algorithm.
This requires a copy of a Cert. #3016 validated version of the Red Hat Enterprise Linux
OpenSSL Module to be installed on the system for the current module to operate.
The cryptographic module combines a vertical stack of Linux components intended to limit
the external interface each separate component may provide. The following software need to
be installed for the module to operate:
• Red Hat Enterprise Linux OpenSSH Client Cryptographic Module with the version of the
OpenSSH Client RPM fle 7.4p1-11.el7 [1] and 7.4p1-16.el7 [2]
• The bound module of OpenSSL with FIPS 140-2 Certifcate #3016
• The contents of the fpscheck RPM package (version 1.4.1-6.el7)
• The contents of the fpscheck-lib RPM package (version 1.4.1-6.el7).
The OpenSSH client RPM package of the Module includes the binary fles, integrity check
HMAC fles and Man Pages. Any application other than the OpenSSH client application
(/usr/bin/ssh) delivered with the aforementioned OpenSSH RPM package is not part of the
Module. The FIPS certifcate for this module does not apply to these other applications.
The fles comprising the module are the following:
• /usr/sbin/ssh
• /usr/bin/fpscheck
• /usr/lib64/fpscheck/ssh.hmac
• /usr/lib64/fpscheck/fpscheck.hmac
• /usr/lib64/fpscheck/libfpscheck.so.1.2.1.hmac
• /usr/lib64/libfpscheck.so.1.2.1
2.2 FIPS 140-2 validation
For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip
standalone cryptographic module validated at Security Level 1. The table below shows the
security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard:
FIPS 140-2 Section Security
Level
1 Cryptographic Module Specifcation 1
2 Cryptographic Module Ports and Interfaces 1
3 Roles, Services and Authentication 1
4 Finite State Model 1
5 Physical Security N/A
6 Operational Environment 1
7 Cryptographic Key Management 1
8 EMI/EMC 1
9 Self Tests 1
10 Design Assurance 1
11 Mitigation of Other Attacks N/A
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 5 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
Table 1: Security Levels
The module has been tested on the following platforms with the following confguration:
Construct
or
Hardware Processor Operating System
Dell PowerEdge R630 Intel(R) Xeon(R) CPU E5-2640 v3 Red Hat Enterprise Linux 7.4 [1]
Red Hat Enterprise Linux 7.5 [2]
Table 2: Tested Platforms
The physical boundary is the surface of the case of the target platform. The logical boundary
is depicted in Figure 1: Cryptographic Module Logical Boundary.
The bound OpenSSL module also includes algorithm implementations using Processor
Algorithm Acceleration (PAA) functions provided by the processors.
2.3 Modes of Operations
The module supports two modes of operation: FIPS approved and non-approved modes.
The Module verifes the integrity of the runtime executable using a HMAC-SHA-256 digest
operation and compares the value with the build time pre-computed value. If the digests
match, the power-up self-tests are then performed. If the power-up self-tests are successful,
the Module turns to the FIPS Approved mode.
The following table shows algorithms available in FIPS mode and the services are listed in
section 4.2, Table 6.
The OpenSSH and the bound OpenSSL module together provide the Dife Hellman and EC
Dife Hellman key agreement. The OpenSSH module only implements the KDF portion of the
key agreement and the bound OpenSSL module provides the shared secret computation.
• Dife-Hellman (C L Certs. #1298, #1312, #1318, #1320, #1687, #1689, #1693 and
#1700 with C L Certs. #1361 and #1718, key agreement; key establishment
methodology provides 112 or 128 bits of encryption strength);
• EC Dife-Hellman (C L Certs. #1298, #1312, #1318, #1320, #1687, #1689, #1693 and
#1700 with C L Certs. #1361 and #1718, key agreement; key establishment
methodology provides between 112 and 256 bits of encryption strength);
Algorithm CAVS Certifcate
(version 5.0 [1])
CAVS Certifcate
(version 6.0 [2])
Provided by OpenSSH Module
SP 800-135 SSH KDF C L Certs. #1361 C L Cert. #1718
Provided by bound OpenSSL Module
AES (CBC, CTR) Certs. #4644, #4664, #4666,
#4667, #4695, #4696, #4697,
#4698, #4699 and #4700
Certs. #5203, #5204, #5205,
#5207, #5208, #5209, #5210,
#5211, #5212, #5227
Triple-DES (CBC) Certs. #2471, #2481, #2483 and
#2484
Certs. #2638, #2639, #2641,
#2642
HMAC Certs. #3076, #3088, #3090,
#3091, #3107, #3108, #3109,
#3110, #3111 and #3112
Certs. #3445, #3446, #3447,
#3449, #3450, #3451, #3452,
#3453, #3454, #3459
SHA Certs. #3807, #3821, #3823,
#3824, #3842, #3843, #3844,
#3845, #3846 and #3847
Certs. #4193, #4194, #4195,
#4197, #4198, #4199, #4200,
#4201, #4202, #4207
RSA Certs. #2535, #2544, #2546 and
#2547
Certs. #2786, #2787, #2789,
#2792
ECDSA Certs. #1144, #1148, #1150 and
#1151
Certs. #1347, #1348, #1350,
#1353
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 6 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
Algorithm CAVS Certifcate
(version 5.0 [1])
CAVS Certifcate
(version 6.0 [2])
SP 800-56A DLC primitive Dife-
Hellman
C L Certs. #1298, #1312,
#1318 and #1320
C L Certs. #1687, #1689,
#1693, #1700
SP 800-56A DLC primitive EC
Dife-Hellman
C L Certs. #1298, #1312,
#1318 and #1320
C L Certs. #1687, #1689,
#1693, #1700
DRBG Certs. #1567, #1576, #1578,
#1579, #1593, #1594, #1595,
#1596, #1597 and #1598
Certs. #1975, #1976, #1977,
#1979, #1980, #1981, #1982,
#1983, #1984, #1993
NDRNG Non-approved but allowed used
for seeding DRBG
Non-approved but allowed used
for seeding DRBG
Table 3: Approved or Allowed Algorithms
The following table lists the non-approved algorithms, use of any of these algorithm will put
the module in non FIPS mode.
Algorithm Notes
RSA Using Keys less than 2048 bit
DSA Using Keys less than 2048 bit
Table 4: Non Approved Algorithms from bound OpenSSL module
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 7 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
3 Cryptographic Module Ports and Interfaces
As a software-only module, the module does not have physical ports. For the purpose of the
FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the
hardware platform on which it runs.
The following table summarizes the four logical interfaces:
Logical
interfaces
Description Physical ports mapping the
logical interfaces
Command In Invocation of the ssh command on
the command line or via the
confguration fle /etc/ssh/sshcconfg
and ~./.ssh/confg
Environment variable
SSHcUSEcSTRONGcRNG
Keyboard, Ethernet port
Status Out Status messages returned after the
command execution
Display, Ethernet port
Data In Input parameters of the ssh
command on the command line with
confguration fle
~/.ssh/knownchosts,
/etc/ssh/sshcknownchosts, key fles
~/.ssh/idcecdsa*, ~/.ssh/idcrsa*,
data via SSHv2 channel, data via
local or remote port-forwarding port,
data via TUN device
Keyboard, Ethernet port
Data Out Output data returned by the ssh
command
Display, Ethernet port
Table 5: Ports and Logical Interfaces
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 8 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
4 Roles, Services and Authentication
4.1 Roles
The module supports the following roles:
⚫ User role: performs Key Derivation Function, Establish & Maintain SSH Session, Close
SSH Session and Show Status
⚫ Crypto Ofcer role: performs module installation and confguration, perform the
selftests and terminate SSH Application
The User and Crypto Ofcer roles are implicitly assumed by the entity accessing the module
services.
4.2 Services
The module supports services available to users in the available roles. All services are
described in detail in the user documentation.
The following table shows the available services, the roles allowed, the Critical Security
Parameters (CSPs) involved and how they are accessed in the FIPS mode.
'R' stands for Read permission, 'W' stands for write permission and 'EX' stands for executable
permission of the module:
Service Algo(s). Note(s) / Mode(s) Role CSPs Access
Establish &
Maintain
SSH
Session
SP 800-135 Key
Derivation
Function in the
SSH protocol
version 2
N/A User RSA or ECDSA client
private key
Dife-Hellman or EC
Dife-Hellman
shared secret,
derived keys
Derived session
encryption keys and
derived data
authentication
(HMAC) keys
R, W, EX
Close SSH
Session
N/A Zeroize User Derived session
encryption key and
derived data
authentication
(HMAC) keys
Shared secret
W
Terminate
SSH
Application
N/A Zeroize Crypto
ofcer
Derived session
encryption key and
data authentication
(HMAC) keys
Shared secret
W
Self-Tests HMAC-SHA-256
(uses the
cryptographic
services provided
by the bound
OpenSSL
module)
Integrity test invoked by
restarting the module
Crypto
ofcer
HMAC integrity key R, EX
Show N/A ia verbose mode and User N/A R, EX
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 9 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
Service Algo(s). Note(s) / Mode(s) Role CSPs Access
Status exit codes
Confgure
SSH Client
N/A N/A Crypto
ofcer
N/A R, EX
Installation N/A N/A Crypto
ofcer
N/A R, EX
Table 6: Available Cryptographic Module's Services in FIPS mode
Note: The SSH protocol has not been reviewed or tested by the CAVP and CMVP.
Only the SP 800-135 Key Derivation Function has been validated by CAVP.
Service Algo(s). Note(s) Role CSPs Access
Establish &
Maintain
SSH
Session
SP 800-135 Key
Derivation
Function in the
SSH protocol
version 2
N/A User Using RSA key listed
Table 4.
R, W, EX
Table 7: Available Cryptographic Module's services in Non-FIPS mode
4.3 Authentication
The module is a Security Level 1 software-only cryptographic module and does not implement
authentication. The role is implicitly assumed based on the service requested.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 10 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
5 Physical Security
The module is comprised of software only and thus does not claim any physical security.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 11 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
6 Operational Environment
6.1 Applicability
The module operates in a modifable operational environment per FIPS 140-2 Security Level 1
specifcations. The module runs on a commercially available general-purpose operating
system executing on the hardware specifed in section 2.2.
The Red Hat Enterprise Linux operating system is used as the basis of other products which
include but are not limited to:
• Red Hat Enterprise Linux Atomic Host
• Red Hat irtualization (RH )
• Red Hat OpenStack Platform
• OpenShift Container Platform
• Red Hat Gluster Storage
• Red Hat Ceph Storage
• Red Hat CloudForms
• Red Hat Satellite.
Compliance is maintained for these products whenever the binary is found unchanged.
6.2 Policy
The operating system is restricted to a single operator (concurrent operators are explicitly
excluded). The application that requests cryptographic services is the single user of the
module, even when the application is serving multiple clients.
In operational mode, the ptrace(2) system call, the debugger (gdb(1)), and strace(1) shall be
not used.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 12 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
7 Cryptographic Key Management
7.1 Random Number Generation
The module does not implement any random number generator nor provides key generation.
The module only provides key derivation through the implementation of the SP 800-135 KDF.
The module calls the bound OpenSSL module to obtain the shared secret which will be used
during the SSHv2 protocol initial handshake. The module derives keys from this shared secret
through the SP 800-135 KDF implementation. When the module requests
encryption/decryption services provided by the OpenSSL bound module, the resulting derived
symmetric key (i.e. the output of the SP 800-135 KDF) will be passed to the OpenSSL bound
module via API parameters.
Here are listed the CSPs/keys details concerning storage, input, output, generation and
zeroization:
Type Keys/CSPs Key Generation Key Storage Key Entry/Output Key Zeroization
Session
Encryption
Keys
Shared
secret
(2048 bits
or larger for
Dife-
Hellman; P-
256, P-384,
P-521 for
EC Dife-
Hellman)
N/A Module's
memory
Entry via API
parameters
Output: N/A
Zeroized by the
ssh application
Derived
keys
(AES
128/192/25
6-bit keys;
Triple-DES
168-bit
keys; HMAC
keys larger
than 112
bits)
N/A
(Derived from the
shared secret
through the SP
800-135 KDF)
Module's
memory
Entry: N/A
Output via API
parameters
Zeroized by the
ssh application
Client
Private
Keys
RSA private
keys
(2048/3072
/4096-bit
keys)
N/A Module's
memory
ia API parameters Zeroized by the
ssh application
ECDSA
private
keys
(P-256, P-
384, P-521
keys)
N/A Module's
memory
ia API parameters Zeroized by the
ssh application
Software
Integrity
Key
HMAC Key
(128-bit
key)
N/A Module's
binary fle
N/A N/A
Table 8: Keys/CSPs
7.2 Key / CSP Storage
The module does not perform persistent storage of keys. The keys and CSPs are temporarily
stored as plaintext in the RAM.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 13 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
The persistently stored public keys that are associated with a client username via the use of
the fle ~/.ssh/keys which is stored for each user individually in its home directory. This fle is
however not part of the module.
7.3 Key / CSP Zeroization
The destruction functions overwrite the memory occupied by keys with pre-defned values
and deallocates the memory with the free() call. In case of abnormal termination, or swap
in/out of a physical memory page of a process, the keys in physical memory are overwritten
before the physical memory is allocated to another process.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 14 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
8 Electromagnetic Interference/Electromagnetic
Compatibility (EMI/EMC)
MARKETING NAME......................….PowerEdge R630
REGULATORY MODEL................…..E26S
REGULATORY TYPE.....................….E26S001
EFFECTI E DATE..........................…September 03, 2014
EMC EMISSIONS CLASS...............…Class A
8.1 Statement of compliance
This product has been determined to be compliant with the applicable standards, regulations,
and directives for the countries where the product is marketed. The product is afxed with
regulatory marking and text as necessary for the country/agency. Generally, Information
Technology Equipment (ITE) product compliance is based on IEC and CISPR standards and
their national equivalent such as Product Safety, IEC 60950-1 and European Norm EN 60950-1
or EMC, CISPR 22/CISPR 24 and EN 55022/55024. Dell products have been verifed to comply
with the EU RoHS Directive 2011/65/EU. Dell products do not contain any of the restricted
substances in concentrations and applications not permitted by the RoHS Directive.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 15 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
9 Self-Tests
9.1 Power-Up Self-Tests
The module performs power-up self-tests at module initialization to ensure that the module is
not corrupted. The self-tests are automatically triggered without any user intervention.
While the module is performing the power-up tests, services are not available, and input or
output data is not possible: the module is single-threaded and will not return to the calling
application until the self-tests are completed successfully.
9.1.1 Integrity Tests
The integrity check is performed by the fpscheck application using the HMAC-SHA-256
algorithm implemented by the bound Red Hat Enterprise Linux OpenSSL Module.
When the OpenSSH module starts, it triggers the power-on self-tests, including the software
integrity test. The software integrity test, using the HMAC-SHA-256 algorithm, constitutes a
known answer test for the HMAC-SHA-256 algorithm.
The user space integrity verifcation is performed as follows: the OpenSSH Client application
links with the library libfpscheck.so which is intended to execute fpscheck to verify the
integrity of the OpenSSH Client application fle using the HMAC-SHA-256 algorithm. Upon
calling the FIPSCHECKcverify() function provided with libfpscheck.so, fpscheck is loaded and
executed, and the following steps are performed:
1. OpenSSL, loaded by fpscheck, performs the integrity check of the OpenSSL library
fles using the HMAC-SHA-256 algorithm
2. fpscheck performs the integrity check of its application fle using the HMAC-SHA-256
algorithm provided by the OpenSSL Module
3. fpscheck automatically verifes the integrity of libfpscheck.so before processing
requests of calling applications
4. The fpscheck application performs the integrity check of the OpenSSH Client
application fle. The fpscheck computes the HMAC-SHA-256 checksum of that and
compares the computed value with the value stored inside the
/usr/lib64/fpscheck/<applicationflename>.hmac checksum fle. The fpscheck
application returns the appropriate exit value based on the comparison result: zero if
the checksum is OK, an error code otherwise (which brings the OpenSSH Module into
the error state). The libfpscheck.so library reports the result to the OpenSSH Client
application.
If any of those steps fail, an error code is returned and the OpenSSH Module enters the error
state.
9.1.2 Cryptographic algorithm tests
The power-up self tests for the SP 800-135 KDF is covered by the SHS Known-Answer-Tests
performed by the bound Red Hat Enterprise Linux OpenSSL Module.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 16 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
10 Guidance
The following guidance items are to be used for assistance in maintaining the module's
validated status while in use.
10.1 Crypto Ofcer Guidance
The version of the RPMs containing the FIPS validated Module is stated in section 2.1 above.
The Red Hat Enterprise Linux OpenSSL Module referenced in section 2.1 must be installed
according to its Security Policy.
The RPM package of the Module can be installed by standard tools recommended for the
installation of RPM packages on a Red Hat Enterprise Linux system (for example, yum, rpm,
and the RHN remote management tool).
For proper operation of the in-module integrity verifcation, the prelink has to be disabled.
1 Disable the prelink:
# sed -i 's/PRELINKING=yes/PRELINKING=no/g' /etc/sysconfig/prelink
2 Run following command to return binaries to a non-prelink state:
# /usr/sbin/prelink -ua
Only the cipher types listed in section 1.2 are allowed to be used.
Crypto ofcer should perform the following steps for Module initialization:
1. Install the dracut-fps package:
# yum install dracut-fips
2. Recreate the INITRAMFS image:
# dracut -f
After regenerating the initramfs, the Crypto Ofcer has to append the following string to the
kernel command line by changing the setting in the boot loader:
fips=1
If /boot or /boot/ef resides on a separate partition, the kernel parameter boot=<partition
of /boot or /boot/ef> must be supplied. The partition can be identifed with the command
"df /boot"
or
"df /boot/efi"
respectively. For example:
$ df /boot
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 233191 30454 190296 14% /boot
The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string
needs to be appended to the kernel command line:
"boot=/dev/sda1"
Reboot to apply these settings.
The next step is to check the presence of the confguration fle /proc/sys/crypto/fpscenabled
and make sure it contains value 1.
The version of the RPM containing the validated Module is the version listed in chapter 2.1.
The integrity of the RPM is automatically verifed during the installation of the Module and the
Crypto Ofcer shall not install the RPM fle if the RPM tool indicates an integrity error.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 17 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
10.1.1 Confguration Changes and FIPS Approved Mode
Use care whenever making confguration changes that could potentially prevent access to the
/proc/sys/crypto/fpscenabled fag (fps=1) in the fle/proc. If the module does not detect this
fag during initialization, the module is not setup to operate FIPS compatible mode.
All user space modules depend on this fle for running in FIPS compatible mode.
10.1.2 OpenSSH Confguration
The user must not use DSA keys for performing key-based authentication as OpenSSH only
allows DSA keys with 1024 bit size which are disallowed as per SP800-131A.
The user must not accept DSA host keys potentially ofered during the frst contact of an SSH
server as OpenSSH only allows DSA keys with 1024 bit size which are disallowed as per
SP800- 131A.
When re-generating RSA host keys, the crypto ofcer should generate RSA keys with a size of
2048 bit or higher according to [SP800-131A]. The crypto ofcer should inform the user base
to not use RSA keys with key sizes smaller than 2048 bits.
In FIPS 140-2 mode, the module enforces the following restrictions. When these restrictions
are violated by confguration options or command line options, the module will not be in the
FIPS mode of oepration:
• SSH protocol version 1 is not allowed
• GSSAPI is not allowed
• Only the following ciphers are allowed:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-cbc
• aes192-cbc
• aes256-cbc
• 3des-cbc
• rijndael-cbc@lysator.liu.se
Only the following message authentication codes are allowed:
• hmac-sha1
• hmac-sha2-256
• hmac-sha2-512
• hmac-sha1-etm@openssh.com
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512-etm@openssh.com
10.2 User Guidance
See the ssh(1) man page for general usage documentation of the ssh client.
When connecting to a previously unknown server, the user will be prompted to verify a
fngerprint of the server's public key. This must be done by consulting a trusted source.
10.2.1 Handling Self-Test Errors
OpenSSL's self tests failures may prevent OpenSSH from operating. See the Guidance section
in the OpenSSL Security Policy for instructions on handling OpenSSL self test failures.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 18 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
The OpenSSH self test consists of the software integrity test. If the integrity test fails,
OpenSSH enters an error state. The only recovery from this type of failure is to reinstall the
OpenSSH module.
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 19 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
Appendix A Glossary and Abbreviations
AES Advanced Encryption Standard
AES-NI Advanced Encryption Standard New Instructions
CA P Cryptographic Algorithm alidation Program
CBC Cipher Block Chaining
CCM Counter with Cipher Block Chaining Message Authentication Code
CFB Cipher Feedback
CMAC Cipher-based Message Authentication Code
CMT Cryptographic Module Testing
CM P Cryptographic Module alidation Program
CSP Critical Security Parameter
CTR Counter Mode
C T Component erifcation Testing
DES Data Encryption Standard
DFT Derivation Function Test
DSA Digital Signature Algorithm
DRBG Deterministic Random Bit Generator
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
FFC Finite Field Cryptography
FIPS Federal Information Processing Standards Publication
FSM Finite State Model
GCM Galois Counter Mode
HMAC Hash Message Authentication Code
ICM Integer Counter Mode
KAS Key Agreement Schema
KAT Known Answer Test
MAC Message Authentication Code
NDF No Derivation Function
NIST National Institute of Science and Technology
NDRNG Non-Deterministic Random Number Generator
OFB Output Feedback
O/S Operating System
PAA Processor Algorithm Acceleration
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 20 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
PR Prediction Resistance
PSS Probabilistic Signature Scheme
RNG Random Number Generator
RSA Rivest, Shamir, Addleman
SHA Secure Hash Algorithm
SHS Secure Hash Standard
SSH Secure Shell
TDES Triple DES
UI User Interface
XTS XEX-based Tweaked-codebook mode with ciphertext Stealing
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 21 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
Appendix B References
FIPS180-4 Secure Hash Standard (SHS)
March 2012
http://csrc.nist.gov/publications/fps/fps180-4/fps 180-4.pdf
FIPS186-4 Digital Signature Standard (DSS)
July 2013
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS197 Advanced Encryption Standard
November 2001
http://csrc.nist.gov/publications/fps/fps197/fps-197.pdf
FIPS198-1 The Keyed Hash Message Authentication Code (HMAC)
July 2008
http://csrc.nist.gov/publications/fps/fps198 1/FIPS-198 1cfnal.pdf
PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifcations ersion 2.1
February 2003
http://www.ietf.org/rfc/rfc3447.txt
RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm
September 2002
http://www.ietf.org/rfc/rfc3394.txt
RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding
Algorithm
September 2009
http://www.ietf.org/rfc/rfc5649.txt
SP800-38A NIST Special Publication 800-38A - Recommendation for Block
Cipher Modes of Operation Methods and Techniques
December 2001
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP800-38B NIST Special Publication 800-38B - Recommendation for Block
Cipher Modes of Operation: The CMAC Mode for Authentication
May 2005
http://csrc.nist.gov/publications/nistpubs/800-38B/SPc800-38B.pdf
SP800-38C NIST Special Publication 800-38C - Recommendation for Block
Cipher Modes of Operation: the CCM Mode for Authentication and
Confdentiality
May 2004
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38Ccupdated
July20c2007.pdf
SP800-38D NIST Special Publication 800-38D - Recommendation for Block
Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
November 2007
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
SP800-38E NIST Special Publication 800-38E - Recommendation for Block
Cipher Modes of Operation: The XTS AES Mode for Confdentiality on
Storage Devices
January 2010
http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 22 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Red Hat Enterprise Linux OpenSSH Client Cryptographic ModuleFIPS 140-2 Non-Proprietary Security Policy
SP800-38F NIST Special Publication 800-38F - Recommendation for Block
Cipher Modes of Operation: Methods for Key Wrapping
December 2012
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
SP800-56A NIST Special Publication 800-56A Revision 2 - Recommendation for
Pair Wise Key Establishment Schemes Using Discrete Logarithm
Cryptography
May 2013
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 56Ar2.pdf
SP800-56C Recommendation for Key Derivation through Extraction-then-
Expansion
November 2011
http://csrc.nist.gov/publications/nistpubs/800-56C/SP-800-56C.pdf
SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for
the Triple Data Encryption Algorithm (TDEA) Block Cipher
January 2012
http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
SP800-90A NIST Special Publication 800-90A - Recommendation for Random
Number Generation Using Deterministic Random Bit Generators
January 2012
http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
SP800-90B NIST Draft Special Publication 800-90B - Recommendation for the
Entropy Sources Used for Random Bit Generation
August 2012
http://csrc.nist.gov/publications/drafts/800-90/draft-sp800-90b.pdf
SP800-108 NIST Special Publication 800-108 - Recommendation for Key
Derivation Using Pseudorandom Functions
October 2009
http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
SP800-131A NIST Special Publication 800-131A - Transitions: Recommendation
for Transitioning the Use of Cryptographic Algorithms and Key
Lengths
January 2011
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
©2018 Red Hat Enterprise Linux / atsec information security corporation Page 23 of 23
This document can be reproduced and distributed only whole and intact, including this copyright notice.