SUSE Linux Enterprise Server OpenSSL Cryptographic Module version 4.1.1
FIPS 140-2 Non-Proprietary Security Policy

Doc version 4.1.5
Last update: 2023-09-27

Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com

©2023 SUSE, LLC / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.

Table of contents

1 Cryptographic Module Specification
  1.1 Module Overview
  1.2 Modes of Operation
2 Cryptographic Module Ports and Interfaces
3 Roles, Services and Authentication
  3.1 Roles
  3.2 Services
  3.3 Operator Authentication
  3.4 Algorithms
  3.5 Allowed Algorithms
    3.5.1 Non-Approved Algorithms
4 Physical Security
5 Operational Environment
  5.1 Policy
6 Cryptographic Key Management
  6.1 Random Number Generation
  6.2 Key/CSP Generation
  6.3 Key Agreement / Key Transport / Key Derivation
  6.4 Key/CSP Entry and Output
  6.5 Key/CSP Storage
  6.6 Key/CSP Zeroization
7 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
8 Self Tests
  8.1 Power-Up Tests
    8.1.1 Integrity Tests
    8.1.2 Cryptographic Algorithm Tests
  8.2 On-Demand Self-Tests
  8.3 Conditional Tests
9 Guidance
  9.1 Crypto Officer Guidance
    9.1.1 Module Installation
    9.1.2 Operating Environment Configuration
    9.1.3 Operational Environment limitations
  9.2 User Guidance
    9.2.1 TLS
    9.2.2 API Functions
    9.2.3 Use of ciphers
    9.2.4 AES XTS
    9.2.5 AES GCM IV
    9.2.6 Triple-DES encryption
    9.2.7 Environment Variables
    9.2.8 Key derivation using SP800-132 PBKDF
  9.3 Handling FIPS Related Errors
10 Mitigation of Other Attacks
  10.1 Blinding Against RSA Timing Attacks
  10.2 Weak Triple-DES Key Detection
Appendix A - TLS Cipher Suites
Appendix B - CAVP certificates
Appendix C - Glossary and Abbreviations
Appendix D - References

1 Cryptographic Module Specification

This document is the non-proprietary security policy for the SUSE Linux Enterprise Server OpenSSL Cryptographic Module version 4.1.1. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS 140-2 (Federal Information Processing Standards Publication 140-2) for a security level 1 module.

This document was prepared in partial fulfillment of the FIPS 140-2 requirements for cryptographic modules and is intended for security officers, developers, system administrators and end-users.

FIPS 140-2 details the requirements of the Governments of the U.S. and Canada for cryptographic modules, aimed at the objective of protecting sensitive but unclassified information.
For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at http://csrc.nist.gov/.

Throughout the document, “the OpenSSL module” and “the module” are also used to refer to the SUSE Linux Enterprise Server OpenSSL Cryptographic Module version 4.1.1.

1.1 Module Overview

The SUSE Linux Enterprise Server OpenSSL Cryptographic Module is a software cryptographic module that implements the Transport Layer Security (TLS) protocol versions 1.0, 1.1 and 1.2, the Datagram Transport Layer Security (DTLS) protocol versions 1.0 and 1.2, and general-purpose cryptographic services. The module provides cryptographic services to applications running in the user space of the underlying operating system through a C language application program interface (API). The module may use processor instructions to optimize and increase performance.

The module can act as a TLS server or TLS client and interacts with other entities via the TLS/DTLS network protocols.

For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone cryptographic module validated at overall security level 1. Table 1 shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard:

FIPS 140-2 Section | Security Level
1 Cryptographic Module Specification | 1
2 Cryptographic Module Ports and Interfaces | 1
3 Roles, Services and Authentication | 1
4 Finite State Model | 1
5 Physical Security | N/A
6 Operational Environment | 1
7 Cryptographic Key Management | 1
8 EMI/EMC | 1
9 Self Tests | 1
10 Design Assurance | 1
11 Mitigation of Other Attacks | 1

Table 1: Security Levels
Table 2 lists the software components of the cryptographic module, which define its logical boundary.

Component | Description
/usr/lib64/libcrypto.so.1.1 | Shared library for cryptographic algorithms.
/usr/lib64/libssl.so.1.1 | Shared library for TLS/DTLS network protocols.
/usr/lib64/.libcrypto.so.1.1.hmac | Integrity check HMAC value for the libcrypto shared library.
/usr/lib64/.libssl.so.1.1.hmac | Integrity check HMAC value for the libssl shared library.

Table 2: Cryptographic Module Components

The software block diagram below shows the logical boundary of the module and its interfaces with the operational environment.

Figure 1: Software Block Diagram

The module is intended to run on a general purpose computer (GPC). Table 3 shows the platforms on which the module has been tested, and whether they use Processor Algorithm Accelerators (PAA) or Processor Algorithm Implementations (PAI) in the cryptographic algorithm implementations:

Platform | Processor | Test Configuration
Dell EMC PowerEdge 640 | Intel Cascade Lake Xeon Gold 6234 | SUSE Linux Enterprise Server 15 SP2 with and without AES-NI (PAA)
IBM System Z/15 | IBM z15 | SUSE Linux Enterprise Server 15 SP2 with and without CPACF (PAI)
Gigabyte R181-T90 | Cavium ThunderX2 CN9975 ARMv8 | SUSE Linux Enterprise Server 15 SP2 with and without Crypto Extensions (PAA)

Table 3: Tested Platforms
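Table 2 pairs each shared library with a hidden companion .hmac file that holds the reference value for the module's integrity check. The following is an added example written for this page, not code from the SUSE module or from OpenSSL, showing the shape of such a check: the packager computes an HMAC over the library bytes at build time and stores it beside the library, and at power-up the module recomputes it and compares in constant time, failing closed when the stored value is missing or differs. The HMAC algorithm (HMAC-SHA-256), the hex encoding of the stored value, and the key in the block are assumptions made for illustration; the page does not state which key or encoding the real module uses, and the stand-in "library" is a constructed random file.

```python
"""Integrity check in the style of Table 2 (library + hidden .hmac companion file).

Added example, not code from the SUSE module. ASSUMPTIONS, not taken from the page:
HMAC-SHA-256, a hex digest stored in the .hmac file, and the illustrative key below.
"""
import hashlib
import hmac
import os
import tempfile

# Assumed illustrative key; the module's real integrity key is not given on the page.
INTEGRITY_KEY = b"example-integrity-key-not-the-modules-key"
CHUNK = 1 << 16


def hmac_path(lib_path: str) -> str:
    """Companion file name as in Table 2:
    /usr/lib64/libcrypto.so.1.1 -> /usr/lib64/.libcrypto.so.1.1.hmac"""
    directory, base = os.path.split(lib_path)
    return os.path.join(directory, "." + base + ".hmac")


def compute_hmac(lib_path: str, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC over the whole library file, streamed so large .so files are not read at once."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(lib_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def write_hmac(lib_path: str, key: bytes = INTEGRITY_KEY) -> str:
    """Build-time step: store the reference value next to the library."""
    digest = compute_hmac(lib_path, key)
    with open(hmac_path(lib_path), "w") as f:
        f.write(digest + "\n")
    return digest


def verify_integrity(lib_path: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Power-up step: recompute and compare in constant time.
    A missing .hmac file fails closed, exactly like a mismatch."""
    try:
        with open(hmac_path(lib_path)) as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(compute_hmac(lib_path, key), expected)


def demo() -> dict:
    """Constructed scenario: intact library verifies, a one-bit change does not,
    and a library with no companion .hmac file is rejected."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libcrypto.so.1.1")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF" + os.urandom(4096))  # constructed stand-in, not a real library
        write_hmac(lib)
        intact = verify_integrity(lib)

        with open(lib, "r+b") as f:  # flip one bit somewhere in the body
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_integrity(lib)

        no_hmac_file = verify_integrity(os.path.join(d, "libssl.so.1.1"))
        return {"intact": intact, "tampered": tampered, "no_hmac_file": no_hmac_file}


if __name__ == "__main__":
    print(demo())
```

The point of the hidden companion file is that the reference value travels with the binary; anyone who can overwrite the library can also overwrite the .hmac file, so this check detects accidental corruption and unmanaged rebuilds, not an attacker with write access to /usr/lib64. That is why Section 5.1 separately forbids tracing tools and Section 9 ties compliance to the unchanged packaged binary.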
Note: Per FIPS 140-2 IG G.5, the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.

The physical boundary of the module is the surface of the case of the tested platform. Figure 2 shows the hardware block diagram including the major hardware components of a GPC.

Figure 2: Hardware Block Diagram

1.2 Modes of Operation

The module supports two modes of operation:

• FIPS mode (the Approved mode of operation): only approved or allowed security functions with sufficient security strength can be used.
• non-FIPS mode (the non-Approved mode of operation): only non-approved security functions can be used.

The module enters FIPS mode after the power-up tests succeed. Once the module is operational, the mode of operation is implicitly assumed depending on the security function invoked and the security strength of the cryptographic keys. Critical security parameters (CSPs) used or stored in FIPS mode are not used in non-FIPS mode, and vice versa.

2 Cryptographic Module Ports and Interfaces

As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces are the API through which applications request services, and the TLS protocol internal state and messages sent to and received from the TCP/IP protocol.
The ports and interfaces are shown in the following table.

FIPS Interface | Physical Port | Logical Interface
Data Input | Ethernet ports | API input parameters, kernel I/O (network or files on filesystem), TLS protocol input messages.
Data Output | Ethernet ports | API output parameters, kernel I/O (network or files on filesystem), TLS protocol output messages.
Control Input | Ethernet port | API function calls, API input parameters for control.
Status Output | Ethernet port | API return values.
Power Input | PC Power Supply Port | N/A

Table 4: Ports and Interfaces

3 Roles, Services and Authentication

3.1 Roles

The module supports the following roles:

• User role: performs cryptographic services (in both FIPS mode and non-FIPS mode), TLS network protocol, key zeroization, get status, and on-demand self-test.
• Crypto Officer role: performs module installation and configuration.

3.2 Services

The module provides services to the users that assume one of the available roles. All services are shown in Table 5 and Table 6. Table 5 lists the services available in FIPS mode. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). The following convention is used to specify access rights to a CSP:

• Create: the calling application can create a new CSP.
• Read: the calling application can read the CSP.
• Update: the calling application can write a new value to the CSP.
• Zeroize: the calling application can zeroize the CSP.
• n/a: the calling application does not access any CSP or key during its operation.

The details of the approved cryptographic algorithms including the CAVP certificate numbers can be found in Table 7.
Service | Algorithm | Role | Keys/CSPs | Access

Cryptographic Services
Symmetric encryption and decryption | AES | User | AES key | Read
Symmetric encryption and decryption | Three-key Triple-DES | User | Three-key Triple-DES key | Read
Symmetric decryption | Two-key Triple-DES | User | Two-key Triple-DES key | Read
RSA key generation | RSA, DRBG | User | RSA public and private keys | Create
RSA digital signature generation and verification | RSA, SHS | User | RSA public and private keys | Read
DSA key generation | DSA, DRBG | User | DSA public and private keys | Create
DSA domain parameter generation | DSA | User | None | n/a
DSA digital signature generation and verification | DSA, SHS | User | DSA public and private keys | Read
ECDSA key generation | ECDSA, DRBG | User | ECDSA public and private keys | Create
ECDSA public key validation | ECDSA | User | ECDSA public key | Read
ECDSA signature generation and verification | ECDSA, DRBG, SHS | User | ECDSA public and private keys | Read
Random number generation | DRBG | User | Entropy input string, seed material: Read; Internal state: Update
Message digest | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | User | None | N/A
Message authentication code (MAC) | HMAC | User | HMAC key | Read
Message authentication code (MAC) | CMAC with AES | User | AES key | Read
Message authentication code (MAC) | CMAC with Triple-DES | User | Triple-DES key | Read
Key encapsulation | RSA | User | RSA public and private keys | Read
Key wrapping | AES-KW, AES-KWP | User | AES key | Read
Diffie-Hellman shared secret computation | KAS-FFC-SSC | User | Diffie-Hellman public and private keys: Create, Read; Shared secret: Create
Diffie-Hellman key generation and verification using safe primes | Safe Primes Key Generation and Verification | User | Diffie-Hellman public and private keys | Create, Read
EC Diffie-Hellman shared secret computation | KAS-ECC-SSC | User | EC Diffie-Hellman public and private keys: Create, Read; Shared secret: Create
Key derivation | TLS KDF | User | Shared secret: Read; Derived key: Create
Key derivation | SSH KDF | User | Shared secret: Read; Derived key: Create
Key derivation | PBKDF | User | Password/passphrase: Read; Derived key: Create

Network Protocol Services
Transport Layer Security (TLS) network protocol v1.0, v1.1 and v1.2 | Supported cipher suites in FIPS mode (see Appendix A for the complete list of valid cipher suites) | User | RSA, DSA or ECDSA public and private keys: Read; TLS pre_master_secret, TLS master_secret, Diffie-Hellman or EC Diffie-Hellman public and private keys, AES or Triple-DES key, HMAC key: Create
TLS extensions | n/a | User | RSA, DSA or ECDSA public and private keys | Read
Certificate management | n/a | Crypto Officer | RSA, DSA or ECDSA public and private keys | Read

Other FIPS-related Services
Show status | N/A | User | None | N/A
Zeroization | N/A | User | All CSPs | Zeroize
Self-tests | AES, Diffie-Hellman, DSA, EC Diffie-Hellman, ECDSA, DRBG, HMAC, RSA, SHS, Triple-DES | User | None | N/A
Module installation and configuration | N/A | Crypto Officer | None | N/A
Module initialization | N/A | Crypto Officer | None | N/A

Table 5: Services in FIPS mode of operation

Table 6 lists the services only available in non-FIPS mode of operation. The details of the non-approved cryptographic algorithms available in non-FIPS mode can be found in Table 9.
Service | Algorithm / Modes | Role | Keys | Access

Cryptographic Services
Symmetric encryption and decryption | ARIA, Blowfish, Camellia, CAST, CAST5, ChaCha20, DES, RC2, RC4, SEED, and Poly1305 | User | Symmetric key | Read
Symmetric encryption | Two-key Triple-DES | User | Two-key Triple-DES key | Read
Authenticated encryption cipher for encryption and decryption | AES and SHA from multi-buffer or stitch implementations listed in Table 9 | User | AES key, HMAC key | Read
Asymmetric key generation | RSA, DSA and ECDSA restrictions listed in Table 9 | User | RSA, DSA or ECDSA public and private keys | Create
Digital signature generation and verification | RSA, DSA and ECDSA and message digest restrictions listed in Table 9 | User | RSA, DSA or ECDSA public and private keys | Read
Message digest | Blake2, Gost, MD4, MD5, MDC2, RMD160 | User | None | N/A
Message authentication code (MAC) | HMAC and CMAC restrictions listed in Table 9; GMAC | User | HMAC key, two-key Triple-DES key | Read
RSA key encapsulation | RSA keys smaller than 2048 bits | User | RSA key pair | Read
Diffie-Hellman shared secret computation | Diffie-Hellman restrictions listed in Table 9 | User | Diffie-Hellman public and private keys | Read
EC Diffie-Hellman shared secret computation | Restrictions listed in Table 9 | User | EC Diffie-Hellman public and private keys | Read
Key derivation | KDF TLS v1.3 | User | Shared secret: Read; Derived key: Create
Key derivation | KDF PBKDF using non-approved message digest | User | Password/passphrase: Read; Derived key: Create

Network Protocol Services
Transport Layer Security (TLS) network protocol v1.0, v1.1 and v1.2 | Non-supported cipher suites (see Appendix A for the complete list of valid cipher suites) | User | RSA, DSA or ECDSA public and private keys: Read; TLS pre_master_secret, TLS master_secret, Diffie-Hellman or EC Diffie-Hellman public and private keys, AES or Triple-DES key, HMAC key: Create
Transport Layer Security (TLS) network protocol v1.3 | | User | RSA, DSA or ECDSA public and private keys: Read; TLS pre_master_secret, TLS master_secret, Diffie-Hellman or EC Diffie-Hellman public and private keys, AES or Triple-DES key, HMAC key: Create

Table 6: Services in non-FIPS mode of operation

3.3 Operator Authentication

The module does not implement user authentication. The role of the user is implicitly assumed based on the service requested.

3.4 Algorithms

The module provides multiple implementations of algorithms for the different processor architectures:

• For the Intel Xeon processor architecture:
  ◦ use of AES-NI (PAA), and SSSE3 and strict assembler instructions (non-PAA) for AES implementations;
  ◦ use of AVX2, AVX, SSSE3 and strict assembler instructions for SHA implementations (non-PAA);
  ◦ use of the CLMUL instruction set and strict assembler for GHASH, which is used in GCM mode (non-PAA);
  ◦ C implementation for all algorithms (non-PAA).
• For the IBM z15 processor architecture:
  ◦ use of the CPACF (PAI) and strict assembler (non-PAI) for AES, SHA and GHASH implementations;
  ◦ use of the CPACF for ECDSA signature generation and verification (PAI);
  ◦ C implementation for all algorithms (non-PAI).
• For the ARMv8 processor architecture:
  ◦ use of the Crypto Extensions and NEON bit-slicing instructions for AES and SHA implementations (PAA);
  ◦ C implementation for all algorithms (non-PAA).

The module uses the most efficient implementation based on the processor's capability. This behavior can also be controlled through the capability mask environment variables OPENSSL_ia32cap (for Intel processors), OPENSSL_s390xcap (for IBM z/series processors) and OPENSSL_armcap (for ARM processors). Note that only one algorithm implementation can be executed at runtime.

Note that for the Transport Layer Security (TLS) protocol, no parts of this protocol other than the key derivation function (SP800-135 TLS KDF) have been tested by the CAVP. For the Secure Shell (SSH) protocol, the module only implements the key derivation function (SP800-135 SSH KDF); no other parts of this protocol are implemented.

Table 7 lists the approved algorithms, the CAVP certificates, and other associated information of the cryptographic implementations in FIPS mode. Please refer to Appendix B for more detailed information about the algorithm implementations tested for each CAVP certificate.

Algorithm | Mode / Method | Key Lengths, Curves or Moduli (in bits) | Use | Standard | CAVP Certs
AES | ECB, CBC, CFB1, CFB8, CFB128, OFB, CTR | 128, 192, 256 | Data Encryption and Decryption | FIPS197, SP800-38A | A343 A350 A351 A357 A378 A381 A508 A1498
AES | CMAC | 128, 192, 256 | MAC Generation and Verification | SP800-38B | A343 A350 A351 A357 A378 A381 A508 A1498
AES | CCM | 128, 192, 256 | Data Encryption and Decryption | SP800-38C | A343 A350 A351 A357 A378 A381 A508 A1498
AES | XTS | 128, 256 | Data Encryption and Decryption for Data Storage | SP800-38E | A343 A350 A351 A357 A378 A381 A508 A1498
AES | KW, KWP | 128, 192, 256 | Key Wrapping and Unwrapping | SP800-38F | A343 A350 A351 A357 A378 A381 A508 A1498
AES | GCM | 128, 192, 256 | Data Encryption and Decryption | SP800-38D | A339 A340 A344 A346 A349 A354 A358 A362 A370 A373 A377 A379 A509 A1498
DRBG | CTR_DRBG: AES-128, AES-192, AES-256, with/without DF, with/without PR | N/A | Deterministic Random Bit Generation | SP800-90A | A348 A360 A365 A369 A382 A508 A1498
DRBG | Hash_DRBG: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, with/without PR | N/A | Deterministic Random Bit Generation | SP800-90A | A342 A363 A375 A376 A380 A383 A1498
DRBG | HMAC_DRBG: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, with/without PR | N/A | Deterministic Random Bit Generation | SP800-90A | A342 A363 A375 A376 A380 A383 A1498
DSA | N/A | L=2048, N=224; L=2048, N=256; L=3072, N=256 | Key Pair Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-224 | L=2048, N=224 | Domain Parameter Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-256 | L=2048, N=256; L=3072, N=256 | Domain Parameter Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-224, SHA-256, SHA-384, SHA-512 | L=2048, N=224 | Digital Signature Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-256, SHA-384, SHA-512 | L=2048, N=256; L=3072, N=256 | Digital Signature Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-224 | L=2048, N=224 | Domain Parameter Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-256 | L=2048, N=256; L=3072, N=256 | Domain Parameter Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
DSA | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | L=1024, N=160; L=2048, N=224; L=2048, N=256; L=3072, N=256 | Digital Signature Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
ECDSA | N/A | P-256, P-384, P-521 | Key Pair Generation, Public Key Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
ECDSA | SHA-224, SHA-256, SHA-384, SHA-512 | P-224, P-256, P-384, P-521 | Digital Signature Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
ECDSA | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | P-224, P-256, P-384, P-521 | Digital Signature Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
HMAC | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 112 or greater | Message Authentication Code | FIPS198-1 | A353 A360 A364 A365 A367 A386 A1498
HMAC | SHA3-224, SHA3-256, SHA3-384, SHA3-512 | 112 or greater | Message Authentication Code | FIPS198-1 | A352 A359 A368 A372 A374 A1498
KAS-ECC-SSC | ECC Ephemeral Unified Scheme | P-224, P-256, P-384, P-521 | EC Diffie-Hellman Key Agreement | SP800-56Arev3 | A684 A1498
KAS-FFC-SSC | dhEphem Scheme with safe prime groups | 2048, 3072, 4096, 6144, 8192 | Diffie-Hellman Key Agreement | SP800-56Arev3 | A684 A1498
Safe Primes Key Generation and Verification | Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | 2048, 3072, 4096, 6144, 8192 | Diffie-Hellman Key Agreement | SP800-56Arev3 | A684 A1498
KDF PBKDF | HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | N/A | Key Derivation | SP800-132 | A353 A360 A364 A365 A367 A386 A1498
KDF PBKDF | HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 | N/A | Key Derivation | SP800-132 | A352 A359 A368 A372 A374 A1498
KDF SSH | AES with SHA-1, SHA-256, SHA-384, SHA-512 | 128, 192, 256 | Key Derivation | SP800-135 CVLs | A355 A366 A371 A385 A1498
KDF SSH | Triple-DES with SHA-1, SHA-256, SHA-384, SHA-512 | 192 | Key Derivation | SP800-135 CVLs | A355 A366 A371 A385 A1498
KDF TLS | TLS v1.0, v1.1, v1.2 | N/A | Key Derivation | SP800-135 CVLs | A353 A360 A364 A365 A367 A386 A1498
RSA | N/A | 2048, 3072, 4096 | Key Pair Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
RSA | PKCS#1v1.5: SHA-224, SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital Signature Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
RSA | PSS: SHA-224, SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital Signature Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
RSA | X9.31: SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital Signature Generation | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
RSA | PKCS#1v1.5: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 1024, 2048, 3072, 4096 | Digital Signature Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
RSA | PSS: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 1024, 2048, 3072, 4096 | Digital Signature Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
RSA | X9.31: SHA-1, SHA-256, SHA-384, SHA-512 | 1024, 2048, 3072, 4096 | Digital Signature Verification | FIPS186-4 | A353 A360 A364 A365 A367 A386 A1498
SHS | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | N/A | Message Digest | FIPS180-4 | A353 A360 A364 A365 A367 A386 A1498
SHA-3 | SHA3-224, SHA3-256, SHA3-384, SHA3-512 | N/A | Message Digest | FIPS202 | A352 A359 A368 A372 A374 A507 A1498
Triple-DES | ECB, CBC, CFB1, CFB8, CFB64, OFB | 192 (two-key Triple-DES) | Data Decryption | SP800-67, SP800-38A | A341 A345 A347
Triple-DES | ECB, CBC, CFB1, CFB8, CFB64, OFB | 192 (three-key Triple-DES) | Data Encryption and Decryption | SP800-67, SP800-38A | A341 A345 A347
Triple-DES | CMAC | 192 | MAC Generation and Verification | SP800-67, SP800-38B | A341 A345 A347
KTS | AES KW, KWP | 128, 192, 256 | Key Wrapping and Unwrapping | SP800-38F | A343 A350 A351 A357 A378 A381 A508 A1498
KTS | AES CCM | 128, 256 | Key wrapping and unwrapping as part of the cipher suites in the TLS protocol | | A343 A350 A351 A357 A378 A381 A508 A1498
KTS | AES GCM | 128, 256 | Key wrapping and unwrapping as part of the cipher suites in the TLS protocol | | A339 A340 A344 A346 A349 A354 A358 A362 A370 A373 A377 A379 A509 A1498
KTS | AES CBC and HMAC | 128, 256 | Key wrapping and unwrapping as part of the cipher suites in the TLS protocol | | A343 A350 A351 A357 A378 A381 A508 A353 A360 A364 A365 A367 A386 A1498
KTS | Triple-DES CBC and HMAC | 192 | Key wrapping and unwrapping as part of the cipher suites in the TLS protocol | | A341 A345 A347 A353 A360 A364 A365 A367 A386

Table 7: Approved Cryptographic Algorithms

3.5 Allowed Algorithms

Table 8 describes the non-approved but allowed algorithms in FIPS mode:

Algorithm | Use
RSA Key Encapsulation with Encryption and Decryption Primitives, with keys equal to or larger than 2048 bits (up to 15360 bits or more) | Key Establishment; allowed per [FIPS140-2_IG] D.9
MD5 | Pseudo-random function (PRF) in TLS v1.0 and v1.1; allowed per [SP800-52rev2]
NDRNG | The module obtains the entropy data from an NDRNG to seed the DRBG.
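Section 3.4 says that implementation selection on Intel can be overridden through the OPENSSL_ia32cap capability mask, which is how a tester exercises the "without AES-NI" configuration listed in Table 3 on a machine that has AES-NI. The block below is an added example written for this page, not code from the module or from OpenSSL. It builds the mask value from CPUID feature-bit positions and runs a command under it. The bit layout is OpenSSL's documented one for the first word of OPENSSL_ia32cap (low 32 bits are CPUID(1).EDX, high 32 bits are CPUID(1).ECX; a leading "~" clears the listed bits from what the library detected), and the four feature names in the table are the only ones this example covers; OPENSSL_s390xcap and OPENSSL_armcap use different layouts and are not handled here.

```python
"""Building an OPENSSL_ia32cap mask to force the non-AES-NI (non-PAA) AES path.

Added example, not code from the SUSE module. Bit positions are from OpenSSL's
documentation of OPENSSL_ia32cap: the first 64-bit word is CPUID(1).ECX in the
upper half and CPUID(1).EDX in the lower half, and "~value" masks those bits out.
"""
import os
import subprocess
import sys

# CPUID leaf 1, ECX register feature bits (each lands at bit 32 + n in the mask word).
_ECX_BITS = {
    "aesni": 25,      # AES-NI: the PAA implementation Table 3 tests "with and without"
    "pclmulqdq": 1,   # carry-less multiply used by the CLMUL GHASH path for GCM
    "ssse3": 9,       # SSSE3 AES/SHA assembler paths (non-PAA)
    "avx": 28,        # AVX SHA assembler paths (non-PAA)
}


def ia32cap_mask(*features: str) -> str:
    """Return the OPENSSL_ia32cap string that hides the named CPU features."""
    value = 0
    for name in features:
        value |= 1 << (32 + _ECX_BITS[name])
    return "~0x%x" % value


def run_with_mask(cmd, *features, env=None):
    """Run cmd with OPENSSL_ia32cap set so OpenSSL never selects the masked paths.
    The variable is read by libcrypto at initialisation, so it must be present in
    the child's environment; setting it after the library is loaded has no effect."""
    child_env = dict(os.environ if env is None else env)
    child_env["OPENSSL_ia32cap"] = ia32cap_mask(*features)
    return subprocess.run(cmd, env=child_env, capture_output=True, text=True)


def show_child_mask(*features: str) -> str:
    """Spawn a child Python process (constructed stand-in for `openssl speed`)
    and report the mask it actually received."""
    probe = [sys.executable, "-c", "import os; print(os.environ['OPENSSL_ia32cap'])"]
    return run_with_mask(probe, *features).stdout.strip()


if __name__ == "__main__":
    # With a real OpenSSL in PATH the same helper drives the benchmark on both paths:
    #   run_with_mask(["openssl", "speed", "-evp", "aes-128-gcm"], "aesni", "pclmulqdq")
    print(ia32cap_mask("aesni", "pclmulqdq"))
    print(show_child_mask("aesni"))
```

The shell equivalent for the AES-NI plus PCLMULQDQ case is OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-128-gcm, the value OpenSSL's own documentation gives for disabling those two instructions. Masking only changes which of the module's implementations is selected; all of them are within the validated boundary, which is why Table 3 lists both configurations per platform rather than treating the masked one as a different module.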
Table 8: Non-Approved but Allowed Algorithms

3.5.1 Non-Approved Algorithms

Table 9 shows the non-Approved cryptographic algorithms implemented in the module that are only available in non-FIPS mode.

Algorithm | Use
ARIA, Blowfish, Camellia, CAST, CAST5, ChaCha20, DES, RC2, RC4, SEED, SM4 | Data Encryption and Decryption.
2-key Triple-DES | Data Encryption.
ChaCha20 and Poly1305 | Authenticated Data Encryption and Decryption.
Blake2, GHASH, MD4, MD5, RMD160, SM3 | Message Digest.
GMAC, SipHash | Message Authentication Code.
HMAC with less than 112-bit keys | Message Authentication Code.
CMAC with 2-key Triple-DES | Message Authentication Code.
SM2 | Digital Signature Generation and Verification.
SRP | Key Agreement.
SHA-1 | Digital Signature Generation, DSA Domain Parameter Generation.
DSA with keys smaller than 2048 bits or greater than 3072 bits | Key Pair Generation, Domain Parameter Generation.
DSA with keys smaller than 2048 bits or greater than 3072 bits; DSA with L=2048, N=256 or L=3072, N=256 using SHA-1 or SHA-224 | Digital Signature Generation.
DSA with keys smaller than 1024 bits or greater than 3072 bits | Digital Signature Verification.
RSA with keys smaller than 2048 bits or greater than 4096 bits | Key Pair Generation, Domain Parameter Verification, Digital Signature Generation.
RSA with keys smaller than 1024 bits or greater than 4096 bits | Digital Signature Verification.
RSA with keys smaller than 2048 bits | Key Encapsulation.
ECDSA with P-192 and P-224 curves, K curves, B curves and non-NIST curves | Key Pair Generation and Public Key Validation.
ECDSA with P-192 curve, K curves, B curves and non-NIST curves | Digital Signature Generation and Verification.
Diffie-Hellman with keys generated with domain parameters other than safe primes | Key Agreement, Shared Secret computation.
EC Diffie-Hellman with P-192 curve, K curves, B curves and non-NIST curves | Key Agreement, Shared Secret computation.
Multiblock ciphers using AES in CBC mode with 128 and 256 bit keys and HMAC SHA-1 and SHA-256 (available only on Intel processors with AES-NI capability) | Authenticated Data Encryption and Decryption.
AES and SHA from multi-buffer or stitch implementations | Data Encryption and Decryption, Message Digest.
KDF TLS for v1.3 | Key Derivation.
PBKDF with non-approved message digest algorithms | Key Derivation.

Table 9: Non-Approved Cryptographic Algorithms

4 Physical Security

The module is comprised of software only and thus does not claim any physical security.

5 Operational Environment

This module operates in a modifiable operational environment per the FIPS 140-2 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in Table 3.

The SUSE Linux Enterprise Server operating system is used as the basis of other products which include but are not limited to:

• SLES
• SLES for SAP
• SLED
• SLE Micro

Compliance is maintained for these products whenever the binary is found unchanged.
Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

5.1 Policy

The operating system is restricted to a single operator; concurrent operators are explicitly excluded. The application that requests cryptographic services is the single user of the module.

Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running on a non-tested operational environment.

6 Cryptographic Key Management

Table 10 summarizes the Critical Security Parameters (CSPs) that are used by the cryptographic services implemented in the module:

Name | Generation | Entry and Output | Zeroization
--- | --- | --- | ---
AES keys | Key material is entered via API parameters or generated during Diffie-Hellman or EC Diffie-Hellman key agreement. | Keys are passed into the module via API input parameters in plaintext. | EVP_CIPHER_CTX_free(), EVP_CIPHER_CTX_reset()
Triple-DES keys | (as for AES keys) | (as for AES keys) | EVP_CIPHER_CTX_free(), EVP_CIPHER_CTX_reset()
HMAC keys | (as for AES keys) | (as for AES keys) | HMAC_CTX_free()
RSA public and private keys | Public and private keys are generated using the FIPS 186-4 key generation method; random values are obtained from the SP800-90A DRBG. | Keys are passed into the module via API input parameters in plaintext. Keys are passed out of the module via API output parameters in plaintext. | RSA_free()
DSA public and private keys | (as for RSA keys) | (as for RSA keys) | DSA_free()
ECDSA public and private keys | (as for RSA keys) | (as for RSA keys) | EC_KEY_free()
Diffie-Hellman public and private keys | Public and private keys are generated using the SP 800-56Arev3 Safe Primes key generation method; random values are obtained from the SP800-90A DRBG. | The key is passed into the module via API input parameters in plaintext. Keys are passed out of the module via API output parameters in plaintext. | DH_free()
EC Diffie-Hellman public and private keys | Public and private keys are generated using the FIPS 186-4 key generation method; random values are obtained from the SP800-90A DRBG. | The key is passed into the module via API input parameters in plaintext. Keys are passed out of the module via API output parameters in plaintext. | EC_KEY_free()
Shared secret | Generated during the Diffie-Hellman or EC Diffie-Hellman key agreement and shared secret computation. | N/A | DH_free(), EC_KEY_free()
Password or passphrase | Not Applicable. Key material is entered via API parameters. | The key is passed into the module via API input parameters in plaintext. | EVP_PKEY_free()
Derived key | Generated during the TLS KDF, SSH KDF or PBKDF. | Keys are passed out of the module via API output parameters in plaintext. | EVP_PKEY_free()
Entropy input string and seed material | Obtained from NDRNG. | N/A | FIPS_drbg_free()
DRBG internal state: V value, C value, key (if applicable) | Derived from entropy input as defined in SP800-90A. | N/A | FIPS_drbg_free()
TLS pre_master_secret | Generated from the SP800-90A DRBG when the module acts as a TLS client, for RSA cipher suites. Generated during key agreement for Diffie-Hellman or EC Diffie-Hellman cipher suites. | Received from the TLS client (network), wrapped with the TLS server's RSA public key, when the module acts as a TLS server with RSA cipher suites. N/A for Diffie-Hellman or EC Diffie-Hellman cipher suites. | SSL_free(), SSL_clear()
TLS master_secret | Derived from TLS pre_master_secret using the TLS KDF. | N/A | SSL_free(), SSL_clear()

Table 10: Life cycle of Keys or CSPs

The following sections describe how CSPs, in particular cryptographic keys, are managed during their life cycle.

6.1 Random Number Generation

The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90A] for the creation of seeds for asymmetric keys, and server and client random numbers for the TLS protocol. In addition, the module provides a Random Number Generation service to calling applications.

The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization; the module loads by default the DRBG using the CTR_DRBG mechanism with AES-256, with derivation function, and without prediction resistance. A different DRBG mechanism can be chosen through an API function call.

The module uses a Non-Deterministic Random Number Generator (NDRNG), the getrandom() system call, as the entropy source for seeding the DRBG. The NDRNG is provided by the operational environment (i.e., the Linux RNG), which is within the module's physical boundary but outside of the module's logical boundary. The NDRNG provides at least 128 bits of entropy to the DRBG during initialization (seed) and reseeding (reseed).

The Linux kernel performs conditional self-tests on the output of the NDRNG to ensure that consecutive random numbers do not repeat. The module performs the DRBG health tests as defined in section 11.3 of [SP800-90A].

6.2 Key/CSP Generation

The module provides an SP800-90A-compliant Deterministic Random Bit Generator (DRBG) for creation of key components of asymmetric keys, and random number generation.
The key generation methods implemented in the module for Approved services in FIPS mode are compliant with [SP800-133]. For generating RSA, DSA and ECDSA keys the module implements asymmetric key generation services compliant with [FIPS186-4]. A seed (i.e. the random value) used in asymmetric key generation is directly obtained from the [SP800-90A] DRBG.

The public and private keys used in the EC Diffie-Hellman key agreement schemes are generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4] and [SP800-56Arev3]. The Diffie-Hellman key agreement scheme is also compliant with [SP800-56Arev3], and generates keys using safe primes defined in RFC7919 and RFC3526, as described in the next section.

The module generates cryptographic keys whose strengths are modified by available entropy.

6.3 Key Agreement / Key Transport / Key Derivation

The module provides Diffie-Hellman and EC Diffie-Hellman key agreement schemes compliant with SP800-56Arev3, used as part of the TLS protocol key exchange in accordance with scenario X1 (2) of IG D.8; that is, the shared secret computation (KAS-FFC-SSC and KAS-ECC-SSC) followed by the derivation of the keying material using the SP800-135 KDF.

For Diffie-Hellman, the module supports the use of safe primes from RFC7919 for domain parameters and key generation, which are used in the TLS key agreement implemented by the module.

• TLS (RFC7919)
  ◦ ffdhe2048 (ID = 256)
  ◦ ffdhe3072 (ID = 257)
  ◦ ffdhe4096 (ID = 258)
  ◦ ffdhe6144 (ID = 259)
  ◦ ffdhe8192 (ID = 260)

The module also supports the use of safe primes from RFC3526, which are part of the Modular Exponential (MODP) Diffie-Hellman groups that can be used for Internet Key Exchange (IKE).
Note that the module only implements key generation and verification, and shared secret computation using safe primes, but no part of the IKE protocol.

• IKEv2 (RFC3526)
  ◦ MODP-2048 (ID=14)
  ◦ MODP-3072 (ID=15)
  ◦ MODP-4096 (ID=16)
  ◦ MODP-6144 (ID=17)
  ◦ MODP-8192 (ID=18)

The module also provides the following key transport mechanisms:

• Key wrapping using AES-KW and AES-KWP.
• Key wrapping using AES-CCM, AES-GCM, and AES in CBC mode and HMAC, used by the TLS protocol cipher suites with 128-bit or 256-bit keys.
• Key wrapping using Triple-DES in CBC mode and HMAC, used by the TLS protocol cipher suites with 192-bit keys.
• RSA key encapsulation using private key encryption and public key decryption (also used as part of the TLS protocol key exchange).

According to Table 2: Comparable strengths in [SP 800-57], the key sizes of AES, RSA, Diffie-Hellman and EC Diffie-Hellman provide the following security strength in FIPS mode of operation:

• AES key wrapping using AES in KW, KWP provides between 128 and 256 bits of encryption strength.
• AES key wrapping using AES-CCM, AES-GCM, and AES in CBC mode and HMAC, provides 128 or 256 bits of encryption strength.
• Triple-DES key wrapping using HMAC provides 112 bits of encryption strength.
• RSA key wrapping (1) provides between 112 and 256 bits of encryption strength.
• Diffie-Hellman key agreement provides between 112 and 200 bits of encryption strength.
• EC Diffie-Hellman key agreement provides between 128 and 256 bits of encryption strength.

(1) "Key wrapping" is used instead of "key encapsulation" to show how the algorithm will appear in the certificate per IG G.13.
Note: As the module supports RSA key pairs greater than 2048 bits up to 15360 bits or more, the encryption strength of 256 bits is claimed for RSA key encapsulation.

The module supports the following key derivation methods according to [SP800-135]:

• KDF for the TLS protocol, used as pseudo-random functions (PRF) for TLSv1.0/1.1 and TLSv1.2.
• KDF for the SSHv2 protocol.

The module also supports password-based key derivation (PBKDF). The implementation is compliant with option 1a of [SP800-132]. Keys derived from passwords or passphrases using this method can only be used in storage applications.

6.4 Key/CSP Entry and Output

The module does not support manual key entry or intermediate key generation key output. The keys are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form. This is allowed by [FIPS140-2_IG] IG 7.7, according to the "CM Software to/from App Software via GPC INT Path" entry on the Key Establishment Table.

6.5 Key/CSP Storage

Symmetric keys, HMAC keys, public and private keys are provided to the module by the calling application via API input parameters, and are destroyed by the module when invoking the appropriate API function calls. The module does not perform persistent storage of keys. The keys and CSPs are stored as plaintext in RAM. The only exception is the HMAC key used for the Integrity Test, which is stored in the module and relies on the operating system for protection.

6.6 Key/CSP Zeroization

The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 10. Calling SSL_free() and SSL_clear() will zeroize the keys and CSPs stored in the TLS protocol internal state and also invoke the corresponding API functions listed in Table 10 to zeroize keys and CSPs.
The zeroization functions overwrite the memory occupied by keys with "zeros" and deallocate the memory with the regular memory deallocation operating system call.

7 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)

The test platforms as shown in Table 3 are compliant to 47 CFR FCC Part 15, Subpart B, Class A (Business use).

8 Self Tests

8.1 Power-Up Tests

The module performs power-up tests when the module is loaded into memory, without operator intervention. Power-up tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the power-up tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the power-up tests are completed successfully.

If any power-up test fails, the module returns the error code listed in section 9.3 and displays the specific error message associated with the returned error code, and then enters the Error state. The subsequent calls to the module will also fail; no further cryptographic operations are possible. If the power-up tests complete successfully, the module will return 1 in the return code and will accept cryptographic operation service requests.
8.1.1 Integrity Tests

The integrity of the module is verified by comparing an HMAC-SHA-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module. If the HMAC values do not match, the test fails and the module enters the error state.

8.1.2 Cryptographic Algorithm Tests

The module performs self-tests on all FIPS-Approved cryptographic algorithms supported in the Approved mode of operation, using the Known Answer Tests (KAT) and Pair-wise Consistency Tests (PCT) shown in the following table:

Algorithm | Power-Up Tests
--- | ---
AES | KAT AES ECB mode with 128-bit key, encryption and decryption (separately tested); KAT AES CCM mode with 192-bit key, encryption and decryption (separately tested); KAT AES GCM mode with 256-bit key, encryption and decryption (separately tested); KAT AES XTS mode with 128 and 256-bit keys, encryption and decryption (separately tested)
CMAC | KAT AES CMAC with 128, 192 and 256 bit keys, MAC generation; KAT Triple-DES CMAC, MAC generation
Diffie-Hellman | Primitive "Z" Computation KAT with 2048-bit key
DRBG | KAT CTR_DRBG with AES with 256-bit keys, with and without DF, with and without PR; KAT Hash_DRBG with SHA-256, with and without PR; KAT HMAC_DRBG with SHA-256, with and without PR
DSA | PCT DSA with L=2048, N=224 and SHA-256
EC Diffie-Hellman | Primitive "Z" Computation KAT with P-256 curve
ECDSA | PCT ECDSA with P-256 and SHA-256
HMAC | KAT HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512; KAT HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
PBKDF | KDF KAT with SHA-256
RSA | KAT RSA with 2048-bit key, PKCS#1 v1.5 scheme and SHA-256, signature generation and verification (separately tested); KAT RSA with 2048-bit key, PSS scheme and SHA-256, signature generation and verification (separately tested); KAT RSA with 2048-bit key, public key encryption and private key decryption (separately tested)
SHA-3 | KAT SHA3-256, SHA3-512, SHAKE-128 and SHAKE-256
SHS (2) | KAT SHA-1, SHA-256 and SHA-512
SSH KDF | KAT with SHA-256
TLS KDF | KAT with SHA-256
Triple-DES | KAT Triple-DES ECB mode, encryption and decryption (separately tested)

Table 11: Self-Tests

(2) SHA-224 and SHA-384 are not required per IG 9.4.

For the KAT, the module calculates the result and compares it with the known value. If the answer does not match the known answer, the KAT fails and the module enters the Error state. For the PCT, if the signature generation or verification fails, the module enters the Error state.

8.2 On-Demand Self-Tests

On-demand self-tests can be invoked by powering off and reloading the module, which causes the module to run the power-up tests again.

8.3 Conditional Tests

The module performs conditional tests on the cryptographic algorithms, using the Pair-wise Consistency Tests (PCT) shown in the following table. If a conditional test fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output and cryptographic operations are not allowed.
Algorithm | Conditional Tests
--- | ---
DSA key generation | PCT using SHA-256, signature generation and verification.
ECDSA key generation | PCT using SHA-256, signature generation and verification.
RSA key generation | PCT using SHA-256, signature generation and verification. PCT public encryption and private decryption.

Table 12: Conditional Tests

9 Guidance

9.1 Crypto Officer Guidance

The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow this Security Policy to configure the operational environment and install the module to be operated as a FIPS 140-2 validated module.

The following RPM packages contain the FIPS validated module:

Processor Architecture | RPM Packages
--- | ---
Intel 64-bit | libopenssl1_1-1.1.1d-150200.11.62.1.x86_64.rpm, libopenssl1_1-hmac-1.1.1d-150200.11.62.1.x86_64.rpm
IBM z15 | libopenssl1_1-1.1.1d-150200.11.62.1.s390x.rpm, libopenssl1_1-hmac-1.1.1d-150200.11.62.1.s390x.rpm
ARMv8 64-bit | libopenssl1_1-1.1.1d-150200.11.62.1.aarch64.rpm, libopenssl1_1-hmac-1.1.1d-150200.11.62.1.aarch64.rpm

Table 13: RPM packages

9.1.1 Module Installation

The Crypto Officer can install the RPM packages containing the module as listed in Table 13 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.

9.1.2 Operating Environment Configuration

The operating environment needs to be configured to support FIPS, so the following steps shall be performed with root privilege:

1. Install the dracut-fips RPM package:

   # zypper install dracut-fips

2. Recreate the INITRAMFS image:

   # dracut -f

3. After regenerating the initrd, the Crypto Officer has to append the following parameter to the GRUB_CMDLINE_LINUX_DEFAULT line in the /etc/default/grub configuration file:

   fips=1

4. After editing the configuration file, run the following command to change the setting in the boot loader:

   # grub2-mkconfig -o /boot/grub2/grub.cfg

   If /boot or /boot/efi resides on a separate partition, the kernel parameter boot= must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example:

   # df /boot
   Filesystem     1K-blocks  Used Available Use% Mounted on
   /dev/sda1         233191 30454    190296  14% /boot

   The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended in the aforementioned grub file: "boot=/dev/sda1"

5. Reboot to apply these settings.

Now, the operating environment is configured to support FIPS operation. The Crypto Officer should check the existence of the file /proc/sys/crypto/fips_enabled, and verify it contains the numeric value "1". If the file does not exist or does not contain "1", the operating environment is not configured to support FIPS and the module will not operate properly as a FIPS validated module.

9.1.3 Operational Environment limitations

Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment.
9.2 User Guidance

In order to run in FIPS mode, the module must be operated using the FIPS Approved services, with their corresponding FIPS Approved and FIPS allowed cryptographic algorithms provided in this Security Policy (see section 3.2). In addition, key sizes must comply with [SP800-131A].

9.2.1 TLS

The TLS protocol implementation provides both server and client sides. In order to operate in FIPS mode, digital certificates used for server and client authentication shall comply with the restrictions of key size and message digest algorithms imposed by [SP800-131A]. In addition, for Diffie-Hellman only the safe prime groups listed in RFC7919 are approved to be used in FIPS mode.

9.2.2 API Functions

Passing "0" to the FIPS_mode_set() API function is prohibited. Executing the CRYPTO_set_mem_functions() API function is prohibited as it performs like a null operation in the module. The use of any of these API functions implies that the cryptographic module is being executed in an invalid configuration.

9.2.3 Use of ciphers

The following ciphers (usually obtained by calling the EVP_get_cipherbyname() function) use multiblock implementations of the AES, HMAC and SHA algorithms that are not validated by the CAVP; therefore, they cannot be used in FIPS mode of operation.

Cipher Name | NID
--- | ---
AES-128-CBC-HMAC-SHA1 | NID_aes_128_cbc_hmac_sha1
AES-256-CBC-HMAC-SHA1 | NID_aes_256_cbc_hmac_sha1
AES-128-CBC-HMAC-SHA256 | NID_aes_128_cbc_hmac_sha256
AES-256-CBC-HMAC-SHA256 | NID_aes_256_cbc_hmac_sha256

Table 14: Ciphers not allowed in FIPS mode of operation

9.2.4 AES XTS

The AES algorithm in XTS mode can only be used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with XTS-AES shall not exceed 2^20 AES blocks, that is 16MB of data.
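The XTS restrictions of this section (128- or 256-bit keys only, data units of at most 2^20 AES blocks, and the IG A.9 requirement that the two XTS key halves differ) can be enforced by the calling application before a key is handed to the module. The following C is an added example written for this page, not the module's own check; the function names, error codes and sample keys are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes of the hypothetical pre-use check (not module API). */
enum xts_check {
    XTS_OK            = 0,
    XTS_ERR_KEY_LEN   = -1, /* not a 128- or 256-bit XTS key (192-bit is not Approved) */
    XTS_ERR_SAME_KEYS = -2, /* Key_1 == Key_2, rejected per IG A.9 */
    XTS_ERR_UNIT_LEN  = -3  /* data unit shorter than one block or longer than 2^20 blocks */
};

#define AES_BLOCK_BYTES     16u
#define XTS_MAX_UNIT_BLOCKS (1u << 20)   /* 2^20 AES blocks = 16 MiB per data unit */

/* Constant-time comparison: returns 1 when the halves differ, 0 when identical.
 * No early exit, so the check itself leaks nothing about where they differ. */
static int ct_differs(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc != 0;
}

/* An XTS key is two concatenated AES keys: 32 bytes (AES-128) or 64 bytes (AES-256). */
enum xts_check xts_check_key(const uint8_t *key, size_t key_len)
{
    if (key_len != 32 && key_len != 64)
        return XTS_ERR_KEY_LEN;          /* 48 bytes would be AES-192: not Approved */
    size_t half = key_len / 2;
    if (!ct_differs(key, key + half, half))
        return XTS_ERR_SAME_KEYS;
    return XTS_OK;
}

/* A data unit (e.g. one disk sector) may not exceed 2^20 AES blocks. A partial
 * trailing block (ciphertext stealing) still counts as a block, and XTS needs
 * at least one full block. */
enum xts_check xts_check_unit_len(size_t unit_bytes)
{
    if (unit_bytes < AES_BLOCK_BYTES)
        return XTS_ERR_UNIT_LEN;
    size_t blocks = (unit_bytes + AES_BLOCK_BYTES - 1) / AES_BLOCK_BYTES;
    return blocks <= XTS_MAX_UNIT_BLOCKS ? XTS_OK : XTS_ERR_UNIT_LEN;
}

int main(void)
{
    /* Constructed sample keys (not real key material). */
    uint8_t good[32], same[32], k192[48];
    for (size_t i = 0; i < sizeof good; i++) { good[i] = (uint8_t)i; same[i] = 0x5A; }
    for (size_t i = 0; i < sizeof k192; i++) k192[i] = (uint8_t)(i * 7);

    printf("distinct halves: %d\n", xts_check_key(good, sizeof good));      /* 0 */
    printf("Key_1 == Key_2:  %d\n", xts_check_key(same, sizeof same));      /* -2 */
    printf("192-bit key:     %d\n", xts_check_key(k192, sizeof k192));      /* -1 */
    printf("16 MiB unit:     %d\n", xts_check_unit_len(16u << 20));         /* 0 */
    printf("16 MiB + 1:      %d\n", xts_check_unit_len((16u << 20) + 1));   /* -3 */
    return 0;
}
```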
To meet the requirement stated in IG A.9, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical.

Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not an Approved service.

9.2.5 AES GCM IV

In case the module's power is lost and then restored, the key used for the AES GCM encryption or decryption shall be redistributed.

The nonce_explicit part of the IV does not exhaust the maximum number of possible values for a given session key. The design of the TLS protocol in this module implicitly ensures that the nonce_explicit, or counter portion of the IV, will not exhaust all of its possible values.

The AES GCM IV generation is in compliance with [RFC5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-2_IG] IG A.5, provision 1 ("TLS protocol IV generation"); in addition, the module is compliant with section 3.3.1 of [SP800-52rev2].

When a GCM IV is used for decryption, the responsibility for the IV generation lies with the party that performs the AES GCM encryption and therefore there is no restriction on the IV generation.

9.2.6 Triple-DES encryption

Data encryption using the same three-key Triple-DES key shall not exceed 2^16 Triple-DES blocks (2GB of data), in accordance with SP800-67 and IG A.13.

[SP800-67] imposes a restriction on the number of 64-bit block encryptions performed under the same three-key Triple-DES key. When the three-key Triple-DES key is generated as part of a recognized IETF protocol, the module is limited to 2^20 64-bit data block encryptions. This scenario occurs in the following protocols:

• Transport Layer Security (TLS) versions 1.1 and 1.2, conformant with [RFC5246]
• Secure Shell (SSH) protocol, conformant with [RFC4253]
• Internet Key Exchange (IKE) versions 1 and 2, conformant with [RFC7296]

In any other scenario, the module cannot perform more than 2^16 64-bit data block encryptions. The user is responsible for ensuring the module's compliance with this requirement.

9.2.7 Environment Variables

OPENSSL_ENFORCE_MODULUS_BITS

Setting the environment variable OPENSSL_ENFORCE_MODULUS_BITS can restrict the module to only generate the acceptable key sizes of RSA. If the environment variable is set, the module enforces the generation of keys of 2048 bits or more.

9.2.8 Key derivation using SP800-132 PBKDF

The module provides password-based key derivation (PBKDF), compliant with SP800-132. The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK).

In accordance with [SP800-132], the following requirements shall be met:

• Derived keys shall only be used in storage applications. The Master Key (MK) shall not be used for other purposes. The length of the MK or DPK shall be 112 bits or more.
• A portion of the salt, with a length of at least 128 bits, shall be generated randomly using the SP800-90A DRBG.
• The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. The minimum value shall be 1000.
• Passwords or passphrases, used as an input for the PBKDF, shall not be used as cryptographic keys.
• The length of the password or passphrase shall be at least 20 characters, and shall consist of lower-case, upper-case and numeric characters. The probability of guessing the value is estimated to be 1/62^20 ≈ 10^-36, which is less than 2^-112.

The calling application shall also observe the rest of the requirements and recommendations specified in [SP800-132].

9.3 Handling FIPS Related Errors

When the module fails any power-on self-test or conditional test, the module will return an error code to indicate the error and will enter the Error state. Any further cryptographic operation is inhibited. The calling application can obtain the module state by calling the FIPS_selftest_failed() API function. The function returns 1 if the module is in the Error state, 0 if the module is in the Operational state.

The following table shows the error codes and the corresponding condition:

Error Message / Codes | Error Condition
--- | ---
FIPS_R_FINGERPRINT_DOES_NOT_MATCH (110) | The integrity test fails at power-up.
FIPS_R_SELFTEST_FAILED (101) | Any of the AES, CMAC, DRBG, HMAC, SHA, or Triple-DES KATs fails at power-up.
FIPS_R_TEST_FAILURE (117) | Any of the KATs for RSA, the PCT for ECDSA or the PCT for DSA fails at power-up.
FIPS_R_NOPR_TEST1_FAILURE (145), FIPS_R_NOPR_TEST2_FAILURE (146), FIPS_R_PR_TEST1_FAILURE (147), FIPS_R_PR_TEST2_FAILURE (148) | The KAT of a DRBG fails at power-up.
FIPS_R_FIPS_SELFTEST_FAILED (106) | A cryptographic operation is invoked and the module is in the error state.
FIPS_R_PAIRWISE_TEST_FAILED (127) | The PCT of a newly generated RSA, DSA or ECDSA key pair fails during conditional tests.
FIPS_R_ENTROPY_SOURCE_STUCK (142) | The CRNGT for the NDRNG fails during conditional tests.

Table 15: Error Codes and Error Events

These errors are reported through the regular ERR interface of the module and can be queried by functions such as ERR_get_error(). See the OpenSSL man pages for the function description.
When the module is in the error state and the application calls a crypto function of the module that cannot return an error in normal circumstances (void return functions), the error message "OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE" is printed to stderr and the application is terminated with the abort() call. The only way to recover from this error is to restart the application. If the failure persists, the module must be reinstalled.

10 Mitigation of Other Attacks

10.1 Blinding Against RSA Timing Attacks

RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. The module provides the API functions RSA_blinding_on() and RSA_blinding_off() to turn the blinding on and off for RSA. When the blinding is on, the module generates a random value to form a blinding factor in the RSA key before the RSA key is used in the RSA cryptographic operations.

10.2 Weak Triple-DES Key Detection

The module implements DES_set_key_checked() for checking for weak Triple-DES keys and the correctness of the parity bits when the Triple-DES key is going to be used in Triple-DES operations. The check for weak Triple-DES keys is implemented in the API function DES_is_weak_key() and the check of the parity bits is implemented in the API function DES_check_key_parity().
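As an added illustration of the two checks this section describes, the following C mirrors the return convention the page gives for DES_set_key_checked() (parity error before weak-key match) and applies it to each DES subkey of a three-key Triple-DES key. It is example code written for this page, not the module's own implementation; the function names and sample keys are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t des_cblock_t[8];

/* The 16 weak and semi-weak DES keys (Davies and Price, 1984), the same
 * values the module's weak_keys table lists. */
static const des_cblock_t weak_keys[16] = {
    /* weak keys */
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
    {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
    {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    /* semi-weak keys */
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
    {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
    {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
    {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
    {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
    {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
    {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

/* DES keys carry odd parity in every byte (bit 0 is the parity bit).
 * Returns 1 when all eight bytes have an odd number of set bits, else 0. */
int des_key_parity_ok(const des_cblock_t key)
{
    for (int i = 0; i < 8; i++) {
        uint8_t b = key[i];
        b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;   /* fold all eight bits into bit 0 */
        if ((b & 1) == 0)                          /* even count: parity error */
            return 0;
    }
    return 1;
}

/* Returns 1 when the key is one of the 16 weak or semi-weak keys, else 0. */
int des_key_is_weak(const des_cblock_t key)
{
    for (size_t i = 0; i < sizeof weak_keys / sizeof weak_keys[0]; i++)
        if (memcmp(key, weak_keys[i], 8) == 0)
            return 1;
    return 0;
}

/* Same return convention as the page gives for DES_set_key_checked():
 * 0 = usable, -1 = parity check error, -2 = weak key. Parity is checked first. */
int des_check_single_key(const des_cblock_t key)
{
    if (!des_key_parity_ok(key))
        return -1;
    if (des_key_is_weak(key))
        return -2;
    return 0;
}

/* Apply the check to each of the three DES subkeys of a 24-byte three-key
 * Triple-DES key; the first failing subkey decides the result. */
int tdes_check_key(const uint8_t key[24])
{
    for (int k = 0; k < 3; k++) {
        int rc = des_check_single_key(key + 8 * k);
        if (rc != 0)
            return rc;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample keys (not real key material). */
    const des_cblock_t ok_key     = {0x13,0x34,0x57,0x79,0x9B,0xBC,0xDF,0xF1}; /* odd parity, not weak */
    const des_cblock_t bad_parity = {0x12,0x34,0x57,0x79,0x9B,0xBC,0xDF,0xF1}; /* 0x12 has even parity */
    uint8_t tdes[24];
    memcpy(tdes,      ok_key,       8);
    memcpy(tdes + 8,  ok_key,       8);
    memcpy(tdes + 16, weak_keys[4], 8);   /* third subkey is semi-weak */

    printf("good DES key:     %d\n", des_check_single_key(ok_key));       /* 0 */
    printf("parity error:     %d\n", des_check_single_key(bad_parity));   /* -1 */
    printf("weak key:         %d\n", des_check_single_key(weak_keys[0])); /* -2 */
    printf("3DES with weak K3: %d\n", tdes_check_key(tdes));              /* -2 */
    return 0;
}
```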
If the Triple-DES key does not pass the check, the module will return -1 to indicate a parity check error and -2 if the Triple-DES key matches any value listed below:

    /* Weak and semi-weak keys as taken from
     * %A D.W. Davies
     * %A W.L. Price
     * %T Security for Computer Networks
     * %I John Wiley & Sons
     * %D 1984
     * Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference
     * (and actual cblock values).
     */
    #define NUM_WEAK_KEY 16
    static const DES_cblock weak_keys[NUM_WEAK_KEY] = {
        /* weak keys */
        {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
        {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
        {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
        {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
        /* semi-weak keys */
        {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
        {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
        {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
        {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
        {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
        {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
        {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
        {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
        {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
        {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
        {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
        {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}
    };

Please note that there is no weak key detection by default. The caller can explicitly set the global DES_check_key to 1, or call the DES_check_key_parity() and/or DES_is_weak_key() functions on its own.

Appendix A - TLS Cipher Suites

The module supports the following cipher suites for the TLS protocol versions 1.0, 1.1 and 1.2, compliant with section 3.3.1 of [SP800-52rev2]. Each cipher suite defines the key exchange algorithm, the bulk encryption algorithm (including the symmetric key size) and the MAC algorithm.
Cipher Suite                                    Reference
TLS_RSA_WITH_3DES_EDE_CBC_SHA                   RFC2246
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA                RFC2246
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA                RFC2246
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA               RFC2246
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA               RFC2246
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA               RFC2246
TLS_RSA_WITH_AES_128_CBC_SHA                    RFC3268
TLS_DH_DSS_WITH_AES_128_CBC_SHA                 RFC3268
TLS_DH_RSA_WITH_AES_128_CBC_SHA                 RFC3268
TLS_DHE_DSS_WITH_AES_128_CBC_SHA                RFC3268
TLS_DHE_RSA_WITH_AES_128_CBC_SHA                RFC3268
TLS_DH_anon_WITH_AES_128_CBC_SHA                RFC3268
TLS_RSA_WITH_AES_256_CBC_SHA                    RFC3268
TLS_DH_DSS_WITH_AES_256_CBC_SHA                 RFC3268
TLS_DH_RSA_WITH_AES_256_CBC_SHA                 RFC3268
TLS_DHE_DSS_WITH_AES_256_CBC_SHA                RFC3268
TLS_DHE_RSA_WITH_AES_256_CBC_SHA                RFC3268
TLS_DH_anon_WITH_AES_256_CBC_SHA                RFC3268
TLS_RSA_WITH_AES_128_CBC_SHA256                 RFC5246
TLS_RSA_WITH_AES_256_CBC_SHA256                 RFC5246
TLS_DH_DSS_WITH_AES_128_CBC_SHA256              RFC5246
TLS_DH_RSA_WITH_AES_128_CBC_SHA256              RFC5246
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256             RFC5246
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256             RFC5246
TLS_DH_DSS_WITH_AES_256_CBC_SHA256              RFC5246
TLS_DH_RSA_WITH_AES_256_CBC_SHA256              RFC5246
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256             RFC5246
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256             RFC5246
TLS_DH_anon_WITH_AES_128_CBC_SHA256             RFC5246
TLS_DH_anon_WITH_AES_256_CBC_SHA256             RFC5246
TLS_PSK_WITH_3DES_EDE_CBC_SHA                   RFC4279
TLS_PSK_WITH_AES_128_CBC_SHA                    RFC4279
TLS_PSK_WITH_AES_256_CBC_SHA                    RFC4279
TLS_RSA_WITH_AES_128_GCM_SHA256                 RFC5288
TLS_RSA_WITH_AES_256_GCM_SHA384                 RFC5288
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256             RFC5288
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384             RFC5288
TLS_DH_RSA_WITH_AES_128_GCM_SHA256              RFC5288
TLS_DH_RSA_WITH_AES_256_GCM_SHA384              RFC5288
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256             RFC5288
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384             RFC5288
TLS_DH_DSS_WITH_AES_128_GCM_SHA256              RFC5288
TLS_DH_DSS_WITH_AES_256_GCM_SHA384              RFC5288
TLS_DH_anon_WITH_AES_128_GCM_SHA256             RFC5288
TLS_DH_anon_WITH_AES_256_GCM_SHA384             RFC5288
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA            RFC4492
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA             RFC4492
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA             RFC4492
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA           RFC4492
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA            RFC4492
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA            RFC4492
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA              RFC4492
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA               RFC4492
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA               RFC4492
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA             RFC4492
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA              RFC4492
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA              RFC4492
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA             RFC4492
TLS_ECDH_anon_WITH_AES_128_CBC_SHA              RFC4492
TLS_ECDH_anon_WITH_AES_256_CBC_SHA              RFC4492
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256         RFC5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384         RFC5289
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256          RFC5289
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384          RFC5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256           RFC5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384           RFC5289
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256            RFC5289
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384            RFC5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256         RFC5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384         RFC5289
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256          RFC5289
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384          RFC5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           RFC5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           RFC5289
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256            RFC5289
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384            RFC5289
TLS_RSA_WITH_AES_128_CCM                        RFC6655
TLS_RSA_WITH_AES_256_CCM                        RFC6655
TLS_DHE_RSA_WITH_AES_128_CCM                    RFC6655
TLS_DHE_RSA_WITH_AES_256_CCM                    RFC6655
TLS_RSA_WITH_AES_128_CCM_8                      RFC6655
TLS_RSA_WITH_AES_256_CCM_8                      RFC6655
TLS_DHE_RSA_WITH_AES_128_CCM_8                  RFC6655
TLS_DHE_RSA_WITH_AES_256_CCM_8                  RFC6655

Table 16: TLS Cipher Suites

Appendix B - CAVP certificates

The tables below show the certificates obtained from the CAVP for all the target platforms included in Table 3. The CAVP certificates validate all algorithm implementations used as approved or allowed security functions in FIPS mode of operation. The tables include the certificate number, the label used in the CAVP certificate for reference and a description of the algorithm implementation.

Cert# | CAVP Label | Algorithm Implementation | PAA
A345 | TDES_C | Triple-DES C implementation. | No
A378 | AESNI | AES using AESNI instructions. | Yes
A339 | AESNI_AVX | AES-GCM using AESNI instructions, and AVX instruction for multiplication and GHASH. | Yes
A373 | AESNI_CLMULNI | AES-GCM using AESNI instructions, and PCLMULQDQ instruction for multiplication and GHASH. | Yes
A346 | AESNI_ASM | AES-GCM using AESNI, and assembler implementation for multiplication and GHASH. | Yes
A381 | AESASM | AES assembler implementation. | No
A344 | AESASM_AVX | AES-GCM using assembler implementation, and AVX instruction for multiplication and GHASH. | No
A349 | AESASM_CLMULNI | AES-GCM using assembler implementation, and PCLMULQDQ instruction for multiplication and GHASH. | No
A370 | AESASM_ASM | AES-GCM using assembler implementation. | No
A343 | BAES_CTASM | AES using SSSE3 instruction for Constant Time assembler and Bit Slice AES. | No
A377 | BAES_CTASM_AVX | AES-GCM using SSSE3 instruction for Constant Time assembler and Bit Slice AES, and AVX instruction for multiplication and GHASH. | No
A379 | BAES_CTASM_CLMULNI | AES-GCM using SSSE3 instruction for Constant Time assembler and Bit Slice, and PCLMULQDQ instruction for multiplication and GHASH. | No
A340 | BAES_CTASM_ASM | AES-GCM using SSSE3 instruction for Constant Time assembler and Bit Slice, and assembler implementation for multiplication and GHASH. | No
A353 | SHA_AVX2 | All algorithms using SHA with AVX2 instruction. | No
A367 | SHA_AVX | All algorithms using SHA with AVX instruction. | No
A364 | SHA_SSSE3 | All algorithms using SHA with SSSE3 instruction. | No
A386 | SHA_ASM | All algorithms using SHA assembler implementation. | No
A382 | DRBG_10X_AESNI | CTR_DRBG with AES using AESNI instructions. | Yes
A369 | DRBG_10X_AESASM | CTR_DRBG with AES assembler implementation. | No
A348 | DRBG_10X_BAES_CTASM | CTR_DRBG with AES using SSSE3 instruction for Constant Time assembler and Bit Slice AES. | No
A376 | DRBG_10X_SHA_AVX2 | HMAC_DRBG and Hash_DRBG with SHA using AVX2 instruction. | No
A380 | DRBG_10X_SHA_AVX | HMAC_DRBG and Hash_DRBG with SHA using AVX instruction. | No
A375 | DRBG_10X_SHA_SSSE3 | HMAC_DRBG and Hash_DRBG with SHA using SSSE3 instruction. | No
A383 | DRBG_10X_SHA_ASM | HMAC_DRBG and Hash_DRBG with SHA assembler implementation. | No
A355 | SSH_AVX2 | KDF SSH using SHA with AVX2 instruction. | No
A371 | SSH_AVX | KDF SSH using SHA with AVX instruction. | No
A366 | SSH_SSSE3 | KDF SSH using SHA with SSSE3 instruction. | No
A385 | SSH_ASM | KDF SSH using SHA assembler implementation. | No
A374 | SHA3_AVX2 | All algorithms using SHA-3 with AVX2 instruction. | No
A372 | SHA3_AVX512 | All algorithms using SHA-3 with AVX instruction. | No
A368 | SHA3_ASM | All algorithms using SHA-3 assembler implementation. | No
A684 | SP800 56A rev 3 | SP800-56A rev 3 compliant implementation. | No

Table 17: CAVP certificates for the Intel Xeon processor

Cert# | CAVP Label | Algorithm Implementation | PAI
A341 | TDES_C | Triple-DES C implementation. | No
A360 | SHA_ASM | All algorithms impacted by SHA using assembler implementation. | Yes
A342 | DRBG_10X_SHA_ASM | HMAC_DRBG and Hash_DRBG with SHA using assembler implementation. | Yes
A359 | SHA3_ASM | All algorithms using SHA-3 assembler implementation. | Yes
A350 | AESASM | AES with assembler implementation. | Yes
A354 | AESASM_ASM | AES-GCM using assembler implementation. | Yes
A385 | SSH_ASM | KDF SSH using SHA assembler implementation. | Yes
A684 | SP800 56A rev 3 | SP800-56A rev 3 compliant implementation. | Yes
A1498 | ALL_NOPAI | All algorithm implementations without CPACF. | No

Table 18: CAVP certificates for the IBM z15 processor

Cert# | CAVP Label | Algorithm Implementation | PAA
A347 | TDES_C | Triple-DES C implementation. | No
A352 | SHA3_ASM | All algorithms impacted by SHA-3 using assembler implementation. | No
A365 | SHA_ASM | All algorithms impacted by SHA using assembler implementation. | No
A363 | DRBG_10X_SHA_ASM | HMAC_DRBG and Hash_DRBG using SHA assembler implementation. | No
A351 | CE | AES using Crypto Extensions. | Yes
A358 | CE_GCM | AES-GCM using Crypto Extensions. | Yes
A357 | VPAES | AES using NEON bit slicing implementation. | Yes
A362 | VPAES_GCM | AES-GCM using NEON bit slicing implementation. | Yes
A507 | NEON | SHA using NEON implementation. | Yes
A508 | AES_C | AES using generic C implementation. | No
A509 | AES_C_GCM | AES-GCM using generic C implementation. | No
A385 | SSH_ASM | KDF SSH using SHA assembler implementation. | No
A684 | SP800 56A rev 3 | SP800-56A rev 3 compliant implementation. | No

Table 19: CAVP certificates for the ARMv8 processor
Appendix C - Glossary and Abbreviations

AES     Advanced Encryption Specification
AES_NI  Intel® Advanced Encryption Standard (AES) New Instructions
CAVP    Cryptographic Algorithm Validation Program
CBC     Cipher Block Chaining
CCM     Counter with Cipher Block Chaining Message Authentication Code
CMAC    Cipher-based Message Authentication Code
CMVP    Cryptographic Module Validation Program
CSP     Critical Security Parameter
CTR     Counter Mode
DES     Data Encryption Standard
DRBG    Deterministic Random Bit Generator
ECB     Electronic Code Book
FIPS    Federal Information Processing Standards Publication
GCM     Galois Counter Mode
HMAC    Hash Message Authentication Code
MAC     Message Authentication Code
NIST    National Institute of Science and Technology
PKCS    Public Key Cryptography Standards
RNG     Random Number Generator
RPM     Red Hat Package Manager
RSA     Rivest, Shamir, Adleman
SHA     Secure Hash Algorithm
SHS     Secure Hash Standard
TDES    Triple-DES
XTS     XEX Tweakable Block Cipher with Ciphertext Stealing
Appendix D - References

FIPS 140-2: FIPS PUB 140-2 - Security Requirements for Cryptographic Modules. https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

FIPS 140-2_IG: Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, December 3, 2019. https://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

FIPS180-4: Secure Hash Standard (SHS). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

FIPS186-4: Digital Signature Standard (DSS). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

FIPS197: Advanced Encryption Standard. https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

FIPS198-1: The Keyed Hash Message Authentication Code (HMAC). https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf

FIPS202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

PKCS#1: Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. https://www.ietf.org/rfc/rfc3447.txt

RFC2246: The TLS Protocol Version 1.0. https://www.ietf.org/rfc/rfc2246.txt

RFC3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). https://www.ietf.org/rfc/rfc3268.txt

RFC4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). https://www.ietf.org/rfc/rfc4279.txt

RFC4346: The Transport Layer Security (TLS) Protocol Version 1.1. https://www.ietf.org/rfc/rfc4346.txt

RFC4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). https://www.ietf.org/rfc/rfc4492.txt

RFC5116: An Interface and Algorithms for Authenticated Encryption. https://www.ietf.org/rfc/rfc5116.txt

RFC5246: The Transport Layer Security (TLS) Protocol Version 1.2. https://tools.ietf.org/html/rfc5246.txt

RFC5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS. https://tools.ietf.org/html/rfc5288.txt

RFC5487: Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode. https://tools.ietf.org/html/rfc5487.txt

RFC5489: ECDHE_PSK Cipher Suites for Transport Layer Security (TLS). https://tools.ietf.org/html/rfc5489.txt

RFC6655: AES-CCM Cipher Suites for Transport Layer Security (TLS). https://tools.ietf.org/html/rfc6655.txt

RFC7251: AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS. https://tools.ietf.org/html/rfc7251.txt

RFC7296: Internet Key Exchange Protocol Version 2 (IKEv2). https://tools.ietf.org/html/rfc7296.txt

SP800-38A: NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation: Methods and Techniques. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf

SP800-38B: NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf

SP800-38C: NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf

SP800-38D: NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf

SP800-38E: NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38e.pdf

SP800-38F: NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf

SP800-52rev2: NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

SP800-56Arev3: NIST Special Publication 800-56Ar3 - Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf

SP800-67: NIST Special Publication 800-67 Revision 2 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf

SP800-90A: NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

SP800-131A: NIST Special Publication 800-131A Revision 1 - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

SP800-132: NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf