SUSE Linux Enterprise Server libgcrypt Cryptographic Module version 3.0
FIPS 140-2 Non-Proprietary Security Policy

Doc version 3.0.4
Last update: 2021-11-23

Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com

©11/23/21 SUSE, LLC / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.

Table of contents

1 Cryptographic Module Specification .... 3
  1.1 Module Overview .... 3
  1.2 Modes of Operation .... 5
2 Cryptographic Module Ports and Interfaces .... 6
3 Roles, Services and Authentication .... 7
  3.1 Roles .... 7
  3.2 Services .... 7
  3.3 Operator Authentication .... 9
  3.4 Algorithms .... 9
  3.5 Allowed Algorithms .... 11
  3.6 Non-Approved Algorithms .... 12
4 Physical Security .... 14
5 Operational Environment .... 15
  5.1 Policy .... 15
6 Cryptographic Key Management .... 16
  6.1 Random Number Generation .... 16
  6.2 Key/CSP Generation .... 17
  6.3 Key Transport .... 17
  6.4 Key Derivation .... 17
  6.5 Key/CSP Entry and Output .... 17
  6.6 Key/CSP Storage .... 17
  6.7 Key/CSP Zeroization .... 18
7 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) .... 19
8 Self Tests .... 20
  8.1 Power-Up Tests .... 20
    8.1.1 Integrity Tests .... 20
    8.1.2 Cryptographic Algorithm Tests .... 20
  8.2 On-Demand Self-Tests .... 21
  8.3 Conditional Tests .... 21
  8.4 Error states .... 21
9 Guidance .... 22
  9.1 Crypto Officer Guidance .... 22
    9.1.1 Module Installation .... 22
    9.1.2 Operating Environment Configuration .... 22
  9.2 User Guidance .... 23
    9.2.1 Memory Management .... 23
    9.2.2 AES XTS .... 23
    9.2.3 Triple-DES encryption .... 23
    9.2.4 Key derivation using SP800-132 PBKDF .... 23
10 Mitigation of Other Attacks .... 25
  10.1 Blinding Against RSA Timing Attacks .... 25
  10.2 Weak Triple-DES Key Detection .... 25
Appendix A - Glossary and Abbreviations .... 26
Appendix B - References .... 27

1 Cryptographic Module Specification

This document is the non-proprietary security policy for the SUSE Linux Enterprise Server libgcrypt Cryptographic Module version 3.0. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS 140-2 (Federal Information Processing Standards Publication 140-2) for a security level 1 module.

FIPS 140-2 details the requirements of the Governments of the U.S. and Canada for cryptographic modules, aimed at the objective of protecting sensitive but unclassified information. For more information on the FIPS 140-2 standard and validation program please refer to the NIST website at http://csrc.nist.gov/.

Throughout the document, “the libgcrypt module” and “the module” are also used to refer to the SUSE Linux Enterprise Server libgcrypt Cryptographic Module version 3.0.

1.1 Module Overview

The SUSE Linux Enterprise Server libgcrypt Cryptographic Module is a software library implementing general purpose cryptographic algorithms. The module provides cryptographic services to applications running in the user space of the underlying operating system through a C language application program interface (API).

For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone cryptographic module validated at overall security level 1.
Table 1 shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard:

| FIPS 140-2 Section | Security Level |
|---|---|
| 1 Cryptographic Module Specification | 1 |
| 2 Cryptographic Module Ports and Interfaces | 1 |
| 3 Roles, Services and Authentication | 1 |
| 4 Finite State Model | 1 |
| 5 Physical Security | N/A |
| 6 Operational Environment | 1 |
| 7 Cryptographic Key Management | 1 |
| 8 EMI/EMC | 1 |
| 9 Self Tests | 1 |
| 10 Design Assurance | 1 |
| 11 Mitigation of Other Attacks | 1 |

Table 1: Security Levels

Table 2 lists the software components of the cryptographic module, which define its logical boundary. The module is provided for the 64-bit Intel architectures.

| Processor Architecture | Component | Description |
|---|---|---|
| Intel 64-bit | /usr/lib64/libgcrypt.so.20.2.2 | Shared library for cryptographic algorithms. |
| Intel 64-bit | /usr/lib64/.libgcrypt.so.20.2.2.hmac | Integrity check HMAC value for the libgcrypt shared library. |

Table 2: Cryptographic Module Components

The software block diagram below shows the logical boundary of the module, and its interfaces with the operational environment.

Figure 1: Software Block Diagram

The module is intended to run on a general purpose computer (GPC). Table 3 shows the platform on which the module has been tested:

| Platform | Processor | Test Configuration |
|---|---|---|
| Dell EMC PowerEdge 640 | Intel® Cascade Lake Xeon® Gold 6234 | SUSE Linux Enterprise Server 15 SP0 |

Table 3: Tested Platforms

Note: Per FIPS 140-2 IG G.5, the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.

The physical boundary of the module is the surface of the case of the tested platform. Figure 2 shows the hardware block diagram including major hardware components of a GPC.

Figure 2: Hardware Block Diagram

1.2 Modes of Operation

The module supports two modes of operation:

• FIPS mode (the Approved mode of operation): only approved or allowed security functions with sufficient security strength can be used.
• non-FIPS mode (the non-Approved mode of operation): only non-approved security functions can be used.

The module enters FIPS mode after the power-up tests succeed. Once the module is operational, the mode of operation is implicitly assumed depending on the security function invoked and the security strength of the cryptographic keys.

Critical security parameters (CSPs) used or stored in FIPS mode are not used in non-FIPS mode, and vice versa.

2 Cryptographic Module Ports and Interfaces

As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces are the API through which applications request services. The ports and interfaces are shown in the following table.

| FIPS Interface | Physical Port | Logical Interface |
|---|---|---|
| Data Input | None | API input parameters for data. |
| Data Output | None | API output parameters for data. |
| Control Input | None | API function calls, API input parameters for control input, /proc/sys/crypto/fips_enabled control file. |
| Status Output | None | API return codes, API output parameters for status output. |
| Power Input | PC Power Supply Port | N/A |

Table 4: Ports and Interfaces

3 Roles, Services and Authentication

3.1 Roles

The module supports the following roles:

• User role: performs cryptographic services (in both FIPS mode and non-FIPS mode), key zeroization, get status, and on-demand self-test.
• Crypto Officer role: performs module installation and configuration.

The User and Crypto Officer roles are implicitly assumed by the entity accessing the module to request services. No authentication is required.

3.2 Services

The module provides services to the users that assume one of the available roles. All services are shown in Table 5 and Table 6.

Table 5 lists the services available in FIPS mode. For each service, the table lists the associated cryptographic algorithm(s), the role that performs the service, the cryptographic keys or CSPs involved, and their access type(s). The following convention is used to specify access rights to a CSP:

• Create: the calling application can create a new CSP.
• Read: the calling application can read the CSP.
• Update: the calling application can write a new value to the CSP.
• Zeroize: the calling application can zeroize the CSP.
• n/a: the calling application does not access any CSP or key during its operation.

The details of the approved cryptographic algorithms, including the CAVP certificate numbers, can be found in Table 7.
| Service | Algorithms | Role | Keys/CSPs | Access |
|---|---|---|---|---|
| Cryptographic Services | | | | |
| Symmetric encryption and decryption | AES | User | AES key | Read |
| Symmetric encryption and decryption | Three-key Triple-DES | User | Three-key Triple-DES key | Read |
| Symmetric decryption | Two-key Triple-DES | User | Two-key Triple-DES key | Read |
| RSA key generation | RSA, DRBG | User | RSA public and private keys | Create |
| RSA digital signature generation and verification | RSA, SHS | User | RSA public and private keys | Read |
| DSA key generation | DSA, DRBG | User | DSA public and private keys | Create |
| DSA domain parameter generation and verification | DSA | User | None | n/a |
| DSA digital signature generation and verification | DSA, SHS | User | DSA public and private keys | Read |
| ECDSA key generation | ECDSA, DRBG | User | ECDSA public and private keys | Create |
| ECDSA public key validation | ECDSA | User | ECDSA public key | Read |
| ECDSA signature generation and verification | ECDSA, DRBG, SHS | User | ECDSA public and private keys | Read |
| Random number generation | DRBG | User | Entropy input string, seed material | Read |
| Random number generation | DRBG | User | Internal state | Update |
| Message digest | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | User | None | N/A |
| Message digest | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE-128, SHAKE-256 | User | None | N/A |
| Message authentication code (MAC) | HMAC | User | HMAC key | Read |
| Message authentication code (MAC) | CMAC with AES | User | AES key | Read |
| Message authentication code (MAC) | CMAC with Triple-DES | User | Triple-DES key | Read |
| Key encapsulation | RSA | User | RSA public and private keys | Read |
| Key wrapping | AES-KW | User | AES key | Read |
| Key derivation | PBKDF2 with HMAC | User | Password/passphrase | Read |
| Key derivation | PBKDF2 with HMAC | User | Derived key | Create |
| Other FIPS-related Services | | | | |
| Show status | N/A | User | None | N/A |
| Zeroization | N/A | User | All CSPs | Zeroize |
| Self-tests | AES, DSA, ECDSA, DRBG, HMAC, RSA, SHS, Triple-DES | User | None | N/A |
| Module installation and configuration | N/A | Crypto Officer | None | N/A |
| Module initialization | N/A | Crypto Officer | None | N/A |

Table 5: Services in FIPS mode of operation

Table 6 lists the services only available in non-FIPS mode of operation. The details of the non-approved cryptographic algorithms available in non-FIPS mode can be found in Table 9.

| Service | Algorithm / Modes | Role | Keys | Access |
|---|---|---|---|---|
| Cryptographic Services | | | | |
| Symmetric encryption and decryption | AES (GCM, OCB) | User | Symmetric key | Read |
| Symmetric encryption and decryption | ARC4, Blowfish, Camellia, CAST5, ChaCha20, DES, IDEA, RC2, RC4, Salsa20, SEED, Serpent, Twofish | User | Symmetric key | Read |
| Symmetric encryption | Two-key Triple-DES | User | Two-key Triple-DES key | Read |
| Asymmetric key generation | ElGamal; RSA, DSA and ECDSA with the restrictions listed in Table 9 | User | RSA, DSA or ECDSA public and private keys | Create |
| Digital signature generation and verification | EC-GOST, EdDSA, ElGamal; RSA, DSA and ECDSA and message digest restrictions listed in Table 9 | User | RSA, DSA or ECDSA public and private keys | Read |
| Random number generation | Hash and HMAC DRBG using SHA-384 | User | Entropy input string, seed material | Read |
| Random number generation | Hash and HMAC DRBG using SHA-384 | User | Internal state | Update |
| Message digest | Blake2, Gost, MD4, MD5, RMD160, Tiger, Whirlpool | User | None | N/A |
| Message authentication code (MAC) | GMAC, Poly1305 | User | MAC key | Read |
| Message authentication code (MAC) | HMAC and CMAC restrictions listed in Table 9 | User | HMAC key, two-key Triple-DES key | Read |
| RSA key encapsulation | RSA keys smaller than 2048 bits. | User | RSA key pair | Read |
| Key derivation | KDF using OpenPGP S2K and SCRYPT | User | Password/passphrase | Read |
| Key derivation | KDF using OpenPGP S2K and SCRYPT | User | Derived key | Create |

Table 6: Services in non-FIPS mode of operation

3.3 Operator Authentication

The module does not implement user authentication. The role of the user is implicitly assumed based on the service requested.
3.4 Algorithms

The module provides C implementations of cryptographic algorithms. Table 7 lists the approved algorithms, the CAVP certificates, and other associated information of the cryptographic implementations in FIPS mode.

| Algorithm | Mode / Method | Key Lengths, Curves (in bits) | Use | Standard | CAVP Certs |
|---|---|---|---|---|---|
| AES | ECB, CBC, CFB8, CFB128, OFB, CTR | 128, 192, 256 | Data encryption and decryption | FIPS197, SP800-38A | #A118 |
| AES | CMAC | 128, 192, 256 | MAC generation and verification | SP800-38B | #A118 |
| AES | CCM | 128, 192, 256 | Data encryption and decryption | SP800-38C | #A118 |
| AES | XTS | 128, 256 | Data encryption and decryption for data storage | SP800-38E | #A118 |
| DRBG | CTR_DRBG: AES-128, AES-192, AES-256 with DF, with/without PR | N/A | Deterministic random bit generation | SP800-90A | #A118 |
| DRBG | Hash_DRBG: SHA-1, SHA-256, SHA-512 with/without PR | N/A | Deterministic random bit generation | SP800-90A | #A118 |
| DRBG | HMAC_DRBG: SHA-1, SHA-256, SHA-512 with/without PR | N/A | Deterministic random bit generation | SP800-90A | #A118 |
| DSA | | L=2048, N=224; L=2048, N=256; L=3072, N=256 | Key pair generation | FIPS186-4 | #A118 |
| DSA | SHA-224 | L=2048, N=224 | Domain parameter generation | FIPS186-4 | #A118 |
| DSA | SHA-256 | L=2048, N=256; L=3072, N=256 | Domain parameter generation | FIPS186-4 | #A118 |
| DSA | SHA-224 | L=2048, N=224 | Digital signature generation | FIPS186-4 | #A118 |
| DSA | SHA-224, SHA-256 | L=2048, N=256; L=3072, N=256 | Digital signature generation | FIPS186-4 | #A118 |
| DSA | SHA-224 | L=2048, N=224 | Domain parameter verification | FIPS186-4 | #A118 |
| DSA | SHA-256 | L=2048, N=256; L=3072, N=256 | Domain parameter verification | FIPS186-4 | #A118 |
| DSA | SHA-1 | L=1024, N=160 | Digital signature verification | FIPS186-4 | #A118 |
| DSA | SHA-224 | L=2048, N=224 | Digital signature verification | FIPS186-4 | #A118 |
| DSA | SHA-224, SHA-256 | L=2048, N=256; L=3072, N=256 | Digital signature verification | FIPS186-4 | #A118 |
| ECDSA | | P-256, P-384, P-521 | Key pair generation; public key verification | FIPS186-4 | #A118 |
| ECDSA | SHA-224, SHA-256, SHA-384, SHA-512 | P-256, P-384, P-521 | Digital signature generation | FIPS186-4 | #A118 |
| ECDSA | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | P-256, P-384, P-521 | Digital signature verification | FIPS186-4 | #A118 |
| HMAC | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 112 or greater | Message authentication code | FIPS198-1 | #A118 |
| HMAC | SHA3-224, SHA3-256, SHA3-384, SHA3-512 | 112 or greater | Message authentication code | FIPS198-1 | #A118 |
| KDF | PBKDF HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | | Key derivation | SP800-132 | vendor affirmed¹ |
| KTS | AES in KW mode | 128, 192, 256 | Key wrapping and unwrapping | SP800-38F | #A118 |
| RSA | B.3.3 | 2048, 3072, 4096 | Key pair generation | FIPS186-4 | #A118 |
| RSA | PKCS#1v1.5: SHA-224, SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital signature generation | FIPS186-4 | #A118 |
| RSA | PSS: SHA-224, SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital signature generation | FIPS186-4 | #A118 |
| RSA | PKCS#1v1.5: SHA-224, SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital signature verification | FIPS186-4 | #A118 |
| RSA | PSS: SHA-224, SHA-256, SHA-384, SHA-512 | 2048, 3072, 4096 | Digital signature verification | FIPS186-4 | #A118 |
| SHA-3 | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE-128, SHAKE-256 | | Message digest | FIPS202 | #A118 |
| SHS | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | N/A | Message digest | FIPS180-4 | #A118 |
| Triple-DES | ECB, CBC, CFB8, CFB64, OFB, CTR | 192 (two-key Triple-DES) | Data decryption | SP800-67, SP800-38A | #A118 |
| Triple-DES | ECB, CBC, CFB8, CFB64, OFB, CTR | 192 (three-key Triple-DES) | Data encryption and decryption | SP800-67, SP800-38A | #A118 |
| Triple-DES | CMAC | 192 | MAC generation and verification | SP800-67, SP800-38B | #A118 |

Table 7: Approved Cryptographic Algorithms for Intel Xeon Processor

¹ PBKDF has been tested by the CAVP with certificate #A118, but the module does not implement the required self-test.

3.5 Allowed Algorithms

Table 8 describes the non-approved but allowed algorithms in FIPS mode.

| Algorithm | Use |
|---|---|
| RSA key encapsulation with encryption and decryption primitives with keys equal to or larger than 2048 bits, up to 15360 bits or more. | Key establishment; allowed per [FIPS140-2_IG] D.9 |
| NDRNG | The module obtains the entropy data from an NDRNG to seed the DRBG. |

Table 8: Non-Approved but Allowed Algorithms

3.6 Non-Approved Algorithms

Table 9 shows the non-Approved cryptographic algorithms implemented in the module that are only available in non-FIPS mode.

| Algorithm | Use |
|---|---|
| AES in OCB mode. | Data encryption and decryption. |
| AES in GCM mode. | Authenticated data encryption and decryption. |
| Arcfour (RC4), Blowfish, Camellia, CAST5, ChaCha20, DES, GOST28147, RC2, Salsa20, SEED, Serpent, Twofish. | Data encryption and decryption. |
| 2-key Triple-DES. | Data encryption. |
| ChaCha20-Poly1305. | Authenticated data encryption and decryption, message authentication code. |
| Blake2, MD2, MD4, MD5, RMD160, GOST, Streebog, Tiger, Whirlpool. | Message digest. |
| CMAC with non-approved symmetric algorithms. | Message authentication code. |
| HMAC using keys less than 112 bits in length. HMAC with non-approved message digest algorithms. | Message authentication code. |
| GMAC. | Message authentication code. |
| Poly1305. | Message authentication code. |
| SHA-1. | Message digest in digital signature generation and verification. |
| DSA with L=1024, 7680, or 15360. | Key pair generation, domain parameter generation, domain parameter verification. |
| DSA with L=1024, 7680, or 15360. DSA with L=2048, N=224 and using SHA-1, SHA-256, SHA-384, or SHA-512. DSA with L=2048, N=256 or L=3072, N=256 and using SHA-1, SHA-384, or SHA-512. | Digital signature generation. |
| DSA with L=7680, 15360. DSA with L=1024, N=160 and using SHA-224, SHA-256, SHA-384, or SHA-512. DSA with L=2048, N=224 and using SHA-1, SHA-256, SHA-384, or SHA-512. DSA with L=2048, N=256 or L=3072, N=256 and using SHA-1, SHA-384, or SHA-512. | Digital signature verification. |
| RSA with keys smaller than 2048 bits or greater than 4096 bits. | Key pair generation, digital signature generation. |
| RSA with keys smaller than 1024 bits or greater than 4096 bits. | Digital signature verification. |
| RSA with keys smaller than 2048 bits. | Key encapsulation. |
| ECDSA with P-192 and P-224 curves, and non-NIST curves (i.e. Ed25519, Curve25519, brainpool and GOST curves). | Key pair generation, domain parameter generation and verification, digital signature generation and verification. |
| ECC-Gost, EdDSA. | Key pair generation, public key validation, signature generation and verification. |
| ElGamal. | Key pair generation, public key validation, signature generation and verification, encryption and decryption. |
| OpenPGP S2K, SCRYPT. | Key derivation. |
| Hash_DRBG and HMAC_DRBG with SHA-384. | Random number generation. |

Table 9: Non-Approved Cryptographic Algorithms

4 Physical Security

The module is comprised of software only and thus does not claim any physical security.
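As an added illustration (not libgcrypt's own code), the following Python models the FIPS-mode approval rules of Tables 7 and 9 for the AES, Triple-DES, RSA, DSA, ECDSA and HMAC services, so an integrator can audit planned calls against them before issuing them; the service names, the `tdes_keys` parameter and the sample request list are constructed for the example.

```python
# Model of the FIPS-mode approval rules in Tables 7 and 9 of this policy.
# Added illustration only: not libgcrypt code, and it models a subset of the
# tables (AES, Triple-DES, RSA, DSA, ECDSA, HMAC). The module itself decides
# implicitly per service and key strength (section 1.2); this check lets an
# integrator audit a planned call before making it.

AES_MODES = {"ECB", "CBC", "CFB8", "CFB128", "OFB", "CTR", "CCM", "XTS", "KW", "CMAC"}
AES_KEY_BITS = {128, 192, 256}
AES_XTS_KEY_BITS = {128, 256}                  # Table 7: XTS is 128 or 256 only

RSA_KEYGEN_SIGN_BITS = {2048, 3072, 4096}      # Table 7 / Table 9
RSA_VERIFY_MIN, RSA_VERIFY_MAX = 1024, 4096    # Table 9: verify allows 1024..4096
RSA_ENCAPS_MIN_BITS = 2048                     # Table 8 / Table 9
RSA_SIG_HASHES = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}

# DSA (L, N) pairs and the hashes approved with each, per Table 7.
DSA_KEYGEN = {(2048, 224), (2048, 256), (3072, 256)}
DSA_PARAM_HASHES = {(2048, 224): {"SHA-224"}, (2048, 256): {"SHA-256"}, (3072, 256): {"SHA-256"}}
DSA_SIGN_HASHES = {(2048, 224): {"SHA-224"}, (2048, 256): {"SHA-224", "SHA-256"},
                   (3072, 256): {"SHA-224", "SHA-256"}}
DSA_VERIFY_HASHES = {**DSA_SIGN_HASHES, (1024, 160): {"SHA-1"}}   # legacy verify only

ECDSA_CURVES = {"P-256", "P-384", "P-521"}     # P-192/P-224 and non-NIST curves: Table 9
ECDSA_SIGN_HASHES = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}
ECDSA_VERIFY_HASHES = ECDSA_SIGN_HASHES | {"SHA-1"}

HMAC_HASHES = {"SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512",
               "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"}
HMAC_MIN_KEY_BITS = 112                        # Table 7 / Table 9


def fips_allowed(service, algorithm, *, key_bits=None, hash_alg=None,
                 curve=None, mode=None, dsa=None, tdes_keys=3):
    """True when the request is an approved FIPS-mode service per Tables 7 and 9.

    service: one of encrypt, decrypt, mac, keygen, sign, verify, param_gen,
             param_verify, pubkey_validate, encapsulate (constructed names).
    dsa: the (L, N) pair; tdes_keys: 2 or 3 for the Triple-DES keying option.
    Anything not modelled (e.g. MD5, ChaCha20, EdDSA) is reported as not allowed.
    """
    if algorithm == "AES":
        if mode not in AES_MODES:              # GCM and OCB are non-FIPS only (Table 9)
            return False
        return key_bits in (AES_XTS_KEY_BITS if mode == "XTS" else AES_KEY_BITS)

    if algorithm == "Triple-DES":
        # Tables 5 and 7: two-key Triple-DES may only decrypt; three-key may encrypt and decrypt.
        if service == "decrypt":
            return tdes_keys in (2, 3)
        return service == "encrypt" and tdes_keys == 3

    if algorithm == "RSA":
        if service == "keygen":
            return key_bits in RSA_KEYGEN_SIGN_BITS
        if service == "sign":
            return key_bits in RSA_KEYGEN_SIGN_BITS and hash_alg in RSA_SIG_HASHES
        if service == "verify":
            return (key_bits is not None and RSA_VERIFY_MIN <= key_bits <= RSA_VERIFY_MAX
                    and hash_alg in RSA_SIG_HASHES)
        if service == "encapsulate":
            return key_bits is not None and key_bits >= RSA_ENCAPS_MIN_BITS
        return False

    if algorithm == "DSA":
        if service == "keygen":
            return dsa in DSA_KEYGEN
        table = {"param_gen": DSA_PARAM_HASHES, "param_verify": DSA_PARAM_HASHES,
                 "sign": DSA_SIGN_HASHES, "verify": DSA_VERIFY_HASHES}.get(service)
        return table is not None and hash_alg in table.get(dsa, set())

    if algorithm == "ECDSA":
        if curve not in ECDSA_CURVES:
            return False
        if service in ("keygen", "pubkey_validate"):
            return True
        if service == "sign":
            return hash_alg in ECDSA_SIGN_HASHES
        return service == "verify" and hash_alg in ECDSA_VERIFY_HASHES

    if algorithm == "HMAC":
        return (service == "mac" and hash_alg in HMAC_HASHES
                and key_bits is not None and key_bits >= HMAC_MIN_KEY_BITS)

    return False                               # everything else is Table 9 material


def non_compliant(requests):
    """Return the labels of the requests that would not be approved in FIPS mode."""
    return [label for label, kwargs in requests if not fips_allowed(**kwargs)]


# Constructed sample of planned calls an application might audit.
SAMPLE_REQUESTS = [
    ("disk-xts-256", dict(service="encrypt", algorithm="AES", mode="XTS", key_bits=256)),
    ("aead-gcm", dict(service="encrypt", algorithm="AES", mode="GCM", key_bits=256)),
    ("legacy-2key-tdes-decrypt", dict(service="decrypt", algorithm="Triple-DES", tdes_keys=2)),
    ("legacy-2key-tdes-encrypt", dict(service="encrypt", algorithm="Triple-DES", tdes_keys=2)),
    ("rsa1024-verify", dict(service="verify", algorithm="RSA", key_bits=1024, hash_alg="SHA-256")),
    ("rsa1024-sign", dict(service="sign", algorithm="RSA", key_bits=1024, hash_alg="SHA-256")),
    ("dsa-2048-224-sha256-sign", dict(service="sign", algorithm="DSA", dsa=(2048, 224), hash_alg="SHA-256")),
    ("ecdsa-p256-sha1-verify", dict(service="verify", algorithm="ECDSA", curve="P-256", hash_alg="SHA-1")),
    ("hmac-sha256-64bit-key", dict(service="mac", algorithm="HMAC", hash_alg="SHA-256", key_bits=64)),
]

if __name__ == "__main__":
    for label in non_compliant(SAMPLE_REQUESTS):
        print("not approved in FIPS mode:", label)
```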
5 Operational Environment

This module operates in a modifiable operational environment per the FIPS 140-2 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in Table 3.

The SUSE Linux Enterprise Server operating system is used as the basis of other products which include but are not limited to:

• SLES
• SLES for SAP
• SLED
• SLE Micro

Compliance is maintained for these products whenever the binary is found unchanged.

Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

5.1 Policy

The operating system is restricted to a single operator; concurrent operators are explicitly excluded. The application that requests cryptographic services is the single user of the module.

The ptrace system call, the debugger gdb and strace shall not be used.

6 Cryptographic Key Management

Table 10 summarizes the Critical Security Parameters (CSPs) that are used by the cryptographic services implemented in the module. Key sizes allowed in the approved mode of operation are specified in Table 7 and Table 8.

| Name | Generation | Entry and Output | Zeroization |
|---|---|---|---|
| AES keys | Not applicable. Key material is entered via API parameters. | Keys are passed into the module via API input parameters in plaintext. | gcry_cipher_close(), gcry_free() |
| Triple-DES keys | Not applicable. Key material is entered via API parameters. | Keys are passed into the module via API input parameters in plaintext. | gcry_cipher_close(), gcry_free() |
| HMAC keys | Not applicable. Key material is entered via API parameters. | Keys are passed into the module via API input parameters in plaintext. | gcry_mac_close(), gcry_free() |
| RSA public and private keys | Public and private keys are generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800-90A DRBG. | Keys are passed into the module via API input parameters in plaintext. Keys are passed out of the module via API output parameters in plaintext. | gcry_sexp_release(), gcry_mpi_release(), gcry_free() |
| DSA public and private keys | Public and private keys are generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800-90A DRBG. | Keys are passed into the module via API input parameters in plaintext. Keys are passed out of the module via API output parameters in plaintext. | gcry_sexp_release(), gcry_mpi_release(), gcry_free() |
| ECDSA public and private keys | Public and private keys are generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800-90A DRBG. | Keys are passed into the module via API input parameters in plaintext. Keys are passed out of the module via API output parameters in plaintext. | gcry_sexp_release(), gcry_mpi_release(), gcry_ctx_release(), gcry_mpi_point_release(), gcry_free() |
| Password or passphrase | Not applicable. Key material is entered via API parameters. | The key is passed into the module via API input parameters in plaintext. | gcry_free() |
| Derived key | Generated during the PBKDF. | Keys are passed out of the module via API output parameters in plaintext. | gcry_free() |
| Entropy input string and seed material | Obtained from the NDRNG. | Not applicable; it remains within the logical boundary. | gcry_control(GCRYCTL_TERM_SECMEM) |
| DRBG internal state: V value, C value, key (if applicable) | Derived from entropy input as defined in SP800-90A. | Not applicable; it remains within the logical boundary. | gcry_control(GCRYCTL_TERM_SECMEM) |

Table 10: Life cycle of Keys or CSPs

The following sections describe how CSPs, in particular cryptographic keys, are managed during their life cycle.

6.1 Random Number Generation

The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90A] for the creation of RSA, DSA and ECDSA keys, and for DSA and ECDSA signature generation. In addition, the module provides a Random Number Generation service to calling applications.

The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization; by default the module loads the DRBG using the HMAC_DRBG mechanism with SHA-256 and without prediction resistance. A different DRBG mechanism can be chosen by invoking the gcry_control(GCRYCTL_DRBG_REINIT) function.

The module uses a Non-Deterministic Random Number Generator (NDRNG) as the entropy source for seeding the DRBG. The NDRNG is provided by the operational environment (i.e., the Linux RNG), which is within the module’s physical boundary but outside of the module’s logical boundary. The NDRNG provides at least 128 bits of entropy to the DRBG during initialization (seed) and reseeding (reseed).

The module uses by default /dev/random as the interface for getting entropy from the NDRNG. This default setting can be changed by including the only-urandom keyword in the libgcrypt configuration file (/etc/gcrypt/random.conf); in that case the module gathers entropy from the NDRNG via the getrandom() system call.

The Linux kernel performs conditional self-tests on the output of the NDRNG to ensure that consecutive random numbers do not repeat. The module performs the DRBG health tests as defined in section 11.3 of [SP800-90A].

6.2 Key/CSP Generation

The module provides an SP800-90A-compliant Deterministic Random Bit Generator (DRBG) for the creation of key components of asymmetric keys, and for random number generation. The key generation methods implemented in the module for Approved services in FIPS mode are compliant with [SP800-133] (vendor affirmed).

For generating RSA, DSA and ECDSA keys the module implements asymmetric key generation services compliant with [FIPS186-4]. A seed (i.e. the random value) used in asymmetric key generation is directly obtained from the [SP800-90A] DRBG.

The module generates cryptographic keys whose strengths are modified by available entropy.
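The HMAC_DRBG mechanism with SHA-256, which the module instantiates by default as described above, written out in Python as an added example that is not libgcrypt's code; the `CountingEntropy` class is a constructed stand-in for the NDRNG so the instantiate and reseed behaviour can be observed, and the reseed interval is made configurable only for the demonstration.

```python
# HMAC_DRBG with SHA-256 (SP800-90A section 10.1.2), the mechanism this module
# instantiates by default, modelled in Python as an added illustration.
# Not libgcrypt code. `get_entropy` stands in for the NDRNG of section 6.1;
# the reseed path and the reseed-counter reset are the parts the text describes.
import hashlib
import hmac
import os

OUTLEN = 32                        # SHA-256 output length in bytes
DEFAULT_RESEED_INTERVAL = 1 << 48  # SP800-90A upper bound for HMAC_DRBG


def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class HmacDrbgSha256:
    def __init__(self, get_entropy=os.urandom, nonce=b"", personalization=b"",
                 reseed_interval=DEFAULT_RESEED_INTERVAL):
        self._get_entropy = get_entropy      # os.urandom is only a stand-in for the kernel NDRNG
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        # Instantiate: seed_material = entropy_input || nonce || personalization_string.
        # OUTLEN bytes = 256 bits of entropy input, the security strength of SHA-256.
        self._update(get_entropy(OUTLEN) + nonce + personalization)
        self.reseed_counter = 1

    def _update(self, provided_data):
        """HMAC_DRBG_Update: fold provided_data into the (K, V) state."""
        self.K = _hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = _hmac(self.K, self.V)
        if provided_data:
            self.K = _hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = _hmac(self.K, self.V)

    def reseed(self, additional_input=b""):
        """Pull fresh entropy from the NDRNG stand-in and reset the reseed counter."""
        self._update(self._get_entropy(OUTLEN) + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes, additional_input=b"", prediction_resistance=False):
        """HMAC_DRBG_Generate; reseeds first when PR is requested or the interval is exhausted."""
        if prediction_resistance or self.reseed_counter > self.reseed_interval:
            self.reseed(additional_input)
            additional_input = b""
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = _hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


class CountingEntropy:
    """Constructed, deterministic entropy stand-in that records how often it was called."""
    def __init__(self, seed_byte):
        self.calls = 0
        self.seed_byte = seed_byte

    def __call__(self, n):
        self.calls += 1
        return bytes([self.seed_byte + self.calls]) * n   # constructed; NOT real entropy


def demo(reseed_interval=2):
    """Show determinism and the counter-driven reseed; returns (hex1, hex2, entropy_calls)."""
    src = CountingEntropy(0x10)
    drbg = HmacDrbgSha256(src, nonce=b"nonce", personalization=b"libgcrypt-example",
                          reseed_interval=reseed_interval)
    first = drbg.generate(16).hex()
    second = drbg.generate(16).hex()
    drbg.generate(16)   # third request exceeds the demo interval -> automatic reseed
    return first, second, src.calls


if __name__ == "__main__":
    print(demo())
```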
6.3 Key Transport The module provides the following key transport mechanisms: • Key wrapping using AES-KW. • RSA key encapsulation using private key encryption and public key decryption. According to Table 2: Comparable strengths in [SP 800-57], the key sizes of AES and RSA provide the following security strength in FIPS mode of operation: • AES key wrapping provides between 128 and 256 bits of encryption strength. • RSA key wrapping2 provides between 112 and 256 bits of encryption strength. Note: As the module supports RSA key pairs greater than 2048 bits up to 15360 bits or more, the encryption strength 256 bits is claimed for RSA key encapsulation. 6.4 Key Derivation The module supports password-based key derivation (PBKDF), as a vendor-afrmed security function. The implementation is compliant with option 1a of [SP-800-132]. Keys derived from passwords or passphrases using this method can only be used in storage applications. 6.5 Key/CSP Entry and Output The module does not support manual key entry or intermediate key generation key output. The keys are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form. This is allowed by [FIPS140-2_IG] IG 7.7, according to the “CM Software to/from App Software via GPC INT Path” entry on the Key Establishment Table. 6.6 Key/CSP Storage Symmetric keys, HMAC keys, public and private keys are provided to the module by the calling application via API input parameters, and are destroyed by the module when invoking the appropriate API function calls. 2 Key wrapping” is used instead of “key encapsulation” to show how the algorithm will appear in the certifcate per IG G.13. ©11/23/21 SUSE, LLC / atsec information security. Page 17 of 28 This document can be reproduced and distributed only whole and intact, including this copyright notice. 
The module does not perform persistent storage of keys. The keys and CSPs are stored as plaintext in RAM. The only exception is the HMAC key used for the Integrity Test, which is stored in the module and relies on the operating system for protection.

6.7 Key/CSP Zeroization

The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 10. The zeroization functions overwrite the memory occupied by keys with "zeros" and deallocate the memory with the regular memory deallocation operating system call.

7 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)

The test platforms as shown in Table 3 are compliant to 47 CFR FCC Part 15, Subpart B, Class A (Business use).

8 Self Tests

8.1 Power-Up Tests

The module performs power-up tests when the module is loaded into memory, without operator intervention. Power-up tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the power-up tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the power-up tests are completed successfully.
If any of the power-up tests fails, the module enters the Error state. Subsequent calls to the module will also fail; no further cryptographic operations are possible. If the power-up tests complete successfully, the module will enter the Operational state and will accept cryptographic operation service requests.

In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the Operational state, FALSE if the module is in the Error state.

8.1.1 Integrity Tests

The integrity of the module is verified by comparing an HMAC-SHA-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module. If the HMAC values do not match, the test fails and the module enters the Error state.

8.1.2 Cryptographic Algorithm Tests

The module performs self-tests on all FIPS-Approved cryptographic algorithms supported in the Approved mode of operation, using the Known Answer Tests (KAT) shown in the following table.

Algorithm   Power-Up Tests
AES         KAT AES ECB mode with 128, 192 and 256 bit keys, encryption and decryption (separately tested).
CMAC        KAT AES CMAC with 128, 192 and 256 bit keys, MAC generation.
            KAT Triple-DES CMAC, MAC generation.
DRBG        KAT CTR_DRBG with AES with 128-bit key with DF, with and without PR.
            KAT Hash_DRBG with SHA-256 with and without PR.
            KAT Hash_DRBG with SHA-1 without PR.
            KAT HMAC_DRBG with SHA-256 with and without PR.
DSA         KAT DSA signature generation and verification with L=2048, N=256 and SHA-256 (separately tested).
ECDSA       KAT ECDSA signature generation and verification with P-256 and SHA-256 (separately tested).
HMAC        KAT HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512.
            KAT HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512.
RSA         KAT RSA PKCS#1 v1.5 signature generation and verification with 2048-bit key and SHA-256 (separately tested).
            KAT RSA with 2048-bit key, public key encryption and private key decryption (separately tested).
SHS         KAT SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.
Triple-DES  KAT Triple-DES ECB mode, encryption and decryption (separately tested).

Table 11: Self-Tests

For each KAT, the module calculates the result and compares it with the known value. If the answer does not match the known answer, the KAT fails and the module enters the Error state.

8.2 On-Demand Self-Tests

On-demand self-tests can be invoked by powering off and reloading the module, which causes the module to run the power-up tests again. During the execution of the on-demand self-tests, services are not available and no data output or input is possible.

In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the Operational state, FALSE if the module is in the Error state.

8.3 Conditional Tests

The module performs conditional tests on the cryptographic algorithms, using the Pair-wise Consistency Tests (PCT) shown in the following table. If a conditional test fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output and cryptographic operations are not allowed.

Algorithm              Conditional Tests
DSA key generation     PCT using signature generation and verification with SHA-256.
ECDSA key generation   PCT using signature generation and verification with SHA-256.
RSA key generation     PCT using signature generation and verification with SHA-256.
                       PCT using public encryption and private decryption.

Table 12: Conditional Tests

8.4 Error States

The module enters the Error state with an error message on failure of a power-on self-test or a conditional test. In the Error state, all data output is inhibited and no cryptographic operation is allowed. The error can be recovered from by restarting (i.e. powering off and powering on) the module.

The module enters the Fatal Error state when random numbers are requested in the Error state or when cipher operations are requested on a deallocated handle. In the Fatal Error state the module is aborted and is not available for use. The module needs to be reloaded in order to recover from this state.

9 Guidance

9.1 Crypto Officer Guidance

The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow this Security Policy to configure the operational environment and install the module to be operated as a FIPS 140-2 validated module.

The following RPM packages contain the FIPS validated module:

Processor Architecture   RPM Packages
Intel 64-bit             libgcrypt20-1.8.2-6.49.1.x86_64.rpm

Table 13: RPM packages

9.1.1 Module Installation

The Crypto Officer can install the RPM packages containing the module as listed in Table 13 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.

9.1.2 Operating Environment Configuration

The operating environment needs to be configured to support FIPS, so the following steps shall be performed with root privilege:

1. Install the dracut-fips RPM package:

   # zypper install dracut-fips

2.
Recreate the INITRAMFS image:

   # dracut -f

3. After regenerating the initrd, the Crypto Officer has to append the following parameter to the GRUB_CMDLINE_LINUX_DEFAULT line in the /etc/default/grub configuration file:

   fips=1

4. After editing the configuration file, run the following command to change the setting in the boot loader:

   # grub2-mkconfig -o /boot/grub2/grub.cfg

   If /boot or /boot/efi resides on a separate partition, the kernel parameter boot= must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example:

   # df /boot
   Filesystem     1K-blocks  Used Available Use% Mounted on
   /dev/sda1         233191 30454    190296  14% /boot

   The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended in the aforementioned grub file: "boot=/dev/sda1"

5. Reboot to apply these settings.

Now the operating environment is configured to support FIPS operation. The Crypto Officer should check the existence of the file /proc/sys/crypto/fips_enabled, and verify that it contains the numeric value "1". If the file does not exist or does not contain "1", the operating environment is not configured to support FIPS and the module will not operate properly as a FIPS validated module.

9.2 User Guidance

In order to run in FIPS mode, the module must be operated using the FIPS Approved services, with their corresponding FIPS Approved and FIPS allowed cryptographic algorithms provided in this Security Policy (see section 3.2). In addition, key sizes must comply with [SP800-131A].
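The following added example (not part of this Security Policy or of SUSE's tooling) verifies the outcome of the section 9.1.2 procedure: it parses "df" output the way step 4 does, derives the kernel parameters the GRUB_CMDLINE_LINUX_DEFAULT line must carry, and checks /proc/sys/crypto/fips_enabled; the file paths are the ones the procedure names and nothing here modifies the system.

```python
# Added example, not SUSE/atsec code: read-only checks for the state the
# section 9.1.2 steps are meant to produce. Paths below come from the text.
import re
import subprocess
from pathlib import Path

GRUB_DEFAULT = "/etc/default/grub"
FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"


def boot_device_from_df(df_output: str) -> str:
    """Device column of the first data row of `df <mountpoint>` output."""
    rows = [line.split() for line in df_output.strip().splitlines()[1:]]
    return rows[0][0] if rows and rows[0] else ""


def required_cmdline(boot_dev: str, root_dev: str) -> str:
    """fips=1 is always required; boot=<dev> only when /boot is its own partition."""
    params = ["fips=1"]
    if boot_dev and boot_dev != root_dev:
        params.append(f"boot={boot_dev}")
    return " ".join(params)


def grub_default_params(text: str) -> set:
    """Parameters on the GRUB_CMDLINE_LINUX_DEFAULT line (last assignment wins)."""
    params = set()
    for m in re.finditer(r'^GRUB_CMDLINE_LINUX_DEFAULT="?([^"\n]*)"?\s*$', text, re.M):
        params = set(m.group(1).split())
    return params


def check_grub(text: str, boot_dev: str, root_dev: str) -> list:
    """Required parameters still missing from /etc/default/grub (empty = OK)."""
    present = grub_default_params(text)
    return [p for p in required_cmdline(boot_dev, root_dev).split() if p not in present]


def fips_enabled(path: str = FIPS_ENABLED) -> bool:
    """True only when the file exists and holds exactly '1', as the text requires."""
    p = Path(path)
    return p.is_file() and p.read_text().strip() == "1"


def check_live_system() -> dict:
    """Run the checks on this host (needs df, /etc/default/grub and procfs)."""
    def df(mount: str) -> str:
        return subprocess.run(["df", mount], capture_output=True, text=True).stdout
    boot, root = boot_device_from_df(df("/boot")), boot_device_from_df(df("/"))
    missing = check_grub(Path(GRUB_DEFAULT).read_text(), boot, root)
    return {"fips_enabled": fips_enabled(), "missing_grub_params": missing}
```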
The user can find the documentation at the following location once the module is installed: /usr/share/info/gcrypt.info.gz

9.2.1 Memory Management

The user shall only use the memory management functions provided by the libgcrypt API. Critical security parameters (e.g. keys) which are used as input or output parameters shall be managed using the gcry_malloc_secure(), gcry_calloc_secure() and gcry_free() functions. The function gcry_set_allocation_handler() shall not be used; the user shall not change the libgcrypt memory handlers.

9.2.2 AES XTS

The AES algorithm in XTS mode can only be used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with XTS-AES shall not exceed 2²⁰ AES blocks, that is 16 MB of data. To meet the requirement stated in IG A.9, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical.

9.2.3 Triple-DES Encryption

Data encryption using the same three-key Triple-DES key shall not exceed 2¹⁶ Triple-DES blocks (2 GB of data), in accordance with SP800-67 and IG A.13.

[SP800-67] imposes a restriction on the number of 64-bit block encryptions performed under the same three-key Triple-DES key. When the three-key Triple-DES key is generated as part of a recognized IETF protocol, the module is limited to 2²⁰ 64-bit data block encryptions. This scenario occurs in the following protocols:

• Transport Layer Security (TLS) versions 1.1 and 1.2, conformant with [RFC5246]
• Secure Shell (SSH) protocol, conformant with [RFC4253]
• Internet Key Exchange (IKE) versions 1 and 2, conformant with [RFC7296]

In any other scenario, the module cannot perform more than 2¹⁶ 64-bit data block encryptions. The user is responsible for ensuring the module's compliance with this requirement.

9.2.4 Key Derivation Using SP800-132 PBKDF

The module provides password-based key derivation (PBKDF), compliant with SP800-132.
The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132] and IG D.6, the following requirements shall be met:

• Derived keys shall only be used in storage applications. The Master Key (MK) shall not be used for other purposes. The length of the MK or DPK shall be 112 bits or more.
• A portion of the salt, with a length of at least 128 bits, shall be generated randomly using the SP800-90A DRBG.
• The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. The minimum value shall be 1000.
• Passwords or passphrases used as input for the PBKDF shall not be used as cryptographic keys.
• The length of the password or passphrase shall be at least 20 characters, and it shall consist of lower-case, upper-case and numeric characters. The probability of guessing the value is estimated to be 1/62²⁰ ≈ 10⁻³⁶, which is less than 2⁻¹¹².

The calling application shall also observe the rest of the requirements and recommendations specified in [SP800-132].

10 Mitigation of Other Attacks

10.1 Blinding Against RSA Timing Attacks

RSA is vulnerable to timing attacks.
In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. By default, the module uses the following blinding technique: instead of decrypting x directly, the blinded value y = x·rᵉ mod n is decrypted to y', and the unblinded value x' = y'·r⁻¹ mod n is returned. The blinding value r is a random value with the size of the modulus n.

10.2 Weak Triple-DES Key Detection

There are 64 known Triple-DES keys which are weak because they produce only one, two, or four different subkeys in the subkey scheduling process. The module can detect these weak keys; the calling application shall invoke the gcry_cipher_ctl() function with the PRIV_CIPHERCTL_DISABLE_WEAK_KEY command (this feature is disabled by default).

Appendix A - Glossary and Abbreviations

AES      Advanced Encryption Specification
AES_NI   Intel® Advanced Encryption Standard (AES) New Instructions
CAVP     Cryptographic Algorithm Validation Program
CBC      Cipher Block Chaining
CCM      Counter with Cipher Block Chaining Message Authentication Code
CMAC     Cipher-based Message Authentication Code
CMVP     Cryptographic Module Validation Program
CSP      Critical Security Parameter
CTR      Counter Mode
DES      Data Encryption Standard
DRBG     Deterministic Random Bit Generator
ECB      Electronic Code Book
FIPS     Federal Information Processing Standards Publication
GCM      Galois Counter Mode
HMAC     Hash Message Authentication Code
MAC      Message Authentication Code
NIST     National Institute of Science and Technology
PKCS     Public Key Cryptography Standards
RNG      Random Number Generator
RPM      Red Hat Package Manager
RSA      Rivest, Shamir, Adleman
SHA      Secure Hash Algorithm
SHS      Secure Hash Standard
TDES     Triple-DES
XTS      XEX
         Tweakable Block Cipher with Ciphertext Stealing

Appendix B - References

FIPS140-2      FIPS PUB 140-2 - Security Requirements for Cryptographic Modules
               http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

FIPS140-2_IG   Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, December 3, 2019
               http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

FIPS180-4      Secure Hash Standard (SHS)
               http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

FIPS186-4      Digital Signature Standard (DSS)
               http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

FIPS197        Advanced Encryption Standard
               http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

FIPS198-1      The Keyed Hash Message Authentication Code (HMAC)
               http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf

FIPS202        SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
               https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

PKCS#1         Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
               http://www.ietf.org/rfc/rfc3447.txt

SP800-38A      NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation: Methods and Techniques
               http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf

SP800-38B      NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
               http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf

SP800-38C      NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
               http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf

SP800-38D      NIST
               Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
               http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf

SP800-38E      NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
               http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38e.pdf

SP800-38F      NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
               http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf

SP800-67       NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
               http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-67r1.pdf

SP800-90A      NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators
               http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

SP800-131A     NIST Special Publication 800-131A Revision 1 - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
               http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

SP800-132      NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications
               https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
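Worked example for section 9.2.4 (added here; not libgcrypt's PBKDF implementation): the password, salt, iteration-count and key-length requirements listed there are enforced before PBKDF2-HMAC-SHA-256 derives a Master Key that is used directly as the Data Protection Key (option 1a). The hash choice, the `fixed_salt` parameter and the use of the `secrets` module in place of the module's SP800-90A DRBG are assumptions.

```python
# Added example, not libgcrypt code: the section 9.2.4 requirements as checks
# in front of a PBKDF2 derivation. Limits are the ones the text states; the
# 1/62**20 guessing estimate is recomputed from the text's own figures.
import hashlib
import math
import secrets

MIN_PASSWORD_CHARS = 20
MIN_ITERATIONS = 1000
MIN_RANDOM_SALT_BYTES = 16      # at least 128 randomly generated bits
MIN_KEY_BYTES = 14              # MK/DPK of 112 bits or more


def check_password(pw: str) -> list:
    """Return the 9.2.4 password rules that `pw` violates (empty list = OK)."""
    problems = []
    if len(pw) < MIN_PASSWORD_CHARS:
        problems.append("shorter than 20 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case character")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    return problems


def guess_probability_log2(length: int = 20, alphabet: int = 62) -> float:
    """log2 of the guessing probability 1/alphabet**length; the bar is -112."""
    return -length * math.log2(alphabet)


def derive_dpk(password: str, random_salt: bytes, iterations: int,
               key_len: int = 32, fixed_salt: bytes = b"") -> bytes:
    """Option 1a: the PBKDF2 Master Key is returned as the DPK itself."""
    problems = check_password(password)
    if problems:
        raise ValueError("password: " + ", ".join(problems))
    if len(random_salt) < MIN_RANDOM_SALT_BYTES:
        raise ValueError("random salt portion must be at least 128 bits")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count must be at least 1000")
    if key_len < MIN_KEY_BYTES:
        raise ValueError("DPK must be at least 112 bits")
    # Salt = fixed application portion || random portion; SP800-132 permits both.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), fixed_salt + random_salt,
                               iterations, key_len)


def new_random_salt() -> bytes:
    """Random salt portion; in libgcrypt this comes from the SP800-90A DRBG."""
    return secrets.token_bytes(MIN_RANDOM_SALT_BYTES)
```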
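Worked example for section 10.1 (added here; not libgcrypt's RSA code): the blinding y = x·rᵉ mod n followed by unblinding x' = y'·r⁻¹ mod n, carried through on a constructed textbook-sized key so the equality with the plain private operation can be checked; the key values and the use of `secrets` for r are assumptions, and the key is far too small for any real use.

```python
# Added example, not libgcrypt code: RSA blinding from section 10.1 on a toy key.
# (x * r^e)^d = x^d * r^(e*d) = x^d * r (mod n), so y' * r^-1 = x^d mod n,
# while the exponentiation now runs on y, which an observer cannot relate to x.
import math
import secrets

# Constructed toy key (textbook values): p = 61, q = 53, n = 3233, e = 17.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # 2753


def private_op(c: int, d: int = D, n: int = N) -> int:
    """Plain RSA private operation c^d mod n; its timing depends on c."""
    return pow(c, d, n)


def blinding_factor(n: int) -> int:
    """Random r with 1 < r < n and gcd(r, n) == 1, sized like the modulus."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            return r


def blinded_private_op(x: int, r: int, e: int = E, d: int = D, n: int = N) -> int:
    """Blind x with r, run the private operation on the blinded value, unblind."""
    y = (x * pow(r, e, n)) % n            # y  = x * r^e mod n
    y_prime = pow(y, d, n)                # y' = y^d mod n (on blinded input)
    return (y_prime * pow(r, -1, n)) % n  # x' = y' * r^-1 mod n


def check_blinding(x: int) -> bool:
    """Blinded and plain results agree for a fresh random r."""
    return blinded_private_op(x, blinding_factor(N)) == private_op(x)
```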