| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/10/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | SUSE, LLC |
flowchart LR
%% Deterministic review-risk graph for SUSE Linux Enterprise Libgcrypt Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for SUSE Linux Enterprise Libgcrypt Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;SUSE Linux Enterprise Libgcrypt Cryptographic Module version 3.2 Version 1.1 Last update: 2024-06-19 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 SUSE, LLC / atsec information security corporation.
| # | Section | Page |
|---|
This document is the non-proprietary FIPS 140-3 Security Policy for version 3.2 of the SUSE Linux Enterprise Libgcrypt Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. ISO/IEC 24759 FIPS 140-3 Section Title Security Level Section 6. [Number Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-cycle Assurance 1
12 Mitigation of Other Attacks 1
Table 1 - Security Levels © 2024 SUSE, LLC / atsec information security corporation.
The SUSE Linux Enterprise Libgcrypt Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module.
The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1
Only if the integrity test passed successfully, the module transitions to the operational state. No operator intervention is required to reach this point. The module operates in the approved mode of operation by default and can only transition into the non-approved mode by calling one of the nonapproved services listed in Table 10. Please see section 4 for the details on service indicator provided by the module that identifies when an approved service is called.
The module has been tested on the following platforms with the corresponding module variants and configuration options: # Operating System Hardware Processor PAA/Acceleration Platform
1 SUSE Linux Enterprise Server 15 Supermicro Intel® Xeon® With and without AES-NI
SP4 Super Server Silver 4215R (PAA) SYS-6019P-WTR
2 SUSE Linux Enterprise Server 15 GIGABYTE AMD EPYCÔ With and without AES-NI
3 SUSE Linux Enterprise Server 15 GIGABYTE ARM With and without
SP4 G242-P32-QZ Ampere® Cryptography Extensions Altra® Q80-30 (PAA)
4 SUSE Linux Enterprise Server 15 IBM z/15 z15 With and without CPACF
5 SUSE Linux Enterprise Server 15 IBM Power Power10 With and without ISA
SP4 on PowerVM (VIOS 3.1.4.00) E1080 (9080- (PAA) HEX) Table 3 - Tested Operational Environments
In addition to the platforms listed in Table 3, SUSE has also tested the module on the platforms in Table 4, and claims vendor affirmation on them. Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. # Operating System Hardware Processor PAA/Acceleration platform
1 SUSE Linux Enterprise Server IBM LinuxONE III LT1 z15 With and without
2 SUSE Linux Enterprise Micro 5.3 Supermicro Super Intel® Xeon® With and without
Server SYS-6019P- Silver 4215R AES-NI (PAA) WTR © 2024 SUSE, LLC / atsec information security corporation.
# Operating System Hardware Processor PAA/Acceleration platform
3 SUSE Linux Enterprise Micro 5.3 GIGABYTE R181- AMD EPYCÔ With and without
4 SUSE Linux Enterprise Micro 5.3 GIGABYTE G242- ARM With and without
P32-QZ Ampere® Cryptography Altra® Q80-30 Extensions (PAA)
5 SUSE Linux Enterprise Micro 5.3 IBM z/15 z15 With and without
6 SUSE Linux Enterprise Micro 5.3 IBM LinuxONE III LT1 z15 With and without
7 SUSE Linux Enterprise Server for Supermicro Super Intel® Xeon® With and without
SAP 15SP4 Server SYS-6019P- Silver 4215R AES-NI (PAA) WTR
8 SUSE Linux Enterprise Server for GIGABYTE R181- AMD EPYCÔ With and without
SAP 15SP4 Z90-00 7371 AES-NI (PAA)
9 SUSE Linux Enterprise Server for IBM Power E1080 Power10 With and without
SAP 15SP4 (9080-HEX) ISA (PAA)
10 SUSE Linux Enterprise Base Supermicro Super Intel® Xeon® With and without
Container Image 15SP4 Server SYS-6019P- Silver 4215R AES-NI (PAA) WTR
11 SUSE Linux Enterprise Base GIGABYTE R181- AMD EPYCÔ With and without
Container Image 15SP4 Z90-00 7371 AES-NI (PAA)
12 SUSE Linux Enterprise Base GIGABYTE G242- ARM With and without
Container Image 15SP4 P32-QZ Ampere® Cryptography Altra® Q80-30 Extensions (PAA)
13 SUSE Linux Enterprise Base IBM z/15 z15 With and without
Container Image 15SP4 CPACF (PAI)
14 SUSE Linux Enterprise Base IBM LinuxONE III LT1 z15 With and without
Container Image 15SP4 CPACF (PAI)
15 SUSE Linux Enterprise Base IBM Power E1080 Power10 With and without
Container Image 15SP4 (9080-HEX) ISA (PAA)
16 SUSE Linux Enterprise Desktop Supermicro Super Intel® Xeon® With and without
15SP4 Server SYS-6019P- Silver 4215R AES-NI (PAA) WTR
17 SUSE Linux Enterprise Desktop GIGABYTE R181- AMD EPYCÔ With and without
15SP4 Z90-00 7371 AES-NI (PAA)
18 SUSE Linux Enterprise Real Time Supermicro Super Intel® Xeon® With and without
15SP4 Server SYS-6019P- Silver 4215R AES-NI (PAA) WTR © 2024 SUSE, LLC / atsec information security corporation.
# Operating System Hardware Processor PAA/Acceleration platform
19 SUSE Linux Enterprise Real Time GIGABYTE R181- AMD EPYCÔ With and without
15SP4 Z90-00 7371 AES-NI (PAA) Table 4 - Vendor-Affirmed Operational Environments
Table 5 below lists all security functions of the module, including specific key strengths employed for approved services, and implemented modes of operation. The following are allowed for legacy use only: Digital signature verification using ECDSA with a SHA-1. CAVP Cert Algorithm Mode / Method Description / Key Use / Function and Standard Size(s) / Key Strength(s) A3022 A3023 AES CBC 128, 192, 256-bit keys Symmetric encryption; A3025 A3026 FIPS197, SP800- with 128-256 bits key Symmetric decryption 38A strength AES CFB8, CFB128 128, 192, 256-bit keys Symmetric encryption; FIPS197, with 128-256 bits key Symmetric decryption SP800-38A strength AES CCM 128, 192, 256-bit keys Key wrapping; Key SP800-38C with 128-256 bits key unwrapping strength AES CMAC 128, 192, 256-bit keys Message authentication SP800-38B with 128-256 bits key code (MAC) strength AES CTR 128, 192, 256-bit keys Symmetric encryption; FIPS197, with 128-256 bits key Symmetric decryption SP800-38A strength AES ECB 128, 192, 256-bit keys Symmetric encryption; FIPS197, with 128-256 bits key Symmetric decryption SP800-38A strength AES KW 128, 192, 256-bit keys Key wrapping; Key FIPS197, with 128-256 bits key unwrapping SP800-38F strength AES OFB 128, 192, 256-bit keys Symmetric encryption; FIPS197, with 128-256 bits key Symmetric decryption SP800-38A strength AES XTS 128, 256-bit keys with Symmetric encryption SP800-38E 128 and 256 bits key and symmetric strength decryption (for data storage) © 2024 SUSE, LLC / atsec information security corporation.
CAVP Cert Algorithm Mode / Method Description / Key Use / Function and Standard Size(s) / Key Strength(s) Vendor CKG RSA 2048, 3072, 4096-bit Key generation Affirmed SP 800- FIPS 186-4 keys with 112-149 bits 133Rev2 key strength section 4 ECDSA P-224, P-256, P-384, PIG D.H FIPS 186-4 521 with 112-256 bits key strength A3022 A3023 CTR_DRBG AES-128, AES- 128, 192, 256-bit AES Random number A3025 A3026 192, AES-256 with keys with 128-256 bits generation SP800-90Arev1 DF, with/without key strength PR A3022 A3023 Hash_DRBG SHA-1, SHA-256, N/A A3024 A3025 SP800-90Arev1 SHA-512 A3026 with/without PR A3022 A3023 HMAC_DRBG HMAC-SHA-1, 112 or more-bit HMAC A3024 A3025 SP800-90Arev1 HMAC-SHA-256, keys with 112 bits key A3026 HMAC-SHA-512 strength or greater with/without PR A3022 A3023 ECDSA FIPS 186-4 P-224, P-256, P-384, Key generation A3024 A3025 Appendix B.4.2 P-521 with 112-256 FIPS186-4 A3026 Testing bits key strength Candidates N/A P-224, P-256, P-384, Public key verification P-521 with 112-256 bits key strength SHA-224, SHA- P-224, P-256, P-384, Digital signature 256, SHA-384, P-521 with 112-256 generation SHA-512 bits key strength SHA-1, SHA-224, P-224, P-256, P-384, Digital signature SHA-256, SHA- P-521 with 112-256 verification 384, SHA-512 bits key strength E31 Non-Physical N/A Entropy input with Random number Entropy Source 256-bit strength generation SP 800-90B A3021 A3022 HMAC SHA-1 112 or more-bit keys Message authentication A3023 A3024 with 112 bits key code (MAC) FIPS198-1 A3025 A3026 strength or greater A3027 A3022 A3023 SHA-224, 112 or more-bit keys Message authentication A3024 A3025 SHA-256, SHA- with 112 bits key code (MAC) A3026 384, SHA-512 strength or greater © 2024 SUSE, LLC / atsec information security corporation.
CAVP Cert Algorithm Mode / Method Description / Key Use / Function and Standard Size(s) / Key Strength(s) A3024 A3025 SHA3-224, SHA3- 112 or more-bit keys A3026 256, SHA3-384, with 112 bits key SHA3-512 strength or greater A3022 A3023 KTS AES in KW mode 128, 192, 256-bit keys Key wrapping; Key A3025 A3026 with 128-256 bits key unwrapping SP800-38F SP800-38C strength FIPS IG D.G AES in CCM mode 128, 192, 256-bit keys Key wrapping; Key with 128-256 bits key unwrapping strength A3022 A3023 PBKDF2 Option 1a with Password: N/A; derived Key derivation A3024 A3025 SHA-1, SHA-224, key with 112-256 bits SP800-132 A3026 SHA-256, SHA- key strength 384, SHA-512, SHA3-224, SHA3-256, SHA3384, SHA3-512 A3022 A3023 RSA B.3.3 Random 2048, 3072, 4096 with Key generation A3024 A3025 Probable Primes 112-149 bits key FIPS186-4 A3026 strength PKCS#1v1.5: 2048, 3072, 4096 with Digital signature SHA-224, SHA- 112-149 bits key generation 256, SHA-384, strength SHA-512 PSS: 2048, 3072, 4096 with SHA-224, SHA- 112-149 bits key 256, SHA-384, strength SHA-512 PKCS#1v1.5: 2048, 3072, 4096 with Digital signature SHA-224, SHA- 112-149 bits key verification 256, SHA-384, strength SHA-512 PSS: 2048, 3072, 4096 with SHA-224, SHA- 112-149 bits key 256, SHA-384, strength SHA-512 A3024 A3025 SHA-3 SHA3-224, SHA3- N/A Message digest A3026 256, SHA3-384, FIPS202 SHA3-512, SHAKE-128, SHAKE-256 © 2024 SUSE, LLC / atsec information security corporation.
CAVP Cert Algorithm Mode / Method Description / Key Use / Function and Standard Size(s) / Key Strength(s) A3021 A3022 SHS SHA-1 N/A Message digest A3023 A3024 FIPS180-4 A3025 A3026 A3027 A3022 A3023 SHA-224, SHA- N/A Message digest A3024 A3025 256, SHA-384, A3026 SHA-512 Table 5 - Approved Algorithms
of Operation The module does not implement non-approved algorithms that are allowed in the approved mode of operation.
of Operation with No Security Claimed The module does not implement non-approved algorithms that are allowed in the approved mode of operation.
Mode of Operation Table 6 lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in Table 10. Algorithm/Functions Use/Function AES EAX Symmetric encryption; Symmetric decryption AES GCM Symmetric encryption; Symmetric decryption AES GMAC Message authentication code (MAC) AES OCB Symmetric encryption; Symmetric decryption BLAKE2B-160, BLAKE2B-256, BLAKE2B-384, Message digest BLAKE2B-512, BLAKE2S-128, BLAKE2S-160, BLAKE2S-224, BLAKE2S-256 CRC32 Error detection code ElGamal Key generation GOST R 34.11 Message digest MD4, MD5 Message digest PBKDF2 with non-approved message digest Key derivation algorithms or using input parameters not © 2024 SUSE, LLC / atsec information security corporation.
meeting requirements stated in section 11.2.3 RIPEMD-160 Message digest RSA OAEP Key encapsulation Tiger Message digest SM3, STRIBOG-256, STRIBOG-512 Message digest Whirlpool Message digest Table 6 - Non-Approved Not Allowed in the Approved Mode of Operation © 2024 SUSE, LLC / atsec information security corporation.
As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. All data output via data output interface is inhibited when the module is performing preoperational test or zeroization or when the module enters error state. Logical Interface1 Data that passes over port/interface Data Input API input parameters for data. Data Output API output parameters for data. Control Input API function calls, API input parameters for control input, /proc/sys/crypto/fips_enabled control file. Status Output API return codes, API output parameters for status output. Table 7 - Ports and Interfaces
1 The control output interface is omitted on purpose because the module does not implement it.
© 2024 SUSE, LLC / atsec information security corporation.
The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support authentication. Role Service Input Output Crypto Digital signature generation Private key, message, Signature Officer hash algorithm (CO) Digital signature verification Signature, message, Signature verification result hash algorithm, public key Error detection code None Code Key generation Key size Key pair Key derivation Password or passphrase Derived key Key encapsulation Key encapsulating key, Encapsulated key key to be encapsulated Key unwrapping Wrapped key, key Unwrapped key unwrapping key Key wrapping Key wrapping key, key Wrapped key to be wrapped Message authentication code Message, key Message authentication code (MAC) Message digest Message Message digest On-demand integrity test None Return codes/log messages Public key verification Key Return codes/log messages Random number generation Size Random number Symmetric decryption Ciphertext, key Plaintext Symmetric encryption Plaintext, key Ciphertext Show version N/A Name and version information Show status N/A Module status Self-test N/A Pass/fail results of self-tests Zeroization Any SSP N/A Table 8 - Roles, Service Commands, Input and Output © 2024 SUSE, LLC / atsec information security corporation.
The module provides services to the users that assume one of the available roles. All services are shown in Table 9 and Table 10.
Table 9 lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). The following convention is used to specify access rights to a CSP:
Service Description Approved Keys and/or Roles Access Indicator Security SSPs rights to Functions Keys and/or SSPs Digital Generate a RSA, SHS, DRBG RSA private key W, E rsa_sign and signature signature _gcry_fips_indi generation cator_pk functions returns “0” ECDSA, DRBG, ECDSA private W, E _gcry_fips_indi SHS key cator_pk function returns “0” Digital Verify a signature RSA, SHS RSA public key W, E rsa_verify and signature _gcry_fips_indi verification cator_pk functions returns “0” ECDSA, SHS ECDSA public W, E _gcry_fips_indi key cator_pk function returns “0” Public key Verify a public key ECDSA ECDSA public W, E _gcry_fips_indi verification key cator_pk function returns “0” Random Generate random CTR_DRBG Entropy input W, E drbg_generate number bitstrings function generation DRBG seed E, G returns “0” DRBG Internal W, E, G state (V, Key) Hash_DRBG Entropy input W, E DRBG seed E, G DRBG Internal W, E, G state (V, C) HMAC_DRBG Entropy input W, E DRBG seed E, G DRBG Internal W, E, G state (V, Key) Message digest Compute a SHA-1, SHA-224, N/A N/A _gcry_fips_indi message digest SHA-256, SHA- cator_hash 384, SHA-512, function SHA3-224, returns “0” SHA3-256, SHA3-384, SHA3-512 XOF Compute the SHAKE-128, N/A N/A _gcry_fips_indi output of an XOF SHAKE-256 cator_hash function returns “0” © 2024 SUSE, LLC / atsec information security corporation.
Service Description Approved Keys and/or Roles Access Indicator Security SSPs rights to Functions Keys and/or SSPs Message Compute a MAC HMAC HMAC key W, E _gcry_fips_indi authentication tag cator_mac code (MAC) AES CMAC AES key W, E function returns “0” Key wrapping Perform AES- AES-KW, AES- AES key W, E _gcry_fips_indi based key CCM cator_cipher wrapping function returns “0” Key unwrapping Perform AES- AES-KW, AES- AES key W, E _gcry_fips_indi based key CCM cator_cipher unwrapping function returns “0” Key derivation Derive a key from PBKDF2 Password or W, E _gcry_fips_indi a password passphrase cator_kdf function Derived key G, R returns “0” On demand Perform the HMAC-SHA-256 N/A N/A None integrity test integrity test on demand Other FIPS-related Services Show status Return the N/A N/A CO N/A None module status Zeroization Zeroize all SSPs N/A Any SSP Z Self-tests Perform selft-tests AES, CMAC, AES keys E DRBG, Non- HMAC keys Physical Entropy Source, ECDSA, RSA public key HMAC, RSA, RSA private key SHS, PBKDF2 ECDSA public key See Table 13 for ECDSA private additional key details Intermediate key generation value Password or passphrase Entropy input Derived key E, G DRBG seed DRBG Internal state (V, Key) DRBG Internal state (V, C) Show version Return the name N/A N/A N/A and version information © 2024 SUSE, LLC / atsec information security corporation.
Table 9 - Approved Services Table 10 lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-approved mode can be found in Table 6. Service Description Algorithms Accessed Role Cryptographic Services Symmetric encryption AES encryption using non- AES (GCM, EAX and OCB) CO approved AES modes Symmetric decryption AES decryption using nonapproved AES modes Message authentication code Message authentication AES GMAC (MAC) Key derivation PBKDF2 Key derivation PBKDF2 with non-approved message digest algorithms or using input parameters not meeting requirements stated in section 11.2.3 Key encapsulation Encapsulate a key RSA OAEP Key generation Generate a key pair ElGamal Message digest Message digest using non- MD5, MD4, GOST R 34.11, RIPEMDapproved algorithms 160, Tiger, Whirlpool, SM3, STRIBOG256, STRIBOG-512, BLAKE2B-160, BLAKE2B-256, BLAKE2B-384, BLAKE2B-512, BLAKE2S-128, BLAKE2S-160, BLAKE2S-224 and BLAKE2S-256 Error detection code Error detection code CRC32 Table 10 - Non-Approved Services © 2024 SUSE, LLC / atsec information security corporation.
The integrity of the module is verified by comparing an HMAC-SHA-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module. If the HMAC values do not match, the test fails and the module enters the error state.
Integrity tests are performed as part of the Pre-Operational Self-Tests. The module provides the Self-Test service to perform self-tests on demand which includes the preoperational tests (i.e., integrity test) and cryptographic algorithm self-tests (CASTs). This service can be invoked by using the gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and neither data input nor output is possible. In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke the gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the operational state, FALSE if the module is in the Error state.
The module consists of executable code in the form of libgcrypt file as stated in Table 2. © 2024 SUSE, LLC / atsec information security corporation.
This module operates in a modifiable operational environment per the FIPS 140-3 level 1 specifications. The SUSE Linux Enterprise Server operating system is used as the basis of other products. Compliance is maintained for SUSE products whenever the binary is found unchanged per the vendor affirmation from SUSE based on the allowance FIPS 140-3 management manual section 7.9.1 bullet 1 a i). Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when supported if the specific operational environment is not listed on the validation certificate.
Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment.
The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 SUSE, LLC / atsec information security corporation.
The module is comprised of software only, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security corporation.
This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security corporation.
Table 11 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module. Key/SSP Strengt Security Generation Import/Export Establ Storage Zeroization Use & related Name/ h Function ishme keys Type and Cert. nt Number AES keys AES-XTS: AES-CBC, N/A MD/EE N/A RAM gcry_cipher_clos Use: Symmetric (CSP) 128, 256 AES-CCM, e(), gcry_free() encryption; bits AES-CFB128, Symmetric AES-CFB8, Import: decryption; AES-CMAC, API input Message Rest of AES-CTR, parameters authentication code the AES-KW, From: modes: (MAC); Key AES-OFB, Operator wrapping; Key 128, 192, AES-XTS calling unwrapping
application Related SSPs: N/A A3023 (TOEPP) A3025 To: A3026 Cryptographic HMAC keys 112 or HMAC module N/A RAM gcry_mac_close( Use: Message (CSP) greater A3021 Export: None ), gcry_free() Authentication bits A3022 Code (MAC) A3023 Related SSPs: N/A A3024 A3025 A3026 A3027 RSA public 112, 128, RSA Generated MD/EE N/A RAM gcry_sexp_releas Use: Digital key (PSP) 149 bits A3022 using e(), signature A3023 method Import: gcry_mpi_releas verification; Key A3024 B.3.3 generation API input e(), A3025 specified in parameters gcry_free() Related SSPs: A3026 FIPS 186-4; RSA private key, random From: Intermediate key values are Operator generation value obtained calling RSA 112, 128, from the application N/A RAM gcry_sexp_releas Use: Digital private key 149 bits SP800- (TOEPP) e(), signature (CSP) 90Arev1 To: gcry_mpi_releas generation; Key DRBG. Cryptographic e(), generation module gcry_free() Related SSPs: RSA public key, Export: Intermediate key generation value API output parameters From: Cryptographic module To: Operator calling application (TOEPP) © 2024 SUSE, LLC / atsec information security corporation.
Key/SSP Strengt Security Generation Import/Export Establ Storage Zeroization Use & related Name/ h Function ishme keys Type and Cert. nt Number ECDSA 112, 128, ECDSA Generated MD/EE N/A RAM gcry_sexp_releas Use: Digital public key 192, 256 A3022 using e(), signature (PSP) bits A3023 method gcry_mpi_releas verification; Key A3024 Import: B.4.2 e(), generation; Public A3025 specified in API input A3026 parameters gcry_ctx_release key verification FIPS 186-4; Related SSPs: (), random From: ECDSA private key, values are Operator gcry_mpi_point_r Intermediate key obtained calling elease(), generation value from the application gcry_free() SP800- (TOEPP) ECDSA 112, 128, N/A RAM gcry_sexp_releas Use: Digital 90Arev1 To: private key 192, 256 e(), signature DRBG. Cryptographic (CSP) bits gcry_mpi_releas generation; Key module generation; Public e(), gcry_ctx_release key verification Export: (), Related SSPs: API output ECDSA public key, gcry_mpi_point_r parameters Intermediate key elease(), From: generation value gcry_free() Cryptographic module To: Operator calling application (TOEPP) Intermedia 112-256 CKG SP 800- Import: None N/A RAM Automatic Use: Key te key bits vendor 133r2 Export: None generation generation affirmed Section 4, Related SSPs: value (CSP) 5.1, and 5.2 ECDSA public key, ECDSA private key, RSA public key, RSA private key Password N/A PBKDF2 N/A MD/EE N/A RAM gcry_free() Use: Key derivation or A3022 Related SSPs: passphrase A3023 Import: Derived key (CSP) A3024 A3025 API input A3026 parameters From: Operator calling application (TOEPP) To: Cryptographic module Export: None Derived N/A PBKDF2 SP 800- MD/EE N/A RAM gcry_free() Use: Key derivation key (CSP) A3022 133r2, Related SSPs: A3023 Section 6.2 Import: None Password or A3024 passphrase A3025 Export: A3026 API output parameters From: Cryptographic module © 2024 SUSE, LLC / atsec information security corporation.
Key/SSP Strengt Security Generation Import/Export Establ Storage Zeroization Use & related Name/ h Function ishme keys Type and Cert. nt Number To: Operator calling application (TOEPP) Entropy 256 bits Non-Physical Obtained Import: None N/A RAM gcry_ctrl(GCRYC Use: Random input (CSP) Entropy from Non- TL_TERM_SECME number generation Export: None Source Physical M) Related SSPs: E31 Entropy IG D.L DRBG seed Source Compliant DRBG seed CTR_DRB CTR_DRBG CTR_DRBG Import: None N/A RAM gcry_ctrl(GCRYC Use: Random (CSP) G: 128, A3022 Hash_DRBG TL_TERM_SECME number generation Export: None 192, 256 A3023 HMAC_DRB M) Related SSPs: bits A3025 G IG D.L Entropy input, A3026 Compliant Hash_DB DRBG Internal RG: 128, state (V, Key), Hash_DRBG,
256 bits DRBG Internal
HMAC_DRBG HMAC_D A3022 state (V, C) RBG: A3023 128, 256 A3024 bits A3025 A3026 DRBG CTR_DRBG CTR_DRBG Import: None N/A RAM gcry_ctrl(GCRYC Use: Random Internal A3022 HMAC_DRB TL_TERM_SECME number generation A3023 Export: None state (V, G M) Related SSPs: Key) (CSP) A3025 DRBG seed A3026 IG D.L HMAC_DRBG Compliant A3022 A3023 A3024 A3025 A3026 DRBG Hash_DRBG Hash_DRBG Import: None N/A RAM gcry_ctrl(GCRYC Use: Random Internal A3022 TL_TERM_SECME number generation A3023 Export: None state (V, M) Related SSPs: C) (CSP) A3024 DRBG seed A3025 A3026 IG D.L Compliant Table 11 - SSPs
The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90Arev1] for the creation of RSA and ECDSA keys, RSA and ECDSA signature generation. In addition, the module provides a Random Number Generation service to calling applications. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization; the module loads by default the DRBG using the HMAC_DRBG mechanism with SHA-256 and without prediction resistance. A different DRBG mechanism can be chosen by invoking the gcry_control(GCRYCTL_DRBG_REINIT) function. The module uses an [SP800-90B]-compliant entropy source specified in Table 12. This entropy source is located within the cryptographic boundary. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it, sufficient to provide a DRBG with 256 bits of security strength. © 2024 SUSE, LLC / atsec information security corporation.
Entropy Source Minimum number of Details bits of entropy SP 800-90B compliant 256 bits of entropy in The Libgcrypt CPU Time Jitter RNG version 3.4.0 Non-Physical Entropy 256-bit output entropy source (with SHA-3 as the vetted Source conditioning component) is located within the (ESV cert. E31) module’s cryptographic boundary. Table 12 - Non-Deterministic Random Number Generation Specification
The module provides an [SP800-90Arev1]-compliant Deterministic Random Bit Generator (DRBG) for the creation of key components of asymmetric keys, and random number generation. The Cryptographic Key Generation (CKG) methods implemented in the module for Approved services in approved mode are compliant with section 5.1 of [SP800-133rev2] and with IG C.H. For generating RSA and ECDSA keys the module implements asymmetric key generation services compliant with [FIPS186-4]. A seed (i.e., the random value) used in asymmetric key generation is directly obtained from the [SP800-90Arev1] DRBG.
The module provides the following key transport mechanisms:
The module supports password-based key derivation (PBKDF2). The implementation is compliant with option 1a of [SP-800-132]. Keys derived from passwords or passphrases using this method can only be used in storage applications.
The module does not support direct manual SSP entry or intermediate SSP generation output. The SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry on the Key Establishment Table.
The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. © 2024 SUSE, LLC / atsec information security corporation.
The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 11. Calling gcry_free() will zeroize the SSPs and also invoke the corresponding API functions listed in Table 11 to zeroize SSPs. The zeroization functions overwrite the memory occupied by SSPs with “zeros” and deallocate the memory with the regular memory deallocation operating system call. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. © 2024 SUSE, LLC / atsec information security corporation.
The module performs pre-operational tests automatically when the module is loaded into memory; pre-operational tests ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the pre-operational tests and CASTs, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational tests are completed successfully. After the pre-operational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state.
The module performs the integrity test using HMAC-SHA-256. The details of integrity test are provided in section 5.1.
Table 13 specifies the CASTs performed by the module. All CASTs performed are in the form of the Known Answer Tests (KATs) and are run prior to performing the integrity test. A KAT includes the comparison of a calculated output with an expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. Algorithm Condition Test AES Power on KAT AES ECB mode with 128, 192 and 256-bits keys, encryption, and decryption (separately tested). CMAC Power on KAT AES CMAC with 128-bit key, MAC generation. DRBG Power on KAT CTR_DRBG with AES with 128-bit key with DF, with and without PR. KAT Hash_DRBG with SHA-256 with and without PR. KAT Hash_DRBG with SHA-1 without PR. KAT HMAC_DRBG with HMAC-SHA-256 with and without PR. Health tests according to section 11.3 of [SP800-90Arev1] Non-Physical Power on NIST SP800-90B Entropy source start-up test RCT and APT with Entropy 1024 samples Source Continuous NIST SP800-90B Entropy source continuous test: RCT with Cutoff C = 31; APT with Cutoff C = 325; W = 512 ECDSA Power on KAT ECDSA signature generation and verification with P-256 and SHA-256 (separately tested). HMAC Power on KAT HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA384, HMAC-SHA-512. KAT HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512. © 2024 SUSE, LLC / atsec information security corporation.
Algorithm Condition Test RSA Power on KAT RSA PKCS#1 v1.5 signature generation and verification with 2048-bit key and SHA-256 (separately tested). SHS Power on KAT SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. PBKDF2 Power on KAT PBKDF2 with SHA-1 and SHA-256. Table 13
The module performs the Pair-wise Consistency Tests (PCT) shown in Table 14. If at least one of the tests fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output, and cryptographic operations are not allowed. Algorithm Test ECDSA key generation PCT using signature generation and verification with SHA-256. RSA key generation PCT using signature generation and verification with SHA-256. Table 14 - Pairwise Consistency Test
On-Demand self-tests can be invoked by using gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module which cause the module to run both the pre-operational self-tests and conditional self-tests again. During the execution of the on-demand self-tests, services are not available, and neither data input nor output is possible. In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke the gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the operational state, FALSE if the module is in the Error state.
When the module fails any pre-operational self-test or conditional test, the module will return an error code to indicate the error and will enter the Error state (i.e., Self-test error state). Additionally, when random numbers are requested in the error state or cipher operations are requested on a deallocated handle, the module is aborted, enters the Error state (i.e., Abort error state) and is not available for use. Any further cryptographic operation is inhibited. When the module is in Self-test Error state, the calling application can obtain the module state by calling the gcry_control(GCRYCTL_OPERATIONAL_P) API function. The function returns FALSE to indicate that the module is in the Error state. Otherwise, the function returns TRUE to indicate that the module is in the Operational state. In the Abort Error state the module is aborted and is not available for use, therefore, the module state cannot be obtained. In both Error states, all data output is inhibited, and no cryptographic operation is allowed. The Error states can be recovered by a restart (i.e., powering off and powering on) of the module. The following table shows the error codes and the corresponding condition: Error State Cause of Error Status Indicator Self-test error state Failure of pre-operational tests An error message related to the or conditional tests. cause of the failure. © 2024 SUSE, LLC / atsec information security corporation.
Error State Cause of Error Status Indicator Abort error state Random numbers are requested The module is aborted and is in the error state or cipher not available for use. operations are requested on a deallocated handle. Table 15 - Error States © 2024 SUSE, LLC / atsec information security corporation.
The Crypto Officer can install the RPM packages containing the module as listed in Table 17 using the zypper tool as follows. # zypper install libgcrypt20 # zypper install libgcrypt20-hmac The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.
The operating environment needs to be configured to support FIPS, so the following steps shall be performed with the root privilege:
Table 16 includes the information on module installation process for the vendor affirmed platforms that are listed in Table 4. © 2024 SUSE, LLC / atsec information security corporation.
Product Link SUSE Linux Enterprise Micro 5.3 https://documentation.suse.com/sle-micro/5.3/single-html/SLEMicro-security/#sec-fips-slemicro-install SUSE Linux Enterprise Server https://documentation.suse.com/sles/15-SP4/html/SLESfor SAP 15SP4 all/book-security.html SUSE Linux Enterprise Base https://documentation.suse.com/smart/linux/html/conceptContainer Image 15SP4 bci/index.html SUSE Linux Enterprise Desktop https://documentation.suse.com/sled/15-SP4/html/SLED15SP4 all/book-security.html SUSE Linux Enterprise Real https://documentation.suse.com/sle-rt/15-SP4/ Time 15SP4 Table 16 - Installation for Vendor Affirmed Platforms Note: Per section 7.9 in the FIPS 140-3 Management Manual [FIPS140-3_MM], the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.
For secure sanitization of the cryptographic module, the module must first to be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. The module does not possess persistent storage of SSPs, so further sanitization steps are not required.
The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow sections 11.1.1 and 11.1.2 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. Table 17 lists the RPM packages that contain the FIPS validated module and the OE directory where the components are installed. The "Show version" service returns the value “Libgcrypt version 1.9.4-150400.6.8.1”, which matches the service output and the version information provided in the RPM packages where the module is distributed, and map to version 3.2 of the cryptographic module. Processor Architecture RPM Packages Intel 64-bit libgcrypt20-1.9.4-150400.6.8.1.x86_64.rpm libgcrypt20-hmac-1.9.4-150400.6.8.1.x86_64.rpm AMD 64-bit libgcrypt20-1.9.4-150400.6.8.1.x86_64.rpm libgcrypt20-hmac-1.9.4-150400.6.8.1.x86_64.rpm IBM z15 libgcrypt20-1.9.4-150400.6.8.1.s390x.rpm libgcrypt20-hmac-1.9.4-150400.6.8.1.s390x.rpm © 2024 SUSE, LLC / atsec information security corporation.
Processor Architecture RPM Packages ARMv8 64-bit libgcrypt20-1.9.4-150400.6.8.1.aarch64.rpm libgcrypt20-hmac-1.9.4-150400.6.8.1.aarch64.rpm IBM Power10 64-bit libgcrypt20-1.9.4-150400.6.8.1.ppc64le.rpm libgcrypt20-hmac-1.9.4-150400.6.8.1.ppc64le.rpm Table 17
The user shall only use the memory management functions provided by the libgcrypt API. Critical security parameters (e.g., keys) which are used as input or output parameters shall be managed using the gcry_malloc_secure(), gcry_calloc_secure() and gcry_free() functions. The function gcry_set_allocation_handler() shall not be used; the user shall not change the libgcrypt memory handlers. The use of this API function implies that the cryptographic module is being executed in an invalid configuration.
The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical.
The module provides password-based key derivation (PBKDF2), compliant with SP800-132 and IG D.N. The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132], the following requirements shall be met.
In compliance with IG C.F, the module implements only the approved modulus sizes of 2048, 3072, and 4096 bits for signature generation and verification. Each algorithm was tested, and corresponding certificates can be found detailed in Section 2.6 Approved Algorithms. © 2024 SUSE, LLC / atsec information security corporation.
The module implements blinding Against RSA Timing Attacks. RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. By default, the module uses the following blinding technique: instead of using the RSA decryption directly, a blinded value y = x re mod n is decrypted and the unblinded value x' = y' r−1 mod n returned. The blinding value r is a random value with the size of the modulus n. © 2024 SUSE, LLC / atsec information security corporation.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DF Derivation Function DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code ISA Instruction Set Architecture KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PBKDF2 Password-based Key Derivation Function v2 PCT Pair-wise Consistency Test PKCS Public-Key Cryptography Standards PR Prediction Resistance © 2024 SUSE, LLC / atsec information security corporation.
PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSP Sensitive Security Parameter XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 SUSE, LLC / atsec information security corporation.
Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM FIPS 140-3 Cryptographic Module Validation Program - Management Manual (Draft) December 2022 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/Draft%20FIPS-140-3CMVP%20Management%20Manual%20v1.2%20%5BDec%2023%202022%5 D.pdf FIPS180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a.pdf © 2024 SUSE, LLC / atsec information security corporation.
SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038e.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-90Arev1 NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800132.pdf SP800-133rev2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 SUSE, LLC / atsec information security corporation.