| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/14/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy |
| Vendor | SUSE, LLC |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>recovery</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>recovery</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IPSEC<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;SUSE Linux Enterprise Kernel Crypto API Cryptographic Module version 3.3 and 3.4 Version 1.3 Last update: 2024-07-03 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
2.1 2.2 2.2.1 2.2.2 2.3 2.4 2.4.1 2.4.2 2.5 2.6 2.6.1 2.6.2 2.6.3 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No 2.6.4 4.1 4.2 4.3 4.3.1 4.3.2 4.3.3 5.1 5.2 5.3 6.1 6.2 6.3 © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 9.1 9.2 9.3 9.4 9.5 9.6 9.7 10.1 10.2 10.2.1 10.3 10.4 11.1 11.1.1 11.1.2 11.1.3 11.2 11.2.1 11.2.2 11.2.3 11.2.4 11.2.5 © 2024 SUSE, LLC / atsec information security.
| Name | ISO Section | Requirement | Level | ISO/IEC 24759 Section 6. [Number Below] |
|---|---|---|---|---|
| 1 | 1 | General | 1 | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 | |
| 3 | 3 | Cryptographic Module Interfaces | 1 | |
| 4 | 4 | Roles, Services, and Authentication | 1 | |
| 5 | 5 | Software/Firmware Security | 1 | |
| 6 | 6 | Operational Environment | 1 | |
| 7 | 7 | Physical Security | N/A | |
| 8 | 8 | Non-invasive Security | N/A | |
| 9 | 9 | Sensitive Security Parameter Management | 1 | |
| 10 | 10 | Self-tests | 1 | |
| 11 | 11 | Life-cycle Assurance | 1 | |
| 12 | 12 | Mitigation of Other Attacks | N/A | |
| Components | Description | Components | ||
| Version 3.3 | Version 3.3 | Static kernel binary. | ||
| Version 3.3 | Version 3.3 | Integrity check HMAC value for Linux kernel static binary (HMAC file). | ||
| Version 3.3 | Version 3.3 | Cryptographic kernel object files. | ||
| Components | Description | Components | ||
| /usr/lib64/libkcapi/fipscheck | /usr/lib64/libkcapi/fipscheck | Integrity test utility (fipscheck application). | ||
| /usr/lib64/libkcapi/.fipscheck.hmac | /usr/lib64/libkcapi/.fipscheck.hmac | Integrity check HMAC file for integrity test utility (HMAC file). |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module This document is the non-proprietary FIPS 140-3 Security Policy for version 3.3 and 3.4 of the SUSE Linux Enterprise Kernel Crypto API Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. N/A N/A N/A Table 1 - Security Levels © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
2.1 Module Embodiment The SUSE Linux Enterprise Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. 2.2 Module Design, Components, versions The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1 - Cryptographic Boundary 2.2.1 Module Name and Module Version Mapping The output of “uname -r” command will return the module identifier and version number. This command returns either "5.14.21-150400.24.46-default" that maps to module version 3.3 or "5.14.21-150400.15.11-rt" that maps to module version 3.4. 2.2.2 Module Components Table 2 lists the software components of the cryptographic module, which defines its cryptographic boundary. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.
| Name | Operating System | Hardware Platform | Software Version | Processor | Paa Pai | # |
|---|---|---|---|---|---|---|
| 1 | SUSE Linux Enterprise Server 15 SP4 | Supermicro Super Server SYS-6019P-WTR | 3.3 and 3.4 | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 1 |
| 2 | SUSE Linux Enterprise Server 15 SP4 | GIGABYTE R181- Z90-00 | 3.3 and 3.4 | AMD EPYCTM 7371 | With and without AES-NI (PAA) | 2 |
| 3 | SUSE Linux Enterprise Server 15 SP4 | GIGABYTE G242-P32-QZ | 3.3 | ARM Ampere® Altra®Q80-30 | With and without Cryptography Extensions (PAA) | 3 |
| 4 | SUSE Linux Enterprise Server 15 SP4 | IBM z/15 | 3.3 | z15 | With and without CPACF (PAI) | 4 |
| 5 | SUSE Linux Enterprise Server 15 SP4 on PowerVM (VIOS 3.1.4.00) | IBM Power E1080 (9080- HEX) | 3.3 | Power10 | With and without ISA (PAA) | 5 |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 2
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | SUSE Linux Enterprise Server 15SP4 | IBM LinuxONE III LT1 | z15 | With and without CPACF (PAI) | 1 |
| 2 | SUSE Linux Enterprise Micro 5.3 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 2 |
| 3 | SUSE Linux Enterprise Micro 5.3 | GIGABYTE R181-Z90-00 | AMD EPYCTM 7371 | With and without AES-NI (PAA) | 3 |
| 4 | SUSE Linux Enterprise Micro 5.3 | GIGABYTE G242-P32-QZ | ARM Ampere® Altra® Q80-30 | With and without Cryptography Extensions (PAA) | 4 |
| 5 | SUSE Linux Enterprise Micro 5.3 | IBM z/15 | z15 | With and without CPACF (PAI) | 5 |
| 6 | SUSE Linux Enterprise Micro 5.3 | IBM LinuxONE III LT1 | z15 | With and without CPACF (PAI) | 6 |
| 7 | SUSE Linux Enterprise Server for SAP 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 7 |
| 8 | SUSE Linux Enterprise Server for SAP 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCTM 7371 | With and without AES-NI (PAA) | 8 |
| 9 | SUSE Linux Enterprise Server for SAP 15SP4 on PowerVM (VIOS 3.1.4.00) | IBM Power E1080 (9080- HEX) | Power10 | With and without ISA (PAA) | 9 |
| 10 | SUSE Linux Enterprise Desktop 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 10 |
| 11 | SUSE Linux Enterprise Desktop 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCTM 7371 | With and without AES-NI (PAA) | 11 |
| 1 | SUSE Linux Enterprise Micro 5.3 | Supermicro Super Server | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 1 |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 2.4.1 Version 3.3 Vendor Affirmed Operational Environments # 5.3 SYS-6019PWTR 5.3 5.3 5.3 5.3 SYS-6019PWTR E1080 (9080HEX) SYS-6019PWTR Table 4 - Vendor Affirmed Operational Environments for version 3.3 2.4.2 Version 3.4 Vendor Affirmed Operational Environments # © 2024 SUSE, LLC / atsec information security.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 2 | SUSE Linux Enterprise Micro 5.3 | GIGABYTE R181-Z90-00 | AMD EPYCTM 7371 | With and without AES-NI (PAA) | 2 |
| 3 | SUSE Linux Enterprise Real Time 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 3 |
| 4 | SUSE Linux Enterprise Real Time 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCTM 7371 | With and without AES-NI (PAA) | 4 |
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES | Version 3.3: | CBC | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| FIPS197, | A3045, A3053, | keys with 128-256 | ||
| SP800-38A | A3061, A3064, | bits of security | ||
| A3075, A3078, | A3075, A3078, | strength | ||
| AES | Version 3.3: | CBC-CS3 | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| SP800-38A- | A3050, A3059, | keys with 128-256 | ||
| addendum | A3070, A3084, | bits of security | ||
| A3128 | A3128 | strength | ||
| AES | Version 3.3: | CCM | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| SP800-38C | A3045, A3053, | keys with 128-256 | ||
| A3064, A3075, | A3064, A3075, | bits of security | ||
| A3078, A3125, | A3078, A3125, | strength | ||
| AES | Version 3.3: | CFB128 | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| FIPS197, | A3048, A3057, | keys with 128-256 | ||
| SP800-38A | A3068, A3082, | bits of security | ||
| A3128 | A3128 | strength | ||
| AES | Version 3.3: | CMAC | 128, 192, 256-bit | Message authentication code (MAC) |
| SP800-38B | A3045, A3053, | keys with 128-256 | ||
| A3064, A3075, | A3064, A3075, | bits of security | ||
| A3078, A3125, | A3078, A3125, | strength | ||
| AES | Version 3.3: | CTR | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| FIPS197, | A3045, A3053, | keys with 128-256 | ||
| SP800-38A | A3061, A3064, | bits of security | ||
| A3075, A3078, | A3075, A3078, | strength | ||
| AES | Version 3.3: | ECB | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| FIPS197, | A3043, A3044, | keys with 128-256 | ||
| SP800-38A | A3045, A3051, | bits of security | ||
| A3052, A3053, | A3052, A3053, | strength | ||
| AES | Version 3.3: | GCM with external IV | 128, 192, 256-bit | Symmetric decryption |
| SP800-38D | A3045, A3053, | keys with 128-256 | ||
| A3061, A3064, | A3061, A3064, | bits of security | ||
| A3075, A3078, | A3075, A3078, | strength | ||
| AES | Version 3.3: | GCM with internal IV | 128, 192, 256-bit | Symmetric encryption |
| SP800-38D | A3051, A3055, | (RFC4106) | keys with 128-256 | |
| RFC4106 | A3062, A3065, | (IV Gen Mode 8.2.1) | bits of security | |
| A3076, A3079, | A3076, A3079, | strength | ||
| AES | Version 3.3: | GCM with external IV | 128, 192, 256-bit | Symmetric decryption |
| SP800-38D | A3052, A3056, | (RFC4106) | keys with 128-256 | |
| RFC4106 | A3063, A3066, | bits of security | ||
| A3077, A3080, | A3077, A3080, | strength | ||
| AES | Version 3.3: | KW | 128, 192, 256-bit | Key wrapping; Key unwrapping |
| SP800-38F | A3046, A3054, | keys with 128-256 | ||
| A3067, A3081, | A3067, A3081, | bits of security | ||
| A3128 | A3128 | strength | ||
| AES | Version 3.3: | OFB | 128, 192, 256-bit | Symmetric encryption; Symmetric decryption |
| SP800-38A | A3049, A3058, | keys with 128-256 | ||
| A3069, A3083, | A3069, A3083, | bits of security | ||
| A3128 | A3128 | strength | ||
| AES | Version 3.3: | XTS | 128, 256-bit keys | Symmetric encryption and Symmetric decryption (for data storage) |
| SP800-38E | A3045, A3053, | with 128 and 256- | ||
| A3061, A3064, | A3061, A3064, | bits of security | ||
| A3075, A3078, | A3075, A3078, | strength | ||
| CKG SP800- | Vendor | FIPS 186-4 | EC: P-256, P384 | Key generation |
| 133rev2 | Affirmed | keys with 128 and | ||
| DRBG | Version 3.3: | CTR_DRBG: | 128, 192, 256-bit | Deterministic random bit generation |
| SP800- | A3043, A3044, | AES-128, AES-192, | keys with 128, | |
| 90Arev1 | A3045, A3051, | AES-256 with DF, | 192 and 256 bits | |
| A3052, A3053, | A3052, A3053, | with/without PR | of security | |
| A3055, A3056, | A3055, A3056, | strength | ||
| Version 3.3: | Version 3.3: | Hash_DRBG: | N/A | |
| A3043, A3044, | A3043, A3044, | SHA-1, SHA2-256, | ||
| A3045, A3051, | A3045, A3051, | SHA2-384, SHA2-512 | ||
| A3052, A3053, | A3052, A3053, | with/without PR | ||
| A3055, A3056, | A3055, A3056, | HMAC_DRBG: | ³ 112-bit keys | |
| SHA-1, SHA2-256, | SHA-1, SHA2-256, | with 112-256 bits | ||
| SHA2-384, SHA2-512 | SHA2-384, SHA2-512 | of security | ||
| with/without PR | with/without PR | strength | ||
| ECDSA | Version 3.3: | B.4.2 Testing | P-256, P-384 keys | EC Diffie-Hellman key generation |
| FIPS186-4 | A3044 | candidates | with 128 and 192 | |
| Version 3.4: | Version 3.4: | bits of security | ||
| A3089 | A3089 | strength | ||
| ESV | Version 3.3: | CPU Jitter Source | N/A | Random number |
| SP800-90B | E19 | generation | ||
| HMAC | Version 3.3: | SHA-1 | ³ 112-bit keys | Message |
| FIPS198-1 | A3086 | with 112-256 bits | authentication code | |
| Version 3.3: | Version 3.3: | SHA-1, SHA2-224, | of security | (MAC) |
| A3074, A3087, | A3074, A3087, | SHA2-256 | ||
| Version 3.3: | Version 3.3: | SHA-1, SHA2-224, | ||
| A3043, A3044, | A3043, A3044, | SHA2-256, SHA2-384, | ||
| A3045, A3071, | A3045, A3071, | SHA2-512 | ||
| Version 3.3: | Version 3.3: | SHA2-224, SHA2-256 | ||
| Version 3.3 | Version 3.3 | SHA2-224, SHA2-256, | ||
| A3132 | A3132 | SHA2-384, SHA2-512 | ||
| Version 3.3 | Version 3.3 | SHA2-384, SHA2-512 | ||
| Version 3.3: | Version 3.3: | SHA3-224, SHA3-256, | ||
| A3047, A3085, | A3047, A3085, | SHA3-384, SHA3-512 | ||
| KAS ECC- | Version 3.3: | Ephemeral unified | P-256, P-384 keys | EC Diffie-Hellman |
| SSC | A3044 | with 128 and 192 | shared secret | |
| SP800- | Version 3.4: | bits of security | computation | |
| 56Arev3 | strength | |||
| KAS FCC- | Version 3.3: | dhEphem with safe | 2048, 3072, 4096, | Diffie-Hellman shared |
| SSC | A3043 | prime groups | 6144, 8192-bit | secret computation |
| SP800- | Version 3.4: | keys with 112-200 | ||
| 56Arev3 | A3088 | bits of security | ||
| IG D.F 2 (1) | strength | |||
| KTS | Version 3.3: | AES-CCM | 128, 192, 256-bit | Key Wrapping and Unwrapping |
| SP800-38F | A3045, A3053, | keys with 128, | ||
| A3064, A3075, | A3064, A3075, | 192 and 256 bits | ||
| A3078, A3125, | A3078, A3125, | of security | ||
| A3128 | A3128 | strength | ||
| Version 3.3: | Version 3.3: | AES-GCM | 128, 192, 256-bit | |
| Version 3.3: | Version 3.3: | AES-KW | 128, 192, 256-bit | |
| A3046, A3054, | A3046, A3054, | keys with 128-256 | ||
| A3067, A3081, | A3067, A3081, | bits of security | ||
| A3128 | A3128 | strength | ||
| KTS | (AES) | AES-CBC and HMAC- | 128, 256-bit keys | |
| SP800-38F | Version 3.3: | SHA-1 or HMAC-SHA2 | with 128, 256 bits | |
| FIPS140-3 | A3045, A3053, | of security | ||
| IG D.G | A3061, A3064, | strength | ||
| RSA | Version 3.3: | PKCS#1v1.5: | 2048, 3072, 4096- | Integrity test using |
| FIPS186-4 | A3045, A3071, | SHA-1, SHA2-224, | bit keys with 112- | digital signature |
| A3072, A3073, | A3072, A3073, | SHA2-256, SHA2-384, | 149 bits of | verification |
| A3078 | A3078 | SHA2-512 | security strength | |
| Version 3.4: | Version 3.4: | (usage of SHA-1 is | ||
| A3117, A3118 | A3117, A3118 | Use) | ||
| Safe Primes | Version 3.3: | Safe Prime Groups: | 2048, 3072, 4096, | Diffie-Hellman shared |
| ffdhe8192, | ffdhe8192, | bits of security | ||
| MODP-2048, MODP- | MODP-2048, MODP- | strength | ||
| SHA-3 | Version 3.3: | SHA3-224, SHA3-256, | N/A | Message Digest |
| FIPS202 | A3047, A3085, | SHA3-384, SHA3-512 | ||
| SHS | Version 3.3: | SHA-1 | N/A | Message digest |
| FIPS180-4 | A3086 | |||
| Version 3.3: | Version 3.3: | SHA-1, SHA2-224, | ||
| A3074, A3087, | A3074, A3087, | SHA2-256 | ||
| Version 3.3: | Version 3.3: | SHA-1, SHA2-224, | ||
| A3043, A3044, | A3043, A3044, | SHA2-256, SHA2-384, | ||
| A3045, A3071, | A3045, A3071, | SHA2-512 | ||
| Version 3.3: | Version 3.3: | SHA2-224, SHA2-256 | ||
| Version 3.3 | Version 3.3 | SHA2-224, SHA2-256, | ||
| A3132 | A3132 | SHA2-384, SHA2-512 | ||
| Version 3.3 | Version 3.3 | SHA2-384, SHA2-512 |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module # SYS-6019PWTR SYS-6019PWTR Table 5 - Vendor Affirmed Operational Environments for version 3.4 2.5 Modes of Operation of the Module After following the instructions for installation and configuration provided in section 11 the module is pre-configured to be operating in the Approved mode. When the module starts up successfully, after passing all the pre-operational self-test and conditional cryptographic algorithm self-tests (CASTs), the module is operating in the Approved mode of operation. Please see section 4 for the details on service indicator provided by the module that identifies when an approved service is called. If any service from the non-approved services list is called, the module transitions to nonapproved mode automatically. 2.6 Security Functions 2.6.1 Approved Algorithms Table 6 below lists all security functions of the module, including specific key strengths employed for approved services. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A KAS ECCSSC SP80056Arev3 KAS FCCSSC SP80056Arev3 © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A N/A © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 6 - Approved Algorithms 2.6.2 Non-Approved Algorithms Allowed in the Approved Mode of Operation The module does not implement non-approved algorithms allowed in the approved mode of operation. 2.6.3 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The module does not implement non-approved algorithms allowed in the approved mode of operation with no security claimed.. 2.6.4 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 7 lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in Table 11. Algorithm/Functions Use/Function AES-GCM with external IV Symmetric encryption AES-GMAC Message authentication code (MAC) © 2024 SUSE, LLC / atsec information security.
| Name | Use Function |
|---|---|
| RSA | RSA encryption primitive; RSA decryption primitive; RSA signature generation primitive; RSA signature verification primitive |
| ECDSA | ECDSA signature verification primitive |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 7 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation © 2024 SUSE, LLC / atsec information security.
| Name | Physical Port | Logical Interface |
|---|---|---|
| Data Input | API data input parameters from kernel system calls, kernel command line | Data Input |
| Data Output | API output parameters from kernel system calls | Data Output |
| Control Input | API function calls, API control input parameters from kernel system calls, kernel command line | Control Input |
| Status Output | API return values, kernel logs | Status Output |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. All data output via data output interface is inhibited when the module is performing preoperational test or zeroization or when the module enters error state. Table 8 - Ports and Interfaces
1 The control output interface is omitted on purpose because the module does not implement it.
© 2024 SUSE, LLC / atsec information security.
| Name | Roles | Input | Output |
|---|---|---|---|
| Symmetric encryption | Crypto Officer (CO) | Key, plaintext | Ciphertext |
| Symmetric decryption | Key, ciphertext | Plaintext | |
| Random number generation | Number of bits | Random number | |
| Message digest | Message | Digest of the message | |
| Message authentication code (MAC) | Message, key | Message authentication code | |
| Encrypt-then-MAC operation | Message, AES Key, HMAC key | Authenticated message | |
| RSA encryption primitive | Key, plaintext | Ciphertext | |
| RSA decryption primitive | Key, ciphertext | Plaintext | |
| RSA signature generation primitive | Key, hashed message | Signature | |
| RSA signature verification primitive | Key, signature | Hashed message | |
| Key wrapping | Key wrapping key, key to be wrapped | Wrapped key | |
| Key unwrapping | Wrapped key, key unwrapping key | Unwrapped key | |
| EC Diffie-Hellman shared secret computation | Private key, public key from peer | Shared secret | |
| Diffie-Hellman shared secret computation | Private key, public key from peer | Shared secret | |
| EC Diffie-Hellman key generation | Domain parameters | Generated key | |
| Diffie-Hellman key generation using safe primes | Domain parameters | Generated key | |
| Error detection code | None | Code | |
| Data compression | Data to compress | Compressed data | |
| Memory copy operation | Source, destination, offset, amount | Return codes and/or log messages | |
| Show status | None | Return codes and/or log messages | |
| Self-tests | None | Return codes and/or log | |
| Digital signature verification | Message, hash algorithm, public key | Verification result | |
| ECDSA digital signature verification primitive | Key, signature | Hashed message | |
| Module installation and configuration | Configuration parameters | Return codes and/or log | |
| Module initialization | None | None | |
| Show module name and version | None | Name and version information |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
4.1 Roles The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support authentication. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 9 - Roles, Service Commands, Input and Output 4.2 Authentication The module does not support authentication. 4.3 Services The module provides services to the users that assume one of the available roles. All services are shown in Table 10 and Table 11. 4.3.1 Service Indicator The module provides an approved service indicator as specified in the “Indicator” column in Table 10. 4.3.2 Approved Services Table 10 lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). No support of intermediate key generation is provided. The following convention is used to specify access rights to a CSP:
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Symmetric encryption; Symmetric decryption | Perform AES encryption and decryption | CO | AES key | AES-CBC, AES-CBS-CS3, AES-CFB128, AES-CTR, AES-ECB, AES-OFB, AES-XTS | W, E | crypto_skcipher_setkey |
| AES-CCM | AES-CCM | crypto_aead_setkey returns 0 | ||||
| AES-GCM | AES-GCM | crypto_tfm_get_flags has the CRYPTO_TFM_FIPS_COMP LIANCE flag set | ||||
| Random number generation | Generate random numbers | Entropy input | DRBG | W, E | crypto_rng_get_bytes | |
| DRBG seed, DRBG internal state | DRBG seed, DRBG internal state | G, E | ||||
| Message digest | Compute SHA hashes | None | SHA-1, SHA2, SHA3 | N/A | crypto_shash_init returns 0 | |
| Message authenticatio n code (MAC) | Compute HMAC | HMAC key | HMAC | W, E | crypto_shash_init returns | |
| Compute AES- based CMAC | Compute AES- based CMAC | AES key | CMAC with AES | W, E | crypto_cmac_digest_init | |
| Encrypt- then-MAC operation | Perform AES encryption then compute MAC | AES key, HMAC key | AES-CBC, HMAC- [SHA- 1, SHA2] | W, E | crypto_shash_init returns | |
| Key wrapping | Perform AES- based key wrapping | AES key | AES-KW, AES- CCM, AES- GCM | W, E | crypto_skcipher_setkey | |
| Perform AES- based key wrapping and HMAC | Perform AES- based key wrapping and HMAC | AES key, HMAC key | AES-CBC and HMAC | W, E | crypto_skcipher_setkey | |
| Key unwrapping | Perform AES- based key unwrapping | AES key | AES-KW, AES- CCM, AES- GCM | W, E | crypto_skcipher_setkey returns 0 | |
| Perform AES- based key unwrapping and HMAC | Perform AES- based key unwrapping and HMAC | AES key, HMAC key | AES-CBC and HMAC | W, E | crypto_skcipher_setkey returns 0; crypto_shash_init returns 0 | |
| EC Diffie- Hellman shared secret computation | Perform ECDH shared secret computation | EC Diffie- Hellman public, EC Diffie- Hellman private key | EC Diffie- Hellman | W, E | crypto_kpp_compute_sh ared_secret returns 0 | |
| EC Diffie- Hellman shared secret | EC Diffie- Hellman shared secret | G, R | ||||
| Key generation for EC Diffie- Hellman shared secret computation2 | Perform ECDH key generation | Module- generated EC Diffie-Hellman public key, Module- generated EC Diffie-Hellman private key | Generation per Section 5.6.1.2 of SP800- 56Arev3 exclusively for EC Diffie- Hellman | E, G, R | crypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0 | |
| Diffie- Hellman shared secret computation | Perform DH shared secret computation | Diffie-Hellman public key, Diffie-Hellman private key | Diffie- Hellman | W, E | crypto_kpp_compute_sh ared_secret returns 0 | |
| Diffie-Hellman shared secret | Diffie-Hellman shared secret | G, R | ||||
| Diffie- Hellman key generation using safe primes | Perform DH key generation | Module- generated Diffie-Hellman public key, Module- generated private key | Generation per Section 5.6.1.1 of SP800- 56Arev3 exclusively for Diffie- Hellman | E, G, R | crypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0 | |
| Error detection code | Detect, report, correct memory errors with crc32c3, 3 crct10dif | CO | None | N/A | N/A | Implicit (always approved) |
| Data compression | Compress data with deflate3 , lz43, lz4hc3, lzo3, zlib3, 8423 | None | N/A | N/A | Implicit (always approved) | |
| Memory copy operation | Copy memory | None | N/A | N/A | Implicit (always approved) | |
| Show status | Show module status | None | N/A | N/A | Implicit (always approved) | |
| On-Demand Self-tests | Perform self- tests on demand | None | AES, CMAC, SHS, SHA-3, HMAC, DRBG, EC Diffie- Hellman, Diffie- Hellman, RSA, DRBG | N/A | Implicit (always approved) | |
| Module installation and configuration | Install and configure module | None | N/A | N/A | Implicit (always approved) | |
| Module initialization | Initialize module | None | N/A | N/A | Implicit (always approved) | |
| Show status | Show module status | None | N/A | N/A | Implicit (always approved) | |
| Show module name and version | Show module name and version | None | N/A | N/A | Implicit (always approved) | |
| Symmetric encryption | Perform AES-GCM encryption using external IV | CO | AES | |||
| Message authentication code (MAC) | Perform message authentication code (MAC) using AES-GMAC | |||||
| RSA encryption primitive | Compute RSA cipher | RSA | ||||
| RSA decryption primitive | Compute plaintext from RSA cipher | |||||
| RSA signature generation primitive | Sign using RSA | |||||
| RSA signature verification primitive | Verify RSA-based signatures |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module W, E N/A W, E W, E W, E W, E G, E Encryptthen-MAC CCM, AESGCM W, E W, E CCM, AESGCM W, E W, E © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module EC DiffieHellman EC DiffieHellman W, E G, R SP80056Arev3 Modulegenerated EC Modulegenerated EC E, G, R DiffiePerform DH DiffieHellman W, E G, R Modulegenerated Modulegenerated E, G, R N/A N/A DiffieHellman key SP80056Arev3 for DiffieHellman N/A
2 The module performs a pairwise consistency test for EC Diffie-Hellman as outlined in section
5.6.2.1.4 of SP 800-56Arev3. This key generation service is for exclusive use of the EC DiffieHellman shared secret computation service.
3 This algorithm does not provide any cryptographic attribute, i.e., its purpose in the module is not
security relevant © 2024 SUSE, LLC / atsec information security.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Memory copy operation | Copy memory | None | N/A | N/A | Implicit (always approved) | |
| Show status | Show module status | None | N/A | N/A | Implicit (always approved) | |
| On-Demand Self-tests | Perform self- tests on demand | None | AES, CMAC, SHS, SHA-3, HMAC, DRBG, EC Diffie- Hellman, Diffie- Hellman, RSA, DRBG | N/A | Implicit (always approved) | |
| Module installation and configuration | Install and configure module | None | N/A | N/A | Implicit (always approved) | |
| Module initialization | Initialize module | None | N/A | N/A | Implicit (always approved) | |
| Show status | Show module status | None | N/A | N/A | Implicit (always approved) | |
| Show module name and version | Show module name and version | None | N/A | N/A | Implicit (always approved) | |
| Symmetric encryption | Perform AES-GCM encryption using external IV | CO | AES | |||
| Message authentication code (MAC) | Perform message authentication code (MAC) using AES-GMAC | |||||
| RSA encryption primitive | Compute RSA cipher | RSA | ||||
| RSA decryption primitive | Compute plaintext from RSA cipher | |||||
| RSA signature generation primitive | Sign using RSA | |||||
| RSA signature verification primitive | Verify RSA-based signatures | |||||
| ECDSA signature verification primitive | Verify ECDSA-based signatures | ECDSA |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module N/A N/A N/A N/A EC DiffieHellman, DiffieHellman, N/A N/A N/A N/A N/A N/A N/A Z N/A N/A Table 10 - Approved Services 4.3.3 Table 11 lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-approved mode can be found in Table 7. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Table 11 - Non-Approved Services © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
5.1 Integrity Techniques The module uses the HMAC-SHA2-256 algorithm for the integrity test of the static kernel binary and the fipscheck application. The HMAC calculation is performed by the fipscheck application itself. Additionally, the module uses RSA signature verification with a SHA2-256 message digest and a 2048-bit key for the integrity test of each of the kernel object files loaded during boot-up time. If the integrity values do not match the expected values, the test fails, and the module enters the error state. 5.2 On-Demand Integrity Test Integrity tests are performed as part of the Pre-Operational Self-Tests. The module provides the Self-Test service to perform self-tests on demand. This service performs the same cryptographic algorithm tests executed during power-up. Pre-Operational Self-Tests can also be invoked by calling the kernel_restart() which effectively powers off the module and then reloads the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible. 5.3 Executable Code The module consists of executable code in the form of the files listed in Table 2. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
6.1 Applicability This module operates in a modifiable operational environment per the FIPS 140-3 level 1 specifications. The SUSE Linux Enterprise Server operating system is used as the basis of other products. Compliance is maintained for SUSE products whenever the binary is found unchanged per the vendor affirmation from SUSE based on the allowance FIPS 140-3 management manual [FIPS140-3_MM] section 7.9.1 bullet 1 a i). Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when supported if the specific operational environment is not listed on the validation certificate. 6.2 Policy Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment. 6.3 Requirements The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
The module is comprised of software only, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.
| Name | Strength | Generation | Establishment | Zeroization | Use | Import Export | Security | Stora |
|---|---|---|---|---|---|---|---|---|
| Name/Typ | ment | related | t | Function and | ge | |||
| e | keys | Cert. Number | ||||||
| AES key | 128, 192, 256 | N/A | N/A | Zeroized when freeing the cipher handler | Use: Symmetric encryption; Symmetric decryption; Message authenticati on code (MAC) Related keys: N/A | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | AES-CBC, AES- CBC-CS3, AES- CFB128, AES- CMAC, AES-CTR, AES-ECB, AES- CCM, AES-CMAC, AES-GCM, AES- KW, AES-OFB, AES-XTS, CTR_DRBG A3043, A3044, A3045, A3049, A3050, A3051, A3052, A3053, A3054, A3055, A3056, A3057, A3058, A3059, A3061, A3062, A3063, A3064, A3065, A3066, A3068, A3069, A3070, A3075, A3076, A3077, A3078, A3079, A3080, A3082, A3083, A3084, A3088, A3089, A3090, A3093, A3094, A3095, A3096, A3097, A3098, A3099, A3100, A3101, A3102, A3103, A3104, A3106, A3107, A3108, A3109, A3110, A3111, A3113, A3115, A3125, A3128, A3129, A3130, A3131 | RAM |
| HMAC key | 112 to 256 | N/A | N/A | Zeroized when freeing the cipher handler | Use: Message authenticati on code (MAC) Related keys: N/A | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | HMAC A3043, A3044, A3045, A3047, A3071, A3072, A3073, A3074, A3078, A3085, A3086, A3087, A3088, A3089, A3090, A3092, A3116, A3117, A3118, A3119, A3125, A3126, A3127, A3131, A3132 | RAM |
| Name/Typ | ment | related | t | Function and | ge | |||
| e | keys | Cert. Number | ||||||
| Entropy input IG D.L compliant | 192 to 384 | Obtained from the SP800-90B entropy source | N/A | Zeroized when freeing the cipher handler | Use: Random number generation Related keys: DRBG seed | Import/Expor t: N/A; it remains within the cryptographic boundary. | ESV E19, E20 | RAM |
| DRBG seed IG D.L compliant | 192 to 384 | Derived from the entropy input as defined in SP800-90Arev1 | N/A | Zeroized when freeing the cipher handler | Use: Random number generation Related keys: Entropy input, DRBG internal state | Import/Expor t: N/A; it remains within the cryptographic boundary. | CTR_DRBG A3043, A3044, A3045, A3051, A3052, A3053, A3055, A3056, A3061, A3062, A3063, A3064, A3065, A3066, A3075, A3076, A3077, A3078, A3079, A3080, A3088, A3089, A3090, A3096, A3097, A3098, A3100, A3101, A3106, A3107, A3108, A3109, A3110, A3111, A3128, A3129, A3130 Hash_DRBG, HMAC_DRBG A3043, A3044, A3045, A3051, A3052, A3053, A3055, A3056, A3061, A3062, A3063, A3064, A3065, A3066, A3071, A3072, A3073, A3076, A3077, A3078, A3079, A3080, A3088, A3089, A3090, A3096, A3097, A3098, A3100, A3101, A3106, A3107, A3108, A3109, A3110, A3111, A3116, A3117, A3118, A3129, A3130 | RAM |
| DRBG internal state (V, C or key) IG D.L compliant | 128 to 256 | Computed as defined in SP800-90Arev1 | N/A | Zeroized when freeing the cipher handler | Use: Random number generation Related keys: DRBG seed | Import/Expor t: N/A; it remains within the cryptographic boundary | RAM | |
| Module- generated EC Diffie- Hellman public key | 128, 192 | Generated using the FIPS 186-4 key generation method, random values are obtained from the SP800 90Arev1 DRBG | N/A | Zeroized when freeing the cipher handler | Use: EC Diffie- Hellman key generation Related keys: Module- generated EC Diffie- Hellman private key | Import: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. | KAS ECC-SSC A3044, A3089 | RAM |
| Name/Typ | ment | related | t | Function and | ge | |||
| e | keys | Cert. Number | ||||||
| Module- generated EC Diffie- Hellman private key | 128, 192 | Generated using the FIPS 186-4 key generation method, random values are obtained from the SP800 90Arev1 DRBG | N/A | Zeroized when freeing the cipher handler | Use: EC Diffie- Hellman key generation, EC Diffie- Hellman shared secret computatio n Related keys: Module- generated EC Diffie- Hellman pubilc key | Import: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. | KAS ECC-SSC A3044, A3089 | RAM |
| EC Diffie- Hellman public key | 128, 192 | N/A | N/A | Zeroized when freeing the cipher handler | Use: EC Diffie- Hellman shared secret computatio n Related keys: EC Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | KAS ECC-SSC A3044, A3089 | RAM |
| EC Diffie- Hellman private key | 128, 192 | N/A | N/A | Zeroized when freeing the cipher handler | Use: EC Diffie- Hellman shared secret computatio n Related keys: EC Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | KAS ECC-SSC A3044, A3089 | RAM |
| Module- generated Diffie- Hellman public key | 128 to 200 | Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG. | N/A | Zeroized when freeing the cipher handler | Use: Key generation Related keys: Module- generated Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | KAS FFC-SSC A3043, A3088 | RAM |
| Name/Typ | ment | related | t | Function and | ge | |||
| e | keys | Cert. Number | ||||||
| Module- generated Diffie- Hellman private key | 128 to 200 | Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG. | N/A | Zeroized when freeing the cipher handler | Use: Key generation Related keys: Module- generated Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | KAS FFC-SSC A3043, A3088 | RAM |
| Diffie- Hellman public key | 128 to 200 | Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG. | N/A | Zeroized when freeing the cipher handler | Use: Diffie- Hellman shared secret computatio n Related keys: Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | KAS FFC-SSC A3043, A3088 | RAM |
| Diffie- Hellman private key | 128 to 200 | Public and private keys are generating using the SP 800-56Arev3 Safe Primes key generation method, random values are obtained from the SP800-90Arev1 DRBG. | N/A | Zeroized when freeing the cipher handler | Use: Diffie- Hellman shared secret computatio n Related keys: Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: N/A | KAS FFC-SSC A3043, A3088 | RAM |
| EC Diffie- Hellman Shared secret | 112 to 200 | N/A | Computed during the EC Diffie Hellman shared secret computati on according to SP 800- 56Arev3. | Zeroized when freeing the cipher handler | Use: EC Diffie- Hellman shared secret computatio n Related keys: EC Diffie- Hellman public key, EC Diffie- | Import: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. | KAS ECC-SSC A3044, A3089 | RAM |
| Name/Typ | ment | related | t | Function and | ge | |||
| e | keys | Cert. Number | ||||||
| Diffie- Hellman Shared secret | 112 to 200 | N/A | Computed during the Diffie Hellman shared secret computati on according to SP 800- 56Arev3. | Zeroized when freeing the cipher handler | Use: Diffie- Hellman shared secret computatio n Related keys: Diffie- Hellman public key, Diffie- Hellman private key | Import: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. | KAS FFC-SSC A3043, A3088 | RAM |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
Table 12 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic e N/A t N/A N/A © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e t N/A Modulegenerated EC DiffieHellman DiffieHellman Modulegenerated EC DiffieHellman © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e Modulegenerated EC DiffieHellman N/A t DiffieHellman EC DiffieHellman n Modulegenerated EC DiffieHellman EC DiffieHellman N/A N/A DiffieHellman EC DiffieHellman N/A N/A N/A DiffieHellman n DiffieHellman Modulegenerated DiffieHellman DiffieHellman n Modulegenerated DiffieHellman © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e Modulegenerated DiffieHellman DiffieHellman DiffieHellman EC DiffieHellman t N/A N/A N/A N/A Use: DiffieHellman n Modulegenerated DiffieHellman DiffieHellman Use: DiffieHellman n DiffieHellman DiffieHellman n DiffieHellman © 2024 SUSE, LLC / atsec information security.
| Name | Key Size | ||
|---|---|---|---|
| Details | Entropy Sources | Minimum number of bits of | |
| The CPU jitter is used as a SP800-90B- compliant entropy source. | At least 256 bits of entropy in the 384-bit output | ESV certs. version 3.3: E19 version 3.4: E20 |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module e t DiffieHellman N/A Use: DiffieHellman n DiffieHellman DiffieHellman Table 12 - SSPs 9.1 The module employs the Deterministic Random Bit Generator (DRBG) based on [SP800-90Arev1] for the random number generation. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The module performs the DRBG health tests as defined in section 11.3 of The entropy source is tested with RCT and APT Health tests as required by section 4 of [SP 80090B]. The DRBG is seeded with (DRBG_security_strength * 1.5) bits of random data from the CPU initialization (seed) and reseeding, the entropy source provides the required amount of entropy to meet the security strength of the respective DRBG methods. The module uses the entropy source specified in Table 13. Table 13 - Non-Deterministic Random Number Generation Specification 9.2 generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4], [SP800-56Arev3] and section 4 and 5.1 of [SP800-133rev2]. The random value used in asymmetric key generation is directly obtained from the [SP800-90Arev1] DRBG. This key generation method is used exclusively by the EC Diffie-Hellman algorithm and provides support for compliant with [SP 800-56Arev3] and generates keys using safe primes defined in RFC7919 and RFC3526. In accordance with FIPS140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys per SP800-133rev2 section 4 and 5 (vendor affirmed). © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 9.3 Key Agreement The module provides Diffie-Hellman and EC Diffie-Hellman shared secret computation compliant with [SP800- 56Arev3] in accordance with scenario 2 (1) of IG D.F, CAVP-tested compliance with the derivation of a shared secret Z for Diffie-Hellman and EC Diffie-Hellman (section 6 of SP 80056Arev3).
| Algorithm | Condition | Test |
|---|---|---|
| AES | Power up | KATs for AES in ECB, CBC, CTR, GCM, CCM and XTS modes using 128- 192- and 256-bit key size; encryption and decryption are performed separately. |
| CMAC | Power up | KATs AES CMAC with 128-, 192- and 256-bits keys, MAC generation. |
| SHS | Power up | KATs SHA-1, SHA2-224, SHA2-256, SHA2-384 and SHA2-512. |
| SHA-3 | Power up | KATs SHA3-224, SHA3-256, SHA3-384 and SHA3-512. |
| HMAC | Power up | KATs HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC- SHA2-384, HMAC2-SHA-512. KATs HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC- SHA3-512. |
| DRBG | Power up | KAT CTR_DRBG with AES with 128-bit key with DF, with and without PR. KAT CTR_DRBG with AES with 192, 256-bit key with DF, without PR. KAT Hash_DRBG with SHA-256 with and without PR. KAT HMAC_DRBG with SHA-256 with and without PR. KAT HMAC_DRBG with SHA-512 without PR. |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
The module performs the pre-operational and conditional cryptographic algorithms self-tests automatically when the module is loaded into memory. These self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the pre-operational and the conditional cryptographic algorithms self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the self-tests are completed successfully. If any of the self-tests fails, an error message is returned and the module transitions to error state.
The module performs a pre-operational software integrity test automatically when the module is powered on before the module transitions into the operational state. The details on the integrity
Table 14 lists the cryptographic algorithm self-tests (CASTs). The CASTs include the KATs for the integrity mechanism that is run prior to performing the integrity test. The details of the integrity Each KAT includes comparison of the calculated output with the expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. After the pre-operational and conditional cryptographic algorithms self-tests succeed, a success message is recorded in the dmesg log, and the module becomes operational. © 2024 SUSE, LLC / atsec information security.
| Algorithm | Condition | Test |
|---|---|---|
| EC Diffie- Hellman | Power up | KAT EC Diffie-Hellman primitive “Z” computation with P-256 curve. |
| Diffie- Hellman | Power up | KAT Diffie-Hellman primitive “Z” computation with MODP-2048 and ffdhe3072. |
| RSA | Power up | KAT RSA signature verification with 2048-bit key and SHA-256 |
| DRBG | Power up | DRBG health tests as specified in Section 11.3 of SP 800-90Arev1. |
| Error State | Cause of Error | Status Indicator |
|---|---|---|
| Error state | Failure of pre-operational tests or conditional tests. Failure of Entropy source Health Tests Failure of PCT tests. | Kernel panic |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module EC DiffieHellman DiffieHellman Table 14
Conditional pair-wise consistency tests are performed during operational state of the module when the respective cryptographic functions are used. If any of the conditional Pair-Wise Consistency (PCT) tests fails, the module transitions to the error state. The module performs PCT tests for
On-demand self-tests can be invoked by powering-off and reloading the module which cause the module to run the pre-operational and conditional cryptographic algorithms self-tests. On-demand self-tests can also be invoked by calling kernel_restart() function which effectively powers off the module and then reloads the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible.
When the module fails any pre-operational self-test or conditional test, the module will indicate an error has occurred and will enter the Error state. Any further cryptographic operation is inhibited. In the Error state, all data output is inhibited, and no cryptographic operations are allowed. The error can be recovered by a restart (i.e., powering off and powering on) of the module. The following table shows the error codes and the corresponding condition: Table 15 - Error States © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
The Crypto Officer can install the RPM packages containing the module as listed in Table 17 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.
The operating environment needs to be configured to support FIPS, so the following steps shall be performed with the root privilege:
Environments Table 16 below includes the installation process for the Vendor Affirmed Operational Environments found in section 2.4.1 and section 2.4.2 above. © 2024 SUSE, LLC / atsec information security.
| Name | Processor | Package |
|---|---|---|
| Architecture | Architecture | |
| x86_64 | x86_64 | dracut-fips-055+suse.252.g4988b0bf-150400.1.8.rpm kernel-default-5.14.21-150400.24.46.1.rpm kernel-rt-5.14.21-150400.15.11.1.rpm (for x86_64 processors architecture) libkcapi-tools-0.13.0-1.114.rpm |
| aarch64 | aarch64 | |
| z15 | z15 | |
| Power10 | Power10 |
| Operating System | Product Link | |
|---|---|---|
| SUSE Linux Enterprise Micro 5.3 | https://documentation.suse.com/sle-micro/5.3/single-html/SLE- Micro-security/#sec-fips-slemicro-install | |
| SUSE Linux Enterprise Server for SAP 15SP4 | https://documentation.suse.com/sles/15-SP4/html/SLES-all/book- security.html | |
| SUSE Linux Enterprise Desktop 15SP4 | https://documentation.suse.com/sled/15-SP4/html/SLED-all/book- security.html | |
| SUSE Linux Enterprise Real Time 15SP4 | https://documentation.suse.com/sle-rt/15-SP4/ |
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module 5.3 Table 16 - Installation Process for Vendor Affirmed Operational Environments Note: Per section 7.9 in the FIPS 140-3 Management Manual [FIPS140-3_MM], the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.
The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow sections 11.1.1 and 11.1.2 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. The following RPM packages contain the FIPS validated module: Table 17
The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not an Approved service.
In case the module's power is lost and then restored, the key used for the AES GCM encryption or decryption shall be redistributed. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module The GCM with internal IV generation in the approved mode is in compliance with RFC4106 and shall only be used in conjunction with the IPsec stack of the kernel to be compliant with IG C.H scenario 1. Any other usage of GCM encryption is considered as non-Approved. The nonce_explicit part of the IV does not exhaust the maximum number of possible values for a given session key. The design of the IPsec protocol ensures that the nonce_explicit, or counter portion, of the IV will not exhaust all of its possible values. When a GCM IV is used for decryption, the responsibility for the IV generation lies with the party that performs the AES-GCM encryption. The module merely receives the GCM IV and performs the operation. It is not responsible for generating the IV.
Self test failure within the kernel crypto API module will panic the kernel and the operating system will not load and/or halt immediately. Error recovery and return to operational state can be accomplished by rebooting the system. If the failure continues, the Crypto Officer must re-install the software package and make sure to follow all instructions. If the software was downloaded, the package hash value must be verified to confirm a proper download. Please contact SUSE if these steps do not resolve the problem. The kernel dumps self-test success and failure messages into the kernel message ring buffer. Post boot, the messages are moved to /var/log/messages. Use dmesg to read the contents of the kernel ring buffer. The format of the ringbuffer (dmesg) output is: alg: self-tests for %s (%s) passed Typical messages are similar to "alg: self-tests for xts(aes) (xts(aes)) passed" for each algorithm/sub-algorithm type.
To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the Diffie-Hellman and Elliptic Curve Diffie-Hellman shared secret computation algorithms in the context of IETF protocols. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, and the partial public key validation of the peer EC public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3.
As a first step for the secure sanitization, the module needs to be powered off which will erase the SSPs in the volatile memory. Then, the files listed in Table 2 must be deleted using the command “shred -zu <file_name>”. Then, for the actual deprecation, the module will be upgraded to a newer version that is approved. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module
The module does not offer mitigation of other attacks. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DF Derivation Function DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code ISA Instruction Set Architecture KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PR Prediction Resistance RNG Random Number Generator RSA Rivest, Shamir, Adleman SSC Shared Secret Computation SHA Secure Hash Algorithm SHS Secure Hash Standard © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program October 2022 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM FIPS 140-3 Cryptographic Module Validation Program - Management Manual April 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3CMVP%20Management%20Manual.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 https://www.ietf.org/rfc/rfc3394.txt © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 https://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038e.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-56Arev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module SP800-56B Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography March 2019 https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final SP800-56Crev2 Recommendation for Key Derivation through Extraction-thenExpansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57rev5 NIST Special Publication 800-57 Part 1 Revision 5 Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r5.pdf SP800-90Arev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Arev2 NIST Special Publication 800-131A Revision 1- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800132.pdf SP800-133rev2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise Kernel Crypto API Cryptographic Module SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 SUSE, LLC / atsec information security.