| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/16/2029 |
| Caveat | Interim validation. When operated in approved mode and installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | SUSE LLC |
flowchart LR
%% Deterministic review-risk graph for SUSE Linux Enterprise NSS Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for SUSE Linux Enterprise NSS Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;SUSE Linux Enterprise NSS Cryptographic Module version 3.1 Version 1.1 Last update: 2024-06-25 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 SUSE, LLC / atsec information security.
2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security
© 2024 SUSE, LLC / atsec information security.
© 2024 SUSE, LLC / atsec information security.
This document is the non-proprietary FIPS 140-3 Security Policy for version 3.1 of the SUSE Linux Enterprise NSS Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document.
was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. ISO/IEC 24759 FIPS 140-3 Section Title Security Level Section 6. [Number Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-cycle Assurance 1
12 Mitigation of Other Attacks 1
Table 1 - Security Levels © 2024 SUSE, LLC / atsec information security.
The SUSE Linux Enterprise NSS Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. It provides a C language application program interface (API) designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, IKEv2, PKCS#5, PKCS#7, PKCS#11, PKCS#12, S/MIME, X.509 v3 certificates, and other security standards supporting FIPS 140-3 validated cryptographic algorithms.
The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1
Table 2 lists the software components of the cryptographic module, which defines its cryptographic boundary. Components Description /usr/lib64/libsoftokn3.so PKCS#11 wrapper shared library. /usr/lib64/libsoftokn3.chk DSA signature for libsoftokn3.so. /usr/lib64/libnssdbm3.so NSS database management shared library. /usr/lib64/libnssdbm3.chk DSA signature for libnssdbm3.so. /lib64/libfreeblpriv3.so General purpose cryptographic shared library. /lib64/libfreeblpriv3.chk DSA signature for libfreeblpriv3.so. Table 2
When the module starts up successfully, after passing all the pre-operational and conditional cryptographic algorithms self-tests (CASTs), the module is operating in the approved mode of operation by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 11. Please see section 4.1.1 for details on the service indicator provided by the module that identifies when an approved service has been requested.
The module has been tested on the following platforms with the corresponding module variants and configuration options: # Operating System Hardware Processor PAA/Acceleration Platform
1 SUSE Linux Enterprise Server 15 SP4 Supermicro Intel® Xeon® With and without
Super Server Silver 4215R AES-NI (PAA) SYS-6019PWTR
2 SUSE Linux Enterprise Server 15 SP4 GIGABYTE AMD EPYCÔ With and without
3 SUSE Linux Enterprise Server 15 SP4 GIGABYTE ARM With and without
G242-P32-QZ Ampere® Crypto Extensions Altra® Q80-30 (PAA)
4 SUSE Linux Enterprise Server 15 SP4 IBM z/15 z15 With and without
CPACF (PAI) © 2024 SUSE, LLC / atsec information security.
# Operating System Hardware Processor PAA/Acceleration Platform
5 SUSE Linux Enterprise Server 15 SP4 IBM Power Power10 With and without
on PowerVM (VIOS 3.1.4.00) E1080 (9080- ISA (PAA) HEX) Table 3 - Tested Operational Environments
In addition to the platforms listed in Table 3, SUSE has also tested the module on the platforms in Table 4, and claims vendor affirmation on them. Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. # Operating System Hardware Processor PAA/Acceleration platform
1 SUSE Linux Enterprise IBM LinuxONE III z15 With and without CPACF
Server 15SP4 LT1 (PAI)
2 SUSE Linux Enterprise Micro Supermicro Intel® Xeon® With and without AES-NI
5.3 Super Server Silver 4215R (PAA)
3 SUSE Linux Enterprise Micro GIGABYTE AMD EPYCÔ With and without AES-NI
5.3 R181-Z90-00 7371 (PAA)
4 SUSE Linux Enterprise Micro GIGABYTE ARM Ampere® With and without
5.3 G242-P32-QZ Altra® Q80-30 Cryptography
5 SUSE Linux Enterprise Micro IBM z/15 z15 With and without CPACF
5.3 (PAI)
6 SUSE Linux Enterprise Micro IBM LinuxONE III z15 With and without CPACF
5.3 LT1 (PAI)
7 SUSE Linux Enterprise Supermicro Intel® Xeon® With and without AES-NI
Server for SAP 15SP4 Super Server Silver 4215R (PAA) SYS-6019P-WTR
8 SUSE Linux Enterprise GIGABYTE AMD EPYCÔ With and without AES-NI
Server for SAP 15SP4 R181-Z90-00 7371 (PAA)
9 SUSE Linux Enterprise IBM Power Power10 With and without ISA
Server for SAP 15SP4 E1080 (9080- (PAA) HEX)
10 SUSE Linux Enterprise Base Supermicro Intel® Xeon® With and without AES-NI
Container Image 15SP4 Super Server Silver 4215R (PAA) SYS-6019P-WTR © 2024 SUSE, LLC / atsec information security.
# Operating System Hardware Processor PAA/Acceleration platform
11 SUSE Linux Enterprise Base GIGABYTE AMD EPYCÔ With and without AES-NI
Container Image 15SP4 R181-Z90-00 7371 (PAA)
12 SUSE Linux Enterprise Base GIGABYTE ARM Ampere® With and without
Container Image 15SP4 G242-P32-QZ Altra® Q80-30 Cryptography Extensions (PAA)
13 SUSE Linux Enterprise Base IBM z/15 z15 With and without CPACF
Container Image 15SP4 (PAI)
14 SUSE Linux Enterprise Base IBM LinuxONE III z15 With and without CPACF
Container Image 15SP4 LT1 (PAI)
15 SUSE Linux Enterprise Base IBM Power Power10 With and without ISA
Container Image 15SP4 E1080 (9080- (PAA) HEX)
16 SUSE Linux Enterprise Supermicro Intel® Xeon® With and without AES-NI
Desktop 15SP4 Super Server Silver 4215R (PAA) SYS-6019P-WTR
17 SUSE Linux Enterprise GIGABYTE AMD EPYCÔ With and without AES-NI
18 SUSE Linux Enterprise Real Supermicro Intel® Xeon® With and without AES-NI
Time 15SP4 Super Server Silver 4215R (PAA) SYS-6019P-WTR
19 SUSE Linux Enterprise Real GIGABYTE AMD EPYCÔ With and without AES-NI
Time 15SP4 R181-Z90-00 7371 (PAA) Table 4 - Vendor-Affirmed Operational Environments
Table 5 lists all security functions of the module, including specific key strengths employed for approved services, and implemented modes of operation. The following are allowed for legacy use only: DSA signature verification with L=1024 and N=224. CAVP Cert Algorithm and Mode / Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A3575, A3581, AES CBC 128, 192, 256-bit Symmetric encryption; A3585 SP800-38A keys with 128-256 Symmetric decryption bits of key strength A3577 AES CMAC 128, 192, 256-bit Message SP800-38B keys with 128-256 authentication code bits of key strength (MAC) © 2024 SUSE, LLC / atsec information security.
CAVP Cert Algorithm and Mode / Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A3575, A3581 AES CTR 128, 192, 256-bit Symmetric encryption; SP800-38A keys with 128-256 Symmetric decryption bits of key strength A3580 AES CTS (CS1) 128, 192, 256-bit Symmetric encryption; SP800-38A- keys with 128-256 Symmetric decryption addendum bits of key strength A3575, A3581, AES ECB 128, 192, 256-bit Symmetric encryption; A3582, A3583, SP800-38A keys with 128-256 Symmetric decryption A3585, A3586, bits of key strength A3587 A3575, A3581, AES GCM with 128, 192, 256-bit Symmetric encryption A3582, A3583, SP800-38D internal IV keys with 128-256 A3585, A3586, RFC5288 (8.2.1) bits of key strength A3587 RFC8446 A3575, A3581, AES GCM with 128, 192, 256-bit Symmetric encryption A3582, A3583, SP800-38D internal IV keys with 128-256 A3585, A3586, SP800-90Arev1 (8.2.2) bits of key strength A3587 A3575, A3581, AES GCM with 128, 192, 256-bit Symmetric decryption A3582, A3583, SP800-38D external IV keys with 128-256 A3585, A3586, bits of key strength A3587 A3576 AES KW, KWP 128, 192, 256-bit Key wrapping and SP800-38F keys with 128-256 unwrapping bits of key strength Vendor Affirmed CKG Asymmetric key RSA: 2048, 3072, RSA key generation SP800-133rev2 generation 4096-bit keys with (FIPS-186-4, 112-149 bits of key SP800-90Arev1) strength Asymmetric key EC: P-256, P-384, P- EC key generation generation 521 elliptic curves (FIPS-186-4, with 112-256 bits of SP800-56Arev3, key strength SP800-90Arev1) Asymmetric key Safe Primes: 2048, Safe Primes key generation 3072, 4096, 6144, generation (SP800-56Arev3, 8192-bit keys with SP800-90Arev1) 112-200 bits of key strength Symmetric key AES: 128, 192, 256- Symmetric key generation bit keys with 128- generation © 2024 SUSE, LLC / atsec information security.
CAVP Cert Algorithm and Mode / Method Description / Key Use / Function Standard Size(s) / Key Strength(s) (SP800-90Arev1) 256 bits of key strength HMAC: ³ 112-bit keys with key strength of 112-256 bits A3575, A3582, DRBG Hash_DRBG: N/A Deterministic random A3583, A3584, SP800-90Arev1 SHA-256 without bit generation A3585, A3586, PR A3587, A3588 A3575, A3584, DSA SHA-224, SHA- L=1024, N=160 Digital signature A3588 FIPS186-4 256, SHA-384, L=2048, N=224 verification SHA-512 L=2048, N=256 Integrity test L=3072, N=256 keys with 80-128 of bits key strength A3575, A3584, ECDSA B.4.1 Extra P-256, P-384, P-521 EC Key pair generation A3588 FIPS186-4 Random Bits elliptic curves with EC Public key 128-256 bits of key verification strength SHA-224, SHA- P-256, P-384, P-521 Digital signature 256, SHA-384, elliptic curves with generation SHA-512 128-256 bits of key strength SHA-224, SHA- P-256, P-384, P-521 Digital signature 256, SHA-384, elliptic curves with verification SHA-512 128-256 bits of key strength E28, E29 Non-physical CPU Time Jitter N/A Random number Entropy Source RNG (SHA3-256 generation SP800-90B Conditioning Component) A3575, A3588 HMAC SHA-1 ³ 112-bit keys with Message FIPS198-1 key strength of 112- authentication code A3575, A3584, SHA-224, SHA- 256 bits (MAC) A3588 256 A3575 SHA-384, SHAA3575, A3584, KAS-ECC-SSC ECC P-256, P-384, P-521 EC Diffie-Hellman A3588 SP800-56Arev3 Ephemeral elliptic curves with shared secret Unified Scheme 128-256 bits of key computation strength © 2024 SUSE, LLC / atsec information security.
CAVP Cert Algorithm and Mode / Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A3575, A3584, KAS-FFC-SSC Safe Prime 2048, 3072, 4096, Diffie-Hellman shared A3588 SP800-56Arev3 Groups 6144, 8192-bit keys secret computation (dhEphem): with 112-200 bits of ffdhe2048, key strength ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 A3579 KDF IKE (CVL) HMAC-SHA-1 IKE derived secret Key derivation for SP800-135rev1 HMAC-SHA2-256, with 112 and 200 IKEv1 and IKEv2 HMAC-SHA2-384, bits of key strength HMAC-SHA2-512 A3575, A3584, KDF TLS (CVL) SHA-1 TLS derived secret Key derivation for TLS A3588 SP800-135rev1 with 112 to 256 bits key strength A3575, A3584, TLS v1.2 KDF SHA-256, A3588 (CVL) SHA-384, SP800-135rev1 SHA-512 RFC7627 A3574 KDA HKDF HMAC-SHA2-224, Key derivation for TLS SP800-56Crev1 HMAC-SHA2-256, (only TLS 1.3) HMAC-SHA2-384, HMAC-SHA2-512 A3578 KDF CMAC-AES128, 128 to 4096-bit Key-based key SP800-108 CMAC-AES192, keys with 128-256 derivation CMAC-AES256 in bits of key strength Counter, Feedback and Double-pipeline modes HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 in Counter, Feedback and Double-pipeline modes © 2024 SUSE, LLC / atsec information security.
CAVP Cert Algorithm and Mode / Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A3576 KTS AES KW, KWP 128, 192, 256 Key wrapping and SP800-38F unwrapping A3575, A3588 PBKDF HMAC-SHA-1 112 to 4096 derived Password-based key SP800-132 keys with 112-256 derivation A3575, A3584, HMAC-SHA-224, bits of key strength A3588 HMAC-SHA-256 A3575 HMAC-SHA-384, HMAC-SHA-512 A3575, A3584, RSA B.3.3 Random 2048, 3072, 4096- RSA Key pair A3588 FIPS186-4 Probable Primes bit keys with 112- generation
strength PKCS#1v1.5: 2048, 3072, 4096- Digital signature SHA-224, SHA- bit keys with 112- generation 256, SHA-384, 149 bits of key SHA-512 strength PSS: 2048, 3072, 4096SHA-224, SHA- bit keys with 112256, SHA-384, 149 bits of key SHA-512 strength PKCS#1v1.5: 2048, 3072, 4096- Digital signature SHA-224, SHA- bit keys with 112- verification 256, SHA-384, 149 bits of key SHA-512 strength PSS: 2048, 3072, 4096SHA-224, SHA- bit keys with 112256, SHA-384, 149 bits of key SHA-512 strength A3575, A3584, Safe primes Safe Prime 2048, 3072, 4096, Safe Primes key A3588 SP800-56Ar3 Groups: 6144, 8192-bit keys generation ffdhe2048, with 112-200 bits of ffdhe3072, key strength ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 A3575, A3588 SHS SHA-1 N/A Message digest © 2024 SUSE, LLC / atsec information security.
CAVP Cert Algorithm and Mode / Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A3575, A3584, FIPS180-4 SHA-224, SHAA3588 256 A3575 SHA-384, SHATable 5 - Approved Algorithms
Mode of Operation The module does not implement non-approved algorithms that are allowed in the approved mode of operation.
Mode of Operation with No Security Claimed Table 6 lists the non-approved algorithms that are allowed in the approved mode of operation with no security claimed. These algorithms are used by the approved services listed in Table 10. Algorithm1 Caveat Use/Function MD5 Only allowed as the PRF in TLSv1.0 Message digest used in TLS v1.0/1.1 and v1.1 per IG 2.4.A KDF only Table 6 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed
Mode of Operation Table 7 lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in Table 11. Algorithm/Functions Use/Function AES in CBC-MAC and XCBC-MAC modes Symmetric encryption and decryption AES-GCM with external IV Symmetric encryption
1 These algorithms do not claim any security and are not used to meet FIPS 140-3 requirements. Therefore, SSPs do not
map to these algorithms. © 2024 SUSE, LLC / atsec information security.
Algorithm/Functions Use/Function Camellia, CAST, CAST3, CAST5, ChaCha20, Symmetric key generation, encryption and DES, DES2, Triple-DES CDMF, IDEA, RC2, decryption RC4, RC5, SEED Poly1305 Symmetric encryption and decryption, message authentication code (MAC) MD2, MD5 Message digest HMAC using keys less than 112 bits of Message authentication code (MAC) length HMAC with non-approved message digest algorithms DSA with any key size Key pair generation, domain parameter generation and verification, digital signature generation DSA with non-approved message digest Digital signature verification algorithms DSA with keys smaller than 1024 bits or Digital signature verification greater than 3072 bits RSA with pre-hashed message Digital signature generation and verification RSA PSS with non-approved message Digital signature generation and verification digest algorithms RSA PSS with keys smaller than 2048 bits Key pair generation, digital signature generation or greater than 4096 bits and verification RSA PKCS#1v1.5 with non-approved Digital signature generation and verification message digest algorithms RSA PKCS#1v1.5 with keys smaller than Key pair generation, digital signature generation
RSA encryption and decryption with any Key encapsulation key size ISO/IEC 9796 RSA Digital signature generation and verification with and without message recovery RSA X.509 RSA X.509 certificate generation ECDSA with pre-hashed message Digital signature generation and verification ECDSA using non-approved message digest Digital signature generation and verification algorithms © 2024 SUSE, LLC / atsec information security.
Algorithm/Functions Use/Function ECDSA with P-192 and P-224 curves, K Key pair generation, digital signature generation curves, B curves and non-NIST curves and verification Curve25519 Key pair generation, domain parameter generation and verification, digital signature generation and verification J-PAKE Key agreement HKDF (outside of the TLS 1.3 protocol), Key derivation PBKDF1 Diffie-Hellman with keys generated with Diffie-Hellman shared secret computation domain parameters other than safe primes EC Diffie-Hellman with P-192 and P-224 EC Diffie-Hellman shared secret computation curves, K curves, B curves and non-NIST curves Table 7 - Non-Approved Not Allowed in the Approved Mode of Operation © 2024 SUSE, LLC / atsec information security.
As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. All data output via data output interface is inhibited when the module is performing preoperational test, conditional cryptographic algorithm self-tests, zeroization, or when the module enters the error state. Logical Interface2 Data that passes over port/interface Data Input API input parameters for data Data Output API output parameters for data Control Input API function calls, API input parameters for control input, /proc/sys/crypto/fips_enabled control file Status Output API return codes, API output parameters for status output Table 8 - Ports and Interfaces
2 The control output interface is omitted on purpose because the module does not implement it.
© 2024 SUSE, LLC / atsec information security.
The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support authentication. No support is provided for multiple concurrent operators or a maintenance role. Role Service Input Output Crypto Asymmetric Key Generation Key size Module generated Officer key pair (CO) Diffie-Hellman shared secret Diffie-Hellman private key Diffie-Hellman computation (owner), Diffie-Hellman shared secret public key from peer Digital signature generation Message, hash algorithm, Digital signature private key Digital signature verification Message, Signature, hash Verification result algorithm, public key EC Diffie-Hellman shared secret EC Private key (owner), EC EC Diffie-Hellman computation public key from peer shared secret Key derivation for TLS (EC) Diffie-Hellman Shared TLS derived secret secret Key derivation for IKEv1 and (EC) Diffie-Hellman Shared IKE derived secret IKEv2 secret Key-based key derivation Key derivation key KBKDF derived key Key encapsulation Key to be encapsulated, Encapsulated key Key encapsulating key Key unencapsulation Encapsulated key, Key Unencapsulated key encapsulating key Key unwrapping Wrapped key, Key Unwrapped key unwrapping key Key wrapping Key to be wrapped, Key Wrapped key wrapping key Message authentication code Message, HMAC key or AES Message (MAC) key authentication code Message digest Message Digest of the message Module initialization None None Module installation and Configuration parameters Return codes and/or configuration log messages On-Demand integrity tests None Return codes Password-based key derivation Password/Passphrase, Salt, PBKDF derived key Key size, Iteration Count © 2024 SUSE, LLC / atsec information security.
Role Service Input Output Public key verification Key Return codes/log messages Random number generation Number of bits Random number Self-tests Module reset Result of self-test (pass/fail) Symmetric decryption Key, IV (for AEAD), Plaintext Ciphertext Symmetric encryption Key, IV (for AEAD), Ciphertext Plaintext Symmetric key generation Key size Module generated key Show module name and version None Name and version information Show status None Return codes and/or log messages Zeroization Context containing SSPs N/A Table 9 - Roles, Service Commands, Input and Output
The module provides services to the operators that assume the available role. Table 10 lists approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). In addition to the CSPs listed in Table 10, any hash values of passwords and RBG state information are considered to be CSPs. No support of intermediate key generation is provided. The following convention is used to specify access rights to a CSP:
Service Description Approved Keys and/or SSPs Role Access Indicator Security rights to Functions Keys and/or SSPs Cryptographic Services Symmetric key Generate AES DRBG Module generated CO G, R NSC_NSSGetF generation or HMAC key AES key IPSStatus = 1 Module generated HMAC key Symmetric Perform AES AES-CBC, AES- AES key W, E NSC_NSSGetF encryption encryption CMAC, AES-CTR, IPSStatus = 1 AES-CTS (CS1), AES-ECB, AESGCM Symmetric Perform AES AES-CBC, AES- AES key W, E NSC_NSSGetF decryption decryption CMAC, AES-CTR, IPSStatus = 1 AES-CTS (CS1), AES-ECB, AESGCM Asymmetric Generate key RSA key Module generated G, R NSC_NSSGetF key generation pairs generation RSA public and IPSStatus = 1 DRBG private keys EC key Module generated EC generation public and private DRBG keys Safe Primes key Module generated generation Diffie-Hellman public DRBG and private keys Digital Generate a RSA digital RSA private key W, E NSC_NSSGetF signature signature signature IPSStatus = 1 generation generation SHS ECDSA digital EC private key signature generation SHS Digital Verify a RSA digital RSA public key W, E NSC_NSSGetF signature signature signature IPSStatus = 1 verification verification SHS ECDSA digital EC public key signature verification SHS DSA digital DSA public key signature verification SHS © 2024 SUSE, LLC / atsec information security.
Service Description Approved Keys and/or SSPs Role Access Indicator Security rights to Functions Keys and/or SSPs Public key Verify a public EC public key EC public key W, E NSC_NSSGetF verification key verification IPSStatus= 1 Random Generate DRBG Entropy input W, E NSC_NSSGetF number random IPSStatus= 1 generation bitstrings DRBG seed G, E DRBG internal state G, E Message digest Compute SHA SHA-1, SHA-224, None N/A NSC_NSSGetF hashes SHA-256, SHA- IPSStatus= 1 384, SHA-512 Message Compute a AES-CMAC AES key W, E NSC_NSSGetF authentication MAC tag IPSStatus= 1 code (MAC) HMAC HMAC key Key wrapping Perform AES- AES-KW AES key W, E NSC_NSSGetF based key AES-KWP IPSStatus= 1 wrapping Diffie-Hellman Perform DH KAS-FFC-SSC Diffie-Hellman W, E NSC_NSSGetF shared secret shared secret private key (owner) IPSStatus= 1 computation computation Diffie-Hellman public W, E key (peer) Diffie-Hellman shared G, R secret EC Diffie- Perform ECDH KAS-ECC-SSC EC private key W, E NSC_NSSGetF Hellman shared shared secret (owner) IPSStatus= 1 secret computation computation EC public key (peer) W, E EC Diffie-Hellman G, R shared secret Key derivation Perform key TLS 1.0/1.1 KDF (EC) Diffie-Hellman W, E NSC_NSSGetF for TLS derivation for TLS 1.2 KDF shared secret IPSStatus= 1 TLS KDA HKDF TLS derived secret G, R Key derivation Perform key IKE KDF (EC) Diffie-Hellman W, E for IKEv1 and derivation for shared secret IKEv2 IKEv1 and IKEv2 IKE derived secret G, R Password- Perform key PBKDF KDF PBKDF password or W, E based key derivation from passphrase derivation a password/pass PBKDF derived key G, R phrase Key-based key Perform key SP800-108 KDF Key derivation key W, E derivation derivation from with HMAC and a key CMAC-AES in Counter, KBKDF derived key G, R Feedback, and Double-pipeline modes © 2024 SUSE, LLC / atsec information security.
Service Description Approved Keys and/or SSPs Role Access Indicator Security rights to Functions Keys and/or SSPs Other FIPS-related Services Show status Show module N/A None CO N/A N/A status Zeroization Zeroize CSPs N/A All CSPs Z Self-tests Perform self- SHA-1, SHA-224, None N/A tests SHA-256, SHA384, SHA-512 AES ECB, CBC, KW KAS-FFC-SSC, KAS-ECC-SSC Hash_DRBG DSA ECSDA RSA KDA HKDF HMAC IKE KDF TLS KDF PBKDF See Table 14 for specfics On-Demand Perform self- See Table 14 None N/A integrity tests tests Module Install and N/A None N/A installation and configure configuration module Module Initialize N/A None N/A initialization module Show module Show module N/A None N/A name and name and version version Table 10 - Approved Services Table 11 lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-approved mode can be found in Table 7. Service Description Algorithms Accessed Role Indicator Cryptographic Services © 2024 SUSE, LLC / atsec information security.
Service Description Algorithms Accessed Role Indicator Symmetric key Generate symmetric key DRBG CO N/A generation When key length is less than 112 bits Symmetric encryption Compute the cipher for Camellia, CAST, CAST3, CAST5, and decryption encryption and ChaCha20, DES, DES2, Triple-DES, decryption CDMF, IDEA, RC2, RC4, RC5, SEED Compute AES GCM using AES GCM with external IV external IV Asymmetric key Generate RSA and EC key RSA and EC with restrictions listed generation pairs in Table 7 Digital signature Generate and verify RSA RSA and ECDSA and message digest generation and and ECDSA signatures restrictions listed in Table 7 verification DSA domain Generate DSA domain DSA parameter generation parameters DSA key generation Generate DSA key pairs DSA DSA digital signature Generate DSA signatures DSA generation DSA digital signature Verify DSA signatures DSA and message digest and key verification restrictions listed in Table 7 Message digest Compute message digest MD2, MD5 Message Compute HMAC HMAC with restrictions listed in authentication code Table 7 (MAC) Key encapsulation Perform RSA key RSA encapsulation Key unencapsulation Perform RSA key RSA unencapsulation Diffie-Hellman shared Perform DH shared secret Diffie-Hellman restrictions listed in secret computation computation Table 7 EC Diffie-Hellman Perform ECDH shared Restrictions listed in Table 7 shared secret secret computation computation Key derivation Perform key derivation HKDF (outside of the TLS 1.3 protocol) PBKDF1 Key agreement Perform key agreement J-PAKE Table 11 - Non-Approved Services © 2024 SUSE, LLC / atsec information security.
The integrity of the module is verified by performing a DSA signature verification for each component that comprises the module. The module uses DSA signature verification with a 2048bit key and SHA-256. If the DSA signature for any of the components cannot be verified, then the test fails, and the module enters the error state.
The module provides the Self-Test service to perform self-tests on demand which includes the preoperational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The SelfTests service can be called on demand by invoking the sftk_FIPSRepeatIntegrityCheck() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the Self-Test service can be invoked by powering-off and reloading the module. During the execution of the ondemand self-tests, services are not available, and no data output is possible.
The module consists of executable code in the form of libsoftokn3.so, libnssdbm3.so and libfreeblpriv3.so shared libraries as stated in the Table 2. © 2024 SUSE, LLC / atsec information security.
This module operates in a modifiable operational environment per the FIPS 140-3 level 1 specifications. The SUSE Linux Enterprise Server operating system is used as the basis of other products. Compliance is maintained for SUSE products whenever the binary is found unchanged per the vendor affirmation from SUSE based on the allowance FIPS 140-3 management manual section 7.9.1 bullet 1 a i). Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when supported if the specific operational environment is not listed on the validation certificate.
Instrumentation tools like the ptrace system call, the debugger gdb and strace, as well as other tracing mechanisms offered by the Linux environment (ftrace, systemtap) shall not be used. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment.
The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 SUSE, LLC / atsec information security.
The module is comprised of software only, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.
This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.
Table 12 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module. Key / SSP Strength Security Generation Import/Export Establis Storag Zeroization Use & Name / Function and hment e related keys Type Cert. Number3 Module 128, 192, Hash_DRBG Generated MD/EE N/A RAM FC_DestroyObj Use: generated 256 bits A3575, A3582, using the ect Symmetric key AES key A3583, A3584, SP800-90Arev1 generation Export: CM to (CSP) A3585, A3586, DRBG. Related TOEPP Path. A3587, A3588 SSPs: DRBG Passed from the internal state module via API parameters in wrapped form. AES key 128, 192, AES-CBC, N/A MD/EE N/A RAM FC_DestroyObj Use: (CSP) 256 bits AES-CMAC, ect Symmetric encryption; AES-CTR, Import: CM Symmetric AES-CTS (CS1), from TOEPP decryption; Path. AES-ECB, Message Passed to the authentication AES-GCM, module via API code (MAC); AES-KW, parameters in Key wrapping AES-KWP wrapped form. and A3575, A3576, unwrapping A3577, A3580, A3581, A3582, Related A3583, A3585, SSPs: N/A A3586, A3587 Module 112-256 Hash_DRBG Generated MD/EE N/A RAM FC_DestroyObj Use: generated bits A3575, A3582, using the ect Symmetric key HMAC key A3583, A3584, SP800-90Arev1 generation Export: CM to (CSP) A3585, A3586, DRBG. Related TOEPP Path. A3587, A3588 SSPs: DRBG Passed from the internal state module via API parameters in wrapped form HMAC key 112-256 HMAC N/A MD/EE N/A RAM FC_DestroyObj Use: Message (CSP) bits A3575, A3584, ect Authentication A3588 Import: CM Code (MAC) from TOEPP Related Path. SSPs: N/A Passed to the module via API parameters in wrapped format. Module 112, 128, RSA Generated MD/EE N/A RAM FC_DestroyObj Use: RSA key generated 149 bits A3575, A3584, using the FIPS ect generation RSA private A3588 186-4 key Related Export: CM to key generation SSPs: DRBG Hash_DRBG TOEPP Path. (CSP) method; the internal state; A3575, A3582, random value Passed from the Module A3583, A3584, used in key module via API generated RSA A3585, A3586, generation is parameters in public key A3587, A3588 wrapped form
3 see Table 5 for the certificate number of each algorithm listed in this column.
© 2024 SUSE, LLC / atsec information security.
Key / SSP Strength Security Generation Import/Export Establis Storag Zeroization Use & Name / Function and hment e related keys Type Cert. Number3 Module obtained from MD/EE Use: RSA key generated the SP800- generation RSA public 90Arev1 DRBG. Export: CM to Related key SSPs: DRBG TOEPP Path. (PSP) internal state; Passed from the Module module via API generated RSA parameters in plaintext (P) private key form RSA private 112, 128, RSA N/A MD/EE N/A RAM FC_DestroyObj Use: Digital keys 149 bits A3575, A3584, ect signature (CSP) A3588 Import: CM generation from TOEPP Related Path. SSPs: RSA public key Passed to the module via API parameters in wrapped form RSA public MD/EE Use: Digital key signature (PSP) Import: CM verification from TOEPP Related Path. SSPs: RSA private key Passed to the module via API parameters in plaintext (P) form Module 128, 192, KAS-ECC-SSC Generated MD/EE N/A RAM FC_DestroyObj Use: EC key generated 256 bits ECDSA using the FIPS ect generation EC private 186-4 key Related A3575, A3584, Export: CM to key generation SSPs: DRBG A3588 TOEPP Path. (CSP) method; the internal state; Hash_DRBG random value Passed from the module via API Module A3575, A3582, used in key generated EC A3583, A3584, generation is parameters in public key A3585, A3586, obtained from wrapped form Module A3587, A3588 the SP800- MD/EE Use: EC key generated 90Arev1 DRBG. generation EC public and Export: CM to key verification TOEPP Path. (PSP) Related Passed from the SSPs: DRBG module via API parameters in internal state; plaintext (P) Module generated EC form private key EC private 128, 192, KAS-ECC-SSC N/A MD/EE N/A RAM FC_DestroyObj Use: Digital key 256 bits ECDSA ect signature (CSP) generation; A3575, A3584, Import: CM EC DiffieA3588 from TOEPP Hellman Path. shared secret Passed to the computation module via API parameters in Related SSPs: EC wrapped form public key; EC Diffie-Hellman shared secret © 2024 SUSE, LLC / atsec information security.
Key / SSP Strength Security Generation Import/Export Establis Storag Zeroization Use & Name / Function and hment e related keys Type Cert. Number3 EC public MD/EE Use: Digital key signature (PSP) verification; EC Import: CM Public key from TOEPP verification; Path. EC DiffiePassed to the Hellman module via API shared secret parameters in computation plaintext (P) Related form SSPs: EC private key; EC Diffie-Hellman shared secret Module 112 to 200 Safe primes Generated MD/EE N/A RAM FC_DestroyObj Use: Safe generated bits A3575, A3584, using the SP ect Primes key Diffie- A3588 800-56Arev3 Export: CM to generation Hellman Hash_DRBG Safe Primes key TOEPP Path. Related private key generation Passed from the SSPs: DRBG A3575, A3582, (CSP) method; module via API internal state; A3583, A3584, random values parameters in Module A3585, A3586, are obtained wrapped form generated A3587, A3588 from the SP800- Diffie-Hellman 90Arev1 DRBG. public key Module MD/EE Use: Safe generated Primes key Diffie- Export: CM to generation Hellman TOEPP Path. and public key Passed from the verification module via API (PSP) Related parameters in keys: DRBG plaintext (P) internal state; form Module generated Diffie-Hellman private key Diffie- 112 to 200 KAS-FFC-SSC N/A MD/EE N/A RAM FC_DestroyObj Use: DiffieHellman bits A3575, A3584, ect Hellman private key A3588 Import: CM shared secret from TOEPP computation (CSP) Path. Related Passed to the SSPs: Diffiemodule via API Hellman parameters in shared secret; wrapped form Diffie-Hellman public key Diffie- MD/EE Use: DiffieHellman Hellman public key Import: CM shared secret from TOEPP computation (PSP) Path. Related Passed to the keys: Diffiemodule via API Hellman parameters in shared secret; plaintext (P) Diffie-Hellman form private key DSA public 80 to 128 DSA N/A MD/EE N/A RAM FC_DestroyObj Use: Digital key bits A3575, A3584, ect signature A3588 Import: CM verification; (PSP) from TOEPP Integrity test Path. © 2024 SUSE, LLC / atsec information security.
Key / SSP Strength Security Generation Import/Export Establis Storag Zeroization Use & Name / Function and hment e related keys Type Cert. Number3 Passed to the Related module via API SSPs: N/A parameters in plaintext (P) form Intermediat 112 to 256 CKG SP 800-133r2 N/A N/A RAM Automatic Use: RSA key e key bits Vendor affirmed Section 4 generation; EC generation key value generation; (CSP) Safe primes Key generation Related SSPs: Module generated RSA public key; Module generated RSA private key; Module generated EC public key; Module generated EC private key; Module generated Diffie-Hellman public key; Module generated Diffie-Hellman private key Diffie- 112 to 200 KAS-FFC-SSC N/A MD/EE SP 800- RAM FC_DestroyObj Use: DiffieHellman bits A3575, A3584, 56Ar3 ect Hellman shared A3588 (DH shared secret Export: CM to secret shared computation TOEPP Path. (CSP) secret Related Passed from the computat SSPs: Diffiemodule via API ion) parameters in Hellman public wrapped form. and private keys; TLS derived secret; IKE derived secret EC Diffie- 128 to 256 KAS-ECC-SSC N/A MD/EE SP 800- RAM FC_DestroyObj Use: EC DiffieHellman bits A3575, A3584, 56Ar3 ect Hellman shared A3588 (ECDH shared secret Export: CM to secret shared computation TOEPP Path. (CSP) secret Related Passed from the computat module via API SSPs: EC ion) Diffie-Hellman parameters in public and wrapped form. private keys; TLS derived secret; IKE derived secret PBKDF N/A PBKDF N/A MD/EE N/A RAM N/A Use: password A3575, A3584, Passwordor A3588 Import: CM based key passphrase from TOEPP derivation (CSP) Path. Related SSPs: PBKDF Passed to the derived key module via API © 2024 SUSE, LLC / atsec information security.
Key / SSP Strength Security Generation Import/Export Establis Storag Zeroization Use & Name / Function and hment e related keys Type Cert. Number3 parameters in plaintext (P) form PBKDF 112 to 256 PBKDF SP 800-133r2, MD/EE N/A RAM FC_DestroyObj Use: derived key bits A3575, A3584, Section 6.2 ect Password(CSP) A3588 Export: CM to based key derivation (for Generated TOEPP Path. storage during the Passed from the purposes) PBKDF module via API Related parameters in SSPs: PBKDF wrapped form password or passphrase Entropy 256, 384 ESV (Cert. E28, N/A N/A N/A RAM FC_Finalize Use: Random input bits E29) number (CSP) generation Hash_DRBG A3575, A3582, Related A3583, A3584, SSPs: DRBG A3585, A3586, seed A3587, A3588 DRBG seed 256 bits Hash_DRBG Generated from N/A N/A RAM FC_Finalize Use: Random (CSP) A3575, A3582, the entropy number A3583, A3584, input as defined generation IG D.L A3585, A3586, in SP800- Related compliant A3587, A3588 90Arev1 SSPs: Entropy input; DRBG internal state DRBG 256 bits Hash_DRBG Generated from N/A N/A RAM FC_Finalize Use: Random internal A3575, A3582, the DRBG seed number state: V, C A3583, A3584, as defined in generation (CSP) A3585, A3586, SP800-90Arev1 Related IG D.L A3587, A3588 SSPs: DRBG compliant seed TLS derived 112 to 256 KDF TLS, SP 800-133r2, MD/EE N/A RAM FC_DestroyObj Use: Key secret bits TLSv1.2 KDF Section 6.2 ect derivation for (CSP) A3575, A3584, TLS Export: CM to A3588 Derived during TOEPP Path. Related KDA HKDF the TLS KDF per Passed from the SSPs: DiffieSP800-135rev1 module via API Hellman or EC A3574 and KDA HKDF parameters in Diffie-Hellman per SP800- wrapped form. shared secret 56Crev1 IKE derived 112 to 200 IKE KDF SP 800-133r2, MD/EE N/A Stored FC_DestroyObj Use: Key secret bits Section 6.2 in the ect derivation for A3579 Export: CM to module IKEv1 and (CSP) TOEPP Path. IKEv2 Derived during the IKEv1 and Related Passed from the IKEv2 KDF per module via API SSPs: DiffieSP800-135rev1 Hellman or EC parameters in Diffie-Hellman wrapped form. shared secret Key CMAC-AES: KBKDF N/A MD/EE N/A RAM FC_DestroyObj Use: Keyderivation 128-256 SP800-108 ect based key key bits of key A3578 Import: CM derivation (CSP) strength from TOEPP Related HMAC: Path. SSPs: KBKDF 112-256 derived key Passed to the bits module via API © 2024 SUSE, LLC / atsec information security.
Key / SSP Strength Security Generation Import/Export Establis Storag Zeroization Use & Name / Function and hment e related keys Type Cert. Number3 parameters in wrapped form. KBKDF 128 to 256 KBKDF SP 800-133r2, MD/EE N/A RAM FC_DestroyObj Use: Keyderived key bits SP800-108 Section 6.2 ect based key (CSP) A3578 Export: CM to derivation Related Generated TOEPP Path. SSPs: Key during the Passed to the derivation key KBKDF module via API parameters in wrapped form. Table 12 - SSPs
The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90Arev1] for the creation of seeds for symmetric keys, asymmetric keys, RSA signature generation and ECDSA signature generation. In addition, the module provides a Random Number Generation service to calling applications. The DRBG supports the Hash_DRBG mechanism using SHA-256 and without prediction resistance. The module uses an SP800-90B-compliant entropy source specified in Table 13. This entropy source is located within the physical perimeter, but outside of the cryptographic boundary of the module. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it, sufficient to provide a DRBG with 256 bits of security strength. Entropy Sources Minimum Details number of bits of entropy SP800-90B compliant 256 bits of Standalone Userspace CPU Time Jitter RNG version Userspace Standalone entropy in the 3.4.0 entropy source (using SHA-3 as the vetted CPU Time Jitter RNG 256-bit output conditioning component) is located within the (64-bit with internal physical perimeter of the operational environment timer) and Userspace but outside the module cryptographic boundary Standalone CPU Time Jitter RNG (64-bit with external timer) (ESV Cert. E284, E295) Table 13 - Non-Deterministic Random Number Generation Specification
4 E28 Public Use Document: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-
validation-program/documents/entropy/E28_PublicUse.pdf
5 E29 Public Use Document: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-
validation-program/documents/entropy/E29_PublicUse.pdf © 2024 SUSE, LLC / atsec information security.
In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys.
The module provides Diffie-Hellman (dhEphem) and EC Diffie-Hellman (Ephemeral Unified Scheme) shared secret computation compliant with SP800-56Arev3, in accordance with scenario 2 (1) of IG D.F. For Diffie-Hellman, the module supports the use of safe primes from RFC7919 for domain parameters and key generation.
The module also supports the use of safe primes from RFC3526, which are part of the Modular Exponential (MODP) Diffie-Hellman groups that can be used for Internet Key Exchange (IKE). Note that the module only implements key generation and verification, and shared secret computation using safe primes, but no part of the IKE protocol.
The module does not support manual key entry or intermediate key generation key output. The SSPs has to be provided to the module via API input parameters in encrypted form (using the FC_UnwrapKey function) and output via API output parameters also in encrypted form (using the FC_WrapKey function). The module uses AES with KW/KWP compliant with SP800-38F as the approved key wrapping method. PSPs can be imported and exported in plaintext.
The module employs the cryptographic keys and CSPs in the approved mode of operation as listed in Table 12. The module does not perform persistent storage of keys. Note that the private key database (provided with the files key3.db/key4.db) is outside the cryptographic boundary. Symmetric keys, HMAC keys, public and private keys are provided to the module by the calling application via API input parameters and are destroyed by the module when invoking the appropriate API function calls. The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. © 2024 SUSE, LLC / atsec information security.
The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 12.
The module performs the pre-operational self-test and CASTs automatically when the module is loaded into memory. The pre-operational self-test ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational tests and CASTs are completed successfully. After the pre-operational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state. In order to verify whether the self-tests have succeeded, the calling application may invoke the FC_Initialize function. The function will return CKR_OK if the module is operational, CKR_DEVICE_ERROR if the module is in the Error state.
The module performs pre-operational tests automatically when the module is powered on. The pre-operational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. The types of pre-operational self-tests are described in the next sub-sections.
The module performs the integrity test using DSA signature verification with a 2048-bit key and SHA-256. The details of integrity test are provided in section 5.1.
Table 14 specifies all the CASTs. The CASTs are performed in the form of the Known Answer Tests (KATs) and are run prior to performing the integrity test. A KAT includes the comparison of a calculated output with an expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. Algorithm Test AES KAT AES in ECB mode with 128-, 192- and 256-bit keys, encryption and decryption (separately tested). KAT AES in CBC mode with 128-, 192- and 256-bit keys, encryption and decryption (separately tested). KAT AES in KW mode with 128-, 192- and 256-bit keys, encryption and decryption (separately tested). Diffie-Hellman Primitive “Z” Computation KAT with 2048-bit key. DRBG KAT Hash_DRBG with SHA-256 without PR. DSA KAT DSA signature verification with L=2048, N=224 and SHA-224. © 2024 SUSE, LLC / atsec information security.
Algorithm Test EC Diffie-Hellman Primitive “Z” Computation KAT with P-256 curve. ECDSA KAT ECDSA signature generation and verification with P-256 and SHA-224 (separately tested). HKDF KAT HKDF with HMAC-SHA2-256, HMAC-SHA2-384. HMAC KAT HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512. IKE KDF KAT IKE PRF using HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 and HMAC-SHA2-512. KDF KAT SP800-108 Counter KDF with HMAC-SHA-256. PBKDF2 KDF KAT with HMAC-SHA-1 and HMAC-SHA2-256. RSA KAT RSA PKCS#1 v1.5 signature generation and verification with 2048-bit key and SHA-256, SHA-384 and SHA-512 (separately tested). SHS KAT SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. TLS KDF KAT TLS KDF for v1.0/v1.1 KAT TLS KDF for v1.2 with SHA-224, SHA-256, SHA-384, SHA-512 Table 14 - Conditional Cryptographic Algorithms Self-Tests
The module performs the Pair-wise Consistency Tests (PCT) shown in the following table. If at least one of the tests fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output, and cryptographic operations are not allowed. Algorithm Test ECDSA key generation PCT using SHA-224, signature generation and verification. RSA key generation PCT using SHA-224, signature generation and verification. Safe primes key generation PCT according to section 5.6.2.1.4 of [SP800-56Arev3]. EC Diffie-Hellman key PCT using SHA2-224, signature generation and verification generation (covered by pre-requisite algorithm ECDSA’s PCT). Table 15 - Pairwise Consistency Test © 2024 SUSE, LLC / atsec information security.
The module provides the Self-Test service to perform self-tests on demand which includes the preoperational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The SelfTests service can be called on demand by invoking the sftk_FIPSRepeatIntegrityCheck() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the Self-Test service can be invoked by powering-off and reloading the module. During the execution of the ondemand self-tests, services are not available, and no data output is possible.
The Module enters the Error state returning the CKR_DEVICE_ERROR error code, on failure of preoperational self-tests or conditional test. In the Error state, all data output is inhibited and no cryptographic operation is allowed. The error can be recovered by powering-off and reloading the module. Error State Cause of Error Status Indicator Error state Failure of pre-operational tests or CKR_DEVICE_ERROR error code conditional tests. Table 16 - Error States Self-test errors transition the module into an error state that keeps the module operational but prevents any cryptographic related operations. The module must be restarted and perform the per-operational self-test and the CASTs to recover from these errors. If failures persist, the module must be re-installed. © 2024 SUSE, LLC / atsec information security.
The Netscape Portable Runtime (NSPR) package (mozilla-nspr-4.23-3.9.1.x86_64.rpm) is a prerequisite for the module. The mozilla-nspr package must be installed in the operating environment. The Crypto Officer can install the RPM packages containing the module as listed in Table 18 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.
The operating environment needs to be configured to support FIPS, so the following steps shall be performed with the root privilege:
The module may use the Unix syslog function and the audit mechanism provided by the operating system to audit events. Auditing is turned off by default. Auditing capability must be turned on as © 2024 SUSE, LLC / atsec information security.
part of the initialization procedures by setting the environment variable NSS_ENABLE_AUDIT to 1. The Crypto Officer must also configure the operating system's audit mechanism. The module uses the syslog function to audit events, so the audit data are stored in the system log. Only the root user can modify the system log. On some platforms, only the root user can read the system log; on other platforms, all users can read the system log. The system log is usually under the /var/log directory. The exact location of the system log is specified in the /etc/syslog.conf file. The module uses the default user facility and the info, warning, and err severity levels for its log messages. The module can also be configured to use the audit mechanism provided by the operating system to audit events. The audit data would then be stored in the system audit log. Only the root user can read or modify the system audit log. To turn on this capability it is necessary to create a symbolic link from the library file /usr/lib64/libaudit.so.1 to /usr/lib64/libaudit.so.1.0.0.
Table 17 includes the information on module installation process for the vendor affirmed platforms that are listed in Table 4. Product Link SUSE Linux Enterprise https://documentation.suse.com/sle-micro/5.3/single-html/SLE-MicroMicro 5.3 security/#sec-fips-slemicro-install SUSE Linux Enterprise https://documentation.suse.com/sles/15-SP4/html/SLES-all/bookServer for SAP 15SP4 security.html SUSE Linux Enterprise Base https://documentation.suse.com/smart/linux/html/conceptContainer Image 15SP4 bci/index.html SUSE Linux Enterprise https://documentation.suse.com/sled/15-SP4/html/SLED-all/bookDesktop 15SP4 security.html SUSE Linux Enterprise Real https://documentation.suse.com/sle-rt/15-SP4 Time 15SP4 Table 17 - Installation for Vendor Affirmed Platforms Note: Per section 7.9 in the FIPS 140-3 Management Manual [FIPS140-3_MM], the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.
For secure sanitization of the cryptographic module, the module needs first to be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. The module does not possess persistent storage of SSPs, so further sanitization steps are not needed. © 2024 SUSE, LLC / atsec information security.
The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow section 11.1.1 and 11.1.2 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. Table 18 lists the RPM packages that contain the FIPS validated module. The "Show module name and version" is implemented by accessing the CKA_NSS_VALIDATION_MODULE_ID attribute of the CKO_NSS_VALIDATION object in the default slot. The object attribute contains the value “SUSE Linux Enterprise NSS 3.79.4-150400.3.29.1”, which matches the service output and the version information provided in the RPM packages where the module is distributed, and map to version 3.1 of the cryptographic module. Processor Architecture RPM Packages Intel 64-bit libsoftokn3-3.79.4-150400.3.29.1.x86_64.rpm libsoftokn3-hmac-3.79.4-150400.3.29.1.x86_64.rpm libfreebl3-3.79.4-150400.3.29.1.x86_64.rpm libfreebl3-hmac-3.79.4-150400.3.29.1.x86_64.rpm AMD 64-bit libsoftokn3-3.79.4-150400.3.29.1.x86_64.rpm libsoftokn3-hmac-3.79.4-150400.3.29.1.x86_64.rpm libfreebl3-3.79.4-150400.3.29.1.x86_64.rpm libfreebl3-hmac-3.79.4-150400.3.29.1.x86_64.rpm IBM z15 libsoftokn3-3.79.4-150400.3.29.1.s390x.rpm libsoftokn3-hmac-3.79.4-150400.3.29.1.s390x.rpm libfreebl3-3.79.4-150400.3.29.1.s390x.rpm libfreebl3-hmac-3.79.4-150400.3.29.1.s390x.rpm ARMv8 64-bit libsoftokn3-3.79.4-150400.3.29.1.aarch64.rpm libsoftokn3-hmac-3.79.4-150400.3.29.1.aarch64.rpm libfreebl3-3.79.4-150400.3.29.1.aarch64.rpm libfreebl3-hmac-3.79.4-150400.3.29.1.aarch64.rpm IBM Power10 64-bit libsoftokn3-3.79.4-150400.3.29.1.aarch64.rpm libsoftokn3-hmac-3.79.4-150400.3.29.1.aarch64.rpm libfreebl3-3.79.4-150400.3.29.1.aarch64.rpm libfreebl3-hmac-3.79.4-150400.3.29.1.aarch64.rpm Table 18 - RPM packages
In order to run in in the approved mode, the module must be operated using the approved services, with their corresponding approved and allowed cryptographic algorithms provided in this Security Policy (see section 2). In addition, key sizes must comply with [SP800-131Arev2]. The following module initialization steps must be followed before starting to use the NSS module:
The AES GCM IV generation is in compliance with section 8.2.2 of [SP800-38D] and IG C.H scenario
2 [FIPS140-3_IG], in which the GCM IV is generated internally at its entirety randomly. The module
uses the DRBG that is compliant with SP800-90A-rev1, for generating the IV. The DRBG is fully seeded with entropy provided by the SP800-90B compliant entropy source that is not within the cryptographic boundary of the module but within its physical perimeter. The GCM IV must be at least 96 bits in length, which is enforced by the module. When a GCM IV is used for decryption, the responsibility for the IV generation lies with the party that performs the AES GCM encryption. The module also implements AES GCM for being used in the TLS v1.2 and v1.3 protocols. AES GCM IV generation is in compliance with [FIPS140-3_IG] IG C.H for both protocols as follows:
The module provides password-based key derivation (PBKDF), compliant with SP800-132. The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132] and IG D.N, the following requirements shall be met.
To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that implements the TLS protocol. Additionally, the module’s approved Key Pair Generation service (see Section 4.1.1) must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPSvalidated module. As part of this service, the module will internally perform the full public key validation of the generated public key.
All of the RSA modulus sizes used by the cryptographic module have been CAVP tested and the certificates are listed in Table 5 of this security policy. There are no untested RSA modulus sizes used by the cryptographic module. © 2024 SUSE, LLC / atsec information security.
RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. The module uses the following blinding technique: instead of using the RSA decryption directly, a blinded value y = x re mod n is decrypted and the unblinded value x' = y' r−1 mod n returned. The blinding value r is a random value with the size of the modulus n.
Modular exponentiation used in DSA and RSA is vulnerable to cache-timing attacks. The module implements a variant of the modular exponentiation proposed by Colin Percival to defend against these attacks.
Arithmetic errors in RSA signatures might leak the private key. The module verifies the RSA signature generated after the cryptographic operation is performed. © 2024 SUSE, LLC / atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard © 2024 SUSE, LLC / atsec information security.
Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM FIPS 140-3 Cryptographic Module Validation Program Management Manual (Draft) April, 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3CMVP%20Management%20Manual.pdf FIPS180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://datatracker.ietf.org/doc/html/rfc5288 RFC8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://datatracker.ietf.org/doc/html/rfc8446 © 2024 SUSE, LLC / atsec information security.
SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38A- NIST Special Publication 800-38A-Addendum - Recommendation Addendum for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a-add.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-52rev2 NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80052r2.pdf SP800-56Arev3 NIST Special Publication 800-56A Revision 2 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Ar3.pdf SP800-56Crev2 NIST Special Publication 800-56C Revision 2 - Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Cr2.pdf SP800-57rev5 NIST Special Publication 800-57 Part 1 Revision 5 Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r5.pdf © 2024 SUSE, LLC / atsec information security.
SP800-90Arev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108rev1 NIST Special Publication 800-108 Revision 1 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) August 2022 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Arev2 NIST Special Publication 800-131A Revision 1- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133rev2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800133r2.pdf SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800140B.pdf © 2024 SUSE, LLC / atsec information security.