| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/25/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | SUSE, LLC |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for SUSE Linux Enterprise GnuTLS Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-tests<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for SUSE Linux Enterprise GnuTLS Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-tests<br/>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;SUSE Linux Enterprise GnuTLS Cryptographic Module version 1.1 Version 1.2 Last update: 2024-07-25 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security 2.9 4.1 4.1.1 5.1 5.2 5.3 6.1 6.2 6.3 9.1 9.2 9.3 9.4 9.5 9.6 10.1 © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module 10.2 10.2.1 10.2.2 10.2.3 10.3 11.1 11.1.1 11.1.2 11.1.3 11.1.4 11.2 11.2.1 11.2.2 11.2.3 11.2.4 11.2.5 © 2024 SUSE, LLC / atsec information security.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| Section 6. [Number | Section 6. [Number | ||
| Below] | Below] | ||
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services, and Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | N/A |
| 8 | 8 | Non-invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
| Overall | Overall | 1 |
SUSE Linux Enterprise GnuTLS Cryptographic Module This document is the non-proprietary FIPS 140-3 Security Policy for version 1.1 of the SUSE Linux Enterprise GnuTLS Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. and including this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. N/A N/A N/A Table 1 - Security Levels © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
2.1 Module Embodiment The SUSE Linux Enterprise GnuTLS Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. 2.2 Module Design, Components, Versions The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1 - Cryptographic Boundary © 2024 SUSE, LLC / atsec information security.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | SUSE Linux Enterprise Server 15 SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 1 |
| 2 | SUSE Linux Enterprise Server 15 SP4 | GIGABYTE R181-Z90-00 | AMD EPYCÔ 7371 | With and without AES-NI (PAA) | 2 |
| 3 | SUSE Linux Enterprise Server 15 SP4 | GIGABYTE G242-P32-QZ | ARM Ampere® Altra® Q80-30 | With and without Crypto Extensions (PAA) | 3 |
| 4 | SUSE Linux Enterprise Server 15 SP4 | IBM z/15 | z15 | With and without CPACF (PAI) | 4 |
| 5 | SUSE Linux Enterprise Server 15 SP4 on PowerVM (VIOS 3.1.4.00) | IBM Power E1080 (9080- HEX) | Power10 | With and without ISA (PAA) | 5 |
| 1 | SUSE Linux Enterprise Server 15SP4 | IBM LinuxONE III LT1 | z15 | With and without CPACF (PAI) | 1 |
| 2 | SUSE Linux Enterprise Micro 5.3 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 2 |
| 3 | SUSE Linux Enterprise Micro 5.3 | GIGABYTE R181-Z90-00 | AMD EPYCÔ 7371 | With and without AES-NI (PAA) | 3 |
| 4 | SUSE Linux Enterprise Micro 5.3 | GIGABYTE G242-P32-QZ | ARM Ampere® Altra® Q80- 30 | With and without Cryptography Extensions (PAA) | 4 |
| 5 | SUSE Linux Enterprise Micro 5.3 | IBM z/15 | z15 | With and without CPACF (PAI) | 5 |
| 6 | SUSE Linux Enterprise Micro 5.3 | IBM LinuxONE III LT1 | z15 | With and without CPACF (PAI) | 6 |
| 7 | SUSE Linux Enterprise Server for SAP 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 7 |
| 8 | SUSE Linux Enterprise Server for SAP 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCÔ 7371 | With and without AES-NI (PAA) | 8 |
| 9 | SUSE Linux Enterprise Server for SAP 15SP4 | IBM Power E1080 (9080- HEX) | Power10 | With and without ISA (PAA) | 9 |
| 10 | SUSE Linux Enterprise Base Container Image 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 10 |
| 11 | SUSE Linux Enterprise Base Container Image 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCÔ 7371 | With and without AES-NI (PAA) | 11 |
| 12 | SUSE Linux Enterprise Base Container Image 15SP4 | GIGABYTE G242-P32-QZ | ARM Ampere® Altra® Q80- 30 | With and without Cryptography Extensions (PAA) | 12 |
| 13 | SUSE Linux Enterprise Base Container Image 15SP4 | IBM z/15 | z15 | With and without CPACF (PAI) | 13 |
| 14 | SUSE Linux Enterprise Base Container Image 15SP4 | IBM LinuxONE III LT1 | z15 | With and without CPACF (PAI) | 14 |
| 15 | SUSE Linux Enterprise Base Container Image 15SP4 | IBM Power E1080 (9080- HEX) | Power10 | With and without ISA (PAA) | 15 |
| 16 | SUSE Linux Enterprise Desktop 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 16 |
| 17 | SUSE Linux Enterprise Desktop 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCÔ 7371 | With and without AES-NI (PAA) | 17 |
| 18 | SUSE Linux Enterprise Real Time 15SP4 | Supermicro Super Server SYS-6019P- WTR | Intel® Xeon® Silver 4215R | With and without AES-NI (PAA) | 18 |
| 19 | SUSE Linux Enterprise Real Time 15SP4 | GIGABYTE R181-Z90-00 | AMD EPYCÔ 7371 | With and without AES-NI (PAA) | 19 |
| Components | Description |
|---|---|
| /usr/lib64/libgnutls.so.30 | Provides the API for the calling applications to request cryptographic services, and implements the TLS protocol, DRBG, RSA Key Generation, Diffie-Hellman and EC Diffie- Hellman. |
| /usr/lib64/libnettle.so.8 | Provides the cryptographic algorithm implementations, including AES, SHA, HMAC, RSA Digital Signature and ECDSA. |
| /usr/lib64/libhogweed.so.6 | Provides primitives used by libgnutls and libnettle to support the asymmetric cryptographic operations. |
| /usr/lib64/libgmp.so.10 | Provides big number arithmetic operations to support the asymmetric cryptographic operations. |
| /usr/lib64/.libgnutls.so.30.hmac | The .hmac files contain the HMAC-SHA2-256 values of their associated library for integrity check during the power-up. |
| /usr/lib64/.libnettle.so.8.hmac | |
| /usr/lib64/.libhogweed.so.6.hmac | |
| /usr/lib64/.libgmp.so.10.hmac |
Table 2 lists the software components of the cryptographic module, which defines its cryptographic boundary. Table 2
SUSE Linux Enterprise GnuTLS Cryptographic Module # E1080 (9080HEX) Table 3 - Tested Operational Environments 2.5 Vendor-Affirmed Operational Environments In addition to the platforms listed in Table 3, SUSE, LLC has also tested the module on the platforms in Table 4, and claims vendor affirmation on them. Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. # 5.3 5.3 5.3 Altra® Q8030 5.3 5.3 E1080 (9080HEX) SYS-6019PWTR SYS-6019PWTR © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Altra® Q8030 E1080 (9080HEX) # SYS-6019PWTR SYS-6019PWTR SYS-6019PWTR Table 4 - Vendor-Affirmed Operational Environments 2.6 Approved Algorithms Table 5 lists all security functions of the module, including specific key strengths employed for approved services, and implemented modes of operation. The module supports RSA modulus sizes which are not tested by CAVP in compliance with FIPS 140-3 IG C.F. © 2024 SUSE, LLC / atsec information security.
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES | A2984, A2985, | CBC | 128, 192, 256-bit | Symmetric encryption; |
| FIPS197, | A2986, A2987, | keys with 128-256 | Symmetric decryption | |
| SP800-38A | A2992, A2996, | bits of key strength | ||
| AES | A2984, A2996, | CCM | 128, 256-bit keys | Symmetric encryption; |
| SP800-38C | A3004, A3007 | with 128 or 256 | Symmetric decryption; | |
| bits of key strength | bits of key strength | Authenticated symmetric | ||
| AES | A2989, A2990, | CFB8 | 128, 192, 256-bit | Symmetric encryption; |
| FIPS197, | A2995 | keys with 128-256 | Symmetric decryption | |
| SP800-38A | bits of key strength | |||
| AES | A2984, A2987, | CMAC | 128, 256-bit keys | Message authentication |
| SP800-38B | A2992, A2996, | with 128 or 256 | code (MAC) | |
| A3004 | A3004 | bits of key strength | ||
| AES | A2984, A2985, | GCM | 128, 256-bit keys | Symmetric encryption and |
| SP800-38D | A2986, A2987, | with 128 or 256 | decryption in the context | |
| A2992, A2996, | A2992, A2996, | bits of key strength | of the Transport Layer | |
| A2997, A3004, | A2997, A3004, | Security (TLS) network | ||
| A3007 | A3007 | protocol | ||
| AES | A2992 | GMAC | 128, 256-bit keys | Message authentication |
| SP800-38D | with 128 or 256 | code (MAC) | ||
| AES | A2993 | XTS | 128, 256-bit keys | Symmetric encryption (for |
| SP800-38E | with 128 or 256 | data storage); | ||
| bits of key strength | bits of key strength | Symmetric decryption (for | ||
| CKG | Vendor Affirmed | Key pair | RSA: 2048, 3072, | Key pair generation |
| SP800- | generation | 4096-bit keys with | ||
| 133rev2 | (FIPS-186-4, | 112, 128, 149 bits | ||
| SP800-56Arev3, | SP800-56Arev3, | of key strength | ||
| SP800-90Arev1); | SP800-90Arev1); | ECDH/ECDSA: P- | ||
| DRBG | A2992 | CTR_DRBG: | AES 256-bit key | Random number |
| SP800- | AES-256 without | with 256 bits of | generation | |
| 90Arev1 | DF, without PR | key strength | ||
| ECDSA | A2992 | ECDSA KeyGen | P-256, P-384, | Key pair generation |
| FIPS186-4 | (B.4.2 Testing | P-521 elliptic | ||
| Candidates) | Candidates) | curves with 128- | ||
| ECDSA KeyVer | ECDSA KeyVer | P-256, P-384, | Public key verification | |
| ECDSA SigGen | ECDSA SigGen | P-256, P-384, P- | Digital signature | |
| (SHA2-224, | (SHA2-224, | 521 elliptic curves | generation | |
| SHA2-256, SHA2- | SHA2-256, SHA2- | with 128-256 bits | ||
| 384, SHA2-512) | 384, SHA2-512) | of key strength | ||
| ECDSA SigVer | ECDSA SigVer | P-256, P-384, P- | Digital signature | |
| (SHA2-224, | (SHA2-224, | 521 elliptic curves | verification | |
| SHA2-256, SHA2- | SHA2-256, SHA2- | with 128-256 bits | ||
| 384, SHA2-512) | 384, SHA2-512) | of key strength | ||
| HMAC | A2987, A2992, | SHA-1, SHA2- | 112-524288 bits | Message authentication |
| FIPS198-1 | A2998, A3007 | 224, SHA2-256, | with 112-256 bits | code (MAC) |
| SHA2-384, SHA2- | SHA2-384, SHA2- | of security strength | ||
| KAS-ECC-SSC | A2992 | ECC | P-256, P-384, P- | EC Diffie-Hellman shared |
| SP800- | Ephemeral | 521 elliptic curves | secret computation; | |
| 56Arev3 | Unified Scheme | keys with 128-256 | Transport Layer Security | |
| bits of key strength | bits of key strength | (TLS) network protocol | ||
| KAS-FFC-SSC | A2992 | Safe Prime | 2048, 3072, 4096, | Diffie-Hellman shared |
| SP800- | Groups: | 6144, 8192-bit | secret computation; | |
| 56Arev3 | ffdhe2048, | keys with 112-200 | Transport Layer Security | |
| ffdhe3072, | ffdhe3072, | bits of key strength | (TLS) network protocol | |
| KDA HKDF | A2991 | HMAC-SHA2-224, | HKDF derived key | HKDF key derivation Transport Layer Security (TLS) network protocol |
| SP800-56Cr1 | HMAC-SHA2-256, | with 112 to 256 | ||
| HMAC-SHA2-384, | HMAC-SHA2-384, | bits of key strength | ||
| KDF TLS | A2992 | SHA-1 | TLS Derived key | TLS key derivation |
| v1.0/1.1 | with 112 to 256 | |||
| SP800- | bits of key strength | |||
| TLS v1.2 KDF | A2992 | SHA2-256, | TLS Derived key | TLS key derivation |
| SP800- | SHA2-384 | with 112 to 256 | ||
| 135rev1 | bits of key strength | |||
| AES CCM | A2984, A2996, | KTS per IG D.G | 128, 256-bit keys | Key wrapping; Key unwrapping |
| SP800-38C | A3004, A3007 | with 128 or 256 | ||
| AES GCM | A2984, A2985, | KTS per IG D.G | 128, 256-bit keys | |
| SP800-38D | A2986, A2987, | with 128 or 256 | ||
| A2992, A2996, | A2992, A2996, | bits of key strength | ||
| AES CBC and | AES | KTS per IG D.G | 128, 256-bit keys | |
| HMAC | A2984, A2985, | with 128 or 256 | ||
| SP800-38A, | A2986, A2987, | bits of key strength | ||
| FIPS198-1 | A2992, A2996, | |||
| PBKDF | A2992 | HMAC-SHA-1, | 8-128 characters | Password-based key derivation |
| SP800-132 | HMAC-SHA2-224, | with password | ||
| HMAC-SHA2-256, | HMAC-SHA2-256, | strength between | ||
| HMAC-SHA2-384, | HMAC-SHA2-384, | 108 and 10128 | ||
| RSA | A2992 | RSA KeyGen | 2048-15360 bits | Key pair generation |
| FIPS186-4 | (B.3.2 Random | keys with 112-256 | ||
| Provable Primes) | Provable Primes) | bits of security | ||
| RSA SigGen | RSA SigGen | 2048-15360 bits | Digital signature generation | |
| (PKCS#1v1.5: | (PKCS#1v1.5: | keys with 112-256 | ||
| SHA2-224, SHA2- | SHA2-224, SHA2- | bits of security | ||
| 256, SHA2-384, | 256, SHA2-384, | strength | ||
| RSA SigGen | RSA SigGen | 2048-15360 bits | ||
| (PSS: SHA2-256, | (PSS: SHA2-256, | keys with 112-256 | ||
| SHA2-384, SHA2- | SHA2-384, SHA2- | bits of security | ||
| 512) | 512) | strength | ||
| RSA SigVer | RSA SigVer | 2048-15360 bits | Digital signature verification | |
| (PKCS#1v1.5: | (PKCS#1v1.5: | keys with 112-256 | ||
| SHA2-224, SHA2- | SHA2-224, SHA2- | bits of security | ||
| 256, SHA2-384, | 256, SHA2-384, | strength | ||
| RSA SigVer (PSS: | RSA SigVer (PSS: | 2048-15360 bits | ||
| SHA2-256, SHA2- | SHA2-256, SHA2- | keys with 112-256 | ||
| 384, SHA2-512) | 384, SHA2-512) | bits of security | ||
| Safe Primes | A2992 | Safe Prime | 2048, 3072, 4096, | Key pair generation |
| SP800- | ffdhe3072, | bits of key strength | ||
| 56Arev3 | ffdhe4096, | |||
| SHA-3 | A2988, A2994 | SHA3-224, SHA3- | N/A | Message digest |
| FIPS202 | 256, SHA3-384, | |||
| SHA | A2987, A2992, | SHA-1, SHA2- | N/A | Message digest |
| FIPS180-4 | A2998, A3007 | 224, |
SUSE Linux Enterprise GnuTLS Cryptographic Module SP800133rev2 © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SP80090Arev1 SP800Ephemeral SP80056Arev3 © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SP800135rev1 (CVL) SP800135rev1 © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SP80056Arev3 C.C SHA-1, SHA2N/A Table 5 - Approved Algorithms © 2024 SUSE, LLC / atsec information security.
| Name | Use Function | Use/Function |
|---|---|---|
| MD5 | Only allowed as the PRF in TLSv1.0 and v1.1 per IG 2.4.A | Message digest used in TLS v1.0/1.1 KDF only |
| AES GCM when not used in the context of the TLS protocol. | Symmetric encryption; Symmetric decryption | |
| Blowfish | Symmetric encryption; Symmetric decryption | |
| Camellia | Symmetric encryption; Symmetric decryption | |
| CAST | Symmetric encryption; Symmetric decryption | |
| ChaCha20 | Symmetric encryption; Symmetric decryption | |
| Chacha20 and Poly1305 | Authenticated encryption; Authenticated decryption | |
| CMAC with Triple-DES | Message authentication code (MAC) | |
| DES | Symmetric encryption; Symmetric decryption | |
| Diffie-Hellman with keys generated with domain parameters other than safe primes | Key agreement; Diffie-Hellman shared secret computation |
| Name | Use Function | Use/Function |
|---|---|---|
| MD5 | Only allowed as the PRF in TLSv1.0 and v1.1 per IG 2.4.A | Message digest used in TLS v1.0/1.1 KDF only |
| AES GCM when not used in the context of the TLS protocol. | Symmetric encryption; Symmetric decryption | |
| Blowfish | Symmetric encryption; Symmetric decryption | |
| Camellia | Symmetric encryption; Symmetric decryption | |
| CAST | Symmetric encryption; Symmetric decryption | |
| ChaCha20 | Symmetric encryption; Symmetric decryption | |
| Chacha20 and Poly1305 | Authenticated encryption; Authenticated decryption | |
| CMAC with Triple-DES | Message authentication code (MAC) | |
| DES | Symmetric encryption; Symmetric decryption | |
| Diffie-Hellman with keys generated with domain parameters other than safe primes | Key agreement; Diffie-Hellman shared secret computation | |
| DSA | Key pair generation; Domain parameter generation; Digital signature generation; Digital signature verification | |
| ECDSA with curves not listed in Table 5. | Key pair generation; Public key verification; Digital signature generation; Digital signature verification | |
| EC Diffie-Hellman with curves not listed in Table 5 | Key agreement; EC Diffie-Hellman shared secret computation | |
| GMAC | Message authentication code (MAC) | |
| GOST | Symmetric encryption; Symmetric decryption; Message digest | |
| HMAC with keys smaller than 112-bit | Message authentication code (MAC) | |
| HMAC with GOST | Message authentication code (MAC) | |
| MD2, MD4, MD5 | Message digest; Message authentication code (MAC) | |
| Non-supported cipher suites (not listed in Appendix A) | Transport Layer Security (TLS) Network Protocol | |
| PBKDF with non-approved message digest algorithms | Password-based key derivation | |
| RC2, RC4 | Symmetric encryption; Symmetric decryption | |
| RMD160 | Message digest; Message authentication code (MAC) | |
| RSA with keys smaller than 2048 bits or greater than 4096 bits | Key pair generation; Digital signature generation | |
| RSA with keys smaller than 1024 bits or greater than 4096 bits | Digital signature verification | |
| RSA encryption and decryption with any key sizes | Key encapsulation; Key un-encapsulation | |
| Salsa20 | Symmetric encryption; Symmetric decryption | |
| SEED | Symmetric encryption; Symmetric decryption | |
| Serpent | Symmetric encryption; Symmetric decryption | |
| SHA-1 | Digital signature generation | |
| SRP | Key agreement | |
| STREEBOG | Message digest; Message authentication code (MAC) | |
| Triple-DES | Symmetric encryption; Symmetric decryption | |
| Twofish | Symmetric encryption; Symmetric decryption | |
| UMAC | Message authentication code (MAC) | |
| Yarrow | Random number generation |
SUSE Linux Enterprise GnuTLS Cryptographic Module 2.7 Non-Approved Algorithms Allowed in the Approved Mode of Operation The module does not implement non-approved algorithms that are allowed in the approved mode of operation. 2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Table 6 lists the non-approved algorithms that are allowed in the approved mode of operation with no security claimed. These algorithms are used by the approved services listed in Table 10. Table 6 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed 2.9 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 7 lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in Table 11.
1 These algorithms do not claim any security and are not used to meet FIPS 140-3 requirements. Therefore, SSPs do not
map to these algorithms. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 7 - Non-Approved Not Allowed in the Approved Mode of Operation © 2024 SUSE, LLC / atsec information security.
| Name | Physical Port | Logical Interface |
|---|---|---|
| Data Input | API input parameters, kernel I/O network or files on filesystem, TLS protocol input messages. | Data Input |
| Data Output | API output parameters, kernel I/O network or files on filesystem, TLS protocol output messages. | Data Output |
| Control Input | API function calls, API input parameters for control. | Control Input |
| Status Output | API return codes, API output parameters for status output. | Status Output |
SUSE Linux Enterprise GnuTLS Cryptographic Module
As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. The following table shows the logical interfaces implemented in the module. All data output via data output interface is inhibited when the module is performing preoperational test conditional cryptographic algorithms self-tests or zeroization or when the module enters error state. Table 8 - Ports and Interfaces
2 The control output interface is omitted on purpose because the module does not implement it.
© 2024 SUSE, LLC / atsec information security.
| Name | Roles | Input | Output |
|---|---|---|---|
| Authenticated symmetric encryption | Crypto Officer (CO) | Key, Plaintext, IV | Ciphertext, MAC tag |
| Authenticated symmetric decryption | Key, Ciphertext, MAC tag | Plaintext | |
| Key pair generation | RSA key size, Diffie-Hellman Safe Prime or Elliptic Curve | Key pair | |
| Diffie-Hellman shared secret computation | Private key, public key from peer | Shared secret | |
| Digital signature generation | Message, private key, hash algorithm | Digital signature | |
| Digital signature verification | Signature, message, public key, hash algorithm | Verification result | |
| Domain parameter generation | Domain parameters input | Generated domain parameters | |
| EC Diffie-Hellman shared secret computation | Private key, public key from peer | Shared secret | |
| HKDF key derivation | Shared secret | HKDF derived key | |
| TLS key derivation | TLS Pre-master secret | Derived key | |
| Key agreement | Key pair | Shared secret | |
| Key encapsulation | Key to be encapsulated, Key encapsulating key | Encapsulated key | |
| Key un-encapsulation | Encapsulated key, Key encapsulating key | Unencapsulated key | |
| Key unwrapping | Wrapped key, Key unwrapping key | Unwrapped key | |
| Key wrapping | Key to be wrapped, Key wrapping key | Wrapped key | |
| Message authentication code (MAC) | Message, HMAC key or AES key | Message authentication code | |
| Message digest | Message | Digest of the message | |
| Password-based key derivation | Password or passphrase, salt, iteration count | PBKDF Derived key | |
| Public key verification | Key pair | Pass/fail | |
| Random number generation | Number of bits | Random number | |
| Self-tests | Module reset or API call | Result of self-test (pass/fail) | |
| Symmetric decryption | Key, Ciphertext | Plaintext | |
| Symmetric encryption | Key, Plaintext | Ciphertext | |
| Show module name and version | None | Name and version information | |
| Show status | N/A | Return codes and/or log messages | |
| Transport Layer Security (TLS) network protocol | Cipher-suites, Digital Certificate, Public and Private Keys, Application Data | Return codes and/or log messages, Application data |
SUSE Linux Enterprise GnuTLS Cryptographic Module
4.1 Services The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support authentication. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module N/A N/A Table 9 - Roles, Service Commands, Input and Output The module provides services to the users that assume one of the available roles. All services are shown in Table 10 and Table 11. 4.1.1 Approved Services Table 10 lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or SSPs involved, and their access type(s). The following convention is used to specify access rights to an SSP:
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Symmetric encryption | Perform AES encryption | CO | AES key | AES-CBC AES-CCM AES-CFB8 AES-CMAC AES-GMAC AES-XTS | W, E | GNUTLS_FIPS140_OP_ APPROVED |
| Symmetric decryption | Perform AES decryption | AES key | AES-CBC AES-CCM AES-CFB8 AES-CMAC AES-GMAC AES-XTS | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Authenticated symmetric encryption | Encrypt a plaintext | AES key | AES-CCM | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Authenticated symmetric decryption | Decrypt a ciphertext | AES key | AES-CCM | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Key wrapping | Key wrapping (as part of the cipher suites in the TLS protocol) | AES key | AES-CCM AES-GCM | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| AES-CBC, HMAC | AES key | AES-CBC, HMAC | W, E | |||
| HMAC key | HMAC key | W, E | ||||
| Key unwrapping | Key unwrapping (as part of the cipher suites in the TLS protocol) | AES key | AES-CCM AES-GCM | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| AES-CBC, HMAC | AES key | AES-CBC, HMAC | W, E | |||
| HMAC key | HMAC key | W, E | ||||
| Key pair generation | Generate RSA, DH, ECDH and ECDSA key pairs | Module- generated Diffie-Hellman public key | CKG DRBG Safe primes key pair generation RSA ECDSA | G, E, R | GNUTLS_FIPS140_OP_ APPROVED | |
| Module- generated Diffie-Hellman private key | Module- generated Diffie-Hellman private key | G, E, R | ||||
| Module- generated RSA public key | Module- generated RSA public key | G, E, R | ||||
| Module- generated RSA private key | Module- generated RSA private key | G, E, R | ||||
| Module- generated ECDSA public key | Module- generated ECDSA public key | G, E, R | ||||
| Module- generated ECDSA private key | Module- generated ECDSA private key | G, E, R | ||||
| Module- generated EC Diffie-Hellman private key | Module- generated EC Diffie-Hellman private key | G, E, R | ||||
| Module- generated EC Diffie-Hellman public key | Module- generated EC Diffie-Hellman public key | G, E, R | ||||
| Digital signature generation | Generate RSA and ECDSA signature | RSA private key | SHA, RSA ECDSA | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Digital signature verification | Verify RSA, and ECDSA signature | RSA public key | SHA RSA ECDSA | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Public key verification | Verify ECDSA public key | ECDSA public key | ECDSA | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Random number generation | Generate random bitstrings | Entropy input | DRBG, Non- Physical Entropy Source | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| DRBG internal state: V value, key | DRBG internal state: V value, key | G, E | GNUTLS_FIPS140_OP_ APPROVED | |||
| DRBG seed | DRBG seed | E, G | ||||
| Message digest | Compute SHA hashes | None | SHA | N/A | GNUTLS_FIPS140_OP_ APPROVED | |
| Message authentication code (MAC) | Compute HMAC | HMAC key | HMAC | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Compute AES- based CMAC | Compute AES- based CMAC | AES key | AES-CMAC | W, E | ||
| Compute AES- based GMAC | Compute AES- based GMAC | AES key | AES-GMAC | W, E | ||
| Diffie-Hellman shared secret computation | Perform shared secret computation | Diffie-Hellman public key | KAS-FFC-SSC | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| Diffie-Hellman private key | Diffie-Hellman private key | W, E | ||||
| Diffie-Hellman shared secret | Diffie-Hellman shared secret | G, R | ||||
| EC Diffie- Hellman shared secret computation | Perform shared secret computation | EC Diffie- Hellman public key | KAS-ECC-SSC | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| EC Diffie- Hellman private key | EC Diffie- Hellman private key | W, E | ||||
| EC Diffie- Hellman shared secret | EC Diffie- Hellman shared secret | G, R | ||||
| HKDF key derivation | Perform key derivation using HKDF (in the context of TLS 1.3) | Diffie-Hellman shared Secret | KDA HKDF | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| EC Diffie- Hellman shared secret | EC Diffie- Hellman shared secret | W, E | ||||
| HKDF derived key | HKDF derived key | G, R | ||||
| Password-based key derivation | Perform password-based key derivation | Password or passphrase | PBKDF | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| PBKDF derived key | PBKDF derived key | G, R | ||||
| TLS KDF key derivation | Perform key derivation using TLS 1.0/1.1, 1.2 KDF | TLS Pre-master secret | TLS KDF v1.0/1.1 TLS KDF v1.2 RFC7627 | W, E | GNUTLS_FIPS140_OP_ APPROVED | |
| TLS Master secret | TLS Master secret | W, E, G | ||||
| TLS Derived key | TLS Derived key | G, R | ||||
| Transport Layer Security (TLS) network protocol | Establish TLS session | CO | RSA public key, RSA private key ECDSA public key, ECDSA private key | Supported cipher suites in FIPS-validated configuration (see Appendix A for the complete list of valid cipher suites) | W, E | GNUTLS_FIPS140_OP_ APPROVED |
| Diffie-Hellman public key, EC Diffie- Hellman public key | Diffie-Hellman public key, EC Diffie- Hellman public key | W, E, G, R | ||||
| TLS pre-master secret, TLS Master secret, TLS Derived key, HKDF derived key, Diffie-Hellman private key, EC Diffie- Hellman private key | TLS pre-master secret, TLS Master secret, TLS Derived key, HKDF derived key, Diffie-Hellman private key, EC Diffie- Hellman private key | E, G | ||||
| Show status | Show module status | CO | None | N/A | N/A | Implicit (always approved) |
| Self-tests | Perform self- tests | None | AES, Diffie- Hellman, EC Diffie-Hellman, ECDSA, DRBG, HMAC, RSA, SHS, HKDF KDA, TLSv1.2 KDF (RFC7627) | N/A | Implicit (always approved) | |
| Show module name and version | Show module name and version | None | N/A | N/A | Implicit (always approved) |
SUSE Linux Enterprise GnuTLS Cryptographic Module W, E W, E W, E W, E W, E W, E W, E W, E W, E W, E Modulegenerated G, E, R Modulegenerated G, E, R Modulegenerated RSA G, E, R Modulegenerated RSA G, E, R © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Modulegenerated G, E, R Modulegenerated G, E, R Modulegenerated EC G, E, R Modulegenerated EC G, E, R W, E W, E W, E W, E G, E E, G N/A W, E W, E W, E W, E W, E G, R © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module W, E EC DiffieHellman W, E G, R W, E W, E G, R W, E G, R W, E W, E, G G, R 1.3) W, E W, E, G, R © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module EC DiffieHellman E, G N/A N/A N/A Z Perform selftests AES, DiffieNone N/A N/A N/A Table 10 - Approved Services Table 11 lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-Approved mode can be found in Table 7. © 2024 SUSE, LLC / atsec information security.
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| Symmetric encryption | Compute the cipher for encryption | CO | AES GCM when not used in the context of the TLS protocol. Blowfish Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 SEED Serpent Triple-DES Twofish |
| Symmetric decryption | Compute the cipher for decryption | AES GCM when not used in the context of the TLS protocol. Blowfish Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 SEED Serpent Triple-DES Twofish | |
| Key pair generation | Generate RSA, DSA, and ECDSA key pairs | DSA ECDSA with curves not listed in Table 5 RSA with keys smaller than 2048 bits or greater than 4096 bits | |
| Digital signature generation | Sign RSA, DSA, and ECDSA signatures | DSA ECDSA with curves not listed in Table 5 RSA with keys smaller than 2048 bits or greater than 4096 bits SHA-1 | |
| Digital signature verification | Verify RSA, DSA, and ECDSA signatures | DSA ECDSA with curves not listed in Table 5 RSA with keys smaller than 1024 bits or greater than 4096 bits. | |
| Domain parameter generation | Generate domain parameter | DSA | |
| Message digest | Compute message digest | GOST MD2, MD4, MD5 RMD160 STREEBOG | |
| Message authentication code (MAC) | Compute message authentication code | CMAC with Triple-DES GMAC HMAC with keys smaller than 112-bit HMAC with GOST MD2, MD4, MD5 RMD160 STREEBOG UMAC | |
| Key encapsulation | Perform RSA key encapsulation | RSA encryption and decryption with any key sizes | |
| Key un- encapsulation | Perform RSA key un- encapsulation | RSA encryption and decryption with any key sizes | |
| Diffie-Hellman shared secret computation | Shared secret computation using DH | Diffie-Hellman with keys generated with domain parameters other than safe primes | |
| EC Diffie-Hellman shared secret computation | Shared secret computation using ECDH | EC Diffie-Hellman with curves not listed in Table 5 | |
| Key agreement | Perform key agreement | Diffie-Hellman with keys generated with domain parameters other than safe primes EC Diffie-Hellman with curves not listed in Table 5 SRP | |
| Password-based key derivation | Perform key derivation using PBKDF | PBKDF with non-approved message digest algorithms | |
| Public key verification | Verify ECDSA public key | ECDSA with curves not listed in Table 5. | |
| Transport Layer Security (TLS) Network Protocol | Establish non-supported TLS channel | Non-supported cipher suites (see Appendix A for the complete list of valid cipher suites) |
SUSE Linux Enterprise GnuTLS Cryptographic Module © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Key unencapsulation © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
5.1 Integrity Techniques The integrity of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module listed in section 2. If the HMAC values do not match, the test fails, and the module enters the error state. 5.2 On-Demand Integrity Test The module provides the Self-Test service to perform self-tests on demand which includes the preoperational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The SelfTests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the SelfTest service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible. 5.3 Executable Code The module consists of executable code in the form of libgnutls, libnettle, libhogweed, and libgmp shared libraries as stated in the Table 2. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
6.1 Applicability This module operates in a modifiable operational environment per the FIPS 140-3 level 1 specifications. The SUSE Linux Enterprise Server operating system is used as the basis of other products. Compliance is maintained for SUSE products whenever the binary is found unchanged per the vendor affirmation from SUSE based on the allowance FIPS 140-3 management manual section 7.9.1 bullet 1 a i). Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when supported if the specific operational environment is not listed on the validation certificate. 6.2 Policy The module does not support concurrent operators. Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment. 6.3 Requirements The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
The module is comprised of software only, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.
| Name | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Use | Import Export |
|---|---|---|---|---|---|---|---|---|
| AES key | AES-XTS: 128, 256 Other modes: 128, 192, 256 | AES-CBC, AES-CCM, AES-CFB8, AES-CMAC, AES-GCM, AES-GMAC, AES-XTS A2984, A2985, A2986, A2987, A2989, A2990, A2992, A2993, A2995, A2996, A2997, A3004, A3007 | N/A | N/A | RAM | gnutls_cipher_ deinit() gnutls_aead_ci pher_deinit() | Use: Symmetric encryption; Symmetric decryption; Authenticated symmetric encryption; Authenticated symmetric decryption; Message authentication code (MAC); Key wrapping; Key unwrapping; Related SSPs: N/A | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| HMAC key | 112-256 | HMAC A2987, A2992, A2998, A3007 | N/A | N/A | RAM | gnutls_hmac_d einit() | Use: Message Authentication Code (MAC); Key wrapping; Key unwrapping; Related SSPs: N/A | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| Module- generated RSA public key | 112 to 256 | RSA CTR_DRBG A2992 | Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG. | N/A | RAM | gnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit() | Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated RSA private key | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| Module- generated RSA private key | 112 to 256 | RSA CTR_DRBG A2992 | Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from | N/A | RAM | gnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit() | Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated RSA public key | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. |
| the SP800- 90Arev1 DRBG. | the SP800- 90Arev1 DRBG. | Import: None | ||||||
| RSA private key | 112-256 | RSA A2992 | N/A | N/A | RAM | gnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit() | Use: Digital signature generation; Transport Layer Security (TLS) network protocol Related SSPs: RSA public key | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| RSA public key | 112-256 | RSA A2992 | N/A | N/A | RAM | gnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit() | Use: Digital signature verification; Transport Layer Security (TLS) network protocol Related SSPs: RSA private key | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| Module- generated ECDSA private key | 128, 192, 256 | ECDSA CTR_DRBG A2992 | Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG. | N/A | RAM | gnutls_pk_par ams_clear() | Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated ECDSA public key | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| Module- generated ECDSA public key | 128, 192, 256 | ECDSA CTR_DRBG A2992 | Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG | N/A | RAM | gnutls_pk_par ams_clear() | Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated ECDSA private key | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| ECDSA public key | 128, 192, 256 | ECDSA A2992 | N/A | N/A | RAM | gnutls_pk_par ams_clear() | Use: Digital signature verification; Public key verification; Transport Layer Security (TLS) network protocol Related SSPs: ECDSA private key | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| ECDSA private key | 128, 192, 256 | ECDSA A2992 | N/A | N/A | RAM | gnutls_pk_par ams_clear() | Use: Digital signature generation; Transport Layer Security (TLS) network protocol; Public key verification; Related SSPs: ECDSA public key | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| Module- generated Diffie- Hellman public key | 112 to 200 | KAS-FFC-SSC CTR_DRBG A2992 | Generated using the SP 800-56Arev3 Safe Primes key generation method; random values are obtained from the SP800- 90Arev1 DRBG. | N/A | RAM | gnutls_dh_par ams_deinit() gnutls_pk_par ams_clear() | Use: Key pair generation; Transport Layer Security (TLS) network protocol Related SSPs: Module- generated Diffie-Hellman private key; DRBG internal state: V value, key; TLS pre- master secret | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| Module- generated Diffie- Hellman private key | 112 to 200 | KAS-FFC-SSC CTR_DRBG A2992 | Generated using the SP 800-56Arev3 Safe Primes key generation method; random values are obtained from the SP800- 90Arev1 DRBG. | N/A | RAM | gnutls_dh_par ams_deinit() gnutls_pk_par ams_clear() | Use: Key pair generation; Transport Layer Security (TLS) network protocol Related SSPs: Module- generated Diffie-Hellman public key; DRBG internal state: V value, key; TLS pre- master secret | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| Diffie- Hellman public key | 112 to 200 | KAS-FFC-SSC A2992 | N/A | RAM | gnutls_dh_par ams_deinit() gnutls_pk_par ams_clear() | Use: Diffie- Hellman shared secret computation; Transport Layer Security (TLS) network protocol Related keys: Diffie- Hellman private key; Diffie-Hellman shared secret | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None | |
| Diffie- Hellman private key | 112 to 200 | KAS-FFC-SSC A2992 | N/A | RAM | gnutls_dh_par ams_deinit() gnutls_pk_par ams_clear() | Use: Diffie- Hellman shared secret computation; | MD/EE | |
| Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None | Transport Layer Security (TLS) network protocol Related keys: Diffie- Hellman public key; Diffie- Hellman shared secret | Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None | ||||||
| Module- generated EC Diffie- Hellman private key | 128, 192, 256 | KAS-ECC-SSC CTR_DRBG A2992 | Generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4] and [SP800- 56Arev3]; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG | N/A | RAM | gnutls_pk_par ams_clear() | Use: Key pair generation; Transport Layer Security (TLS) network protocol Related keys: Module- generated EC Diffie-Hellman public key; DRBG internal state: V value, key; TLS pre- master secret | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| Module- generated EC Diffie- Hellman public key | 128, 192, 256 | KAS-ECC-SSC CTR_DRBG A2992 | Generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4] and [SP800- 56Arev3]; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG | N/A | RAM | gnutls_pk_par ams_clear() | Use: Key pair generation; Transport Layer Security (TLS) network protocol Related keys: Module- generated EC Diffie-Hellman private key; DRBG internal state: V value, key; TLS pre- master secret | MD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| EC Diffie- Hellman private key | 128, 192, 256 | KAS-ECC-SSC A2992 | N/A | N/A | RAM | gnutls_pk_par ams_clear() | Use: EC Diffie- Hellman shared secret computation; Related keys: EC Diffie-Hellman shared secret; EC Diffie- Hellman public key | MD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| EC Diffie- Hellman public key | 128, 192, 256 | KAS-ECC-SSC A2992 | N/A | N/A | RAM | gnutls_pk_par ams_clear() | Use: EC Diffie- Hellman shared secret computation; Related keys: EC | MD/EE Import: CM from TOEPP Path. |
| Passed to the module via API parameters in plaintext (P) format. Export: None | Diffie-Hellman private key; EC Diffie-Hellman shared secret | Passed to the module via API parameters in plaintext (P) format. Export: None | ||||||
| Diffie- Hellman shared secret | 112 to 200 | KAS-FFC-SSC A2992 | N/A | Generate d during the Diffie- Hellman key agreeme nt and shared secret computat ion per SP800- 56Arev3. | RAM | zeroize_key() | Use: Diffie- Hellman shared secret computation; HKDF key derivation Related keys: Diffie- Hellman public key, Diffie- Hellman private key; | MD/EE Import: CM to/from TOEPP Path. Passed to/from the module via API parameters in plaintext (P) format Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. |
| EC Diffie- Hellman shared secret | 112 to 256 | KAS-ECC-SSC A2992 | N/A | Generate d during the EC Diffie- Hellman key agreeme nt and shared secret computat ion per SP800- 56Arev3. | RAM | zeroize key() | Use: EC Diffie- Hellman shared secret computation; HKDF key derivation Related keys: EC Diffie-Hellman public key; EC Diffie-Hellman private key; | MD/EE Import: CM to/from TOEPP Path. Passed to/from the module via API parameters in plaintext (P) format. Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. |
| PBKDF password or passphrase | Password strength 1020 - 10128 | PBKDF A2992 | N/A (key material is entered via API parameters) | N/A | RAM | Internal PBKDF state is zeroized automatically when function returns. | Use: Password- based key derivation Related keys: PBKDF derived key | MD/EE Import: CM to TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None |
| PBKDF derived key | 112-256 bits | PBKDF A2992 | Derived during the PBKDF | N/A | RAM | zeroize_key() | Use: Password- based key derivation Related keys: PBKDF password or passphrase | MD/EE Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. |
| Entropy input IG D.L compliant | 192 to 384 bits | DRBG A2992 ESV E28, E29 | N/A | N/A | RAM | gnutls_global_ deinit() | Use: Random number generation Related keys: DRBG seed | Import: None Export: None it remains within the cryptographic boundary. |
| DRBG seed IG D.L compliant | 192 to 384 bits | CTR_DRBG A2992 ESV E28, E29 | Generated from the entropy input as defined in SP800- 90Arev1 | N/A | RAM | gnutls_global_ deinit() | Use: Random number generation Related SSPs: Entropy input; DRBG internal state: V value, key | Import: None Export: None it remains within the cryptographic boundary. |
| DRBG internal state: V value, key IG D.L compliant | 128 to 256 bits | CTR_DRBG A2992 | Generated from the DRBG seed as defined in SP800-90Arev1 | N/A | RAM | gnutls_global_ deinit() | Use: Random number generation Related keys: DRBG seed, Module- generated ECDSA public key, Module- generated ECDSA private key, Module- generated RSA public key, Module- generated RSA private key, Module- generated Diffie-Hellman public key, Module- generated Diffie-Hellman private key, Module- generated EC Diffie-Hellman public key, Module- generated EC Diffie-Hellman private key | Import: None Export: None |
| TLS pre- master secret | DH 112 to 200 ECDH 112 to 256 bits | KDF TLS, TLS v1.2 KDF RFC7627 A2992 | N/A | Generate d during the EC Diffie- Hellman / Diffie- Hellman key agreeme nt and shared secret computat | RAM | gnutls_deinit() | Use: Transport Layer Security (TLS) network protocol; TLS key derivation Related keys: TLS master secret | MD/EE Export: None Import: CM to TOEPP Path. Passed to the module via API parameters in plaintext (P) format. |
| TLS master secret | 112 to 256 bits | KDF TLS, TLS v1.2 KDF RFC7627 A2992 | Derived from TLS pre-master secret using TLS KDF per SP800-135rev1 (TLSv1.0/1.1) TLS v1.2 KDF RFC7627 | N/A | RAM | gnutls_deinit() | Use: Transport Layer Security (TLS) network protocol; TLS key derivation Related keys: TLS pre- master secret, TLS Derived key | MD/EE Export: None Import: None |
| TLS Derived key | 112 to 256 bits | KDF TLS, TLS v1.2 KDF RFC7627 A2992 | Derived from TLS master secret during the TLS KDF per SP800-135rev1 (TLSv1.0/1.1) TLS v1.2 KDF RFC7627 | N/A | RAM | gnutls_deinit() | Use: Transport Layer Security (TLS) network protocol; TLS key derivation Related keys: TLS pre- master secret; TLS master secret | MD/EE Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
| HKDF derived key | 112 to 256 bits | KDA HKDF A2991 | Derived (as part of TLSv1.3) with KDA HKDF | N/A | RAM | gnutls_deinit() | Use: Transport Layer Security (TLS) network protocol; HKDF key derivation Related keys: EC Diffie- Hellman shared secret; Diffie-Hellman shared secret | MD/EE Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None |
SUSE Linux Enterprise GnuTLS Cryptographic Module
Table 12 summarizes the SSPs that are used by the cryptographic services implemented in the Modulegenerated e N/A N/A N/A N/A N/A Modulegenerated RSA Module112 to Modulegenerated RSA N/A
3 see Table 5 for the certificate number of each algorithm listed in this column.
© 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module e N/A N/A N/A N/A Modulegenerated N/A Modulegenerated Modulegenerated N/A Modulegenerated N/A N/A © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module N/A e N/A Modulegenerated DiffieHellman N/A SSPs: Modulegenerated Modulegenerated DiffieHellman N/A SSPs: Modulegenerated DiffieHellman N/A Use: DiffieHellman keys: DiffieHellman DiffieHellman N/A Use: DiffieHellman © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module e key; DiffieHellman Modulegenerated EC DiffieHellman N/A [SP800Import: None Modulegenerated EC DiffieHellman N/A [SP800Import: None EC DiffieHellman N/A N/A EC DiffieHellman N/A N/A © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module e DiffieHellman N/A Use: DiffieHellman key, DiffieHellman EC DiffieHellman N/A N/A N/A Passwordzeroized N/A Passwordbased key © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module e N/A N/A N/A in SP800the N/A seed, Modulegenerated key, Modulegenerated Modulegenerated RSA Modulegenerated Modulegenerated Modulegenerated EC Modulegenerated EC N/A DiffieHellman / DiffieHellman TLS premaster © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module e SP80056Arev3. N/A N/A EC DiffieHellman N/A Table 12 - SSPs 9.1 The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90Arev1] for the creation of seeds for asymmetric keys, random numbers for security functions (e.g. ECDSA signature generation), and server and client random numbers for the TLS protocol. In addition, the module provides a Random Number Generation service to calling applications. The DRBG supports the CTR_DRBG with AES-256, without derivation function and without prediction resistance. The module uses an SP800-90B-compliant entropy source specified in Table 13. This entropy source is located within the physical perimeter, but outside of the cryptographic boundary of the module. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it, © 2024 SUSE, LLC / atsec information security.
| Non-Physical Entropy Source ESV E28, E29 | 256 bits of entropy in the 256-bit output | Userspace Standalone CPU Time Jitter RNG version 3.4.0 entropy source (using SHA-3 as the vetted conditioning component) is located within the physical perimeter of the operational environment but outside the module cryptographic boundary. |
|---|
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 13 - Non-Deterministic Random Number Generation Specification 9.2 SSP Generation In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys according to section 4, 5.1 and 5.2 of [SP800-133rev2] by obtaining a random bit string directly from an approved [SP800-90Arev1] DRBG and that can support the required security strength requested by the caller (without any V, as described in Additional Comments 2 of IG D.H).
SUSE Linux Enterprise GnuTLS Cryptographic Module For Diffie-Hellman, the module supports the use of safe primes from RFC7919 for domain parameters and key generation, which are used in the TLS key agreement implemented by the module.
SUSE Linux Enterprise GnuTLS Cryptographic Module 9.4 SSP Entry and Output The module does not support manual SSP entry or intermediate SSP generation output. The SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] IG 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry on the Key Establishment Table. 9.5 SSP Storage All SSPs not generated by the module are provided by the calling application. The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. 9.6 SSP Zeroization The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 12. Calling the gnutls_global_deinit() will zeroize the SSPs stored in the TLS protocol internal state and also invoke the corresponding API functions listed in Table 12 to zeroize SSPs. The zeroization functions overwrite the memory occupied by SSPs with “zeros” and deallocate the memory with the regular memory deallocation operating system call. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. © 2024 SUSE, LLC / atsec information security.
| Algorithm | Test |
|---|---|
| AES | KAT AES CBC mode with 128, 256-bit keys, encryption and decryption (separately tested); KAT AES GCM mode with 256-bit key, encryption and decryption (separately tested); KAT AES XTS mode with 256-bit keys, encryption and decryption (separately tested); KAT AES CFB8 mode with 256-bit keys, encryption and decryption (separately tested); KAT AES CMAC mode with 256-bit keys, encryption and decryption (separately tested); |
| Diffie-Hellman | Primitive “Z” Computation KAT with 3072-bit key using ffdhe3072 safe- prime. |
| DRBG | KAT CTR_DRBG with AES with 256-bit keys without DF, without PR Health tests according to section 11.3 of [SP800-90Arev1] |
| EC Diffie-Hellman | Primitive “Z” Computation KAT with P-256 curve |
| ECDSA | KAT ECDSA with P-256 using SHA-256, P-384 using SHA-384, and P-521 using SHA-512, signature generation and verification (separately tested) |
| HKDF KDA | KAT with HMAC-SHA2-256 |
| HMAC | KAT HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC- SHA2-512 |
SUSE Linux Enterprise GnuTLS Cryptographic Module Self-tests The module performs the pre-operational self-test and CASTs automatically when the module is loaded into memory. The pre-operational self-test ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational tests and CASTs are completed successfully. After the pre-operational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state.
The module performs the integrity test using HMAC-SHA2-256. The details of integrity test are provided in 5.1.
Table 14 specifies all the CASTs. The CASTs are performed in the form of the Known Answer Tests (KATs) and are run prior to performing the integrity test. A KAT includes the comparison of a calculated output with an expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. © 2024 SUSE, LLC / atsec information security.
| Name | Use Function |
|---|---|
| Test | Algorithm |
| PCT using SHA2-256, signature generation and verification. | ECDSA key generation |
| PCT using SHA2-256, signature generation and verification. | RSA key generation |
| PCT according to section 5.6.2.1.4 of [SP800-56Arev3] | Diffie-Hellman key generation |
| Covered by ECDSA PCT as allowed by IG 10.3.A additional comment 1 | EC Diffie-Hellman key generation |
| Algorithm | Test |
|---|---|
| PBKDF2 KDF | KAT with HMAC-SHA2-256 |
| RSA | KAT RSA with 2048-bit key using SHA2-256, signature generation and verification (separately tested); |
| SHA-3 | KAT SHA3-224, SHA3-256, SHA3-384, SHA3-512 |
| TLSv1.2 KDF (RFC7627) | KAT with SHA2-256 |
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 14 - Conditional Cryptographic Algorithms Self-Tests
The module performs the Pair-wise Consistency Tests (PCT) shown in the following table. If at least one of the tests fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output, and cryptographic operations are not allowed. Table 15 - Pairwise Consistency Test
The module provides the Self-Test service to perform self-tests on demand which includes the preoperational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The SelfTests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the SelfTest service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible.
When the module fails any pre-operational self-test or conditional test, the module will return an error code to indicate the error and enters error state. Any further cryptographic operations and the data output via the data output interface are inhibited. The calling application can obtain the module state by calling the gnutls_fips140_get_operation_state() API function. The function returns GNUTLS_FIPS140_OP_ERROR if the module is in the Error state. The following table shows the error codes and the corresponding condition: © 2024 SUSE, LLC / atsec information security.
| Error | Cause of Error | Status Indicator |
|---|---|---|
| State | ||
| Error State | When the integrity tests or KATs fail at power-up. | GNUTLS_E_SELF_TEST_ERROR (-400) |
| When the KAT of DRBG fails during pre- operational tests | GNUTLS_E_RANDOM_FAILED (-206) | |
| When the newly generated RSA, ECDSA, Diffie-Hellman or EC Diffie-Hellman key pair fails the PCT | GNUTLS_E_PK_GENERATION_ERROR (-403) | |
| When the module is in error state and caller requests cryptographic operations | GNUTLS_E_LIB_IN_ERROR_STATE (-402) |
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 16 - Error States Self-test errors transition the module into an error state that keeps the module operational but prevents any cryptographic related operations. The module must be restarted and perform the per-operational self-test and the CASTs to recover from these errors. If failures persist, the module must be re-installed. A completed list of the error codes can be found in Appendix C “Error Codes and Descriptions” in the gnutls.pdf provided with the module's code. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
The following sections describe the Delivery and Operation and Crypto Officer Guidance of the module.
The Crypto Officer can install the RPM packages containing the module as listed in Table 18 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.
The operating environment needs to be configured to support FIPS, so the following steps shall be performed with the root privilege:
Table 17 includes the information on module installation process for the vendor affirmed platforms that are listed in Table 4. © 2024 SUSE, LLC / atsec information security.
| Name | Processor | Package |
|---|---|---|
| Intel 64-bit | Intel 64-bit | libgnutls30-3.7.3-150400.4.35.1.x86_64.rpm libnettle8-3.7.3-150400.2.21.x86_64.rpm libhogweed6-3.7.3-150400.2.21.x86_64.rpm libgmp10-6.1.2-4.9.1.x86_64.rpm |
| AMD 64-bit | AMD 64-bit | libgnutls30-3.7.3-150400.4.35.1.x86_64.rpm |
| libnettle8-3.7.3-150400.2.21.x86_64.rpm libhogweed6-3.7.3-150400.2.21.x86_64.rpm libgmp10-6.1.2-4.9.1.x86_64.rpm | libnettle8-3.7.3-150400.2.21.x86_64.rpm libhogweed6-3.7.3-150400.2.21.x86_64.rpm libgmp10-6.1.2-4.9.1.x86_64.rpm | |
| IBM z15 | IBM z15 | libgnutls30-3.7.3-150400.4.35.1.s390x.rpm libnettle8-3.7.3-150400.2.21.s390x.rpm libhogweed6-3.7.3-150400.2.21.s390x.rpm libgmp10-6.1.2-4.9.1.s390x.rpm |
| ARMv8 64-bit | ARMv8 64-bit | libgnutls30-3.7.3-150400.4.35.1.aarch64.rpm libnettle8-3.7.3-150400.2.21.aarch64.rpm libhogweed6-3.7.3-150400.2.21.aarch64.rpm libgmp10-6.1.2-4.9.1.aarch64.rpm |
| IBM Power10 64-bit | IBM Power10 64-bit | libgnutls30-3.7.3-150400.4.35.1.ppc64le.rpm libnettle8-3.7.3-150400.2.21.ppc64le.rpm libhogweed6-3.7.3-150400.2.21.ppc64le.rpm libgmp10-6.1.2-4.9.1.ppc64le.rpm |
| Product | Link |
|---|---|
| SUSE Linux Enterprise Micro 5.3 | https://documentation.suse.com/sle-micro/5.3/single-html/SLE-Micro- security/#sec-fips-slemicro-install |
| SUSE Linux Enterprise Server for SAP 15SP4 | https://documentation.suse.com/sles/15-SP4/html/SLES-all/book- security.html |
| SUSE Linux Enterprise Base Container Image 15SP4 | https://documentation.suse.com/smart/linux/html/concept- bci/index.html |
| SUSE Linux Enterprise Desktop 15SP4 | https://documentation.suse.com/sled/15-SP4/html/SLED-all/book- security.html |
| SUSE Linux Enterprise Real Time 15SP4 | https://documentation.suse.com/sle-rt/15-SP4/ |
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 17 - Installation for Vendor Affirmed Platforms Note: Per section 7.9 in the FIPS 140-3 Management Manual [FIPS140-3_MM], the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.
For secure sanitization of the cryptographic module, the module needs first to be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. The module does not possess persistent storage of SSPs, so further sanitization steps are not needed.
The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow section 11.1.1 and 11.1.2 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. Table 16 lists the RPM packages that contain the FIPS validated module. The "Show module name and version" service returns the value “GnuTLS version 3.7.3-150400.4.35.1”, which matches the version included in the RPM package filenames, and map to version 1.1 of the cryptogtaphic module. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 18 - RPM packages
The TLS protocol implementation provides both server and client sides. In order to operate in the approved mode, digital certificates used for server and client authentication shall comply with the restrictions of key size and message digest algorithms imposed by [SP800-131Arev2]. In addition, as required also by [SP800-131Arev2], Diffie-Hellman with keys smaller than 2048 bits must not be used. The TLS protocol lacks the support to negotiate the used Diffie-Hellman key sizes. To ensure full support for all TLS protocol versions, the TLS client implementation of the module accepts DiffieHellman key sizes smaller than 2048 bits offered by the TLS server. For complying with the requirement to not allow Diffie-Hellman key sizes smaller than 2048 bits, the Crypto Officer must ensure that:
The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. The module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical (in compliance with IG C.I). Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not an Approved service. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module
The module implements AES GCM for being used in the TLS v1.2 and v1.3 protocols. AES GCM IV generation is in compliance with [FIPS140-3_IG] IG C.H for both protocols as follows:
The module cannot use the following environment variables:
The module provides password-based key derivation (PBKDF), compliant with SP800-132 and IG D.N. The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132], the following requirements shall be met.
SUSE Linux Enterprise GnuTLS Cryptographic Module
SUSE Linux Enterprise GnuTLS Cryptographic Module
The module does not offer mitigation of other attacks. © 2024 SUSE, LLC / atsec information security.
| Name | Reference | ID |
|---|---|---|
| TLS_DH_RSA_WITH_AES_128_CBC_SHA | RFC3268 | { 0x00, 0x31 } |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | RFC3268 | { 0x00, 0x33 } |
| TLS_DH_RSA_WITH_AES_256_CBC_SHA | RFC3268 | { 0x00, 0x37 } |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | RFC3268 | { 0x00, 0x39 } |
| TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | RFC5246 | { 0x00,0x3F } |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | RFC5246 | { 0x00,0x67 } |
| TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | RFC5246 | { 0x00,0x69 } |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | RFC5246 | { 0x00,0x6B } |
| TLS_PSK_WITH_AES_128_CBC_SHA | RFC4279 | { 0x00, 0x8C } |
| TLS_PSK_WITH_AES_256_CBC_SHA | RFC4279 | { 0x00, 0x8D } |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | RFC5288 | { 0x00, 0x9E } |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | RFC5288 | { 0x00, 0x9F } |
| TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | RFC5288 | { 0x00, 0xA0 } |
| TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | RFC5288 | { 0x00, 0xA1 } |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | RFC4492 | { 0xC0, 0x04 } |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | RFC4492 | { 0xC0, 0x05 } |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | RFC4492 | { 0xC0, 0x09 } |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | RFC4492 | { 0xC0, 0x0A } |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | RFC4492 | { 0xC0, 0x0E } |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | RFC4492 | { 0xC0, 0x0F } |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | RFC4492 | { 0xC0, 0x13 } |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | RFC4492 | { 0xC0, 0x14 } |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | RFC5289 | { 0xC0, 0x23 } |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | RFC5289 | { 0xC0, 0x24 } |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | RFC5289 | { 0xC0, 0x25 } |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | RFC5289 | { 0xC0, 0x26 } |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | RFC5289 | { 0xC0, 0x27 } |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | RFC5289 | { 0xC0, 0x28 } |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | RFC5289 | { 0xC0, 0x29 } |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | RFC5289 | { 0xC0, 0x2A } |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | RFC5289 | { 0xC0, 0x2B } |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | RFC5289 | { 0xC0, 0x2C } |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | RFC5289 | { 0xC0, 0x2D } |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | RFC5289 | { 0xC0, 0x2E } |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | RFC5289 | { 0xC0, 0x2F } |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | RFC5289 | { 0xC0, 0x30 } |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | RFC5289 | { 0xC0, 0x31 } |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | RFC5289 | { 0xC0, 0x32 } |
| TLS_DHE_RSA_WITH_AES_128_CCM | RFC6655 | { 0xC0, 0x9E } |
| TLS_DHE_RSA_WITH_AES_256_CCM | RFC6655 | { 0xC0, 0x9F } |
| TLS_DHE_RSA_WITH_AES_128_CCM_8 | RFC6655 | { 0xC0, 0xA2 } |
| TLS_DHE_RSA_WITH_AES_256_CCM_8 | RFC6655 | { 0xC0, 0xA3 } |
| TLS_AES_128_GCM_SHA256 | RFC8446 | { 0x13, 0x01 } |
| TLS_AES_256_GCM_SHA384 | RFC8446 | { 0x13, 0x02 } |
| TLS_AES_128_CCM_SHA256 | RFC8446 | { 0x13, 0x04 } |
| TLS_AES_128_CCM_8_SHA256 | RFC8446 | { 0x13, 0x05 } |
SUSE Linux Enterprise GnuTLS Cryptographic Module Appendix A. The module supports the following cipher suites for the TLS protocol version 1.0, 1.1, 1.2 and 1.3, compliant with section 3.3.1 of [SP800-52rev2]. Each cipher suite defines the key exchange algorithm, the bulk encryption algorithm (including the symmetric key size) and the MAC algorithm. © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Table 19 - TLS Cipher Suites © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DF Derivation Function DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback O/S Operating System PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SHS Secure Hash Standard SSH Secure Shell SSP Sensitive Security Parameter TDES Triple-DES XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module Appendix C. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM FIPS 140-3 Cryptographic Module Validation Program Management Manual April 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3CMVP%20Management%20Manual.pdf FIPS180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 https://www.ietf.org/rfc/rfc3394.txt © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038e.pdfhttps://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-80038E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52rev2 NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SP800-56Arev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Crev2 NIST Special Publication 800-56C Revision 2 - Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57rev5 NIST Special Publication 800-57 Part 1 Revision 5 Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r5.pdf SP800-90Arev1 NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108rev1 NIST Special Publication 800-108 Revision 1 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) August 2022 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Arev2 NIST Special Publication 800-131 Revision 2 - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800132.pdf SP800-133rev2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf © 2024 SUSE, LLC / atsec information security.
SUSE Linux Enterprise GnuTLS Cryptographic Module SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf RFC7627 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension September 2015 https://www.rfc-editor.org/rfc/rfc7627.txt RFC5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.rfc-editor.org/rfc/rfc5288.txt RFC8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.rfc-editor.org/rfc/rfc8446.txt © 2024 SUSE, LLC / atsec information security.