All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Red Hat Enterprise Linux 9 libgcrypt

Certificate#4754StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorRed Hat(R), Inc.
Medium review priority  ·  no TCB surface named  ·  libgcrypt upstream has published 2 CVEs since this module's initial validation  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy
VendorRed Hat(R), Inc.

Approved Algorithms (229)

AlgorithmACVP Cert
AES-CBCA3757
AES-CBCA3759
AES-CBCA3760
AES-CBCA3762
AES-CBCA4675
AES-CBCA4676
AES-CCMA3757
AES-CCMA3757
AES-CCMA3757
AES-CCMA3759
AES-CCMA3759
AES-CCMA3759
AES-CCMA3760
AES-CCMA3760
AES-CCMA3760
AES-CCMA3762
AES-CCMA3762
AES-CCMA3762
AES-CFB128A3757
AES-CFB128A3759
AES-CFB128A3760
AES-CFB128A3762
AES-CFB128A4675
AES-CFB128A4676
AES-CFB8A3757
AES-CFB8A3759
AES-CFB8A3760
AES-CFB8A3762
AES-CFB8A4675
AES-CFB8A4676
AES-CMACA3757
AES-CMACA3759
AES-CMACA3760
AES-CMACA3762
AES-CTRA3757
AES-CTRA3759
AES-CTRA3760
AES-CTRA3762
AES-CTRA4675
AES-CTRA4676
AES-ECBA3757
AES-ECBA3759
AES-ECBA3760
AES-ECBA3762
AES-ECBA4675
AES-ECBA4676
AES-KWA3757
AES-KWA3757
AES-KWA3759
AES-KWA3759
AES-KWA3760
AES-KWA3760
AES-KWA3762
AES-KWA3762
AES-OFBA3757
AES-OFBA3759
AES-OFBA3760
AES-OFBA3762
AES-XTS Testing Revision 2.0A3757
AES-XTS Testing Revision 2.0A3759
AES-XTS Testing Revision 2.0A3760
AES-XTS Testing Revision 2.0A3762
AES-XTS Testing Revision 2.0A4675
AES-XTS Testing Revision 2.0A4676
Counter DRBGA3757
Counter DRBGA3759
Counter DRBGA3760
Counter DRBGA3762
ECDSA KeyGen (FIPS186-4)A3757
ECDSA KeyGen (FIPS186-4)A3759
ECDSA KeyGen (FIPS186-4)A3760
ECDSA KeyGen (FIPS186-4)A3761
ECDSA KeyGen (FIPS186-4)A3762
ECDSA KeyVer (FIPS186-4)A3757
ECDSA KeyVer (FIPS186-4)A3759
ECDSA KeyVer (FIPS186-4)A3760
ECDSA KeyVer (FIPS186-4)A3761
ECDSA KeyVer (FIPS186-4)A3762
ECDSA SigGen (FIPS186-4)A3757
ECDSA SigGen (FIPS186-4)A3759
ECDSA SigGen (FIPS186-4)A3760
ECDSA SigGen (FIPS186-4)A3761
ECDSA SigGen (FIPS186-4)A3762
ECDSA SigVer (FIPS186-4)A3757
ECDSA SigVer (FIPS186-4)A3759
ECDSA SigVer (FIPS186-4)A3760
ECDSA SigVer (FIPS186-4)A3761
ECDSA SigVer (FIPS186-4)A3762
Hash DRBGA3757
Hash DRBGA3759
Hash DRBGA3760
Hash DRBGA3761
Hash DRBGA3762
HMAC DRBGA3757
HMAC DRBGA3759
HMAC DRBGA3760
HMAC DRBGA3761
HMAC DRBGA3762
HMAC-SHA-1A3757
HMAC-SHA-1A3758
HMAC-SHA-1A3759
HMAC-SHA-1A3760
HMAC-SHA-1A3761
HMAC-SHA-1A3762
HMAC-SHA2-224A3757
HMAC-SHA2-224A3759
HMAC-SHA2-224A3760
HMAC-SHA2-224A3761
HMAC-SHA2-224A3762
HMAC-SHA2-256A3757
HMAC-SHA2-256A3759
HMAC-SHA2-256A3760
HMAC-SHA2-256A3761
HMAC-SHA2-256A3762
HMAC-SHA2-384A3757
HMAC-SHA2-384A3759
HMAC-SHA2-384A3760
HMAC-SHA2-384A3761
HMAC-SHA2-384A3762
HMAC-SHA2-512A3757
HMAC-SHA2-512A3759
HMAC-SHA2-512A3760
HMAC-SHA2-512A3761
HMAC-SHA2-512A3762
HMAC-SHA2-512/224A3757
HMAC-SHA2-512/224A3759
HMAC-SHA2-512/224A3760
HMAC-SHA2-512/224A3761
HMAC-SHA2-512/224A3762
HMAC-SHA2-512/256A3757
HMAC-SHA2-512/256A3759
HMAC-SHA2-512/256A3760
HMAC-SHA2-512/256A3761
HMAC-SHA2-512/256A3762
HMAC-SHA3-224A3757
HMAC-SHA3-224A3761
HMAC-SHA3-224A3762
HMAC-SHA3-256A3757
HMAC-SHA3-256A3761
HMAC-SHA3-256A3762
HMAC-SHA3-384A3757
HMAC-SHA3-384A3761
HMAC-SHA3-384A3762
HMAC-SHA3-512A3757
HMAC-SHA3-512A3761
HMAC-SHA3-512A3762
PBKDFA3757
PBKDFA3759
PBKDFA3760
PBKDFA3761
PBKDFA3762
RSA KeyGen (FIPS186-4)A3757
RSA KeyGen (FIPS186-4)A3759
RSA KeyGen (FIPS186-4)A3760
RSA KeyGen (FIPS186-4)A3761
RSA KeyGen (FIPS186-4)A3762
RSA SigGen (FIPS186-4)A3757
RSA SigGen (FIPS186-4)A3759
RSA SigGen (FIPS186-4)A3760
RSA SigGen (FIPS186-4)A3761
RSA SigGen (FIPS186-4)A3762
RSA SigVer (FIPS186-2)A3757
RSA SigVer (FIPS186-2)A3759
RSA SigVer (FIPS186-2)A3760
RSA SigVer (FIPS186-2)A3761
RSA SigVer (FIPS186-2)A3762
RSA SigVer (FIPS186-4)A3757
RSA SigVer (FIPS186-4)A3759
RSA SigVer (FIPS186-4)A3760
RSA SigVer (FIPS186-4)A3761
RSA SigVer (FIPS186-4)A3762
SHA-1A3757
SHA-1A3758
SHA-1A3759
SHA-1A3760
SHA-1A3761
SHA-1A3762
SHA2-224A3757
SHA2-224A3759
SHA2-224A3760
SHA2-224A3761
SHA2-224A3762
SHA2-256A3757
SHA2-256A3759
SHA2-256A3760
SHA2-256A3761
SHA2-256A3762
SHA2-256A4675
SHA2-256A4676
SHA2-384A3757
SHA2-384A3759
SHA2-384A3760
SHA2-384A3761
SHA2-384A3762
SHA2-512A3757
SHA2-512A3759
SHA2-512A3760
SHA2-512A3761
SHA2-512A3762
SHA2-512A4675
SHA2-512A4676
SHA2-512/224A3757
SHA2-512/224A3759
SHA2-512/224A3760
SHA2-512/224A3761
SHA2-512/224A3762
SHA2-512/256A3757
SHA2-512/256A3759
SHA2-512/256A3760
SHA2-512/256A3761
SHA2-512/256A3762
SHA3-224A3757
SHA3-224A3761
SHA3-224A3762
SHA3-256A3757
SHA3-256A3761
SHA3-256A3762
SHA3-384A3757
SHA3-384A3761
SHA3-384A3762
SHA3-512A3757
SHA3-512A3761
SHA3-512A3762
SHAKE-128A3757
SHAKE-128A3761
SHAKE-128A3762
SHAKE-256A3757
SHAKE-256A3761
SHAKE-256A3762

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Red Hat Enterprise Linux 9 libgcrypt
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric encryption and decryption<br/>Symmetric encryption and decryption with AES XTS…<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Red Hat Enterprise Linux 9 libgcrypt
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric encryption and decryption<br/>Symmetric encryption and decryption with AES XTS…<br/>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Red Hat, Inc. Red Hat Enterprise Linux 9 libgcrypt Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 Document version: 1.0 www.atsec.com Last update: 2024-07-30

Page 2

Red Hat Enterprise Linux 9 libgcrypt Table of Contents © 2024 Red Hat, Inc., atsec information security.

Page 3

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 4

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 5

Red Hat Enterprise Linux 9 libgcrypt List of Tables Table 2: Tested Module Identification

Page 6
Security level
NameISO SectionLevel
111
221
331
441
551
661
77N/A
88N/A
991
10101
11111
12121

Red Hat Enterprise Linux 9 libgcrypt

1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 1.10.08b6840b590cedd43 of the Red Hat Enterprise Linux 9 libgcrypt. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module.

1.2 Security Levels
1.3 Additional Information

This Security Policy describes the features and design of the module named Red Hat Enterprise Linux 9 libgcrypt using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. intact and including this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2024 Red Hat, Inc., atsec information security.

Page 7

Red Hat Enterprise Linux 9 libgcrypt

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Red Hat Enterprise Linux 9 libgcrypt (hereafter referred to as “the module”) is a software library implementing general purpose cryptographic algorithms. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The module consists of the shared library file (i.e. libgcrypt.so.20.4.0) which constitutes the cryptographic boundary. The block diagram in Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP is the general-purpose computer on which the module is installed. Figure 1: Block Diagram © 2024 Red Hat, Inc., atsec information security.

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
/usr/lib64/libgcrypt.so.20.4.01.10.0- 8b6840b590cedd43N/A/usr/lib64/libgcrypt.so.20.4.0HMAC-SHA-256
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9Dell PowerEdge R4401.10.0- 8b6840b590cedd43Intel(R) Xeon(R) Silver 4216AES-NI, SHA extensions (PAA)N/A
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9IBM z16 3931-A011.10.0- 8b6840b590cedd43IBM z16CPACF (PAI)N/A
Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00IBM 9080- HEX1.10.0- 8b6840b590cedd43IBM POWER10ISA (PAA)N/A
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9Intel(R) Xeon(R) E5
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
/usr/lib64/libgcrypt.so.20.4.01.10.0- 8b6840b590cedd43N/A/usr/lib64/libgcrypt.so.20.4.0HMAC-SHA-256
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9Dell PowerEdge R4401.10.0- 8b6840b590cedd43Intel(R) Xeon(R) Silver 4216AES-NI, SHA extensions (PAA)N/A
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9IBM z16 3931-A011.10.0- 8b6840b590cedd43IBM z16CPACF (PAI)N/A
Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00IBM 9080- HEX1.10.0- 8b6840b590cedd43IBM POWER10ISA (PAA)N/A
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9Intel(R) Xeon(R) E5
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
/usr/lib64/libgcrypt.so.20.4.01.10.0- 8b6840b590cedd43N/A/usr/lib64/libgcrypt.so.20.4.0HMAC-SHA-256
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9Dell PowerEdge R4401.10.0- 8b6840b590cedd43Intel(R) Xeon(R) Silver 4216AES-NI, SHA extensions (PAA)N/A
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9IBM z16 3931-A011.10.0- 8b6840b590cedd43IBM z16CPACF (PAI)N/A
Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00IBM 9080- HEX1.10.0- 8b6840b590cedd43IBM POWER10ISA (PAA)N/A
Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9Intel(R) Xeon(R) E5
2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

2.3 Excluded Components

The module does not claim any excluded components. © 2024 Red Hat, Inc., atsec information security.

Page 9
Service
NameDescriptionIndicatorType
Non- approved ModeAutomatically entered whenever a non-approved service is requestedEquivalent to the indicator of the requested serviceNon- Approved
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3757Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3757Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3757Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3757Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3757Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3757Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3757Curve - P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3757Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3757Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
Hash DRBGA3757Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3757Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 224A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 256A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 384A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 512A3757Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3757Iteration Count - Iteration Count: 1000- 10000000 Increment 1 Password Length - Password Length: 8-128 Increment 1SP 800-132
RSA KeyGen (FIPS186-4)A3757Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3757Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-2)A3757Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536FIPS 186-4
RSA SigVer (FIPS186-4)A3757Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3757Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3757Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A3757Output Length - Output Length: 16-65536 Increment 8FIPS 202
HMAC-SHA-1A3758Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
SHA-1A3758Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
AES-CBCA3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3759Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3759Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3759Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3759Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3759Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3759Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3759Curve - P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3759Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-FIPS 186-4
ECDSA SigVer (FIPS186-4)A3759Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
Hash DRBGA3759Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3759Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3759Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3759Iteration Count - Iteration Count: 1000- 10000000 Increment 1 Password Length - Password Length: 8-128 Increment 1SP 800-132
RSA KeyGen (FIPS186-4)A3759Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3759Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-2)A3759Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536FIPS 186-4
RSA SigVer (FIPS186-4)A3759Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3759Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
AES-CBCA3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3760Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3760Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3760Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3760Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3760Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3760Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3760Curve - P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3760Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3760Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
Hash DRBGA3760Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3760Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3760Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3760Iteration Count - Iteration Count: 1000- 10000000 Increment 1 Password Length - Password Length: 8-128 Increment 1SP 800-132
RSA KeyGen (FIPS186-4)A3760Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3760Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-2)A3760Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536FIPS 186-4
RSA SigVer (FIPS186-4)A3760Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3760Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
ECDSA KeyGen (FIPS186-4)A3761Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3761Curve - P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3761Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3761Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
Hash DRBGA3761Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3761Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 224A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 256A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 384A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 512A3761Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3761Iteration Count - Iteration Count: 1000- 10000000 Increment 1 Password Length - Password Length: 8-128 Increment 1SP 800-132
RSA KeyGen (FIPS186-4)A3761Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3761Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-2)A3761Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536FIPS 186-4
RSA SigVer (FIPS186-4)A3761Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3761Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3761Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A3761Output Length - Output Length: 16-65536 Increment 8FIPS 202
AES-CBCA3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3762Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3762Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3762Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3762Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3762Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3762Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3762Curve - P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3762Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3762Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
Hash DRBGA3762Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3762Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 224A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 256A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 384A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 512A3762Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3762Iteration Count - Iteration Count: 1000- 10000000 Increment 1 Password Length - Password Length: 8-128 Increment 1SP 800-132
RSA KeyGen (FIPS186-4)A3762Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3762Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-2)A3762Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536FIPS 186-4
RSA SigVer (FIPS186-4)A3762Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3762Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3762Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A3762Output Length - Output Length: 16-65536 Increment 8FIPS 202
AES-CBCA4675Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A4675Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A4675Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4675Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4675Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A4675Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
SHA2-256A4675Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A4675Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
AES-CBCA4676Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A4676Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A4676Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4676Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4676Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A4676Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
SHA2-256A4676Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A4676Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4

Red Hat Enterprise Linux 9 libgcrypt

2.4 Modes of Operation

Modes List and Description: Nonapproved NonApproved Table 5: Modes List and Description Mode Change Instructions and Status: When the module starts up successfully, after passing all the pre-operational self-test and the cryptographic algorithms self-tests (CASTs), the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in the Non-Approved Services table. The module will transition back to approved mode when approved service is called. Section 4 provides details on the service indicator implemented by the module. The service indicator identifies when an approved service is called. The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: © 2024 Red Hat, Inc., atsec information security.

Page 10

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 © 2024 Red Hat, Inc., atsec information security.

Page 11

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA3384 HMAC-SHA3512 © 2024 Red Hat, Inc., atsec information security.

Page 12

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 13

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 © 2024 Red Hat, Inc., atsec information security.

Page 14

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 15

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 © 2024 Red Hat, Inc., atsec information security.

Page 16

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2224 © 2024 Red Hat, Inc., atsec information security.

Page 17

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 © 2024 Red Hat, Inc., atsec information security.

Page 18

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 19

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 © 2024 Red Hat, Inc., atsec information security.

Page 20

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 21

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 22
Service
NameApproved FunctionsProperties
Cryptographic Key Generation (CKG) with RSARSA (FIPS 186-4):2048, 3072, 4096 with 112, 128, 149 bits of strengthlibgcrypt (64 bit) (No Acceleration)SP 800- 133Rev2
Cryptographic Key Generation (CKG) with ECDSAECDSA:P-224, P-256, P- 384, P-521 with 112, 128, 192, 256 bits of strengthlibgcrypt (64 bit) (No Acceleration)SP 800- 133Rev2
MD5Message Digest
ECDHShared Secret Computation
AES-GCM, AES-GCM-SIV, AES-OCB, AES-EAXSymmetric encryption and decryption
RSASignature generation/verification primitives
RSAEncryption/decryption primitives
RSA using public key flags not listed in section 4.8Key generation
RSA using public key flags not listed in section 4.8Signature generation/verification
ECDSASignature generation/verification primitives
ECDSA using public key flags not listed in section 4.8Key generation
ECDSA using public key flags not listed in section 4.8Signature generation/verification
Service
NameApproved FunctionsProperties
Cryptographic Key Generation (CKG) with RSARSA (FIPS 186-4):2048, 3072, 4096 with 112, 128, 149 bits of strengthlibgcrypt (64 bit) (No Acceleration)SP 800- 133Rev2
Cryptographic Key Generation (CKG) with ECDSAECDSA:P-224, P-256, P- 384, P-521 with 112, 128, 192, 256 bits of strengthlibgcrypt (64 bit) (No Acceleration)SP 800- 133Rev2
MD5Message Digest
ECDHShared Secret Computation
AES-GCM, AES-GCM-SIV, AES-OCB, AES-EAXSymmetric encryption and decryption
RSASignature generation/verification primitives
RSAEncryption/decryption primitives
RSA using public key flags not listed in section 4.8Key generation
RSA using public key flags not listed in section 4.8Signature generation/verification
ECDSASignature generation/verification primitives
ECDSA using public key flags not listed in section 4.8Key generation
ECDSA using public key flags not listed in section 4.8Signature generation/verification

Red Hat Enterprise Linux 9 libgcrypt Table 6: Approved Algorithms The above table lists all approved cryptographic algorithms of the module, including specific key lengths employed for approved services, and implemented modes or methods of operation of the algorithms. Vendor-Affirmed Algorithms: SP 800133Rev2 SP 800133Rev2 Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: 4.8 4.8 Table 8: Non-Approved, Not Allowed Algorithms The table above lists all non-approved cryptographic algorithms of the module employed by the non-approved services. © 2024 Red Hat, Inc., atsec information security.

Page 23
Service
NameDescriptionApproved FunctionsTypeProperties
Symmetric encryption and decryptionEncryption, decryption using AESAES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-OFB AES-OFB AES-OFB AES-OFBBC-UnAuthKeys:128, 192, 256- bit keys with 128-256 bits key strength
Message authentication generation using AES CMACMessage authentication generation using AES CMACAES-CMAC AES-CMAC AES-CMAC AES-CMACMACAES-CMAC keys:128, 192, 256-bit keys with 128, 192, 256 bits of strength
Key wrapping with AESKey wrapping with AESAES-KW AES-KW AES-KW AES-KW AES-CCM AES-CCM AES-CCM AES-CCMKTS-WrapKeys:128, 192, 256- bit keys with 128-256 bits of strength Compliance:Compliant with IG D.G AES Mode:KW, CCM
Key unwrapping with AESKey unwrapping with AESAES-KW AES-KW AES-KW AES-KW AES-CCM AES-CCM AES-CCM AES-CCMKTS-WrapKeys:128, 192, 256- bit keys with 128-256 bits of strength Compliance:Compliant with IG D.G AES Mode:KW, CCM
Authenticated symmetric encryption and decryptionEncryption, decryption using AES CCMAES-CCM AES-CCM AES-CCM AES-CCMBC-AuthKeys:128, 192, 256 bits with 128, 192, 256 bits of strength
Symmetric encryption and decryption with AES XTS (for data storage)Encryption, decryption using AES XTS (for data storage)AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0BC-UnAuthKeys:128, 256-bit keys with 128, 256 bits of strength
Random number generation with CTR_DRBGRandom number generation using CTR_DRBGCounter DRBG Counter DRBG Counter DRBG Counter DRBGDRBGCTR_DRBG:AES-128, AES-192, AES-256 with DF, with/without PR
Random number generation with HMAC_DRBGRandom number generation using HMAC_DRBGHMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBGDRBGHMAC_DRBG:SHA-1, SHA-256, SHA-512 with/without PR
Random number generation with Hash_DRBGRandom number generation using Hash_DRBGHash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBGDRBGHash_DRBG:SHA-1, SHA-256, SHA-512 with/without PR
Key pair generation with ECDSAKey pair generation using ECDSAECDSA KeyGen (FIPS186-4) ECDSACKGCurves:P-224, P-256, P-384, P-521 with 112, 128, 192, 256 bits of strength

Red Hat Enterprise Linux 9 libgcrypt

2.6 Security Function Implementations

© 2024 Red Hat, Inc., atsec information security.

Page 24

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 25
Service
NameDescriptionRole AccessApproved FunctionsType
Key pair generation with RSAKeys:2048, 3072, 4096 with 112, 128, 149 bits of strength Method:B.3.3 Random Probable PrimesKey pair generation using RSA IG D.H compliantRSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4)CKG
Public key verification with ECDSACurves:P-224, P-256, P-384, P-521 with 112, 128, 192, 256 bits of strengthPublic key verification using ECDSAECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4)AsymKeyPair- KeyVer
Digital signature generation with ECDSACurves:P-224, P-256, P-384, P-521 with 112, 128, 192, 256 bits of strength Hash:SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512Digital signature generation using ECDSAECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4)DigSig-SigGen
Digital signature generation with RSAPadding:PKCS#1v1.5, PSS Hash:SHA-224, SHA- 256, SHA-384, SHA- 512, SHA2-512/224, SHA2-512/256 Keys:2048, 3072,Digital signature generation using RSARSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4)DigSig-SigGen
4096 with 112, 128, 149 bits of strength4096 with 112, 128, 149 bits of strengthRSA SigGen (FIPS186-4)
Digital signature verification with ECDSACurves:P-224, P-256, P-384, P-521 with 112, 128, 192, 256 bits of strength Hash:SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512Digital signature verification using ECDSAECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4)DigSig-SigVer
FIPS 186-4 Digital signature verification with RSAPadding:PKCS#1v1.5, PSS Hash:SHA-224, SHA- 256, SHA-384, SHA- 512, SHA2-512/224, SHA2-512/256 Keys:2048, 3072, 4096 with 112, 128, 149 bits of strengthFIPS 186-4 Digital signature verification using RSARSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4)DigSig-SigVer
FIPS 186-2 Digital signature verification with RSAPadding:PKCS#1v1.5, PSS Hash:SHA-224, SHA- 256, SHA-384, SHA- 512 Keys:1024, 1536 with 80, 92 bits of strength Compliance:FIPS 186- 2, IG C.FFIPS 186-2 Digital signature verification using RSA Only for Legacy useRSA SigVer (FIPS186-2) RSA SigVer (FIPS186-2) RSA SigVer (FIPS186-2) RSA SigVer (FIPS186-2) RSA SigVer (FIPS186-2)DigSig-SigVer
Message authentication code with HMACKeys:112, 192, 256 bits with 112-256 bits of strength Hash:SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA- 512/224, SHA- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512Message authentication code using HMACHMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2-MAC

Red Hat Enterprise Linux 9 libgcrypt AsymKeyPairKeyVer © 2024 Red Hat, Inc., atsec information security.

Page 26

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 © 2024 Red Hat, Inc., atsec information security.

Page 27

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA3224 © 2024 Red Hat, Inc., atsec information security.

Page 28
Service
NameDescriptionApproved FunctionsType
Key derivation with PBKDFKey derivation using PBKDFPBKDF PBKDF PBKDF PBKDF PBKDFPBKDFDerived key::112 to 256 bits HMAC:SHA-1, SHA- 224, SHA-256, SHA- 384, SHA-512, SHA2- 512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512
Message digest with SHA-1Message digest using SHA-1SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1SHA
Message digest with SHA-2Message digest using SHA-2SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384SHA

Red Hat Enterprise Linux 9 libgcrypt HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3384 HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA3512 HMAC-SHA3512 © 2024 Red Hat, Inc., atsec information security.

Page 29
Service
NameDescriptionApproved FunctionsType
Message digest with SHA-3Message digest with SHA-3SHA3-224 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-256 SHA3-384 SHA3-384 SHA3-384 SHA3-512 SHA3-512 SHA3-512 SHAKE-128 SHAKE-128 SHAKE-128 SHAKE-256 SHAKE-256 SHAKE-256SHA

Red Hat Enterprise Linux 9 libgcrypt Table 9: Security Function Implementations

2.7 Algorithm Specific Information

AES XTS The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. © 2024 Red Hat, Inc., atsec information security.

Page 30
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
RHEL Userspace CPU Time Jitter RNG Entropy SourceNon- Physical256-bitsRed Hat Enterprise Linux 9 running on Dell PowerEdge R440 with Intel(R) Xeon(R) Silver 4216; Red Hat Enterprise Linux 9 running on IBM z16 3931-A01 with IBM z16; Red Hat Enterprise Linux 9 with PowerVM FW1040.00 with VIOS 3.1.3.00 running on225-bitsHMAC-SHA2- 512 DRBG
CertVendor
NumberName
E47Red Hat, Inc.

The AES-XTS mode shall only be used for the cryptographic protection of data on storage devices. The AES-XTS shall not be used for other purposes, such as the encryption of data in transit. Key derivation using SP800-132 PBKDF The module provides password-based key derivation (PBKDF), compliant with SP800-132. The module supports option 1a from Section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132] and FIPS 140-3 IG D.N, the following requirements shall be met.

2.8 RBG and Entropy

Table 10: Entropy Certificates NonPhysical © 2024 Red Hat, Inc., atsec information security.

Page 31

Red Hat Enterprise Linux 9 libgcrypt Table 11: Entropy Sources The Module provides an SP800-90A-compliant Deterministic Random Bit Generator (DRBG) for creation of key components of asymmetric keys, and random number generation. The seeding (and automatic reseeding) of the DRBG is done with getrandom(). The module supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG. The DRBG is initialized during module initialization; the module loads by default the DRBG using the HMAC_DRBG mechanism with SHA-256 and without prediction resistance. A different DRBG mechanism can be chosen by invoking the gcry_control(GCRYCTL_DRBG_REINIT) function. The module uses an [SP800-90B]-compliant entropy source specified in the above table. This entropy source is located within the module’s physical perimeter but outside of the module’s cryptographic boundary. The module obtains 384 bits to seed the DRBG and 256 bits to reseed it, respectivly corresponding to 337 bits of entropy for seeding and 225 bits for reseeding, which is not full entropy. Therefore, the module generates SSPs (e.g., keys) whose strengths are modified by available entropy. The module performs the DRBG health tests as defined in Section 11.3 of [SP800-90A].

2.9 Key Generation

KeyGenerationSubTable From Web Cryptik KeyGenerationSubTable The module provides an [SP800-90Arev1]-compliant Deterministic Random Bit Generator (DRBG) for the creation of key components of asymmetric keys, and random number generation. The Cryptographic Key Generation (CKG) methods implemented in the module for Approved services in approved mode are compliant with section 5.1 of [SP800-133rev2] and with IG D.H. For generating RSA and ECDSA keys the module implements asymmetric key © 2024 Red Hat, Inc., atsec information security.

Page 32

Red Hat Enterprise Linux 9 libgcrypt generation services compliant with [FIPS186-4]. A seed (i.e., the random value) used in asymmetric key generation is directly obtained from the [SP800-90Arev1] DRBG. Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service

2.10 Key Establishment

KeyAgreementSubTable From Web Cryptik KeyAgreementSubTable KeyTransportSubTable From Web Cryptik KeyTransportSubTable The module provides the following key transport mechanisms:

2.11 Industry Protocols

The module does not implement industry protocols, therefore this section is not applicable.

2.12 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 33
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI input parameters for data.
N/AN/AData OutputAPI output parameters for data.
N/AN/AControl InputAPI function calls, API input parameters for control input, /proc/sys/crypto/fips_enabled control file.
N/AN/AStatus OutputAPI return codes, API output parameters for status output.

Red Hat Enterprise Linux 9 libgcrypt

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 12: Ports and Interfaces As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. All data output via data output interface is inhibited when the module is performing preoperational test or zeroization or when the module enters error state. The module does not implement a control output interface.

3.2 Trusted Channel Specification
3.3 Control Interface Not Inhibited
3.4 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 34
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Symmetric encryption and decryptionEncrypt a plaintext / Decrypt a ciphertextCrypto Officer - AES keys: W,ESymme tric encrypti on and decrypti on Authent icated symmet ric encrypti on and decrypti on Symme tric encrypti on and decrypti on with AES XTS (for data storage )gcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_CIPHE R, ...) returns GPG_ERR_NO_E RRORAES key, plaintext/ci phertextCipher text/ plaint ext
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Symmetric encryption and decryptionEncrypt a plaintext / Decrypt a ciphertextCrypto Officer - AES keys: W,ESymme tric encrypti on and decrypti on Authent icated symmet ric encrypti on and decrypti on Symme tric encrypti on and decrypti on with AES XTS (for data storage )gcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_CIPHE R, ...) returns GPG_ERR_NO_E RRORAES key, plaintext/ci phertextCipher text/ plaint ext
Key Pair Generation with RSAGenerate a key pairCrypto Officer - RSA Private Key: G,R - RSA Public Key: G,R - Interm ediate key genera tion value: G,E,ZKey pair generat ion with RSAgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_PK_FLA GS, ...) returns GPG_ERR_NO_E RRORModulus bitsRSA public key, RSA privat e key
Key Pair Generation with ECDSAGenerate a key pairCrypto Officer - ECDSA Private Key: G,R - ECDSA Public Key: G,R - Interm ediate key genera tion value: G,E,ZKey pair generat ion with ECDSAgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_PK_FLA GS, ...) returns GPG_ERR_NO_E RRORCurveECDS A public key, ECDS A privat e key
Digital signature generation with RSAGenerate a signatureCrypto Officer - RSA Private Key: W,EDigital signatur e generat ion with RSAgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_PK_FLA GS, ...) and gcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MD, ...) returnRSA private key, messageSignat ure
Digital signature generation with ECDSAGenerate a signatureCrypto Officer - ECDSA Private Key: W,EDigital signatur e generat ion with ECDSAgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_PK_FLA GS, ...) and gcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MD, ...) return GPG_ERR_NO_E RRORECDSA private key, messageSignat ure
Digital signature verification with RSAVerify a signatureCrypto Officer - RSA Public Key: W,EFIPS 186-4 Digital signatur e verificat ion with RSA FIPS 186-2 Digital signatur e verificat ion with RSAgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_PK_FLA GS, ...) and gcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MD, ...) return GPG_ERR_NO_E RRORRSA public key, message, signaturePass/f ail
Digital signature verification with ECDSAVerify a signatureCrypto Officer - ECDSA Public Key: W,EDigital signatur e verificat ion with ECDSAgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_PK_FLA GS, ...) and gcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MD, ...) return GPG_ERR_NO_E RRORECDSA public key, message, signaturePass/f ail
Public key verificationVerify ECDSA public keyCrypto Officer - ECDSA PublicPublic key verificat ion with ECDSAgcry_mpi_ec_cu rve_point() returns GPG_ERR_NO_E RRORECDSA public keyPass/f ail
Random Number Generation with CTR_DRBG/H MAC_DRBGGenerate random bitstrings from CTR_DRBG/H MAC_DRBGCrypto Officer - Entrop y Input: W,E - DRBG seed: G,E - DRBG interna l state (V value, Key): G,W,ERandom number generat ion with CTR_DR BG Random number generat ion with HMAC_ DRBGgcry_randomize (), gcry_random_by tes(), gcry_random_by tes_secure() return GPG_ERR_NO_E RROROutput lengthRando m bytes
Random Number Generation with Hash_DRBGGenerate random bitstrings from Hash_DRBGCrypto Officer - Entrop y Input: W,E - DRBG seed: G,E - DRBG interna l state (V value, C value): G,W,ERandom number generat ion with Hash_D RBGgcry_randomize (), gcry_random_by tes(), gcry_random_by tes_secure() return GPG_ERR_NO_E RROROutput lengthRando m bytes
Message digestCompute SHA hashesCrypto OfficerMessag e digest with SHA-3 Messag e digest with SHA-1 Messag e digestgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MD, ...) returns GPG_ERR_NO_E RRORMessageDigest value
Message authenticatio n code (MAC) with HMACCompute HMACCrypto Officer - HMAC keys: W,EMessag e authent ication code with HMACgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MAC, .. .) returns GPG_ERR_NO_E RRORHMAC keyMAC tag
Message authenticatio n code (MAC) with CMACCompute AES-based CMACCrypto Officer - AES keys: W,EMessag e authent ication generat ion with AES- CMACgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_MAC, .. .) returns GPG_ERR_NO_E RRORAES keyMAC tag
Key wrappingPerform AES- based key wrappingCrypto Officer - AES keys: W,EKey wrappin g with AESgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_CIPHE R, ...) returns GPG_ERR_NO_E RRORAES key, any CSPWrapp ed CSP
Key unwrappingPerform AES- based key unwrappingCrypto Officer - AES keys: W,EKey unwrap ping with AESgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_CIPHE R, ...) returns GPG_ERR_NO_E RRORAES key, wrapped CSPUnwra pped CSP
Key derivationPerform key derivationCrypto Officer - Passwo rd or passph rase: W,E - Derive d key: G,RKey derivati on with PBKDFgcry_control(GC RYCTL_FIPS_ SERVICE_INDICA TOR_KDF, ... ) returns GPG_ERR_NO_E RRORPassword, salt, iteration countDerive d key
On-demand Integrity testPerform on- demand integrity testCrypto OfficerMessag e authent icationN/AN/APass/f ail

Red Hat Enterprise Linux 9 libgcrypt

4 Roles, Services, and Authentication

N/A for this module. The module does not support authentication.

4.2 Roles

Table 13: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module.

4.3 Approved Services

y ) s W,E © 2024 Red Hat, Inc., atsec information security.

Page 35

Red Hat Enterprise Linux 9 libgcrypt y A A e s G,R G,R G,E,Z G,R G,R G,E,Z W,E © 2024 Red Hat, Inc., atsec information security.

Page 36

Red Hat Enterprise Linux 9 libgcrypt y s e W,E e e W,E e W,E © 2024 Red Hat, Inc., atsec information security.

Page 37

Red Hat Enterprise Linux 9 libgcrypt (), (), y m m s W,E y W,E G,E (V G,W,E y W,E G,E (V C G,W,E © 2024 Red Hat, Inc., atsec information security.

Page 38

Red Hat Enterprise Linux 9 libgcrypt y e e AESCMAC s W,E W,E W,E W,E Perform ondemand N/A W,E G,R N/A e © 2024 Red Hat, Inc., atsec information security.

Page 39
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorInputOutput
Show statusShow module statusNoneCrypto OfficerN/AN/AModul e status
Self-testsPerform self- testsNoneCrypto OfficerN/AN/APass/f ail
Show module name and versionShow module name and versionNoneCrypto OfficerN/AN/AModul e name and versio n inform ation
Symmetric encryption/decryptionCOAES encryption/decryption using non-approved AES modesAES-GCM, AES- GCM-SIV, AES- OCB, AES-EAX
Message digestCONon-approved message digestMD5
Shared Secret ComputationCOECDH Shared Secret ComputationECDH
Key generation with RSACOGenerate RSA key pairs using public key flags not listed in section 4.8.RSA using public key flags not listed in section 4.8 RSA using public key flags not listed in section 4.8
Key generation with ECDSACOGenerate ECDSA key pairs using public key flags not listed in section 4.8.ECDSA using public key flags not listed in section 4.8 ECDSA using public key flags not listed in section 4.8
Digital signature generation/verification with RSACOGenerate/verify a signature using RSA Signature generation/verification primitivesRSA
Digital signature generation/verification with ECDSACOGenerate/verify a signature using ECDSA Signature generation/verification primitivesECDSA
Asymmetric encryption/decryptionCOPerform encryption/decryption using RSA encryption/decryption primitivesRSA

Red Hat Enterprise Linux 9 libgcrypt y N/A N/A e N/A N/A N/A N/A N/A e n Perform selftests N/A s Table 14: Approved Services The table above lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). The following convention is used to specify access rights to a CSP: • G = Generate: The module generates or derives the SSP. • R = Read: The SSP is read from the module (e.g., the SSP is output). • W = Write: The SSP is updated, imported, or written to the module. • E = Execute: The module uses the SSP in performing a cryptographic operation. • Z = Zeroise: The module zeroises the SSP. • N/A: the calling application does not access any CSP or key during its operation. The details of the approved cryptographic algorithms including the CAVP certificate numbers can be found in the Approved Algorithm table. In order to check whether it utilizes an approved security function or not, the operator is responsible to invoke the gcry_control() API along with dedicated controls in the form of API input parameters. The module implements the following controls depending on the requested service:

  1. GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER - For symmetric algorithms and the related modes.
  2. GCRYCTL_FIPS_SERVICE_INDICATOR_KDF - For KDF operations. © 2024 Red Hat, Inc., atsec information security.
Page 40

Red Hat Enterprise Linux 9 libgcrypt

  1. GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS - For asymmetric operations.1
  2. GCRYCTL_FIPS_SERVICE_INDICATOR_MD - For digest operations.
  3. GCRYCTL_FIPS_SERVICE_INDICATOR_MAC - For MAC operations. In addition to that, for the below-mentioned services, the approved service indicator corresponds to the GPG_ERR_NO_ERROR returned from listed functions in the indicator column below. They don’t use gcry_control() API:
  4. Random number generation service: gcry_randomize(), gcry_random_bytes(), gcry_random_bytes_secure().
  5. Public key validation service: gcry_mpi_ec_curve_point(). For all approved services, GPG_ERR_NO_ERROR (i.e., “0”) return code indicates the service is approved. In case the above-mentioned controls are used in conjunction, the operator is responsible to check that all of the called functions return GPG_ERR_NO_ERROR (i.e., “0”). For all non-approved services, "non-zero" return code indicates the service is not approved.

1 The list of public key flags allowed in approved mode of operation is described in Section 4.8 Additional

Information. © 2024 Red Hat, Inc., atsec information security.

Page 41

Red Hat Enterprise Linux 9 libgcrypt Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not have the capability of loading software or firmware from an external source.

4.6 Bypass Actions and Status
4.7 Cryptographic Output Actions and Status
4.8 Additional Information

Below are listed the approved public key flags for an input s-expression: d e n q r s © 2024 Red Hat, Inc., atsec information security.

Page 42

Red Hat Enterprise Linux 9 libgcrypt

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified comparing the HMAC-SHA-256 value calculated at run time with the HMAC-SHA-256 value embedded in the module’s ELF header that was computed at build time for each software component of the module. If the HMAC values do not match, the test fails and the module enters the error state.

5.2 Initiate on Demand

Integrity tests are performed as part of the Pre-Operational Self-Tests. The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational tests (i.e., integrity test) and cryptographic algorithm self-tests (CASTs). This service can be invoked relying on the gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible. In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke the gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the operational state, FALSE if the module is in the Error state.

5.3 Open-Source Parameters
5.4 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 43

Red Hat Enterprise Linux 9 libgcrypt

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module should be compiled and installed as stated in section 11. The user should confirm that the module is installed correctly by running: 1. fips-mode-setup --check command to verify that the system is operating in Approved mode 2. check the output of the gcry_get_config() API, which should output Red Hat Enterprise Linux 9 libgcrypt 1.10.0-8b6840b590cedd43 The module does not support concurrent operators.

6.2 Configuration Settings and Restrictions

Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.

6.3 Additional Information

The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 Red Hat, Inc., atsec information security.

Page 44
Temp/Voltage TypeTemperature or VoltageEFPResult
or
EFT
LowTemperature
HighTemperature
LowVoltage
HighVoltage
TemperatureTemperature
Type
LowTemperature
HighTemperature

Red Hat Enterprise Linux 9 libgcrypt

7 Physical Security

The module is comprised of software only and therefore this section is not applicable.

7.1 Mechanisms and Actions Required

Not Applicable. N/A for this module.

7.2 User Placed Tamper Seals

Not Applicable. Number: Placement: Surface Preparation: Operator Responsible for Securing Unused Seals: Part Numbers:

7.3 Filler Panels
7.4 Fault Induction Mitigation

Not Applicable. Not Applicable. Table 16: EFP/EFT Information

7.6 Hardness Testing Temperature Ranges

Not Applicable. Table 17: Hardness Testing Temperatures © 2024 Red Hat, Inc., atsec information security.

Page 45

Red Hat Enterprise Linux 9 libgcrypt

7.7 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 46

Red Hat Enterprise Linux 9 libgcrypt

8 Non-Invasive Security

This module does not implement any non-invasive security mechanism, and therefore this Section is not applicable.

8.1 Mitigation Techniques
8.2 Effectiveness
8.3 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 47
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary storage for SSPs used by the module as part of service execution. The module does not perform persistent storage of SSPs
Service
NameApproved FunctionsTypeFromToDistributio n Type
API input parameter s (plaintext)Electroni cPlaintex tCalling application within TOEPPCryptographi c moduleManual
API output parameter s (plaintext)Electroni cPlaintex tCryptographi c moduleCalling application within TOEPPManual
ZeroizationDescriptionRationaleOperator Initiation
Method
Wipe and Free memory block allocatedZeroizes the SSPs contained within the cipher handle.Memory occupied by SSPs is overwritten with zeroes and then it is released, which renders the SSP values irretrievable. The completion of the zeroization routineBy calling the cipher related zeroization API which are the following: gcry_free(), gcry_cipher_close(), gcry_mac_close(), gcry_sexp_release(), gcry_mpi_release(), gcry_ctx_release(), gcry_mpi_point_release(),

Red Hat Enterprise Linux 9 libgcrypt

9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 18: Storage Areas destroyed when released by the appropriate zeroization function calls. s s t c t c m Table 19: SSP Input-Output Methods API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry on the Key Establishment Table. © 2024 Red Hat, Inc., atsec information security.

Page 48
Self test
NameAlgorithm Or TestTest MethodDetailsOperator Initiation gcry ctrl(GCRYCTL TE RM SECMEM)
AutomaticMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable.AutomaticAutomatically zeroized by the module when no longer neededN/A
Module ResetVolatile memory used by the module is overwritten within nanoseconds when power is removed.Module ResetDe-allocates the volatile memory used to store SSPsBy unloading and reloading the module
Sensitive security parameter
NameTypeDescriptionStrengthUse
AES keysSymmetri c key - CSPAES key used for encryptio n, decryptio n, and computin g MAC tagsAES-XTS: 128, 256; Other modes: 128, 192, 256 - AES- XTS: 128, 256; Other modes: 128, 192, 256Symmetric encryption and decryption Message authenticat ion generation with AES- CMAC Authenticat ed symmetric encryption and decryption Symmetric encryption

Red Hat Enterprise Linux 9 libgcrypt N/A Table 20: SSP Zeroization Methods The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in the above table. Calling gcry_free(), which will zeroize the SSPs and also invoke the corresponding API functions listed in the above table to zeroize SSPs. The zeroization functions overwrite the memory deallocation operating system call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. n, with AESCMAC © 2024 Red Hat, Inc., atsec information security.

Page 49
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroizationInput
HMAC keysSymmetri c key - CSPHMAC key used for computin g MAC tags112-256 bits - 112-256 bitsMessage authenticat ion code with HMAC
RSA Private KeyPrivate key - CSPPrivate key used for RSA signature generatio n2048, 3072, 4096 bits - 112, 128, 149 bitsKey pair generatio n with RSADigital signature generation with RSA
RSA Public KeyPublic key - PSPPublic key used for RSA signature verificatio n2048, 3072, 4096 bits bits - 112, 128, 149 bitsKey pair generatio n with RSAFIPS 186-4 Digital signature verification with RSA FIPS 186-2 Digital signature verification with RSA
ECDSA Private KeyPrivate key - CSPPrivate key used for ECDSA signature generatio nP-224, P-256, P-384, P-521 - 112, 128, 192, 256 bitsKey pair generatio n with ECDSAPublic key verification with ECDSA Digital signature generation with ECDSA
ECDSA Public KeyPublic key - PSPPublic key used for ECDSA signature verificatio nP-224, P-256, P-384, P-521 - 112, 128, 192, 256 bitsKey pair generatio n with ECDSADigital signature verification with ECDSA
Intermedi ate key generatio n valueIntermedi ate value - CSPIntermedi ate key pair generatio n value generated during key generatio112-256 - 112-256 bitsKey pair generatio n with RSA Key pair generatio n with ECDSAKey pair generation with RSA Key pair generation with ECDSA
Password or passphras ePassword - CSPPassword used to derive symmetri c keysMinimum of 8 character - N/AKey derivation with PBKDF
Derived keySymmetri c key - CSPSymmetri c key derived from a key derivation key, shared secret, or password112-4096 bits - 112- 256 bitsKey derivation with PBKDF
Entropy InputEntropy input - CSPEntropy input used to seed the DRBG (IG D.L compliant )128-384 bits - 112-337 bitsRandom number generation with CTR_DRBG Random number generation with HMAC_DRB G Random number generation with Hash_DRB G
DRBG internal state (V value, C value)Internal state - CSPInternal state of the Hash_DRB G (IG D.L compliant )880, 1776 bits - 128, 256 bitsRandom number generatio n with Hash_DRB GRandom number generation with Hash_DRB G
DRBG internal state (V value, Key)Internal state - CSPInternal state of the CTR_DRB G and HMAC_DR BG (IG D.L compliant )CTR_DRBG: 256, 320, 384 bits; HMAC_DRBG: 320, 512, 1024 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bitsRandom number generatio n with CTR_DRB G Random number generatio n with HMAC_DR BGRandom number generation with CTR_DRBG Random number generation with HMAC_DRB G
DRBG seedSeed - CSPDRBG seed derived from entropy input as defined in SP 800- 90Ar1 (IG D.L compliant )CTR_DRBG: 256, 320, 384 bits; HMAC_DBRG: 440, 880 bits;Hash_DR BG: 440, 880 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits; Hash_DRBG: 128, 256 bits;Random number generatio n with CTR_DRB G Random number generatio n with HMAC_DR BG Random number generatio n with Hash_DRB GRandom number generation with CTR_DRBG Random number generation with HMAC_DRB G Random number generation with Hash_DRB G
AES keysRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext)From service invocation until cipherhandl e is freed
HMAC keysRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext)From service invocation until cipherhandl e is freed

Red Hat Enterprise Linux 9 libgcrypt n n n n © 2024 Red Hat, Inc., atsec information security.

Page 50

Red Hat Enterprise Linux 9 libgcrypt e (SP 800133r2 5.2) D.L ) ) bits - 112256 bits G G G G © 2024 Red Hat, Inc., atsec information security.

Page 51
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroizationInputRelated SSPs
DRBG internal state (V value, Key)Internal state - CSPInternal state of the CTR_DRB G and HMAC_DR BG (IG D.L compliant )CTR_DRBG: 256, 320, 384 bits; HMAC_DRBG: 320, 512, 1024 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bitsRandom number generatio n with CTR_DRB G Random number generatio n with HMAC_DR BGRandom number generation with CTR_DRBG Random number generation with HMAC_DRB G
DRBG seedSeed - CSPDRBG seed derived from entropy input as defined in SP 800- 90Ar1 (IG D.L compliant )CTR_DRBG: 256, 320, 384 bits; HMAC_DBRG: 440, 880 bits;Hash_DR BG: 440, 880 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits; Hash_DRBG: 128, 256 bits;Random number generatio n with CTR_DRB G Random number generatio n with HMAC_DR BG Random number generatio n with Hash_DRB GRandom number generation with CTR_DRBG Random number generation with HMAC_DRB G Random number generation with Hash_DRB G
AES keysRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext)From service invocation until cipherhandl e is freed
HMAC keysRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext)From service invocation until cipherhandl e is freed
RSA Private KeyRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext) API output parameter s (plaintext)From service invocation until cipherhandl e is freedRSA Public Key:Paired With DRBG internal state (V value, Key):Generated from Intermediate key generation value:Generated from
RSA Public KeyRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext) API output parameter s (plaintext)From service invocation until cipherhandl e is freedRSA Private Key:Paired With DRBG internal state (V value, C value):Generated from Intermediate key generation value:Generated from
ECDSA Private KeyRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext) API output parameter s (plaintext)From service invocation until cipherhandl e is freedECDSA Public Key:Paired With DRBG internal state (V value, C value):Generated from Intermediate key generation value:Generated from
ECDSA Public KeyRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext) API output parameter s (plaintext)From service invocation until cipherhandl e is freedECDSA Private Key:Paired With DRBG internal state (V value, C value):Generated from Intermediate key generation value:Generated from
Intermediat e key generation valueRAM:Plaintex tAutomaticFrom service invocation until cipherhandl e is freedRSA Private Key:Generates RSA Public Key:Generates ECDSA Private Key:Generates ECDSA Public Key:Generates
Password or passphraseRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI input parameter s (plaintext)From service invocation until cipherhandl e is freedDerived key:Derivation of
Derived keyRAM:Plaintex tWipe and Free memory block allocated Module ResetAPI output parameter s (plaintext)From service invocation until cipherhandl e is freedPassword or passphrase:Derive d From
Entropy InputRAM:Plaintex tAutomaticFrom service invocation until cipherhandl e is freedDRBG seed:Derivation of
DRBG internal state (V value, C value)RAM:Plaintex tAutomaticFrom service invocation until cipherhandl e is freedDRBG seed:Generated from
DRBG internal state (V value, Key)RAM:Plaintex tAutomaticFrom service invocation until cipherhandl e is freedDRBG seed:Generated from
DRBG seedRAM:Plaintex tAutomaticFrom service invocation until cipherhandl e is freedEntropy Input:Derived From DRBG internal state (V value, C value):Generation of DRBG internal state (V value, Key):Generation of

Red Hat Enterprise Linux 9 libgcrypt ) D.L ) G G G G G G Table 21: SSP Table 1 s s t t n © 2024 Red Hat, Inc., atsec information security.

Page 52

Red Hat Enterprise Linux 9 libgcrypt s s s s s s s s n t t t t t © 2024 Red Hat, Inc., atsec information security.

Page 53

Red Hat Enterprise Linux 9 libgcrypt s s t t t t t t n Table 22: SSP Table 2 The tables above summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module. © 2024 Red Hat, Inc., atsec information security.

Page 54

Red Hat Enterprise Linux 9 libgcrypt

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030.

9.6 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 55
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC- SHA2-256 (A3760)HMAC- SHA2-256 (A3760)Message authenticatio nSW/FW Integrit yIntegrity test for /usr/lib64/libgcrypt.so.20.4 .0256-bit keyModule becomes operation al and services are available for use
AES-ECB (A3757)AES-ECB (A3757)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3759)AES-ECB (A3759)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3760)AES-ECB (A3760)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3762)AES-ECB (A3762)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
HMAC- SHA2-256 (A3760)HMAC- SHA2-256 (A3760)Message authenticatio nSW/FW Integrit yIntegrity test for /usr/lib64/libgcrypt.so.20.4 .0256-bit keyModule becomes operation al and services are available for use
AES-ECB (A3757)AES-ECB (A3757)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3759)AES-ECB (A3759)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3760)AES-ECB (A3760)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3762)AES-ECB (A3762)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A4675)AES-ECB (A4675)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A4676)AES-ECB (A4676)KATCASTSymmetric operation128, 192, 256-bit keys, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3757)AES-ECB (A3757)KATCASTSymmetric operation128, 192, 256-bit keys, decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3759)AES-ECB (A3759)KATCASTSymmetric operation128, 192, 256-bit keys, decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3760)AES-ECB (A3760)KATCASTSymmetric operation128, 192, 256-bit keys, decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A3762)AES-ECB (A3762)KATCASTSymmetric operation128, 192, 256-bit keys, decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A4675)AES-ECB (A4675)KATCASTSymmetric operation128, 192, 256-bit keys, decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A4676)AES-ECB (A4676)KATCASTSymmetric operation128, 192, 256-bit keys, decryptModule becomes operationalTest runs at power-on before the integrity test
AES-CMAC (A3757)AES-CMAC (A3757)KATCASTMessage authentication128-bit key MAC generation, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-CMAC (A3759)AES-CMAC (A3759)KATCASTMessage authentication128-bit key MACModule becomes operationalTest runs at power-on before the
generation, encryptgeneration, encryptintegrity test
AES-CMAC (A3760)AES-CMAC (A3760)KATCASTMessage authentication128-bit key MAC generation, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-CMAC (A3762)AES-CMAC (A3762)KATCASTMessage authentication128-bit key MAC generation, encryptModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A3757)Counter DRBG (A3757)KATCASTCompliant with SP 800- 90Ar1AES 128-bit key with DF, with and without PRModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A3759)Counter DRBG (A3759)KATCASTCompliant with SP 800- 90Ar1AES 128-bit key with DF, with and without PRModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A3760)Counter DRBG (A3760)KATCASTCompliant with SP 800- 90Ar1AES 128-bit key with DF, with and without PRModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A3762)Counter DRBG (A3762)KATCASTCompliant with SP 800- 90Ar1AES 128-bit key with DF, with and without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3757)Hash DRBG (A3757)KATCASTCompliant with SP 800- 90Ar1SHA2-256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3759)Hash DRBG (A3759)KATCASTCompliant with SP 800- 90Ar1SHA2-256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3760)Hash DRBG (A3760)KATCASTCompliant with SP 800- 90Ar1SHA2-256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3761)Hash DRBG (A3761)KATCASTCompliant with SP 800- 90Ar1SHA2-256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3762)Hash DRBG (A3762)KATCASTCompliant with SP 800- 90Ar1SHA2-256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3757)Hash DRBG (A3757)KATCASTCompliant with SP 800- 90Ar1SHA-1 without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3759)Hash DRBG (A3759)KATCASTCompliant with SP 800- 90Ar1SHA-1 without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3760)Hash DRBG (A3760)KATCASTCompliant with SP 800- 90Ar1SHA-1 without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3761)Hash DRBG (A3761)KATCASTCompliant with SP 800- 90Ar1SHA-1 without PRModule becomes operationalTest runs at power-on before the integrity test
Hash DRBG (A3762)Hash DRBG (A3762)KATCASTCompliant with SP 800- 90Ar1SHA-1 without PRModule becomes operationalTest runs at power-on before the integrity test
HMAC DRBG (A3757)HMAC DRBG (A3757)KATCASTCompliant with SP 800- 90Ar1HMAC-SHA2- 256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
HMAC DRBG (A3759)HMAC DRBG (A3759)KATCASTCompliant with SP 800- 90Ar1HMAC-SHA2- 256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
HMAC DRBG (A3760)HMAC DRBG (A3760)KATCASTCompliant with SP 800- 90Ar1HMAC-SHA2- 256 with and without PRModule becomes operationalTest runs at power-on before the
HMAC DRBG (A3761)HMAC DRBG (A3761)KATCASTCompliant with SP 800- 90Ar1HMAC-SHA2- 256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
HMAC DRBG (A3762)HMAC DRBG (A3762)KATCASTCompliant with SP 800- 90Ar1HMAC-SHA2- 256 with and without PRModule becomes operationalTest runs at power-on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3757)ECDSA SigGen (FIPS186- 4) (A3757)KATCASTDigital signature generationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3759)ECDSA SigGen (FIPS186- 4) (A3759)KATCASTDigital signature generationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3760)ECDSA SigGen (FIPS186- 4) (A3760)KATCASTDigital signature generationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3761)ECDSA SigGen (FIPS186- 4) (A3761)KATCASTDigital signature generationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3762)ECDSA SigGen (FIPS186- 4) (A3762)KATCASTDigital signature generationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3757)ECDSA SigVer (FIPS186- 4) (A3757)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3759)ECDSA SigVer (FIPS186- 4) (A3759)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3760)ECDSA SigVer (FIPS186- 4) (A3760)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3761)ECDSA SigVer (FIPS186- 4) (A3761)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3762)ECDSA SigVer (FIPS186- 4) (A3762)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3757)ECDSA SigVer (FIPS186- 4) (A3757)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3759)ECDSA SigVer (FIPS186- 4) (A3759)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3760)ECDSA SigVer (FIPS186- 4) (A3760)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3761)ECDSA SigVer (FIPS186- 4) (A3761)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3762)ECDSA SigVer (FIPS186- 4) (A3762)KATCASTDigital signature verificationP-256 and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC-SHA- 1 (A3757)HMAC-SHA- 1 (A3757)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC-SHA- 1 (A3758)HMAC-SHA- 1 (A3758)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the
HMAC-SHA- 1 (A3759)HMAC-SHA- 1 (A3759)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC-SHA- 1 (A3760)HMAC-SHA- 1 (A3760)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC-SHA- 1 (A3761)HMAC-SHA- 1 (A3761)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC-SHA- 1 (A3762)HMAC-SHA- 1 (A3762)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-224 (A3757)HMAC- SHA2-224 (A3757)KATCASTMessage authenticationSHA2-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-224 (A3759)HMAC- SHA2-224 (A3759)KATCASTMessage authenticationSHA2-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-224 (A3760)HMAC- SHA2-224 (A3760)KATCASTMessage authenticationSHA2-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-224 (A3761)HMAC- SHA2-224 (A3761)KATCASTMessage authenticationSHA2-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-224 (A3762)HMAC- SHA2-224 (A3762)KATCASTMessage authenticationSHA2-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A3757)HMAC- SHA2-256 (A3757)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A3759)HMAC- SHA2-256 (A3759)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A3760)HMAC- SHA2-256 (A3760)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A3761)HMAC- SHA2-256 (A3761)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A3762)HMAC- SHA2-256 (A3762)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-384 (A3757)HMAC- SHA2-384 (A3757)KATCASTMessage authenticationSHA2-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-384 (A3759)HMAC- SHA2-384 (A3759)KATCASTMessage authenticationSHA2-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-384 (A3760)HMAC- SHA2-384 (A3760)KATCASTMessage authenticationSHA2-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-384 (A3761)HMAC- SHA2-384 (A3761)KATCASTMessage authenticationSHA2-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-384 (A3762)HMAC- SHA2-384 (A3762)KATCASTMessage authenticationSHA2-384Module becomes operationalTest runs at power-on before the
HMAC- SHA2-512 (A3757)HMAC- SHA2-512 (A3757)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-512 (A3759)HMAC- SHA2-512 (A3759)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-512 (A3760)HMAC- SHA2-512 (A3760)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-512 (A3761)HMAC- SHA2-512 (A3761)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-512 (A3762)HMAC- SHA2-512 (A3762)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-224 (A3757)HMAC- SHA3-224 (A3757)KATCASTMessage authenticationSHA3-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-224 (A3761)HMAC- SHA3-224 (A3761)KATCASTMessage authenticationSHA3-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-224 (A3762)HMAC- SHA3-224 (A3762)KATCASTMessage authenticationSHA3-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-256 (A3757)HMAC- SHA3-256 (A3757)KATCASTMessage authenticationSHA3-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-256 (A3761)HMAC- SHA3-256 (A3761)KATCASTMessage authenticationSHA3-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-256 (A3762)HMAC- SHA3-256 (A3762)KATCASTMessage authenticationSHA3-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-384 (A3757)HMAC- SHA3-384 (A3757)KATCASTMessage authenticationSHA3-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-384 (A3761)HMAC- SHA3-384 (A3761)KATCASTMessage authenticationSHA3-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-384 (A3762)HMAC- SHA3-384 (A3762)KATCASTMessage authenticationSHA3-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-512 (A3757)HMAC- SHA3-512 (A3757)KATCASTMessage authenticationSHA3-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-512 (A3761)HMAC- SHA3-512 (A3761)KATCASTMessage authenticationSHA3-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-512 (A3762)HMAC- SHA3-512 (A3762)KATCASTMessage authenticationSHA3-512Module becomes operationalTest runs at power-on before the integrity test
RSA SigGen (FIPS186- 4) (A3757)RSA SigGen (FIPS186- 4) (A3757)KATCASTDigital signature generationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigGenRSA SigGenKATCASTDigital signature generationPKCS#1 v1.5 with 2048-bitModule becomes operationalTest runs at power-on before the
(FIPS186- 4) (A3759)(FIPS186- 4) (A3759)key and SHA2-256integrity test
RSA SigGen (FIPS186- 4) (A3760)RSA SigGen (FIPS186- 4) (A3760)KATCASTDigital signature generationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigGen (FIPS186- 4) (A3761)RSA SigGen (FIPS186- 4) (A3761)KATCASTDigital signature generationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigGen (FIPS186- 4) (A3762)RSA SigGen (FIPS186- 4) (A3762)KATCASTDigital signature generationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186- 4) (A3757)RSA SigVer (FIPS186- 4) (A3757)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186- 4) (A3759)RSA SigVer (FIPS186- 4) (A3759)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186- 4) (A3760)RSA SigVer (FIPS186- 4) (A3760)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186- 4) (A3761)RSA SigVer (FIPS186- 4) (A3761)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186- 4) (A3762)RSA SigVer (FIPS186- 4) (A3762)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048-bit key and SHA2-256Module becomes operationalTest runs at power-on before the integrity test
SHA-1 (A3757)SHA-1 (A3757)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA-1 (A3758)SHA-1 (A3758)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA-1 (A3759)SHA-1 (A3759)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA-1 (A3760)SHA-1 (A3760)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA-1 (A3761)SHA-1 (A3761)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA-1 (A3762)SHA-1 (A3762)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-224 (A3757)SHA2-224 (A3757)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-224 (A3759)SHA2-224 (A3759)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-224 (A3760)SHA2-224 (A3760)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-224 (A3761)SHA2-224 (A3761)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-224 (A3762)SHA2-224 (A3762)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the
SHA2-256 (A3757)SHA2-256 (A3757)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-256 (A3759)SHA2-256 (A3759)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-256 (A3760)SHA2-256 (A3760)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-256 (A3761)SHA2-256 (A3761)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-256 (A3762)SHA2-256 (A3762)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-256 (A4675)SHA2-256 (A4675)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-256 (A4676)SHA2-256 (A4676)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-384 (A3757)SHA2-384 (A3757)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-384 (A3759)SHA2-384 (A3759)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-384 (A3760)SHA2-384 (A3760)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-384 (A3761)SHA2-384 (A3761)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-384 (A3762)SHA2-384 (A3762)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A3757)SHA2-512 (A3757)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A3759)SHA2-512 (A3759)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A3760)SHA2-512 (A3760)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A3761)SHA2-512 (A3761)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A3762)SHA2-512 (A3762)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A4675)SHA2-512 (A4675)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the integrity test
SHA2-512 (A4676)SHA2-512 (A4676)KATCASTMessage digestMessage digestModule becomes operationalTest runs at power-on before the
PBKDF (A3757)PBKDF (A3757)KATCASTPassword- based key derivationSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3759)PBKDF (A3759)KATCASTPassword- based key derivationSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3760)PBKDF (A3760)KATCASTPassword- based key derivationSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3761)PBKDF (A3761)KATCASTPassword- based key derivationSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3762)PBKDF (A3762)KATCASTPassword- based key derivationSHA-1 password length 24Module becomes operationalTest runs at power-on before the
characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitscharacters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsintegrity test
PBKDF (A3757)PBKDF (A3757)KATCASTPassword- based key derivationSHA2-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3759)PBKDF (A3759)KATCASTPassword- based key derivationSHA2-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3760)PBKDF (A3760)KATCASTPassword- based key derivationSHA2-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3761)PBKDF (A3761)KATCASTPassword- based key derivationSHA2-256 password length 24 characters, master key length of 320 bits, iteration count ofModule becomes operationalTest runs at power-on before the integrity test
PBKDF (A3762)PBKDF (A3762)KATCASTPassword- based key derivationSHA2-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsModule becomes operationalTest runs at power-on before the integrity test
RSA KeyGen (FIPS186- 4) (A3757)RSA KeyGen (FIPS186- 4) (A3757)PCTPCTSignature generation and verificationPKCS#1 v1.5 with SHA2- 256Key pair generation is successfulKey pair generation
RSA KeyGen (FIPS186- 4) (A3759)RSA KeyGen (FIPS186- 4) (A3759)PCTPCTSignature generation and verificationPKCS#1 v1.5 with SHA2- 256Key pair generation is successfulKey pair generation
RSA KeyGen (FIPS186- 4) (A3760)RSA KeyGen (FIPS186- 4) (A3760)PCTPCTSignature generation and verificationPKCS#1 v1.5 with SHA2- 256Key pair generation is successfulKey pair generation
RSA KeyGen (FIPS186- 4) (A3761)RSA KeyGen (FIPS186- 4) (A3761)PCTPCTSignature generation and verificationPKCS#1 v1.5 with SHA2- 256Key pair generation is successfulKey pair generation
RSA KeyGen (FIPS186- 4) (A3762)RSA KeyGen (FIPS186- 4) (A3762)PCTPCTSignature generation and verificationPKCS#1 v1.5 with SHA2- 256Key pair generation is successfulKey pair generation
ECDSA KeyGen (FIPS186- 4) (A3757)ECDSA KeyGen (FIPS186- 4) (A3757)PCTPCTSignature generation and verificationSHA2-256Key pair generation is successfulKey pair generation
ECDSA KeyGen (FIPS186- 4) (A3759)ECDSA KeyGen (FIPS186- 4) (A3759)PCTPCTSignature generation and verificationSHA2-256Key pair generation is successfulKey pair generation
ECDSA KeyGen (FIPS186- 4) (A3760)ECDSA KeyGen (FIPS186- 4) (A3760)PCTPCTSignature generation and verificationSHA2-256Key pair generation is successfulKey pair generation
ECDSA KeyGenECDSA KeyGenPCTPCTSignature generationSHA2-256Key pair generationKey pair generation
(FIPS186- 4) (A3761)(FIPS186- 4) (A3761)and verificationis successful
ECDSA KeyGen (FIPS186- 4) (A3762)ECDSA KeyGen (FIPS186- 4) (A3762)PCTPCTSignature generation and verificationSHA2-256Key pair generation is successfulKey pair generation
HMAC-SHA2- 256 (A3760)HMAC-SHA2- 256 (A3760)Message authenticationSW/FW IntegrityOn demandManually
AES-ECB (A3757)AES-ECB (A3757)KATCASTOn DemandManually
AES-ECB (A3759)AES-ECB (A3759)KATCASTOn DemandManually
AES-ECB (A3760)AES-ECB (A3760)KATCASTOn DemandManually
AES-ECB (A3762)AES-ECB (A3762)KATCASTOn DemandManually
AES-ECB (A4675)AES-ECB (A4675)KATCASTOn DemandManually
AES-ECB (A4676)AES-ECB (A4676)KATCASTOn DemandManually
AES-ECB (A3757)AES-ECB (A3757)KATCASTOn DemandManually
AES-ECB (A3759)AES-ECB (A3759)KATCASTOn DemandManually
AES-ECB (A3760)AES-ECB (A3760)KATCASTOn DemandManually
AES-ECB (A3762)AES-ECB (A3762)KATCASTOn DemandManually
AES-ECB (A4675)AES-ECB (A4675)KATCASTOn DemandManually
AES-ECB (A4676)AES-ECB (A4676)KATCASTOn DemandManually
AES-CMAC (A3757)AES-CMAC (A3757)KATCASTOn DemandManually

Red Hat Enterprise Linux 9 libgcrypt

10 Self-Tests
10.1 Pre-Operational Self-Tests

HMACSHA2-256 s n y .0 Table 23: Pre-Operational Self-Tests The module performs pre-operational self-tests automatically when the module is becoming available for the consuming application. Pre-operational self-tests ensure that the module is not corrupted. While the module is executing the pre-operational self-tests, services are not available, input and output are inhibited. The module is not available for use by the calling application until the pre-operational self-tests are completed successfully. After the preoperational self-tests and the CASTs succeed, the module becomes operational. If any of the pre-operational self-tests or any of the CASTs fail an error message is returned, and the module transitions to the error state.

10.2 Conditional Self-Tests

© 2024 Red Hat, Inc., atsec information security.

Page 56

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 57

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 58

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 59

Red Hat Enterprise Linux 9 libgcrypt (FIPS1864) (A3757) (FIPS1864) (A3759) (FIPS1864) (A3760) (FIPS1864) (A3761) (FIPS1864) (A3762) (FIPS1864) (A3757) (FIPS1864) (A3759) © 2024 Red Hat, Inc., atsec information security.

Page 60

Red Hat Enterprise Linux 9 libgcrypt (FIPS1864) (A3760) (FIPS1864) (A3761) (FIPS1864) (A3762) (FIPS1864) (A3757) (FIPS1864) (A3759) (FIPS1864) (A3760) (FIPS1864) (A3761) (FIPS1864) (A3762) © 2024 Red Hat, Inc., atsec information security.

Page 61

Red Hat Enterprise Linux 9 libgcrypt HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 © 2024 Red Hat, Inc., atsec information security.

Page 62

Red Hat Enterprise Linux 9 libgcrypt HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 © 2024 Red Hat, Inc., atsec information security.

Page 63

Red Hat Enterprise Linux 9 libgcrypt HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA3-224 HMACSHA3-224 HMACSHA3-224 HMACSHA3-256 © 2024 Red Hat, Inc., atsec information security.

Page 64

Red Hat Enterprise Linux 9 libgcrypt HMACSHA3-256 HMACSHA3-256 HMACSHA3-384 HMACSHA3-384 HMACSHA3-384 HMACSHA3-512 HMACSHA3-512 HMACSHA3-512 (FIPS1864) (A3757) © 2024 Red Hat, Inc., atsec information security.

Page 65

Red Hat Enterprise Linux 9 libgcrypt (FIPS1864) (A3759) (FIPS1864) (A3760) (FIPS1864) (A3761) (FIPS1864) (A3762) (FIPS1864) (A3757) (FIPS1864) (A3759) (FIPS1864) (A3760) (FIPS1864) (A3761) (FIPS1864) (A3762) © 2024 Red Hat, Inc., atsec information security.

Page 66

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 67

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 68

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 69

Red Hat Enterprise Linux 9 libgcrypt Passwordbased key Passwordbased key Passwordbased key Passwordbased key Passwordbased key © 2024 Red Hat, Inc., atsec information security.

Page 70

Red Hat Enterprise Linux 9 libgcrypt Passwordbased key Passwordbased key Passwordbased key Passwordbased key © 2024 Red Hat, Inc., atsec information security.

Page 71

Red Hat Enterprise Linux 9 libgcrypt (FIPS1864) (A3757) (FIPS1864) (A3759) (FIPS1864) (A3760) (FIPS1864) (A3761) (FIPS1864) (A3762) (FIPS1864) (A3757) (FIPS1864) (A3759) (FIPS1864) (A3760) Passwordbased key with SHA2256 with SHA2256 with SHA2256 with SHA2256 with SHA2256 © 2024 Red Hat, Inc., atsec information security.

Page 72
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
(FIPS186- 4) (A3761)(FIPS186- 4) (A3761)and verificationis successful
ECDSA KeyGen (FIPS186- 4) (A3762)ECDSA KeyGen (FIPS186- 4) (A3762)PCTPCTSignature generation and verificationKey pair generation is successfulSHA2-256Key pair generation
HMAC-SHA2- 256 (A3760)HMAC-SHA2- 256 (A3760)Message authenticationSW/FW IntegrityOn demandManually
AES-ECB (A3757)AES-ECB (A3757)KATCASTOn DemandManually
AES-ECB (A3759)AES-ECB (A3759)KATCASTOn DemandManually
AES-ECB (A3760)AES-ECB (A3760)KATCASTOn DemandManually
AES-ECB (A3762)AES-ECB (A3762)KATCASTOn DemandManually
AES-ECB (A4675)AES-ECB (A4675)KATCASTOn DemandManually
AES-ECB (A4676)AES-ECB (A4676)KATCASTOn DemandManually
AES-ECB (A3757)AES-ECB (A3757)KATCASTOn DemandManually
AES-ECB (A3759)AES-ECB (A3759)KATCASTOn DemandManually
AES-ECB (A3760)AES-ECB (A3760)KATCASTOn DemandManually
AES-ECB (A3762)AES-ECB (A3762)KATCASTOn DemandManually
AES-ECB (A4675)AES-ECB (A4675)KATCASTOn DemandManually
AES-ECB (A4676)AES-ECB (A4676)KATCASTOn DemandManually
AES-CMAC (A3757)AES-CMAC (A3757)KATCASTOn DemandManually
AES-CMAC (A3759)AES-CMAC (A3759)KATCASTOn DemandManually
AES-CMAC (A3760)AES-CMAC (A3760)KATCASTOn DemandManually
AES-CMAC (A3762)AES-CMAC (A3762)KATCASTOn DemandManually
Counter DRBG (A3757)Counter DRBG (A3757)KATCASTOn DemandManually
Counter DRBG (A3759)Counter DRBG (A3759)KATCASTOn DemandManually
Counter DRBG (A3760)Counter DRBG (A3760)KATCASTOn DemandManually
Counter DRBG (A3762)Counter DRBG (A3762)KATCASTOn DemandManually
Hash DRBG (A3757)Hash DRBG (A3757)KATCASTOn DemandManually
Hash DRBG (A3759)Hash DRBG (A3759)KATCASTOn DemandManually
Hash DRBG (A3760)Hash DRBG (A3760)KATCASTOn DemandManually
Hash DRBG (A3761)Hash DRBG (A3761)KATCASTOn DemandManually
Hash DRBG (A3762)Hash DRBG (A3762)KATCASTOn DemandManually
Hash DRBG (A3757)Hash DRBG (A3757)KATCASTOn DemandManually
Hash DRBG (A3759)Hash DRBG (A3759)KATCASTOn DemandManually
Hash DRBG (A3760)Hash DRBG (A3760)KATCASTOn DemandManually
Hash DRBG (A3761)Hash DRBG (A3761)KATCASTOn DemandManually
Hash DRBG (A3762)Hash DRBG (A3762)KATCASTOn DemandManually
HMAC DRBG (A3757)HMAC DRBG (A3757)KATCASTOn DemandManually
HMAC DRBG (A3759)HMAC DRBG (A3759)KATCASTOn DemandManually
HMAC DRBG (A3760)HMAC DRBG (A3760)KATCASTOn DemandManually
HMAC DRBG (A3761)HMAC DRBG (A3761)KATCASTOn DemandManually
HMAC DRBG (A3762)HMAC DRBG (A3762)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3757)ECDSA SigGen (FIPS186-4) (A3757)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3759)ECDSA SigGen (FIPS186-4) (A3759)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3760)ECDSA SigGen (FIPS186-4) (A3760)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3761)ECDSA SigGen (FIPS186-4) (A3761)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3762)ECDSA SigGen (FIPS186-4) (A3762)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3757)ECDSA SigVer (FIPS186-4) (A3757)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3759)ECDSA SigVer (FIPS186-4) (A3759)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3760)ECDSA SigVer (FIPS186-4) (A3760)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3761)ECDSA SigVer (FIPS186-4) (A3761)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3762)ECDSA SigVer (FIPS186-4) (A3762)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3757)ECDSA SigVer (FIPS186-4) (A3757)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3759)ECDSA SigVer (FIPS186-4) (A3759)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3760)ECDSA SigVer (FIPS186-4) (A3760)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3761)ECDSA SigVer (FIPS186-4) (A3761)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3762)ECDSA SigVer (FIPS186-4) (A3762)KATCASTOn DemandManually
HMAC-SHA-1 (A3757)HMAC-SHA-1 (A3757)KATCASTOn DemandManually
HMAC-SHA-1 (A3758)HMAC-SHA-1 (A3758)KATCASTOn DemandManually
HMAC-SHA-1 (A3759)HMAC-SHA-1 (A3759)KATCASTOn DemandManually
HMAC-SHA-1 (A3760)HMAC-SHA-1 (A3760)KATCASTOn DemandManually
HMAC-SHA-1 (A3761)HMAC-SHA-1 (A3761)KATCASTOn DemandManually
HMAC-SHA-1 (A3762)HMAC-SHA-1 (A3762)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3757)HMAC-SHA2- 224 (A3757)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3759)HMAC-SHA2- 224 (A3759)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3760)HMAC-SHA2- 224 (A3760)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3761)HMAC-SHA2- 224 (A3761)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3762)HMAC-SHA2- 224 (A3762)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3757)HMAC-SHA2- 256 (A3757)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3759)HMAC-SHA2- 256 (A3759)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3760)HMAC-SHA2- 256 (A3760)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3761)HMAC-SHA2- 256 (A3761)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3762)HMAC-SHA2- 256 (A3762)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3757)HMAC-SHA2- 384 (A3757)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3759)HMAC-SHA2- 384 (A3759)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3760)HMAC-SHA2- 384 (A3760)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3761)HMAC-SHA2- 384 (A3761)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3762)HMAC-SHA2- 384 (A3762)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3757)HMAC-SHA2- 512 (A3757)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3759)HMAC-SHA2- 512 (A3759)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3760)HMAC-SHA2- 512 (A3760)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3761)HMAC-SHA2- 512 (A3761)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3762)HMAC-SHA2- 512 (A3762)KATCASTOn DemandManually
HMAC-SHA3- 224 (A3757)HMAC-SHA3- 224 (A3757)KATCASTOn DemandManually
HMAC-SHA3- 224 (A3761)HMAC-SHA3- 224 (A3761)KATCASTOn DemandManually
HMAC-SHA3- 224 (A3762)HMAC-SHA3- 224 (A3762)KATCASTOn DemandManually
HMAC-SHA3- 256 (A3757)HMAC-SHA3- 256 (A3757)KATCASTOn DemandManually
HMAC-SHA3- 256 (A3761)HMAC-SHA3- 256 (A3761)KATCASTOn DemandManually
HMAC-SHA3- 256 (A3762)HMAC-SHA3- 256 (A3762)KATCASTOn DemandManually
HMAC-SHA3- 384 (A3757)HMAC-SHA3- 384 (A3757)KATCASTOn DemandManually
HMAC-SHA3- 384 (A3761)HMAC-SHA3- 384 (A3761)KATCASTOn DemandManually
HMAC-SHA3- 384 (A3762)HMAC-SHA3- 384 (A3762)KATCASTOn DemandManually
HMAC-SHA3- 512 (A3757)HMAC-SHA3- 512 (A3757)KATCASTOn DemandManually
HMAC-SHA3- 512 (A3761)HMAC-SHA3- 512 (A3761)KATCASTOn DemandManually
HMAC-SHA3- 512 (A3762)HMAC-SHA3- 512 (A3762)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3757)RSA SigGen (FIPS186-4) (A3757)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3759)RSA SigGen (FIPS186-4) (A3759)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3760)RSA SigGen (FIPS186-4) (A3760)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3761)RSA SigGen (FIPS186-4) (A3761)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3762)RSA SigGen (FIPS186-4) (A3762)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3757)RSA SigVer (FIPS186-4) (A3757)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3759)RSA SigVer (FIPS186-4) (A3759)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3760)RSA SigVer (FIPS186-4) (A3760)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3761)RSA SigVer (FIPS186-4) (A3761)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3762)RSA SigVer (FIPS186-4) (A3762)KATCASTOn DemandManually
SHA-1 (A3757)SHA-1 (A3757)KATCASTOn DemandManually
SHA-1 (A3758)SHA-1 (A3758)KATCASTOn DemandManually
SHA-1 (A3759)SHA-1 (A3759)KATCASTOn DemandManually
SHA-1 (A3760)SHA-1 (A3760)KATCASTOn DemandManually
SHA-1 (A3761)SHA-1 (A3761)KATCASTOn DemandManually
SHA-1 (A3762)SHA-1 (A3762)KATCASTOn DemandManually
SHA2-224 (A3757)SHA2-224 (A3757)KATCASTOn DemandManually
SHA2-224 (A3759)SHA2-224 (A3759)KATCASTOn DemandManually
SHA2-224 (A3760)SHA2-224 (A3760)KATCASTOn DemandManually
SHA2-224 (A3761)SHA2-224 (A3761)KATCASTOn DemandManually
SHA2-224 (A3762)SHA2-224 (A3762)KATCASTOn DemandManually
SHA2-256 (A3757)SHA2-256 (A3757)KATCASTOn DemandManually
SHA2-256 (A3759)SHA2-256 (A3759)KATCASTOn DemandManually
SHA2-256 (A3760)SHA2-256 (A3760)KATCASTOn DemandManually
SHA2-256 (A3761)SHA2-256 (A3761)KATCASTOn DemandManually
SHA2-256 (A3762)SHA2-256 (A3762)KATCASTOn DemandManually
SHA2-256 (A4675)SHA2-256 (A4675)KATCASTOn DemandManually
SHA2-256 (A4676)SHA2-256 (A4676)KATCASTOn DemandManually
SHA2-384 (A3757)SHA2-384 (A3757)KATCASTOn DemandManually
SHA2-384 (A3759)SHA2-384 (A3759)KATCASTOn DemandManually
SHA2-384 (A3760)SHA2-384 (A3760)KATCASTOn DemandManually
SHA2-384 (A3761)SHA2-384 (A3761)KATCASTOn DemandManually
SHA2-384 (A3762)SHA2-384 (A3762)KATCASTOn DemandManually
SHA2-512 (A3757)SHA2-512 (A3757)KATCASTOn DemandManually
SHA2-512 (A3759)SHA2-512 (A3759)KATCASTOn DemandManually
SHA2-512 (A3760)SHA2-512 (A3760)KATCASTOn DemandManually
SHA2-512 (A3761)SHA2-512 (A3761)KATCASTOn DemandManually
SHA2-512 (A3762)SHA2-512 (A3762)KATCASTOn DemandManually
SHA2-512 (A4675)SHA2-512 (A4675)KATCASTOn DemandManually
SHA2-512 (A4676)SHA2-512 (A4676)KATCASTOn DemandManually
PBKDF (A3757)PBKDF (A3757)KATCASTOn DemandManually
PBKDF (A3759)PBKDF (A3759)KATCASTOn DemandManually
PBKDF (A3760)PBKDF (A3760)KATCASTOn DemandManually
PBKDF (A3761)PBKDF (A3761)KATCASTOn DemandManually
PBKDF (A3762)PBKDF (A3762)KATCASTOn DemandManually
PBKDF (A3757)PBKDF (A3757)KATCASTOn DemandManually
PBKDF (A3759)PBKDF (A3759)KATCASTOn DemandManually
PBKDF (A3760)PBKDF (A3760)KATCASTOn DemandManually
PBKDF (A3761)PBKDF (A3761)KATCASTOn DemandManually
PBKDF (A3762)PBKDF (A3762)KATCASTOn DemandManually
RSA KeyGen (FIPS186-4) (A3757)RSA KeyGen (FIPS186-4) (A3757)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3759)RSA KeyGen (FIPS186-4) (A3759)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3760)RSA KeyGen (FIPS186-4) (A3760)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3761)RSA KeyGen (FIPS186-4) (A3761)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3762)RSA KeyGen (FIPS186-4) (A3762)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3757)ECDSA KeyGen (FIPS186-4) (A3757)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3759)ECDSA KeyGen (FIPS186-4) (A3759)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3760)ECDSA KeyGen (FIPS186-4) (A3760)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3761)ECDSA KeyGen (FIPS186-4) (A3761)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3762)ECDSA KeyGen (FIPS186-4) (A3762)PCTPCTOn DemandManually

Red Hat Enterprise Linux 9 libgcrypt (FIPS1864) (A3761) (FIPS1864) (A3762) Table 24: Conditional Self-Tests

10.3 Periodic Self-Test Information

Table 25: Pre-Operational Periodic Information © 2024 Red Hat, Inc., atsec information security.

Page 73

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 74

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 75

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 76

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 77

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 78

Red Hat Enterprise Linux 9 libgcrypt © 2024 Red Hat, Inc., atsec information security.

Page 79
Service
NameDescriptionRole AccessIndicator
Error StateThe module will return an error code to indicate the error and will enter the Error state. Any further cryptographic operation is inhibited.Failure of pre- operational tests or conditional tests.An error message related to the cause of the failure.The error can be recovered by a restart (i.e., powering off and powering on) of the module.
Fatal Error stateThe module will abort and will not be available.Random numbers are requested in the error state or cipher operationsThe module is abortedThe error can be recovered by a restart (i.e., powering off and
are requested on a deallocated handle.are requested on a deallocated handle.powering on) of the module.

Red Hat Enterprise Linux 9 libgcrypt Table 26: Conditional Periodic Information This information can be found in Section 5.2.

10.4 Error States

© 2024 Red Hat, Inc., atsec information security.

Page 80

Red Hat Enterprise Linux 9 libgcrypt Table 27: Error States After the pre-operational self-tests and the CASTs succeed, the module becomes operational. If any of the pre-operational self-tests or any of the CASTs fail an error message is returned, and the module transitions to the error state. When the module fails any pre-operational self-test or conditional test, the module will return an error code to indicate the error and will enter the Error state. Any further cryptographic operation is inhibited. The calling application can obtain the module state by calling the gcry_control(GCRYCTL_OPERATIONAL_P) API function. The function returns FALSE if the module is in the Error state, TRUE if the module is in the Operational state. In the Error state, all data output is inhibited, and no cryptographic operation is allowed. The error can be recovered by a restart (i.e., powering off and powering on) of the module. If random numbers are requested while the module is in Error state, or if cipher operations are requested on a deallocated handle the module will transition to Fatal Error state, the module will abort and will not be available.

10.5 Operator Initiation of Self-Tests

The software integrity tests and the CASTs can be invoked relying on the gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module. The PCTs can be invoked on demand by requesting the Key Generation service.

10.6 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 81

Red Hat Enterprise Linux 9 libgcrypt

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Crypto Officer can install the RPM package of the Module (i.e. libgcrypt-1.10.010.el9_0.rpm or libgcrypt-1.10.0-10.el9_2.rpm) using standard tools recommended for the installation of RPM packages on a Red Hat Enterprise Linux system (for example, dnf, rpm, and the RHN remote management tool). The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error. Before the RPM package of the module is installed, the RHEL 9 system must operate in FIPSvalidated configuration. This can be achieved by:

11.2 Administrator Guidance

All the functions, ports and logical interfaces described in this document are available to the Crypto Officer. The user must not call malloc/free to create/release space for keys, let libgcrypt manage space for keys, which will ensure that the key memory is overwritten before it is released. gcry_control(GCRYCTL_TERM_SECMEM) needs to be called before the process is terminated.

11.3 Non-Administrator Guidance

The module implements only the Crypto Officer. There are no requirements for nonadministrator guidance.

11.4 Design and Rules
11.5 Maintenance Requirements

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 82

Red Hat Enterprise Linux 9 libgcrypt

11.6 End of Life

For secure sanitization of the cryptographic module, the module must first to be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. The module does not possess persistent storage of SSPs, so further sanitization steps are not required.

11.7 Additional Information

Not Applicable. © 2024 Red Hat, Inc., atsec information security.

Page 83

Red Hat Enterprise Linux 9 libgcrypt

12 Mitigation of Other Attacks
12.1 Attack List
12.2 Mitigation Effectiveness

RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. By default, the module uses the following blinding technique: instead of using the RSA decryption directly, a blinded value y = x re mod n is decrypted and the unblinded value x' = y' r−1 mod n returned. The blinding value r is a random value with the size of the modulus n. © 2024 Red Hat, Inc., atsec information security.

Page 84

Red Hat Enterprise Linux 9 libgcrypt Appendix A. Glossary and Abbreviations AES API CAST CAVP CBC CCM CFB CKG CMAC CMVP CSP CTR DF DRBG ECB ECC ECDSA FIPS GCM HMAC KAT KW MAC NIST OFB PAA PAI PBKDF2 PCT PKCS PR PSS RNG RSA SHA SHS SSP XOF XTS Advanced Encryption Standard Application Programming Interface Cryptographic Algorithm Self-Test Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cryptographic Key Generation Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Mode Derivation Function Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Algorithm Federal Information Processing Standards Publication Galois Counter Mode Hash Message Authentication Code Known Answer Test AES Key Wrap Message Authentication Code National Institute of Science and Technology Output Feedback Processor Algorithm Acceleration Processor Algorithm Implementation Password-based Key Derivation Function v2 Pair-wise Consistency Test Public-Key Cryptography Standards Prediction Resistance Probabilistic Signature Scheme Random Number Generator Rivest, Shamir, Addleman Secure Hash Algorithm Secure Hash Standard Sensitive Security Parameter Extendable Output Function XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Red Hat, Inc., atsec information security.

Page 85

Red Hat Enterprise Linux 9 libgcrypt Appendix B. References FIPS140-3 FIPS140-3_IG FIPS140-3_MM FIPS180-4 FIPS186-4 FIPS186-2 FIPS197 FIPS198-1 FIPS202 PKCS#1 SP800-38A SP800-38B SP800-38C SP800-38E FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 140-3 Cryptographic Module Validation Program - Management Manual (Draft) December 2022 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/Draft%20FIPS-140-3CMVP%20Management%20Manual%20v1.2%20%5BDec%2023%202022%5D.p df Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf Digital Signature Standard (DSS) January 2000 https://csrc.nist.gov/files/pubs/fips/186-2/final/docs/fips186-2.pdf Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38e.pdf © 2024 Red Hat, Inc., atsec information security.

Page 86

Red Hat Enterprise Linux 9 libgcrypt SP800-38F SP800-90Arev1 SP800-90B SP800-132 SP800-133rev2 SP800-140Br1 NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf NIST Special Publication 800-140B

Referenced URLs