All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

Certificate#4793StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCanonical Ltd.
Medium review priority  ·  no TCB surface named  ·  libgcrypt upstream has published 2 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/9/2029
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified Section 11 in the Security Policy.
VendorCanonical Ltd.

Approved Algorithms (203)

AlgorithmACVP Cert
AES-CBCA3700
AES-CBCA3701
AES-CBCA3703
AES-CBCA3704
AES-CCMA3700
AES-CCMA3701
AES-CCMA3703
AES-CCMA3704
AES-CFB128A3700
AES-CFB128A3701
AES-CFB128A3703
AES-CFB128A3704
AES-CFB8A3700
AES-CFB8A3701
AES-CFB8A3703
AES-CFB8A3704
AES-CMACA3700
AES-CMACA3701
AES-CMACA3703
AES-CMACA3704
AES-CTRA3700
AES-CTRA3701
AES-CTRA3703
AES-CTRA3704
AES-ECBA3700
AES-ECBA3701
AES-ECBA3703
AES-ECBA3704
AES-KWA3700
AES-KWA3701
AES-KWA3703
AES-KWA3704
AES-OFBA3700
AES-OFBA3701
AES-OFBA3703
AES-OFBA3704
AES-XTS Testing Revision 2.0A3700
AES-XTS Testing Revision 2.0A3701
AES-XTS Testing Revision 2.0A3703
AES-XTS Testing Revision 2.0A3704
Counter DRBGA3700
Counter DRBGA3701
Counter DRBGA3703
Counter DRBGA3704
ECDSA KeyGen (FIPS186-4)A3700
ECDSA KeyGen (FIPS186-4)A3701
ECDSA KeyGen (FIPS186-4)A3703
ECDSA KeyGen (FIPS186-4)A3704
ECDSA KeyGen (FIPS186-4)A3705
ECDSA KeyVer (FIPS186-4)A3700
ECDSA KeyVer (FIPS186-4)A3701
ECDSA KeyVer (FIPS186-4)A3703
ECDSA KeyVer (FIPS186-4)A3704
ECDSA KeyVer (FIPS186-4)A3705
ECDSA SigGen (FIPS186-4)A3700
ECDSA SigGen (FIPS186-4)A3701
ECDSA SigGen (FIPS186-4)A3703
ECDSA SigGen (FIPS186-4)A3704
ECDSA SigGen (FIPS186-4)A3705
ECDSA SigVer (FIPS186-4)A3700
ECDSA SigVer (FIPS186-4)A3701
ECDSA SigVer (FIPS186-4)A3703
ECDSA SigVer (FIPS186-4)A3704
ECDSA SigVer (FIPS186-4)A3705
Hash DRBGA3700
Hash DRBGA3701
Hash DRBGA3703
Hash DRBGA3704
Hash DRBGA3705
HMAC DRBGA3700
HMAC DRBGA3701
HMAC DRBGA3703
HMAC DRBGA3704
HMAC DRBGA3705
HMAC-SHA-1A3699
HMAC-SHA-1A3700
HMAC-SHA-1A3701
HMAC-SHA-1A3702
HMAC-SHA-1A3703
HMAC-SHA-1A3704
HMAC-SHA-1A3705
HMAC-SHA2-224A3700
HMAC-SHA2-224A3701
HMAC-SHA2-224A3703
HMAC-SHA2-224A3704
HMAC-SHA2-224A3705
HMAC-SHA2-256A3700
HMAC-SHA2-256A3701
HMAC-SHA2-256A3703
HMAC-SHA2-256A3704
HMAC-SHA2-256A3705
HMAC-SHA2-384A3700
HMAC-SHA2-384A3701
HMAC-SHA2-384A3703
HMAC-SHA2-384A3704
HMAC-SHA2-384A3705
HMAC-SHA2-512A3700
HMAC-SHA2-512A3701
HMAC-SHA2-512A3703
HMAC-SHA2-512A3704
HMAC-SHA2-512A3705
HMAC-SHA2-512/224A3700
HMAC-SHA2-512/224A3701
HMAC-SHA2-512/224A3703
HMAC-SHA2-512/224A3704
HMAC-SHA2-512/224A3705
HMAC-SHA2-512/256A3700
HMAC-SHA2-512/256A3701
HMAC-SHA2-512/256A3703
HMAC-SHA2-512/256A3704
HMAC-SHA2-512/256A3705
HMAC-SHA3-224A3700
HMAC-SHA3-224A3701
HMAC-SHA3-224A3705
HMAC-SHA3-256A3700
HMAC-SHA3-256A3701
HMAC-SHA3-256A3705
HMAC-SHA3-384A3700
HMAC-SHA3-384A3701
HMAC-SHA3-384A3705
HMAC-SHA3-512A3700
HMAC-SHA3-512A3701
HMAC-SHA3-512A3705
PBKDFA3700
PBKDFA3701
PBKDFA3703
PBKDFA3704
PBKDFA3705
RSA KeyGen (FIPS186-4)A3700
RSA KeyGen (FIPS186-4)A3701
RSA KeyGen (FIPS186-4)A3703
RSA KeyGen (FIPS186-4)A3704
RSA KeyGen (FIPS186-4)A3705
RSA SigGen (FIPS186-4)A3700
RSA SigGen (FIPS186-4)A3701
RSA SigGen (FIPS186-4)A3703
RSA SigGen (FIPS186-4)A3704
RSA SigGen (FIPS186-4)A3705
RSA Signature PrimitiveA3700
RSA Signature PrimitiveA3701
RSA Signature PrimitiveA3703
RSA Signature PrimitiveA3704
RSA Signature PrimitiveA3705
RSA SigVer (FIPS186-4)A3700
RSA SigVer (FIPS186-4)A3701
RSA SigVer (FIPS186-4)A3703
RSA SigVer (FIPS186-4)A3704
RSA SigVer (FIPS186-4)A3705
SHA-1A3699
SHA-1A3700
SHA-1A3701
SHA-1A3702
SHA-1A3703
SHA-1A3704
SHA-1A3705
SHA2-224A3700
SHA2-224A3701
SHA2-224A3703
SHA2-224A3704
SHA2-224A3705
SHA2-256A3700
SHA2-256A3701
SHA2-256A3703
SHA2-256A3704
SHA2-256A3705
SHA2-384A3700
SHA2-384A3701
SHA2-384A3703
SHA2-384A3704
SHA2-384A3705
SHA2-512A3700
SHA2-512A3701
SHA2-512A3703
SHA2-512A3704
SHA2-512A3705
SHA2-512/224A3700
SHA2-512/224A3701
SHA2-512/224A3703
SHA2-512/224A3704
SHA2-512/224A3705
SHA2-512/256A3700
SHA2-512/256A3701
SHA2-512/256A3703
SHA2-512/256A3704
SHA2-512/256A3705
SHA3-224A3700
SHA3-224A3701
SHA3-224A3705
SHA3-256A3700
SHA3-256A3701
SHA3-256A3705
SHA3-384A3700
SHA3-384A3701
SHA3-384A3705
SHA3-512A3700
SHA3-512A3701
SHA3-512A3705
SHAKE-128A3700
SHAKE-128A3701
SHAKE-128A3705
SHAKE-256A3700
SHAKE-256A3701
SHAKE-256A3705

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Non-Invasive Security8
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric encryption<br/>Symmetric decryption<br/>Symmetric encryption (for data storage)</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric encryption<br/>Symmetric decryption<br/>Symmetric encryption (for data storage)</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Canonical Ltd. Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module version 1.9.4-3ubuntu3+Fips1.2 Document version 1.1 Last updated: 2024-08-30 Prepared by: Prepared for: atsec information security corporation Canonical Ltd.

4516 Seton Center Parkway, Suite 250
110 Southwark Street, Blue Fin Building,

5th Floor Austin, TX 78759 London, SE1 0SU www.atsec.com www.canonical.com

Page 2

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table of Contents © 2024 Canonical Ltd. / atsec information security.

Page 3

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 4

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 5

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 6

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module List of Tables Table 2: Tested Module Identification

Page 7

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module List of Figures © 2024 Canonical Ltd. / atsec information security.

Page 8
Security level
NameISO SectionLevel
111
221
331
441
551
661
77N/A
88N/A
991
10101
11111
12121

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 1.9.43ubuntu3+Fips1.2 of the Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] standard, starting with Section B.2.1 named “General” that maps to Section 1 in this document and ending with Section B.2.12 named “Mitigation of Other Attacks” that maps to Section 12 in this document.

1.2 Security Levels

N/A N/A Table 1: Security Levels © 2024 Canonical Ltd. / atsec information security.

Page 9

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

1.3 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 10

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The module is software library implementing general purpose cryptographic algorithms. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). The module is implemented as a set of shared library / binary file; as shown in Figure 1. The shared library file constitutes the cryptographic boundary. Module Type: Software Module Embodiment: Multi-Chip standalone Module Characteristics: Cryptographic Boundary: The Tested Module Identification

Page 11
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
libgcrypt.so.20.3.41.9.4- 3ubuntu3+Fips1.2N/Alibgcrypt.so.20.3.4HMAC-SHA2-256
.libgcrypt.so.20.hmac1.9.4- 3ubuntu3+Fips1.2N/A.libgcrypt.so.20.hmacHMAC-SHA2-256
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitSupermicro SYS-1019P- WTR1.9.4- 3ubuntu3+Fips1.2Intel Xeon Gold 6226AESNI, SSSE3, SHLDN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitAmazon Web Services (AWS) c6g.metal1.9.4- 3ubuntu3+Fips1.2AWS Graviton2NEONN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitIBM z151.9.4- 3ubuntu3+Fips1.2IBM z15CPACFN/A
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
libgcrypt.so.20.3.41.9.4- 3ubuntu3+Fips1.2N/Alibgcrypt.so.20.3.4HMAC-SHA2-256
.libgcrypt.so.20.hmac1.9.4- 3ubuntu3+Fips1.2N/A.libgcrypt.so.20.hmacHMAC-SHA2-256
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitSupermicro SYS-1019P- WTR1.9.4- 3ubuntu3+Fips1.2Intel Xeon Gold 6226AESNI, SSSE3, SHLDN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitAmazon Web Services (AWS) c6g.metal1.9.4- 3ubuntu3+Fips1.2AWS Graviton2NEONN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitIBM z151.9.4- 3ubuntu3+Fips1.2IBM z15CPACFN/A

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

Page 12
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa PaiHypervisor
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitSupermicro SYS-1019P- WTR1.9.4- 3ubuntu3+Fips1.2Intel Xeon Gold 6226NoN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitAmazon Web Services (AWS) c6g.metal1.9.4- 3ubuntu3+Fips1.2AWS Graviton2NoN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitIBM z151.9.4- 3ubuntu3+Fips1.2IBM z15NoN/A
Ubuntu Core 22Ubuntu Core 22Supermicro SYS-1019P-WTR
Ubuntu Core 22Ubuntu Core 22Amazon Web Services (AWS) c6g.metal
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa PaiHypervisor
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitSupermicro SYS-1019P- WTR1.9.4- 3ubuntu3+Fips1.2Intel Xeon Gold 6226NoN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitAmazon Web Services (AWS) c6g.metal1.9.4- 3ubuntu3+Fips1.2AWS Graviton2NoN/A
Ubuntu 22.04 LTS 64-bitUbuntu 22.04 LTS 64-bitIBM z151.9.4- 3ubuntu3+Fips1.2IBM z15NoN/A
Ubuntu Core 22Ubuntu Core 22Supermicro SYS-1019P-WTR
Ubuntu Core 22Ubuntu Core 22Amazon Web Services (AWS) c6g.metal

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module SYS-1019PWTR N/A 1.9.43ubuntu3+Fips1.2 N/A 1.9.43ubuntu3+Fips1.2 N/A 1.9.43ubuntu3+Fips1.2 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no excluded components from the module.

2.4 Modes of Operation

Modes List and Description: © 2024 Canonical Ltd. / atsec information security.

Page 13
Service
NameDescriptionIndicatorType
Non- approved modeAutomatically entered whenever a non-approved service is requestedEquivalent to the indicator of the requested serviceNon- Approved
Approved algorithm
NameCAVP CertPropertiesReference
HMAC-SHA-1A3699Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
SHA-1A3699Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
AES-CBCA3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3700Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3700Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3700Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3700Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3700Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3700Secret Generation Mode: Testing Candidate Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3700Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3700Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigVer (FIPS186-4)A3700Curves: P-224, P-256, P-384, P-521FIPS 186-4
Hash DRBGA3700Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3700Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A3700Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3700Password; derived key with 112-512 bits key size and 112-256 bits key strengthSP 800-132
RSA KeyGen (FIPS186-4)A3700Key Generation Mode: B.3.3 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigGen (FIPS186-4)A3700Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3700Private Key Format: standard Public Exponent Mode: randomFIPS 186-4
RSA SigVer (FIPS186-4)A3700Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3700- Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3700Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3700Message Length - Message Length: 16- 65536 Increment 8FIPS 202
SHAKE-256A3700Message Length - Message Length: 16- 65536 Increment 8FIPS 202
AES-CBCA3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3701Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3701Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3701Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3701Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3701Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3701Secret Generation Mode: Testing Candidate Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3701Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3701Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigVer (FIPS186-4)A3701Curves: P-224, P-256, P-384, P-521FIPS 186-4
Hash DRBGA3701Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3701Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A3701Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3701Password; derived key with 112-512 bits key size and 112-256 bits key strengthSP 800-132
RSA KeyGen (FIPS186-4)A3701Key Generation Mode: B.3.3 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigGen (FIPS186-4)A3701Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3701Private Key Format: standard Public Exponent Mode: randomFIPS 186-4
RSA SigVer (FIPS186-4)A3701Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3701- Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3701Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3701Message Length - Message Length: 16- 65536 Increment 8FIPS 202
SHAKE-256A3701Message Length - Message Length: 16- 65536 Increment 8FIPS 202
HMAC-SHA-1A3702Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
SHA-1A3702Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
AES-CBCA3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3703Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3703Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3703Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3703Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3703Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3703Secret Generation Mode: Testing Candidate Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3703Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3703Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigVer (FIPS186-4)A3703Curves: P-224, P-256, P-384, P-521FIPS 186-4
Hash DRBGA3703Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3703Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3703Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3703Password; derived key with 112-512 bits key size and 112-256 bits key strengthSP 800-132
RSA KeyGen (FIPS186-4)A3703Key Generation Mode: B.3.3 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigGen (FIPS186-4)A3703Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3703Private Key Format: standardFIPS 186-4
RSA SigVer (FIPS186-4)A3703Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3703Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
AES-CBCA3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3704Key Length - 128, 192, 256SP 800-38C
AES-CFB128A3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3704Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3704Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3704Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3704Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A3704Secret Generation Mode: Testing Candidate Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3704Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3704Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigVer (FIPS186-4)A3704Curves: P-224, P-256, P-384, P-521FIPS 186-4
Hash DRBGA3704Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3704Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3704Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3704Password; derived key with 112-512 bits key size and 112-256 bits key strengthSP 800-132
RSA KeyGen (FIPS186-4)A3704Key Generation Mode: B.3.3 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigGen (FIPS186-4)A3704Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3704Private Key Format: standard Public Exponent Mode: randomFIPS 186-4
RSA SigVer (FIPS186-4)A3704Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3704Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3704Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3704Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3704Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-512A3704Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3704Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3704Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
ECDSA KeyGen (FIPS186-4)A3705Secret Generation Mode: Testing Candidate Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A3705Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3705Curves: P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigVer (FIPS186-4)A3705Curves: P-224, P-256, P-384, P-521FIPS 186-4
Hash DRBGA3705Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA3705Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A3705Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
PBKDFA3705Password; derived key with 112-512 bits key size and 112-256 bits key strengthSP 800-132
RSA KeyGen (FIPS186-4)A3705Key Generation Mode: B.3.3 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigGen (FIPS186-4)A3705Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3705Private Key Format: standard Public Exponent Mode: randomFIPS 186-4
RSA SigVer (FIPS186-4)A3705Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 Signature Type - PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3705Message Length - Message Length: 0- 65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3705Message Length - Message Length: 16- 65536 Increment 8FIPS 202
SHAKE-256A3705Message Length - Message Length: 16- 65536 Increment 8FIPS 202

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Nonapproved NonApproved Table 5: Modes List and Description Mode Change Instructions and Status [O]: When the module starts up successfully, after passing all the pre-operational self-test, the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in the Non-Approved Services table. See Section 4 for the details on service indicator provided by the module that identifies when an approved service is called. There is no degraded mode of operation implemented within the module.

2.5 Algorithms

Approved Algorithms: © 2024 Canonical Ltd. / atsec information security.

Page 14

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 15

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 16

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 17

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 18

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 19

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 20

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 21

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 22

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 23

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 24

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 25

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 26

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 27

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 28

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 29

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 30

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 31

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 32

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 6: Approved Algorithms The table above lists all implemented modes of operation for every security function employed for approved services by the module. Vendor-Affirmed Algorithms: © 2024 Canonical Ltd. / atsec information security.

Page 33
Service
NameApproved FunctionsProperties
Cooperative Key Generation (CKG)Key Type:Asymmetric RSA:2048, 3072, 4096 bits (112, 128, 149 bits) ECDSA:P-224, P-256, P- 384, P-521 (112, 128, 192, 256 bits)N/AFIPS 186-4, SP800-133r2 Section 4 example 1
MD5Message digest
ECDHShared secret computation
RSAEncryption primitives; Decryption primitives; Signature verification primitives
RSA with non-approved public key flagsKey generation; Signature generation; Signature verification
ECDSASignature generation primitives
ECDSA with non-approved public key flagsKey generation; Signature generation; Signature verification
Service
NameDescriptionApproved FunctionsTypeProperties
Cooperative Key Generation (CKG)Key Type:Asymmetric RSA:2048, 3072, 4096 bits (112, 128, 149 bits) ECDSA:P-224, P-256, P- 384, P-521 (112, 128, 192, 256 bits)N/AFIPS 186-4, SP800-133r2 Section 4 example 1
MD5Message digest
ECDHShared secret computation
RSAEncryption primitives; Decryption primitives; Signature verification primitives
RSA with non-approved public key flagsKey generation; Signature generation; Signature verification
ECDSASignature generation primitives
ECDSA with non-approved public key flagsKey generation; Signature generation; Signature verification
AES-GCMAuthenticated symmetric encryption; Authenticated symmetric decryption
AES-OCBAuthenticated symmetric encryption; Authenticated symmetric decryption
AES-EAXAuthenticated symmetric encryption; Authenticated symmetric decryption
AES-SIVAuthenticated symmetric encryption; Authenticated symmetric decryption
Message authentication codeMessage authentication codeAES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 224MACAES-CMAC:128, 192, 256-bit keys with 128-256 bits key strength HMAC-SHA- 1:112-524288 bit key size with 112 -256 bits key strength HMAC-SHA2- 224:112-524288 bit key size with 112-256 bits key strength HMAC-SHA2- 256:112-524288 bit key size with 112-256 bits key strength

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module N/A Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: © 2024 Canonical Ltd. / atsec information security.

Page 34
Service
NameDescriptionApproved FunctionsTypeProperties
AES-GCMAuthenticated symmetric encryption; Authenticated symmetric decryption
AES-OCBAuthenticated symmetric encryption; Authenticated symmetric decryption
AES-EAXAuthenticated symmetric encryption; Authenticated symmetric decryption
AES-SIVAuthenticated symmetric encryption; Authenticated symmetric decryption
Message authentication codeMessage authentication codeAES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 224MACAES-CMAC:128, 192, 256-bit keys with 128-256 bits key strength HMAC-SHA- 1:112-524288 bit key size with 112 -256 bits key strength HMAC-SHA2- 224:112-524288 bit key size with 112-256 bits key strength HMAC-SHA2- 256:112-524288 bit key size with 112-256 bits key strength

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 8: Non-Approved, Not Allowed Algorithms The table above lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in the Non-Approved Services table.

2.6 Security Function Implementations

HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 © 2024 Canonical Ltd. / atsec information security.

Page 35
Service
NameDescriptionApproved Functions
HMAC-SHA2- 384:112-524288 bit key size with 112-256 bits key strength HMAC-SHA2- 512:112-524288 bit key size with 112-256 bits key strength HMAC-SHA2- 512/224:112- 524288 bit key size with 112-256 bits key strength HMAC-SHA2- 512/256:112- 524288 bit key size with 112-256 bits key strength HMAC-SHA3- 224:112-524288 bit key size with 112-256 bits key strength HMAC-SHA3- 256:112-524288 bit key size with 112-256 bits key strength HMAC-SHA3- 384:112-524288 bit key size with 112-256 bits key strength HMAC-SHA3- 512:112-524288 bit key size with 112-256 bits key strengthHMAC-SHA2- 384:112-524288 bit key size with 112-256 bits key strength HMAC-SHA2- 512:112-524288 bit key size with 112-256 bits key strength HMAC-SHA2- 512/224:112- 524288 bit key size with 112-256 bits key strength HMAC-SHA2- 512/256:112- 524288 bit key size with 112-256 bits key strength HMAC-SHA3- 224:112-524288 bit key size with 112-256 bits key strength HMAC-SHA3- 256:112-524288 bit key size with 112-256 bits key strength HMAC-SHA3- 384:112-524288 bit key size with 112-256 bits key strength HMAC-SHA3- 512:112-524288 bit key size with 112-256 bits key strengthHMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 224 HMAC-SHA2- 256 HMAC-SHA2- 256 HMAC-SHA2- 256 HMAC-SHA2- 256 HMAC-SHA2- 256 HMAC-SHA2- 256 HMAC-SHA2- 384 HMAC-SHA2- 384 HMAC-SHA2- 384 HMAC-SHA2- 384 HMAC-SHA2- 384 HMAC-SHA2- 384 HMAC-SHA2- 512 HMAC-SHA2- 512 HMAC-SHA2- 512 HMAC-SHA2- 512 HMAC-SHA2- 512 HMAC-SHA2- 512 HMAC-SHA2-

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 © 2024 Canonical Ltd. / atsec information security.

Page 36

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module HMAC-SHA3224 HMAC-SHA3224 HMAC-SHA3224 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3384 © 2024 Canonical Ltd. / atsec information security.

Page 37
Service
NameDescriptionApproved FunctionsTypeProperties
Message digestMessage digestSHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512SHA XOFSHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA2- 512/224:N/A SHA2- 512/256:N/A SHA3-224:N/A SHA3-256:N/A SHA3-384:N/A SHA3-512:N/A SHAKE-128:N/A SHAKE-256:N/A
Symmetric encryptionSymmetric encryptionAES-CBC AES-CBC AES-CBC AES-CBC AES-CBCBC-UnAuthAES-CBC:128, 192, 256-bit keys with 128-256 bits key strength AES-CFB128:128,

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module HMAC-SHA3384 HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA3512 HMAC-SHA3512 HMAC-SHA3512 SHA2512/224:N/A SHA2512/256:N/A © 2024 Canonical Ltd. / atsec information security.

Page 38

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 39
Service
NameDescriptionCsps AccessedApproved FunctionsType
Symmetric decryptionSymmetric decryptionAES-CBC:128, 192, 256-bit keys with 128-256 bits key strength AES-CFB128:128, 192, 256-bit keys with 128-256 bits key strength AES-CFB8:128, 192, 256-bit keys with 128-256 bitsAES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128BC-UnAuth
key strength AES-CTR:128, 192, 256-bit keys with 128-256 bits key strength AES-ECB:128, 192, 256-bit keys with 128-256 bits key strength AES-OFB:128, 192, 256-bit keys with 128-256 bits key strengthkey strength AES-CTR:128, 192, 256-bit keys with 128-256 bits key strength AES-ECB:128, 192, 256-bit keys with 128-256 bits key strength AES-OFB:128, 192, 256-bit keys with 128-256 bits key strengthAES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB
Authenticated symmetric encryptionAuthenticated symmetric encryptionAES-CCM:128, 192, 256-bit keys with 128-256 bits key strengthAES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCMBC-Auth
Authenticated symmetric decryptionAuthenticated symmetric decryptionAES-CCM:128, 192, 256-bit keys with 128-256 bits key strengthAES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCMBC-Auth
Key wrappingSP800-38C and SP800-AES-KW:128, 192, 256-bit keys withAES-KW AES-KWKTS-Wrap
38F. KTS (Key wrapping) per IG D.G38F. KTS (Key wrapping) per IG D.G128-256 bits key strength AES-CCM:128, 192, 256-bit keys with 128-256 bits key strengthAES-KW AES-KW AES-KW AES-KW AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM
Key unwrappingSP800-38C and SP800- 38F. KTS (Key unwrapping) per IG D.GAES-KW:128, 192, 256-bit keys with 128-256 bits key strength AES-CCM:128, 192, 256-bit keys with 128-256 bits key strengthAES-KW AES-KW AES-KW AES-KW AES-KW AES-KW AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCMKTS-Wrap
Symmetric encryption (for data storage)Symmetric encryption (for data storage)AES-XTS Testing Revision 2.0:128, 256-bit keys with 128-256 bits key strengthAES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0BC-UnAuth
Symmetric decryption (for data storage)Symmetric decryption (for data storage)AES-XTS Testing Revision 2.0:128, 256-bit keys with 128-256 bits key strengthAES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0BC-UnAuth
Random number generationRandom number generationCounter DRBG:128, 192, 256-bit keys with 128-256 bits key strength HMAC DRBG:112- 256 bits key strength Hash DRBG:N/ACounter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBGDRBG
Key pair generationKey pair generationECDSA KeyGen (FIPS186-4):P- 224, P-256, P- 384, P-521 with 112-256 bits strength RSA KeyGen (FIPS186-4):2048, 3072, 4096 with 112-149 bits strengthECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4)AsymKeyPair- KeyGen CKG
Public key verificationPublic key verificationECDSA KeyVer (FIPS186-4):P- 224, P-256, P- 384, P-521 with 112-256 bits strengthECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA KeyVerAsymKeyPair- KeyVer
Digital signature generationDigital signature generationECDSA SigGen (FIPS186-4):P- 224, P-256, P- 384, P-521 with 112-256 bits strength RSA SigGen (FIPS186-4):2048, 3072, 4096 with 112-149 bits strengthECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4)DigSig-SigGen
Digital signature verificationDigital signature verificationECDSA SigVer (FIPS186-4):P- 224, P-256, P- 384, P-521 with 112-256 bits strengthECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4)DigSig-SigVer
RSA SigVer (FIPS186-4):2048, 3072, 4096 with 112-149 bits strengthRSA SigVer (FIPS186-4):2048, 3072, 4096 with 112-149 bits strengthECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4)
Key derivationKey derivationPBKDF:Password; derived key with 112-512 bits key size and 112-256 bits key strengthPBKDF PBKDF PBKDF PBKDF PBKDF PBKDFPBKDF
Digital signature generation primitiveDigital signature generation primitiveRSA Signature Primitive:2048 with 112 bits strengthRSA Signature Primitive RSA Signature Primitive RSA Signature Primitive RSA Signature Primitive RSA Signature Primitive RSA Signature PrimitiveDigSig-SigGen

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 40

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 41

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 42

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 43

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module AsymKeyPairKeyGen AsymKeyPairKeyVer © 2024 Canonical Ltd. / atsec information security.

Page 44

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 45

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 9: Security Function Implementations © 2024 Canonical Ltd. / atsec information security.

Page 46

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

2.7 Algorithm Specific Information
2.7.1 AES XTS

The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The AES-XTS shall not be used for other purposes, such as the encryption of data in transit. In addition, the length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical.

2.7.2 Key Derivation using SP800-132 PBKDF

The module provides password-based key derivation (PBKDF), compliant with SP800132. The module supports option 1a from Section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132] and FIPS 140-3 IG D.N, the following requirements shall be met.

112 bits for the MK or DPK.

A portion of the salt, with a length of at least 128 bits, shall be generated randomly using the SP800-90A DRBG. The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. The module only allows minimum iteration count to be 1000. Passwords or passphrases, used as an input for the PBKDF, shall not be used as cryptographic keys. The minimum length of the password or passphrase accepted by the module is

14 characters. The probability of guessing the value, assuming a worst-case

scenario of all digits, is estimated to be at most 10-14. Combined with the minimum iteration count, this provides an acceptable trade-off between user experience and security against brute-force attacks. The calling application shall also observe the rest of the requirements and recommendations specified in [SP800-132]. © 2024 Canonical Ltd. / atsec information security.

Page 47
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Userspace CPU Time Jitter RNG Entropy Source (version 2.2.0)Non- Physical64Ubuntu 22.04 LTS 64- bit on Supermicro SYS- 1019P-WTR with Intel Xeon Gold 6226; Ubuntu 22.04 LTS 64- bit on Amazon Web Services (AWS) c6g.metal with AWS Graviton2; Ubuntu 22.04 LTS 64-bit on IBM z15 with IBM z15Full entropyAES-256-CTR- DRBG (A3814)
CertVendor
NumberName
E60Canonical Ltd.
2.8 RBG and Entropy

Table 10: Entropy Certificates 2.2.0) Table 11: Entropy Sources The module provides an SP800-90A-compliant Deterministic Random Bit Generator (DRBG) for creation of key components of asymmetric keys, and random number generation. The seeding (and automatic reseeding) of the DRBG is done with getrandom(). The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization; the module loads by default the DRBG using the HMAC_DRBG mechanism with SHA-256 and without prediction resistance. A different DRBG mechanism can be chosen by invoking the gcry_control(GCRYCTL_DRBG_REINIT) function. The module uses an [SP800-90B]-compliant entropy source specified in the table above. This entropy source is located within the module’s physical perimeter, but outside of the module’s cryptographic boundary. This is in compliance with IG 9.3.A Resolution 1(b). The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it. © 2024 Canonical Ltd. / atsec information security.

Page 48

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module The module performs the DRBG health tests as defined in Section 11.3 of [SP80090A].

2.9 Key Generation

The module provides an [SP800-90Arev1]-compliant Deterministic Random Bit Generator (DRBG) for the creation of key components of asymmetric keys and random number generation. The Cryptographic Key Generation (CKG) methods implemented in the module for Approved services in approved mode are compliant with Section 4 example 1 of [SP800-133rev2]. For generating RSA and ECDSA keys, the module implements asymmetric key generation services compliant with [FIPS186-4]. A seed (i.e., the random value) used in asymmetric key generation is directly obtained from the [SP800-90Arev1] DRBG. Additionally, the module implements the PBKDF2 key derivation method compliant with option 1a of SP 800-132. This implementation shall only be used to derive keys for use in storage applications.

2.10 Key Establishment

The module provides the following key transport mechanisms:

2.11 Industry Protocols

The module does not support any industry protocols listed within the publication of SP 800-135rev1. Therefore, this section is not applicable.

2.12 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 49
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI input parameters for data.
N/AN/AData OutputAPI output parameters for data.
N/AN/AControl InputAPI function calls, API input parameters for control input, /proc/sys/crypto/fips_enabled control file.
N/AN/AStatus OutputAPI return codes, API output parameters for status output.

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 12: Ports and Interfaces As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. All data output via data output interface is inhibited when the module is performing pre-operational test or zeroization or when the module enters error state.

3.2 Trusted Channel Specification [O]
3.3 Control Interface Not Inhibited [O]
3.4 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 50
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Symme tric encryp tionPerfor m AES encryp tionCrypt o Offic er - AES key: W,ESymme tric encryp tion Symme tric encryp tion (for data storag e)gcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key, Plain textCipher text
Symme tricPerfor m AESCrypt o Offic erSymme tric decryp tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key,Plaint ext
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Symme tric encryp tionPerfor m AES encryp tionCrypt o Offic er - AES key: W,ESymme tric encryp tion Symme tric encryp tion (for data storag e)gcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key, Plain textCipher text
Symme tricPerfor m AESCrypt o Offic erSymme tric decryp tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key,Plaint ext
decryp tiondecryp tion- AES key: W,ESymme tric decryp tion (for data storag e)Ciphe rtext
Authen ticated symme tric encryp tionPerfor m authen ticated AES encryp tionCrypt o Offic er - AES key: W,EAuthen ticated symme tric encryp tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key, IV, Plain textCipher text, MAC tag
Authen ticated symme tric decryp tionPerfor m authen ticated AES decryp tionCrypt o Offic er - AES key: W,EAuthen ticated symme tric decryp tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key, Ciphe rtext, MAC tagPlaint ext or failure
RSA key genera tionGener ate RSA key pairsCrypt o Offic er - RSA privat e key: G,E - RSA publi c key: G,EKey pair genera tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) return GPG_ERR_NO_ERRORKey sizeRSA privat e key, RSA public key
ECDSA key genera tionGener ate ECDSA key pairsCrypt o Offic er - ECDS A privat e key: G,E - ECDS A publi c key: G,EKey pair genera tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) return GPG_ERR_NO_ERRORKey sizeECDS A privat e key, ECDS A public key
RSA Digital signatu re genera tionRSA signat ure genera tion withou t pre- compu ted hashCrypt o Offic er - RSA privat e key: W,EDigital signatu re genera tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) and gcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MD) return GPG_ERR_NO_ERRORRSA priva te key, Mess age, Hash algori thmSignat ure
RSA Digital signatu re genera tion (with pre- compuRSA signat ure primiti veCrypt o Offic er - RSA privat e key: W,EDigital signatu re genera tion primiti vegcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) returns GPG_ERR_NO_ERRORRSA priva te key, Mess age diges tSignat ure
ECDSA Digital signatu re genera tionECDSA signat ure genera tionCrypt o Offic er - ECDS A privat e key: W,EDigital signatu re genera tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) and gcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MD) return GPG_ERR_NO_ERRORECDS A priva te key, Mess age, Hash algori thmSignat ure
RSA Digital signatu re verifica tionRSA signat ure verific ationCrypt o Offic er - RSA publi c key: W,EDigital signatu re verifica tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) and gcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MD) return GPG_ERR_NO_ERRORRSA publi c key, Signa ture, Hash algori thmSignat ure verific ation result (verifi ed/fail )
ECDSA Digital signatu re verifica tionECDSA signat ure verific ationCrypt o Offic er - ECDS A publi c key: W,EDigital signatu re verifica tiongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_PK_FLAGS) and gcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MD) return GPG_ERR_NO_ERRORECDS A publi c key, Signa ture, Hash algori thmSignat ure verific ation result (verifi ed/fail )
Public key verifica tionVerify ECDSA public keyCrypt o Offic er -Public key verifica tiongcry_mpi_ec_curve_point() returns GPG_ERR_NO_ERRORECDS A publi c keyKey verific ation result (verifi
ed/fail )ECDS A publi c key: W,Eed/fail )
Rando m numbe r genera tionGener ate rando m bitstri ngsCrypt o Offic er - Entro py input: W,E - DRBG seed: G,W,E - DRBG inter nal state: (V value, C value ): G,W,E - DRBG inter nal state: (V value, key): G,W,ERando m numbe r genera tiongcry_randomize(), gcry_random_bytes(), gcry_random_bytes_secure() return GPG_ERR_NO_ERROR
Messa ge digestCompu te SHA hashesCrypt o Offic erMessa ge digestgcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MD) returns GPG_ERR_NO_ERRORMess ageMessa ge digest
Hash- based Messa ge authen ticatio n codeCompu te HMACCrypt o Offic er - HMA C key: W,EMessa ge authen ticatio n codegcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MAC) returns GPG_ERR_NO_ERRORHMA C key, Mess ageMAC tag
AES- based Messa ge authen ticatio n codeCompu te AES- based CMACCrypt o Offic er - AES key: W,EMessa ge authen ticatio n codegcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_MAC) returns GPG_ERR_NO_ERRORAES key, Mess ageMAC tag
Key wrappi ngPerfor m AES- based key wrappi ngCrypt o Offic er - AES key: W,EKey wrappi nggcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key, Key to be wrap pedWrapp ed key
Key unwra ppingPerfor m AES- based key unwra ppingCrypt o Offic er - AES key: W,EKey unwra ppinggcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_CIPHER) returns GPG_ERR_NO_ERRORAES key, Key to be unwr appe dUnwra pped key
Key derivat ionPerfor m key derivat ionCrypt o Offic er - Pass word or passp hrase : W,E - Deriv ed key: G,RKey derivat iongcry_control(GCRYCTL_FIPS_SE RVICE_INDICATOR_KDF) returns GPG_ERR_NO_ERRORPass word or passp hraseDerive d key
Show statusShow modul e statusCrypt o Offic erNoneN/ANoneModul e status
Zeroiza tionZeroiz e SSPsCrypt o Offic er - AES key: Z - HMA C key: Z - RSA publi c key: Z - RSA privat e key:NoneN/ANoneNone

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

4 Roles, Services, and Authentication

N/A for this module. The module does not support authentication.

4.2 Roles

Table 13: Roles The module supports the Crypto Office role only. This sole role is implicitly assumed by the operator of the module when performing a service.

4.3 Approved Services

o e) s o © 2024 Canonical Ltd. / atsec information security.

Page 51

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module m

Page 52

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module s t precompu precompu t A A

Page 53

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module s A

Page 54

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module s ) m r m A W,E m r

Page 55

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

Page 56

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module s o : W,E G,R e N/A e

Page 57

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module s Z A Z A Z :Z Z (V C ): Z © 2024 Canonical Ltd. / atsec information security.

Page 58
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutputSecuri ty Functi ons
Self- testsPerfor m self- testsCrypt o Offic erNoneN/ANoneResult of self- test (pass/ fail)
Show modul e name and versionShow modul e name and versio nCrypt o Offic erNoneN/ANoneModul e's name and versio n
MD5Message digestMD5CO
ECDHShared secret computationECDHCO
RSAEncryption primitives; Decryption primitives; Signature verification primitivesRSACO
RSA with non- approved public key flagsKey generation; Signature generation; Signature verificationRSA with non- approved public key flagsCO
ECDSASignature verification primitivesECDSACO
ECDSA with non- approved public key flagsKey generation; Signature generation; Signature verificationECDSA with non- approved public key flagsCO
AES-GCMAuthenticated symmetric encryption; Authenticated symmetric decryptionAES-GCMCO
AES-OCBAuthenticated symmetric encryption; Authenticated symmetric decryptionAES-OCBCO
AES-EAXAuthenticated symmetric encryption; Authenticated symmetric decryptionAES-EAXCO
AES-SIVAuthenticated symmetric encryption; Authenticated symmetric decryptionAES-SIVCO

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module s (V Z Z Selftests m selftests N/A selftest o e n N/A e's n

Page 59

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module • N/A: the calling application does not access any CSP or key during its operation. The details of the approved cryptographic algorithms including the CAVP certificate numbers can be found in the Approved Services table. In order to check whether it utilizes an approved security function or not, the operator is responsible to invoke the gcry_control() API along with dedicated controls in the form of API input parameters. The module implements the following controls depending on the requested service:

  1. GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER - For symmetric algorithms.
  2. GCRYCTL_FIPS_SERVICE_INDICATOR_KDF - For KDF functions.
  3. GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS - For asymmetric functions.1
  4. GCRYCTL_FIPS_SERVICE_INDICATOR_MD - For digest functions.
  5. GCRYCTL_FIPS_SERVICE_INDICATOR_MAC - For MAC functions.
  6. GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION - For non-approved public key functions. In addition to that, for some of the below-mentioned services, the approved service indicator corresponds to the successful completion of the service. This affects the following APIs: 1. gcry_randomize, gcry_random_bytes, gcry_random_bytes_secure – API for Random number generation service. 2. gcry_mpi_ec_curve_point – API for Public key verification service. For all approved services, GPG_ERR_NO_ERROR (i.e., “0”) return code indicates the service is approved. In case the dedicated functions are used in conjunction with the APIs representing the requested services, the operator is responsible to check that all of the called functions return GPG_ERR_NO_ERROR (i.e., “0”). For all non-approved services, "non-zero" return code indicates the service is not approved.
4.4 Non-Approved Services

The list of public key flags allowed in approved mode of operation is described in 0. © 2024 Canonical Ltd. / atsec information security.

Page 60

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 15: Non-Approved Services The table above lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-approved mode can be found in the NonApproved, Not Allowed Algorithms table.

4.5 External Software/Firmware Loaded

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 61

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

4.6 Bypass Actions and Status [O]
4.7 Cryptographic Output Actions and Status [O]
4.8 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 62

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified comparing the HMAC-SHA2-256 value calculated at run time with the HMAC-SHA2-256 value stored in the .hmac file that was computed at build time for each software component of the module. If the HMAC values do not match, the test fails and the module enters the Error state.

5.2 Initiate on Demand

Integrity tests are performed as part of the Pre-Operational Self-Tests. The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational self-test (i.e., integrity test) and cryptographic algorithm self-tests (CASTs). This service can be invoked relying on the gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible. In addition, the integrity tests cannot be modified. In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke the gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the operational state, FALSE if the module is in the Error state.

5.3 Open-Source Parameters [O]
5.4 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 63

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied [O]: The module shall be installed as stated in Section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions [O]

The application that requests cryptographic services is the single user of the module, even when the application is serving multiple clients. In the approved mode of operation, the ptrace(2) system call, the debugger (gdb(1)), and strace(1) shall be not used.

6.3 Additional Information [O]

The module does not support multiple concurrent operators. © 2024 Canonical Ltd. / atsec information security.

Page 64
Temp/Voltage TypeTemperature or VoltageEFPResult
or
EFT
LowTemperature
HighTemperature
LowVoltage
HighVoltage

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

7 Physical Security
7.1 Mechanisms and Actions Required [O]

N/A for this module. The module is comprised of software only, and therefore this section is not applicable.

7.2 User Placed Tamper Seals [O]

Number: Not applicable. Placement: Not applicable. Surface Preparation: Not applicable. Operator Responsible for Securing Unused Seals: Not applicable. Part Numbers: Not applicable.

7.3 Filler Panels [O]
7.4 Fault Induction Mitigation [O]

Not applicable. Table 16: EFP/EFT Information Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 65
TemperatureTemperature
Type
LowTemperature
HighTemperature

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

7.6 Hardness Testing Temperature Ranges [O]

Table 17: Hardness Testing Temperatures Not applicable.

7.7 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 66

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

8 Non-Invasive Security
8.1 Mitigation Techniques [O]

This module does not implement any non-invasive security mechanism, and therefore this section is not applicable.

8.2 Effectiveness [O]
8.3 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 67
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary storage for SSPs used by the module as part of service execution. The module does not perform persistent storage of SSPs
Service
NameApproved FunctionsTypeFromToDistributi on Type
API input paramete rsElectron icPlainte xtOperator calling application (TOEPP)Cryptograp hic moduleManual
API output paramete rsElectron icPlainte xtCryptograp hic moduleOperator calling application (TOEPP)Manual

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 18: Storage Areas stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

m Table 19: SSP Input-Output Methods output. The SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry on the Key Establishment Table. © 2024 Canonical Ltd. / atsec information security.

Page 68
ZeroizationDescriptionRationaleOperator Initiation
Method
Wipe and free memory block allocatedZeroizes the SSPs contained within the cipher handleMemory occupied by SSPs is overwritten with zeroes and then it is released, which renders the SSP values irretrievable. The completion of the zeroization routine indicates that the zeroization procedure succeeded.By calling the cipher related zeroization API: gcry_cipher_close() and gcry_free() clears and frees symmetric ciphers context, gcry_mac_close() and gcry_free() clears and frees HMAC context, gcry_sexp_release() and gcry_mpi_release() and gcry_free() clears and frees RSA key structure, gcry_sexp_release() and gcry_mpi_release() and gcry_ctx_release() and gcry_mpi_point_release() and gcry_free() clears and frees ECDSA key structures, gcry_free() clears PBKDF context, gcry_ctrl(GCRYCTL_TERM_SECMEM) clears DRBG contexts
Module ResetDe-allocates the volatile memory used to store SSPsVolatile memory used by the module is overwritten within nanoseconds when power is removed.By unloading and reloading the module

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 20: SSP Zeroization Methods system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in the table above. Calling gcry_free(), which will zeroize the SSPs and also invoke the corresponding API functions listed above to zeroize SSPs. The zeroization functions the regular memory deallocation operating system call. In case of abnormal © 2024 Canonical Ltd. / atsec information security.

Page 69
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUseSize - Strengt h
AES keySymmet ric key - CSPUsed for symmetric encryption, symmetric decryption, authenticate d symmetric encryption, authenticate d symmetric decryption, message authenticati on, key wrapping and unwrapping128, 192, 256 - 128, 192, 256Symmetric encryption Symmetric decryption Symmetric encryption (for data storage) Symmetric decryption (for data storage) Authenticat ed symmetric encryption Authenticat ed symmetric decryption Key wrapping Key unwrapping Message authenticati on code
HMAC keySymmet ric key - CSPUsed for hash-based message112-256 - 112- 256Message authenticati on code
RSA public keyPublic key - PSPUsed for digital signature verification2048, 3072, 4096 - 112, 128, 149Key pair generati onDigital signature verification
RSA private keyPrivate key - CSPUsed for digital signature generation2048, 3072, 4096 - 112, 128, 149Key pair generati onDigital signature generation
ECDSA public keyPublic key - PSPUsed for digital signature verification, and public key verificationP-224, P-256, P-384, P-521 - 112, 128, 192, 256Key pair generati onDigital signature verification Public key verification
ECDSA private keyPrivate key - CSPUsed for digital signature generation and public key verificationP-224, P-256, P-384, P-521 - 112, 128, 192, 256Key pair generati onDigital signature generation Public key verification
Passwor d or passphra sePasswor d - CSPUsed for key derivationAt least 14 characte rs - N/AKey derivation
Derived keySymmet ric key - CSPUsed for key derivation112-256 - 112- 256Key derivation
Entropy inputEntropy Input - CSPUsed for random number generation (compliant with IG D.L)256 - 256Random number generation
DRBG internal state: (V value, C value)Internal state - CSPUsed for random number generation (compliant with IG D.L)112-256 - 112- 256Random number generati onRandom number generation
DRBG internal state: (V value, key)Internal state - CSPUsed for random number generation (compliant with IG D.L)112-256 - 112- 256Random number generati onRandom number generation
DRBG seedSeed - CSPUsed for random number generation (compliant with IG D.L)256 - 256Random number generati onRandom number generation
AES keyFrom service invocation to serviceAPI input parameter sWipe and free memory block allocatedRAM:Plainte xt
completio ncompletio nModule Reset
HMAC keyFrom service invocation to service completio nAPI input parameter sWipe and free memory block allocated Module ResetRAM:Plainte xt
RSA public keyFrom service invocation to service completio nAPI input parameter s API output parameter sWipe and free memory block allocated Module ResetRSA private key:Paired With DRBG internal state: (V value, C value):Generated From DRBG internal state: (V value, key):Generated FromRAM:Plainte xt
RSA private keyFrom service invocation to service completio nAPI input parameter s API output parameter sWipe and free memory block allocated Module ResetRSA public key:Paired With DRBG internal state: (V value, C value):Generated From DRBG internal state: (V value, key):Generated FromRAM:Plainte xt
ECDSA public keyFrom service invocation to service completio nAPI input parameter s API output parameter sWipe and free memory block allocated Module ResetECDSA private key:Paired With DRBG internal state: (V value, C value):Generated From DRBG internal state: (V value,RAM:Plainte xt
ECDSA private keyFrom service invocation to service completio nAPI input parameter s API output parameter sWipe and free memory block allocated Module ResetECDSA public key:Paired With DRBG internal state: (V value, C value):Generated From DRBG internal state: (V value, key):Generated FromRAM:Plainte xt
Password or passphras eFrom service invocation to service completio nAPI input parameter sWipe and free memory block allocated Module ResetDerived key:DerivesRAM:Plainte xt
Derived keyFrom service invocation to service completio nAPI output parameter sWipe and free memory block allocated Module ResetPassword or passphrase:Deriv ed FromRAM:Plainte xt
Entropy inputFrom service invocation to service completio nWipe and free memory block allocated Module ResetDRBG seed:GeneratesRAM:Plainte xt

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. All data output is inhibited during zeroization.

9.4 SSPs

h y - 112256 © 2024 Canonical Ltd. / atsec information security.

Page 70

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module h y - 112256 © 2024 Canonical Ltd. / atsec information security.

Page 71

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module h y - 112256 - 112256 Table 21: SSP Table 1 s n © 2024 Canonical Ltd. / atsec information security.

Page 72

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module n n s n s s n s s n s s n © 2024 Canonical Ltd. / atsec information security.

Page 73

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module n s s n e s n s n n © 2024 Canonical Ltd. / atsec information security.

Page 74
Sensitive security parameter
NameStorageZeroizationRelated SSPs
DRBG internal state: (V value, C value)RAM:Plainte xtWipe and free memory block allocated Module ResetFrom service invocation to service completio nDRBG seed:Generated From
DRBG internal state: (V value, key)RAM:Plainte xtWipe and free memory block allocated Module ResetFrom service invocation to service completio nDRBG seed:Generated From
DRBG seedRAM:Plainte xtWipe and free memory block allocated Module ResetFrom service invocation to service completio nEntropy input:Generated From DRBG internal state: (V value, C value):Generates DRBG internal state: (V value, key):Generates

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module n n n n Table 22: SSP Table 2 The tables above summarize the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module.

9.5 Transitions [O]

The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes starting January 1, 2030. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 has been withdrawn since February 3, 2024. © 2024 Canonical Ltd. / atsec information security.

Page 75

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

9.6 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 76
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest PropertiesCondition s
HMAC- SHA2-256 (A3700)HMAC- SHA2-256 (A3700)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3701)HMAC- SHA2-256 (A3701)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3703)HMAC- SHA2-256 (A3703)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3704)HMAC- SHA2-256 (A3704)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3705)HMAC- SHA2-256 (A3705)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
AES-ECB (A3700)AES-ECB (A3700)KATCAS TSymmetric operationModule becomes operationa lEncrypt with 128, 192, 256 bit keysTest runs at power- on before the
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorTest PropertiesCondition s
HMAC- SHA2-256 (A3700)HMAC- SHA2-256 (A3700)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3701)HMAC- SHA2-256 (A3701)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3703)HMAC- SHA2-256 (A3703)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3704)HMAC- SHA2-256 (A3704)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
HMAC- SHA2-256 (A3705)HMAC- SHA2-256 (A3705)Message authenticatio nSW/FW Integrit yIntegrity test for libgcrypt.so.20.3. 4Key size: 232 bitsModule is operationa l
AES-ECB (A3700)AES-ECB (A3700)KATCAS TSymmetric operationModule becomes operationa lEncrypt with 128, 192, 256 bit keysTest runs at power- on before the
AES-ECB (A3701)AES-ECB (A3701)KATCAS TSymmetric operationModule becomes operationa lEncrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES-ECB (A3703)AES-ECB (A3703)KATCAS TSymmetric operationModule becomes operationa lEncrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES-ECB (A3704)AES-ECB (A3704)KATCAS TSymmetric operationModule becomes operationa lEncrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES-ECB (A3700)AES-ECB (A3700)KATCAS TSymmetric operationModule becomes operationa lDecrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES-ECB (A3701)AES-ECB (A3701)KATCAS TSymmetric operationModule becomes operationa lDecrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES-ECB (A3703)AES-ECB (A3703)KATCAS TSymmetric operationModule becomes operationa lDecrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES-ECB (A3704)AES-ECB (A3704)KATCAS TSymmetric operationModule becomes operationa lDecrypt with 128, 192, 256 bit keysTest runs at power- on before the integrity test
AES- CMAC (A3700)AES- CMAC (A3700)KATCAS TMessage authenticatio nModule becomes operationa l128, 192, 256 bit keys, MAC generation , encryptTest runs at power- on before the integrity test
AES- CMAC (A3701)AES- CMAC (A3701)KATCAS TMessage authenticatio nModule becomes operationa l128, 192, 256 bit keys, MAC generation , encryptTest runs at power- on before the integrity test
AES- CMAC (A3703)AES- CMAC (A3703)KATCAS TMessage authenticatio nModule becomes operationa l128, 192, 256 bit keys, MAC generation , encryptTest runs at power- on before the integrity test
AES- CMAC (A3704)AES- CMAC (A3704)KATCAS TMessage authenticatio nModule becomes operationa l128, 192, 256 bit keys, MACTest runs at power- on before the
generation , encryptgeneration , encryptintegrity test
Counter DRBG (A3700)Counter DRBG (A3700)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lAES with 128-bit key with DF, with and without PRTest runs at power- on before the integrity test
Counter DRBG (A3701)Counter DRBG (A3701)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lAES with 128-bit key with DF, with and without PRTest runs at power- on before the integrity test
Counter DRBG (A3703)Counter DRBG (A3703)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lAES with 128-bit key with DF, with and without PRTest runs at power- on before the integrity test
Counter DRBG (A3704)Counter DRBG (A3704)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lAES with 128-bit key with DF, with and without PRTest runs at power- on before the integrity test
Hash DRBG (A3700)Hash DRBG (A3700)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA-1 without PRTest runs at power- on before the integrity test
Hash DRBG (A3701)Hash DRBG (A3701)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA-1 without PRTest runs at power- on before the integrity test
Hash DRBG (A3703)Hash DRBG (A3703)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA-1 without PRTest runs at power- on before the integrity test
Hash DRBG (A3704)Hash DRBG (A3704)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA-1 without PRTest runs at power- on before the integrity test
Hash DRBG (A3705)Hash DRBG (A3705)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA-1 without PRTest runs at power- on before the integrity test
Hash DRBG (A3700)Hash DRBG (A3700)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA2-256 with and without PRTest runs at power- on before the integrity test
Hash DRBG (A3701)Hash DRBG (A3701)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA2-256 with and without PRTest runs at power- on before the
Hash DRBG (A3703)Hash DRBG (A3703)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA2-256 with and without PRTest runs at power- on before the integrity test
Hash DRBG (A3704)Hash DRBG (A3704)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA2-256 with and without PRTest runs at power- on before the integrity test
Hash DRBG (A3705)Hash DRBG (A3705)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lSHA2-256 with and without PRTest runs at power- on before the integrity test
HMAC DRBG (A3700)HMAC DRBG (A3700)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lHMAC- SHA2-256 with and without PRTest runs at power- on before the integrity test
HMAC DRBG (A3701)HMAC DRBG (A3701)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lHMAC- SHA2-256 with and without PRTest runs at power- on before the integrity test
HMAC DRBG (A3703)HMAC DRBG (A3703)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lHMAC- SHA2-256 with and without PRTest runs at power- on before the integrity test
HMAC DRBG (A3704)HMAC DRBG (A3704)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lHMAC- SHA2-256 with and without PRTest runs at power- on before the integrity test
HMAC DRBG (A3705)HMAC DRBG (A3705)KATCAS TCompliant with SP 800- 90Ar1Module becomes operationa lHMAC- SHA2-256 with and without PRTest runs at power- on before the integrity test
RSA SigGen (FIPS186- 4) (A3700)RSA SigGen (FIPS186- 4) (A3700)KATCAS TDigital signature generationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigGen (FIPS186- 4) (A3701)RSA SigGen (FIPS186- 4) (A3701)KATCAS TDigital signature generationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigGen (FIPS186- 4) (A3703)RSA SigGen (FIPS186- 4) (A3703)KATCAS TDigital signature generationModule becomes operationa lPKCS#1 v1.5 with 2048 bitTest runs at power- on before the
key and SHA2-256key and SHA2-256integrity test
RSA SigGen (FIPS186- 4) (A3704)RSA SigGen (FIPS186- 4) (A3704)KATCAS TDigital signature generationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigGen (FIPS186- 4) (A3705)RSA SigGen (FIPS186- 4) (A3705)KATCAS TDigital signature generationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigVer (FIPS186- 4) (A3700)RSA SigVer (FIPS186- 4) (A3700)KATCAS TDigital signature verificationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigVer (FIPS186- 4) (A3701)RSA SigVer (FIPS186- 4) (A3701)KATCAS TDigital signature verificationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigVer (FIPS186- 4) (A3703)RSA SigVer (FIPS186- 4) (A3703)KATCAS TDigital signature verificationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigVer (FIPS186- 4) (A3704)RSA SigVer (FIPS186- 4) (A3704)KATCAS TDigital signature verificationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
RSA SigVer (FIPS186- 4) (A3705)RSA SigVer (FIPS186- 4) (A3705)KATCAS TDigital signature verificationModule becomes operationa lPKCS#1 v1.5 with 2048 bit key and SHA2-256Test runs at power- on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3700)ECDSA SigGen (FIPS186- 4) (A3700)KATCAS TDigital signature generationModule becomes operationa lP-256 with SHA-256Test runs at power- on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3701)ECDSA SigGen (FIPS186- 4) (A3701)KATCAS TDigital signature generationModule becomes operationa lP-256 with SHA-256Test runs at power- on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3703)ECDSA SigGen (FIPS186- 4) (A3703)KATCAS TDigital signature generationModule becomes operationa lP-256 with SHA-256Test runs at power- on before the integrity test
ECDSA SigGen (FIPS186- 4) (A3704)ECDSA SigGen (FIPS186- 4) (A3704)KATCAS TDigital signature generationModule becomes operationa lP-256 with SHA-256Test runs at power- on before the
ECDSA SigGen (FIPS186- 4) (A3705)ECDSA SigGen (FIPS186- 4) (A3705)KATCAS TDigital signature generationModule becomes operationa lP-256 with SHA-256Test runs at power- on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3700)ECDSA SigVer (FIPS186- 4) (A3700)KATCAS TDigital signature verificationModule becomes operationa lP-256 with SHA2-256Test runs at power- on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3701)ECDSA SigVer (FIPS186- 4) (A3701)KATCAS TDigital signature verificationModule becomes operationa lP-256 with SHA2-256Test runs at power- on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3703)ECDSA SigVer (FIPS186- 4) (A3703)KATCAS TDigital signature verificationModule becomes operationa lP-256 with SHA2-256Test runs at power- on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3704)ECDSA SigVer (FIPS186- 4) (A3704)KATCAS TDigital signature verificationModule becomes operationa lP-256 with SHA2-256Test runs at power- on before the integrity test
ECDSA SigVer (FIPS186- 4) (A3705)ECDSA SigVer (FIPS186- 4) (A3705)KATCAS TDigital signature verificationModule becomes operationa lP-256 with SHA2-256Test runs at power- on before the integrity test
HMAC- SHA-1 (A3699)HMAC- SHA-1 (A3699)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the integrity test
HMAC- SHA-1 (A3700)HMAC- SHA-1 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the integrity test
HMAC- SHA-1 (A3701)HMAC- SHA-1 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the integrity test
HMAC- SHA-1 (A3702)HMAC- SHA-1 (A3702)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the integrity test
HMAC- SHA-1 (A3703)HMAC- SHA-1 (A3703)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the
HMAC- SHA-1 (A3704)HMAC- SHA-1 (A3704)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the integrity test
HMAC- SHA-1 (A3705)HMAC- SHA-1 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA-1Test runs at power- on before the integrity test
HMAC- SHA2-224 (A3700)HMAC- SHA2-224 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-224Test runs at power- on before the integrity test
HMAC- SHA2-224 (A3701)HMAC- SHA2-224 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-224Test runs at power- on before the integrity test
HMAC- SHA2-224 (A3703)HMAC- SHA2-224 (A3703)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-224Test runs at power- on before the integrity test
HMAC- SHA2-224 (A3704)HMAC- SHA2-224 (A3704)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-224Test runs at power- on before the integrity test
HMAC- SHA2-224 (A3705)HMAC- SHA2-224 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-224Test runs at power- on before the integrity test
HMAC- SHA2-256 (A3700)HMAC- SHA2-256 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-256Test runs at power- on before the integrity test
HMAC- SHA2-256 (A3701)HMAC- SHA2-256 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-256Test runs at power- on before the integrity test
HMAC- SHA2-256 (A3703)HMAC- SHA2-256 (A3703)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-256Test runs at power- on before the integrity test
HMAC- SHA2-256 (A3704)HMAC- SHA2-256 (A3704)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-256Test runs at power- on before the
HMAC- SHA2-256 (A3705)HMAC- SHA2-256 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-256Test runs at power- on before the integrity test
HMAC- SHA2-384 (A3700)HMAC- SHA2-384 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-384Test runs at power- on before the integrity test
HMAC- SHA2-384 (A3701)HMAC- SHA2-384 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-384Test runs at power- on before the integrity test
HMAC- SHA2-384 (A3703)HMAC- SHA2-384 (A3703)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-384Test runs at power- on before the integrity test
HMAC- SHA2-384 (A3704)HMAC- SHA2-384 (A3704)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-384Test runs at power- on before the integrity test
HMAC- SHA2-384 (A3705)HMAC- SHA2-384 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-384Test runs at power- on before the integrity test
HMAC- SHA2-512 (A3700)HMAC- SHA2-512 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-512Test runs at power- on before the integrity test
HMAC- SHA2-512 (A3701)HMAC- SHA2-512 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-512Test runs at power- on before the integrity test
HMAC- SHA2-512 (A3703)HMAC- SHA2-512 (A3703)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-512Test runs at power- on before the integrity test
HMAC- SHA2-512 (A3704)HMAC- SHA2-512 (A3704)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-512Test runs at power- on before the integrity test
HMAC- SHA2-512 (A3705)HMAC- SHA2-512 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA2-512Test runs at power- on before the
HMAC- SHA3-224 (A3700)HMAC- SHA3-224 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-224Test runs at power- on before the integrity test
HMAC- SHA3-224 (A3701)HMAC- SHA3-224 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-224Test runs at power- on before the integrity test
HMAC- SHA3-224 (A3705)HMAC- SHA3-224 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-224Test runs at power- on before the integrity test
HMAC- SHA3-256 (A3700)HMAC- SHA3-256 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-256Test runs at power- on before the integrity test
HMAC- SHA3-256 (A3701)HMAC- SHA3-256 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-256Test runs at power- on before the integrity test
HMAC- SHA3-256 (A3705)HMAC- SHA3-256 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-256Test runs at power- on before the integrity test
HMAC- SHA3-384 (A3700)HMAC- SHA3-384 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-384Test runs at power- on before the integrity test
HMAC- SHA3-384 (A3701)HMAC- SHA3-384 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-384Test runs at power- on before the integrity test
HMAC- SHA3-384 (A3705)HMAC- SHA3-384 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-384Test runs at power- on before the integrity test
HMAC- SHA3-512 (A3700)HMAC- SHA3-512 (A3700)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-512Test runs at power- on before the integrity test
HMAC- SHA3-512 (A3701)HMAC- SHA3-512 (A3701)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-512Test runs at power- on before the
HMAC- SHA3-512 (A3705)HMAC- SHA3-512 (A3705)KATCAS TMessage authenticatio nModule becomes operationa lSHA3-512Test runs at power- on before the integrity test
PBKDF (A3700)PBKDF (A3700)KATCAS TPassword- based key derivationModule becomes operationa lSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
PBKDF (A3701)PBKDF (A3701)KATCAS TPassword- based key derivationModule becomes operationa lSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
PBKDF (A3703)PBKDF (A3703)KATCAS TPassword- based key derivationModule becomes operationa lSHA-1 password length 24 characters,Test runs at power- on before the
master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsmaster key length of 200 bits, iteration count of 4096, and salt length of 288 bitsintegrity test
PBKDF (A3704)PBKDF (A3704)KATCAS TPassword- based key derivationModule becomes operationa lSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
PBKDF (A3705)PBKDF (A3705)KATCAS TPassword- based key derivationModule becomes operationa lSHA-1 password length 24 characters, master key length of 200 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
PBKDF (A3700)PBKDF (A3700)KATCAS TPassword- based key derivationModule becomes operationa lSHA-256 password length 24 characters, master keyTest runs at power- on before the
length of 320 bits, iteration count of 4096, and salt length of 288 bitslength of 320 bits, iteration count of 4096, and salt length of 288 bitsintegrity test
PBKDF (A3701)PBKDF (A3701)KATCAS TPassword- based key derivationModule becomes operationa lSHA-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
PBKDF (A3703)PBKDF (A3703)KATCAS TPassword- based key derivationModule becomes operationa lSHA-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
PBKDF (A3704)PBKDF (A3704)KATCAS TPassword- based key derivationModule becomes operationa lSHA-256 password length 24 characters, master key length ofTest runs at power- on before the integrity test
PBKDF (A3705)PBKDF (A3705)KATCAS TPassword- based key derivationModule becomes operationa lSHA-256 password length 24 characters, master key length of 320 bits, iteration count of 4096, and salt length of 288 bitsTest runs at power- on before the integrity test
RSA KeyGen (FIPS186- 4) (A3700)RSA KeyGen (FIPS186- 4) (A3700)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
RSA KeyGen (FIPS186- 4) (A3701)RSA KeyGen (FIPS186- 4) (A3701)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
RSA KeyGen (FIPS186- 4) (A3703)RSA KeyGen (FIPS186- 4) (A3703)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
RSA KeyGen (FIPS186- 4) (A3704)RSA KeyGen (FIPS186- 4) (A3704)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
RSA KeyGen (FIPS186- 4) (A3705)RSA KeyGen (FIPS186- 4) (A3705)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
ECDSA KeyGen (FIPS186- 4) (A3700)ECDSA KeyGen (FIPS186- 4) (A3700)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
ECDSA KeyGen (FIPS186- 4) (A3701)ECDSA KeyGen (FIPS186- 4) (A3701)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
ECDSA KeyGen (FIPS186- 4) (A3703)ECDSA KeyGen (FIPS186- 4) (A3703)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
ECDSA KeyGen (FIPS186- 4) (A3704)ECDSA KeyGen (FIPS186- 4) (A3704)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verificationKey pair generation
ECDSA KeyGen (FIPS186- 4) (A3705)ECDSA KeyGen (FIPS186- 4) (A3705)PCTPCTSignature generation & verificationSuccessful key pair generationSignature generation and verification with SHA2- 256Key pair generation
HMAC-SHA2- 256 (A3700)HMAC-SHA2- 256 (A3700)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on
HMAC-SHA2- 256 (A3701)HMAC-SHA2- 256 (A3701)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

10 Self-Tests
10.1 Pre-Operational Self-Tests

s HMACSHA2-256 n y l HMACSHA2-256 n y l HMACSHA2-256 n y l HMACSHA2-256 n y l HMACSHA2-256 n y l Table 23: Pre-Operational Self-Tests The module performs the integrity test using HMAC-SHA-256. Further details of the integrity test are provided in Section 5.1.

10.2 Conditional Self-Tests

d e T l s © 2024 Canonical Ltd. / atsec information security.

Page 77

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l T l T l T l T l © 2024 Canonical Ltd. / atsec information security.

Page 78

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e AESCMAC s T l T l T l n AESCMAC T l n AESCMAC T l n AESCMAC T l n © 2024 Canonical Ltd. / atsec information security.

Page 79

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l T l T l T l T l © 2024 Canonical Ltd. / atsec information security.

Page 80

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l T l T l T l T l T l © 2024 Canonical Ltd. / atsec information security.

Page 81

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l T l T l HMACSHA2-256 T l HMACSHA2-256 T l © 2024 Canonical Ltd. / atsec information security.

Page 82

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e HMACSHA2-256 HMACSHA2-256 s T l T l HMACSHA2-256 T l (FIPS1864) (A3700) T l (FIPS1864) (A3701) T l T l © 2024 Canonical Ltd. / atsec information security.

Page 83

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s (FIPS1864) (A3704) T l (FIPS1864) (A3705) T l (FIPS1864) (A3700) T l (FIPS1864) (A3701) T l (FIPS1864) (A3703) T l © 2024 Canonical Ltd. / atsec information security.

Page 84

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e (FIPS1864) (A3704) (FIPS1864) (A3705) s T l T l (FIPS1864) (A3700) T l (FIPS1864) (A3701) T l (FIPS1864) (A3703) T l (FIPS1864) (A3704) T l © 2024 Canonical Ltd. / atsec information security.

Page 85

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s (FIPS1864) (A3705) T l (FIPS1864) (A3700) T l (FIPS1864) (A3701) T l (FIPS1864) (A3703) T l (FIPS1864) (A3704) T l © 2024 Canonical Ltd. / atsec information security.

Page 86

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e (FIPS1864) (A3705) HMACSHA-1 HMACSHA-1 s T l T l n T l n HMACSHA-1 T l n HMACSHA-1 T l n HMACSHA-1 T l n © 2024 Canonical Ltd. / atsec information security.

Page 87

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s HMACSHA-1 T l n HMACSHA-1 T l n HMACSHA2-224 T l n HMACSHA2-224 T l n HMACSHA2-224 T l n © 2024 Canonical Ltd. / atsec information security.

Page 88

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e HMACSHA2-224 HMACSHA2-224 HMACSHA2-256 s T l n T l n T l n HMACSHA2-256 T l n HMACSHA2-256 T l n HMACSHA2-256 T l n © 2024 Canonical Ltd. / atsec information security.

Page 89

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s HMACSHA2-256 T l n HMACSHA2-384 T l n HMACSHA2-384 T l n HMACSHA2-384 T l n HMACSHA2-384 T l n © 2024 Canonical Ltd. / atsec information security.

Page 90

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e HMACSHA2-384 HMACSHA2-512 HMACSHA2-512 s T l n T l n T l n HMACSHA2-512 T l n HMACSHA2-512 T l n HMACSHA2-512 T l n © 2024 Canonical Ltd. / atsec information security.

Page 91

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s HMACSHA3-224 T l n HMACSHA3-224 T l n HMACSHA3-224 T l n HMACSHA3-256 T l n HMACSHA3-256 T l n © 2024 Canonical Ltd. / atsec information security.

Page 92

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e HMACSHA3-256 HMACSHA3-384 HMACSHA3-384 s T l n T l n T l n HMACSHA3-384 T l n HMACSHA3-512 T l n HMACSHA3-512 T l n © 2024 Canonical Ltd. / atsec information security.

Page 93

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s HMACSHA3-512 T l n T l Passwordbased key T l Passwordbased key T l Passwordbased key © 2024 Canonical Ltd. / atsec information security.

Page 94

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l Passwordbased key T l Passwordbased key T l Passwordbased key © 2024 Canonical Ltd. / atsec information security.

Page 95

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l Passwordbased key T l Passwordbased key T l Passwordbased key © 2024 Canonical Ltd. / atsec information security.

Page 96

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s T l Passwordbased key (FIPS1864) (A3700) with SHA2256 (FIPS1864) (A3701) with SHA2256 (FIPS1864) (A3703) with SHA2256 © 2024 Canonical Ltd. / atsec information security.

Page 97

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d (FIPS1864) (A3704) with SHA2256 (FIPS1864) (A3705) e s with SHA2256 (FIPS1864) (A3700) with SHA2256 (FIPS1864) (A3701) with SHA2256 (FIPS1864) (A3703) with SHA2256 (FIPS1864) (A3704) © 2024 Canonical Ltd. / atsec information security.

Page 98
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorCondition s
ECDSA KeyGen (FIPS186- 4) (A3705)ECDSA KeyGen (FIPS186- 4) (A3705)PCTPCTSignature generation & verificationSignature generation and verification with SHA2- 256Successful key pair generationKey pair generation
HMAC-SHA2- 256 (A3700)HMAC-SHA2- 256 (A3700)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on
HMAC-SHA2- 256 (A3701)HMAC-SHA2- 256 (A3701)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on
HMAC-SHA2- 256 (A3703)HMAC-SHA2- 256 (A3703)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on
HMAC-SHA2- 256 (A3704)HMAC-SHA2- 256 (A3704)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on
HMAC-SHA2- 256 (A3705)HMAC-SHA2- 256 (A3705)Message authenticationSW/FW IntegrityWhenever the module is powered onUpon every power on
AES-ECB (A3700)AES-ECB (A3700)KATCASTOn DemandManually
AES-ECB (A3701)AES-ECB (A3701)KATCASTOn DemandManually
AES-ECB (A3703)AES-ECB (A3703)KATCASTOn DemandManually
AES-ECB (A3704)AES-ECB (A3704)KATCASTOn DemandManually
AES-ECB (A3700)AES-ECB (A3700)KATCASTOn DemandManually
AES-ECB (A3701)AES-ECB (A3701)KATCASTOn DemandManually
AES-ECB (A3703)AES-ECB (A3703)KATCASTOn DemandManually
AES-ECB (A3704)AES-ECB (A3704)KATCASTOn DemandManually
AES-CMAC (A3700)AES-CMAC (A3700)KATCASTOn DemandManually
AES-CMAC (A3701)AES-CMAC (A3701)KATCASTOn DemandManually
AES-CMAC (A3703)AES-CMAC (A3703)KATCASTOn DemandManually
AES-CMAC (A3704)AES-CMAC (A3704)KATCASTOn DemandManually
Counter DRBG (A3700)Counter DRBG (A3700)KATCASTOn DemandManually
Counter DRBG (A3701)Counter DRBG (A3701)KATCASTOn DemandManually
Counter DRBG (A3703)Counter DRBG (A3703)KATCASTOn DemandManually
Counter DRBG (A3704)Counter DRBG (A3704)KATCASTOn DemandManually
Hash DRBG (A3700)Hash DRBG (A3700)KATCASTOn DemandManually
Hash DRBG (A3701)Hash DRBG (A3701)KATCASTOn DemandManually
Hash DRBG (A3703)Hash DRBG (A3703)KATCASTOn DemandManually
Hash DRBG (A3704)Hash DRBG (A3704)KATCASTOn DemandManually
Hash DRBG (A3705)Hash DRBG (A3705)KATCASTOn DemandManually
Hash DRBG (A3700)Hash DRBG (A3700)KATCASTOn DemandManually
Hash DRBG (A3701)Hash DRBG (A3701)KATCASTOn DemandManually
Hash DRBG (A3703)Hash DRBG (A3703)KATCASTOn DemandManually
Hash DRBG (A3704)Hash DRBG (A3704)KATCASTOn DemandManually
Hash DRBG (A3705)Hash DRBG (A3705)KATCASTOn DemandManually
HMAC DRBG (A3700)HMAC DRBG (A3700)KATCASTOn DemandManually
HMAC DRBG (A3701)HMAC DRBG (A3701)KATCASTOn DemandManually
HMAC DRBG (A3703)HMAC DRBG (A3703)KATCASTOn DemandManually
HMAC DRBG (A3704)HMAC DRBG (A3704)KATCASTOn DemandManually
HMAC DRBG (A3705)HMAC DRBG (A3705)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3700)RSA SigGen (FIPS186-4) (A3700)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3701)RSA SigGen (FIPS186-4) (A3701)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3703)RSA SigGen (FIPS186-4) (A3703)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3704)RSA SigGen (FIPS186-4) (A3704)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A3705)RSA SigGen (FIPS186-4) (A3705)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3700)RSA SigVer (FIPS186-4) (A3700)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3701)RSA SigVer (FIPS186-4) (A3701)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3703)RSA SigVer (FIPS186-4) (A3703)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3704)RSA SigVer (FIPS186-4) (A3704)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A3705)RSA SigVer (FIPS186-4) (A3705)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3700)ECDSA SigGen (FIPS186-4) (A3700)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3701)ECDSA SigGen (FIPS186-4) (A3701)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3703)ECDSA SigGen (FIPS186-4) (A3703)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3704)ECDSA SigGen (FIPS186-4) (A3704)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A3705)ECDSA SigGen (FIPS186-4) (A3705)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3700)ECDSA SigVer (FIPS186-4) (A3700)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3701)ECDSA SigVer (FIPS186-4) (A3701)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3703)ECDSA SigVer (FIPS186-4) (A3703)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3704)ECDSA SigVer (FIPS186-4) (A3704)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A3705)ECDSA SigVer (FIPS186-4) (A3705)KATCASTOn DemandManually
HMAC-SHA-1 (A3699)HMAC-SHA-1 (A3699)KATCASTOn DemandManually
HMAC-SHA-1 (A3700)HMAC-SHA-1 (A3700)KATCASTOn DemandManually
HMAC-SHA-1 (A3701)HMAC-SHA-1 (A3701)KATCASTOn DemandManually
HMAC-SHA-1 (A3702)HMAC-SHA-1 (A3702)KATCASTOn DemandManually
HMAC-SHA-1 (A3703)HMAC-SHA-1 (A3703)KATCASTOn DemandManually
HMAC-SHA-1 (A3704)HMAC-SHA-1 (A3704)KATCASTOn DemandManually
HMAC-SHA-1 (A3705)HMAC-SHA-1 (A3705)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3700)HMAC-SHA2- 224 (A3700)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3701)HMAC-SHA2- 224 (A3701)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3703)HMAC-SHA2- 224 (A3703)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3704)HMAC-SHA2- 224 (A3704)KATCASTOn DemandManually
HMAC-SHA2- 224 (A3705)HMAC-SHA2- 224 (A3705)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3700)HMAC-SHA2- 256 (A3700)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3701)HMAC-SHA2- 256 (A3701)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3703)HMAC-SHA2- 256 (A3703)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3704)HMAC-SHA2- 256 (A3704)KATCASTOn DemandManually
HMAC-SHA2- 256 (A3705)HMAC-SHA2- 256 (A3705)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3700)HMAC-SHA2- 384 (A3700)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3701)HMAC-SHA2- 384 (A3701)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3703)HMAC-SHA2- 384 (A3703)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3704)HMAC-SHA2- 384 (A3704)KATCASTOn DemandManually
HMAC-SHA2- 384 (A3705)HMAC-SHA2- 384 (A3705)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3700)HMAC-SHA2- 512 (A3700)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3701)HMAC-SHA2- 512 (A3701)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3703)HMAC-SHA2- 512 (A3703)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3704)HMAC-SHA2- 512 (A3704)KATCASTOn DemandManually
HMAC-SHA2- 512 (A3705)HMAC-SHA2- 512 (A3705)KATCASTOn DemandManually
HMAC-SHA3- 224 (A3700)HMAC-SHA3- 224 (A3700)KATCASTOn DemandManually
HMAC-SHA3- 224 (A3701)HMAC-SHA3- 224 (A3701)KATCASTOn DemandManually
HMAC-SHA3- 224 (A3705)HMAC-SHA3- 224 (A3705)KATCASTOn DemandManually
HMAC-SHA3- 256 (A3700)HMAC-SHA3- 256 (A3700)KATCASTOn DemandManually
HMAC-SHA3- 256 (A3701)HMAC-SHA3- 256 (A3701)KATCASTOn DemandManually
HMAC-SHA3- 256 (A3705)HMAC-SHA3- 256 (A3705)KATCASTOn DemandManually
HMAC-SHA3- 384 (A3700)HMAC-SHA3- 384 (A3700)KATCASTOn DemandManually
HMAC-SHA3- 384 (A3701)HMAC-SHA3- 384 (A3701)KATCASTOn DemandManually
HMAC-SHA3- 384 (A3705)HMAC-SHA3- 384 (A3705)KATCASTOn DemandManually
HMAC-SHA3- 512 (A3700)HMAC-SHA3- 512 (A3700)KATCASTOn DemandManually
HMAC-SHA3- 512 (A3701)HMAC-SHA3- 512 (A3701)KATCASTOn DemandManually
HMAC-SHA3- 512 (A3705)HMAC-SHA3- 512 (A3705)KATCASTOn DemandManually
PBKDF (A3700)PBKDF (A3700)KATCASTOn DemandManually
PBKDF (A3701)PBKDF (A3701)KATCASTOn DemandManually
PBKDF (A3703)PBKDF (A3703)KATCASTOn DemandManually
PBKDF (A3704)PBKDF (A3704)KATCASTOn DemandManually
PBKDF (A3705)PBKDF (A3705)KATCASTOn DemandManually
PBKDF (A3700)PBKDF (A3700)KATCASTOn DemandManually
PBKDF (A3701)PBKDF (A3701)KATCASTOn DemandManually
PBKDF (A3703)PBKDF (A3703)KATCASTOn DemandManually
PBKDF (A3704)PBKDF (A3704)KATCASTOn DemandManually
PBKDF (A3705)PBKDF (A3705)KATCASTOn DemandManually
RSA KeyGen (FIPS186-4) (A3700)RSA KeyGen (FIPS186-4) (A3700)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3701)RSA KeyGen (FIPS186-4) (A3701)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3703)RSA KeyGen (FIPS186-4) (A3703)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3704)RSA KeyGen (FIPS186-4) (A3704)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A3705)RSA KeyGen (FIPS186-4) (A3705)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3700)ECDSA KeyGen (FIPS186-4) (A3700)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3701)ECDSA KeyGen (FIPS186-4) (A3701)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3703)ECDSA KeyGen (FIPS186-4) (A3703)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3704)ECDSA KeyGen (FIPS186-4) (A3704)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A3705)ECDSA KeyGen (FIPS186-4) (A3705)PCTPCTOn DemandManually

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module d e s with SHA2256 (FIPS1864) (A3705) with SHA2256 Table 24: Conditional Self-Tests The table above lists the CASTs and PCTs performed by the module. All CASTs performed are in the form of the Known Answer Tests (KATs) and are run prior to performing the integrity test. The details of the integrity test are provided in Section 5.1. The KAT includes comparison of the calculated output with the expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. The module also performs the Pair-wise Consistency Tests (PCT) shown in the table above. If at least one of the tests fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output, and cryptographic operations are not allowed.

10.3 Periodic Self-Test Information

© 2024 Canonical Ltd. / atsec information security.

Page 99

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 25: Pre-Operational Periodic Information © 2024 Canonical Ltd. / atsec information security.

Page 100

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 101

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 102

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 103

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 104

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 105

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 106

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 107

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module © 2024 Canonical Ltd. / atsec information security.

Page 108
Service
NameDescriptionRole AccessIndicator
Error stateThe module immediately stopsSoftware integrity test failureAn error message related to theRestart of the module
functioning due to a self-test failurefunctioning due to a self-test failureCAST failure PCT failurecause of the failure
Fatal Error stateThe module immediately halts all cryptographic operations and transits to shutdownRandom numbers are requested in the Error state Cipher operations are requested on a deallocated handleThe module is aborted and is not available for useRestart of the module

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 26: Conditional Periodic Information The module does not implement periodic self-tests.

10.4 Error States

© 2024 Canonical Ltd. / atsec information security.

Page 109

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Table 27: Error States When the module fails any pre-operational self-test or conditional test, the module will return an error code to indicate the error and will enter the Error state. Any further cryptographic operation is inhibited. The calling application can obtain the module state by calling the gcry_control(GCRYCTL_OPERATIONAL_P) API function. The function returns FALSE if the module is in the Error state, TRUE if the module is in the Operational state. In the Error state, all data output is inhibited, and no cryptographic operation is allowed. The error can be recovered by a restart (i.e., The table above shows the error codes and their corresponding condition.

10.5 Operator Initiation of Self-Tests [O]

On-Demand self-tests can be performed by powering-off and reloading the module, which cause the module to run the pre-operational tests again. Invoking the gcry_control(GCRYCTL_SELFTEST) API function will run the pre-operational self-test and CASTs on demand. Information on the execution of these tests are detailed in Section 5.2.

10.6 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 110

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Once the operating environment is configured following the instructions provided below, the Crypto Officer can install the Ubuntu packages containing the module listed in Section 11.2 using the Advanced Package Tool (APT) with the following command line: $ sudo apt-get install libcgrypt20 libgcrypt20-hmac All the Ubuntu packages are associated with hashes for integrity check. The integrity of the Ubuntu package is automatically verified by the packing tool during the installation of the module. The Crypto Officer shall not install the package if the integrity fails. Once the Debian packages have been installed, the operator needs to check the output of the gcry_version() API, which should show the following name and version: Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module 1.9.4-3ubuntu3+Fips1.2 FIPS configuration can be enabled automatically via the Ubuntu Advantage tool after attaching your subscription. (1) To install the tool type the following commands: $ sudo apt update $ sudo apt install ubuntu-advantage-tools (2) To activate the Ubuntu Pro subscription run: $ sudo pro attach <your_pro_token> (3) To enable approved mode run: $ sudo pro enable fips (4) To verify that approved mode is enabled run: $ sudo pro status The pro client will install the necessary packages for the approved mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into approved mode. The reboot will boot into FIPS supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in approved mode. If you do not reboot after installing and configuring the bootloader, approved mode is not yet enabled. © 2024 Canonical Ltd. / atsec information security.

Page 111

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

11.2 Administrator Guidance

The binaries of the module are contained in the Ubuntu packages for delivery. The Crypto Officer shall follow this Security Policy (Section 11.1) to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. The following Ubuntu packages contain the FIPS validated module:

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Design and Rules [O]

The user must not call malloc/free to create/release space for keys, let libgcrypt manage space for keys, which will ensure that the key memory is overwritten before it is released. gcry_control(GCRYCTL_TERM_SECMEM) needs to be called before the process is terminated.

11.5 Maintenance Requirements [O]

There are no maintenance requirements.

11.6 End of Life [O]

For secure sanitization of the cryptographic module, the module must first be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. © 2024 Canonical Ltd. / atsec information security.

Page 112

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module The module does not possess persistent storage of SSPs, so further sanitization steps are not required.

11.7 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 113

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module

12 Mitigation of Other Attacks
12.1 Attack List [O]

The module implements blinding against RSA Timing Attacks. RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack.

12.2 Mitigation Effectiveness [O]

By default, the module uses the following blinding technique: instead of using the RSA decryption directly, a blinded value y = x re mod n is decrypted and the unblinded value x' = y' r−1 mod n returned.

12.3 Guidance and Constraints [O]

The blinding value r is a random value with the size of the modulus n.

12.4 Additional Information [O]

Not applicable. © 2024 Canonical Ltd. / atsec information security.

Page 114
Approved algorithm
NameKey Size
dcurvedataeecdsaflags
hashgenkeyhash-algonnbitspkcs1
pssprivate-keypublic-keyqrraw
rsa-use-ersassalt-lengthsig-valvalue

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Below are listed the approved public key flags for an input s-expression: d e n q r s © 2024 Canonical Ltd. / atsec information security.

Page 115

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DF Derivation Function DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm © 2024 Canonical Ltd. / atsec information security.

Page 116

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module SHS Secure Hash Standard XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Canonical Ltd. / atsec information security.

Page 117

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module Appendix C. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS1403_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program September 2020 https://csrc.nist.gov/Projects/cryptographic-module-validationprogram/fips-140-3-ig-announcements FIPS180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP80038A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf © 2024 Canonical Ltd. / atsec information security.

Page 118

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module SP80038B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/detail/sp/800-38b/final SP80038C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-80038E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80038F.pdf SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r5.pdf SP80090A NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090Ar1.pdf SP80090B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090B.pdf © 2024 Canonical Ltd. / atsec information security.

Page 119

Canonical Ltd. Ubuntu 22.04 Libgcrypt Cryptographic Module SP800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800133r2.pdf SP800140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800140B.pdf © 2024 Canonical Ltd. / atsec information security.

Referenced URLs