All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module

Certificate#4855StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCanonical Ltd.
Medium review priority  ·  no TCB surface named  ·  GnuTLS upstream has published 9 CVEs since this module's initial validation  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date10/27/2029
CaveatInterim validation. When operated in the approved mode. When installed, initialized, and configured as specified in section 11.1 of the Security Policy.
VendorCanonical Ltd.

Approved Algorithms (90)

AlgorithmACVP Cert
AES-CBCA3665
AES-CBCA3667
AES-CBCA3708
AES-CBCA3709
AES-CBCA3711
AES-CBCA3712
AES-CBCA3713
AES-CBCA3714
AES-CCMA3665
AES-CCMA3708
AES-CCMA3711
AES-CFB8A3670
AES-CFB8A3716
AES-CFB8A3717
AES-CMACA3667
AES-CMACA3708
AES-CMACA3711
AES-CMACA3714
AES-GCMA3665
AES-GCMA3667
AES-GCMA3708
AES-GCMA3709
AES-GCMA3711
AES-GCMA3712
AES-GCMA3713
AES-GMACA3667
AES-XTS Testing Revision 2.0A3668
Counter DRBGA3667
ECDSA KeyGen (FIPS186-4)A3667
ECDSA KeyVer (FIPS186-4)A3667
ECDSA SigGen (FIPS186-4)A3667
ECDSA SigVer (FIPS186-4)A3667
HMAC-SHA-1A3665
HMAC-SHA-1A3667
HMAC-SHA-1A3710
HMAC-SHA-1A3714
HMAC-SHA2-224A3665
HMAC-SHA2-224A3667
HMAC-SHA2-224A3710
HMAC-SHA2-224A3714
HMAC-SHA2-256A3665
HMAC-SHA2-256A3667
HMAC-SHA2-256A3710
HMAC-SHA2-256A3714
HMAC-SHA2-384A3665
HMAC-SHA2-384A3667
HMAC-SHA2-384A3710
HMAC-SHA2-384A3714
HMAC-SHA2-512A3665
HMAC-SHA2-512A3667
HMAC-SHA2-512A3710
HMAC-SHA2-512A3714
KAS-ECC-SSC Sp800-56Ar3A3667
KAS-FFC-SSC Sp800-56Ar3A3667
KDA HKDF Sp800-56Cr1A3666
KDF TLSA3667
PBKDFA3667
RSA KeyGen (FIPS186-4)A3667
RSA SigGen (FIPS186-4)A3667
RSA SigVer (FIPS186-4)A3667
Safe Primes Key GenerationA3667
SHA-1A3665
SHA-1A3667
SHA-1A3710
SHA-1A3714
SHA2-224A3665
SHA2-224A3667
SHA2-224A3710
SHA2-224A3714
SHA2-256A3665
SHA2-256A3667
SHA2-256A3710
SHA2-256A3714
SHA2-384A3665
SHA2-384A3667
SHA2-384A3710
SHA2-384A3714
SHA2-512A3665
SHA2-512A3667
SHA2-512A3710
SHA2-512A3714
SHA3-224A3669
SHA3-224A3715
SHA3-256A3669
SHA3-256A3715
SHA3-384A3669
SHA3-384A3715
SHA3-512A3669
SHA3-512A3715
TLS v1.2 KDF RFC7627A3667

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>status output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>status output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Canonical Ltd. Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module Version 3.7.3-4ubuntu1.2+Fips1.1 Version 1.3 Last updated: 10-22-2024 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com

Page 2
Table of Contents
#SectionPage
Page 3

© 2024 Canonical Ltd. / atsec information security.

Page 4

© 2024 Canonical Ltd. / atsec information security.

Page 5
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid9
Table 4: Modes List and Description9
Table 5: Approved Algorithms14
Table 6: Vendor-Affirmed Algorithms14
Table 7: Non-Approved, Allowed Algorithms with No Security Claimed14
Table 8: Non-Approved, Not Allowed Algorithms16
Table 9: Security Function Implementations22
Table 10: Entropy Certificates25
Table 11: Entropy Sources25
Table 12: Ports and Interfaces28
Table 13: Roles29
Table 14: Approved Services35
Table 15: Non-Approved Services37
Table 16: EFP/EFT Information40
Table 17: Hardness Testing Temperatures41
Table 18: Storage Areas43
Table 19: SSP Input-Output Methods43
Table 20: SSP Zeroization Methods44
Table 21: SSP Table 148
Table 22: SSP Table 251
Table 23: Pre-Operational Self-Tests52
Table 24: Conditional Self-Tests59
Table 25: Pre-Operational Periodic Information60
Table 26: Conditional Periodic Information65
Table 27: Error States66
Figure 1: Block Diagram7
Page 6
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3.7.3-4ubuntu1.2+Fips1.1 of the Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module. It has a one-to-one mapping to SP 800140B starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module (hereafter referred to as “the module”) provides cryptographic services to applications running in the user space of the underlying operating system through a C language Application Program Interface (API). Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1: Block Diagram Tested Operational Environment’s Physical Perimeter (TOEPP): © 2024 Canonical Ltd. / atsec information security.

Page 8

The TOEPP (tested operational environment’s physical perimeter) of the module is defined as the general-purpose computer on which the module is installed.

2.2 Tested and Vendor Affirmed Module Version and

Identification Tested Module Identification

Page 9

Operating Hardware Processors PAA/PAI Hypervisor Version(s) System Platform or Host OS Ubuntu 22.04 Supermicro SYS- Intel® Xeon® No N/A 3.7.3LTS (Jammy 1019P-WTR Gold 6226 4ubuntu1.2+Fips1.1 Jellyfish) Ubuntu 22.04 Amazon Web AWS No N/A 3.7.3LTS (Jammy Services (AWS) Graviton2 4ubuntu1.2+Fips1.1 Jellyfish) c6g.metal Ubuntu 22.04 IBM z15 z15 No N/A 3.7.3LTS (Jammy 4ubuntu1.2+Fips1.1 Jellyfish) Table 3: Tested Operational Environments - Software, Firmware, Hybrid The module makes use of hardware acceleration provided by the hardware platform. Namely, AES-NI from the Intel based platform, NEON and Cryptography Extension for the Graviton2 based platform and CPACF for the z15 based platforms, listed in the Tested Operational Environments - Software, Firmware, Hybrid table. Out of these, only CPACF is considered as PAI and other two are considered as PAA. Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator mode approved service is requested of the requested service Non-approved Automatically entered whenever a Non- Equivalent to the indicator mode non-approved service is requested Approved of the requested service Table 4: Modes List and Description When the module starts up successfully, after passing all the pre-operational and conditional cryptographic algorithms self-tests (CASTs), the module is operating in the approved mode of operation by default. Please see section 4 for the details on service indicator provided by the module that identifies when an approved service is called. Mode Change Instructions and Status: If the module is in the approved mode, it can be transitioned to the non-approved mode by calling one of the non-approved services listed in section 4. If the module is in the non-approved mode, the module can be transitioned to the approved mode by calling one of the approved services listed in section 4. © 2024 Canonical Ltd. / atsec information security.

Page 10
2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A3665 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3665 Key Length - 128, 256 SP 800-38C AES-GCM A3665 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 HMAC-SHA-1 A3665 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3665 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3665 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3665 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3665 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 SHA-1 A3665 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3665 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3665 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3665 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3665 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 AES-CBC A3667 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3667 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-GCM A3667 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GMAC A3667 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 Counter DRBG A3667 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No ECDSA KeyGen A3667 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates © 2024 Canonical Ltd. / atsec information security.

Page 11

Algorithm CAVP Properties Reference Cert ECDSA KeyVer A3667 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3667 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2ECDSA SigVer A3667 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2HMAC-SHA-1 A3667 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3667 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3667 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3667 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3667 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 KAS-ECC-SSC A3667 Domain Parameter Generation Methods - P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3667 Domain Parameter Generation Methods - ffdhe2048, SP 800-56A Sp800-56Ar3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- Rev. 3 2048, MODP-3072, MODP-4096, MODP-6144, MODP8192 Scheme dhEphem KAS Role - initiator, responder KDF TLS (CVL) A3667 TLS Version - v1.0/1.1 SP 800-135 Rev. 1 PBKDF A3667 Iteration Count - Iteration Count: 10-1000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A3667 Key Generation Mode - B.3.2 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Algorithm - SHA2-384 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3667 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3667 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Safe Primes A3667 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Key Generation ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, Rev. 3 MODP-4096, MODP-6144, MODP-8192 SHA-1 A3667 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3667 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3667 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 © 2024 Canonical Ltd. / atsec information security.

Page 12

Algorithm CAVP Properties Reference Cert SHA2-384 A3667 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3667 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A3667 Hash Algorithm - SHA2-256, SHA2-384 SP 800-135 RFC7627 (CVL) Rev. 1 AES-CBC A3708 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3708 Key Length - 128, 256 SP 800-38C AES-CMAC A3708 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-GCM A3708 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-CBC A3709 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3709 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-CBC A3711 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3711 Key Length - 128, 256 SP 800-38C AES-CMAC A3711 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-GCM A3711 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-CBC A3712 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3712 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-CBC A3713 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3713 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-CBC A3714 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3714 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 HMAC-SHA-1 A3714 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3714 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3714 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3714 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.

Page 13

Algorithm CAVP Properties Reference Cert HMAC-SHA2- A3714 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 SHA-1 A3714 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3714 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3714 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3714 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3714 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 AES-CFB8 A3670 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3716 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3717 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS A3668 Direction - Decrypt, Encrypt SP 800-38E Testing Key Length - 128, 256 Revision 2.0 HMAC-SHA-1 A3710 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3710 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3710 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3710 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3710 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 SHA-1 A3710 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3710 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3710 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3710 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3710 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 KDA HKDF A3666 Derived Key Length - 2048 SP 800-56C Sp800-56Cr1 Shared Secret Length - Shared Secret Length: 224-65336 Rev. 2 Increment 8 HMAC Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 SHA3-224 A3669 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A3669 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A3669 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3669 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 © 2024 Canonical Ltd. / atsec information security.

Page 14

Algorithm CAVP Properties Reference Cert SHA3-224 A3715 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A3715 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A3715 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3715 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG RSA:Asymmetric N/A SP 800-133r2 section 4 example 1 (asymmetric) ECDSA:Asymmetric without the use of V (refer to EC Diffie-Hellman additional comment 2 of IG D.H) :Asymmetric Safe primes:Asymmetric CKG AES:Symmetric N/A SP 800-133r2 section 4 example 1 (symmetric) HMAC:Symmetric without the use of V (refer to additional comment 2 of IG D.H) Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Only allowed as the PRF in TLSv1.0 and Message digest used in TLS 1.0 / 1.1 KDF only v1.1 per IG 2.4.A for legacy use Table 7: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Name Use and Function Blowfish Symmetric encryption; Symmetric decryption Camellia Symmetric encryption; Symmetric decryption CAST Symmetric encryption; Symmetric decryption ChaCha20 Symmetric encryption; Symmetric decryption Chacha20 and Poly1305 Authenticated encryption; Authenticated decryption CMAC with Triple-DES Message authentication code (MAC) © 2024 Canonical Ltd. / atsec information security.

Page 15

Name Use and Function DES Symmetric encryption; Symmetric decryption Diffie-Hellman (with domain parameters other than Key agreement; Shared secret safe primes) computation DSA Key generation; Domain parameter generation; Digital signature generation; Digital signature verification ECDSA (with curves other than P-256, P-384, P-512) Key generation; Public key verification ECDSA (with curves other than P-256, P-384, P-512 or Digital signature generation; Digital hash functions other than SHA2-224, SHA2-256, SHA2- signature verification 384, SHA2-512) EC Diffie-Hellman (with curves other than P-256, P-384, Key agreement; Shared secret P-512) computation GMAC Message authentication code (MAC) GOST Symmetric encryption; Symmetric decryption; Message digest HMAC (with keys smaller than 112-bits) Message authentication code (MAC) HMAC (with GOST) Message authentication code (MAC) MD2, MD4, MD5 Message digest; Message authentication code (MAC) PBKDF (with non-approved message digest algorithms Key derivation or using input parameters not meeting requirements stated in section 2.7 of the security policy) RC2, RC4 Symmetric encryption; Symmetric decryption RMD160 Message digest; Message authentication code (MAC) RSA (with keys smaller than 2048 bits or greater than Key generation

4096 bits)

RSA (with keys smaller than 2048 bits or greater than Digital signature generation

4096 bits and/or hash functions other than SHA2-224,

SHA2-256, SHA2-384, SHA2-512) RSA (with keys smaller than 1024 bits or greater than Digital signature verification

4096 bits and/or hash functions other than SHA2-224,

SHA2-256, SHA2-384, SHA2-512) RSA (encapsulation and un-encapsulation with any key Key encapsulation; Key un-encapsulation sizes) Salsa20 Symmetric encryption; Symmetric decryption SEED Symmetric encryption; Symmetric decryption Serpent Symmetric encryption; Symmetric decryption SRP Key agreement STREEBOG Message digest; Message authentication code (MAC) Triple-DES Symmetric encryption; Symmetric decryption Twofish Symmetric encryption; Symmetric decryption UMAC Message authentication code (MAC) Yarrow Random number generation AES-GCM (when not used in the context of the TLS Symmetric encryption; Symmetric protocol) decryption © 2024 Canonical Ltd. / atsec information security.

Page 16

Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Symmetric BC-UnAuth Symmetric AES-CBC:128, AES-CBC encryption BC-Auth encryption. AES-GCM 192, 256-bit keys AES-CBC is considered with 128-256 bits AES-CBC approved by the of key strength AES-CBC module only used in AES-CCM:128, AES-CBC the context of the 256-bit keys with AES-CBC TLS protocol. 128 and 256 bits AES-CBC of key strength AES-CBC AES-GCM:128, AES-CCM 256-bit keys with AES-CCM

128 and 256 bits AES-CCM

of key strength AES-GCM AES-CFB8:128, AES-GCM 192, 256-bit keys AES-GCM with 128-256 bits AES-GCM of key strength AES-GCM AES-XTS Testing AES-GCM Revision 2.0:128, AES-GCM 256-bit keys with AES-CFB8

128 and 256 bits AES-CFB8

of key strength AES-CFB8 AES-XTS Testing Revision 2.0 Symmetric BC-UnAuth Symmetric AES-CBC:128, AES-CBC decryption BC-Auth decryption. AES-GCM 192, 256-bit keys AES-CBC is considered with 128-256 bits AES-CBC approved by the of key strength AES-CBC module only used in AES-CCM:128, AES-CBC the context of the 256-bit keys with AES-CBC TLS protocol 128 and 256 bits AES-CBC of key strength AES-CBC AES-GCM:128, AES-CCM 256-bit keys with AES-CCM

128 and 256 bits AES-CCM

of key strength AES-GCM AES-CFB8:128, AES-GCM 192, 256-bit keys AES-GCM with 128-256 bits AES-GCM of key strength AES-GCM AES-XTS Testing AES-GCM Revision 2.0:128, AES-GCM 256-bit keys with AES-CFB8

128 and 256 bits AES-CFB8

of key strength AES-CFB8 AES-XTS Testing Revision 2.0 Message MAC Message HMAC-SHA- HMAC-SHA-1 authentication authentication code 1:112-524288 bit HMAC-SHA-1 code (MAC) (MAC) keys with HMAC-SHA-1 © 2024 Canonical Ltd. / atsec information security.

Page 17

Name Type Description Properties Algorithms strength of 112- HMAC-SHA-1

256 bits HMAC-SHA2-224

HMAC-SHA2- HMAC-SHA2-224 224:112-524288 HMAC-SHA2-224 bit keys with HMAC-SHA2-224 strength of 112- HMAC-SHA2-256

256 bits HMAC-SHA2-256

HMAC-SHA2- HMAC-SHA2-256 256:112-524288 HMAC-SHA2-256 bit keys with HMAC-SHA2-384 strength of 112- HMAC-SHA2-384

256 bits HMAC-SHA2-384

HMAC-SHA2- HMAC-SHA2-384 384:112-524288 HMAC-SHA2-512 bit keys with HMAC-SHA2-512 strength of 112- HMAC-SHA2-512

256 bits HMAC-SHA2-512

HMAC-SHA2- SHA-1 512:112-524288 SHA-1 bit keys with SHA-1 strength of 112- SHA-1

256 bits SHA2-224

AES-CMAC:128, SHA2-224 256-bit keys with SHA2-224

128 and 256 bits SHA2-224

of key strength SHA2-256 AES-GMAC:128, SHA2-256 256-bit keys with SHA2-256

128 and 256 bits SHA2-256

of key strength SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-GMAC Message digest SHA Message digest SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 © 2024 Canonical Ltd. / atsec information security.

Page 18

Name Type Description Properties Algorithms SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Deterministic CKG Deterministic random Counter Counter DRBG random bit DRBG bit generation in DRBG:256-bit generation compliance with keys with 256 SP800-90Ar1 bits of key strength Asymmetric key AsymKeyPair- Asymmetric key ECDSA KeyGen ECDSA KeyGen generation KeyGen generation (FIPS186-4):P- (FIPS186-4) CKG 256, P-384, P- RSA KeyGen

521 elliptic (FIPS186-4)

curves with 128- Safe Primes Key

256 bits of key Generation

strength Counter DRBG RSA KeyGen (FIPS1864):2048, 3072, 4096-bit keys with 112-149 bits of key strength Safe Primes Key Generation:2048, 3072, 4096, 6144, 8192-bit keys with 112-

200 bits of key

strength Public key AsymKeyPair- Public key verification ECDSA KeyVer ECDSA KeyVer verification KeyVer (FIPS186-4):P- (FIPS186-4) 256, P-384, P-

521 elliptic
256 bits of key

strength Digital signature DigSig-SigGen Digital signature ECDSA SigGen ECDSA SigGen generation generation (FIPS186-4):P- (FIPS186-4) 256, P-384, P- RSA SigGen

521 elliptic (FIPS186-4)

curves with 128- Counter DRBG

256 bits of SHA2-224

strength SHA2-224 RSA SigGen SHA2-224 © 2024 Canonical Ltd. / atsec information security.

Page 19

Name Type Description Properties Algorithms (FIPS186- SHA2-224 4):2048, 3072, SHA2-256 4096-bit keys SHA2-256 with 112-149 bits SHA2-256 of key strength SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 Digital signature DigSig-SigVer Digital signature ECDSA SigVer ECDSA SigVer verification verification (FIPS186-4):P- (FIPS186-4) 256, P-384, P- RSA SigVer

521 elliptic (FIPS186-4)
256 bits of key SHA2-224

strength SHA2-224 RSA SigVer SHA2-224 (FIPS186- SHA2-256 4):2048, 3072, SHA2-256 4096-bit keys SHA2-256 with 112-149 bits SHA2-256 of key strength SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 (EC Diffie- KAS-SSC EC Diffie-Hellman KAS-ECC-SSC KAS-ECC-SSC Hellman) shared shared secret Sp800-56Ar3:P- Sp800-56Ar3 secret computation 256, P-384, Pcomputation compliant with 521 elliptic scenario 2(1) of IG D.F curves with 128-

256 bits of

strength (Diffie-Hellman) KAS-SSC EC Diffie-Hellman KAS-FFC-SSC KAS-FFC-SSC shared secret shared secret Sp800- Sp800-56Ar3 computation computation 56Ar3:2048, compliant with 3072, 4096, scenario 2(1) of IG D.F 6144, 8192-bit keys with 112-

200 bits of key

strength Key derivation KAS-135KDF Key derivation KDF TLS KDF TLS KAS-56CKDF (CVL):TLS PBKDF PBKDF derived secret TLS v1.2 KDF with 112 to 256 RFC7627 bits of key KDA HKDF strength Sp800-56Cr1 PBKDF:128-4096 HMAC-SHA-1 © 2024 Canonical Ltd. / atsec information security.

Page 20

Name Type Description Properties Algorithms bit keys with HMAC-SHA-1 strength of 128- HMAC-SHA-1

256 bits HMAC-SHA-1

TLS v1.2 KDF HMAC-SHA2-224 RFC7627 HMAC-SHA2-224 (CVL):TLS HMAC-SHA2-224 derived secret HMAC-SHA2-224 with 112 to 256 HMAC-SHA2-256 bits of key HMAC-SHA2-256 strength HMAC-SHA2-256 KDA HKDF HMAC-SHA2-256 Sp800-56Cr1:TLS HMAC-SHA2-384 derived secret HMAC-SHA2-384 with 112 to 256 HMAC-SHA2-384 bits of key HMAC-SHA2-384 strength HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 Key wrapping KTS-Wrap Key AES-CBC:128, AES-CCM wrapping/unwrapping 192, 256-bit keys AES-CCM using AES-CCM, AES- with 128-256 bits AES-CCM GCM, or AES-CBC with of key strength AES-GCM HMAC with 128-bit or AES-CCM:128, AES-GCM 256-bit keys; used in 256-bit keys with AES-GCM the context of the 128 and 256 bits AES-GCM TLS protocol, in of key strength AES-GCM compliance with IG AES-GCM:128, AES-GCM D.G and additional 256-bit keys with AES-GCM comment 8 of IG D.G 128 and 256 bits AES-CBC of key strength AES-CBC HMAC-SHA- AES-CBC 1:112-524288 bit AES-CBC keys with AES-CBC strength of 112- AES-CBC © 2024 Canonical Ltd. / atsec information security.

Page 21

Name Type Description Properties Algorithms

256 bits AES-CBC

HMAC-SHA2- AES-CBC 224:112-524288 HMAC-SHA-1 bit keys with HMAC-SHA-1 strength of 112- HMAC-SHA-1

256 bits HMAC-SHA-1

HMAC-SHA2- HMAC-SHA2-224 256:112-524288 HMAC-SHA2-224 bit keys with HMAC-SHA2-224 strength of 112- HMAC-SHA2-224

256 bits HMAC-SHA2-256

HMAC-SHA2- HMAC-SHA2-256 384:112-524288 HMAC-SHA2-256 bit keys with HMAC-SHA2-256 strength of 112- HMAC-SHA2-384

256 bits HMAC-SHA2-384

HMAC-SHA2- HMAC-SHA2-384 512:112-524288 HMAC-SHA2-384 bit keys with HMAC-SHA2-512 strength of 112- HMAC-SHA2-512

256 bits HMAC-SHA2-512

HMAC-SHA2-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 EC Diffie- KAS-Full EC Diffie-Hellman KAS-ECC-SSC KAS-ECC-SSC Hellman compliant with Sp800-56Ar3:P- Sp800-56Ar3 scenario 2(2) of IG D.F 256, P-384, P- KDF TLS

521 elliptic TLS v1.2 KDF
256 bits of KDA HKDF

strength Sp800-56Cr1 KDF TLS (CVL):TLS derived secret with 112 to 256 bits of key strength © 2024 Canonical Ltd. / atsec information security.

Page 22

Name Type Description Properties Algorithms TLS v1.2 KDF RFC7627 (CVL):TLS derived secret with 112 to 256 bits of key strength KDA HKDF Sp800-56Cr1:TLS derived secret with 112 to 256 bits of key strength Diffie-Hellman KAS-Full Diffie-Hellman KAS-FFC-SSC KAS-FFC-SSC compliant with SP800- Sp800-56Ar3 scenario 2(2) of IG D.F 56Ar3:2048, KDF TLS 3072, 4096, TLS v1.2 KDF 6144, 8192-bit RFC7627 keys with 112- KDA HKDF

200 bits of key Sp800-56Cr1

strength KDF TLS (CVL):TLS derived secret with 112 to 256 bits of key strength TLS v1.2 KDF RFC7627 (CVL):TLS derived secret with 112 to 256 bits of key strength KDA HKDF Sp800-56Cr1:TLS derived secret with 112 to 256 bits of key strength Table 9: Security Function Implementations

2.7 Algorithm Specific Information

Hash Algorithms In compliance with IG C.B, every approved hash algorithm implementation was CAVP tested and validated on all the module’s operational environments. Section 2.5 of this security policy contains a table of the CAVP certificates of the approved hash functions. For the higher-level algorithms that use the approved hash functions - Counter DRBG, ECDSA SigGen, ECDSA SigVer, HMAC, KDA HKDF Sp800-56Cr1, KDF TLS (CVL), TLS v1.2 KDF RFC7627 (CVL), PBKDF2, RSA SigGen, RSA SigVer

Page 23

tested and validated on all the module’s operational environments. Section 2.5 of this security policy contains a table of the CAVP certificates of these higher-level algorithms. SHA-3 The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of each SHA-3 function was tested and validated on all the module’s operating environments. SHAKE functions are not implemented. SHA-3 hash functions are not used as part of a higher-level algorithm. RSA Key Generation In compliance with IG C.E, the module generates RSA signature keys using an approved method of FIPS 186-4: generation of random primes that are provably prime. The CAVP certificate #A3667 indicates that the RSA key generating algorithm has been tested and validated for conformance to the methods in FIPS 186-4. RSA Signature Generation and Signature Verification The module provides RSA signature generation and signature verification compliant with IG C.F. The module supports RSA modulus lengths of 2048, 3072, and 4096 bits for both signature generation and signature verification. The RSA signature generation and signature verification implementations have been tested for all implemented RSA modulus lengths. The number of Miller-Rabin tests is consistent with the bit sizes of p and q from Table B.1 of FIPS 186-4. AES-GCM The module implements AES GCM for being used in the TLS v1.2 and v1.3 protocols. AES GCM IV generation is compliant with [FIPS140-3_IG] IG C.H for both protocols as follows:

Page 24

“Asymmetric key generation” service must be used to generate ephemeral Diffie-Hellman or EC DiffieHellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3. Key Transport Methods Please refer to section 2.10 of this security policy. Cryptographic Key Generation In compliance with IG D.H, the module generates symmetric keys and seeds for asymmetric keys using the method described in section 4 example 1 of SP 800-133r2 without the use of V (direct DRBG output as described in additional comment 2 of IG D.H). Please refer to section 2.9 for more information on the key generation methods employed by the module. DRBGs In compliance with IG D.L, the entropy input, DRBG seed, DRBG internal state (values of V and Key) are considered CSPs. The DRBG internal state is contained within the DRBG mechanism boundary and is not accessible by other mechanisms. PBKDF2 The module provides password-based key derivation (PBKDF), compliant with SP800-132 and IG D.N. The module supports option 1a from section 5.4 of SP800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP800-132, the following requirements shall be met.

Page 25

The requirements of input parameters (derived key length, salt length, iteration count and password length) are verified by the module when providing the service indicator. The calling application shall also observe the rest of the requirements and recommendations specified in SP800-132. TLS v1.2 KDF In compliance with IG D.Q, the module supports the TLS 1.2 KDF with the extended master secret: TLS v1.2 KDF RFC7627 (CVL).

2.8 RBG and Entropy

Cert Vendor Number Name E60 Canonical Table 10: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Userspace Non- Ubuntu 22.04 LTS (Jammy Jellyfish) 256 256 LFSR CPU Time Physical on Supermicro SYS-1019P-WTR on Jitter RNG Intel® Xeon® Gold 6226; Ubuntu Entropy 22.04 LTS (Jammy Jellyfish) on Source Amazon Web Services (AWS) c6g.metal on AWS Graviton2; Ubuntu 22.04 LTS (Jammy Jellyfish) on IBM z15 on z15 Table 11: Entropy Sources The module implements CTR_DRBG with AES-256, according to SP800-90Arev1, without a derivation function and without prediction resistance. The module uses an SP800-90B-compliant entropy source as specified above. This entropy source is located within the physical perimeter, but outside of the cryptographic boundary of the module. The public use document of the entropy source is found at: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/entropy/E60_PublicUse.pdf The module obtains 384 bits from the entropy source to seed the DRBG, and 256 bits to reseed it, sufficient to provide a DRBG with 256 bits of security strength. The largest key strength generated by the module is 256 bits.

2.9 Key Generation

The module generates symmetric keys and seeds for asymmetric keys using the method described in section 4 example 1 of SP 800-133r2 without the use of V (direct output of DRBG as described in additional comment 2 of IG D.H). The module generates the following keys:

Page 26
2.10 Key Establishment

Key Agreement The module provides Diffie-Hellman and EC Diffie-Hellman shared secret computation compliant with SP800-56Arev3, in accordance with scenario 2 (1) of IG D.F and used as part of the TLS protocol key exchange in accordance with scenario 2 (2) of IG D.F; that is, the shared secret computation (KAS-FFCSSC and KAS-ECC-SSC) followed by the derivation of the keying material using KDF TLS (CVL), TLS v1.2 KDF RFC7627 (CVL), or KDA HKDF Sp800-56Cr1. The Diffie-Hellman shared secret computation, EC DiffieHellman shared secret computation, KDF TLS (CVL), TLS v1.2 KDF RFC7627 (CVL), and KDA HKDF Sp80056Cr1 have been CAVP tested. The EC Diffie-Hellman shared secret computation uses the Ephemeral Unified Model. The module supports EC Diffie-Hellman shared secret computation with P-256, P-384, and P-521 curves which have a security strength of 128-256 bits. The Diffie-Hellman shared secret computation uses the DH Ephemeral scheme. The module supports Diffie-Hellman shared secret computation with the MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, and ffdhe8192 groups which have a security strength of 112-200 bits. Key Transport The module provides key wrapping (KTS), compliant with IG D.G, using AES-CCM, AES-GCM, and AES-CBC with HMAC, used in the context of the TLS protocol cipher suites with 128-bit or 256-bit keys, with strengths of 128 bits and 256 bits respectively. When using AES-CBC with HMAC, the entire wrapped message is authenticated. AES-CCM, AES-GCM, AES-GCM, and HMAC have been tested and validated by the CAVP and the algorithms’ certificate numbers are in section 2.5 of the security policy. © 2024 Canonical Ltd. / atsec information security.

Page 27
2.11 Industry Protocols

The TLS protocol implementation provides both server and client sides. To operate in the approved mode, digital certificates used for server and client authentication shall comply with the restrictions of key size and message digest algorithms imposed by SP800-131Arev2. No parts of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

2.12 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 28
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters, kernel I/O network or files on filesystem, TLS protocol input messages. N/A Data Output API output parameters, kernel I/O network or files on filesystem, TLS protocol output messages. N/A Control Input API function calls, API input parameters for control. N/A Status API return codes, API output parameters for status output. Output Table 12: Ports and Interfaces The module does not have a control output interface.

3.2 Trusted Channel Specification
3.3 Control Interface Not Inhibited
3.4 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 29
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role Crypto Officer None Table 13: Roles

4.3 Approved Services

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access Symmetri Generate gnutls_fips140_get_opera Key size Key Determini Crypto c key AES and tion_state() returns stic Officer generatio HMAC GNUTLS_FIPS140_OP_APP random - AES n key ROVED bit key: G,R generatio - HMAC n key: G,R Symmetri Perform gnutls_fips140_get_opera Key, IV Ciphertext, Symmetri Crypto c AES tion_state() returns (for MAC tag c Officer encryptio encryptio GNUTLS_FIPS140_OP_APP AEAD), (for AEAD) encryptio - AES n n ROVED Plainte n key: W,E xt Symmetri Perform gnutls_fips140_get_opera Key, IV Plaintext Symmetri Crypto c AES tion_state() returns (for c Officer decryptio decryptio GNUTLS_FIPS140_OP_APP AEAD), decryptio - AES n n ROVED Ciphert n key: W,E ext, , MAC tag (for AEAD) Asymmetr Generate gnutls_fips140_get_opera RSA key Key pair Asymmetr Crypto ic key RSA, DH, tion_state() returns size, ic key Officer generatio or GNUTLS_FIPS140_OP_APP Elliptic generatio - RSA n ECDSA/E ROVED Curve, n public CDH key or Safe key: G,R pairs prime - RSA group private key: G,R - ECDSA public key: G,R - ECDSA private key: G,R - EC Diffie© 2024 Canonical Ltd. / atsec information security.

Page 30

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access Hellman public key: G,R - EC DiffieHellman private key: G,R - DiffieHellman public key: G,R - DiffieHellman private key: G,R Intermed iate key generati on value: G,E,Z Digital Generate gnutls_fips140_get_opera Messag Digital Digital Crypto signature RSA or tion_state() returns e, hash signature signature Officer generatio ECDSA GNUTLS_FIPS140_OP_APP algorith generatio - RSA n signature ROVED m, n private private key: W,E key - ECDSA private key: W,E Digital Verify gnutls_fips140_get_opera Messag Verificatio Digital Crypto signature RSA or tion_state() returns e, n result signature Officer verificatio ECDSA GNUTLS_FIPS140_OP_APP signatu (success/fa verificatio - RSA n signature ROVED re, hash ilure) n public algorith key: W,E m, - ECDSA public public key key: W,E Public key Verify gnutls_fips140_get_opera ECDSA Verificatio Public key Crypto verificatio ECDSA tion_state() returns public n result verificatio Officer n public GNUTLS_FIPS140_OP_APP key (success/fa n - ECDSA key ROVED ilure) public key: W,E Random Generate gnutls_fips140_get_opera Numbe Random Determini Crypto number random tion_state() returns r of bits bytes stic Officer generatio bitstrings GNUTLS_FIPS140_OP_APP random - Entropy n ROVED bit input: generatio W,E n - DRBG seed: G,E - DRBG internal state: V © 2024 Canonical Ltd. / atsec information security.

Page 31

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access value, key: G,E Message Compute gnutls_fips140_get_opera Messag Hash Message Crypto digest SHA tion_state() returns e digest digest Officer hashes GNUTLS_FIPS140_OP_APP ROVED Message Compute gnutls_fips140_get_opera Messag Message Message Crypto authentic AES- tion_state() returns e, authenticat authentic Officer ation based GNUTLS_FIPS140_OP_APP HMAC ion code ation - AES code CMAC or ROVED key or (MAC) code key: W,E (MAC) AES- AES key (MAC) - HMAC based key: W,E GMAC or HMAC Diffie- Perform gnutls_fips140_get_opera Diffie- Shared (Diffie- Crypto Hellman DH tion_state() returns Hellma secret Hellman) Officer shared shared GNUTLS_FIPS140_OP_APP n shared - Diffiesecret secret ROVED private secret Hellman computati computa key, computati public on tion Diffie- on key: W,E Hellma - Diffien public Hellman key private from key: W,E peer - DiffieHellman Shared secret: G,R EC Diffie- Perform gnutls_fips140_get_opera EC Shared (EC Diffie- Crypto Hellman ECDH tion_state() returns Diffie- secret Hellman) Officer shared shared GNUTLS_FIPS140_OP_APP Hellma shared - EC secret secret ROVED n secret Diffiecomputati computa private computati Hellman on tion key, EC on public Diffie- key: W,E Hellma - EC n public Diffiekey Hellman from private peer key: W,E - EC DiffieHellman Shared secret: G,R HMAC- Perform gnutls_fips140_get_opera Diffie- HKDF Key Crypto based key key tion_state() returns Hellma derived key derivation Officer derivation derivatio GNUTLS_FIPS140_OP_APP n - Diffien ROVED shared Hellman secret Shared or EC secret: Diffie- W,E © 2024 Canonical Ltd. / atsec information security.

Page 32

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access Hellma - EC n Diffieshared Hellman secret Shared secret: W,E - HKDF derived key: G,R Transport Provide gnutls_fips140_get_opera Cipher- Return Symmetri Crypto Layer supporte tion_state() returns suites codes c Officer Security d cipher GNUTLS_FIPS140_OP_APP (see and/or log encryptio - RSA (TLS) suites in ROVED Append messages, n public network approved ix A for Application Symmetri key: W,E protocol mode the data c - ECDSA comple decryptio public te list n key: W,E of valid Message - Diffiecipher authentic Hellman suites), ation public Digital code key: W,E Certific (MAC) - Diffieate, Digital Hellman Public signature private and generatio key: W,E Private n - EC Keys, Digital DiffieApplica signature Hellman tion verificatio public Data n key: W,E (EC Diffie- - EC Hellman) Diffieshared Hellman secret private computati key: W,E on - TLS pre(Diffie- master Hellman) secret: shared G,E secret - TLS computati derived on secret: Key G,E derivation - TLS Key master wrapping secret: G,E - RSA private key: W,E - ECDSA private key: W,E © 2024 Canonical Ltd. / atsec information security.

Page 33

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access Show Show Implicit (always approved) None Return None Crypto status module codes Officer status and/or log messages Zeroizatio Zeroize Implicit (always approved) Context None None Crypto n SSPs containi Officer ng SSPs - AES key: Z - HMAC key: Z - RSA public key: Z - RSA private key: Z - ECDSA public key: Z - ECDSA private key: Z - DiffieHellman public key: Z - DiffieHellman private key: Z - EC DiffieHellman public key: Z - EC DiffieHellman private key: Z - DiffieHellman Shared secret: Z - EC DiffieHellman Shared secret: Z - PBKDF passwor d or passphra se: Z © 2024 Canonical Ltd. / atsec information security.

Page 34

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access - PBKDF derived key: Z - Entropy input: Z - DRBG seed: Z - DRBG internal state: V value, key: Z - TLS premaster secret: Z - TLS master secret: Z - TLS derived secret: Z Intermed iate key generati on value: Z - HKDF derived key: Z Self-tests Perform Implicit (always approved) Module Result of None Crypto self-tests reset self-tests Officer (pass/fail) Show Show Implicit (always approved) None Name and None Crypto module module version Officer name and name informatio version and n version TLS key Perform gnutls_fips140_get_opera TLS pre- TLS Key Crypto derivation key tion_state() returns master derived derivation Officer derivatio GNUTLS_FIPS140_OP_APP secret secret - TLS pren ROVED master secret: W,E - TLS master secret: G,E - TLS derived secret: G,R © 2024 Canonical Ltd. / atsec information security.

Page 35

Name Descript Indicator Inputs Outputs Security SSP ion Functions Access Password- Perform gnutls_fips140_get_opera PBKDF PBKDF Key Crypto based key key tion_state() returns passwo derived key derivation Officer derivation derivatio GNUTLS_FIPS140_OP_APP rd or - PBKDF n ROVED passphr passwor ase d or passphra se: W,E - PBKDF derived key: G,R Diffie- Perform gnutls_fips140_get_opera Diffie- HKDF Diffie- Crypto Hellman DH key tion_state() returns Hellma derived Hellman Officer agreeme GNUTLS_FIPS140_OP_APP n key, TLS - Diffient ROVED private derived Hellman key, secret public Diffie- key: W,E Hellma - Diffien public Hellman key private from key: W,E peer - TLS derived secret: G,R - HKDF derived key: G,R EC Diffie- Perform gnutls_fips140_get_opera EC HKDF EC Diffie- Crypto Hellman ECDH tion_state() returns Diffie- derived Hellman Officer key GNUTLS_FIPS140_OP_APP Hellma key, TLS - EC agreeme ROVED n derived Diffient private secret Hellman key, EC public Diffie- key: W,E Hellma - EC n public Diffiekey Hellman from private peer key: W,E - TLS derived secret: G,R - HKDF derived key: G,R Table 14: Approved Services The “Indicator” column shows the service indicator API functions that must be used to verify the service indicator for each of the services. The function gnutls_fips140_get_operation_state() indicates GNUTLS_FIPS140_OP_NOT_APPROVED or GNUTLS_FIPS140_OP_APPROVED depending on whether the API invoked corresponds to an approved or non-approved algorithm. © 2024 Canonical Ltd. / atsec information security.

Page 36
4.4 Non-Approved Services

Name Description Algorithms Role Symmetric Blowfish, Camellia, CAST, ChaCha20, Blowfish CO encryption; DES, Salsa20, SEED, Serpent, Triple-DES, Camellia Symmetric Twofish, AES-GCM (when not used in CAST decryption (non- the context of the TLS protocol), GOST, ChaCha20 approved) RC2, RC4 DES Salsa20 SEED Serpent Triple-DES Twofish AES-GCM (when not used in the context of the TLS protocol) GOST RC2, RC4 Authenticated Chacha20 and Poly1305 Chacha20 and Poly1305 CO encryption; Authenticated decryption (nonapproved) Message HMAC (with GOST), HMAC (with keys HMAC (with GOST) CO authentication code smaller than 112-bits), UMAC, CMAC HMAC (with keys smaller (non-approved) with Triple-DES, GMAC than 112-bits) UMAC CMAC with Triple-DES GMAC Message digest MD2, MD4, MD5, RMD160, STREEBOG, MD2, MD4, MD5 CO (non-approved) GOST RMD160 STREEBOG GOST Key derivation PBKDF (with non-approved message PBKDF (with non-approved CO (non-approved) digest algorithms or using input message digest algorithms parameters not meeting requirements or using input parameters stated in section 2.7 of the security not meeting requirements policy) stated in section 2.7 of the security policy) Domain parameter DSA DSA CO generation (nonapproved) Public key ECDSA (with curves other than P-256, P- ECDSA (with curves other CO verification (non- 384, P-512) than P-256, P-384, P-512) approved) Key generation RSA (with keys smaller than 2048 bits or RSA (with keys smaller than CO (non-approved) greater than 4096 bits), DSA, ECDSA 2048 bits or greater than (with curves other than P-256, P-384, P- 4096 bits) 512) DSA ECDSA (with curves other than P-256, P-384, P-512) Digital signature RSA (with keys smaller than 1024 bits or RSA (with keys smaller than CO verification (non- greater than 4096 bits and/or hash 1024 bits or greater than approved) functions other than SHA2-224, SHA2- 4096 bits and/or hash 256, SHA2-384, SHA2-512), DSA, ECDSA functions other than SHA2© 2024 Canonical Ltd. / atsec information security.

Page 37

Name Description Algorithms Role (with curves other than P-256, P-384, P- 224, SHA2-256, SHA2-384,

512 or hash functions other than SHA2- SHA2-512)

224, SHA2-256, SHA2-384, SHA2-512) DSA ECDSA (with curves other than P-256, P-384, P-512 or hash functions other than SHA2-224, SHA2-256, SHA2384, SHA2-512) Digital signature RSA (with keys smaller than 2048 bits or RSA (with keys smaller than CO generation (non- greater than 4096 bits and/or hash 2048 bits or greater than approved) functions other than SHA2-224, SHA2- 4096 bits and/or hash 256, SHA2-384, SHA2-512), DSA, ECDSA functions other than SHA2(with curves other than P-256, P-384, P- 224, SHA2-256, SHA2-384,

512 or hash functions other than SHA2- SHA2-512)

224, SHA2-256, SHA2-384, SHA2-512) ECDSA (with curves other than P-256, P-384, P-512 or hash functions other than SHA2-224, SHA2-256, SHA2384, SHA2-512) DSA Key agreement; SRP, Diffie-Hellman (with domain SRP CO Shared secret parameters other than safe primes), EC Diffie-Hellman (with domain computation (non- Diffie-Hellman (with curves other than parameters other than safe approved) P-256, P-384, P-512) primes) EC Diffie-Hellman (with curves other than P-256, P384, P-512) Key encapsulation; RSA (encapsulation and un- RSA (encapsulation and un- CO Key un- encapsulation with any key sizes) encapsulation with any key encapsulation (non- sizes) approved) Random number Yarrow Yarrow CO generation (nonapproved) Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not support the loading of external software/firmware.

4.6 Bypass Actions and Status
4.7 Cryptographic Output Actions and Status
4.8 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 38
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module listed in section 2. If the HMAC values do not match, the test fails, and the module enters the error state.

5.2 Initiate on Demand

The pre-operational integrity self-test can be initiated on demand by calling the Self-Test service (via the gnutls_fips140_run_self_tests() function) or by powering-off and reloading the module. During the execution of the on-demand integrity self-test, services are not available, and no data output is possible.

5.3 Open-Source Parameters
5.4 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 39
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: N/A

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.3 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 40
7 Physical Security

The module is comprised of software only, and therefore this section is not applicable.

7.1 Mechanisms and Actions Required
7.2 User Placed Tamper Seals

Number: Placement: Surface Preparation: Operator Responsible for Securing Unused Seals: Part Numbers: N/A

7.3 Filler Panels
7.4 Fault Induction Mitigation
7.5 EFP/EFT Information

Temp/Voltage Temperature EFP Result Type or Voltage or EFT LowTemperature HighTemperature LowVoltage HighVoltage Table 16: EFP/EFT Information

7.6 Hardness Testing Temperature Ranges

Temperature Temperature Type LowTemperature HighTemperature © 2024 Canonical Ltd. / atsec information security.

Page 41

Table 17: Hardness Testing Temperatures

7.7 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 42
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism, and therefore this section is not applicable.

8.1 Mitigation Techniques
8.2 Effectiveness
8.3 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 43
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service Dynamic execution. Table 18: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator Cryptographic Plaintext Manual Electronic parameters calling module application (within TOEPP) API output CryptographicOperator Plaintext Manual Electronic parameters module calling application (within TOEPP) Table 19: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Wipe and Zeroizes the Memory occupied by To zeroize AES keys, call Free SSPs contained SSPs is overwritten gnutls_cipher_deinit() or memory within the with zeroes and then gnutls_aead_cipher_deinit(); to zeroize block cipher handle. it is released, which HMAC keys, call gnutls_hmac_deinit(); to allocated renders the SSP zeroize RSA or ECDSA public/private keys, values irretrievable. call gnutls_privkey_deinit() or The completion of gnutls_x509_privkey_deinit() or the zeroization gnutls_rsa_params_deinit(); to zeroize routine indicates that Diffie-Hellman public/private keys, call the zeroization has gnutls_dh_params_deinit() or been completed gnutls_pk_params_clear(); to zeroize EC Diffie-Hellman public/private keys, call gnutls_pk_params_clear(); to zeroize (Diffie-Hellman) Shared secret or (EC Diffie-Hellman) Shared secret, call zeroize_key(); to zeroize entropy input, DRBG seed, or DRBG internal state, call gnutls_global_deinit(); to zeroize TLS premaster secret, TLS master secret, TLS derived secret, or PBKDF derived key, call gnutls_deinit() © 2024 Canonical Ltd. / atsec information security.

Page 44

Zeroization Description Rationale Operator Initiation Method Automatic Automatically Memory occupied by N/A zeroized by the SSPs is overwritten module when with zeroes, which no longer renders the SSP needed values irretrievable. Module De-allocates Volatile memory By unloading and reloading the module Reset the volatile used by the module memory used is overwritten within to store SSPs nanoseconds when power is removed. The completion of module power-off indicates that the zeroization has been completed Table 20: SSP Zeroization Methods All data output is inhibited when the module is performing zeroization.

9.4 SSPs

Name Description Size - Type - Generated Establishe Used By Strength Category By d By AES key Used for 128, 192, Symmetric Deterministi Symmetric Symmetric 256 bits - key - CSP c random encryption encryption; 128, 192, bit Symmetric Symmetric 256 bits generation decryption decryption; Message Message authenticatio authenticatio n code (MAC) n code (MAC); HMAC key Used for 112 to Symmetric Deterministi Message Message 256 bits - key - CSP c random authenticatio Authenticatio 112 to bit n code (MAC) n Code (MAC) 256 bits generation RSA public Used for 2048, Public key - Asymmetric Digital key Digital 3072, PSP key signature signature 4096-bit generation verification verification; modulus Transport 112, 128, Layer 149 bits Security (TLS) network protocol RSA private Used for 2048, Private key Asymmetric Digital key Digital 3072, - CSP key signature signature 4096-bit generation generation generation; modulus Transport 112, 128, Layer 149 bits Security (TLS) © 2024 Canonical Ltd. / atsec information security.

Page 45

Name Description Size - Type - Generated Establishe Used By Strength Category By d By network protocol ECDSA Used for P-256, P- Public key - Asymmetric Digital public key Digital 384, P- PSP key signature signature 521 - 128, generation verification verification; 192, 256 Public key bits verification; Transport Layer Security (TLS) network protocol ECDSA Used for P-256, P- Private key Asymmetric Digital private key Digital 384, P- - CSP key signature signature 521 - 128, generation generation generation; 192, 256 Transport bits Layer Security (TLS) network protocol Diffie- Used for ffdhe204 Public key - Asymmetric (DiffieHellman Shared secret 8, PSP key Hellman) public key computation; ffdhe307 generation shared secret Transport 2, computation Layer ffdhe409 Security (TLS) 6, network ffdhe614 protocol 4, ffdhe819 2, MODP2048, MODP3072, MODP4096, MODP6144, MODP-

8192 -
112 to
200 bits

Diffie- Used for ffdhe204 Private key Asymmetric (DiffieHellman Shared secret 8, - CSP key Hellman) private key computation; ffdhe307 generation shared secret Transport 2, computation Layer ffdhe409 Security (TLS) 6, network ffdhe614 protocol 4, ffdhe819 2, MODP2048, © 2024 Canonical Ltd. / atsec information security.

Page 46

Name Description Size - Type - Generated Establishe Used By Strength Category By d By MODP3072, MODP4096, MODP6144, MODP-

8192 -
112 to
200 bits

EC Diffie- Used for P-256, P- Public key - Asymmetric (EC DiffieHellman Shared secret 384, P- PSP key Hellman) public key computation; 521 - 128, generation shared secret Transport 192, 256 computation Layer bits Security (TLS) network protocol EC Diffie- Used for P-256, P- Private key Asymmetric (EC DiffieHellman Shared secret 384, P- - CSP key Hellman) private key computation; 521 - 128, generation shared secret Transport 192, 256 computation Layer bits Security (TLS) network protocol Diffie- Used for Key ffdhe204 Shared (Diffie- Key Hellman derivation 8, secret - CSP Hellman) derivation Shared ffdhe307 shared secret 2, secret ffdhe409 computatio 6, n ffdhe614 4, ffdhe819 2, MODP2048, MODP3072, MODP4096, MODP6144, MODP-

8192 -
112 to
200 bits

EC Diffie- Used for Key P-256, P- Shared (EC Diffie- Key Hellman derivation 384, P- secret - CSP Hellman) derivation Shared 521 - 128, shared secret 192, 256 secret bits computatio n © 2024 Canonical Ltd. / atsec information security.

Page 47

Name Description Size - Type - Generated Establishe Used By Strength Category By d By PBKDF Used for Key 20 Password - Key password derivation character CSP derivation or s or more passphrase - N/A PBKDF Used for 112 to Symmetric Key derived key protection of 256 bits - key - CSP derivation storage data 112 to

256 bits

Entropy Used for 256 to Entropy Deterministic input Random 384 bits - Input - CSP random bit number 256 bits generation generation DRBG seed Used for 256 to Seed - CSP Deterministi Deterministic Random 384 bits - c random random bit number 256 to bit generation generation 384 bits generation DRBG Used for V: 128 Internal Deterministi Deterministic internal Random bits; Key: state - CSP c random random bit state: V number 256 bits - bit generation value, key generation. 256 bits generation This SSP is a CSP in compliance with IG D.L TLS pre- Used for ffdhe204 Shared (EC Diffie- Key master Transport 8, secret - CSP Hellman) derivation secret Layer ffdhe307 shared Security (TLS) 2, secret network ffdhe409 computatio protocol 6, n ffdhe614 (Diffie4, Hellman) ffdhe819 shared 2, MODP- secret 2048, computatio MODP- n 3072, MODP4096, MODP6144, MODP8192, P256, P384, P-

521 - 112

to 256 bits TLS master Used for 384 bits - Intermediat Key Key secret Transport 112 to e secret derivation derivation Layer 256 bits value - CSP Security (TLS) network protocol © 2024 Canonical Ltd. / atsec information security.

Page 48

Name Description Size - Type - Generated Establishe Used By Strength Category By d By TLS derived Used in 112 to Derived key Key secret Transport 256 bits - - CSP derivation Layer 112 to Security (TLS) 256 bits network protocol Intermediat Used in 256 to Intermediat Asymmetric Asymmetric e key Asymmetric 8192 bits e key key key generation key - 112 to generation generation generation value generation 256 bits value - CSP HKDF Key derived 112 to Symmetric Key derived key from HKDF 256 bits - key - CSP derivation

112 to
256 bits

Table 21: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext Until Wipe and DRBG internal state: parameters explicitly Free V value, API output zeroized by memory key:Generated from parameters operator block allocated Module Reset HMAC key API input RAM:Plaintext Until Wipe and DRBG internal state: parameters explicitly Free V value, API output zeroized by memory key:Generated from parameters operator block allocated Module Reset RSA public API input RAM:Plaintext Until Wipe and RSA private key parameters explicitly Free key:Paired With API output zeroized by memory Intermediate key parameters operator block generation allocated value:Generated from Module Reset RSA private API input RAM:Plaintext Until Wipe and RSA public key:Paired key parameters explicitly Free With API output zeroized by memory Intermediate key parameters operator block generation allocated value:Generated from Module Reset ECDSA public API input RAM:Plaintext Until Wipe and ECDSA private key parameters explicitly Free key:Paired With API output zeroized by memory Intermediate key parameters operator block generation allocated value:Generated from Module Reset © 2024 Canonical Ltd. / atsec information security.

Page 49

Name Input - Storage Storage Zeroization Related SSPs Output Duration ECDSA API input RAM:Plaintext Until Wipe and ECDSA public private key parameters explicitly Free key:Paired With API output zeroized by memory Intermediate key parameters operator block generation allocated value:Generated from Module Reset Diffie- API input RAM:Plaintext Until Wipe and Diffie-Hellman Shared Hellman parameters explicitly Free secret:Used to public key API output zeroized by memory compute parameters operator block Diffie-Hellman private allocated key:Paired With Module Intermediate key Reset generation value:Generated from Diffie- API input RAM:Plaintext Until Wipe and Diffie-Hellman Shared Hellman parameters explicitly Free secret:Used to private key API output zeroized by memory compute parameters operator block Diffie-Hellman public allocated key:Paired With Module Intermediate key Reset generation value:Generated from EC Diffie- API input RAM:Plaintext Until Wipe and EC Diffie-Hellman Hellman parameters explicitly Free Shared secret:Used to public key API output zeroized by memory compute parameters operator block EC Diffie-Hellman allocated private key:Paired Module With Reset Intermediate key generation value:Generated from EC Diffie- API input RAM:Plaintext Until Wipe and EC Diffie-Hellman Hellman parameters explicitly Free Shared secret: Used private key API output zeroized by memory to compute parameters operator block EC Diffie-Hellman allocated public key:Paired Module With Reset Intermediate key generation value:Generated from Diffie- API input RAM:Plaintext Until Wipe and Diffie-Hellman public Hellman parameters explicitly Free key:Computed using Shared secret API output zeroized by memory Diffie-Hellman private parameters operator block key:Computed using allocated HKDF derived Module key:Used to derive Reset EC Diffie- API input RAM:Plaintext Until Wipe and EC Diffie-Hellman Hellman parameters explicitly Free public key:Computed Shared secret API output zeroized by memory using parameters operator block EC Diffie-Hellman allocated private key:Computed using © 2024 Canonical Ltd. / atsec information security.

Page 50

Name Input - Storage Storage Zeroization Related SSPs Output Duration Module HKDF derived Reset key:Used to derive PBKDF API input RAM:Plaintext From service Automatic PBKDF derived password or parameters invocation key:Used to derive passphrase to service completion PBKDF API output RAM:Plaintext Until Wipe and PBKDF password or derived key parameters explicitly Free passphrase:Derived zeroized by memory From operator block allocated Module Reset Entropy input RAM:Plaintext Until Automatic DRBG seed:Used to explicitly Module compute zeroized by Reset operator DRBG seed RAM:Plaintext Until Automatic Entropy explicitly Module input:Computed from zeroized by Reset DRBG internal state: operator V value, key:Used to compute DRBG RAM:Plaintext Until Wipe and DRBG internal state: explicitly Free seed:Computed from V value, key zeroized by memory operator block allocated Module Reset TLS pre- RAM:Plaintext Until Wipe and TLS master master secret explicitly Free secret:Used to zeroized by memory compute operator block allocated Module Reset TLS master RAM:Plaintext Until Wipe and TLS pre-master secret explicitly Free secret:Computed zeroized by memory from operator block TLS derived allocated secret:Used to derive Module Reset TLS derived API output RAM:Plaintext Until Wipe and TLS master secret parameters explicitly Free secret:Derived From zeroized by memory operator block allocated Module Reset Intermediate RAM:Plaintext From service Automatic RSA public key invocation key:Intermediate value obtained during © 2024 Canonical Ltd. / atsec information security.

Page 51

Name Input - Storage Storage Zeroization Related SSPs Output Duration generation to service generated of value completion RSA private key:Intermediate value obtained during generated of ECDSA public key:Intermediate value obtained during generated of ECDSA private key:Intermediate value obtained during generated of Diffie-Hellman public key:Intermediate value obtained during generated of Diffie-Hellman private key:Intermediate value obtained during generated of EC Diffie-Hellman public key:Intermediate value obtained during generated of EC Diffie-Hellman private key:Intermediate value obtained during generated of HKDF derived API output RAM:Plaintext Until Wipe and Diffie-Hellman Shared key parameters explicitly Free secret:Derived From zeroized by memory EC Diffie-Hellman operator block Shared secret:Derived allocated From Module Reset Table 22: SSP Table 2

9.5 Transitions
9.6 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 52
10 Self-Tests

The module performs the pre-operational self-test and cryptographic algorithm self-tests (CASTs) automatically when the module is loaded into memory. The module’s services are not available for use and data input and output are inhibited until the pre-operational tests and CASTs are completed successfully. If any of the pre-operational integrity self-tests or CASTs fail, an error message is returned and the module transitions to the error state.

10.1 Pre-Operational Self-Tests

Algorithm or Test Test Test Type Indicator Details Test Properties Method HMAC-SHA2- SHA2-256 KAT SW/FW Module becomes MAC tag

256 (A3665) Integrity operational and services computation and

are available for use verification HMAC-SHA2- SHA2-256 KAT SW/FW Module becomes MAC tag

256 (A3667) Integrity operational and services computation and

are available for use verification HMAC-SHA2- SHA2-256 KAT SW/FW Module becomes MAC tag

256 (A3714) Integrity operational and services computation and

are available for use verification HMAC-SHA2- SHA2-256 KAT SW/FW Module becomes MAC tag

256 (A3710) Integrity operational and services computation and

are available for use verification Table 23: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3665) becomes Decryption initialization operational and services are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3667) becomes Decryption initialization operational and services are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3708) becomes Decryption initialization operational and services are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3709) becomes Decryption initialization operational and services © 2024 Canonical Ltd. / atsec information security.

Page 53

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3711) becomes Decryption initialization operational and services are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3712) becomes Decryption initialization operational and services are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3713) becomes Decryption initialization operational and services are available for use AES-CBC 256-bit key KAT CAST Module Encryption, On module (A3714) becomes Decryption initialization operational and services are available for use AES-CFB8 256-bit key KAT CAST Module Encryption, On module (A3670) becomes Decryption initialization operational and services are available for use AES-CFB8 256-bit key KAT CAST Module Encryption, On module (A3716) becomes Decryption initialization operational and services are available for use AES-CFB8 256-bit key KAT CAST Module Encryption, On module (A3717) becomes Decryption initialization operational and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3665) becomes Decryption initialization operational and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3667) becomes Decryption initialization operational © 2024 Canonical Ltd. / atsec information security.

Page 54

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3708) becomes Decryption initialization operational and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3709) becomes Decryption initialization operational and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3711) becomes Decryption initialization operational and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3712) becomes Decryption initialization operational and services are available for use AES-GCM 256-bit key KAT CAST Module Encryption, On module (A3713) becomes Decryption initialization operational and services are available for use AES-XTS 256-bit key KAT CAST Module Encryption, On module Testing becomes Decryption initialization Revision 2.0 operational (A3668) and services are available for use KAS-FFC-SSC 3072-bit key KAT CAST Module Primitive “Z” On module Sp800-56Ar3 and safe becomes computation initialization (A3667) prime operational ffdhe3072 and services are available for use Counter 256-bit key KAT CAST Module Random bit On module DRBG without DF, becomes generation initialization (A3667) without PR operational and services are available for use KAS-ECC- P-256 KAT CAST Module Primitive “Z” On module SSC Sp800- becomes Computation initialization © 2024 Canonical Ltd. / atsec information security.

Page 55

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type 56Ar3 operational (A3667) and services are available for use ECDSA P-256 using KAT CAST Module Signature On module SigGen SHA2-256 becomes generation initialization (FIPS186-4) operational (A3667) and services are available for use ECDSA P-256 using KAT CAST Module Signature On module SigVer SHA2-256 becomes verification initialization (FIPS186-4) operational (A3667) and services are available for use KDA HKDF HMAC- KAT CAST Module Key derivation On module Sp800-56Cr1 SHA2-256 becomes initialization (A3666) operational and services are available for use HMAC-SHA- SHA-1 KAT CAST Module MAC generation On module

1 (A3665) becomes initialization

operational and services are available for use HMAC-SHA- SHA-1 KAT CAST Module MAC generation On module

1 (A3667) becomes initialization

operational and services are available for use HMAC-SHA- SHA-1 KAT CAST Module MAC generation On module

1 (A3714) becomes initialization

operational and services are available for use HMAC-SHA- SHA-1 KAT CAST Module MAC generation On module

1 (A3710) becomes initialization

operational and services are available for use HMAC- SHA-224 KAT CAST Module MAC generation On module SHA2-224 becomes initialization (A3665) operational and services are available for use © 2024 Canonical Ltd. / atsec information security.

Page 56

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- SHA-224 KAT CAST Module MAC generation On module SHA2-224 becomes initialization (A3667) operational and services are available for use HMAC- SHA-224 KAT CAST Module MAC generation On module SHA2-224 becomes initialization (A3714) operational and services are available for use HMAC- SHA-224 KAT CAST Module MAC generation On module SHA2-224 becomes initialization (A3710) operational and services are available for use HMAC- SHA-256 KAT CAST Module MAC generation On module SHA2-256 becomes initialization (A3665) operational and services are available for use HMAC- SHA-256 KAT CAST Module MAC generation On module SHA2-256 becomes initialization (A3667) operational and services are available for use HMAC- SHA-256 KAT CAST Module MAC generation On module SHA2-256 becomes initialization (A3714) operational and services are available for use HMAC- SHA-256 KAT CAST Module MAC generation On module SHA2-256 becomes initialization (A3710) operational and services are available for use HMAC- SHA-384 KAT CAST Module MAC generation On module SHA2-384 becomes initialization (A3665) operational and services are available for use HMAC- SHA-384 KAT CAST Module MAC generation On module SHA2-384 becomes initialization (A3667) operational and services © 2024 Canonical Ltd. / atsec information security.

Page 57

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type are available for use HMAC- SHA-384 KAT CAST Module MAC generation On module SHA2-384 becomes initialization (A3714) operational and services are available for use HMAC- SHA-384 KAT CAST Module MAC generation On module SHA2-384 becomes initialization (A3710) operational and services are available for use HMAC- SHA-512 KAT CAST Module MAC generation On module SHA2-512 becomes initialization (A3665) operational and services are available for use HMAC- SHA-512 KAT CAST Module MAC generation On module SHA2-512 becomes initialization (A3667) operational and services are available for use HMAC- SHA-512 KAT CAST Module MAC generation On module SHA2-512 becomes initialization (A3714) operational and services are available for use HMAC- SHA-512 KAT CAST Module MAC generation On module SHA2-512 becomes initialization (A3710) operational and services are available for use PBKDF HMAC- KAT CAST Module Key derivation On module (A3667) SHA2-256 becomes initialization operational and services are available for use RSA SigGen 2048-bit key KAT CAST Module Signature On module (FIPS186-4) using SHA2- becomes generation initialization (A3667) 256 operational and services are available for use RSA SigVer 2048-bit key KAT CAST Module Signature On module (FIPS186-4) using SHA2- becomes verification initialization (A3667) 256 operational © 2024 Canonical Ltd. / atsec information security.

Page 58

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use SHA3-224 SHA3-224 KAT CAST Module Hash digest On module (A3669) becomes initialization operational and services are available for use SHA3-224 SHA3-224 KAT CAST Module Hash digest On module (A3715) becomes initialization operational and services are available for use SHA3-256 SHA3-256 KAT CAST Module Hash digest On module (A3669) becomes initialization operational and services are available for use SHA3-256 SHA3-256 KAT CAST Module Hash digest On module (A3715) becomes initialization operational and services are available for use SHA3-384 SHA3-384 KAT CAST Module Hash digest On module (A3669) becomes initialization operational and services are available for use SHA3-384 SHA3-384 KAT CAST Module Hash digest On module (A3715) becomes initialization operational and services are available for use SHA3-512 SHA3-512 KAT CAST Module Hash digest On module (A3669) becomes initialization operational and services are available for use SHA3-512 SHA3-512 KAT CAST Module Hash digest On module (A3715) becomes initialization operational and services are available for use © 2024 Canonical Ltd. / atsec information security.

Page 59

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type TLS v1.2 KDF HMAC- KAT CAST Module Key derivation, On module RFC7627 SHA2-256 becomes using extended initialization (A3667) operational master secret and services are available for use ECDSA SHA2-256 PCT PCT Module Signature After every KeyGen remains generation and ECDSA and (FIPS186-4) operational verification ECDH key (A3667) and services generation remain available for use RSA KeyGen SHA2-256 PCT PCT Module Signature After every (FIPS186-4) remains generation and RSA key (A3667) operational verification generation and services remain available for use Safe Primes Section PCT PCT Module Modular After every Key 5.6.2.1.4 of remains exponentiation DiffieGeneration SP800- operational with private key Hellman key (A3667) 56Arev3 and services generation remain available for use Table 24: Conditional Self-Tests

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2- KAT SW/FW On demand Manually by unloading then

256 (A3665) Integrity loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT SW/FW On demand Manually by unloading then

256 (A3667) Integrity loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT SW/FW On demand Manually by unloading then

256 (A3714) Integrity loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT SW/FW On demand Manually by unloading then

256 (A3710) Integrity loading module, or by calling

the © 2024 Canonical Ltd. / atsec information security.

Page 60

Algorithm or Test Method Test Type Period Periodic Method Test gnutls_fips140_run_self_tests() function Table 25: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Method Test AES-CBC KAT CAST On demand Manually by unloading then (A3665) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3667) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3708) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3709) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3711) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3712) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3713) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CBC KAT CAST On demand Manually by unloading then (A3714) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CFB8 KAT CAST On demand Manually by unloading then (A3670) loading module, or by calling the gnutls_fips140_run_self_tests() function © 2024 Canonical Ltd. / atsec information security.

Page 61

Algorithm or Test Method Test Type Period Periodic Method Test AES-CFB8 KAT CAST On demand Manually by unloading then (A3716) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-CFB8 KAT CAST On demand Manually by unloading then (A3717) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3665) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3667) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3708) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3709) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3711) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3712) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-GCM KAT CAST On demand Manually by unloading then (A3713) loading module, or by calling the gnutls_fips140_run_self_tests() function AES-XTS KAT CAST On demand Manually by unloading then Testing loading module, or by calling Revision 2.0 the (A3668) gnutls_fips140_run_self_tests() function KAS-FFC-SSC KAT CAST On demand Manually by unloading then Sp800-56Ar3 loading module, or by calling (A3667) the © 2024 Canonical Ltd. / atsec information security.

Page 62

Algorithm or Test Method Test Type Period Periodic Method Test gnutls_fips140_run_self_tests() function Counter DRBG KAT CAST On demand Manually by unloading then (A3667) loading module, or by calling the gnutls_fips140_run_self_tests() function KAS-ECC-SSC KAT CAST On demand Manually by unloading then Sp800-56Ar3 loading module, or by calling (A3667) the gnutls_fips140_run_self_tests() function ECDSA SigGen KAT CAST On demand Manually by unloading then (FIPS186-4) loading module, or by calling (A3667) the gnutls_fips140_run_self_tests() function ECDSA SigVer KAT CAST On demand Manually by unloading then (FIPS186-4) loading module, or by calling (A3667) the gnutls_fips140_run_self_tests() function KDA HKDF KAT CAST On demand Manually by unloading then Sp800-56Cr1 loading module, or by calling (A3666) the gnutls_fips140_run_self_tests() function HMAC-SHA-1 KAT CAST On demand Manually by unloading then (A3665) loading module, or by calling the gnutls_fips140_run_self_tests() function HMAC-SHA-1 KAT CAST On demand Manually by unloading then (A3667) loading module, or by calling the gnutls_fips140_run_self_tests() function HMAC-SHA-1 KAT CAST On demand Manually by unloading then (A3714) loading module, or by calling the gnutls_fips140_run_self_tests() function HMAC-SHA-1 KAT CAST On demand Manually by unloading then (A3710) loading module, or by calling the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

224 (A3665) loading module, or by calling

the gnutls_fips140_run_self_tests() function © 2024 Canonical Ltd. / atsec information security.

Page 63

Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2- KAT CAST On demand Manually by unloading then

224 (A3667) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

224 (A3714) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

224 (A3710) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

256 (A3665) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

256 (A3667) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

256 (A3714) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

256 (A3710) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

384 (A3665) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

384 (A3667) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

384 (A3714) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

384 (A3710) loading module, or by calling

the © 2024 Canonical Ltd. / atsec information security.

Page 64

Algorithm or Test Method Test Type Period Periodic Method Test gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

512 (A3665) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

512 (A3667) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

512 (A3714) loading module, or by calling

the gnutls_fips140_run_self_tests() function HMAC-SHA2- KAT CAST On demand Manually by unloading then

512 (A3710) loading module, or by calling

the gnutls_fips140_run_self_tests() function PBKDF KAT CAST On demand Manually by unloading then (A3667) loading module, or by calling the gnutls_fips140_run_self_tests() function RSA SigGen KAT CAST On demand Manually by unloading then (FIPS186-4) loading module, or by calling (A3667) the gnutls_fips140_run_self_tests() function RSA SigVer KAT CAST On demand Manually by unloading then (FIPS186-4) loading module, or by calling (A3667) the gnutls_fips140_run_self_tests() function SHA3-224 KAT CAST On demand Manually by unloading then (A3669) loading module, or by calling the gnutls_fips140_run_self_tests() function SHA3-224 KAT CAST On demand Manually by unloading then (A3715) loading module, or by calling the gnutls_fips140_run_self_tests() function SHA3-256 KAT CAST On demand Manually by unloading then (A3669) loading module, or by calling the gnutls_fips140_run_self_tests() function © 2024 Canonical Ltd. / atsec information security.

Page 65

Algorithm or Test Method Test Type Period Periodic Method Test SHA3-256 KAT CAST On demand Manually by unloading then (A3715) loading module, or by calling the gnutls_fips140_run_self_tests() function SHA3-384 KAT CAST On demand Manually by unloading then (A3669) loading module, or by calling the gnutls_fips140_run_self_tests() function SHA3-384 KAT CAST On demand Manually by unloading then (A3715) loading module, or by calling the gnutls_fips140_run_self_tests() function SHA3-512 KAT CAST On demand Manually by unloading then (A3669) loading module, or by calling the gnutls_fips140_run_self_tests() function SHA3-512 KAT CAST On demand Manually by unloading then (A3715) loading module, or by calling the gnutls_fips140_run_self_tests() function TLS v1.2 KDF KAT CAST On demand Manually by unloading then RFC7627 loading module, or by calling (A3667) the gnutls_fips140_run_self_tests() function ECDSA PCT PCT On demand By calling the "Asymmetric key KeyGen Generation" service (FIPS186-4) (A3667) RSA KeyGen PCT PCT On demand By calling the "Asymmetric key (FIPS186-4) Generation" service (A3667) Safe Primes PCT PCT On demand By calling the "Asymmetric key Key Generation" service Generation (A3667) Table 26: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error Prevents any When the Restarting GNUTLS_E_SELF_TEST_ERROR (-400); State cryptographic integrity test or the GNUTLS_E_RANDOM_FAILED (-206); related KAT (not the module GNUTLS_E_PK_GENERATION_ERROR (operations and DRBG KAT) fail; 403); GNUTLS_E_LIB_IN_ERROR_STATE (data output When the DRBG 402) © 2024 Canonical Ltd. / atsec information security.

Page 66

Name Description Conditions Recovery Indicator Method KAT fails; When a newly generated RSA, ECDSA, DiffieHellman or EC Diffie-Hellman key pair fails the PCT; When the module is in error state and caller requests cryptographic operations; Table 27: Error States The calling application can obtain the module state by calling the gnutls_fips140_get_operation_state() API function. The function returns GNUTLS_FIPS140_OP_ERROR if the module is in the Error state.

10.5 Operator Initiation of Self-Tests

The operator can initiate the pre-operational integrity self-test and cryptographic algorithm self-tests by calling the Self-Test service (via the gnutls_fips140_run_self_tests() function) or by powering-off and reloading the module. The operator can initiate a pairwise consistency self-test by calling the “Asymmetric key generation” service. During the execution of the pre-operational integrity self-test and cryptographic algorithm self-tests, services are not available, and no data output is possible.

10.6 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 67
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
11.1.1 Configuration of the Operating Environment

The module needs to be set to run in the FIPS validated operational environment. This can be enabled automatically via the Ubuntu Advantage tool after attaching your subscription. (1) To install the tool, type the following commands: $ sudo apt update $ sudo apt install ubuntu-advantage-tools (2) To activate the Ubuntu Pro subscription run: $ sudo pro attach <your_pro_token> (3) To enable the FIPS validated operational environment run: $ sudo pro enable fips (4) To verify that the FIPS validated operational environment is enabled run: $ sudo pro status The pro client will install the necessary packages that are part of the FIPS validated operational environment, including the kernel and the bootloader. After this step you MUST reboot to enter the FIPS validated operational environment. The reboot will boot into the kernel of the FIPS validated operational environment and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in the approved mode of operation. If you do not reboot after installing and configuring the bootloader, you will not be in the FIPS validated operational environment. To verify that the FIPS validated operational environment is enabled after the reboot check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in the approved mode of operation. If the file is missing, the correct kernel (which is part of the FIPS validated operational environment) is not installed. You can verify that the FIPS validated operational environment has been properly enabled with the pro status command. Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment. If the module is not installed, initialized, and configured according to this section, the module is in a noncompliant state. If the module is in a non-compliant state, it can be placed into the compliant state by un-initializing and uninstalling the module and then installing, initializing, and configuring the module according to this section.

11.1.2 Delivery of the Module

On the Supermicro SYS-1019P-WTR hardware platform with the Intel Xeon Gold 6226 processor, the module is delivered through the following Ubuntu packages: © 2024 Canonical Ltd. / atsec information security.

Page 68

libgnutls30_3.7.3-4ubuntu1.2+Fips1.1_amd64.deb libnettle8_3.7.3-1ubuntu0.1~Fips1_amd64.deb libhogweed6_3.7.3-1ubuntu0.1~Fips1_amd64.deb libgmp10_6.2.1+dfsg-3ubuntu1+Fips1_amd64.deb On the Amazon Web Services (AWS) c6g.metal hardware platform with the AWS Graviton2 processor, the module is delivered through the following Ubuntu packages: libgnutls30_3.7.3-4ubuntu1.2+Fips1.1_arm64.deb libnettle8_3.7.3-1ubuntu0.1~Fips1_arm64.deb libhogweed6_3.7.3-1ubuntu0.1~Fips1_arm64.deb libgmp10_6.2.1+dfsg-3ubuntu1+Fips1_arm64.deb On the IBM z15 hardware platform with the z15 processor, the module is delivered through the following Ubuntu packages: libgnutls30_3.7.3-4ubuntu1.2+Fips1.1_s390x.deb libnettle8_3.7.3-1ubuntu0.1~Fips1_s390x.deb libhogweed6_3.7.3-1ubuntu0.1~Fips1_s390x.deb libgmp10_6.2.1+dfsg-3ubuntu1+Fips1_s390x.deb

11.1.3 Installation of the Module

After the operating environment has been configured according to the instructions of section 11.1.1, the Crypto Officer can install the Ubuntu packages containing the module using the Advanced Package Tool (APT) with the following commands: $ sudo apt-get install libgnutls30=3.7.3-4ubuntu1.2+Fips1.1 $ sudo apt-get install libgmp10=2:6.2.1+dfsg-3ubuntu1+Fips1 $ sudo apt-get install libhogweed6=3.7.3-1ubuntu0.1~Fips1 $ sudo apt-get install libnettle8=3.7.3-1ubuntu0.1~Fips1 All the Ubuntu packages are associated with hashes for integrity check. The integrity of the Ubuntu package is automatically verified by the packing tool during the installation of the module. The Crypto Officer shall not install the package if the integrity fails. The module cannot use the following environment variables: GNUTLS_NO_EXPLICIT_INIT GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS The module can only be used with the cryptographic algorithms provided. Therefore, the following API functions are forbidden in the approved mode of operation: gnutls_crypto_register_cipher gnutls_crypto_register_aead_cipher gnutls_crypto_register_mac gnutls_crypto_register_digest gnutls_privkey_import_ext4

11.2 Administrator Guidance

© 2024 Canonical Ltd. / atsec information security.

Page 69

The Crypto Officer shall follow this Security Policy to configure the operational environment and install the module to be operated in the approved mode. The output of the “Show module name and version” service is: “Canonical Ltd. Ubuntu 22.04 GnuTLS Cryptographic Module” and "3.7.3-4ubuntu1.2+Fips1.1".

11.3 Non-Administrator Guidance

The approved security functions are listed in section 2.6 of this security policy. The logical interfaces available to the users of the cryptographic module are listed in section 3.1. For the secure operation of the module, the operator must follow the instructions in section 11.1 of this security policy.

11.4 Design and Rules
11.5 Maintenance Requirements
11.6 End of Life

For secure sanitization of the cryptographic module, the module needs first to be powered off, which will zeroize all keys and CSPs in volatile memory. The module does not possess persistent storage of SSPs, so further sanitization steps are not needed.

11.7 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 70
12 Mitigation of Other Attacks

The module does not mitigate other attacks.

12.1 Attack List
12.2 Mitigation Effectiveness
12.3 Guidance and Constraints
12.4 Additional Information

N/A © 2024 Canonical Ltd. / atsec information security.

Page 71

Appendix A: TLS Cipher Suites The module supports the following cipher suites for the TLS protocol version 1.0, 1.1, 1.2 and 1.3, compliant with section 3.3.1 of SP800-52rev2. Each cipher suite defines the key exchange algorithm, the bulk encryption algorithm (including the symmetric key size) and the MAC algorithm. Cipher Suite ID Reference TLS_DH_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x31 } RFC3268 TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x33 } RFC3268 TLS_DH_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x37 } RFC3268 TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x39 } RFC3268 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x3F } RFC5246 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x67 } RFC5246 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 { 0x00,0x69 } RFC5246 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 { 0x00,0x6B } RFC5246 TLS_PSK_WITH_AES_128_CBC_SHA { 0x00, 0x8C } RFC4279 TLS_PSK_WITH_AES_256_CBC_SHA { 0x00, 0x8D } RFC4279 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 { 0x00, 0x9E } RFC5288 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 { 0x00, 0x9F } RFC5288 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 { 0x00, 0xA0 } RFC5288 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 { 0x00, 0xA1 } RFC5288 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { 0xC0, 0x04 } RFC4492 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { 0xC0, 0x05 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0, 0x09 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0, 0x0A } RFC4492 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { 0xC0, 0x0E } RFC4492 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { 0xC0, 0x0F } RFC4492 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0, 0x13 } RFC4492 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0, 0x14 } RFC4492 © 2024 Canonical Ltd. / atsec information security.

Page 72

Cipher Suite ID Reference TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x23 } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x24 } RFC5289 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x25 } RFC5289 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x26 } RFC5289 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x27 } RFC5289 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x28 } RFC5289 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x29 } RFC5289 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x2A } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2B } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x2C } RFC5289 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2D } RFC5289 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x2E } RFC5289 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2F } RFC5289 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x30 } RFC5289 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x31 } RFC5289 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x32 } RFC5289 TLS_DHE_RSA_WITH_AES_128_CCM { 0xC0, 0x9E } RFC6655 TLS_DHE_RSA_WITH_AES_256_CCM { 0xC0, 0x9F } RFC6655 TLS_DHE_RSA_WITH_AES_128_CCM_8 { 0xC0, 0xA2 } RFC6655 TLS_DHE_RSA_WITH_AES_256_CCM_8 { 0xC0, 0xA3 } RFC6655 TLS_AES_128_GCM_SHA256 { 0x13, 0x01 } RFC8446 TLS_AES_256_GCM_SHA384 { 0x13, 0x02 } RFC8446 TLS_AES_128_CCM_SHA256 { 0x13, 0x04 } RFC8446 TLS_AES_128_CCM_8_SHA256 { 0x13, 0x05 } RFC8446 © 2024 Canonical Ltd. / atsec information security.

Page 73

Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DF Derivation Function DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback OS Operating System PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard © 2024 Canonical Ltd. / atsec information security.

Page 74

SSH Secure Shell SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Canonical Ltd. / atsec information security.

Page 75

Appendix C. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 https://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 https://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a.pdf © 2024 Canonical Ltd. / atsec information security.

Page 76

SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038e.pdfhttps://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-80038E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52rev2 NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP800-56Arev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Crev2 NIST Special Publication 800-56C Revision 2 - Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57rev5 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf © 2024 Canonical Ltd. / atsec information security.

Page 77

SP800-90Arev1 NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108rev1 NIST Special Publication 800-108 Revision 1 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) August 2022 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Arev2 NIST Special Publication 800-131 Revision 2 - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800132.pdf SP800-133rev2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 Canonical Ltd. / atsec information security.