| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/2/2029 |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11.1 of the Security Policy with module Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module validated to FIPS 140-3 under Cert. #4794, operating in the approved mode, and with module Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module validated to FIPS 140-3 under Cert. #4894, operating in the approved mode. |
| Vendor | Canonical Ltd. |
flowchart LR
%% Deterministic review-risk graph for Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>selftest<br/>self-test<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>selftest<br/>self-test<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module Version: 5.9.5-2ubuntu2.1+Fips1 Document Version: 1.1 Last Update: 2024-11-27 Prepared by: Prepared for: atsec information security corporation Canonical Ltd.
4516 Seton Center Parkway, Suite 250 110 Southwark Street, Blue Fin Building, 5th Floor
Austin, TX 78759 London, SE1 0SU www.atsec.com www.canonical.com © 2024 Canonical Ltd./ atsec information security.
| # | Section | Page |
|---|
© 2024 Canonical Ltd./ atsec information security.
| Item | Page |
|---|---|
| Table 1 - Security Levels | 5 |
| Table 2 - Software, Firmware, Hybrid Tested Operating Environments | 8 |
| Table 3 - Executable Code Sets | 9 |
| Table 4 - Modes List and Description | 9 |
| Table 5 - Approved Algorithms | 12 |
| Table 6 - Entropy | 12 |
| Table 7 - SSP Generation | 13 |
| Table 8 - SSP Agreement | 13 |
| Table 9 - Ports and Interfaces | 15 |
| Table 10 - Roles | 16 |
| Table 11 - Approved Services | 19 |
| Table 12 - Storage Areas | 24 |
| Table 13 - SSP Input-Output | 24 |
| Table 14 - SSP Zeroization Methods | 25 |
| Table 15 - SSP Information First | 27 |
| Table 16 - SSP Information Second | 29 |
| Table 17 - Pre-Operational Self-Tests | 30 |
| Table 18 - Conditional Self-Tests | 31 |
| Table 19 - Error States | 32 |
| Figure 1 - Block Diagram | 7 |
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security Not Applicable
8 Non-invasive Security Not Applicable
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-cycle Assurance 1
12 Mitigation of Other Attacks Not Applicable
Table 1 - Security Levels © 2024 Canonical Ltd./ atsec information security.
2. Cryptographic Module Specification 2.1. Description Purpose and Use: The Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module (hereafter referred to as “the module”) provides cryptographic services for the Internet Key Exchange (IKE) protocol in the Ubuntu Operating System user space. The module uses the Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module as a bound module (also referred to as “the bound OpenSSL module”), which provides the underlying cryptographic algorithms necessary for establishing and maintaining IKE sessions. The Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module is a FIPS-validated module with certificate #4794. The module also uses the Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module as a bound module (also referred to as “the bound Kernel Crypto API module”) for performing integrity tests. The Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module is a FIPS-validated module with certificate #4894. Module Type: Software Module Embodiment: Multi-chip standalone Module Characteristics: N/A Cryptographic Boundary: The cryptographic boundary of the module is defined as the IKEv2 daemon, the libraries and plugins, and the ipsec command. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment's Physical Perimeter (TOEPP) The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Picture or Block Diagram © 2024 Canonical Ltd./ atsec information security.
Figure 1 - Block Diagram 2.2. Version Information Hardware Versions: N/A Software Versions: 5.9.5-2ubuntu2.1+Fips1 Firmware Versions: N/A 2.3. Operating Environments Hardware Operating Environments: N/A Software, Firmware, Hybrid Tested Operating Environments: Operating Hypervisor or Hardware Platform Processors PAA/PAI System Host OS Ubuntu 22.04 Supermicro SYS-1019P-WTR Intel Xeon Gold AES-NI, SHA extensions N/A 6226 Ubuntu 22.04 Amazon Web Services (AWS) AWS Graviton2 NEON, Crypto N/A c6g.metal Extensions Ubuntu 22.04 IBM z15 IBM z15 CPACF N/A Ubuntu 22.04 Supermicro SYS-1019P-WTR Intel Xeon Gold None N/A 6226 Ubuntu 22.04 Amazon Web Services (AWS) AWS Graviton2 None N/A c6g.metal © 2024 Canonical Ltd./ atsec information security.
Operating Hypervisor or Hardware Platform Processors PAA/PAI System Host OS Ubuntu 22.04 IBM z15 IBM z15 None N/A Table 2 - Software, Firmware, Hybrid Tested Operating Environments Executable Code Sets: Hybrid Software/ Package or File Name Features Hardware Integrity Test Firmware Version Version /usr/sbin/ipsec 5.9.5- N/A N/A HMAC SHA-256 /usr/lib/ipsec/stroke 2ubuntu2.1+Fips1 /usr/lib/ipsec/starter /usr/lib/ipsec/charon /usr/lib/ipsec/pool /usr/lib/ipsec/_updown /usr/lib/ipsec/_fipscheck /usr/lib/ipsec/ikev2-kdf-selftest /usr/lib/ipsec/libstrongswan.so.0.0.0 /usr/lib/ipsec/plugins/ libstrongswan-openssl.so /usr/lib/ipsec/libcharon.so.0.0.0 /usr/lib/ipsec/plugins/libstrongswanfips-prf.so /usr/lib/ipsec/plugins/libstrongswannonce.so /usr/lib/ipsec/plugins/libstrongswandnskey.so /usr/lib/ipsec/plugins/libstrongswanpem.so /usr/lib/ipsec/plugins/libstrongswanpgp.so /usr/lib/ipsec/plugins/libstrongswanpkcs1.so /usr/lib/ipsec/plugins/libstrongswanpkcs7.so /usr/lib/ipsec/plugins/libstrongswanpkcs8.so /usr/lib/ipsec/plugins/libstrongswanpkcs12.so /usr/lib/ipsec/plugins/libstrongswanpubkey.so /usr/lib/ipsec/plugins/libstrongswansshkey.so /usr/lib/ipsec/plugins/libstrongswanx509.so /usr/lib/ipsec/plugins/libstrongswanconstraints.so /usr/lib/ipsec/plugins/libstrongswanrevocation.so /usr/lib/ipsec/plugins/libstrongswankernel-netlink.so /usr/lib/ipsec/plugins/libstrongswansocket-default.so © 2024 Canonical Ltd./ atsec information security.
Hybrid Software/ Package or File Name Features Hardware Integrity Test Firmware Version Version /usr/lib/ipsec/plugins/libstrongswanstroke.so /usr/lib/ipsec/plugins/libstrongswanattr.so /usr/lib/ipsec/plugins/libstrongswanresolve.so /usr/lib/ipsec/plugins/libstrongswanupdown.so Kernel Bound Module /boot/vmlinuz-5.15.0-73-fips 5.15.0-73-fips N/A N/A HMAC SHA-512 *.ko files in /usr/lib/modules/5.15.0- RSA signature verification 73-fips/kernel/crypto/ *.ko files in /usr/lib/modules/5.15.073-fips/kernel/arch/x86/crypto/ *.ko files in /usr/lib/modules/5.15.073-fips/kernel/arch/arm64/crypto/ *.ko files in /usr/lib/modules/5.15.073-fips/kernel/arch/s390/crypto/ /usr/lib/*-linux-gnu/libkcapi.so.1.4.0 1.4.0- HMAC SHA-512 /usr/bin/sha512hmac 1ubuntu0.1~Fips1 OpenSSL Bound Module /usr/lib/x86_64-linux-gnu/ossl- 3.0.5- N/A N/A HMAC-SHA-256 modules-3/fips.so 0ubuntu0.1+Fips2.1 Table 3 - Executable Code Sets Vendor Affirmed Operating Environments: N/A 2.4. Excluded Components There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements. 2.5. Modes of Operation Modes List and Description: Name Description Type Status Indicator Approved mode Automatically entered when the Approved Equivalent to the indicator of the module is operational. requested service. Table 4 - Modes List and Description The module enters Approved mode after passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up. The approved mode of operation is assumed once the module is operational. Mode change instructions and status indicators: The Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module implements the approved service indicator relying on a global service indicator (In compliance with IG 2.4.C - Table) which is the successful establishment of the IKE connection. Degraded Mode Description: The module does not implement a degraded mode of operation. © 2024 Canonical Ltd./ atsec information security.
2.6. Algorithms Approved Algorithms: Description / Key Algorithm and CAVP Cert Mode / Method Size(s) / Key Use / Function Standard Strengths A40171 KDF IKEv2 (CVL) HMAC with SHA-1, SHA- 112-256 bits Key derivation in the 256, SHA-384, SHA-512 IKEv2 protocol OpenSSL Bound Module A3958 A3959 AES [FIPS 197, CBC, CCM 128, 192, 256 bits Authenticated Encryption A3960 A3973 SP 800-38A, SP Authenticated Decryption A3980 A3981 800-38A A3982 Addendum, SP 800-38F] A3961 A3974 AES [FIPS 197, GCM (internal IV) 128, 192, 256 bits Authenticated Encryption A3975 A3976 SP 800-38D] A3988 A3989 A3990 A3994 A3995 A3996 A3997 A3998 A3999 A4000 A4001 A4002 A3961 A3974 AES [FIPS 197, GCM (external IV) 128, 192, 256 bits Authenticated Decryption A3975 A3976 SP 800-38D] A3988 A3989 A3990 A3994 A3995 A3996 A3997 A3998 A3999 A4000 A4001 A4002 A3970 CTR_DRBG [SP AES-128, AES-192, AES-256, 128, 192, 256 bits Random number 800-90Ar1] with/without derivation generation function, with/without prediction resistance A3962 A3977 ECDSA [FIPS SHA-224, SHA-256, SHA- P-224, P-256, P-384, Signature generation A3983 A3993 186-4] 384, SHA-512, SHA- P-521 (112-256 bits) A4003 A4004 512/224, SHA-512/256 A4005 A3964 A3972 SHA3-224, SHA3-256, A3979 SHA3-384, SHA3-512 A3962 A3977 SHA-1, SHA-224, SHA-256, P-224, P-256, P-384, Signature verification A3983 A3993 SHA-384, SHA- 512, SHA- P-521 (112-256 bits) A4003 A4004 512/224, SHA-512/256 A4005 A3964 A3972 SHA3- 224, SHA3-256, A3979 SHA3-384, SHA3-512 Although HMAC and SHA are implemented by the bound OpenSSL module, the CAVP certificate still contains HMAC and SHA as prerequisite algorithms. © 2024 Canonical Ltd./ atsec information security.
Description / Key Algorithm and CAVP Cert Mode / Method Size(s) / Key Use / Function Standard Strengths A3962 A3977 Appendix B.4.2 Testing P-224, P-256, P-384, Key pair generation A3983 A3993 Candidates P-521 (112-256 bits) A4003 A4004 A4005 A3962 A3977 N/A P-224, P-256, P-384, Key pair verification A3983 A3993 P-521 (112-256 bits) A4003 A4004 A4005 A3962 A3977 RSA [FIPS 186-4] PKCS#1 v1.5 and PSS with 2048-16384 bits Signature generation A3983 A3993 SHA-224, SHA-256, SHA- (112-256 bits) A4003 A4004 384, SHA-512, SHAA4005 512/224, SHA-512/256 A3962 A3977 PKCS#1 v1.5 and PSS with 2048-16384 bits Signature verification A3983 A3993 SHA-1, SHA-224, SHA-256, (112-256 bits) A4003 A4004 SHA-384, SHA-512, SHAA4005 512/224, SHA-512/256 A3962 A3977 HMAC [FIPS 198- SHA-1, SHA-224, SHA-256, 112-524288 bits Message authentication A3983 A3993 1] SHA-384, SHA- 512, SHA- (112-256 bits) A4003 A4004 512/224, SHA-512/256 A4005 A3962 A3977 SHA [FIPS 180-4] SHA-1, SHA-224, SHA-256, N/A Message digest A3983 A3993 SHA-384, SHA- 512, SHAA4003 A4004 512/224, SHA-512/256 A4005 A3963 HMAC [FIPS 198- SHA-256 112-524288 bits Message authentication 1] (112-256 bits) SHA [FIPS 180-4] SHA-256 N/A Message digest A3992 KAS-FFC-SSC [SP dhEphem MODP-2048, MODP- Shared secret 800-56Ar3] (initiator/responder) 3072, MODP-4096, computation MODP-6144, MODP8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 (112-200 bits) A3962 A3977 KAS-ECC-SSC [SP Ephemeral Unified Model P-224, P-256, P-384, Shared secret A3983 A3993 800-56Ar3] (initiator/responder) P-521 (112-256 bits) computation A4003 A4004 A4005 A3992 Safe primes [SP SP 800-56Ar3 Section MODP-2048, MODP- Key pair generation 800-56Ar3] 5.6.1.1.4 Testing 3072, MODP-4096, Key pair verification Candidates MODP-6144, MODP8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 (112-200 bits) © 2024 Canonical Ltd./ atsec information security.
Description / Key Algorithm and CAVP Cert Mode / Method Size(s) / Key Use / Function Standard Strengths Kernel Bound Module A3812 A3813 SHA [FIPS 180-4] SHA-256 N/A Message digest A3814 A3832 A3850 A3851 A3852 A3853 A3857 A3858 A3812 A3813 HMAC [FIPS 198- SHA-256 128-524288 bits (128 Message authentication A3814 A3832 1] bits) A3850 A3851 A3852 A3853 A3857 A3858 Table 5 - Approved Algorithms Vendor Affirmed Algorithms: N/A Non-Approved, Allowed Algorithms: The module does not implement non-approved algorithms allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: The module does not implement non-approved algorithms allowed in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: The module does not implement non-approved algorithms not allowed in the approved mode of operation. 2.7. RNG and Entropy Entropy Information: Operational Entropy Per Name Type Sample Size Conditioning Component Environment Sample OpenSSL Non-physical See Table 2 64 bits 64 bits Linear-Feedback Shift Register CPU (LFSR) Time Jitter RNG Entropy Source (Cert. #E62) Table 6 - Entropy RNG Information: The module does not implement any random number generator. Instead, it uses the Random Number Generation (RNG) service provided by the bound Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module, which implements a Deterministic Random Bit Generator (DRBG) based on [SP800-90Ar1]. The DRBG is seeded with 384 bits of entropy and 256 bits of entropy are used to reseed the DRBG. The highest SSP security strength generated by the module is 256 bits. © 2024 Canonical Ltd./ atsec information security.
2.8. SSP Generation The module implements the key derivation portion of the DH and ECDH key agreement, using the NIST SP 800-135 IKEv2 (CVL) in compliance with Section 6.2 of SP 800-132r2. The DH and ECDH key pairs to be used in the IKEv2 protocol are generated by the bound OpenSSL module. Below are listed the SSP generation methods provided by the bound OpenSSL module: Name Type Properties Safe primes key pair CKG Key type: Diffie-Hellman key pair generation Groups: MODP-2048, MODP-3072, MODP4096, MODP-6144, MODP8192 Security strength: 112-200 bits Method: SP 800-56Ar3 (safe primes) Section 5.6.1.1.4 Testing Candidates Compliant to SP 800-133r2, Section 5.2. Random seeds are obtained directly from an SP 800-90Arev1 compliant DRBG in compliance with SP 800-133rev2 section 4 (without the use of V, as described in the additional comment 2 of IG D.H). EC key pair generation CKG Key type: EC Diffie-Hellman key pair Curves: P-224, P-256, P-384, P-521 Security strength: 112, 128, 192, 256 bits Method: FIPS 186-4 Appendix B.4.2 Testing Candidates Compliant to SP 800-133r2, Section 5.1 and 5.2. Random seeds are obtained directly from an SP 800-90Arev1 compliant DRBG in compliance with SP 800-133rev2 section 4 (without the use of V, as described in the additional comment 2 of IG D.H). Table 7 - SSP Generation 2.9. SSP Establishment The Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module and the bound OpenSSL module together provide the Diffie Hellman and EC Diffie Hellman key agreement. The Canonical Ltd. Ubuntu
22.04 Strongswan Cryptographic Module only implements the NIST SP 800-135 IKEv2 KDF (CVL) part
of the key agreement using the HMAC portion of the SSP agreement and the bound OpenSSL module provides the shared secret computation. Below are listed the SSP agreement methods provided by the bound OpenSSL module: Name Type Properties Diffie-Hellman key agreement KAS Groups: MODP-2048, MODP-3072, MODP4096, MODPwith IKE KDF 6144, MODP-8192 Security strength: 112-200 bits Compliant with Scenario 2 (2) of FIPS 140-3 IG D.F EC Diffie-Hellman key KAS Curves: P-224, P-256, P-384, P-521 agreement with IKE KDF Security strength: 112, 128, 192, 256 bits Compliant with Scenario 2 (2) of FIPS 140-3 IG D.F Table 8 - SSP Agreement The module does not implement any key transport method. 2.10. Design and Rules The module performs pre-operational self-test and cryptographic algorithm self-tests when it is loaded into memory without operator intervention. Pre-operational self-tests ensure that the © 2024 Canonical Ltd./ atsec information security.
module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the self-tests, services are not available, and input and output are inhibited. The module is not available for use until the self-tests complete successfully. If any pre-operational self-test fails, the module will return the error message listed in Table 19, enter the error state and terminate. Therefore, no cryptographic operations or data output are possible. Note: The bound Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module and the Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module perform their own pre-operational and cryptographic algorithm self-tests automatically when they are loaded into memory. The Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module ensures that both bound modules complete their pre-operational self-tests successfully. 2.11. Initialisation There are no specific initialization requirements. © 2024 Canonical Ltd./ atsec information security.
3. Cryptographic Module Interfaces 3.1. Description Physical Port Logical Interface Data that passes over the port/interface As a software-only module, the module Data Input /etc/ipsec.secrets file, private does not have physical ports. Physical key file, certificate files under Ports are interpreted to be the physical the /etc/ipsec.d directory, input ports of the hardware platform on data received from the network which it runs. (IKEv2 protocol), input data received from the bound OpenSSL module via its API parameters. Data Output Output data sent through the network (IKEv2 protocol),output data sent to the bound OpenSSL module via its API parameters. Control Input Invocation of the ipsec command on the command line, control parameters via the ipsec command and the /etc/ipsec.conf file, IKEv2 protocol message requests received from the network. Status Output Status messages returned after execution of the ipsec command, status of processing IKEv2 protocol message requests sent through the network. Power Input N/A Table 9 - Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. 3.2. Trusted Channel Specification The module does not implement a trusted channel. 3.3. Control Interface Not Inhibited The module does not implement a control output interface. © 2024 Canonical Ltd./ atsec information security.
4. Roles, Services, and Authentication 4.1. Authentication Methods The module does not implement operator authentication. 4.2. Roles Name Type Operator Type Authentication Methods Crypto Officer Role CO N/A Table 10 - Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators. 4.3. Approved Services Security Name Description Indicator Inputs Outputs SSP Access Functions Start IKEv2 Start IKE daemon Successful N/A Success/F N/A N/A daemon establishment of the ail IKE connection. Configure Configure IKEv2 Successful Pre-shared Success/F N/A Pre-shared IKEv2 daemon daemon establishment of the Key or Post- ail Key or PostIKE connection. Quantum Quantum Pre-shared Pre-shared Key RSA Key; RSA public key public key; RSA private RSA private key key; EC EC public key public key; EC private EC private key key: R IKE_SA_INIT Key exchange Successful Private and Shared Diffie- DH public Exchange establishment of the public key secret Hellman key, DH IKE connection. (modp2048, private key, modp3072, EC public modp4096, key, EC modp6144, private key, modp8192) Shared with key secret: G, R size between
EC DiffieHellman with NIST curves P224, P-256, P-384, P© 2024 Canonical Ltd./ atsec information security.
Security Name Description Indicator Inputs Outputs SSP Access Functions Key derivation Successful N/A Success/F SP800- Derivation establishment of the ail 135r1 IKEv2 key (SK_d), IKE connection. KDF (CVL) Encryption using key (SK_ei, HMAC with SK_er), SHA-1, SHA- Authenticat 256, SHA- ion key
SHA-512 SK_ar), Authenticat ion payload key (SK_pi, SK_pr), Shared secret: G IKE_AUTH Signature Successful Private and Success/F RSA RSA public Exchange generation establishment of the public key ail PKCS#1 key, RSA Signature IKE connection. v1.5 and private key, verification PSS with EC public SHA-1, SHA- key, EC 224, SHA- private key, 256, SHA- RSA Peer’s 384, SHA- public key, 512, SHA- Peer’s EC 512/224, public key: SHA- W 512/256 ECDSA (P224, P-256, P-384, P521) with SHA-1, SHA224, SHA256, SHA384, SHA512, SHA512/224, SHA512/256 Authenticated Successful Encryption Success/F AES-CBC + Encryption Encryption establishment of the key ail HMAC with key (SK_ei, Authenticated IKE connection. SHA-1, SHA- SK_er): W Decryption Authenticati 256, SHAon key 384, SHA- Authenticat
(SL_ai, AES-GCM SK_ar): W AES-CCM CREATE_CHILD Authenticated Successful Encryption Success/F AES-CBC + Encryption _SA Exchange Encryption establishment of the key ail HMAC with key (SK_ei, Authenticated IKE connection. SHA-1, SHA- SK_er): W Decryption Authenticati 256, SHAon key 384, SHA- Authenticat © 2024 Canonical Ltd./ atsec information security.
Security Name Description Indicator Inputs Outputs SSP Access Functions
(SK_ai, AES-GCM SK_ar): W AES-CCM CREATE_CHILD Key exchange Successful N/A Shared Diffie- DH public _SA Exchange establishment of the secret Hellman key, DH IKE connection. (modp2048, private key, modp3072, EC public modp4096, key, EC modp6144, private key, modp8192) Shared with key secret: G size between
EC DiffieHellman with NIST curves P224, P-256, P-384, PCREATE_CHILD Key derivation Successful Derivation Derived SP800- Derivation _SA Exchange establishment of the key key 135r1 IKEv2 key (SK_d): IKE connection. KDF (CVL) W; New using derivation HMAC with key (SK_d), SHA-1, SHA- New 256, SHA- encryption
SHA-512 SK_er), New authenticati on key (SK_ai, SK_ar), New authenticati on payload key (SK_pi, SK_pr): G INFORMATION Authenticated Successful Encryption Success/F AES-CBC + Encryption AL Exchange Encryption establishment of the key ail HMAC with key (SK_ei, Authenticated IKE connection. SHA-1, SHA- SK_er): W Decryption Authenticati 256, SHAon key 384, SHA- Authenticat
(SK_ai, AES-GCM SK_ar): W AES-CCM Show version Return the module None N/A Module N/A N/A name and version name and information version © 2024 Canonical Ltd./ atsec information security.
Security Name Description Indicator Inputs Outputs SSP Access Functions Show status Return the module None N/A Module N/A N/A status status Self-test Perform the CASTs None N/A Success/f See Section N/A and integrity tests ail 10 Zeroization Close Security None Any SSP Success/F N/A All SSPs: Z Association ail Terminate IKEv2 None Any SSP Success/F N/A All SSPs: Z daemon ail Table 11 - Approved Services Table 11 lists the approved services. The following convention is used to specify access rights to SSPs:
5. Software/Firmware Security 5.1. Integrity Techniques The integrity of the module is verified by comparing an HMAC-SHA-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time, for each of the components that comprise the module. The HMAC-SHA-256 algorithm for integrity test is provided by the bound Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module. If the HMAC values do not match, the test fails and the module enters the error state. 5.2. Initiate on Demand Integrity test is performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test can be invoked on demand by unloading and subsequently reinitializing the module, which will perform (among others) the software integrity tests. © 2024 Canonical Ltd./ atsec information security.
6. Operational Environment 6.1. Operational Environment Type and Requirements Type of Operating Environment: modifiable; the module executes as part of a general-purpose operating system (Canonical Ubuntu 22.04), which allows modification, loading, and execution of software that is not part of the validated module. How Requirements are Satisfied: If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. Processes that are spawned by the cryptographic module are owned by the module and are not owned by external processes/operators. 6.2. Configuration Settings and Restrictions The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a nonvalidated operational environment. © 2024 Canonical Ltd./ atsec information security.
7. Physical Security The module is comprised of software only and therefore this section is not applicable. © 2024 Canonical Ltd./ atsec information security.
8. Non-Invasive Security This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2024 Canonical Ltd./ atsec information security.
9. Sensitive Security Parameters Management 9.1. Storage Areas Storage Area Persistence Description Name Type RAM Temporary storage for SSPs used by the module as part of service Dynamic execution Table 12 - Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. Public and private keys for IKEv2 authentication are stored in the /etc/ipsec.d/certs and /etc/ipsec.d/private directories, which are within the module’s physical perimeter, but outside its cryptographic boundary. 9.2. SSP Input-Output Methods Format Distribution Entry Related Name From To Type Type Type SFI Key files Operator Cryptographic Plaintext Manual Electronic N/A within TOEPP Module IKE protocol messages (input) Operator Cryptographic Plaintext Manual Electronic N/A within TOEPP Module API parameters (input) OpenSSL Cryptographic Plaintext Manual Electronic N/A bound Module module IKE protocol messages Cryptographic Operator Plaintext Manual Electronic N/A (output) Module within TOEPP API parameters (output) Cryptographic OpenSSL Plaintext Manual Electronic N/A Module bound module Operator Table 13 - SSP Input-Output The module does not support manual key entry or intermediate key generation key output. The keys are entered from or output to the module electronically. 9.3. SSP Zeroization Methods Zeroization Method Description Rationale Operator Initiation IKE SA Close Close of the Memory occupied by SSPs is By closing an IKE IKEv2 Security overwritten with zeroes, which connection (i.e., the Association (SA) renders the SSP values irretrievable. command ipsec down). IKEv2 Daemon Terminate Termination of Memory occupied by SSPs is The command ipsec stop. the IKEv2 overwritten with zeroes, which daemon. renders the SSP values irretrievable. Remove power from the De-allocates Volatile memory used by the module By removing power. module the volatile is overwritten within nanoseconds memory used when power is removed. to store SSPs. © 2024 Canonical Ltd./ atsec information security.
Table 14 - SSP Zeroization Methods The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The module calls appropriate key zeroization functions provided by the bound OpenSSL module and calls its own appropriate key zeroization functions. In both cases, these functions overwrite the memory with zeroes and deallocate the memory with the regular memory deallocation operating system call. All data output is inhibited during zeroization. 9.4. SSPs Type - Generated Established Name Description Size - Strength Used By Category By By RSA private key RSA private 2048-16384 Private N/A N/A IKE_AUTH key. bits (112-256 Key Exchange bits) Configure IKEv2 daemon RSA public key RSA public key. 2048-16384 Public Key N/A N/A IKE_AUTH bits (112-256 Exchange bits) Configure IKEv2 daemon RSA Peer’s RSA Peer’s 2048-16384 Public Key N/A N/A IKE_AUTH public key public keys. bits (112-256 Exchange bits) DH public key DH public key. MODP-2048, Public Key N/A N/A IKE_SA_INIT MODP-3072, (Generated Exchange MODP4096, by the CREATE_CHILD_SA MODP-6144, bound Exchange MODP-8192 module (112-200 bits) OpenSSL) DH private key DH private key. MODP-2048, Private N/A N/A IKE_SA_INIT MODP-3072, Key (Generated Exchange MODP4096, by the CREATE_CHILD_SA MODP-6144, bound Exchange MODP-8192 module (112-200 bits) OpenSSL) Peer’s DH public Peer’s DH MODP-2048, Public Key N/A N/A IKE_SA_INIT key public key. MODP-3072, Exchange MODP4096, CREATE_CHILD_SA MODP-6144, Exchange MODP-8192 (112-200 bits) EC private key Private key for P-224, P-256, P- Private N/A N/A IKE_SA_INIT ECDSA or 384, P-521 (112, Key (Generated Exchange ECDH. 128, 192, 256 by the CREATE_CHILD_SA bits) bound Exchange module IKE_AUTH OpenSSL) Exchange Configure IKEv2 daemon EC public key Public key for P-224, P-256, P- Public Key N/A N/A IKE_SA_INIT ECDSA or 384, P-521 (112, (Generated Exchange ECDH. 128, 192, 256 by the CREATE_CHILD_SA bits) bound Exchange © 2024 Canonical Ltd./ atsec information security.
Type - Generated Established Name Description Size - Strength Used By Category By By module IKE_AUTH OpenSSL) Exchange Configure IKEv2 daemon Peer’s EC public Peer’s public P-224, P-256, P- Public Key N/A N/A IKE_SA_INIT key keys for ECDSA 384, P-521 (112, Exchange or ECDH. 128, 192, 256 CREATE_CHILD_SA bits) Exchange IKE_AUTH Exchange Shared secret Shared secret 112-256 bits Shared N/A N/A IKE_SA_INIT for DH or Secret (Established Exchange ECDH. by the bound CREATE_CHILD_SA module Exchange OpenSSL) Derivation key Derivation key 112-256 bits Symmetric NIST SP800- N/A IKE_SA_INIT (SK_d) (SK_d) from Key 135r1 IKEv2 Exchange IKE_SA KDF (CVL) CREATE_CHILD_SA Exchange Encryption key Encryption keys 112-256 bits Symmetric NIST SP800- N/A IKE_SA_INIT (SK_ei, SK_er) from IKE_SA Key 135r1 IKEv2 Exchange (SK_ei, SK_er) KDF (CVL) CREATE_CHILD_SA (AES) Exchange IKE_AUTH Exchange INFORMATIONAL Exchange Authentication Authentication 112-256 bits Symmetric NIST SP800- N/A IKE_SA_INIT key (SK_ai, keys from Key 135r1 IKEv2 Exchange SK_ar) IKE_SA (SK_ai, KDF (CVL) CREATE_CHILD_SA SK_ar) (HMAC) Exchange IKE_AUTH Exchange INFORMATIONAL Exchange Authentication Authentication 112-256 bits Symmetric NIST SP800- N/A IKE_SA_INIT payload key payload keys Key 135r1 IKEv2 Exchange (SK_pi, SK_pr) from IKE_SA KDF (CVL) (SK_pi, SK_pr) (HMAC) New Derivation New Derivation 112-256 bits Symmetric NIST SP800- N/A CREATE_CHILD_SA key (SK_d) Key from Key 135r1 IKEv2 Exchange CHILD_SA KDF (CVL) (SK_d) (HMAC) New Encryption New Encryption 112-256 bits Symmetric NIST SP800- N/A CREATE_CHILD_SA key (SK_ei, keys from Key 135r1 IKEv2 Exchange SK_er) CHILD_SA KDF (CVL) (SK_ei, SK_er) (HMAC) © 2024 Canonical Ltd./ atsec information security.
Type - Generated Established Name Description Size - Strength Used By Category By By New New 112-256 bits Symmetric NIST SP800- N/A CREATE_CHILD_SA Authentication Authentication Key 135r1 IKEv2 Exchange key (SK_ai, keys from KDF (CVL) SK_ar) CHILD_SA (SK_ai, SK_ar) (HMAC) New New 112-256 bits Symmetric NIST SP800- N/A CREATE_CHILD_SA Authentication Authentication Key 135r1 IKEv2 Exchange payload key payload keys KDF (CVL) (SK_pi, SK_pr) from CHILD_SA (SK_pi, SK_pr) (HMAC) Pre-shared Key Pre-shared Key 112-256 bits Symmetric N/A N/A Configure IKEv2 or Post- or Post- Key daemon Quantum Pre- Quantum Preshared Key shared Key Table 15 - SSP Information First Storage Related Name Input - Output Storage Type Duration SSPs RSA private key Input: Read from the private key files. RAM For the CSP RSA public Output: To the bound OpenSSL module via duration of key API parameters. the service. RSA public key Input: Read from the host key files. RAM For the PSP RSA private Output: To the network peer via IKE_AUTH duration of key exchange message. the service. RSA Peer’s public Input: From the network peer via IKE_AUTH RAM For the PSP None key exchange message. duration of Output: To the bound OpenSSL module via the service. API parameters. DH public key Input: From the bound OpenSSL module via RAM For the PSP DH private API parameters. duration of key Output: To the network peer via the service. IKE_SA_INIT or CREATE_CHILD_SA exchange messages. DH private key Input: From the bound OpenSSL module via RAM For the CSP DH public API parameters. duration of key Output: To the bound OpenSSL module via the service. API parameters. Peer’s DH public Input: From the network peer IKE_SA_INIT RAM For the PSP None key or CREATE_CHILD_SA exchange messages duration of Output: To the bound OpenSSL module via the service. API parameters. EC private key Input ECDSA: Read from the private key RAM For the CSP EC public files. duration of key Output ECDSA: To the bound OpenSSL the service. module via API parameters. Input ECDH: From the bound OpenSSL RAM For the CSP EC public module via API parameters. duration of key the service. © 2024 Canonical Ltd./ atsec information security.
Storage Related Name Input - Output Storage Type Duration SSPs Output ECDH: To the bound OpenSSL module via API parameters. EC public key Input ECDSA: Read from the host key files. RAM For the PSP EC private Output ECDSA: To the network peer via duration of key IKE_AUTH exchange message. the service. Input ECDH: From the bound OpenSSL RAM For the PSP EC private module via API parameters. duration of key Output ECDH: to the network peer via the service. IKE_SA_INIT or CREATE_CHILD_SA exchange messages. Peer’s EC public key Input ECDSA: From the network peer via RAM For the PSP None IKE_AUTH exchange message. duration of Output ECDSA: To the bound OpenSSL the service. module via API parameters. Input ECDH: From the network peer RAM For the PSP None IKE_SA_INIT or CREATE_CHILD_SA duration of exchange messages. the service. Output ECDH: To the bound OpenSSL module via API parameters. Shared secret Input: From the bound OpenSSL module via RAM For the CSP DH public API parameters. duration of key Output: N/A. the service. DH private key EC public key EC private key Peer’s DH public key Peer’s EC public key Derivation key Input: N/A RAM For the CSP None (SK_d) Output: N/A duration of the service. Encryption key Input: N/A RAM For the CSP None (SK_ei, SK_er) Output: To the bound OpenSSL module via duration of API parameters. the service. Authentication key Input: N/A RAM For the CSP None (SK_ai, SK_ar) Output: To the bound OpenSSL module via duration of API parameters. the service. Authentication Input: N/A RAM For the CSP None payload key (SK_pi, Output: To the bound OpenSSL module via duration of SK_pr) API parameters. the service. New Derivation key Input: N/A RAM For the CSP None (SK_d) Output: N/A duration of the service. New Encryption key Input: N/A RAM For the CSP None (SK_ei, SK_er) Output: To the bound Kernel Crypto API duration of module via API parameters. the service. © 2024 Canonical Ltd./ atsec information security.
Storage Related Name Input - Output Storage Type Duration SSPs New Authentication Input: N/A RAM For the CSP None key (SK_ai, SK_ar) Output: To the bound Kernel Crypto API duration of module via API parameters. the service. New Authentication Input: N/A RAM For the CSP None payload key (SK_pi, Output: To the bound Kernel Crypto API duration of SK_pr) module via API parameters. the service. Pre-shared Key or Input: Read from the private key files. RAM For the CSP None Post-Quantum Pre- Output: N/A. duration of shared Key the service. Table 16 - SSP Information Second 9.5. Transitions The SHA-1 algorithm as implemented by the bound OpenSSL module will be non-approved for all purposes, starting January 1, 2030. The RSA algorithm as implemented by the bound OpenSSL module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 will be withdrawn on February 3, 2024. © 2024 Canonical Ltd./ atsec information security.
10. Self-Tests 10.1. Pre-Operational Self-Tests Algorithm Implementation Test Test Method Test Indicator Details Properties Type HMAC C 256-bit HMAC SHA-256 value Software Module Integrity test SHA-256 keys calculated at run time is integrity becomes performed by the compared with the operational bound Kernel Crypto precomputed HMAC API module to check SHA-256 value. the fipscheck tool and the Strongswan executables. Table 17 - Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. 10.2. Conditional Self-Tests The module performs the self-test on the following Approved cryptographic algorithm supported in Approved mode using the Known Answer Test (KAT) shown below: Test Test Algorithm Implementation Test Type Indicator Details Conditions Properties Method SP800-135r1 C HMAC- KAT CAST Module is KDF used for Module IKEv2 KDF SHA-1 operational IKEv2 initialization (CVL) OpenSSL Bound Module HMAC SHA- C 256 bit KAT CAST Module is Message Module
256 keys operational authentication initialization
SHA-1 C 0-8184 bit KAT CAST Module is Message digest Module messages operational initialization SHA-512 C 0-8184 bit KAT CAST Module is Message digest Module messages operational initialization AES-GCM C 256-bit key KAT CAST Module is Encryption, Module operational Decryption initialization (separately) CTR_DRBG C 128 bit key KAT CAST Module is DRBG Module with operational generation and initialization derivation reseed function Health tests and according to prediction section 11.3 of resistance [SP800- 90Ar1] KAS-FFC-SSC C ffdhe2048 KAT CAST Module is Shared secret Module operational computation initialization © 2024 Canonical Ltd./ atsec information security.
Test Test Algorithm Implementation Test Type Indicator Details Conditions Properties Method KAS-ECC-SSC C P-256 KAT CAST Module is Shared secret Module operational computation initialization RSA C PKCS#1 KAT CAST Module is Signature Module SigGen/Sigver v1.5 with operational generation and initialization SHA-256 Signature and 2048- verification bit key ECDSA C SHA-256 KAT CAST Module is Signature Module SigGen/Sigver and P-224, operational generation and initialization B-233 Signature verification DH KeyGen C ffdhe2048 PCT PCT Module is SP800-56Ar3 Key pair (Safe Primes) operational Section generation 5.6.2.1.4 RSA KeyGen C PKCS#1 PCT PCT Module is Signature Key pair v1.5 operational generation and generation padding Signature SHA-256 verification ECDSA C SHA-256 PCT PCT Module is Signature Key pair KeyGen operational generation and generation Signature verification Kernel Bound Module HMAC SHA- C 32, 160, KAT CAST Module Self-test for Module
256 1048 bit becomes the algorithm initialization
keys operational provided by the bound Kernel Crypto API module used for the integrity test Table 18 - Conditional Self-Tests For the KAT, the module calculates the result and compares it with the known answer. If the calculated value does not match the known answer, the KAT fails and the module enters the error state. The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 18. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state. 10.3. Periodic Self-Tests The module does not implement any periodic self-tests. 10.4. Error States If the module fails any of the self-tests, it will return an error message to indicate the error and then enter the error state. In the error state, the module immediately stops functioning and ends the © 2024 Canonical Ltd./ atsec information security.
application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). The following table shows the list of error messages when the module fails any self-test. Recovery Name Description Conditions Indicator Method Error Strongswan Integrity Test failure Restart of the ipsec: strongswan fips file State stops module integrity check failed executing KAT failure ipsec: strongswan fips ikev2 kdf self-test failed Self-test failure in Canonical Ltd. ipsec start command returns error Ubuntu 22.04 OpenSSL code 2 with the following cause Cryptographic Module 'unable to load OpenSSL FIPS provider'. PCT Failure: ipsec status command returns error code 1 or 2 and the OpenSSL bound module's OSSL_PROV_PARAM_STATUS is set to 0. Self-test failure in Canonical Ltd. Kernel panics with message Ubuntu 22.04 Kernel Crypto API failure “alg: <algo_name>: test Cryptographic Module failed”. Table 19 - Error States To recover from the error state, the module must be restarted and perform self-tests again. If the failure persists, the module must be reinstalled. Note: Self-test failures in the bound Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module or Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module will prevent the Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module from operating. 10.5. Operator Initiation The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. On-demand selftests can be invoked by powering off and reloading the module, which cause the module to run the self-tests again. During the execution of the on-demand self-tests, services are not available and no data output or input is possible. © 2024 Canonical Ltd./ atsec information security.
11. Life-Cycle Assurance 11.1. Startup Procedures The module is distributed as a part of Ubuntu 22.04 in the form of the following deb packages:
boot into the FIPS supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in Approved mode. If you do not reboot after installing and configuring the bootloader, Approved mode is not yet enabled. To verify that Approved mode is enabled after the reboot check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the modules will not run in Approved mode. If the file is missing, the FIPS kernel is not installed, you can verify that FIPS has been properly enabled with the pro status command. The module can only operate in Approved mode as stated in section 3.2. With the operational environment setup as stated in the above section, the following restrictions are applicable. No more cipher addition is possible by configuration or command line options. Configure Charon as specified in ipsec.conf(5), and ipsec.secrets(5) man pages
University of Applied Sciences Rapperswil, Switzerland FIPS module name: Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module FIPS module version: 5.9.5-2ubuntu2.1+Fips1 11.2. Administrator Guidance 11.2.1. Managing the IKEv2 Daemon To start the IKEv2 daemon, use the following command: # ipsec start To stop the IKEv2 daemon, use the following command: # ipsec stop To start the IKEv2 daemon automatically at the system boot time, use the following command: # systemctl enable strongswan To prevent the IKEv2 daemon from automatically starting, use the following command: # systemctl disable strongswan See the ipsec(8), ipsec.conf(5) and ipsec.secrets(5) man pages for more information about how to operate the module. 11.2.2. AES GCM IV The Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module is bound to the Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module which implements AES-GCM. This module, Strongswan, generates the IV for AES-GCM in OpenSSL through the IKEv2 key establishment protocol which is compliant with IG C.H provision 1) (b), "IPSec protocol IV generation". The AES-GCM IV generation is in compliance with [RFC5282]. The module uses the [RFC7296] compliant IKEv2 protocol to establish the shared secret SKEYSEED from which the AES-GCM encryption keys are derived. By the virtue of the lifetime limit (see above Section 11.1.1), the IV is renegotiated before reaching 2^64. The IV does not get stored permanently. In case or normal or abnormal termination of the IKE connection, the SA has to be renegotiated by the module. In the event the module’s power is lost and restored, the operator must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. 11.2.3. RSA Signatures To meet the requirement stated in IG C.F, the bound OpenSSL module implements only the FIPS 186-
4 approved modulus sizes of 2048, 3072, and 4096 bits for signature generation. For signature
verification, the bound OpenSSL module implements only the FIPS 186-4 approved modulus sizes of 1024, 2048, 3072, and 4096 bits. Each modulus size was tested, and corresponding certificates can be found detailed in Section 2 for the bound OpenSSL module. © 2024 Canonical Ltd./ atsec information security.
11.2.4. Compliance to SP 800-56ARev3 Assurances The bound OpenSSL module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3. The Canonical Ltd. Ubuntu 22.04 Strongswan Cryptographic Module implements the NIST SP 800-135 IKEv2 KDF (CVL) part of the key agreement using the HMAC portion of the SSP agreement, while the bound OpenSSL module provides the SP 800-56Arev3-compliant DH and ECDH shared secret computation. Therefore, the module meets the requirements of IG D.F scenario 2 (2). In order to meet the required assurances listed in section 5.6 of SP 800-56ARev3, the following steps are performed.
12. Mitigation of Other Attacks The module does not implement security mechanisms to mitigate other attacks. © 2024 Canonical Ltd./ atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CKG Cryptographic Key Generation CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm ENT (NP) Non-physical Entropy Source FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IG Implementation Guidance IKE Internet Key Exchange IPSEC Internet Protocol Security KAS Key Agreement Scheme KAT Known Answer Test NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RAM Random Access Memory RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security TOEPP Tested Operational Environment's Physical Perimeter © 2024 Canonical Ltd./ atsec information security.
Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-1403-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) February 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Addendum Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf © 2024 Canonical Ltd./ atsec information security.
SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 Canonical Ltd./ atsec information security.