| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/2/2030 |
| Caveat | When operated in approved mode and installed, initialized and configured as specified in Section 11.1 of the Security Policy. |
| Vendor | Oracle Corporation |
flowchart LR
%% Deterministic review-risk graph for Oracle Linux 9 GnuTLS Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: gnutls</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Oracle Linux 9 GnuTLS Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: gnutls</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Oracle Corporation Oracle Linux 9 GnuTLS Cryptographic Module Software Version: 3.7.6-39e2433a29b33b55 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com Document Version 1.4. ©Oracle Corporation
Title: Oracle 9 GnuTLS Cryptographic Module Security Policy Date: August 28th, 2025 Contributing Authors: Oracle Linux Engineering Security Evaluations
Austin, TX 78741 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 www.oracle.com hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy i
| # | Section | Page |
|---|
Oracle Linux 9 GnuTLS Cryptographic Module Security Policy iii
| Item | Page |
|---|---|
| Table 1: Security Levels | 1 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 3 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 3 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 3 |
| Table 5: Modes List and Description | 4 |
| Table 6: Approved Algorithms | 7 |
| Table 7: Vendor-Affirmed Algorithms | 7 |
| Table 8: Non-Approved, Not Allowed Algorithms | 8 |
| Table 9: Security Function Implementations | 10 |
| Table 10: Entropy Certificates | 12 |
| Table 11: Entropy Sources | 12 |
| Table 12: Ports and Interfaces | 14 |
| Table 13: Roles | 15 |
| Table 14: Approved Services | 19 |
| Table 15: Non-Approved Services | 21 |
| Table 16: Storage Areas | 26 |
| Table 17: SSP Input-Output Methods | 26 |
| Table 18: SSP Zeroization Methods | 26 |
| Table 19: SSP Table 1 | 28 |
| Table 20: SSP Table 2 | 30 |
| Table 21: Pre-Operational Self-Tests | 31 |
| Table 22: Conditional Self-Tests | 35 |
| Table 23: Pre-Operational Periodic Information | 35 |
| Table 24: Conditional Periodic Information | 36 |
| Table 25: Error States | 37 |
| Item | Page |
|---|---|
| Figure 1: Cryptographic Boundary | 2 |
This document is the non-proprietary FIPS 140-3 Security Policy for version 3.7.6-39e2433a29b33b55 of the Oracle
9 GnuTLS Cryptographic Module. It contains the security rules under which the module must operate and
describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module.
Section Title Security Level
Overall Level 1 Table 1: Security Levels
This Security Policy describes the features and design of the module named GnuTLS Cryptographic Module using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Purpose and Use: The Oracle 9 GnuTLS Cryptographic Module (hereafter referred to as “the module”) is a cryptographic module that provides cryptographic services to applications running in the user space of the underlying operating system through a C language Application Program Interface (API). Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the information flow between the module and operator (depicted through the arrows). The module components consist of the libgnutls.so.30, libnettle.so.8, libhogweed.so.6, and libgmp.so.10. The module integrity is verified for each of the component separately using HMAC at power on by comparing with the pre-computed HMAC values stored in .libgnutls.so.30.hmac file Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Cryptographic Boundary Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Tested Module Identification
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Mode Name Description Type Status Indicator Approved mode Automatically entered whenever an approved Approved Equivalent to the indicator of the requested service as service is requested defined in section 4.3 Non-approved Automatically entered whenever a non-approved Non- Equivalent to the indicator of the requested service as mode service is requested Approved defined in section 4.3 Table 5: Modes List and Description Mode Change Instructions and Status: When the module starts up successfully, after passing the pre-operational and all conditional cryptographic algorithms self-tests (CASTs), the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in Non-Approved Services table. Please see Section 4 or the details on service indicator provided by the module that identifies when an approved service is called.
Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A4743 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4744 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4745 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4746 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4751 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4755 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4743 Key Length - 128, 256 SP 800-38C AES-CCM A4755 Key Length - 128, 256 SP 800-38C AES-CFB8 A4748 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4749 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4754 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A4743 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CMAC A4746 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm CAVP Cert Properties Reference AES-CMAC A4751 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-ECB A4751 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4743 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A4744 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A4745 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A4746 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A4751 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A4755 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GMAC A4751 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-XTS Testing A4752 - SP 800-38E Revision 2.0 Counter DRBG A4751 Prediction Resistance - No SP 800-90A Rev. Mode - AES-256 1 Derivation Function Enabled - No ECDSA KeyGen A4751 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4751 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4751 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 ECDSA SigVer A4751 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 HMAC-SHA-1 A4746 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4751 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4755 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4746 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4751 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4755 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4746 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4751 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4755 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4746 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm CAVP Cert Properties Reference HMAC-SHA2-384 A4751 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4755 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4746 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4751 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4755 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 KAS-ECC-SSC Sp800- A4751 Domain Parameter Generation Methods - P-256, P-384, P-521 SP 800-56A Rev. 56Ar3 Scheme - 3 ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC Sp800- A4751 Domain Parameter Generation Methods - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, SP 800-56A Rev. 56Ar3 ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 3 Scheme dhEphem KAS Role - initiator, responder KDA HKDF Sp800- A4750 Derived Key Length - 2048 SP 800-56C Rev. 56Cr1 Shared Secret Length - Shared Secret Length: 224-65336 Increment 8 2 HMAC Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 PBKDF A4751 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A4751 Key Generation Mode - B.3.2 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A4751 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4751 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Safe Primes Key A4751 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- SP 800-56A Rev. Generation 2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 3 SHA-1 A4746 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA-1 A4751 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA-1 A4755 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-224 A4746 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-224 A4751 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-224 A4755 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-256 A4746 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-256 A4751 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-256 A4755 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-384 A4746 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-384 A4751 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-384 A4755 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-512 A4746 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-512 A4751 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA2-512 A4755 Large Message Sizes - 1, 2, 4, 8 FIPS 180-4 SHA3-224 A4747 - FIPS 202 SHA3-224 A4753 - FIPS 202 SHA3-256 A4747 - FIPS 202 SHA3-256 A4753 - FIPS 202 SHA3-384 A4747 - FIPS 202 SHA3-384 A4753 - FIPS 202 SHA3-512 A4747 - FIPS 202 SHA3-512 A4753 - FIPS 202 Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm CAVP Cert Properties Reference TLS v1.2 KDF A4751 - SP 800-135 Rev. RFC7627 (CVL) 1 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Type:Symmetric and Asymmetric N/A SP 800-133r2 RSA (asymmetric):2048, 3072, 4096 bits with 112, 128, 149 bits of key strength. section 4 example 1 ECDSA (asymmetric):P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength Safe Primes (asymmetric):ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 2048, 3072, 4096, 6144, 8192bit keys (112-200 bits of key strength) CTR_DRBG (symmetric):112-256 bit keys (112-256 bits of strength) Table 7: Vendor-Affirmed Algorithms Non-Approved, Not Allowed Algorithms: Name Use and Function Blowfish Symmetric Encryption; Symmetric Decryption Camellia Symmetric Encryption; Symmetric Decryption CAST Symmetric Encryption; Symmetric Decryption ChaCha20 Symmetric Encryption; Symmetric Decryption Chacha20 and Poly1305 Authenticated Encryption; Authenticated Decryption CMAC with Triple-DES Message Authentication Code (MAC) DES Symmetric Encryption; Symmetric Decryption Diffie-Hellman using keys generated with domain parameters other than Shared Secret Computation safe primes DSA Key Generation; Domain Parameter Generation; Digital Signature Generation; Digital Signature Verification ECDSA with curves not listed in the Approved Algorithms Table Key Generation; Public Key Verification ECDSA with curves/hash functions not listed in the Approved Algorithms Digital Signature Generation; Digital Signature Verification Table EC Diffie-Hellman with curves not listed in the Approved Algorithms Table Shared Secret Computation GMAC with keys not listed in the Approved Algorithms Table Message Authentication Code (MAC) GOST Symmetric Encryption; Symmetric Decryption; Message Digest HMAC with keys smaller than 112-bit Message Authentication Code (MAC) HMAC with GOST Message Authentication Code (MAC) MD2, MD4, MD5 Message Digest; Message Authentication Code (MAC) PBKDF with non-approved message digest algorithms or using input Key Derivation parameters not meeting requirements stated in section 2.7 RC2, RC4 Symmetric Encryption; Symmetric Decryption RMD160 Message Digest; Message Authentication Code (MAC) RSA with keys smaller than 2048 bits. Key Generation RSA with keys smaller than 2048 bits and/or hash functions not listed in the Digital Signature Generation; Digital Signature Verification Approved Algorithms Table RSA encryption and decryption with any key sizes Key Encapsulation; Key Un-encapsulation Salsa20 Symmetric Encryption; Symmetric Decryption SEED Symmetric Encryption; Symmetric Decryption Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Use and Function Serpent Symmetric Encryption; Symmetric Decryption SRP Key Agreement STREEBOG Message Digest; Message Authentication Code (MAC) Triple-DES Symmetric Encryption; Symmetric Decryption Twofish Symmetric Encryption; Symmetric Decryption UMAC Message Authentication Code (MAC) Yarrow Random Number Generation DRBG generation of keys smaller than 112 bits Random Number Generation Non-supported cipher suites (see Appendix A for the complete list of valid Transport Layer Security (TLS) network protocol cipher suites) AES GCM with keys not listed in the Approved Algorithms Table Authenticated Encryption; Authenticated Decryption Table 8: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms KAS-ECC-SSC KAS-SSC Shared Secret Computation Curves:P-224, P-256, P-384, KAS-ECC-SSC Sp800-56Ar3: P-521 elliptic curves with (A4751) 112-256 bits of key strength Compliance: Compliant with IG D.F scenario 2(1) KAS-FFC-SSC KAS-SSC Shared Secret Computation Keys:2048, 3072, 4096, KAS-FFC-SSC Sp800-56Ar3: 6144, 8192-bit keys with (A4751) 112-200 bits of key strength Compliance:Compliant with IG D.F scenario 2(1) AES CBC with HMAC KTS-Wrap Key Wrapping, Key Keys:128, 192, 256 bits AES-CBC: (A4743, A4744, Unwrapping with 128-256 bits of key A4745, A4746, A4751, strength A4755) Compliance:Compliant with HMAC-SHA-1: (A4746, IG D.G A4751, A4755) HMAC-SHA2-224: (A4746, A4751, A4755) HMAC-SHA2-256: (A4746, A4751, A4755) HMAC-SHA2-384: (A4746, A4751, A4755) HMAC-SHA2-512: (A4746, A4751, A4755) AES CCM (Key KTS-Wrap Key Wrapping, Key Keys:128 and 256 bits with AES-CCM: (A4743, A4755) Wrapping/Unwrapping) Unwrapping 128 and 256 bits of key strength Compliance:Compliant with IG D.G AES GCM (Key KTS-Wrap Key Wrapping, Key Keys:128 and 256 bits with AES-GCM: (A4743, A4744, Wrapping/Unwrapping) Unwrapping 128 and 256 bits of key A4745, A4746, A4751, strength A4755) Compliance:Compliant with IG D.G AES CCM (Authenticated BC-Auth Authenticated Keys:128 and 256 bits with AES-CCM: (A4743, A4755) Encryption/Decryption) Encryption/Decryption 128 and 256 bits of key strength Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Type Description Properties Algorithms AES GCM (Authenticated BC-Auth Authenticated Keys:128 and 256 bits with AES-GCM: (A4743, A4744, Encryption/Decryption) Encryption/Decryption 128 and 256 bits of key A4745, A4746, A4751, strength A4755) AES-CBC BC-UnAuth Encryption/Decryption Keys:128, 192, 256 bits AES-CBC: (A4743, A4744, with 128-256 bits of key A4745, A4746, A4751, strength A4755) AES-CMAC MAC Message authentication Keys:128 and 256 bits with AES-CMAC: (A4743, A4746, code (MAC) 128 and 256 bits of key A4751) strength HMAC MAC Message authentication Keys:112-524288 bits with HMAC-SHA-1: (A4746, code (MAC) 112-256 bits of key A4751, A4755) strength HMAC-SHA2-224: (A4746, A4751, A4755) HMAC-SHA2-256: (A4746, A4751, A4755) HMAC-SHA2-384: (A4746, A4751, A4755) HMAC-SHA2-512: (A4746, A4751, A4755) Hashes SHA Hashing SHA-1: (A4746, A4751, A4755) SHA2-224: (A4746, A4751, A4755) SHA2-256: (A4746, A4751, A4755) SHA2-384: (A4746, A4751, A4755) SHA2-512: (A4746, A4751, A4755) SHA3-224: (A4747, A4753) SHA3-256: (A4747, A4753) SHA3-384: (A4747, A4753) SHA3-512: (A4747, A4753) AES-CFB8 BC-UnAuth Encryption/Decryption Keys:128, 192, 256 bits AES-CFB8: (A4748, A4749, with 128-256 bits of key A4754) strength AES-XTS BC-UnAuth Encryption/Decryption Keys:128, 256 bits with 128 AES-XTS Testing Revision and 256 bits of key 2.0: (A4752) strength AES-GMAC MAC Message authentication Keys:128 and 256 bits with AES-GMAC: (A4751) code (MAC) 128 and 256 bits of key strength Counter DRBG DRBG Random Number Compliance:Compliant with Counter DRBG: (A4751) Generation SP800-90ARev1 ECDSA Signature DigSig-SigGen Signature Generation Curves: P-224, P-256, P- ECDSA SigGen (FIPS186-4): Generation 384, P-521 (A4751) Hashes:SHA2-224, SHA2256, SHA2-384, SHA2-512 ECDSA Key Generation CKG Key Generation Curves:P-224, P-256, P-384, ECDSA KeyGen (FIPS186-4): P-521 (A4751) ECDSA Signature DigSig-SigVer Signature Verification Curves: P-224, P-256, P- ECDSA SigVer (FIPS186-4): Verification 384, P-521 (A4751) Hashes:SHA2-224, SHA2256, SHA2-384, SHA2-512 ECDSA Key Verification AsymKeyPair-KeyVer Key Verification Curves:P-224, P-256, P-384, ECDSA KeyVer (FIPS186-4): P-521 (A4751) RSA Signature Generation DigSig-SigGen Signature Generation Keys:2048-16384 bits RSA SigGen (FIPS186-4): Hashes:SHA2-224, SHA2- (A4751) 256, SHA2-384, SHA2-512 Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Type Description Properties Algorithms RSA Key Generation CKG Key Generation Keys:2048-15360 bits RSA KeyGen (FIPS186-4): (A4751) RSA Signature Verification DigSig-SigVer Signature Verification Keys:1024-16384 bits RSA SigVer (FIPS186-4): Hashes:SHA2-224, SHA2- (A4751) 256, SHA2-384, SHA2-512 Safe Primes Key Generation CKG Key Generation Groups:MODP-2048, Safe Primes Key MODP-3072, MODP-4096, Generation: (A4751) MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 HKDF Key Derivation KAS-56CKDF Key Derivation HKDF derived key:112-256 KDA HKDF Sp800-56Cr1: bits with 112-256 bits of (A4750) key strength Password-based Key PBKDF Key Derivation PBKDF Derived key:112- PBKDF: (A4751) Derivation 4096 bits with 112-256 bits of key strength TLS 1.2 Key Derivation KAS-135KDF Key Derivation Derived secret::112-256 TLS v1.2 KDF RFC7627: bits with112-256 bits of key (A4751) strength AES-ECB BC-UnAuth Encryption/Decryption Keys:128, 192, 256 bits AES-ECB: (A4751) TLS Handshake KAS-Full Key Agreement Curves:P-224, P-256, P-384, KAS-ECC-SSC Sp800-56Ar3: P-521 elliptic curves with (A4751) 112-256 bits of key KAS-FFC-SSC Sp800-56Ar3: strength (A4751) Keys:2048, 3072, 4096, KDA HKDF Sp800-56Cr1: 6144, 8192-bit keys with (A4750) 112-200 bits of key TLS v1.2 KDF RFC7627: strength (A4751) Compliance:Compliant with IG D.F scenario 2(2) Symmetric Key Generation CKG Symmetric Key Generation Keys:112-256 bits with 112- Counter DRBG: (A4751) with Counter DRBG 256 bits of key strength Compliance:SP 800-133r2 section 6.1 Table 9: Security Function Implementations
The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The module is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary. This is in compliance with Scenario 2 of FIPS 140-3 IG C.H. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection. The IV generated in both TLS 1.2 and TLS 1.3 scenarios is only used within the context of the TLS protocol implementation.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132], the module ensures that the following requirements are met when running the PBKDF approved service.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
The module offers DH and ECDH shared secret computation services compliant to the SP 800-56Ar3. To meet the required assurances listed in section 5.6 of SP 800-56Ar3, the module shall be used together with an application that implements the “TLS protocol” and the following steps shall be performed. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Cert Vendor Name Number E99 Oracle Corporation Table 10: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Oracle User Space Non- Oracle Linux 9 on KVM on Oracle Linux 8 on AMD AMD EPYC(TM) 256 bits 256 bits AES-256 CTR DRBG CPU Time Jitter RNG Physical 7001 Series AMD EPYC 7J13; Ampere Ampere(R) Altra(R) (CAVP cert #A4751) Entropy Source Ampere(R) Altra(R) Q80-30; Intel Ice Lake Intel(R) Xeon(R) Platinum 8358 Table 11: Entropy Sources RNG Information: The module employs a Deterministic Random Bit Generator (DRBG) based on SP 800-90Ar1 for keys and random numbers for security functions (e.g. ECDSA signature generation), and server and client random numbers for the TLS protocol. In addition, the module provides a Random Number Generation service to calling applications. The DRBG supports the CTR_DRBG with AES-256, without a derivation function and without prediction resistance. The module uses an [SP800-90B]-compliant entropy source specified in the Entropy Source table. This entropy source is located within the physical perimeter, but outside of the cryptographic boundary of the module. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it, sufficient to provide a DRBG with 256 bits of security strength.
The module implements key generation methods according to SP 800-133r2 section 4 example 1, without the use of V. The key generation methods are specified in the Vendor Affirmed Algorithms table and the Security Function Implementations table. Additionally, the module implements key derivation methods according to section 6.2 of SP 800-133r2. The key derivation methods are specified in the Security Function Implementations table.
The module implements SSP agreement, compliant with IG D.F scenario 2(1) and scenario 2(2). Additionally, the module implements SSP transport, compliant with IG D.G. The Key Establishment methods are specified in the Security Function Implementations table. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
The module implements KDF for the TLS protocol TLSv1.2. No parts of the TLS 1.2, other than the key derivation functions mentioned above, have been tested by the CAVP and CMVP. The module implements HKDF for the TLS protocol TLSv1.3. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters, kernel I/O network or files on filesystem, TLS protocol input messages. N/A Data Output API output parameters, kernel I/O network or files on filesystem, TLS protocol output messages. N/A Control Input API function calls, API input parameters for control. N/A Status Output API return codes, API output parameters for status output. Table 12: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface.
The module does not implement a trusted channel.
The module does not implement a control output interface. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
The module does not implement authentication for roles.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 13: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. The module does not support multiple concurrent operators.
Name Description Indicator Inputs Outputs Security Functions SSP Access Message Digest Compute a GNUTLS_FIPS140_OP_APPROVED Message Digest value Hashes Crypto Officer message digest Encryption Encrypt a GNUTLS_FIPS140_OP_APPROVED AES Key, Ciphertext AES-CBC Crypto Officer plaintext plaintext AES-CFB8 - AES Key: W,E AES-XTS AES-ECB Decryption Decrypt a GNUTLS_FIPS140_OP_APPROVED AES Key, Plaintext AES-CBC Crypto Officer ciphertext ciphertext AES-CFB8 - AES Key: W,E AES-XTS AES-ECB Authenticated Authenticated GNUTLS_FIPS140_OP_APPROVED AES key, IV, Plaintext or AES CCM (Authenticated Crypto Officer Decryption Decryption MAC tag, failure Encryption/Decryption) - AES Key: W,E ciphertext AES GCM (Authenticated Encryption/Decryption) Authenticated Authenticated GNUTLS_FIPS140_OP_APPROVED AES Key, IV, Ciphertext, AES CCM (Authenticated Crypto Officer Encryption Encryption plaintext MAC tag Encryption/Decryption) - AES Key: W,E AES GCM (Authenticated Encryption/Decryption) AES Message Message GNUTLS_FIPS140_OP_APPROVED AES Key, MAC tag AES-CMAC Crypto Officer Authentication Authentication message AES-GMAC - AES Key: W,E HMAC Message Message GNUTLS_FIPS140_OP_APPROVED HMAC Key, MAC tag HMAC Crypto Officer Authentication Authentication message - HMAC Key: W,E ECDH Shared Compute a GNUTLS_FIPS140_OP_APPROVED EC Private Key, Shared secret KAS-ECC-SSC Crypto Officer Secret shared secret EC Public Key - EC Private Computation Key: W,E - EC Public Key: W,E - Shared Secret: G,R Key Derivation Derive a key GNUTLS_FIPS140_OP_APPROVED Shared Secret HKDF derived HKDF Key Derivation Crypto Officer key TLS 1.2 Key Derivation - Shared Secret: W,E - TLS PreMaster Secret: W,E - TLS Master Secret: W,E - TLS Derived Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Indicator Inputs Outputs Security Functions SSP Access Secret: G,R - HKDF Derived Key: G,R Password-Based Derive a key GNUTLS_FIPS140_OP_APPROVED Password PBKDF derived Password-based Key Crypto Officer Key Derivation from a password key Derivation - Password: W,E - PBKDF Derived Key: G,R DH Key Pair Key Pair GNUTLS_FIPS140_OP_APPROVED DH Group Module Safe Primes Key Crypto Officer Generation Generation generated DH Generation - Module private key, Generated DH Module Public Key: generated DH G,R public key - Module Generated DH Private Key: G,R - Intermediate Key Generation Value: G EC Key Pair Key Pair GNUTLS_FIPS140_OP_APPROVED Curve Module ECDSA Key Generation Crypto Officer Generation Generation generated EC - Module private key, Generated EC Module Public Key: generated EC G,R public key - Module Generated EC Private Key: G,R - Intermediate Key Generation Value: G RSA Key Pair Key Pair GNUTLS_FIPS140_OP_APPROVED Modulus Module RSA Key Generation Crypto Officer Generation Generation generated RSA - Module private key, Generated Module RSA Private generated RSA Key: G,R public key - Module Generated RSA Public Key: G,R - Intermediate Key Generation Value: G,R Public Key Verify an EC GNUTLS_FIPS140_OP_APPROVED EC public key Return ECDSA Key Verification Crypto Officer Verification public key codes/log - EC Private messages Key: W,E - EC Public Key: W,E Key Wrapping Wrap a key GNUTLS_FIPS140_OP_APPROVED AES Key, key Wrapped key AES CCM (Key Crypto Officer to be wrapped Wrapping/Unwrapping) - AES Key: W,E AES CBC with HMAC AES GCM (Key Wrapping/Unwrapping) Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Indicator Inputs Outputs Security Functions SSP Access Key Unwrapping Unwrap a key GNUTLS_FIPS140_OP_APPROVED AES Key, key Unwrapped AES CCM (Key Crypto Officer to be key Wrapping/Unwrapping) - AES Key: W,E unwrapped AES CBC with HMAC AES GCM (Key Wrapping/Unwrapping) Random Generate GNUTLS_FIPS140_OP_APPROVED Output length Random bytes Counter DRBG Crypto Officer Number random bytes - Entropy Generation Input: W,E - DRBG Seed: G,E - Internal State (V, Key): G,E Signature Verify a digital GNUTLS_FIPS140_OP_APPROVED Message, EC Pass/fail ECDSA Signature Crypto Officer Verification signature Public Key or Verification - EC Public RSA Public RSA Signature Key: W,E Key, signature, Verification - RSA Public hash algorithm Key: W,E Signature Signature GNUTLS_FIPS140_OP_APPROVED Message, EC Signature ECDSA Signature Crypto Officer Generation Generation Private Key or Generation - EC Private RSA Private RSA Signature Key: W,E Key, hash Generation - RSA Private algorithm Key: W,E Show Version Return the None N/A Module name None Crypto Officer module name and version and version information Show Status Return the None N/A Module status None Crypto Officer module status Self-Test Perform the None N/A Pass/Fail KAS-ECC-SSC Crypto Officer CASTs and KAS-FFC-SSC integrity tests AES CCM (Key Wrapping/Unwrapping) AES GCM (Key Wrapping/Unwrapping) AES-CBC AES-CMAC HMAC Hashes AES-CFB8 AES-XTS AES-GMAC Counter DRBG ECDSA Signature Generation ECDSA Key Generation ECDSA Signature Verification RSA Signature Generation RSA Key Generation RSA Signature Verification Safe Primes Key Generation HKDF Key Derivation Password-based Key Derivation TLS 1.2 Key Derivation AES-ECB AES CCM (Authenticated Encryption/Decryption) Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Indicator Inputs Outputs Security Functions SSP Access AES GCM (Authenticated Encryption/Decryption) Zeroization Zeroize all SSPs None Any SSP N/A None Crypto Officer - Modulegenerated AES Key: Z - AES Key: Z - Modulegenerated HMAC Key: Z - HMAC Key: Z - Shared Secret: Z - Password: Z - Entropy Input: Z - DRBG Seed: Z - Internal State (V, Key): Z - DH Public Key: Z - DH Private Key: Z - Module Generated DH Public Key: Z - Module Generated DH Private Key: Z - EC Private Key: Z - EC Public Key: Z - Module Generated EC Private Key: Z - Module Generated EC Public Key: Z - RSA Private Key: Z - RSA Public Key: Z - Module Generated RSA Private Key: Z - Module Generated RSA Public Key: Z - Intermediate Key Generation Value: Z - TLS PreMaster Secret: Z - TLS Master Secret: Z - TLS Derived Secret: Z Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Indicator Inputs Outputs Security Functions SSP Access - PBKDF Derived Key: Z - HKDF Derived Key: Z Transport Layer Provide GNUTLS_FIPS140_OP_APPROVED Cipher-suites, Return codes AES CBC with HMAC Crypto Officer Security (TLS) supported Digital and/or log AES-CBC - AES Key: W,E Network cipher suites in Certificate, messages, Hashes - HMAC Key: Protocol approved mode Public and Application ECDSA Signature W,E Private Keys, data Generation - RSA Public Application ECDSA Key Generation Key: W,E Data ECDSA Signature - RSA Private Verification Key: W,E ECDSA Key Verification - EC Public RSA Signature Key: W,E Generation - EC Private RSA Signature Key: W,E Verification - Module Safe Primes Key Generated DH Generation Public Key: TLS Handshake G,E AES CCM (Authenticated - Module Encryption/Decryption) Generated DH AES GCM (Authenticated Private Key: Encryption/Decryption) G,E - Module Generated EC Private Key: G,E - Module Generated EC Public Key: G,E - TLS Master Secret: G,E - TLS PreMaster Secret: G,E - TLS Derived Secret: G,R - HKDF Derived Key: G,R Symmetric Key Generate a key GNUTLS_FIPS140_OP_APPROVED N/A Module Symmetric Key Crypto Officer Generation generated AES Generation with Counter - Modulekey, Module DRBG generated AES generated Key: G,R HMAC key - Modulegenerated HMAC Key: G,R DH Shared Compute a GNUTLS_FIPS140_OP_APPROVED DH Public Key, Shared secret KAS-FFC-SSC Crypto Officer Secret shared secret DH Private Key - DH Public Computation Key: W,E - DH Private Key: W,E - Shared Secret: G,R Table 14: Approved Services The following convention is used to specify access rights to SSPs:
Name Description Algorithms Role Symmetric Key Generation Generate symmetric key other DRBG generation of keys smaller than 112 bits CO than AES and HMAC keys Symmetric Encryption/Decryption Compute the cipher for encryption Blowfish CO and decryption Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 SEED Serpent Triple-DES Twofish Asymmetric Key Generation Generate RSA, DSA, and ECDSA key DSA CO pairs ECDSA with curves not listed in the Approved Algorithms Table RSA with keys smaller than 2048 bits. Digital Signature Generation Sign RSA, DSA, and ECDSA DSA CO signatures ECDSA with curves/hash functions not listed in the Approved Algorithms Table RSA with keys smaller than 2048 bits and/or hash functions not listed in the Approved Algorithms Table Digital Signature Verification Verify RSA, DSA, and ECDSA DSA CO signatures ECDSA with curves/hash functions not listed in the Approved Algorithms Table RSA with keys smaller than 2048 bits and/or hash functions not listed in the Approved Algorithms Table Message Digest Compute message digest MD2, MD4, MD5 CO RMD160 STREEBOG Message Authentication Code Compute MAC CMAC with Triple-DES CO (MAC) GMAC with keys not listed in the Approved Algorithms Table HMAC with keys smaller than 112-bit HMAC with GOST UMAC Key Encapsulation/Un- Perform RSA key RSA encryption and decryption with any key sizes CO encapsulation encapsulation/un-encapsulation Key Derivation Perform key derivation PBKDF with non-approved message digest algorithms or using CO input parameters not meeting requirements stated in section 2.7 Transport Layer Security (TLS) Provide non-supported cipher Non-supported cipher suites (see Appendix A for the complete CO network protocol suites list of valid cipher suites) Random Number Generation Generate random numbers Yarrow CO DRBG generation of keys smaller than 112 bits Key Agreement Perform key agreement SRP CO Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Algorithms Role Authenticated Perform authenticated encryption Chacha20 and Poly1305 CO Encryption/Decryption or decryption AES GCM with keys not listed in the Approved Algorithms Table Shared Secret Computation Perform shared secret Diffie-Hellman using keys generated with domain parameters CO computation other than safe primes EC Diffie-Hellman with curves not listed in the Approved Algorithms Table Public Key Verification Verify ECDSA public keys ECDSA with curves not listed in the Approved Algorithms Table CO Table 15: Non-Approved Services
The module does not load external software or firmware. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
The integrity of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for the software components of the module listed in section 2. If the HMAC values do not match, the test fails, and the module enters the error state.
The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The Self-Tests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the Self-Test service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
The module shall be installed as stated in Section 11.1. There are no concurrent operators. The module does not have the capability of loading software or firmware from an external source. Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
The module is comprised of software only and therefore this section is not applicable. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
This module does not implement any non-invasive security mechanism and therefore this section is not applicable. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. The module does not perform Dynamic persistent storage of SSPs. Table 16: Storage Areas
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input parameters Operating calling application Cryptographic module Plaintext Manual Electronic (TOEPP) API output Cryptographic module Operator calling application Plaintext Manual Electronic parameters (TOEPP) Table 17: SSP Input-Output Methods The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment. The SSPs are provided to the module via API input parameters in the plaintext form and output via API output parameters in the plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] IG 9.5.A.
Zeroization Description Rationale Operator Initiation Method Free Cipher Zeroizes the SSPs Memory occupied by By calling the appropriate zeroization functions: AES Key: gnutls_cipher_deinit(); Handle referenced. In the SSPs is overwritten AES Key: gnutls_aead_cipher_deinit(); HMAC Key: gnutls_hmac_deinit(); RSA function name with zeroes, which Public and Private Keys: gnutls_privkey_deinit(), gnutls_x509_privkey_deinit(), renders the SSP values gnutls_rsa_params_deinit(); ECDSA Public and Private Keys: irretrievable. gnutls_privkey_deinit(), gnutls_x509_privkey_deinit(), gnutls_rsa_params_deinit(); Diffie-Hellman Public and Private Keys: gnutls_dh_params_deinit(); TLS Pre-master Secret: gnutls_deinit(); TLS Master Secret: gnutls_deinit(); TLS Derived Secret: gnutls_deinit(); Diffie-Hellman Public and Private Keys: gnutls_pk_params_clear(); EC Diffie-Hellman Public and Private Keys: gnutls_pk_params_clear(); Diffie-Hellman Shared Secret: zeroize key(); EC Diffie-Hellman Shared Secret: zeroize key(); All SSPs: gnutls_global_deinit() Module Reset De-allocates the Memory occupied by By unloading and reloading the module. volatile memory SSPs is overwritten used to store SSPs with zeroes, which renders the SSP values irretrievable Automatic Automatically Automatically zeroized N/A zeroized by the by the module when module when no no longer needed longer needed Table 18: SSP Zeroization Methods All data output is inhibited during zeroization. Once the zeroization is started, all data output via the data output interface is inhibited until the zeroization is completed successfully. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Size - Strength Type - Generated By Established Used By Category By Module- AES key generated during 128, 192, 256 bits Symmetric key - Symmetric Key generated AES Symmetric Key Generation - 128, 192, 256 CSP Generation with Key bits Counter DRBG AES Key AES key used for 128, 192, 256 bits Symmetric key - AES CCM (Key encryption, decryption, - 128, 192, 256 CSP Wrapping/Unwrapping) authenticated encryption, bits AES CBC with HMAC authenticated decryption AES GCM (Key and computing MAC tags Wrapping/Unwrapping) AES-CBC AES-CMAC AES-CFB8 AES-XTS AES-GMAC AES CCM (Authenticated Encryption/Decryption) AES GCM (Authenticated Encryption/Decryption) Module- HMAC key generated HMAC key Authentication Symmetric Key generated during Symmetric Key generated during key - CSP Generation with HMAC Key Generation Symmetric Key Counter DRBG Generation - 112-
HMAC Key HMAC Key 112-524288 bits - Authentication HMAC 112-256 bits key - CSP Shared Secret Shared secret generated by 224-8192 bits - Shared secret - KAS-ECC-SSC HKDF Key Derivation DH/ECDH 112-256 bits CSP KAS-FFC-SSC TLS 1.2 Key Derivation KDA HKDF Sp800-56Cr1 (A4750) Password PBKDF password 112-256 bits - N/A Password - CSP Password-based Key Derivation PBKDF Derived PBKDF2 derived key 112-4096 bits - Derived Key - Password-based Key 112-256 bits CSP Key Derivation Entropy Input Entropy input used to seed 128-448 bits - Entropy - CSP Counter DRBG the DRBGs 128-256 bits DRBG Seed DRBG seed derived from 128, 192, 256 bits SEED - CSP Counter DRBG Counter DRBG entropy input as defined in - 128-256 bits SP 800-90Ar1 Internal State Internal state of CTR_DRBG 128, 192, 256 bits DRBG Internal Counter DRBG Counter DRBG (V, Key) - 128-256 bits state - CSP DH Public Key Public key used for DH 2048, 3072, 4096, Public key - PSP KAS-FFC-SSC 6144, 8192 bits 112-200 bits DH Private Key Private key used for DH 2048, 3072, 4096, Private key - KAS-FFC-SSC 6144, 8192 bits - CSP 112-200 bits Module DH public key generated by 2048, 3072, 4096, Public key - PSP Safe Primes Key TLS Handshake Generated DH the module 6144, 8192 bits - Generation Public Key 112-200 bits Module DH private key generated 2048, 3072, 4096, Private key - Safe Primes Key TLS Handshake Generated DH by the module 6144, 8192 bits - CSP Generation Private Key 112-200 bits EC Private Key Private key used for ECDSA P-224, P-256, P- Private key - KAS-ECC-SSC signature generation and 384, P-521 - 128- CSP Shared Secret 256 bits Computation Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Size - Strength Type - Generated By Established Used By Category By EC Public Key Public key used for ECDSA P-224, P-256, P- Public key - PSP KAS-ECC-SSC signature verification 384, P-521 - 128primitive and Shared 256 bits Secret Computation Module EC private key generated P-224, P-256, P- Private key - ECDSA Key TLS Handshake Generated EC by the module 384, P-521 - 128- CSP Generation Private Key 256 bits Module EC public key generated by P-224, P-256, P- Public key - PSP ECDSA Key TLS Handshake Generated EC the module 384, P-521 - 128- Generation Public Key 256 bits RSA Private Key Private key used for RSA 2048, 3072, 4096 Private key - RSA Signature Generation signature generation bits - 112, 128, CSP
RSA Public Key Public key used for RSA 1024, 2048, 3072, Public key - PSP RSA Signature Verification signature verification 4096 bits - 80, 112, 128, 150 bits Module RSA private key generated 2048, 3072, 4096 Private key - RSA Key Generated RSA by the module bits - 112, 128, CSP Generation Private Key 150 bits Module RSA public key generated 2048, 3072, 4096 Public key - PSP RSA Key Generated RSA by the module bits - 112, 128, Generation Public Key 150 bits TLS Pre-Master TLS pre-master secret used 112-256 bits - N/A TLS Pre-master KAS-ECC-SSC TLS Handshake Secret for deriving the TLS master secret - CSP KAS-FFC-SSC secret TLS Master TLS master secret used for 112-256 bits - N/A TLS Master TLS 1.2 Key TLS Handshake Secret deriving the TLS derived secret - CSP Derivation secret TLS Derived TLS derived secret, derived 112-256 bits - Symmetric key - TLS 1.2 Key TLS Handshake Secret from TLS master secret 112-256 bits CSP Derivation Intermediate Intermediate key 224-4096 bits - Intermediate ECDSA Key ECDSA Key Generation Key Generation generation value 112-256 bits value - CSP Generation RSA Key Generation Value RSA Key Safe Primes Key Generation Generation Safe Primes Key Generation HKDF Derived HKDF derived key 112-256 - 112-256 Derived key - KDA HKDF Key bits CSP Sp800-56Cr1 (A4750) Table 19: SSP Table 1 Name Input - Storage Storage Duration Zeroization Related SSPs Output Module-generated AES API output RAM:Plaintext For the duration of the service Free Cipher Internal State (V, Key):Generated Key parameters Handle from Module Reset AES Key API input RAM:Plaintext For the duration of the service Free Cipher parameters Handle Module Reset Module-generated API output RAM:Plaintext For the duration of the service Free Cipher Internal State (V, Key):Generated HMAC Key parameters Handle from Module Reset HMAC Key API input RAM:Plaintext For the duration of the service Free Cipher parameters Handle Module Reset Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Input - Storage Storage Duration Zeroization Related SSPs Output Shared Secret API output RAM:Plaintext For the duration of the service Free Cipher DH Public Key:Used With parameters Handle DH Private Key:Used With Module Reset EC Private Key:Used With EC Public Key:Used With Password API input RAM:Plaintext For the duration of the service Free Cipher PBKDF Derived Key:Derivation of parameters Handle Module Reset PBKDF Derived Key API output RAM:Plaintext For the duration of the service Free Cipher Password:Derived From parameters Handle Module Reset Entropy Input RAM:Plaintext From generation until DRBG Automatic DRBG Seed:Generation of seed is created DRBG Seed RAM:Plaintext While the DRBG is being Automatic Entropy Input:Derived From instantiated Internal State (V, Key):Generation of Internal State (V, Key) RAM:Plaintext From DRBG instantiation until Automatic DRBG Seed:Generated From DRBG termination Module-generated AES Key:Generation Of Module-generated HMAC Key:Generation Of DH Public Key API input RAM:Plaintext For the duration of the service Free Cipher DH Private Key:Paired With parameters Handle Shared Secret:Generation Of Module Reset DH Private Key API input RAM:Plaintext For the duration of the service Free Cipher DH Public Key:Paired With parameters Handle Shared Secret:Generation Of Module Reset Module Generated DH API output RAM:Plaintext For the duration of the service Free Cipher Module Generated DH Private Public Key parameters Handle Key:Paired With Module Reset Intermediate Key Generation Value:Generated From Module Generated DH API output RAM:Plaintext For the duration of the service Free Cipher Module Generated DH Public Private Key parameters Handle Key:Paired With Module Reset Intermediate Key Generation Value:Generated From EC Private Key API input RAM:Plaintext For the duration of the service Free Cipher EC Public Key:Paired With parameters Handle Shared Secret:Generation Of Module Reset EC Public Key API input RAM:Plaintext For the duration of the service Free Cipher EC Private Key:Paired With parameters Handle Shared Secret:Generation Of Module Reset Module Generated EC API output RAM:Plaintext For the duration of the service Free Cipher Module Generated EC Public Private Key parameters Handle Key:Paired With Module Reset Intermediate Key Generation Value:Generated From Module Generated EC API output RAM:Plaintext For the duration of the service Free Cipher Module Generated EC Private Public Key parameters Handle Key:Paired With Module Reset Intermediate Key Generation Value:Generated From RSA Private Key API input RAM:Plaintext For the duration of the service Free Cipher RSA Public Key:Paired With parameters Handle Module Reset RSA Public Key API input RAM:Plaintext For the duration of the service Free Cipher RSA Private Key:Paired With parameters Handle Module Reset Module Generated RSA API output RAM:Plaintext For the duration of the service Free Cipher Module Generated RSA Public Private Key parameters Handle Key:Paired With Module Reset Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Input - Storage Storage Duration Zeroization Related SSPs Output Module Generated RSA API output RAM:Plaintext For the duration of the service Free Cipher Module Generated RSA Private Public Key parameters Handle Key:Paired With Module Reset TLS Pre-Master Secret RAM:Plaintext For the duration of the service Free Cipher TLS Master Secret:Generation Of Handle DH Public Key:Used With Module Reset DH Private Key:Used With EC Private Key:Used With EC Public Key:Used With TLS Master Secret RAM:Plaintext For the duration of the service Free Cipher TLS Pre-Master Secret:Derived Handle From Module Reset TLS Derived Secret:Derivation Of TLS Derived Secret API output RAM:Plaintext For the duration of the service Free Cipher TLS Master Secret:Derived From parameters Handle Module Reset Intermediate Key RAM:Plaintext For the duration of the service Automatic Module Generated DH Public Generation Value Key:Generation Of Module Generated DH Private Key:Generation Of Module Generated EC Private Key:Generation Of Module Generated EC Public Key:Generation Of Module Generated RSA Private Key:Generation Of Module Generated RSA Public Key:Generation Of HKDF Derived Key API output RAM:Plaintext For the duration of the service Free Cipher Shared Secret:Derived From parameters Handle Table 20: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. The RSA, ECDSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 will be withdrawn on February 3, 2024. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm or Test Test Method Test Indicator Details Test Properties Type HMAC-SHA2-256 256-bit key Message SW/FW Module becomes operational Integrity test for libgnutls.so.30, (A4746) Authentication Integrity and services are available for use libnettle.so.8, libhogweed.so.6, libgmp.so.10 HMAC-SHA2-256 256-bit key Message SW/FW Module becomes operational Integrity test for libgnutls.so.30, (A4751) Authentication Integrity and services are available for use libnettle.so.8, libhogweed.so.6, libgmp.so.10 HMAC-SHA2-256 256-bit key Message SW/FW Module becomes operational Integrity test for libgnutls.so.30, (A4755) Authentication Integrity and services are available for use libnettle.so.8, libhogweed.so.6, libgmp.so.10 Table 21: Pre-Operational Self-Tests The pre-operational software integrity test is performed automatically (after the CASTs) when the module is powered on, before the module transitions into the operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-test has passed successfully. If the pre-operational self-test fails, the module transitions to the error state.
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type ECDSA KeyGen SHA2-256 Signature generation and PCT Successful key Signature generation and Key pair (FIPS186-4) Signature verification generation verification generation (A4751) RSA KeyGen SHA2-256 Signature generation and PCT Successful key Signature generation and Key pair (FIPS186-4) Signature verification generation verification generation (A4751) Safe Primes Key N/A Diffie-Hellman key PCT Successful key PCT according to section Key pair Generation generation generation 5.6.2.1.4 of [SP800-56Ar3] generation (A4751) SHA3-224 SHA3-224 KAT SHA3-224 CAST Module is Message Digest Module (A4747) operational and initialization services are available for use SHA3-224 SHA3-224 KAT SHA3-224 CAST Module is Message Digest Module (A4753) operational and initialization services are available for use AES-CBC (A4743) 256-bit keys Encrypt/Decrypt KAT for CBC CAST Module is Encryption/Decryption Module operational and initialization services are available for use AES-CBC (A4744) 256-bit keys Encrypt/Decrypt KAT for CBC CAST Module is Encryption/Decryption Module operational and initialization services are available for use AES-CBC (A4745) 256-bit keys Encrypt/Decrypt KAT for CBC CAST Module is Encryption/Decryption Module operational and initialization services are available for use Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type AES-CBC (A4746) 256-bit keys Encrypt/Decrypt KAT for CBC CAST Module is Encryption/Decryption Module operational and initialization services are available for use AES-CBC (A4751) 256-bit keys Encrypt/Decrypt KAT for CBC CAST Module is Encryption/Decryption Module operational and initialization services are available for use AES-CBC (A4755) 256-bit keys Encrypt/Decrypt KAT for CBC CAST Module is Encryption/Decryption Module operational and initialization services are available for use AES-CFB8 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4748) CFB8 operational and initialization services are available for use AES-CFB8 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4749) CFB8 operational and initialization services are available for use AES-CFB8 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4754) CFB8 operational and initialization services are available for use AES-GCM 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4743) GCM operational and initialization services are available for use AES-GCM 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4744) GCM operational and initialization services are available for use AES-GCM 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4745) GCM operational and initialization services are available for use AES-GCM 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4746) GCM operational and initialization services are available for use AES-GCM 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4751) GCM operational and initialization services are available for use AES-GCM 256-bit keys Encrypt/Decrypt KAT for CAST Module is Encryption/Decryption Module (A4755) GCM operational and initialization services are available for use AES-XTS Testing 256-bit keys Encrypt/Decrypt KAT for XTS CAST Module is Encryption/Decryption Module Revision 2.0 operational and initialization (A4752) services are available for use KDA HKDF HMAC-SHA2- KAT with HMAC-SHA2-256 CAST Module is Key Derivation Module Sp800-56Cr1 256 for HKDF operational and initialization (A4750) services are available for use TLS v1.2 KDF HMAC-SHA2- KAT with HMAC-SHA2-256 CAST Module is Key Derivation Module RFC7627 (A4751) 256 for TLS 1.2 KDF operational and initialization Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type services are available for use PBKDF (A4751) HMAC-SHA2- KAT with HMAC-SHA2-256 CAST Module is Key Derivation Module
256 for PBKDF operational and initialization
services are available for use Counter DRBG 256-bit key; CTR_DRBG with AES without CAST Module is KAT CTR_DRBG with AES with Module (A4751) Health tests DF, without PR KAT; SP800- operational and 256-bit keys without DF, without initialization 90Ar1 Section 11.3 Health services are PR; Health tests Test available for use KAS-FFC-SSC 3072-bit key Primitive "Z" computation CAST Module is Shared Secret Computation Module Sp800-56Ar3 KAT operational and initialization (A4751) services are available for use KAS-ECC-SSC Curve P-256 Primitive "Z" computation CAST Module is Shared Secret Computation Module Sp800-56Ar3 KAT operational and initialization (A4751) services are available for use ECDSA SigGen Curve P-256 KAT ECDSA with P-256 using CAST Module is Signature Generation Module (FIPS186-4) and SHA2-256 SHA2-256 operational and initialization (A4751) services are available for use ECDSA SigVer Curve P-256 KAT ECDSA with P-256 using CAST Module is Signature Verification Module (FIPS186-4) and SHA2-256 SHA2-256 operational and initialization (A4751) services are available for use HMAC-SHA-1 128-bit key HMAC KAT with 128-bit key CAST Module is MAC Module (A4746) operational and initialization services are available for use HMAC-SHA-1 128-bit key HMAC KAT with 128-bit key CAST Module is MAC Module (A4751) operational and initialization services are available for use HMAC-SHA-1 128-bit key HMAC KAT with 128-bit key CAST Module is MAC Module (A4755) operational and initialization services are available for use RSA SigGen SHA2-256 RSA KAT with PKCS#1 v1.5 CAST Module is Signature generation Module (FIPS186-4) with SHA-256 and 2048-bit operational and initialization (A4751) key services are available for use RSA SigVer SHA2-256 RSA KAT with PKCS#1 v1.5 CAST Module is Signature verification Module (FIPS186-4) with SHA-256 and 2048-bit operational and initialization (A4751) key services are available for use HMAC-SHA2-224 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4746) operational and initialization services are available for use HMAC-SHA2-224 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4751) operational and initialization services are available for use HMAC-SHA2-224 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4755) operational and initialization services are available for use Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type HMAC-SHA2-256 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4746) operational and initialization services are available for use HMAC-SHA2-256 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4751) operational and initialization services are available for use HMAC-SHA2-256 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4755) operational and initialization services are available for use HMAC-SHA2-384 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4746) operational and initialization services are available for use HMAC-SHA2-384 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4751) operational and initialization services are available for use HMAC-SHA2-384 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4755) operational and initialization services are available for use HMAC-SHA2-512 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4746) operational and initialization services are available for use HMAC-SHA2-512 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4751) operational and initialization services are available for use HMAC-SHA2-512 160-bit key HMAC KAT with 160-bit key CAST Module is MAC Module (A4755) operational and initialization services are available for use SHA3-256 SHA3-256 KAT SHA3-256 CAST Module is Message Digest Module (A4747) operational and initialization services are available for use SHA3-256 SHA3-256 KAT SHA3-256 CAST Module is Message Digest Module (A4753) operational and initialization services are available for use SHA3-384 SHA3-384 KAT SHA3-384 CAST Module is Message Digest Module (A4747) operational and initialization services are available for use SHA3-384 SHA3-384 KAT SHA3-384 CAST Module is Message Digest Module (A4753) operational and initialization services are available for use SHA3-512 SHA3-512 KAT SHA3-512 CAST Module is Message Digest Module (A4747) operational and initialization services are available for use SHA3-512 SHA3-512 KAT SHA3-512 CAST Module is Message Digest Module (A4753) operational and initialization Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type services are available for use Table 22: Conditional Self-Tests If any conditional self-test fails, the module transitions to the error state.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 (A4746) Message Authentication SW/FW Integrity On demand Manually HMAC-SHA2-256 (A4751) Message Authentication SW/FW Integrity On demand Manually HMAC-SHA2-256 (A4755) Message Authentication SW/FW Integrity On demand Manually Table 23: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method ECDSA KeyGen (FIPS186-4) Signature generation and PCT On demand Manually (A4751) Signature verification RSA KeyGen (FIPS186-4) Signature generation and PCT On demand Manually (A4751) Signature verification Safe Primes Key Generation Diffie-Hellman key PCT On demand Manually (A4751) generation SHA3-224 (A4747) KAT SHA3-224 CAST On demand Manually SHA3-224 (A4753) KAT SHA3-224 CAST On demand Manually AES-CBC (A4743) Encrypt/Decrypt KAT for CAST On demand Manually CBC AES-CBC (A4744) Encrypt/Decrypt KAT for CAST On demand Manually CBC AES-CBC (A4745) Encrypt/Decrypt KAT for CAST On demand Manually CBC AES-CBC (A4746) Encrypt/Decrypt KAT for CAST On demand Manually CBC AES-CBC (A4751) Encrypt/Decrypt KAT for CAST On demand Manually CBC AES-CBC (A4755) Encrypt/Decrypt KAT for CAST On demand Manually CBC AES-CFB8 (A4748) Encrypt/Decrypt KAT for CAST On demand Manually CFB8 AES-CFB8 (A4749) Encrypt/Decrypt KAT for CAST On demand Manually CFB8 AES-CFB8 (A4754) Encrypt/Decrypt KAT for CAST On demand Manually CFB8 AES-GCM (A4743) Encrypt/Decrypt KAT for CAST On demand Manually GCM AES-GCM (A4744) Encrypt/Decrypt KAT for CAST On demand Manually GCM AES-GCM (A4745) Encrypt/Decrypt KAT for CAST On demand Manually GCM AES-GCM (A4746) Encrypt/Decrypt KAT for CAST On demand Manually GCM AES-GCM (A4751) Encrypt/Decrypt KAT for CAST On demand Manually GCM Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A4755) Encrypt/Decrypt KAT for CAST On demand Manually GCM AES-XTS Testing Revision Encrypt/Decrypt KAT for CAST On demand Manually
KDA HKDF Sp800-56Cr1 KAT with HMAC-SHA2-256 CAST On demand Manually (A4750) for HKDF TLS v1.2 KDF RFC7627 KAT with HMAC-SHA2-256 CAST On demand Manually (A4751) for TLS 1.2 KDF PBKDF (A4751) KAT with HMAC-SHA2-256 CAST On demand Manually for PBKDF Counter DRBG (A4751) CTR_DRBG with AES CAST On demand Manually without DF, without PR KAT; SP800-90Ar1 Section
KAS-FFC-SSC Sp800-56Ar3 Primitive "Z" computation CAST On demand Manually (A4751) KAT KAS-ECC-SSC Sp800-56Ar3 Primitive "Z" computation CAST On demand Manually (A4751) KAT ECDSA SigGen (FIPS186-4) KAT ECDSA with P-256 CAST On demand Manually (A4751) using SHA2-256 ECDSA SigVer (FIPS186-4) KAT ECDSA with P-256 CAST On demand Manually (A4751) using SHA2-256 HMAC-SHA-1 (A4746) HMAC KAT with 128-bit key CAST On demand Manually HMAC-SHA-1 (A4751) HMAC KAT with 128-bit key CAST On demand Manually HMAC-SHA-1 (A4755) HMAC KAT with 128-bit key CAST On demand Manually RSA SigGen (FIPS186-4) RSA KAT with PKCS#1 v1.5 CAST On demand Manually (A4751) with SHA-256 and 2048-bit key RSA SigVer (FIPS186-4) RSA KAT with PKCS#1 v1.5 CAST On demand Manually (A4751) with SHA-256 and 2048-bit key HMAC-SHA2-224 (A4746) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-224 (A4751) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-224 (A4755) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-256 (A4746) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-256 (A4751) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-256 (A4755) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-384 (A4746) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-384 (A4751) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-384 (A4755) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-512 (A4746) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-512 (A4751) HMAC KAT with 160-bit key CAST On demand Manually HMAC-SHA2-512 (A4755) HMAC KAT with 160-bit key CAST On demand Manually SHA3-256 (A4747) KAT SHA3-256 CAST On demand Manually SHA3-256 (A4753) KAT SHA3-256 CAST On demand Manually SHA3-384 (A4747) KAT SHA3-384 CAST On demand Manually SHA3-384 (A4753) KAT SHA3-384 CAST On demand Manually SHA3-512 (A4747) KAT SHA3-512 CAST On demand Manually SHA3-512 (A4753) KAT SHA3-512 CAST On demand Manually Table 24: Conditional Periodic Information Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Name Description Conditions Recovery Method Indicator Error The module stops When the Pre- The module must be restarted GNUTLS_E_SELF_TEST_ERROR (-400); functioning and ends Operational Self- and successfully perform the GNUTLS_E_RANDOM_FAILED (-206); the Application Test or a CAST fails pre-operational self-test and GNUTLS_E_PK_GENERATION_ERROR (-403); process When a PCT fails the CASTs to recover from GNUTLS_E_LIB_IN_ERROR_STATE (-402) Crypto operations these errors. requested in the Error state Table 25: Error States In the error state, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). The calling application can obtain the module state by calling the gnutls_fips140_get_operation_state() API function.
The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational test (i.e., integrity test) and CASTs. The Self-Tests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms selftests. Additionally, the Self-Test service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible. The PCTs can be invoked on demand by requesting the Asymmetric Key Generation service. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
The module is distributed as a part of the Oracle Linux 9 (OL9) RPM in the form of gnutls-3.7.6-21.0.1.el9_2_fips, nettle-3.8-3.el9_0, gmp-6.2.0-10.el9 RPM packages that are in the “Oracle Linux 9 Security Validation (Update 3)” yum repository (ol9_u3_security_validation). Note: libhogweed is provided by nettle-3.8-3.el9_0. The Oracle Linux 9 system FIPS validated configuration can be achieved by:
The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the logical interfaces are specified in section 3.1. The requirements and restrictions that shall be considered when operating the module in approved mode are specified in section 2.7 (for algorithm-specific information) and section 6 (for operational environment). The installation, initialization, and startup procedures specified in section 11.1 shall be followed.
The module does not have any guidance for non-administrator.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the gnutls-3.7.6-21.0.1.el9_2_fips, nettle-3.83.el9_0, gmp-6.2.0-10.el9 RPM packages can be uninstalled from the Oracle Linux 9 system. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
The module does not offer mitigation of other attacks. Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Appendix A. TLS Cipher Suites The module supports the following cipher suites for the TLS protocol version 1.2 and 1.3, compliant with section
3.3.1 of [SP800-52rev2]. Each cipher suite defines the key exchange algorithm, the bulk encryption algorithm
(including the symmetric key size) and the MAC algorithm. Cipher Suite ID Reference TLS_DH_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x31 } RFC3268 TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x33 } RFC3268 TLS_DH_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x37 } RFC3268 TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x39 } RFC3268 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x3F } RFC5246 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x67 } RFC5246 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 { 0x00,0x69 } RFC5246 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 { 0x00,0x6B } RFC5246 TLS_PSK_WITH_AES_128_CBC_SHA { 0x00, 0x8C } RFC4279 TLS_PSK_WITH_AES_256_CBC_SHA { 0x00, 0x8D } RFC4279 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 { 0x00, 0x9E } RFC5288 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 { 0x00, 0x9F } RFC5288 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 { 0x00, 0xA0 } RFC5288 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 { 0x00, 0xA1 } RFC5288 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { 0xC0, 0x04 } RFC4492 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { 0xC0, 0x05 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0, 0x09 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0, 0x0A } RFC4492 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { 0xC0, 0x0E } RFC4492 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { 0xC0, 0x0F } RFC4492 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0, 0x13 } RFC4492 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0, 0x14 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x23 } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x24 } RFC5289 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x25 } RFC5289 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x26 } RFC5289 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x27 } RFC5289 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x28 } RFC5289 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x29 } RFC5289 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x2A } RFC5289 Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Cipher Suite ID Reference TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2B } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x2C } RFC5289 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2D } RFC5289 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x2E } RFC5289 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2F } RFC5289 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x30 } RFC5289 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x31 } RFC5289 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x32 } RFC5289 TLS_DHE_RSA_WITH_AES_128_CCM { 0xC0, 0x9E } RFC6655 TLS_DHE_RSA_WITH_AES_256_CCM { 0xC0, 0x9F } RFC6655 TLS_DHE_RSA_WITH_AES_128_CCM_8 { 0xC0, 0xA2 } RFC6655 TLS_DHE_RSA_WITH_AES_256_CCM_8 { 0xC0, 0xA3 } RFC6655 TLS_AES_128_GCM_SHA256 { 0x13, 0x01 } RFC8446 TLS_AES_256_GCM_SHA384 { 0x13, 0x02 } RFC8446 TLS_AES_128_CCM_SHA256 { 0x13, 0x04 } RFC8446 TLS_AES_128_CCM_8_SHA256 { 0x13, 0x05 } RFC8446 Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter TOEPP Tested Operational Environment’s Physical Perimeter XTS XEX-based Tweaked-codebook mode with cipher text Stealing Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
Appendix C. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf Oracle Linux 9 GnuTLS Cryptographic Module Security Policy
SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf Oracle Linux 9 GnuTLS Cryptographic Module Security Policy