Wickr FIPS Object Module For OpenSSL - NIST


Wickr FIPS Object Module for OpenSSL
Version 2.0.16

Wickr FIPS 140-2 Non-proprietary Security Policy
Version 1.0
December 20, 2019

Wickr FIPS Object Module for OpenSSL FIPS 140-2 Security Policy

Copyright Notice

Copyright 2019 Wickr, Inc.

This document was derived from the OpenSSL FIPS 140-2 Security Policy document for the CMVP FIPS validation certificate #2398.

This document may be freely reproduced in whole or part without permission and without restriction.

References

Reference: Full Specification Name
[ANS X9.31]: Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)
[FIPS 140-2]: Security Requirements for Cryptographic Modules
[FIPS 180-4]: Secure Hash Standard
[FIPS 186-2]: Digital Signature Standard
[FIPS 186-4]: Digital Signature Standard
[FIPS 197]: Advanced Encryption Standard
[FIPS 198-1]: The Keyed-Hash Message Authentication Code (HMAC)
[SP 800-38A]: Recommendation for Block Cipher Modes of Operation
[SP 800-38B]: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
[SP 800-38C]: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
[SP 800-38D]: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
[SP 800-38E]: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
[SP 800-56A]: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
[SP 800-56B]: Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography
[SP 800-57]: Recommendation for Key Management Part 1: General
[SP 800-67]: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
[SP 800-89]: Recommendation for Obtaining Assurances for Digital Signature Applications
[SP 800-90A]: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
[SP 800-131A]: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Table of Contents

1 Introduction
2 Tested Configurations
3 Ports and Interfaces
4 Modes of Operation and Cryptographic Functionality
4.1 Critical Security Parameters and Public Keys
5 Roles, Authentication and Services
6 Self-test
7 Operational Environment
8 Mitigation of other Attacks
Appendix A Installation and Usage Guidance
Appendix B Controlled Distribution File Fingerprint
Appendix C Compilers

1 Introduction

This document is the non-proprietary security policy for the Wickr FIPS Object Module for OpenSSL, hereafter referred to as the Module.

The Module is a software library providing a C-language application program interface (API) for use by other processes that require cryptographic functionality. The Module is classified by FIPS 140-2 as a software module, multi-chip standalone module embodiment. The physical cryptographic boundary is the general purpose computer on which the module is installed. The logical cryptographic boundary of the Module is the fipscanister object module, a single object module file named fipscanister.o (Linux [1] / Unix [2]) or fipscanister.lib (Microsoft Windows [3]). The Module performs no communications other than with the calling application (the process that invokes the Module services).

Note that the Module is a rebranding of the OEM OpenSSL module (Cert. #2398) version 2.0.16. Version 2.0.16 is fully backwards compatible with all earlier revisions of the OpenSSL FIPS Object Module SE. The v2.0.16 Module incorporates support for new platforms without disturbing functionality for any previously tested platforms. The v2.0.16 Module can be used in any environment supported by the earlier revisions of the Module, and those earlier revisions remain valid.

The FIPS 140-2 security levels for the Module are as follows:

Security Requirement: Security Level
Cryptographic Module Specification: 1
Cryptographic Module Ports and Interfaces: 1
Roles, Services, and Authentication: 2
Finite State Model: 1
Physical Security: NA
Operational Environment: 1
Cryptographic Key Management: 1
EMI/EMC: 1
Self-Tests: 1
Design Assurance: 3
Mitigation of Other Attacks: NA

Table 1 – Security Level of Security Requirements

[1] Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
[2] UNIX is a registered trademark of The Open Group.
[3] Windows is a registered trademark of Microsoft Corporation in the United States and other countries.

The Module’s software version for this validation is 2.0.16. The v2.0.16 Module incorporates changes from earlier revisions of the Module to support additional platforms. The v2.0.16 Module can be used in all the environments supported by the earlier v2.0.9, v2.0.10, v2.0.11, v2.0.12, v2.0.13, v2.0.14, and v2.0.15 revisions of the Module.

2 Tested Configurations

#: Operational Environment; Processor; Optimizations; EC; B
1: Windows 10 April 2018 Update; Intel Core i7-6820HQ; None; BKP; U2
2: Windows 10 April 2018 Update; Intel Core i7-6820HQ; AES-NI; BKP; U2
3: macOS Mojave 64 bit; Intel Core i5 (x86); None; BKP; U2
4: macOS Mojave 64 bit; Intel Core i5 (x86); …; …; U2
5: iOS 13.1 64 bit; Apple A11 Bionic (ARMv8); …; …; U2
6: iOS 13.1 64 bit; Apple A11 Bionic (ARMv8); …; …; U2
7: Android 9 64 bit; Qualcomm Snapdragon 855; …; …; U2
8: Android 9 64 bit; Qualcomm Snapdragon 855; …; …; U2
9: Ubuntu 18.04 64 bit; Intel Core i7-6820HQ; …; …; U2
10: Ubuntu 18.04 64 bit; Intel Core …; …; …; U2

Table 2 - Tested Configurations (B Build Method; EC Elliptic Curve Support). The EC column indicates support for prime curve only (P), or all NIST defined B, K, and P curves (BKP).

See Appendix A for additional information on build method and optimizations. See Appendix C for a list of the specific compilers used to generate the Module for the respective operational environments.

3 Ports and Interfaces

The physical ports of the Module are the same as the computer system on which it is executing. The logical interface is a C-language application program interface (API).

Logical interface type: Description
Control input: API entry point and corresponding stack parameters
Data input: API entry point data input stack parameters
Status output: API entry point return values and status stack parameters
Data output: API entry point data output stack parameters

Table 3 - Logical interfaces

As a software module, control of the physical ports is outside module scope. However, when the module is performing self-tests, or is in an error state, all output on the logical data output interface is inhibited. The module is single-threaded and in error scenarios returns only an error value (no data output is returned).

4 Modes of Operation and Cryptographic Functionality

The Module supports only a FIPS 140-2 Approved mode. Tables 4a and 4b list the Approved and Non-approved but Allowed algorithms, respectively.

Function: Random Number Generation; Symmetric key generation
  Algorithm: [SP 800-90A] DRBG [4]. Prediction resistance supported for all variations
  Options: Hash DRBG; HMAC DRBG; CTR DRBG (AES)
  Cert #: C1359

Function: Encryption, Decryption and CMAC
  Algorithm: [SP 800-67] [5]
  Options: 3-Key Triple-DES TECB, TCBC, TCFB, TOFB; CMAC generate and verify
  Cert #: C1359

  Algorithm: [FIPS 197] AES; [SP 800-38A] ECB, CBC, OFB, CFB, CTR; [SP 800-38B] CMAC; [SP 800-38C] CCM; [SP 800-38D] GCM; [SP 800-38E] XTS [6]
  Options: 128/192/256 ECB, CBC, OFB, CFB 1, CFB 8, CFB 128, CTR, XTS; CCM; GCM; CMAC generate and verify
  Cert #: C1359

Function: Message Digests
  Algorithm: [FIPS 180-4]
  Options: SHA-1, SHA-2 (224, 256, 384, 512)
  Cert #: C1359

[4] For all DRBGs the "supported security strengths" is just the highest supported security strength per [SP800-90A] and [SP800-57].
[5] Per FIPS 140-2 Implementation Guidance A.13, it is the calling application's responsibility to limit a single Triple-DES key to 2^16 encryptions. Failure to comply with this requirement will place the module in a non-Approved mode.
[6] AES in XTS mode is only allowed for usage in storage applications. The calling application is responsible for ensuring that the length of XTS-AES encrypted data does not exceed 2^20 blocks.

Function: Keyed Hash
  Algorithm: [FIPS 198] HMAC
  Options: SHA-1, SHA-2 (224, 256, 384, 512)
  Cert #: C1359

Function: Digital Signature and Asymmetric Key Generation
  Algorithm: [FIPS 186-2] RSA
  Options: SigVer9.31, SigVerPKCS1.5, SigVerPSS (1024/1536/2048/3072/4096 with all SHA-1 and SHA-2 sizes)
  Cert #: C1359

  Algorithm: [FIPS 186-4] RSA
  Options:
    SigGen9.31 (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 )),
    SigGenPKCS1.5 (2048 SHA( 224 , 256 , 384 , 512 )) (3072 SHA( 224 , 256 , 384 , 512 )),
    SigGenPSS (2048 SHA( 224 SaltLen( 0 ) , 256 SaltLen( 0 ) , 384 SaltLen( 0 ) , 512 SaltLen( 0 ) )) (3072 SHA( 224 SaltLen( 0 ) , 256 SaltLen( 0 ) , 384 SaltLen( 0 ) , 512 SaltLen( 0 ) ))
  Cert #: C1359

  Algorithm: [FIPS 186-4] DSA
  Options:
    PQG Gen, Key Pair Gen, Sig Gen (2048/3072 with all SHA-2 sizes)
    PQG Ver, Sig Ver (1024/2048/3072 with all SHA sizes)
  Cert #: C1359

  Algorithm: [FIPS 186-2] ECDSA
  Options:
    PKG: CURVES( P-224 P-384 P-521 K-233 K-283 K-409 K-571 B-233 B-283 B-409 B-571 )
    PKV: CURVES( P-192 P-224 P-256 P-384 P-521 K-163 K-233 K-283 K-409 K-571 B-163 B-233 B-283 B-409 B-571 )
  Cert #: C1359

  Algorithm: [FIPS 186-4] ECDSA
  Options:
    PKG: CURVES( P-224 P-256 P-384 P-521 K-224 K-256 K-384 K-521 B-224 B-256 B-384 B-521 ExtraRandomBits TestingCandidates )
    PKV: CURVES( ALL-P ALL-K ALL-B )
    SigGen: CURVES( P-224: (SHA-224, 256, 384, 512) P-256: (SHA-224, 256, 384, 512) P-384: (SHA-224, 256, 384, 512) P-521: (SHA-224, 256, 384, 512) K-233: (SHA-224, 256, 384, 512) K-283: (SHA-224, 256, 384, 512) K-409: (SHA-224, 256, 384, 512) K-571: (SHA-224, 256, 384, 512) B-233: (SHA-224, 256, 384, 512) B-283: (SHA-224, 256, 384, 512) B-409: (SHA-224, 256, 384, 512) B-571: (SHA-224, 256, 384, 512) )
    SigVer: CURVES( P-192: (SHA-1, 224, 256, 384, 512) P-224: (SHA-1, 224, 256, 384, 512) P-256: (SHA-1, 224, 256, 384, 512) P-384: (SHA-1, 224, 256, 384, 512) P-521: (SHA-1, 224, 256, 384, 512) K-163: (SHA-1, 224, 256, 384, 512) K-233: (SHA-1, 224, 256, 384, 512) K-283: (SHA-1, 224, 256, 384, 512) K-409: (SHA-1, 224, 256, 384, 512) K-571: (SHA-1, 224, 256, 384, 512) B-163: (SHA-1, 224, 256, 384, 512) B-233: (SHA-1, 224, 256, 384, 512) B-283: (SHA-1, 224, 256, 384, 512) B-409: (SHA-1, 224, 256, 384, 512) B-571: (SHA-1, 224, 256, 384, 512) )
  Cert #: C1359

Function: ECC CDH (KAS Component)
  Algorithm: [SP 800-56A] (§5.7.1.2)
  Options: All NIST defined B, K and P curves except sizes 163 and 192
  Cert #: C1359

Table 4a – FIPS Approved Cryptographic Functions

The Module supports only NIST defined curves for use with ECDSA and ECC CDH. The Module supports two operational environment configurations for elliptic curve; NIST prime curve only (listed in Table 2 with the EC column marked "P") and all NIST defined curves (listed in Table 2 with the EC column marked "BKP").
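The footnotes to Table 4a leave two limits to the calling application: 2^16 encryptions per Triple-DES key and 2^20 blocks of XTS-AES encrypted data. The following added example, which is not code from the Module or from Wickr, shows caller-side bookkeeping for both; the type and function names are hypothetical, and it assumes one "encryption" means one 64-bit Triple-DES block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits stated in the policy's footnotes on Triple-DES and XTS-AES. */
#define TDES_MAX_BLOCKS  (UINT64_C(1) << 16) /* encryptions per Triple-DES key */
#define XTS_MAX_BLOCKS   (UINT64_C(1) << 20) /* AES blocks per XTS-encrypted unit */
#define TDES_BLOCK_BYTES 8u
#define AES_BLOCK_BYTES  16u

/* Hypothetical per-key record kept by the calling application. */
typedef struct {
    uint64_t blocks_used; /* 64-bit blocks already encrypted under this key */
} tdes_key_budget;

/* Cipher blocks needed for len bytes, rounded up without overflow. */
static uint64_t blocks_for(size_t len, unsigned block_bytes)
{
    return (uint64_t)(len / block_bytes) + (len % block_bytes != 0);
}

void tdes_budget_init(tdes_key_budget *b) { b->blocks_used = 0; }

uint64_t tdes_budget_remaining(const tdes_key_budget *b)
{
    return TDES_MAX_BLOCKS - b->blocks_used;
}

/* Call before handing data to the Module. All-or-nothing: returns 1 and
 * charges the budget, or returns 0 and leaves it untouched, in which case
 * the caller must switch to a fresh key instead of encrypting. */
int tdes_budget_reserve(tdes_key_budget *b, size_t len)
{
    uint64_t need = blocks_for(len, TDES_BLOCK_BYTES);
    if (need > tdes_budget_remaining(b))
        return 0;
    b->blocks_used += need;
    return 1;
}

/* Returns 1 if len bytes may be encrypted as one XTS-AES unit.
 * XTS needs at least one full AES block; a partial final block is allowed. */
int xts_length_ok(size_t len)
{
    if (len < AES_BLOCK_BYTES)
        return 0;
    return blocks_for(len, AES_BLOCK_BYTES) <= XTS_MAX_BLOCKS;
}

int main(void)
{
    tdes_key_budget key;
    unsigned records = 0;

    tdes_budget_init(&key);
    /* Constructed workload: 1 KiB records until the key must be retired. */
    while (tdes_budget_reserve(&key, 1024))
        records++;
    printf("1 KiB records encrypted before rekey: %u\n", records);
    printf("16 MiB XTS unit allowed: %d, one byte more: %d\n",
           xts_length_ok((size_t)16 << 20),
           xts_length_ok(((size_t)16 << 20) + 1));
    return 0;
}
```

The reservation is made before the call into the Module so that a request that would cross the limit is refused whole rather than partly encrypted.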

Category: Key Agreement
  Algorithm: EC DH
  Description: Non-compliant (untested) DH scheme using elliptic curve, supporting all NIST defined B, K and P curves. Key agreement is a service provided for calling process use, but is not used to establish keys into the Module.

Table 4b – Non-FIPS Approved But Allowed Cryptographic Functions

The Module implements the following services which are Non-Approved per the SP 800-131A transitions:

Function: Random Number Generation; Symmetric key generation
  Algorithm: [ANS X9.31] RNG
  Options/Description: AES 128/192/256

  Algorithm: [SP 800-90A] DRBG
  Options/Description: Dual EC DRBG

Function: Digital Signature and Asymmetric Key Generation
  Algorithm: [FIPS 186-2] RSA
  Options/Description: GenKey9.31, SigGen9.31, SigGenPKCS1.5, SigGenPSS

  Algorithm: [FIPS 186-2] DSA
  Options/Description: PQG Gen, Key Pair Gen, Sig Gen (1024 with all SHA sizes, 2048/3072 with SHA-1)

  Algorithm: [FIPS 186-4] DSA
  Options/Description: PQG Gen, Key Pair Gen, Sig Gen (1024 with all SHA sizes, 2048/3072 with SHA-1)

  Algorithm: [FIPS 186-2] ECDSA
  Options/Description:
    PKG: CURVES( P-192 K-163 B-163 )
    SIG(gen): CURVES( P-192 P-224 P-256 P-384 P-521 K-163 K-233 K-283 K-409 K-571 B-163 B-233 B-283 B-409 B-571 )

  Algorithm: [FIPS 186-4] ECDSA
  Options/Description:
    PKG: CURVES( P-192 K-163 B-163 )
    SigGen: CURVES( P-192: (SHA-1, 224, 256, 384, 512) P-224:(SHA-1) P-256:(SHA-1) P-384:(SHA-1) P-521:(SHA-1) K-163: (SHA-1, 224, 256, 384, 512) K-233:(SHA-1) K-283:(SHA-1) K-409:(SHA-1) K-571:(SHA-1) B-163: (SHA-1, 224, 256, 384, 512) B-233:(SHA-1) B-283:(SHA-1) B-409:(SHA-1) B-571:(SHA-1) )

Function: ECC CDH (CVL)
  Algorithm: [SP 800-56A] (§5.7.1.2)
  Options/Description: All NIST Recommended B, K and P curves sizes 163 and 192

Function: Key Encryption, Decryption
  Algorithm: RSA
  Options/Description: RSA encryption and decryption is supported by the module, but in itself is not Approved for usage in the FIPS mode of operation. No CSPs are established into or exported out of the module using these services.

Table 4c – FIPS Non-Approved Cryptographic Functions

X9.31 RNG is Non-Approved effective December 31, 2015, per the CMVP Notice "X9.31 RNG transition, December 31, 2015".

These algorithms shall not be used when operating in the FIPS Approved mode of operation.

EC DH Key Agreement provides a maximum of 256 bits of security strength. RSA Key Wrapping provides a maximum of 256 bits of security strength.

The Module requires an initialization sequence (see IG 9.5): the calling application invokes FIPS_mode_set() [7], which returns a “1” for success and “0” for failure. If FIPS_mode_set() fails then all cryptographic services fail from then on. The application can test to see if FIPS mode has been successfully performed.

The Module is a cryptographic engine library, which can be used only in conjunction with additional software. Aside from the use of the NIST defined elliptic curves as trusted third party domain parameters, all other FIPS 186-4 assurances are outside the scope of the Module, and are the responsibility of the calling process.

4.1 Critical Security Parameters and Public Keys

All CSPs used by the Module are described in this section. All access to these CSPs by Module services is described in Section 4. The CSP names are generic, corresponding to API parameter data structures.

CSP Name: Description
RSA SGK: RSA (2048 to 16384 bits) signature generation key
RSA KDK: RSA (2048 to 16384 bits) key decryption (private key transport) key
DSA SGK: [FIPS 186-4] DSA (2048/3072) signature generation key or [FIPS 186-2] DSA (1024) signature generation key
ECDSA SGK: ECDSA (All NIST defined B, K, and P curves) signature generation key
EC DH Private: EC DH (All NIST defined B, K, and P curves) private key agreement key.
AES EDK: AES (128/192/256) encrypt / decrypt key
AES CMAC: AES (128/192/256) CMAC generate / verify key
AES GCM: AES (128/192/256) encrypt / decrypt / generate / verify key
AES XTS: AES (256/512) XTS encrypt / decrypt key
Triple-DES EDK: Triple-DES (3-Key) encrypt / decrypt key
Triple-DES CMAC: Triple-DES (3-Key) CMAC generate / verify key
HMAC Key: Keyed hash key (160/224/256/384/512)
Hash DRBG CSPs: V (440/888 bits) and C (440/888 bits), entropy input (length dependent on security strength)
HMAC DRBG CSPs: V (160/224/256/384/512 bits) and Key (160/224/256/384/512 bits), entropy input (length dependent on security strength)
CTR DRBG CSPs: V (128 bits) and Key (AES 128/192/256), entropy input (length dependent on security strength)
CO-AD-Digest: Pre-calculated HMAC-SHA-1 digest used for Crypto Officer role authentication
User-AD-Digest: Pre-calculated HMAC-SHA-1 digest used for User role authentication

Table 4.1a – Critical Security Parameters

Authentication data is loaded into the module during the module build process, performed by an authorized operator (Crypto Officer), and otherwise cannot be accessed.

The module does not output intermediate key generation values.

[7] The function call in the Module is FIPS_module_mode_set() which is typically used by an application via the FIPS_mode_set() wrapper function.

CSP Name: Description
RSA SVK: RSA (1024 to 16384 bits) signature verification public key
RSA KEK: RSA (1024 to 16384 bits) key encryption (public key transport) key
DSA SVK: [FIPS 186-4] DSA (1024/2048/3072) signature verification key or [FIPS 186-2] DSA (1024) signature verification key
ECDSA SVK: ECDSA (All NIST defined B, K and P curves) signature verification key
EC DH Public: EC DH (All NIST defined B, K and P curves) public key agreement key.

Table 4.1b – Public Keys

For all CSPs and Public Keys:

Storage: RAM, associated to entities by memory location. The Module stores RNG and DRBG state values for the lifetime of the RNG or DRBG instance. The module uses CSPs passed in by the calling application on the stack. The Module does not store any CSP persistently (beyond the lifetime of an API call), with the exception of RNG and DRBG state values used for the Module's default key generation service.

Generation: The Module implements SP 800-90A compliant DRBG services for creation of symmetric keys, and for generation of DSA, elliptic curve, and RSA keys as shown in Table 4a. The calling application is responsible for storage of generated keys returned by the module. Keys generated while operating in the FIPS Approved mode shall not be used in the non-Approved mode and vice versa.

Entry: All CSPs enter the Module’s logical boundary in plaintext as API parameters, associated by memory location. However, none cross the physical boundary.

Output: The Module does not output CSPs, other than as explicit results of key generation services. However, none cross the physical boundary.

Destruction: Zeroization of sensitive data is performed automatically by API function calls for temporarily stored CSPs. In addition, the module provides functions to explicitly destroy CSPs related to random number generation services. The calling application is responsible for parameters passed in and out of the module.

Private and secret keys as well as seeds and entropy input are provided to the Module by the calling application, and are destroyed when released by the appropriate API function calls. Keys residing in internally allocated data structures (during the lifetime of an API call) can only be accessed using the Module defined API. The operating system protects memory and process space from unauthorized access. Only the calling application that creates or imports keys can use or export such keys. All API functions are executed by the invoking calling application in a non-overlapping sequence such that no two API functions will execute concurrently. An authorized application as user (Crypto-Officer and User) has access to all key data generated during the operation of the Module.

In the event Module power is lost and restored the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.

Module users (the calling applications) shall use entropy sources that meet the security strength require
