FIPS 140-2 Non-Proprietary Security Policy

Amazon Linux 2 Libgcrypt Cryptographic Module
Module Version 1.0
FIPS 140-2 Non-Proprietary Security Policy
Document Version 1.1
Last update: 2020-Jan-27

Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com

© 2020 Amazon Web Services, Inc./atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.

Table of Contents

1 Introduction ..... 6
1.1 Purpose of the Security Policy ..... 6
1.2 Target Audience ..... 6
2 Cryptographic Module Specification ..... 7
2.1 Module Overview ..... 7
2.2 FIPS 140-2 Validation Scope ..... 7
2.3 Definition of the Cryptographic Module ..... 7
2.4 Definition of the Physical Cryptographic Boundary ..... 8
2.5 Tested Environments ..... 9
2.6 Modes of Operation ..... 9
3 Module Ports and Interfaces ..... 11
4 Roles, Services and Authentication ..... 12
4.1 Roles ..... 12
4.2 Services ..... 12
4.2.1 Services in the FIPS-Approved Mode of Operation ..... 12
4.2.2 Services in the Non-FIPS-Approved Mode of Operation ..... 13
4.3 Algorithms ..... 14
4.3.1 FIPS-Approved Algorithms ..... 15
4.3.2 Non-Approved-but-Allowed Algorithms ..... 16
4.3.3 Non-Approved Algorithms ..... 16
4.4 Operator Authentication ..... 17
5 Physical Security ..... 18
6 Operational Environment ..... 19
6.1 Applicability ..... 19
6.2 Policy ..... 19
7 Cryptographic Key Management ..... 20
7.1 Random Number Generation ..... 21
7.2 Key Generation ..... 21
7.3 Key Entry and Output ..... 21
7.4 Key/CSP Storage ..... 21
7.5 Key/CSP Zeroization ..... 21
7.6 Key Establishment ..... 21
7.7 Handling of Keys and CSPs between Modes of Operation ..... 22
8 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) ..... 23
9 Self-Tests ..... 24
9.1 Power-on Self-Tests ..... 24
9.2 Conditional Self-Tests ..... 25
9.3 On-Demand Self-Tests ..... 25
9.4 Error States ..... 25
10 Guidance ..... 26
10.1 Crypto-Officer Guidance ..... 26
10.2 User Guidance ..... 27
10.2.1 Triple-DES Data Encryption ..... 27
10.2.2 Key Usage and Management ..... 27
11 Mitigation of Other Attacks ..... 28
12 Acronyms, Terms and Abbreviations ..... 30
13 References ..... 31

List of Tables

Table 1: FIPS 140-2 Security Requirements ..... 7
Table 2: Components of the module ..... 7
Table 3: Tested operational environment ..... 9
Table 4: Ports and interfaces ..... 11
Table 5: Services in the FIPS-approved mode of operation ..... 12
Table 6: Services in the non-FIPS-approved mode of operation ..... 14
Table 7: FIPS-approved cryptographic algorithms ..... 15
Table 8: Non-approved-but-allowed cryptographic algorithms ..... 16
Table 9: Non-FIPS-approved cryptographic algorithms ..... 17
Table 10: Lifecycle of keys and other Critical Security Parameters (CSPs) ..... 20
Table 11: Self-tests ..... 24
Table 12: Conditional self-tests ..... 25

List of Figures

Figure 1: Logical cryptographic boundary ..... 8
Figure 2: Hardware block diagram ..... 9

Copyrights and Trademarks

Amazon is a registered trademark of Amazon Web Services, Inc. or its affiliates.

1 Introduction

This document is the non-proprietary
