| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim validation. No assurance of the minimum strength of generated SSPs. |
| Vendor | KAYTUS SYSTEM PTE. LTD. |
flowchart LR
%% Deterministic review-risk graph for Linux OpenSSL FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load<br/>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Show Status<br/>Self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Linux OpenSSL FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load<br/>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Show Status<br/>Self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Linux OpenSSL FIPS Provider v3.1 Non-Proprietary Cryptographic Module FIPS 140-3 Security Policy FIPS 140-3 Security Level: 1 Document version: 1.3 Date: June 29, 2024
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Table of Contents
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. List of Tables List of Figures
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
This is a non-proprietary Cryptographic Module Security Policy for the Linux OpenSSL FIPS Provider from KAYTUS SYSTEM PTE. LTD.. This Security Policy describes how the Linux OpenSSL FIPS Provider meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. This document also describes how to run the Linux OpenSSL FIPS Provider in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation. The Linux OpenSSL FIPS Provider is referred to in this document as the provider, cryptographic module, or the module.
This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
This document is the non-proprietary FIPS 140-3 Security Policy of the Linux OpenSSL FIPS Provider cryptographic module. For the purpose of the FIPS 140-3 validation, the module is a software cryptographic module validated at overall security level 1. The following table shows the claimed security level for each of the twelve sections that comprise the FIPS 140-3 standard. Table 1
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
Linux OpenSSL FIPS Provider is a software library that provides a C-language Application Program Interface (API) for use by application that require cryptographic functionality. In the OpenSSL, providers are containers for algorithm implementations. Whenever a cryptographic algorithm is used via the OpenSSL high level APIs a provider is selected. It is that provider implementation that actually does the required work. Based on the OpenSSL new approach, the Linux OpenSSL FIPS Provider is a provider that can be used with any OpenSSL version from 3.0.4. The cryptographic boundary of the Module is the provider itself, a dynamically loadable library. The module performs no communication other than with the calling application via APIs that are invoked by the module. Based on that, the cryptographic boundary consists of the following shared library and the integrity check file used for the integrity test. The following table enumerates the files that comprise the module (surrounded with red lines in Figure 1
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Figure 1
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Table 3
1 Linux 5.4.85 N/A
Server Cortex A7) KR2280V2 Rack AST2600 (ARM
2 Linux 5.15.50 N/A
Server Cortex A7) Note: The operational environments include OpenSSL version 3.0.4. There is no additional vendor affirmed operating environments.
The module supports the following Approved Algorithms listed in Table 4 below: Table 4
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2512/256 SHA3-224, SHA3256, SHA3-384, SHA3-512 KMAC-128, KMACA4198 KMAC [SP 800-185] KMAC-128, KMAC-256 Message Authentication Ephemeral Unified Domain Parameter Generation KAS-ECC-SSC P-224, P-256, P-384, P-521, KDomain Parameter Shared Secret Computation for Key A4198 233, K-283, K-409, K-571, B[SP 800-56Arev3] Validation Agreement 233, B-283, B-409, B-571 Key Pair Generation Full Public Key Validation dhEphem Domain Parameter Generation ffdhe2048, ffdhe3072, KAS-FFC-SSC [SP 800- Domain Parameter ffdhe4096, ffdhe6144, Shared Secret Computation for Key A4198 56Arev3] Validation ffdhe8192 safe prime groups Agreement per SP 800-56Ar3 Key Pair Generation Full Public Key Validation KAS1, KAS2 Key Generation Methods: rsakpg1-crt, rsakpg2-crt, KAS-RSA-SSC [SP 800- Modulus: 2048, 3072, 4096, Shared Secret Computation for Key A4198 rsakpg1-basic, 56Brev2] 6144, 8192 Agreement rsakpg2-basic, rsakpg1-primefactor, rsakpg2-primefactor P-224, P-256, P-384, P-521 , KCVL [SP 800-56Arev3] ECC CDH Primitive in Shared Secret A4198 K-233, K-283, K-409, K-571, BKAS-ECC-CDH Computation 233, B-283, B-409, B-571 Safe Prime Groups: ffdhe2048, Key Generation for ffdhe3072, ffdhe4096, Asymmetric Key Generation DH ffdhe6144, ffdhe8192 A4198 Safe Primes Safe Prime Groups: ffdhe2048, Key Verification for ffdhe3072, ffdhe4096, Asymmetric Key Verification DH ffdhe6144, ffdhe8192
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. L = 2048, N = 224 Key Pair Generation L = 2048, N = 256 Asymmetric Key Generation L = 3072, N = 256 L = 2048, N = 224 Signature L = 2048, N = 256 Generation Digital Signature Generation L = 3072, N = 256 With all SHA-2 sizes L = 1024, N = 160 Signature L = 2048, N = 224 A4198 Verification L = 2048, N = 256 Digital Signature Verification DSA [FIPS 186-4] L = 3072, N = 256 With all SHA sizes L = 2048, N = 224 L = 2048, N = 256 PQG Generation Primitive Generation L = 3072, N = 256 With all SHA-2 sizes L = 1024, N = 160 L = 2048, N = 224 PQG Verification L = 2048, N = 256 Primitive Verification L = 3072, N = 256 With all SHA sizes Key Pair Generation Modulus: 2048, 3072, 4096 Asymmetric Key Generation ANSI X9.31 Signature Modulus: 2048, 3072, 4096 Generation (PKCS#1 With SHA-224, SHA-256, SHA- Digital Signature Generation v1.5) 384 and SHA-512 Signature Modulus: 2048, 3072 and 4096 Generation (ANSI With SHA-256, SHA-384 and Digital Signature Generation X9.31) SHA-512 Modulus: 2048, 3072 RSA A4198 With SHA-224, SHA-256, SHA[FIPS 186-4] 384, SHA-512, SHA-512/224 Signature Generation (PKCS and SHA-512/256 Digital Signature Generation PSS) Modulus: 4096 With SHA-224, SHA-256, SHA-
Modulus: 1024, 2048, 3072, Signature 4096 Verification With SHA-1, SHA-224, SHA-256, Digital Signature Verification (PKCS PSS and SHA-384, SHA-512, SHAPKCS#1 v1.5) 512/224 and SHA-512/256
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Modulus: 1024, 2048, 3072, Signature 4096 Verification (ANSI Digital Signature Verification X9.31) With SHA-1, SHA-256, SHA-384 and SHA-512 RSA Signature A4198 CVL [FIPS 186-4] Generation Modulus: 2048 Digital Signature Generation Primitive Primitive Curves: P-224, P-256, P-384, P-521 Key Pair Generation K-233, K-283, K-409, K-571 Asymmetric Key Generation B-233. B-283, B-409, B-571 Testing Candidates Curves: P-192, P-224, P-256, P-384, PKey Pair Verification K-163, K-233, K-283, K-409, K- Asymmetric Key Verification B-163, B-233. B-283, B-409, BECDSA A4198 Curves: [FIPS 186-4] P-224, P-256, P-384, P-521 Signature K-233, K-283, K-409, K-571 Digital Signature Generation Generation B-233. B-283, B-409, B-571 With all SHA-2 sizes Curves: P-192, P-224, P-256, P-384, PSignature K-163, K-233, K-283, K-409, KDigital Signature Verification Verification 571 B-163, B-233. B-283, B-409, BWith SHA-1 and all SHA-2 sizes SHA-1 Hash DRBG SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 DRBG Deterministic Random Number A4198 SHA-1 [SP 800-90Arev1] Generation HMAC DRBG SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 CTR DRBG AES-128, AES-192, AES-256 N/A KTS [SP 800-38F] AES KW, KWP AES KW, KWP Key Transport
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. AES CCM AES CCM AES GCM AES GCM (AES Cert #A4198; key establishment methodology provides between
encryption strength) AES and HMAC (AES Cert #A4198 and HMAC Cert #A4198; key establishment AES (any mode) and HMAC methodology provides between
encryption strength) AES and CMAC, GMAC (AES Cert #A4198 and AES Cert #A4198; key establishment AES (any mode) and CMAC, methodology GMAC provides between
encryption strength) Key encapsulation with RSA-OAEP, RSADP, RSAEP (Cert #A4198; key KTS-RSA Modulus: 2048, 3072, 4096, A4198 establishment Key Transport [SP 800-56Brev2] methodology 6144 provides between
encryption strength) One-Step KDF A4198 KDA [SP 800-56Crev2] (Section 4), Two N/A Key Derivation Function Step KDF (Section 5) HMAC-based HKDF [SP 800- Extracted-andA4198 N/A Key Derivation Function 56Crev2] Expand Key Derivation Function HMAC-SHA-1, SHA2-224, 256, A4198 PBKDF2 [SP 800-132] Option 1a Password-Based Key Derivation 384, 512, 512/224, 512/256
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. (C = 1 - 10.000, sLen = 16
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. AES-CBC/A4198 AES-CBC-CS1/A4198 AES-CBC-CS2/A4198 AES-CBC-CS3/A4198 AES-CFB1/A4198 AES-CFB128/A4198 AES-CFB8/A4198 AES-CTR/A4198 AES-ECB/A4198 AES-OFB/A4198 Per IG D.G, approved key transport method. HMAC-SHA-1/A4198 Key Transport scheme using any KTS3 KTS Provides between 128 and mode of AES with HMAC HMAC-SHA2-224/A4198
strength. HMAC-SHA2-256/A4198 HMAC-SHA2-384/A4198 HMAC-SHA2-512/A4198 HMAC-SHA2512/224/A4198 HMAC-SHA2512/256/A4198 HMAC-SHA3-224/A4198 HMAC-SHA3-256/A4198 HMAC-SHA3-384/A4198 HMAC-SHA3-512/A4198 AES-CBC/A4198 AES-CBC-CS1/A4198 AES-CBC-CS2/A4198 AES-CBC-CS3/A4198 AES-CFB1/A4198 Per IG D.G, approved key Key Transport scheme using any AES-CFB128/A4198 transport method. Provides KTS4 KTS mode of AES with AES CMAC or between 128 and 256 bits AES-CFB8/A4198 AES GMAC of encryption strength. AES-CMAC/A4198 AES-CTR/A4198 AES-ECB/A4198 AES-GMAC/A4198 AES-OFB/A4198 Per IG D.G, approved key transport method. Provides KTS5 KTS Key Transport scheme using RSA KTS-IFC/A4198 between 128 and 176 bits of encryption strength.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. KAS-ECC-SSC Sp800Uses the KAS_ECC_SSC shared 56Ar3/A4198 secret computation which is then fed into one of the KDF TLS 1.2 module's SP 800-135 compliant D.F scenario 2, path (1), no RFC7627/A4198 KAS-ECC KAS KDFs (TLS 1.2 and 1.3, SSHv2, key confirmation, key KDF SSHv2/A4198 ANSI X9.63-2001 and ANSI derivation per IG 2.4.B X9.42-2001) to derive keys for KDF ANSI X9.63/A4198 their respective industry KDF ANSI X9.42/A4198 standard protocols TLS v1.3 KDF/A4198 KAS-FFC-SSC Sp800Uses the KAS_FFC_SSC shared 56Ar3/A4198 secret computation which is then fed into one of the KDF TLS 1.2 module's SP 800-135 compliant D.F scenario 2, path (1), no RFC7627/A4198 KAS-FFC KAS KDFs (TLS 1.2 and 1.3, SSHv2, key confirmation, key KDF SSHv2/A4198 ANSI X9.63-2001 and ANSI derivation per IG 2.4.B X9.42-2001) to derive keys for KDF ANSI X9.63/A4198 their respective industry KDF ANSI X9.42/A4198 standard protocols TLS v1.3 KDF/A4198 KAS-IFC-SSC Sp800Uses the KAS_RSA_SSC shared 56Br2/A4198 secret computation which is then fed into one of the KDF TLS 1.2 module's SP 800-135 compliant D.F scenario 1, path (1), no RFC7627/A4198 KAS-RSA KAS KDFs (TLS 1.2 and 1.3, SSHv2, key confirmation, key KDF SSHv2/A4198 ANSI X9.63-2001 and ANSI derivation per IG 2.4.B X9.42-2001) to derive keys for KDF ANSI X9.63/A4198 their respective industry KDF ANSI X9.42/A4198 standard protocols TLS v1.3 KDF/A4198
The module supports only one mode of operation: Approved. The module will be in Approved mode when all pre-operational self-tests have been completed successfully, and only Approved security functions can be invoked (see Table 4 and Table 5 above). The module does not support degraded operation.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
As a software module, the provider does not have physical ports. For the purpose of the FIPS 140-3 validation, the module interfaces are defined as Software or Firmware Module Interfaces (SMFI), and the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. The logical interface is a C language Application Program Interface (API) through which calling application request services. In addition, data output interface is inhibited when the module is performing pre-operational and conditional tests, zeroisation or when the module is in the error state. The following table summarizes the FIPS 140-3 logical interfaces: Table 7
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The sections below describe the module's authorized roles, services, and operator authentication method employed.
The module supports the following roles: Crypto Officer role, which performs the module installation and configuration; and User role, which performs all services with the exception of module installation and configuration. Table 8
All services implemented by the module are listed in tables below. The approved services are shown in Table 9. Please note that the Sensitive Security Parameters (SSPs) listed below indicate the type of access required using the following notation:
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Table 9
Linux OpenSSL FIPS Provider v3.1 Cryptographic Module KAYTUS SYSTEM PTE. LTD. AES ECB key
Linux OpenSSL FIPS Provider v3.1 Cryptographic Module KAYTUS SYSTEM PTE. LTD. SSP and Type of Approved Security Name Roles Description Input Output Indicator Access Function AES CTR IV
Linux OpenSSL FIPS Provider v3.1 Cryptographic Module KAYTUS SYSTEM PTE. LTD. SSP and Type of Approved Security Name Roles Description Input Output Indicator Access Function Derive keying material Shared Secret
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The cryptographic module is composed of a software shared library as well as file where the a precomputed HMAC-SHA-256 signature is stored. The integrity of the software module is achieved by comparing the pre-computed HMAC value to the one calculated at run time. The module also provides on-demand integrity test. The integrity test is performed by the Self-Test On demand service by invoking the SELF_TEST_post() function or rebooting the cryptographic module. This test is performed as part of the pre-operational self-tests as well.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module runs on a commercially available general-purpose operating system. The operating system is restricted to a single operator. Concurrent operators are explicitly excluded. The application that requests cryptographic services is the single user of the module. All SSPs are under the control of the OS, which protects its CSPs against unauthorized disclosure, modification, and substitution and PSPs against unauthorized modification and substitution. Additionally, the OS provides dedicated process space to each executing process, and the module operates entirely within the calling application’s process space. The module only allows access to SSPs through its well-defined API. The module does not have the ability of spawning new processes.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module is a software module and this section does not apply.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module does not implement any non-invasive attack mitigation technique to protect itself and the module’s unprotected SSPs from non-invasive attacks.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The following section includes all the information related to the Sensitive Security Parameters (SSPs) and its management. Table 10 below identifies all the SSPs handled by the cryptographic module as well as its purpose, generation method, input and output method, where they are stored and how they are zeroized. Table 10
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Security Use & Key Strength Function Cert Generation Import/Export Establishment Storage Zeroization Related Keys Number Plaintext / Not Initialization 56, 64, 72, 80, Power cycle or AES CCM IV A4198 External Never exits the N/A persistently Vector for 88, 96, 104 bits OPENSSL_cleanse() module stored AES_CCM Plaintext / Not Authenticated 128, 192, 256- Power cycle or AES GCM Key A4198 External Never exits the N/A persistently encryption and bit key OPENSSL_cleanse() module stored decryption External or Plaintext / Not Initialization Power cycle or AES GCM IV 96-bits value A4198 internally Never exits the N/A persistently vector for OPENSSL_cleanse() generated module stored AES_GCM Plaintext / Not 128, 192, 256- Power cycle or Message AES CMAC Key A4198 External Never exits the N/A persistently bit key OPENSSL_cleanse() Authentication module stored Plaintext / Not 128, 192, 256- Power cycle or Message AES GMAC Key A4198 External Never exits the N/A persistently bit key OPENSSL_cleanse() Authentication module stored Plaintext / Not 112-bits or Power cycle or Message HMAC Key A4198 External Never exits the N/A persistently greater OPENSSL_cleanse() Authentication module stored Plaintext / Not 128-bits or Power cycle or Message KMAC Key A4198 External Never exits the N/A persistently greater OPENSSL_cleanse() Authentication module stored External or Not Signature 1024, 2048, Plaintext / Power cycle or verification DSA Public Key A4198 internally N/A persistently 3072-bit key Plaintext EVP_PKEY_free() generated stored External or Not DSA Private 224 and 256- Plaintext / Power cycle or Signature A4198 internally N/A persistently Key bit key Plaintext EVP_PKEY_free() generation generated stored
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Security Use & Key Strength Function Cert Generation Import/Export Establishment Storage Zeroization Related Keys Number External or Not Signature ECDSA Public From 192-576 Plaintext / Power cycle or verification A4198 internally N/A persistently Key bits Plaintext EVP_PKEY_free() generated stored External or Not ECDSA Private From 224-576 Plaintext / Power cycle or Signature A4198 internally N/A persistently Key bits Plaintext EVP_PKEY_free() generation generated stored Power cycle or Signature 2048, 3072, External or Not Generation RSA Private Plaintext / 4096, 6144-bit A4198 internally N/A persistently EVP_PKEY_free() Key Plaintext OAEP key generated stored Decryption Signature 1024, 2048, External or Not Power cycle or Verification Plaintext / RSA Public Key 3072, 4096, A4198 internally N/A persistently Plaintext EVP_PKEY_free() OAEP 6144-bit key generated stored Encryption External or Not Diffie-Hellman From 2048-bit Plaintext / Power cycle or Derive Shared A4198 internally N/A persistently Public Key to 8192-bit key Plaintext EVP_PKEY_free() Secret generated stored External or Not Diffie-Hellman From 2048-bit Plaintext / Power cycle or Derive Shared A4198 internally N/A persistently Private Key to 8192-bit key Plaintext EVP_PKEY_free() Secret generated stored External or Not ECDH Public From 224-576 Plaintext / Power cycle or Derive Shared A4198 internally N/A persistently Key bits Plaintext EVP_PKEY_free() Secret generated stored External or Not ECDH Private From 224-576 Plaintext / Power cycle or Derive Shared A4198 internally N/A persistently Key bits Plaintext EVP_PKEY_free() Secret generated stored Not Shared Secret Shared secret Internally Power cycle or Shared Secret A4198 NA / Plaintext N/A persistently for deriving bitstring derived OPENSSL_cleanse() stored keying material
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Security Use & Key Strength Function Cert Generation Import/Export Establishment Storage Zeroization Related Keys Number Plaintext / Not Power cycle or Key Derivation HKDF salt Salt bitstring A4198 External Never exits the N/A persistently OPENSSL_cleanse() Function module stored Keying material derived from key derivation function (SP Not Keying material Internally Power cycle or 800-108rev1 Keying material A4198 NA / Plaintext N/A persistently bitstring derived OPENSSL_cleanse() KBKDF, SP 800stored
HKDF, KDA, SP 800-135rev1 KDFs, TLS 1.3 KDF) From 8 to 128 characters Plaintext / Not PBKDF2 Key PBKDF2 Power cycle or (bytes) with A4198 External Never exits the N/A persistently derivation password EVP_KDF_free() increment of 8 module stored function characters. From 128 to 4096-bit salt Plaintext / Not PBKDF2 Key Power cycle or PBKDF2 salt bitstring with A4198 External Never exits the N/A persistently derivation EVP_KDF_free() increment of 8- module stored function bits
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Entropy input For CTR_DRBG: A4198 External Plaintext / N/A Not Power cycle or Entropy string 128, 256-bits Never exits the persistently OPENSSL_cleanse() material for for AES-128 DF module stored HASH DRBG/HMAC 256, 384, 512DRBG/CTR bits for AESDRBG 192/256 DF 256-bits for AES-128 NODF 320-bits for AES-192 NODF 384-bits for AES-256 NODF For HASH DRBG: 128, 192, 256bits for SHA-1 192, 256-bits for SHA-224 256, 320-bits for SHA-256, SHA-384, SHA512, SHA512/224, SHA512/256 For HMAC DRBG: 160-256 bits in increment of
HMAC-SHA-1 192, 256-bits for HMAC-SHA-
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Security Use & Key Strength Function Cert Generation Import/Export Establishment Storage Zeroization Related Keys Number 256, 384, 448, 512-bits for HMAC-SHA384, 448, 512bits for HMACSHA-384 512-1024-bits in increment of
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Security Use & Key Strength Function Cert Generation Import/Export Establishment Storage Zeroization Related Keys Number DRBG seed For HASH A4198 External Plaintext / N/A Not Power cycle or Seeding DRBG and Never exits the persistently OPENSSL_cleanse() material for HMAC DRBG: module stored HASH 440-bits DRBG/HMAC random data DRBG/CTR for SHA-1, SHA- DRBG
256; 888-bits random data for SHA-384, SHA-512. For CTR DRBG: 256-bits random data for CTR-128DF/CTR-128NODF 320-bits random data for CTR-192DF/ CTR-192NODF 384-bits random data for CTR-256DF/ CTR-256NODF Not Internal state Internally NA / Never exits Power cycle or Used for HASH DRBG ‘C’ value A4198 N/A persistently value generated the module EVP_RAND_CTX_free() DRBG stored
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Security Use & Key Strength Function Cert Generation Import/Export Establishment Storage Zeroization Related Keys Number Used for CTR Not Internal state Internally NA / Never exits Power cycle or DRBG/HASH DRBG ‘V’ value A4198 N/A persistently value generated the module EVP_RAND_CTX_free() DRBG/HMAC stored DRBG 128, 192, 256bit key for CTRDRBG Not Used for CTR DRBG ‘Key’ Internally NA / Never exits Power cycle or A4198 N/A persistently DRBG/HMAC value 160, 224, 256, generated the module EVP_RAND_CTX_free() stored DRBG 384, 512 for HMAC-DRBG
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module employs a Deterministic Random Bit Generator (DRBG) for the creation cryptographic key material. The module contains the following Deterministic Random Bit Generator (DRBG) compliant with the [SP 800-90Arev1]: - HMAC-DRBG - HASH-DRBG - CTR-DRBG The module does not implement Non-Determinist Random Bit Generator or entropy source. A minimum of 112-bits of entropy must be supplied. This entropy is supplied by means of callback functions. Those functions must return an error if the minimum entropy strength cannot be met.
For generation of RSA, DSA and ECDSA key pairs, the module implements approved key generation services compliant with [FIPS 186-4] where the key material is directly obtained from approved [SP 80090Arev1] DRBGs according to the [SP 800-133rev2]. The public and private key pairs used in the Diffie-Hellman and EC Diffie-Hellman KAS are generated internally. They are compliant with NIST [SP 800-56Arev3]. Cryptographic Key Generation: the module uses an Approved Hash, CTR or/and HMAC DRBG specified in NIST SP 800-90Arev1 to generate random cryptographic material. The resulting generated material are unmodified outputs from the DRBG. According to FIPS 140-3 Implementation Guidance D.H. a component key generation (CKG) using the unmodified output of an approved DRBG can be used to generate cryptographic material for:
The module provides Diffie-Hellman, EC Diffie-Hellman and RSA key agreement shared secret computation to obtain “shared secret” values. The security strength of the preceding algorithms is as follows:
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module provides the following SSP Derivation methods: - Key-Based Key Derivation (KDKDF algorithm) - Password-Based Key Derivation (PBKDF2 algorithm) - Protocol-Suite Key Derivation: TLS 1.2 KDF, TLS 1.3 KDF, ANSI X9.42, ANSI X9.63 and SSHv2 KDF as key derivation functions. - Key Derivation based on SP 800-56Crev2: HKDF and KDA.
The module provides approved key transport methods according to [IG] D.G. The key transport methods are provided either by:
The keys and SSPs to be entered or exited are provided to the module via API input/output parameters in plaintext form and output via API output parameters in plaintext form. This is allowed per section 7.9.5 of the ISO/IEC 19790:2012 since all CSPs or key components are maintained within the environment and the requirements from section 7.6.3 are met. The module does not support either manual key entry or intermediate key generation values. The module does not output intermediate key generation values. Additionally, the module implements two independent internal actions in order to prevent the inadvertent output of any plaintext SSPs. The mechanism implemented by the module is described below:
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. When these two actions are completed without errors, the Key/SSP exits the module in plaintext. Information for the input and output for each SSP, if applicable, is provided under columns "Input" and "Output" of Table 10.
Symmetric keys, HMAC keys, public and private keys are provided to the module by the calling application via API input parameters and are destroyed by the module when invoking the appropriate API function calls. No physical storage is offered within the cryptographic boundary, and therefore the module does not store any SSPs persistently beyond the lifetime of the API call. Any persistent key storage occurs outside the module’s cryptographic boundary but within the physical perimeter and the management of these keys is responsibility of the calling application. Table 11 - Storage Areas Name Description Type RAM System Memory Dynamic Information for storage of each SSP, is provided under column "Storage" of Table 10.
SSP zeroisation functions are implemented in the fips.so library, and they depend on the SSP to be zeroized. Information for zeroising each SSP is provided under column “Zeroization” of Table 10. The zeroization functions overwrite the memory occupied by SSP with ‘zeros’ and deallocate the memory with the regular memory deallocation operating system call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process. The zeroization of the SSPs starts just after the invocation of the zeroization command. Once invoked, these techniques take effect immediately and do not allow sufficient time to compromise any plaintext secret, private keys and CSPs. During the zeroization process, services are not available and input and output are inhibited.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
FIPS 140-3 requires that the module performs a set of self-test in order to provide the operator assurance that faults have not been introduced that would prevent the module's correct operation. The module performs the pre-operational self-test and conditional cryptographic algorithms self-tests during the initialization of the module. In addition, some functions require continuous testing of the cryptographic functionality, such as the asymmetric key generation. The following sections list the self-tests performed by the module, their expected error status and error resolutions.
The module executes the following pre-operational self-tests when it is loaded into memory, without operator intervention. These pre-operational self-tests ensure that the module is not corrupted:
256 key module in order to verify its integrity.
During compilation, the module compiles the HMAC key into fips.so. Once compiled, during the installation, the module calculates the HMAC-SHA2-256 for fips.so and stores in fipsmodule.cnf file. At runtime and prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Test (CAST) is performed. If the CAST of the HMAC-SHA-256 is successful, the module computes the HMAC of fips.so. This value is compared with the one stored in fipsmodule.cnf file, and if they are the same value, the test is passed. Otherwise, the test fails and the module enters in Critical Error state. In this state, an internal flag is set to prevent subsequent invocation of any cryptographic calls. While the module is executing the pre-operational self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational tests are completed successfully. The verify_integrity() API function is in charge of performing the pre-operational self-tests. This API function is called from the SELF_TEST_post() API function, which also performs the KAT tests for each algorithm. The API function returns a ‘1’ if all pre-operational and KAT self-tests succeed, and a ‘0’ otherwise.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
Conditional self-tests are performed by the cryptographic module when conditions specified for the following tests occur: Cryptographic Algorithm Self-Test, Pair-Wise Consistency Test and Critical Function Tests. The module does not implement any functions requiring a Software/Firmware Load Test, Manual Entry Tests nor Conditional Bypass Test; therefore, these tests are not performed by the module. While the module is executing the conditional self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until these tests are completed successfully. If any of this tests fails, the module enters in Critical Error state.
In addition to the pre-operational self-tests, the module also performs the Conditional Cryptographic Algorithm Self-Tests (CASTs) for all cryptographic functions of each approved cryptographic algorithm implemented by the module during the module initialization. Therefore, all CASTs are performed prior to the first operational use of the cryptographic algorithm. These tests are detailed in the table below: Table 13 - Conditional Cryptographic Algorithm Self-Tests Algorithm OE Test Properties Type Details Conditions HMAC- Used for module Power-Up and Both KAT SHA256 integrity test On-demand Power-Up and SHS Both SHA-1, SHA2-512 and SHA3-256 KAT Generation On-demand Power-Up and AES Both ECB mode with 128-bit key KAT Decrypt On-demand Power-Up and AES GCM Both 256 bits key size KAT Encrypt and Decrypt On-demand
2048 bits key size with SHA2-256 and Power-Up and
RSA Both KAT Sign and Verify mode PKCS#1v1.5. On-demand Power-Up and DSA Both 2048, 224 bits key size with SHA2-256 KAT Sign and Verify On-demand Power-Up and ECDSA Both P-224 and K-233 curves with SHA2-256 KAT Sign and Verify On-demand CTR_DRBG: AES 128-bit key with derivation function. Power-Up and DRBG Both KAT Random Bit Generation HASH_DRBG: SHA2-256. On-demand HMAC_DRBG: SHA-1 Power-Up and KBKDF Both Counter Mode (HMAC-SHA2-256). KAT Key Derivation On-demand
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Algorithm OE Test Properties Type Details Conditions Derivation of the Master Key (MK) (per Power-Up and PBKDF2 Both KAT Section 5.3 of SP 800- On-demand 132). SP 800TLS 1.2, SSHv2, ANSI X9.63-2001 and ANSI Power-Up and 135rev1 Both KAT Key Derivation X9.42-2001 KDFs. On-demand KDFs TLS v1.3 TLS v1.3 KDF (per Section 7.1 of RFC Power-Up and Both KAT Key Derivation KDF 8446). On-demand Shared Secret KAS-FFC- ffdhe2048 safe prime group with Computation (per Power-Up and Both KAT SSC dhEphem scheme Section 6 of SP 800- On-demand 56Arev3). Shared Secret KAS-ECC- P-256 curve with Ephemeral Unified Computation (per Power-Up and Both KAT SSC scheme Section 6 of SP 800- On-demand 56Arev3). RSA Primitive Computation (per Scenario 1 of IG D.F KAS-RSA- Power-Up and Both 2048 bits key size KAT and Section 8.2.2 in SP SSC On-demand 800-56Brev2) as part of KTS-RSA Encryption KAT. One-step KDF (per Section 4 of SP 800Power-Up and KDA Both KAT 56Crev2) and Two-Step On-demand KDF (per Section 5 of SP 800-56Crev2). Encrypt and Decrypt for Basic and Decrypt Power-Up and KTS-RSA Both 2048 bits key size KAT for CRT (per IG D.G and On-demand SP 800-56Brev2). The SELF_TEST_kats() API function is in charge of performing all the KAT self-tests for each algorithm prior to their first use, without any operator intervention. This function is called from the SELF_TEST_post() API function, called during the initialization of the module. The API function returns a ‘1’ if all pre-operational and KAT self-tests succeed, and a ‘0’ otherwise.
The Pairwise Conditional Self-tests are run when an asymmetric key pair is generated. In case of failure the module enters in Critical Error state and needs to be reloaded to clear the error.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Table 14 - Conditional Pair-wise Consistency Tests Algorithm OE Test Properties Type Details Conditions Pairwise Consistency Test on DSA Both Generated Key size. PCT Key Generation. Generation of a DSA Key Pair. Pairwise Consistency Test on ECDSA Both Generated curve. PCT Key Generation. Generation of an ECDSA Key Pair. Pairwise Consistency Test on RSA Both Generated Key size. PCT Key Generation. Generation of an RSA Key Pair.
The module obtains the following assurances per SP 800-56Arev3 and SP 800-56Brev2: Table 15 - Assurances Standard Assurances SP 800-56Arev3 Per Section 5.6.2 of SP 800-56Arev3, required per [IG] D.F SP 800-56Brev2 Per Section 6.4 of SP 800-56Brev2, required per [IG] D.F The module performs the following DRBG health checks when initializing the DRBG for the first time during the power-up of the module:
Pre-operational self-tests and Conditional Cryptographic Algorithms self-test performed by the module during its initialization, are available on demand by resetting the module or by calling the SELF_TEST_post() API function. During the execution of the on-demand self-tests, services are not available and no data output or input is possible.
If any of the self-tests described in sections 10.1, 10.2 and 10.3 fails, the module enters in Critical Error state and needs to be reloaded to exercise any cryptographic service. In the Critical Error State, no cryptographic services are provided, and data output is prohibited. In this state, an internal flag is set to prevent subsequent invocation of any cryptographic calls. The only method to recover from the Critical Error state is to power cycle the device which results in the module being reloaded into memory and performing the pre-operational software integrity test and the
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Conditional CASTs. The module will only enter the operational state after successfully passing the preoperational software integrity test and the Conditional CASTs. In addition, if the AES XTS check fails during the CSP entry, the module will flow to Soft Error state, not allowing any cryptographic service and no data output or input is allowed, until the error is cleared. The table below shows the different causes that lead to the error states and the status indicators reported. Table 16
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module is delivered already compiled and in the binary form for the following operational environments:
Crypto Officer The Crypto Officer shall run the following command in order to generate the fipsmodule.cnf file: $ openssl fipsinstall –out fipsmodule.cnf -module fips.so -self_test_onload After this step, the module is ready to use. In order to check that the installation has been successfully performed, the Crypto Officer can execute the following command: $ openssl list –providers And the Linux provider should be indicated. User Guidance The module only supports one mode of operation: Approved. The module will be in Approved mode when all pre-operational self-tests have been completed successfully, and only Approved security functions are invoked. There are no additional installation, configuration, or usage instructions for operators intending to use the Linux OpenSSL FIPS Module. For ensure the correct SSP Zeroization, the user shall ensure that all the contexts that use that SSP shall also be zeroized.
The operator shall follow the Crypto Officer instructions in section 11.2.
The module does not implement the TLS protocol itself, however, it provides the cryptographic functions required for implementing the protocol. AES GCM encryption is used in the context of the TLS protocol versions 1.2 and 1.3 (per Scenario 1 and Scenario 5 in [IG] C.H, respectively). For TLS v1.2, the mechanism for IV generation is compliant with RFC 5288. The counter portion of the IV is strictly increasing. When the IV exhausts the maximum number of possible values for a given session key, this results in a failure in
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with RFC 5246. For TLS v1.3, the mechanism for IV generation is compliant with RFC 8446. The module also supports internal IV generation using the module’s Approved DRBG. The IV is at least 96bits in length per NIST SP 800-38D, Section 8.2.1. Per [IG] C.H Scenario 2 and NIST SP 800-38D, the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2-32. In the event that the module power is lost and restored, the user must ensure that the AES-GCM encryption/decryption keys are re-distributed.
The AES algorithm in XTS mode can be used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the AES-XTS shall not exceed
The module implements a check to ensure that the two AES keys used in AES-XTS algorithm are not identical. Based on the previous information, the module AES XTS implementation is compliant with FIPS 140-3 IG C.I.
The module is compliant to the FIPS 140-3 IG C.C regarding the SHA-3 family algorithms. All the SHA-3 and SHAKE functions have been tested and validated with the CAVP tool (#A4198), as it is indicated in Table 4. In addition, every higher-level algorithm that uses a SHA-3 family algorithm, are also validated with the CAVP, together in the same CAVP certificate (#A4198).
The module provides different algorithms for digital signature. Among them is the RSA FIPS 186-4, which is compliant with FIPS 140-3 IG C.F. RSA digital signature generation can be performed with 2048-, 3072- or 4096-bits modulus length. As it is indicated in Table 4, all the RSA signature algorithm implementations are tested with the CAVP (#A4198). In the CAVP Certificate, it is indicated that the modulus used by the RSA signature generation are 2048,
3072 and 4096. Therefore, all different modulus length used by the RSA signature generation are tested
by the CAVP. Regarding the Miller-Rabin tests round, the module performs 128 rounds when the modulus is higher than 2048 bits. For the signature verification, the module has tested and validated all the different RSA modulus length implemented by the module: 1024, 2048, 3072 and 4096. This is also indicated in CAVP Cert. #A4198.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
Regarding PBKDF, in line with the requirements for SP 800-132, keys generated using the approved PBKDF must only be used for storage applications. Any other use of the approved PBKDF is non-conformant. As the module is a general purpose software module, it is not possible to anticipate all the levels of use for the PBKDF, however a user of the module should also note that a password should at least contain enough security strength to be unguessable and also contain enough strength to reflect the security strength required for the key being generated. The password length should be between 8 and 128 bytes with an increment of 8 bytes. For the iteration count, as the functionality of the module relies on the usage that a user performs with the module, it is recommended a minimum of 1.000 bits. In addition, users are referred to Appendix A, “Security Considerations” in SP 800-132 for further information on password, salt, and iteration count selection.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module implements two mitigations against timing-based side-channel attacks, namely Constanttime Implementations and Blinding. Constant-time Implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric Blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
The module implements TLS versions 1.2 and 1.3. The AES GCM supported ciphersuites for each version are listed below: Supported AES GCM ciphersuites for TLS v1.2:
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD.
Table 17 - References Abbreviation Full Specification Name FIPS 140-3 FIPS 140-3 Security Requirements for Cryptographic modules NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 ISO 19790 ISO/IEC 19790:2012/Cor.1:2015(E), Information technology
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Abbreviation Full Specification Name NIST SP 800-57 Part 1 NIST SP 800-57 Part 1, Rev5, Recommendation for Key Management: Part 1
Table 18 - Acronyms definitions Acronym Definition AES Advanced Encryption Standard API Application Program Interface CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CKG Cryptographic Key Generation CMVP Cryptographic Module Validation Program CTR Counter Mode CVL Component Validation List DH Diffie-Hellman DSA Digital Signature Algorithm DRGB Deterministic Random Bit Generator ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptographic FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode
Linux OpenSSL FIPS Provider v3.1 KAYTUS SYSTEM PTE. LTD. Acronym Definition GPC General Purpose Computer HMAC Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function MAC Message Authentication Code NIST National Institute of Science and Technology PCT Pair-wise Consistency Test RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSC Shared Secret Computation TLS Transport Layer Security