| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 8/13/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Amazon Web Services Inc. |
flowchart LR
%% Deterministic review-risk graph for AWS-LC Cryptographic Module (dynamic)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery<br/>upgrade</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for AWS-LC Cryptographic Module (dynamic)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery<br/>upgrade</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;AWS-LC Cryptographic Module (dynamic) Module Version: AWS-LC FIPS 2.0.0 Document version: 1.0 Last update: 2024-08-13 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 Amazon Web Services, Inc., atsec information security.
© 2024 Amazon Web Services, Inc., atsec information security.
© 2024 Amazon Web Services, Inc., atsec information security.
© 2024 Amazon Web Services, Inc., atsec information security.
© 2024 Amazon Web Services, Inc., atsec information security.
Amazon is a registered trademark of Amazon Web Services, Inc. or its affiliates. © 2024 Amazon Web Services, Inc., atsec information security.
This document is the non-proprietary FIPS 140-3 Security Policy for version AWS-LC FIPS 2.0.0 of the AWS-LC Cryptographic Module (dynamic). It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module.
Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. ISO/IEC 24759 Section 6. FIPS 140-3 Section Title Security Level Subsections
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-cycle Assurance 1
12 Mitigation of Other Attacks 1
This Security Policy describes the features and design of the module named AWS-LC Cryptographic Module (dynamic) using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. and including this notice. Other documentation is proprietary to their authors. © 2024 Amazon Web Services, Inc., atsec information security.
was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2024 Amazon Web Services, Inc., atsec information security.
Purpose and Use: The AWS-LC Cryptographic Module (dynamic) (hereafter referred to as “the module”) provides cryptographic services to applications running in the user space of the underlying operating system through a C language Application Program Interface (API). Module Type: Software Module Embodiment: Multi-chip standalone Module Characteristics: N/A Cryptographic Boundary: The block diagram in Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows). The module components consist of the bcm.o (AWS-LC FIPS 2.0.0), which is dynamically linked to the userspace application during the compilation process. Figure 1: Block diagram
Tested Module Identification
Tested Operational Environments - Software, Firmware, Hybrid: Operating System Hardware Platform Processor(s) PAA/PAI Hypervisor Version(s) or Host OS Amazon Linux 2 Amazon EC2 c5.metal Intel ®Xeon ® AES-NI and SHA N/A AWS-LC with 192 GiB system Platinum extensions FIPS 2.0.0 Amazon Linux 2023 memory and Elastic 8275CL (PAA) Block Store (EBS) 200 GiB Ubuntu 22.04 Amazon Linux 2 Amazon EC2 c5.metal Intel ®Xeon ® None with 192 GiB system Platinum Amazon Linux 2023 memory and Elastic 8275CL Ubuntu 22.04 Block Store (EBS) 200 GiB Amazon Linux 2 Amazon EC2 c7g.metal Graviton3 Neon and AWS-LC with 128 GiB system Crypto FIPS 2.0.0 Amazon Linux 2023 memory and Elastic Extension (CE) Ubuntu 22.04 Block Store (EBS) 200 (PAA) GiB Amazon Linux 2 Amazon EC2 c7g.metal Graviton3 None with 128 GiB system Amazon Linux 2023 memory and Elastic Block Store (EBS) 200 Ubuntu 22.04 GiB Table 3: Tested Operational Environments
The module does not claim any excluded components.
Name Description Type Status Indicator Approved Mode Automatically entered whenever an Approved Equivalent to the indicator of the approved service is requested. requested service. Non-approved Automatically entered whenever a non- Non-Approved Equivalent to the indicator of the Mode approved service is requested. requested service. Table 4: Modes of Operation of the Module Mode change instructions and status indicators: When the module starts up successfully, after passing a set of cryptographic algorithms self-tests (CASTs) and the pre-operational self-test, the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in Table 15. The module will transition back to approved mode when approved service is called. Section 4 provides details on the service indicator implemented by the module. The service indicator identifies when an approved service is called. Degraded Mode Description: The module does not implement a degraded mode of operation. © 2024 Amazon Web Services, Inc., atsec information security.
Approved Algorithms: Algorithm CAVP Cert Algorithm OE (Implementation) Reference Name Numbers Capabilities AES-CBC A4489, A4493, Encryption, Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, A4501, A4484, Decryption using Graviton3: AES_C, CE, VPAES SP800-38A A4487, A4497 128,192,256 bits key Ubuntu on EC2 bare metal on Amazon Graviton3 AWS Graviton: AES_C, CE, VPAES Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: AES_C, CE, VPAES Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM AES-CCM A4489, A4493, Authenticated Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, Graviton3: AES_C, BAES_CTASM, CE, VPAES A4501, A4484, Encryption, SP800-38C, IG A4487, A4497 Authenticated Ubuntu on EC2 bare metal on Amazon Graviton3 D.G Decryption, Key AWS Graviton: AES_C, BAES_CTASM, CE, VPAES Wrapping, Key Unwrapping using 128 Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: AES_C, BAES_CTASM, CE, VPAES bit key Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM AES-CMAC A4489, A4493, Message Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, Graviton3: AES_C, BAES_CTASM, CE, VPAES A4501, A4487, Authentication SP800-38B A4497 Generation 128- or Ubuntu on EC2 bare metal on Amazon Graviton3 256-bits key AWS Graviton: AES_C, BAES_CTASM, CE, VPAES Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: AES_C, BAES_CTASM, CE, VPAES Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm CAVP Cert Algorithm OE (Implementation) Reference Name Numbers Capabilities AES-CTR A4489, A4493, Encryption, Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, SP A4501, A4484, Decryption Graviton3: AES_C, BAES_CTASM, CE, VPAES 800-38A A4487, A4497 128,192,256 bits key Ubuntu on EC2 bare metal on Amazon Graviton3 AWS Graviton: AES_C, BAES_CTASM, CE, VPAES Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: AES_C, BAES_CTASM, CE, VPAES Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM AES-ECB A4489, A4490, Encryption, Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, SP A4493, A4494, Decryption using 128, Graviton3: AES_C, AES_C_GCM, CE, 800-38A CE_GCM_UNROLL8_EOR3, CE_GCM, VPAES, VPAES_GCM A4496, A4501, 192, 256 bits key A4502, A4503, Ubuntu on EC2 bare metal on Amazon Graviton3 A4504, A4484, AWS Graviton: AES_C, AES_C_GCM, CE, A4485, A4486, CE_GCM_UNROLL8_EOR3, CE_GCM, VPAES, VPAES_GCM A4487, A4488, Amazon Linux 2 on EC2 bare metal on Amazon A4495, A4497, Graviton3: AES_C, AES_C_GCM, CE, A4498, A4499, CE_GCM_UNROLL8_EOR3, CE_GCM, VPAES VPAES_GCM A4500 Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESNI_AVX, AESNI_ASM, AESASM, AESASM_AVX, AES_CLMULNI, AESASM_ASM, AESASM_CLMULNI, AESNI_CLMULNI, BAES_CTASM, BAES_CTASM_AVX, BAES_CTASM_CLMULNI, BAES_CTASM_ASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESNI_AVX, AESNI_ASM, AESASM, AESASM_AVX, AES_CLMULNI, AESASM_ASM, AESASM_CLMULNI, AESNI_CLMULNI, BAES_CTASM, BAES_CTASM_AVX, BAES_CTASM_CLMULNI, BAES_CTASM_ASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESNI_AVX, AESNI_ASM, AESASM, AESASM_AVX, AES_CLMULNI, AESASM_ASM, AESASM_CLMULNI, AESNI_CLMULNI, BAES_CTASM, BAES_CTASM_AVX, BAES_CTASM_CLMULNI, BAES_CTASM_ASM AES-GCM A4490, A4494, Authenticated Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, Graviton3: AES_C, AES_C_GCM, CE_GCM_UNROLL8_EOR3, A4496, A4502, Encryption (with SP800-38D, IG CE_GCM, VPAES_GCM A4503, A4504, Internal IV Mode D.G A4485, A4486, 8.2.2) and Key Ubuntu on EC2 bare metal on Amazon Graviton3 A4488, A4495, Wrapping using 128 AWS Graviton: AES_C, AES_C_GCM, CE_GCM_UNROLL8_EOR3, CE_GCM, VPAES_GCM A4498, A4499, or 256 bits key A4500 Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: AES_C, AES_C_GCM, CE_GCM_UNROLL8_EOR3, CE_GCM, VPAES_GCM AES-GCM Authenticated FIPS 197, Decryption (with Amazon Linux 2 on EC2 bare metal on Intel Cascade SP800-38D, IG Lake Xeon Platinum 8275CL: ASENI_AVX, AESNI_ASM, external IV) and Key D.G AESASM_AVX, AES_CLMULNI, AESASM_ASM, Unwrapping using 128- or 256-bits key © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm CAVP Cert Algorithm OE (Implementation) Reference Name Numbers Capabilities AES-GMAC Message AESASM_CLMULNI, AESNI_CLMULNI, BAES_CTASM_AVX, FIPS 197, Authentication BAES_CTASM_CLMULNI, BAES_CTASM_ASM SP800-38D Generation using 128- Amazon Linux 2023 on EC2 bare metal on Intel or 256-bits key Cascade Lake Xeon Platinum 8275CL: ASENI_AVX, AESNI_ASM, AESASM_AVX, AES_CLMULNI, AESASM_ASM, AESASM_CLMULNI, AESNI_CLMULNI, BAES_CTASM_AVX, BAES_CTASM_CLMULNI, BAES_CTASM_ASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: ASENI_AVX, AESNI_ASM, AESASM_AVX, AES_CLMULNI, AESASM_ASM, AESASM_CLMULNI, AESNI_CLMULNI, BAES_CTASM_AVX, BAES_CTASM_CLMULNI, BAES_CTASM_ASM AES-KW A4489, A4493, Key Wrapping, Key Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 197, SP800A4501, A4484, Unwrapping using Graviton3: AES_C, BAES_CTASM, CE, VPAES 38F, IG D.G AES-KWP A4487, A4497 128, 192, 256 bits key Ubuntu on EC2 bare metal on Amazon Graviton3 AWS Graviton: AES_C, BAES_CTASM, CE, VPAES AES-XTS Encryption, FIPS 197, SP Decryption using 256 Amazon Linux 2 on EC2 bare metal on Amazon 800-38E Graviton3: AES_C, BAES_CTASM, CE, VPAES bits key Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM CTR_DRBG A4489, A4493, Random Number Amazon Linux 2023 on EC2 bare metal on Amazon SP800-90Arev1 Graviton3: AES_C, CE, VPAES A4501, A4484, Generation using AES A4487, A4497 256 bits without Ubuntu on EC2 bare metal on Amazon Graviton3 derivation function or AWS Graviton: AES_C, CE, VPAES prediction resistance. Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: AES_C, CE, VPAES Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: AESNI, AESASM, BAES_CTASM ECDSA A4483, A4491, Key Generation using Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 186-5 Graviton3: SHA_ASM, SHA_CE, NEON A4492, A4505, P-224, P-256, P-384, A.2.2 FIPS 186A4506, A4507, P-521 Ubuntu on EC2 bare metal on Amazon Graviton3 5 Rejection A4508 AWS Graviton: SHA_ASM, SHA_CE, NEON Sampling; SP800-133rev2 Amazon Linux 2 on EC2 bare metal on Amazon Graviton3: SHA_ASM, SHA_CE, NEON sections 4, 5.1, 5.2 Amazon Linux 2 on EC2 bare metal on Intel Cascade Key Verification using Lake Xeon Platinum 8275CL: SHA_SHANI, SHA_AVX2, FIPS 186-5 for P-224, P-256, P-384, SHA_AVX, SHA_SSSE3 all except FIPS P-521 Amazon Linux 2023 on EC2 bare metal on Intel 186-4 for Cascade Lake Xeon Platinum 8275CL: SHA_SHANI, signature ECDSA with Signature Generation SHA_AVX2, SHA_AVX, SHA_SSSE3 verification with SHA2-224, using P-224, P-256, P- SHA-1 SHA2-256, 384, P-521 Ubuntu on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: SHA_SHANI, SHA_AVX2, SHA2-384, SHA_AVX, SHA_SSSE3 SHA2-512 © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm CAVP Cert Algorithm OE (Implementation) Reference Name Numbers Capabilities ECDSA with Signature Verification SHA-1, SHA2- using P-224, P-256, P224, SHA2-256, 384, P-521 SHA2-384, SHA2-512 HMAC-SHA-1, A4483, A4491, Message Amazon Linux 2023 on EC2 bare metal on Amazon FIPS 198-1 Graviton3: SHA_ASM, SHA_CE, NEON HMAC-SHA2- A4492, A4505, Authentication 224, A4506, A4507, Generation using 112- Ubuntu on EC2 bare metal on Amazon Graviton3 HMAC-SHA2- A4508 524288 bits key AWS Graviton: SHA_ASM, SHA_CE, NEON 256, Amazon Linux 2 on EC2 bare metal on Amazon HMAC-SHA2- Graviton3: SHA_ASM, SHA_CE, NEON 384, HMAC-SHA2- Amazon Linux 2 on EC2 bare metal on Intel Cascade 512, Lake Xeon Platinum 8275CL: SHA_SHANI, SHA_AVX2, SHA_AVX, SHA_SSSE3 HMAC-SHA2512/256 Amazon Linux 2023 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: SHA_SHANI, KAS-ECC-SSC A4483, A4491, Shared Secret SHA_AVX2, SHA_AVX, SHA_SSSE3 SP800-56ARev3, ECC Ephemeral A4492, A4505, Computation using P- IG D.F scenario Ubuntu on EC2 bare metal on Intel Cascade Lake Unified scheme A4506, A4507, 224, P-256, P-384, P- Xeon Platinum 8275CL: SHA_SHANI, SHA_AVX2, 2(1) A4508 521 SHA_AVX, SHA_SSSE3 KDA HKDF with A4483, A4491, Key Derivation SP800-56Crev1; HMAC-SHA-1, A4492, A4505, SP800-133rev2 HMAC-SHA2- A4506, A4507, Derived Key Length: section 6.2 224, HMAC- A4508 2048 SHA-256, Shared Secret Length: HMAC-SHA2224-2048 Increment 8 384, HMACSHA2-512 KDF TLS (CVL) A4483, A4491, Key Derivation SP800-135rev1; TLS 1.0/1.1, A4492, A4505, SP800-133rev2 TLS 1.2 (RFC A4506, A4507, section 6.2 7627) with A4508 SHA2-256, SHA2-384, SHA2-512 PBKDF with A4483, A4491, Amazon Linux 2023 on EC2 bare metal on Amazon SP800-132 Password based key Graviton3: SHA_ASM, SHA_CE, NEON HMAC-SHA-1, A4492, A4505, derivation: Option 1a; HMAC-SHA2- A4506, A4507, Iteration Count: 1000- Ubuntu on EC2 bare metal on Amazon Graviton3 SP800-133rev2 224, HMAC- A4508 10000 Increment 1 AWS Graviton: SHA_ASM, SHA_CE, NEON section 6.2 SHA2-256, Password Length: 14- Amazon Linux 2 on EC2 bare metal on Amazon HMAC-SHA2- 128 Increment 1 Graviton3: SHA_ASM, SHA_CE, NEON 384, HMAC- Salt Length: 128-4096 SHA2-512 Increment 8 Amazon Linux 2 on EC2 bare metal on Intel Cascade Lake Xeon Platinum 8275CL: SHA_SHANI, SHA_AVX2, Key Data Length: SHA_AVX, SHA_SSSE3 128-4096 Increment 8 Amazon Linux 2023 on EC2 bare metal on Intel RSA A4483, A4491, Key Generation using Cascade Lake Xeon Platinum 8275CL: SHA_SHANI, FIPS 186-5 SHA_AVX2, SHA_AVX, SHA_SSSE3 A4492, A4505, 2048,3072, 4096 bits A.1.3 Random A4506, A4507, key Ubuntu on EC2 bare metal on Intel Cascade Lake Probable A4508 Xeon Platinum 8275CL: SHA_SHANI, SHA_AVX2, Primes; SP800SHA_AVX, SHA_SSSE3 133rev2 sections 4, 5.1 © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm CAVP Cert Algorithm OE (Implementation) Reference Name Numbers Capabilities RSA Signature Generation PKCS#1v1.5 using 2048,3072, with SHA2-224, 4096 bits key SHA2-256, SHA2-384, SHA2-512 RSA PSS with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/256 RSA Signature Verification FIPS 186-5 PKCS#1v1.5 using 1024, 2048, except FIPS with SHA-1, 3072, 4096 bits key. 186-4 for use of SHA2-224, SHA-1 and 1024 SHA2-256, bit key SHA2-384, SHA2-512; RSA PSS with SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/256 SSH KDF (CVL) A4483, A4491, Key Derivation SP800-135rev1; with AES-128, A4492, A4505, SP800-133rev2 AES-192, AES- A4506, A4507, section 6.2 256; SHA-1, A4508 SHA2-224, SHA2-256, SHA2-384, SHA2-512 SHA-1, SHA2- A4483, A4491, Message Digest FIPS 180-4 224, SHA2-256, A4492, A4505, SHA2-384, A4506, A4507, SHA2-512, A4508 SHA2-512/256 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Algorithm Name Algorithm Capabilities OE (Implementation) References CKG (ECDSA KeyGen) ECDSA KeyGen (FIPS 186-5): P- Software; OE same as in FIPS 186-5, A.2.2 Rejection 224, P-256, P 384, P-521 elliptic Table 3 Sampling; SP 800-133Rev2 curves with 112-256 bits of key section 4 and IG D.H strength comment 2 (without any V, as described in Additional Comments 2 of IG D.H) CKG (RSA KeyGen) RSA KeyGen (FIPS 186-5): 2048, FIPS 186-5, A.1.3 Random 3072, 4096 bits with 112, 128, Probable Primes; SP 800-
149 bits of key strength. 133Rev2 section 4 and IG
D.H comment 2 (without any V, as described in Additional Comments 2 of IG D.H) Table 6: Vendor Affirmed Algorithms © 2024 Amazon Web Services, Inc., atsec information security.
Non-Approved, Allowed Algorithms: The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: Algorithm Caveat Use/Function MD5 Allowed per IG 2.4.A Message Digest used in TLS 1.0/1.1 KDF only Table 7: Non-Approved Allowed Algorithms with No Security Claimed Non-Approved Not Allowed Algorithms: Algorithm/Functions Use/Function AES with OFB or CFB1, CFB8 modes Encryption, Decryption AES GCM, GCM, GMAC, XTS with keys not listed in Table 5 Encryption, Decryption AES using aes_*_generic function Encryption, Decryption AES GMAC using aes_*_generic Message Authentication Generation Curve secp256k1 Signature Generation, Signature Verification, Shared Secret Computation Diffie Hellman Shared Secret Computation HMAC-MD4, HMAC-MD5, HMAC-SHA1, HMAC-SHA-3, HMAC- Message Authentication Generation RIPEMD-160 MD4 Message Digest MD5 Message Digest (outside of TLS) RSA using RSA_generate_key_ex Key Generation ECDSA using EC_KEY_generate_key Key Generation RSA using keys less than 2048 bits Signature Generation RSA using keys less than 1024 bits Signature Verification RSA Key Encapsulation/Un-encapsulation, sign/verify primitive operations without hashing RSA with PKCS#1 v1.5 and OAEP padding Encryption primitive SHA-1, SHA-3 Signature Generation SHAKE, RIPEMD-160, SHA-3 Message Digest TLS KDF using any SHA algorithms not listed in Table 5 or Key Derivation TLS KDF using non extended master secret Table 8: Non-Approved Algorithms, Not Allowed in the Approved Mode of Operation
Name Type Description SF Capabilities Algorithms KAS-ECC-SSC KAS SP800-56Ar3. Ephemeral Unified scheme KAS-ECC-SSC: A4483, A4491, KAS-ECC-SSC per Curves: P-224, P-256, P-384, P-521 elliptic A4492, A4505, A4506, A4507, IG D.F 2 path (1) curves with 112-256 bits of strength A4508 AES KW, AES-KWP KTS SP 800-38F. KTS 128, 192, 256 bits with AES: A4489, A4493, A4501, (Key Wrapping, 128-256 bits of key strength A4484, A4487, A4497 Key Unwrapping) per IG D.G © 2024 Amazon Web Services, Inc., atsec information security.
AES GCM [SP 800- KTS SP800-38D. KTS 128, 256 bits with AES: A4490, A4494, A4496, 38D] (Key Wrapping, 128 and 256 bits of key strength A4502, A4503, A4504, A4485, Key Unwrapping) A4486, A4488, A4495, A4498, per IG D.G A4499, A4500 AES CCM [SP 800- KTS SP 800-38C. KTS 128 bits with AES: A4489, A4493, A4501, 38C] (Key Wrapping, 128 bits of key strength A4484, A4487, A4497 Key Unwrapping) per IG D.G Table 9: Security Function Implementation
The module offers three AES GCM implementations. The GCM IV generation for these implementations complies respectively with IG C.H under Scenario 1, Scenario 2, and Scenario 5. The GCM shall only be used in the context of the AES-GCM encryption executing under each scenario, and using the referenced APIs explained next. Scenario 1, TLS 1.2 For TLS 1.2, the module offers the GCM implementation via the functions EVP_aead_aes_128_gcm_tls12() and EVP_aead_aes_256_gcm_tls12(), and uses the context of Scenario 1 of IG C.H. The module is compliant with SP800-52rev2 and the mechanism for IV generation is compliant with RFC5288. The module supports acceptable AES-GCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 2^{64-1} for a given session key. If this exhaustion condition is observed, the module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Scenario 2, Random IV In this implementation, the module offers the interfaces EVP_aead_aes_128_gcm_randnonce() and EVP_aead_aes_256_gcm_randnonce() for compliance with Scenario 2 of IG C.H and SP800-38D Section 8.2.2. The AES-GCM IV is generated randomly internal to the module using module’s approved DRGB. The DRBG receives a LOAD command with entropy obtained from inside the physical perimeter of the operational environment but outside of module's cryptographic boundary. The GCM IV is 96 bits in length and is expected to have 96 bits of entropy. Scenario 5, TLS 1.3 For TLS 1.3, the module offers the AES-GCM implementation via the functions EVP_aead_aes_128_gcm_tls13() and EVP_aead_aes_256_gcm_tls13(), and uses the context of Scenario 5 of IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the ciphersuites that explicitly select AES-GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES-GCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module implements, within its boundary, an IV generation unit for TLS 1.3 that keeps control of the 64-bit counter value within the AES-GCM IV. If the exhaustion condition is observed, the module will return an error indication to the calling application, who will then need to either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection. © 2024 Amazon Web Services, Inc., atsec information security.
In the event the module’s power is lost and restored, the consuming application must ensure that new AES-GCM keys encryption or decryption under this scenario are established. TLS 1.3 provides session resumption, but the resumption procedure derives new AES-GCM encryption keys.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2 20 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 80038E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
The module offers ECDH shared secret computation services compliant to the SP 800-56ARev3 and meeting IG D.F scenario 2 path (1). To meet the required assurances listed in section 5.6 of SP 800-56ARev3, the module shall be used together with an application that implements the “TLS protocol” and the following steps shall be performed.
Following IG C.F, RSA SigGen (FIPS 186-5) and RSA SigVer (FIPS 186-4 and FIPS 186-5) have been CAVP tested with all supported approved RSA modulus lengths (i.e., 1024 (SigVer only), 2048, 3072, 4096). This is documented in the Approved Algorithms table. There are no modulus sizes available in approved services which have not been CAVP tested. The minimum number of the Miller-Rabin tests used in primality testing is consistent with Table B.1 in FIPS 186-5.
The cryptographic module implements the following cryptographic algorithms for legacy use:
The module provides an SP800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) using CTR_DRBG mechanism with AES-256, without a derivation function, for generation of key components of asymmetric keys, and random number generation. The DRBG receives a LOAD command with entropy obtained from inside the physical perimeter of the operational environment but outside of module's cryptographic boundary. This corresponds to scenario 2 (b) of IG 9.3.A. The calling application shall use an entropy source that meets the security strength required for the CTR_DRBG as shown in NIST SP 800-90Arev1, Table 3 and should return an error if minimum strength cannot be met. Per the IG 9.3.A requirement, the module includes the caveat "No assurance of the minimum strength of generated keys".
Name Type Properties ECDSA CKG EC: P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength Method: FIPS 186-5 A.2.2 Rejection Sampling using a DRBG compliant with SP800-90Arev1, per SP800-133Rev2 section 4 (without any V, as described in Additional Comments 2 of IG D.H) and SP800-133Rev2 section 5.1 and 5.2 RSA CKG RSA: 2048, 3072, 4096 bits with 112, 128, 149 bits of key strength. Method: FIPS 186-5 A.1.3 Random Probable Primes using a DRBG compliant with SP80090Arev1, per SP800-133Rev2 section 4 (without any V, as described in Additional Comments
KDA HKDF Key Key type: Symmetric key; Security strength: 112-256 bits Derivation Method: SP 800-56Cr1; (HMAC) SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 per SP800-133Rev2 section 6.2 PBKDF Key Key type: Symmetric key; Security strength: 112-256 bits Derivation Method: option 1a of SP 800-132; (HMAC) SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 per SP800-133Rev2 section 6.2 SSH KDF Key Key type: Symmetric key; Security strength: 112-256 bits (CVL) Derivation Method: SP 800-135r1; AES-128, AES-192, AES-256 with SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512 per SP800-133Rev2 section 6.2 KDF TLS Key Key type: Symmetric key; Security strength: 112-256 bits (CVL) TLS Derivation Method: SP 800-135r1; MD5 (TLS 1.0/1.1 only), SHA2-256, SHA2-384, SHA2-512 1.0/1.1, per SP800-133Rev2 section 6.2 TLS 1.2 © 2024 Amazon Web Services, Inc., atsec information security.
(RFC 7627) Table 10: Key Generation
Name Type Properties KAS-ECC-SSC [SP800-56Arev3] KAS (Shared Secret Curves: P-224, P-256, P-384, P-521 elliptic curves with Computation) 112-256 bits of key strength Compliant with IG D.F scenario 2(1) AES GCM [SP 800-38D] KTS 128 and 256 bits with (Key wrapping, Key 128 and 256 bits of key strength unwrapping) Compliant with IG D.G AES CCM [SP 800-38C] 128 bits with 128 bits of key strength Compliant with IG D.G AES KW, AES KWP [SP 800-38F] 128, 192, 256 bits with 128-256 bits of key strength Compliant with IG D.G Table 11: Key Establishment
The module implements the SSH key derivation function for use in the SSH protocol (RFC 4253 and RFC 6668). GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the following key derivation functions for use in the TLS protocol:
As a Software module, the module interfaces are defined as Software or Firmware Module Interfaces (SMFI), and there are no physical ports. Logical Interface Data that passes over port/interface Data Input API input parameters for data. Data Output API output parameters for data. Control Input API function calls. Status Output API return codes, error message. Table 12: Ports and Interfaces 1
1 The control output interface is omitted on purpose because the module does not implement it. The physical ports are not
applicable because the module is software only. © 2024 Amazon Web Services, Inc., atsec information security.
The module does not support authentication.
The module does not support concurrent operators. Name Type Operator Type Authentication Crypto Officer Role CO N/A (Implicitly assumed) Table 13: Roles
Name Description Indicator Inputs Outputs Security Roles SSP Access Functions Encryption Encryption Return AES key, Ciphertext AES-CBC, AES- CO AES Key: W, E value 1 plaintext CTR, AES-ECB, from the AES-XTS Decryption Decryption function: AES key, Plaintext ciphertext listed in Table FIPS_ 5 service_ Authenticated Authenticated indicator_ AES key, IV, Ciphertext, AES-CCM, AES Key: W, E Encryption Encryption check_appr plaintext MAC tag AES-GCM listed Authenticated Authenticated oved() AES key, Plaintext in Table 5 Decryption Decryption ciphertext, MAC tag, IV Key wrapping Encrypting a AES key Wrapped key AES-KW, AES- AES key: W, E key wrapping KWP, AES-CCM, key, Key to AES-GCM be wrapped Key Decrypting a AES key Unwrapped AES-KW, AES- AES key: W, E unwrapping key unwrapping key KWP, AES-CCM, key AES-GCM Message MAC AES key, MAC tag AES-CMAC, AES Key: W, E Authentication computation message AES-GMAC Generation HMAC key, HMAC HMAC Key: W, E message Message Digest Generating Message Message SHA N/A message digest digest Random Generating Output Random CTR_DRBG Entropy Input: W, E Number random length bytes Generation numbers DRBG Seed: G, E DRBG Internal State (V, Key): G, E Key Generation Generating Modulus size Module RSA listed in Module generated RSA key pair generated Table 5, CKG Public Key: G, R RSA public key, Module Module generated RSA generated Private Key: G, R RSA private Intermediate Key key Generation Value: G, E, Z © 2024 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Roles SSP Access Functions Curve Module ECDSA listed in Module generated EC generated Table 5, CKG Public Key: G, R EC public key, Module Module generated EC generated Private Key: G, R EC private Intermediate Key key Generation Value: G, E, Z Key Verification Verifying the EC Public Success/ ECDSA listed in EC Public Key: W, E public key key error Table 5 Signature Generating Message, EC Digital RSA, ECDSA EC Private Key: W, E Generation signature private key signature listed in Table or RSA 5 RSA Private Key: W, E private key Signature Verifying Signature, Digital RSA, ECDSA EC Public Key: W, E Verification signature EC public signature listed in Table key or RSA verification 5 RSA Public Key: W, E public key result Shared Secret Calculating EC public Shared KAS-ECC-SSC EC Public Key: W, E Computation the Shared key, EC Secret Secret private key EC Private Key: W, E Shared Secret: G, R Key Derivation Deriving Keys TLS Pre- TLS Master TLS KDF (CVL) TLS Pre-Master Secret: Master secret TLS 1.0/1.1, W, E Secret TLS 1.2 TLS Master Secret: G TLS Master TLS Derived TLS KDF (CVL) TLS Master Secret: E Secret Key TLS 1.0/1.1, (AES/HMAC) TLS 1.2 (RFC TLS Derived Key 7627) (AES/HMAC): G, R Password, PBKDF PBKDF2 PBKDF Derived Key: G, salt, iteration Derived Key R count Password: W, E Shared KDA HKDF KDA HKDF KDA HKDF Derived Key: Secret, Key Derived Key G, R Length, Digest Shared Secret: W, E Shared SSH KDF SSH KDF SSH KDF Derived Key: Secret, Key Derived Key G, R Length Shared Secret: W, E Zeroization Zeroize PSP N/A SSP N/A None All SSPs: Z in volatile memory On-Demand Initiate N/A Pass or fail AES, HMAC, N/A Self-test power-on SHA, self-tests by CTR_DRBG, reset RSA, ECDSA, KAS-ECC-SSC, TLS KDF (CVL) TLS 1.0/1.1, TLS 1.2, KDA HKDF, PBKDF2 On-Demand Initiate N/A HMAC-SHA2- N/A Integrity Test integrity test 256 on-demand © 2024 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Roles SSP Access Functions Show Status Show status N/A Module N/A N/A of the module status state Show Version Show the N/A Module N/A N/A version of the name and module using version awslc_versi on_string Table 14: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
Service Description Algorithms Accessed Role Indicator Encryption Encryption AES listed in Table 8 CO Return value
Decryption Decryption function Message Authentication MAC computation AES GMAC and HMAC listed in Table 8 FIPS_ Generation service_ indicator_ Message Digest Generating message digest MD4, MD5 outside TLS 1.0 usage, check_ SHAKE, SHA-3, RIPEMD-160 approved() Signature Generation Generating signature Using SHA-1, SHAKE, SHA-3 © 2024 Amazon Web Services, Inc., atsec information security.
Service Description Algorithms Accessed Role Indicator RSA listed in Table 8, Curve secp256k1 Signature Verification Verifying signature RSA listed in Table 8, Curve secp256k1 Key Generation Generating key pair RSA or ECDSA listed in Table 8 Shared Secret Computation Calculating shared secret Diffie-Hellman, Curve secp256k1 Key Derivation Deriving TLS keys TLS KDF listed in Table 8 Key Encapsulation Decrypting a key RSA Key Un-encapsulation Encrypting a key RSA Encryption Primitive Asymmetric encryption RSA with PKCS#1 v1.5 and OAEP padding Table 15: Non-Approved Services
The module does not support loading of external software or firmware. © 2024 Amazon Web Services, Inc., atsec information security.
The integrity of the module is verified by comparing a HMAC value calculated at run time on the bcm.o file, with the HMAC-SHA2-256 value stored within the module that was computed at build time.
The module provides on-demand integrity test. The integrity test can be performed on demand by reloading the module. Additionally, the integrity test can be performed using the On-Demand Integrity Test service, which calls the BORINGSSL_integrity_test function. © 2024 Amazon Web Services, Inc., atsec information security.
Type of Operational Environment: The module operates in a modifiable operational environment. The module runs on a commercially available general-purpose operating system executing on the hardware specified in section
Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2024 Amazon Web Services, Inc., atsec information security.
The module is comprised of software only and therefore this section is not applicable. © 2024 Amazon Web Services, Inc., atsec information security.
The module claims no non-invasive security techniques. © 2024 Amazon Web Services, Inc., atsec information security.
Storage Area Name Description Persistence Type RAM Temporary storage for SSPs used by the module as part Dynamic of service execution. The module does not perform persistent storage of SSPs Table 16: Storage Areas
Name From To Format Distribution Entry Type Type Type API input Operator calling application Cryptographic module Plaintext Manual (MD) Electronic (EE) parameters (TOEPP) API output Cryptographic module Operator calling application Plaintext Manual (MD) Electronic (EE) parameters (TOEPP) Table 17: SSP Input-Output The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment. The SSPs are provided to the module via API input parameters in the plaintext form and output via API output parameters in the plaintext form to and from the calling application running on the same operational environment.
Zeroization Method Description Rationale Operator Initiation Free Cipher Handle Zeroizes the SSPs Memory occupied by SSPs is By calling the appropriate zeroization contained within the cipher overwritten with zeroes, which functions: handle. renders the SSP values irretrievable. OpenSSL_cleanse, EVP_CIPHER_CTX_cleanup, EVP_AEAD_CTX_zero, HMAC_CTX_cleanup, CTR_DRBG_clear, RSA_free, EC_KEY_free Module Reset De-allocates the volatile Volatile memory used by the By unloading and reloading the module. memory used to store SSPs module is overwritten within nanoseconds when power is removed. Table 18: Zeroization Methods
Name Description Size Strength Type Generation Established By AES Key AES key used for 128, 192, 256 128-256 bits of Symmetric key N/A N/A encryption, bits strength decryption, and computing MAC tags © 2024 Amazon Web Services, Inc., atsec information security.
Name Description Size Strength Type Generation Established By HMAC Key HMAC key for 112-524288 112-256 bits of Authentication N/A N/A Message bits strength key Authentication Generation Entropy Input Entropy input used 256 bits 256 bits of Entropy N/A N/A (per IG D.L) to seed the DRBGs strength DRBG Seed DRBG seed derived 256 bits 256 bits of DRBG seed CTR_DRBG N/A (per IG D.L) from entropy input strength (according to as defined in SP SP800800-90Ar1 90Arev1) DRBG Internal Internal state of 256 bits 256 bits of Internal state CTR_DRBG N/A State (V, Key) CTR_DRBG strength (derived from (per IG D.L) DRBG seed according to SP800-90Ar1) RSA Public Key RSA public key 1024, 2048, 80-150 bits of Public key N/A N/A used for signature 3072, 4096 strength verification bits RSA Private RSA private key 2048, 3072, 112-150 bits of Private key N/A Key used for signature 4096 bits strength generation Module RSA public key 112-50 bits of Public key RSA (generated generated RSA generated by the strength according to Public Key module FIPS 186-5) Module RSA private key 112-150 bits of Private key DRBG (for generated RSA generated by the strength generation of Private Key module random values) EC Public Key EC public key used P-224, P-256, 112-256 bits of Public key N/A N/A for key verification, P-384, P-521 strength signature verification, shared secret computation EC Private Key EC private key Private key N/A used for signature generation, shared secret computation Module EC public key Public key ECDSA N/A generated EC generated by the (generated Public Key module according to FIPS 186-5) Module EC private key Private key N/A generated EC generated by the DRBG (for Private Key module generation of random values) Shared Secret Shared Secret Shard secret N/A KAS-ECC-SSC generated by KAS- (established ECC-SSC according to SP80056Arev3) TLS Pre-Master TLS Pre-Master P-224, P-256, 112-256 bits TLS pre-master N/A N/A Secret secret used for P-384, P-521 secret deriving the TLS Master Secret TLS Master TLS Master secret 384 bits 112-256 bits TLS master KDF TLS (CVL) N/A Secret used for deriving secret TLS 1.0/1.1, the TLS Derived TLS 1.2 (RFC Key 7627) (derived © 2024 Amazon Web Services, Inc., atsec information security.
Name Description Size Strength Type Generation Established By TLS Derived TLS Derived Key AES: 128-256 AES: 128-256 bits Symmetric key according to N/A key from TLS Master bits of strength SP800(AES/HMAC) Secret 135rev1) HMAC: 112 to HMAC: 112-256
KDA HKDF KDA HKDF derived 112 to 2048 112-256 bits of Symmetric key KDA HKDF N/A derived key key bits strength (derived according to SP80056Crev1) SSH KDF SSH KDF derived 112 to 256 bits SSH KDF (CVL) derived key key (derived according to SP800135rev1) PBKDF PBKDF derived key 112–4096 bits PBKDF (derived derived key according to SP800-132) Password Password for 112-1024 bits N/A Password N/A N/A PBKDF Intermediate Intermediate key 224-4096 bits 112-256 bits of Intermediate CKG N/A Key generation value strength value Generation Value Table 19: SSP Information First Name Used By Inputs/Outputs Storage Zeroization Category Related SSPs AES Key Encryption, API input RAM Free Cipher Handle, CSP None Decryption, parameters Module Reset Authenticated (input) Encryption, Authentication Decryption, Key wrapping, Key unwrapping, Message Authentication Generation HMAC Key Message API input CSP None Authentication parameters Generation (input) Entropy Input (per Random Number API input Automatically CSP DRBG Seed IG D.L) Generation parameters (input) DRBG Seed (per Random Number N/A CSP Entropy Input, IG D.L) Generation DRBG Internal State (V, Key) DRBG Internal Random Number N/A Free Cipher Handle, CSP DRBG Seed State (V, Key) Generation Module Reset (per IG D.L) RSA Public Key Signature API input PSP RSA Private Verification parameters Key (input) RSA Private Key Signature CSP RSA Public Key Generation © 2024 Amazon Web Services, Inc., atsec information security.
Name Used By Inputs/Outputs Storage Zeroization Category Related SSPs Module N/A API output PSP Module generated RSA parameters generated RSA Public Key (output) Private Key, Intermediate Key Generation Value Module N/A CSP Module generated RSA generated RSA Private Key Public Key, Intermediate Key Generation Value EC Public Key Key Verification, API input PSP EC Private Key, Signature parameters Shared Secret Verification, (input) Shared Secret Computation EC Private Key Signature CSP EC Public Key, Generation, Shared Secret Shared Secret Computation Module EC Public Key API output PSP Module generated EC generated by the parameters generated EC Public Key module (output) Private Key, Intermediate Key Generation Value Module EC Private Key CSP Module generated EC generated by the generated EC Private Key module Public Key, Intermediate Key Generation Value Shared Secret Key Derivation API output CSP EC Public Key, parameters EC Private Key (output) TLS Pre-Master Key Derivation API input CSP TLS Master Secret parameters Secret (input) TLS Master Key Derivation N/A CSP TLS Pre-Master Secret Secret, TLS Derived Key (AES/HMAC) TLS Derived Key N/A API output CSP TLS Master (AES/HMAC) parameters Secret (output) KDA HKDF CSP Shared Secret Derived Key SSH KDF Derived CSP Shared Secret Key PBKDF Derived CSP Password Key © 2024 Amazon Web Services, Inc., atsec information security.
Name Used By Inputs/Outputs Storage Zeroization Category Related SSPs Password API input CSP PBKDF Derived parameters Key (input) Intermediate Key Key Generation N/A Automatically CSP Module Generation Value generated RSA Private Key, Module generated RSA Public Key, Module generated EC Private Key, Module generated EC Public Key Table 20: SSP Information Second
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm Implementation Test Test Method Test Type Indicator Details Properties HMAC-SHA2-256 SHA_ASM, SHA_CE, SHA2-256 Message Software Module becomes N/A NEON, SHA_SHANI, Authentication Integrity operational SHA_AVX2, SHA_AVX, SHA_SSSE3 Table 21: Pre-Operational Self-Tests The module performs the pre-operational self-test automatically when the module is loaded into memory; the pre-operational self-test is the software integrity test that ensures that the module is not corrupted. While the module is executing the pre-operational self-test, services are not available, and input and output are inhibited. The software integrity test is performed after a set of conditional cryptographic algorithm selftests (CASTs). The set of CASTs includes the self-test for HMAC-SHA2-256 algorithm used in the pre-operational self-test.
Algorithm or Test Test Test Type Indicator Details Condition Coverage Coverage Properties Method Notes AES CBC 128-bit AES Encrypt CAST Module is Encrypt Power up Self N/A AES GCM key KAT for operational AES_C, AES_C_GCM, CBC AESNI, AESNI_AVX, AESNI_ASM, Decrypt Decrypt Self and ECB, IG 10.3.A, AESAESM, KAT for KW, KWP, XTS resolution AESASM_AVX, CBC (all 1.c AESASM_CLMULNI, implementatio AESASM_ASM, CE, ns) CE_GCM_UNROLL8_E OR3, CE_GCM, VPAES, Encrypt Encrypt Self and CCM, IG 10.3.A, VPAES_GCM, KAT for CMAC, CTR, resolution AESNI_CLMULNI, GCM ECB, GMAC, 1.d.(i) BAES_CTASM, KW, KWP, XTS BAES_CTASM_AVX, all BAES_CTASM_CLMUL implementatio NI, BAES_CTASM_ASM ns) Decrypt Decrypt Self N/A KAT for GCM SHA-1 N/A SHA-1 CAST Message Power up Self N/A SHA2-256 KAT digest SHA2-512 SHA_CE, SHA_ASM, SHA2-256 Self and SHA2- IG 10.3.A, NEON, SHA_SHANI, KAT 224 all resolution 2 SHA_AVX2, SHA_AVX, implementatio SHA_SSSE3 ns) SSH KDF (all IG 10.3.A, implementatio resolution ns) 12, note 18 SHA2-512 Self and SHA2- IG 10.3.A, © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Test Test Type Indicator Details Condition Coverage Coverage Properties Method Notes KAT 384, SHA2- resolution 2 512/256 (all implementatio ns) HMAC SHA2-256 HMAC CAST Message Power up Self and IG 10.3.A SHA_CE, SHA_ASM, KAT authenticati HMAC-SHA-1, resolution 5 NEON, SHA_SHANI, on HMAC-SHA2SHA_AVX2, SHA_AVX, 224, SHA_SSSE3 HMAC-SHA2384, HMAC-SHA2512, HMAC-SHA2512/256 CTR_DRBG AES 256 CTR_DRB CAST Seed Power up Self N/A AES_C, AESNI, G KAT Generation AESASM, AESASM_AVX, CE, N/A SP800- Seed Power up Self N/A VPAES, BAES_CTASM 90Ar1 Generation Section 11.3 Health Test ECDSA P-256 Curve Sign KAT CAST Sign Signature Self N/A SHA_ASM, SHA_CE, and SHA2- Generation NEON, SHA_SHANI, 256 or Key SHA_AVX2, SHA_AVX, Generation SHA_SSSE3 service request ECDSA P-256 Curve Verify Verify Signature Self N/A and SHA2- KAT verification SHA_ASM, SHA_CE, 256 or Key NEON, SHA_SHANI, Generation SHA_AVX2, SHA_AVX, service SHA_SSSE3 request KAS-ECC-SSC P-256 Curve Z Shared Shared Self N/A C computati secret secret on computation computatio n request ECDSA Respective Signature PCT Sign and Key Self and KAS- IG 10.3.A SHA_ASM, SHA_CE, Curve and generatio Verify generation ECC-SSC additional NEON, SHA_SHANI, SHA2-256 n and PCT comment 1. SHA_AVX2, SHA_AVX, verificatio SHA_SSSE3 n KDF TLS (CVL) SHA2-256 TLS 1.2 CAST Key Power up Self N/A SHA_ASM, SHA_CE, KAT derivation NEON, SHA_SHANI, SHA_AVX2, SHA_AVX, SHA_SSSE3 KDA HKDF HMAC- KAT CAST Key Power up Self N/A SHA_ASM, SHA_CE, SHA2-256 derivation NEON, SHA_SHANI, SHA_AVX2, SHA_AVX, SHA_SSSE3 PBKDF2 HMAC- KAT CAST Key Power up Self N/A SHA_ASM, SHA_CE, SHA2-256 derivation © 2024 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Test Test Type Indicator Details Condition Coverage Coverage Properties Method Notes NEON, SHA_SHANI, SHA_AVX2, SHA_AVX, SHA_SSSE3 RSA PKCS#1 Sign KAT CAST Sign Signature Self N/A SHA_ASM, SHA_CE, v1.5 with Generation NEON, SHA_SHANI, 2048 bit or Key SHA_AVX2, SHA_AVX, key and Generation SHA_SSSE3 SHA2-256 service request RSA PKCS#1 Verify CAST Verify Signature Self N/A SHA_ASM, SHA_CE, v1.5 with KAT Verification NEON, SHA_SHANI, 2048 bit or Key SHA_AVX2, SHA_AVX, key and Generation SHA_SSSE3 SHA2-256 service request RSA SHA2-256 Signature PCT Sign and Key Self N/A SHA_ASM, SHA_CE, and generatio Verify generation NEON, SHA_SHANI, respective n and SHA_AVX2, SHA_AVX, keys verificatio SHA_SSSE3 n Table 22: Conditional Self-Tests
The module performs self-tests on approved cryptographic algorithms, using the tests shown in Table 22. Data output through the data output interface is inhibited during the self-tests. The CASTs are performed in the form of Known Answer Tests (KATs), in which the calculated output is compared with the expected known answer (that are hard coded in the module). A failed match causes a failure of the self-test. If any of these self-tests fails, the module transitions to error state.
The module implements RSA and ECDSA key generation service and performs the respective pairwise consistency test (PCT) using sign and verify functions when the keys are generated (Table 22). If any of these self-tests fails, the module transitions to error state and is aborted.
The module does not support periodic self-tests.
Name Description Condition Recovery Status Indicator Method Error The library is Pre-operational Module reset Error message is output on the stderr and then the aborted with test failure module is aborted. SIGABRT signal. Module is no longer Conditional Module reset For CAST failure, an error message is output on the operational the test failure stderr and then the module is aborted. For PCT failure, data output an error message is output in the error queue and then © 2024 Amazon Web Services, Inc., atsec information security.
Name Description Condition Recovery Status Indicator Method interface is the module generates new key, If the PCT still does not inhibited pass, eventually the module will be aborted after 5 tries. Table 23: Error States If the module fails any of the self-tests, the module enters the error state. To recover from the Error state, the module needs to be rebooted.
The software integrity tests and the CASTs for AES, SHA, DRBG, KAS-ECC-SSC, TLS KDF, KDA HKDF, PBKDF2 can be invoked by unloading and subsequently re-initializing the module. The CASTs for ECDSA and RSA can be invoked by requesting the corresponding Key Generation or Digital Signature services. Additionally, all the CASTs can be invoked by calling the BORINGSSL_self_test function. The PCTs can be invoked on demand by requesting the Key Generation service. © 2024 Amazon Web Services, Inc., atsec information security.
The module bcm.o is embedded into the shared library libcrypto.so which can be obtained by building the source code at the following location [1]. The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during module build. [1] https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-2.0.0.zip. The downloaded zip file can be verified by issuing the “sha256sum AWS-LC-FIPS-2.0.0.zip” command. The expected SHA2-256 digest value is: 6241EC2F13A5F80224EE9CD8592ED66A97D426481066FEAA4EFC6F24E60BBC96 After the zip file is extracted, the instructions listed below will compile the module. The compilation instructions must be executed separately on platforms that have different processors and/or operating systems. Due to six possible combinations of OS/processor, the module count is six (i.e., there are six separate binaries generated, one for each entry listed in Table 3). Amazon Linux 2 and Amazon Linux 2023: 1. sudo yum groupinstall "Development Tools" 2. sudo yum install cmake3 golang 3. cd aws-lc-fips-2022-11-02/ 4. mkdir build 5. cd build 6. cmake3 -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. 7. make Ubuntu 22.04: 1. sudo apt-get install build-essential 2. sudo apt-get install cmake 3. Get latest Golang archive for your architecture 4. sudo tar -C /usr/local -xzf go*.tar.gz 5. cd aws-lc-fips-2022-11-02/ 6. mkdir build 7. cd build 8. cmake -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 -DGO_EXECUTABLE=/usr/local/go/bin/go .. 9. make Upon completion of the build process, the module’s status can be verified by the command below. If the value obtained is “1” then the module has been installed and configured to operate in FIPS compliant manner. ./tool/bssl isfips © 2024 Amazon Web Services, Inc., atsec information security.
Lastly, the user can call the “show version” service using awslc_version_string function and the expected output is “AWS-LC FIPS 2.0.0” which is the module version. This will confirm that the module is in the operational mode. Additionally, the “AWS-LC FIPS” also acts as the module identifier and the verification of the "dynamic" part can be done using following command with an application that was used for dynamic linking. The "U" in the output confirms that the module is dynamically linked. Command: nm <application_name> | grep awslc_version_string Example Output: “ U awslc_version_string”
When the module is at end of life, for the GitHub repo, the README will be modified to mark the library as deprecated. After a 6-month window, more restrictive branch permissions will be added such that only administrators can read from the FIPS branch. The module does not possess persistent storage of SSPs. The SSP value only exists in volatile memory and that value vanishes when the module is powered off. So as a first step for the secure sanitization, the module needs to be powered off. Then for actual deprecation, the module will be upgraded to newer version that is approved. This upgrade process will uninstall/remove the old/terminated module and provide a new replacement. © 2024 Amazon Web Services, Inc., atsec information security.
RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. The module provides the mechanism to use the blinding for RSA. When the blinding is on, the module generates a random value to form a blinding factor in the RSA key before the RSA key is used in the RSA cryptographic operations. © 2024 Amazon Web Services, Inc., atsec information security.
AES Advanced Encryption Standard AESNI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CAST Cryptographic Algorithm Self-Test CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback OS Operating System PAA Processor Algorithm Acceleration PCT Pair-Wise Consistency Test PR Prediction Resistance PSP Public Security Parameter PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm © 2024 Amazon Web Services, Inc., atsec information security.
FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program August 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt SP800-38A Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf © 2024 Amazon Web Services, Inc., atsec information security.
SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56Arev3 NIST Special Publication 800-56A Revision 2 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography May 2013 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf SP800-90Arev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-131Arev1 NIST Special Publication 800-131A Revision 1- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths November 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf SP800-133rev2 NIST Special Publication 800-133rev2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf © 2024 Amazon Web Services, Inc., atsec information security.