All modules
CMVP Validated Module · FIPS 140-3 Security Policy

IBM DataPower FIPS Provider

Certificate#4789StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorIBM
Medium review priority  ·  no TCB surface named  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/5/2026
CaveatInterim validation. When operated in approved mode.
VendorIBM

Approved Algorithms (236)

AlgorithmACVP Cert
AES-CBCA4357
AES-CBCA4358
AES-CBCA4359
AES-CBC-CS1A4357
AES-CBC-CS1A4358
AES-CBC-CS1A4359
AES-CBC-CS2A4357
AES-CBC-CS2A4358
AES-CBC-CS2A4359
AES-CBC-CS3A4357
AES-CBC-CS3A4358
AES-CBC-CS3A4359
AES-CCMA4357
AES-CCMA4358
AES-CCMA4359
AES-CFB1A4357
AES-CFB1A4358
AES-CFB1A4359
AES-CFB128A4357
AES-CFB128A4358
AES-CFB128A4359
AES-CFB8A4357
AES-CFB8A4358
AES-CFB8A4359
AES-CMACA4357
AES-CMACA4358
AES-CMACA4359
AES-CTRA4357
AES-CTRA4358
AES-CTRA4359
AES-ECBA4357
AES-ECBA4358
AES-ECBA4359
AES-ECBA4370
AES-ECBA4377
AES-ECBA4378
AES-ECBA4379
AES-ECBA4380
AES-GCMA4360
AES-GCMA4363
AES-GCMA4364
AES-GCMA4371
AES-GCMA4372
AES-GCMA4373
AES-GCMA4374
AES-GCMA4375
AES-GCMA4376
AES-GMACA4360
AES-GMACA4363
AES-GMACA4364
AES-GMACA4371
AES-GMACA4372
AES-GMACA4373
AES-GMACA4374
AES-GMACA4375
AES-GMACA4376
AES-KWA4357
AES-KWA4358
AES-KWA4359
AES-KWPA4357
AES-KWPA4358
AES-KWPA4359
AES-OFBA4357
AES-OFBA4358
AES-OFBA4359
AES-XTS Testing Revision 2.0A4357
AES-XTS Testing Revision 2.0A4358
AES-XTS Testing Revision 2.0A4359
Counter DRBGA4356
ECDSA KeyGen (FIPS186-5)A4361
ECDSA KeyGen (FIPS186-5)A4365
ECDSA KeyGen (FIPS186-5)A4366
ECDSA KeyGen (FIPS186-5)A4367
ECDSA KeyGen (FIPS186-5)A4368
ECDSA KeyVer (FIPS186-5)A4361
ECDSA KeyVer (FIPS186-5)A4365
ECDSA KeyVer (FIPS186-5)A4366
ECDSA KeyVer (FIPS186-5)A4367
ECDSA KeyVer (FIPS186-5)A4368
ECDSA SigGen (FIPS186-5)A4361
ECDSA SigGen (FIPS186-5)A4362
ECDSA SigGen (FIPS186-5)A4365
ECDSA SigGen (FIPS186-5)A4366
ECDSA SigGen (FIPS186-5)A4367
ECDSA SigGen (FIPS186-5)A4368
ECDSA SigVer (FIPS186-5)A4361
ECDSA SigVer (FIPS186-5)A4362
ECDSA SigVer (FIPS186-5)A4365
ECDSA SigVer (FIPS186-5)A4366
ECDSA SigVer (FIPS186-5)A4367
ECDSA SigVer (FIPS186-5)A4368
Hash DRBGA4356
HMAC DRBGA4356
HMAC-SHA-1A4361
HMAC-SHA-1A4365
HMAC-SHA-1A4366
HMAC-SHA-1A4367
HMAC-SHA-1A4368
HMAC-SHA2-224A4361
HMAC-SHA2-224A4365
HMAC-SHA2-224A4366
HMAC-SHA2-224A4367
HMAC-SHA2-224A4368
HMAC-SHA2-256A4361
HMAC-SHA2-256A4365
HMAC-SHA2-256A4366
HMAC-SHA2-256A4367
HMAC-SHA2-256A4368
HMAC-SHA2-384A4361
HMAC-SHA2-384A4365
HMAC-SHA2-384A4366
HMAC-SHA2-384A4367
HMAC-SHA2-384A4368
HMAC-SHA2-512A4361
HMAC-SHA2-512A4365
HMAC-SHA2-512A4366
HMAC-SHA2-512A4367
HMAC-SHA2-512A4368
HMAC-SHA2-512/224A4361
HMAC-SHA2-512/224A4365
HMAC-SHA2-512/224A4366
HMAC-SHA2-512/224A4367
HMAC-SHA2-512/224A4368
HMAC-SHA2-512/256A4361
HMAC-SHA2-512/256A4365
HMAC-SHA2-512/256A4366
HMAC-SHA2-512/256A4367
HMAC-SHA2-512/256A4368
HMAC-SHA3-224A4362
HMAC-SHA3-256A4362
HMAC-SHA3-384A4362
HMAC-SHA3-512A4362
KAS-ECC-SSC Sp800-56Ar3A4361
KAS-ECC-SSC Sp800-56Ar3A4365
KAS-ECC-SSC Sp800-56Ar3A4366
KAS-ECC-SSC Sp800-56Ar3A4367
KAS-ECC-SSC Sp800-56Ar3A4368
KAS-FFC-SSC Sp800-56Ar3A4383
KDA HKDF Sp800-56Cr1A4355
KDA OneStep SP800-56Cr2A4382
KDA TwoStep SP800-56Cr2A4382
KDF ANS 9.42A4361
KDF ANS 9.42A4362
KDF ANS 9.42A4365
KDF ANS 9.42A4366
KDF ANS 9.42A4367
KDF ANS 9.42A4368
KDF ANS 9.63A4361
KDF ANS 9.63A4362
KDF ANS 9.63A4365
KDF ANS 9.63A4366
KDF ANS 9.63A4367
KDF ANS 9.63A4368
KDF SP800-108A4381
KDF SSHA4370
KDF SSHA4377
KDF SSHA4378
KDF SSHA4379
KDF SSHA4380
PBKDFA4361
PBKDFA4362
PBKDFA4365
PBKDFA4366
PBKDFA4367
PBKDFA4368
RSA KeyGen (FIPS186-5)A4361
RSA KeyGen (FIPS186-5)A4365
RSA KeyGen (FIPS186-5)A4366
RSA KeyGen (FIPS186-5)A4367
RSA KeyGen (FIPS186-5)A4368
RSA SigGen (FIPS186-5)A4361
RSA SigGen (FIPS186-5)A4362
RSA SigGen (FIPS186-5)A4365
RSA SigGen (FIPS186-5)A4366
RSA SigGen (FIPS186-5)A4367
RSA SigGen (FIPS186-5)A4368
RSA SigVer (FIPS186-4)A4361
RSA SigVer (FIPS186-4)A4365
RSA SigVer (FIPS186-4)A4366
RSA SigVer (FIPS186-4)A4367
RSA SigVer (FIPS186-4)A4368
RSA SigVer (FIPS186-5)A4361
RSA SigVer (FIPS186-5)A4362
RSA SigVer (FIPS186-5)A4365
RSA SigVer (FIPS186-5)A4366
RSA SigVer (FIPS186-5)A4367
RSA SigVer (FIPS186-5)A4368
Safe Primes Key GenerationA4383
Safe Primes Key VerificationA4383
SHA-1A4361
SHA-1A4365
SHA-1A4366
SHA-1A4367
SHA-1A4368
SHA2-224A4361
SHA2-224A4365
SHA2-224A4366
SHA2-224A4367
SHA2-224A4368
SHA2-256A4361
SHA2-256A4365
SHA2-256A4366
SHA2-256A4367
SHA2-256A4368
SHA2-384A4361
SHA2-384A4365
SHA2-384A4366
SHA2-384A4367
SHA2-384A4368
SHA2-512A4361
SHA2-512A4365
SHA2-512A4366
SHA2-512A4367
SHA2-512A4368
SHA2-512/224A4361
SHA2-512/224A4365
SHA2-512/224A4366
SHA2-512/224A4367
SHA2-512/224A4368
SHA2-512/256A4361
SHA2-512/256A4365
SHA2-512/256A4366
SHA2-512/256A4367
SHA2-512/256A4368
SHA3-224A4362
SHA3-256A4362
SHA3-384A4362
SHA3-512A4362
SHAKE-128A4362
SHAKE-256A4362
TLS v1.2 KDF RFC7627A4361
TLS v1.2 KDF RFC7627A4365
TLS v1.2 KDF RFC7627A4366
TLS v1.2 KDF RFC7627A4367
TLS v1.2 KDF RFC7627A4368
TLS v1.3 KDFA4355

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for IBM DataPower FIPS Provider
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for IBM DataPower FIPS Provider
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

IBM IBM DataPower FIPS Provider Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2024 IBM Corporation/ atsec information security.

Page 2
Table of Contents
#SectionPage
Page 3

© 2024 IBM Corporation/ atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)7
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description8
Table 5: Approved Algorithms24
Table 6: Vendor-Affirmed Algorithms24
Table 7: Non-Approved, Not Allowed Algorithms25
Table 8: Security Function Implementations44
Table 9: Entropy Certificates45
Table 10: Entropy Sources46
Table 11: Ports and Interfaces48
Table 12: Roles49
Table 13: Approved Services54
Table 14: Non-Approved Services55
Table 15: Storage Areas61
Table 16: SSP Input-Output Methods61
Table 17: SSP Zeroization Methods61
Table 18: SSP Table 164
Table 19: SSP Table 266
Table 20: Pre-Operational Self-Tests67
Table 21: Conditional Self-Tests76
Table 22: Pre-Operational Periodic Information76
Table 23: Conditional Periodic Information81
Table 24: Error States82
Figure 1: Block Diagram7
Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.9B3346E1D91BA83B7BAB52F472F3E6A0D of the IBM DataPower FIPS Provider. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.

1.2 Security Levels
1 1
2 1
3 1
4 1
5 1
6 1
7 N/A
8 N/A
9 1
10 1
11 1
12 1

Table 1: Security Levels © 2024 IBM Corporation/ atsec information security.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The IBM DataPower FIPS Provider (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider”, which implements the FIPS requirements and the cryptographic functionality provided to the operator. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the fips.so shared library, which contains the compiled code implementing the FIPS provider. Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by the component painted in orange, which consists only of the shared library implementing the FIPS provider (fips.so). Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. © 2024 IBM Corporation/ atsec information security.

Page 7

Figure 1: Block Diagram Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed.

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

N/A for this module. Tested Operational Environments - Software, Firmware, Hybrid: Operati Hardwa Process PAA/ Hypervis Version(s) ng re ors PAI or or System Platfor Host OS m CentOS IBM Intel Yes 3.0.9Stream 8 DataPow Xeon B3346E1D91BA83B7BAB52F472F er Gold 3E6A0D Gateway 6326 X3 CentOS IBM Intel No 3.0.9Stream 8 DataPow Xeon B3346E1D91BA83B7BAB52F472F er Gold 3E6A0D Gateway 6326 X3 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module.

2.3 Excluded Components

There are no components excluded from the requirements of the FIPS 140-3 standard.

2.4 Modes of Operation

Modes List and Description: Table Name Description Type Status Indicator Approved Automatically entered whenever Approved Equivalent to the mode an approved service is requested indicator of the requested service Non- Automatically entered whenever Non- Equivalent to the approved a non-approved service is Approved indicator of the mode requested requested service Table 4: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. In the operational state, the module accepts service requests from calling applications through its logical interfaces. At any point in the operational state, a calling application can end its process, thus causing the module to end its operation. Mode Change Instructions and Status: © 2024 IBM Corporation/ atsec information security.

Page 9

The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference KDA HKDF Sp800- A4355 Derived Key Length: 2048 SP 800-56C 56Cr1 Shared Secret Length: 224-2048 Rev. 2 Increment 8 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2512/256, SHA3-224, SHA3-256, SHA3-384 TLS v1.3 KDF (CVL) A4355 HMAC Algorithm: SHA2-256, SHA2- SP 800-135 Rev.

384 1

KDF Running Modes: DHE, PSK, PSK-DHE Counter DRBG A4356 Prediction Resistance: Yes, No SP 800-90A Supports Reseed Rev. 1 Mode: AES-128, AES-192, AES-256 Derivation Function Enabled: Yes, No Hash DRBG A4356 Prediction Resistance: Yes, No SP 800-90A Supports Reseed Rev. 1 Mode: SHA-1, SHA2-256, SHA2HMAC DRBG A4356 Prediction Resistance: Yes, No SP 800-90A Supports Reseed Rev. 1 Mode: SHA-1, SHA2-256, SHA2AES-CBC A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS1 A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS2 A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS3 A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CCM A4357 Key Length: 128, 192, 256 SP 800-38C Tag Length: 32, 48, 64, 80, 96, 112, 128 IV Length: 56, 64, 72, 80, 88, 96, AES-CFB1 A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CFB128 A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CFB8 A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CMAC A4357 Direction: Generation, Verification SP 800-38B © 2024 IBM Corporation/ atsec information security.

Page 10

Algorithm CAVP Cert Properties Reference Key Length: 128, 192, 256 MAC Length: 128 AES-CTR A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-ECB A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-KW A4357 Direction: Decrypt, Encrypt SP 800-38F Key Length: 128, 192, 256 AES-KWP A4357 Direction: Decrypt, Encrypt SP 800-38F Key Length: 128, 192, 256 AES-OFB A4357 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-XTS Testing A4357 Direction: Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length: 128, 256 Tweak Mode: Hex Data Unit Length Matches Payload AES-CBC A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS1 A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS2 A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS3 A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CCM A4358 Key Length: 128, 192, 256 SP 800-38C Tag Length: 32, 48, 64, 80, 96, 112, 128 IV Length: 56, 64, 72, 80, 88, 96, AES-CFB1 A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CFB128 A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CFB8 A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CMAC A4358 Direction: Generation, Verification SP 800-38B Key Length: 128, 192, 256 MAC Length: 128 AES-CTR A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-ECB A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-KW A4358 Direction: Decrypt, Encrypt SP 800-38F Key Length: 128, 192, 256 AES-KWP A4358 Direction: Decrypt, Encrypt SP 800-38F Key Length: 128, 192, 256 AES-OFB A4358 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-XTS Testing A4358 Direction: Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length: 128, 256 Tweak Mode: Hex Data Unit Length Matches Payload AES-CBC A4359 Direction: Decrypt, Encrypt SP 800-38A © 2024 IBM Corporation/ atsec information security.

Page 11

Algorithm CAVP Cert Properties Reference Key Length: 128, 192, 256 AES-CBC-CS1 A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS2 A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CBC-CS3 A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CCM A4359 Key Length: 128, 192, 256 SP 800-38C Tag Length: 32, 48, 64, 80, 96, 112, 128 IV Length: 56, 64, 72, 80, 88, 96, AES-CFB1 A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CFB128 A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CFB8 A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-CMAC A4359 Direction: Generation, Verification SP 800-38B Key Length: 128, 192, 256 MAC Length: 128 AES-CTR A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-ECB A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-KW A4359 Direction: Decrypt, Encrypt SP 800-38F Key Length: 128, 192, 256 AES-KWP A4359 Direction: Decrypt, Encrypt SP 800-38F Key Length: 128, 192, 256 AES-OFB A4359 Direction: Decrypt, Encrypt SP 800-38A Key Length: 128, 192, 256 AES-XTS Testing A4359 Direction: Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length: 128, 256 Tweak Mode: Hex Data Unit Length Matches Payload AES-GCM A4360 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4360 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 ECDSA KeyGen A4361 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode: testing candidates ECDSA KeyVer A4361 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) © 2024 IBM Corporation/ atsec information security.

Page 12

Algorithm CAVP Cert Properties Reference ECDSA SigGen A4361 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 ECDSA SigVer A4361 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 HMAC-SHA-1 A4361 MAC: 160 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4361 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4361 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4361 MAC: 384 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4361 MAC: 512 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/224 A4361 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/256 A4361 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 KAS-ECC-SSC Sp800- A4361 P-224, P-256, P-384, P-521 SP 800-56A 56Ar3 Scheme: ephemeralUnified Rev. 3 KAS Role: initiator, responder KDF ANS 9.42 (CVL) A4361 Hash Algorithm: SHA-1, SHA2-224, SP 800-135 Rev. SHA2-256, SHA2-384, SHA2-512, 1 SHA2-512/224, SHA2-512/256 zz Length: 8-4096 Increment 8 Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A4361 Hash Algorithm: SHA2-224, SHA2- SP 800-135 Rev. 256, SHA2-384, SHA2-512, SHA2- 1 512/224, SHA2-512/256 Shared Info Length: 0-1024 Increment 8 Key Data Length: 128-4096 Increment 8 PBKDF A4361 Iteration Count: 1000-10000 SP 800-132 Increment 1 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 Password Length: 8-128 Increment Salt Length: 128-4096 Increment 8 © 2024 IBM Corporation/ atsec information security.

Page 13

Algorithm CAVP Cert Properties Reference Key Data Length: 128-4096 Increment 8 RSA KeyGen A4361 Key Generation Mode: FIPS 186-5 (FIPS186-5) probableWithProbableAux Modulo: 2048, 3072, 4096 Private Key Format: standard Public Exponent Mode: random RSA SigGen A4361 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss RSA SigVer A4361 Hash Algorithm: SHA2-224, SHA2- FIPS 186-4 (FIPS186-4) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 1024 Signature Type: pkcs1v1.5, pss RSA SigVer A4361 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss SHA-1 A4361 - FIPS 180-4 SHA2-224 A4361 - FIPS 180-4 SHA2-256 A4361 - FIPS 180-4 SHA2-384 A4361 - FIPS 180-4 SHA2-512 A4361 - FIPS 180-4 SHA2-512/224 A4361 - FIPS 180-4 SHA2-512/256 A4361 - FIPS 180-4 TLS v1.2 KDF A4361 Hash Algorithm: SHA2-256, SHA2- SP 800-135 Rev. RFC7627 (CVL) 384, SHA2-512 1 Key Block Length: 1024 ECDSA SigGen A4362 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA3-224, SHA3256, SHA3-384, SHA3-512 ECDSA SigVer A4362 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA3-224, SHA3256, SHA3-384, SHA3-512 HMAC-SHA3-224 A4362 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA3-256 A4362 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA3-384 A4362 MAC: 384 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA3-512 A4362 MAC: 512 FIPS 198-1 Key Length: 112-524288 Increment 8 KDF ANS 9.42 (CVL) A4362 Hash Algorithm: SHA3-224, SHA3- SP 800-135 Rev. 256, SHA3-384, SHA3-512 1 zz Length: 8-4096 Increment 8 © 2024 IBM Corporation/ atsec information security.

Page 14

Algorithm CAVP Cert Properties Reference Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A4362 Hash Algorithm: SHA3-224, SHA3- SP 800-135 Rev. 256, SHA3-384, SHA3-512 1 Shared Info Length: 0-1024 Increment 8 Key Data Length: 128-4096 Increment 8 PBKDF A4362 Iteration Count: 1000-10000 SP 800-132 Increment 1 HMAC Algorithm: SHA3-224, SHA3256, SHA3-384, SHA3-512 Password Length: 8-128 Increment Salt Length: 128-4096 Increment 8 Key Data Length: 128-4096 Increment 8 RSA SigGen A4362 Hash Algorithm: SHA3-224, SHA3- FIPS 186-5 (FIPS186-5) 256, SHA3-384, SHA3-512 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss RSA SigVer A4362 Hash Algorithm: SHA3-224, SHA3- FIPS 186-5 (FIPS186-5) 256, SHA3-384, SHA3-512 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss SHA3-224 A4362 - FIPS 202 SHA3-256 A4362 - FIPS 202 SHA3-384 A4362 - FIPS 202 SHA3-512 A4362 - FIPS 202 SHAKE-128 A4362 - FIPS 202 SHAKE-256 A4362 - FIPS 202 AES-GCM A4363 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4363 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 AES-GCM A4364 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4364 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External © 2024 IBM Corporation/ atsec information security.

Page 15

Algorithm CAVP Cert Properties Reference Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 ECDSA KeyGen A4365 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode: testing candidates ECDSA KeyVer A4365 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4365 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 ECDSA SigVer A4365 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 HMAC-SHA-1 A4365 MAC: 160 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4365 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4365 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4365 MAC: 384 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4365 MAC: 512 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/224 A4365 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/256 A4365 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 KAS-ECC-SSC Sp800- A4365 P-224, P-256, P-384, P-521 SP 800-56A 56Ar3 Scheme: ephemeralUnified Rev. 3 KAS Role: initiator, responder KDF ANS 9.42 (CVL) A4365 Hash Algorithm: SHA-1, SHA2-224, SP 800-135 Rev. SHA2-256, SHA2-384, SHA2-512, 1 SHA2-512/224, SHA2-512/256 zz Length: 8-4096 Increment 8 Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A4365 Hash Algorithm: SHA2-224, SHA2- SP 800-135 Rev. 256, SHA2-384, SHA2-512, SHA2- 1 512/224, SHA2-512/256 Shared Info Length: 0-1024 Increment 8 Key Data Length: 128-4096 © 2024 IBM Corporation/ atsec information security.

Page 16

Algorithm CAVP Cert Properties Reference Increment 8 PBKDF A4365 Iteration Count: 1000-10000 SP 800-132 Increment 1 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 Password Length: 8-128 Increment Salt Length: 128-4096 Increment 8 Key Data Length: 128-4096 Increment 8 RSA KeyGen A4365 Key Generation Mode: FIPS 186-5 (FIPS186-5) probableWithProbableAux Modulo: 2048, 3072, 4096 Private Key Format: standard Public Exponent Mode: random RSA SigGen A4365 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss RSA SigVer A4365 Hash Algorithm: SHA2-224, SHA2- FIPS 186-4 (FIPS186-4) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 1024 Signature Type: pkcs1v1.5, pss RSA SigVer A4365 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss SHA-1 A4365 - FIPS 180-4 SHA2-224 A4365 - FIPS 180-4 SHA2-256 A4365 - FIPS 180-4 SHA2-384 A4365 - FIPS 180-4 SHA2-512 A4365 - FIPS 180-4 SHA2-512/224 A4365 - FIPS 180-4 SHA2-512/256 A4365 - FIPS 180-4 TLS v1.2 KDF A4365 Hash Algorithm: SHA2-256, SHA2- SP 800-135 Rev. RFC7627 (CVL) 384, SHA2-512 1 Key Block Length: 1024 ECDSA KeyGen A4366 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode: testing candidates ECDSA KeyVer A4366 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4366 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 ECDSA SigVer A4366 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2© 2024 IBM Corporation/ atsec information security.

Page 17

Algorithm CAVP Cert Properties Reference 512/224, SHA2-512/256 HMAC-SHA-1 A4366 MAC: 160 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4366 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4366 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4366 MAC: 384 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4366 MAC: 512 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/224 A4366 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/256 A4366 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 KAS-ECC-SSC Sp800- A4366 P-224, P-256, P-384, P-521 SP 800-56A 56Ar3 Scheme: ephemeralUnified Rev. 3 KAS Role: initiator, responder KDF ANS 9.42 (CVL) A4366 Hash Algorithm: SHA-1, SHA2-224, SP 800-135 Rev. SHA2-256, SHA2-384, SHA2-512, 1 SHA2-512/224, SHA2-512/256 zz Length: 8-4096 Increment 8 Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A4366 Hash Algorithm: SHA2-224, SHA2- SP 800-135 Rev. 256, SHA2-384, SHA2-512, SHA2- 1 512/224, SHA2-512/256 Shared Info Length: 0-1024 Increment 8 Key Data Length: 128-4096 Increment 8 PBKDF A4366 Iteration Count: 1000-10000 SP 800-132 Increment 1 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 Password Length: 8-128 Increment Salt Length: 128-4096 Increment 8 Key Data Length: 128-4096 Increment 8 RSA KeyGen A4366 Key Generation Mode: FIPS 186-5 (FIPS186-5) probableWithProbableAux Modulo: 2048, 3072, 4096 Private Key Format: standard Public Exponent Mode: random © 2024 IBM Corporation/ atsec information security.

Page 18

Algorithm CAVP Cert Properties Reference RSA SigGen A4366 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss RSA SigVer A4366 Hash Algorithm: SHA2-224, SHA2- FIPS 186-4 (FIPS186-4) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 1024 Signature Type: pkcs1v1.5, pss RSA SigVer A4366 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss SHA-1 A4366 - FIPS 180-4 SHA2-224 A4366 - FIPS 180-4 SHA2-256 A4366 - FIPS 180-4 SHA2-384 A4366 - FIPS 180-4 SHA2-512 A4366 - FIPS 180-4 SHA2-512/224 A4366 - FIPS 180-4 SHA2-512/256 A4366 - FIPS 180-4 TLS v1.2 KDF A4366 Hash Algorithm: SHA2-256, SHA2- SP 800-135 Rev. RFC7627 (CVL) 384, SHA2-512 1 Key Block Length: 1024 ECDSA KeyGen A4367 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode: testing candidates ECDSA KeyVer A4367 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4367 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 ECDSA SigVer A4367 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 HMAC-SHA-1 A4367 MAC: 160 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4367 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4367 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4367 MAC: 384 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4367 MAC: 512 FIPS 198-1 Key Length: 112-524288 Increment 8 © 2024 IBM Corporation/ atsec information security.

Page 19

Algorithm CAVP Cert Properties Reference HMAC-SHA2-512/224 A4367 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/256 A4367 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 KAS-ECC-SSC Sp800- A4367 P-224, P-256, P-384, P-521 SP 800-56A 56Ar3 Scheme: ephemeralUnified Rev. 3 KAS Role: initiator, responder KDF ANS 9.42 (CVL) A4367 Hash Algorithm: SHA-1, SHA2-224, SP 800-135 Rev. SHA2-256, SHA2-384, SHA2-512, 1 SHA2-512/224, SHA2-512/256 zz Length: 8-4096 Increment 8 Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A4367 Hash Algorithm: SHA2-224, SHA2- SP 800-135 Rev. 256, SHA2-384, SHA2-512, SHA2- 1 512/224, SHA2-512/256 Shared Info Length: 0-1024 Increment 8 Key Data Length: 128-4096 Increment 8 PBKDF A4367 Iteration Count: 1000-10000 SP 800-132 Increment 1 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 Password Length: 8-128 Increment Salt Length: 128-4096 Increment 8 Key Data Length: 128-4096 Increment 8 RSA KeyGen A4367 Key Generation Mode: FIPS 186-5 (FIPS186-5) probableWithProbableAux Modulo: 2048, 3072, 4096 Private Key Format: standard Public Exponent Mode: random RSA SigGen A4367 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss RSA SigVer A4367 Hash Algorithm: SHA2-224, SHA2- FIPS 186-4 (FIPS186-4) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 1024 Signature Type: pkcs1v1.5, pss RSA SigVer A4367 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss SHA-1 A4367 - FIPS 180-4 © 2024 IBM Corporation/ atsec information security.

Page 20

Algorithm CAVP Cert Properties Reference SHA2-224 A4367 - FIPS 180-4 SHA2-256 A4367 - FIPS 180-4 SHA2-384 A4367 - FIPS 180-4 SHA2-512 A4367 - FIPS 180-4 SHA2-512/224 A4367 - FIPS 180-4 SHA2-512/256 A4367 - FIPS 180-4 TLS v1.2 KDF A4367 Hash Algorithm: SHA2-256, SHA2- SP 800-135 Rev. RFC7627 (CVL) 384, SHA2-512 1 Key Block Length: 1024 ECDSA KeyGen A4368 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode: testing candidates ECDSA KeyVer A4368 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4368 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 ECDSA SigVer A4368 Curve: P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 HMAC-SHA-1 A4368 MAC: 160 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4368 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4368 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4368 MAC: 384 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4368 MAC: 512 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/224 A4368 MAC: 224 FIPS 198-1 Key Length: 112-524288 Increment 8 HMAC-SHA2-512/256 A4368 MAC: 256 FIPS 198-1 Key Length: 112-524288 Increment 8 KAS-ECC-SSC Sp800- A4368 P-224, P-256, P-384, P-521 SP 800-56A 56Ar3 Scheme: ephemeralUnified Rev. 3 KAS Role: initiator, responder KDF ANS 9.42 (CVL) A4368 Hash Algorithm: SHA-1, SHA2-224, SP 800-135 Rev. SHA2-256, SHA2-384, SHA2-512, 1 SHA2-512/224, SHA2-512/256 zz Length: 8-4096 Increment 8 Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A4368 Hash Algorithm: SHA2-224, SHA2- SP 800-135 Rev. © 2024 IBM Corporation/ atsec information security.

Page 21

Algorithm CAVP Cert Properties Reference 256, SHA2-384, SHA2-512, SHA2- 1 512/224, SHA2-512/256 Shared Info Length: 0-1024 Increment 8 Key Data Length: 128-4096 Increment 8 PBKDF A4368 Iteration Count: 1000-10000 SP 800-132 Increment 1 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 Password Length: 8-128 Increment Salt Length: 128-4096 Increment 8 Key Data Length: 128-4096 Increment 8 RSA KeyGen A4368 Key Generation Mode: FIPS 186-5 (FIPS186-5) probableWithProbableAux Modulo: 2048, 3072, 4096 Private Key Format: standard Public Exponent Mode: random RSA SigGen A4368 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss RSA SigVer A4368 Hash Algorithm: SHA2-224, SHA2- FIPS 186-4 (FIPS186-4) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 1024 Signature Type: pkcs1v1.5, pss RSA SigVer A4368 Hash Algorithm: SHA2-224, SHA2- FIPS 186-5 (FIPS186-5) 256, SHA2-384, SHA2-512, SHA2512/224, SHA2-512/256 Modulo: 2048, 3072, 4096 Signature Type: pkcs1v1.5, pss SHA-1 A4368 - FIPS 180-4 SHA2-224 A4368 - FIPS 180-4 SHA2-256 A4368 - FIPS 180-4 SHA2-384 A4368 - FIPS 180-4 SHA2-512 A4368 - FIPS 180-4 SHA2-512/224 A4368 - FIPS 180-4 SHA2-512/256 A4368 - FIPS 180-4 TLS v1.2 KDF A4368 Hash Algorithm: SHA2-256, SHA2- SP 800-135 Rev. RFC7627 (CVL) 384, SHA2-512 1 Key Block Length: 1024 KDF SSH (CVL) A4370 Hash Algorithm: SHA-1, SHA2-256, SP 800-135 Rev. SHA2-384, SHA2-512 1 AES-GCM A4371 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, © 2024 IBM Corporation/ atsec information security.

Page 22

Algorithm CAVP Cert Properties Reference 120, 128 IV Length: 96, 128 AES-GMAC A4371 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 AES-GCM A4372 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4372 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 AES-GCM A4373 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4373 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 AES-GCM A4374 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4374 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 AES-GCM A4375 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 © 2024 IBM Corporation/ atsec information security.

Page 23

Algorithm CAVP Cert Properties Reference IV Length: 96, 128 AES-GMAC A4375 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 AES-GCM A4376 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External, Internal IV Generation Mode: 8.2.2 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96, 128 AES-GMAC A4376 Direction: Decrypt, Encrypt SP 800-38D IV Generation: External Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96 KDF SSH (CVL) A4377 Hash Algorithm: SHA-1, SHA2-256, SP 800-135 Rev. SHA2-384, SHA2-512 1 KDF SSH (CVL) A4378 Hash Algorithm: SHA-1, SHA2-256, SP 800-135 Rev. SHA2-384, SHA2-512 1 KDF SSH (CVL) A4379 Hash Algorithm: SHA-1, SHA2-256, SP 800-135 Rev. SHA2-384, SHA2-512 1 KDF SSH (CVL) A4380 Hash Algorithm: SHA-1, SHA2-256, SP 800-135 Rev. SHA2-384, SHA2-512 1 KDF SP800-108 A4381 KDF Mode: Counter, Feedback SP 800-108 Rev. MAC Mode: HMAC-SHA-1, HMAC- 1 SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMACSHA2-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, CMAC-AES128, CMAC-AES192, CMAC-AES256 Supported Lengths: 8, 72, 128, 776, 3456, 4096 Fixed Data Order: Before Fixed Data Counter Length: 32 KDA OneStep SP800- A4382 Auxiliary Function: SHA-1, SHA2- SP 800-56C 56Cr2 224, SHA2-256, SHA2-384, SHA2- Rev. 2 512, SHA2-512/224, SHA2512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, HMACSHA-1, HMAC-SHA2-224, HMACSHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 © 2024 IBM Corporation/ atsec information security.

Page 24

Algorithm CAVP Cert Properties Reference Derived Key Length: 2048 Shared Secret Length: 224-2048 Increment 8 KDA TwoStep SP800- A4382 KDF Mode: feedback SP 800-56C 56Cr2 MAC Modes: HMAC-SHA-1, HMAC- Rev. 2 SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMACSHA2-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384 Derived Key Length: 2048 Shared Secret Length: 224-2048 Increment 8 KAS-FFC-SSC Sp800- A4383 ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A 56Ar3 ffdhe6144, ffdhe8192, Rev. 3 MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme: dhEphem KAS Role: initiator, responder Safe Primes Key A4383 ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Generation ffdhe6144, ffdhe8192, Rev. 3 MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Safe Primes Key A4383 ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Verification ffdhe6144, ffdhe8192, Rev. 3 MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key N/A SP 800-133r2, Section 4, example 1 Type:Asymmetric Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES GCM (external IV) Encryption HMAC (< 112-bit keys) Message authentication © 2024 IBM Corporation/ atsec information security.

Page 25

Name Use and Function KBKDF, KDA OneStep, KDA TwoStep, HKDF, ANS X9.42 Key derivation KDF, ANS X9.63 KDF (< 112-bit input or output keys) KDA OneStep, KDA TwoStep (SHAKE128, SHAKE256) Key derivation ANS X9.42 KDF (SHAKE128, SHAKE256) Key derivation ANS X9.63 KDF (SHA-1, SHAKE128, SHAKE256) Key derivation SSH KDF (SHA-512/224, SHA-512/256, SHA-3, SHAKE128, Key derivation SHAKE256) TLS 1.2 KDF (SHA-1, SHA-224, SHA-512/224, Key derivation SHA-512/256, SHA-3) TLS 1.3 KDF (SHA-1, SHA-224, SHA-512, SHA-512/224, Key derivation SHA-512/256, SHA-3) PBKDF2 (short password; short salt; insufficient iterations; Password-based key < 112-bit output keys) derivation KAS-IFC-SSC (KAS1 and KAS2 schemes) Shared secret computation RSA and ECDSA (pre-hashed message) Signature generation; Signature verification RSA-PSS (invalid salt length) Signature generation; Signature verification RSA-OAEP Asymmetric encryption; Asymmetric decryption Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithm s Random number DRBG Random number Counter generation generation DRBG HMAC DRBG Hash DRBG AES-ECB AES-ECB AES-ECB HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 © 2024 IBM Corporation/ atsec information security.

Page 26

Name Type Description Properties Algorithm s HMACSHA2-224 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/256 HMACSHA2512/256 © 2024 IBM Corporation/ atsec information security.

Page 27

Name Type Description Properties Algorithm s HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA3-224 HMACSHA3-256 HMACSHA3-384 HMACSHA3-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2© 2024 IBM Corporation/ atsec information security.

Page 28

Name Type Description Properties Algorithm s 512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Encryption/ BC-UnAuth Encryption/ AES-CBC Decryption BC-Auth Decryption AES-CBC KTS-Wrap AES-CBC AES-CBCCS1 AES-CBCCS1 AES-CBCCS1 AES-CBCCS2 AES-CBCCS2 AES-CBCCS2 AES-CBCCS3 AES-CBCCS3 AES-CBCCS3 AES-CCM AES-CCM AES-CCM AES-CFB1 AES-CFB1 AES-CFB1 AESCFB128 AESCFB128 AESCFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR AES-CTR AES-CTR AES-ECB © 2024 IBM Corporation/ atsec information security.

Page 29

Name Type Description Properties Algorithm s AES-ECB AES-ECB AES-KW AES-KW AES-KW AES-KWP AES-KWP AES-KWP AES-OFB AES-OFB AES-OFB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Message MAC Message AES-CMAC authentication authentication AES-CMAC AES-CMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMAC© 2024 IBM Corporation/ atsec information security.

Page 30

Name Type Description Properties Algorithm s SHA-1 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 © 2024 IBM Corporation/ atsec information security.

Page 31

Name Type Description Properties Algorithm s HMACSHA2512/224 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA3-224 HMACSHA3-256 HMACSHA3-384 HMACSHA3-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2512/224 © 2024 IBM Corporation/ atsec information security.

Page 32

Name Type Description Properties Algorithm s SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Signature generation DigSig- Signature generation ECDSA SigGen SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) SHA2-224 © 2024 IBM Corporation/ atsec information security.

Page 33

Name Type Description Properties Algorithm s SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Signature verification DigSig- Signature verification ECDSA SigVer SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA © 2024 IBM Corporation/ atsec information security.

Page 34

Name Type Description Properties Algorithm s SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-5) SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 © 2024 IBM Corporation/ atsec information security.

Page 35

Name Type Description Properties Algorithm s SHA2-512 SHA2-512 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Shared secret KAS-SSC Shared secret KAS-ECC-SSC KAS-ECCcomputation computation Strength:112 SSC Sp800-256 bits 56Ar3 KAS-ECC-FFC KAS-ECCStrength:112 SSC Sp800-200 bits 56Ar3 KAS-ECCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Key derivation KAS-135KDF Key derivation KDF ANS KAS-56CKDF 9.42 KBKDF KDF ANS 9.42 KDF ANS 9.42 KDF ANS 9.42 KDF ANS © 2024 IBM Corporation/ atsec information security.

Page 36

Name Type Description Properties Algorithm s 9.42 KDF ANS 9.42 KDF ANS 9.63 KDF ANS 9.63 KDF ANS 9.63 KDF ANS 9.63 KDF ANS 9.63 KDF ANS 9.63 TLS v1.2 KDF RFC7627 TLS v1.2 KDF RFC7627 TLS v1.2 KDF RFC7627 TLS v1.2 KDF RFC7627 TLS v1.2 KDF RFC7627 KDF SSH KDF SSH KDF SSH KDF SSH KDF SSH KDF SP800KDA OneStep SP80056Cr2 KDA TwoStep SP80056Cr2 KDA HKDF Sp80056Cr1 TLS v1.3 KDF AES-CMAC AES-CMAC AES-CMAC © 2024 IBM Corporation/ atsec information security.

Page 37

Name Type Description Properties Algorithm s HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2512/224 © 2024 IBM Corporation/ atsec information security.

Page 38

Name Type Description Properties Algorithm s HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA3-224 HMACSHA3-256 HMACSHA3-384 HMACSHA3-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 © 2024 IBM Corporation/ atsec information security.

Page 39

Name Type Description Properties Algorithm s SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Password-based key PBKDF Password-based key PBKDF derivation derivation PBKDF PBKDF PBKDF PBKDF PBKDF HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA-1 HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 © 2024 IBM Corporation/ atsec information security.

Page 40

Name Type Description Properties Algorithm s HMACSHA2-224 HMACSHA2-224 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-384 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/224 HMACSHA2512/256 HMAC© 2024 IBM Corporation/ atsec information security.

Page 41

Name Type Description Properties Algorithm s SHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA2512/256 HMACSHA3-224 HMACSHA3-256 HMACSHA3-384 HMACSHA3-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2© 2024 IBM Corporation/ atsec information security.

Page 42

Name Type Description Properties Algorithm s 512/224 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Key pair generation AsymKeyPair Key pair generation ECDSA -KeyGen KeyGen AsymKeyPair (FIPS186-5) -SafePri ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) Safe Primes Key Generation Key pair verification AsymKeyPair Key pair verification ECDSA -KeyVer KeyVer AsymKeyPair (FIPS186-5) -SafePri ECDSA KeyVer © 2024 IBM Corporation/ atsec information security.

Page 43

Name Type Description Properties Algorithm s (FIPS186-5) ECDSA KeyVer (FIPS186-5) ECDSA KeyVer (FIPS186-5) ECDSA KeyVer (FIPS186-5) Safe Primes Key Verification Message digest SHA Message digest SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/224 SHA2512/256 SHA2512/256 SHA2© 2024 IBM Corporation/ atsec information security.

Page 44

Name Type Description Properties Algorithm s 512/256 SHA2512/256 SHA2512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 XOF XOF XOF SHAKE-128 SHAKE-256 Table 8: Security Function Implementations

2.7 Algorithm Specific Information

AES-GCM: For TLS 1.2, the module offers the AES-GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. OpenSSL 3 is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES-GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary, compliant to Scenario 2 of FIPS 140-3 IG C.H. The module also provides a non-approved AES-GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL iv value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3. Finally, for TLS 1.3, the AES-GCM implementation uses the context of Scenario 5 of FIPS 140-

3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of

August 2018, using the cipher-suites that explicitly select AES-GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES-GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS

1.3 connection and each time when the AES-GCM key is changed. After reading or writing a

record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection. AES-XTS: The length of a single data unit encrypted or decrypted with AES-XTS shall not exceed 2 20 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. © 2024 IBM Corporation/ atsec information security.

Page 45

The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. PBKDF2: The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:  Derived keys shall only be used in storage applications. The MK shall not be used for other purposes. The length of the MK or DPK shall be 112 bits or more.  Passwords or passphrases, used as an input for the PBKDF2, shall not be used as cryptographic keys.  The length of the password or passphrase shall be at least 8 characters, and shall consist of lowercase, uppercase, and numeric characters. The probability of guessing the value is estimated to be at most 1/628 = 4 x 10-15. Combined with the minimum iteration count as described below, this provides an acceptable trade-off between user experience and security against brute-force attacks.  A portion of the salt, with a length of at least 128 bits, shall be generated randomly using the SP 800-90Ar1 DRBG provided by the module.  The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. The minimum value is 1000. If any of these requirements is not met, the requested service is non-approved. RSA: For RSA key pair generation, signature generation, and signature verification, the module supports any modulus size between 2048 and 16384 bits. Additionally, the module supports a modulus size of 1024 bits for RSA signature verification. Only modulus sizes 1024, 2048, 3072, and 4096 bits have been CAVP tested. Any other modulus size is untested. SP 800-56Ar3 assurances: To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that implements the TLS protocol. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 80056Ar3. Legacy use: Digital Signature Verification using RSA with a 1024-bit modulus is allowed for legacy use only.

2.8 RBG and Entropy

Cert Vendor Name Number E91 IBM Corporation Table 9: Entropy Certificates © 2024 IBM Corporation/ atsec information security.

Page 46

Name Type Operational Sample Entrop Conditioning Environment Size y per Component Sample Entropy Source Non- IBM DataPower 256 bits 256 bits SHA3-256 (A4294); for the IBM Physical Gateway X3 AES-256 CTR DRBG DataPower FIPS (A4294); AES-256 Provider CTR DRBG (A4356) Table 10: Entropy Sources The module employs two Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1. These DRBGs are used internally by the module (e.g. to generate seeds for asymmetric key pairs and random numbers for security functions). They can also be accessed using the specified API functions. The following parameters are used:

  1. Private DRBG: AES-256 CTR_DRBG with derivation function. This DRBG is used to generate secret random values (e.g. during asymmetric key pair generation). It can be accessed using the RAND_priv_bytes API function.
  2. Public DRBG: AES-256 CTR_DRBG with derivation function. This DRBG is used to generate general purpose random values that do not need to remain secret (e.g. initialization vectors). It can be accessed using the RAND_bytes API function. The DRBGs are seeded with 384 bits of seed material (corresponding to 384 bits of entropy) obtained from an SP 800-90B compliant entropy source. During reseeding, the DRBGs obtain

256 bits of seed material (corresponding to 256 bits of entropy). These DRBGs will always

employ prediction resistance. More information regarding the configuration and design of these DRBGs can be found in the module’s manual pages. The module complies with the Public Use Document for ESV certificate E91 seeding the aforementioned DRBGs using the EVP_RAND_generate function, which corresponds to the GetEntropy() function. The operational environment of the module is identical to the one listed on the ESV certificate. There are no maintenance requirements for the entropy source.

2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 80090Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The following methods are implemented:  Safe primes key pair generation: compliant with SP 800-133r2, Section 5.2, which maps to SP 800-56Ar3. The method described in Section 5.6.1.1.4 of SP 800-56Ar3 (“Testing Candidates”) is used.  RSA key pair generation: compliant with SP 800-133r2, Section 5.1, which maps to FIPS 186-5. The method described in Appendix A.1.6 of FIPS 186-5 (“Probable Primes with Conditions Based on Auxiliary Probable Primes”) is used.  ECDSA key pair generation: compliant with SP 800-133r2, Section 5.1, which maps to FIPS 186-5. The method described in Appendix B.2.2 of FIPS 186-5 (“Rejection Sampling”) is used. Note that this generation method is also used to generate ECDH key pairs. Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service. Additionally, the module implements the following key derivation methods, with a security strength of 112-256 bits:  KBKDF: compliant with SP 800-108r1. This implementation can be used to derive secret keys from a pre-existing key-derivation-key. © 2024 IBM Corporation/ atsec information security.

Page 47

 KDA OneStep, KDA TwoStep, HKDF: compliant with SP 800-56Cr2. These implementations shall only be used to derive secret keys in the context of an SP 80056Ar3 key agreement scheme.  ANS X9.42 KDF, ANS X9.63 KDF: compliant with SP 800-135r1. These implementations shall only be used to derive secret keys in the context of an ANS X9.42-2001 resp. ANS X9.63- 2001 key agreement scheme.  SSH KDF, TLS 1.2 KDF, TLS 1.3 KDF: compliant with SP 800-135r1 and RFC 8446. These implementations shall only be used to derive secret keys in the context of the SSH, TLS 1.2, or TLS 1.3 protocols, respectively.  PBKDF2: compliant with option 1a of SP 800-132. This implementation shall only be used to derive keys for use in storage applications.

2.10 Key Establishment

The module implements SSP agreement and SSP transport methods as listed in the SFI table.

2.11 Industry Protocols

The module implements the SSH key derivation function for use in the SSH protocol (RFC

4253 and RFC 6668).

GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. For Diffie-Hellman, the module supports the use of the following safe primes:  IKE (RFC 3526): MODP-2048 (ID = 14), MODP-3072 (ID = 15), MODP-4096 (ID = 16), MODP-6144 (ID = 17), MODP-8192 (ID = 18)  TLS (RFC 7919): ffdhe2048 (ID = 256), ffdhe3072 (ID = 257), ffdhe4096 (ID = 258), ffdhe6144 (ID = 259), ffdhe8192 (ID = 260) No parts of the SSH, TLS, or IKE protocols, other than those mentioned above, have been tested by the CAVP or CMVP. © 2024 IBM Corporation/ atsec information security.

Page 48
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Port Logical Data That Interface(s) Passes As a software-only module, the module does not have Data Input API input physical ports. Physical Ports are interpreted to be the parameters physical ports of the hardware platform on which it runs. As a software-only module, the module does not have Data Output API output physical ports. Physical Ports are interpreted to be the parameters physical ports of the hardware platform on which it runs. As a software-only module, the module does not have Control Input API function physical ports. Physical Ports are interpreted to be the calls physical ports of the hardware platform on which it runs. As a software-only module, the module does not have Status API return physical ports. Physical Ports are interpreted to be the Output codes, error physical ports of the hardware platform on which it queue runs. Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. © 2024 IBM Corporation/ atsec information security.

Page 49
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descr Indicator Input Outp Security SSP iption s uts Functions Acces s Messag Comp EVP_DigestFinal_ex returns 1 Mess Diges Message Crypto e ute a age t digest Officer digest messa value ge digest XOF Comp EVP_DigestFinalXOF returns 1 Mess Diges XOF Crypto ute age, t Officer the outpu value output t of an lengt XOF h Encrypt Encryp EVP_EncryptFinal_ex returns 1 Plaint Ciphe Encryption/ Crypto ion t a ext, rtext Decryption Officer plainte IV, - AES xt AES key: key W,E Decryp Decry EVP_DecryptFinal_ex returns 1 Ciphe Plaint Encryption/ Crypto tion pt a rtext, ext Decryption Officer cipher IV, - AES text AES key: key W,E Authen Encryp AES GCM: Plaint Ciphe Encryption/ Crypto ticated t a EVP_CIPHER_DATAPOWER_FIPS_ ext, rtext, Decryption Officer encrypt plainte INDICATOR_APPROVED; Others: IV, MAC - AES ion xt EVP_EncryptFinal_ex returns 1 AES tag key: key W,E Authen Decry AES GCM: Ciphe Plaint Encryption/ Crypto ticated pt a EVP_CIPHER_DATAPOWER_FIPS_ rtext, ext or Decryption Officer decrypt cipher INDICATOR_APPROVED; Others: IV, fail - AES ion text EVP_DecryptFinal_ex returns 1 AES key: key, W,E © 2024 IBM Corporation/ atsec information security.

Page 50

Name Descr Indicator Input Outp Security SSP iption s uts Functions Acces s MAC tag Messag Comp HMAC: Mess MAC Message Crypto e ute a EVP_MAC_DATAPOWER_FIPS_IN age, tag authenticati Officer authen MAC DICATOR_APPROVED; Others: key on - AES tication tag EVP_MAC_final returns 1 key: W,E HMAC key: W,E Key Derive EVP_KDF_DATAPOWER_FIPS_IN Key- Deriv Key Crypto derivati a key DICATOR_APPROVED deriv ed derivation Officer on from a ation key - Keykey- key deriva deriva or tion tion share key: key or d W,E a secre shared t, Share secret outpu d t secret: lengt W,E h Derive d key: G,R Passwo Derive EVP_KDF_DATAPOWER_FIPS_IN Pass Deriv Password- Crypto rd- a key DICATOR_APPROVED word, ed based key Officer based from a salt, key derivation key passw iterati Passw derivati ord on ord: on count W,E , outpu Derive t d key: lengt G,R h Rando Gener RAND_bytes, RAND_priv_bytes, Outp Rand Random Crypto m ate RAND_bytes_ex, ut om number Officer numbe rando RAND_priv_bytes_ex returns 1 lengt bytes generation r m h Entrop genera bytes y tion input: W,E,Z DRBG seed: G,E,Z DRBG intern © 2024 IBM Corporation/ atsec information security.

Page 51

Name Descr Indicator Input Outp Security SSP iption s uts Functions Acces s al state (V, Key): G,E DRBG intern al state (V, C): G,E Shared Comp EVP_PKEY_derive returns 1 Owne Shared Crypto secret ute a r secret Officer comput shared privat computatio - DH ation secret e n public key, key: peer W,E public - DH key privat e key: W,E - EC public key: W,E - EC privat e key: W,E Share d secret: G,R Signatu Gener RSA: Mess Signa Signature Crypto re ate a OSSL_DP_FIPSINDICATOR_APPR age, ture generation Officer genera signat OVED and privat - EC tion ure EVP_SIGNATURE_DATAPOWER_F e key privat IPS_INDICATOR_APPROVED; e key: ECDSA: W,E OSSL_DP_FIPSINDICATOR_APPR - RSA OVED privat e key: W,E Signatu Verify RSA: Mess Pass/ Signature Crypto re a OSSL_DP_FIPSINDICATOR_APPR age, fail verification Officer verifica signat OVED and public - EC tion ure EVP_SIGNATURE_DATAPOWER_F key, public IPS_INDICATOR_APPROVED; signa key: ECDSA: ture W,E OSSL_DP_FIPSINDICATOR_APPR - RSA © 2024 IBM Corporation/ atsec information security.

Page 52

Name Descr Indicator Input Outp Security SSP iption s uts Functions Acces s OVED public key: W,E Key Gener EVP_PKEY_generate returns 1 Grou Key Key pair Crypto pair ate a p, pair generation Officer genera key curve - DH tion pair , or public modu key: lus G,R size - DH privat e key: G,R - EC public key: G,R - EC privat e key: G,R - RSA public key: G,R - RSA privat e key: G,R Interm ediate key gener ation value: G,E,Z Key Verify Successful execution and non- Key Pass/ Key pair Crypto pair a key approved indicator is not pair fail verification Officer verifica pair present - DH tion public key: W,E - DH privat e key: W,E - EC public key: W,E - EC © 2024 IBM Corporation/ atsec information security.

Page 53

Name Descr Indicator Input Outp Security SSP iption s uts Functions Acces s privat e key: W,E Show Return None None Modu None Crypto version the le Officer name name and and versio versi n on inform ation Show Return None None Modu None Crypto status the le Officer modul statu e s status Self- Perfor None None Pass/ None Crypto test m the fail Officer CASTs and integri ty test Zeroiza Zeroiz None Any None None Crypto tion e any SSP Officer SSP - AES key: Z HMAC key: Z - Keyderiva tion key: Z Share d secret: Z Passw ord: Z Derive d key: Z DRBG intern al state (V, Key): © 2024 IBM Corporation/ atsec information security.

Page 54

Name Descr Indicator Input Outp Security SSP iption s uts Functions Acces s Z DRBG intern al state (V, C): Z - DH public key: Z - DH privat e key: Z - EC public key: Z - EC privat e key: Z - RSA public key: Z - RSA privat e key: Z Table 13: Approved Services The following convention is used to specify access rights to SSPs:  Generate (G): The module generates or derives the SSP.  Read (R): The SSP is read from the module (e.g. the SSP is output).  Write (W): The SSP is updated, imported, or written to the module.  Execute (E): The module uses the SSP in performing a cryptographic operation.  Zeroize (Z): The module zeroizes the SSP.  N/A: The module does not access any SSP or key during its operation. To interact with the module, a calling application must use the EVP API layer provided by OpenSSL. This layer will delegate the request to the FIPS provider, which will in turn perform the requested service. Additionally, this EVP API layer can be used to retrieve the approved service indicator for the module. The datapower_ossl_query_fipsindicator API function indicates whether an EVP API function is approved. After a cryptographic service was performed by the module, the API context associated with this request can contain a parameter which represents the approved service indicator. The contexts and parameters are listed in the table below. Context Service Indicator EVP_CIPHER_CTX OSSL_CIPHER_PARAM_DATAPOWER_FIPS_INDICATOR EVP_MAC_CTX OSSL_MAC_PARAM_DATAPOWER_FIPS_INDICATOR EVP_KDF_CTX OSSL_KDF_PARAM_DATAPOWER_FIPS_INDICATOR © 2024 IBM Corporation/ atsec information security.

Page 55

EVP_PKEY_CTX OSSL_SIGNATURE_PARAM_DATAPOWER_FIPS_INDICATOR EVP_PKEY_CTX OSSL_ASYM_CIPHER_PARAM_DATAPOWER_FIPS_INDICATOR EVP_PKEY_CTX OSSL_KEM_PARAM_DATAPOWER_FIPS_INDICATOR The details to use these functions and parameters are described in the module’s manual pages.

4.4 Non-Approved Services

Name Description Algorithms Role Encryption Encrypt a plaintext AES GCM (external IV) Crypto Officer Message Compute a MAC tag HMAC (< 112-bit keys) Crypto authentication Officer Key derivation Derive a key from a KBKDF, KDA OneStep, KDA Crypto key-derivation key or a TwoStep, HKDF, ANS X9.42 KDF, Officer shared secret ANS X9.63 KDF (< 112-bit input or output keys) KDA OneStep, KDA TwoStep (SHAKE128, SHAKE256) ANS X9.42 KDF (SHAKE128, SHAKE256) ANS X9.63 KDF (SHA-1, SHAKE128, SHAKE256) SSH KDF (SHA-512/224, SHA-512/256, SHA-3, SHAKE128, SHAKE256) TLS 1.2 KDF (SHA-1, SHA-224, SHA-512/224, SHA-512/256, SHA-3) TLS 1.3 KDF (SHA-1, SHA-224, SHA-512, SHA-512/224, SHA-512/256, SHA-3) Password-based Derive a key from a PBKDF2 (short password; short Crypto key derivation password salt; insufficient iterations; < 112- Officer bit output keys) Shared secret Compute a shared KAS-IFC-SSC (KAS1 and KAS2 Crypto computation secret schemes) Officer Signature Generate a signature RSA and ECDSA (pre-hashed Crypto generation message) Officer RSA-PSS (invalid salt length) Signature Verify a signature RSA and ECDSA (pre-hashed Crypto verification message) Officer RSA-PSS (invalid salt length) Asymmetric Encrypt a plaintext RSA-OAEP Crypto encryption Officer Asymmetric Decrypt a ciphertext RSA-OAEP Crypto decryption Officer Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

© 2024 IBM Corporation/ atsec information security.

Page 56

The module does not load external software or firmware. © 2024 IBM Corporation/ atsec information security.

Page 57
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing a HMAC-SHA2-256 value calculated at run time with the HMAC-SHA2-256 value embedded in the fips.so file that was computed at build time.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by resetting the module, or by calling the OSSL_PROVIDER_self_test API function. This will perform (among others) the software integrity test. © 2024 IBM Corporation/ atsec information security.

Page 58
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: Any SSPs contained within the module are protected by the process isolation and memory separation mechanisms provided by the Linux kernel, and only the module has control over these SSPs.

6.2 Configuration Settings and Restrictions

Instrumentation tools like the ptrace system call, gdb and strace, user space live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2024 IBM Corporation/ atsec information security.

Page 59
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2024 IBM Corporation/ atsec information security.

Page 60
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2024 IBM Corporation/ atsec information security.

Page 61
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution Table 15: Storage Areas SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorithm API input Operator RAM Plaintext Manual Electronic parameters calling application (TOEPP) API output RAM Operator Plaintext Manual Electronic parameters calling application (TOEPP) Table 16: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Free cipher Zeroizes the SSPs Memory occupied by SSPs is By calling the handle contained within overwritten with zeroes and then it appropriate the cipher handle is released, which renders the SSP zeroization API values irretrievable. The functions completion of the zeroization routine indicates that the zeroization procedure succeeded. Automatic Automatically Memory occupied by SSPs is N/A zeroized by the overwritten with zeroes, which module when no renders the SSP values longer needed irretrievable Module reset De-allocates the Volatile memory used by the By unloading volatile memory module is overwritten within the module used to store SSPs nanoseconds when the module is unloaded Table 17: SSP Zeroization Methods © 2024 IBM Corporation/ atsec information security.

Page 62

All data output is inhibited during zeroization.

9.4 SSPs

Name Descripti Size - Type - Generat Establish Used By on Strength Categor ed By ed By y AES key AES key XTS: 256, Symmetri Encryption/ used for 512 bits; c key - Decryption encryptio Other CSP Message n, modes: authentication decryptio 128, 192, n, and 256 bits computin XTS: 128, g MAC 256 bits; tags Other modes: 128, 192,

256 bits

HMAC HMAC 112- Symmetri Message key key used 524288 c key - authentication computin bits - 112- CSP g MAC 256 bits tags Key- Key- 112-4096 Symmetri Key derivation derivation derivation bits - 112- c key key key used 256 bits CSP for: Key derivation Shared Shared 224-8192 Shared Shared Key derivation secret secret bits - 112- secret - secret generate 256 bits CSP computati d by (EC) on DiffieHellman Password Password 8-128 Password Password-based used to characters - CSP key derivation derive - N/A symmetri c keys Derived Symmetri 8-4096 Symmetri Key key c key bits - 112- c key - derivatio derived 256 bits CSP n from a Passwor key- d-based derivation key key, derivatio shared n secret, or password Entropy Entropy 128-384 Entropy Random input input bits - 128- input - number used to 384 bits CSP generati seed the on © 2024 IBM Corporation/ atsec information security.

Page 63

Name Descripti Size - Type - Generat Establish Used By on Strength Categor ed By ed By y DRBG DRBG DRBG CTR_DRB Seed - Random Random number seed seed G: 256, CSP number generation derived 320, 348 generati from bits; on entropy Hash_DRB input G: 440,

888 bits;

HMAC_DR BG: 160, 256, 512 bits CTR_DRB G: 128, 192, 256 bits; Hash_DRB G: 128,

256 bits;
256 bits

DRBG Internal CTR_DRB Internal Random Random number internal state of G: 256, state - number generation state (V, CTR_DRB 320, 348 CSP generati Key) G and bits on HMAC_DR HMAC_DR BG BG: 320, instances 512, 1024 bits CTR_DRB G: 128, 192, 256 bits; HMAC_DR BG: 128,

256 bits

DRBG Internal Hash_DRB Internal Random Random number internal state of G: 880, state - number generation state (V, Hash_DR 1776 bits CSP generati C) BG - on instances Hash_DRB G: 128,

256 bits

DH public Public key 2048- Public key Key pair Shared secret key used for 8192 bits - PSP generati computation Diffie- - 112-200 on Key pair Hellman bits verification DH Private 2048- Private Key pair Shared secret private key used 8192 bits key - CSP generati computation key for Diffie- - 112-200 on Key pair © 2024 IBM Corporation/ atsec information security.

Page 64

Name Descripti Size - Type - Generat Establish Used By on Strength Categor ed By ed By y Hellman bits verification EC public Public key P-224, Public key Key pair Signature key used for P-256, - PSP generati verification ECDH and P-384, on Shared secret ECDSA P-521 - computation 112-256 Key pair bits verification EC Private P-224, Private Key pair Signature private key used P-256, key - CSP generati generation key for ECDH P-384, on Shared secret and P-521 - computation ECDSA 112-256 Key pair bits verification RSA Public key Signature Public key Key pair Signature public used for: verificatio - PSP generati verification key Signature n: 1024 on verificatio and 2048n, Key 16384 pair bits; Key generatio pair n; generatio Related n: 2048keys: RSA 16384 private bits key Signature verificatio n: 80 and 112-256 bits; Key pair generatio n: 112-

256 bits

RSA Private 2048- Private Key pair Signature private key used 16384 key - CSP generati generation key RSA bits - 112- on signature 256 bits verificatio n Intermedi Temporar 2048- Intermedi Key pair Key pair ate key y value 16384 ate value generati generation generatio generate bits - 112- - CSP on n value d during 256 bits key pair generatio n services Table 18: SSP Table 1 © 2024 IBM Corporation/ atsec information security.

Page 65

Name Input - Storage Storage Zeroizatio Related SSPs Output Duration n AES key API input RAM:Plaintex Until the Free cipher parameter t cipher handle s handle is Module freed reset HMAC key API input RAM:Plaintex Until the Free cipher parameter t cipher handle s handle is Module freed reset Key- API input RAM:Plaintex Until the Free cipher derivation parameter t cipher handle key s handle is Module freed reset Shared API input RAM:Plaintex Until the Free cipher secret parameter t cipher handle s handle is Module API output freed reset parameter s Password API input RAM:Plaintex Until the Free cipher parameter t cipher handle s handle is Module freed reset Derived key API output RAM:Plaintex Until the Free cipher Key-derivation parameter t cipher handle key:Derived s handle is Module From freed reset Shared secret:Derived From Password:Derive d From Entropy RAM:Plaintex From Automatic input t generation Module until DRBG reset seed is created DRBG seed RAM:Plaintex While the Automatic Entropy t DRBG is Module input:Derived being reset From instantiate d DRBG RAM:Plaintex Until the Free cipher DRBG internal t cipher handle seed:Derived state (V, handle is Module From Key) freed reset DRBG RAM:Plaintex Until the Free cipher DRBG internal t cipher handle seed:Derived state (V, C) handle is Module From freed reset DH public API input RAM:Plaintex Until the Free cipher DH private key parameter t cipher handle key:Paired With s handle is Module © 2024 IBM Corporation/ atsec information security.

Page 66

Name Input - Storage Storage Zeroizatio Related SSPs Output Duration n API output freed reset parameter s DH private API input RAM:Plaintex Until the Free cipher DH public key parameter t cipher handle key:Paired With s handle is Module API output freed reset parameter s EC public API input RAM:Plaintex Until the Free cipher EC private key parameter t cipher handle key:Paired With s handle is Module API output freed reset parameter s EC private API input RAM:Plaintex Until the Free cipher EC public key parameter t cipher handle key:Paired With s handle is Module API output freed reset parameter s RSA public API input RAM:Plaintex Until the Free cipher RSA private key parameter t cipher handle key:Paired With s handle is Module API output freed reset parameter s RSA private API input RAM:Plaintex Until the Free cipher RSA public key parameter t cipher handle key:Paired With s handle is Module API output freed reset parameter s Intermediat RAM:Plaintex From Automatic e key t service generation invocation value to service completion Table 19: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2024 IBM Corporation/ atsec information security.

Page 67
10 Self-Tests

While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed.

10.1 Pre-Operational Self-Tests

Algorith Test Test Method Test Indicator Detail m or Test Propertie Type s s HMAC- 256-bit keyMessage SW/FW OSSL_PROV_PARAM_STATU Used SHA2-256 authenticatio Integrit S is set to 1 for (A4365) n y fips.so Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is initialized, before the module transitions into the operational state. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 24-bit KAT CAST Module Message Test runs at (A4361) message becomes digest power-on operational before the integrity test SHA-1 24-bit KAT CAST Module Message Test runs at (A4365) message becomes digest power-on operational before the integrity test SHA-1 24-bit KAT CAST Module Message Test runs at (A4366) message becomes digest power-on operational before the integrity test SHA-1 24-bit KAT CAST Module Message Test runs at (A4367) message becomes digest power-on operational before the integrity test SHA-1 24-bit KAT CAST Module Message Test runs at (A4368) message becomes digest power-on operational before the integrity test SHA2-512 24-bit KAT CAST Module Message Test runs at (A4361) message becomes digest power-on operational before the integrity test SHA2-512 24-bit KAT CAST Module Message Test runs at (A4365) message becomes digest power-on operational before the © 2024 IBM Corporation/ atsec information security.

Page 68

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type integrity test SHA2-512 24-bit KAT CAST Module Message Test runs at (A4366) message becomes digest power-on operational before the integrity test SHA2-512 24-bit KAT CAST Module Message Test runs at (A4367) message becomes digest power-on operational before the integrity test SHA2-512 24-bit KAT CAST Module Message Test runs at (A4368) message becomes digest power-on operational before the integrity test SHA3-256 32-bit KAT CAST Module Message Test runs at (A4362) message becomes digest power-on operational before the integrity test SHA3-256 32-bit KAT CAST Module Message Test runs at (A4362) message becomes digest power-on operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4360) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4363) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4364) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4371) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4372) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4373) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4374) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4375) with 256-bit becomes operation power-on key operational before the © 2024 IBM Corporation/ atsec information security.

Page 69

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type integrity test AES-GCM Encryption KAT CAST Module Symmetric Test runs at (A4376) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4360) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4363) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4364) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4371) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4372) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4373) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4374) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4375) with 256-bit becomes operation power-on key operational before the integrity test AES-GCM Decryption KAT CAST Module Symmetric Test runs at (A4376) with 256-bit becomes operation power-on key operational before the integrity test AES-ECB Decryption KAT CAST Module Symmetric Test runs at (A4357) with 128-bit becomes operation power-on key operational before the integrity test AES-ECB Decryption KAT CAST Module Symmetric Test runs at (A4358) with 128-bit becomes operation power-on key operational before the integrity test AES-ECB Decryption KAT CAST Module Symmetric Test runs at (A4359) with 128-bit becomes operation power-on key operational before the © 2024 IBM Corporation/ atsec information security.

Page 70

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type integrity test KDF SP800- Counter KAT CAST Module Key Test runs at

108 mode, becomes derivation power-on

(A4381) HMAC-SHA2- operational before the

256 integrity test

KDA SHA2-224 KAT CAST Module Key Test runs at OneStep becomes derivation power-on SP800- operational before the 56Cr2 integrity test (A4382) KDA HKDF SHA2-256 KAT CAST Module Key Test runs at Sp800- becomes derivation power-on 56Cr1 operational before the (A4355) integrity test KDF ANS SHA-1 KAT CAST Module Key Test runs at

9.42 becomes derivation power-on

(A4361) operational before the integrity test KDF ANS SHA-1 KAT CAST Module Key Test runs at

9.42 becomes derivation power-on

(A4362) operational before the integrity test KDF ANS SHA-1 KAT CAST Module Key Test runs at

9.42 becomes derivation power-on

(A4365) operational before the integrity test KDF ANS SHA-1 KAT CAST Module Key Test runs at

9.42 becomes derivation power-on

(A4366) operational before the integrity test KDF ANS SHA-1 KAT CAST Module Key Test runs at

9.42 becomes derivation power-on

(A4367) operational before the integrity test KDF ANS SHA-1 KAT CAST Module Key Test runs at

9.42 becomes derivation power-on

(A4368) operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Key Test runs at

9.63 becomes derivation power-on

(A4361) operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Key Test runs at

9.63 becomes derivation power-on

(A4362) operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Key Test runs at

9.63 becomes derivation power-on

(A4365) operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Key Test runs at

9.63 becomes derivation power-on

© 2024 IBM Corporation/ atsec information security.

Page 71

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type (A4366) operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Key Test runs at

9.63 becomes derivation power-on

(A4367) operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Key Test runs at

9.63 becomes derivation power-on

(A4368) operational before the integrity test KDF SSH SHA-1 KAT CAST Module Key Test runs at (A4370) becomes derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Key Test runs at (A4377) becomes derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Key Test runs at (A4378) becomes derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Key Test runs at (A4379) becomes derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Key Test runs at (A4380) becomes derivation power-on operational before the integrity test TLS v1.2 SHA2-256 KAT CAST Module Key Test runs at KDF becomes derivation power-on RFC7627 operational before the (A4361) integrity test TLS v1.2 SHA2-256 KAT CAST Module Key Test runs at KDF becomes derivation power-on RFC7627 operational before the (A4365) integrity test TLS v1.2 SHA2-256 KAT CAST Module Key Test runs at KDF becomes derivation power-on RFC7627 operational before the (A4366) integrity test TLS v1.2 SHA2-256 KAT CAST Module Key Test runs at KDF becomes derivation power-on RFC7627 operational before the (A4367) integrity test TLS v1.2 SHA2-256 KAT CAST Module Key Test runs at KDF becomes derivation power-on RFC7627 operational before the (A4368) integrity test TLS v1.3 SHA2-256, KAT CAST Module Key Test runs at KDF extract and becomes derivation power-on © 2024 IBM Corporation/ atsec information security.

Page 72

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type (A4355) expand operational before the integrity test PBKDF SHA2-256, KAT CAST Module Password- Test runs at (A4361) 24-character becomes based key power-on password, operational derivation before the 288-bit salt, integrity test iteration count: 4096 PBKDF SHA2-256, KAT CAST Module Password- Test runs at (A4362) 24-character becomes based key power-on password, operational derivation before the 288-bit salt, integrity test iteration count: 4096 PBKDF SHA2-256, KAT CAST Module Password- Test runs at (A4365) 24-character becomes based key power-on password, operational derivation before the 288-bit salt, integrity test iteration count: 4096 PBKDF SHA2-256, KAT CAST Module Password- Test runs at (A4366) 24-character becomes based key power-on password, operational derivation before the 288-bit salt, integrity test iteration count: 4096 PBKDF SHA2-256, KAT CAST Module Password- Test runs at (A4367) 24-character becomes based key power-on password, operational derivation before the 288-bit salt, integrity test iteration count: 4096 PBKDF SHA2-256, KAT CAST Module Password- Test runs at (A4368) 24-character becomes based key power-on password, operational derivation before the 288-bit salt, integrity test iteration count: 4096 Counter AES-128 KAT CAST Module Instantiate, Test runs at DRBG becomes generate, power-on (A4356) operational reseed, before the generate integrity test (compliant with SP 80090Ar1) Hash DRBG SHA2-256 KAT CAST Module Instantiate, Test runs at (A4356) becomes generate, power-on operational reseed, before the generate integrity test (compliant with SP 80090Ar1) © 2024 IBM Corporation/ atsec information security.

Page 73

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC HMAC-SHA2- KAT CAST Module Instantiate, Test runs at DRBG 256 becomes generate, power-on (A4356) operational reseed, before the generate integrity test (compliant with SP 80090Ar1) KAS-FFC- ffdhe2048 KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation power-on 56Ar3 operational before the (A4383) integrity test KAS-ECC- P-256 KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation power-on 56Ar3 operational before the (A4361) integrity test KAS-ECC- P-256 KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation power-on 56Ar3 operational before the (A4365) integrity test KAS-ECC- P-256 KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation power-on 56Ar3 operational before the (A4366) integrity test KAS-ECC- P-256 KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation power-on 56Ar3 operational before the (A4367) integrity test KAS-ECC- P-256 KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation power-on 56Ar3 operational before the (A4368) integrity test RSA SigGen PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4361) key and operational generation before the SHA2-256 integrity test RSA SigGen PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4362) key and operational generation before the SHA2-256 integrity test RSA SigGen PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4365) key and operational generation before the SHA2-256 integrity test RSA SigGen PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4366) key and operational generation before the SHA2-256 integrity test RSA SigGen PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4367) key and operational generation before the SHA2-256 integrity test RSA SigGen PKCS#1 v1.5 KAT CAST Module Digital Test runs at © 2024 IBM Corporation/ atsec information security.

Page 74

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type (FIPS186-5) with 2048 bit becomes signature power-on (A4368) key and operational generation before the SHA2-256 integrity test RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4361) key and operational verification before the SHA2-256 integrity test RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4362) key and operational verification before the SHA2-256 integrity test RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4365) key and operational verification before the SHA2-256 integrity test RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4366) key and operational verification before the SHA2-256 integrity test RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4367) key and operational verification before the SHA2-256 integrity test RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A4368) key and operational verification before the SHA2-256 integrity test ECDSA P-224, KAT CAST Module Digital Test runs at SigGen P-256, becomes signature power-on (FIPS186-5) P-384, and operational generation before the (A4361) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigGen P-256, becomes signature power-on (FIPS186-5) P-384, and operational generation before the (A4362) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigGen P-256, becomes signature power-on (FIPS186-5) P-384, and operational generation before the (A4365) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigGen P-256, becomes signature power-on (FIPS186-5) P-384, and operational generation before the (A4366) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigGen P-256, becomes signature power-on (FIPS186-5) P-384, and operational generation before the (A4367) P-521 with integrity test SHA2-256 © 2024 IBM Corporation/ atsec information security.

Page 75

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type ECDSA P-224, KAT CAST Module Digital Test runs at SigGen P-256, becomes signature power-on (FIPS186-5) P-384, and operational generation before the (A4368) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigVer P-256, becomes signature power-on (FIPS186-5) P-384, and operational verification before the (A4361) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigVer P-256, becomes signature power-on (FIPS186-5) P-384, and operational verification before the (A4362) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigVer P-256, becomes signature power-on (FIPS186-5) P-384, and operational verification before the (A4365) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigVer P-256, becomes signature power-on (FIPS186-5) P-384, and operational verification before the (A4366) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigVer P-256, becomes signature power-on (FIPS186-5) P-384, and operational verification before the (A4367) P-521 with integrity test SHA2-256 ECDSA P-224, KAT CAST Module Digital Test runs at SigVer P-256, becomes signature power-on (FIPS186-5) P-384, and operational verification before the (A4368) P-521 with integrity test SHA2-256 Safe Primes N/A PCT PCT Successful SP 800-56Ar3 Key pair Key key pair Section generation Generation generation 5.6.2.1.4 (A4383) ECDSA SHA2-256 PCT PCT Successful Signature Key pair KeyGen key pair generation & generation (FIPS186-5) generation verification (A4361) ECDSA SHA2-256 PCT PCT Successful Signature Key pair KeyGen key pair generation & generation (FIPS186-5) generation verification (A4365) ECDSA SHA2-256 PCT PCT Successful Signature Key pair KeyGen key pair generation & generation (FIPS186-5) generation verification (A4366) ECDSA SHA2-256 PCT PCT Successful Signature Key pair © 2024 IBM Corporation/ atsec information security.

Page 76

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type KeyGen key pair generation & generation (FIPS186-5) generation verification (A4367) ECDSA SHA2-256 PCT PCT Successful Signature Key pair KeyGen key pair generation & generation (FIPS186-5) generation verification (A4368) RSA PKCS#1 v1.5 PCT PCT Successful Signature Key pair KeyGen with SHA2- key pair generation & generation (FIPS186-5) 256 generation verification (A4361) RSA PKCS#1 v1.5 PCT PCT Successful Signature Key pair KeyGen with SHA2- key pair generation & generation (FIPS186-5) 256 generation verification (A4365) RSA PKCS#1 v1.5 PCT PCT Successful Signature Key pair KeyGen with SHA2- key pair generation & generation (FIPS186-5) 256 generation verification (A4366) RSA PKCS#1 v1.5 PCT PCT Successful Signature Key pair KeyGen with SHA2- key pair generation & generation (FIPS186-5) 256 generation verification (A4367) RSA PKCS#1 v1.5 PCT PCT Successful Signature Key pair KeyGen with SHA2- key pair generation & generation (FIPS186-5) 256 generation verification (A4368) Table 21: Conditional Self-Tests Upon generation of a DH, RSA or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in the table above, which provides some assurance that the generated key pair is well formed. For DH key pairs, this tests consists of the PCT described in Section 5.6.2.1.4 of SP 800-56Ar3. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually

256 (A4365) authentication

Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A4361) KAT CAST On demand Manually SHA-1 (A4365) KAT CAST On demand Manually SHA-1 (A4366) KAT CAST On demand Manually SHA-1 (A4367) KAT CAST On demand Manually SHA-1 (A4368) KAT CAST On demand Manually © 2024 IBM Corporation/ atsec information security.

Page 77

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-512 KAT CAST On demand Manually (A4361) SHA2-512 KAT CAST On demand Manually (A4365) SHA2-512 KAT CAST On demand Manually (A4366) SHA2-512 KAT CAST On demand Manually (A4367) SHA2-512 KAT CAST On demand Manually (A4368) SHA3-256 KAT CAST On demand Manually (A4362) SHA3-256 KAT CAST On demand Manually (A4362) AES-GCM KAT CAST On demand Manually (A4360) AES-GCM KAT CAST On demand Manually (A4363) AES-GCM KAT CAST On demand Manually (A4364) AES-GCM KAT CAST On demand Manually (A4371) AES-GCM KAT CAST On demand Manually (A4372) AES-GCM KAT CAST On demand Manually (A4373) AES-GCM KAT CAST On demand Manually (A4374) AES-GCM KAT CAST On demand Manually (A4375) AES-GCM KAT CAST On demand Manually (A4376) AES-GCM KAT CAST On demand Manually (A4360) AES-GCM KAT CAST On demand Manually (A4363) AES-GCM KAT CAST On demand Manually (A4364) AES-GCM KAT CAST On demand Manually (A4371) AES-GCM KAT CAST On demand Manually (A4372) AES-GCM KAT CAST On demand Manually (A4373) AES-GCM KAT CAST On demand Manually (A4374) AES-GCM KAT CAST On demand Manually (A4375) AES-GCM KAT CAST On demand Manually (A4376) AES-ECB KAT CAST On demand Manually (A4357) © 2024 IBM Corporation/ atsec information security.

Page 78

Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On demand Manually (A4358) AES-ECB KAT CAST On demand Manually (A4359) KDF SP800-108 KAT CAST On demand Manually (A4381) KDA OneStep KAT CAST On demand Manually SP800-56Cr2 (A4382) KDA HKDF KAT CAST On demand Manually Sp800-56Cr1 (A4355) KDF ANS 9.42 KAT CAST On demand Manually (A4361) KDF ANS 9.42 KAT CAST On demand Manually (A4362) KDF ANS 9.42 KAT CAST On demand Manually (A4365) KDF ANS 9.42 KAT CAST On demand Manually (A4366) KDF ANS 9.42 KAT CAST On demand Manually (A4367) KDF ANS 9.42 KAT CAST On demand Manually (A4368) KDF ANS 9.63 KAT CAST On demand Manually (A4361) KDF ANS 9.63 KAT CAST On demand Manually (A4362) KDF ANS 9.63 KAT CAST On demand Manually (A4365) KDF ANS 9.63 KAT CAST On demand Manually (A4366) KDF ANS 9.63 KAT CAST On demand Manually (A4367) KDF ANS 9.63 KAT CAST On demand Manually (A4368) KDF SSH KAT CAST On demand Manually (A4370) KDF SSH KAT CAST On demand Manually (A4377) KDF SSH KAT CAST On demand Manually (A4378) KDF SSH KAT CAST On demand Manually (A4379) KDF SSH KAT CAST On demand Manually (A4380) TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A4361) TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A4365) © 2024 IBM Corporation/ atsec information security.

Page 79

Algorithm or Test Method Test Type Period Periodic Test Method TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A4366) TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A4367) TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A4368) TLS v1.3 KDF KAT CAST On demand Manually (A4355) PBKDF (A4361) KAT CAST On demand Manually PBKDF (A4362) KAT CAST On demand Manually PBKDF (A4365) KAT CAST On demand Manually PBKDF (A4366) KAT CAST On demand Manually PBKDF (A4367) KAT CAST On demand Manually PBKDF (A4368) KAT CAST On demand Manually Counter DRBG KAT CAST On demand Manually (A4356) Hash DRBG KAT CAST On demand Manually (A4356) HMAC DRBG KAT CAST On demand Manually (A4356) KAS-FFC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A4383) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A4361) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A4365) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A4366) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A4367) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A4368) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4361) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4362) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4365) RSA SigGen KAT CAST On demand Manually (FIPS186-5) © 2024 IBM Corporation/ atsec information security.

Page 80

Algorithm or Test Method Test Type Period Periodic Test Method (A4366) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4367) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4368) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4361) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4362) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4365) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4366) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4367) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4368) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4361) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4362) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4365) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4366) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4367) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A4368) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4361) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4362) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4365) © 2024 IBM Corporation/ atsec information security.

Page 81

Algorithm or Test Method Test Type Period Periodic Test Method ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4366) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4367) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A4368) Safe Primes Key PCT PCT On demand Manually Generation (A4383) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4361) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4365) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4366) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4367) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4368) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4361) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4365) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4366) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4367) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A4368) Table 23: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The module Software Module OSSL_PROV_PARAM_STATUS is immediately integrity test reset set to 0 or Module is aborted stops functioning failure © 2024 IBM Corporation/ atsec information security.

Page 82

Name Description Conditions Recovery Indicator Method CAST failure PCT failure Table 24: Error States In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

The software integrity tests and cryptographic algorithm self-tests can be invoked on demand by resetting the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. © 2024 IBM Corporation/ atsec information security.

Page 83
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The IBM DataPower security appliance ships with signed firmware which contains the module embedded in it. No additional steps are required to install or initialize the module.

11.2 Administrator Guidance

After delivery of the DataPower security appliance, the module name and version can be verified by executing the “openssl list -providers” command. The FIPS provider will be listed in the output as follows: fips name: IBM DataPower FIPS Provider version: 3.0.9-B3346E1D91BA83B7BAB52F472F3E6A0D status: active The cryptographic boundary consists only of the FIPS provider as listed. If any other OpenSSL or third-party provider is invoked, the user is not interacting with the module specified in this Security Policy.

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.6 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. © 2024 IBM Corporation/ atsec information security.

Page 84
12 Mitigation of Other Attacks

Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:  Big number operations: computing GCDs, modular inversion, multiplication, division, and modular exponentiation (using Montgomery multiplication)  Elliptic curve point arithmetic: addition and multiplication (using the Montgomery ladder)  Vector-based AES implementations In addition, RSA, ECDSA, ECDH, and DH employ blinding techniques to further impede timing and power analysis. No configuration is needed to enable the aforementioned countermeasures. © 2024 IBM Corporation/ atsec information security.

Page 85

Appendix A. Glossary and abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF CP Assist for Cryptographic Functions CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IKE Internet Key Exchange KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSP Public Security Parameter PSS Probabilistic Signature Scheme RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function © 2024 IBM Corporation/ atsec information security.

Page 86

XTS XEX-based Tweaked-codebook mode with cipher text Stealing Glossary and abbreviations © 2024 IBM Corporation/ atsec information security.

Page 87

Appendix B. References ANS X9.42- Public Key Cryptography for the Financial Services Industry:

2001 Agreement of Symmetric Keys Using Discrete Logarithm

Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63- Public Key Cryptography for the Financial Services Industry, Key

2001 Agreement and Key Transport Using Elliptic Curve Cryptography

2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/ fips-140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt © 2024 IBM Corporation/ atsec information security.

Page 88

RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Addendum Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf © 2024 IBM Corporation/ atsec information security.

Page 89

SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800- Transitioning the Use of Cryptographic Algorithms and Key 131Ar2 Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP 800- CMVP Security Policy Requirements 140Br1 November 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800140Br1.pdf © 2024 IBM Corporation/ atsec information security.