| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/10/2029 |
| Caveat | Interim validation; When operated in approved mode; When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Canonical Ltd. |
flowchart LR
%% Deterministic review-risk graph for Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Canonical Ltd. Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module Document Version: 1.1 Last Updated: 2024-08-28 Prepared by: Prepared for: atsec information security corporation Canonical Ltd.
4516 Seton Center Parkway, Suite 250 110 Southwark Street, Blue Fin Building,
5th Floor Austin, TX 78759 London, SE1 0SU www.atsec.com www.canonical.com
| # | Section | Page |
|---|
© 2024 Canonical Ltd. / atsec information security.
© 2024 Canonical Ltd. / atsec information security.
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 9 |
| Table 4: Modes List and Description | 9 |
| Table 5: Approved Algorithms | 31 |
| Table 6: Vendor-Affirmed Algorithms | 31 |
| Table 7: Non-Approved, Not Allowed Algorithms | 32 |
| Table 8: Security Function Implementations | 44 |
| Table 9: Entropy Certificates | 46 |
| Table 10: Entropy Sources | 46 |
| Table 11: Ports and Interfaces | 50 |
| Table 12: Roles | 51 |
| Table 13: Approved Services | 58 |
| Table 14: Non-Approved Services | 59 |
| Table 15: EFP/EFT Information | 63 |
| Table 16: Hardness Testing Temperatures | 63 |
| Table 17: Storage Areas | 66 |
| Table 18: SSP Input-Output Methods | 66 |
| Table 19: SSP Zeroization Methods | 67 |
| Table 20: SSP Table 1 | 69 |
| Table 21: SSP Table 2 | 72 |
| Table 22: Pre-Operational Self-Tests | 74 |
| Table 23: Conditional Self-Tests | 89 |
| Table 24: Pre-Operational Periodic Information | 90 |
| Table 25: Conditional Periodic Information | 96 |
| Table 26: Error States | 96 |
| Figure 1: Block Diagram | 8 |
This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.50ubuntu0.1+Fips2.1 of the Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. whole and intact and including this notice. Other documentation is proprietary to their authors.
module, which was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2024 Canonical Ltd. / atsec information security.
Purpose and Use: The Canonical Ltd. Ubuntu 22.04 OpenSSL Cryptographic Module (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider” i.e., fips.so, which implements the FIPS requirements and the cryptographic functionality provided to the operator. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. Tested Operational Environment’s Physical Perimeter (TOEPP): Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by the components painted in orange blocks, which consists only of the shared library implementing the FIPS provider (fips.so). Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. © 2024 Canonical Ltd. / atsec information security.
Identification Tested Module Identification
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS Ubuntu Supermicro SYS-1019P- Intel Xeon Gold Yes N/A 3.0.5-
22.04 WTR 6226 0ubuntu0.1+Fips2.1
Ubuntu Amazon Web Services AWS Graviton2 Yes N/A 3.0.5-
22.04 (AWS) c6g.metal 0ubuntu0.1+Fips2.1
Ubuntu IBM z15 IBM z15 Yes N/A 3.0.5-
22.04 0ubuntu0.1+Fips2.1
Ubuntu Supermicro SYS-1019P- Intel Xeon Gold No N/A 3.0.5-
22.04 WTR 6226 0ubuntu0.1+Fips2.1
Ubuntu Amazon Web Services AWS Graviton2 No N/A 3.0.5-
22.04 (AWS) c6g.metal 0ubuntu0.1+Fips2.1
Ubuntu IBM z15 IBM z15 No N/A 3.0.5-
22.04 0ubuntu0.1+Fips2.1
Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
There are no components excluded from the module.
Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of mode approved service is requested the requested service Non-approved Automatically entered whenever a non- Non- Equivalent to the indicator of mode approved service is requested Approved the requested service Table 4: Modes List and Description The module supports two modes of operation: (1) the approved mode of operation, in which the approved or vendor affirmed services are available as specified in the Approved Services table and (2) the non-approved mode of operation, in which the non-approved services are available as specified in the Non-Approved Services table. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: © 2024 Canonical Ltd. / atsec information security.
The module does not implement a degraded mode of operation.
Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3958 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3958 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3958 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3958 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3958 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A3958 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3958 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3958 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3958 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-CBC A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3959 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3959 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3959 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3959 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert AES-CFB128 A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3959 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A3959 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3959 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3959 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3959 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-CBC A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3960 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3960 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3960 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3960 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3960 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A3960 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3960 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3960 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert AES-XTS Testing A3960 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-GCM A3961 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3961 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 ECDSA KeyGen A3962 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3962 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3962 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A3962 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A3962 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A3962 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A3962 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A3962 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert PBKDF A3962 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A3962 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3962 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3962 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A3962 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A3962 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 HMAC-SHA2- A3963 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 SHA2-256 A3963 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 ECDSA SigGen A3964 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A3964 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 HMAC-SHA3- A3964 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3964 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3964 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3964 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert KDF ANS 9.42 A3964 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Rev. 1 Key Data Length - Key Data Length: 112-4096 Increment 8 KMAC-128 A3964 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3964 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 PBKDF A3964 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 SHA3-224 A3964 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A3964 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A3964 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3964 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A3964 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A3964 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 KDA OneStep A3965 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: 224-2048 Rev. 2 Increment 8 ECDSA KeyGen A3966 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3966 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3966 Component - No FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A3966 Component - No FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K283, K-409, K-571 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigGen A3967 Component - No FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A3967 Component - No FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K283, K-409, K-571 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 KAS-ECC-SSC A3968 Domain Parameter Generation Methods - B-233, B-283, B- SP 800-56A Sp800-56Ar3 409, B-571, K-233, K-283, K-409, K-571 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert KDA HKDF A3969 Derived Key Length - 2048 SP 800-56C Sp800-56Cr1 Shared Secret Length - Shared Secret Length: 224-2048 Rev. 2 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384 TLS v1.3 KDF A3969 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Counter DRBG A3970 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes Hash DRBG A3970 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A3970 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 AES-ECB A3971 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 KDF SSH (CVL) A3971 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 Rev. 1 ECDSA SigGen A3972 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A3972 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 HMAC-SHA3- A3972 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3972 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3972 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3972 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 KDF ANS 9.42 A3972 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Rev. 1 Key Data Length - Key Data Length: 112-4096 Increment 8 KMAC-128 A3972 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3972 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 PBKDF A3972 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 SHA3-224 A3972 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A3972 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert SHA3-384 A3972 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3972 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A3972 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A3972 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 AES-CBC A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3973 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3973 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3973 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3973 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3973 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A3973 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3973 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3973 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3973 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-GCM A3974 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3974 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3975 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3975 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3976 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3976 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 ECDSA KeyGen A3977 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3977 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3977 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A3977 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A3977 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A3977 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A3977 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A3977 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A3977 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A3977 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3977 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3977 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A3977 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A3977 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 AES-ECB A3978 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 KDF SSH (CVL) A3978 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 Rev. 1 ECDSA SigGen A3979 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A3979 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 HMAC-SHA3- A3979 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3979 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert HMAC-SHA3- A3979 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A3979 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 KDF ANS 9.42 A3979 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Rev. 1 Key Data Length - Key Data Length: 112-4096 Increment 8 KMAC-128 A3979 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3979 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 PBKDF A3979 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 SHA3-224 A3979 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A3979 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A3979 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3979 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A3979 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A3979 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 AES-CBC A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3980 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3980 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3980 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3980 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3980 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert AES-KW A3980 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3980 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3980 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3980 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-CBC A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3981 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3981 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3981 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3981 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3981 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A3981 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3981 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3981 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3981 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-CBC A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3982 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3982 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3982 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert AES-CCM A3982 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3982 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A3982 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3982 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3982 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3982 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 ECDSA KeyGen A3983 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3983 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3983 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A3983 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert HMAC-SHA2- A3983 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A3983 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A3983 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A3983 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A3983 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A3983 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3983 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3983 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A3983 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A3983 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 AES-ECB A3984 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 KDF SSH (CVL) A3984 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 Rev. 1 AES-ECB A3985 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert KDF SSH (CVL) A3985 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 Rev. 1 AES-ECB A3986 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 KDF SSH (CVL) A3986 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 Rev. 1 AES-ECB A3987 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 KDF SSH (CVL) A3987 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 Rev. 1 AES-GCM A3988 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3988 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3989 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3989 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3990 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3990 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 KDF SP800-108 A3991 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 112-4096 Increment Rev. 1 KAS-FFC-SSC A3992 Domain Parameter Generation Methods - ffdhe2048, SP 800-56A Sp800-56Ar3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder Safe Primes Key A3992 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Generation ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- Rev. 3 4096, MODP-6144, MODP-8192 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert Safe Primes Key A3992 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Verification ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- Rev. 3 4096, MODP-6144, MODP-8192 ECDSA KeyGen A3993 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3993 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3993 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A3993 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A3993 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A3993 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A3993 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A3993 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A3993 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A3993 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert RSA SigGen A3993 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3993 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A3993 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A3993 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 AES-GCM A3994 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3994 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3995 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3995 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3996 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3996 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3997 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3997 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3998 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3998 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3999 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3999 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A4000 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A4000 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A4001 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A4001 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A4002 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A4002 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 ECDSA KeyGen A4003 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert ECDSA KeyVer A4003 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4003 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A4003 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4003 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A4003 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A4003 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A4003 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A4003 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A4003 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A4003 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4003 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert SHA2-224 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4003 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A4003 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 ECDSA KeyGen A4004 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A4004 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4004 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A4004 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4004 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A4004 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A4004 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A4004 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A4004 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A4004 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A4004 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4004 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4004 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A4004 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 ECDSA KeyGen A4005 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A4005 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4005 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer A4005 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 HMAC-SHA-1 A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert HMAC-SHA2- A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4005 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 KAS-ECC-SSC A4005 Domain Parameter Generation Methods - P-224, P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF ANS 9.42 A4005 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, Rev. 1 SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 112-4096 Increment 8 KDF ANS 9.63 A4005 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SP 800-135 (CVL) SHA2-512/224, SHA2-512/256 Rev. 1 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A4005 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A4005 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A4005 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4005 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4005 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Properties Reference Cert TLS v1.2 KDF A4005 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 Table 5: Approved Algorithms The table above lists all implemented modes or methods of operation for the approved cryptographic algorithms of the module that are employed for approved services (Approved Services table). Vendor-Affirmed Algorithms: Name Properties Implementation Reference Cryptographic Key Key Type:Asymmetric N/A SP800-133rev2, Generation (CKG) RSA:2048, 3072, 4096-bit keys Section 4, ECDSA:P-224, P-256, P-384, P-521, B-233, B- example 1 283, B-409, B-571, K-233, K-283, K-409, K-571 elliptic curves Safe Prime Groups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP8192 Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES GCM (external IV) Encryption DSA Signature generation DSA Signature verification DSA Key pair generation DSA Key pair verification ECDSA with curve P-192 Key pair generation RSA and ECDSA (pre-hashed message) Signature generation (pre-hashed message) RSA and ECDSA (pre-hashed message) Signature verification (pre-hashed message) RSA X9.31 Signature generation RSA X9.31 Signature verification RSA primitive Asymmetric encryption RSA primitive Asymmetric decryption RSA-OAEP Asymmetric encryption RSA-OAEP Asymmetric decryption RSASVE Secret value encapsulation © 2024 Canonical Ltd. / atsec information security.
Name Use and Function RSASVE Secret value decapsulation Table 7: Non-Approved, Not Allowed Algorithms The table above lists all the non-approved cryptographic algorithms of the module employed by the non-approved services in the Non-Approved Services table.
Name Type Description Properties Algorithms Symmetric BC-UnAuth Symmetric AES-CBC:128, 192, AES-CBC encryption BC-Auth encryption 256 bits AES-CBC AES-CBC-CS1:128, AES-CBC 192, 256 bits AES-CBC AES-CBC-CS2:128, AES-CBC 192, 256 bits AES-CBC AES-CBC-CS3:128, AES-CBC 192, 256 bits AES-CBC-CS1 AES-CCM:128, 192, AES-CBC-CS1
AES-CFB1:128, 192, AES-CBC-CS1
AES-CFB128:128, AES-CBC-CS1 192, 256 bits AES-CBC-CS1 AES-CFB8:128, 192, AES-CBC-CS2
AES-CTR:128, 192, AES-CBC-CS2
AES-ECB:128, 192, AES-CBC-CS2
AES-OFB:128, 192, AES-CBC-CS2
AES-XTS Testing AES-CBC-CS3 Revision 2.0:128, AES-CBC-CS3
AES-GCM:128, 192, AES-CBC-CS3
AES-CBC-CS3 AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB128 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms Revision 2.0 AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Symmetric BC-UnAuth Symmetric AES-CBC:128, 192, AES-CBC decryption BC-Auth decryption 256 bits AES-CBC AES-CBC-CS1:128, AES-CBC 192, 256 bits AES-CBC AES-CBC-CS2:128, AES-CBC 192, 256 bits AES-CBC AES-CBC-CS3:128, AES-CBC 192, 256 bits AES-CBC-CS1 AES-CCM:128, 192, AES-CBC-CS1
AES-CFB1:128, 192, AES-CBC-CS1
AES-CFB128:128, AES-CBC-CS1 192, 256 bits AES-CBC-CS1 AES-CFB8:128, 192, AES-CBC-CS2
AES-CTR:128, 192, AES-CBC-CS2
AES-ECB:128, 192, AES-CBC-CS2
AES-OFB:128, 192, AES-CBC-CS2
AES-XTS Testing AES-CBC-CS3 Revision 2.0:128, AES-CBC-CS3
AES-GCM:128, 192, AES-CBC-CS3
AES-CBC-CS3 AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM AES-CCM © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB1 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Key wrapping KTS-Wrap Key wrapping AES-KW:128, 192, AES-KW (compliant with IG 256 bits AES-KW D.G) AES-KWP:128, 192, AES-KW
AES-KW AES-KW AES-KW AES-KWP AES-KWP AES-KWP AES-KWP AES-KWP AES-KWP AES-KWP Key unwrapping KTS-Wrap Key unwrapping AES-KW:128, 192, AES-KW (compliant with IG 256 bits AES-KW D.G) AES-KWP:128, 192, AES-KW
AES-KW AES-KW AES-KW AES-KWP AES-KWP AES-KWP AES-KWP AES-KWP © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms AES-KWP AES-KWP Key pair generation AsymKeyPair- Key pair generation ECDSA KeyGen ECDSA KeyGen KeyGen (FIPS186-4):P-224, (FIPS186-4) P-256, P-384, P-521, ECDSA KeyGen K-233, K-283, K-409, (FIPS186-4) K-571, B-233, B- ECDSA KeyGen 283, B-409, B-571 (FIPS186-4) (112, 128, 192, 256 ECDSA KeyGen bits) (FIPS186-4) RSA KeyGen ECDSA KeyGen (FIPS186-4):2048- (FIPS186-4)
bits) (FIPS186-4) Safe Primes Key ECDSA KeyGen Generation:MODP- (FIPS186-4) 2048, MODP-3072, ECDSA KeyGen MODP-4096, (FIPS186-4) MODP-6144, RSA KeyGen MODP-8192, (FIPS186-4) ffdhe2048, RSA KeyGen ffdhe3072, (FIPS186-4) ffdhe4096, RSA KeyGen ffdhe6144, (FIPS186-4) ffdhe8192 (112-200 RSA KeyGen bits) (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) Safe Primes Key Generation Key pair verification AsymKeyPair- Key pair verification ECDSA KeyVer ECDSA KeyVer KeyVer (FIPS186-4):P-192, (FIPS186-4) P-224, P-256, P-384, ECDSA KeyVer P-521, K-163, K-233, (FIPS186-4) K-283, K-409, K-571, ECDSA KeyVer B-163, B-233, B- (FIPS186-4) 283, B-409, B-571 ECDSA KeyVer (80-256 bits) (FIPS186-4) Safe Primes Key ECDSA KeyVer Verification:MODP- (FIPS186-4) 2048, MODP-3072, ECDSA KeyVer MODP-4096, (FIPS186-4) MODP-6144, ECDSA KeyVer MODP-8192, (FIPS186-4) ffdhe2048, ECDSA KeyVer ffdhe3072, (FIPS186-4) ffdhe4096, Safe Primes Key ffdhe6144, Verification © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms ffdhe8192 (112-200 bits) Digital signature DigSig-SigGen Digital signature ECDSA SigGen ECDSA SigGen generation generation (FIPS186-4):P-224, (FIPS186-4) P-256, P-384, P-521, ECDSA SigGen K-233, K-283, K-409, (FIPS186-4) K-571, B-233, B- ECDSA SigGen 283, B-409, B-571 (FIPS186-4) (112, 128, 192, 256 ECDSA SigGen bits) (FIPS186-4) RSA SigGen ECDSA SigGen (FIPS186-4):2048- (FIPS186-4)
bits) (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) Digital signature DigSig-SigVer Digital signature RSA SigVer RSA SigVer verification verification (FIPS186-4):1024- (FIPS186-4)
bits) (FIPS186-4) ECDSA SigVer RSA SigVer (FIPS186-4):1024- (FIPS186-4)
bits) (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms RSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) Message MAC Message AES-CMAC:128, AES-CMAC authentication authentication 192, 256 bits AES-CMAC AES-GMAC:128, AES-CMAC 192, 256 bits AES-CMAC HMAC-SHA-1:112- AES-CMAC
HMAC-SHA2- AES-GMAC 224:112-524288 AES-GMAC bits (112-256 bits) AES-GMAC HMAC-SHA2- AES-GMAC 256:112-524288 AES-GMAC bits (112-256 bits) AES-GMAC HMAC-SHA2- AES-GMAC 384:112-524288 AES-GMAC bits (112-256 bits) AES-GMAC HMAC-SHA2- AES-GMAC 512:112-524288 AES-GMAC bits (112-256 bits) AES-GMAC HMAC-SHA2- AES-GMAC 512/224:112- AES-GMAC
HMAC-SHA2- HMAC-SHA-1 512/256:112- HMAC-SHA-1
© 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms
HMAC-SHA3- HMAC-SHA-1 224:112-524288 HMAC-SHA-1 bits (112-256 bits) HMAC-SHA-1 HMAC-SHA3- HMAC-SHA2-224 256:112-524288 HMAC-SHA2-224 bits (112-256 bits) HMAC-SHA2-224 HMAC-SHA3- HMAC-SHA2-224 384:112-524288 HMAC-SHA2-224 bits (112-256 bits) HMAC-SHA2-224 HMAC-SHA3- HMAC-SHA2-224 512:112-524288 HMAC-SHA2-256 bits (112-256 bits) HMAC-SHA2-256 KMAC-128:128- HMAC-SHA2-256
bits) HMAC-SHA2-256 KMAC-256:128- HMAC-SHA2-256
bits) HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA2512/256 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA3-224 HMAC-SHA3-224 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-256 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-384 HMAC-SHA3-384 HMAC-SHA3-512 HMAC-SHA3-512 HMAC-SHA3-512 KMAC-128 KMAC-128 KMAC-128 KMAC-256 KMAC-256 KMAC-256 Shared secret KAS-SSC Shared secret KAS-FFC-SSC KAS-FFC-SSC computation computation Sp800- Sp800-56Ar3 56Ar3:MODP-2048, KAS-ECC-SSC MODP-3072, Sp800-56Ar3 MODP-4096, KAS-ECC-SSC MODP-6144, Sp800-56Ar3 MODP-8192, KAS-ECC-SSC ffdhe2048, Sp800-56Ar3 ffdhe3072, KAS-ECC-SSC ffdhe4096, Sp800-56Ar3 ffdhe6144, KAS-ECC-SSC ffdhe8192 (112-200 Sp800-56Ar3 bits) KAS-ECC-SSC KAS-ECC-SSC Sp800-56Ar3 Sp800-56Ar3:P-224, KAS-ECC-SSC P-256, P-384, P-521, Sp800-56Ar3 K-233, K-283, K-409, KAS-ECC-SSC K-571, B-233, B- Sp800-56Ar3 283, B-409, B-571 (112, 128, 192, 256 bits) Key derivation KAS-135KDF Key derivation KDF ANS 9.42:112- KDF ANS 9.42 KAS-56CKDF 4096 bits (112-256 KDF ANS 9.42 KBKDF bits) KDF ANS 9.42 KDF ANS 9.63:128- KDF ANS 9.42
© 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms bits) KDF ANS 9.42 TLS v1.2 KDF KDF ANS 9.42 RFC7627:TLS KDF ANS 9.42 derived secret (112KDF ANS 9.42
KDA OneStep KDF ANS 9.63 SP800- KDF ANS 9.63 56Cr2:Shared KDF ANS 9.63 secret (224-2048 KDF ANS 9.63 bits) KDF ANS 9.63 KDA HKDF Sp800- KDF ANS 9.63 56Cr1:224-2048 KDF ANS 9.63 bits (112-256 bits) TLS v1.2 KDF TLS v1.3 KDF:TLS RFC7627 derived secret (112TLS v1.2 KDF
KDF SSH:112-256 TLS v1.2 KDF bits RFC7627 KDF SP800- TLS v1.2 KDF 108:112-4096 bits RFC7627 (112-256 bits) TLS v1.2 KDF RFC7627 TLS v1.2 KDF RFC7627 TLS v1.2 KDF RFC7627 KDA OneStep SP800-56Cr2 KDA HKDF Sp80056Cr1 TLS v1.3 KDF KDF SSH KDF SSH KDF SSH KDF SSH KDF SSH KDF SSH KDF SP800-108 Message digest SHA Message digest SHA-1:N/A SHA-1 XOF SHA2-224:N/A SHA-1 SHA2-256:N/A SHA-1 SHA2-384:N/A SHA-1 SHA2-512:N/A SHA-1 SHA2-512/224:N/A SHA-1 SHA2-512/256:N/A SHA-1 SHA3-224:N/A SHA2-224 SHA3-256:N/A SHA2-224 SHA3-384:N/A SHA2-224 SHA3-512:N/A SHA2-224 SHAKE-128:N/A SHA2-224 SHAKE-256:N/A SHA2-224 SHA2-224 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA3-224 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-256 SHA3-384 SHA3-384 SHA3-384 SHA3-512 SHA3-512 SHA3-512 SHAKE-128 SHAKE-128 SHAKE-128 SHAKE-256 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms SHAKE-256 SHAKE-256 Password-based PBKDF Deriving keys from PBKDF:112-256 bits PBKDF key derivation a password-based PBKDF KDF PBKDF PBKDF PBKDF PBKDF PBKDF PBKDF PBKDF PBKDF Random number DRBG Random number Counter DRBG:128, Counter DRBG generation generation 192, 256 bits HMAC DRBG HMAC DRBG:128, Hash DRBG
Table 8: Security Function Implementations
For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The module is compliant with SP 800-52r2 Section
The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary in compliance with Scenario 2 of IG C.H. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. The service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL iv value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in © 2024 Canonical Ltd. / atsec information security.
RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key
In accordance to FIPS 140-3 IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. In addition, Section 4 of SP 800-38E states that the length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2²⁰ AES blocks, that is 16MB, of data per XTS instance. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
The module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3 and meeting IG D.F scenario 2 path (1). The key agreement schemes provided by the module are dhEphem and Unified Model, pertaining to the C(2e, 0s) schemes in section 6.1.2 . In order to meet the required assurances listed in section
5.6 of SP 800-56Arev3, the module shall be used together with an application that
implements the “TLS protocol” and the following steps shall be performed.
The module utilizes the following legacy algorithms as defined in SP 800-131Arev2:
Cert Vendor Number Name E62 Canonical Ltd. Table 9: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Canonical Non- Ubuntu 22.04 on Supermicro SYS- 64 bits Full AES-256-CTROpenSSL FIPS Physical 1019P-WTR with Intel Xeon Gold entropy DRBG (A3814); provider CPU Time 6226; Ubuntu 22.04 on Amazon AES-256-CTRJitter Entropy Web Services (AWS) c6g.metal with DRBG (A3970) source (version AWS Graviton2; Ubuntu 22.04 on 2.2.0) IBM z15 with IBM z15 Table 10: Entropy Sources © 2024 Canonical Ltd. / atsec information security.
The module employs two Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1. These DRBGs are used internally by the module (e.g. to generate seeds for asymmetric key pairs and random numbers for security functions). They can also be accessed using the specified API functions. The following parameters are used:
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. This method does not use the value V as described in Additional Comment 2 of FIPS 140-3 IG D.H. The following methods are implemented:
The module implements SSP agreement and SSP transport methods as listed in the SFI table. The module provides Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) shared secret computation compliant with SP800-56Ar3, in accordance with scenario 2 (1) of FIPS 140-3 IG D.F. According to FIPS 140-3 IG D.B, for shared secret computation, the key sizes of DH provide 112-200 bits of security strength, while the key sizes of ECDH provide 112-
The module also supports the AES KW and AES KWP key wrapping mechanisms compliant with IG D.G and SP 800-38F. These algorithms can be used to wrap SSPs with a security strength of 128, 192, or 256 bits, depending on the wrapping key size.
The module implements the SSH KDF (CVL) for use in the SSH protocol (RFC 4253 and RFC 6668). GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC
generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 KDF (CVL) and
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Physical Port Logical Data That Passes Interface(s) As a software-only module, the module does not have physical ports. Data Input API input Physical Ports are interpreted to be the physical ports of the parameters hardware platform on which it runs. As a software-only module, the module does not have physical ports. Data Output API output Physical Ports are interpreted to be the physical ports of the parameters hardware platform on which it runs. As a software-only module, the module does not have physical ports. Control API function calls Physical Ports are interpreted to be the physical ports of the Input hardware platform on which it runs. As a software-only module, the module does not have physical ports. Status API return codes, Physical Ports are interpreted to be the physical ports of the Output error queue hardware platform on which it runs. Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The table above summarizes the logical interfaces. As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs. The module does not implement a control output interface.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for a maintenance role.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access Message Comput UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Messag Messag Message Crypto digest ea PPROVED_USAGE returns 0 e e digest digest Officer message digest Symmetri Encrypt UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Ciphert Symmetri Crypto c a PPROVED_USAGE returns 0 key, ext c Officer encryptio plaintext Plainte encryptio - AES n xt n key: W,E Symmetri Decrypt UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Plaintex Symmetri Crypto c a PPROVED_USAGE returns 0 key, t c Officer decryptio cipherte Ciphert decryptio - AES n xt ext n key: W,E Authentic Encrypt UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Ciphert Symmetri Crypto ated and PPROVED_USAGE returns 0 key, ext, c Officer symmetric authenti Plainte MAC encryptio - AES encryptio cate a xt, IV tag n key: W,E n plaintext Authentic Decrypt UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Plaintex Symmetri Crypto ated and PPROVED_USAGE returns 0 key, t or c Officer symmetric authenti Ciphert Failure decryptio - AES decryptio cate a ext, n key: W,E n cipherte MAC xt tag Key Perform UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Wrappe Key Crypto wrapping AES- PPROVED_USAGE returns 0 key, d key wrapping Officer based Key to - AES key be key: W,E wrappin wrappe g d © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access Key Perform UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Unwrap Key Crypto unwrappi AES- PPROVED_USAGE returns 0 key, ped key unwrappi Officer ng based Key to ng - AES key unwrap key: W,E unwrapp ing AES- Comput UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES MAC Message Crypto based e a MAC PPROVED_USAGE returns 0 key, tag authentic Officer message tag Messag ation - AES authentic using e key: W,E ation AES generatio n AES- Verify a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA AES Pass/fai Message Crypto based MAC tag PPROVED_USAGE returns 0 key, l authentic Officer message using Messag ation - AES authentic AES e, MAC key: W,E ation tag verificatio n HMAC- Comput UBUNTU_OSSL_PROV_FIPS_PARAM_UNA HMAC MAC Message Crypto based e a MAC PPROVED_USAGE returns 0 key, tag authentic Officer message tag Messag ation - HMAC authentic using e key: W,E ation HMAC generatio n HMAC- Verify a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA HMAC Pass/fai Message Crypto based MAC tag PPROVED_USAGE returns 0 key, l authentic Officer message using Messag ation - HMAC authentic HMAC e, MAC key: W,E ation tag verificatio n KMAC- Comput UBUNTU_OSSL_PROV_FIPS_PARAM_UNA KMAC MAC Message Crypto based e a MAC PPROVED_USAGE returns 0 key, tag authentic Officer message tag Messag ation - KMAC authentic using e key: W,E ation KMAC generatio n KMAC- Verify UBUNTU_OSSL_PROV_FIPS_PARAM_UNA KMAC Pass/fai Message Crypto based MAC tag PPROVED_USAGE returns 0 key, l authentic Officer message using Messag ation - KMAC authentic KMAC e, MAC key: W,E ation tag verificatio n © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access TLS-based TLS key UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Shared TLS Key Crypto key derivatio PPROVED_USAGE returns 0 secret Derived derivation Officer derivation n key - Shared secret: W,E - TLS Derived key: G,R Key-based Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Key- KBKDF Key Crypto key key from PPROVED_USAGE returns 0 derivati Derived derivation Officer derivation a key- on key key - Keyderivatio derivatio n key n key: W,E - KBKDF Derived key: G,R ANS X9.42 Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Shared ANS Key Crypto key key from PPROVED_USAGE returns 0 secret X9.42 derivation Officer derivation a shared Derived - Shared secret key secret: W,E - ANS X9.42 Derived key: G,R ANS X9.63 Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Shared ANS Key Crypto key key from PPROVED_USAGE returns 0 secret X9.63 derivation Officer derivation a shared Derived - Shared secret key secret: W,E - ANS X9.63 Derived key: G,R HKDF key Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Shared HKDF Key Crypto derivation key from PPROVED_USAGE returns 0 secret Derived derivation Officer a shared key - Shared secret secret: W,E - HKDF Derived key: G,R OneStep Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Shared OneSte Key Crypto KDA key key from PPROVED_USAGE returns 0 secret p KDA derivation Officer derivation a shared Derived - Shared secret key secret: W,E OneStep © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access KDA Derived key: G,R SSH KDF Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Shared SSH Key Crypto key key from PPROVED_USAGE returns 0 secret KDF derivation Officer derivation a shared Derived - Shared secret key secret: W,E - SSH KDF Derived key: G,R Password- Derive a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Passwo PBKDF Password- Crypto based key key from PPROVED_USAGE returns 0 rd Derived based key Officer derivation a key derivation passwor Passwor d d: W,E,Z - PBKDF Derived key: G,R Random Generat UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Numbe Random Random Crypto number e PPROVED_USAGE returns 0 r of bits number number Officer generatio random generatio - Entropy n number n input: W,E - DRBG Internal state (V, Key): G,W,E - DRBG Internal state (V, C): G,W,E - DRBG seed: G,W,E Diffie- Comput UBUNTU_OSSL_PROV_FIPS_PARAM_UNA DH Shared Shared Crypto Hellman ea PPROVED_USAGE returns 0 private secret secret Officer shared shared key computati - DH secret secret (owner) on private computati , DH key: W,E on public - DH key public (peer) key: W,E - Shared secret: G,R EC Diffie- Comput UBUNTU_OSSL_PROV_FIPS_PARAM_UNA EC Shared Shared Crypto Hellman ea PPROVED_USAGE returns 0 private secret secret Officer © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access shared shared key computati - EC secret secret (owner) on private computati , EC key: W,E on public - EC key public (peer) key: W,E - Shared secret: G,R RSA Generat UBUNTU_OSSL_PROV_FIPS_PARAM_UNA RSA Signatu Digital Crypto Digital ea PPROVED_USAGE returns 0 private re signature Officer signature digital key, generatio - RSA generatio signatur Messag n private n e with e, Hash key: W,E RSA algorith m ECDSA Generat UBUNTU_OSSL_PROV_FIPS_PARAM_UNA EC Signatu Digital Crypto digital ea PPROVED_USAGE returns 0 private re signature Officer signature digital key, generatio - EC generatio signatur Messag n private n e with e, Hash key: W,E ECDSA algorith m RSA Verify a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA RSA Pass or Digital Crypto Digital digital PPROVED_USAGE returns 0 public Fail signature Officer signature signatur key, verificatio - RSA verificatio e using Messag n public n RSA e, key: W,E Signatu re, Hash algorith m ECDSA Verify a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA EC Pass or Digital Crypto digital digital PPROVED_USAGE returns 0 public Fail signature Officer signature signatur key, verificatio - EC verificatio e using Messag n public n RSA e, key: W,E Signatu re, Hash algorith m RSA key Generat UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Key RSA Key pair Crypto pair e an RSA PPROVED_USAGE returns 0 length private generatio Officer generatio key pair key, n - RSA n RSA private public key: G,R key - RSA public © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access key: G,R Intermed iate key generati on value: G,E,Z ECDSA Generat UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Key EC Key pair Crypto key pair e an EC PPROVED_USAGE returns 0 length private generatio Officer generatio key pair key, EC n - EC n public private key key: G,R - EC public key: G,R Intermed iate key generati on value: G,E,Z Safe Generat UBUNTU_OSSL_PROV_FIPS_PARAM_UNA Group DH Key pair Crypto primes e an DH PPROVED_USAGE returns 0 private generatio Officer key pair key pair key, DH n - DH generatio public private n key key: G,R - DH public key: G,R Intermed iate key generati on value: G,E,Z ECDSA Verify an UBUNTU_OSSL_PROV_FIPS_PARAM_UNA EC Pass or Key pair Crypto key pair EC key PPROVED_USAGE returns 0 private Fail verificatio Officer verificatio pair key, EC n - EC n public private key key: E,W - EC public key: E,W Safe Verify a UBUNTU_OSSL_PROV_FIPS_PARAM_UNA DH Pass or Key pair Crypto prime key DH key PPROVED_USAGE returns 0 private Fail verificatio Officer pair pair key, DH n - DH verificatio public private n key key: E,W - DH public key: E,W © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access Show Return UBUNTU_OSSL_PROV_FIPS_PARAM_UNA None Module None Crypto version the PPROVED_USAGE returns 0 name Officer name and and version version informat ion Show Return UBUNTU_OSSL_PROV_FIPS_PARAM_UNA None Module None Crypto status the PPROVED_USAGE returns 0 status Officer module status Self-test Perform None None Pass or None Crypto the Fail of Officer CASTs selfand tests integrity test Zeroizatio Zeroize None An SSP None None Crypto n any SSP Officer - AES key: Z - HMAC key: Z - KMAC key: Z - Keyderivatio n key: Z - Shared secret: Z Passwor d: Z - PBKDF Derived key: Z - KBKDF Derived key: Z - ANS X9.42 Derived key: Z - ANS X9.63 Derived key: Z - HKDF Derived key: Z © 2024 Canonical Ltd. / atsec information security.
Name Descript Indicator Inputs Output Security SSP ion s Functions Access OneStep KDA Derived key: Z - TLS Derived key: Z - Entropy input: Z - DRBG Internal state (V, Key): Z - DRBG Internal state (V, C): Z - DRBG seed: Z - DH private key: Z - DH public key: Z - EC private key: Z - EC public key: Z - RSA private key: Z - RSA public key: Z Intermed iate key generati on value: Z Table 13: Approved Services The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The Approved Services table and the Non-Approved Services table define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP. © 2024 Canonical Ltd. / atsec information security.
Name Description Algorithms Role Encryption AES GCM (external IV) AES GCM (external IV) CO DSA Key pair generation; Key pair verification; DSA CO Signature generation; Signature verification ECDSA with curve P- Key pair generation ECDSA with curve P- CO
192 192
RSA and ECDSA (pre- Signature generation (pre-hashed message); RSA and ECDSA (pre- CO hashed message) Signature verification (pre-hashed message) hashed message) RSA X9.31 Signature generation; Signature verification RSA X9.31 CO RSA primitive Asymmetric encryption; Asymmetric decryption RSA primitive CO RSA-OAEP Asymmetric encryption; Asymmetric decryption RSA-OAEP CO RSASVE Secret value encapsulation; Secret value RSASVE CO decapsulation Table 14: Non-Approved Services The table above lists the non-approved services in this module, the algorithms involved, the roles that can request the service. In this table, CO specifies the Crypto Officer role.
The module does not have the capability of loading software or firmware from an external source.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
The integrity of the module is verified by comparing a HMAC-SHA2-256 value calculated at run time with the HMAC-SHA2-256 value embedded in the fips.so file that was computed at build time.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently re-initializing the module, or by calling the OSSL_PROVIDER_self_test function. This will perform (among others) the software integrity test.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.
There are no concurrent operators. © 2024 Canonical Ltd. / atsec information security.
The module is comprised of software only, and therefore this section is not applicable.
Number: Not applicable. Placement: Not applicable. Surface Preparation: Not applicable. Operator Responsible for Securing Unused Seals: Not applicable. Part Numbers: Not applicable.
Temp/Voltage Temperature EFP Result Type or Voltage or EFT LowTemperature HighTemperature LowVoltage HighVoltage Table 15: EFP/EFT Information Not applicable.
Temperature Temperature Type LowTemperature HighTemperature Table 16: Hardness Testing Temperatures Not applicable. © 2024 Canonical Ltd. / atsec information security.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
This module does not implement any non-invasive security mechanism, and therefore this section is not applicable.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. Dynamic The module does not perform persistent storage of SSPs Table 17: Storage Areas SSPs are provided to the module by the calling application and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of SSPs.
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling Cryptographic Plaintext Manual Electronic parameters application (TOEPP) module API output Cryptographic Operator calling Plaintext Manual Electronic parameters module application (TOEPP) Table 18: SSP Input-Output Methods The module only supports SSP entry and output to and from the calling application running on the same operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. There is no entry or output of cryptographically protected SSPs. SSPs can be entered into the module via API input parameters, when required by a service. SSPs can also be output from the module via API output parameters, immediately after generation of the SSP (see Section 9.2).
Zeroization Description Rationale Operator Method Initiation Free cipher Zeroizes the SSPs contained within the cipher Memory occupied by SSPs By calling the handle handle: EVP_CIPHER_CTX_free() clears and is overwritten with zeroes cipher frees symmetric cipher context, and then it is released, related EVP_MAC_CTX_free() clears and frees MAC which renders the SSP zeroization context, EVP_KDF_CTX_free() clears and frees values irretrievable. The API KDF context, EVP_RAND_CTX_free() clears and completion of the frees DRBG context, EVP_PKEY_free() clears zeroization routine and frees asymetric key pair structures indicates that the zeroization procedure succeeded © 2024 Canonical Ltd. / atsec information security.
Zeroization Description Rationale Operator Method Initiation Automatic Automatically zeroized by the module when no Memory occupied by SSPs N/A longer needed is overwritten with zeroes, which renders the SSP values irretrievable. Module De-allocates the volatile memory used to store Volatile memory used by By unloading reset SSPs the module is overwritten and within nanoseconds when reloading the power is removed. module Table 19: SSP Zeroization Methods The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The operator is responsible for calling the appropriate destruction functions provided in the module's API. The destruction functions, listed above, overwrite the memory occupied by SSPs with zeroes and de-allocate the memory with the regular memory de-allocation operating system call. All data output is inhibited during zeroization.
Name Description Size - Strength Type - Generated Established Used By Category By By AES key Used for 128, 192, 256 Symmetric Symmetric encryption, bits - 128, 192, key - CSP encryption decryption, and 256 bits Symmetric message decryption authentication Message authentication HMAC key Used for hash- 112-524288 Symmetric Message based message bits - 112-256 key - CSP authentication authentication bits KMAC key Used for 128-1024 bits - Symmetric Message message 128-256 bits key - CSP authentication authentication Key- Used for key 112-4096 bits - Symmetric Key derivation derivation derivation 112-256 bits key - CSP key Shared Generated by 224-8192 bits - Shared Shared Key derivation secret shared secret 112-256 bits secret - CSP secret computation computation and used for key derivation Password Used for At least 8 Password - Passwordpassword- characters - CSP based key based key N/A derivation derivation PBKDF Generated from 112-256 bits - Symmetric Key Key derivation Derived key password- 112-256 bits key - CSP derivation © 2024 Canonical Ltd. / atsec information security.
Name Description Size - Strength Type - Generated Established Used By Category By By based key derivation KBKDF Generated from 112-256 bits - Symmetric Key Key derivation Derived key key-based key 112-256 bits key - CSP derivation derivation ANS X9.42 Generated from 112-256 bits - Symmetric Key Key derivation Derived key ANS X9.42 key 112-256 bits key - CSP derivation derivation ANS X9.63 Generated from 112-256 bits - Symmetric Key Key derivation Derived key ANS X9.63 key 112-256 bits key - CSP derivation derivation HKDF Generated from 112-256 bits - Symmetric Key Key derivation Derived key HKDF key 112-256 bits key - CSP derivation derivation OneStep Generated from 112-256 bits - Symmetric Key Key derivation KDA Derived OneStep KDA 112-256 bits key - CSP derivation key key derivation TLS Derived Generated by 112-256 bits - Symmetric Key Key derivation key TLS-based key 112-256 bits key - CSP derivation derivation Entropy Used for 128-384 bits - Entropy Random input random 128-256 bits Input - CSP number number generation generation and seeding a DRBG (compliant with IG D.L) DRBG Used for CTR_DRBG: Internal state Random Random Internal random 256, 320, 348 - CSP number number state (V, Key) number bits; generation generation generation HMAC_DRBG: (compliant with 320, 512, 1024 IG D.L) bits CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits DRBG Used for 880, 1776 bits - Internal state Random Random Internal random 128, 256 bits - CSP number number state (V, C) number generation generation generation (compliant with IG D.L) DRBG seed Used for 128-256 bits - Seed - CSP Random Random random 128-256 bits number number number generation generation generation © 2024 Canonical Ltd. / atsec information security.
Name Description Size - Strength Type - Generated Established Used By Category By By (compliant with IG D.L) DH private Used for shared 2048-8192 bits Private key - Key pair Shared secret key secret - 112-200 bits CSP generation computation computation Key pair and key pair verification verification DH public Used for shared 2048-8192 bits Public key - Key pair Shared secret key secret - 112-200 bits PSP generation computation computation Key pair and key pair verification verification EC private Used for shared P-224, P-256, P- Private key - Key pair Digital key secret 384, P-521, K- CSP generation signature computation, 233, K-283, K- generation digital 409, K-571, B- Shared secret signature 233, B- 283, B- computation generation, and 409, B-571 bits Key pair key pair - 112, 128, 192, verification verification 256 bits EC public key Used for shared P-192, P-224, P- Public key - Key pair Digital secret 256, P-384, P- PSP generation signature computation, 521, K-163, K- verification signature 233, K-283, K- Shared secret verification, 409, K-571, B- computation and key pair 163, B-233, B- Key pair verification 283, B-409, B- verification
RSA private Used for 2048-16384 Private key - Key pair Digital key signature bits - 112-256 CSP generation signature generation bits generation RSA public Used for 1024-16384 Public key - Key pair Digital key signature bits - 80-256 PSP generation signature verification bits verification Intermediate Used for key 112-16384 bits intermediate Key pair Key pair key pair generation - 112-256 bits key generation generation generation generation value value - CSP SSH KDF Generated from 112-256 bits - Symmetric Key Derived key SSH KDF key 112-256 bits key - CSP derivation derivation Table 20: SSP Table 1 © 2024 Canonical Ltd. / atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output AES key API input RAM:PlaintextFrom service Free cipher parameters invocation to handle service completion Module reset HMAC key API input RAM:Plaintext From service Free cipher parameters invocation to handle service completion Module reset KMAC key API input RAM:Plaintext From service Free cipher parameters invocation to handle service completion Module reset Key-derivation API input RAM:Plaintext From service Free cipher KBKDF Derived key parameters invocation to handle key:Derives service completion Module reset Shared secret API input RAM:Plaintext From service Free cipher DH private parameters invocation to handle key:Generated From API output service completion Module DH public parameters reset key:Generated From EC private key:Generated From EC public key:Generated From OneStep KDA Derived key:Derives HKDF Derived key:Derives ANS X9.42 Derived key:Derives ANS X9.63 Derived key:Derives TLS Derived key:Derives SSH KDF Derived key:Derives Password API input RAM:Plaintext From service Free cipher PKBDF Derived parameters invocation to handle key:Derives service completion Module reset PBKDF Derived API output RAM:Plaintext From service Free cipher Password:Derived key parameters invocation to handle From service completion Module reset KBKDF Derived API output RAM:Plaintext From service Free cipher Key derivation key parameters invocation to handle key:Derived From service completion Module reset © 2024 Canonical Ltd. / atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output ANS X9.42 API output RAM:Plaintext From service Free cipher Shared secret:Derived Derived key parameters invocation to handle From service completion Module reset ANS X9.63 API output RAM:Plaintext From service Free cipher Shared secret:Derived Derived key parameters invocation to handle From service completion Module reset HKDF Derived API output RAM:Plaintext From service Free cipher Shared secret:Derived key parameters invocation to handle From service completion Module reset OneStep KDA API output RAM:Plaintext From service Free cipher Shared secret:Derived Derived key parameters invocation to handle From service completion Module reset TLS Derived key API output RAM:Plaintext From service Free cipher Shared secret:Derived parameters invocation to handle From service completion Module reset Entropy input RAM:Plaintext From service Automatic DRBG seed:Generates invocation to Module service completion reset DRBG Internal RAM:Plaintext From DRBG Free cipher DRBG seed:Generated state (V, Key) instantiation to un- handle From instantiation or Module internal zeroization reset DRBG Internal RAM:Plaintext From DRBG Free cipher DRBG seed:Generated state (V, C) instantiation to un- handle From instantiation or Module internal zeroization reset DRBG seed RAM:Plaintext From service Automatic DRBG Internal state invocation to Module (V, Key):Generates service completion reset DRBG Internal state (V, C):Generates DH private key API input RAM:Plaintext From service Free cipher DH public key:Paired parameters invocation to handle With API output service completion Module Intermediate key parameters reset generation value:Generated From Shared secret:Generates DH public key API input RAM:Plaintext From service Free cipher DH private key:Paired parameters invocation to handle With API output service completion Module Intermediate key parameters reset generation value:Generated From Shared secret:Generates © 2024 Canonical Ltd. / atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output EC private key API input RAM:Plaintext From service Free cipher EC public key:Paired parameters invocation to handle With API output service completion Module Intermediate key parameters reset generation value:Generated By Shared secret:Generates EC public key API input RAM:Plaintext From service Free cipher EC private key:Paired parameters invocation to handle With API output service completion Module Intermediate key parameters reset generation value:Generated By Shared secret:Generates RSA private key API input RAM:Plaintext From service Free cipher RSA public key:Paired parameters invocation to handle With API output service completion Module Intermediate key parameters reset generation value:Generated By RSA public key API input RAM:Plaintext From service Free cipher RSA private key:Paired parameters invocation to handle With API output service completion Module Intermediate key parameters reset generation value:Generated From Intermediate RAM:Plaintext From service Automatic RSA private key generation invocation to key:Generates value service completion EC private key:Generates DH private key:Generates RSA public key:Generates EC public key:Generates DH public key:Generates SSH KDF API output RAM:Plaintext From service Free cipher Shared secret:Derived Derived key parameters invocation to handle From service completion Module reset Table 21: SSP Table 2 The tables above summarize the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module in the approved services (Approved Services table). SSPs, including CSPs, are directly imported as input parameters and exported as output parameters from the module. Because these SSPs are only transiently used for a specific service, they are, by definition, exclusive between approved and nonapproved services. © 2024 Canonical Ltd. / atsec information security.
The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes starting January 1, 2030. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 has been withdrawn since February 3, 2024.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Indicator Details Test Properties HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A3962) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A3963) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A3977) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A3983) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A3993) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A4003) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A4004) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A4005) Authentication Integrity operational and services are for fips.so
available for use Table 22: Pre-Operational Self-Tests The module performs pre-operational tests automatically when the module is powered on. The pre-operational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational selftests are passed successfully. The integrity of the shared library component of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the corresponding HMAC value embedded in the fips.so file that was computed at build time. If the software integrity test fails, the module transitions to the error state (Section 10.3). The HMAC and SHA2-256 algorithms go through their respective CASTs before the software integrity test is performed. © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A3962) becomes power-on operational before the integrity test SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A3977) becomes power-on operational before the integrity test SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A3983) becomes power-on operational before the integrity test SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A3993) becomes power-on operational before the integrity test SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A4003) becomes power-on operational before the integrity test SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A4004) becomes power-on operational before the integrity test SHA-1 24-bit message KAT CAST Module Message digest Test runs at (A4005) becomes power-on operational before the integrity test SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A3962) becomes power-on operational before the integrity test SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A3977) becomes power-on operational before the integrity test SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A3983) becomes power-on operational before the integrity test SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A3993) becomes power-on operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A4003) becomes power-on operational before the integrity test SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A4004) becomes power-on operational before the integrity test SHA2-512 24-bit message KAT CAST Module Message digest Test runs at (A4005) becomes power-on operational before the integrity test SHA3-256 32-bit message KAT CAST Module Message digest Test runs at (A3964) becomes power-on operational before the integrity test SHA3-256 32-bit message KAT CAST Module Message digest Test runs at (A3972) becomes power-on operational before the integrity test SHA3-256 32-bit message KAT CAST Module Message digest Test runs at (A3979) becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3961) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3974) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3975) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3976) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3988) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3989) key becomes power-on operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3990) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3994) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3995) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3996) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3997) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3998) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3999) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A4000) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A4001) key becomes power-on operational before the integrity test AES-GCM Encrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A4002) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3961) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3974) key becomes power-on operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3975) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3976) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3988) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3989) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3990) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3994) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3995) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3996) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3997) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3998) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3999) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A4000) key becomes power-on operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A4001) key becomes power-on operational before the integrity test AES-GCM Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A4002) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3958) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3959) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3960) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3971) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3973) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3978) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3980) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3981) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3982) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3984) key becomes power-on operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3985) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3986) key becomes power-on operational before the integrity test AES-ECB Decrypt with 256-bit KAT CAST Module Symmetric operation Test runs at (A3987) key becomes power-on operational before the integrity test KDF SP800- HMAC-SHA2-256 in KAT CAST Module Key based key Test runs at
108 (A3991) counter mode becomes derivation power-on
operational before the integrity test KDA SHA2-224 KAT CAST Module Shared secret key Test runs at OneStep becomes derivation power-on SP800-56Cr2 operational before the (A3965) integrity test KDA HKDF SHA2-256 KAT CAST Module Shared secret key Test runs at Sp800-56Cr1 becomes derivation power-on (A3969) operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3962) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3964) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3972) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3977) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3979) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3983) becomes X9.42 key derivation power-on
operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A3993) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A4003) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A4004) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA-1 KAT CAST Module Industry-based ANS Test runs at
9.42 (A4005) becomes X9.42 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A3962) becomes X9.63 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A3977) becomes X9.63 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A3983) becomes X9.63 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A3993) becomes X9.63 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A4003) becomes X9.63 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A4004) becomes X9.63 key derivation power-on
operational before the integrity test KDF ANS SHA2-256 KAT CAST Module Industry-based ANS Test runs at
9.63 (A4005) becomes X9.63 key derivation power-on
operational before the integrity test KDF SSH SHA-1 KAT CAST Module Industry-based SSH Test runs at (A3971) becomes KDF key derivation power-on operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type KDF SSH SHA-1 KAT CAST Module Industry-based SSH Test runs at (A3978) becomes KDF key derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Industry-based SSH Test runs at (A3984) becomes KDF key derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Industry-based SSH Test runs at (A3985) becomes KDF key derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Industry-based SSH Test runs at (A3986) becomes KDF key derivation power-on operational before the integrity test KDF SSH SHA-1 KAT CAST Module Industry-based SSH Test runs at (A3987) becomes KDF key derivation power-on operational before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A3962) operational derivation before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A3977) operational derivation before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A3983) operational derivation before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A3993) operational derivation before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A4003) operational derivation before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A4004) operational derivation before the integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at RFC7627 becomes v1.2 KDF key power-on (A4005) operational derivation before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type TLS v1.3 KDF SHA2-256 KAT CAST Module Industry-based TLS Test runs at (A3969) becomes v1.3 KDF key power-on operational derivation before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3962) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3964) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3972) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3977) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3979) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3983) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A3993) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A4003) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A4004) iterations and 288- becomes derivation power-on bit salt operational before the integrity test PBKDF SHA2-256 with 4096 KAT CAST Module Password-based key Test runs at (A4005) iterations and 288- becomes derivation power-on bit salt operational before the integrity test Counter AES-128 with KAT CAST Module Compliant with SP Test runs at DRBG derivation function becomes 800-90Ar1 power-on (A3970) and prediction operational before the resistance integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC DRBG HMAC-SHA-1 with KAT CAST Module Compliant with SP Test runs at (A3970) prediction becomes 800-90Ar1 power-on resistance operational before the integrity test KAS-FFC-SSC ffdhe2048 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3992) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3962) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3968) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3977) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3983) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3993) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A4003) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A4004) operational before the integrity test KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A4005) operational before the integrity test HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at
512 (A3964) becomes authentication power-on
operational before the integrity test HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at
512 (A3972) becomes authentication power-on
operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at
512 (A3979) becomes authentication power-on
operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A3962) bit key operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A3977) bit key operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A3983) bit key operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A3993) bit key operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A4003) bit key operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A4004) bit key operational before the integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes generation power-on (A4005) bit key operational before the integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A3962) bit key operational before the integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A3977) bit key operational before the integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A3983) bit key operational before the integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A3993) bit key operational before the integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A4003) bit key operational before the integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A4004) bit key operational before the integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) SHA2-256 and 2048- becomes verification power-on (A4005) bit key operational before the integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3962) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3964) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3966) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3967) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3972) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3977) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3979) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3983) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A3993) integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A4003) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A4004) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigGen with SHA2-256 becomes generation power-on (FIPS186-4) operational before the (A4005) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3962) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3964) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3966) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3967) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3972) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3977) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3979) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3983) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A3993) integrity test © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A4003) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A4004) integrity test ECDSA Curves P-224, B-233 KAT CAST Module Digital signature Test runs at SigVer with SHA2-256 becomes verification power-on (FIPS186-4) operational before the (A4005) integrity test Safe Primes SHA-1 password PCT PCT Successful Public key re- Key pair Key length 24 key pair computation and generation Generation characters, master generation comparison with the (A3992) key length of 200 existing public key per bits, iteration count SP800-56Arev3, of 4096, and salt section 5.6.2.1.4 length of 288 bits RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Generation of an RSA Key pair (FIPS186-4) SHA2-256 key pair key pair generation (A3962) generation RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Signature generation Key pair (FIPS186-4) SHA2-256 key pair & verification generation (A3977) generation RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Signature generation Key pair (FIPS186-4) SHA2-256 key pair & verification generation (A3983) generation RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Signature generation Key pair (FIPS186-4) SHA2-256 key pair & verification generation (A3993) generation RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Signature generation Key pair (FIPS186-4) SHA2-256 key pair & verification generation (A4003) generation RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Signature generation Key pair (FIPS186-4) SHA2-256 key pair & verification generation (A4004) generation RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful Signature generation Key pair (FIPS186-4) SHA2-256 key pair & verification generation (A4005) generation ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A3962) ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A3966) © 2024 Canonical Ltd. / atsec information security.
Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A3977) ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A3983) ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A3993) ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A4003) ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A4004) ECDSA SHA2-256 PCT PCT Successful Signature generation Key pair KeyGen key pair & verification generation (FIPS186-4) generation (A4005) Table 23: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. The CASTs can be performed on demand by unloading and re-initializing the module. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A3962) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A3963) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A3977) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A3983) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A3993) Authentication © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A4003) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A4004) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A4005) Authentication Table 24: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method SHA-1 (A3962) KAT CAST On Demand Manually SHA-1 (A3977) KAT CAST On Demand Manually SHA-1 (A3983) KAT CAST On Demand Manually SHA-1 (A3993) KAT CAST On Demand Manually SHA-1 (A4003) KAT CAST On Demand Manually SHA-1 (A4004) KAT CAST On Demand Manually SHA-1 (A4005) KAT CAST On Demand Manually SHA2-512 (A3962) KAT CAST On Demand Manually SHA2-512 (A3977) KAT CAST On Demand Manually SHA2-512 (A3983) KAT CAST On Demand Manually SHA2-512 (A3993) KAT CAST On Demand Manually SHA2-512 (A4003) KAT CAST On Demand Manually SHA2-512 (A4004) KAT CAST On Demand Manually SHA2-512 (A4005) KAT CAST On Demand Manually SHA3-256 (A3964) KAT CAST On Demand Manually SHA3-256 (A3972) KAT CAST On Demand Manually SHA3-256 (A3979) KAT CAST On Demand Manually AES-GCM (A3961) KAT CAST On Demand Manually AES-GCM (A3974) KAT CAST On Demand Manually AES-GCM (A3975) KAT CAST On Demand Manually AES-GCM (A3976) KAT CAST On Demand Manually AES-GCM (A3988) KAT CAST On Demand Manually AES-GCM (A3989) KAT CAST On Demand Manually AES-GCM (A3990) KAT CAST On Demand Manually AES-GCM (A3994) KAT CAST On Demand Manually AES-GCM (A3995) KAT CAST On Demand Manually AES-GCM (A3996) KAT CAST On Demand Manually AES-GCM (A3997) KAT CAST On Demand Manually AES-GCM (A3998) KAT CAST On Demand Manually AES-GCM (A3999) KAT CAST On Demand Manually AES-GCM (A4000) KAT CAST On Demand Manually AES-GCM (A4001) KAT CAST On Demand Manually AES-GCM (A4002) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A3961) KAT CAST On Demand Manually AES-GCM (A3974) KAT CAST On Demand Manually AES-GCM (A3975) KAT CAST On Demand Manually AES-GCM (A3976) KAT CAST On Demand Manually AES-GCM (A3988) KAT CAST On Demand Manually AES-GCM (A3989) KAT CAST On Demand Manually AES-GCM (A3990) KAT CAST On Demand Manually AES-GCM (A3994) KAT CAST On Demand Manually AES-GCM (A3995) KAT CAST On Demand Manually AES-GCM (A3996) KAT CAST On Demand Manually AES-GCM (A3997) KAT CAST On Demand Manually AES-GCM (A3998) KAT CAST On Demand Manually AES-GCM (A3999) KAT CAST On Demand Manually AES-GCM (A4000) KAT CAST On Demand Manually AES-GCM (A4001) KAT CAST On Demand Manually AES-GCM (A4002) KAT CAST On Demand Manually AES-ECB (A3958) KAT CAST On Demand Manually AES-ECB (A3959) KAT CAST On Demand Manually AES-ECB (A3960) KAT CAST On Demand Manually AES-ECB (A3971) KAT CAST On Demand Manually AES-ECB (A3973) KAT CAST On Demand Manually AES-ECB (A3978) KAT CAST On Demand Manually AES-ECB (A3980) KAT CAST On Demand Manually AES-ECB (A3981) KAT CAST On Demand Manually AES-ECB (A3982) KAT CAST On Demand Manually AES-ECB (A3984) KAT CAST On Demand Manually AES-ECB (A3985) KAT CAST On Demand Manually AES-ECB (A3986) KAT CAST On Demand Manually AES-ECB (A3987) KAT CAST On Demand Manually KDF SP800-108 KAT CAST On Demand Manually (A3991) KDA OneStep KAT CAST On Demand Manually SP800-56Cr2 (A3965) KDA HKDF Sp800- KAT CAST On Demand Manually 56Cr1 (A3969) KDF ANS 9.42 KAT CAST On Demand Manually (A3962) KDF ANS 9.42 KAT CAST On Demand Manually (A3964) KDF ANS 9.42 KAT CAST On Demand Manually (A3972) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method KDF ANS 9.42 KAT CAST On Demand Manually (A3977) KDF ANS 9.42 KAT CAST On Demand Manually (A3979) KDF ANS 9.42 KAT CAST On Demand Manually (A3983) KDF ANS 9.42 KAT CAST On Demand Manually (A3993) KDF ANS 9.42 KAT CAST On Demand Manually (A4003) KDF ANS 9.42 KAT CAST On Demand Manually (A4004) KDF ANS 9.42 KAT CAST On Demand Manually (A4005) KDF ANS 9.63 KAT CAST On Demand Manually (A3962) KDF ANS 9.63 KAT CAST On Demand Manually (A3977) KDF ANS 9.63 KAT CAST On Demand Manually (A3983) KDF ANS 9.63 KAT CAST On Demand Manually (A3993) KDF ANS 9.63 KAT CAST On Demand Manually (A4003) KDF ANS 9.63 KAT CAST On Demand Manually (A4004) KDF ANS 9.63 KAT CAST On Demand Manually (A4005) KDF SSH (A3971) KAT CAST On Demand Manually KDF SSH (A3978) KAT CAST On Demand Manually KDF SSH (A3984) KAT CAST On Demand Manually KDF SSH (A3985) KAT CAST On Demand Manually KDF SSH (A3986) KAT CAST On Demand Manually KDF SSH (A3987) KAT CAST On Demand Manually TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A3962) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A3977) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A3983) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A3993) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A4003) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A4004) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A4005) TLS v1.3 KDF KAT CAST On Demand Manually (A3969) PBKDF (A3962) KAT CAST On Demand Manually PBKDF (A3964) KAT CAST On Demand Manually PBKDF (A3972) KAT CAST On Demand Manually PBKDF (A3977) KAT CAST On Demand Manually PBKDF (A3979) KAT CAST On Demand Manually PBKDF (A3983) KAT CAST On Demand Manually PBKDF (A3993) KAT CAST On Demand Manually PBKDF (A4003) KAT CAST On Demand Manually PBKDF (A4004) KAT CAST On Demand Manually PBKDF (A4005) KAT CAST On Demand Manually Counter DRBG KAT CAST On Demand Manually (A3970) HMAC DRBG KAT CAST On Demand Manually (A3970) KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3992) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3962) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3968) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3977) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3983) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3993) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A4003) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A4004) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A4005) HMAC-SHA3-512 KAT CAST On Demand Manually (A3964) HMAC-SHA3-512 KAT CAST On Demand Manually (A3972) HMAC-SHA3-512 KAT CAST On Demand Manually (A3979) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3962) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3977) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3983) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3993) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4003) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4004) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4005) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3962) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3977) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3983) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3993) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4003) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4004) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4005) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3962) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3964) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3966) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3967) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3972) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3977) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3979) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3983) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3993) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4003) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4004) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4005) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3962) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3964) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3966) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3967) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3972) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3977) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3979) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3983) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3993) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4003) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4004) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4005) Safe Primes Key PCT PCT On Demand Manually Generation (A3992) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3962) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3977) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3983) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3993) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4003) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4004) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4005) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3962) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3966) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3977) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3983) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3993) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4003) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4004) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4005) Table 25: Conditional Periodic Information The module does not implement periodic self-tests.
Name Description Conditions Recovery Method Indicator Error The module immediately Software integrity Re-initialization of Module will not load; stops functioning test failure the module Module is aborted for PCT CAST failure failure PCT failure Table 26: Error States If the module fails any of the self-tests, the module enters the error state. In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). Regarding the PCT failure, an OSSL_PROV_PARAM_STATUS parameter can be queried from the FIPS provider to check the status of the cryptographic module. © 2024 Canonical Ltd. / atsec information security.
The table above lists the error states and the status indicator values that explain the error that has occurred.
The software integrity tests and cryptographic algorithm self-tests can be invoked on demand by resetting the module or by invoking the OSSL_PROVIDER_self_test method. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
The binaries of the FIPS validated module are contained in the following Ubuntu packages for delivery:
$ sudo pro enable fips (4) To verify that Approved mode is enabled run: $ sudo pro status The pro client will install the necessary packages for the Approved mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into Approved mode. The reboot will boot into FIPS supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in Approved mode. If you do not reboot after installing and configuring the bootloader, Approved mode is not yet enabled. To verify that FIPS is enabled after the reboot check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in Approved mode. If the file is missing, the FIPS kernel is not installed, you can verify that FIPS has been properly enabled with the pro status command.
The Crypto Officer shall follow this Security Policy to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. In addition, the Crypto Officer shall consider the following requirements and restrictions provided in Section 2.7 when using the module.
There is no non-administrator guidance.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the Ubuntu packages can be uninstalled from the Ubuntu 22.04 system.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:
RSA, ECDSA, ECDH, and DH employ blinding techniques to further impede timing and power analysis.
No configuration is needed to enable the aforementioned countermeasures.
Not applicable. © 2024 Canonical Ltd. / atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF CP Assist for Cryptographic Functions CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm ENT (NP) Non-physical Entropy Source EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code © 2024 Canonical Ltd. / atsec information security.
IKE Internet Key Exchange KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KMAC KECCAK Message Authentication Code KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RSADP RSA Decryption Primitive RSAEP RSA Encryption Primitive RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Canonical Ltd. / atsec information security.
Appendix B. References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt © 2024 Canonical Ltd. / atsec information security.
RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Addendum Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf © 2024 Canonical Ltd. / atsec information security.
SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 Canonical Ltd. / atsec information security.