All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Oracle Linux 9 NSS Cryptographic Module

Certificate#4801StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorOracle Corporation
Medium review priority  ·  no TCB surface named  ·  NSS upstream has published 0 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy.
VendorOracle Corporation

Approved Algorithms (49)

AlgorithmACVP Cert
AES-CBCA4760
AES-CBCA4767
AES-CBCA4769
AES-CBC-CS1A4765
AES-CMACA4762
AES-CTRA4760
AES-CTRA4769
AES-ECBA4760
AES-ECBA4767
AES-ECBA4769
AES-GCMA4760
AES-GCMA4760
AES-GCMA4767
AES-GCMA4767
AES-GCMA4769
AES-GCMA4769
AES-KWA4761
AES-KWA4766
AES-KWA4768
AES-KWPA4761
AES-KWPA4766
AES-KWPA4768
DSA SigVer (FIPS186-4)A4760
ECDSA KeyGen (FIPS186-4)A4760
ECDSA KeyVer (FIPS186-4)A4760
ECDSA SigGen (FIPS186-4)A4760
ECDSA SigVer (FIPS186-4)A4760
Hash DRBGA4760
HMAC-SHA2-224A4760
HMAC-SHA2-256A4760
HMAC-SHA2-384A4760
HMAC-SHA2-512A4760
KAS-ECC-SSC Sp800-56Ar3A4760
KAS-FFC-SSC Sp800-56Ar3A4760
KDA HKDF Sp800-56Cr1A4759
KDF IKEv2A4764
KDF SP800-108A4763
KDF TLSA4760
PBKDFA4760
RSA KeyGen (FIPS186-4)A4760
RSA SigGen (FIPS186-4)A4760
RSA SigVer (FIPS186-2)A4760
RSA SigVer (FIPS186-4)A4760
Safe Primes Key GenerationA4760
SHA2-224A4760
SHA2-256A4760
SHA2-384A4760
SHA2-512A4760
TLS v1.2 KDF RFC7627A4760

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Oracle Linux 9 NSS Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Show Status<br/>Self-Test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Oracle Linux 9 NSS Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Show Status<br/>Self-Test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Oracle Linux 9 NSS Cryptographic Module FIPS 140-3 Level 1 Validation Software Version: 4.35.0-381552536e763d0c Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com Document Version 1.1 ©Oracle Corporation

Page 2

Title: Oracle Linux 9 NSS Cryptographic Module Date: September 6th, 2024 Contributing Authors: Oracle Linux Engineering Security Evaluations

2300 Oracle Way

Austin, TX 78741 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 www.oracle.com change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 9 NSS Cryptographic Module Security Policy i

Page 3
Table of Contents
#SectionPage
Page 4

Oracle Linux 9 NSS Cryptographic Module Security Policy iii

Page 5
List of Tables
ItemPage
Table 1 - Security Levels1
Table 2 - Tested Module Identification3
Table 3 - Tested Operational Environments3
Table 4 - Vendor Affirmed Operational Environments3
Table 5 - Modes List and Description3
Table 6 - Approved Algorithms9
Table 7 - Vendor Affirmed Algorithms9
Table 8 - Non-Approved, Not Allowed Algorithms10
Table 9 - Security Function Implementations11
Table 10 – Entropy12
Table 11 - Key Generation13
Table 12 - Key Establishment14
Table 13 - Ports and Interfaces15
Table 14 – Roles16
Table 15 – Approved Services18
Table 16 - Non-Approved Services19
Table 17 – Storage Areas24
Table 18 – SSP Input-Output24
Table 19 - SSP Zeroization Methods24
Table 20 – SSP Information First26
Table 21 – SSP Information Second28
Table 22 - Pre-Operational Self-Tests29
Table 23 - Conditional Self-Tests30
Table 24 - Error States31
Figure 1 – Block Diagram2
Page 6
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for software version 4.35.0-381552536e763d0c of the Oracle Linux 9 NSS Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. Other documentation is proprietary to their authors.

1.1.1 How this Security Policy Was Prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. ISO/IEC 24759 Section 6 Subsections FIPS 140-3 Section Title Security Level

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security Not Applicable

8 Non-invasive Security Not Applicable

9 Sensitive Security Parameter Management 1

10 Self-tests 1

11 Life-cycle Assurance 1

12 Mitigation of Other Attacks 1

Overall Level 1 Table 1 - Security Levels Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Oracle Linux 9 NSS Cryptographic Module (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, IKEv2, PKCS#5, PKCS#7, PKCS#11, PKCS#12, S/MIME, X.509 v3 certificates, and other security standards supporting FIPS 140-

3 validated cryptographic algorithms. It combines a vertical stack of Linux components intended to limit the external interface

each separate component may provide. Module Type: Software Module Embodiment: Multi-chip standalone Module Characteristics: N/A Cryptographic Boundary: Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows). Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1

Page 8
2.2 Tested and Vendor Affirmed Version and Identification

Hardware Operating Environments: N/A Tested Module Identification

8358 SHA Extensions

ORACLE SERVER E4-2c AMD EPYC 7J13 With and without AES-NI and SHA Extensions ORACLE SERVER A1-2c Ampere® Altra® Q80-30 With and without NEON and Cryptography Extensions (CE) Table 3 - Tested Operational Environments Vendor Affirmed Operating Environments: Operating Systems Hardware Platforms Virtual Platforms Oracle Linux 9 Oracle X Series Servers Oracle Linux KVM Oracle E Series Servers VmWare ESXi Oracle A Series Servers Marvell T93 LiquidIO III (ARM v8.x) SmartNIC Pensando DSC-200-R (ARM v8.x) SmartNIC Table 4 - Vendor Affirmed Operational Environments Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated SSPs when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Name Description Type Status Indicator Approved mode Automatically entered whenever an Approved Equivalent to the indicator of the approved service is requested requested service Non-approved mode Automatically entered whenever a non- Non-approved Equivalent to the indicator of the approved service is requested requested service Table 5 - Modes List and Description After passing all pre-operational self-tests and conditional cryptographic algorithm self-tests (CASTs) executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 9

Mode change instructions and status indicators: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm Name CAVP Numbers Algorithms OE (Implementation) Reference Capabilities SHA2-224 #A4760 N/A Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 180-4 on AMD EPYCTM 7001 Series AMD EPYC 7J13: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C SHA2-256 #A4760 N/A Oracle Linux 9 on KVM on Oracle Linux 8 on AMD EPYCTM 7001 Series AMD EPYC 7J13: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C SHA2-384 #A4760 N/A Oracle Linux 9 on KVM on Oracle Linux 8 on AMD EPYCTM 7001 Series AMD EPYC 7J13: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C SHA2-512 #A4760 N/A Oracle Linux 9 on KVM on Oracle Linux 8 on AMD EPYCTM 7001 Series AMD EPYC 7J13: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C AES-ECB #A4760, #A4767, #A4769 Encryption, Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Decryption using on AMD EPYCTM 7001 Series AMD EPYC SP 800-38A 128, 192, 256-bit 7J13: Generic C, CE, AESNI SP 800-38A keys Addendum Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C, CE, AESNI Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 10

Algorithm Name CAVP Numbers Algorithms OE (Implementation) Reference Capabilities Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C, CE, AESNI AES-CBC #A4760, #A4767, #A4769 Encryption, Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Decryption using on AMD EPYCTM 7001 Series AMD EPYC SP 800-38A 128, 192, 256-bit 7J13: Generic C, CE, AESNI SP 800-38A keys Addendum Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C, CE, AESNI Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C, CE, AESNI AES-CBC-CS1 #A4765 Encryption, Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Decryption using on AMD EPYCTM 7001 Series AMD EPYC SP 800-38A 128, 192, 256-bit 7J13: Generic C CTS Addendum keys Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C CTS Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C CTS AES-CTR #A4760, #A4769 Encryption, Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Decryption using on AMD EPYCTM 7001 Series AMD EPYC SP 800-38A 128, 192, 256-bit 7J13: Generic C, AESNI SP 800-38A keys Addendum Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C, AESNI Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C, AESNI AES-CMAC #A4762 Message Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Authentication on AMD EPYCTM 7001 Series AMD EPYC SP 800-38B using 128, 192, 7J13: Generic C CMAC 256-bit keys Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C CMAC Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C CMAC AES-GCM #A4760, #A4767, #A4769 Authenticated Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Encryption on AMD EPYCTM 7001 Series AMD EPYC SP 800-38D (internal IV), 7J13: Generic C, CE, AESNI Authenticated Oracle Linux 9 on KVM on Oracle Linux 8 Decryption on Ampere® Altra® Q80-30: Generic C, (external IV) CE, AESNI using 128, 192, 256-bit keys Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C, CE, AESNI Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 11

Algorithm Name CAVP Numbers Algorithms OE (Implementation) Reference Capabilities IV Generation: Internal & External IV Generation Mode: 8.2.1 and 8.2.2 AES-KW #A4761, #A4766, #A4768 Key Wrapping, Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Key Unwrapping on AMD EPYCTM 7001 Series AMD EPYC SP 800-38F using 128, 192, 7J13: Generic C KW, AESNI KW 256-bit keys Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C KW, AESNI KW Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C KW, AESNI KW AES-KWP #A4761, #A4766, #A4768 Key Wrapping, Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 197 Key Unwrapping on AMD EPYCTM 7001 Series AMD EPYC SP 800-38F using 128, 192, 7J13: Generic C KW, AESNI KW 256-bit keys Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C KW, AESNI KW Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C KW, AESNI KW HMAC #A4760 SHA-224, SHA- Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 198-1 256, SHA-384, on AMD EPYCTM 7001 Series AMD EPYC FIPS 180-4 SHA-512 7J13: Generic C 112-524288-bit Oracle Linux 9 on KVM on Oracle Linux 8 keys on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C KBKDF #A4763 Modes: counter, Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-108r1 feedback, double on AMD EPYCTM 7001 Series AMD EPYC pipeline 7J13: Generic C KBKDF CMAC and HMAC Oracle Linux 9 on KVM on Oracle Linux 8 SHA-1, SHA-224, on Ampere® Altra® Q80-30: Generic C SHA-256, SHAKBKDF 384, SHA-512 Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C KBKDF HKDF #A4759 Key Derivation Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-56Cr1 with HMAC SHA- on AMD EPYCTM 7001 Series AMD EPYC 224, SHA-256, 7J13: TLS v1.3 SHA-384, SHAOracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: TLS v1.3 Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: TLS v1.3 Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 12

Algorithm Name CAVP Numbers Algorithms OE (Implementation) Reference Capabilities TLS 1.0/1.1 KDF #A4760 Key Derivation Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-135r1 (CVL) with SHA1 on AMD EPYCTM 7001 Series AMD EPYC 7J13: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C TLS 1.2 KDF (CVL #A4760 Hashes: SHA-256, Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-135r1 RFC 7627) SHA-384, SHA- on AMD EPYCTM 7001 Series AMD EPYC

512 7J13: Generic C

Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C IKEv2 KDF (CVL) #A4764 Hashes: SHA-1, Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-135r1 SHA-256, SHA- on AMD EPYCTM 7001 Series AMD EPYC 384, SHA-512 7J13: IKE KDF Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: IKE KDF Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: IKE KDF PBKDF2 #A4760 Option 1a Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-132 Password length: on AMD EPYCTM 7001 Series AMD EPYC 7-128 characters 7J13: Generic C Salt length: 128Oracle Linux 9 on KVM on Oracle Linux 8

4096 bytes

on Ampere® Altra® Q80-30: Generic C Iteration count: 1000-10000 Oracle Linux 9 on KVM on Oracle Linux 8 Hashes: SHA-1, on Intel® Xeon® Platinum 8358: Generic C SHA-224, SHA256, SHA-384, SHA-512 Hash_DRBG #A4760 Hashes: SHA-256 Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-90Ar1 With/without on AMD EPYCTM 7001 Series AMD EPYC prediction 7J13: Generic C resistance Oracle Linux 9 on KVM on Oracle Linux 8 on Ampere® Altra® Q80-30: Generic C Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C KAS-FFC-SSC #A4760 Scheme: Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-56Ar3 dhEphem on AMD EPYCTM 7001 Series AMD EPYC Roles: initiator, 7J13: Generic C responder Oracle Linux 9 on KVM on Oracle Linux 8 Groups: MODPon Ampere® Altra® Q80-30: Generic C 2048, MODP3072, MODP- Oracle Linux 9 on KVM on Oracle Linux 8 4096, MODP- on Intel® Xeon® Platinum 8358: Generic C 6144, MODP8192, ffdhe2048, ffdhe3072, Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 13

Algorithm Name CAVP Numbers Algorithms OE (Implementation) Reference Capabilities ffdhe4096, ffdhe6144, ffdhe8192 KAS-ECC-SSC #A4760 Scheme: Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-56Ar3 Ephemeral on AMD EPYCTM 7001 Series AMD EPYC Unified Model 7J13: Generic C Roles: initiator, Oracle Linux 9 on KVM on Oracle Linux 8 responder on Ampere® Altra® Q80-30: Generic C Curves: P-256, P384, P-521 Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C DSA1 #A4760 Signature Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 186-4 Verification on AMD EPYCTM 7001 Series AMD EPYC Hashes: SHA-224, 7J13: Generic C SHA-256, SHAOracle Linux 9 on KVM on Oracle Linux 8 384, SHA-512 on Ampere® Altra® Q80-30: Generic C Keys: (L = 1024, N= 160); (L = Oracle Linux 9 on KVM on Oracle Linux 8 2048, N = 224); (L on Intel® Xeon® Platinum 8358: Generic C = 2048, N = 256); (L = 3072, N = 256) RSA #A4760 Signature Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 186-4 Generation & on AMD EPYCTM 7001 Series AMD EPYC Verification 7J13: Generic C Padding: PKCS#1 Oracle Linux 9 on KVM on Oracle Linux 8 v1.5 and PSS on Ampere® Altra® Q80-30: Generic C Hashes: SHA-224, SHA-256, SHA- Oracle Linux 9 on KVM on Oracle Linux 8 384, SHA-512 on Intel® Xeon® Platinum 8358: Generic C Modulus: 2048-

4096 bits

RSA #A4760 Signature Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 186-2 Verification on AMD EPYCTM 7001 Series AMD EPYC FIPS 186-4 Padding: PKCS#1 7J13: Generic C v1.5 and PSS Oracle Linux 9 on KVM on Oracle Linux 8 Hashes: SHA-224, on Ampere® Altra® Q80-30: Generic C SHA-256, SHA384, SHA-512 Oracle Linux 9 on KVM on Oracle Linux 8 Modulus: 1024, on Intel® Xeon® Platinum 8358: Generic C 1280, 1536, 1792 bits ECDSA #A4760 Signature Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 186-4 Generation & on AMD EPYCTM 7001 Series AMD EPYC Verification 7J13: Generic C Hashes: SHA-224, Oracle Linux 9 on KVM on Oracle Linux 8 SHA-256, SHAon Ampere® Altra® Q80-30: Generic C 384, SHA-512 Curves: P-256, P- Oracle Linux 9 on KVM on Oracle Linux 8 384, P-521 on Intel® Xeon® Platinum 8358: Generic C Safe Primes #A4760 Key Pair Oracle Linux 9 on KVM on Oracle Linux 8 SP 800-56Ar3 Generation on AMD EPYCTM 7001 Series AMD EPYC 7J13: Generic C The following are allowed for legacy use only; DSA signature verification with L=1024 and N=224. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 14

Algorithm Name CAVP Numbers Algorithms OE (Implementation) Reference Capabilities Mode: Testing Oracle Linux 9 on KVM on Oracle Linux 8 Candidates on Ampere® Altra® Q80-30: Generic C (Appendix Oracle Linux 9 on KVM on Oracle Linux 8 5.6.1.1.4) on Intel® Xeon® Platinum 8358: Generic C Groups: MODP2048, MODP3072, MODP4096, MODP6144, MODP8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 RSA #A4760 Key Pair Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 186-4 Generation on AMD EPYCTM 7001 Series AMD EPYC Mode: Probable 7J13: Generic C Primes (Appendix Oracle Linux 9 on KVM on Oracle Linux 8 B.3.3) on Ampere® Altra® Q80-30: Generic C Modulus: 2048-

4096 bits Oracle Linux 9 on KVM on Oracle Linux 8

on Intel® Xeon® Platinum 8358: Generic C ECDSA #A4760 Key Pair Oracle Linux 9 on KVM on Oracle Linux 8 FIPS 186-4 Generation on AMD EPYCTM 7001 Series AMD EPYC Mode: Extra 7J13: Generic C Random Bits Oracle Linux 9 on KVM on Oracle Linux 8 (Appendix B.4.1) on Ampere® Altra® Q80-30: Generic C Curves: P-256, P384, P-521 Oracle Linux 9 on KVM on Oracle Linux 8 on Intel® Xeon® Platinum 8358: Generic C Table 6 - Approved Algorithms Vendor Affirmed Algorithms: Algorithm Name Algorithm Capabilities OE (Implementation) References Cryptographic Key Generation Symmetric Key Generation using SP 800- Same as in Table 6 SP 800-133Rev2 section 4 example (CKG) 90Ar1 Hash_DRBG : 112-256 bits of key 1 and section 6.1 strength Safe Primes: MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 groups (112-200 bits of key strength) RSA: 2048, 3072, 4096-bit keys (112, 128, 150 bits of key strength) ECDSA: P-256, P-384, P-521 elliptic curves (128-

256 bits of key strength)

Table 7 - Vendor Affirmed Algorithms Non-Approved, Allowed Algorithms: The module does not implement non-approved algorithms allowed in the approved mode of operation. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 15

Non-Approved, Allowed Algorithms with No Security Claimed: Algorithm Name Caveat Use/Function MD5 Only allowed as the PRF in TLSv1.0 and v1.1 Message digest used in TLS 1.0/1.1 KDF only per IG 2.4.A Table 8 - Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Name Use and Function MD2, MD5, SHA-1 Message Digest RC2, RC4, DES, Triple-DES, CDMF, Camellia, SEED, ChaCha20 (-Poly1305) Encryption Decryption AES GCM (external IV) Encryption CBC-MAC, AES XCBC-MAC, AES XCBC-MAC-96 Message Authentication HMAC-SHA-1, HMAC (MD2, MD5; < 112-bit keys) HMAC/SSLv3 MAC (constant-time implementation) RSA OAEP Key Encapsulation/Decapsulation SEED, ANS X9.63 KDF, SSL 3 PRF, 40v1 PRF Key Derivation KBKDF, HKDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF, IKEv2 PRF (< 112-bit keys) KBKDF (MD2, MD5) TLS 1.2 KDF (without extended master secret) IKEv1 KDF IKEv2 PRF (MD2, MD5) PKCS#5 PBE, PKCS#12 PBE Password-Based Key Derivation PBKDF2 (short password; short salt; insufficient iterations; < 112-bit keys) J-PAKE Shared Secret Computation KAS-FFC-SSC (FIPS 186-type groups) KAS-ECC-SSC (P-192) DSA Parameter Generation Parameter Verification Key Pair Generation Signature Generation RSA with SHA-1, RSA (primitive; PKCS#1 v1.5 or PSS with MD2, MD5) Signature Generation ECDSA (P-192) Signature Verification RSA Asymmetric Encryption Asymmetric Decryption DH (FIPS 186-type groups) Key Pair Generation RSA (< 2048 bits) ECDSA (P-192) Symmetric key generation (< 112 bits) Secret Key Generation Table 9 - Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description SF Capabilities Algorithms KAS-ECC-SSC [SP 800-56ARev3] KAS Shared Secret Ephemeral Unified scheme KAS-ECC-SSC: #A4760 Computation Curves: P-256, P-384, P-521 elliptic curves with 128-256 bits of key strength Compliant with IG D.F scenario 2(1) KAS-FFC-SSC [SP 800-56ARev3] Ephemeral Unified scheme KAS-FFC-SSC: #A4760 Keys: 2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 16

Compliant with IG D.F scenario 2(1) AES-GCM [SP 800-38D] KTS Key Wrapping (internal 128, 192, 256 bits with AES-GCM: #A4760, #A4767, IV), Key Unwrapping 128-256 bits of key strength #A4769 (external IV) IV Generation: Internal & External IV Generation Mode: 8.2.1 and 8.2.2 Complaint with IG D.G AES-KW, AES-KWP [SP 800-38F] Key Wrapping, Key 128, 192, 256 bits with AES-KW, AES-KWP: Unwrapping 128-256 bits of key strength #A4761, #A4766, #A4768 Complaint with IG D.G Table 10 - Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. NSS is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation compliant with Scenario 2 of FIPS 140-3 IG C.H. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary. Additionally, the module offers an internal deterministic IV generation mode compliant with Scenario 3 of FIPS 140-3 IG C.H. The size of the fixed (name) field used by this IV generation mode is at least 32 bits. The module then internally generates a 32 bit or longer deterministic non-repetitive counter. The module explicitly ensures that this counter is monotonically increasing at each invocation of the AES-GCM for the same encryption key, and that this counter does not exhaust all its possible values. The generated GCM IV is at least 96 bits in length. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section

3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for

protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection.

2.7.2 Key Derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:

Page 17
2.7.3 SP 800-56Ar3 Assurances

The module offers DH and ECDH shared secret computation services compliant to the SP 800-56Ar3 and meeting IG D.F scenario

2 path (1). To meet the required assurances listed in section 5.6 of SP 800-56Ar3, the module shall be used together with an

application that implements the “TLS protocol” and the following steps shall be performed.

2.8 RNG and Entropy

Entropy Information: Name Type Operational Environment Sample Size Entropy Per Sample Conditioning Component Oracle Userspace CPU Non-physical See Table 3 256 bits 256 bits HMAC-SHA2-512-DRBG Time Jitter RNG Entropy (CAVP cert A4162) Source (Cert. #E99) Table 11

2.9 Key Generation

Name Type Properties Direct Generation of Symmetric Keys CKG Key type: Symmetric key Security strength: 112-256 bits Method: Direct Generation Compliant to SP 800-133r2, Section 6.1 Safe Primes Key Pair Generation Key type: DH key pair Groups: MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Security strength: 112-200 bits Method: SP 800-56Ar3 (safe primes) Section 5.6.1.1.4 Testing Candidates Compliant to SP 800-133r2, Section 5.2 ECDSA Key Pair Generation Key type: EC key pair Curves: P-256, P-384, P-521 Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 18

Security strength: 128-256 bits Method: FIPS 186-4 Appendix B.4.1 Extra Random Bits Compliant to SP 800-133r2, Section 4 RSA Key Pair Generation Key type: RSA key pair Modulus: 2048-4096 bits Security strength: 112-150 bits Method: FIPS 186-4 Appendix B.3.3 Probable Primes Compliant to SP 800-133r2, Section 4 KBKDF Key Derivation Key type: Symmetric key Security strength: 112-256 bits Method: Counter, feedback and double pipeline mode, using CMAC and HMAC SHA1, SHA-224, SHA-256, SHA-384, SHA-512 HKDF Key type: Symmetric key Security strength: 112-256 bits Method: (HMAC) SHA-224, SHA-256, SHA-384, SHA-512 Compliant to SP 800-56Cr1 TLS 1.0/1.1 KDF Key type: Symmetric key Security strength: 112-256 bits Method: SHA1 Compliant to SP 800-135r1 TLS 1.2 KDF (RFC 7627) Key type: Symmetric key Security strength: 112-256 bits Method: SHA-256, SHA-384, SHA-512 Compliant to SP 800-135r1 IKEv2 KDF Key type: Symmetric key Security strength: 112-256 bits Method: SHA-1, SHA-256, SHA-384, SHA-512 Compliant to SP 800-135r1 PBKDF2 Key type: Symmetric key Security strength: 112-256 bits Method: Option 1a with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 Compliant to option 1a of SP 800-132 Table 12 - Key Generation Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 19
2.10 Key Establishment

Name Type Properties KAS-FFC-SSC [SP800-56Arev3] KAS (Shared Secret Computation) Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Security strength: 112-200 bits Compliant with: Scenario 2 (1) of FIPS 140-3 IG D.F: Shared Secret Computation KAS-ECC-SSC [SP800-56Arev3] Curves: P-256, P-384, P-521 Security strength: 128-256 bits Compliant with: Scenario 2 (1) of FIPS 140-3 IG D.F: Shared Secret Computation AES GCM [SP 800-38D] KTS-Wrap (Key Wrapping) Keys: 128, 192, or 256 bits IV generated internally Security strength: 128, 192, or 256 bits Compliant with IG D.G KTS-Wrap (Key Unwrapping) Keys: 128, 192, or 256 bits IV provided externally Security strength: 128, 192, or 256 bits Compliant with IG D.G AES KW, AES KWP [SP 800-38F] KTS-Wrap (Key Wrapping, Key Keys: 128, 192, or 256 bits Unwrapping) Security strength: 128, 192, or 256 bits Compliant with IG D.G Table 13 - Key Establishment

2.11 Industry Protocols

For DH, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS) as listed in Table 13. Note that the module only implements domain parameter generation, key pair generation and verification, and shared secret computation. TLS 1.0/1.1 KDF, TLS 1.2 KDF (RFC 7627), IKEv2 implementations shall only be used to generate secret keys in the context of the TLS 1.0/1.1, TLS 1.2, IKE protocols respectively. No parts of this protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 20
3 Cryptographic Module Interfaces
3.1 Description

Physical Port Logical Interface Data That Passes Over the Port/Interface As a software-only module, the module does not Data Input API data input parameters have physical ports. Physical Ports are interpreted Data Output API output parameters to be the physical ports of the hardware platform Control Input API function calls, API control input parameters on which it runs. Status Output API return code, error queue Table 14 - Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design.

3.2 Trusted Channel Specification

The module does not implement a trusted channel.

3.3 Control Interface Not Inhibited

The module does not implement a control output interface. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 21
4 Roles, Services, and Authentication
4.1 Authentication Methods

The module does not implement authentication.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO N/A (Implicitly assumed) Table 15

4.3 Approved Services

Name Description Indicator Inputs Outputs Security Roles SSP Access Functions Message Digest Compute a CKS_NSS_FI Message Digest value SHA2-224, CO N/A message PS_OK SHA2-256, digest SHA2-384, SHA2-512 Encryption Encrypt a AES Key, Ciphertext AES-ECB, AES- AES Key: W, E plaintext plaintext CBC, AES-CBCCS1, AES-CTR, AES-GCM (internal IV) Decryption Decrypt a AES Key, Plaintext AES-ECB, AESciphertext ciphertext CBC, AES-CBCCS1, AES-CTR, AES-GCM (external IV) Key Wrapping Wrap a key AES Key, Key To Wrapped AES-GCM, AES- AES Key: W, E Be Wrapped key KW, AES-KWP Wrapped Key: R Key To Be Wrapped: W, E Key Unwrapping Unwrap a key AES Key, Key To Unwrapped AES Key: W, E Be Unwrapped key Unwrapped Key: R Key To Be Unwrapped: W, E Message Compute a AES Key, MAC tag AES-CMAC AES Key: W, E Authentication MAC tag message HMAC Key, HMAC-SHA- HMAC Key: W, E message 224, HMACSHA-256, HMAC-SHA384, HMACSHA-512 Message Verify a MAC AES Key, Pass/fail AES-CMAC AES Key: W, E Authentication tag message, MAC Verification tag HMAC Key, HMAC-SHA- HMAC Key: W, E message, MAC 224, HMACtag SHA-256, HMAC-SHA384, HMACSHA-512 Shared Secret Compute a DH Private Key, Shared KAS-FFC-SSC DH Private Key: W, E; Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 22

Name Description Indicator Inputs Outputs Security Roles SSP Access Functions Computation shared secret DH Public Key Secret DH Public Key: W, E; Shared Secret: G, R EC Private Key, KAS-ECC-SSC EC Private Key: W, E; EC Public Key EC Public Key: W, E; Shared Secret: G, R Signature Generate a Message, Signature RSA PKCS#1 RSA Private Key: W, E; Generation digital private key v1.5 and PSS ECDSA Private Key: W, E signature with SHA-224, SHA-256, SHA384, SHA-512, ECDSA with SHA-224, SHA256, SHA-384, SHA-512 Signature Verify a digital Message, public Pass/fail RSA PKCS#1 RSA Public Key: W, E; Verification signature key, signature v1.5 and PSS ECDSA Public Key: W, E; with, SHA-224, DSA Public Key: W, E SHA-256, SHA384, SHA-512, ECDSA with SHA-224, SHA256, SHA-384, SHA-512 DSA with SHA224, SHA-256, SHA-384, SHAKey Pair Generate a DH Group DH Private Safe Primes DH Private Key: G, R; Generation key pair Key, DH DH Public Key: G, R; Public Key Intermediate Key Generation Value: G Curve EC Private ECDSA EC Private Key: G, R; Key, EC EC Public Key: G, R; Public Key Intermediate Key Generation Value: G Modulus RSA Private RSA RSA Private Key: G, R; Key, RSA RSA Public Key: G, R; Public Key Intermediate Key Generation Value: G Secret Key Generate a Key size Symmetric CKG Symmetric Key (AES Key, HMAC Key Generation secret key Key (Symmetric Key Key-Derivation Key): G Generation) Key Derivation Derive a key Shared Secret Derived Key HKDF, TLS Shared Secret: W, E; 1.0/1.1 KDF, Derived Key: G, R TLS 1.2 KDF, IKEv2 KDF Key-Based Key Derive a key Key-Derivation KBKDF Key-Derivation Key: W, E; Derivation from a key Key Derived Key: G, R Password-Based Derive a key Password PBKDF2 Password: W, E; Key Derivation from a Derived Key: G, R password Random Generate CKR_OK Output length Random Hash_DRBG, Entropy Input: W, E; Number random bytes bytes DRBG Seed: E, G; Generation Internal State (V, C): W, E, G Show Version Return the None N/A Module N/A N/A Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 23

Name Description Indicator Inputs Outputs Security Roles SSP Access Functions module name name and and version version information Show Status Return the None N/A Module N/A N/A module status status Self-Test Perform the None N/A Pass/fail SHA-224, SHA- N/A CASTs and 256, SHA-384, integrity tests SHA-512 AES-GCM, AESECB, AES-CBC, AES-CMAC, HMAC, KBKDF, HKDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF, IKEv2 KDF, PBKDF2, Hash_DRBG, KAS-FFC-SSC, KAS-ECC-SSC, RSA, ECDSA, DSA See Table 24 for specifics Zeroization Zeroize all None Any SSP N/A N/A All SSPs: Z SSPs Table 16 – Approved Services Table 16 lists the approved services. The following convention is used to specify access rights to SSPs: • Generate (G): The module generates or derives the SSP. • Read (R): The SSP is read from the module (e.g. the SSP is output). • Write (W): The SSP is updated, imported, or written to the module. • Execute (E): The module uses the SSP in performing a cryptographic operation. • Zeroize (Z): The module zeroizes the SSP. To interact with the module, a calling application must use the FIPS token APIs provided by Softoken. The FIPS token API layer can be used to retrieve the approved service indicator for the module. This indicator consists of four independent service indicators.

  1. The session indicator, which must be used for all cryptographic services except the key derivation service. It can be accessed by invoking the NSC_NSSGetFIPSStatus function with the CKT_NSS_SESSION_LAST_CHECK parameter. If the output parameter is set to CKS_NSS_FIPS_OK (1), the service was approved.
  2. The object indicator, which must be used for the key derivation service. It can be accessed by invoking the NSC_NSSGetFIPSStatus function with the CKT_NSS_OBJECT_CHECK parameter and the output derived key. If the output parameter is set to CKS_NSS_FIPS_OK (1), the service was approved.
  3. The DRBG service indicator, which must be used for the DRBG service. It can be accessed by invoking the C_SeedRandom or C_GenerateRandom functions. If any of these functions returns CKR_OK, the service was approved. Oracle Linux 9 NSS Cryptographic Module Security Policy
Page 24
4.4 Non-Approved Services

Name Description Security Functions Role Message Digest Compute a message digest MD2, MD5, SHA-1 CO Encryption Encrypt a plaintext RC2, RC4, DES, Triple-DES, CDMF, Camellia, SEED, ChaCha20(-Poly1305), AES GCM (external IV) Decryption Decrypt a ciphertext RC2, RC4, DES, Triple-DES, CDMF, Camellia, SEED, ChaCha20(-Poly1305) Message Authentication Compute a MAC tag CBC-MAC, AES XCBC-MAC, AES XCBC-MAC-96; HMAC-SHA-1, HMAC (MD2, MD5; < 112-bit keys); HMAC/SSLv3 MAC (constant-time implementation) Key Encapsulation/Decapsulation Encapsulate/Decapsulate a key RSA OAEP Key Derivation Derive a key SEED, ANS X9.63 KDF, SSL 3 PRF, IKEv1 KDF, KBKDF, HKDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF, IKEv2 KDF (< 112-bit keys), KBKDF (MD2, MD5), TLS 1.2 KDF (without extended master secret), IKEv2 KDF (MD2, MD5) Password-Based Key Derivation Derive a key from a password PKCS#5 PBE, PKCS#12 PBE, PBKDF2 (short password; short salt; insufficient iterations; < 112-bit keys) Shared Secret Computation Compute a shared secret J-PAKE, KAS-FFC-SSC (FIPS 186-type groups), KAS-ECC-SSC (P-192) Signature Generation Generate a signature DSA, RSA with SHA-1, RSA (primitive; PKCS#1 v1.5 or PSS with MD2, MD5), ECDSA (P-192) Signature Verification Verify a signature RSA with SHA-1, RSA (primitive; PKCS#1 v1.5 or PSS with MD2, MD5), ECDSA (P-192) Asymmetric Encryption Encrypt a plaintext RSA Asymmetric Decryption Decrypt a plaintext Parameter Generation Generate domain parameters DSA Parameter Verification Verify domain parameters Key Pair Generation Generate a key pair DH (FIPS 186-type groups), RSA (< 2048 bits), DSA, ECDSA (P-192) Secret Key Generation Generate a secret key CKG (< 112 bits) Table 17 - Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware.

4.6 Bypass Actions and Status

The module does not implement a bypass capability.

4.7 Cryptographic Output Actions and Status

The module does not implement a self-initiated cryptographic output capability. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 25
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing a HMAC-SHA-256 value calculated at run time with the HMAC-SHA-256 value embedded in the module that was computed at build time. If the integrity test fails, the module enters the Power-On Error state.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently re-initializing the module. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 26
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operating Environment: modifiable: the module executes on a general-purpose operating system (Oracle Linux 9), which allows modification, loading, and execution of software that is not part of the validated module. How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configurable Settings and Restrictions

The module shall be installed as stated in Section 11.1. There are no concurrent operators. The module does not have the capability of loading software or firmware from an external source. Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 27
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 28
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 29
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Name Description Persistence Type RAM Temporary storage for SSPs used by the module as part of service Dynamic execution. The module does not perform persistent storage of SSPs. Table 18

9.2 SSP Input-Output Methods

Name From To Format Type Distribution Type Entry Type Related SFI API input parameters Calling application Cryptographic Plaintext (P) Manual (MD) Electronic (EE) AES-KW, AES(plaintext) (TOEPP) module KWP [SP 800API input parameters Encrypted (E) 38F]; AES(encrypted) with AES GCM, GCM [SP 800KW, KWP 38D] API output parameters Cryptographic module Calling application Plaintext (P) (plaintext) (TOEPP) API output parameters Encrypted (E) (encrypted) with AES GCM, KW, KWP Table 19

9.3 SSP Zeroization Methods

Zeroization Method Description Rationale Operator Initiation Calling the zeroization API Zeroizes the Memory occupied by SSPs is By calling the C_DestroyObject function SSPs overwritten with zeroes, which renders the SSP values irretrievable. Automatic Automatically N/A zeroized by the module when no longer needed Remove power from the De-allocates Volatile memory used by the module By removing power module the volatile is overwritten within nanoseconds memory used when power is removed to store SSPs Table 20 - SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Description Size Strength Type Generated By Established By AES Key AES key used for 128-256 bits 128-256 bits Symmetric key CKG (SP 800-133r2, N/A Encryption, Section 6.1) Decryption, Key Wrapping, Key Unwrapping, Message Authentication, Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 30

Name Description Size Strength Type Generated By Established By Message Authentication Verification Wrapped Key Wrapped key 128-8192 bits 112-256 bits Wrapped key N/A AES-GCM, AESKW, AES-KWP Unwrapped Key Unwrapped key 128-8192 bits 112-256 bits Unwrapped key N/A AES-GCM, AESKW, AES-KWP Key To Be Key To Be 128-256 bits 112-256 bits Key To Be Wrapped N/A AES-GCM, AESWrapped Wrapped KW, AES-KWP Key To Be Key To Be 128-256 bits 112-256 bits Key To Be N/A AES-GCM, AESUnwrapped Unwrapped Unwrapped KW, AES-KWP HMAC Key HMAC key used 112-524288 bits 112-256 bits Authentication key CKG (SP 800-133r2, N/A for Message Section 6.1) Authentication, Message Authentication Verification Key-Derivation Key for key 112-4096 bits 112-256 bits Key-derivation key CKG (SP 800-133r2, N/A Key derivation with Section 6.1) KBKDF Shared Secret Shared secret 256-8192 bits 112-256 bits Shared secret N/A KAS-ECC-SSC, established by KAS-FFC-SSC KAS-ECC-SSC/KAS- (according to SP FFC-SSC 800-56Ar3) Password PBKDF2 password 64-1024 bits N/A Password N/A N/A Derived Key KBKDF derived key 128-4096 bits 112-256 bits Derived key KBKDF PBKDF2 derived 128-4096 bits PBKDF2 key KDA HKDF derived 2048 bits KDA HKDF key TLS 1.0/1.1 KDF 384 bits TLS 1.0/1.1 KDF derived key TLS v1.2 KDF 1024 bits TLS v1.2 KDF (RFC7627) derived key IKEv2 KDF derived 1056 and 3072 bits IKEv2 KDF key Entropy Input Entropy input 256 bits 256 bits Entropy ENT (NP) N/A used to seed the See Table 11 DRBG DRBG Seed DRBG seed 256 bits 256 bits Seed Hash_DRBG N/A IG D.L compliant derived from (according to SP800entropy input as 90Ar1) defined in SP 80090Ar1 Internal State (V, Internal state of Hash_DRBG: 128, 256 bits Internal state Hash_DRBG (derived N/A C) Hash_DRBG 256 bits from DRBG Seed as IG D.L compliant defined in SP80090Ar1) DH Public Key Public key used by 2048, 3072, 4096, 112-200 bits Public key Safe Primes (SP 800- N/A DH 6144, 8192 bits 56Ar3 section DH Private Key Private key used Private key 5.6.1.1.4 Testing by DH Candidates) Hash_DRBG (for generation of random values per SP 800Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 31

Name Description Size Strength Type Generated By Established By 90Ar1) EC Private Key Private key used P-256, P-384, P- 128-256 bits Private key ECDSA (FIPS 186-4 N/A for ECDSA 521 Appendix B.4.1 Signature Extra Random Bits) Generation and Shared Secret Hash_DRBG (for Computation generation of random EC Public Key Public key used for Public key values per SP 800ECDSA Signature 90Ar1) Verification and Shared Secret Computation RSA Private Key Private key used 2048, 3072, 4096 112, 128, 150 bits Private key RSA (FIPS 186-4 N/A for RSA signature bits Appendix B.3.3 generation Probable Primes) RSA Public Key Public key used for 1024, 2048, 3072, 80, 112, 128, 150 bits Public key RSA signature 4096 bits Hash_DRBG (for verification generation of random values per SP 80090Ar1) DSA Public Key Public key used for (1024, 160), (2048, 80, 112, 128 bits Public key N/A N/A DSA signature 224), (2048, 256), verification (3072, 256) Intermediate Key Intermediate key 112-8192 bits 112-256 bits Intermediate Value CKG (SP 800-133r2 N/A Generation Value generation value Section 4, 6.1) Table 21

Page 32

Name Used By Inputs/Outputs Storage Storage Duration Zeroization Type Related SSPs Message (encrypted); Authentication API output Verification parameters (encrypted) Key-Derivation Key-Based Key API input Used for deriving Key Derivation parameters a key (i.e., (encrypted); Derived Key) API output parameters (encrypted) Shared Secret Shared Secret API input Established using Computation, parameters DH public, DH Key Derivation (encrypted); Private Key, EC API output Public Key, EC parameters Private Key, (encrypted) Derived Key Password Password-Based API input Used for deriving Key Derivation parameters a key (i.e., (plaintext); Derived Key) No output Derived Key Key Derivation, No input; Derived from Key-Based Key API output Key-Derivation Derivation, parameters Key, Shared Password-Based (encrypted) Secret or Key Derivation Password Entropy Input Random Number No input; From generation until Automatic, Used for deriving Generation No output DRBG Seed is created remove power DRBG Seed DRBG Seed While the DRBG from the Derived from IG D.L compliant is instantiated module Entropy Input; used for the generation of Internal State (V, C) Internal State While the module Remove power Generated from (V, C) is operational from the DRBG Seed IG D.L compliant module DH Public Key Shared Secret API input For the duration of Destroy object, PSP Paired with DH Computation, parameters the service remove power Private Key; used Key Pair (encrypted); from the for establishing Generation API output module Shared Secret DH Private Key parameters CSP Paired with DH (encrypted) Public Key, used for establishing Shared Secret EC Public Key Shared Secret API input PSP Paired with EC Computation, parameters Private Key; used Signature (encrypted); for establishing Verification API output Shared Secret parameters EC Private Key Shared Secret CSP Paired with EC (encrypted) Computation, Public Key; used Signature for establishing Generation Shared Secret RSA Public Key Signature API input PSP Paired with RSA Verification parameters Private Key Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 33

Name Used By Inputs/Outputs Storage Storage Duration Zeroization Type Related SSPs RSA Private Key Signature (encrypted); CSP Paired with RSA Generation API output Public Key parameters (encrypted) DSA Public Key Signature API input PSP N/A Verification parameters (encrypted); No output Intermediate Key Pair N/A Automatically CSP Generated Key Generation Generation during the Value generation of RSA Public Key, RSA Private Key, DH Public Key, DH Private Key, EC Public Key, EC Private Key Table 22

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. The RSA, ECDSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 will be withdrawn on February 3, 2024. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 34
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Implementation Test Properties Test Method Test Type Indicator Details HMAC-SHA-256 Generic C 256-bit key Message Software Module becomes Integrity test for Authentication integrity operational libfreeblpriv3.so and libfsoftokn3.so Table 23 - Pre-Operational Self-Tests The pre-operational software integrity test is performed automatically, after the CASTs, when the module is powered on before the module transitions into the operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-test has passed successfully. If the pre-operational self-test fails, the module transitions to the error (i.e., Power-On Error) state.

10.2 Conditional Self-Tests

Algorithm Implementation Test Properties Test Method Type Indicator Details Conditions SHA-224 Generic C 512-bit message KAT CAST Module is Message Freebl operational Digest initialization SHA-256 SHA-384 SHA-512 AES-ECB AESNI, CE, Generic 128, 192, 256-bit Encryption C key Decryption 128-bit plaintext AES-CBC 128, 192, 256-bit Encryption key Decryption AES-GCM Encryption Decryption AES-CMAC Generic C 128, 192, 256-bit Message key Authentication 128-bit message HMAC SHA-224 288-bit key HMAC SHA-256 HMAC SHA-384 HMAC SHA-512 KBKDF Counter mode Key Derivation Softoken HMAC SHA-256 initialization 576-bit input key HKDF SHA-256 512-bit input secret TLS 1.0/1.1 KDF MD5-SHA-1 Freebl 288-bit input initialization secret TLS 1.2 KDF SHA-256 288-bit input secret IKEv2 PRF SHA-1, SHA-256, Softoken SHA-384, initialization Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 35

Algorithm Implementation Test Properties Test Method Type Indicator Details Conditions SHA-512 80, 128, 144-bit input secret PBKDF2 SHA-256 14-character password 128-bit salt Iteration count: 5 Hash_DRBG SHA-256 without Instantiate Freebl prediction Generate initialization resistance Reseed Generate (compliant with SP 80090A Section 11.3) KAS-FFC-SSC 2048-bit key Shared Secret KAS-ECC-SSC P-256 Computation RSA PKCS#1 v1.5 with Signature Softoken SHA-256, Generation initialization SHA-384, SHA-512 Signature 2048-bit key Verification DSA 1024-bit key Signature Freebl Verification initialization ECDSA SHA-256 Signature Freebl P-256 Generation initialization Signature Verification Safe Primes N/A PCT Conditional Key Pair Generation SP 800-56Ar3 Key Pair ECDH Pairwise is successful Section Generation Consistency 5.6.2.1.4 RSA PKCS#1 v1.5 with Self-Test Signature SHA-256 Generation & ECDSA SHA-256 Signature Verification Table 24 - Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 24. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the Power-On Error state. Upon generation of a DH, EC or RSA key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 24, which provides some assurance that the generated key pair is well formed. The test for DH and ECDH consists of the PCT described in Section 5.6.2.1.4 of SP 800-56Ar3. For ECDSA or RSA key pairs, the tests consist of performing signature generation and verification using the generated key pairs. Services are not available, and data output (via the data output interface) is inhibited during execution of the PCT. If a PCT test fails, the module transitions to the PCT Error state.

10.3 Periodic Self-Tests

The module does not implement any periodic self-tests.

10.4 Error States

Name Description Conditions Recovery Method Indicator Power-On Error An error occurred during Software integrity test Restart of the Module will not load the self-tests executed failure module Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 36

Name Description Conditions Recovery Method Indicator on power-on CAST failure PCT Error An error occurred PCT failure during a PCT Module stops functioning (sftk_fatalError is set to TRUE) Table 25 - Error States In any error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation

The software integrity tests and CASTs can be invoked on demand by unloading and subsequently re-initializing the module. The PCTs can be invoked on demand by requesting the key pair generation service. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 37
11 Life-Cycle Assurance
11.1 Startup Procedures

The module is distributed as part of the Oracle Linux 9 (OL9) RPM package in the form of nss-softokn-3.90.0-3.0.1.el9_2_fips and nss-softokn-freebl-3.90.0-3.0.1.el9_2_fips RPM packages that are located in the “Oracle Linux 9 Security Validation (Update 3)” yum repository (ol9_u3_security_validation). The module can achieve the FIPS validated configuration by:

11.2 Administrator Guidance

See section 2.7 for algorithm-specific information.

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Maintenance Requirements

There are no maintenance requirements.

11.5 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the nss-softokn-3.90.0-3.0.1.el9_2_fips and nss-softokn-freebl-3.90.03.0.1.el9_2_fips RPM packages can be uninstalled from the Oracle Linux 9 system. Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 38
12 Mitigation of Other Attacks

Timing attacks on RSA: RSA blinding: Timing attack on RSA was first demonstrated by Paul Kocher in 1996, who contributed the mitigation code to our module. Most recently Boneh and Brumley showed that RSA blinding is an effective defense against timing attacks on RSA. Specific Limit: None Cache-timing attacks on the modular exponentiation operation used in RSA: Cache invariant modular exponentiation: This is a variant of a modular exponentiation implementation that Colin Percival showed to defend against cache-timing attacks. Specific Limit: This mechanism requires intimate knowledge of the cache line sizes of the processor. The mechanism may be ineffective when the module is running on a processor whose cache line sizes are unknown. Arithmetic errors in RSA signatures: Double-checking RSA signatures: Arithmetic errors in RSA signatures might leak the private key. Ferguson and Schneier recommend that every RSA signature generation should verify the signature just generated. Specific Limit: None Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 39
13 Glossary and Abbreviations

AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator DSA Digital Signature Algorithm ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm ENT (NP) Non-physical Entropy Source FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code KAT Known Answer Test KBKDF Key-based Key Derivation Function MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter TOEPP Tested Operational Environment’s Physical Perimeter Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 40
14 References

FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf Oracle Linux 9 NSS Cryptographic Module Security Policy

Page 41

SP 800-56Cr1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf Oracle Linux 9 NSS Cryptographic Module Security Policy