All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Red Hat Enterprise Linux 8 Kernel Cryptographic API

Certificate#4804StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorRed Hat(R), Inc.
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 10212 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/18/2026
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy. The module generates random strings whose strengths are modified by available entropy.
VendorRed Hat(R), Inc.

Approved Algorithms (122)

AlgorithmACVP Cert
AES-CBCA3648
AES-CBCA3654
AES-CBCA3657
AES-CBC-CS3A3651
AES-CBC-CS3A3661
AES-CCMA3648
AES-CCMA3657
AES-CFB128A3650
AES-CFB128A3660
AES-CMACA3648
AES-CMACA3657
AES-CTRA3648
AES-CTRA3654
AES-CTRA3657
AES-ECBA3648
AES-ECBA3652
AES-ECBA3653
AES-ECBA3654
AES-ECBA3655
AES-ECBA3656
AES-ECBA3657
AES-ECBA3658
AES-ECBA3659
AES-GCMA3648
AES-GCMA3652
AES-GCMA3653
AES-GCMA3654
AES-GCMA3655
AES-GCMA3656
AES-GCMA3657
AES-GCMA3658
AES-GCMA3659
AES-GMACA3648
AES-GMACA3657
AES-XTS Testing Revision 2.0A3648
AES-XTS Testing Revision 2.0A3654
AES-XTS Testing Revision 2.0A3657
Counter DRBGA3648
Counter DRBGA3652
Counter DRBGA3653
Counter DRBGA3654
Counter DRBGA3655
Counter DRBGA3656
Counter DRBGA3657
Counter DRBGA3658
Counter DRBGA3659
Hash DRBGA3648
Hash DRBGA3652
Hash DRBGA3653
Hash DRBGA3654
Hash DRBGA3655
Hash DRBGA3656
Hash DRBGA3657
Hash DRBGA3658
Hash DRBGA3659
Hash DRBGA3662
Hash DRBGA3663
Hash DRBGA3664
HMAC DRBGA3648
HMAC DRBGA3652
HMAC DRBGA3653
HMAC DRBGA3654
HMAC DRBGA3655
HMAC DRBGA3656
HMAC DRBGA3657
HMAC DRBGA3658
HMAC DRBGA3659
HMAC DRBGA3662
HMAC DRBGA3663
HMAC DRBGA3664
HMAC-SHA-1A3648
HMAC-SHA-1A3662
HMAC-SHA-1A3663
HMAC-SHA-1A3664
HMAC-SHA2-224A3648
HMAC-SHA2-224A3662
HMAC-SHA2-224A3663
HMAC-SHA2-224A3664
HMAC-SHA2-256A3648
HMAC-SHA2-256A3662
HMAC-SHA2-256A3663
HMAC-SHA2-256A3664
HMAC-SHA2-384A3648
HMAC-SHA2-384A3662
HMAC-SHA2-384A3663
HMAC-SHA2-384A3664
HMAC-SHA2-512A3648
HMAC-SHA2-512A3662
HMAC-SHA2-512A3663
HMAC-SHA2-512A3664
HMAC-SHA3-224A3649
HMAC-SHA3-256A3649
HMAC-SHA3-384A3649
HMAC-SHA3-512A3649
RSA SigVer (FIPS186-4)A3648
RSA SigVer (FIPS186-4)A3662
RSA SigVer (FIPS186-4)A3663
RSA SigVer (FIPS186-4)A3664
SHA-1A3648
SHA-1A3662
SHA-1A3663
SHA-1A3664
SHA2-224A3648
SHA2-224A3662
SHA2-224A3663
SHA2-224A3664
SHA2-256A3648
SHA2-256A3662
SHA2-256A3663
SHA2-256A3664
SHA2-384A3648
SHA2-384A3662
SHA2-384A3663
SHA2-384A3664
SHA2-512A3648
SHA2-512A3662
SHA2-512A3663
SHA2-512A3664
SHA3-224A3649
SHA3-256A3649
SHA3-384A3649
SHA3-512A3649

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Red Hat Enterprise Linux 8 Kernel Cryptographic API
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Red Hat Enterprise Linux 8 Kernel Cryptographic API
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Red Hat, Inc. Red Hat Enterprise Linux 8 Kernel Cryptographic API Document Version: 1.3 Last Modified: 09/16/2024 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2024 Red Hat, Inc./ atsec information security corporation.

Page 2
Table of Contents
#SectionPage
Page 3

© 2024 Red Hat, Inc./ atsec information security corporation.

Page 4

© 2024 Red Hat, Inc./ atsec information security corporation.

Page 5
List of Tables
ItemPage
Table 1: Security Levels6
Table 3: Tested Operational Environments - Software, Firmware, Hybrid9
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid9
Table 5: Modes List and Description9
Table 6: Approved Algorithms12
Table 7: Non-Approved, Not Allowed Algorithms13
Table 8: Security Function Implementations18
Table 9: Entropy Certificates19
Table 10: Entropy Sources19
Table 11: Ports and Interfaces21
Table 12: Roles22
Table 13: Approved Services26
Table 14: Non-Approved Services27
Table 15: EFP/EFT Information30
Table 16: Hardness Testing Temperatures30
Table 17: Storage Areas32
Table 18: SSP Input-Output Methods32
Table 19: SSP Zeroization Methods33
Table 20: SSP Table 134
Table 21: SSP Table 235
Table 22: Pre-Operational Self-Tests36
Table 23: Conditional Self-Tests54
Table 24: Pre-Operational Periodic Information55
Table 25: Conditional Periodic Information60
Table 26: Error States60
Figure 1: Block Diagram8
Page 6
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version kernel 4.18.0372.52.1.el8_6; libkcapi 1.2.0-2.el8 of the Red Hat Enterprise Linux 8 Kernel Cryptographic API module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.

1.1.1 How this Security Policy was prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

1.3 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Red Hat Enterprise Linux 8 Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: Multi-chip standalone Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP) [O]: The TOEPP of the module is defined as the general-purpose computer on which the module is installed. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 8
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9

N/A for this module. Tested Operational Environments - Software, Firmware, Hybrid: Operating Hardware Processors PAA/PAI Hypervisor Version(s) System Platform or Host OS Red Hat Dell Intel Xeon Yes N/A 4.18.0Enterprise PowerEdge Silver 4216 372.52.1.el8_6 Linux 8 R440 1.2.0-2.el8 Red Hat Dell Intel Xeon No N/A 4.18.0Enterprise PowerEdge Silver 4216 372.52.1.el8_6; Linux 8 R440 1.2.0-2.el8 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating System Hardware Platform Red Hat Enterprise Linux 8 Intel Xeon E5 Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically entered Approved Equivalent to the indicator of mode whenever an approved the requested service as service is requested defined in section 4.3 Non- Automatically entered Non- Equivalent to the indicator of approved whenever a non-approved Approved the requested service as mode service is requested defined in section 4.3 Table 5: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. Mode Change Instructions and Status [O]: © 2024 Red Hat, Inc./ atsec information security corporation.

Page 10

The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description [O]: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A3648 - SP 800-38A AES-CCM A3648 - SP 800-38C AES-CMAC A3648 - SP 800-38B AES-CTR A3648 - SP 800-38A AES-ECB A3648 - SP 800-38A AES-GCM A3648 - SP 800-38D AES-GMAC A3648 - SP 800-38D AES-XTS Testing Revision 2.0 A3648 - SP 800-38E Counter DRBG A3648 - SP 800-90A Rev. 1 Hash DRBG A3648 - SP 800-90A Rev. 1 HMAC DRBG A3648 - SP 800-90A Rev. 1 HMAC-SHA-1 A3648 - FIPS 198-1 HMAC-SHA2-224 A3648 - FIPS 198-1 HMAC-SHA2-256 A3648 - FIPS 198-1 HMAC-SHA2-384 A3648 - FIPS 198-1 HMAC-SHA2-512 A3648 - FIPS 198-1 RSA SigVer (FIPS186-4) A3648 - FIPS 186-4 SHA-1 A3648 - FIPS 180-4 SHA2-224 A3648 - FIPS 180-4 SHA2-256 A3648 - FIPS 180-4 SHA2-384 A3648 - FIPS 180-4 SHA2-512 A3648 - FIPS 180-4 HMAC-SHA3-224 A3649 - FIPS 198-1 HMAC-SHA3-256 A3649 - FIPS 198-1 HMAC-SHA3-384 A3649 - FIPS 198-1 HMAC-SHA3-512 A3649 - FIPS 198-1 SHA3-224 A3649 - FIPS 202 SHA3-256 A3649 - FIPS 202 SHA3-384 A3649 - FIPS 202 SHA3-512 A3649 - FIPS 202 AES-CFB128 A3650 - SP 800-38A AES-CBC-CS3 A3651 - SP 800-38A AES-ECB A3652 - SP 800-38A AES-GCM A3652 - SP 800-38D Counter DRBG A3652 - SP 800-90A Rev. 1 Hash DRBG A3652 - SP 800-90A Rev. 1 HMAC DRBG A3652 - SP 800-90A Rev. 1 © 2024 Red Hat, Inc./ atsec information security corporation.

Page 11

Algorithm CAVP Cert Properties Reference AES-ECB A3653 - SP 800-38A AES-GCM A3653 - SP 800-38D Counter DRBG A3653 - SP 800-90A Rev. 1 Hash DRBG A3653 - SP 800-90A Rev. 1 HMAC DRBG A3653 - SP 800-90A Rev. 1 AES-CBC A3654 - SP 800-38A AES-CTR A3654 - SP 800-38A AES-ECB A3654 - SP 800-38A AES-GCM A3654 - SP 800-38D AES-XTS Testing Revision 2.0 A3654 - SP 800-38E Counter DRBG A3654 - SP 800-90A Rev. 1 Hash DRBG A3654 - SP 800-90A Rev. 1 HMAC DRBG A3654 - SP 800-90A Rev. 1 AES-ECB A3655 - SP 800-38A AES-GCM A3655 - SP 800-38D Counter DRBG A3655 - SP 800-90A Rev. 1 Hash DRBG A3655 - SP 800-90A Rev. 1 HMAC DRBG A3655 - SP 800-90A Rev. 1 AES-ECB A3656 - SP 800-38A AES-GCM A3656 - SP 800-38D Counter DRBG A3656 - SP 800-90A Rev. 1 Hash DRBG A3656 - SP 800-90A Rev. 1 HMAC DRBG A3656 - SP 800-90A Rev. 1 AES-CBC A3657 - SP 800-38A AES-CCM A3657 - SP 800-38C AES-CMAC A3657 - SP 800-38B AES-CTR A3657 - SP 800-38A AES-ECB A3657 - SP 800-38A AES-GCM A3657 - SP 800-38D AES-GMAC A3657 - SP 800-38D AES-XTS Testing Revision 2.0 A3657 - SP 800-38E Counter DRBG A3657 - SP 800-90A Rev. 1 Hash DRBG A3657 - SP 800-90A Rev. 1 HMAC DRBG A3657 - SP 800-90A Rev. 1 AES-ECB A3658 - SP 800-38A AES-GCM A3658 - SP 800-38D Counter DRBG A3658 - SP 800-90A Rev. 1 Hash DRBG A3658 - SP 800-90A Rev. 1 HMAC DRBG A3658 - SP 800-90A Rev. 1 AES-ECB A3659 - SP 800-38A AES-GCM A3659 - SP 800-38D Counter DRBG A3659 - SP 800-90A Rev. 1 Hash DRBG A3659 - SP 800-90A Rev. 1 HMAC DRBG A3659 - SP 800-90A Rev. 1 AES-CFB128 A3660 - SP 800-38A AES-CBC-CS3 A3661 - SP 800-38A Hash DRBG A3662 - SP 800-90A Rev. 1 HMAC DRBG A3662 - SP 800-90A Rev. 1 HMAC-SHA-1 A3662 - FIPS 198-1 HMAC-SHA2-224 A3662 - FIPS 198-1 © 2024 Red Hat, Inc./ atsec information security corporation.

Page 12

Algorithm CAVP Cert Properties Reference HMAC-SHA2-256 A3662 - FIPS 198-1 HMAC-SHA2-384 A3662 - FIPS 198-1 HMAC-SHA2-512 A3662 - FIPS 198-1 RSA SigVer (FIPS186-4) A3662 - FIPS 186-4 SHA-1 A3662 - FIPS 180-4 SHA2-224 A3662 - FIPS 180-4 SHA2-256 A3662 - FIPS 180-4 SHA2-384 A3662 - FIPS 180-4 SHA2-512 A3662 - FIPS 180-4 Hash DRBG A3663 - SP 800-90A Rev. 1 HMAC DRBG A3663 - SP 800-90A Rev. 1 HMAC-SHA-1 A3663 - FIPS 198-1 HMAC-SHA2-224 A3663 - FIPS 198-1 HMAC-SHA2-256 A3663 - FIPS 198-1 HMAC-SHA2-384 A3663 - FIPS 198-1 HMAC-SHA2-512 A3663 - FIPS 198-1 RSA SigVer (FIPS186-4) A3663 - FIPS 186-4 SHA-1 A3663 - FIPS 180-4 SHA2-224 A3663 - FIPS 180-4 SHA2-256 A3663 - FIPS 180-4 SHA2-384 A3663 - FIPS 180-4 SHA2-512 A3663 - FIPS 180-4 Hash DRBG A3664 - SP 800-90A Rev. 1 HMAC DRBG A3664 - SP 800-90A Rev. 1 HMAC-SHA-1 A3664 - FIPS 198-1 HMAC-SHA2-224 A3664 - FIPS 198-1 HMAC-SHA2-256 A3664 - FIPS 198-1 HMAC-SHA2-384 A3664 - FIPS 198-1 HMAC-SHA2-512 A3664 - FIPS 198-1 RSA SigVer (FIPS186-4) A3664 - FIPS 186-4 SHA-1 A3664 - FIPS 180-4 SHA2-224 A3664 - FIPS 180-4 SHA2-256 A3664 - FIPS 180-4 SHA2-384 A3664 - FIPS 180-4 SHA2-512 A3664 - FIPS 180-4 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2024 Red Hat, Inc./ atsec information security corporation.

Page 13

Name Use and Function AES-GCM with external Encryption IV KBKDF (libkcapi) Key derivation HKDF (libkcapi) Key derivation PBKDF2 (libkcapi) Password-based key derivation RSA Encryption primitive; Decryption primitive RSA with PKCS#1 v1.5 Signature generation (pre-hashed message); Signature padding verification (pre-hashed message); Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption with BC-UnAuth Encrypt a Key size(s):128, AES-CBC AES plaintext with 192, 256 bits AES-CBC AES (XTS mode 128 AES-CBC and 256 bits AES-CBC-CS3 only) AES-CBC-CS3 AES-CFB128 AES-CFB128 AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 Decryption with BC-UnAuth Decrypt a Key size(s):128, AES-CBC AES ciphertext with 192, 256 bits AES-CBC AES (XTS mode 128 AES-CBC and 256 bits AES-CBC-CS3 only) AES-CBC-CS3 AES-CFB128 AES-CFB128 AES-CTR © 2024 Red Hat, Inc./ atsec information security corporation.

Page 14

Name Type Description Properties Algorithms AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 Hashing SHA Compute a SHA-1:N/A SHA-1 message digest SHA2-224:N/A SHA-1 SHA2-256:N/A SHA-1 SHA2-384:N/A SHA-1 SHA2-512:N/A SHA2-224 SHA3-224:N/A SHA2-224 SHA3-256:N/A SHA2-224 SHA3-384:N/A SHA2-224 SHA3-512:N/A SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Message MAC Compute a MAC HMAC key AES-CMAC authentication tag for size(s):112- AES-CMAC authentication 524288 bits AES-GMAC (112-256 bits) AES-GMAC AES key HMAC-SHA-1 size(s):128, 192, HMAC-SHA-1

256 bits HMAC-SHA-1

HMAC-SHA-1 © 2024 Red Hat, Inc./ atsec information security corporation.

Page 15

Name Type Description Properties Algorithms HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA3HMAC-SHA3HMAC-SHA3HMAC-SHA3Random DRBG Generate Counter Counter DRBG number random DRBG:128, 192, Counter DRBG generation with numbers from 256 bits Counter DRBG DRBGs DRBGs HMAC Counter DRBG DRBG:SHA-1, Counter DRBG SHA-256, SHA- Counter DRBG

512 Counter DRBG

Hash Counter DRBG DRBG:SHA-1, Counter DRBG SHA-256, SHA- Hash DRBG

512 Hash DRBG

Hash DRBG © 2024 Red Hat, Inc./ atsec information security corporation.

Page 16

Name Type Description Properties Algorithms Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG Signature DigSig-SigVer Verify a Padding:PKCS#1 RSA SigVer verification with signature with v1.5 (FIPS186-4) RSA RSA Hashes:SHA-256 RSA SigVer Key size(s):3072 (FIPS186-4) bits (128 bits) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) Authenticated BC-Auth Encrypt and Key size(s):128, AES-CCM encryption with authenticate a 192, 256 bits AES-CCM AES plaintext with AES-GCM AES AES-GCM AES-GCM AES-CBC AES-CBC AES-CBC AES-CTR AES-CTR AES-CTR HMAC-SHA-1 HMAC-SHA2HMAC-SHA2© 2024 Red Hat, Inc./ atsec information security corporation.

Page 17

Name Type Description Properties Algorithms HMAC-SHA2HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2Authenticated BC-Auth Decrypt and Key size(s):128, AES-CCM decryption with authenticate a 192, 256 bits AES-CCM AES ciphertext with AES-GCM AES AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-CBC AES-CBC AES-CBC AES-CTR AES-CTR AES-CTR HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2© 2024 Red Hat, Inc./ atsec information security corporation.

Page 18

Name Type Description Properties Algorithms HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2Key wrapping KTS-Wrap Key wrapping Key size(s):128, AES-GCM 192, 256 bits AES-GCM AES-GCM Key unwrapping KTS-Wrap Key unwrapping Key size(s):128, AES-GCM 192, 256 bits AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Table 8: Security Function Implementations

2.7 Algorithm Specific Information

Legacy use: Digital Signature Verification with SHA-1 is allowed for legacy use only.

2.7.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario

1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs

generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 19

The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in section 4.3.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.3 RSA

For RSA signature verification, the module supports modulus size 3072 and 4096 bits. The supported modulus size has been CAVP tested.

2.7.4 SHA-3

The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of each SHA-3 function was tested and validated on all the module’s operating environments. SHAKE functions are not implemented. SHA-3 hash functions are also used as part of a higher-level algorithm for HMAC.

2.8 RBG and Entropy

Cert Vendor Number Name E54 Red Hat, Inc. Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample RHEL Kernel Non- Red Hat Enterprise 64 bits 59.62 Linear-Feedback CPU Time Physical Linux 8 on Dell bits Shift Register Jitter RNG PowerEdge R440 (LFSR) Entropy Source Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each of these DRBG implementations can be instantiated by the operator of the module. When instantiated, these DRBGs can be used to generate random numbers for external usage. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 20

Additionally, the module employs a specific HMAC-SHA2-512 DRBG implementation for internal purposes (e.g. to generate initialization vectors). This DRBG is initially seeded with

384 output bits from the entropy source (357 bits of entropy) and reseeded with 256 output

bits from the entropy source (238 bits of entropy).

2.9 Key Generation

The module does not provide key generation.

2.10 Key Establishment

As permitted by IG D.G, the module provides key transport methods by using AES-GCM encryption mode in the context of IPsec protocol.

2.11 Industry Protocols

AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP.

2.12 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 21
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Port Logical Data That Passes Interface(s) As a software-only module, the module Data Input API data input parameters, does not have physical ports. Physical ports AF_ALG type sockets are interpreted to be the physical ports of the hardware platform on which it runs. As a software-only module, the module Data Output API data output parameters, does not have physical ports. Physical ports AF_ALG type sockets are interpreted to be the physical ports of the hardware platform on which it runs. As a software-only module, the module Control Input API function calls, API control does not have physical ports. Physical ports input parameters, AF_ALG are interpreted to be the physical ports of type sockets, kernel the hardware platform on which it runs. command line As a software-only module, the module Status API return values, AF_ALG does not have physical ports. Physical Ports Output type sockets, kernel logs are interpreted to be the physical ports of the hardware platform on which it runs. Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design, AF_ALG type socket that allows the applications running in the user space to request cryptographic services from the module.

3.2 Trusted Channel Specification [O]

The module does not implement a trusted channel.

3.3 Control Interface Not Inhibited [O]

The module does not implement a control output interface.

3.4 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 22
4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not implement authentication.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descripti Indicator Inputs Outputs Security SSP on Function Acce s ss Message Compute crypto_shash_init Messag Digest Hashing Crypt digest a returns 0 e value o message Offic digest er Key Wrap a crypto_skcipher_set AES wrapped Key Crypt wrapping key key returns 0; key, key wrapping o crypto_shash_init key to Offic returns 0 be er wrappe - AES d key: W,E HMA C key: W,E Key Unwrap a crypto_skcipher_set AES unwrapped Key Crypt unwrappin key key returns 0; key, key unwrappin o g crypto_shash_init key to g Offic returns 0 be er unwrap - AES ped key: W,E HMA C © 2024 Red Hat, Inc./ atsec information security corporation.

Page 23

Name Descripti Indicator Inputs Outputs Security SSP on Function Acce s ss key: W,E Encryption Encrypt a crypto_skcipher_set AES Ciphertext Encryption Crypt plaintext key returns 0 key, with AES o plaintex Offic t er - AES key: W,E Decryptio Decrypt a crypto_skcipher_set AES Plaintext Decryptio Crypt n ciphertext key returns 0 key, n with AES o cipherte Offic xt er - AES key: W,E Authentica Encrypt For all except AES AES Ciphertext, Authentic Crypt ted and GCM: key, MAC tag ated o encryption authentic crypto_aead_setkey plaintex encryption Offic ate a returns 0; For AES t with AES er plaintext GCM: - AES crypto_aead_get_fla key: gs(tfm) has the W,E CRYPTO_TFM_ FIPS_COMPLIANCE flag set Authentica Encrypt For all except AES AES Plaintext or Authentic Crypt ted and GCM: key, failure ated o decryption authentic crypto_aead_setkey cipherte decryption Offic ate a returns 0; For AES xt, MAC with AES er ciphertext GCM: tag - AES crypto_aead_get_fla key: gs(tfm) has the W,E CRYPTO_TFM_ FIPS_COMPLIANCE flag set Message Compute crypto_shash_init AES: MAC tag Message Crypt authentica a MAC tag returns 0 AES authentica o tion key, tion Offic generatio messag er n e; - AES HMAC: key: HMAC W,E key, messag HMA e C key: W,E © 2024 Red Hat, Inc./ atsec information security corporation.

Page 24

Name Descripti Indicator Inputs Outputs Security SSP on Function Acce s ss Message Compute crypto_shash_init AES: Success/Fa Message Crypt authentica a MAC tag returns 0 AES ilure authentica o tion key, tion Offic verificatio messag er n e, MAC - AES tag; key: HMAC: W,E HMAC key, HMA messag C e, MAC key: tag W,E Random Generate crypto_rng_get_byt Output Random Random Crypt number random es returns 0 length bytes number o generatio bytes generatio Offic n n with er DRBGs Entro py input: W,E DRB G seed: G,E DRB G Inter nal state (V, Key): G,W, E DRB G Inter nal state (V, C): G,W, E Error Compute None Messag EDC None Crypt detection an EDC e o code (crc32, Offic crct10dif) er © 2024 Red Hat, Inc./ atsec information security corporation.

Page 25

Name Descripti Indicator Inputs Outputs Security SSP on Function Acce s ss Compressi Compress None Data Compresse None Crypt on data d data

Page 26

Name Descripti Indicator Inputs Outputs Security SSP on Function Acce s ss decryption with AES Zeroizatio Zeroize None Any SSP N/A None Crypt n all SSPs

Page 27
4.4 Non-Approved Services

Name Description Algorithms Role AES GCM external IV Encrypt a plaintext using AES AES-GCM with CO encryption GCM with an external IV external IV Key derivation Derive a key from a key- KBKDF (libkcapi) CO derivation key or a shared HKDF (libkcapi) secret Password-based key Derive a key from a password PBKDF2 (libkcapi) CO derivation RSA encryption primitive Compute the raw RSA RSA CO encryption of a plaintext RSA decryption primitive Compute the raw RSA RSA CO decryption of a cipertext RSA signature generation Generate a digital signature for RSA with PKCS#1 CO (pre-hashed message) a pre-hashed message v1.5 padding RSA signature verification Verify a digital signature for a RSA with PKCS#1 CO (pre-hashed message) pre-hashed message v1.5 padding Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware.

4.6 Bypass Actions and Status [O]

The module does not implement a bypass capability.

4.7 Cryptographic Output Actions and Status [O]

The module does not implement a self-initiated cryptographic output capability.

4.8 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 28
5 Software/Firmware Security
5.1 Integrity Techniques

The Linux kernel binary is integrity tested using an HMAC-SHA2-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). An HMAC-SHA2-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity. The kernel crypto object files listed in section 2.2 are loaded on start-up by the module and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-256, and a 3072-bit key.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests.

5.3 Open-Source Parameters [O]
5.4 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 29
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied [O]: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions [O]

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.

6.3 Additional Information [O]

The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to:

Page 30
7 Physical Security
7.1 Mechanisms and Actions Required [O]

N/A for this module. The module is comprised of software only and therefore this section is not applicable.

7.2 User Placed Tamper Seals [O]
7.3 Filler Panels [O]
7.4 Fault Induction Mitigation [O]
7.5 EFP/EFT Information [O]

Temp/Voltage Temperature EFP Result Type or Voltage or EFT LowTemperature HighTemperature LowVoltage HighVoltage Table 15: EFP/EFT Information Not applicable.

7.6 Hardness Testing Temperature Ranges [O]

Temperature Temperature Type LowTemperature HighTemperature Table 16: Hardness Testing Temperatures Not applicable.

7.7 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 31
8 Non-Invasive Security
8.1 Mitigation Techniques [O]

This module does not implement any non-invasive security mechanism and therefore this section is not applicable.

8.2 Effectiveness [O]
8.3 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 32
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution Table 17: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameters; calling c module t c AF_ALG_typ applicatio e sockets n (TOEPP) (input) Table 18: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate handle SSPs SSPs is overwritten with zeroization functions: AES key: contained zeroes, which renders crypto_free_skcipher and within the the SSP values crypto_free_aead; HMAC key: cipher handle irretrievable. The crypto_free_shash and completion of the crypto_free_ahash; DRBG zeroization routine internal state: crypto_free_rng; indicates that the DRBG seed: crypto_free_rng; zeroization procedure Entropy input string: succeeded. crypto_free_rng; Remove De-allocates Volatile memory used By removing power power from the volatile by the module is the module memory used overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. The © 2024 Red Hat, Inc./ atsec information security corporation.

Page 33

Zeroization Description Rationale Operator Initiation Method successful removal of power implicitly indicates that the zeroization is complete. Table 19: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h AES AES key 128, Symmetric Encryption key used for 192, 256 Key - CSP with AES encryption, bits - Decryption decryption, 128, with AES and 192, 256 Authenticate computing bits d encryption MAC tags. with AES Authenticate d decryption with AES Key wrapping Key unwrapping HMAC HMAC key. 112- Authenticatio Message key 524288 n key - CSP authenticatio bits - n 112-256 bits Entrop Entropy 128-384 Entropy Random y input input used bits - input - CSP number to seed the 117-357 generation DRBGs. bits with DRBGs Compliant with IG D.L. DRBG DRBG seed Counter Seed - CSP Random Random seed derived DRBG: number number from 128, generation generation entropy 192, 256 with with DRBGs input. bits; DRBGs Compliant Hash with IG D.L. DRBG: 128, 256 bits; HMAC DRBG: 128, 256 © 2024 Red Hat, Inc./ atsec information security corporation.

Page 34

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h bits Counter DRBG: 128, 192, 256 bits; Hash DRBG: 128, 256 bits; HMAC DRBG: 128, 256 bits DRBG Internal Counter Internal state Random Random Interna state of DRBG: - CSP number number l state Counter 128, generation generation (V, DRBG and 192, 256 with with DRBGs Key) HMAC bits; DRBGs DRBG HMAC instances. DRBG: Compliant 128, 256 with IG D.L. bits Counter DRBG: 128, 192, 256 bits; HMAC DRBG: 128, 256 bits DRBG Internal Hash Internal state Random Random Interna state of DRBG: - CSP number number l state Hash DRBG 128, 256 generation generation (V, C) instances. bits - with with DRBGs Compliant Hash DRBGs with IG D.L. DRBG: 128, 256 bits Table 20: SSP Table 1 Name Input - Storage Storage Zeroization Related Output Duration SSPs AES key API input RAM:Plaintext Until cipher Free cipher parameters; handle is handle AF_ALG_type freed or Remove sockets module power from (input) powered off the module © 2024 Red Hat, Inc./ atsec information security corporation.

Page 35

Name Input - Storage Storage Zeroization Related Output Duration SSPs HMAC API input RAM:Plaintext Until cipher Free cipher key parameters; handle is handle AF_ALG_type freed or Remove sockets module power from (input) powered off the module Entropy RAM:Plaintext From Free cipher DRBG input generation handle seed:Derives until DRBG Remove seed/reseed power from the module DRBG RAM:Plaintext While the Free cipher Entropy seed DRBG is being handle input:Derived instantiated Remove From power from DRBG Internal the module state (V, Key):Derives DRBG Internal state (V, C):Derives DRBG RAM:Plaintext From DRBG Free cipher DRBG Internal instantiation handle seed:Derived state (V, until DRBG Remove From Key) termination power from the module DRBG RAM:Plaintext From DRBG Free cipher DRBG Internal instantiation handle seed:Derived state (V, until DRBG Remove From C) termination power from the module Table 21: SSP Table 2

9.5 Transitions [O]

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 will be withdrawn on February 3, 2024.

9.6 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 36
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-512 Authentication Integrity becomes vmlinuz, (A3664) operational libkcapi and services components are available and for use. sha512hmac binary RSA SigVer 3072-bit key Signature SW/FW Module Integrity test for (FIPS186-4) with SHA- Verification Integrity becomes kernel object (A3648) 256 operational files and services are available for use. Table 22: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A3648) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A3662) messages becomes digest initialization operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 37

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A3663) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A3664) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A3648) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A3662) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A3663) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A3664) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A3648) messages becomes digest initialization operational © 2024 Red Hat, Inc./ atsec information security corporation.

Page 38

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A3662) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A3663) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A3664) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A3648) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A3662) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A3663) messages becomes digest initialization operational and services are © 2024 Red Hat, Inc./ atsec information security corporation.

Page 39

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A3664) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A3648) message becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A3662) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A3663) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A3664) messages becomes digest initialization operational and services are available for use. SHA3-224 0-8184 bit KAT CAST Module Message Module (A3649) message becomes digest initialization operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 40

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA3-256 0-8184 bit KAT CAST Module Message Module (A3649) message becomes digest initialization operational and services are available for use. SHA3-384 0-8184 bit KAT CAST Module Message Module (A3649) message becomes digest initialization operational and services are available for use. SHA3-512 0-8184 bit KAT CAST Module Message Module (A3649) message becomes digest initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3648) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3652) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3653) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3654) 256 bit keys becomes Decryption initialization operational © 2024 Red Hat, Inc./ atsec information security corporation.

Page 41

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3655) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3656) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3658) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3659) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A3657) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Encryption, Module (A3648) 256 bit keys becomes Decryption initialization operational and services are © 2024 Red Hat, Inc./ atsec information security corporation.

Page 42

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-CBC 128, 192, KAT CAST Module Encryption, Module (A3654) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CBC- 128 bit keys KAT CAST Module Encryption, Module CS3 becomes Decryption initialization (A3661) operational and services are available for use. AES- 128, 192, KAT CAST Module Encryption, Module CFB128 256 bit keys becomes Decryption initialization (A3660) operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption, Module (A3648) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption, Module (A3657) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CCM 128, 192, KAT CAST Module Encryption, Module (A3657) 256 bit keys; becomes Decryption initialization 128-bit IVs operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 43

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128, 192, KAT CAST Module Encryption, Module (A3648) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A3652) 256 bit keys, becomes initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A3653) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A3654) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A3655) 256 bit keys, becomes initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A3656) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A3657) 256 bit keys, becomes Decryption initialization 96-bit IVs operational © 2024 Red Hat, Inc./ atsec information security corporation.

Page 44

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A3658) 256 bit keys, becomes initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A3659) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption, Module Testing bit keys becomes Decryption initialization Revision operational

2.0 and

(A3648) services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption, Module Testing bit keys becomes Decryption initialization Revision operational

2.0 and

(A3657) services are available for use. AES-CMAC 128 and 256 KAT CAST Module Message Module (A3657) bit keys becomes authentication initialization operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A3648) operational and services are © 2024 Red Hat, Inc./ atsec information security corporation.

Page 45

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A3662) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A3663) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A3664) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A3648) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A3662) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A3663) operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 46

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A3664) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A3648) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A3662) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A3663) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A3664) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A3648) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A3662) operational © 2024 Red Hat, Inc./ atsec information security corporation.

Page 47

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A3663) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A3664) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A3648) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A3662) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A3663) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A3664) operational Before and integrity services test. are © 2024 Red Hat, Inc./ atsec information security corporation.

Page 48

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-224 keys becomes authentication initialization (A3649) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-256 keys becomes authentication initialization (A3649) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-384 keys becomes authentication initialization (A3649) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-512 keys becomes authentication initialization (A3649) operational and services are available for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3648) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3652) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 49

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3653) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3654) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3655) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3656) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3657) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3658) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A3659) With/without operational © 2024 Red Hat, Inc./ atsec information security corporation.

Page 50

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3648) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3652) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3653) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3654) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3655) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3656) PR; Health operational test per and section 11.3 services are © 2024 Red Hat, Inc./ atsec information security corporation.

Page 51

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3657) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3658) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3659) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3662) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3663) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A3664) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 52

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3648) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3652) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3653) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3654) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3655) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3656) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3657) With/without operational © 2024 Red Hat, Inc./ atsec information security corporation.

Page 53

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3658) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3659) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3662) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3663) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A3664) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186- with SHA- becomes initialization. 4) (A3648) 256 operational Before and integrity services test. are © 2024 Red Hat, Inc./ atsec information security corporation.

Page 54

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186- with SHA- becomes initialization.

  1. (A3662) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186- with SHA- becomes initialization.
  2. (A3663) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186- with SHA- becomes initialization.
  3. (A3664) 256 operational Before and integrity services test. are available for use. Entropy 1024 RCT CAST Module Entropy Entropy Source samples becomes source start- source operational up test initialization and services are available for use. Entropy 1024 APT CAST Module Entropy Entropy Source samples becomes source start- source operational up test initialization and services are available for use. Entropy Cutoff C = RCT CAST Entropy Entropy Continuously Source 61 source is source operationalcontinuous test Entropy Cutoff C = APT CAST Entropy Entropy Continuously Source 355 source is source operational continuous test Table 23: Conditional Self-Tests © 2024 Red Hat, Inc./ atsec information security corporation.
Page 55

The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. Services are not available, and data output (via the data output interface) is inhibited during the conditional self-tests. If any of these tests fails, the module transitions to the Error State.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually

512 (A3664) Authentication

RSA SigVer Signature SW/FW Integrity On demand Manually (FIPS186-4) Verification (A3648) Table 24: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A3648) KAT CAST On demand Manually SHA-1 (A3662) KAT CAST On demand Manually SHA-1 (A3663) KAT CAST On demand Manually SHA-1 (A3664) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A3648) SHA2-224 KAT CAST On demand Manually (A3662) SHA2-224 KAT CAST On demand Manually (A3663) SHA2-224 KAT CAST On demand Manually (A3664) SHA2-256 KAT CAST On demand Manually (A3648) SHA2-256 KAT CAST On demand Manually (A3662) SHA2-256 KAT CAST On demand Manually (A3663) SHA2-256 KAT CAST On demand Manually (A3664) SHA2-384 KAT CAST On demand Manually (A3648) SHA2-384 KAT CAST On demand Manually (A3662) SHA2-384 KAT CAST On demand Manually (A3663) SHA2-384 KAT CAST On demand Manually (A3664) SHA2-512 KAT CAST On demand Manually (A3648) © 2024 Red Hat, Inc./ atsec information security corporation.

Page 56

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-512 KAT CAST On demand Manually (A3662) SHA2-512 KAT CAST On demand Manually (A3663) SHA2-512 KAT CAST On demand Manually (A3664) SHA3-224 KAT CAST On demand Manually (A3649) SHA3-256 KAT CAST On demand Manually (A3649) SHA3-384 KAT CAST On demand Manually (A3649) SHA3-512 KAT CAST On demand Manually (A3649) AES-ECB KAT CAST On demand Manually (A3648) AES-ECB KAT CAST On demand Manually (A3652) AES-ECB KAT CAST On demand Manually (A3653) AES-ECB KAT CAST On demand Manually (A3654) AES-ECB KAT CAST On demand Manually (A3655) AES-ECB KAT CAST On demand Manually (A3656) AES-ECB KAT CAST On demand Manually (A3658) AES-ECB KAT CAST On demand Manually (A3659) AES-ECB KAT CAST On demand Manually (A3657) AES-CBC KAT CAST On demand Manually (A3648) AES-CBC KAT CAST On demand Manually (A3654) AES-CBC-CS3 KAT CAST On demand Manually (A3661) AES-CFB128 KAT CAST On demand Manually (A3660) AES-CTR KAT CAST On demand Manually (A3648) AES-CTR KAT CAST On demand Manually (A3657) AES-CCM KAT CAST On demand Manually (A3657) AES-GCM KAT CAST On demand Manually (A3648) AES-GCM KAT CAST On demand Manually (A3652) © 2024 Red Hat, Inc./ atsec information security corporation.

Page 57

Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On demand Manually (A3653) AES-GCM KAT CAST On demand Manually (A3654) AES-GCM KAT CAST On demand Manually (A3655) AES-GCM KAT CAST On demand Manually (A3656) AES-GCM KAT CAST On demand Manually (A3657) AES-GCM KAT CAST On demand Manually (A3658) AES-GCM KAT CAST On demand Manually (A3659) AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A3648) AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A3657) AES-CMAC KAT CAST On demand Manually (A3657) HMAC-SHA-1 KAT CAST On demand Manually (A3648) HMAC-SHA-1 KAT CAST On demand Manually (A3662) HMAC-SHA-1 KAT CAST On demand Manually (A3663) HMAC-SHA-1 KAT CAST On demand Manually (A3664) HMAC-SHA2- KAT CAST On demand Manually

224 (A3648)

HMAC-SHA2- KAT CAST On demand Manually

224 (A3662)

HMAC-SHA2- KAT CAST On demand Manually

224 (A3663)

HMAC-SHA2- KAT CAST On demand Manually

224 (A3664)

HMAC-SHA2- KAT CAST On demand Manually

256 (A3648)

HMAC-SHA2- KAT CAST On demand Manually

256 (A3662)

HMAC-SHA2- KAT CAST On demand Manually

256 (A3663)

HMAC-SHA2- KAT CAST On demand Manually

256 (A3664)

HMAC-SHA2- KAT CAST On demand Manually

384 (A3648)

HMAC-SHA2- KAT CAST On demand Manually

384 (A3662)

© 2024 Red Hat, Inc./ atsec information security corporation.

Page 58

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On demand Manually

384 (A3663)

HMAC-SHA2- KAT CAST On demand Manually

384 (A3664)

HMAC-SHA2- KAT CAST On demand Manually

512 (A3648)

HMAC-SHA2- KAT CAST On demand Manually

512 (A3662)

HMAC-SHA2- KAT CAST On demand Manually

512 (A3663)

HMAC-SHA2- KAT CAST On demand Manually

512 (A3664)

HMAC-SHA3- KAT CAST On demand Manually

224 (A3649)

HMAC-SHA3- KAT CAST On demand Manually

256 (A3649)

HMAC-SHA3- KAT CAST On demand Manually

384 (A3649)

HMAC-SHA3- KAT CAST On demand Manually

512 (A3649)

Counter DRBG KAT CAST On demand Manually (A3648) Counter DRBG KAT CAST On demand Manually (A3652) Counter DRBG KAT CAST On demand Manually (A3653) Counter DRBG KAT CAST On demand Manually (A3654) Counter DRBG KAT CAST On demand Manually (A3655) Counter DRBG KAT CAST On demand Manually (A3656) Counter DRBG KAT CAST On demand Manually (A3657) Counter DRBG KAT CAST On demand Manually (A3658) Counter DRBG KAT CAST On demand Manually (A3659) Hash DRBG KAT CAST On demand Manually (A3648) Hash DRBG KAT CAST On demand Manually (A3652) Hash DRBG KAT CAST On demand Manually (A3653) Hash DRBG KAT CAST On demand Manually (A3654) Hash DRBG KAT CAST On demand Manually (A3655) Hash DRBG KAT CAST On demand Manually (A3656) © 2024 Red Hat, Inc./ atsec information security corporation.

Page 59

Algorithm or Test Method Test Type Period Periodic Test Method Hash DRBG KAT CAST On demand Manually (A3657) Hash DRBG KAT CAST On demand Manually (A3658) Hash DRBG KAT CAST On demand Manually (A3659) Hash DRBG KAT CAST On demand Manually (A3662) Hash DRBG KAT CAST On demand Manually (A3663) Hash DRBG KAT CAST On demand Manually (A3664) HMAC DRBG KAT CAST On demand Manually (A3648) HMAC DRBG KAT CAST On demand Manually (A3652) HMAC DRBG KAT CAST On demand Manually (A3653) HMAC DRBG KAT CAST On demand Manually (A3654) HMAC DRBG KAT CAST On demand Manually (A3655) HMAC DRBG KAT CAST On demand Manually (A3656) HMAC DRBG KAT CAST On demand Manually (A3657) HMAC DRBG KAT CAST On demand Manually (A3658) HMAC DRBG KAT CAST On demand Manually (A3659) HMAC DRBG KAT CAST On demand Manually (A3662) HMAC DRBG KAT CAST On demand Manually (A3663) HMAC DRBG KAT CAST On demand Manually (A3664) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A3648) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A3662) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A3663) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A3664) Entropy Source RCT CAST On demand Manually Entropy Source APT CAST On demand Manually © 2024 Red Hat, Inc./ atsec information security corporation.

Page 60

Algorithm or Test Method Test Type Period Periodic Test Method Entropy Source RCT CAST On demand Manually Entropy Source APT CAST On demand Manually Table 25: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 26: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests [O]

All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module.

10.6 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 61
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the Red Hat Enterprise Linux 8 (RHEL 8) package in the form of the kernel-4.18.0-372.52.1.el8_6, libkcapi-1.2.0-2.el8, and libkcapi-hmaccalc1.2.0-2.el8 RPM packages. The module can achieve the approved mode by:

11.2 Administrator Guidance

After installation of the kernel-4.18.0-372.52.1.el8_6, libkcapi-1.2.0-2.el8, and libkcapihmaccalc-1.2.0-2.el8 RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Red Hat Enterprise Linux 8 - Kernel Cryptographic API Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapi” commands. These commands must output the following (one line per output): 4.18.0-372.52.1.el8_6.x86_64 libkcapi-1.2.0-2.el8.x86_64

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Design and Rules [O]

Not applicable for this module.

11.5 Maintenance Requirements [O]

There are no maintenance requirements.

11.6 End of Life [O]

© 2024 Red Hat, Inc./ atsec information security corporation.

Page 62

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-4.18.0-372.52.1.el8_6, libkcapi-1.2.0-2.el8, and libkcapi-hmaccalc-1.2.0-2.el8 RPM packages can be uninstalled from the RHEL 8 system.

11.7 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 63
12 Mitigation of Other Attacks
12.1 Attack List [O]

The module does not offer mitigation of other attacks and therefore this section is not applicable.

12.2 Mitigation Effectiveness [O]
12.3 Guidance and Constraints [O]
12.4 Additional Information [O]

Not applicable. © 2024 Red Hat, Inc./ atsec information security corporation.

Page 64

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Red Hat, Inc./ atsec information security corporation.

Page 65

Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2024 Red Hat, Inc./ atsec information security corporation.

Page 66

SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf © 2024 Red Hat, Inc./ atsec information security corporation.