All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Amazon Linux 2023 Kernel Cryptographic API

Certificate#4808StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorAmazon Web Services, Inc.
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 10212 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy.
VendorAmazon Web Services, Inc.

Approved Algorithms (193)

AlgorithmACVP Cert
AES-CBCA4551
AES-CBCA4554
AES-CBCA4557
AES-CBCA4558
AES-CBCA4561
AES-CBCA4563
AES-CBCA4566
AES-CBC-CS3A4551
AES-CBC-CS3A4554
AES-CBC-CS3A4557
AES-CBC-CS3A4558
AES-CBC-CS3A4566
AES-CCMA4551
AES-CCMA4554
AES-CCMA4557
AES-CCMA4558
AES-CCMA4566
AES-CFB128A4551
AES-CFB128A4554
AES-CFB128A4558
AES-CFB128A4566
AES-CMACA4551
AES-CMACA4554
AES-CMACA4557
AES-CMACA4558
AES-CMACA4566
AES-CTRA4551
AES-CTRA4554
AES-CTRA4557
AES-CTRA4558
AES-CTRA4561
AES-CTRA4563
AES-CTRA4566
AES-ECBA4551
AES-ECBA4552
AES-ECBA4553
AES-ECBA4554
AES-ECBA4555
AES-ECBA4556
AES-ECBA4557
AES-ECBA4558
AES-ECBA4559
AES-ECBA4560
AES-ECBA4561
AES-ECBA4563
AES-ECBA4564
AES-ECBA4565
AES-ECBA4566
AES-ECBA4567
AES-ECBA4568
AES-GCMA4551
AES-GCMA4552
AES-GCMA4553
AES-GCMA4554
AES-GCMA4555
AES-GCMA4556
AES-GCMA4558
AES-GCMA4559
AES-GCMA4560
AES-GCMA4563
AES-GCMA4564
AES-GCMA4565
AES-GCMA4566
AES-GCMA4567
AES-GCMA4568
AES-GMACA4551
AES-GMACA4554
AES-GMACA4558
AES-GMACA4566
AES-KWA4551
AES-KWA4554
AES-KWA4558
AES-KWA4566
AES-OFBA4551
AES-OFBA4554
AES-OFBA4558
AES-OFBA4566
AES-XTS Testing Revision 2.0A4551
AES-XTS Testing Revision 2.0A4554
AES-XTS Testing Revision 2.0A4557
AES-XTS Testing Revision 2.0A4558
AES-XTS Testing Revision 2.0A4561
AES-XTS Testing Revision 2.0A4563
AES-XTS Testing Revision 2.0A4566
Counter DRBGA4551
Counter DRBGA4552
Counter DRBGA4553
Counter DRBGA4554
Counter DRBGA4555
Counter DRBGA4556
Counter DRBGA4558
Counter DRBGA4559
Counter DRBGA4560
Counter DRBGA4563
Counter DRBGA4564
Counter DRBGA4565
Counter DRBGA4566
Counter DRBGA4567
Counter DRBGA4568
ECDSA KeyGen (FIPS186-4)A4551
Hash DRBGA4551
Hash DRBGA4569
Hash DRBGA4570
Hash DRBGA4571
HMAC DRBGA4551
HMAC DRBGA4569
HMAC DRBGA4570
HMAC DRBGA4571
HMAC-SHA-1A4551
HMAC-SHA-1A4557
HMAC-SHA-1A4569
HMAC-SHA-1A4570
HMAC-SHA-1A4571
HMAC-SHA2-224A4551
HMAC-SHA2-224A4557
HMAC-SHA2-224A4561
HMAC-SHA2-224A4562
HMAC-SHA2-224A4569
HMAC-SHA2-224A4570
HMAC-SHA2-224A4571
HMAC-SHA2-256A4551
HMAC-SHA2-256A4557
HMAC-SHA2-256A4561
HMAC-SHA2-256A4562
HMAC-SHA2-256A4569
HMAC-SHA2-256A4570
HMAC-SHA2-256A4571
HMAC-SHA2-384A4551
HMAC-SHA2-384A4557
HMAC-SHA2-384A4562
HMAC-SHA2-384A4569
HMAC-SHA2-384A4570
HMAC-SHA2-384A4571
HMAC-SHA2-512A4551
HMAC-SHA2-512A4557
HMAC-SHA2-512A4562
HMAC-SHA2-512A4569
HMAC-SHA2-512A4570
HMAC-SHA2-512A4571
HMAC-SHA3-224A4551
HMAC-SHA3-224A4557
HMAC-SHA3-256A4551
HMAC-SHA3-256A4557
HMAC-SHA3-384A4551
HMAC-SHA3-384A4557
HMAC-SHA3-512A4551
HMAC-SHA3-512A4557
KAS-ECC-SSC Sp800-56Ar3A4551
KAS-FFC-SSC Sp800-56Ar3A4551
RSA SigVer (FIPS186-4)A4551
RSA SigVer (FIPS186-4)A4569
RSA SigVer (FIPS186-4)A4570
RSA SigVer (FIPS186-4)A4571
Safe Primes Key GenerationA4551
SHA-1A4551
SHA-1A4557
SHA-1A4569
SHA-1A4570
SHA-1A4571
SHA2-224A4551
SHA2-224A4557
SHA2-224A4561
SHA2-224A4562
SHA2-224A4569
SHA2-224A4570
SHA2-224A4571
SHA2-256A4551
SHA2-256A4557
SHA2-256A4561
SHA2-256A4562
SHA2-256A4569
SHA2-256A4570
SHA2-256A4571
SHA2-384A4551
SHA2-384A4557
SHA2-384A4562
SHA2-384A4569
SHA2-384A4570
SHA2-384A4571
SHA2-512A4551
SHA2-512A4557
SHA2-512A4562
SHA2-512A4569
SHA2-512A4570
SHA2-512A4571
SHA3-224A4551
SHA3-224A4557
SHA3-256A4551
SHA3-256A4557
SHA3-384A4551
SHA3-384A4557
SHA3-512A4551
SHA3-512A4557

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Amazon Linux 2023 Kernel Cryptographic API
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Error State</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status<br/>Self-Test<br/>Error State</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Amazon Linux 2023 Kernel Cryptographic API
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Error State</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status<br/>Self-Test<br/>Error State</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Amazon Linux 2023 Kernel Cryptographic API Versions: Kernel 6.1.41-64.118.amzn2023, 6.1.41-64.118.fips.amzn2023 Libkcapi 1.4.0-105.amzn2023 Document Version: 1.2 Document Date: 2024-09-20 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com © 2024 Amazon Web Services, Inc., atsec information security.

Page 2

Amazon Linux 2023 Kernel Cryptographic API Table of Contents © 2024 Amazon Web Services, Inc., atsec information security.

2 of 36
Page 3

Amazon Linux 2023 Kernel Cryptographic API © 2024 Amazon Web Services, Inc., atsec information security.

3 of 36
Page 4

Amazon Linux 2023 Kernel Cryptographic API List of Tables List of Figures © 2024 Amazon Web Services, Inc., atsec information security.

4 of 36
Page 5

Amazon Linux 2023 Kernel Cryptographic API Amazon is a registered trademark of Amazon Web Services, Inc. or its affiliates. © 2024 Amazon Web Services, Inc., atsec information security.

5 of 36
Page 6
Security level
NameISO SectionRequirementLevel
SubsectionsSubsections
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityNot Applicable
88Non-invasive SecurityNot Applicable
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other AttacksNot Applicable
OverallOverall1
Integrity TestIntegrity Test
Package/File NamesPackage/File NamesSoftware/ Firmware Version
ImplementedImplemented
EC2 c7g.metal: /boot/vmlinuz-6.1.41-64.118.amzn2023.aarch64EC2 c7g.metal: /boot/vmlinuz-6.1.41-64.118.amzn2023.aarch64EC2 c7g.metal, EC2 c6i.metal: 6.1.41-64.118.amzn2023 AWS Snowball, AWS Snowblade, AWS Snowcone: 6.1.41-64.118.fips.amzn2023HMAC-SHA-512
EC2 c6i.metal: /boot/vmlinuz-6.1.41-64.118.amzn2023.x86_64EC2 c6i.metal: /boot/vmlinuz-6.1.41-64.118.amzn2023.x86_64
AWS Snowball, AWS Snowblade, AWS Snowcone: /boot/vmlinuz-6.1.41-64.118.fips.amzn2023.x86_64AWS Snowball, AWS Snowblade, AWS Snowcone: /boot/vmlinuz-6.1.41-64.118.fips.amzn2023.x86_64
EC2 c7g.metal: *.ko and *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.aarch64/kernel/crypto/ *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.aarch64/kernel/arch/aarch64/cryptoEC2 c7g.metal: *.ko and *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.aarch64/kernel/crypto/ *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.aarch64/kernel/arch/aarch64/cryptoRSA Signature Verification
EC2 c6i.metal: *.ko and *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.x86_64/kernel/crypto/ *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.x86_64/kernel/arch/x86/crypto/EC2 c6i.metal: *.ko and *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.x86_64/kernel/crypto/ *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.amzn2023.x86_64/kernel/arch/x86/crypto/
AWS Snowball, AWS Snowblade, AWS Snowcone: *.ko and *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.fips.amzn2023.x86_64/kernel/crypto/ *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.fips.amzn2023.x86_64/kernel/arch/x86/cryptoAWS Snowball, AWS Snowblade, AWS Snowcone: *.ko and *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.fips.amzn2023.x86_64/kernel/crypto/ *.ko.xz files in /usr/lib/modules/6.1.41- 64.118.fips.amzn2023.x86_64/kernel/arch/x86/crypto
/usr/lib64/libkcapi.so.1.4.0 /usr/lib/sha512hmac/usr/lib64/libkcapi.so.1.4.0 /usr/lib/sha512hmac1.4.0-105.amzn2023HMAC-SHA-512

Amazon Linux 2023 Kernel Cryptographic API 1.1 Overview This document is the non-proprietary FIPS 140-3 Security Policy for Amazon Linux 2023 Kernel Cryptographic API versions:

6 of 36
Page 7

Amazon Linux 2023 Kernel Cryptographic API The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2024 Amazon Web Services, Inc., atsec information security.

7 of 36
Page 8

Amazon Linux 2023 Kernel Cryptographic API Cryptographic Module Specification 2.1 Description Purpose and Use: The Amazon Linux 2023 Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a generalpurpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: Multi-chip standalone Module Characteristics: N/A Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1

8 of 36
Page 9
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa Pai
Amazon Linux 2023Amazon Linux 2023EC2 c7g.metal6.1.41-64.118.amzn2023 and 1.4.0-105.amzn2023AWS Graviton3Neon, Cryptography Extensions (PAA)
Amazon Linux 2023Amazon Linux 2023EC2 c6i.metalIntel Xeon Platinum 8375CAES-NI (PAA)
SnowOS 1.0SnowOS 1.0AWS Snowball6.1.41-64.118.fips.amzn2023 and 1.4.0-105.amzn2023AMD EPYC 7702
SnowOS 1.0SnowOS 1.0AWS SnowbladeIntel Xeon Gold 6314U
SnowOS 1.0SnowOS 1.0AWS SnowconeIntel Atom C3558
Amazon Linux 2023Amazon Linux 2023EC2 c7g.metal6.1.41-64.118.amzn2023 and 1.4.0-105.amzn2023AWS Graviton3None
Amazon Linux 2023Amazon Linux 2023EC2 c6i.metalIntel Xeon Platinum 8375C
SnowOS 1.0SnowOS 1.0AWS Snowball6.1.41-64.118.fips.amzn2023 and 1.4.0-105.amzn2023AMD EPYC 7702
SnowOS 1.0SnowOS 1.0AWS SnowbladeIntel Xeon Gold 6314U
SnowOS 1.0SnowOS 1.0AWS SnowconeIntel Atom C3558
Bottlerocket v1.20.0Bottlerocket v1.20.0EC2 c7g.metal with Intel Xeon Platinum 8375C (PAA: AES-NI)
Bottlerocket v1.20.0Bottlerocket v1.20.0EC2 c6i.metal with AWS Graviton3 processor (PAA: Neon, Cryptography Extensions)
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa Pai
Amazon Linux 2023Amazon Linux 2023EC2 c7g.metal6.1.41-64.118.amzn2023 and 1.4.0-105.amzn2023AWS Graviton3Neon, Cryptography Extensions (PAA)
Amazon Linux 2023Amazon Linux 2023EC2 c6i.metalIntel Xeon Platinum 8375CAES-NI (PAA)
SnowOS 1.0SnowOS 1.0AWS Snowball6.1.41-64.118.fips.amzn2023 and 1.4.0-105.amzn2023AMD EPYC 7702
SnowOS 1.0SnowOS 1.0AWS SnowbladeIntel Xeon Gold 6314U
SnowOS 1.0SnowOS 1.0AWS SnowconeIntel Atom C3558
Amazon Linux 2023Amazon Linux 2023EC2 c7g.metal6.1.41-64.118.amzn2023 and 1.4.0-105.amzn2023AWS Graviton3None
Amazon Linux 2023Amazon Linux 2023EC2 c6i.metalIntel Xeon Platinum 8375C
SnowOS 1.0SnowOS 1.0AWS Snowball6.1.41-64.118.fips.amzn2023 and 1.4.0-105.amzn2023AMD EPYC 7702
SnowOS 1.0SnowOS 1.0AWS SnowbladeIntel Xeon Gold 6314U
SnowOS 1.0SnowOS 1.0AWS SnowconeIntel Atom C3558
Bottlerocket v1.20.0Bottlerocket v1.20.0EC2 c7g.metal with Intel Xeon Platinum 8375C (PAA: AES-NI)
Bottlerocket v1.20.0Bottlerocket v1.20.0EC2 c6i.metal with AWS Graviton3 processor (PAA: Neon, Cryptography Extensions)

Table 2 - Tested Module Identification Tested Operational Environments - Software, Firmware, Hybrid: The module has been tested on the following platforms with the corresponding module variants and configuration options with and without PAA: Table 3 - Tested Operational Environments Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: The vendor affirms the following platforms with the corresponding module variants and configuration options with and without PAA: Table 4 - Software, Hardware, Hybrid Vendor Affirmed Operational Environment 2.3 Excluded Components There are no components excluded from the requirements of the FIPS 140-3 standard. © 2024 Amazon Web Services, Inc., atsec information security.

9 of 36
Page 10
Service
NameDescriptionIndicatorType
Non-approved modeAutomatically entered whenever a non-approved service is requestedEquivalent to the indicator of the requested serviceNon-approved
Approved algorithm
NameCAVP CertReferenceAlgorithm CapabilitiesOE (Implementation)
AES-CBCA4551, A4554, A4557,FIPS 197Key size: 128, 192, 256 bitsAmazon Linux 2023 on EC2 c7g.metal Amazon Linux 2023 on EC2
A4558, A4561, A4563,A4558, A4561, A4563,SP 800-38A
AES-CBC-CS3A4551, A4554, A4557,FIPS 197Key size: 128, 192, 256 bitsc6i.metal SnowOS 1.0 on AWS Snowball SnowOS 1.0 on AWS Snowblade SnowOS 1.0 on AWS Snowcone
A4558, A4561, A4566A4558, A4561, A4566SP 800-38A
AES-CCMA4551, A4554, A4557,FIPS 197Key size: 128, 192, 256 bits
A4558, A4566A4558, A4566SP 800-38C
AES-CFB128A4551, A4554, A4558,FIPS 197Key size: 128, 192, 256 bits
A4566A4566SP 800-38A
AES-CMACA4551, A4554, A4557,FIPS 197Key size: 128, 192, 256 bits
A4558, A4566A4558, A4566SP 800-38B
AES-CTRA4551, A4554, A4557,FIPS 197Key size: 128, 192, 256 bits
A4558, A4561, A4563,A4558, A4561, A4563,SP 800-38A
AES-ECBA4551, A4552, A4553,FIPS 197Key size: 128, 192, 256 bits
A4554, A4555, A4556,A4554, A4555, A4556,SP 800-38A
AES-GCMA4551, A4552, A4553,FIPS 197Key size: 128, 192, 256 bits
A4554, A4555, A4556,A4554, A4555, A4556,SP 800-38DIV Generation: Internal (encryption) & External
A4558, A4559, A4560,A4558, A4559, A4560,(decryption)
A4563, A4564, A4565,A4563, A4564, A4565,IV Generation Mode: 8.2.2
AES-GMACA4551, A4554, A4558,FIPS 197Key size: 128, 192, 256 bits
A4566A4566SP 800-38D
AES-KWA4551, A4554, A4558,FIPS 197Key size: 128, 192, 256 bits
A4566A4566SP 800-38F
AES-OFBA4551, A4554, A4558,FIPS 197Key size: 128, 192, 256 bits
A4566A4566SP 800-38A
AES-XTSA4551, A4554, A4557,FIPS 197Key size: 128, 256 bits
A4558, A4561, A4563,A4558, A4561, A4563,SP 800-38E
CTR_DRBGA4551, A4552, A4553,SP 800-90Ar1Size: AES-128, AES-192, AES-256
A4554, A4555, A4556,A4554, A4555, A4556,Without derivation function
A4558, A4559, A4560,A4558, A4559, A4560,With/without prediction resistance
ECDSAA4551FIPS 186-4Key Pair Generation
Hash_DRBGA4551, A4569, A4570,SP 800-90Ar1Hashes: SHA-1, SHA-256, SHA-512
A4571A4571With/without prediction resistance
HMAC_DRBGA4551, A4569, A4570,SP 800-90Ar1Hashes: SHA-1, SHA-256, SHA-512
A4571A4571With/without prediction resistance
HMACA4551, A4557, A4569,FIPS 198-1SHA-1
A4570, A4571A4570, A4571FIPS 180-4Key size: 112-524288 bits
A4551, A4557, A4561,A4551, A4557, A4561,FIPS 198-1SHA-224, SHA-256
A4562, A4569, A4570,A4562, A4569, A4570,FIPS 180-4Key size: 112-524288 bits
A4551, A4557, A4562,A4551, A4557, A4562,FIPS 198-1SHA-384, SHA-512
A4569, A4570, A4571A4569, A4570, A4571FIPS 180-4Key size: 112-524288 bits
A4551, A4557A4551, A4557FIPS 198-1SHA3-224, SHA3-256, SHA3-384, SHA3-512
Key size: 112-524288 bitsFIPS 202Key size: 112-524288 bits
KAS-ECC-SSCA4551SP 800-56Ar3Scheme: Ephemeral Unified Model
KAS-FFC-SSCA4551Scheme: dhEphem
RSAA4551, A4569, A4570,FIPS 186-4Signature Verification
A4571A4571Padding: PKCS#1 v1.5
Safe PrimesA4551SP 800-56Ar3Key Pair Generation
SHA-1A4551, A4557, A4569,FIPS 180-4N/A
SHA-224A4551, A4557, A4561,N/A
SHA-256A4562, A4569, A4570, A4571
SHA-384A4551, A4557, A4562,N/A
SHA-512A4569, A4570, A4571
SHA3-224A4551, A4557FIPS 202N/A

Amazon Linux 2023 Kernel Cryptographic API 2.4 Modes of Operation Modes List and Description: Table 5 - Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. Mode change instructions and status indicators: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status Degraded Mode Description: The module does not implement a degraded mode of operation. 2.5 Algorithms Approved Algorithms: Table 6 lists all approved cryptographic algorithms of the module, including specific key lengths employed for approved services (Table 14), and implemented modes or methods of operation of the algorithms. © 2024 Amazon Web Services, Inc., atsec information security.

10 of 36
Page 11

Amazon Linux 2023 Kernel Cryptographic API N/A © 2024 Amazon Web Services, Inc., atsec information security.

11 of 36
Page 12
Service
NameDescriptionApproved FunctionsTypeOE (Implementation)ReferencesSF Capabilities
Cryptographic Key Generation (CKG)Key Pair Generation using Safe Primes and ECAmazon Linux 2023 on EC2 c7g.metalSP 800-133r2 Section 4, 5.1, and 5.2
AES GCM with external IVEncryption
KBKDF (libkcapi)Key Derivation
HKDF (libkcapi)Key Derivation
PBKDF2 (libkcapi)Password-Based Key Derivation
RSAEncryption Primitive Decryption Primitive
RSA with PKCS#1 v1.5 paddingSignature Generation (pre-hashed message) Signature Verification (pre-hashed message)
Key Encapsulation Key Un-encapsulationKey Encapsulation Key Un-encapsulation
KAS-ECC-SSCEC Diffie-Hellman Shared Secret ComputationKAS-ECC-SSC (SP 800- 56Ar3)KASSecurity strength: 128, 192 bits Compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F
KAS-FFC-SSCDiffie-Hellman Shared Secret ComputationKAS-FFC-SSC (SP 800- 56Ar3)KASSecurity strength: 112-200 bits Compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F
AES-KWKey wrapping/unwrappingAES-KW (SP 800-38F)KTSSecurity strength: 128, 192, 256 bits
AES-CCMKey wrapping/unwrapping using authenticated encryption (as permitted by IG D.G)AES-CCM (SP 800-38C)KTSSecurity strength: 128, 192, 256 bits
AES-GCM/WRAPKey wrapping using authenticated encryptionAES-GCM (SP 800-38D)KTSIV generated internally Security strength: 128, 192, 256 bits
Service
NameDescriptionApproved FunctionsTypeOE (Implementation)ReferencesSF Capabilities
Cryptographic Key Generation (CKG)Key Pair Generation using Safe Primes and ECAmazon Linux 2023 on EC2 c7g.metalSP 800-133r2 Section 4, 5.1, and 5.2
AES GCM with external IVEncryption
KBKDF (libkcapi)Key Derivation
HKDF (libkcapi)Key Derivation
PBKDF2 (libkcapi)Password-Based Key Derivation
RSAEncryption Primitive Decryption Primitive
RSA with PKCS#1 v1.5 paddingSignature Generation (pre-hashed message) Signature Verification (pre-hashed message)
Key Encapsulation Key Un-encapsulationKey Encapsulation Key Un-encapsulation
KAS-ECC-SSCEC Diffie-Hellman Shared Secret ComputationKAS-ECC-SSC (SP 800- 56Ar3)KASSecurity strength: 128, 192 bits Compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F
KAS-FFC-SSCDiffie-Hellman Shared Secret ComputationKAS-FFC-SSC (SP 800- 56Ar3)KASSecurity strength: 112-200 bits Compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F
AES-KWKey wrapping/unwrappingAES-KW (SP 800-38F)KTSSecurity strength: 128, 192, 256 bits
AES-CCMKey wrapping/unwrapping using authenticated encryption (as permitted by IG D.G)AES-CCM (SP 800-38C)KTSSecurity strength: 128, 192, 256 bits
AES-GCM/WRAPKey wrapping using authenticated encryptionAES-GCM (SP 800-38D)KTSIV generated internally Security strength: 128, 192, 256 bits
Service
NameDescriptionApproved FunctionsTypeOE (Implementation)ReferencesSF Capabilities
Cryptographic Key Generation (CKG)Key Pair Generation using Safe Primes and ECAmazon Linux 2023 on EC2 c7g.metalSP 800-133r2 Section 4, 5.1, and 5.2
AES GCM with external IVEncryption
KBKDF (libkcapi)Key Derivation
HKDF (libkcapi)Key Derivation
PBKDF2 (libkcapi)Password-Based Key Derivation
RSAEncryption Primitive Decryption Primitive
RSA with PKCS#1 v1.5 paddingSignature Generation (pre-hashed message) Signature Verification (pre-hashed message)
Key Encapsulation Key Un-encapsulationKey Encapsulation Key Un-encapsulation
KAS-ECC-SSCEC Diffie-Hellman Shared Secret ComputationKAS-ECC-SSC (SP 800- 56Ar3)KASSecurity strength: 128, 192 bits Compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F
KAS-FFC-SSCDiffie-Hellman Shared Secret ComputationKAS-FFC-SSC (SP 800- 56Ar3)KASSecurity strength: 112-200 bits Compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F
AES-KWKey wrapping/unwrappingAES-KW (SP 800-38F)KTSSecurity strength: 128, 192, 256 bits
AES-CCMKey wrapping/unwrapping using authenticated encryption (as permitted by IG D.G)AES-CCM (SP 800-38C)KTSSecurity strength: 128, 192, 256 bits
AES-GCM/WRAPKey wrapping using authenticated encryptionAES-GCM (SP 800-38D)KTSIV generated internally Security strength: 128, 192, 256 bits
AES-GCM/UNWRAPKey unwrapping using authenticated encryption (as permitted by IG D.G)AES-GCM (SP 800-38D)KTSIV provided externally Security strength: 128, 192, 256 bits
AES-CBC with HMACKey wrapping/unwrapping using “combination” mode encryption (as permitted by IG D.G)AES-CBC (SP 800-38A) HMAC (FIPS 198-1)KTSSecurity strength: 128, 192, 256 bits Hashes: SHA-1, SHA-256, SHA-384, SHA-512
AES-CTR with HMACAES-CTR (SP 800-38A) HMAC (FIPS 198-1)KTS

Table 6 - Approved Algorithms Vendor Affirmed Algorithms: Table 7 - Vendor Affirmed Algorithms Non-Approved, Allowed Algorithms: The module does not implement non-approved algorithms allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: The module does not implement non-approved algorithms allowed in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: Table 8 lists all non-approved cryptographic algorithms of the module employed by the non-approved services in Table 15. Table 8 - Non-Approved, Not Allowed Algorithms 2.6 © 2024 Amazon Web Services, Inc., atsec information security.

12 of 36
Page 13

Amazon Linux 2023 Kernel Cryptographic API Table 9 - Security Function Implementations 2.7 Algorithm Specific Information The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC

7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption

keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in Table 14.

2.7.2 AES XTS

In accordance with IG C.I, the module implements a check to ensure that the two AES keys used in the AES-XTS algorithm are not identical. The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2 20 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.3 RSA

For RSA signature verification, all supported, approved modulus sizes have been CAVP tested

2.7.4 SP 800-56Ar3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the DiffieHellman and elliptic curve Diffie-Hellman shared secret computation algorithms with the NVMe and Bluetooth related protocols. Additionally, the module’s approved key pair generation service (see Table 14) must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, and the partial public key validation of the peer EC public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3. © 2024 Amazon Web Services, Inc., atsec information security.

13 of 36
Page 14
Sensitive security parameter
NameTypeStrengthOperational EnvironmentEntropy Per SampleConditioning Component
Amazon Kernel CPU Time Jitter RNG Entropy SourceNon- physical256 bitsSee Table 3256 bitsSHA3-256 (A4551)
Vendor NameCertificate Number
AmazonCert. E105

Amazon Linux 2023 Kernel Cryptographic API

2.7.5 Legacy Use

Digital signature verification using SHA-1 is allowed for legacy use only. 2.8 RBG and Entropy Table 10 - Entropy Certificates Nonphysical The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of these DRBG implementations can be instantiated by the operator of the module, using the parameters listed in Table 6. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA-512 DRBG implementation for internal purposes (e.g. to generate asymmetric key pairs). This DRBG is initially seeded with 384 output bits from the entropy source (corresponding to 384 bits of entropy) and reseeded with 256 output bits from the entropy source (corresponding to 256 bits of entropy). The module complies with the Public Use Document for ESV certificate E105 seeding the aforementioned DRBG using the jent_kcapi_random function, which corresponds to the GetEntropy() function. The operational environment of the module is identical to the one listed on the ESV certificate. There are no maintenance requirements for the entropy source. The following is the link to the Public Use Document of Amazon Kernel CPU Time Jitter RNG Entropy https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E105_PublicUse.pdf 2.9 Key Generation The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800133r2. When random values are required, they are directly obtained as output from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without XOR). The following methods are implemented:

14 of 36
Page 15

Amazon Linux 2023 Kernel Cryptographic API

2.10 Key Establishment

The module implements SSP agreement and SSP transport methods as listed in Table 9. The module implements the P-256 and P-384 curves. For P-256, N is 256 bits and s is 128 bits. For P-384, N is 384 bits and s is 192 bits. The module implements the ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, and ffdhe8192 safe prime groups. For ffdhe2048, N is 2048 bits and s is 112 bits For ffdhe3072, N is 3072 bits and s is 128 bits For ffdhe4096, N is 4096 bits and s is 152 bits For ffdhe6144, N is 6144 bits and s is 176 bits For ffdhe8192, N is 8192 bits and s is 200 bits (N is the bit length of the private key and s is the maximum security strength supported)

2.11 Industry Protocols

AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. Diffie-Hellman and EC Diffie-Hellman shall only be used with the NVMe and Bluetooth related protocols. No other parts of the NVMe, Bluetooth, or IPSec protocols, other than those mentioned above, have been tested by the CAVP and CMVP. © 2024 Amazon Web Services, Inc., atsec information security.

15 of 36
Page 16
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs.As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs.Data InputAPI data input parameters, AF_ALG type sockets
Data OutputData OutputAPI output parameters, AF_ALG type sockets
Control InputControl InputAPI function calls, API control input parameters, AF_ALG type sockets, kernel command line
Status OutputStatus OutputAPI return values, AF_ALG type sockets, kernel logs

Amazon Linux 2023 Kernel Cryptographic API Cryptographic Module Interfaces 3.1 Ports and Interfaces Table 12 - Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a © 2024 Amazon Web Services, Inc., atsec information security.

16 of 36
Page 17
Service
NameDescriptionRolesRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleN/A
Message DigestCompute a message digestCON/ASHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512crypto_shash_init returns 0MessageDigest value
EncryptionEncrypt a plaintextAES key: W, EAES CBC, CBC-CS3, CFB128, CTR, ECB, KW, OFB, XTScrypto_skcipher_setkey returns 0AES key, IV, plaintextCiphertext
DecryptionDecrypt a ciphertextAES key, IV, ciphertextPlaintext
Authenticated EncryptionEncrypt a plaintextAES key: W, E HMAC key: W, EAES CCM, GCM (internal IV) AES CBC or CTR with HMAC-SHA-1, HMAC- SHA-256, HMAC-SHA- 384, or HMAC-SHA- 512For all except AES GCM: crypto_aead_setkey returns 0 For AES GCM: crypto_aead_get_flags(tf m) has the CRYPTO_TFM_FIPS_COMP LIANCE flag setAES key, IV, plaintextCiphertext, MAC tag
Authenticated DecryptionDecrypt a ciphertextAES CCM, GCM (external IV) AES CBC or CTR with HMAC-SHA-1, HMAC- SHA-256, HMAC-SHA- 384, or HMAC-SHA- 512AES key, IV, ciphertext, MAC tagPlaintext
Message AuthenticationCompute a MAC tagAES key: W, EAES CMAC, GMACcrypto_shash_init returns 0AES key, messageMAC tag
HMAC key, messageHMAC key: W, EHMAC-SHA-1, HMAC- SHA-224, HMAC-SHA- 256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512HMAC key, message
Shared Secret ComputationCompute a shared secretDH private key: W, E DH public key: W, E Shared secret: G, RKAS-FFC-SSCcrypto_kpp_compute_sha red_secret returns 0DH private key, DH public keyShared secret
EC private key, EC public keyEC private key: W, E EC public key: W, E Shared secret: G, RKAS-ECC-SSCEC private key, EC public key
Key Pair GenerationGenerate a key pairDH private key: G, R DH public key: G, R Intermediate key generation value: G,Safe Primes Key Pair Generationcrypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0GroupDH private key, DH public key
Service
NameDescriptionRolesRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleN/A
Message DigestCompute a message digestCON/ASHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512crypto_shash_init returns 0MessageDigest value
EncryptionEncrypt a plaintextAES key: W, EAES CBC, CBC-CS3, CFB128, CTR, ECB, KW, OFB, XTScrypto_skcipher_setkey returns 0AES key, IV, plaintextCiphertext
DecryptionDecrypt a ciphertextAES key, IV, ciphertextPlaintext
Authenticated EncryptionEncrypt a plaintextAES key: W, E HMAC key: W, EAES CCM, GCM (internal IV) AES CBC or CTR with HMAC-SHA-1, HMAC- SHA-256, HMAC-SHA- 384, or HMAC-SHA- 512For all except AES GCM: crypto_aead_setkey returns 0 For AES GCM: crypto_aead_get_flags(tf m) has the CRYPTO_TFM_FIPS_COMP LIANCE flag setAES key, IV, plaintextCiphertext, MAC tag
Authenticated DecryptionDecrypt a ciphertextAES CCM, GCM (external IV) AES CBC or CTR with HMAC-SHA-1, HMAC- SHA-256, HMAC-SHA- 384, or HMAC-SHA- 512AES key, IV, ciphertext, MAC tagPlaintext
Message AuthenticationCompute a MAC tagAES key: W, EAES CMAC, GMACcrypto_shash_init returns 0AES key, messageMAC tag
HMAC key, messageHMAC key: W, EHMAC-SHA-1, HMAC- SHA-224, HMAC-SHA- 256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512HMAC key, message
Shared Secret ComputationCompute a shared secretDH private key: W, E DH public key: W, E Shared secret: G, RKAS-FFC-SSCcrypto_kpp_compute_sha red_secret returns 0DH private key, DH public keyShared secret
EC private key, EC public keyEC private key: W, E EC public key: W, E Shared secret: G, RKAS-ECC-SSCEC private key, EC public key
Key Pair GenerationGenerate a key pairDH private key: G, R DH public key: G, R Intermediate key generation value: G,Safe Primes Key Pair Generationcrypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0GroupDH private key, DH public key
CurveEC private key: G, R EC public key: G, R Intermediate key generation value: G, E, ZEC Key Pair GenerationCurveEC private key, EC public key
Random Number GenerationGenerate random bytesEntropy input: W, E DRBG seed: E, G Internal state: E, GCTR_DRBG, Hash_DRBG, HMAC_DRBGcrypto_rng_get_bytes returns 0Output lengthRandom bytes
Error Detection CodeCompute an EDC (crc32, crct10dif)N/AN/ANoneMessageEDC
CompressionCompress data (deflate, lz4, lz4hc, lzo, zlib- deflate, zstd)N/AN/ANoneDataCompressed data
Generic System CallUse the kernel to perform various non- cryptographic operationsN/AN/ANoneIdentifier, various argumentsVarious return values
Show VersionReturn the module name and version informationN/AN/ANoneN/AModule name and version
Show StatusReturn the module statusN/AN/ANoneN/AModule status
Self-TestPerform the CASTs and integrity testsN/ASHA, SHA-3, AES, HMAC, KAS-FFC-SSC, KAS-ECC-SSC, CTR_DRBG, Hash_DRBG, HMAC_DRBG, RSA See Table 22 for specificsNoneN/APass/fail

Amazon Linux 2023 Kernel Cryptographic API 4.1 The module does not implement authentication. 4.2 N/A Table 13 - Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators. 4.3 Approved Services N/A HMAC-SHA-1, HMACSHA-256, HMAC-SHA384, or HMAC-SHA512 HMAC-SHA-1, HMACSHA-256, HMAC-SHA384, or HMAC-SHA512 © 2024 Amazon Web Services, Inc., atsec information security.

17 of 36
Page 18
Sensitive security parameter
NameDescriptionSecurity FunctionRole
AES GCM External IV EncryptionEncrypt a plaintext using AES GCM with an external IVAES GCM (external IV)CO
Key DerivationDerive a key from a key-derivation key or a shared secretKBKDF (libkcapi)
Password-Based Key DerivationDerive a key from a passwordPBKDF2 (libkcapi)
Encryption PrimitiveCompute the raw RSA encryption of a plaintext/ciphertextRSA
Decryption PrimitiveCompute the raw RSA decryption of a plaintext/ciphertext
Signature Generation (pre-hashed message)Generate a digital signature for a pre-hashed messageRSA with PKCS#1 v1.5 padding
Signature Verification (pre-hashed message)Verify a digital signature for a pre-hashed message
Key EncapsulationEncapsulate a secret key using RSA with PKCS#1 v1.5 padding
Key Un-encapsulationUn-encapsulate a secret key using RSA with PKCS#1 v1.5 padding

Amazon Linux 2023 Kernel Cryptographic API E, Z E, Z N/A N/A N/A N/A various noncryptographic N/A N/A N/A N/A N/A N/A N/A N/A N/A Table 14 - Approved Services The following convention is used to specify access rights to SSPs:

18 of 36
Page 19

Amazon Linux 2023 Kernel Cryptographic API Table 15 - Non-Approved Services 4.5 External Software/Firmware Loaded The module does not load external software or firmware. © 2024 Amazon Web Services, Inc., atsec information security.

19 of 36
Page 20

Amazon Linux 2023 Kernel Cryptographic API Software/Firmware Security 5.1 Integrity Techniques The Linux kernel binary is integrity tested using an HMAC-SHA-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations) which compares the computed HMAC value with a precomputed HMAC value. An HMAC-SHA-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity by comparing the computed HMAC value with a precomputed HMAC value. The kernel crypto object files listed in Table 3. are loaded on start-up by the module and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-512, and a 4096-bit key. 5.2 Initiate On-Demand Integrity Test Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently reinitializing the module, which will perform (among others) the software integrity tests. © 2024 Amazon Web Services, Inc., atsec information security.

20 of 36
Page 21

Amazon Linux 2023 Kernel Cryptographic API Operational Environment 6.1 Operational Environment Type and Requirements Type of Operating Environment: The module operates in a modifiable operational environment. The module runs on commercially available general-purpose operating systems (Amazon Linux 2023 and SnowOS 1.0), which allows modification, loading, and execution of software that is not part of the validated module. How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. 6.2 Configurable Settings and Restrictions The module shall be installed as stated in Section 11. Instrumentation tools like the ptrace system call, gdb and strace, user space live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2024 Amazon Web Services, Inc., atsec information security.

21 of 36
Page 22

Amazon Linux 2023 Kernel Cryptographic API Physical Security The module is comprised of software only and therefore this section is not applicable. © 2024 Amazon Web Services, Inc., atsec information security.

22 of 36
Page 23

Amazon Linux 2023 Kernel Cryptographic API Non-Invasive Security This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2024 Amazon Web Services, Inc., atsec information security.

23 of 36
Page 24
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStrength
RAMDynamicTemporary storage for SSPs used by the module as part of service execution
AES KeySymmetric keyAES key used for encryption, decryption, and computing MAC tagsXTS: 256, 512 bits Other modes: 128, 192, 256 bitsN/AN/AXTS: 128, 256 bits Other modes: 128, 192, 256 bits
Service
NameTypeFromToDistribution TypeEntry Type
API input parametersPlaintextOperator calling application (TOEPP)Cryptographic moduleManualElectronic
API output parametersCryptographic moduleOperator calling application (TOEPP)
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputStrengthTemporary Storage DurationCategoryRelated SSPs
RAMDynamicTemporary storage for SSPs used by the module as part of service execution
AES KeySymmetric keyAES key used for encryption, decryption, and computing MAC tagsXTS: 256, 512 bits Other modes: 128, 192, 256 bitsN/AN/AXTS: 128, 256 bits Other modes: 128, 192, 256 bits
HMAC KeySymmetric keyHMAC key used for computing MAC tags112-524288 bitsN/AN/A112-256 bits
Shared SecretShared secretShared secret generated by (EC) Diffie-HellmanP-256, P-384N/ASP 800-56Ar3 (KAS- ECC-SSC)128, 192 bits
ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192SP 800-56Ar3 (KAS- FFC-SSC)112-200 bits
Entropy inputEntropy inputEntropy input used to seed the DRBGs (IG D.L)256-384 bitsEntropy Source See Table 11N/A256-384 bits
DRBG SeedSeedDRBG seed derived from entropy input (IG D.L)CTR_DRBG: 256, 320, 384 bits Hash_DRBG: 440, 888 bits HMAC_DRBG: 160, 256, 512 bitsCTR_DRBG, Hash_DRBG, HMAC_DRBGN/ACTR_DRBG: 128, 192, 256 bits Hash_DRBG: 128, 256 bits HMAC_DRBG: 128, 256 bits
Internal State (V, Key)Internal stateInternal state of CTR_DRBG and HMAC_DRBG instances (IG D.L)CTR_DRBG: 256, 320, 348 bits HMAC_DRBG: 320, 512, 1024 bitsCTR_DRBG, HMAC_DRBGN/A
Internal State (V, C)Internal stateInternal state of Hash_DRBG instances (IG D.L)Hash_DRBG: 880, 1776 bitsHash_DRBGN/A
DH Public KeyPublic keyPublic key used for Diffie-Hellmanffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192SP 800-56Ar3 (Safe Primes) Section 5.6.1.1.4 Testing CandidatesN/A112-200 bits
DH Private KeyPrivate keyPrivate key used for Diffie-Hellman112-200 bits
EC Public KeyPublic keyPublic key used for ECDHP-256, P-384FIPS 186-4 Appendix B.4.2 Testing CandidatesN/A128, 192 bits
EC Private KeyPrivate keyPrivate key used for ECDH
Intermediate Key Generation ValueIntermediate valueTemporary value generated during Key Pair Generation services2048-8192 bitsCKGN/A112-200 bits
AES KeyRAMFree cipher handle Remove power from the moduleEncryption Decryption Authenticated Encryption Authenticated Decryption Message AuthenticationAPI input parameters AF_ALG type sockets (input) No outputFor the duration of the serviceCSPNone
HMAC KeyMessage Authentication Authenticated Encryption Authenticated DecryptionCSPNone
Shared SecretAutomatic Remove power from the moduleShared Secret ComputationNo input API output parameters, AF_ALG type sockets (output)CSPDH Public Key, DH Private Key, EC Public Key, EC Private Key
Entropy InputRandom Number GenerationNo input No outputFrom generation until DRBG Seed is createdCSPDRBG Seed
MethodDescriptionRationaleOperator Initiation Capability
Free cipher handleZeroizes the SSPs contained within the cipher handleMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable.By calling the appropriate zeroization functions: AES Key: crypto_free_skcipher and crypto_free_aead HMAC Key: crypto_free_shash and crypto_free_ahash Internal State (V, Key), Internal State (V, C): crypto_free_rng DH Public Key & DH Private Key: crypto_free_kpp EC Public Key & EC Private Key: crypto_free_kpp RSA Public Key: public_key_free
AutomaticAutomatically zeroized by the module when no longer neededMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable.N/A
Remove power from the moduleDe-allocates the volatile memory used to store SSPsVolatile memory used by the module is overwritten within nanoseconds when power is removedBy removing power

Amazon Linux 2023 Kernel Cryptographic API Sensitive Security Parameters Management 9.1 Storage Areas Table 16 - Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in released by the appropriate zeroization function calls. 9.2 Table 17 - SSP Input-Output Methods 9.3 N/A Table 18 - SSP Zeroization Methods All data output is inhibited during zeroization. 9.4 N/A © 2024 Amazon Web Services, Inc., atsec information security.

24 of 36
Page 25
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputStrengthTemporary Storage DurationCategoryRelated SSPs
HMAC KeySymmetric keyHMAC key used for computing MAC tags112-524288 bitsN/AN/A112-256 bits
Shared SecretShared secretShared secret generated by (EC) Diffie-HellmanP-256, P-384N/ASP 800-56Ar3 (KAS- ECC-SSC)128, 192 bits
ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192SP 800-56Ar3 (KAS- FFC-SSC)112-200 bits
Entropy inputEntropy inputEntropy input used to seed the DRBGs (IG D.L)256-384 bitsEntropy Source See Table 11N/A256-384 bits
DRBG SeedSeedDRBG seed derived from entropy input (IG D.L)CTR_DRBG: 256, 320, 384 bits Hash_DRBG: 440, 888 bits HMAC_DRBG: 160, 256, 512 bitsCTR_DRBG, Hash_DRBG, HMAC_DRBGN/ACTR_DRBG: 128, 192, 256 bits Hash_DRBG: 128, 256 bits HMAC_DRBG: 128, 256 bits
Internal State (V, Key)Internal stateInternal state of CTR_DRBG and HMAC_DRBG instances (IG D.L)CTR_DRBG: 256, 320, 348 bits HMAC_DRBG: 320, 512, 1024 bitsCTR_DRBG, HMAC_DRBGN/A
Internal State (V, C)Internal stateInternal state of Hash_DRBG instances (IG D.L)Hash_DRBG: 880, 1776 bitsHash_DRBGN/A
DH Public KeyPublic keyPublic key used for Diffie-Hellmanffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192SP 800-56Ar3 (Safe Primes) Section 5.6.1.1.4 Testing CandidatesN/A112-200 bits
DH Private KeyPrivate keyPrivate key used for Diffie-Hellman112-200 bits
EC Public KeyPublic keyPublic key used for ECDHP-256, P-384FIPS 186-4 Appendix B.4.2 Testing CandidatesN/A128, 192 bits
EC Private KeyPrivate keyPrivate key used for ECDH
Intermediate Key Generation ValueIntermediate valueTemporary value generated during Key Pair Generation services2048-8192 bitsCKGN/A112-200 bits
AES KeyRAMFree cipher handle Remove power from the moduleEncryption Decryption Authenticated Encryption Authenticated Decryption Message AuthenticationAPI input parameters AF_ALG type sockets (input) No outputFor the duration of the serviceCSPNone
HMAC KeyMessage Authentication Authenticated Encryption Authenticated DecryptionCSPNone
Shared SecretAutomatic Remove power from the moduleShared Secret ComputationNo input API output parameters, AF_ALG type sockets (output)CSPDH Public Key, DH Private Key, EC Public Key, EC Private Key
Entropy InputRandom Number GenerationNo input No outputFrom generation until DRBG Seed is createdCSPDRBG Seed

Amazon Linux 2023 Kernel Cryptographic API N/A D.L) D.L) (V, C) N/A N/A N/A N/A N/A N/A N/A Table 19 - SSP Information First © 2024 Amazon Web Services, Inc., atsec information security.

25 of 36
Page 26
Approved algorithm
NameUse Function
DRBG SeedDRBG SeedNo input No outputWhile the DRBG is instantiatedCSPEntropy Input, Internal State
Internal State (V, Key)Internal State (V, Key)No input No outputFrom DRBG instantiation until DRBG terminationCSPDRBG SeedFree cipher handle Remove power from the module
Internal State (V, C)Internal State (V, C)No input No outputCSPDRBG Seed
Shared Secret Computation Key Pair GenerationDH public KeyAPI input parameters AF_ALG type sockets (input) API output parameters AF_ALG type sockets (output)For the duration of the servicePSPDH Private Key, Shared Secret
Shared Secret Computation Key Pair GenerationDH private KeyCSPDH Public Key, Shared Secret
Shared Secret Computation Key Pair GenerationEC Public KeyPSPEC Private Key, Shared Secret
Shared Secret Computation Key Pair GenerationEC Private KeyCSPEC Public Key, Shared Secret
Key Pair GenerationIntermediate Key Generation ValueNo input No outputCSPDH Private Key, DH Public Key, EC Private Key, EC Public KeyAutomatic

Amazon Linux 2023 Kernel Cryptographic API (V, C) Table 20 - SSP Information Second 9.5 Transitions The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 will be withdrawn on February 3, 2024. © 2024 Amazon Web Services, Inc., atsec information security.

26 of 36
Page 27
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTest PropertiesIndicatorTest MethodCondition
HMAC-SHA-512HMAC-SHA-512Message AuthenticationSoftware integrityIntegrity test for vmlinuz and libkcapi componentsAVX2, C, CE128-bit keyModule becomes operational
RSARSASignature VerificationIntegrity test for kernel object filesCPKCS#1 v1.5 with SHA-512 4096-bit key
AES-CBCAES-CBC128, 192, 256-bit keysCASTEncryption DecryptionAESNI, C, CE, NEONModule is operationalKATModule initialization
AES-CBC-CS3AES-CBC-CS3128-bit keysAESNI, C, CE, NEON
AES-CCMAES-CCM128, 192, 256-bit keys 128-bit IVsAESNI, C, CE
AES-CFB128AES-CFB128128, 192, 256-bit keysAESNI, C, CE
AES-CMACAES-CMAC128, 256-bit keysMessage AuthenticationAESNI, C, CE, NEON
AES-CTRAES-CTR128, 192, 256-bit keysEncryption DecryptionAESNI, C, CE, NEON
AES-ECBAES-ECB128, 192, 256-bit keysAESNI, C, CE, NEON
AES-GCM (internal IV)AES-GCM (internal IV)128, 192, 256-bit keys 96-bit IVsEncryptionAESNI, C
AES-GCM (external IV)AES-GCM (external IV)128, 192, 256-bit keysDecryptionAESNI, C
AES-OFBAES-OFB128-bit keysEncryption DecryptionAESNI, C, CE
AES-XTSAES-XTS128, 256-bit keysAESNI, C, CE, NEON
CTR_DRBGCTR_DRBGAES-128, AES-192, AES-256 without prediction resistance AES-128 with prediction resistanceInstantiate Seed Reseed Generate (compliant to SP 800-90A Section 11.3)C
Hash_DRBGHash_DRBGSHA-256 with/without prediction resistanceC
HMAC_DRBGHMAC_DRBGSHA-256, SHA-512 without prediction resistance SHA-256 with prediction resistanceC
HMAC-SHA-1HMAC-SHA-132-64-bit keysMessage AuthenticationC, CE
HMAC-SHA-224HMAC-SHA-22432-1048-bit keysC, CE
HMAC-SHA-256HMAC-SHA-25632-64-bit keysC, CEBefore integrity test
HMAC-SHA-384HMAC-SHA-38432-1048-bit keysAVX2, C, CEModule
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTest PropertiesIndicatorTest MethodCondition
HMAC-SHA-512HMAC-SHA-512Message AuthenticationSoftware integrityIntegrity test for vmlinuz and libkcapi componentsAVX2, C, CE128-bit keyModule becomes operational
RSARSASignature VerificationIntegrity test for kernel object filesCPKCS#1 v1.5 with SHA-512 4096-bit key
AES-CBCAES-CBC128, 192, 256-bit keysCASTEncryption DecryptionAESNI, C, CE, NEONModule is operationalKATModule initialization
AES-CBC-CS3AES-CBC-CS3128-bit keysAESNI, C, CE, NEON
AES-CCMAES-CCM128, 192, 256-bit keys 128-bit IVsAESNI, C, CE
AES-CFB128AES-CFB128128, 192, 256-bit keysAESNI, C, CE
AES-CMACAES-CMAC128, 256-bit keysMessage AuthenticationAESNI, C, CE, NEON
AES-CTRAES-CTR128, 192, 256-bit keysEncryption DecryptionAESNI, C, CE, NEON
AES-ECBAES-ECB128, 192, 256-bit keysAESNI, C, CE, NEON
AES-GCM (internal IV)AES-GCM (internal IV)128, 192, 256-bit keys 96-bit IVsEncryptionAESNI, C
AES-GCM (external IV)AES-GCM (external IV)128, 192, 256-bit keysDecryptionAESNI, C
AES-OFBAES-OFB128-bit keysEncryption DecryptionAESNI, C, CE
AES-XTSAES-XTS128, 256-bit keysAESNI, C, CE, NEON
CTR_DRBGCTR_DRBGAES-128, AES-192, AES-256 without prediction resistance AES-128 with prediction resistanceInstantiate Seed Reseed Generate (compliant to SP 800-90A Section 11.3)C
Hash_DRBGHash_DRBGSHA-256 with/without prediction resistanceC
HMAC_DRBGHMAC_DRBGSHA-256, SHA-512 without prediction resistance SHA-256 with prediction resistanceC
HMAC-SHA-1HMAC-SHA-132-64-bit keysMessage AuthenticationC, CE
HMAC-SHA-224HMAC-SHA-22432-1048-bit keysC, CE
HMAC-SHA-256HMAC-SHA-25632-64-bit keysC, CEBefore integrity test
HMAC-SHA-384HMAC-SHA-38432-1048-bit keysAVX2, C, CEModule
HMAC-SHA-512HMAC-SHA-51232-1048-bit keysAVX2, C, CE, SSSE3initialization
HMAC-SHA3-224HMAC-SHA3-22432-1048-bit keysC, CE
HMAC-SHA3-256HMAC-SHA3-25632-1048-bit keysC, CE
HMAC-SHA3-384HMAC-SHA3-38432-1048-bit keysC, CE
HMAC-SHA3-512HMAC-SHA3-51232-1048-bit keysC, CE
KAS-ECC-SSCKAS-ECC-SSCP-256, P-384Shared Secret ComputationC
KAS-FFC-SSCKAS-FFC-SSCffdhe2048C
SHA-1SHA-10–8184-bit messagesMessage DigestAVX, AVX2, C, CE, SSSE3
SHA-224SHA-224ARM64, AVX, AVX2, C, CE, NEON, SSSE3
SHA-384SHA-384ARM64, AVX, AVX2, C, CE, SSSE3
SHA3-224SHA3-224C, CE
SHA3-256SHA3-256C, CE
SHA3-384SHA3-384C, CE
SHA3-512SHA3-512C, CE
RSARSAPKCS#1 v1.5 with SHA-256 4096-bit keySignature VerificationC
Safe PrimesSafe PrimesN/APCTSP 800-56Ar3 Section 5.6.2.1.4CKey Pair Generation is successfulPCTKey Pair Generation
ECECN/AC
Entropy SourceEntropy SourceCutoff C = 61 1024 samplesCASTEntropy source start-up testCEntropy source is operationalRCTEntropy source initialization
Cutoff C = 355 Window W = 512 1024 samplesCutoff C = 355 Window W = 512 1024 samplesAPT
Intermittent cutoff C = 31 Permanent cutoff C = 61Intermittent cutoff C = 31 Permanent cutoff C = 61Entropy source continuous testjent_kcapi_ran dom returns 0RCTContinuously
Intermittent cutoff C = 325 Permanent cutoff C = 355 Window W = 512Intermittent cutoff C = 325 Permanent cutoff C = 355 Window W = 512APT

Amazon Linux 2023 Kernel Cryptographic API

10 Self-Tests
10.1 Pre-Operational Self-Tests

C Table 21 - Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. While the module is executing the selftests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the preoperational self-tests are passed successfully.

10.2 Conditional Self-Tests

C C C © 2024 Amazon Web Services, Inc., atsec information security.

27 of 36
Page 28

Amazon Linux 2023 Kernel Cryptographic API C C C C N/A C N/A C 5.6.2.1.4 Table 22 - Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 22. Upon generation of a DH or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 22, which provides some assurance that the generated key pair is well formed. This test consists of the PCT described in Section 5.6.2.1.4 of SP 800-56Ar3. Data output through the data output interface is inhibited during the conditional self-tests. The module does not return control to the calling application until the tests are completed. If any of these tests fails, the module transitions to the error state (Section 10.4).

10.3 Periodic Self-Tests

The module does not implement periodic self-tests. © 2024 Amazon Web Services, Inc., atsec information security.

28 of 36
Page 29
Service
NameDescriptionRole AccessIndicatorRecovery Method
Error StateThe Linux kernel immediately stops executingAny self-test failureKernel panicRestart of the module

Amazon Linux 2023 Kernel Cryptographic API

10.4 Error States

Table 23 - Error States If the module fails any of the self-tests, the module enters the error state. In the error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

The software integrity tests, CASTs and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The PCTs can be invoked on demand by requesting the Key Pair Generation service. © 2024 Amazon Web Services, Inc., atsec information security.

29 of 36
Page 30

Amazon Linux 2023 Kernel Cryptographic API

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the Amazon Linux 2023 and SnowOS 1.0 package in the form of the kernel-6.1.41-64.118.amzn2023.rpm, kernel-6.1.41-64.118.fips.amzn2023.rpm, and libkcapihmaccalc-1.4.0-105.amzn2023.0.1.rpm packages.

11.2 Administrator Guidance

Before the RPM packages are installed, the Amazon Linux 2023 or SnowOS 1.0 system must operate in the approved mode. This can be achieved by switching the system into the approved mode after the installation. Execute the fips-mode-setup --enable command. Restart the system. More information can be found at the vendor documentation. The Crypto Officer must verify the Amazon Linux 2023 or SnowOS 1.0 system operates in the approved mode by executing the fips-mode-setup --check command, which should output “FIPS mode is enabled.” After installation of the RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Amazon Linux 2023 Kernel Cryptographic API Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapihmaccalc” commands. These commands must output the following (one line per output): EC2 c7g.metal: 6.1.41-64.118.amzn2023.aarch64 libkcapi-hmaccalc-1.4.0-105.amzn2023.0.1.aarch64 EC2 c6i.metal: 6.1.41-64.118.amzn2023.x86_64 libkcapi-hmaccalc-1.4.0-105.amzn2023.0.1.x86_64 AWS Snowball, AWS Snowblade, AWS Snowcone: 6.1.41-64.118.fips.amzn2023.x86_64 libkcapi-hmaccalc-1.4.0-105.amzn2023.0.1.x86_64

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life Procedures

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the RPM packages can be uninstalled from the Amazon Linux 2023 or SnowOS 1.0 system. © 2024 Amazon Web Services, Inc., atsec information security.

30 of 36
Page 31

Amazon Linux 2023 Kernel Cryptographic API

12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this section is not applicable. © 2024 Amazon Web Services, Inc., atsec information security.

31 of 36
Page 32
AESAdvanced Encryption Standard
AES-NIAdvanced Encryption Standard New Instructions
APIApplication Programming Interface
CASTCryptographic Algorithm Self-Test
CAVPCryptographic Algorithm Validation Program
CBCCipher Block Chaining
CCMCounter with Cipher Block Chaining-Message Authentication Code
CECryptography Extensions
CFBCipher Feedback
CKGCryptographic Key Generation
CMACCipher-based Message Authentication Code
CMVPCryptographic Module Validation Program
CSPCritical Security Parameter
CTRCounter
CTSCiphertext Stealing
DHDiffie-Hellman
DRBGDeterministic Random Bit Generator
ECBElectronic Code Book
ECDHElliptic Curve Diffie-Hellman
ECDSAElliptic Curve Digital Signature Algorithm
FIPSFederal Information Processing Standards
GCMGalois Counter Mode
GMACGalois Counter Mode Message Authentication Code
HKDFHMAC-based Key Derivation Function
HMACKeyed-Hash Message Authentication Code
IPsecInternet Protocol Security
KASKey Agreement Scheme
KATKnown Answer Test
KBKDFKey-based Key Derivation Function
KTSKey Transport Scheme

Amazon Linux 2023 Kernel Cryptographic API Appendix A. Glossary and Abbreviations © 2024 Amazon Web Services, Inc., atsec information security.

32 of 36
Page 33
MACMessage Authentication Code
NISTNational Institute of Science and Technology
OFBOutput Feedback
PAAProcessor Algorithm Acceleration
PBKDF2Password-based Key Derivation Function v2
PCTPair-Wise Consistency Test
PKCSPublic-Key Cryptography Standards
RSARivest, Shamir, Adleman
SHASecure Hash Algorithm
SSCShared Secret Computation
SSPSensitive Security Parameter
XTSXEX-based Tweaked-codebook mode with cipher text Stealing

Amazon Linux 2023 Kernel Cryptographic API KW Key Wrap © 2024 Amazon Web Services, Inc., atsec information security.

33 of 36
Page 34
Approved algorithm
NameUse Function
FIPS 140-3FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
FIPS 140-3 IGImplementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig- announcements
FIPS 180-4Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS 186-4Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS 186-5Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
FIPS 197Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
FIPS 198-1The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
FIPS 202SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
PKCS#1Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt
RFC 4106The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) June 2005 https://datatracker.ietf.org/doc/html/rfc4106
SP 800-38ARecommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP 800-38A AddendumRecommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf
SP 800-38BRecommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
SP 800-38CRecommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf
SP 800-38DRecommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
SP 800-38ERecommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
SP 800-38FRecommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
SP 800-56Ar3Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
SP 800-90Ar1Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
SP 800-90BRecommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf
SP 800-108r1NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
SP 800-131Ar2Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
SP 800-133r2Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf
SP 800-140Br1CMVP Security Policy Requirements November 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Br1.pdf

Amazon Linux 2023 Kernel Cryptographic API Appendix B. References © 2024 Amazon Web Services, Inc., atsec information security.

34 of 36
Page 35

Amazon Linux 2023 Kernel Cryptographic API © 2024 Amazon Web Services, Inc., atsec information security.

35 of 36
Page 36

Amazon Linux 2023 Kernel Cryptographic API © 2024 Amazon Web Services, Inc., atsec information security.

36 of 36

Referenced URLs