| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/30/2029 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Amazon Web Services Inc. |
flowchart LR
%% Deterministic review-risk graph for AWS-LC Cryptographic Module (static)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>upgrade</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for AWS-LC Cryptographic Module (static)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>upgrade</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Amazon Web Services Inc. AWS-LC Cryptographic Module (static) Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 7 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Modes List and Description | 8 |
| Table 5: Approved Algorithms | 23 |
| Table 6: Vendor-Affirmed Algorithms | 24 |
| Table 7: Non-Approved, Allowed Algorithms with No Security Claimed | 24 |
| Table 8: Non-Approved, Not Allowed Algorithms | 25 |
| Table 9: Security Function Implementations | 32 |
| Table 10: Ports and Interfaces | 36 |
| Table 11: Roles | 37 |
| Table 12: Approved Services | 42 |
| Table 13: Non-Approved Services | 43 |
| Table 14: EFP/EFT Information | 46 |
| Table 15: Hardness Testing Temperatures | 46 |
| Table 16: Storage Areas | 48 |
| Table 17: SSP Input-Output Methods | 48 |
| Table 18: SSP Zeroization Methods | 48 |
| Table 19: SSP Table 1 | 51 |
| Table 20: SSP Table 2 | 52 |
| Table 21: Pre-Operational Self-Tests | 54 |
| Table 22: Conditional Self-Tests | 55 |
| Table 23: Pre-Operational Periodic Information | 56 |
| Table 24: Conditional Periodic Information | 56 |
| Table 25: Error States | 57 |
| Figure 1: Block Diagram | 6 |
This document is the non-proprietary FIPS 140-3 Security Policy for version AWS-LC FIPS
2.0.0 of the AWS-LC Cryptographic Module (static). It contains the security rules under which
the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module.
Section Title Security Level
Overall Level 1 Table 1: Security Levels
This Security Policy describes the features and design of the module named AWS-LC Cryptographic Module (static) using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. intact and including this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
Purpose and Use: The AWS-LC Cryptographic Module (static) (hereafter referred to as “the module”) provides cryptographic services to applications running in the user space of the underlying operating system through a C language Application Program Interface (API). Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The block diagram in Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows). The cryptographic boundary is defined as the AWS-LC Cryptographic Module (static) which is a cryptographic library consisting of the bcm.o file (version AWS-LC FIPS 2.0.0). This file is statically linked to the userspace application during the compilation process. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP is the general-purpose computer on which the module is installed. Figure 1: Block Diagram
Identification Tested Module Identification
Platinum 8275CL bcm.o on Amazon Linux AWS-LC FIPS 2.0.0 N/A HMAC-SHA2-256
® Platinum 8275CL bcm.o on Ubuntu 22.04 AWS-LC FIPS 2.0.0 N/A HMAC-SHA2-256 with Intel ®Xeon ® Platinum 8275CL bcm.o on Amazon Linux AWS-LC FIPS 2.0.0 N/A HMAC-SHA2-256
bcm.o on Amazon Linux AWS-LC FIPS 2.0.0 N/A HMAC-SHA2-256
bcm.o on Ubuntu 22.04 AWS-LC FIPS 2.0.0 N/A HMAC-SHA2-256 with Gravition3 Table 2: Tested Module Identification
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS Amazon Amazon EC2 c7g.metal with 128 Graviton3 Yes N/A AWS-LC FIPS Linux 2023 GiB system memory and Elastic 2.0.0 Block Store (EBS) 200 GiB Ubuntu 22.04 Amazon EC2 c7g.metal with 128 Graviton3 Yes N/A AWS-LC FIPS GiB system memory and Elastic 2.0.0 Block Store (EBS) 200 GiB Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
The module does not claim any excluded components.
Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of Mode approved service is requested. the requested service. Non-approved Automatically entered whenever a non- Non- Equivalent to the indicator of Mode approved service is requested. Approved the requested service. Table 4: Modes List and Description Mode Change Instructions and Status: When the module starts up successfully, after passing the pre-operational self-test and the cryptographic algorithms self-tests (CASTs), the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in the Non-Approved Services table. The module will transition back to approved mode when approved service is called. Section 4 provides details on the service indicator implemented by the module. The service indicator identifies when an approved service is called. Degraded Mode Description: The module does not implement a degraded mode of operation.
Approved Algorithms: Algorithm CAVP Cert Properties Reference ECDSA KeyGen A4509 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A4509 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4509 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 Component - No ECDSA SigVer A4509 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1 ECDSA SigVer A4509 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 HMAC-SHA-1 A4509 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-224 A4509 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4509 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4509 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4509 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4509 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4509 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4509 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 KDF SSH (CVL) A4509 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4509 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4509 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4509 Key Generation Mode - probable FIPS 186-5 5) Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard
Algorithm CAVP Cert Properties Reference RSA SigGen (FIPS186- A4509 Modulo - 2048, 3072, 4096 FIPS 186-5
Algorithm CAVP Cert Properties Reference AES-ECB A4512 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4512 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4512 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-CBC A4513 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4513 Key Length - 128 SP 800-38C AES-CMAC A4513 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CTR A4513 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4513 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4513 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A4513 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-XTS Testing A4513 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 Counter DRBG A4513 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No AES-ECB A4514 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4514 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4514 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-CBC A4515 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4515 Key Length - 128 SP 800-38C AES-CMAC A4515 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CTR A4515 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4515 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4515 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A4515 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256
Algorithm CAVP Cert Properties Reference AES-XTS Testing A4515 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 Counter DRBG A4515 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No AES-ECB A4516 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4516 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4516 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 ECDSA KeyGen A4517 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A4517 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4517 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 Component - No ECDSA SigVer A4517 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1 ECDSA SigVer A4517 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 HMAC-SHA-1 A4517 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-224 A4517 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4517 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4517 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4517 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4517 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4517 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4517 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512
Algorithm CAVP Cert Properties Reference KDF SSH (CVL) A4517 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4517 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4517 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4517 Key Generation Mode - probable FIPS 186-5
Algorithm CAVP Cert Properties Reference HMAC-SHA2-224 A4518 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4518 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4518 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4518 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4518 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4518 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4518 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 KDF SSH (CVL) A4518 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4518 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4518 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4518 Key Generation Mode - probable FIPS 186-5
Algorithm CAVP Cert Properties Reference SHA2-512 A4518 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4518 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 AES-CBC A4519 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4519 Key Length - 128 SP 800-38C AES-CMAC A4519 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CTR A4519 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4519 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4519 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A4519 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-XTS Testing A4519 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 Counter DRBG A4519 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No AES-ECB A4520 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4520 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4520 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-ECB A4521 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4521 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4521 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-ECB A4522 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4522 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4522 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal
Algorithm CAVP Cert Properties Reference IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-CBC A4523 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4523 Key Length - 128 SP 800-38C AES-CMAC A4523 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CTR A4523 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4523 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4523 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A4523 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-XTS Testing A4523 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 Counter DRBG A4523 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No AES-ECB A4524 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4524 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4524 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-ECB A4525 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4525 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4525 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-ECB A4526 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4526 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4526 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-CBC A4527 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256
Algorithm CAVP Cert Properties Reference AES-CCM A4527 Key Length - 128 SP 800-38C AES-CMAC A4527 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CTR A4527 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4527 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4527 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A4527 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-XTS Testing A4527 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 Counter DRBG A4527 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No AES-ECB A4528 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4528 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4528 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-ECB A4529 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4529 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4529 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-ECB A4530 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4530 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 AES-GMAC A4530 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 256 ECDSA KeyGen A4531 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A4531 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4531 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-
Algorithm CAVP Cert Properties Reference 384, SHA2-512 Component - No ECDSA SigVer A4531 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1 ECDSA SigVer A4531 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 HMAC-SHA-1 A4531 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-224 A4531 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4531 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4531 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4531 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4531 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4531 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4531 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 KDF SSH (CVL) A4531 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4531 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4531 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4531 Key Generation Mode - probable FIPS 186-5
Algorithm CAVP Cert Properties Reference SHA2-224 A4531 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4531 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4531 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4531 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4531 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 ECDSA KeyGen A4532 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A4532 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4532 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 Component - No ECDSA SigVer A4532 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1 ECDSA SigVer A4532 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 HMAC-SHA-1 A4532 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-224 A4532 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4532 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4532 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4532 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4532 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4532 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4532 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512
Algorithm CAVP Cert Properties Reference KDF SSH (CVL) A4532 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4532 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4532 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4532 Key Generation Mode - probable FIPS 186-5
Algorithm CAVP Cert Properties Reference HMAC-SHA2-224 A4533 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4533 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4533 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4533 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4533 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4533 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4533 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 KDF SSH (CVL) A4533 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4533 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4533 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4533 Key Generation Mode - probable FIPS 186-5
Algorithm CAVP Cert Properties Reference SHA2-512 A4533 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4533 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 ECDSA KeyGen A4534 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A4534 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A4534 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 Component - No ECDSA SigVer A4534 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1 ECDSA SigVer A4534 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 HMAC-SHA-1 A4534 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-224 A4534 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-256 A4534 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-384 A4534 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512 A4534 Key Length - Key Length: 112-524288 Increment FIPS 198-1 HMAC-SHA2-512/256 A4534 Key Length - Key Length: 112-524288 Increment FIPS 198-1 KAS-ECC-SSC Sp800- A4534 Domain Parameter Generation Methods - P-224, SP 800-56A 56Ar3 P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A4534 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 KDF SSH (CVL) A4534 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, Rev. 1 SHA2-384, SHA2-512 KDF TLS (CVL) A4534 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A4534 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen (FIPS186- A4534 Key Generation Mode - probable FIPS 186-5 5) Modulo - 2048, 3072, 4096
Algorithm CAVP Cert Properties Reference Primality Tests - 2powSecStr Private Key Format - standard RSA SigGen (FIPS186- A4534 Modulo - 2048, 3072, 4096 FIPS 186-5
Name Properties Implementation Reference EC (FIPS 186-5):P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength. Cryptographic Key RSA (FIPS 186-5):2048, 3072, AWS-LC Cryptographic SP 800-133Rev2 Generation (CKG) 4096 bits with 112, 128, 149 bits Module (static build) section 5.1 and of key strength. (SHA_AVX2) 5.2 EC (FIPS 186-5):P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength. Cryptographic Key RSA (FIPS 186-5):2048, 3072, AWS-LC Cryptographic SP 800-133Rev2 Generation (CKG) 4096 bits with 112, 128, 149 bits Module (static build) section 5.1 and of key strength. (SHA_AVX) 5.2 EC (FIPS 186-5):P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength. Cryptographic Key RSA (FIPS 186-5):2048, 3072, AWS-LC Cryptographic SP 800-133Rev2 Generation (CKG) 4096 bits with 112, 128, 149 bits Module (static build) section 5.1 and of key strength. (SHA_SSSE3) 5.2 EC (FIPS 186-5):P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength. Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed per IG 2.4.A Message Digest used in TLS 1.0/1.1 KDF only Table 7: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Name Use and Function AES with OFB or CFB1, CFB8 modes Encryption, Decryption AES GCM, GCM, GMAC, XTS with keys not listed in Table 5 Encryption, Decryption AES using aes_*_generic function Encryption, Decryption AES GMAC using aes_*_generic Message Authentication Generation Curve secp256k1 Signature Generation, Signature Verification, Shared Secret Computation Diffie Hellman Shared Secret Computation HMAC-MD4, HMAC-MD5, HMAC-SHA1, HMAC-SHA-3, HMAC- Message Authentication Generation RIPEMD-160 MD4 Message Digest
Name Use and Function MD5 (outside of TLS) Message Digest RSA using RSA_generate_key_ex Key Generation ECDSA using EC_KEY_generate_key Key Generation RSA using keys less than 2048 bits Signature Generation RSA using keys less than 1024 bits Signature Verification RSA without hashing Sign/Verify primitive operations RSA encryption primitive with PKCS#1 v1.5 and OAEP padding Encryption SHA-1, SHA-3 Signature Generation SHAKE, RIPEMD-160, SHA-3 Message Digest TLS KDF using any SHA algorithms other than SHA2-256, Key Derivation SHA2-384, SHA2-512; or TLS KDF using non-extended master secret RSA Key Encapsulation/Un-encapsulation Table 8: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Shared Secret KAS-SSC Shared secret Curves:P-224, P-256, KAS-ECC-SSC Computation with EC computation per P-384, P-521 elliptic Sp800-56Ar3 Diffie-Hellman SP 800-56ARev3 curves with 112-256 KAS-ECC-SSC bits of key strength Sp800-56Ar3 Compliance:Compliant KAS-ECC-SSC with IG D.F scenario Sp800-56Ar3 2(1) KAS-ECC-SSC Sp800-56Ar3 KAS-ECC-SSC Sp800-56Ar3 KAS-ECC-SSC Sp800-56Ar3 KAS-ECC-SSC Sp800-56Ar3 Key KTS-Wrap Key wrapping, key Keys:128, 192, 256 AES-KW Wrapping/Unwrapping unwrapping using bits with 128-256 bits AES-KWP with AES KW, AES- AES KW/KWP of key strength AES-KW KWP Compliance:Compliant AES-KWP with IG D.G AES-KW AES-KWP AES-KW AES-KWP AES-KW AES-KWP AES-KW AES-KWP Key KTS-Wrap Key wrapping, key Keys:128 and 256 bits AES-GCM Wrapping/Unwrapping unwrapping using with 128 and 256 bits AES-GCM with AES GCM AES GCM of key strength AES-GCM Compliance: AES-GCM Compliant with IG D.G AES-GCM AES-GCM AES-GCM
Name Type Description Properties Algorithms AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Key KTS-Wrap Key wrapping, key Keys:128 bits with AES-CCM Wrapping/Unwrapping unwrapping using 128 bits of key AES-CCM with AES CCM AES CCM strength AES-CCM Compliance:Compliant AES-CCM with IG D.G AES-CCM AES-CCM Encryption/Decryption BC-UnAuth Encryption, Keys:128, 192, 256 AES-CBC with AES decryption using bits keys with 128- AES-CTR AES 256 of key strength AES-ECB AES-XTS Testing Revision 2.0 AES-ECB AES-ECB AES-CBC AES-CTR AES-ECB AES-XTS Testing Revision 2.0 AES-ECB AES-CBC AES-CTR AES-ECB AES-XTS Testing Revision 2.0 AES-ECB AES-CBC AES-CTR AES-ECB AES-XTS Testing Revision 2.0 AES-ECB AES-ECB AES-ECB AES-CBC AES-CTR AES-ECB AES-XTS Testing Revision 2.0 AES-ECB AES-ECB AES-ECB AES-CBC AES-CTR AES-ECB AES-XTS Testing Revision 2.0 AES-ECB AES-ECB AES-ECB Signature Generation DigSig-SigGen Digital signature Keys:2048, 3072, RSA SigGen with RSA generation using 4096 bits with 112- (FIPS186-5) RSA 150 bits of strength RSA SigGen
Name Type Description Properties Algorithms (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) RSA SigGen (FIPS186-5) Signature Generation DigSig-SigGen Digital signature Curves:P-224, P-256, ECDSA SigGen with ECDSA generation using P-384, P-521 with (FIPS186-5) ECDSA 112-256 bits of key ECDSA SigGen strength (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) ECDSA SigGen (FIPS186-5) Key Generation with AsymKeyPair- Key generation Keys:2048, 3072, RSA KeyGen RSA KeyGen using RSA 4096 bits key with (FIPS186-5) 112-150 bits of RSA KeyGen strength (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) RSA KeyGen (FIPS186-5) Key Generation with AsymKeyPair- Key generation Curves:P-224, P-256, ECDSA KeyGen ECDSA KeyGen using ECDSA P-384, P-521 with (FIPS186-5) 112-256 bits of ECDSA KeyGen strength (FIPS186-5) ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) ECDSA KeyGen (FIPS186-5) Signature Verification DigSig-SigVer Signature Curves:P-224, P-256, ECDSA SigVer with ECDSA verification using P-384, P-521 with (FIPS186-4) ECDSA 112-256 bits of ECDSA SigVer strength (FIPS186-4)
Name Type Description Properties Algorithms ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) ECDSA SigVer (FIPS186-5) Signature Verification DigSig-SigVer Signature Keys:1024, 2048, RSA SigVer with RSA verification using 3072, 4096 bits with (FIPS186-4) RSA 80-150 bits of RSA SigVer strength (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-5) Key Verification with AsymKeyPair- Key verification Curves:P-224, P-256, ECDSA KeyVer ECDSA KeyVer using ECDSA P-384, P-521 with (FIPS186-5) 112-256 bits of ECDSA KeyVer strength (FIPS186-5) ECDSA KeyVer (FIPS186-5)
Name Type Description Properties Algorithms ECDSA KeyVer (FIPS186-5) ECDSA KeyVer (FIPS186-5) ECDSA KeyVer (FIPS186-5) ECDSA KeyVer (FIPS186-5) Key Derivation with KAS-135KDF Key derivation Derived keys:112 to KDF TLS TLS KDF using TLS KDF 256 bits KDF TLS KDF TLS KDF TLS KDF TLS KDF TLS KDF TLS Key Derivation with KAS-135KDF Key derivation SSH Derived keys:112 KDF SSH SSH KDF using SSH KDF to 256 bits KDF SSH KDF SSH KDF SSH KDF SSH KDF SSH KDF SSH Key Derivation with KAS-56CKDF Key derivation Derived keys:112 to KDA HKDF Sp800KDA HKDF using KDA HKDF 256 bits 56Cr1 KDA HKDF Sp80056Cr1 KDA HKDF Sp80056Cr1 KDA HKDF Sp80056Cr1 KDA HKDF Sp80056Cr1 KDA HKDF Sp80056Cr1 KDA HKDF Sp80056Cr1 Key Derivation with PBKDF Key derivation Derived keys:112 to PBKDF PBKDF using PBKDF 256 bits PBKDF PBKDF PBKDF PBKDF PBKDF PBKDF Message Digest with SHA Message digest SHA-1 SHA using SHA SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 SHA-1 SHA2-224
Name Type Description Properties Algorithms SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256 Random Number DRBG Random number Compliance:Compliant Counter DRBG Generation with generation using with SP800-90ARev1 Counter DRBG DRBG DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Message MAC Message SHA algorithm:SHA-1, HMAC-SHA-1 Authentication authentication SHA2-224, SHA2-256, HMAC-SHA2-224 Generation with generation using SHA2-384, SHA2-512, HMAC-SHA2-256 HMAC HMAC SHA2-512/256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256
Name Type Description Properties Algorithms HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2512/256 Message MAC Message Keys:128 or 256 bits AES-CMAC Authentication authentication with 128 or 256 bits AES-GMAC Generation with AES generation using of strength AES-GMAC AES CMAC/GMAC AES-CMAC AES-GMAC AES-CMAC AES-GMAC AES-CMAC AES-GMAC AES-GMAC AES-GMAC AES-CMAC AES-GMAC AES-GMAC AES-GMAC AES-CMAC AES-GMAC AES-GMAC AES-GMAC Authenticated BC-Auth Authenticated Keys:128 bits with AES-CCM Encryption/Decryption encryption and 128 bits of strength AES-CCM with AES CCM decryption using AES-CCM AES CCM AES-CCM AES-CCM AES-CCM Authenticated BC-Auth Authenticated Keys:128 or 256 bits AES-GCM Encryption/Decryption encryption and with 128 or 256 bits AES-GCM with AES GCM decryption using of strength AES-GCM AES GCM Authenticated AES-GCM Encryption:Internal IV AES-GCM Mode 8.2.2 AES-GCM Authenticated AES-GCM Decryption:External IV AES-GCM
Name Type Description Properties Algorithms AES-GCM AES-GCM AES-GCM AES-GCM Table 9: Security Function Implementations
GCM IV The module offers three AES GCM implementations. The GCM IV generation for these implementations complies respectively with IG C.H under Scenario 1, Scenario 2, and Scenario 5. The GCM shall only be used in the context of the AES-GCM encryption executing under each scenario, and using the referenced APIs explained next. Scenario 1, TLS 1.2 For TLS 1.2, the module offers the GCM implementation via the functions EVP_aead_aes_128_gcm_tls12() and EVP_aead_aes_256_gcm_tls12(), and uses the context of Scenario 1 of IG C.H. The module is compliant with SP800-52rev2 and the mechanism for IV generation is compliant with RFC5288. The module supports acceptable AES-GCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 2^{64-1} for a given session key. If this exhaustion condition is observed, the module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Scenario 2, Random IV In this implementation, the module offers the interfaces EVP_aead_aes_128_gcm_randnonce() and EVP_aead_aes_256_gcm_randnonce() for compliance with Scenario 2 of IG C.H and SP800-38D Section 8.2.2. The AES-GCM IV is generated randomly internal to the module using module’s approved DRBG. The DRBG seeds itself from the entropy source. The GCM IV is 96 bits in length. Per Section 9, this 96bit IV contains 96 bits of entropy. Scenario 5, TLS 1.3 August 2018, using the ciphersuites that explicitly select AES-GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES-GCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module implements, within its boundary, an IV generation unit for TLS 1.3 that keeps control of the 64-bit counter value within the AES-GCM IV. If the exhaustion condition is observed, the module will return an error indication to the calling application, who will then need to either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection.
In the event the module’s power is lost and restored, the consuming application must ensure that new AES-GCM keys encryption or decryption under this scenario are established. TLS
1.3 provides session resumption, but the resumption procedure derives new AES-GCM
encryption keys. AES XTS The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. Key Derivation using SP 800-132 PBKDF2 The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
N/A for this module. N/A for this module. The module provides an SP800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) using CTR_DRBG mechanism with AES-256 for generation of key components of asymmetric keys, and random number generation. The DRBG is seeded with 256-bit of entropy input provided from an external entity to the module. This corresponds to scenario 2 (b) of IG 9.3.A i.e., the DRBG that receives a LOAD command with entropy obtained from inside the physical perimeter of the operational environment but outside of module's cryptographic boundary. The calling application shall use an entropy source that meets the security strength required for the CTR_DRBG as shown in NIST SP 800-90Arev1, Table 3 and should return an error if minimum strength cannot be met. Per the IG 9.3.A requirement, the module includes the caveat "No assurance of the minimum strength of generated keys".
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133Rev2. When random values are required, they are obtained from the SP 800-90ARev1 approved DRBG, compliant with Section 4 of SP 800-133Rev2. The following methods are implemented: ECDSA (FIPS 186-5, A.2.2 Rejection Sampling): P-224, P-256, P 384, P-521 elliptic curves with 112-256 bits of key strength. RSA (FIPS 186-5, A.1.3 Random Probable Primes): 2048, 3072, 4096 bits with 112, 128, 149 bits of key strength. Additionally, the module implements the following key derivation methods per SP800133Rev2 section 6.2: KDA HKDF (SP 800-56CRev1): 112-256 bits of key strength, using (HMAC) SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512. PBKDF (SP 800-133Rev2, option 1a): 112-256 bits of key strength, using (HMAC) SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512. SSH KDF (SP 800-135Rev1): 112-256 bits of key strength, using AES-128, AES-192, AES-256 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512. KDF TLS (SP 800-135Rev1): 112-256 bits of key strength, using SHA2-256, SHA2-384, SHA2512.
The module implements SSP agreement and SSP transport methods as listed in the Security Function Implementations table.
The module implements the SSH key derivation function for use in the SSH protocol (RFC
GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. No parts of the SSH, TLS, other than those mentioned above, have been tested by the CAVP and CMVP.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters for data. N/A Data Output API output parameters for data. N/A Control Input API function calls. N/A Status Output API return codes, error message. Table 10: Ports and Interfaces As a Software module, the module interfaces are defined as Software or Firmware Module Interfaces (SMFI), and there are no physical ports. The module does not implement a control output interface.
N/A for this module. The module does not support authentication.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 11: Roles The module does not support concurrent operators.
Name Description Indicator Inputs Outputs Security SSP Functions Access Encryption Encryption Return value 1 AES key, Ciphertext Encryption/Decrypt Crypto from the plaintext ion with AES Officer function: FIPS_ - AES Key: service_ W,E indicator_ check_approve d() Decryption Decryption Return value 1 AES key, Plaintext Encryption/Decrypt Crypto from the ciphertext ion with AES Officer function: FIPS_ - AES Key: service_ W,E indicator_ check_approve d() Authenticate Authenticated Return value 1 AES key, Ciphertext Authenticated Crypto d Encryption Encryption from the plaintext Encryption/Decrypt Officer function: FIPS_ ion with AES CCM - AES Key: service_ Authenticated W,E indicator_ Encryption/Decrypt check_approve ion with AES GCM d() Authenticate Authenticated Return value 1 AES key, Plaintext Authenticated Crypto d Decryption Decryption from the ciphertext Encryption/Decrypt Officer function: FIPS_ ion with AES CCM - AES Key: service_ Authenticated W,E indicator_ Encryption/Decrypt check_approve ion with AES GCM d() Key Encrypting a key Return value 1 AES key Wrapped Key Crypto Wrapping from the wrapping key Wrapping/Unwrapp Officer function: FIPS_ key, Key ing with AES KW, - AES Key: service_ AES-KWP W,E
Name Description Indicator Inputs Outputs Security SSP Functions Access indicator_ to be Key check_approve wrapped Wrapping/Unwrapp d() ing with AES GCM Key Wrapping/Unwrapp ing with AES CCM Key Decrypting a key Return value 1 AES key Unwrappe Key Crypto unwrapping from the unwrappi d key Wrapping/Unwrapp Officer function: FIPS_ ng key, ing with AES KW, - AES Key: service_ Key to be AES-KWP W,E indicator_ unwrappe Key check_approve d Wrapping/Unwrapp d() ing with AES GCM Key Wrapping/Unwrapp ing with AES CCM Message MAC computation Return value 1 AES key MAC tag Message Crypto Authenticati from the or HMAC Authentication Officer on function: FIPS_ key, Generation with - HMAC Generation service_ message HMAC Key: W,E indicator_ Message check_approve Authentication d() Generation with AES Message Generating Return value 1 Message Message Message Digest Crypto Digest message digest from the digest with SHA Officer function: FIPS_ service_ indicator_ check_approve d() Random Generating Return value 1 Output Random Random Number Crypto Number random numbers from the length bytes Generation with Officer Generation function: FIPS_ DRBG - Entropy service_ Input: W,E indicator_ - DRBG check_approve Seed: G,E d() - DRBG Internal State (V, Key): G,W,E Key Generating a key Return value 1 Modulus RSA public Key Generation Crypto Generation pair from the size / key, RSA with RSA Officer function: FIPS_ Curve private Key Generation - RSA service_ key / EC with ECDSA Public Key indicator_ public : G,R check_approve key, EC - RSA d() private Private key Key: G,R - EC Public Key: G,R - EC Private Key: G,R
Name Description Indicator Inputs Outputs Security SSP Functions Access Key Verifying the Return value 1 Public key Success/ Key Verification Crypto Verification public key from the error with ECDSA Officer function: FIPS_ - EC Public service_ Key: W,E indicator_ check_approve d() Signature Generating Return value 1 Message, Digital Signature Crypto Generation signature from the EC private signature Generation with Officer function: FIPS_ key or RSA - RSA service_ RSA Signature Private indicator_ private Generation with Key: W,E check_approve key ECDSA - EC d() Private Key: W,E Signature Verifying Return value 1 Signature, Digital Signature Crypto Verification signature from the EC public signature Verification with Officer function: FIPS_ key or verificatio ECDSA - RSA service_ RSA n result Signature Public Key indicator_ public key Verification with : W,E check_approve RSA - EC Public d( Key: W,E Shared Calculating the Return value 1 EC public Shared Shared Secret Crypto Secret Shared Secret from the key, EC Secret Computation with Officer Computation function: FIPS_ private EC Diffie-Hellman - EC Public service_ key Key: W,E indicator_ - EC check_approve Private d() Key: W,E - Shared Secret: G,R Key Deriving Keys Return value 1 TLS Pre- TLS Key Derivation with Crypto Derivation from the Master Master TLS KDF Officer with TLS function: FIPS_ Secret / secret / - TLS PreKDF service_ TLS TLS Master indicator_ Master Derived Secret: check_approve Secret Key W,E d() (AES/HMA - TLS C) Master Secret : G,W,E - TLS Derived Key (AES/HMAC ): G Key Deriving Keys Return value 1 Password, PBKDF Key Derivation with Crypto Derivation from the salt, Derived PBKDF Officer with PBKDF function: FIPS_ iteration Key - PBKDF service_ count Derived indicator_ Key: G,R check_approve d() Password: W,E
Name Description Indicator Inputs Outputs Security SSP Functions Access Key Deriving Keys Return value 1 Shared KDA Key Derivation with Crypto Derivation from the Secret, Derived KDA HKDF Officer with KDA function: FIPS_ Key Key - KDA HKDF service_ Length, Derived indicator_ Digest Key: G,R check_approve - Shared d() Secret: W,E Key Deriving Keys Return value 1 Shared SSH Key Derivation with Crypto Derivation from the Secret, Derived SSH KDF Officer with SSH function: FIPS_ Key Key - SSH KDF service_ Length Derived indicator_ Key: G,R check_approve - Shared d() Secret: W,E Zeroization Zeroize SSP in N/A SSP N/A None Crypto volatile memory Officer - AES Key: Z - HMAC Key: Z - Entropy Input: Z - DRBG Seed: Z - DRBG Internal State (V, Key): Z - RSA Public Key :Z - RSA Private Key: Z - RSA Private Key: Z - EC Public Key: Z - EC Private Key: Z - Shared Secret: Z - TLS PreMaster Secret: Z - TLS Master Secret : Z - TLS Derived Key (AES/HMAC ): Z
Name Description Indicator Inputs Outputs Security SSP Functions Access - TLS Derived Key (AES/HMAC ): Z Password: Z Intermedia te Key Generation Value: Z On-Demand Initiate power-on N/A N/A Pass or Shared Secret Crypto Self-test self-tests by reset fail Computation with Officer EC Diffie-Hellman Key Wrapping/Unwrapp ing with AES KW, AES-KWP Key Wrapping/Unwrapp ing with AES GCM Key Wrapping/Unwrapp ing with AES CCM Encryption/Decrypt ion with AES Signature Generation with RSA Signature Generation with ECDSA Key Generation with RSA Key Generation with ECDSA Key Generation with RSA Signature Verification with ECDSA Signature Verification with RSA Key Verification with ECDSA Key Derivation with TLS KDF Key Derivation with SSH KDF Key Derivation with KDA HKDF Key Derivation with PBKDF Message Digest
Name Description Indicator Inputs Outputs Security SSP Functions Access with SHA Random Number Generation with DRBG Message Authentication Generation with HMAC Message Authentication Generation with AES Authenticated Encryption/Decrypt ion with AES CCM Authenticated Encryption/Decrypt ion with AES GCM On-Demand Initiate integrity N/A N/A Pass or Message Crypto Integrity test on-demand fail Authentication Officer Test Generation with HMAC Show Status Show status of N/A N/A Module None Crypto the module state status Officer Show Show the version N/A N/A Module None Crypto Version of the module name and Officer using version awslc_version_stri ng Table 12: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
int after = FIPS_service_indicator_after_call();
Name Description Algorithms Role Encryption Encryption AES with OFB or CFB1, CFB8 modes CO AES GCM, GCM, GMAC, XTS with keys not listed in Table AES using aes_*_generic function AES GMAC using aes_*_generic RSA encryption primitive with PKCS#1 v1.5 and OAEP padding Decryption Decryption AES with OFB or CFB1, CFB8 modes CO AES GCM, GCM, GMAC, XTS with keys not listed in Table AES using aes_*_generic function AES GMAC using aes_*_generic Message MAC computation AES GMAC using aes_*_generic CO Authentication HMAC-MD4, HMAC-MD5, HMAC-SHA1, HMAC-SHA-3, Generation HMAC-RIPEMD-160 Message Digest Generating MD4 CO message digest MD5 (outside of TLS) SHAKE, RIPEMD-160, SHA-3 Signature Generation Generating RSA using keys less than 2048 bits CO signatures RSA without hashing SHA-1, SHA-3 Signature Verification Verifying RSA using keys less than 1024 bits CO signatures RSA without hashing Key Generation Generating key RSA using RSA_generate_key_ex CO pair ECDSA using EC_KEY_generate_key Shared Secret Calculating Curve secp256k1 CO Computation shared secret Diffie Hellman Key Derivation Deriving TLS TLS KDF using any SHA algorithms other than SHA2- CO keys 256, SHA2-384, SHA2-512; or TLS KDF using nonextended master secret Key Encapsulation Encrypting a key RSA CO Key Un- Decrypting a key RSA CO encapsulation Table 13: Non-Approved Services
The module does not support loading of external software or firmware.
The integrity of the module is verified by comparing a HMAC value calculated at run time on the bcm.o file, with the HMAC-SHA2-256 value stored within the module that was computed at build time.
The module provides on-demand integrity test. The integrity test can be performed on demand by reloading the module. Additionally, the integrity test can be performed using the On-Demand Integrity Test service, which calls the BORINGSSL_integrity_test function.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module should be compiled and installed as stated in section 11. The user should confirm that the module is installed correctly by following steps 4 and 5 listed in section 11.
Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.
N/A for this module. The module is comprised of software only and therefore this section is not applicable.
Temp/Voltage Temperature EFP Result Type or Voltage or EFT LowTemperature HighTemperature LowVoltage HighVoltage Table 14: EFP/EFT Information
Temperature Temperature Type LowTemperature HighTemperature Table 15: Hardness Testing Temperatures
The module claims no non-invasive security techniques.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. Dynamic The module does not perform persistent storage of SSPs Table 16: Storage Areas
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling Cryptographic Plaintext Manual Electronic parameters application (TOEPP) module API output Cryptographic Operator calling Plaintext Manual Electronic parameters module application (TOEPP) Table 17: SSP Input-Output Methods The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment. The SSPs are provided to the module via API input parameters in the plaintext form and output via API output parameters in the plaintext form to and from the calling application running on the same operational environment.
Zeroization Description Rationale Operator Initiation Method Free Cipher Zeroizes the SSPs Memory occupied by By calling the appropriate zeroization Handle contained within SSPs is overwritten functions: OpenSSL_cleanse, the cipher handle. with zeroes, which EVP_CIPHER_CTX_cleanup, renders the SSP values EVP_AEAD_CTX_zero, HMAC_CTX_cleanup, irretrievable. CTR_DRBG_clear, RSA_free, EC_KEY_free Module Reset De-allocates the Volatile memory used By unloading and reloading the module. volatile memory by the module is used to store overwritten within SSPs nanoseconds when power is removed. Automatically Automatically Memory occupied by N/A zeroized when no SSPs is overwritten longer needed with zeros, which renders the SSP values irretrievable. Table 18: SSP Zeroization Methods
Name Description Size - Type - Generate Establishe Used By Strengt Category d By d By h AES Key AES key used 128-256 Symmetric Key for bits - key - CSP Wrapping/Unwrappin encryption, 128-256 g with AES KW, AESdecryption, bits KWP and Key computing Wrapping/Unwrappin MAC tags g with AES GCM Key Wrapping/Unwrappin g with AES CCM Encryption/Decryptio n with AES Message Authentication Generation with AES Authenticated Encryption/Decryptio n with AES CCM Authenticated Encryption/Decryptio n with AES GCM HMAC Key HMAC key for 112- Authenticatio Message Message 524288 n key - CSP Authentication Authenticatio bits - Generation with n Generation 112-256 HMAC bits Entropy Entropy input 256 bits Entropy - CSP Random Number Input used to seed - 256 bits Generation with the DRBGs DRBG DRBG Seed DRBG seed 256 bits DRBG seed - Random Random Number derived from - 256 bits CSP Number Generation with entropy input Generation DRBG as defined in with DRBG SP 800-90Ar1 DRBG Internal state 256 bits - Internal state Random Random Number Internal of CTR_DRBG 256 bits - CSP Number Generation with State (V, Generation DRBG Key) with DRBG RSA Public RSA public 1024, Public key - Key Key Generation with Key key used for 2048, PSP Generation RSA RSA key 3072, with RSA Signature Verification generation, 4096 bits with RSA signature - 80-150 verification bits RSA Private RSA private 2048, Private key - Key Signature Generation Key key used for 3072, CSP Generation with RSA RSA key 4096 bits with RSA Key Generation with generation, - 112-150 RSA signature bits generation
Name Description Size - Type - Generate Establishe Used By Strengt Category d By d By h EC Public EC public key P-224, P- Public key - Key Shared Secret Key used for EC 256, P- PSP Generation Computation with EC key 384, P- with ECDSA Diffie-Hellman generation, 521 - Key Generation with key 112-256 ECDSA verification, bits Signature Verification signature with ECDSA verification, shared secret computation EC Private EC private key P-224, P- Private key - Key Shared Secret Key used for EC 256, P- CSP Generation Computation with EC key 384, P- with ECDSA Diffie-Hellman generation, 521 - Signature Generation key 112-256 with ECDSA verification, bits Key Generation with signature ECDSA generation, shared secret computation Shared Shared Secret P-224, P- Shard secret - Shared Key Derivation with Secret generated by 256, P- CSP Secret TLS KDF KAS-ECC-SSC 384, P- Computation Key Derivation with
112-256 Diffie- Key Derivation with bits Hellman KDA HKDF TLS Pre- TLS Pre- 112-256 TLS pre- Key Derivation with Master Master secret bits - N/A master secret TLS KDF Secret used for - CSP Key Derivation with deriving the KDA HKDF TLS Master Secret TLS Master TLS Master 384 bits - TLS master Key Key Derivation with Secret secret used N/A secret - CSP Derivation TLS KDF for deriving with TLS Key Derivation with the TLS KDF KDA HKDF Derived Key Key Derivation with KDA HKDF TLS Derived TLS Derived AES: 128- Symmetric Key Key Derivation with Key Key from TLS 256 bits key - CSP Derivation TLS KDF (AES/HMAC) Master Secret HMAC: with TLS
KDA Derived KDA HKDF 112 to Symmetric Key Key Derivation with Key derived key 256 bits - key - CSP Derivation KDA HKDF N/A with KDA HKDF
Name Description Size - Type - Generate Establishe Used By Strengt Category d By d By h SSH Derived SSH KDF 112 to Symmetric Key Key Derivation with Key derived key 256 bits - key - CSP Derivation SSH KDF N/A with SSH KDF PBKDF PBKDF 112 to Symmetric Key Key Derivation with Derived Key derived key 256 bits - key - CSP Derivation PBKDF N/A with PBKDF Password Password for 112- Password - Key Derivation with PBKDF 524288 CSP PBKDF bits - N/A Intermediat Intermediate 224-4096 Intermediate Key Key Generation with e Key key bits - value - CSP Generation ECDSA Generation generation 112-256 with RSA Key Generation with Value value bits Key RSA Generation with ECDSA Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES Key API input RAM:Plaintext From service Free Cipher parameters invocation to Handle API output service Module Reset parameters completion HMAC Key API input RAM:Plaintext From service Free Cipher parameters invocation to Handle API output service Module Reset parameters completion Entropy Input API input RAM:Plaintext from service Automatically DRBG parameters invocation to Seed:Generation Of service completion DRBG Seed RAM:Plaintext from service Automatically Entropy invocation to Input:Derived From service completion DRBG Internal from service Automatically DRBG Seed:Derived State (V, Key) invocation to From service completion RSA Public Key API input RAM:Plaintext from service Free Cipher RSA Private parameters invocation to Handle Key:Paired With API output service Module Reset parameters completion RSA Private Key API input RAM:Plaintext from service Free Cipher RSA Public Key parameters invocation to Handle :Paired With API output service Module Reset parameters completion EC Public Key API input RAM:Plaintext from service Free Cipher EC Private Key:Paired parameters invocation to Handle With Module Reset
Name Input - Storage Storage Zeroization Related SSPs Output Duration API output service Shared parameters completion Secret:Generation Of EC Private Key API input RAM:Plaintext from service Free Cipher EC Public Key:Paired parameters invocation to Handle With API output service Module Reset Shared parameters completion Secret:Generation Of Shared Secret API output RAM:Plaintext from service Free Cipher EC Public parameters invocation to Handle Key:Derived From service Module Reset EC Private completion Key:Derived From TLS Pre-Master API input RAM:Plaintext from service Free Cipher TLS Master Secret Secret parameters invocation to Handle :Derivation Of service Module Reset completion TLS Master RAM:Plaintext from service Free Cipher TLS Pre-Master Secret invocation to Handle Secret:Derived From service Module Reset completion TLS Derived Key API output RAM:Plaintext from service Free Cipher TLS Master Secret (AES/HMAC) parameters invocation to Handle :Derived From service Module Reset completion KDA Derived Key API output RAM:Plaintext from service Free Cipher Shared parameters invocation to Handle Secret:Derived From service Module Reset completion SSH Derived Key API output RAM:Plaintext from service Free Cipher Shared parameters invocation to Handle Secret:Derived From service Module Reset completion PBKDF Derived API output RAM:Plaintext from service Free Cipher Password:Derived Key parameters invocation to Handle From service Module Reset completion Password API input RAM:Plaintext from service Free Cipher Derived parameters invocation to Handle Key:Derivation Of service Module Reset completion Intermediate Key from service Automatically RSA Public Key Generation invocation to :Generation Of Value service RSA Private completion Key:Generation Of EC Public Key:Generation Of EC Private Key:Generation Of Table 20: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030.
Algorithm or Test Test Method Test Type Indicator Details Test Properties HMAC-SHA2-256 SHA2-256 Message SW/FW Module becomes Integrity test (A4509) Authentication Integrity operational for bcm.o Table 21: Pre-Operational Self-Tests The module performs the pre-operational self-test automatically when the module is loaded into memory; the pre-operational self-test is the software integrity test that ensures that the module is not corrupted. While the module is executing the pre-operational self-test, services are not available, and input and output are inhibited. The software integrity test is performed after a set of conditional cryptographic algorithm self-tests (CASTs). The set of CASTs executed before the software integrity test consists of HMAC-SHA2-256 KAT, which is used in the pre-operational self-test, and the SHA2-256 KAT.
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type AES-CBC 128-bit AES key Encrypt KAT CAST Module is Encrypt Power up (A4513) operational AES-CBC 128-bit AES key Decrypt KAT CAST Module is Decrypt Power up (A4510) operational AES-GCM 128-bit AES key Encrypt KAT CAST Module is Encrypt Power up (A4511) operational AES-GCM 128-bit AES key Decrypt KAT CAST Module is Decrypt Power up (A4511) operational SHA-1 N/A SHA-1 KAT CAST Module is Message digest Power up (A4509) operational SHA2-256 N/A SHA2-256 KAT CAST Module is Message digest Power up (A4509) operational SHA2-512 N/A SHA2-512 KAT CAST Module is Message digest Power up (A4509) operational HMAC-SHA2- SHA2-256 HMAC KAT CAST Module is Message Power up
256 (A4509) operational authentication
Counter AES 256 CTR_DRBG KAT CAST Module is Seed Power up DRBG operational Generation (A4513) Counter N/A SP800-90Ar1 CAST Module is Seed Power up DRBG Section 11.3 operational Generation (A4513) Health Test ECDSA P-256 Curve Sign KAT CAST Module is Sign Signature SigGen and SHA2-256 operational Generation or Key (FIPS186-5) Generation (A4509) service request
Algorithm or Test Test Method Test Indicator Details Conditions Test Properties Type ECDSA SigVer P-256 Curve Verify KAT CAST Module is Verify Signature (FIPS186-4) and SHA2-256 operational verification or Key (A4509) Generation service request KAS-ECC-SSC P-256 Curve Z computation CAST Module is Shared secret Shared secret Sp800-56Ar3 operational computation computation (A4509) request ECDSA Respective Signature PCT Module is Sign and Verify Key generation KeyGen Curve and generation and operational (FIPS186-5) SHA2-256 verification (A4509) KDF TLS SHA2-256 TLS 1.2 KAT CAST Module is Key derivation Power up (A4509) operational KDA HKDF HMAC-SHA2- KDA HKDF KAT CAST Module is Key derivation Power up Sp800-56Cr1 256 operational (A4509) PBKDF HMAC-SHA2- PBKDF2 KAT CAST Module is Key derivation Power up (A4509) 256 operational RSA SigGen PKCS#1 v1.5 Sign KAT CAST Module is Sign Signature (FIPS186-5) with 2048 bit operational Generation or Key (A4509) key and SHA2- Generation
256 service request
RSA SigVer PKCS#1 v1.5 Verify KAT CAST Module is Verify Signature (FIPS186-4) with 2048 bit operational Verification or (A4509) key and SHA2- Key Generation
256 service request
RSA KeyGen SHA2-256 and Signature PCT Module is Sign and Verify Key generation (FIPS186-5) respective keys generation and operational (A4509) verification Table 22: Conditional Self-Tests Conditional Cryptographic Algorithm Tests The module performs self-tests on approved cryptographic algorithms, using the tests shown in Table 22. Data output through the data output interface is inhibited during the selftests. The CASTs are performed in the form of Known Answer Tests (KATs), in which the calculated output is compared with the expected known answer (that are hard-coded in the module). A failed match causes a failure of the self-test. If any of these self-tests fails, the module transitions to error state. Conditional Pair-Wise Consistency Tests The module implements RSA and ECDSA key generation service and performs the respective pairwise consistency test (PCT) using sign and verify functions when the keys are generated (Table 22). If any of these self-tests fails, the module transitions to error state and is aborted.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A4509) Authentication Table 23: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A4513) Encrypt KAT CAST On demand Manually AES-CBC (A4510) Decrypt KAT CAST On demand Manually AES-GCM (A4511) Encrypt KAT CAST On demand Manually AES-GCM (A4511) Decrypt KAT CAST On demand Manually SHA-1 (A4509) SHA-1 KAT CAST On demand Manually SHA2-256 (A4509) SHA2-256 KAT CAST On demand Manually SHA2-512 (A4509) SHA2-512 KAT CAST On demand Manually HMAC-SHA2-256 HMAC KAT CAST On demand Manually (A4509) Counter DRBG CTR_DRBG KAT CAST On demand Manually (A4513) Counter DRBG SP800-90Ar1 CAST On demand Manually (A4513) Section 11.3 Health Test ECDSA SigGen Sign KAT CAST On demand Manually (FIPS186-5) (A4509) ECDSA SigVer Verify KAT CAST On demand Manually (FIPS186-4) (A4509) KAS-ECC-SSC Z computation CAST On demand Manually Sp800-56Ar3 (A4509) ECDSA KeyGen Signature PCT On demand Manually (FIPS186-5) generation and (A4509) verification KDF TLS (A4509) TLS 1.2 KAT CAST On demand Manually KDA HKDF Sp800- KDA HKDF KAT CAST On demand Manually 56Cr1 (A4509) PBKDF (A4509) PBKDF2 KAT CAST On demand Manually RSA SigGen Sign KAT CAST On demand Manually (FIPS186-5) (A4509) RSA SigVer Verify KAT CAST On demand Manually (FIPS186-4) (A4509) RSA KeyGen Signature PCT On demand Manually (FIPS186-5) generation and (A4509) verification Table 24: Conditional Periodic Information The module does not support periodic self-tests.
Name Description Conditions Recovery Indicator Method Error The library is aborted Pre- Module Error message is output on the stderr and with SIGABRT signal. operational reset then the module is aborted. Module is no longer test failure operational the data output interface is inhibited PCT The library is aborted Conditional Module For CAST failure, an error message is Error with SIGABRT signal. test failure reset output on the stderr and then the module Module is no longer is aborted. For PCT failure, an error operational the data message is output in the error queue and output interface is then the module generates new key, If the inhibited PCT still does not pass, eventually the module will be aborted after 5 tries. Table 25: Error States If the module fails any of the self-tests, the module enters an error state. To recover from any error state, the module must be rebooted.
The software integrity tests and the CASTs for AES, SHS, DRBG, HMAC, KAS-ECC-SSC, TLS KDF, KDA HKDF, PBKDF2 can be invoked by unloading and subsequently re-initializing the module. The CASTs for ECDSA and RSA can be invoked by requesting the corresponding Key Generation or Digital Signature services. Additionally, all the CASTs can be invoked by calling the BORINGSSL_self_test function. The PCTs can be invoked on demand by requesting the Key Generation service.
The module bcm.o is embedded into the usersapce application which can be obtained by building the source code at the following location [1]. The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during module build. [1] https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-2.0.0.zip The downloaded zip file can be verified by issuing the “sha256sum AWS-LC-FIPS-2.0.0.zip” command. The expected SHA2-256 digest value is: 6241EC2F13A5F80224EE9CD8592ED66A97D426481066FEAA4EFC6F24E60BBC96 After the zip file is extracted, the instructions listed below will compile the module. The compilation instructions must be executed separately on platforms that have different processors and/or operating systems. Due to six possible combinations of OS/processor, the module count is six (i.e., there are six separate binaries generated, one for each entry listed in the Tested Operational Environments table). Amazon Linux 2 and Amazon Linux 2023: 1. s u d o y u m g r o u p i n s t a l l " De v e l o p me n t To o l s "
Ubuntu 22.04: 1. s udo a pt - ge t i ns t a l l bui l d- e s s e nt i a l
3 . Ge t l a t e s t Go l a n g a r c h i v e f o r y o u r a r c h i t e c t u r e
4. s udo t a r - C / us r / l oc a l - xz f go*. t a r . gz
8 . c ma k e - DFI PS=1 - DGO_ EXECUTABLE=/ u s r / l o c a l / g o / b i n / g o . .
Upon completion of the build process, the module’s status can be verified by the command below. If the value obtained is “1” then the module has been installed and configured to operate in FIPS compliant manner. . / t ool / bs s l i s f i ps
Lastly, the user can call the “show version” service using awslc_version_string function and the expected output is “AWS-LC FIPS 2.0.0” which is the module version. This will confirm that the module is in the operational mode. Additionally, the “AWS-LC FIPS” also acts as the module identifier and the verification of the "static" part can be done using following command with an application that was used for static linking. The "T" in the output confirms that the module is statically linked. Command: nm <application_name> | grep awslc_version_string Example Output: 0000000000a5bdff T awslc_version_string
When the module is at end of life, for the GitHub repo, the README will be modified to mark the library as deprecated. After a 6-month window, more restrictive branch permissions will be added such that only administrators can read from the FIPS branch. The module does not possess persistent storage of SSPs. The SSP value only exists in volatile memory and that value vanishes when the module is powered off. So as a first step for the secure sanitization, the module needs to be powered off. Then for actual deprecation, the module will be upgraded to newer version that is approved. This upgrade process will uninstall/remove the old/terminated module and provide a new replacement.
RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack. The module provides the mechanism to use the blinding for RSA. When the blinding is on, the module generates a random value to form a blinding factor in the RSA key before the RSA key is used in the RSA cryptographic operations.