All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider

Certificate#4857StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorRed Hat(R), Inc.
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 39 CVEs since this module's initial validation  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date10/28/2029
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.2 of the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.
VendorRed Hat(R), Inc.

Approved Algorithms (375)

AlgorithmACVP Cert
AES-CBCA4809
AES-CBCA4810
AES-CBCA4811
AES-CBCA5560
AES-CBCA5576
AES-CBCA5580
AES-CBC-CS1A4809
AES-CBC-CS1A4810
AES-CBC-CS1A4811
AES-CBC-CS1A5560
AES-CBC-CS1A5576
AES-CBC-CS1A5580
AES-CBC-CS2A4809
AES-CBC-CS2A4810
AES-CBC-CS2A4811
AES-CBC-CS2A5560
AES-CBC-CS2A5576
AES-CBC-CS2A5580
AES-CBC-CS3A4809
AES-CBC-CS3A4810
AES-CBC-CS3A4811
AES-CBC-CS3A5560
AES-CBC-CS3A5576
AES-CBC-CS3A5580
AES-CCMA4809
AES-CCMA4810
AES-CCMA4811
AES-CCMA5560
AES-CCMA5576
AES-CCMA5580
AES-CFB1A4809
AES-CFB1A4810
AES-CFB1A4811
AES-CFB1A5560
AES-CFB1A5576
AES-CFB1A5580
AES-CFB128A4809
AES-CFB128A4810
AES-CFB128A4811
AES-CFB128A5560
AES-CFB128A5576
AES-CFB128A5580
AES-CFB8A4809
AES-CFB8A4810
AES-CFB8A4811
AES-CFB8A5560
AES-CFB8A5576
AES-CFB8A5580
AES-CMACA4809
AES-CMACA4810
AES-CMACA4811
AES-CMACA5560
AES-CMACA5576
AES-CMACA5580
AES-CTRA4809
AES-CTRA4810
AES-CTRA4811
AES-CTRA5560
AES-CTRA5576
AES-CTRA5580
AES-ECBA4809
AES-ECBA4810
AES-ECBA4811
AES-ECBA4837
AES-ECBA4838
AES-ECBA4839
AES-ECBA4840
AES-ECBA4841
AES-ECBA5560
AES-ECBA5576
AES-ECBA5579
AES-ECBA5580
AES-ECBA5586
AES-GCMA4812
AES-GCMA4815
AES-GCMA4816
AES-GCMA4817
AES-GCMA4818
AES-GCMA4819
AES-GCMA4820
AES-GCMA4821
AES-GCMA4822
AES-GCMA5577
AES-GCMA5581
AES-GCMA5582
AES-GCMA5583
AES-GCMA5584
AES-GMACA4812
AES-GMACA4815
AES-GMACA4816
AES-GMACA4817
AES-GMACA4818
AES-GMACA4819
AES-GMACA4820
AES-GMACA4821
AES-GMACA4822
AES-GMACA5577
AES-GMACA5581
AES-GMACA5582
AES-GMACA5583
AES-GMACA5584
AES-KWA4809
AES-KWA4810
AES-KWA4811
AES-KWA5560
AES-KWA5576
AES-KWA5580
AES-KWPA4809
AES-KWPA4810
AES-KWPA4811
AES-KWPA5560
AES-KWPA5576
AES-KWPA5580
AES-OFBA4809
AES-OFBA4810
AES-OFBA4811
AES-OFBA5560
AES-OFBA5576
AES-OFBA5580
AES-XTS Testing Revision 2.0A4809
AES-XTS Testing Revision 2.0A4810
AES-XTS Testing Revision 2.0A4811
AES-XTS Testing Revision 2.0A5560
AES-XTS Testing Revision 2.0A5576
AES-XTS Testing Revision 2.0A5580
Counter DRBGA4808
ECDSA KeyGen (FIPS186-5)A4813
ECDSA KeyGen (FIPS186-5)A4823
ECDSA KeyGen (FIPS186-5)A4824
ECDSA KeyGen (FIPS186-5)A4825
ECDSA KeyGen (FIPS186-5)A4826
ECDSA KeyGen (FIPS186-5)A5578
ECDSA KeyGen (FIPS186-5)A5585
ECDSA KeyVer (FIPS186-5)A4813
ECDSA KeyVer (FIPS186-5)A4823
ECDSA KeyVer (FIPS186-5)A4824
ECDSA KeyVer (FIPS186-5)A4825
ECDSA KeyVer (FIPS186-5)A4826
ECDSA KeyVer (FIPS186-5)A5578
ECDSA KeyVer (FIPS186-5)A5585
ECDSA SigGen (FIPS186-5)A4813
ECDSA SigGen (FIPS186-5)A4814
ECDSA SigGen (FIPS186-5)A4823
ECDSA SigGen (FIPS186-5)A4824
ECDSA SigGen (FIPS186-5)A4825
ECDSA SigGen (FIPS186-5)A4826
ECDSA SigGen (FIPS186-5)A5578
ECDSA SigGen (FIPS186-5)A5585
ECDSA SigGen (FIPS186-5)A5587
ECDSA SigVer (FIPS186-5)A4813
ECDSA SigVer (FIPS186-5)A4814
ECDSA SigVer (FIPS186-5)A4823
ECDSA SigVer (FIPS186-5)A4824
ECDSA SigVer (FIPS186-5)A4825
ECDSA SigVer (FIPS186-5)A4826
ECDSA SigVer (FIPS186-5)A5578
ECDSA SigVer (FIPS186-5)A5585
ECDSA SigVer (FIPS186-5)A5587
Hash DRBGA4808
HMAC DRBGA4808
HMAC-SHA-1A4813
HMAC-SHA-1A4823
HMAC-SHA-1A4824
HMAC-SHA-1A4825
HMAC-SHA-1A4826
HMAC-SHA-1A5578
HMAC-SHA-1A5585
HMAC-SHA2-224A4813
HMAC-SHA2-224A4823
HMAC-SHA2-224A4824
HMAC-SHA2-224A4825
HMAC-SHA2-224A4826
HMAC-SHA2-224A5578
HMAC-SHA2-224A5585
HMAC-SHA2-256A4813
HMAC-SHA2-256A4823
HMAC-SHA2-256A4824
HMAC-SHA2-256A4825
HMAC-SHA2-256A4826
HMAC-SHA2-256A5578
HMAC-SHA2-256A5585
HMAC-SHA2-384A4813
HMAC-SHA2-384A4823
HMAC-SHA2-384A4824
HMAC-SHA2-384A4825
HMAC-SHA2-384A4826
HMAC-SHA2-384A5578
HMAC-SHA2-384A5585
HMAC-SHA2-512A4813
HMAC-SHA2-512A4823
HMAC-SHA2-512A4824
HMAC-SHA2-512A4825
HMAC-SHA2-512A4826
HMAC-SHA2-512A5578
HMAC-SHA2-512A5585
HMAC-SHA2-512/224A4813
HMAC-SHA2-512/224A4823
HMAC-SHA2-512/224A4824
HMAC-SHA2-512/224A4825
HMAC-SHA2-512/224A4826
HMAC-SHA2-512/224A5578
HMAC-SHA2-512/224A5585
HMAC-SHA2-512/256A4813
HMAC-SHA2-512/256A4823
HMAC-SHA2-512/256A4824
HMAC-SHA2-512/256A4825
HMAC-SHA2-512/256A4826
HMAC-SHA2-512/256A5578
HMAC-SHA2-512/256A5585
HMAC-SHA3-224A4814
HMAC-SHA3-224A5587
HMAC-SHA3-256A4814
HMAC-SHA3-256A5587
HMAC-SHA3-384A4814
HMAC-SHA3-384A5587
HMAC-SHA3-512A4814
HMAC-SHA3-512A5587
KAS-ECC-SSC Sp800-56Ar3A4813
KAS-ECC-SSC Sp800-56Ar3A4823
KAS-ECC-SSC Sp800-56Ar3A4824
KAS-ECC-SSC Sp800-56Ar3A4825
KAS-ECC-SSC Sp800-56Ar3A4826
KAS-ECC-SSC Sp800-56Ar3A5578
KAS-ECC-SSC Sp800-56Ar3A5585
KAS-FFC-SSC Sp800-56Ar3A4845
KAS-IFC-SSCA4813
KAS-IFC-SSCA4823
KAS-IFC-SSCA4824
KAS-IFC-SSCA4825
KAS-IFC-SSCA4826
KAS-IFC-SSCA5578
KAS-IFC-SSCA5585
KDA HKDF Sp800-56Cr1A4807
KDA OneStep SP800-56Cr2A4844
KDF ANS 9.42A4813
KDF ANS 9.42A4814
KDF ANS 9.42A4823
KDF ANS 9.42A4824
KDF ANS 9.42A4825
KDF ANS 9.42A4826
KDF ANS 9.42A5578
KDF ANS 9.42A5585
KDF ANS 9.42A5587
KDF ANS 9.63A4813
KDF ANS 9.63A4814
KDF ANS 9.63A4823
KDF ANS 9.63A4824
KDF ANS 9.63A4825
KDF ANS 9.63A4826
KDF ANS 9.63A5578
KDF ANS 9.63A5585
KDF ANS 9.63A5587
KDF SP800-108A4843
KDF SSHA4837
KDF SSHA4838
KDF SSHA4839
KDF SSHA4840
KDF SSHA4841
KDF SSHA5579
KDF SSHA5586
KTS-IFCA4813
KTS-IFCA4823
KTS-IFCA4824
KTS-IFCA4825
KTS-IFCA4826
KTS-IFCA5578
KTS-IFCA5585
PBKDFA4813
PBKDFA4814
PBKDFA4823
PBKDFA4824
PBKDFA4825
PBKDFA4826
PBKDFA5578
PBKDFA5585
PBKDFA5587
RSA KeyGen (FIPS186-5)A4813
RSA KeyGen (FIPS186-5)A4823
RSA KeyGen (FIPS186-5)A4824
RSA KeyGen (FIPS186-5)A4825
RSA KeyGen (FIPS186-5)A4826
RSA KeyGen (FIPS186-5)A5578
RSA KeyGen (FIPS186-5)A5585
RSA SigGen (FIPS186-5)A4813
RSA SigGen (FIPS186-5)A4823
RSA SigGen (FIPS186-5)A4824
RSA SigGen (FIPS186-5)A4825
RSA SigGen (FIPS186-5)A4826
RSA SigGen (FIPS186-5)A5578
RSA SigGen (FIPS186-5)A5585
RSA SigVer (FIPS186-4)A4813
RSA SigVer (FIPS186-4)A4823
RSA SigVer (FIPS186-4)A4824
RSA SigVer (FIPS186-4)A4825
RSA SigVer (FIPS186-4)A4826
RSA SigVer (FIPS186-4)A5578
RSA SigVer (FIPS186-4)A5585
RSA SigVer (FIPS186-5)A4813
RSA SigVer (FIPS186-5)A4823
RSA SigVer (FIPS186-5)A4824
RSA SigVer (FIPS186-5)A4825
RSA SigVer (FIPS186-5)A4826
RSA SigVer (FIPS186-5)A5578
RSA SigVer (FIPS186-5)A5585
Safe Primes Key GenerationA4845
Safe Primes Key VerificationA4845
SHA-1A4813
SHA-1A4823
SHA-1A4824
SHA-1A4825
SHA-1A4826
SHA-1A5578
SHA-1A5585
SHA2-224A4813
SHA2-224A4823
SHA2-224A4824
SHA2-224A4825
SHA2-224A4826
SHA2-224A5578
SHA2-224A5585
SHA2-256A4813
SHA2-256A4823
SHA2-256A4824
SHA2-256A4825
SHA2-256A4826
SHA2-256A5578
SHA2-256A5585
SHA2-384A4813
SHA2-384A4823
SHA2-384A4824
SHA2-384A4825
SHA2-384A4826
SHA2-384A5578
SHA2-384A5585
SHA2-512A4813
SHA2-512A4823
SHA2-512A4824
SHA2-512A4825
SHA2-512A4826
SHA2-512A5578
SHA2-512A5585
SHA2-512/224A4813
SHA2-512/224A4823
SHA2-512/224A4824
SHA2-512/224A4825
SHA2-512/224A4826
SHA2-512/224A5578
SHA2-512/224A5585
SHA2-512/256A4813
SHA2-512/256A4823
SHA2-512/256A4824
SHA2-512/256A4825
SHA2-512/256A4826
SHA2-512/256A5578
SHA2-512/256A5585
SHA3-224A4814
SHA3-224A5587
SHA3-256A4814
SHA3-256A5587
SHA3-384A4814
SHA3-384A5587
SHA3-512A4814
SHA3-512A5587
SHAKE-128A4814
SHAKE-128A5587
SHAKE-256A4814
SHAKE-256A5587
TLS v1.2 KDF RFC7627A4813
TLS v1.2 KDF RFC7627A4823
TLS v1.2 KDF RFC7627A4824
TLS v1.2 KDF RFC7627A4825
TLS v1.2 KDF RFC7627A4826
TLS v1.2 KDF RFC7627A5578
TLS v1.2 KDF RFC7627A5586
TLS v1.3 KDFA4807

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Show status<br/>Self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Show status<br/>Self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider version 3.0.7-395c1a240fbfffd8 document version 1.5 Last update: 2025-07-08 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2025 Red Hat, Inc./ atsec information security corporation.

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 Red Hat, Inc. / atsec information security corporation.

3 of 48
Page 4
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.7-395c1a240fbfffd8 of the Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. and including this notice. Other documentation is proprietary to their authors.

1.2 How this Security Policy was prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.3 Security levels

Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. ISO/IEC 24759 Section 6. [Number FIPS 140-3 Section Title Security Level Below]

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security Not Applicable

8 Non-invasive Security Not Applicable

9 Sensitive Security Parameter Management 1

10 Self-tests 1

11 Life-cycle Assurance 1

12 Mitigation of Other Attacks 1

© 2025 Red Hat, Inc. / atsec information security corporation.

4 of 48
Page 5

Overall 1 Table 1 - Security Levels © 2025 Red Hat, Inc. / atsec information security corporation.

5 of 48
Page 6
2 Cryptographic module specification
2.1 Description

The Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider”, which implements the FIPS requirements and the cryptographic functionality provided to the operator.

2.2 Operational environments

The module has been tested on the following platforms with the corresponding module variants and configuration options with and without PAA: # Operating System Hardware Platform Processor PAA/PAI Acceleration

1 Red Hat Enterprise Dell PowerEdge R440 Intel(R) Xeon(R) Silver With and

Linux 9 4216 without PAA (AES-NI, SHA extensions)

2 Red Hat Enterprise IBM z16 3931-A01 IBM z16 With and

Linux 9 without PAI (CPACF)

3 Red Hat Enterprise IBM 9080-HEX IBM POWER10 With and

Linux 9 with without PAI PowerVM FW1040.00 (ISA, Altivec) with VIOS 3.1.3.00 Table 2 - Tested Operational Environments In addition to the configurations tested by the atsec CST laboratory, the vendor affirms testing was performed on the following platforms for the module. # Operating System Hardware Platform

1 Red Hat Enterprise Linux 9 Intel(R) Xeon(R) E5

Table 3 - Vendor Affirmed Operational Environments Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated SSPs when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Approved algorithms

Table 4 lists all approved cryptographic algorithms of the module, including specific key lengths employed for approved services (Table 9), and implemented modes or methods of operation of the algorithms. The module supports RSA modulus sizes which are not tested by CAVP in compliance with FIPS 140-

3 IG C.F.

© 2025 Red Hat, Inc. / atsec information security corporation.

6 of 48
Page 7

CAVP Algorithm and Mode / Method Description / Key Size(s) Use / Function Cert / Key Strengths Standard A4813 SHA [FIPS 180-4] SHA-1, SHA-224, SHA-256, N/A Message digest A4823 SHA-384, SHA-512, SHAA4824 512/224, SHA-512/256 A4825 A4826 A5578 A5585 A4814 SHA-3 [FIPS 202] SHA3-224, SHA3-256, SHA3- N/A Message digest A5587 384, SHA3-512 SHA-3 [FIPS 202] SHAKE128, SHAKE256 N/A XOF A4809 AES [FIPS 197, SP ECB 128, 192, 256 bits with 128, Encryption A4810 800-38A] 192, 256 bits of security Decryption A4811 strength A4837 A4838 A4839 A4840 A4841 A5560 A5576 A5579 A5580 A5586 A4809 AES [FIPS 197, SP CBC, CBC-CTS-CS1, CBC- 128, 192, 256 bits with 128, Encryption A4810 800-38A, SP 800- CTS-CS2, CBC-CTS-CS3, 192, 256 bits of security Decryption A4811 38A Addendum, CFB1, CFB8, CFB128, CTR, strength A5560 SP 800-38C, SP OFB, CCM A5576 800-38F] KW, KWP (KTS) A5580 AES [FIPS 197, SP XTS 128, 256 bits with 128, 256 Encryption 800-38E] bits of security strength Decryption AES [FIPS 197, SP CMAC 128, 192, 256 bits with 128, Message 800-38B] 192, 256 bits of security authentication strength A4812 AES [FIPS 197, SP GCM (internal IV) (KTS) 128, 192, 256 bits with 128, Encryption A4815 800-38D] 192, 256 bits of security A4816 strength © 2025 Red Hat, Inc. / atsec information security corporation.

7 of 48
Page 8

A4817 AES [FIPS 197, SP GCM (external IV) (KTS) 128, 192, 256 bits with 128, Decryption A4818 800-38D] 192, 256 bits of security A4819 strength A4820 A4821 A4822 A5577 A5581 A5582 A5583 A5584 A4812 AES [FIPS 197, SP GMAC 128, 192, 256 bits with 128, Message A4815 800-38D] 192, 256 bits of security authentication A4816 strength A4817 A4818 A4819 A4820 A4821 A4822 A5577 A5581 A5582 A5583 A5584 A4813 HMAC [FIPS 198- SHA-1, SHA-224, SHA-256, 112-524288 bits with 112-256 Message A4823 1] SHA-384, SHA-512, SHA- bits of security strength authentication A4824 512/224, SHA-512/256 A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4843 KBKDF [SP 800- Counter and feedback 112-4096 bits with 112-256 KBKDF Key 108r1] mode, using CMAC and bits of security strength derivation HMAC SHA-1, SHA-224, SHA-256, SHA-384, SHA512, SHA-512/224, SHA512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512 A4844 KDA OneStep1 [SP (HMAC) SHA-1, SHA-224, 224-8192 bits with 112-256 KDA OneStep Key 800-56Cr2] SHA-256, SHA-384, SHA- bits of security strength derivation 512, SHA-512/224, SHA512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512 1This algorithm is referred to as “Single Step KDF” or “SSKDF” by OpenSSL. © 2025 Red Hat, Inc. / atsec information security corporation.

8 of 48
Page 9

A4807 HKDF [SP 800- SHA-1, SHA-224, SHA-256, 224-8192 bits with 112-256 HKDF Key derivation 56Cr2] SHA-384, SHA-512, SHA- bits of security strength 512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 A4813 ANS X9.42 KDF AES KW with SHA-1, SHA- 224-8192 bits with 112-256 ANS X9.42 KDF Key A4823 [SP 800-135r1] 224, SHA-256, SHA-384, bits of security strength derivation A4824 CVL SHA-512, SHA-512/224, A4825 SHA-512/256 A4826 A5578 A5585 A4814 AES KW with SHA3-224, A5587 SHA3-256, SHA3-384, SHA3A4813 ANS X9.63 KDF SHA-224, SHA-256, SHA- 224-8192 bits with 112-256 ANS X9.63 KDF Key A4823 [SP 800-135r1] 384, SHA-512, SHA- bits of security strength derivation A4824 CVL 512/224, SHA-512/256 A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4837 SSH KDF [SP 800- AES-128, AES-192, AES-256 224-8192 bits with 112-256 SSH KDF Key A4838 135r1] with SHA-1, SHA-224, SHA- bits of security strength derivation A4839 CVL 256, SHA-384, SHA-512 A4840 A4841 A5579 A5586 A4813 TLS 1.2 KDF [SP SHA-256, SHA-384, SHA-512 224-8192 bits with 112-256 TLS 1.2 KDF Key A4823 800-135r1] bits of security strength derivation A4824 CVL A4825 A4826 A5578 A5585 A4807 TLS 1.3 KDF [RFC SHA-256, SHA-384 224-8192 bits with 112-256 TLS 1.3 KDF Key 8446] bits of security strength derivation CVL A4813 PBKDF2 [SP 800- Option 1a with SHA-1, SHA- 8-128 characters with Password-based key A4823 132] 224, SHA-256, SHA-384, password strength between derivation A4824 SHA-512, SHA-512/224, 108 and 10128 A4825 SHA-512/256 A4826 A5578 A5585 © 2025 Red Hat, Inc. / atsec information security corporation.

9 of 48
Page 10

A4814 PBKDF2 [SP 800- Option 1a with SHA3-224, 8-128 characters with Password-based key A5587 132] SHA3-256, SHA3-384, SHA3- password strength between derivation

512 108 and 10128

A4808 CTR_DRBG [SP AES-128, AES-192, AES-256, 256, 320, 384 bits with 128, Random number 800-90Ar1] with/without derivation 192, 256 bits of security generation function, with/without strength prediction resistance Hash_DRBG [SP SHA-1, SHA-256, SHA-512 880, 1776 bits with 128, 256 Random number 800-90Ar1] with/without prediction bits of security strength generation resistance HMAC_DRBG [SP SHA-1, SHA-256, SHA-512 320, 512, 1024 bits with 128, Random number 800-90Ar1] with/without prediction 256 bits of security strength generation resistance A4813 KTS-IFC [SP 800- KTS-OAEP-basic 2048-15360 bits with 112-256 Key transport A4823 56Br2] bits of security strength A4824 A4825 A4826 A5578 A5585 A4813 KAS-IFC-SSC KAS1, KAS2 2048-15360 bits with 112-256 Shared secret A4823 bits of security strength computation A4824 A4825 A4826 A5578 A5585 A4845 KAS-FFC-SSC [SP dhEphem MODP-2048, MODP-3072, Shared secret 800-56Ar3] (initiator/responder) MODP-4096, MODP-6144, computation MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of security strength A4813 KAS-ECC-SSC [SP Ephemeral Unified Model P-224, P-256, P-384, P-521 Shared secret A4823 800-56Ar3] (initiator/responder) with 112, 128, 192, 256 bits of computation A4824 security strength A4825 A4826 A5578 A5585 A4813 RSA [FIPS 186-5] PKCS#1 v1.5 and PSS with 2048-16384 bits with 112-256 Signature A4823 SHA-224, SHA-256, SHA- bits of security strength generation A4824 384, SHA-512, SHAA4825 RSA [FIPS 186-5] 512/224, SHA-512/256, 2048-16384 bits with 112-256 Signature A4826 SHA3-224, SHA3-256, SHA3- bits of security strength verification A5578 384, SHA3-512 A5585 © 2025 Red Hat, Inc. / atsec information security corporation.

10 of 48
Page 11

A4813 RSA [FIPS 186-4] PKCS#1 v1.5 and PSS with NIST SP 800-131Ar2 Legacy Signature A4823 SHA-224, SHA-256, SHA- use: 1024 bits with 80 bits of verification A4824 384, SHA-512, SHA- security strength A4825 512/224, SHA-512/256 A4826 A5578 A5585 A4813 ECDSA [FIPS 186- SHA-224, SHA-256, SHA- P-224, P-256, P-384, P-521 Signature A4823 5] 384, SHA-512, SHA- with 112, 128, 192, 256 bits of generation A4824 512/224, SHA-512/256, security strength A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4813 ECDSA [FIPS 186- SHA-224, SHA-256, SHA- Signature A4823 5] 384, SHA-512, SHA- verification A4824 512/224, SHA-512/256, A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4845 Safe primes [SP SP 800-56Ar3 Section MODP-2048, MODP-3072, Key pair generation 800-56Ar3] 5.6.1.1.4 Testing MODP-4096, MODP-6144, Candidates MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, Safe primes [SP SP 800-56Ar3 Sections ffdhe6144, ffdhe8192 with Key pair verification 800-56Ar3] 5.6.2.1.2 and 5.6.2.1.4 112-200 bits of security strength A4813 RSA [FIPS 186-5] FIPS 186-5 Appendix A.1.6 2048-15360 bits with 112-256 Key pair generation A4823 Probable Primes with bits of security strength A4824 Conditions Based on A4825 Auxiliary Probable Primes A4826 A5578 ECDSA [FIPS 186- FIPS 186-5 Appendix A.2.2 P-224, P-256, P-384, P-521 Key pair generation A5585 5] Rejection Sampling with 112, 128, 192, 256 bits of security strength ECDSA [FIPS 186- N/A Key pair verification 5] Vendor CKG [SP 800- Safe primes MODP-2048, MODP-3072, Key pair generation affirme 133r2 Section 4] MODP-4096, MODP-6144, d MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of security strength RSA 2048-16384 bits with 112-256 bits of security strength © 2025 Red Hat, Inc. / atsec information security corporation.

11 of 48
Page 12

ECDSA P-224, P-256, P-384, P-521 with 112, 128, 192, 256 bits of security strength Vendor RSA [FIPS 186-4] PKCS#1 v1.5 and PSS with NIST SP 800-131Ar2 Legacy Signature affirme SHA3-224, SHA3-256, SHA3- use: 1024 bits with 80 bits of verification d 384, SHA3-512 security strength [FIPS 140-3 IG C.C] Table 4 - Approved Algorithms

2.4 Non-approved algorithms

The module does not offer any non-approved cryptographic algorithms that are allowed in approved services (with or without security claimed). Table 5 lists all non-approved cryptographic algorithms of the module employed by the nonapproved services in Table 10. Algorithm / Functions Use / Function AES GCM (external IV) Encryption HMAC (< 112-bit keys) Message authentication KBKDF, KDA OneStep, HKDF, ANS X9.42 KDF, ANS X9.63 KDF (< 112-bit keys) KBKDF Key derivation KDA OneStep Key derivation HKDF Key derivation ANS X9.42 KDF Key derivation ANS X9.63 KDF Key derivation KDA OneStep (SHAKE128, SHAKE256) KDA OneStep Key derivation ANS X9.42 KDF (SHAKE128, SHAKE256) ANS X9.42 KDF Key derivation ANS X9.63 KDF (SHA-1, SHAKE128, SHAKE256) ANS X9.63 KDF Key derivation SSH KDF (SHA-512/224, SHA-512/256, SHA-3, SHAKE128, SHAKE256) SSH KDF Key derivation TLS 1.2 KDF (SHA-1, SHA-224, SHA-512/224, SHA-512/256, SHA-3) TLS 1.2 KDF Key derivation TLS 1.3 KDF (SHA-1, SHA-224, SHA-512, SHA-512/224, SHA-512/256, SHA-3) TLS 1.3 KDF Key derivation PBKDF2 (short password; short salt; insufficient iterations; < 112-bit keys) Password-based key derivation RSA and ECDSA (pre-hashed message) Signature generation component Signature verification component RSA-PSS (invalid salt length) Signature generation Signature verification © 2025 Red Hat, Inc. / atsec information security corporation.

12 of 48
Page 13

Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation

2.5 Module design and components

Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by the component painted in orange block, which consists only of the shared library implementing the FIPS provider (fips.so). Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. Figure 1

2.6 Rules of operation

Upon initialization, the module immediately performs all cryptographic algorithm self-tests (CASTs) as specified in Table 13. When all those self-tests pass successfully, the module automatically performs the pre-operational integrity test using the integrity value embedded in the fips.so file. Only if this integrity test also passed successfully, the module transitions to the operational state. No operator intervention is required to reach this point. The module operates in the approved mode of operation by default and can only transition into the non-approved mode by calling one of the nonapproved services listed in Table 10 of the Security Policy. © 2025 Red Hat, Inc. / atsec information security corporation.

13 of 48
Page 14

In the operational state, the module accepts service requests from calling applications through its logical interfaces. At any point in the operational state, a calling application can end its process, thus causing the module to end its operation. The module supports two modes of operation:

14 of 48
Page 15
3 Cryptographic module interfaces

The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. Table 6 summarizes the logical interfaces: Physical Port Logical Interface Data that passes over port / interface As a software-only module, the Data Input API input parameters module does not have physical ports. Physical Ports are interpreted to be Data Output API output parameters the physical ports of the hardware Control Input API function calls platform on which it runs. Status Output API return codes, error queue Table 6 - Ports and Interfaces The module does not implement a control output interface. © 2025 Red Hat, Inc. / atsec information security corporation.

15 of 48
Page 16
4 Roles, services, and authentication
4.1 Roles

The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators or a maintenance role. Table 7 lists the roles supported by the module with corresponding services with input and output parameters. Role Service Input Output Crypto Message digest Message Digest value Officer XOF Message, output length Digest value Encryption Plaintext, AES key Ciphertext Decryption Ciphertext, AES key Plaintext Message authentication Message, AES key or HMAC MAC tag key KBKDF Key derivation Key-derivation key KBKDF Derived key KDA OneStep Key Shared secret KDA OneStep Derived key derivation HKDF Key derivation Shared secret HKDF Derived key ANS X9.42 KDF Key Shared secret ANS X9.42 KDF Derived key derivation ANS X9.63 KDF Key Shared secret ANS X9.63 KDF Derived key derivation SSH KDF Key derivation Shared secret SSH KDF Derived key TLS 1.2 KDF Key derivation Shared secret, EMS check TLS 1.2 KDF Derived key TLS 1.3 KDF Key derivation Shared secret, EMS check TLS 1.3 KDF Derived key Password-based key Password, salt, iteration PBKDF2 Derived key derivation count Random number Output length Random bytes generation Shared secret computation Owner private key, peer Shared secret public key Signature generation Pre-hashed message, Signature component private key Signature verification Pre-hashed message, public Pass/fail component key, signature Signature generation Message, private key, Signature hashing algo Signature verification Message, public key, Pass/fail signature, hashing algo Key Transport RSA public key, plaintext Wrapped key (encapsulation) key © 2025 Red Hat, Inc. / atsec information security corporation.

16 of 48
Page 17

Key Transport (un- RSA private key, wrapped Plaintext Key encapsulation) key Key pair generation Key size Key pair Key pair verification Key pair Pass/fail Show version N/A Name and version information Show status N/A Module status Self-test N/A Pass/fail results of self-tests Zeroization Any SSP N/A Table 7 - Roles, Service Commands, Input and Output

4.2 Authentication

The module does not support authentication for roles.

4.3 Services

The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The next tables define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP.

17 of 48
Page 18

Table 9 lists the approved services in this module, the algorithms involved, the Sensitive Security Parameters (SSPs) involved and how they are accessed, the roles that can request the service, and the respective service indicator. In this table, CO specifies the Crypto Officer role. Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs Message Compute a SHA-1, SHA-224, SHA- N/A CO N/A EVP_DigestFinal_ex digest message 256, SHA-384, SHA- returns 1 digest 512, SHA-512/224, SHA-512/256, SHA3224, SHA3-256, SHA3384, SHA3-512 XOF Compute the SHAKE128, SHAKE256 N/A CO N/A EVP_DigestFinalXOF output of an returns 1 XOF Encryption Encrypt a AES ECB, CBC, CBC- AES key CO W, E AES GCM: plaintext CTS-CS1, CBC-CTS- EVP_CIPHER_REDHAT CS2, CBC-CTS-CS3, _FIPS_INDICATOR_APP CFB1, CFB8, CFB128, ROVED CTR, OFB, CCM, KW, Others: KWP, GCM, XTS EVP_EncryptFinal_ex returns 1 Decryption Decrypt a CO W, E AES GCM: ciphertext EVP_CIPHER_REDHAT _FIPS_INDICATOR_APP ROVED Others: EVP_DecryptFinal_ex returns 1 Message Compute a AES CMAC AES key CO W, E HMAC: authenticati MAC tag AES GMAC HMAC key OSSL_MAC_PARAM_R on EDHAT_FIPS_INDICAT HMAC SHA-1, HMAC OR_APPROVED SHA-224, HMAC SHA256, HMAC SHA-384, Others: HMAC SHA-512, HMAC EVP_MAC_final SHA-512/224, HMAC returns 1 SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3-512 KBKDF Key Derive a key KBKDF Key-derivation CO W, E EVP_KDF_REDHAT_FIP derivation from a key- key S_INDICATOR_APPRO derivation VED key KBKDF Derived G, R key KDA Derive a key KDA OneStep DH Shared W, E OneStep from a shared secret Key secret derivation ECDH Shared W, E secret © 2025 Red Hat, Inc. / atsec information security corporation.

18 of 48
Page 19

Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs RSA Shared W, E secret KDA OneStep G, R Derived key HKDF Key HKDF DH Shared W, E derivation secret ECDH Shared W, E secret RSA Shared W, E secret HKDF Derived G, R key ANS X9.42 ANS X9.42 KDF DH Shared W, E KDF Key secret derivation ECDH Shared W, E secret RSA Shared W, E secret ANS X9.42 KDF G, R Derived key ANS X9.63 ANS X9.63 KDF DH Shared W, E KDF Key secret derivation ECDH Shared W, E secret RSA Shared W, E secret ANS X9.63 KDF G, R Derived key SSH KDF SSH KDF DH Shared W, E Key secret derivation ECDH Shared W, E secret SSH KDF G, R Derived key TLS 1.2 KDF TLS 1.2 KDF DH Shared W, E Key secret derivation ECDH Shared W, E secret TLS 1.2 KDF G, R Derived key © 2025 Red Hat, Inc. / atsec information security corporation.

19 of 48
Page 20

Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs TLS 1.3 KDF TLS 1.3 KDF DH Shared W, E Key secret derivation ECDH Shared W, E secret TLS 1.3 KDF G, R Derived key Password- Derive a key PBKDF2 Password CO W, E EVP_KDF_REDHAT_FIP based key from a S_INDICATOR_APPRO derivation password PBKDF2 Derived G, R VED key Random Generate CTR_DRBG Entropy input CO W, E EVP_RAND_generate number random bytes returns 1 generation DRBG seed E, G DRBG Internal W, E, G state (V, Key) Hash_DRBG Entropy input W, E DRBG seed E, G DRBG Internal W, E, G state (V, C) HMAC_DRBG Entropy input W, E DRBG seed E, G DRBG Internal W, E, G state (V, Key) Key Key RSA-OAEP Encrypt RSA public key CO W, E EVP_PKEY_REDHAT_FI transport wrapping PS_INDICATOR_APPR (encapsulati OVED on) using KTS- Plaintext key W, E OAEP-basic Wrapped key R Key Key RSA-OAEP Decrypt RSA private key CO W, E transport unwrapping (unencapsulatio using KTS- Wrapped key W, E n) OAEP-basic Plaintext key R Shared Compute a KAS-IFC-SSC RSA private key CO W, E EVP_PKEY_REDHAT_FI secret shared secret (owner), RSA PS_INDICATOR_APPR computation public key (peer) OVED RSA Shared G, R secret KAS-FFC-SSC DH private key W, E EVP_PKEY_derive (owner), DH returns 1 public key (peer) © 2025 Red Hat, Inc. / atsec information security corporation.

20 of 48
Page 21

Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs DH Shared G, R secret KAS-ECC-SSC EC private key W, E (owner), EC public key (peer) ECDH Shared G, R secret Signature Generate a RSA signature RSA private key CO W, E RSA: generation signature generation/verificatio EC private key OSSL_RH_FIPSINDICA n (PKCS#1 v1.5 and TOR_APPROVED and Signature Verify a PSS) RSA public key CO W, E EVP_SIGNATURE_RED verification signature ECDSA signature EC public key HAT_FIPS_INDICATOR generation/verificatio _APPROVED n ECDSA: OSSL_RH_FIPSINDICA TOR_APPROVED Key pair Generate a CKG DH private key, CO G, R EVP_PKEY_generate generation key pair CTR_DRBG, DH public key returns 1 Hash_DRBG, RSA private key, HMAC_DRBG RSA public key Safe primes key pair EC private key, generation EC public key RSA key pair Intermediate G, E, Z generation key generation ECDSA key pair value generation Key pair Verify a key Safe primes key pair DH private key, CO W, E EVP_PKEY_public_che verification pair verification DH public key ck or ECDSA key pair EC private key, EVP_PKEY_private_ch verification EC public key eck or EVP_PKEY_check returns 1 Other FIPS-related Services Show Return the N/A N/A CO N/A None version name and version information Show status Return the N/A N/A CO N/A None module status © 2025 Red Hat, Inc. / atsec information security corporation.

21 of 48
Page 22

Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs Self-test Perform the SHA-1, SHA-224, SHA- AES key CO N/A None CASTs and 256, SHA-512, SHA3- HMAC key integrity test 256 Key-derivation AES ECB, KW, GCM key HMAC Password KBKDF, KDA OneStep, DH private key, HKDF, ANS X9.42 KDF, DH public key ANS X9.63 KDF, SSH KDF, TLS 1.2 KDF, TLS RSA private key,

1.3 KDF RSA public key

PBKDF2 EC private key, EC public key CTR_DRBG, Hash_DRBG, DH Shared HMAC_DRBG secret KAS-FFC-SSC, KAS- ECDH Shared ECC-SSC secret RSA (OAEP and RSA Shared PKCS#1 v1.5) secret ECDSA KBKDF Derived key See Table 13 for specifics KDA OneStep Derived key HKDF Derived key ANS X9.42 KDF Derived key ANS X9.63 KDF Derived key SSH KDF Derived key TLS 1.2 KDF Derived key TLS 1.3 KDF Derived key PBKDF2 Derived key DRBG seed DRBG Internal state (V, Key) DRBG Internal state (V, C) Zeroization Zeroize all N/A Any SSP CO Z None SSPs Table 9 - Approved Services © 2025 Red Hat, Inc. / atsec information security corporation.

22 of 48
Page 23

Table 10 lists the non-approved services in this module, the algorithms involved, the roles that can request the service, and the respective service indicator. In this table, CO specifies the Crypto Officer role. Service Description Algorithms Accessed Role Encryption Encrypt a plaintext AES GCM (external IV) CO Message Compute a MAC tag HMAC (< 112-bit keys) CO authentication KBKDF Key Derive a key from a KBKDF (< 112-bit keys) CO derivation key-derivation key KDA OneStep Key Derive a key from a KDA OneStep (< 112-bit keys) derivation shared secret KDA OneStep (SHAKE128, SHAKE256) HKDF Key HKDF (< 112-bit keys) derivation ANS X9.42 KDF ANS X9.42 KDF (< 112-bit keys) Key derivation ANS X9.42 KDF (SHAKE128, SHAKE256) ANS X9.63 KDF ANS X9.63 KDF (< 112-bit keys) Key derivation ANS X9.63 KDF (SHA-1, SHAKE128, SHAKE256) SSH KDF Key SSH KDF (< 112-bit keys) derivation SSH KDF (SHA-512/224, SHA-512/256, SHA-3, SHAKE128, SHAKE256) TLS 1.2 KDF Key TLS 1.2 KDF (< 112-bit keys) derivation TLS 1.2 KDF (SHA-1, SHA-224, SHA-512/224, SHA512/256, SHA-3) TLS 1.3 KDF Key TLS 1.3 KDF (< 112-bit keys) derivation TLS 1.3 KDF (SHA-1, SHA-224, SHA-512, SHA-512/224, SHA-512/256, SHA-3) Password-based Derive a key from a PBKDF2 (short password; short salt; insufficient CO key derivation password iterations; < 112-bit keys) Signature Generate a signature RSA and ECDSA signature generation/verification (pre- CO generation hashed message) component Signature Verify a signature CO verification component Signature Generate a signature RSA-PSS (invalid salt length) CO generation Signature Verify a signature verification Table 10 - Non-Approved Services © 2025 Red Hat, Inc. / atsec information security corporation.

23 of 48
Page 24
5 Software/Firmware security
5.1 Integrity techniques

The integrity of the module is verified by comparing a HMAC SHA-256 value calculated at run time with the HMAC SHA-256 value embedded in the fips.so file that was computed at build time.

5.2 On-demand integrity test

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently re-initializing the module. This will perform (among others) the software integrity test. © 2025 Red Hat, Inc. / atsec information security corporation.

24 of 48
Page 25
6 Operational environment
6.1 Applicability

The module operates in a modifiable operational environment per FIPS 140-3 level 1 specification: the module executes on a general purpose operating system (Red Hat Enterprise Linux 9), which allows modification, loading, and execution of software that is not part of the validated module.

6.2 Tested operational environments

See Section 2.2. The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to:

6.3 Policy and requirements

The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. There are no concurrent operators. The module does not have the capability of loading software or firmware from an external source. Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Red Hat, Inc. / atsec information security corporation.

25 of 48
Page 26
7 Physical security

The module is comprised of software only and therefore this section is not applicable. © 2025 Red Hat, Inc. / atsec information security corporation.

26 of 48
Page 27
8 Non-invasive security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 Red Hat, Inc. / atsec information security corporation.

27 of 48
Page 28
9 Sensitive security parameters management

Table 11 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module in the approved services (Table 9). SSPs (including CSPs) are directly imported as input parameters and exported as output parameters from the module. Because these SSPs are only transiently used for a specific service, they are by definition exclusive between approved and non-approved services. Key / Strength Security Generation Import / Esta Stor Zeroiza Use and SSP Function Export blish age tion related Name / and Cert. ment keys Type Number AES key AES-XTS: 128, AES N/A MD/EE N/A RAM EVP_CI- Use: (CSP) 256 bits AES CMAC PHER_CTX_f Encryption Rest of AES GMAC ree Import: Decryption modes: 128, A4809, A4810, EVP_MAC_C 192, 256 bits A4811, A4812, API input pa- TX_free Message auA4815, A4816, rameters thentication A4817, A4818, From: Opera- Related SSPs: A4819, A4820, tor calling ap- None A4821, A4822, plication A4837, A4838, (TOEPP) A4839, A4840, To: CryptoA4841, A5560, graphic modA5576, A5577, ule A5579, A5580, A5581, A5582, A5583, A5584, Export: None A5586 HMAC key 112-256 bits HMAC N/A MD/EE N/A RAM EVP_MAC_C Use: (CSP) A4813, A4814, TX_free Message auA4823, A4824, Import: thentication A4825, A4826, Related SSPs: A5578, A5585, API input parameters None A5587 From: Operator calling application (TOEPP) To: Cryptographic module Export: None Key-deriva- 112-256 bits KBKDF N/A MD/EE N/A RAM EVP_KDF_CT Use: tion key A4843 X_free KBKDF Key deri(CSP) vation Import: API input pa- Related SSPs: rameters KBKDF Derived From: Opera- key tor calling application (TOEPP) To: Cryptographic module Export: None © 2025 Red Hat, Inc. / atsec information security corporation.

28 of 48
Page 29

DH Shared 112-256 bits KAS-FFC-SSC N/A MD/EE SP 800- RAM EVP_KDF_CT Use: secret KDA OneStep 56Ar3 X_free Shared secret (CSP) (DH computation HKDF Import: shared ANS X9.42 KDF API input pa- secret KDA OneStep rameters compu- Key derivation ANS X9.63 KDF From: Opera- tation) HKDF Key deriSSH KDF vation tor calling apTLS 1.2 KDF plication ANS X9.42 KDF TLS 1.3 KDF (TOEPP) Key derivation A4807 A4813 To: Crypto- ANS X9.63 KDF A4814 A4823 graphic mod- Key derivation A4824 A4825 ule SSH KDF Key A4826 A4837 derivation A4838 A4839 A4840 A4841 Export: TLS 1.2 KDF Key A4844 A4845 API output pa- derivation A5578 A5579 rameters TLS 1.3 KDF Key A5585 A5586 From: Crypto- derivation A5587 graphic mod- Related SSPs: ule KDA OneStep To: Operator Derived key calling appli- HKDF Derived cation (TOEPP) key ANS X9.42 KDF Derived key ANS X9.63 KDF Derived key SSH KDF Derived key TLS 1.2 KDF Derived key TLS 1.3 KDF Derived key DH private key DH public key ECDH Sha- 112-256 bits KAS-ECC-SSC N/A MD/EE SP 800- RAM EVP_KDF_CT Use: red secret KDA OneStep 56Ar3 X_free Shared secret (CSP) (ECDH computation HKDF Import: shared ANS X9.42 KDF API input pa- secret KDA OneStep rameters compu- Key derivation ANS X9.63 KDF From: Opera- tation) HKDF Key deriSSH KDF vation tor calling apTLS 1.2 KDF plication ANS X9.42 KDF TLS 1.3 KDF (TOEPP) Key derivation A4807 A4813 To: Crypto- ANS X9.63 KDF A4814 A4823 graphic mod- Key derivation A4824 A4825 ule SSH KDF Key A4826 A4837 derivation A4838 A4839 A4840 A4841 Export: TLS 1.2 KDF Key A4844 A5578 API output pa- derivation A5579 A5585 rameters TLS 1.3 KDF Key A5586 A5587 From: Crypto- derivation graphic mod- Related SSPs: ule KDA OneStep To: Operator Derived key calling appli- HKDF Derived cation (TOEPP) key ANS X9.42 KDF Derived key © 2025 Red Hat, Inc. / atsec information security corporation.

29 of 48
Page 30

ANS X9.63 KDF Derived key SSH KDF Derived key TLS 1.2 KDF Derived key TLS 1.3 KDF Derived key EC private key EC public key RSA Shared 112-256 bits KAS-IFC-SSC N/A MD/EE SP 800- RAM EVP_KDF_CT Use: secret KDA OneStep 56Br2 X_free Shared secret (CSP) (IFC computation HKDF Import: shared ANS X9.42 KDF API input pa- secret KDA OneStep rameters compu- Key derivation ANS X9.63 KDF From: Opera- tation) HKDF Key deriSSH KDF vation tor calling apTLS 1.2 KDF plication ANS X9.42 KDF TLS 1.3 KDF (TOEPP) Key derivation A4807 A4813 To: Crypto- ANS X9.63 KDF A4814 A4823 graphic mod- Key derivation A4824 A4825 ule Related SSPs: A4826 A4837 A4838 A4839 KDA OneStep A4840 A4841 Export: Derived key A4844 A5578 API output pa- HKDF Derived A5579 A5585 rameters key A5586 A5587 From: Crypto- ANS X9.42 KDF graphic mod- Derived key ule ANS X9.63 KDF To: Operator Derived key calling appli- RSA private key cation (TOEPP) RSA public key Password Password PBKDF2 N/A MD/EE N/A RAM EVP_KDF_CT Use: (CSP) strength: 108 - A4813, A4814, X_free Password-based

10128 A4823, A4824, key derivation

Import: A4825, A4826, Related SSPs: A5578, A5585, API input parameters PBKDF2 Derived A5587 key From: Operator calling application (TOEPP) To: Cryptographic module Export: None KBKDF Deri- 112-256 bits KBKDF SP 800-108r1 MD/EE N/A RAM EVP_KDF_CT Use: ved key A4843 SP 800-133r2, Sec- X_free KBKDF Key deri(CSP) tion 6.2 vation Import: None Related SSPs: Export: Key-derivation key API output parameters From: Cryptographic module To: Operator © 2025 Red Hat, Inc. / atsec information security corporation.

30 of 48
Page 31

calling application (TOEPP) KDA 112-256 bits KDA OneStep SP 800-56Cr2 MD/EE N/A RAM EVP_KDF_CT Use: OneStep A4844 SP 800-133r2, Sec- X_free KDA OneStep Derived key tion 6.2 Key derivation (CSP) Import: None Related SSPs: Export: DH Shared secret API output parameters ECDH Shared secret From: Cryptographic mod- RSA Shared seule cret HKDF Deri- HKDF To: Operator Use: ved key A4807 calling appli- HKDF Key deri(CSP) cation (TOEPP) vation Related SSPs: DH Shared secret ECDH Shared secret RSA Shared secret ANS X9.42 ANS X9.42 KDF SP 800-135r1 Use: KDF De- A4813 A4814 SP 800-133r2, Sec- ANS X9.42 KDF rived key A4823 A4824 tion 6.2 Key derivation (CSP) A4825 A4826 Related SSPs: A5578 A5585 A5587 DH Shared secret ECDH Shared secret RSA Shared secret ANS X9.63 ANS X9.63 KDF Use: KDF De- A4813 A4814 ANS X9.63 KDF rived key A4823 A4824 Key derivation (CSP) A4825 A4826 Related SSPs: A5578 A5585 A5587 DH Shared secret ECDH Shared secret RSA Shared secret SSH KDF SSH KDF Use: Derived key A4837 A4838 SSH KDF Key (CSP) A4839 A4840 derivation A4841 A5579 Related SSPs: A5586 DH Shared secret ECDH Shared secret TLS 1.2 KDF TLS 1.2 KDF Use: Derived key A4813 A4823 TLS 1.2 KDF Key (CSP) A4824 A4825 derivation A4826 A5578 Related SSPs: A5585 DH Shared secret © 2025 Red Hat, Inc. / atsec information security corporation.

31 of 48
Page 32

ECDH Shared secret TLS 1.3 KDF TLS 1.3 KDF Use: Derived key A4807 TLS 1.3 KDF Key (CSP) derivation Related SSPs: DH Shared secret ECDH Shared secret PBKDF2 De- PBKDF2 SP 800-132 Use: rived key A4813 A4814 SP 800-133r2, Sec- Password-based (CSP) A4823 A4824 tion 6.2 key derivation A4825 A4826 Related SSPs: A5578 A5585 A5587 Password Entropy in- 112-336 bits CTR_DRBG N/A Import: None N/A RAM EVP_RAND_ Use: put (CSP) Hash_DRBG Export: None CTX_free Random number HMAC_DRBG generation A4808 Related SSPs: DRBG seed DRBG seed CTR_DRBG: CTR_DRBG Import: None N/A RAM EVP_RAND_ Use: (CSP) 128, 192, 256 Hash_DRBG Export: None CTX_free Random number IG D.L com- bits HMAC_DRBG generation pliant Hash_DRBG: Related SSPs: 128, 256 bits Entropy input HMAC_DRBG: DRBG Internal 128, 256 bits state (V, Key) DRBG Internal state (V, C) DRBG Inter- CTR_DRBG CTR_DRBG Import: None N/A RAM EVP_RAND_ Use: nal state (V, HMAC_DRBG HMAC_DRBG Export: None CTX_free Random number Key) (CSP) A4808 generation IG D.L com- Related SSPs: pliant DRBG seed DRBG Inter- Hash_DRBG Hash_DRBG nal state (V, A4808 C) (CSP) IG D.L compliant DH private 112-200 bits KAS-FFC-SSC SP 800-56Ar3 (safe MD/EE N/A RAM EVP_PKEY_fr Use: key (CSP) A4845 primes) Section ee Shared secret

5.6.1.1.4 Testing computation

Candidates Import: API input pa- Key pair generarameters tion From: Opera- Key pair verificator calling ap- tion plication Related SSPs: (TOEPP) DH public key To: Crypto- Intermediate graphic mod- key generation ule value DH public 112-200 bits Use: key (PSP) Export: Shared secret API output pa- computation rameters Key pair generaFrom: tion © 2025 Red Hat, Inc. / atsec information security corporation.

32 of 48
Page 33

Cryptographic Key pair verificamodule tion To: Operator Related SSPs: calling application (TOEPP) DH private key Intermediate key generation value EC private 112, 128, 192, KAS-ECC-SSC FIPS 186-5 Appen- MD/EE N/A RAM EVP_PKEY_fr Use: key (CSP) 256 bits ECDSA dix A.2.2 Rejection ee Shared secret A4813, A4814, Sampling computation Import: A4823, A4824, Signature generA4825, A4826, API input parameters ation A5578, A5585, A5587 From: Opera- Key pair generator calling ap- tion plication Key pair verifica(TOEPP) tion To: Crypto- Related SSPs: graphic mod- EC public key ule Intermediate key generation Export: value EC public 112, 128, 192, API output pa- Use: key (PSP) 256 bits rameters Shared secret From: Crypto- computation graphic mod- Signature verifiule cation To: Operator Key pair generacalling appli- tion cation (TOEPP) Key pair verification Related SSPs: EC private key Intermediate key generation value RSA private 112-256 bits RSA KTS- FIPS 186-5 Appen- MD/EE N/A RAM EVP_PKEY_fr Use: key (CSP) IFC KAS-IFC- dix A.1.6 Probable ee Key pair generaSSC Primes with Condi- tion tions Based on Import: A4813, A4823, Shared secret A4824, A4825, Auxiliary Probable API input paPrimes rameters computation A4826, A5578, A5585 From: Opera- Signature genertor calling ap- ation plication Key un-encapsu(TOEPP) lation To: Crypto- Related SSPs: graphic mod- RSA public key ule Intermediate key generation value Export: RSA public Signature veri- Use: key (PSP) fication: 80- API output parameters Key pair genera-

256 bits tion

Others: 112- From: Cryptographic mod- Shared secret

256 bits computation

ule To: Operator Signature verificalling appli- cation cation (TOEPP) Key encapsulation © 2025 Red Hat, Inc. / atsec information security corporation.

33 of 48
Page 34

Related SSPs: RSA private key Intermediate key generation value Intermedi- 112-256 bits CKG SP 800-133r2 Sec- Import: None N/A RAM Automatic Use: ate key vendor affirmed tion 4, 5.1, and 5.2 Export: None Key pair generageneration tion value (CSP) Related SSPs: DH private key DH public key EC private key EC public key RSA private key RSA public key Table 11

9.1 Random bit generators

The module employs two Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1. These DRBGs are used internally by the module (e.g. to generate seeds for asymmetric key pairs and random numbers for security functions). They can also be accessed using the specified API functions. The following parameters are used:

  1. Private DRBG: AES-256 CTR_DRBG with derivation function. This DRBG is used to generate secret random values (e.g. during asymmetric key pair generation). It can be accessed using RAND_priv_bytes.
  2. Public DRBG: AES-256 CTR_DRBG with derivation function. This DRBG is used to generate general purpose random values that do not need to remain secret (e.g. initialization vectors). It can be accessed using RAND_bytes. These DRBGs will always employ prediction resistance. More information regarding the configuration and design of these DRBGs can be found in the module’s manual pages. Entropy Source Minimum number Details of bits of entropy SP 800-90B compliant 224 bits of entropy in OpenSSL CPU Jitter 2.2.0 entropy source is located Non-Physical Entropy the 256-bit output within the physical perimeter of the module but partially Source outside the cryptographic boundary of the module. (ESV cert. E48) Table 12 – Non-Deterministic Random Number Generation Specification The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.
9.2 SSP generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The following methods are implemented:

34 of 48
Page 35
2001 key agreement scheme.
9.3 SSP establishment

The module provides Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) shared secret computation compliant with SP800-56Ar3, in accordance with scenario 2 (1) of FIPS 140-3 IG D.F. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS). Note that the module only implements key pair generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 and 1.3 KDFs):

521 curves.

According to FIPS 140-3 IG D.B, the key sizes of DH and ECDH provide the following security strengths in the approved mode of operation:

35 of 48
Page 36

The module offers RSA key wrapping and unwrapping using KTS-OAEP-basic scheme. The implementation supports 2048-15360 bits modulus size, with both key encapsulation and un-encapsulation supported. The module does not implement key confirmation. See section 11.2.4 for operator guidance details. The SSP establishment methodology provides 112 to 256 bits of encryption strength. The module also supports the AES KW, AES KWP, and AES GCM key wrapping mechanisms. These algorithms can be used to wrap SSPs with a security strength between 128 and 256 bits, depending on the wrapping key size.

9.4 SSP entry/output

The module only supports SSP entry and output to and from the calling application running on the same operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. There is no entry or output of cryptographically protected SSPs. SSPs can be entered into the module via API input parameters in plaintext form, when required by a service. SSPs can also be output from the module via API output parameters, immediately after generation of the SSP (see Section 9.2).

9.5 SSP storage

SSPs are provided to the module by the calling application and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of SSPs.

9.6 SSP zeroization

The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The operator application is responsible for calling the appropriate destruction functions provided in the module’s API. The destruction functions (listed in Table 11) overwrite the memory occupied by SSPs with zeroes and de-allocate the memory with the regular memory de-allocation operating system call. All data output is inhibited during zeroization. © 2025 Red Hat, Inc. / atsec information security corporation.

36 of 48
Page 37
10 Self-tests

The module performs pre-operational self-tests and conditional self-tests. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. Both conditional and pre-operational self-tests can be executed on-demand by unloading and subsequently re-initializing the module. All the self-tests are listed in Table 12, with the respective condition under which those tests are performed. Note that the pre-operational integrity test is only executed after all cryptographic algorithm self-tests (CASTs) executed successfully. Algorithm Parameters Condition Type Test HMAC SHA-256 Initialization (af- Pre-operational Integrity MAC tag verification on fips.so file ter CASTs) Test SHA-1 N/A Initialization Cryptographic Algorithm KAT digest generation Self-Test SHA-512 N/A Initialization Cryptographic Algorithm KAT digest generation Self-Test SHA3-256 N/A Initialization Cryptographic Algorithm KAT digest generation Self-Test AES GCM 256-bit key Initialization Cryptographic Algorithm KAT encryption and decryption Self-Test AES ECB 128-bit key Initialization Cryptographic Algorithm KAT decryption Self-Test KBKDF HMAC SHA-256 in counter Initialization Cryptographic Algorithm KAT key derivation mode Self-Test KDA OneStep SHA-224 Initialization Cryptographic Algorithm KAT key derivation Self-Test HKDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test ANS X9.42 KDF AES-128 KW with SHA-1 Initialization Cryptographic Algorithm KAT key derivation Self-Test ANS X9.63 KDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test SSH KDF SHA-1 Initialization Cryptographic Algorithm KAT key derivation Self-Test TLS 1.2 KDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test TLS 1.3 KDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test PBKDF2 SHA-256 with 4096 iterations Initialization Cryptographic Algorithm KAT password-based key derivation and 288-bit salt Self-Test CTR_DRBG AES-128 with derivation Initialization Cryptographic Algorithm KAT DRBG generation and reseed © 2025 Red Hat, Inc. / atsec information security corporation.

37 of 48
Page 38

Algorithm Parameters Condition Type Test function and prediction re- Self-Test sistance Hash_DRBG SHA-256 with prediction resi- Initialization Cryptographic Algorithm KAT DRBG generation and reseed stance Self-Test HMAC_DRBG SHA-1 with prediction resi- Initialization Cryptographic Algorithm KAT DRBG generation and reseed stance Self-Test KAS-FFC-SSC ffdhe2048 Initialization Cryptographic Algorithm KAT shared secret computation Self-Test KAS-ECC-SCC P-256 Initialization Cryptographic Algorithm KAT shared secret computation Self-Test RSA2 OAEP with 2048-bit key Initialization Cryptographic Algorithm KAT key encapsulation and un-enSelf-Test capsulation RSA PKCS#1 v1.5 with SHA-256 Initialization Cryptographic Algorithm KAT signature generation and verifiand 2048-bit key Self-Test cation ECDSA SHA-256 and P-224, P-256, P- Initialization Cryptographic Algorithm KAT signature generation and verifi384, and P-521 Self-Test cation DH N/A DH key pair ge- Pair-wise Consistency Test Section 5.6.2.1.4 pair-wise consineration stency RSA PKCS#1 v1.5 with SHA-256 RSA key pair ge- Pair-wise Consistency Test Sign/verify pair-wise consistency neration ECDSA SHA-256 EC key pair ge- Pair-wise Consistency Test Sign/verify pair-wise consistency neration Table 13

10.1 Pre-operational tests

The module performs pre-operational tests automatically when the module is powered on. The pre-operational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. The types of pre-operational self-tests are described in the next sub-sections.

10.1.1 Pre-operational software integrity test

The integrity of the shared library component of the module is verified by comparing an HMAC SHA-256 value calculated at run time with the HMAC SHA-256 value embedded in the fips.so file that was computed at build time. If the software integrity test fails, the module transitions to the error state (Section 10.3). As mentioned previously, the HMAC and SHA-256 algorithms go through their respective CASTs before the software integrity test is performed.

2 According to FIPS IG 10.3.B and IG D.F scenario 1, this CAST also covers the self-test for the KAS-

IFC implementation. © 2025 Red Hat, Inc. / atsec information security corporation.

38 of 48
Page 39
10.2 Conditional self-tests
10.2.1 Conditional cryptographic algorithm tests

The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 13. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state (Section 10.3).

10.2.2 Conditional pair-wise consistency test

Upon generation of a DH, RSA or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 13, which provides some assurance that the generated key pair is well formed. For DH key pairs, this test consists of the PCT described in Section 5.6.2.1.4 of SP 80056Ar3. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation. If the test fails, the module transitions to the error state (Section 10.3).

10.3 Error states

If the module fails any of the self-tests, the module enters the error state. In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). Table 14 lists the error states and the status indicator values that explain the error that has occurred. Error State Cause of Error Status Indicator Error Software integrity test failure OSSL_PROV_PARAM_STATUS is set to 0 CAST failure Module will not load PCT failure Module is aborted Table 14

39 of 48
Page 40
11 Life-cycle assurance
11.1 Delivery and operation

The module is distributed as a part of the Red Hat Enterprise Linux 9 (RHEL 9) package in the form of the openssl-3.0.7-18.el9_2 RPM package. Also, the module can be distributed using the opensslfips-provider-3.0.7-2.el9 RPM package.

11.1.1 End of life procedures

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the installed RPM package can be uninstalled from the RHEL 9 system.

11.2 Crypto Officer guidance

Before the RPM package is installed, the RHEL 9 system must operate in the approved mode. This can be achieved by:

11.2.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. OpenSSL 3 is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary. This is in compliance with Scenario 2 of FIPS 140-3 IG C.H. © 2025 Red Hat, Inc. / atsec information security corporation.

40 of 48
Page 41

The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL IV value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection.

11.2.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 80038E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. In compliance with IG C.I, the module implements the check to ensure that the two AES keys used in AES XTS are not identical.

11.2.3 Key derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:

11.2.4 SP 800-56Ar3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that implements the SSH/TLS protocol. Additionally, the module’s approved key pair generation service (see Table 9) must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPSvalidated module. As part of this service, the module will internally perform the full public key validation of the generated public key. © 2025 Red Hat, Inc. / atsec information security corporation.

41 of 48
Page 42

The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3.

11.2.5 RSA Key Wrapping

To comply with SP800-56Br2 assurances found in its Section 6 (specifically SP800-56Br2 Section

6.4 Required Assurances) the entity using the module must obtain required assurances listed in

section 6.4 of SP 800-56Br2 by performing the following steps:

  1. The entity requesting the RSA key unwrapping (un-encapsulation) service from the module, shall only use an RSA private key that was generated by an active FIPS validated module that implements FIPS 186-5 compliant RSA key generation service and performs the key pair validity and the pairwise consistency as stated in section 6.4.1.1 of the SP 800-56Br2. Additionally, the entity shall renew these assurances over time by using any method described in section 6.4.1.5 of the SP 800-56Br2.
  2. For use of an RSA key wrapping (encapsulation) service in the context of key transport per IG D.G the entity using the module shall: a. verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). b. confirm the peer’s possession of private key by using any method specified in section
6.4.2.3 of the SP 800-56Br2.

Only after the above assurances are successfully met, shall the entity use the peer’s public key to perform the RSA key wrapping (encapsulation) service of the module.

11.2.6 RSA Key Agreement

To comply with the assurances found in Section 6.4 of SP 800-56Br2, the module’s approved RSA key pair generation service (see Table 9) must be used to generate the RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validity and the pairwise consistency according to section 6.4.1.1 of SP 800-56Br2. Additionally, the entity requesting the shared secret computation service shall verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). This service will perform the full public key validation of the peer’s public key, complying with Section 6.4.2.1 of SP 800-56Br2. © 2025 Red Hat, Inc. / atsec information security corporation.

42 of 48
Page 43
12 Mitigation of other attacks

Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:

43 of 48
Page 44

Appendix A. Glossary and abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IKE Internet Key Exchange KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback © 2025 Red Hat, Inc. / atsec information security corporation.

44 of 48
Page 45

PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Red Hat, Inc. / atsec information security corporation.

45 of 48
Page 46

Appendix B. References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program November 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard May 2023 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt © 2025 Red Hat, Inc. / atsec information security corporation.

46 of 48
Page 47

RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Addendum Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf © 2025 Red Hat, Inc. / atsec information security corporation.

47 of 48
Page 48

SP 800-56Br2 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf © 2025 Red Hat, Inc. / atsec information security corporation.

48 of 48