| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 10/28/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.2 of the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy. |
| Vendor | Red Hat(R), Inc. |
flowchart LR
%% Deterministic review-risk graph for Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Show status<br/>Self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Show status<br/>Self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider version 3.0.7-395c1a240fbfffd8 document version 1.5 Last update: 2025-07-08 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2025 Red Hat, Inc./ atsec information security corporation.
| # | Section | Page |
|---|
© 2025 Red Hat, Inc. / atsec information security corporation.
This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.7-395c1a240fbfffd8 of the Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. and including this notice. Other documentation is proprietary to their authors.
In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. ISO/IEC 24759 Section 6. [Number FIPS 140-3 Section Title Security Level Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security Not Applicable
8 Non-invasive Security Not Applicable
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-cycle Assurance 1
12 Mitigation of Other Attacks 1
© 2025 Red Hat, Inc. / atsec information security corporation.
Overall 1 Table 1 - Security Levels © 2025 Red Hat, Inc. / atsec information security corporation.
The Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider”, which implements the FIPS requirements and the cryptographic functionality provided to the operator.
The module has been tested on the following platforms with the corresponding module variants and configuration options with and without PAA: # Operating System Hardware Platform Processor PAA/PAI Acceleration
1 Red Hat Enterprise Dell PowerEdge R440 Intel(R) Xeon(R) Silver With and
Linux 9 4216 without PAA (AES-NI, SHA extensions)
2 Red Hat Enterprise IBM z16 3931-A01 IBM z16 With and
Linux 9 without PAI (CPACF)
3 Red Hat Enterprise IBM 9080-HEX IBM POWER10 With and
Linux 9 with without PAI PowerVM FW1040.00 (ISA, Altivec) with VIOS 3.1.3.00 Table 2 - Tested Operational Environments In addition to the configurations tested by the atsec CST laboratory, the vendor affirms testing was performed on the following platforms for the module. # Operating System Hardware Platform
1 Red Hat Enterprise Linux 9 Intel(R) Xeon(R) E5
Table 3 - Vendor Affirmed Operational Environments Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated SSPs when so ported if the specific operational environment is not listed on the validation certificate.
Table 4 lists all approved cryptographic algorithms of the module, including specific key lengths employed for approved services (Table 9), and implemented modes or methods of operation of the algorithms. The module supports RSA modulus sizes which are not tested by CAVP in compliance with FIPS 140-
© 2025 Red Hat, Inc. / atsec information security corporation.
CAVP Algorithm and Mode / Method Description / Key Size(s) Use / Function Cert / Key Strengths Standard A4813 SHA [FIPS 180-4] SHA-1, SHA-224, SHA-256, N/A Message digest A4823 SHA-384, SHA-512, SHAA4824 512/224, SHA-512/256 A4825 A4826 A5578 A5585 A4814 SHA-3 [FIPS 202] SHA3-224, SHA3-256, SHA3- N/A Message digest A5587 384, SHA3-512 SHA-3 [FIPS 202] SHAKE128, SHAKE256 N/A XOF A4809 AES [FIPS 197, SP ECB 128, 192, 256 bits with 128, Encryption A4810 800-38A] 192, 256 bits of security Decryption A4811 strength A4837 A4838 A4839 A4840 A4841 A5560 A5576 A5579 A5580 A5586 A4809 AES [FIPS 197, SP CBC, CBC-CTS-CS1, CBC- 128, 192, 256 bits with 128, Encryption A4810 800-38A, SP 800- CTS-CS2, CBC-CTS-CS3, 192, 256 bits of security Decryption A4811 38A Addendum, CFB1, CFB8, CFB128, CTR, strength A5560 SP 800-38C, SP OFB, CCM A5576 800-38F] KW, KWP (KTS) A5580 AES [FIPS 197, SP XTS 128, 256 bits with 128, 256 Encryption 800-38E] bits of security strength Decryption AES [FIPS 197, SP CMAC 128, 192, 256 bits with 128, Message 800-38B] 192, 256 bits of security authentication strength A4812 AES [FIPS 197, SP GCM (internal IV) (KTS) 128, 192, 256 bits with 128, Encryption A4815 800-38D] 192, 256 bits of security A4816 strength © 2025 Red Hat, Inc. / atsec information security corporation.
A4817 AES [FIPS 197, SP GCM (external IV) (KTS) 128, 192, 256 bits with 128, Decryption A4818 800-38D] 192, 256 bits of security A4819 strength A4820 A4821 A4822 A5577 A5581 A5582 A5583 A5584 A4812 AES [FIPS 197, SP GMAC 128, 192, 256 bits with 128, Message A4815 800-38D] 192, 256 bits of security authentication A4816 strength A4817 A4818 A4819 A4820 A4821 A4822 A5577 A5581 A5582 A5583 A5584 A4813 HMAC [FIPS 198- SHA-1, SHA-224, SHA-256, 112-524288 bits with 112-256 Message A4823 1] SHA-384, SHA-512, SHA- bits of security strength authentication A4824 512/224, SHA-512/256 A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4843 KBKDF [SP 800- Counter and feedback 112-4096 bits with 112-256 KBKDF Key 108r1] mode, using CMAC and bits of security strength derivation HMAC SHA-1, SHA-224, SHA-256, SHA-384, SHA512, SHA-512/224, SHA512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512 A4844 KDA OneStep1 [SP (HMAC) SHA-1, SHA-224, 224-8192 bits with 112-256 KDA OneStep Key 800-56Cr2] SHA-256, SHA-384, SHA- bits of security strength derivation 512, SHA-512/224, SHA512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512 1This algorithm is referred to as “Single Step KDF” or “SSKDF” by OpenSSL. © 2025 Red Hat, Inc. / atsec information security corporation.
A4807 HKDF [SP 800- SHA-1, SHA-224, SHA-256, 224-8192 bits with 112-256 HKDF Key derivation 56Cr2] SHA-384, SHA-512, SHA- bits of security strength 512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 A4813 ANS X9.42 KDF AES KW with SHA-1, SHA- 224-8192 bits with 112-256 ANS X9.42 KDF Key A4823 [SP 800-135r1] 224, SHA-256, SHA-384, bits of security strength derivation A4824 CVL SHA-512, SHA-512/224, A4825 SHA-512/256 A4826 A5578 A5585 A4814 AES KW with SHA3-224, A5587 SHA3-256, SHA3-384, SHA3A4813 ANS X9.63 KDF SHA-224, SHA-256, SHA- 224-8192 bits with 112-256 ANS X9.63 KDF Key A4823 [SP 800-135r1] 384, SHA-512, SHA- bits of security strength derivation A4824 CVL 512/224, SHA-512/256 A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4837 SSH KDF [SP 800- AES-128, AES-192, AES-256 224-8192 bits with 112-256 SSH KDF Key A4838 135r1] with SHA-1, SHA-224, SHA- bits of security strength derivation A4839 CVL 256, SHA-384, SHA-512 A4840 A4841 A5579 A5586 A4813 TLS 1.2 KDF [SP SHA-256, SHA-384, SHA-512 224-8192 bits with 112-256 TLS 1.2 KDF Key A4823 800-135r1] bits of security strength derivation A4824 CVL A4825 A4826 A5578 A5585 A4807 TLS 1.3 KDF [RFC SHA-256, SHA-384 224-8192 bits with 112-256 TLS 1.3 KDF Key 8446] bits of security strength derivation CVL A4813 PBKDF2 [SP 800- Option 1a with SHA-1, SHA- 8-128 characters with Password-based key A4823 132] 224, SHA-256, SHA-384, password strength between derivation A4824 SHA-512, SHA-512/224, 108 and 10128 A4825 SHA-512/256 A4826 A5578 A5585 © 2025 Red Hat, Inc. / atsec information security corporation.
A4814 PBKDF2 [SP 800- Option 1a with SHA3-224, 8-128 characters with Password-based key A5587 132] SHA3-256, SHA3-384, SHA3- password strength between derivation
A4808 CTR_DRBG [SP AES-128, AES-192, AES-256, 256, 320, 384 bits with 128, Random number 800-90Ar1] with/without derivation 192, 256 bits of security generation function, with/without strength prediction resistance Hash_DRBG [SP SHA-1, SHA-256, SHA-512 880, 1776 bits with 128, 256 Random number 800-90Ar1] with/without prediction bits of security strength generation resistance HMAC_DRBG [SP SHA-1, SHA-256, SHA-512 320, 512, 1024 bits with 128, Random number 800-90Ar1] with/without prediction 256 bits of security strength generation resistance A4813 KTS-IFC [SP 800- KTS-OAEP-basic 2048-15360 bits with 112-256 Key transport A4823 56Br2] bits of security strength A4824 A4825 A4826 A5578 A5585 A4813 KAS-IFC-SSC KAS1, KAS2 2048-15360 bits with 112-256 Shared secret A4823 bits of security strength computation A4824 A4825 A4826 A5578 A5585 A4845 KAS-FFC-SSC [SP dhEphem MODP-2048, MODP-3072, Shared secret 800-56Ar3] (initiator/responder) MODP-4096, MODP-6144, computation MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of security strength A4813 KAS-ECC-SSC [SP Ephemeral Unified Model P-224, P-256, P-384, P-521 Shared secret A4823 800-56Ar3] (initiator/responder) with 112, 128, 192, 256 bits of computation A4824 security strength A4825 A4826 A5578 A5585 A4813 RSA [FIPS 186-5] PKCS#1 v1.5 and PSS with 2048-16384 bits with 112-256 Signature A4823 SHA-224, SHA-256, SHA- bits of security strength generation A4824 384, SHA-512, SHAA4825 RSA [FIPS 186-5] 512/224, SHA-512/256, 2048-16384 bits with 112-256 Signature A4826 SHA3-224, SHA3-256, SHA3- bits of security strength verification A5578 384, SHA3-512 A5585 © 2025 Red Hat, Inc. / atsec information security corporation.
A4813 RSA [FIPS 186-4] PKCS#1 v1.5 and PSS with NIST SP 800-131Ar2 Legacy Signature A4823 SHA-224, SHA-256, SHA- use: 1024 bits with 80 bits of verification A4824 384, SHA-512, SHA- security strength A4825 512/224, SHA-512/256 A4826 A5578 A5585 A4813 ECDSA [FIPS 186- SHA-224, SHA-256, SHA- P-224, P-256, P-384, P-521 Signature A4823 5] 384, SHA-512, SHA- with 112, 128, 192, 256 bits of generation A4824 512/224, SHA-512/256, security strength A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4813 ECDSA [FIPS 186- SHA-224, SHA-256, SHA- Signature A4823 5] 384, SHA-512, SHA- verification A4824 512/224, SHA-512/256, A4825 A4826 A5578 A5585 A4814 SHA3-224, SHA3-256, SHA3A5587 384, SHA3-512 A4845 Safe primes [SP SP 800-56Ar3 Section MODP-2048, MODP-3072, Key pair generation 800-56Ar3] 5.6.1.1.4 Testing MODP-4096, MODP-6144, Candidates MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, Safe primes [SP SP 800-56Ar3 Sections ffdhe6144, ffdhe8192 with Key pair verification 800-56Ar3] 5.6.2.1.2 and 5.6.2.1.4 112-200 bits of security strength A4813 RSA [FIPS 186-5] FIPS 186-5 Appendix A.1.6 2048-15360 bits with 112-256 Key pair generation A4823 Probable Primes with bits of security strength A4824 Conditions Based on A4825 Auxiliary Probable Primes A4826 A5578 ECDSA [FIPS 186- FIPS 186-5 Appendix A.2.2 P-224, P-256, P-384, P-521 Key pair generation A5585 5] Rejection Sampling with 112, 128, 192, 256 bits of security strength ECDSA [FIPS 186- N/A Key pair verification 5] Vendor CKG [SP 800- Safe primes MODP-2048, MODP-3072, Key pair generation affirme 133r2 Section 4] MODP-4096, MODP-6144, d MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of security strength RSA 2048-16384 bits with 112-256 bits of security strength © 2025 Red Hat, Inc. / atsec information security corporation.
ECDSA P-224, P-256, P-384, P-521 with 112, 128, 192, 256 bits of security strength Vendor RSA [FIPS 186-4] PKCS#1 v1.5 and PSS with NIST SP 800-131Ar2 Legacy Signature affirme SHA3-224, SHA3-256, SHA3- use: 1024 bits with 80 bits of verification d 384, SHA3-512 security strength [FIPS 140-3 IG C.C] Table 4 - Approved Algorithms
The module does not offer any non-approved cryptographic algorithms that are allowed in approved services (with or without security claimed). Table 5 lists all non-approved cryptographic algorithms of the module employed by the nonapproved services in Table 10. Algorithm / Functions Use / Function AES GCM (external IV) Encryption HMAC (< 112-bit keys) Message authentication KBKDF, KDA OneStep, HKDF, ANS X9.42 KDF, ANS X9.63 KDF (< 112-bit keys) KBKDF Key derivation KDA OneStep Key derivation HKDF Key derivation ANS X9.42 KDF Key derivation ANS X9.63 KDF Key derivation KDA OneStep (SHAKE128, SHAKE256) KDA OneStep Key derivation ANS X9.42 KDF (SHAKE128, SHAKE256) ANS X9.42 KDF Key derivation ANS X9.63 KDF (SHA-1, SHAKE128, SHAKE256) ANS X9.63 KDF Key derivation SSH KDF (SHA-512/224, SHA-512/256, SHA-3, SHAKE128, SHAKE256) SSH KDF Key derivation TLS 1.2 KDF (SHA-1, SHA-224, SHA-512/224, SHA-512/256, SHA-3) TLS 1.2 KDF Key derivation TLS 1.3 KDF (SHA-1, SHA-224, SHA-512, SHA-512/224, SHA-512/256, SHA-3) TLS 1.3 KDF Key derivation PBKDF2 (short password; short salt; insufficient iterations; < 112-bit keys) Password-based key derivation RSA and ECDSA (pre-hashed message) Signature generation component Signature verification component RSA-PSS (invalid salt length) Signature generation Signature verification © 2025 Red Hat, Inc. / atsec information security corporation.
Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by the component painted in orange block, which consists only of the shared library implementing the FIPS provider (fips.so). Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. Figure 1
Upon initialization, the module immediately performs all cryptographic algorithm self-tests (CASTs) as specified in Table 13. When all those self-tests pass successfully, the module automatically performs the pre-operational integrity test using the integrity value embedded in the fips.so file. Only if this integrity test also passed successfully, the module transitions to the operational state. No operator intervention is required to reach this point. The module operates in the approved mode of operation by default and can only transition into the non-approved mode by calling one of the nonapproved services listed in Table 10 of the Security Policy. © 2025 Red Hat, Inc. / atsec information security corporation.
In the operational state, the module accepts service requests from calling applications through its logical interfaces. At any point in the operational state, a calling application can end its process, thus causing the module to end its operation. The module supports two modes of operation:
The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. Table 6 summarizes the logical interfaces: Physical Port Logical Interface Data that passes over port / interface As a software-only module, the Data Input API input parameters module does not have physical ports. Physical Ports are interpreted to be Data Output API output parameters the physical ports of the hardware Control Input API function calls platform on which it runs. Status Output API return codes, error queue Table 6 - Ports and Interfaces The module does not implement a control output interface. © 2025 Red Hat, Inc. / atsec information security corporation.
The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators or a maintenance role. Table 7 lists the roles supported by the module with corresponding services with input and output parameters. Role Service Input Output Crypto Message digest Message Digest value Officer XOF Message, output length Digest value Encryption Plaintext, AES key Ciphertext Decryption Ciphertext, AES key Plaintext Message authentication Message, AES key or HMAC MAC tag key KBKDF Key derivation Key-derivation key KBKDF Derived key KDA OneStep Key Shared secret KDA OneStep Derived key derivation HKDF Key derivation Shared secret HKDF Derived key ANS X9.42 KDF Key Shared secret ANS X9.42 KDF Derived key derivation ANS X9.63 KDF Key Shared secret ANS X9.63 KDF Derived key derivation SSH KDF Key derivation Shared secret SSH KDF Derived key TLS 1.2 KDF Key derivation Shared secret, EMS check TLS 1.2 KDF Derived key TLS 1.3 KDF Key derivation Shared secret, EMS check TLS 1.3 KDF Derived key Password-based key Password, salt, iteration PBKDF2 Derived key derivation count Random number Output length Random bytes generation Shared secret computation Owner private key, peer Shared secret public key Signature generation Pre-hashed message, Signature component private key Signature verification Pre-hashed message, public Pass/fail component key, signature Signature generation Message, private key, Signature hashing algo Signature verification Message, public key, Pass/fail signature, hashing algo Key Transport RSA public key, plaintext Wrapped key (encapsulation) key © 2025 Red Hat, Inc. / atsec information security corporation.
Key Transport (un- RSA private key, wrapped Plaintext Key encapsulation) key Key pair generation Key size Key pair Key pair verification Key pair Pass/fail Show version N/A Name and version information Show status N/A Module status Self-test N/A Pass/fail results of self-tests Zeroization Any SSP N/A Table 7 - Roles, Service Commands, Input and Output
The module does not support authentication for roles.
The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The next tables define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
Table 9 lists the approved services in this module, the algorithms involved, the Sensitive Security Parameters (SSPs) involved and how they are accessed, the roles that can request the service, and the respective service indicator. In this table, CO specifies the Crypto Officer role. Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs Message Compute a SHA-1, SHA-224, SHA- N/A CO N/A EVP_DigestFinal_ex digest message 256, SHA-384, SHA- returns 1 digest 512, SHA-512/224, SHA-512/256, SHA3224, SHA3-256, SHA3384, SHA3-512 XOF Compute the SHAKE128, SHAKE256 N/A CO N/A EVP_DigestFinalXOF output of an returns 1 XOF Encryption Encrypt a AES ECB, CBC, CBC- AES key CO W, E AES GCM: plaintext CTS-CS1, CBC-CTS- EVP_CIPHER_REDHAT CS2, CBC-CTS-CS3, _FIPS_INDICATOR_APP CFB1, CFB8, CFB128, ROVED CTR, OFB, CCM, KW, Others: KWP, GCM, XTS EVP_EncryptFinal_ex returns 1 Decryption Decrypt a CO W, E AES GCM: ciphertext EVP_CIPHER_REDHAT _FIPS_INDICATOR_APP ROVED Others: EVP_DecryptFinal_ex returns 1 Message Compute a AES CMAC AES key CO W, E HMAC: authenticati MAC tag AES GMAC HMAC key OSSL_MAC_PARAM_R on EDHAT_FIPS_INDICAT HMAC SHA-1, HMAC OR_APPROVED SHA-224, HMAC SHA256, HMAC SHA-384, Others: HMAC SHA-512, HMAC EVP_MAC_final SHA-512/224, HMAC returns 1 SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3-512 KBKDF Key Derive a key KBKDF Key-derivation CO W, E EVP_KDF_REDHAT_FIP derivation from a key- key S_INDICATOR_APPRO derivation VED key KBKDF Derived G, R key KDA Derive a key KDA OneStep DH Shared W, E OneStep from a shared secret Key secret derivation ECDH Shared W, E secret © 2025 Red Hat, Inc. / atsec information security corporation.
Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs RSA Shared W, E secret KDA OneStep G, R Derived key HKDF Key HKDF DH Shared W, E derivation secret ECDH Shared W, E secret RSA Shared W, E secret HKDF Derived G, R key ANS X9.42 ANS X9.42 KDF DH Shared W, E KDF Key secret derivation ECDH Shared W, E secret RSA Shared W, E secret ANS X9.42 KDF G, R Derived key ANS X9.63 ANS X9.63 KDF DH Shared W, E KDF Key secret derivation ECDH Shared W, E secret RSA Shared W, E secret ANS X9.63 KDF G, R Derived key SSH KDF SSH KDF DH Shared W, E Key secret derivation ECDH Shared W, E secret SSH KDF G, R Derived key TLS 1.2 KDF TLS 1.2 KDF DH Shared W, E Key secret derivation ECDH Shared W, E secret TLS 1.2 KDF G, R Derived key © 2025 Red Hat, Inc. / atsec information security corporation.
Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs TLS 1.3 KDF TLS 1.3 KDF DH Shared W, E Key secret derivation ECDH Shared W, E secret TLS 1.3 KDF G, R Derived key Password- Derive a key PBKDF2 Password CO W, E EVP_KDF_REDHAT_FIP based key from a S_INDICATOR_APPRO derivation password PBKDF2 Derived G, R VED key Random Generate CTR_DRBG Entropy input CO W, E EVP_RAND_generate number random bytes returns 1 generation DRBG seed E, G DRBG Internal W, E, G state (V, Key) Hash_DRBG Entropy input W, E DRBG seed E, G DRBG Internal W, E, G state (V, C) HMAC_DRBG Entropy input W, E DRBG seed E, G DRBG Internal W, E, G state (V, Key) Key Key RSA-OAEP Encrypt RSA public key CO W, E EVP_PKEY_REDHAT_FI transport wrapping PS_INDICATOR_APPR (encapsulati OVED on) using KTS- Plaintext key W, E OAEP-basic Wrapped key R Key Key RSA-OAEP Decrypt RSA private key CO W, E transport unwrapping (unencapsulatio using KTS- Wrapped key W, E n) OAEP-basic Plaintext key R Shared Compute a KAS-IFC-SSC RSA private key CO W, E EVP_PKEY_REDHAT_FI secret shared secret (owner), RSA PS_INDICATOR_APPR computation public key (peer) OVED RSA Shared G, R secret KAS-FFC-SSC DH private key W, E EVP_PKEY_derive (owner), DH returns 1 public key (peer) © 2025 Red Hat, Inc. / atsec information security corporation.
Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs DH Shared G, R secret KAS-ECC-SSC EC private key W, E (owner), EC public key (peer) ECDH Shared G, R secret Signature Generate a RSA signature RSA private key CO W, E RSA: generation signature generation/verificatio EC private key OSSL_RH_FIPSINDICA n (PKCS#1 v1.5 and TOR_APPROVED and Signature Verify a PSS) RSA public key CO W, E EVP_SIGNATURE_RED verification signature ECDSA signature EC public key HAT_FIPS_INDICATOR generation/verificatio _APPROVED n ECDSA: OSSL_RH_FIPSINDICA TOR_APPROVED Key pair Generate a CKG DH private key, CO G, R EVP_PKEY_generate generation key pair CTR_DRBG, DH public key returns 1 Hash_DRBG, RSA private key, HMAC_DRBG RSA public key Safe primes key pair EC private key, generation EC public key RSA key pair Intermediate G, E, Z generation key generation ECDSA key pair value generation Key pair Verify a key Safe primes key pair DH private key, CO W, E EVP_PKEY_public_che verification pair verification DH public key ck or ECDSA key pair EC private key, EVP_PKEY_private_ch verification EC public key eck or EVP_PKEY_check returns 1 Other FIPS-related Services Show Return the N/A N/A CO N/A None version name and version information Show status Return the N/A N/A CO N/A None module status © 2025 Red Hat, Inc. / atsec information security corporation.
Service Descriptio Approved Keys and/or Roles Access Indicator n Security SSPs rights to Functions Keys and/or SSPs Self-test Perform the SHA-1, SHA-224, SHA- AES key CO N/A None CASTs and 256, SHA-512, SHA3- HMAC key integrity test 256 Key-derivation AES ECB, KW, GCM key HMAC Password KBKDF, KDA OneStep, DH private key, HKDF, ANS X9.42 KDF, DH public key ANS X9.63 KDF, SSH KDF, TLS 1.2 KDF, TLS RSA private key,
PBKDF2 EC private key, EC public key CTR_DRBG, Hash_DRBG, DH Shared HMAC_DRBG secret KAS-FFC-SSC, KAS- ECDH Shared ECC-SSC secret RSA (OAEP and RSA Shared PKCS#1 v1.5) secret ECDSA KBKDF Derived key See Table 13 for specifics KDA OneStep Derived key HKDF Derived key ANS X9.42 KDF Derived key ANS X9.63 KDF Derived key SSH KDF Derived key TLS 1.2 KDF Derived key TLS 1.3 KDF Derived key PBKDF2 Derived key DRBG seed DRBG Internal state (V, Key) DRBG Internal state (V, C) Zeroization Zeroize all N/A Any SSP CO Z None SSPs Table 9 - Approved Services © 2025 Red Hat, Inc. / atsec information security corporation.
Table 10 lists the non-approved services in this module, the algorithms involved, the roles that can request the service, and the respective service indicator. In this table, CO specifies the Crypto Officer role. Service Description Algorithms Accessed Role Encryption Encrypt a plaintext AES GCM (external IV) CO Message Compute a MAC tag HMAC (< 112-bit keys) CO authentication KBKDF Key Derive a key from a KBKDF (< 112-bit keys) CO derivation key-derivation key KDA OneStep Key Derive a key from a KDA OneStep (< 112-bit keys) derivation shared secret KDA OneStep (SHAKE128, SHAKE256) HKDF Key HKDF (< 112-bit keys) derivation ANS X9.42 KDF ANS X9.42 KDF (< 112-bit keys) Key derivation ANS X9.42 KDF (SHAKE128, SHAKE256) ANS X9.63 KDF ANS X9.63 KDF (< 112-bit keys) Key derivation ANS X9.63 KDF (SHA-1, SHAKE128, SHAKE256) SSH KDF Key SSH KDF (< 112-bit keys) derivation SSH KDF (SHA-512/224, SHA-512/256, SHA-3, SHAKE128, SHAKE256) TLS 1.2 KDF Key TLS 1.2 KDF (< 112-bit keys) derivation TLS 1.2 KDF (SHA-1, SHA-224, SHA-512/224, SHA512/256, SHA-3) TLS 1.3 KDF Key TLS 1.3 KDF (< 112-bit keys) derivation TLS 1.3 KDF (SHA-1, SHA-224, SHA-512, SHA-512/224, SHA-512/256, SHA-3) Password-based Derive a key from a PBKDF2 (short password; short salt; insufficient CO key derivation password iterations; < 112-bit keys) Signature Generate a signature RSA and ECDSA signature generation/verification (pre- CO generation hashed message) component Signature Verify a signature CO verification component Signature Generate a signature RSA-PSS (invalid salt length) CO generation Signature Verify a signature verification Table 10 - Non-Approved Services © 2025 Red Hat, Inc. / atsec information security corporation.
The integrity of the module is verified by comparing a HMAC SHA-256 value calculated at run time with the HMAC SHA-256 value embedded in the fips.so file that was computed at build time.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently re-initializing the module. This will perform (among others) the software integrity test. © 2025 Red Hat, Inc. / atsec information security corporation.
The module operates in a modifiable operational environment per FIPS 140-3 level 1 specification: the module executes on a general purpose operating system (Red Hat Enterprise Linux 9), which allows modification, loading, and execution of software that is not part of the validated module.
See Section 2.2. The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to:
The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. There are no concurrent operators. The module does not have the capability of loading software or firmware from an external source. Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Red Hat, Inc. / atsec information security corporation.
The module is comprised of software only and therefore this section is not applicable. © 2025 Red Hat, Inc. / atsec information security corporation.
This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 Red Hat, Inc. / atsec information security corporation.
Table 11 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module in the approved services (Table 9). SSPs (including CSPs) are directly imported as input parameters and exported as output parameters from the module. Because these SSPs are only transiently used for a specific service, they are by definition exclusive between approved and non-approved services. Key / Strength Security Generation Import / Esta Stor Zeroiza Use and SSP Function Export blish age tion related Name / and Cert. ment keys Type Number AES key AES-XTS: 128, AES N/A MD/EE N/A RAM EVP_CI- Use: (CSP) 256 bits AES CMAC PHER_CTX_f Encryption Rest of AES GMAC ree Import: Decryption modes: 128, A4809, A4810, EVP_MAC_C 192, 256 bits A4811, A4812, API input pa- TX_free Message auA4815, A4816, rameters thentication A4817, A4818, From: Opera- Related SSPs: A4819, A4820, tor calling ap- None A4821, A4822, plication A4837, A4838, (TOEPP) A4839, A4840, To: CryptoA4841, A5560, graphic modA5576, A5577, ule A5579, A5580, A5581, A5582, A5583, A5584, Export: None A5586 HMAC key 112-256 bits HMAC N/A MD/EE N/A RAM EVP_MAC_C Use: (CSP) A4813, A4814, TX_free Message auA4823, A4824, Import: thentication A4825, A4826, Related SSPs: A5578, A5585, API input parameters None A5587 From: Operator calling application (TOEPP) To: Cryptographic module Export: None Key-deriva- 112-256 bits KBKDF N/A MD/EE N/A RAM EVP_KDF_CT Use: tion key A4843 X_free KBKDF Key deri(CSP) vation Import: API input pa- Related SSPs: rameters KBKDF Derived From: Opera- key tor calling application (TOEPP) To: Cryptographic module Export: None © 2025 Red Hat, Inc. / atsec information security corporation.
DH Shared 112-256 bits KAS-FFC-SSC N/A MD/EE SP 800- RAM EVP_KDF_CT Use: secret KDA OneStep 56Ar3 X_free Shared secret (CSP) (DH computation HKDF Import: shared ANS X9.42 KDF API input pa- secret KDA OneStep rameters compu- Key derivation ANS X9.63 KDF From: Opera- tation) HKDF Key deriSSH KDF vation tor calling apTLS 1.2 KDF plication ANS X9.42 KDF TLS 1.3 KDF (TOEPP) Key derivation A4807 A4813 To: Crypto- ANS X9.63 KDF A4814 A4823 graphic mod- Key derivation A4824 A4825 ule SSH KDF Key A4826 A4837 derivation A4838 A4839 A4840 A4841 Export: TLS 1.2 KDF Key A4844 A4845 API output pa- derivation A5578 A5579 rameters TLS 1.3 KDF Key A5585 A5586 From: Crypto- derivation A5587 graphic mod- Related SSPs: ule KDA OneStep To: Operator Derived key calling appli- HKDF Derived cation (TOEPP) key ANS X9.42 KDF Derived key ANS X9.63 KDF Derived key SSH KDF Derived key TLS 1.2 KDF Derived key TLS 1.3 KDF Derived key DH private key DH public key ECDH Sha- 112-256 bits KAS-ECC-SSC N/A MD/EE SP 800- RAM EVP_KDF_CT Use: red secret KDA OneStep 56Ar3 X_free Shared secret (CSP) (ECDH computation HKDF Import: shared ANS X9.42 KDF API input pa- secret KDA OneStep rameters compu- Key derivation ANS X9.63 KDF From: Opera- tation) HKDF Key deriSSH KDF vation tor calling apTLS 1.2 KDF plication ANS X9.42 KDF TLS 1.3 KDF (TOEPP) Key derivation A4807 A4813 To: Crypto- ANS X9.63 KDF A4814 A4823 graphic mod- Key derivation A4824 A4825 ule SSH KDF Key A4826 A4837 derivation A4838 A4839 A4840 A4841 Export: TLS 1.2 KDF Key A4844 A5578 API output pa- derivation A5579 A5585 rameters TLS 1.3 KDF Key A5586 A5587 From: Crypto- derivation graphic mod- Related SSPs: ule KDA OneStep To: Operator Derived key calling appli- HKDF Derived cation (TOEPP) key ANS X9.42 KDF Derived key © 2025 Red Hat, Inc. / atsec information security corporation.
ANS X9.63 KDF Derived key SSH KDF Derived key TLS 1.2 KDF Derived key TLS 1.3 KDF Derived key EC private key EC public key RSA Shared 112-256 bits KAS-IFC-SSC N/A MD/EE SP 800- RAM EVP_KDF_CT Use: secret KDA OneStep 56Br2 X_free Shared secret (CSP) (IFC computation HKDF Import: shared ANS X9.42 KDF API input pa- secret KDA OneStep rameters compu- Key derivation ANS X9.63 KDF From: Opera- tation) HKDF Key deriSSH KDF vation tor calling apTLS 1.2 KDF plication ANS X9.42 KDF TLS 1.3 KDF (TOEPP) Key derivation A4807 A4813 To: Crypto- ANS X9.63 KDF A4814 A4823 graphic mod- Key derivation A4824 A4825 ule Related SSPs: A4826 A4837 A4838 A4839 KDA OneStep A4840 A4841 Export: Derived key A4844 A5578 API output pa- HKDF Derived A5579 A5585 rameters key A5586 A5587 From: Crypto- ANS X9.42 KDF graphic mod- Derived key ule ANS X9.63 KDF To: Operator Derived key calling appli- RSA private key cation (TOEPP) RSA public key Password Password PBKDF2 N/A MD/EE N/A RAM EVP_KDF_CT Use: (CSP) strength: 108 - A4813, A4814, X_free Password-based
10128 A4823, A4824, key derivation
Import: A4825, A4826, Related SSPs: A5578, A5585, API input parameters PBKDF2 Derived A5587 key From: Operator calling application (TOEPP) To: Cryptographic module Export: None KBKDF Deri- 112-256 bits KBKDF SP 800-108r1 MD/EE N/A RAM EVP_KDF_CT Use: ved key A4843 SP 800-133r2, Sec- X_free KBKDF Key deri(CSP) tion 6.2 vation Import: None Related SSPs: Export: Key-derivation key API output parameters From: Cryptographic module To: Operator © 2025 Red Hat, Inc. / atsec information security corporation.
calling application (TOEPP) KDA 112-256 bits KDA OneStep SP 800-56Cr2 MD/EE N/A RAM EVP_KDF_CT Use: OneStep A4844 SP 800-133r2, Sec- X_free KDA OneStep Derived key tion 6.2 Key derivation (CSP) Import: None Related SSPs: Export: DH Shared secret API output parameters ECDH Shared secret From: Cryptographic mod- RSA Shared seule cret HKDF Deri- HKDF To: Operator Use: ved key A4807 calling appli- HKDF Key deri(CSP) cation (TOEPP) vation Related SSPs: DH Shared secret ECDH Shared secret RSA Shared secret ANS X9.42 ANS X9.42 KDF SP 800-135r1 Use: KDF De- A4813 A4814 SP 800-133r2, Sec- ANS X9.42 KDF rived key A4823 A4824 tion 6.2 Key derivation (CSP) A4825 A4826 Related SSPs: A5578 A5585 A5587 DH Shared secret ECDH Shared secret RSA Shared secret ANS X9.63 ANS X9.63 KDF Use: KDF De- A4813 A4814 ANS X9.63 KDF rived key A4823 A4824 Key derivation (CSP) A4825 A4826 Related SSPs: A5578 A5585 A5587 DH Shared secret ECDH Shared secret RSA Shared secret SSH KDF SSH KDF Use: Derived key A4837 A4838 SSH KDF Key (CSP) A4839 A4840 derivation A4841 A5579 Related SSPs: A5586 DH Shared secret ECDH Shared secret TLS 1.2 KDF TLS 1.2 KDF Use: Derived key A4813 A4823 TLS 1.2 KDF Key (CSP) A4824 A4825 derivation A4826 A5578 Related SSPs: A5585 DH Shared secret © 2025 Red Hat, Inc. / atsec information security corporation.
ECDH Shared secret TLS 1.3 KDF TLS 1.3 KDF Use: Derived key A4807 TLS 1.3 KDF Key (CSP) derivation Related SSPs: DH Shared secret ECDH Shared secret PBKDF2 De- PBKDF2 SP 800-132 Use: rived key A4813 A4814 SP 800-133r2, Sec- Password-based (CSP) A4823 A4824 tion 6.2 key derivation A4825 A4826 Related SSPs: A5578 A5585 A5587 Password Entropy in- 112-336 bits CTR_DRBG N/A Import: None N/A RAM EVP_RAND_ Use: put (CSP) Hash_DRBG Export: None CTX_free Random number HMAC_DRBG generation A4808 Related SSPs: DRBG seed DRBG seed CTR_DRBG: CTR_DRBG Import: None N/A RAM EVP_RAND_ Use: (CSP) 128, 192, 256 Hash_DRBG Export: None CTX_free Random number IG D.L com- bits HMAC_DRBG generation pliant Hash_DRBG: Related SSPs: 128, 256 bits Entropy input HMAC_DRBG: DRBG Internal 128, 256 bits state (V, Key) DRBG Internal state (V, C) DRBG Inter- CTR_DRBG CTR_DRBG Import: None N/A RAM EVP_RAND_ Use: nal state (V, HMAC_DRBG HMAC_DRBG Export: None CTX_free Random number Key) (CSP) A4808 generation IG D.L com- Related SSPs: pliant DRBG seed DRBG Inter- Hash_DRBG Hash_DRBG nal state (V, A4808 C) (CSP) IG D.L compliant DH private 112-200 bits KAS-FFC-SSC SP 800-56Ar3 (safe MD/EE N/A RAM EVP_PKEY_fr Use: key (CSP) A4845 primes) Section ee Shared secret
Candidates Import: API input pa- Key pair generarameters tion From: Opera- Key pair verificator calling ap- tion plication Related SSPs: (TOEPP) DH public key To: Crypto- Intermediate graphic mod- key generation ule value DH public 112-200 bits Use: key (PSP) Export: Shared secret API output pa- computation rameters Key pair generaFrom: tion © 2025 Red Hat, Inc. / atsec information security corporation.
Cryptographic Key pair verificamodule tion To: Operator Related SSPs: calling application (TOEPP) DH private key Intermediate key generation value EC private 112, 128, 192, KAS-ECC-SSC FIPS 186-5 Appen- MD/EE N/A RAM EVP_PKEY_fr Use: key (CSP) 256 bits ECDSA dix A.2.2 Rejection ee Shared secret A4813, A4814, Sampling computation Import: A4823, A4824, Signature generA4825, A4826, API input parameters ation A5578, A5585, A5587 From: Opera- Key pair generator calling ap- tion plication Key pair verifica(TOEPP) tion To: Crypto- Related SSPs: graphic mod- EC public key ule Intermediate key generation Export: value EC public 112, 128, 192, API output pa- Use: key (PSP) 256 bits rameters Shared secret From: Crypto- computation graphic mod- Signature verifiule cation To: Operator Key pair generacalling appli- tion cation (TOEPP) Key pair verification Related SSPs: EC private key Intermediate key generation value RSA private 112-256 bits RSA KTS- FIPS 186-5 Appen- MD/EE N/A RAM EVP_PKEY_fr Use: key (CSP) IFC KAS-IFC- dix A.1.6 Probable ee Key pair generaSSC Primes with Condi- tion tions Based on Import: A4813, A4823, Shared secret A4824, A4825, Auxiliary Probable API input paPrimes rameters computation A4826, A5578, A5585 From: Opera- Signature genertor calling ap- ation plication Key un-encapsu(TOEPP) lation To: Crypto- Related SSPs: graphic mod- RSA public key ule Intermediate key generation value Export: RSA public Signature veri- Use: key (PSP) fication: 80- API output parameters Key pair genera-
256 bits tion
Others: 112- From: Cryptographic mod- Shared secret
256 bits computation
ule To: Operator Signature verificalling appli- cation cation (TOEPP) Key encapsulation © 2025 Red Hat, Inc. / atsec information security corporation.
Related SSPs: RSA private key Intermediate key generation value Intermedi- 112-256 bits CKG SP 800-133r2 Sec- Import: None N/A RAM Automatic Use: ate key vendor affirmed tion 4, 5.1, and 5.2 Export: None Key pair generageneration tion value (CSP) Related SSPs: DH private key DH public key EC private key EC public key RSA private key RSA public key Table 11
The module employs two Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1. These DRBGs are used internally by the module (e.g. to generate seeds for asymmetric key pairs and random numbers for security functions). They can also be accessed using the specified API functions. The following parameters are used:
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The following methods are implemented:
The module provides Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) shared secret computation compliant with SP800-56Ar3, in accordance with scenario 2 (1) of FIPS 140-3 IG D.F. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS). Note that the module only implements key pair generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 and 1.3 KDFs):
According to FIPS 140-3 IG D.B, the key sizes of DH and ECDH provide the following security strengths in the approved mode of operation:
The module offers RSA key wrapping and unwrapping using KTS-OAEP-basic scheme. The implementation supports 2048-15360 bits modulus size, with both key encapsulation and un-encapsulation supported. The module does not implement key confirmation. See section 11.2.4 for operator guidance details. The SSP establishment methodology provides 112 to 256 bits of encryption strength. The module also supports the AES KW, AES KWP, and AES GCM key wrapping mechanisms. These algorithms can be used to wrap SSPs with a security strength between 128 and 256 bits, depending on the wrapping key size.
The module only supports SSP entry and output to and from the calling application running on the same operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. There is no entry or output of cryptographically protected SSPs. SSPs can be entered into the module via API input parameters in plaintext form, when required by a service. SSPs can also be output from the module via API output parameters, immediately after generation of the SSP (see Section 9.2).
SSPs are provided to the module by the calling application and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of SSPs.
The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The operator application is responsible for calling the appropriate destruction functions provided in the module’s API. The destruction functions (listed in Table 11) overwrite the memory occupied by SSPs with zeroes and de-allocate the memory with the regular memory de-allocation operating system call. All data output is inhibited during zeroization. © 2025 Red Hat, Inc. / atsec information security corporation.
The module performs pre-operational self-tests and conditional self-tests. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. Both conditional and pre-operational self-tests can be executed on-demand by unloading and subsequently re-initializing the module. All the self-tests are listed in Table 12, with the respective condition under which those tests are performed. Note that the pre-operational integrity test is only executed after all cryptographic algorithm self-tests (CASTs) executed successfully. Algorithm Parameters Condition Type Test HMAC SHA-256 Initialization (af- Pre-operational Integrity MAC tag verification on fips.so file ter CASTs) Test SHA-1 N/A Initialization Cryptographic Algorithm KAT digest generation Self-Test SHA-512 N/A Initialization Cryptographic Algorithm KAT digest generation Self-Test SHA3-256 N/A Initialization Cryptographic Algorithm KAT digest generation Self-Test AES GCM 256-bit key Initialization Cryptographic Algorithm KAT encryption and decryption Self-Test AES ECB 128-bit key Initialization Cryptographic Algorithm KAT decryption Self-Test KBKDF HMAC SHA-256 in counter Initialization Cryptographic Algorithm KAT key derivation mode Self-Test KDA OneStep SHA-224 Initialization Cryptographic Algorithm KAT key derivation Self-Test HKDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test ANS X9.42 KDF AES-128 KW with SHA-1 Initialization Cryptographic Algorithm KAT key derivation Self-Test ANS X9.63 KDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test SSH KDF SHA-1 Initialization Cryptographic Algorithm KAT key derivation Self-Test TLS 1.2 KDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test TLS 1.3 KDF SHA-256 Initialization Cryptographic Algorithm KAT key derivation Self-Test PBKDF2 SHA-256 with 4096 iterations Initialization Cryptographic Algorithm KAT password-based key derivation and 288-bit salt Self-Test CTR_DRBG AES-128 with derivation Initialization Cryptographic Algorithm KAT DRBG generation and reseed © 2025 Red Hat, Inc. / atsec information security corporation.
Algorithm Parameters Condition Type Test function and prediction re- Self-Test sistance Hash_DRBG SHA-256 with prediction resi- Initialization Cryptographic Algorithm KAT DRBG generation and reseed stance Self-Test HMAC_DRBG SHA-1 with prediction resi- Initialization Cryptographic Algorithm KAT DRBG generation and reseed stance Self-Test KAS-FFC-SSC ffdhe2048 Initialization Cryptographic Algorithm KAT shared secret computation Self-Test KAS-ECC-SCC P-256 Initialization Cryptographic Algorithm KAT shared secret computation Self-Test RSA2 OAEP with 2048-bit key Initialization Cryptographic Algorithm KAT key encapsulation and un-enSelf-Test capsulation RSA PKCS#1 v1.5 with SHA-256 Initialization Cryptographic Algorithm KAT signature generation and verifiand 2048-bit key Self-Test cation ECDSA SHA-256 and P-224, P-256, P- Initialization Cryptographic Algorithm KAT signature generation and verifi384, and P-521 Self-Test cation DH N/A DH key pair ge- Pair-wise Consistency Test Section 5.6.2.1.4 pair-wise consineration stency RSA PKCS#1 v1.5 with SHA-256 RSA key pair ge- Pair-wise Consistency Test Sign/verify pair-wise consistency neration ECDSA SHA-256 EC key pair ge- Pair-wise Consistency Test Sign/verify pair-wise consistency neration Table 13
The module performs pre-operational tests automatically when the module is powered on. The pre-operational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. The types of pre-operational self-tests are described in the next sub-sections.
The integrity of the shared library component of the module is verified by comparing an HMAC SHA-256 value calculated at run time with the HMAC SHA-256 value embedded in the fips.so file that was computed at build time. If the software integrity test fails, the module transitions to the error state (Section 10.3). As mentioned previously, the HMAC and SHA-256 algorithms go through their respective CASTs before the software integrity test is performed.
2 According to FIPS IG 10.3.B and IG D.F scenario 1, this CAST also covers the self-test for the KAS-
IFC implementation. © 2025 Red Hat, Inc. / atsec information security corporation.
The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 13. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state (Section 10.3).
Upon generation of a DH, RSA or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 13, which provides some assurance that the generated key pair is well formed. For DH key pairs, this test consists of the PCT described in Section 5.6.2.1.4 of SP 80056Ar3. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation. If the test fails, the module transitions to the error state (Section 10.3).
If the module fails any of the self-tests, the module enters the error state. In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). Table 14 lists the error states and the status indicator values that explain the error that has occurred. Error State Cause of Error Status Indicator Error Software integrity test failure OSSL_PROV_PARAM_STATUS is set to 0 CAST failure Module will not load PCT failure Module is aborted Table 14
The module is distributed as a part of the Red Hat Enterprise Linux 9 (RHEL 9) package in the form of the openssl-3.0.7-18.el9_2 RPM package. Also, the module can be distributed using the opensslfips-provider-3.0.7-2.el9 RPM package.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the installed RPM package can be uninstalled from the RHEL 9 system.
Before the RPM package is installed, the RHEL 9 system must operate in the approved mode. This can be achieved by:
The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. OpenSSL 3 is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary. This is in compliance with Scenario 2 of FIPS 140-3 IG C.H. © 2025 Red Hat, Inc. / atsec information security corporation.
The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL IV value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 80038E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. In compliance with IG C.I, the module implements the check to ensure that the two AES keys used in AES XTS are not identical.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that implements the SSH/TLS protocol. Additionally, the module’s approved key pair generation service (see Table 9) must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPSvalidated module. As part of this service, the module will internally perform the full public key validation of the generated public key. © 2025 Red Hat, Inc. / atsec information security corporation.
The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3.
To comply with SP800-56Br2 assurances found in its Section 6 (specifically SP800-56Br2 Section
6.4 Required Assurances) the entity using the module must obtain required assurances listed in
section 6.4 of SP 800-56Br2 by performing the following steps:
Only after the above assurances are successfully met, shall the entity use the peer’s public key to perform the RSA key wrapping (encapsulation) service of the module.
To comply with the assurances found in Section 6.4 of SP 800-56Br2, the module’s approved RSA key pair generation service (see Table 9) must be used to generate the RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validity and the pairwise consistency according to section 6.4.1.1 of SP 800-56Br2. Additionally, the entity requesting the shared secret computation service shall verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). This service will perform the full public key validation of the peer’s public key, complying with Section 6.4.2.1 of SP 800-56Br2. © 2025 Red Hat, Inc. / atsec information security corporation.
Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:
Appendix A. Glossary and abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IKE Internet Key Exchange KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback © 2025 Red Hat, Inc. / atsec information security corporation.
PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Red Hat, Inc. / atsec information security corporation.
Appendix B. References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program November 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard May 2023 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt © 2025 Red Hat, Inc. / atsec information security corporation.
RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Addendum Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf © 2025 Red Hat, Inc. / atsec information security corporation.
SP 800-56Br2 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf © 2025 Red Hat, Inc. / atsec information security corporation.