All modules
CMVP Validated Module · FIPS 140-3 Security Policy

AWS Key Management Service HSM

Certificate#4884StandardFIPS 140-3Level3TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorAmazon Web Services, Inc.
High review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level3
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/17/2026
CaveatInterim validation. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorAmazon Web Services, Inc.

Approved Algorithms (30)

AlgorithmACVP Cert
AES-CBCA1908
AES-CTRA1908
AES-ECBA1908
AES-GCMA1908
AES-KWPA1908
Conditioning Component AES-CBC-MAC SP800-90BA1791
Counter DRBGA1908
ECDSA KeyGen (FIPS186-4)A1908
ECDSA KeyVer (FIPS186-4)A1908
ECDSA SigGen (FIPS186-4)A1908
ECDSA SigGen (FIPS186-4)A1908
ECDSA SigVer (FIPS186-4)A1908
HMAC-SHA-1A1908
HMAC-SHA2-256A1908
HMAC-SHA2-384A1908
HMAC-SHA2-512A1908
KAS-ECC Sp800-56Ar3A1908
KAS-ECC Sp800-56Ar3A1908
KDA OneStep Sp800-56Cr1A1908
KDF SP800-108A1910
KTS-IFCA1908
RSA Decryption PrimitiveA1908
RSA KeyGen (FIPS186-4)A1908
RSA SigGen (FIPS186-4)A1908
RSA Signature PrimitiveA1908
RSA SigVer (FIPS186-4)A1908
SHA-1A1908
SHA2-256A1908
SHA2-384A1908
SHA2-512A1908

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for AWS Key Management Service HSM
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for AWS Key Management Service HSM
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

AWS Key Management Service HSM Hardware version 3.0, firmware version 1.8.104 Document Version 0.35 October 25, 2024

Page 2
Table of Contents
#SectionPage
Page 3
List of Tables
ItemPage
Table 1 – Security Levels4
Table 2 - Cryptographic Module Tested Configuration5
Table 3 –Approved Algorithms9
Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation9
Table 5 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed10
Table 6 – Ports and Interfaces12
Table 7 – Roles and Authentication13
Table 8 – Roles, Service Commands, Input and Output22
Table 9 – Approved Services42
Table 10 – Physical Security Inspection Guidelines46
Table 11 – EFP/EFT46
Table 12 – Hardness Testing Temperature Ranges46
Table 13 – SSPs64
Table 14 – Non-Deterministic Random Number Generator Specification65
Figure 1 – Cryptographic Module Boundary (Front)11
Figure 2 - Cryptographic Module Boundary (Back)11
Page 4

1. General Amazon Web Services, Inc. The module meets the FIPS 140-3 overall Level 3 requirements. Table 1 lists the security level of for each area in the FIPS 140-3 validation: ISO/IEC 24759 Section FIPS 140-3 Section Title Security Level

1 General 3

2 Cryptographic module specification 3

3 Cryptographic module interfaces 3

4 Roles, services, and authentication 3

5 Software/Firmware security 3

6 Operational environment N/A

7 Physical security 3

8 Non-invasive security N/A

9 Sensitive security parameter management 3

10 Self-tests 3

11 Life-cycle assurance 3

12 Mitigation of other attacks N/A

Page 5
  1. Cryptographic Module Specification The AWS Key Management Service HSM is used exclusively by AWS as a component of the AWS Key Management Service (KMS). The module is not directly accessible to customers of KMS. The cryptographic functions of the module are used to fulfill requests under specific public AWS KMS APIs. The module runs firmware versions 1.8.104 on hardware version 3.0 and is classified as a Hardware module with a multi-chip standalone embodiment. The cryptographic boundary is defined as the module case, and the module runs on a non-modifiable operating environment. The module follows the initialization/installation requirements found in Section
  2. Model Hardware Firmware Version Distinguishing Features [Part Number and Version] AWS Key Management Service 3.0 1.8.104 DC power input. No maintenance HSM cover Table 2 - Cryptographic Module Tested Configuration The AWS Key Management Service HSM operates only in an Approved mode of operation. The module does not support any non-approved algorithms not allowed in the Approved mode of operation. The module’s cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program (CAVP). Although additional modes and key lengths were included in the CAVP algorithm testing, the table below represents the actual modes and key lengths used by the services of the module. CAVP Cert1 Algorithm and Mode/Method Description / Key Size(s) / Key Use / Function Standard Strength(s) AWS Key Management Service Cryptographic Library A1908 AES ECB, CBC, CTR Direction: Decrypt, Encrypt Encryption, Decryption FIPS 197, SP Key Length: 128, 256 800-38A A1908 GCM2 AES GCM: Generation, AuthenticaSP 800-38D Direction: Decrypt, Encrypt tion, Encryption, Decryption IV Generation: External3 IV Generation Mode: 8.2.2 Key Length: 128, 256 Tag Length: 96, 128 IV Length: 96 Payload Length: 64, 128, 192 AAD Length: 128, 256 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. Per IG C.H (Scenario 2), IVs are internally generated using an approved DRBG, with length of 96 bits (per SP 800-38D). The IV generation is internal to the module, but external to the algorithm boundary
Page 6

CAVP Cert1 Algorithm and Mode/Method Description / Key Size(s) / Key Use / Function Standard Strength(s) A1908 KTS AES KWP Direction: Decrypt, Encrypt Key Transport using AES SP 800-38F per Cipher: Cipher KWP IG D.G Key Length: 256 Payload Length: 128, 192, 512 A1908 KTS AES GCM Direction: Decrypt, Encrypt Key Transport using AES SP 800-38D and Cipher: Cipher GCM SP 800-38F per Key Length: 256 IG D.G Payload Length: 160, 256, 384, 512, 2048, 3072, 4096 A1908 DRBG CTR DRBG Capabilities: Random Bit Generation SP 800-90A Mode: AES-256 Derivation Function Enabled: Yes Additional Input: 384 Entropy Input: 384 Nonce: 384 Personalization String Length: 384 Returned Bits: 512 A1908 ECDSA KeyGen Curve: P-256, P-384, P-521 Key Pair Generation FIPS 186-4 Secret Generation Mode: Extra Bits, Testing Candidates KeyVer Curve: P-256, P-384, P-521 Public Key Validation SigGen Component Curve: P-256, P-384, P-521 Signature Generation Hash Algorithm: SHA2-256, SHA2-384, Component SHA2-512 SigGen Curve: P-256, P-384, P-521 Signature Generation Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 SigVer Curve: P-256, P-384, P-521 Signature Verification Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 A1908 HMAC SHA-1 MAC: 80-160 Increment 8 Generation, AuthenticaFIPS 198-1 Key Length: 160 tion SHA2-256 MAC: 128-256 Increment 8 Key Length: 256 SHA2-384 MAC: 192-384 Increment 8 Key Length: 384 SHA2-512 MAC: 256-512 Increment 8 Key Length: 512

Page 7

CAVP Cert1 Algorithm and Mode/Method Description / Key Size(s) / Key Use / Function Standard Strength(s) A1908 RSA KeyGen Capabilities: Key Pair Generation FIPS 186-4 Key Generation Mode: B.3.3 Properties: Modulo: 2048, 3072, 4096 Primality Tests: Table C.2 Properties: Modulo: 2048, 3072, 4096 Primality Tests: Table C.3 Public Exponent Mode: Random Private Key Format: Chinese Remainder Theorem SigGen Signature Type: PKCSPSS Signature Generation Properties: Modulo: 2048, 3072, 4096 (Note: All supported modulus sizes have been algorithm tested according to IG C.F) Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 0 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 0 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 0 SigVer Signature Type: PKCSPSS Signature Verification Properties: Modulo: 2048, 3072, 4096 (Note: All supported modulus sizes have been algorithm tested according to IG C.F) Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 0 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 0 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 0 Decryption Primitive Modulo Length: 2048 Component Test Signature Primitive Private Key Format: standard Signature Generation Public Exponent Mode: random Component

Page 8

CAVP Cert1 Algorithm and Mode/Method Description / Key Size(s) / Key Use / Function Standard Strength(s) A1908 SHS SHA-1 Message Length: 0-65536 Increment 8 non-Digital Signature FIPS 180-4 Applications SHA2-256 Message Length: 0-65536 Increment 8 Digital Signature Generation and Verification SHA2-384 Message Length: 0-65536 Increment 8 Digital Signature Generation and Verification SHA2-512 Message Length: 0-65536 Increment 8 Digital Signature Generation and Verification A1908 KTS-IFC RSA-OAEP without key Modulo: 2048, 3072, 4096 Key Transport, SP 800-56Brev2 confirmation Key Generation Methods: rsakpg1-basic, Optional RSA encapsulaper IG D.G Key sizes: 2048, 3072, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- tion schemes for and 4096 bits basic, rsakpg2-crt, rsakpg2-prime-factor protecting keys that cusScheme: tomers import into AWS Hybrid Key-Transport KMS KTS-OAEP-basic: scheme incorporating Key Transport Method: KTS-OAEP and SP 80038F Hash Algorithms: SHA-1, SHA2-256 Supports Null Associated Data Associated Data Encoding: concatenation KAS Role: initiator, responder Key Length: 1024 SSP establishment methodology provides between 112 and 150 bits of encryption strength A1908 KAS KAS-ECC Key Agreement SP 800-56Arev3 (Cofactor) Ephemeral P-384 curve providing 192 bits of encrypper IG D.F Sce- Unified scheme with key tion strength nario 2, path (2) confirmation A1908 KAS KAS-ECC P-384 curve providing 192 bits of encryp- Key Agreement SP 800-56Arev3 (Cofactor) One-Pass Dif- tion strength per IG D.F Sce- fie-Hellman scheme with nario 2, path (2) key confirmation A1908 KDA [SP 800-56Crev1] Auxiliary Function Methods: Key Derivation SP 800-56Crev1 One-step key derivation Auxiliary Function Name: SHA2-256 MAC Salting Methods: default, random Auxiliary Function Methods: Auxiliary Function Name: SHA2-384 MAC Salting Methods: default, random

Page 9

CAVP Cert1 Algorithm and Mode/Method Description / Key Size(s) / Key Use / Function Standard Strength(s) Vendor CKG [SP 800-133rev2, Section N/A Key Generation Affirmed SP 800-133rev2 4] IG D.H Seeding for asymmetric key generation uses unmodified DRBG output [SP 800-133rev2, Section 6.1] Symmetric key generation uses unmodified DRBG output [SP 800-133rev2, Section 6.2] Symmetric keys can be derived AWS Key Management Service Key Derivation Function Library A1910 KBKDF Counter Mode Capabilities: KDF Mode: Counter MAC Key Derivation SP 800-108 HMAC-based KDF with Mode: HMAC-SHA2-256 Supported SHA2-256 Lengths: 8-4096 Increment 8 Fixed Data Order: Before Fixed Data Counter Length: 32 Supports Empty IV Custom Key In Length: 0 Entropy Source N/A ENT (P) Entropy source 384 bits Provides seeding mateSP 800-90B rial for the DRBG A1791 Conditioning AES-ECB Key Length: 128 Provides seeding mateComponents AES-CBC-MAC Payload Length: 128 rial for the DRBG Counter DRBG Table 3 –Approved Algorithms Algorithm Caveat Use / Function ECDSA secp256k1 key agreement; key establishment methodol- [IG C.A] ogy provides 128 bits of encryption strength Curves: secp256k1 may only be used in blockchain related applications Table 4

Page 10

Algorithm Caveat Use / Function HMAC-MD5 No security Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) claimed which operates completely independently from the rest of the module’s functionality HMAC-SHA2-256-128 No security Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) (non-compliant) claimed which operates completely independently from the rest of the module’s functionality AES-CBC-128 (non- No security Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) compliant) claimed which operates completely independently from the rest of the module’s functionality Table 5 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed

Page 11

The cryptographic boundary consists of the entire module as shown in Figures 1 and 2. Figure 1

Page 12

3. Cryptographic Module Interfaces The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-3 defined logical interfaces: data input, data output, control input, and status output. The control output interface is not applicable. The logical interfaces and their mapping are provided in the following table: Physical port Logical inter- Data that passes over port/interface face

25 Gigabit Ethernet Port Data Input Main session interface for cryptographic services

25 Gigabit Ethernet Port Data Output Main session interface for cryptographic services

25 Gigabit Ethernet Port Control Input Main session interface for cryptographic services

IPMI / Gigabit Ethernet Port Control Input Provides serial console access, query power on / off

25 Gigabit Ethernet Port Status Output Main session interface for cryptographic services

IPMI / Gigabit Ethernet Port Status Output Provides serial console access, query power on / off Power Power N/A Table 6

Page 13
  1. Roles, Services, and Authentication Operators of the module may assume the following three roles implicitly: KMS Front End Role (KMS-FE) - The KMS front end hosts perform actions on behalf of customers of AWS KMS. KMS Coordinator Role (KMS-C) - Non-public facing KMS hosts perform actions on behalf of KMS administrators in the Administrator Role. Administrator Role (Admin) - Employees of AWS who are authorized to manage the module. For FIPS 140-3 purposes, the KMS Coordinator and Administrator roles serve as the Cryptographic Officer role per FIPS 140-3 requirements. The KMS-Front End role serves as the User role per FIPS 140-3 requirements. The module supports only identity-based authentication and requires RSA or ECDSA signatures using RSA with 2048bit, 3072-bit, or 4096-bit keys, or ECDSA with P-384. Operators of the module are identified by unique Operator Signature Public Key (QOS). The list of operator keys and the role of each operator are configured using either the Initialize or InitializeAndCreateDomain service. Operators interact with the module by submitting digitally signed commands to the module. The module authenticates operators by verifying the digitally signed commands submitted to the module. Role Authentication Method Authentication Strength KMS Front End Role (KMS-FE) Identity based authentication. Com- 112 to 192 bits of security mands are signed using the operator’s RSA 2048, 3072, 4096 or ECDSA P384 key KMS Coordinator Role (KMS-C) Identity based authentication. Com- 112 to 192 bits of security mands are signed using the operator’s RSA 2048, 3072, 4096 or ECDSA P384 key Administrator Role (Admin) Identity based authentication. Com- 112 to 192 bits of security mands are signed using the operator’s RSA 2048, 3072, 4096 or ECDSA P384 key Table 7 – Roles and Authentication The list of services supported by the module are listed in Table
  2. Unless otherwise specified, access to services can be configured to require one or more members of one or more roles listed in Table
  3. These services are used only by components of KMS to fulfill requests under specific public AWS KMS APIs and cannot be used directly by KMS customers. See http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html for a list of the current public AWS KMS APIs. Strength of Authentication Authentication to the module requires RSA (2048 or 4096-bit) or ECDSA (P-384) signature verification. These authentication methods are cryptographically strong and provide between 112 to 192 bits of security. The possibility of a single random authentication attempt succeeding is 2-112 which is far less than the required minimum of less than 1/1,000,000.
Page 14

Assuming an upper bound of 232 authentication requests per second, the possibility of a random authentication succeeding within a one-minute period is (60*232)/2112 = 15/278 which is significantly less than 1/100,000. The cryptographic strengths of the digital signatures used for authentication create such difficulty in achieving a successful random authentication attempt that even the theoretical maximum bandwidth of the 25 Gb/second Ethernet port is not significant enough to allow enough attempts in a one-minute period.

Page 15

Services Role Service Input Output Cryptographic Services KMS-FE, Create None A HSM Backing Key encrypted with the active DoKMS-C, main Key (DKn), or Admin An Import Wrapping Key Pair (dIWK, QIWK) The IWK private key is encrypted with the active Domain Key (DKn) The IWK public key KMS-FE, ImportKey The private key of an Import Wrapping Key Pair The Customer Supplied Key, encrypted with the curKMS-C, (IWK) encrypted with the active or a recent iter- rent active domain key (DKn) Admin ation of domain key (DKn or DKn-1) Customer Supplied Key (CSK), encrypted with the public key of the Import Wrapping Key. This may use the wrapping methods as defined in section 9.2 or 9.3 of SP 800-56B, using the ephemeral Import Wrapping Envelope Key (IWEK) KMS-FE, RefreshKey HBK or CSK encrypted with a recent iteration of HBK or CSK encrypted with the active domain key KMS-C, a Domain Key (DKn-1) (DKn) Admin KMS-FE, Encrypt A HBK or CSK encrypted with the active or a re- N/A (encrypted ciphertext) KMS-C, cent iteration of domain key (DKn or DKn-1) Admin KMS-FE, Decrypt A HBK or CSK encrypted with a Domain Key Arbitrary data or CDK encrypted using the HOSK KMS-C, (DKn) Admin Ciphertext or encrypted Customer Data Key (CDK) Customer Data Encryption Public Key (QCDEK)

Page 16

Role Service Input Output KMS-FE, ReEncrypt A HBK or CSK encrypted with the active or a re- N/A (encrypted ciphertext) KMS-C, cent iteration of domain key (DKn or DKn-1) Admin used to decrypt the provided ciphertext A HBK or CSK encrypted with the active or a recent iteration of domain key (DKn or DKn-1) used to encrypt the resulting plaintext Ciphertext or encrypted Customer Data Key (CDK) KMS-FE, Sign HBK or CSK encrypted with the active domain None (signature) KMS-C, key (DKn) Admin KMS-FE, Verify HBK or CSK encrypted with the active domain None KMS-C, key (DKn) Admin (signature to be verified) KMS-FE, EncryptRandomBytes HBK or CSK encrypted by the active domain key A number of random bytes that may be used as CusKMS-C, (DKn) tomer Data Keys (CDK) encrypted by the HBK or CSK Admin KMS-FE, GenerateAndEncryptRandomBytes HBK or CSK encrypted by the active domain key A number of random bytes that may be used as CusKMS-C, (DKn) tomer Data Keys (CDK) encrypted by the HOSK Admin Customer Data Encryption Public Key (QCDEK) A number of random bytes that may be used as Customer Data Keys (CDK) encrypted by the HBK or CSK KMS-FE, GenerateDataKeyPair HBK or CSK encrypted by the active domain key An asymmetric Customer Data Key (CDK) private key KMS-C, (DKn) encrypted by the HOSK Admin Customer Data Encryption Public Key (QCDEK) An asymmetric Customer Data Key (CDK) private key encrypted by the HBK or CSK KMS-FE, GenerateDataKeyPairWithoutPlaintext HBK or CSK encrypted by the active domain key An asymmetric Customer Data Key (CDK) private key KMS-C, (DKn) encrypted by the HBK or CSK Admin KMS-FE, Generate Customer Data Encryption Public Key (QCDEK) None KMS-C, Admin

Page 17

Role Service Input Output KMS-FE, GetParametersForReplication None Public Replication Agreement Key (QRAK1) KMS-C, Private Replication Agreement Key (dRAK1) enAdmin crypted by the active domain key (DKn) KMS-FE, WrapKeyForReplication Public Replication Agreement Key (QRAK1) Public Replication Agreement Key (QRAK2) KMS-C, HBK encrypted by the active domain key (DKn) Customer Replicated Key (CRK) encrypted by the Admin Replication Wrapping Key (RWK) Replication Agreement Key Pair (dRAK2, QRAK2) KMS-FE, ImportReplicatedKey Private Replication Agreement Key (dRAK1) en- HBK encrypted by the active domain key (DKn) KMS-C, crypted by the active domain key (DKn) Customer Replication Key (CRK) Admin Public Replication Agreement Key (QRAK2) Customer Supplied Key (CSK) encrypted by the Replication Wrapping Key (RWK) Configuration Services KMS-FE, CreateDomain List of Operator Signature Public Keys (QOS) A Domain Token containing: KMS-C,

Page 18

Role Service Input Output KMS-FE, IngestDomain A Domain Token containing the following CSPs: The unmodified input Domain Token KMS-C,

Page 19

Role Service Input Output KMS-FE, ChangeDomain A Domain Token containing: An updated Domain Token containing the following KMS-C,

Page 20

Role Service Input Output All (un- InitializeAndCreateDomain List of Operator Signature Public Keys (QOS) A Domain Token containing: authenti

Page 21

Role Service Input Output One NegotiateSessionKey Operator Ephemeral Agreement Public Key Encrypted HSM-Operator Session Key (HOSK) enmember (QOEAK) crypted with the Domain Key (DKn) or HSM Session from any Key Encryption Key (HSKEK) role HSM-Operator Session Key (HOSK) encrypted with a 256-bit key derived from the shared secret established using elliptic curve Diffie Hellman key exchange (NIST-P384) using the HSM Ephemeral Agreement Public Key (QE) and the Operator Ephemeral Agreement Public Key (QOEAK) HSM Ephemeral Agreement Public Key (QE) KMS-FE, UpdateHostConfiguration None None KMS-C, Admin Audit Log Services KMS-FE, ListLogs None None KMS-C, Admin KMS-FE, GetLog None None KMS-C, Admin KMS-FE, DeleteLog None None KMS-C, Admin Other Services All (un- Ping None Returns “healthy” if the module is operating in Apauthenti proved mode. Returns “failure” if the module is not cated) operating in Approved mode. All (un- Approved None Returns “healthy” if the module is operating in Apauthenti proved mode. Returns “failure” if the module is not cated) operating in Approved mode. All (un- Version None Module name, hardware version and firmware verauthenti sion cated)

Page 22

Role Service Input Output All (un- Hardware monitoring None Hardware sensor data authenti cated) All (un- Power management None None authenti cated) All (un- Serial over LAN (SOL) None None authenti cated) Table 8

Page 23

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs ImportKey Decrypts a Cus- AES GCM The private key of an Import Wrapping Key KMS-FE, Read “healthy” tomer Supplied Key KBKDF Pair (dIWK, QIWK) KMS-C, Execute (CSK) and re-en- Customer Supplied Key (CSK) Admin KTS-IFC (RSA-OAEP) Zeroize crypts it with the Active Domain Key (DKn) Write active Domain Key (DKn) HSM-to-Operator Session Key (HOSK) RefreshKey Re-encrypts an AES GCM HBK or CSK encrypted with a recent itera- KMS-FE, Read “healthy” HSM Backing Key KBKDF tion of a Domain Key (DKn or DKn-1) KMS-C, Execute (HBK) key or Cus- Active or a recent iteration of Domain Key Admin Zeroize tomer Supplied Key (DKn or DKn-1) (CSK) encrypted Write HSM-to-Operator Session Key (HOSK) with a recent iteration of the domain key (DKn-1) with the active domain key (DKn) Encrypt Encrypt an arbitrary AES GCM A HBK or CSK encrypted with the active or KMS-FE, Read “healthy” set of bytes using a recent iteration of domain key (DKn or KMS-C, Execute the DEK derived DKn-1) Admin Zeroize from the provided Active or a recent iteration of Domain Key HBK or CSK Write (DKn or DKn-1) HSM-to-Operator Session Key (HOSK) Data Encryption Key (DEK)

Page 24

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Decrypt Decrypts ciphertext AES GCM A HBK or CSK encrypted with a Domain Key KMS-FE, Read “healthy” using the DEK de- (DKn) KMS-C, Execute rived from the Ciphertext or encrypted Customer Data Admin Zeroize provided HBK or Key (CDK) CSK Write Arbitrary data or CDK encrypted using the Generate HOSK Active or a recent iteration of domain key (DKn or DKn-1) HSM-to-Operator Session Key (HOSK) Data Encryption Key (DEK) Customer Data Encryption Public Key (QCDEK) Customer Data Encryption Symmetric Key (SCDEK) ReEncrypt Decrypts ciphertext AES GCM A HBK or CSK encrypted with the active or KMS-FE, Read “healthy” using the DEK de- a recent iteration of domain key (DKn or KMS-C, Execute rived from the DKn-1) used to decrypt the provided cipher- Admin Zeroize provided HBK or text CSK, then re-en- Write A HBK or CSK encrypted with the active or crypts the resulting a recent iteration of domain key (DKn or plaintext under the DKn-1) used to encrypt the resulting DEK from a sepa- plaintext rately provided HBK Ciphertext or encrypted Customer Data or CSK Key (CDK) This operation does Active or a recent iteration of Domain Key not expose the (DKn or DKn-1) plaintext HSM-to-Operator Session Key (HOSK) Data Encryption Key (DEK)

Page 25

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Sign Performs an ECDSA CTR DRBG HBK or CSK encrypted with the active do- KMS-FE, Read “healthy” or RSA sign opera- AES GCM main key (DKn) KMS-C, Execute tion, or HMAC Domain Key (DKn or DKn-1) Admin RSA Zeroize operation using the ECDSA HSM-to-Operator Session Key (HOSK) Write provided HBK or CSK SHS DRBG (CTR AES) V and AES key HMAC Verify Performs an ECDSA AES GCM HBK or CSK encrypted with the active do- KMS-FE, Read “healthy” or RSA verify, or RSA main key (DKn) KMS-C, Execute HMAC operation Domain Key (DKn or DKn-1) Admin ECDSA Zeroize using the provided SHS HSM-to-Operator Session Key (HOSK) Write HBK or CSK HMAC EncryptRan- Generate a number CTR DRBG HBK or CSK encrypted with the active do- KMS-FE, Read “healthy” domBytes of random bytes AES GCM main key (DKn) KMS-C, Execute and encrypt it using A number of random bytes that may be Admin CKG Zeroize the DEK derived used as Customer Data Keys (CDK) enfrom the specified Write crypted by the HBK or CSK HBK or CSK Domain Key (DKn or DKn-1) The random bytes HSM-to-Operator Session Key (HOSK) may be used as cryptographic key DRBG (CTR AES) V and AES key material as Cus- Data Encryption Key (DEK) tomer Data Keys (CDK)

Page 26

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs GenerateAndEn- Generate a number CTR DRBG HBK or CSK encrypted with the active do- KMS-FE, Generate “healthy” cryptRandomBytes of random bytes for AES GCM main key (DKn) KMS-C, Read use and encrypt it A number of random bytes that may be Admin CKG Execute using the DEK de- used as Customer Data Keys (CDK) enrived from the Zeroize crypted by the HBK or CSK specified HBK or Write A number of random bytes that may be CSK used as Customer Data Keys (CDK) enThe random bytes crypted by the HOSK may be used as Domain Key (DKn or DKn-1) cryptographic key material as Cus- HSM-to-Operator Session Key (HOSK) tomer Data Keys DRBG (CTR AES) V and AES key (CDK) Data Encryption Key (DEK) Note that the Gen- Customer Data Encryption Public Key erateAndEncryptRa (QCDEK) ndomBytes API will Customer Data Encryption Symmetric Key return encrypted (SCDEK) versions of the random bytes in 2 forms

Page 27

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs GenerateDataKey- Generate an asym- CTR DRBG HBK or CSK encrypted by the active do- KMS-FE, Generate “healthy” Pair metric key pair and RSA (keygen) main key (DKn) KMS-C, Read encrypt it with the An asymmetric Customer Data Key (CDK) Admin ECDSA (keygen) Execute specified HBK or private key encrypted by the HOSK CSK The asymmet- AES GCM Zeroize An asymmetric Customer Data Key (CDK) ric key pair will be CKG Write private key encrypted by the HBK or CSK used as cryptographic key Active or a recent iteration of domain key material as Cus- (DKn or DKn-1) tomer Data Keys HSM-to-Operator Session Key (HOSK) (CDK) DRBG (CTR AES) V and AES key Customer Data Encryption Public Key Note that the Gen- (QCDEK) erateDataKeyPair API will return en- Customer Data Encryption Symmetric Key crypted versions of (SCDEK) the CDK in 2 forms GenerateDataKey- Generate an asym- CTR DRBG HBK or CSK encrypted by the active do- KMS-FE, Generate “healthy” PairWithoutPlainte metric key pair and RSA (keygen) main key (DKn) KMS-C, Read xt encrypt it with the An asymmetric Customer Data Key (CDK) Admin ECDSA (keygen) Execute specified HBK or private key encrypted by the HBK or CSK CSK The asymmet- AES GCM Zeroize Active or a recent iteration of domain key ric key pair will be CKG Write (DKn or DKn-1) used as cryptographic key HSM-to-Operator Session Key (HOSK) material as Cus- DRBG (CTR AES) V and AES key tomer Data Keys (CDK)

Page 28

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Generate Generate a speci- CTR DRBG HSM-to-Operator Session Key (HOSK) KMS-FE, Read “healthy” fied number of AES GCM DRBG (CTR AES) V and AES key KMS-C, Execute random bytes, up Admin CKG Customer Data Encryption Public Key Zeroize to 1024 bytes (QCDEK) Write Customer Data Encryption Symmetric Key (SCDEK) GetParameters- This API generates CTR DRBG Public Replication Agreement Key (QRAK1) KMS-FE, Generate “healthy” ForReplication a new Replication ECDSA (keygen) Private Replication Agreement Key (dRAK1) KMS-C, Read Agreement Key Pair encrypted by the active domain key (DKn) Admin AES GCM Execute (dRAK1, QRAK1) CKG Replication Agreement Key Pair (dRAK1, Zeroize The Private Replica- QRAK1) tion Agreement Key HSM-to-Operator Session Key (HOSK) (dRAK1) is encrypted with the Active or a recent iteration of domain key domain key (DKn) (DKn or DKn-1) Active or a recent iteration of a Private Replication Signing Key (dRSKn or dRSKn-1) The API also signs all output with the DRBG (CTR AES) V and AES key Private Replication Signing Key (dRSKn or dRSKn-1)

Page 29

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs WrapKeyForRepli- This API takes an in- KAS (ECCDH) Public Replication Agreement Key (QRAK1) KMS-FE, Read “healthy” cation put a public KDA (one-step KDF HBK encrypted by the active domain key KMS-C, Execute Replication Agree- SHA2) (DKn) Admin Zeroize ment Key (QRAK1) AES GCM Replication Agreement Key Pair (dRAK2, Write generated from an ECDSA QRAK2) HSM, and generates a new Public Replication Agreement Key (QRAK2) Replication Agree- Customer Replicated Key (CRK) encrypted ment Key pair by the Replication Wrapping Key (RWK) (dRAK2, QRAK2) HSM-to-Operator Session Key (HOSK) QRAK1 and dRAK2 Active or a recent iteration of domain key are combined using (DKn or DKn-1) the Diffie-Hellmann key exchange to Active or a recent iteration of the Private produce a shared Replication Signing Key (dRSKn or dRSKn-1) secret and derive a Active or a recent iteration of the Public symmetric secret Replication Singing Key (QRSKn or QRSKn-1) key (the Replication Replication Agreement RWK Shared Secret Wrapping Key, Z (RRZ) RWK) Customer Replication Key (CRK) The RWK is then used to encrypt an HBK, resulting in a Customer Replicated Key (CRK)

Page 30

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs ImportReplicat- This API combines KAS (ECCDH) Private Replication Agreement Key (dRAK1) KMS-FE, Read “healthy” edKey two Replication KDA (one-step KDF encrypted by the active domain key (DKn) KMS-C, Execute Agreement Key SHA2) Public Replication Agreement Key (QRAK2) Admin Zeroize (dRAK1 and QRAK2) AES GCM Customer Supplied Key (CSK) encrypted by Write using the DiffieECDSA the Replication Wrapping Key (RWK) Hellmann key exchange to produce SHS HBK encrypted by the active domain key a shared secret and (DKn) derive a Replication HSM-to-Operator Session Key (HOSK) Wrapping Key Active or a recent iteration of domain key (RWK) (DKn or DKn-1) The RWK is used to Active or a recent iteration of the Public decrypt the Cus- Replication Singing Key (QRSKn or QRSKn-1) tomer Replicated Key (CRK), obtain- Replication Agreement RWK Shared Secret ing an HBK, which is Z (RRZ) then re-encrypted Customer Replication Key (CRK) using the Domain Key (DKn) The API also validates input using the Public Replication Signing Key (QRSKn or QRSKn-1)

Page 31

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs CreateDomain Creates a new do- CTR DRBG List of Operator Signature Public Keys KMS-FE, Generate “healthy” main token for a KAS (ECCDH) (QOS) KMS-C, Read new domain, but HSM Signature Key Pair (dHSK, QHSK) Admin KDA (one-step KDF Execute does not join the SHA2) HSM Agreement Key Pair (dHAK, QHAK) Zeroize HSM to the domain yet AES GCM HSM Agreement DKEK Shared Secret Z ECDSA (HDKZ) RSA HSM Agreement DKEK Wrapping Key SHS (HDWK) Initial Domain Key (DK0) Replication Signing Key (dRSK0, QRSK0) A Domain Token containing:

Page 32

IngestDomain Joins a domain or CTR DRBG A Domain Token containing the following KMS-FE, Read “healthy” receive an updated KAS (ECCDH) CSPs: KMS-C, Execute domain token

Page 33

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs particular domain SHA2

Page 34

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs ChangeDomain Modifies the cur- CTR DRBG A Domain Token containing: KMS-FE, Generate “healthy” rent state of an KAS (ECCDH)

Page 35

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Initialize Initializes the HSM CTR DRBG One or more Domain Tokens. Each Domain All / unauthenti- Generate “healthy” by generating the ECDSA (keygen, Token contains: cated Read HSM Signature Key sign)

Page 36

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs InitializeAndCre- Initializes the HSM CTR DRBG List of Operator Signature Public Keys All / unauthenti- Generate “healthy” ateDomain by generating the ECDSA (keygen, (QOS) cated Read HSM Signature Key sign) HSM Signature Key Pair (dHSK, QHSK) Execute and HSM AgreeKAS (EC-CDH) HSM Agreement Key Pair (dHAK, QHAK) Zeroize ment Key, configuring the list (one-step KDF HSM Agreement DKEK Shared Secret Z of operators, roles SHA2) (HDKZ) and the quorum- AES GCM based access con- HSM Agreement DKEK Wrapping Key CKG trol ruleset for all (HDWK) services / APIs HSM Agreement HSKEK Shared Secret Z (HHKZ) The InitializeAndCreateDomain HSM Session Key Encryption Key (HSKEK) API is only used Initial Domain Key (DK0) during the module A Domain Token containing: setup and initialization process

Page 37

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Attest The Attest API is CTR DRBG HSM Signature Public Key (QHSK) KMS-FE, Read “healthy” used by operators ECDSA (verify) HSM Agreement Public Key (QHAK) KMS-C, Execute to attest an initial- Admin Zeroize SHA2 HSM Signature Key Pair (dHSK, QHSK) ized HSM to ensure that the system is AES GCM Operator Signature Public Key(s) (QOS) running the correct HSM Agreement HSKEK Shared Secret Z software, and to (HHKZ) obtain an authentic HSM Session Key Encryption Key (HSKEK) copy of its credentials prior to being HSM-to-Operator Session Key (HOSK) added to a domain DRBG (CTR AES) V and AES key GetAttestationChal- The GetAttestation- AES GCM Active or a recent iteration of Domain Key KMS-FE, Read “healthy” lenge Challenge API is (DKn or DKn-1) KMS-C, Execute used by operators HSM-to-Operator Session Key (HOSK) Admin Zeroize to retrieve a token that can be used to validate the identity of another HSM GetAttestationIden- The GetAttesta- AES GCM Active or a recent iteration of Domain Key KMS-FE, Read “healthy” tity tionIdentity API is (DKn or DKn-1) KMS-C, Execute used by operators HSM-to-Operator Session Key (HOSK) Admin Zeroize to retrieve information to attest the identity of the HSM

Page 38

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Wipe The Wipe API will N/A HSM Signature Key Pair (dHSK, QHSK) All / unauthenti- Zeroize “healthy” delete the HSM Sig- HSM Agreement Key Pair (dHAK, QHAK) cated nature Key and HSM Session Key Encryption Key (HSKEK) HSM Agreement Key from volatile memory The Wipe API will fail unless all previously created domains in the module have been deleted using the ForgetDomain API GetInitialDomain- Retrieves the initial N/A N/A All / unauthenti- N/A “healthy” Name domain name from cated an initialized HSM that is used as part of the domain creation bootstrap process

Page 39

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs DeactivateAndRe- The Deactivate- N/A N/A All / unauthenti- N/A “healthy” boot AndReboot API cated returns the HSM to the factory state and reboots after verifying the HSM Signature Key and HSM Agreement Key have been deleted by the Wipe API (The module will perform self-tests after during reboot process)

Page 40

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs NegotiateSes- Uses a set of iden- CTR DRBG Operator Ephemeral Agreement Public Key One member from Generate “healthy” sionKey tity keys to securely RSA (verify) (QOEAK) any role Read negotiate a session ECDSA (verify) Execute key that can be SHA2 HSM Ephemeral Agreement Key Pair (dE, Zeroize used between a QE) KMS host and any KAS (ECCDH) HSM in the domain HSM-Operator Session Key (HOSK) (one-step KDF The NegotiateSes- SHA2) sionKey API will AES GCM Encrypted HSM-Operator Session Key return encrypted (HOSK) encrypted with the Domain Key versions of the (DKn) or HSM Session Key Encryption Key HSM-Operator Ses- (HSKEK) sion Key (HOSK) in HSM-Operator Session Key (HOSK) en-

2 forms crypted with a 256 bit key derived from

the shared secret established using elliptic curve Diffie Hellman key exchange (NISTP384) using the HSM Ephemeral Agreement Key (QE) and the Operator Ephemeral Agreement Public Key (QOEAK) HSM Ephemeral Agreement Public Key (QE) Operator Signature Public Key (QOS) HSM Signature Key (dHSK) DRBG (CTR AES) V and AES key UpdateHostConfig- Allows updates of RSA (verify) Operator Signature Public Key (QOS) KMS-FE, Execute “healthy” uration non-security-rele- ECDSA (verify) KMS-C, vant host Admin SHA2 configuration

Page 41

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs ListLogs Returns a list of au- RSA (verify) Operator Signature Public Key (QOS) KMS-FE, Execute “healthy” dit log file names ECDSA (verify) KMS-C, Admin SHA2 GetLog Retrieves specified RSA (verify) Operator Signature Public Key (QOS) KMS-FE, Execute “healthy” audit log files ECDSA (verify) KMS-C, Admin SHA2 DeleteLog Deletes specified RSA (verify) Operator Signature Public Key (QOS) KMS-FE, Execute “healthy” audit log file ECDSA (verify) KMS-C, Admin SHA2 Ping Returns “healthy” if N/A N/A All / unauthenti- None “healthy” the module is ini- cated tialized and has ingested a domain Returns “failure” otherwise Approved Approved mode in- N/A N/A All / unauthenti- None “healthy” dicator that apply cated to approved services on the 25G Ethernet port Returns “healthy” if the module is operating in Approved mode Returns “failure” if the module is not operating in Approved mode

Page 42

Access rights Keys and/or Description Approved Functions Indicator to Keys Service Security SSPs Roles and/or SSPs Version Returns the module N/A N/A All / unauthenti- None N/A name, hardware cated version and firmware version Hardware monitor- Provide access via None N/A All / unauthenti- None Successful compleing IPMI to hardware cated tion of service sensor data to monitor temperatures, fan speed, etc Power manage- Turns on and off None N/A All / unauthenti- None Successful complement the module via cated tion of service IPMI Serial over LAN Provides access to None N/A All / unauthenti- None Successful comple(SOL) the module’s con- cated tion of service sole before the module enters Approved mode via IPMI In Approved mode, the SOL link is active but the module firmware blocks all input commands and status output to the console Table 9

Page 43

W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP.

Page 44

5. Software/Firmware Security The module performs integrity check on all firmware components using a 256-bit error detection code (EDC) on all module components. The integrity check is performed upon the initialization of the module and does not require operator intervention to run. If the check fails, the module will enter into an error state. The module does not support firmware loading. The operator can run the integrity test on demand by rebooting the module using the DeactivateAndReboot API.

Page 45

6. Operational Environment The module has a non-modifiable operational environment and does not allow loading of any additional firmware while the module is operating in Approved mode.

Page 46
  1. Physical Security The module is a hardware module with a multiple-chip standalone embodiment and conforms to the Level 3 requirements for physical security. The module’s production-grade enclosure is made of hard metal, and the enclosure does not provide a removable cover. The baffles installed by AWS satisfy FIPS 140-3 requirements for module opacity and probing. Physical Security Mechanism Recommended Frequency of Inspec- Inspection/Test Guidance Details tion/Test Tamper-evident physical enclosure Inspect when the module unexpectedly re- Inspect the physical enclosure for evidence of with no removable cover boots or becomes unresponsive tampering, such as dents, signs of drilling or prying, cracks in the hard plastic portion of the enclosure Table 10 – Physical Security Inspection Guidelines The module supports environments failure protection and shuts down if the temperature or voltage is outside of the values described in Table
  2. Temperature or voltage Specify EFP or Specify if this condition results in a shutdown or measurement EFT zeroisation Low Temperature - 8 °C EFP Shutdown High Temperature 54 °C EFP Shutdown Low Voltage 10 V EFP Shutdown High Voltage 14 V EFP Shutdown Table 11 – EFP/EFT Hardness tested temperature measurement Low Temperature - 8 °C High Temperature 52 °C Table 12 – Hardness Testing Temperature Ranges
Page 47

8. Non-invasive Security This section is not applicable. The module does not implement non-invasive attack mitigation techniques.

Page 48

9. Sensitive Security Parameters Management Table 13 provides a complete list of Critical Security Parameters used within the module. All keys and SSPs are zeroized by powering off the module. Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys HSM Backing 256 bits (AES) AES GCM Internally using Input: En- N/A Volatile memory Overwrite with Used as input to Key (HBK) RSA DRBG or im- crypted with the all zeros a SP 800-108 CSP/PSP 160-256 bits ECDSA ported from Domain Key us- KBKDF to derive (HMAC) HMAC another mem- ing AES GCM the DEK (A1908) ber of a Domain (electronically)

112 – 128 bits CKG Output: En-

(RSA 2048, 3072 crypted with the or 4096 bits) Domain Key us-

128 – 256 bits ing AES GCM

(ECDSA P-256, (electronically) P-384, P-521, or secp256k1)

Page 49

Customer Data For symmetric AES Internally using Input: En- N/A Volatile memory Overwriting Used outside of Key (CDK) keys, random RSA DRBG or im- crypted using with all zeros the module bits length spec- ECDSA ported from AES GCM with CSP/PSP ified by (A1908) another mem- the DEK derived customer (in the ber of a Domain from an HBK or CKG range of 8 bits CSK (electronito 65536 bits) cally)

112 – 128 bits Output: En-

(RSA 2048, 3072 crypted in 2 or 4096 bits) forms by the GenerateAndEn-

128 – 256 bits

cryptRandomBy (ECDSA P-256, tes and GenerP-384, P-521, or ateDataKeyPair secp256k1) APIs:

  1. Encrypted with the DEK derived from an HBK or CSK; and
  2. Encrypted with the HOSK to provide secure transport to the requesting service operator/role EncryptRandomBytes and GenerateDataKeyPairWit houtPlaintext APIs export the CDK encrypted with the DEK from an HBK or CSK (electronically)
Page 50

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Data Encryption 256 bits (AES) AES GCM Derived inter- Input: N/A N/A Volatile memory Overwriting The DEK is deKey (DEK) (A1908) nally using SP with all zeros rived from either Output: N/A 800-108 KBKDF the HBK or CSK CSP and is used to encrypt the CDK HSM Agreement 192 bits KAS Internally using Input: N/A N/A Volatile memory Overwriting The dHAK/QHAK Key Pair (ECDH P384) (A1908) DRBG with all zeros are used in key Output: The (dHAK, QHAK) agreement operCKG public key ations to encrypt CSP/PSP (QHAK) is exthe DKEK ported in plaintext (electronically) HSM Ephemeral 192 bits KAS Internally using Input: N/A N/A Volatile memory Overwriting The dE/QE is Agreement Key (ECDH P384) (A1908) DRBG with all zeros used in key Output: The Pair agreement operpublic key (QE) (dE, QE) ations to encrypt is exported in the DKEK CSP/PSP plaintext (electronically) HSM Agreement 192 bits KAS N/A N/A KAS (SP 800- Volatile memory Overwriting The HDKZ is the DKEK Shared Se- (ECDH P384) (A1908) 56Arev3) with all zeros shared secret cret Z value Z com(Cofactor) Oneputed using the (HDKZ) Pass Diffie-HellHSM Agreement man (ECC CDH) CSP Key (dHAK) and scheme with the HSM Ephemkey confirmaeral Agreement tion Key (QE) The HDKZ is used to derive the HDWK

Page 51

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys HSM Agreement 256 bits KDA N/A N/A KAS (SP 800- Volatile memory Overwriting The HDWK is deDKEK Wrapping (One-Step KDF (A1908) 56Arev3) with all zeros rived from the Key SHA2-256) HDKZ and is used (Cofactor) Oneto wrap the (HDWK) Pass Diffie-HellDKEK man (ECC CDH) CSP scheme with key confirmation

Page 52

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Domain Key En- 256 bits (AES) AES GCM Internally using Input: The DKEK KAS (SP 800- Volatile memory Overwriting The DKEK is used cryption Key (A1908) DRBG or im- is encrypted 56Arev3) with all zeros to encrypt the ported from with the HDWK DKn when im(DKEK) (Cofactor) Oneanother mem- derived using ported to other Pass Diffie-HellCSP ber of a Domain the shared se- members of a man (ECC CDH) cret (HDKZ) Domain scheme with generated from key confirmathe HSM’s Key tion Agreement Key (QHAK) and an- KTS (SP 800other HSM’s 38F) Ephemeral Key Agreement Key (dE) (electronically) Output: The DKEK is encrypted with the HDWK derived using the shared secret (HDKZ) generated from the HSM’s Key Agreement Key (dHAK) and another HSM’s Ephemeral Key Agreement Key (QE) (electronically)

Page 53

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Domain Key 256 bits (AES) AES GCM Internally using Input: DKn en- N/A Volatile memory Overwriting Keys derived DRBG or im- crypted with the with all zeros from the DKn are (DKn) (A1908) ported from DKEK and may used to encrypt CSP KBKDF another mem- be imported HBKs and CSKs ber of a Domain from other (A1910) members of a Domain (electronically) Output: DKn encrypted with the DKEK and may be exported to other members of a Domain (electronically) HSM Agreement 192 bits KAS N/A N/A KAS (SP 800- Volatile memory Overwriting The HHKZ is the HSKEK Shared (ECDH P384) (A1908) 56Arev3) with all zeros shared secret Secret Z (HHKZ) value Z com(Cofactor) Oneputed using the CSP Pass Diffie-HellHSM Agreement man (ECC CDH) Key (dHAK) and scheme with the Operator key confirmaEphemeral tion Agreement Public Key (QOEAK) The HHKZ is used to derive the HSKEK

Page 54

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys HSM Session 256 bits (AES) AES GCM Internally using Input: N/A KAS (SP 800- Volatile memory Overwriting The HSKEK enKey Encryption (A1908) DRBG 56Arev3) with all zeros crypts the HSMOutput: N/A Key (HSKEK) Operator Session (Cofactor) OneKey (HOSK) for CSP Pass Diffie-Hellthe following opman (ECC CDH) erations: scheme with Initialize, Inikey confirmatializeAndCreate tion Domain, Attest, GetAttestationIdentity, and Wipe HSM Signature 192 bits (ECDSA ECDSA Internally using Input: N/A N/A Volatile memory Overwriting The dHSK is used Key Pair (dHSK, P384) (A1908) DRBG with all zeros to sign data creOutput: The QHSK) ated on the HSM CKG public key CSP/PSP (QHSK) is exported in plaintext (electronically)

Page 55

HSM-Operator 256 bits (AES) AES GCM Internally using Input: The HOSK KAS (SP 800- Volatile memory Overwriting The HOSK is Session Key DRBG, or im- is input en- 56Arev3) with all zeros used to encrypt (A1908) (HOSK) ported from an crypted with the communications (Cofactor) OneHSM that is a domain key between a user CSP Pass Diffie-Hellmember of the (DKn) (electroni- and HSMs in the man (ECC CDH) same domain cally) same Domain scheme with Output: The key confirmaHOSK is en- tion crypted in two KTS (SP 800forms to be out38F) put The first form is encrypted with either the Domain Key (DKn) or the HSM Session Key Encryption Key (HSKEK) using AES GCM (electronically) The second form is encrypted using AES GCM with a 256-bit key derived from the shared secret established using elliptic curve Diffie-Hellman key exchange (NIST-P384) using the HSM Ephemeral Agreement Key Pair (dE,QE) and the Operator Ephemeral Agreement Public Key (dOEAK,

Page 56

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys QOEAK) (electronically) Import Wrap- 112

Page 57

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Import Wrap- 256 bits (AES) AES KWP Externally by Input: IWEK is KTS-RSA Volatile memory Overwriting This key is generping Envelope (A1908) AWS KMS cus- encrypted using with all zeros ated by a Key (IWEK) tomers the Import customer exterWrapping Key nal to the AWS CSP (QIWK) when KMS system and used with the is used to enImportKey API crypt CSKs for when the cus- the ImportKey tomer imports a API when AESCSK into the KWP is used per AWS KMS sys- SP 800-56B tem (electronically) Output: N/A

Page 58

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Customer Sup- 256 bits (AES) AES GCM Externally by Input: CSK is en- KTS-OAEP with- Volatile memory Overwriting This key is generplied Key (CSK) AWS KMS cus- crypted using out key with all zeros ated by a 160-256 bits HMAC tomers Import Wrap- confirmation customer of KMS CSP/PSP (HMAC) RSA ping Key (QIWK) outside the AWS KTS-RSA Hybrid

112

ECDSA Key-Transport (RSA 2048, 3072 the ephemeral sign or encrypt scheme incorpoor 4096 bits) (A1908) Import Wrap- plaintext rating KTS-OAEP ping Envelope

128

Key (IWEK)) (ECDSA P-256, used to encrypt when used with P-384, P-521, or CDKs the ImportKey secp256k1) API when the customer imports the key into the AWS KMS system After import, the CSK is encrypted with the Domain Key using AES GCM (electronically) Output: CSK encrypted by a Domain Key (DKn) (electronically) Entropy Input 384 bits Random Num- Internal entropy Input: N/A N/A Volatile memory Overwriting Random NumString ber Generation source with all zeros ber Generation Output: N/A ENT (P) CSP

Page 59

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys DRBG (CTR AES) SP 800-90A CTR DRBG Internal entropy Input:N/A N/A Volatile memory Overwriting Entropy input DRBG source with all zeros (length dependV and AES key AES CTR Output: N/A ent on security V (128 bits) CSP AES-ECB strength) AES key (256 (A1908) bits) DRBG (CTR AES) 256 bits DRBG Internal entropy Input: N/A N/A Volatile memory Overwriting Seeding mateSeed source with all zeros rial for the AES CTR Output: N/A DRBG. Used to CSP AES-ECB derive the DRBG (AES CTR) V and (A1908) AES key Replication Sign- 192 bits (ECDSA ECDSA Internally using Input: dRSKn en- N/A Volatile memory Overwriting The private key ing Key Pair P384) (A1908) DRBG or im- crypted with the with all zeros (dRSKn) is used (dRSKn, QRSKn) ported from DKEK may be to sign the outanother mem- imported from puts of CSP/PSP ber of a Domain other members GetParametersof a Domain; ForReplication QRSKn may be and Wrapimported by an KeyForReplicatio operator (elec- n APIs tronically) The public key Output: dRKSn (QRSKn) is used encrypted with to verify the inthe DKEK may put of be exported to WrapKeyForRepother members lication and of a Domain; ImportReplicatQRSKn may be edKey APIs exported in plaintext (electronically)

Page 60

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Replication 192 bits (ECDH ECDH Internally using Input: QRAKk N/A Volatile memory Overwriting Keys used for Agreement Key P384) (A1908) DRBG or im- may be im- with all zeros key agreement (dRAKk, QRAKk) ported from a ported in to derive a RepliCKG member of a plaintext from cation Wrapping CSP/PSP different Do- another HSM; Key (RWK) main dRAKk may be imported encrypted with the domain key (DKn) from another HSM (electronically) Output: QRAKk may be exported in plaintext; dRAKk may be exported encrypted with the domain key (DKn) (electronically)

Page 61

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Replication 192 bits KAS N/A N/A KAS (SP 800- Volatile memory Overwriting The RRZ is the Agreement RWK (ECDH P384) (A1908) 56Arev3) with all zeros shared secret Shared Secret Z value Z com(Cofactor) Oneputed using the (RRZ) Pass Diffie-Hellprivate portion man (ECC CDH) CSP of a region’s scheme with Replication key confirmaAgreement Key tion (dRAKk) and the public portion of another region’s Replication Agreement Key (QRAKk) The RRZ is used to derive the RWK Replication 256 bits (AES) AES GCM Internally de- Input: N/A KAS (SP 800- Volatile memory Overwriting The RWK is used Wrapping Key (A1908) rived from a 56Arev3) with all zeros to encrypt an Output: N/A (RWK) Public Replica- HBK. It is derived (Cofactor) Onetion Agreement from a key CSP Pass Diffie-HellKey (QRAK1) and agreement operman (ECC CDH) a Private Repli- ation between scheme with cation the QRAKk from key confirmaAgreement Key an HSM in antion (dRAK2) other security domain and the dRAKk in the local HSM security domain

Page 62

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Customer Repli- 256 bits (AES, AES GCM Internally from Input: CRK may KAS (SP 800- Volatile memory Overwriting The CRK is the cation Key (CRK) HMAC) an HBK en- be imported by 56Arev3) with all zeros customer key HMAC crypted with a decrypting an that is being CSP/PSP 112 to 128 bits (Cofactor) OneRSA domain key HBK using a do- transmitted be(RSA: 2048, Pass Diffie-Hell(DKn) main key (DKn) tween two HSMs 3072, or 4096 ECDSA man (ECC CDH) and re-encryptbits) scheme with CRKs are (A1908) ing it using a key confirma- wrapped with

128 to 256 bits Replication

tion the RWK (ECDSA: P256, Wrapping Key P384, P521, or (RWK) (elecsecp256k1) tronically) Output: CRK is exported encrypted with a Replication Wrapping Key (RWK) (electronically) Operator 192 bits (ECDH ECDH (A1908) Externally by Input: When an N/A Volatile memory Overwriting The QOEAK is Ephemeral P384) the module op- operator calls with all zeros provided by an Agreement Pub- erator the NegotiateS- operator to eslic Key (QOEAK) essionKey tablish a session service (elec- key (HOSK) PSP tronically) It is used with Output: N/A the HSM ephemeral agreement key (dE) using ECC CDH

Page 63

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Operator Signa- 192 bits (ECDSA ECDSA Externally by Input: The pub- N/A Volatile memory Overwriting The QOS is used ture Public Key P384) the module op- lic key (QOS) is with all zeros by the HSM to RSA (QOS) erator imported in authenticate op-

112 to 128 bits

(A1908) plaintext when erators PSP (RSA: 2048, an administra3072, or 4096 tor calls bits) InitializeAndCreateDomain, CreateDomain, and ChangeDomain They are also imported by APIs that accept a Domain Token (electronically) Output: The public keys are exported from the HSM in plaintext by APIs that export a Domain Token (electronically)

Page 64

Establishment Security FuncUse & related Key/SSP Generation Zeroisation tion and Cert. Strength Import / Name/Type Number Export Storage keys Customer Data 112 to 128 bits RSA (A1908) Externally by Input: The pub- N/A Volatile memory Overwriting The QCDEK is Encryption Pub- (RSA: 2048, the module op- lic key (QCDEK) with all zeros provided by an lic Key (QCDEK) 3072, or 4096 erator is optionally operator or cusbits) provided when tomer to encrypt PSP an operator the SCDEK, calls Generate, which encrypts GenerateAndEn- customer data cryptRandomBy tes, GenerateDataKeyPair, and Decrypt (electronically) Output: N/A Customer Data 128 bits, 256 AES GCM Internally using Input: N/A N/A Volatile memory Overwriting The SCDEK enEncryption Sym- bits (AES) DRBG with all zeros crypts customer AES CBC Output: Enmetric Key plaintext data. If crypted by (SCDEK) (A1908) a QCDEK is opQCDEK (electionally provided PSP tronically) for Generate, GenerateAndEncryptRandomByt es, GenerateDataKeyPair, or Decrypt, a SCDEK will be generated within the module to encrypt the resulting customer plaintext data. Table 13

Page 65

Entropy sources Minimum number of Details bits of entropy Intel Deterministic Random Number Generator 384 bits of seed material is Used only to seed the DRBG in the module. 512 bits of entropy data with 0.7 bits of min requested from the entropy entropy per bit is provided to the vetted conditioning function, 128-bit AES-CBC-MAC. source which provides full The conditioning function is called three times for the 384-bit entropy input into the entropy DRBG. Table 14

Page 66

10. Self-Tests FIPS 140-3 requires the module to perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality at start up. Some functions require conditional tests during normal operation of the module. All of these tests are listed and described in this section. In the event of a self-test error, the module will log the error and enter the error state. Once in the error state, all SSPs are zeroized and the module becomes unusable. Pre-Operational Self-Tests Pre-operational self-tests are run upon the initialization of the module and do not require operator intervention to run. If any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the operator. The module implements the following pre-operational self-tests: Integrity Check 256-bit error detection code (EDC) on all module components The module performs all pre-operational self-tests automatically when the module is initialized. All pre-operational self-tests must be passed before a Crypto Officer can perform services. The pre-operational self-tests can be run on demand by rebooting the module. Conditional Self-Tests The module performs all conditional self-tests automatically when the module is initialized. All conditional self-tests must be passed before a Crypto Officer can perform services.. If any of these tests fail, the module will enter an error state, where no services can be accessed by the operators. The module can be re-initialized to clear the error and resume Approved mode of operation. Each module performs the following conditional self-tests: Cryptographic Algorithm Self Tests

Page 67
Page 68
  1. Life-cycle Assurance Delivery and Operation The AWS Key Management Service HSM is designed to be mounted in a rack only. Before mounting onto a rack, the module should be inspected for signs of physical tampering. Connect the power interface to the power connector in the rack. Power up the module. The module will start up in the approved mode of operation. No other configuration is necessary. End of Life To prepare a module for disposal:
  2. Remove all domain information on the module using the ForgetDomain API
  3. Delete the HSM Signature Key and HSM Agreement Key from the HSM using the Wipe API
  4. Return the HSM to the factory state using the DeactivateAndReboot API. This step also zeroizes volatile memory as part of the reboot process
  5. Power down the module by disconnecting the module from the power source To securely destroy a module:
  6. To open the chassis, drill though all fasteners that secure the cover to the chassis and remove the cover.
  7. Remove and destroy the solid state drive and memory modules in accordance with NIST SP 800-88rev1.
Page 69

12. Mitigation of Other Attacks Not Applicable.

Page 70

Appendix A - Acronyms AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface AWS Amazon Web Services CBC Cipher Block Chaining CDK Customer Data Key CMK Customer Managed Key CMVP Cryptographic Module Validation Program CO Crypto Officer CSE Communications Security Establishment Canada CSK Customer Supplied Key CSP Critical Security Parameter CTR Counter DH Diffie-Hellman DKn Domain Key DKEK Domain Key Encryption Key DRBG Deterministic Random Bit Generator ECB Electronic Codebook EC Elliptic Curve ECDSA Elliptic Curve Digital Signature Algorithm EMC Electromagnetic Compatibility EMI Electromagnetic Interference FCC Federal Communications Commission FIPS Federal Information Processing Standard GCM Galois/Counter Mode HBK HSM Backing Key HMAC (Keyed-) Hash Message Authentication Code HOSK HSM-to-Operator Session Key HSK HSM Signature Key Pair HSKEK HSM Session Key Encryption Key HSM Hardware Security Module IPMI Intelligent Platform Management Interface KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key Based Key Derivation Function KDF Key Derivation Function KMS Key Management Service KTS Key Transport Scheme

Page 71

MAC Message Authentication Code MD Message Digest NIST National Institute of Standards and Technology NMI Non-Maskable Interrupt OAEP Optimal Asymmetric Encryption Padding PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme QOEAK Operator Ephemeral Agreement Public Key QOS Operator Signature Public Key RNG Random Number Generator RSA Rivest, Shamir, and Adleman SHA Secure Hash Algorithm SP Special Publication SSP Sensitive Security Parameter