All modules
CMVP Validated Module · FIPS 140-3 Security Policy

AIX FIPS Crypto Provider for OpenSSL 3

Certificate#4889StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorIBM
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 39 CVEs since this module's initial validation  ·  last validated 13 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/10/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys).
VendorIBM

Approved Algorithms (101)

AlgorithmACVP Cert
AES‐CBCA4481
AES‐CBC‐CS1A4481
AES‐CBC‐CS2A4481
AES‐CBC‐CS3A4481
AES‐CCMA4481
AES‐CFB1A4481
AES‐CFB128A4481
AES‐CFB8A4481
AES‐CTRA4481
AES‐ECBA4481
AES‐GCMA4481
AES‐KWA4481
AES‐KWPA4481
AES‐OFBA4481
AES‐XTS Testing Revision 2.0A4481
KAS‐ECC CDH‐ComponentA4481
KAS‐ECC‐SSC Sp800‐56Ar3A4481
KAS‐FFC‐SSC Sp800‐56Ar3A4481
KAS‐IFC‐SSCA4481
KDA HKDF SP800‐56Cr2A4481
KDA OneStep SP800‐56Cr2A4481
KDA TwoStep SP800‐56Cr2A4481
KDF ANS 9.42 (CVL)A4481
KDF ANS 9.63 (CVL)A4481
KDF SP800‐108A4481
KDF SSH (CVL)A4481
PBKDFA4481
TLS v1.2 KDF RFC7627 (CVL)A4481
TLS v1.3 KDF (CVL)A4481
DSA KeyGen (FIPS186‐4)A4481
DSA PQGGen (FIPS186‐4)A4481
DSA PQGVer (FIPS186‐4)A4481
ECDSA KeyGen (FIPS186‐4)A4481
ECDSA KeyVer (FIPS186‐4)A4481
EDDSA KeyGenA4481
EDDSA KeyVerA4481
RSA KeyGen (FIPS186‐4)A4481
KTS‐IFCA4481
AES‐CMACA4481
AES‐GMACA4481
HMAC‐SHA‐1A4481
HMAC‐SHA2‐224A4481
HMAC‐SHA2‐256A4481
HMAC‐SHA2‐384A4481
HMAC‐SHA2‐512A4481
HMAC‐SHA2‐512/224A4481
HMAC‐SHA2‐512/256A4481
HMAC‐SHA3‐224A4481
HMAC‐SHA3‐256A4481
HMAC‐SHA3‐384A4481
HMAC‐SHA3‐512A4481
SHA‐1A4481
SHA2‐224A4481
SHA2‐256A4481
SHA2‐384A4481
SHA2‐512A4481
SHA2‐512/224A4481
SHA2‐512/256A4481
SHA3‐224A4481
SHA3‐256A4481
SHA3‐384A4481
SHA3‐512A4481
SHAKE‐128A4481
SHAKE‐256A4481
Counter DRBGA4481
Hash DRBGA4481
HMAC DRBGA4481
ECDSA SigGen (FIPS186‐4)A4481
ECDSA SigVer (FIPS186‐4)A4481
DSA SigGen (FIPS186‐4)A4481
DSA SigVer (FIPS186‐4)A4481
EDDSA SigGenA4481
EDDSA SigVerA4481
RSA SigGen (FIPS186‐4)A4481
RSA SigGen (FIPS186‐5)A4481
RSA Signature Primitive (CVL)A4481
RSA SigVer (FIPS186‐4)A4481
RSA SigVer (FIPS186‐5)A4481
DSA SigGen
DSA SigVer
ECDSA SigGen
ECDSA SigVer
EDDSA ED448
EDDSA ED25519
KAS‐ECC‐SSC
Sp800‐56Ar3
KAS‐FFC‐SSC
KAS‐KDF
OneStep SP800‐
56Cr2
TwoStep SP800‐
KDF ANS 9.42
KDF ANS 9.63
KDF SSH
RSA SigGen
RSA SigVer
TLS v1.2 KDF
TLS v1.3 KDF
DSA KeyGen
ECDSA KeyGen
RSA KeyGen

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical SecurityN/A
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for AIX FIPS Crypto Provider for OpenSSL 3
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Self‐test<br/>failure</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Cipher (Unauth)<br/>Cipher<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for AIX FIPS Crypto Provider for OpenSSL 3
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Self‐test<br/>failure</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Cipher (Unauth)<br/>Cipher<br/>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

IBM AIX FIPS Crypto Provider for OpenSSL 3 FIPS 140‐3 Non‐Proprietary Security Policy Document Version 1.2 March 19, 2025 Prepared for: Prepared by: IBM

1 New Orchard Road

Armonk, NY 10504‐1722 ibm.com KeyPair Consulting Inc.

987 Osos Street

San Luis Obispo, CA 93401 keypair.us +1 805.316.5024 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 2

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table of Contents 1.1 1.2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 6.1 5.1 5.2 5.3 4.1 4.2 4.3 4.4 4.5 3.1 9.1 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 3

FIPS 140‐3 Security Policy 9.2 9.3 9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 12.1 12.2 12.3 AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 4

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 List of Tables List of Figures This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non‐invasive securityN/A
99Sensitive security parameter management1
1010Self‐tests1
1111Life‐cycle assurance3
1212Mitigation of other attacks1
Overall LevelOverall Level1

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

1.1 Overview

This document defines the Non‐Proprietary Security Policy for the AIX FIPS Crypto Provider for OpenSSL 3 cryptographic module by IBM, hereafter denoted the Module. The Module meets FIPS 140‐3 overall Level 1 requirements, with security levels as shown in Section 1.2. In accordance with AS02.05, ISO/IEC 19790:2012 §7.7 Physical Security is optional and does not apply to the Module.

1.2 Security Levels
2.1 Description

Purpose and Use: The Module is a cryptographic software library, intended for use by US and Canadian Federal agencies and other markets that require FIPS 140‐3 validated cryptographic functionality. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Embodiment: MultiChipStand This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 6

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. The pre‐operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The General Purpose Computer is the TOEPP. Figure 1: Block Diagram This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 7
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so3.0.10 with KP_1.2N/Afips.soHMAC‐SHA2‐256 #A4481 over the complete module file image
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)YesPowerVM 1060
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)NoPowerVM 1060
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)YesPowerVM 1060
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)NoPowerVM 1060
AIX 7.1 32‐bitAIX 7.1 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.1 64‐bitAIX 7.1 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.1 32‐bitAIX 7.1 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.1 64‐bitAIX 7.1 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 10 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 10 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 10 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 10 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 8 processor
VIOS 3.1 64‐bitVIOS 3.1 64‐bitIBM Hardware platform with Power 8 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 9 processor
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so3.0.10 with KP_1.2N/Afips.soHMAC‐SHA2‐256 #A4481 over the complete module file image
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)YesPowerVM 1060
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)NoPowerVM 1060
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)YesPowerVM 1060
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)NoPowerVM 1060
AIX 7.1 32‐bitAIX 7.1 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.1 64‐bitAIX 7.1 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.1 32‐bitAIX 7.1 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.1 64‐bitAIX 7.1 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 10 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 10 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 10 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 10 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 8 processor
VIOS 3.1 64‐bitVIOS 3.1 64‐bitIBM Hardware platform with Power 8 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 9 processor
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so3.0.10 with KP_1.2N/Afips.soHMAC‐SHA2‐256 #A4481 over the complete module file image
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)YesPowerVM 1060
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)NoPowerVM 1060
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)YesPowerVM 1060
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Power E1080 (9080‐HEX)3.0.10 with KP_1.2IBM POWER10 (PPC)NoPowerVM 1060
AIX 7.1 32‐bitAIX 7.1 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.1 64‐bitAIX 7.1 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.1 32‐bitAIX 7.1 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.1 64‐bitAIX 7.1 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.2 32‐bitAIX 7.2 32‐bitIBM Hardware platform with Power 10 processor
AIX 7.2 64‐bitAIX 7.2 64‐bitIBM Hardware platform with Power 10 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 8 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 8 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 9 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 9 processor
AIX 7.3 32‐bitAIX 7.3 32‐bitIBM Hardware platform with Power 10 processor
AIX 7.3 64‐bitAIX 7.3 64‐bitIBM Hardware platform with Power 10 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 8 processor
VIOS 3.1 64‐bitVIOS 3.1 64‐bitIBM Hardware platform with Power 8 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 9 processor
VIOS 3.1 64‐bitVIOS 3.1 64‐bitIBM Hardware platform with Power 9 processor
VIOS 3.1 32‐bitVIOS 3.1 32‐bitIBM Hardware platform with Power 10 processor
VIOS 3.1 64‐bitVIOS 3.1 64‐bitIBM Hardware platform with Power 10 processor
VIOS 4.1 32‐bitVIOS 4.1 32‐bitIBM Hardware platform with Power 8 processor
VIOS 4.1 64‐bitVIOS 4.1 64‐bitIBM Hardware platform with Power 8 processor
VIOS 4.1 32‐bitVIOS 4.1 32‐bitIBM Hardware platform with Power 9 processor
VIOS 4.1 64‐bitVIOS 4.1 64‐bitIBM Hardware platform with Power 9 processor
VIOS 4.1 32‐bitVIOS 4.1 32‐bitIBM Hardware platform with Power 10 processor
VIOS 4.1 64‐bitVIOS 4.1 64‐bitIBM Hardware platform with Power 10 processor

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Service
NameDescriptionType
NominalApproved mode of operationApproved

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 4: Vendor‐Affirmed Operational Environments ‐ Software, Firmware, Hybrid The CMVP makes no statement as to the correct operation of the Module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

N/A for this Module. Modes List and Description: Table 5: Modes List and Description The Module only supports an Approved mode of operation. The conditions for using the Module in the Approved mode of operation are: 1. Installation of the Module as described in Section 11.1 results in the settings described below, which are required for operation in the Approved mode: a. security‐checks = 1 Enforce minimum key strengths and approved curve names. b. allow‐plaintext‐csp‐output = 1 Enforce the AS09.16 and AS09.17 requirement for a second independent action to output CSPs as a result of calls that produce CSPs, such as key generation, key unwrap (or decapsulate) and shared secret calculation. c. conditional‐errors = 1 Enforce the Module entering the error state on conditional test errors such as PCT failure. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 9
Approved algorithm
NameCAVP CertPropertiesReference
AES‐CBCA4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CBC‐CS1A4481Direction ‐ decrypt, encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CBC‐CS2A4481Direction ‐ decrypt, encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CBC‐CS3A4481Direction ‐ decrypt, encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CCMA4481Key Length ‐ 128, 192, 256SP 800‐38C
AES‐CFB1A4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CFB128A4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CFB8A4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐CTRA4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐ECBA4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐GCMA4481Direction ‐ Decrypt, Encrypt IV Generation ‐ External, Internal IV Generation Mode ‐ 8.2.1 Key Length ‐ 128, 192, 256SP 800‐38D
AES‐KWA4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38F
AES‐KWPA4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38F
AES‐OFBA4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256SP 800‐38A
AES‐XTS Testing Revision 2.0A4481Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 256SP 800‐38E
KAS‐ECC CDH‐ComponentA4481Curve ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521SP 800‐56A Rev. 3
KAS‐ECC‐SSC Sp800‐56Ar3A4481Domain Parameter Generation Methods ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 Scheme ‐ ephemeralUnified ‐ KAS Role ‐ initiator, responderSP 800‐56A Rev. 3
KAS‐FFC‐SSC Sp800‐56Ar3A4481Domain Parameter Generation Methods ‐ FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192 Scheme ‐ dhEphem ‐ KAS Role ‐ initiator, responderSP 800‐56A Rev. 3
KAS‐IFC‐SSCA4481Modulo ‐ 2048, 3072, 4096, 6144, 8192 Key Generation Methods ‐ rsakpg1‐basic, rsakpg1‐crt, rsakpg1‐prime‐factor, rsakpg2‐basic, rsakpg2‐crt, rsakpg2‐prime‐factor Scheme ‐ KAS1 ‐ KAS Role ‐ initiator, responder Scheme ‐ KAS2 ‐ KAS Role ‐ initiator, responderSP 800‐56A Rev. 3
KDA HKDF SP800‐56Cr2A4481Derived Key Length ‐ 2048 Shared Secret Length ‐ Shared Secret Length: 224‐8192 Increment 8 HMAC Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256, SHA3‐224, SHA3‐256, SHA3‐384, SHA3‐512SP 800‐56C Rev. 2
KDA OneStep SP800‐56Cr2A4481Derived Key Length ‐ 2048 Shared Secret Length ‐ Shared Secret Length: 224‐8192 Increment 8SP 800‐56C Rev. 2
KDA TwoStep SP800‐56Cr2A4481MAC Salting Methods ‐ default, random KDF Mode ‐ feedback Derived Key Length ‐ 2048 Shared Secret Length ‐ Shared Secret Length: 224‐8192 Increment 8SP 800‐56C Rev. 2
KDF ANS 9.42 (CVL)A4481KDF Type ‐ DER Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256, SHA3‐ 224, SHA3‐256, SHA3‐384, SHA3‐512 Key Data Length ‐ Key Data Length: 8‐4096 Increment 8SP 800‐135 Rev. 1
KDF ANS 9.63 (CVL)A4481Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512 Key Data Length ‐ Key Data Length: 128, 4096SP 800‐135 Rev. 1
KDF SP800‐108A4481KDF Mode ‐ Counter, Feedback Supported Lengths ‐ Supported Lengths: 8, 72, 128, 776, 3456, 4096SP 800‐108 Rev. 1
KDF SSH (CVL)A4481Cipher ‐ AES‐128, AES‐192, AES‐256 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512SP 800‐135 Rev. 1
PBKDFA4481Iteration Count ‐ Iteration Count: 1‐10000 Increment 1 Password Length ‐ Password Length: 8‐128 Increment 8SP 800‐132
TLS v1.2 KDF RFC7627 (CVL)A4481Hash Algorithm ‐ SHA2‐256, SHA2‐384, SHA2‐512SP 800‐135 Rev. 1
TLS v1.3 KDF (CVL)A4481HMAC Algorithm ‐ SHA2‐256, SHA2‐384 KDF Running Modes ‐ DHE, PSK, PSK‐DHESP 800‐135 Rev. 1
DSA KeyGen (FIPS186‐4)A4481L ‐ 2048, 3072 N ‐ 224, 256FIPS 186‐4
DSA PQGGen (FIPS186‐4)A4481L ‐ 2048, 3072 N ‐ 224, 256 Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256FIPS 186‐4
DSA PQGVer (FIPS186‐4)A4481L ‐ 1024, 2048, 3072 N ‐ 160, 224, 256 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256FIPS 186‐4
ECDSA KeyGen (FIPS186‐4)A4481Curve ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 Secret Generation Mode ‐ Testing CandidatesFIPS 186‐4
ECDSA KeyVer (FIPS186‐4)A4481Curve ‐ B‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521FIPS 186‐4
EDDSA KeyGenA4481Curve ‐ ED‐25519, ED‐448FIPS 186‐5
EDDSA KeyVerA4481Curve ‐ ED‐25519, ED‐448FIPS 186‐5
Safe Primes Key GenerationA4481Safe Prime Groups ‐ ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192SP 800‐56A Rev. 3
Safe Primes Key VerificationA4481Safe Prime Groups ‐ ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192SP 800‐56A Rev. 3
RSA KeyGen (FIPS186‐4)A4481Key Generation Mode ‐ B.3.3 Modulo ‐ 2048, 3072, 4096 Primality Tests ‐ Table C.2 Private Key Format ‐ StandardFIPS 186‐4
KTS‐IFCA4481Modulo ‐ 2048, 3072, 4096, 6144 Key Generation Methods ‐ rsakpg1‐basic, rsakpg1‐crt, rsakpg1‐prime‐factor, rsakpg2‐basic, rsakpg2‐crt, rsakpg2‐prime‐factor Scheme ‐ KTS‐OAEP‐basic ‐ KAS Role ‐ initiator, responder Key Transport Method ‐ Key Length ‐ 1024SP 800‐56B Rev. 2
AES‐CMACA4481Direction ‐ Generation, Verification Key Length ‐ 128, 192, 256SP 800‐38B
AES‐GMACA4481Direction ‐ Decrypt, Encrypt IV Generation ‐ External, Internal IV Generation Mode ‐ 8.2.1 Key Length ‐ 128, 192, 256SP 800‐38D
HMAC‐SHA‐1A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA2‐224A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA2‐256A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA2‐384A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA2‐512A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA2‐512/224A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA2‐512/256A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA3‐224A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA3‐256A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA3‐384A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
HMAC‐SHA3‐512A4481Key Length ‐ Key Length: 112‐2048 Increment 8FIPS 198‐1
KMAC‐128A4481Message Length ‐ Message Length: 0‐65536 Increment 8 Key Data Length ‐ Key Data Length: 128‐1024 Increment 8SP 800‐185
KMAC‐256A4481Message Length ‐ Message Length: 0‐65536 Increment 8 Key Data Length ‐ Key Data Length: 128‐1024 Increment 8SP 800‐185
SHA‐1A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA2‐224A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA2‐256A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA2‐384A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA2‐512A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA2‐512/224A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA2‐512/256A4481Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 180‐4
SHA3‐224A4481Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 202
SHA3‐256A4481Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 202
SHA3‐384A4481Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 202
SHA3‐512A4481Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4FIPS 202
SHAKE‐128A4481Output Length ‐ Output Length: 16‐65536 Increment 8FIPS 202
SHAKE‐256A4481Output Length ‐ Output Length: 16‐65536 Increment 8FIPS 202
Counter DRBGA4481Prediction Resistance ‐ Yes Mode ‐ AES‐128, AES‐192, AES‐256 Derivation Function Enabled ‐ No, YesSP 800‐90A Rev. 1
Hash DRBGA4481Prediction Resistance ‐ Yes Mode ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256SP 800‐90A Rev. 1
HMAC DRBGA4481Prediction Resistance ‐ Yes Mode ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256SP 800‐90A Rev. 1
ECDSA SigGen (FIPS186‐4)A4481Component ‐ No, Yes Curve ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256FIPS 186‐4
ECDSA SigVer (FIPS186‐4)A4481Component ‐ No Curve ‐ B‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256FIPS 186‐4
DSA SigGen (FIPS186‐4)A4481L ‐ 2048, 3072 N ‐ 224, 256 Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256FIPS 186‐4
DSA SigVer (FIPS186‐4)A4481L ‐ 1024, 2048, 3072 N ‐ 160, 224, 256 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256FIPS 186‐4
EDDSA SigGenA4481Curve ‐ ED‐25519, ED‐448FIPS 186‐5
EDDSA SigVerA4481Curve ‐ ED‐25519, ED‐448FIPS 186‐5
RSA SigGen (FIPS186‐4)A4481Signature Type ‐ ANSI X9.31, PKCS 1.5, PKCSPSS Modulo ‐ 2048, 3072, 4096FIPS 186‐4
RSA SigGen (FIPS186‐5)A4481Modulo ‐ 2048, 3072, 4096 Signature Type ‐ pkcs1v1.5, pssFIPS 186‐5
RSA Signature Primitive (CVL)A4481Private Key Format ‐ crtFIPS 186‐4
RSA SigVer (FIPS186‐4)A4481Signature Type ‐ ANSI X9.31, PKCS 1.5, PKCSPSS Modulo ‐ 1024, 2048, 3072, 4096FIPS 186‐4
RSA SigVer (FIPS186‐5)A4481Modulo ‐ 2048, 3072, 4096 Signature Type ‐ pkcs1v1.5, pssFIPS 186‐5

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 2. The Module is a cryptographic library used by a calling application. The calling application is responsible for: a. Use of the primitives in the correct sequence. b. Use of keys in accordance with SP 800‐140D Rev. 2 (as the keys used by the Module for cryptographic purposes are provided over the call stack by the calling application). c. Use of a SP 800‐90B compliant entropy source outside the Module boundary with at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met.

2.5 Algorithms

Approved Algorithms: Cipher This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 10

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 6: Approved Algorithms ‐ Cipher Key agreement Table 7: Approved Algorithms ‐ Key agreement Key derivation This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 11

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 8: Approved Algorithms ‐ Key derivation Key management This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 12

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 9: Approved Algorithms ‐ Key management Table 10: Approved Algorithms ‐ Key transport Message authentication This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 13

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 11: Approved Algorithms ‐ Message authentication Message digest Table 12: Approved Algorithms ‐ Message digest This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 14

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Random Table 13: Approved Algorithms ‐ Random Table 14: Approved Algorithms ‐ Signature This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 15
Service
NameDescriptionApproved FunctionsTypePropertiesReference
CKG Section 4KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐133 Rev. 2
CKG Section 5KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐133 Rev. 2
CKG Section 6.2KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐133 Rev. 2
Hash DRBG with SHA3‐256, SHA3‐512KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐90A Rev. 1
HMAC DRBG with SHA3‐256, SHA3‐512KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐90A Rev. 1
Cipher (Unauth)AES ciphersAES‐CBC AES‐CBC‐CS1 AES‐CBC‐CS2 AES‐CBC‐CS3 AES‐CFB1 AES‐CFB128 AES‐CFB8 AES‐CTR AES‐ECB AES‐OFB AES‐XTS Testing Revision 2.0BC‐UnAuth
Cipher (Auth)Authenticated ciphersAES‐CCM AES‐GCM AES‐KW AES‐KWPBC‐Auth
CKG Section 4Using the Output of a Random BitCKG Section 4CKG
Service
NameDescriptionApproved FunctionsTypePropertiesReference
CKG Section 4KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐133 Rev. 2
CKG Section 5KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐133 Rev. 2
CKG Section 6.2KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐133 Rev. 2
Hash DRBG with SHA3‐256, SHA3‐512KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐90A Rev. 1
HMAC DRBG with SHA3‐256, SHA3‐512KeyPair FIPS Provider for OpenSSL 3NIST, SP 800‐90A Rev. 1
Cipher (Unauth)AES ciphersAES‐CBC AES‐CBC‐CS1 AES‐CBC‐CS2 AES‐CBC‐CS3 AES‐CFB1 AES‐CFB128 AES‐CFB8 AES‐CTR AES‐ECB AES‐OFB AES‐XTS Testing Revision 2.0BC‐UnAuth
Cipher (Auth)Authenticated ciphersAES‐CCM AES‐GCM AES‐KW AES‐KWPBC‐Auth
CKG Section 4Using the Output of a Random BitCKG Section 4CKG
CKG Section 5Generation of Key Pairs for Asymmetric‐Key AlgorithmsCKG Section 5CKG
CKG Section 6.2Derivation of Symmetric KeysCKG Section 6.2CKG
Key agreementKey agreementKAS‐ECC CDH‐Component SP800‐56Ar3 KAS‐ECC‐SSC Sp800‐56Ar3 KAS‐FFC‐SSC Sp800‐56Ar3 KAS‐IFC‐SSCKAS‐SSCKAS:KAS‐ECC‐SSC provides
Key derivationKAS‐KDF HKDF SP800‐56Cr2 KAS‐KDF OneStep SP800‐56Cr2 KAS‐KDF TwoStep SP800‐56Cr2 KDF ANS 9.42 KDF ANS 9.63 KDF SP800‐108 KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDFKAS‐135KDF
Key management ECCECDSA KeyGen (FIPS186‐4) ECDSA KeyVer (FIPS186‐4)AsymKeyPair‐KeyGen
Key management EdwardsEDDSA KeyGen EDDSA KeyVerAsymKeyPair‐KeyGen
Key management FFCDSA KeyGen (FIPS186‐4) DSA PQGGen (FIPS186‐4) DSA PQGVer (FIPS186‐4) Safe Primes Key Generation Safe Primes Key VerificationAsymKeyPair‐KeyGen
Key management IFCRSA KeyGen (FIPS186‐4)AsymKeyPair‐KeyGen
Key transportKTS‐IFCKTS‐EncapKTS:2048, 3072, 4096 or 6144‐bit
KTS (Cipher w/ CMAC, GMAC, HMAC, KMAC)SP 800‐38F Section 3.1 ProvisionsAES‐CBC AES‐CBC‐CS1 AES‐CBC‐CS2 AES‐CBC‐CS3 AES‐CFB1 AES‐CFB128BC‐AuthKTS:128, 192 or 256‐bit keys
BC‐UnAuthBC‐UnAuthprovide between 128 and 256 bits
MACMACof encryption strength
KTS (AES KW, KWP)AES‐KW AES‐KWPBC‐AuthKTS:128, 192 or 256‐bit keys
MAC AES (CMAC, GMAC)AES‐GMAC AES‐CMACMAC
MAC HMACHMAC‐SHA‐1 HMAC‐SHA2‐224 HMAC‐SHA2‐256 HMAC‐SHA2‐384 HMAC‐SHA2‐512 HMAC‐SHA2‐512/224 HMAC‐SHA2‐512/256 HMAC‐SHA3‐224 HMAC‐SHA3‐256 HMAC‐SHA3‐384 HMAC‐SHA3‐512MAC
MAC KMAC (XOF)KMAC‐128 KMAC‐256XOF
Message DigestSHA‐1 SHA2‐224 SHA2‐256 SHA2‐384 SHA2‐512 SHA2‐512/224 SHA2‐512/256 SHA3‐224 SHA3‐256 SHA3‐384 SHA3‐512SHA
Message Digest (XOF SHAKE)SHAKE‐128 SHAKE‐256XOF
RandomCounter DRBG Hash DRBG HMAC DRBGDRBG
Signature DSADSA SigGen (FIPS186‐4) DSA SigVer (FIPS186‐4)DigSig‐SigGen
Signature ECDSAECDSA SigGen (FIPS186‐4) ECDSA SigVer (FIPS186‐4)DigSig‐SigGen
Signature EDDSAEDDSA SigGen EDDSA SigVerDigSig‐SigGen
Signature RSARSA SigGen (FIPS186‐4) RSA SigGen (FIPS186‐5) RSA Signature Primitive RSA SigVer (FIPS186‐4) RSA SigVer (FIPS186‐5)DigSig‐SigGen

FIPS 140‐3 Security Policy Vendor‐Affirmed Algorithms: Table 15: Vendor‐Affirmed Algorithms Non‐Approved, Allowed Algorithms: N/A for this module. Non‐Approved, Allowed Algorithms with No Security Claimed: N/A for this Module. Non‐Approved, Not Allowed Algorithms: N/A for this Module.

2.6 Security Function Implementations

This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 16

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 17

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 18

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 16: Security Function Implementations This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 19

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

2.7 Algorithm Specific Information

AES‐GCM: The Module supports internal IV generation using the Approved DRBG. The IV is at least 96 bits in length per SP 800‐38D Section 8.2.2, and the Approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2‐32 per SP 800‐38D Section 8. AES‐GCM IVs shall be used in compliance with FIPS 140‐3 IG C.H scenario 1a (TLS/DTLS 1.2, per RFC 5288), 1d (SSHv2, per RFC 5647) and 5 (TLS 1.3, per RFC 8446). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from SP 800‐52 Rev. 1 Section 3.3.1. The Module’s implementation of AES‐GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; these protocols have not been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re‐distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power‐cycles: AES‐GCM key/IVs are not stored in non‐volatile persistent memory (i.e., disk), hence no re‐connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264‐1 for a given session key. If this exhaustion condition is observed, the Module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. XTS‐AES: In accordance with SP 800‐38E, the XTS‐AES algorithm is to be used for confidentiality on storage devices. The Module complies with FIPS 140‐3 IG C.I by:   Generating Key_1 and Key_2 independently according to the rules for component symmetric keys from SP 800‐133 Rev. 2, Section 6.3. Explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS‐AES algorithm to process data with them. Key Agreement: The Module implements the following Approved key agreement methods which have been CAVP tested and validated:    KAS‐ECC‐SSC per SP 800‐56A Rev. 3 (FIPS 140‐3 IG D.F Scenario 2, path 1). KAS‐FFC‐SSC per SP 800‐56A Rev. 3 (FIPS 140‐3 IG D.F Scenario 2, path 1). KAS‐IFC‐SSC per SP 800‐56B Rev. 2 (FIPS 140‐3 IG D.F Scenario 1, path 1). The Module obtains the FIPS 140‐3 IG D.F required key agreement assurances:   SP 800‐56A Rev. 3 in accordance with Section 5.6.2. SP 800‐56B Rev. 2 in accordance with Section 6.4. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 20

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 PBKDF: The implemented PBKDF uses Option 1a specified in SP 800‐132 Section 5.4. FIPS 140‐3 IG D.N SP 800‐132 Password‐Based Key Derivation for Storage Applications notes that: The strength of the Data Protection Key is based on the strength of the Password and/or Passphrase used in key derivation. SP 800‐132 does not impose any strictly defined requirements on the strength of a password. It says that “passwords should be strong enough so that it is infeasible for attackers to get access by guessing a password.” The choice to use the PBKDF with a password or passphrase is entirely outside the scope of the Module, managed by the calling application

Page 21

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 SHA‐3 and SHAKE: The Module complies with FIPS 140‐3 IG C.C as follows:  All implemented SHA‐3 and SHAKE functions have been tested and validated on all of the Module’s operating environments.  Vendor affirmation is claimed for use of the SHA3‐256 and SHA3‐512 hash functions as part of the Hash DRBG and HMAC DRBG, for which CAVP testing with SHA‐3 is not available.

2.8 RBG and Entropy

N/A for this Module. The calling application is responsible for use of a SP 800‐90B compliant entropy source outside the Module boundary providing at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The following caveat applies per FIPS 140‐3 IG 9.3.A: No assurance of the minimum strength of generated SSPs (e.g., keys).

2.9 Key Generation

The Module:  Produces random values in accordance with SP 800‐133 Rev. 2 Section 4, in that the DRBG output is provided directly as the random output.  Does not provide any service beyond random value generation for symmetric key generation. SSPs used with symmetric key algorithms are provided by the calling application.  Produces asymmetric keys in accordance with SP 800‐133 Rev. 2 Section 5, in that all asymmetric keys generated by the Module (the Key management service) provide the output of the approved key generation algorithm with no post‐processing or manipulation of the generated key pairs. As noted in the previous item, random values used in the asymmetric key generation algorithms are direct outputs of the DRBG. Keys produced by the Module use an internal Counter DRBG for which the minimum key size and equivalent security strength is 128 bits.  Supports symmetric key derivation in accordance with SP 800‐133 Rev. 2 Section 6.2, using the approved and CAVP listed KDF algorithms.

2.10 Key Establishment

The Module implements key agreement methods compliant with FIPS 140‐3 IG D.F and key transport methods compliant with FIPS 140‐3 IG D.G. Strengths are provided in Section 2.6.

2.11 Industry Protocols

The Module conforms to FIPS 140‐3 IG D.C References to the Support of Industry Protocols: while it provides SP 800‐56A Rev. 3 conformant schemes and API entry points oriented to TLS usage, the Module does not contain the full implementation of TLS. The following caveat is required: No parts of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 22
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/A (API ‐ input)N/A (API ‐ input)Control Input Data InputAPI input: stack frame including non‐sensitive parameters.
N/A (API ‐ output)N/A (API ‐ output)Data Output Status OutputAPI output: output parameters and return value resulting from call execution.
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
COCORole
CipherEncrypt or decrypt data, including AEAD modes (CCM, GCM).COCipher (Unauth) Cipher (Auth)FIPS_OKEncryption or decryptionStatus return. Plaintext or ciphertext data.
key; plaintext or‐ SC_EDK_AES: W,Ekey; plaintext or
ciphertext data; flags.‐ SC_EDK_XTS: W,Eciphertext data; flags.
Get capabilitiesReports information on the requested capabilities.FIPS_OKProvider context,Description of capabilities.
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
COCORole
CipherEncrypt or decrypt data, including AEAD modes (CCM, GCM).COCipher (Unauth) Cipher (Auth)FIPS_OKEncryption or decryptionStatus return. Plaintext or ciphertext data.
key; plaintext or‐ SC_EDK_AES: W,Ekey; plaintext or
ciphertext data; flags.‐ SC_EDK_XTS: W,Eciphertext data; flags.
Get capabilitiesReports information on the requested capabilities.FIPS_OKProvider context,Description of capabilities.
InitializeModule initialization,CORandom MAC HMACFIPS_OKCore handle, dispatch inInitialization status (1 = pass, 0 = fail).
including instantiation ofincluding instantiation of‐ DRBG_EI: W,E,Zand out, provider context.
the opaque (managedthe opaque (managed‐ DRBG_Seed: G,E,Z
within the module) Counterwithin the module) Counter‐ DRBG_Key: G,W,E
DRBG instance.DRBG instance.‐ DRBG_V: G,W,E
Key agreementPerform key agreementCOCKG Section 5 Key agreementFIPS_OKKey structs (keyStatus return; key agreement shared secret.
primitives on behalf of theprimitives on behalf of the‐ KAS_Private_ECC: W,Eagreement keys); flags.
calling process (does notcalling process (does not‐ KAS_Public_ECC: W,E
establish keys into theestablish keys into the‐ KAS_Private_FFC: W,E
module).module).‐ KAS_Public_FFC: W,E
Key derivationDerive keying material fromCOKey derivation CKG Section 6.2FIPS_OKKey agreement sharedStatus return; derived keying material.
a shared secret.a shared secret.‐ KD_DKM_KDF: G,Rsecret; flags.
Key managementGenerate asymmetric keyCOKey management ECC Key management Edwards Key management FFC Key management IFC CKG Section 4FIPS_OKECDSA, EdDSA: curveStatus return; general digital signature private and public keys.
pairs.pairs.‐ DRBG_C: G,W,Eidentifier. DSA, RSA:
domain parameter‐ DRBG_Key: W,G,Edomain parameter
targets.‐ DRBG_V: W,G,Etargets.
Key transportEncapsulate or decapsulateCOCKG Section 5 Key transport KTS (Cipher w/ CMAC, GMAC, HMAC, KMAC) KTS (AES KW, KWP)FIPS_OKKey encapsulation/Status return; key transport shared secret.
key material on behalf ofkey material on behalf of‐ KTS_KDK_IFC: W,Edecapsulation key or Key
the calling process.the calling process.‐ KTS_KEK_IFC: W,Ewrap/unwrap key.
Message authenticationGenerate or verify dataCOMAC AES (CMAC, GMAC) MAC HMAC MAC KMAC (XOF)FIPS_OKKeyed hash key.Status return; MAC
integrity.integrity.‐ KH_Key_AES‐CMAC: W,Eoutput value.
Message digestGenerate a message digest.Message Digest Message Digest (XOF SHAKE)FIPS_OKMessage; flags.Status return; Hash
QueryReport available cryptoFIPS_OKProvider context, operation ID.Array of available
operations.operations.operations.
RandomGenerate random bits usingCORandom CKG Section 4FIPS_OKDRBG struct (RBG State); DRBG_Seed.Status return; Random
the DRBG.the DRBG.‐ DRBG_C: W,Evalue.
Self‐testPerform the self‐testFIPS_OKProvider context.Status (1 = pass, 0 =
sequence.sequence.fail).
Show module name and versioning informationReturn module name andFIPS_OKProvider context, parameter types (array).Parameter types
versioning information.versioning information.(array) with: Name,
Show statusOpenSSL core metadataFIPS_OKProvider context, parameter types (array).Parameter types with:
(Gettable parameters; Get(Gettable parameters; GetBuildInfo, Status,
parameters).parameters).SecurityChecks; Status
SignatureGenerate or verify digitalCOCKG Section 5 Signature DSA Signature ECDSA Signature EDDSA Signature RSAFIPS_OKSign: signing key; message. Verify: signature value; flags; sizes.Status return;
signatures. (SSPs are passedsignatures. (SSPs are passed‐ DS_SGK_ECC: W,ESignature value.
in by the calling process.)in by the calling process.)‐ DS_SVK_ECC: W,E
TeardownUninstantiate the module;COFIPS_OKProvider context.None.
zeroizes internal CTR DRBGzeroizes internal CTR DRBG‐ DRBG_Key: Z
state (DRBG_Key, DRBG_V).state (DRBG_Key, DRBG_V).‐ DRBG_V: Z
ZeroizeZeroization of allocated keyCOFIPS_OKMemory pointer.Void.
structures usingstructures using‐ DRBG_C: Z
openssl_cleanse.openssl_cleanse.‐ DRBG_EI: Z

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Table 17: Ports and Interfaces The Module does not interact with physical ports. The Control Output interface is not applicable, as the Module does not control other components.

4 Roles, Services, and Authentication
4.2 Roles

Table 18: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified), and does not support a maintenance role or a bypass capability. The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document and in associated Guidance Documentation.

4.3 Approved Services

This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 23

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 24

FIPS 140‐3 Security Policy This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 25

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 26

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 19: Approved Services All services implemented by the Module correspond to the functionality described by the fips_query function, which returns available services based on an operation_id input. The fips_get_params function provides access to the current status of the Module as well as the name and version; this information correlates to the validation listing. A 1 value returned in status indicates the Module is running without error (FIPS_OK); a 0 return indicates an error (with additional error details indicated as described in the release specific API documentation). Services are only operational in the running state. Any attempts to access services in any other state will result in an error being returned. If the integrity test or any CAST fails then any attempt to access any service will result in an error being returned. The OpenSSL toolkit OSSL_PROVIDER_get_params function is used to invoke fips_get_params, when called with the Module’s global handle and a pointer to a parameter structure (initialized using provider_gettable_params or the equivalent). Regarding the Indicator of approved security services, the Module conforms to FIPS 140‐3 IG 2.4.C Approved Security Service Indicator, similar to example 2. Each service provides context sensitive status responses as described in the OpenSSL 3 API manual pages; generally, functions of return type int return the value 1 for success with other error codes as appropriate for the call (described in API documentation). The Module’s name and version parameters (as cited in Section 2) along with the Module’s internal indicators of the security‐check and conditional‐errors settings are used to confirm the Module is the validated Module operating in the approved mode with only approved security services. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module.

4.4 Non‐Approved Services
4.5 External Software/Firmware Loaded

N/A for this Module. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 27

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC‐SHA2‐256 as the approved integrity technique; the file fips.so.mac contains the integrity reference value. The Module is provided in an executable form (as fips.so shared object for use in Linux environments).

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.

5.3 Open‐Source Parameters

In accordance with ISO/IEC 19790:2012 Annex B, as the Module is open source, the tools used to build the Module as tested are:    gcc version 9.3.0 perl v5.30.0 gnu make v4.2.1

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable No operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2.4. The Module conforms to FIPS 140‐3 IG 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES‐NI functions are identified by FIPS 140‐3 IG 2.3.C as a known PAA.

7 Physical Security
8 Non‐Invasive Security

N/A for this Module. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 28
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
RAMDynamicR: Random access memory
DRBG_CHash_DRBG_C ‐ CSPElement of Hash DRBG state.Size: 440‐888 ‐ Strength: 160 ≤ s ≤ 256RandomRandom
DRBG_EIOther ‐ CSPEntropy input from an external source used for DRBG seeding.Size: 128‐2^35 ‐ Strength: 128 ≤ s ≤ 256Random
DRBG_KeyCTR_DRBG_Key, HMAC_DRBG_KeyElement of CTR DRBG or HMAC DRBG state.Size: 128‐256, 128‐256 ‐ Strength: 128 ≤ s ≤ 256, 160 ≤ s ≤ 256RandomRandom
Service
NameApproved FunctionsTypeFromToDistribution Type
IElectronicPlaintextCalling processCall stack (API) input parametersManual
OElectronicPlaintextCall stack (API) output parametersCalling processManual
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUse
RAMDynamicR: Random access memory
DRBG_CHash_DRBG_C ‐ CSPElement of Hash DRBG state.Size: 440‐888 ‐ Strength: 160 ≤ s ≤ 256RandomRandom
DRBG_EIOther ‐ CSPEntropy input from an external source used for DRBG seeding.Size: 128‐2^35 ‐ Strength: 128 ≤ s ≤ 256Random
DRBG_KeyCTR_DRBG_Key, HMAC_DRBG_KeyElement of CTR DRBG or HMAC DRBG state.Size: 128‐256, 128‐256 ‐ Strength: 128 ≤ s ≤ 256, 160 ≤ s ≤ 256RandomRandom
DRBG_SeedOther ‐ CSPSeed used for DRBG Instantiation and Reseed.Size: 128‐256 ‐RandomRandom
DRBG_VCTR_DRBG_Key, Hash_DRBG_Key, HMAC_DRBG_Key ‐ CSPElement of CTR, Hash or HMAC DRBG state.Size: 128‐256, 128‐256, 128‐256RandomRandom
DS_SGK_ECCB‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ CSPSigGen (private) key.Size: 233, 283, 409, 571, 233,Signature
283, 409, 571, 224, 256, 384,283, 409, 571, 224, 256, 384,ECDSA
DS_SGK_EdwardsEdwards25519, Edwards448 ‐ CSPSigGen (private) key.Size: 255, 448 ‐Signature
Strength: s = 128, s = 224Strength: s = 128, s = 224EDDSA
DS_SGK_FFCL=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ CSPSigGen (private) key.Size: 2048, 2048, 3072 ‐Signature DSA
DS_SGK_IFCk=2048, k=3072, k=4096, k=6144, k=8192 ‐ CSPSigGen (private) key.Size: 2048, 3072, 4096, 6144,Signature RSA
DS_SVK_ECCB‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521 ‐ PSPSigVer (public) key.Size: 163, 233, 283, 409, 571,Signature
163, 233, 283, 409, 571, 192,163, 233, 283, 409, 571, 192,ECDSA
DS_SVK_EdwardsEdwards25519, Edwards448 ‐ PSPSigVer (public) key.Size: 255, 448 ‐Signature
Strength: s = 128, s = 224Strength: s = 128, s = 224EDDSA
DS_SVK_FFCL=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ PSPSigVer (public) key.Size: 1024, 2048, 2048, 3072 ‐Signature DSA
DS_SVK_IFCk=1024, k=2048, k=3072, k=4096, k=6144, k=8192 ‐ PSPSigVer (public) key.Size: 1024, 2048, 3072, 4096,Signature RSA
GKP_Private_ECCB‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ CSPGeneral ECDSA (private) key.Size: 233, 283, 409, 571, 233,KeyKey
283, 409, 571, 224, 256, 384,283, 409, 571, 224, 256, 384,managementmanagement
521 ‐521 ‐ECCECC
GKP_Private_EdwardsEdwards25519, Edwards448 ‐ CSPGeneral EdDSA (private) key.Size: 255, 448 ‐KeyKey
Strength: s = 128, s = 224Strength: s = 128, s = 224managementmanagement
EdwardsEdwardsEdwards
GKP_Private_FFCL=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ CSPGeneral FFC (private) key.Size: 2048, 2048, 3072 ‐KeyKey
Strength: s = 112, s = 112, s =Strength: s = 112, s = 112, s =managementmanagement
128128FFCFFC
GKP_Private_IFCk=2048, k=3072, k=4096, k=6144, k=8192 ‐ CSPGeneral RSA (private) key.Size: 2048, 3072, 4096, 6144,KeyKey
8192 ‐8192 ‐managementmanagement
Strength: s = 112, s = 128, s =Strength: s = 112, s = 128, s =IFCIFC
GKP_Public_ECCB‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ PSPGeneral ECDSA (public) key.Size: 233, 283, 409, 571, 233,KeyKey
283, 409, 571, 224, 256, 384,283, 409, 571, 224, 256, 384,managementmanagement
521 ‐521 ‐ECCECC
GKP_Public_EdwardsEdwards25519, Edwards448 ‐ PSPGeneral EdDSA (public) key.Size: 255, 448 ‐KeyKey
Strength: s = 128, s = 224Strength: s = 128, s = 224managementmanagement
EdwardsEdwardsEdwards
GKP_Public_FFCL=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ PSPGeneral FFC (public) key.Size: 2048, 2048, 3072 ‐KeyKey
Strength: s = 112, s = 112, s =Strength: s = 112, s = 112, s =managementmanagement
128128FFCFFC
GKP_Public_IFCk=2048, k=3072, k=4096, k=6144, k=8192 ‐ PSPGeneral RSA (public) key.Size: 2048, 3072, 4096, 6144,KeyKey
8192 ‐8192 ‐managementmanagement
Strength: s = 112, s = 128, s =Strength: s = 112, s = 128, s =IFCIFC
KAS_Private_ECCB‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ CSPKey pair component used for shared secret generation.Size: 233, 283, 409, 571, 233,Key agreement
KAS_Private_FFCffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 ‐ CSPKey pair component used for shared secret generation.Size: 2048, 3072, 4096, 6144,Key agreement
KAS_Private_IFCk=2048, k=3072, k=4096, k=6144, k=8192 ‐ CSPKey pair component used for shared secret generation.Size: 2048, 3072, 4096, 6144,Key agreement
KAS_Public_ECCB‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ PSPPeer key pair component used for shared secret generation.Size: 233, 283, 409, 571, 233,Key agreement
KAS_Public_FFCffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 ‐ PSPPeer key pair component used for shared secret generation.Size: 2048, 3072, 4096, 6144,Key agreement
KAS_Public_IFCk=2048, k=3072, k=4096, k=6144, k=8192 ‐ PSPPeer key pair component used for shared secret generation.Size: 2048, 3072, 4096, 6144,Key agreement
KAS_SS_ECCOther ‐ CSPShared secret calculation z output value (for KDF).Size: 112 ‐ 256 ‐KeyKey agreement
Strength: 112 ‐ 256Strength: 112 ‐ 256agreement
KAS_SS_FFCOther ‐ CSPShared secret calculation z output value (for KDF).Size: 112 ‐ 256 ‐KeyKey agreement
Strength: 112 ‐ 200Strength: 112 ‐ 200agreement
KAS_SS_IFCOther ‐ CSPShared secret calculation z output value (for KDF).Size: 112 ‐ 256 ‐KeyKey agreement
Strength: 112 ‐ 200Strength: 112 ‐ 200agreement
KD_DKM_KDFOther ‐ CSPKey derivation derived keying material.Size: 128 ‐ 256 ‐Key derivationKey derivation
KD_DKM_PBKDFOther ‐ CSPPBKDF derived key materialSize: 128 ‐Key derivationKey derivation
KD_PW_PBKDFOther ‐ CSPPBKDF password input.Size: 128 ‐Key derivationKey derivation
KD_SKOther ‐ CSPKey derivation source key material.Size: 128 ‐ 256 ‐Key derivation
KH_Key_AES‐CMACAES‐128, AES‐192, AES‐256 ‐ CSPKeyed Hash key.Size: 128, 192, 256 ‐MAC AES
Strength: s = 128, s = 192, s =Strength: s = 128, s = 192, s =(CMAC, GMAC)
KH_Key_AES‐GMACAES‐128, AES‐192, AES‐256 ‐ CSPKeyed Hash key.Size: 128, 192, 256 ‐MAC AES
Strength: s = 128, s = 192, s =Strength: s = 128, s = 192, s =(CMAC, GMAC)
KH_Key_HMACOther ‐ CSPKeyed Hash key.Size: 112 ‐ 2048 ‐MAC HMAC
KH_Key_KMACKMAC128, KMAC256 ‐ CSPKeyed Hash key.Size: 128, 256 ‐MAC KMAC
Strength: 112 ≤ s ≤ 128, 112 ≤ s ≤Strength: 112 ≤ s ≤ 128, 112 ≤ s ≤(XOF)
KTS_KDK_IFCOther ‐ CSPRSA key de‐ encapsulation Key (key transport).Size: 2048, 3072, 4096, 6144 ‐Key transport
KTS_KEK_IFCOther ‐ PSPRSA key encapsulation Key (key transport).Size: 2048, 3072, 4096, 6144 ‐Key transport
KTS_SS_IFCOther ‐ CSPRSA key transport shared secret.Size: 112 ‐ 256 ‐KeyKey transport
Strength: s = 112 ‐ s = 176Strength: s = 112 ‐ s = 176transport
SC_EDK_AESAES‐128, AES‐192, AES‐256 ‐ CSPSymmetric encryption and decryption.Size: 128, 192, 256 ‐Cipher
Strength: s = 128, s = 192, s =Strength: s = 128, s = 192, s =(Unauth)
256256Cipher (Auth)
SC_EDK_XTSXTS‐128, XTS‐256 ‐ CSPSymmetric encryption and decryption.Size: 256, 512 ‐Cipher
Strength: s = 128, s = 256Strength: s = 128, s = 256(Unauth)
Zeroization MethodDescriptionRationaleOperator Initiation
CC (Cleanse): Caller invocation of openssl_cleanse.Overwrites with zerosCaller invocation of openssl_cleanse
TT (Teardown): Module unload ‐ invokes cleanse internally.Overwrites with zerosOccurs when module is unloaded

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input‐Output Methods

I O Table 21: SSP Input‐Output Methods

9.3 SSP Zeroization Methods

C T Table 22: SSP Zeroization Methods All SSPs are zeroized (overwritten with 0s) when they are no longer needed:

9.4 SSPs

This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 29

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 30

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 31

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 32

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 23: SSP Table 1 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 33
Sensitive security parameter
NameStorageZeroizationInputStorage DurationRelated SSPs
DRBG_CRAM:PlaintextCICall lifetimeDRBG_Seed:Derived From
OODRBG_V:Used with
DRBG_EIRAM:PlaintextCICall lifetimeDRBG_Seed:Constituent
DRBG_KeyRAM:PlaintextCICall lifetime (module up time for internal DRBG)DRBG_Seed:Derived From
OTODRBG_V:Used with
DRBG_SeedRAM:PlaintextCCall lifetimeDRBG_C:Derives
DRBG_VRAM:PlaintextCICall lifetime (module up time for internal DRBG)DRBG_Seed:Derived From
OTODRBG_Key:Used with
DS_SGK_ECCRAM:PlaintextCICall lifetimeDS_SVK_ECC:Paired With
DS_SGK_EdwardsRAM:PlaintextCICall lifetimeDS_SVK_Edwards:Paired With
DS_SGK_FFCRAM:PlaintextCICall lifetimeDS_SVK_FFC:Paired With
DS_SGK_IFCRAM:PlaintextCICall lifetimeDS_SVK_IFC:Paired With
DS_SVK_ECCRAM:PlaintextCICall lifetimeDS_SGK_ECC:Paired With
DS_SVK_EdwardsRAM:PlaintextCICall lifetimeDS_SGK_Edwards:Paired With
DS_SVK_FFCRAM:PlaintextCICall lifetimeDS_SGK_FFC:Paired With
DS_SVK_IFCRAM:PlaintextCICall lifetimeDS_SGK_IFC:Paired With
GKP_Private_ECCRAM:PlaintextCOCall lifetimeGKP_Public_ECC:Paired With
GKP_Private_EdwardsRAM:PlaintextCOCall lifetimeGKP_Public_Edwards:Paired With
GKP_Private_FFCRAM:PlaintextCOCall lifetimeGKP_Public_FFC:Paired With
GKP_Private_IFCRAM:PlaintextCOCall lifetimeGKP_Public_IFC:Paired With
GKP_Public_ECCRAM:PlaintextCOCall lifetimeGKP_Private_ECC:Paired With
GKP_Public_EdwardsRAM:PlaintextCOCall lifetimeGKP_Private_Edwards:Paired With
GKP_Public_FFCRAM:PlaintextCOCall lifetimeGKP_Private_FFC:Paired With
GKP_Public_IFCRAM:PlaintextCOCall lifetimeGKP_Private_IFC:Paired With
KAS_Private_ECCRAM:PlaintextCICall lifetimeKAS_Public_ECC:Paired With
KAS_Private_FFCRAM:PlaintextCICall lifetimeKAS_Public_FFC:Paired With
KAS_Private_IFCRAM:PlaintextCICall lifetimeKAS_Public_IFC:Paired With
KAS_Public_ECCRAM:PlaintextCICall lifetimeKAS_Private_ECC:Paired With
KAS_Public_FFCRAM:PlaintextCICall lifetimeKAS_Private_FFC:Paired With
KAS_Public_IFCRAM:PlaintextCICall lifetimeKAS_Private_IFC:Paired With
KAS_SS_ECCRAM:PlaintextCOCall lifetimeKAS_Private_ECC:Calculated From
KAS_SS_FFCRAM:PlaintextCOCall lifetimeKAS_Private_FFC:Calculated From
KAS_SS_IFCRAM:PlaintextCOCall lifetimeKAS_Private_IFC:Calculated From
KD_DKM_KDFRAM:PlaintextCOCall lifetimeKD_SK:Derived From
KD_DKM_PBKDFRAM:PlaintextCOCall lifetimeKD_PW_PBKDF:Derived From
KD_PW_PBKDFRAM:PlaintextCICall lifetimeKD_DKM_PBKDF:Derives
KD_SKRAM:PlaintextCICall lifetimeKD_DKM_KDF:Derives
KH_Key_AES‐CMACRAM:PlaintextCICall lifetime
KH_Key_AES‐GMACRAM:PlaintextCICall lifetime
KH_Key_HMACRAM:PlaintextCICall lifetime
KH_Key_KMACRAM:PlaintextCICall lifetime
KTS_KDK_IFCRAM:PlaintextCICall lifetimeKTS_SS_IFC:Unwraps
KTS_KEK_IFCRAM:PlaintextCICall lifetimeKTS_SS_IFC:Wraps
KTS_SS_IFCRAM:PlaintextCOCall lifetimeKTS_KDK_IFC:Unwrapped By
SC_EDK_AESRAM:PlaintextCICall lifetime
SC_EDK_XTSRAM:PlaintextCICall lifetime

FIPS 140‐3 Security Policy I O I I O I O I I I I I I I I O O O O O O O O I I I I I I O AIX FIPS Crypto Provider for OpenSSL 3 C C C T C C T C C C C C C C C C C C C C C C C C C C C C C C This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 34

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 O C O C O O I I I I I I I I O C C C C C C C C C C C Table 24: SSP Table 2 I I C C Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. The Module maintains only the Counter DRBG state used for key generation as a persistent CSP; this DRBG instance is used exclusively for approved services. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 35

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

9.5 Additional Information

Key/Algorithm Type Equivalent Strengths: Reference sources for the strengths provided in SSP Table 1 are specified below. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). Block Cipher (and related functions):  AES (AES‐128, AES‐192, AES‐256): SP 800‐57 Part 1 Rev. 5 Table

  1. Digital Signature:     ECC (B‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521): SP 800‐186 Table 1 (provides approximate elliptic curve security strengths). SP 800‐186 and FIPS 140‐3 IG C.K indicate that the Binary (B‐) and Koblitz (K‐) curves are deprecated. EdDSA (ED‐25519, ED‐448): SP 800‐186 Table
  2. FFC (DSA: L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256): SP 800‐57 Part 1 Rev. 5 Table
  3. Security strength for L=2048/N=256 is determined in accordance with FIPS 140‐3 IG D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112. IFC (RSA: k=1024, k=2048, k=3072, k=4096): SP 800‐57 Part 1 Rev. 5 Table
  4. In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Secure Hash (and related functions):    SHA‐1, SHA2 (SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256): SP 800‐107 Rev. 1 Table
  5. SHA3 (SHA3‐224, SHA3‐256, SHA3‐384, SHA3‐512): SP 800‐57 Part 1 Rev. 5 Table
  6. SHAKE (SHAKE128, SHAKE256): SP 800‐185 Section 8.1. Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in SP 800‐57 Part 1 Rev. 5 Table
  7. Message Authentication:  KMAC (KMAC128, KMAC256): SP 800‐56C Rev. 2 Table
  8. Key Agreement:    KAS‐ECC‐SSC (B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521): SP 800‐56A Rev. 3 Table
  9. KAS‐FFC‐SSC (FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192): SP 800‐56A Rev. 3 Tables 25 and
  10. KAS‐IFC‐SSC (k=2048, k=3072, k=4096, k=6144, k=8192): SP 800‐56B Rev. 2 Table 4 (provides approximate security strengths). Key Agreement Key Derivation:  KDA OneStep: SP 800‐56C Rev. 2 Table 1 (hash), Table 2 (HMAC) and Table 3 (KMAC). This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
Page 36
Self test
NameAlgorithm Or TestTest MethodTest TypeTest PropertiesIndicator
SW IntegritySW IntegrityHMAC over the complete module file imageSW/FW IntegrityHMAC‐SHA2‐256 #A4481FIPS_OK or PROV_R_FIPS_MODULE_IN_ERROR_STATE
Approved algorithm
NamePropertiesTestIndicatorDetailsConditions
TestType
AES‐ECB128‐bitCASTFIPS_OKEncryptPerformed on module load.
AES‐ECB128‐bitCASTFIPS_OKDecryptPerformed on module load.
AES‐GCM256‐bitCASTFIPS_OKEncryptPerformed on module load.
AES‐GCM256‐bitCASTFIPS_OKDecryptPerformed on module load.
Counter DRBGAES‐128 with derivationCASTFIPS_OKInstantiate, Generate, ReseedPerformed on module load.
DSA SigGen2048‐bit with SHA2‐384CASTFIPS_OKSignPerformed on module load.
DSA SigVer2048‐bit with SHA2‐384CASTFIPS_OKVerifyPerformed on module load.
ECDSA SigGenP‐224 with SHA2‐512CASTFIPS_OKSignPerformed on module load.
ECDSA SigVerP‐224 with SHA2‐512CASTFIPS_OKVerifyPerformed on module load.
EDDSA ED448Edwards448 SigGen with SHA2‐CASTFIPS_OKSignPerformed on module load.
SigGen256
EDDSA ED448Edwards448 SigVer with SHA2‐CASTFIPS_OKVerifyPerformed on module load.
SigVer256
EDDSA ED25519Edwards25519 SigGen withCASTFIPS_OKSignPerformed on module load.
SigGenSHA2‐512
EDDSA ED25519Edwards25519 SigVer withCASTFIPS_OKVerifyPerformed on module load.
SigVerSHA2‐512
Hash DRBGSHA2‐256CASTFIPS_OKInstantiate, Generate, ReseedPerformed on module load.
HMAC DRBGSHA‐1CASTFIPS_OKInstantiate, Generate, ReseedPerformed on module load.
HMAC‐SHA2‐256SHA2‐256 with a 256‐bit keyCASTFIPS_OKGeneratePerformed on module load.
TestType
KAS‐ECC‐SSCP‐256CASTFIPS_OKEphemeral Unified Shared SecretPerformed on module load.
Sp800‐56Ar3(Z) Computation
KAS‐FFC‐SSCL=2048/N=256CASTFIPS_OKdhEphem Shared Secret (Z)Performed on module load.
Sp800‐56Ar3Computation
KAS‐IFC‐SSCk=2048CASTFIPS_OKSP 800‐56B Rev. 2 Section 8.2.2 RSAPerformed on module load.
KAS‐KDFSHA2‐224CASTFIPS_OKSP 800‐56C Rev. 2 Section 4Performed on module load.
OneStep SP800‐OneStep KDF (AKA OpenSSL single‐
56Cr2step or SS‐KDF)
KAS‐KDFSHA2‐256CASTFIPS_OKSP 800‐56C Rev. 2 Section 5Performed on module load.
TwoStep SP800‐TwoStep KDF (HKDF variant)
KDF ANS 9.42Fixed input KATCASTFIPS_OKSP 800‐135 Rev. 1 Section 5.1 ANSIPerformed on module load.
KDF ANS 9.63Fixed input KATCASTFIPS_OKSP 800‐135 Rev. 1 Section 5.1Performed on module load.
KDF SP800‐108HMAC‐SHA2‐256CASTFIPS_OKSP 800‐108 Rev. 1 Section 4.1 KATPerformed on module load.
KDF SSHFixed input KATCASTFIPS_OKSP 800‐135 Rev. 1 Section 5.2Performed on module load.
KTS‐IFCk=2048CASTFIPS_OKSP 800‐56B Rev. 2 Decrypt for CRTPerformed on module load.
KTS‐IFCk=2048CASTFIPS_OKSP 800‐56B Rev. 2 Encrypt for BasicPerformed on module load.
KTS‐IFCk=2048CASTFIPS_OKSP 800‐56B Rev. 2 Decrypt for BasicPerformed on module load.
PBKDFSHA2‐256, 24‐byte password, 36‐byte salt, iteration count of 4096CASTFIPS_OKSP 800‐132 Section 5.3 KAT ofPerformed on module load.
RSA SigGenk=2048 with SHA2‐256CASTFIPS_OKSignPerformed on module load.
RSA SigVerk=2048 with SHA2‐256CASTFIPS_OKVerifyPerformed on module load.
SHA‐1SHA‐1CASTFIPS_OKSimple SHA KATPerformed on module load.
SHA2‐512SHA2‐512CASTFIPS_OKSimple SHA KATPerformed on module load.
SHA3‐256SHA3‐256CASTFIPS_OKSimple SHA KATPerformed on module load.
TLS v1.2 KDFFixed input KATCASTFIPS_OKSP 800‐135 Rev. 1 Section 4.2.2 TLSPerformed on module load.
RFC76271.2 KAT

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

10 Self‐Tests
10.1 Pre‐Operational Self‐Tests

Table 25: Pre‐Operational Self‐Tests

10.2 Conditional Self‐Tests

This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 37

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 OneStep SP80056Cr2 TwoStep SP80056Cr2 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 38
Approved algorithm
NameMode MethodPropertiesTestIndicatorDetailsConditions
TestType
TLS v1.3 KDFKATFixed input KATCASTFIPS_OKRFC8446 Section 7.1 TLS v1.3 KDF KATPerformed on module load.
DSA KeyGenPCTPCT performed using thePCTFIPS_OKSign, VerifyPerformed on FFC (DSA, KAS‐FFC‐SSC) key pair
(FIPS186‐4)generated key pairgeneration, prior to returning the key pair on
ECDSA KeyGenPCTPCT performed using thePCTFIPS_OKSign, VerifyPerformed on ECC (ECDSA) key pair generation,
(FIPS186‐4)generated key pairprior to returning the key pair on conclusion of
EDDSA KeyGenPCTPCT performed using thePCTFIPS_OKSign, VerifyPerformed on Edwards (EdDSA) key pair
generated key pairgenerated key pairgeneration, prior to returning the key pair on
RSA KeyGenPCTPCT performed using thePCTFIPS_OKSign, VerifyPerformed on IFC (RSA, KAS‐IFC‐SSC, KTS‐IFC) key
(FIPS186‐4)generated key pairpair generation, prior to returning the key pair on
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
SW IntegritySW IntegrityHMAC over the complete module file imageSW/FW IntegrityOn demandModule load
AES‐ECBAES‐ECBKATCASTOn demandOn power on or reset
AES‐ECBAES‐ECBKATCASTOn demandOn power on or reset
AES‐GCMAES‐GCMKATCASTOn demandOn power on or reset
AES‐GCMAES‐GCMKATCASTOn demandOn power on or reset
Counter DRBGCounter DRBGKATCASTOn demandOn power on or reset
DSA SigGen (FIPS186‐4)DSA SigGen (FIPS186‐4)KATCASTOn demandOn power on or reset
DSA SigVer (FIPS186‐4)DSA SigVer (FIPS186‐4)KATCASTOn demandOn power on or reset
ECDSA SigGen (FIPS186‐4)ECDSA SigGen (FIPS186‐4)KATCASTOn demandOn power on or reset
ECDSA SigVer (FIPS186‐4)ECDSA SigVer (FIPS186‐4)KATCASTOn demandOn power on or reset
EDDSA ED448 SigGenEDDSA ED448 SigGenKATCASTOn demandOn power on or reset
EDDSA ED448 SigVerEDDSA ED448 SigVerKATCASTOn demandOn power on or reset
EDDSA ED25519 SigGenEDDSA ED25519 SigGenKATCASTOn demandOn power on or reset
EDDSA ED25519 SigVerEDDSA ED25519 SigVerKATCASTOn demandOn power on or reset
Hash DRBGHash DRBGKATCASTOn demandOn power on or reset
HMAC DRBGHMAC DRBGKATCASTOn demandOn power on or reset
HMAC‐SHA2‐256HMAC‐SHA2‐256KATCASTOn demandOn power on or reset
KAS‐ECC‐SSC Sp800‐56Ar3KAS‐ECC‐SSC Sp800‐56Ar3KATCASTOn demandOn power on or reset
KAS‐FFC‐SSC Sp800‐56Ar3KAS‐FFC‐SSC Sp800‐56Ar3KATCASTOn demandOn power on or reset
KAS‐IFC‐SSCKAS‐IFC‐SSCKATCASTOn demandOn power on or reset
KAS‐KDF OneStep SP800‐56Cr2KAS‐KDF OneStep SP800‐56Cr2KATCASTOn demandOn power on or reset
KAS‐KDF TwoStep SP800‐56Cr2KAS‐KDF TwoStep SP800‐56Cr2KATCASTOn demandOn power on or reset
KDF ANS 9.42KDF ANS 9.42KATCASTOn demandOn power on or reset
KDF ANS 9.63KDF ANS 9.63KATCASTOn demandOn power on or reset
KDF SP800‐108KDF SP800‐108KATCASTOn demandOn power on or reset
KDF SSHKDF SSHKATCASTOn demandOn power on or reset
KTS‐IFCKTS‐IFCKATCASTOn demandOn power on or reset
KTS‐IFCKTS‐IFCKATCASTOn demandOn power on or reset
KTS‐IFCKTS‐IFCKATCASTOn demandOn power on or reset
PBKDFPBKDFKATCASTOn demandOn power on or reset
RSA SigGen (FIPS186‐4)RSA SigGen (FIPS186‐4)KATCASTOn demandOn power on or reset
RSA SigVer (FIPS186‐4)RSA SigVer (FIPS186‐4)KATCASTOn demandOn power on or reset
SHA‐1SHA‐1KATCASTOn demandOn power on or reset
SHA2‐512SHA2‐512KATCASTOn demandOn power on or reset
SHA3‐256SHA3‐256KATCASTOn demandOn power on or reset
TLS v1.2 KDF RFC7627TLS v1.2 KDF RFC7627KATCASTOn demandOn power on or reset
TLS v1.3 KDFTLS v1.3 KDFKATCASTOn demandOn power on or reset
DSA KeyGen (FIPS186‐4)DSA KeyGen (FIPS186‐4)PCTPCTOn demandOn power on or reset
ECDSA KeyGen (FIPS186‐4)ECDSA KeyGen (FIPS186‐4)PCTPCTOn demandOn power on or reset
EDDSA KeyGenEDDSA KeyGenPCTPCTOn demandOn power on or reset
RSA KeyGen (FIPS186‐4)RSA KeyGen (FIPS186‐4)PCTPCTOn demandOn power on or reset

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3 Table 26: Conditional Self‐Tests The intended usage of asymmetric key pairs generated by the Module is not known at the time when the key pair is generated and the pairwise consistency test (PCT) is performed. In all cases, a sign and verify PCT is performed.

10.3 Periodic Self‐Test Information

Table 27: Pre‐Operational Periodic Information This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 39

FIPS 140‐3 Security Policy Table 28: Conditional Periodic Information AIX FIPS Crypto Provider for OpenSSL 3 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.

Page 40
Service
NameDescriptionRole AccessIndicatorRecovery Method
Self‐testThe self‐test failure errorIf one of the KATs fails or integrity testPROV_R_FIPS_MODULE_IN_ERROR_STATEReload the Module into
failurestatefailsmemory

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

10.4 Error States
10.5 Operator Initiation of Self‐Tests

Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. The pre‐operational self‐tests are available on demand by reloading the Module. On instantiation, the Module performs the pre‐operational self‐test and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. The fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11.

11 Life‐Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

During the manufacturing process, IBM executes the build and installation instructions for the Module. The Module is pre‐installed and configured in supported IBM solutions. The approved mode is enabled by default. There are no additional installation, configuration, or usage instructions for operators intending to use the Module.

11.2 Administrator Guidance

Guidance Documentation is inclusive of all information required per ISO/IEC 19790:2012 Section 7.11.9.

11.3 Non‐Administrator Guidance
11.4 Design and Rules

The inherent properties of the Module are:

  1. Manual key entry is not supported.
  2. Data output is inhibited during self‐tests, zeroization, SSP generation, and error states.
  3. The Module does not perform any cryptographic function if any self‐test has failed. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
Page 41

FIPS 140‐3 Security Policy AIX FIPS Crypto Provider for OpenSSL 3

12 Mitigation of Other Attacks
12.1 Attack List

The Module implements mitigations for constant‐time implementations and blinding attacks.

12.2 Mitigation Effectiveness

Constant‐time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant‐time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.

12.3 Guidance and Constraints

The mitigation mechanisms described in Section 12.2 are inherent within the validated algorithms. No other guidance or constraints are specified. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.