| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/20/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. |
| Vendor | Canonical Ltd. |
flowchart LR
%% Deterministic review-risk graph for Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Canonical Ltd. Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module Version 5.15.0-73-fips Version 1.2 Last update: 11-08-2024 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 Canonical Ltd./ atsec information security.
| # | Section | Page |
|---|
© 2024 Canonical Ltd. / atsec information security.
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 9 |
| Table 4: Modes List and Description | 9 |
| Table 5: Approved Algorithms | 15 |
| Table 6: V endor-Affirmed Algorithms | 15 |
| Table 7: Non-Approved , Not Allowed Algorithms | 16 |
| Table 8: Security Function Implementations | 26 |
| Table 9: Entrop y Certificates | 27 |
| Table 10: Entropy Sources | 27 |
| Table 11: Ports and Interfaces | 30 |
| Table 12: Roles | 31 |
| Table 13: Approved Services | 35 |
| Table 14: Non-Approved Services | 36 |
| Table 15: Storag e Areas | 41 |
| Table 16: SSP Input-Output Methods | 41 |
| Table 17: SSP Zeroization Methods | 41 |
| Table 18: SSP Table 1 | 44 |
| Table 19: SSP Table 2 | 45 |
| Table 20: Pre-Operational Self-Tests | 47 |
| Table 21: Conditional Self-Tests | 84 |
| Table 22: Pre-Operational Period ic Information | 85 |
| Table 23: Conditional Periodic Information | 96 |
| Table 24: Error States | 96 |
| Item | Page |
|---|---|
| Figure 1: Block Diagram | 7 |
This document is the non-proprietary FIPS 140-3 Security Policy for version 5.15.0-73-fips of the Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.
Overall 1 Table 1: Security Levels
which was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2024 Canonical Ltd. / atsec information security.
Purpose and Use: The Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Block Diagram © 2024 Canonical Ltd. / atsec information security.
Identification Tested Module Identification
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS Ubuntu 22.04 LTS Amazon Web Services AWS Graviton2 No N/A 5.15.0-7364-bit (AWS) c6g.metal fips Ubuntu Core 22 Amazon Web Services AWS Graviton2 Yes N/A 5.15.0-7364-bit (AWS) c6g.metal fips Ubuntu Core 22 Amazon Web Services AWS Graviton2 No N/A 5.15.0-7364-bit (AWS) c6g.metal fips Ubuntu 22.04 LTS IBM z15 IBM z15 Yes N/A 5.15.0-7364-bit fips Ubuntu 22.04 LTS IBM z15 IBM z15 No N/A 5.15.0-7364-bit fips Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of the mode approved service is requested requested service defined in section 4.3 Non-approved Automatically entered whenever a Non- Equivalent to the indicator of the mode non-approved service is requested Approved requested service defined in section 4.3 Table 4: Modes List and Description Mode Change Instructions and Status: After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: Not applicable. © 2024 Canonical Ltd. / atsec information security.
Approved Algorithms: Algorithm CAVP Cert Reference AES-ECB A3812 SP 800-38A Counter DRBG A3812 SP 800-90A Rev. 1 Hash DRBG A3812 SP 800-90A Rev. 1 HMAC DRBG A3812 SP 800-90A Rev. 1 HMAC-SHA-1 A3812 FIPS 198-1 HMAC-SHA2-224 A3812 FIPS 198-1 HMAC-SHA2-256 A3812 FIPS 198-1 HMAC-SHA2-384 A3812 FIPS 198-1 HMAC-SHA2-512 A3812 FIPS 198-1 KAS-FFC-SSC Sp800-56Ar3 A3812 SP 800-56A Rev. 3 Safe Primes Key Generation A3812 SP 800-56A Rev. 3 SHA-1 A3812 FIPS 180-4 SHA2-224 A3812 FIPS 180-4 SHA2-256 A3812 FIPS 180-4 SHA2-384 A3812 FIPS 180-4 SHA2-512 A3812 FIPS 180-4 AES-ECB A3813 SP 800-38A Counter DRBG A3813 SP 800-90A Rev. 1 ECDSA KeyGen (FIPS186-4) A3813 FIPS 186-4 Hash DRBG A3813 SP 800-90A Rev. 1 HMAC DRBG A3813 SP 800-90A Rev. 1 HMAC-SHA-1 A3813 FIPS 198-1 HMAC-SHA2-224 A3813 FIPS 198-1 HMAC-SHA2-256 A3813 FIPS 198-1 HMAC-SHA2-384 A3813 FIPS 198-1 HMAC-SHA2-512 A3813 FIPS 198-1 KAS-ECC-SSC Sp800-56Ar3 A3813 SP 800-56A Rev. 3 SHA-1 A3813 FIPS 180-4 SHA2-224 A3813 FIPS 180-4 SHA2-256 A3813 FIPS 180-4 SHA2-384 A3813 FIPS 180-4 SHA2-512 A3813 FIPS 180-4 AES-CBC A3814 SP 800-38A AES-CCM A3814 SP 800-38C AES-CMAC A3814 SP 800-38B AES-CTR A3814 SP 800-38A AES-ECB A3814 SP 800-38A AES-GCM A3814 SP 800-38D AES-GMAC A3814 SP 800-38D AES-XTS Testing Revision 2.0 A3814 SP 800-38E Counter DRBG A3814 SP 800-90A Rev. 1 Hash DRBG A3814 SP 800-90A Rev. 1 HMAC DRBG A3814 SP 800-90A Rev. 1 HMAC-SHA-1 A3814 FIPS 198-1 HMAC-SHA2-224 A3814 FIPS 198-1 HMAC-SHA2-256 A3814 FIPS 198-1 HMAC-SHA2-384 A3814 FIPS 198-1 HMAC-SHA2-512 A3814 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Reference RSA SigVer (FIPS186-4) A3814 FIPS 186-4 SHA-1 A3814 FIPS 180-4 SHA2-224 A3814 FIPS 180-4 SHA2-256 A3814 FIPS 180-4 SHA2-384 A3814 FIPS 180-4 SHA2-512 A3814 FIPS 180-4 AES-KW A3815 SP 800-38F HMAC-SHA3-224 A3816 FIPS 198-1 HMAC-SHA3-256 A3816 FIPS 198-1 HMAC-SHA3-384 A3816 FIPS 198-1 HMAC-SHA3-512 A3816 FIPS 198-1 SHA3-224 A3816 FIPS 202 SHA3-256 A3816 FIPS 202 SHA3-384 A3816 FIPS 202 SHA3-512 A3816 FIPS 202 AES-CFB128 A3817 SP 800-38A AES-OFB A3818 SP 800-38A AES-CBC-CS3 A3819 SP 800-38A AES-ECB A3820 SP 800-38A AES-GCM A3820 SP 800-38D Counter DRBG A3820 SP 800-90A Rev. 1 Hash DRBG A3820 SP 800-90A Rev. 1 HMAC DRBG A3820 SP 800-90A Rev. 1 AES-ECB A3821 SP 800-38A AES-GCM A3821 SP 800-38D Counter DRBG A3821 SP 800-90A Rev. 1 Hash DRBG A3821 SP 800-90A Rev. 1 HMAC DRBG A3821 SP 800-90A Rev. 1 AES-CBC A3822 SP 800-38A AES-CCM A3822 SP 800-38C AES-CMAC A3822 SP 800-38B AES-CTR A3822 SP 800-38A AES-ECB A3822 SP 800-38A AES-GCM A3822 SP 800-38D AES-GMAC A3822 SP 800-38D AES-XTS Testing Revision 2.0 A3822 SP 800-38E Counter DRBG A3822 SP 800-90A Rev. 1 Hash DRBG A3822 SP 800-90A Rev. 1 HMAC DRBG A3822 SP 800-90A Rev. 1 AES-KW A3823 SP 800-38F AES-ECB A3824 SP 800-38A AES-GCM A3824 SP 800-38D Counter DRBG A3824 SP 800-90A Rev. 1 Hash DRBG A3824 SP 800-90A Rev. 1 HMAC DRBG A3824 SP 800-90A Rev. 1 AES-ECB A3825 SP 800-38A AES-GCM A3825 SP 800-38D Counter DRBG A3825 SP 800-90A Rev. 1 Hash DRBG A3825 SP 800-90A Rev. 1 HMAC DRBG A3825 SP 800-90A Rev. 1 AES-CFB128 A3826 SP 800-38A AES-OFB A3827 SP 800-38A © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Reference AES-CBC-CS3 A3828 SP 800-38A AES-CBC A3829 SP 800-38A AES-CCM A3829 SP 800-38C AES-CMAC A3829 SP 800-38B AES-CTR A3829 SP 800-38A AES-ECB A3829 SP 800-38A AES-GCM A3829 SP 800-38D AES-GMAC A3829 SP 800-38D AES-XTS Testing Revision 2.0 A3829 SP 800-38E Counter DRBG A3829 SP 800-90A Rev. 1 AES-ECB A3830 SP 800-38A AES-GCM A3830 SP 800-38D Counter DRBG A3830 SP 800-90A Rev. 1 Hash DRBG A3830 SP 800-90A Rev. 1 HMAC DRBG A3830 SP 800-90A Rev. 1 AES-ECB A3831 SP 800-38A AES-GCM A3831 SP 800-38D Counter DRBG A3831 SP 800-90A Rev. 1 Hash DRBG A3831 SP 800-90A Rev. 1 HMAC DRBG A3831 SP 800-90A Rev. 1 AES-CBC A3832 SP 800-38A AES-CCM A3832 SP 800-38C AES-CMAC A3832 SP 800-38B AES-CTR A3832 SP 800-38A AES-ECB A3832 SP 800-38A AES-GCM A3832 SP 800-38D AES-GMAC A3832 SP 800-38D AES-XTS Testing Revision 2.0 A3832 SP 800-38E Counter DRBG A3832 SP 800-90A Rev. 1 Hash DRBG A3832 SP 800-90A Rev. 1 HMAC DRBG A3832 SP 800-90A Rev. 1 HMAC-SHA-1 A3832 FIPS 198-1 HMAC-SHA2-224 A3832 FIPS 198-1 HMAC-SHA2-256 A3832 FIPS 198-1 HMAC-SHA2-384 A3832 FIPS 198-1 HMAC-SHA2-512 A3832 FIPS 198-1 RSA SigVer (FIPS186-4) A3832 FIPS 186-4 SHA-1 A3832 FIPS 180-4 SHA2-224 A3832 FIPS 180-4 SHA2-256 A3832 FIPS 180-4 SHA2-384 A3832 FIPS 180-4 SHA2-512 A3832 FIPS 180-4 AES-ECB A3833 SP 800-38A AES-GCM A3833 SP 800-38D Counter DRBG A3833 SP 800-90A Rev. 1 Hash DRBG A3833 SP 800-90A Rev. 1 HMAC DRBG A3833 SP 800-90A Rev. 1 AES-ECB A3834 SP 800-38A AES-GCM A3834 SP 800-38D Counter DRBG A3834 SP 800-90A Rev. 1 Hash DRBG A3834 SP 800-90A Rev. 1 HMAC DRBG A3834 SP 800-90A Rev. 1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Reference AES-KW A3835 SP 800-38F AES-CFB128 A3836 SP 800-38A AES-OFB A3837 SP 800-38A AES-CBC-CS3 A3838 SP 800-38A HMAC-SHA3-224 A3839 FIPS 198-1 HMAC-SHA3-256 A3839 FIPS 198-1 HMAC-SHA3-384 A3839 FIPS 198-1 HMAC-SHA3-512 A3839 FIPS 198-1 SHA3-224 A3839 FIPS 202 SHA3-256 A3839 FIPS 202 SHA3-384 A3839 FIPS 202 SHA3-512 A3839 FIPS 202 AES-CBC A3840 SP 800-38A AES-CTR A3840 SP 800-38A AES-ECB A3840 SP 800-38A AES-GCM A3840 SP 800-38D AES-XTS Testing Revision 2.0 A3840 SP 800-38E Counter DRBG A3840 SP 800-90A Rev. 1 Hash DRBG A3840 SP 800-90A Rev. 1 HMAC DRBG A3840 SP 800-90A Rev. 1 AES-ECB A3841 SP 800-38A AES-GCM A3841 SP 800-38D Counter DRBG A3841 SP 800-90A Rev. 1 Hash DRBG A3841 SP 800-90A Rev. 1 HMAC DRBG A3841 SP 800-90A Rev. 1 AES-ECB A3842 SP 800-38A AES-GCM A3842 SP 800-38D Counter DRBG A3842 SP 800-90A Rev. 1 Hash DRBG A3842 SP 800-90A Rev. 1 HMAC DRBG A3842 SP 800-90A Rev. 1 AES-CBC A3843 SP 800-38A AES-CCM A3843 SP 800-38C AES-CMAC A3843 SP 800-38B AES-CTR A3843 SP 800-38A AES-ECB A3843 SP 800-38A AES-GCM A3843 SP 800-38D AES-GMAC A3843 SP 800-38D AES-XTS Testing Revision 2.0 A3843 SP 800-38E Counter DRBG A3843 SP 800-90A Rev. 1 Hash DRBG A3843 SP 800-90A Rev. 1 HMAC DRBG A3843 SP 800-90A Rev. 1 AES-ECB A3844 SP 800-38A AES-GCM A3844 SP 800-38D Counter DRBG A3844 SP 800-90A Rev. 1 Hash DRBG A3844 SP 800-90A Rev. 1 HMAC DRBG A3844 SP 800-90A Rev. 1 AES-ECB A3845 SP 800-38A AES-GCM A3845 SP 800-38D Counter DRBG A3845 SP 800-90A Rev. 1 Hash DRBG A3845 SP 800-90A Rev. 1 HMAC DRBG A3845 SP 800-90A Rev. 1 AES-KW A3846 SP 800-38F © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Reference AES-CFB128 A3847 SP 800-38A AES-OFB A3848 SP 800-38A AES-CBC-CS3 A3849 SP 800-38A Hash DRBG A3850 SP 800-90A Rev. 1 HMAC DRBG A3850 SP 800-90A Rev. 1 HMAC-SHA-1 A3850 FIPS 198-1 HMAC-SHA2-224 A3850 FIPS 198-1 HMAC-SHA2-256 A3850 FIPS 198-1 HMAC-SHA2-384 A3850 FIPS 198-1 HMAC-SHA2-512 A3850 FIPS 198-1 RSA SigVer (FIPS186-4) A3850 FIPS 186-4 SHA-1 A3850 FIPS 180-4 SHA2-224 A3850 FIPS 180-4 SHA2-256 A3850 FIPS 180-4 SHA2-384 A3850 FIPS 180-4 SHA2-512 A3850 FIPS 180-4 Hash DRBG A3851 SP 800-90A Rev. 1 HMAC DRBG A3851 SP 800-90A Rev. 1 HMAC-SHA-1 A3851 FIPS 198-1 HMAC-SHA2-224 A3851 FIPS 198-1 HMAC-SHA2-256 A3851 FIPS 198-1 HMAC-SHA2-384 A3851 FIPS 198-1 HMAC-SHA2-512 A3851 FIPS 198-1 RSA SigVer (FIPS186-4) A3851 FIPS 186-4 SHA-1 A3851 FIPS 180-4 SHA2-224 A3851 FIPS 180-4 SHA2-256 A3851 FIPS 180-4 SHA2-384 A3851 FIPS 180-4 SHA2-512 A3851 FIPS 180-4 Hash DRBG A3852 SP 800-90A Rev. 1 HMAC DRBG A3852 SP 800-90A Rev. 1 HMAC-SHA-1 A3852 FIPS 198-1 HMAC-SHA2-224 A3852 FIPS 198-1 HMAC-SHA2-256 A3852 FIPS 198-1 HMAC-SHA2-384 A3852 FIPS 198-1 HMAC-SHA2-512 A3852 FIPS 198-1 RSA SigVer (FIPS186-4) A3852 FIPS 186-4 SHA-1 A3852 FIPS 180-4 SHA2-224 A3852 FIPS 180-4 SHA2-256 A3852 FIPS 180-4 SHA2-384 A3852 FIPS 180-4 SHA2-512 A3852 FIPS 180-4 AES-CBC A3853 SP 800-38A AES-CBC-CS3 A3853 SP 800-38A AES-CCM A3853 SP 800-38C AES-CMAC A3853 SP 800-38B AES-CTR A3853 SP 800-38A AES-ECB A3853 SP 800-38A AES-XTS Testing Revision 2.0 A3853 SP 800-38E HMAC-SHA-1 A3853 FIPS 198-1 HMAC-SHA2-224 A3853 FIPS 198-1 HMAC-SHA2-256 A3853 FIPS 198-1 © 2024 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Reference SHA-1 A3853 FIPS 180-4 SHA2-224 A3853 FIPS 180-4 SHA2-256 A3853 FIPS 180-4 AES-CBC A3854 SP 800-38A AES-CBC-CS3 A3854 SP 800-38A AES-CCM A3854 SP 800-38C AES-CFB128 A3854 SP 800-38A AES-CMAC A3854 SP 800-38B AES-CTR A3854 SP 800-38A AES-ECB A3854 SP 800-38A AES-GCM A3854 SP 800-38D AES-GMAC A3854 SP 800-38D AES-KW A3854 SP 800-38F AES-OFB A3854 SP 800-38A AES-XTS Testing Revision 2.0 A3854 SP 800-38E Counter DRBG A3854 SP 800-90A Rev. 1 AES-ECB A3855 SP 800-38A AES-GCM A3855 SP 800-38D Counter DRBG A3855 SP 800-90A Rev. 1 Hash DRBG A3855 SP 800-90A Rev. 1 HMAC DRBG A3855 SP 800-90A Rev. 1 AES-ECB A3856 SP 800-38A AES-GCM A3856 SP 800-38D Counter DRBG A3856 SP 800-90A Rev. 1 Hash DRBG A3856 SP 800-90A Rev. 1 HMAC DRBG A3856 SP 800-90A Rev. 1 AES-CBC A3857 SP 800-38A AES-CTR A3857 SP 800-38A AES-ECB A3857 SP 800-38A AES-XTS Testing Revision 2.0 A3857 SP 800-38E HMAC-SHA2-224 A3857 FIPS 198-1 HMAC-SHA2-256 A3857 FIPS 198-1 SHA2-224 A3857 FIPS 180-4 SHA2-256 A3857 FIPS 180-4 HMAC-SHA2-224 A3858 FIPS 198-1 HMAC-SHA2-256 A3858 FIPS 198-1 HMAC-SHA2-384 A3858 FIPS 198-1 HMAC-SHA2-512 A3858 FIPS 198-1 SHA2-224 A3858 FIPS 180-4 SHA2-256 A3858 FIPS 180-4 SHA2-384 A3858 FIPS 180-4 SHA2-512 A3858 FIPS 180-4 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference ECC and Key Type:Asymmetric N/A SP800-133r2, section DH CKG ECC Curves:P-256, P-384 (strength of 128, 192 4 (without XOR) bits) DH groups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 (strength of 112-200 bits) Table 6: Vendor-Affirmed Algorithms © 2024 Canonical Ltd. / atsec information security.
Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with Encryption external IV KBKDF (libkcapi) Key derivation HKDF (libkcapi) Key derivation PBKDF2 (libkcapi) Password-based key derivation RSA Encryption primitive; Decryption primitive RSA with PKCS#1 Signature generation (pre-hashed message); Signature verification (pre-hashed v1.5 padding message); Key encapsulation; Key un-encapsulation Table 7: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Encryption and BC-UnAuth SP800-38A. AES-ECB keys:128, AES-ECB Decryption with Encryption, 192, 256 bits with AES-ECB AES Decryption; SP800- 128, 192, 256 bits AES-ECB 38F. KTS (key of strength AES-ECB wrapping and key AES-CBC keys:128, AES-ECB unwrapping) per IG 192, 256 bits with AES-ECB D.G 128, 192, 256 bits AES-ECB of strength AES-ECB AES-CTR keys:128, AES-ECB 192, 256 bits with AES-ECB 128, 192, 256 bits AES-ECB of strength AES-ECB AES-XTS Testing AES-ECB Revision 2.0 AES-ECB keys:128, 256 bits AES-ECB with 128 and 256 AES-ECB bits of strength AES-ECB AES-KW keys:128, AES-ECB 192, 256 bits with AES-ECB 128, 192, 256 bits AES-ECB of strength AES-ECB AES-CFB128 AES-ECB keys:128, 192, 256 AES-ECB bits with 128, 192, AES-ECB
AES-OFB keys:128, AES-CBC 192, 256 bits with AES-CBC 128, 192, 256 bits AES-CBC of strength AES-CBC AES-CBC-CS3 AES-CBC © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms keys:128, 192, 256 AES-CBC bits with 128, 192, AES-CBC
AES-CBC AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-KW AES-KW AES-KW AES-KW AES-KW AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB128 AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 AES-CBC-CS3 Random Number DRBG SP800-90Ar1. Counter DRBG:128, Counter DRBG Generation with Random number 192, 256 bits Counter DRBG HMAC DRBG, Hash generation HMAC DRBG:128, Counter DRBG © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms DRBG or Counter 256 bits Counter DRBG DRBG Hash DRBG:128, Counter DRBG
Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG Counter DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Message MAC SP800-38B, SP800- HMAC-SHA-1 HMAC-SHA-1 Authentication with 38D, FISP198-1. keys:112-524288 HMAC-SHA-1 AES or HMAC Message bits with 112-256 HMAC-SHA-1 authentication bits of strength HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA-1 keys:112-524288 HMAC-SHA-1 bits 112-256 bits HMAC-SHA-1 with 112-256 bits of HMAC-SHA-1 strength HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-224 keys:112-524288 HMAC-SHA2-224 bits with 112-256 HMAC-SHA2-224 bits of strength HMAC-SHA2-224 HMAC-SHA2-384 HMAC-SHA2-224 keys:112-524288 HMAC-SHA2-224 bits with 112-256 HMAC-SHA2-224 bits of strength HMAC-SHA2-224 HMAC-SHA2-512 HMAC-SHA2-224 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-256 bits of strength HMAC-SHA2-256 AES-CMAC HMAC-SHA2-256 keys:128, 192, 256 HMAC-SHA2-256 bits with 128, 192, HMAC-SHA2-256
AES-GMAC HMAC-SHA2-256 keys:128, 192, 256 HMAC-SHA2-256 bits with 128, 192, HMAC-SHA2-256
HMAC-SHA3-224 HMAC-SHA2-384 keys:112-524288 HMAC-SHA2-384 bits with 112-256 HMAC-SHA2-384 bits of strength HMAC-SHA2-384 HMAC-SHA3-256 HMAC-SHA2-384 keys:112-524288 HMAC-SHA2-384 bits with 112-256 HMAC-SHA2-384 bits of strength HMAC-SHA2-512 HMAC-SHA3-384 HMAC-SHA2-512 keys:112-524288 HMAC-SHA2-512 bits with 112-256 HMAC-SHA2-512 bits of strength HMAC-SHA2-512 HMAC-SHA3-512 HMAC-SHA2-512 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms keys:112-524288 HMAC-SHA2-512 bits with 112-256 HMAC-SHA2-512 bits of strength AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-CMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC AES-GMAC HMAC-SHA3-224 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-384 HMAC-SHA3-512 HMAC-SHA3-512 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-384 SHA3-256 SHA3-512 SHA3-512 Shared Secret KAS-SSC SP 800-56Ar3. KAS- KAS-FFC-SSC KAS-FFC-SSC Computation with ECC-SSC and KAS- Sp800-56Ar3 Sp800-56Ar3 KAS-FFC-SSC or FFC-SSC per IG D.F keys:ffdhe2048, KAS-ECC-SSC KAS-ECC-SSC Scenario 2 (1) ffdhe3072, Sp800-56Ar3 ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of strength KAS-ECC-SSC Sp800-56Ar3 curves:P-256, P-384 with 128, 192 bits of strength Message Digest SHA FIPS180-4, FIPS202. SHA-1:N/A SHA-1 with SHA Message digest SHA2-224:N/A SHA-1 SHA2-256:N/A SHA-1 SHA2-384:N/A SHA-1 SHA2-512:N/A SHA-1 SHA3-224:N/A SHA-1 SHA3-256:N/A SHA-1 SHA3-384:N/A SHA-1 SHA3-512:N/A SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-384 SHA3-384 SHA3-512 SHA3-512 Key Pair Generation AsymKeyPair- FIPS186-4, SP800- Safe Primes Key Safe Primes Key with ECDSA or Safe KeyGen 56Ar3. ECDSA Key Generation Generation Primes pair generation keys:ffdhe2048, ECDSA KeyGen according to ffdhe3072, (FIPS186-4) FIPS186-4, ffdhe4096, Appendix B.4.2 per ffdhe6144, IG D.H and SP800- ffdhe8192 with 133r2, section 4 112-200 bits of (without XOR) 5.1, strength 5.2; Safe Primes ECDSA KeyGen Key Generation (FIPS186-4) according to SP800- curves:P-256, P-384 56Ar3, Section with 128, 192 bits
and SP800-133r2, section 4 (without XOR), 5.2 Authenticated BC-Auth SP800-38C. AES-CCM keys:128, AES-CCM Encryption and KTS-Wrap Authenticated 192, 256 bits with AES-CCM Authenticated encryption, 128, 192, 256 bits AES-CCM Decryption with Authenticated of strength AES-CCM AES-CCM decryption, KTS AES-CCM (key wrapping and AES-CCM AES-CCM © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms key unwrapping) per IG D.G Authenticated BC-Auth SP800-38D. AES-GCM keys:128, AES-GCM Decryption with KTS-Wrap Authenticated 192, 256 bits with AES-GCM AES-GCM decryption, KTS 128, 192, 256 bits AES-GCM (key unwrapping) of strength AES-GCM per IG D.G Compliance: FIPS AES-GCM 140-3 IG D.G AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Signature DigSig-SigVer FIPS186-4. RSA SigVer RSA SigVer Verification with Signature (FIPS186-4) (FIPS186-4) RSA verification keys:4096 bits with RSA SigVer
RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA-1 SHA2-224 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms SHA2-256 SHA2-384 SHA2-512 Authenticated BC-Auth SP800-38D. AES-GCM keys:128, AES-GCM Encryption with KTS-Wrap Authenticated 192, 256 bits with AES-GCM AES-GCM encryption KTS (key 128, 192, 256 bits AES-GCM wrapping) per IG of strength AES-GCM D.G AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM Authenticated BC-Auth SP800-38A, FIPS AES-CBC keys:128, HMAC-SHA-1 Encryption and KTS-Wrap 198-1. KTS (key 192, 256 bits with HMAC-SHA2-256 Authenticated wrapping and key 128, 192, 256 bits HMAC-SHA2-384 Decryption with unwrapping) per IG of security HMAC-SHA2-512 AES-CBC or AES- D.G AES-CTR keys:128, HMAC-SHA-1 CTR with HMAC 192, 256 bits with HMAC-SHA2-256 128, 192, 256 bits HMAC-SHA2-384 of security HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA2-256 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA2-384 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA-1 keys:112-524288 HMAC-SHA2-256 bits with 112-256 HMAC-SHA2-384 bits of security HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-256 © 2024 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CBC AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 © 2024 Canonical Ltd. / atsec information security.
Table 8: Security Function Implementations
For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 (b) of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSE ED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in the Approved Services table.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical.
The module offers DH and ECDH shared secret computation services compliant to the SP 80056Ar3 and meeting IG D.F scenario 2 path (1). In order to meet the required assurances listed in Section 5.6 of SP 800-56Ar3, the module shall be used together with an application that implements the IPSec protocol and the following steps shall be performed: 1. The entity using the module, must use the module's "Key pair generation" service: the set_secret and generate_public_key API functions, to generate DH/ECDH ephemeral key pairs. This meets the assurances required by key pair owner defined in the section
© 2024 Canonical Ltd. / atsec information security.
The module implements HMAC with SHA3-224, SHA3-256, SHA3-384, SHA3-512. The CAVP certificates have been obtained for the HMAC algorithm as well as for all the SHA3 implementations. The CAVP certificates are listed in the Approved Algorithms table.
The module implements FIPS 186-4 RSA SigVer. All RSA modulus lengths (i.e., 2048, 3072,
4096 bits) have been CAVP tested. The CAVP certificates are listed in the Approved Algorithms
Cert Vendor Number Name E59 Canonical Ltd. Table 9: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Canonical Non- Ubuntu 22.04 LTS 64-bit on Intel(R) Xeon(R) 64 bits 59.43 LinearKernel CPU Physical Gold 6226 on Supermicro SYS-1019P-WTR; bits Feedback Shift Time Jitter Ubuntu Core 22 64-bit on Intel(R) Xeon(R) Register (LFSR) RNG Entropy Gold 6226 on Supermicro SYS-1019P-WTR; source Ubuntu 22.04 LTS 64-bit on AWS Graviton2 on Amazon Web Services (AWS) c6g.metal; Ubuntu Core 22 64-bit on AWS Graviton2 on Amazon Web Services (AWS) c6g.metal; Ubuntu 22.04 LTS 64-bit on IBM z15 on IBM z15 Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each of these DRBG implementations can be instantiated by the operator of the module, using the parameters listed specified in the Security Function Implementations table. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC SHA-512 DRBG implementation for internal purposes (e.g. to generate asymmetric key pairs). This DRBG is initially seeded with © 2024 Canonical Ltd. / atsec information security.
448 output bits from the entropy source (416 bits of entropy) and reseeded with 320 output
bits from the entropy source (297 bits of entropy).
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are directly obtained as output from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without XOR). The following methods are implemented:
The module implements SSP agreement and SSP transport methods as listed in the Security Function Implementations table. The module implements the following SSP establishment methods: Key agreement:
security strength, and 112-524288 bits HMAC keys with 112-256 bits of security strength.
AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. For Diffie-Hellman, the module supports the use of the following safe primes:
Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type sockets N/A Data Output API output parameters, AF_ALG type sockets N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel command line N/A Status API return values, AF_ALG type sockets, kernel logs Output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. © 2024 Canonical Ltd. / atsec information security.
Name Type Operator Type Authentication Methods CO Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.
Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Message Compute a crypto_shash_init returns 0 Message Digest Message CO Digest message Value Digest with digest SHA Encryption Encrypt a crypto_skcipher_setkey AES Key, Ciphertex Encryption CO plaintext returns 0 plaintext t and - AES Key: Decryption W,E with AES Decryption Decrypt a crypto_skcipher_setkey AES Key, Plaintext Encryption CO ciphertext returns 0 cipherte and - AES Key: xt Decryption W,E with AES Authenticat Encrypt a For all except AES GCM: AES Key, Ciphertex Authenticat CO ed plaintext crypto_aead_setkey returns 0; IV, t, MAC tag ed - AES Key: Encryption For AES GCM: plaintext Encryption W,E crypto_aead_get_flags(tfm) and has the Authenticat CRYPTO_ALG_FIPS140_COMP ed LIANT flag set Decryption with AESCCM Authenticat ed Encryption with AESGCM Authenticat ed Encryption and Authenticat ed © 2024 Canonical Ltd. / atsec information security.
Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Decryption with AESCBC or AESCTR with HMAC Authenticat Decrypt a For all except AES GCM: AES key, Plaintext Authenticat CO ed ciphertext crypto_aead_setkey returns 0; IV, MAC or failure ed - AES Key: Decryption For AES GCM: tag, Encryption W,E crypto_aead_get_flags(tfm) cipherte and has the xt Authenticat CRYPTO_ALG_FIPS140_COMP ed LIANT flag set Decryption with AESCCM Authenticat ed Decryption with AESGCM Authenticat ed Encryption and Authenticat ed Decryption with AESCBC or AESCTR with HMAC Message Compute a crypto_shash_init returns 0 AES Key MAC tag Message CO Authenticati MAC tag or HMAC Authenticati - AES Key: on key, on with AES W,E message or HMAC - HMAC Key: W,E Random Generate crypto_rng_get_bytes returns Output Random Random CO Number random 0 length bytes Number - Entropy Generation bytes Generation Input (IG with HMAC D.L): W,E DRBG, Hash - DRBG DRBG or Seed (IG Counter D.L): G,E DRBG - DRBG Internal State (V, Key) (IG D.L): G,W,E - DRBG Internal State (V, C) (IG D.L): G,W,E © 2024 Canonical Ltd. / atsec information security.
Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Shared Compute a crypto_kpp_compute_shared_ DH Shared Shared CO Secret shared secret returns 0 private secret Secret - DH Public Computatio secret key, DH Computatio Key: W,E n public n with KAS- - DH key or FFC-SSC or Private EC KAS-ECC- Key: W,E private SSC - EC Public key, EC Key: W,E public - EC key Private Key: W,E - Shared Secret: G,R Key Pair Generate a crypto_kpp_set_secret and Safe Safe Key Pair CO Generation key pair crypto_kpp_generate_public_ Primes: Primes: Generation key return 0 Group; DH with ECDSA Intermedia ECDSA: private or Safe te Key Curve key, DH Primes Generatio public n Value: key; G,E,Z ECDSA: EC - DH Public private Key: G,R key, EC - DH public key Private Key: G,R - EC Public Key: G,R - EC Private Key: G,R Error Compute None Message EDC None CO Detection an EDC Code (crc32, crct10dif) Compressio Compress None Data Compress None CO n data ed data (deflate, lz4, lz4hc, lzo, zlibdeflate, zstd) Generic Use the None Identifie Various None CO System Call kernel to r, various return perform argumen values various ts noncryptograp hic operations Show Return the None N/A Module None CO Version module name and name and version version © 2024 Canonical Ltd. / atsec information security.
Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access informatio n Show Status Return the None N/A Module None CO module status status Self-Test Perform None N/A Pass/fail Encryption CO the CASTs and and Decryption integrity with AES tests Random Number Generation with HMAC DRBG, Hash DRBG or Counter DRBG Message Authenticati on with AES or HMAC Shared Secret Computatio n with KASFFC-SSC or KAS-ECCSSC Message Digest with SHA Authenticat ed Encryption and Authenticat ed Decryption with AESCCM Authenticat ed Decryption with AESGCM Signature Verification with RSA Authenticat ed Encryption with AESGCM © 2024 Canonical Ltd. / atsec information security.
Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Zeroization Zeroize all None Any SSP N/A None CO SSPs - AES Key: Z - HMAC Key: Z - Shared Secret: Z - Entropy Input (IG D.L): Z - DRBG Seed (IG D.L): Z - DRBG Internal State (V, Key) (IG D.L): Z - DRBG Internal State (V, C) (IG D.L): Z - DH Public Key: Z - DH Private Key: Z - EC Public Key: Z - EC Private Key: Z Intermedia te Key Generatio n Value: Z Table 13: Approved Services The following convention is used to specify access rights to SSPs:
Name Description Algorithms Role AES-GCM with Encryption AES-GCM with CO external IV external IV KBKDF (libkcapi) Key derivation KBKDF (libkcapi) CO HKDF (libkcapi) Key derivation HKDF (libkcapi) CO PBKDF2 Password-based key derivation PBKDF2 (libkcapi) CO (libkcapi) RSA Encryption primitive; Decryption primitive RSA CO RSA with Signature generation (pre-hashed message); Signature RSA with PKCS#1 CO PKCS#1 v1.5 verification (pre-hashed message); Key encapsulation; Key v1.5 padding padding un-encapsulation Table 14: Non-Approved Services
Not applicable. © 2024 Canonical Ltd. / atsec information security.
The Linux kernel binary is integrity tested using an HMAC SHA-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). The kernel crypto object files listed in the Tested Module Identification
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. © 2024 Canonical Ltd. / atsec information security.
Type of Operational Environment: Modifiable How Requirements are Satisfied: the module executes as part of a general-purpose operating system (Canonical Ubuntu 22.04 and Canonical Ubuntu Core 22), which allows modification, loading, and execution of software that is not part of the validated module. The approved cryptographic algorithms of the module are part of the Linux kernel, which operates in Linux kernel space. This ensures that any SSPs contained within the module are protected by the process isolation and memory separation mechanisms provided by the Linux kernel, and only the module has control over these SSPs. The user space libkcapi and sha512hmac components, though not processing any SSPs, are similarly protected by the operating environment.
The module shall be installed as specified in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2024 Canonical Ltd. / atsec information security.
The module is comprised of software only and therefore this section is not applicable. © 2024 Canonical Ltd. / atsec information security.
This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2024 Canonical Ltd. / atsec information security.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the Dynamic module as part of service Dynamic execution Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling Cryptographic Plaintext Manual Electronic parameters; application module AF_ALG_type (TOEPP) sockets (input) API output Cryptographic Operator calling Plaintext Manual Electronic parameters; module application AF_ALG type (TOEPP) sockets (output) Table 16: SSP Input-Output Methods
Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the SSPs Memory occupied by By calling the appropriate zeroization handle contained within SSPs is overwritten functions: AES key: crypto_free_skcipher and the cipher handle with zeroes, which crypto_free_aead; HMAC key: renders the SSP crypto_free_shash and crypto_free_ahash; values irretrievable Internal state: crypto_free_rng; DH public & private key: crypto_free_kpp; EC public & private key: crypto_free_kpp Automatic Automatically Memory occupied by N/A zeroized by the SSPs is overwritten module when no with zeroes, which longer needed renders the SSP values irretrievable. Remove De-allocates the Volatile memory By removing power power from volatile memory used by the module the module used to store SSPs is overwritten within nanoseconds when power is removed. Table 17: SSP Zeroization Methods © 2024 Canonical Ltd. / atsec information security.
All data output is inhibited during zeroization.
Name Description Size - Strength Type - Generated Established Used By Category By By AES Key AES key used XTS: 128, 256 Symmetric Encryption and for Encryption; bits; ECB, CBC, key - CSP Decryption Decryption; CTR, CFB128, with AES Authenticated CBC-CTS-CS3, Message encryption; KW, OFB, CCM, Authentication Authenticated GCM, CMAC, with AES or decryption; CMAC: 128, 192, HMAC Message 256 bits - XTS: authentication; 128, 256 bits; ECB, CBC, CTR, CFB128, CBCCTS-CS3, KW, OFB, CCM, GCM, CMAC, CMAC: 128, 192,
HMAC Key HMAC key used 112-524288 bits Symmetric Message for Message - 112-256 bits key - CSP Authentication authentication with AES or code (MAC); HMAC Shared Shared secret KAS-FFC- Shared Shared Secret established SSC:ffdhe2048, secret - CSP Secret during Shared ffdhe3072, Computation Secret ffdhe4096, with KASComputation ffdhe6144, FFC-SSC or ffdhe8192; KAS- KAS-ECC-SSC ECC-SSC: P-256, P-384 bits KAS-FFC-SSC: 112-200 bits; KAS-ECC-SSC: 128, 192 bits Entropy Entropy input 128-448 bits - Entropy Random Input (IG D.L) used to seed 128-256 bits input - CSP Number the DRBGs Generation with HMAC DRBG, Hash DRBG or Counter DRBG DRBG Seed DRBG seed Counter DRBG: Seed - CSP Random Random (IG D.L) derived from 256, 320, 384 Number Number Entropy Input bits; Generation Generation Hash_DRBG: with HMAC with HMAC 440, 888 bits; DRBG, DRBG, Hash HMAC DRBG: Hash DRBG DRBG or 160, 256, 512 or Counter Counter DRBG bits - Counter DRBG DRBG: 128, 192, © 2024 Canonical Ltd. / atsec information security.
Name Description Size - Strength Type - Generated Established Used By Category By By
DRBG: 128, 256 bits; HMAC DRBG: 128, 256 bits DRBG Internal state Counter DRBG: Internal Random Random Internal of Counter 256, 320, 348 state - CSP Number Number State (V, DRBG and bits; HMAC Generation Generation Key) (IG D.L) HMAC DRBG DRBG: 320, 512, with HMAC with HMAC instances 1024 bits - DRBG, DRBG, Hash Counter DRBG: Hash DRBG DRBG or 128, 192, 256 or Counter Counter DRBG bits; HMAC DRBG DRBG: 128, 256 bits DRBG Internal state 440, 888 bits - Internal Random Random Internal of Hash DRBG 128, 256 bits state - CSP Number Number State (V, C) instance Generation Generation (IG D.L) with HMAC with HMAC DRBG, DRBG, Hash Hash DRBG DRBG or or Counter Counter DRBG DRBG DH Public Public key used ffdhe2048, Public key - Key Pair Shared Secret Key for KAS-FFC- ffdhe3072, PSP Generation Computation SSC ffdhe4096, with with KAS-FFCffdhe6144, ECDSA or SSC or KASffdhe8192 - Safe ECC-SSC 112-200 bits Primes DH Private DH private key ffdhe2048, Private key - Key Pair Shared Secret Key used for KAS- ffdhe3072, CSP Generation Computation FFC-SSC ffdhe4096, with with KAS-FFCffdhe6144, ECDSA or SSC or KASffdhe8192 - Safe ECC-SSC 112-200 bits Primes EC Public Public key used P-256, P-384 - Public key - Key Pair Shared Secret Key for KAS-ECC- 128, 192 bits PSP Generation Computation SSC with with KAS-FFCECDSA or SSC or KASSafe ECC-SSC Primes EC Private EC private key P-521, P-384 - Private key - Key Pair Shared Secret Key used for KAS- 128, 192 bits CSP Generation Computation ECC-SSC with with KAS-FFCECDSA or SSC or KASSafe ECC-SSC Primes Intermediate Intermediate 2048-8192 bits Intermediate Key Pair Key Pair Key value - 112-200 bits value - CSP Generation Generation Generation generated with with ECDSA or Value during Key Pair ECDSA or Safe Primes Generation Safe Primes © 2024 Canonical Ltd. / atsec information security.
Table 18: SSP Table 1 Name Input - Output Storage Storage Zeroization Related SSPs Duration AES Key API input RAM:Plaintext From service Free cipher parameters; invocation to handle AF_ALG_type service Remove sockets (input) completion power from the module HMAC Key API input RAM:Plaintext From service Free cipher parameters; invocation to handle AF_ALG_type service Remove sockets (input) completion power from the module Shared Secret API output RAM:Plaintext From service Free cipher DH Public parameters; invocation to handle Key:Derived From AF_ALG type service Remove DH Private sockets (output) completion power from Key:Derived From the module EC Public Key:Derived From EC Private Key:Derived From Entropy Input RAM:Plaintext From service Automatic DRBG Seed (IG (IG D.L) invocation to Remove D.L):Derives service power from completion the module DRBG Seed (IG RAM:Plaintext From service Automatic Entropy Input (IG D.L) invocation to Remove D.L):Derived From service power from DRBG Internal State completion the module (V, Key) (IG D.L):Derives DRBG Internal State (V, C) (IG D.L):Derives DRBG Internal RAM:Plaintext From service Free cipher DRBG Seed (IG State (V, Key) invocation to handle D.L):Derived From (IG D.L) service Remove completion power from the module DRBG Internal RAM:Plaintext From service Free cipher DRBG Seed (IG State (V, C) (IG invocation to handle D.L):Derived From D.L) service Remove completion power from the module DH Public Key API input RAM:Plaintext From service Free cipher DH Private parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From DH Private Key API input RAM:Plaintext From service Free cipher DH Public Key:Paired parameters; invocation to handle With AF_ALG_type Remove Shared © 2024 Canonical Ltd. / atsec information security.
Name Input - Output Storage Storage Zeroization Related SSPs Duration sockets (input) service power from Secret:Derives API output completion the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From EC Public Key API input RAM:Plaintext From service Free cipher EC Private parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From EC Private Key API input RAM:Plaintext From service Free cipher EC Public Key:Paired parameters; invocation to handle With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets (output) From Intermediate RAM:Plaintext From service Automatic DH Public Key Generation invocation to Key:Generates Value service DH Private completion Key:Generates EC Public Key:Generates EC Private Key:Generates Table 19: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 was withdrawn on February 3, 2024. © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Indicator Details Test Properties Type HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3812) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3813) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3814) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3832) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3850) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3851) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3852) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3853) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3857) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for libkcapi
256 (A3858) Authentication Integrity operational and
services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3812) Authentication Integrity operational and and sha512hmac
services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3813) Authentication Integrity operational and and sha512hmac
binaries © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Indicator Details Test Properties Type services are available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3814) Authentication Integrity operational and and sha512hmac
services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3832) Authentication Integrity operational and and sha512hmac
services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3850) Authentication Integrity operational and and sha512hmac
services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3851) Authentication Integrity operational and and sha512hmac
services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3852) Authentication Integrity operational and and sha512hmac
services are available binaries for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for kernel
512 (A3858) Authentication Integrity operational and and sha512hmac
services are available binaries for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3814) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3832) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3850) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3851) services are available for use RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for kernel (FIPS186-4) with SHA-512 Verification Integrity operational and crypto object files (A3852) services are available for use Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3812) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3813) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3820) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3821) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3824) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3825) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3830) keys, encrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3831) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3833) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3834) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3841) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3842) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3844) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3845) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, encrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3855) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3856) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3857) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3812) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3813) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3820) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3821) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, decrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3824) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3825) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3830) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3831) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3833) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3834) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3841) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3842) keys, decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3844) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3845) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3855) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3856) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-ECB 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3857) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, encrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3857) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3857) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3819) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3828) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3838) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3849) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CBC-CS3 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3819) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3828) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3838) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3849) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use AES-CBC-CS3 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3817) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3826) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3836) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3847) keys, encrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-CFB128 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3817) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3826) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3836) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3847) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CFB128 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, encrypt becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3857) keys, encrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CTR 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3857) keys, decrypt becomes power-on operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3853) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, 128-bit IVs, becomes power-on encrypt operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3853) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-CCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, 128-bit IVs, becomes power-on decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3814) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3820) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3821) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3822) keys, 96-bit (internal becomes power-on IV), encrypt operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3824) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3825) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3829) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3830) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3831) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3832) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3833) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3834) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3840) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3841) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3842) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3843) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3844) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3845) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3854) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3855) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Encryption Test runs at (A3856) keys, 96-bit (internal becomes power-on IV), encrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3814) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3820) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3821) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3822) keys, 96-bit (internal becomes power-on IV), decrypt operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3824) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3825) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3829) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3830) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3831) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3832) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3833) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3834) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3840) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3841) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3842) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3843) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3844) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3845) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3854) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3855) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-GCM 128, 192, 256 bit KAT CAST Module Decryption Test runs at (A3856) keys, 96-bit (internal becomes power-on IV), decrypt operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3818) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3827) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3837) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3848) becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-OFB 128 bit keys, encrypt KAT CAST Module Encryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3818) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3827) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3837) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3848) becomes power-on operational and before the services are integrity test available for use AES-OFB 128 bit keys, decrypt KAT CAST Module Decryption Test runs at (A3854) becomes power-on operational and before the services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3814) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3822) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3829) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3832) services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3840) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3843) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3853) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3854) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Encryption Test runs at Testing encrypt becomes power-on Revision 2.0 operational and before the (A3857) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3814) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3822) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3829) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3832) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3840) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Revision 2.0 services are before the (A3843) available for use integrity test AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3853) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3854) services are integrity test available for use AES-XTS 128 and 256 bit keys, KAT CAST Module Decryption Test runs at Testing decrypt becomes power-on Revision 2.0 operational and before the (A3857) services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3814) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3822) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3829) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3832) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3843) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3853) encrypt becomes authentication power-on operational and before the services are integrity test available for use AES-CMAC 128 and 256 bit keys, KAT CAST Module Message Test runs at (A3854) encrypt becomes authentication power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3857) becomes power-on operational and before the services are integrity test available for use SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3853) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3857) becomes power-on operational and before the services are integrity test available for use SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3812) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3813) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3814) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3832) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3850) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3851) becomes power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3852) becomes power-on operational and before the services are integrity test available for use SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A3858) becomes power-on operational and before the services are integrity test available for use SHA3-224 SHA3-224 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-224 SHA3-224 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use SHA3-256 SHA3-256 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-256 SHA3-256 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use SHA3-384 SHA3-384 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-384 SHA3-384 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use SHA3-512 SHA3-512 KAT CAST Module Message digest Test runs at (A3816) becomes power-on operational and before the services are integrity test available for use SHA3-512 SHA3-512 KAT CAST Module Message digest Test runs at (A3839) becomes power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3812) becomes authentication power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3813) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3814) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3832) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3850) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3851) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3852) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A3853) becomes authentication power-on operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3812) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3813) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3814) becomes authentication power-on
operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3832) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3850) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3851) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3852) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3853) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3857) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at
224 (A3858) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3812) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3813) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3814) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3832) becomes authentication power-on
operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3850) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3851) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3852) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3853) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3857) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at
256 (A3858) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3812) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3813) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3814) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3832) becomes authentication power-on
operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3850) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3851) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3852) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at
384 (A3858) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3812) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3813) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3814) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3832) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3850) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3851) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3852) becomes authentication power-on
operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at
512 (A3858) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-224 KAT CAST Module Message Test runs at
224 (A3816) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-224 KAT CAST Module Message Test runs at
224 (A3839) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-256 KAT CAST Module Message Test runs at
256 (A3816) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-256 KAT CAST Module Message Test runs at
256 (A3839) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-384 KAT CAST Module Message Test runs at
384 (A3816) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-384 KAT CAST Module Message Test runs at
384 (A3839) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at
512 (A3816) becomes authentication power-on
operational and before the services are integrity test available for use HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at
512 (A3839) becomes authentication power-on
operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3812) PR operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3813) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3814) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3820) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3821) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3822) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3824) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3825) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3829) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3830) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3831) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3832) PR operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3833) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3834) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3840) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3841) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3842) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3843) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3844) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3845) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3854) PR operational and before the services are integrity test available for use Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3855) PR operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Counter 128, 192, 256 bit KAT CAST Module SP800-90Arev1 Test runs at DRBG keys, with/without becomes health test power-on (A3856) PR operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3812) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3813) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3814) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3820) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3821) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3822) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3824) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3825) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3830) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3831) With/without PR becomes health test power-on operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3832) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3833) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3834) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3840) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3841) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3842) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3843) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3844) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3845) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3850) With/without PR becomes health test power-on operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3851) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3852) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3855) With/without PR becomes health test power-on operational and before the services are integrity test available for use Hash DRBG SHA2-256 KAT CAST Module SP800-90Arev1 Test runs at (A3856) With/without PR becomes health test power-on operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3812) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3813) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3814) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3820) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3821) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3822) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3824) HMAC-SHA2-512, becomes health test power-on with/without PR operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3825) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3830) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3831) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3832) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3833) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3834) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3840) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3841) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3842) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3843) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3844) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3845) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3850) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3851) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3852) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3855) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use HMAC DRBG HMAC-SHA2-256, KAT CAST Module SP800-90Arev1 Test runs at (A3856) HMAC-SHA2-512, becomes health test power-on with/without PR operational and before the services are integrity test available for use KAS-ECC-SSC P-256, P-384 curves KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3813) operational and before the services are integrity test available for use KAS-FFC-SSC ffdhe2048 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A3812) operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3814) SHA2-256 operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3832) SHA2-256 operational and © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3850) SHA2-256 operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3851) SHA2-256 operational and before the services are integrity test available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module Digital signature Test runs at (FIPS186-4) 2048 bit key and becomes verification power-on (A3852) SHA2-256 operational and before the services are integrity test available for use Safe Primes ffdhe2048, PCT PCT Successful key Signature Key pair Key ffdhe3072, pair generation generation & generation Generation ffdhe4096, verification (A3812) ffdhe6144, ffdhe8192, Section
Candidates ECDSA SHA2-256, P-256, P- PCT PCT Successful key Signature Key pair KeyGen 384 curves, Appendix pair generation generation & generation (FIPS186-4) B.4.2 Testing verification (A3813) Candidates Entropy 1024 samples RCT CAST Module Entropy source Entropy source Source becomes startup test initialization operational and services are available for use Entropy 1024 samples APT CAST Module Entropy source Entropy source Source becomes startup test initialization operational and services are available for use Entropy Continuously RCT CAST Entropy source Entropy source Continuously Source is operational continuous test Entropy Continuously APT CAST Entropy source Entropy source Continuously Source is operational continuous test Table 21: Conditional Self-Tests If any conditional self-test fails, the module enters the Error State.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3812) Authentication © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3813) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3814) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3832) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3850) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3851) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3852) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3853) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3857) Authentication HMAC-SHA2-256 Message SW/FW Integrity On Demand Manually (A3858) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3812) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3813) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3814) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3832) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3850) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3851) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3852) Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A3858) Authentication RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3814) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3832) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3850) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3851) Verification RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-4) (A3852) Verification Table 22: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A3812) KAT CAST On Demand Manually AES-ECB (A3813) KAT CAST On Demand Manually AES-ECB (A3814) KAT CAST On Demand Manually AES-ECB (A3820) KAT CAST On Demand Manually AES-ECB (A3821) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A3822) KAT CAST On Demand Manually AES-ECB (A3824) KAT CAST On Demand Manually AES-ECB (A3825) KAT CAST On Demand Manually AES-ECB (A3829) KAT CAST On Demand Manually AES-ECB (A3830) KAT CAST On Demand Manually AES-ECB (A3831) KAT CAST On Demand Manually AES-ECB (A3832) KAT CAST On Demand Manually AES-ECB (A3833) KAT CAST On Demand Manually AES-ECB (A3834) KAT CAST On Demand Manually AES-ECB (A3840) KAT CAST On Demand Manually AES-ECB (A3841) KAT CAST On Demand Manually AES-ECB (A3842) KAT CAST On Demand Manually AES-ECB (A3843) KAT CAST On Demand Manually AES-ECB (A3844) KAT CAST On Demand Manually AES-ECB (A3845) KAT CAST On Demand Manually AES-ECB (A3853) KAT CAST On Demand Manually AES-ECB (A3854) KAT CAST On Demand Manually AES-ECB (A3855) KAT CAST On Demand Manually AES-ECB (A3856) KAT CAST On Demand Manually AES-ECB (A3857) KAT CAST On Demand Manually AES-ECB (A3812) KAT CAST On Demand Manually AES-ECB (A3813) KAT CAST On Demand Manually AES-ECB (A3814) KAT CAST On Demand Manually AES-ECB (A3820) KAT CAST On Demand Manually AES-ECB (A3821) KAT CAST On Demand Manually AES-ECB (A3822) KAT CAST On Demand Manually AES-ECB (A3824) KAT CAST On Demand Manually AES-ECB (A3825) KAT CAST On Demand Manually AES-ECB (A3829) KAT CAST On Demand Manually AES-ECB (A3830) KAT CAST On Demand Manually AES-ECB (A3831) KAT CAST On Demand Manually AES-ECB (A3832) KAT CAST On Demand Manually AES-ECB (A3833) KAT CAST On Demand Manually AES-ECB (A3834) KAT CAST On Demand Manually AES-ECB (A3840) KAT CAST On Demand Manually AES-ECB (A3841) KAT CAST On Demand Manually AES-ECB (A3842) KAT CAST On Demand Manually AES-ECB (A3843) KAT CAST On Demand Manually AES-ECB (A3844) KAT CAST On Demand Manually AES-ECB (A3845) KAT CAST On Demand Manually AES-ECB (A3853) KAT CAST On Demand Manually AES-ECB (A3854) KAT CAST On Demand Manually AES-ECB (A3855) KAT CAST On Demand Manually AES-ECB (A3856) KAT CAST On Demand Manually AES-ECB (A3857) KAT CAST On Demand Manually AES-CBC (A3814) KAT CAST On Demand Manually AES-CBC (A3822) KAT CAST On Demand Manually AES-CBC (A3829) KAT CAST On Demand Manually AES-CBC (A3832) KAT CAST On Demand Manually AES-CBC (A3840) KAT CAST On Demand Manually AES-CBC (A3843) KAT CAST On Demand Manually AES-CBC (A3853) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A3854) KAT CAST On Demand Manually AES-CBC (A3857) KAT CAST On Demand Manually AES-CBC (A3814) KAT CAST On Demand Manually AES-CBC (A3822) KAT CAST On Demand Manually AES-CBC (A3829) KAT CAST On Demand Manually AES-CBC (A3832) KAT CAST On Demand Manually AES-CBC (A3840) KAT CAST On Demand Manually AES-CBC (A3843) KAT CAST On Demand Manually AES-CBC (A3853) KAT CAST On Demand Manually AES-CBC (A3854) KAT CAST On Demand Manually AES-CBC (A3857) KAT CAST On Demand Manually AES-CBC-CS3 KAT CAST On Demand Manually (A3819) AES-CBC-CS3 KAT CAST On Demand Manually (A3828) AES-CBC-CS3 KAT CAST On Demand Manually (A3838) AES-CBC-CS3 KAT CAST On Demand Manually (A3849) AES-CBC-CS3 KAT CAST On Demand Manually (A3853) AES-CBC-CS3 KAT CAST On Demand Manually (A3854) AES-CBC-CS3 KAT CAST On Demand Manually (A3819) AES-CBC-CS3 KAT CAST On Demand Manually (A3828) AES-CBC-CS3 KAT CAST On Demand Manually (A3838) AES-CBC-CS3 KAT CAST On Demand Manually (A3849) AES-CBC-CS3 KAT CAST On Demand Manually (A3853) AES-CBC-CS3 KAT CAST On Demand Manually (A3854) AES-CFB128 KAT CAST On Demand Manually (A3817) AES-CFB128 KAT CAST On Demand Manually (A3826) AES-CFB128 KAT CAST On Demand Manually (A3836) AES-CFB128 KAT CAST On Demand Manually (A3847) AES-CFB128 KAT CAST On Demand Manually (A3854) AES-CFB128 KAT CAST On Demand Manually (A3817) AES-CFB128 KAT CAST On Demand Manually (A3826) AES-CFB128 KAT CAST On Demand Manually (A3836) AES-CFB128 KAT CAST On Demand Manually (A3847) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-CFB128 KAT CAST On Demand Manually (A3854) AES-CTR (A3814) KAT CAST On Demand Manually AES-CTR (A3822) KAT CAST On Demand Manually AES-CTR (A3829) KAT CAST On Demand Manually AES-CTR (A3832) KAT CAST On Demand Manually AES-CTR (A3840) KAT CAST On Demand Manually AES-CTR (A3843) KAT CAST On Demand Manually AES-CTR (A3853) KAT CAST On Demand Manually AES-CTR (A3854) KAT CAST On Demand Manually AES-CTR (A3857) KAT CAST On Demand Manually AES-CTR (A3814) KAT CAST On Demand Manually AES-CTR (A3822) KAT CAST On Demand Manually AES-CTR (A3829) KAT CAST On Demand Manually AES-CTR (A3832) KAT CAST On Demand Manually AES-CTR (A3840) KAT CAST On Demand Manually AES-CTR (A3843) KAT CAST On Demand Manually AES-CTR (A3853) KAT CAST On Demand Manually AES-CTR (A3854) KAT CAST On Demand Manually AES-CTR (A3857) KAT CAST On Demand Manually AES-CCM (A3814) KAT CAST On Demand Manually AES-CCM (A3822) KAT CAST On Demand Manually AES-CCM (A3829) KAT CAST On Demand Manually AES-CCM (A3832) KAT CAST On Demand Manually AES-CCM (A3843) KAT CAST On Demand Manually AES-CCM (A3853) KAT CAST On Demand Manually AES-CCM (A3854) KAT CAST On Demand Manually AES-CCM (A3814) KAT CAST On Demand Manually AES-CCM (A3822) KAT CAST On Demand Manually AES-CCM (A3829) KAT CAST On Demand Manually AES-CCM (A3832) KAT CAST On Demand Manually AES-CCM (A3843) KAT CAST On Demand Manually AES-CCM (A3853) KAT CAST On Demand Manually AES-CCM (A3854) KAT CAST On Demand Manually AES-GCM (A3814) KAT CAST On Demand Manually AES-GCM (A3820) KAT CAST On Demand Manually AES-GCM (A3821) KAT CAST On Demand Manually AES-GCM (A3822) KAT CAST On Demand Manually AES-GCM (A3824) KAT CAST On Demand Manually AES-GCM (A3825) KAT CAST On Demand Manually AES-GCM (A3829) KAT CAST On Demand Manually AES-GCM (A3830) KAT CAST On Demand Manually AES-GCM (A3831) KAT CAST On Demand Manually AES-GCM (A3832) KAT CAST On Demand Manually AES-GCM (A3833) KAT CAST On Demand Manually AES-GCM (A3834) KAT CAST On Demand Manually AES-GCM (A3840) KAT CAST On Demand Manually AES-GCM (A3841) KAT CAST On Demand Manually AES-GCM (A3842) KAT CAST On Demand Manually AES-GCM (A3843) KAT CAST On Demand Manually AES-GCM (A3844) KAT CAST On Demand Manually AES-GCM (A3845) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A3854) KAT CAST On Demand Manually AES-GCM (A3855) KAT CAST On Demand Manually AES-GCM (A3856) KAT CAST On Demand Manually AES-GCM (A3814) KAT CAST On Demand Manually AES-GCM (A3820) KAT CAST On Demand Manually AES-GCM (A3821) KAT CAST On Demand Manually AES-GCM (A3822) KAT CAST On Demand Manually AES-GCM (A3824) KAT CAST On Demand Manually AES-GCM (A3825) KAT CAST On Demand Manually AES-GCM (A3829) KAT CAST On Demand Manually AES-GCM (A3830) KAT CAST On Demand Manually AES-GCM (A3831) KAT CAST On Demand Manually AES-GCM (A3832) KAT CAST On Demand Manually AES-GCM (A3833) KAT CAST On Demand Manually AES-GCM (A3834) KAT CAST On Demand Manually AES-GCM (A3840) KAT CAST On Demand Manually AES-GCM (A3841) KAT CAST On Demand Manually AES-GCM (A3842) KAT CAST On Demand Manually AES-GCM (A3843) KAT CAST On Demand Manually AES-GCM (A3844) KAT CAST On Demand Manually AES-GCM (A3845) KAT CAST On Demand Manually AES-GCM (A3854) KAT CAST On Demand Manually AES-GCM (A3855) KAT CAST On Demand Manually AES-GCM (A3856) KAT CAST On Demand Manually AES-OFB (A3818) KAT CAST On Demand Manually AES-OFB (A3827) KAT CAST On Demand Manually AES-OFB (A3837) KAT CAST On Demand Manually AES-OFB (A3848) KAT CAST On Demand Manually AES-OFB (A3854) KAT CAST On Demand Manually AES-OFB (A3818) KAT CAST On Demand Manually AES-OFB (A3827) KAT CAST On Demand Manually AES-OFB (A3837) KAT CAST On Demand Manually AES-OFB (A3848) KAT CAST On Demand Manually AES-OFB (A3854) KAT CAST On Demand Manually AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3814) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3822) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3829) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3832) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3840) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3843) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3853) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3854) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3857) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3814) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3822) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3829) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3832) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3840) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3843) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3853) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3854) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3857) AES-CMAC (A3814) KAT CAST On Demand Manually AES-CMAC (A3822) KAT CAST On Demand Manually AES-CMAC (A3829) KAT CAST On Demand Manually AES-CMAC (A3832) KAT CAST On Demand Manually AES-CMAC (A3843) KAT CAST On Demand Manually AES-CMAC (A3853) KAT CAST On Demand Manually AES-CMAC (A3854) KAT CAST On Demand Manually SHA-1 (A3812) KAT CAST On Demand Manually SHA-1 (A3813) KAT CAST On Demand Manually SHA-1 (A3814) KAT CAST On Demand Manually SHA-1 (A3832) KAT CAST On Demand Manually SHA-1 (A3850) KAT CAST On Demand Manually SHA-1 (A3851) KAT CAST On Demand Manually SHA-1 (A3852) KAT CAST On Demand Manually SHA-1 (A3853) KAT CAST On Demand Manually SHA2-224 (A3812) KAT CAST On Demand Manually SHA2-224 (A3813) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method SHA2-224 (A3814) KAT CAST On Demand Manually SHA2-224 (A3832) KAT CAST On Demand Manually SHA2-224 (A3850) KAT CAST On Demand Manually SHA2-224 (A3851) KAT CAST On Demand Manually SHA2-224 (A3852) KAT CAST On Demand Manually SHA2-224 (A3853) KAT CAST On Demand Manually SHA2-224 (A3857) KAT CAST On Demand Manually SHA2-224 (A3858) KAT CAST On Demand Manually SHA2-256 (A3812) KAT CAST On Demand Manually SHA2-256 (A3813) KAT CAST On Demand Manually SHA2-256 (A3814) KAT CAST On Demand Manually SHA2-256 (A3832) KAT CAST On Demand Manually SHA2-256 (A3850) KAT CAST On Demand Manually SHA2-256 (A3851) KAT CAST On Demand Manually SHA2-256 (A3852) KAT CAST On Demand Manually SHA2-256 (A3853) KAT CAST On Demand Manually SHA2-256 (A3857) KAT CAST On Demand Manually SHA2-256 (A3858) KAT CAST On Demand Manually SHA2-384 (A3812) KAT CAST On Demand Manually SHA2-384 (A3813) KAT CAST On Demand Manually SHA2-384 (A3814) KAT CAST On Demand Manually SHA2-384 (A3832) KAT CAST On Demand Manually SHA2-384 (A3850) KAT CAST On Demand Manually SHA2-384 (A3851) KAT CAST On Demand Manually SHA2-384 (A3852) KAT CAST On Demand Manually SHA2-384 (A3858) KAT CAST On Demand Manually SHA2-512 (A3812) KAT CAST On Demand Manually SHA2-512 (A3813) KAT CAST On Demand Manually SHA2-512 (A3814) KAT CAST On Demand Manually SHA2-512 (A3832) KAT CAST On Demand Manually SHA2-512 (A3850) KAT CAST On Demand Manually SHA2-512 (A3851) KAT CAST On Demand Manually SHA2-512 (A3852) KAT CAST On Demand Manually SHA2-512 (A3858) KAT CAST On Demand Manually SHA3-224 (A3816) KAT CAST On Demand Manually SHA3-224 (A3839) KAT CAST On Demand Manually SHA3-256 (A3816) KAT CAST On Demand Manually SHA3-256 (A3839) KAT CAST On Demand Manually SHA3-384 (A3816) KAT CAST On Demand Manually SHA3-384 (A3839) KAT CAST On Demand Manually SHA3-512 (A3816) KAT CAST On Demand Manually SHA3-512 (A3839) KAT CAST On Demand Manually HMAC-SHA-1 KAT CAST On Demand Manually (A3812) HMAC-SHA-1 KAT CAST On Demand Manually (A3813) HMAC-SHA-1 KAT CAST On Demand Manually (A3814) HMAC-SHA-1 KAT CAST On Demand Manually (A3832) HMAC-SHA-1 KAT CAST On Demand Manually (A3850) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA-1 KAT CAST On Demand Manually (A3851) HMAC-SHA-1 KAT CAST On Demand Manually (A3852) HMAC-SHA-1 KAT CAST On Demand Manually (A3853) HMAC-SHA2-224 KAT CAST On Demand Manually (A3812) HMAC-SHA2-224 KAT CAST On Demand Manually (A3813) HMAC-SHA2-224 KAT CAST On Demand Manually (A3814) HMAC-SHA2-224 KAT CAST On Demand Manually (A3832) HMAC-SHA2-224 KAT CAST On Demand Manually (A3850) HMAC-SHA2-224 KAT CAST On Demand Manually (A3851) HMAC-SHA2-224 KAT CAST On Demand Manually (A3852) HMAC-SHA2-224 KAT CAST On Demand Manually (A3853) HMAC-SHA2-224 KAT CAST On Demand Manually (A3857) HMAC-SHA2-224 KAT CAST On Demand Manually (A3858) HMAC-SHA2-256 KAT CAST On Demand Manually (A3812) HMAC-SHA2-256 KAT CAST On Demand Manually (A3813) HMAC-SHA2-256 KAT CAST On Demand Manually (A3814) HMAC-SHA2-256 KAT CAST On Demand Manually (A3832) HMAC-SHA2-256 KAT CAST On Demand Manually (A3850) HMAC-SHA2-256 KAT CAST On Demand Manually (A3851) HMAC-SHA2-256 KAT CAST On Demand Manually (A3852) HMAC-SHA2-256 KAT CAST On Demand Manually (A3853) HMAC-SHA2-256 KAT CAST On Demand Manually (A3857) HMAC-SHA2-256 KAT CAST On Demand Manually (A3858) HMAC-SHA2-384 KAT CAST On Demand Manually (A3812) HMAC-SHA2-384 KAT CAST On Demand Manually (A3813) HMAC-SHA2-384 KAT CAST On Demand Manually (A3814) HMAC-SHA2-384 KAT CAST On Demand Manually (A3832) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-384 KAT CAST On Demand Manually (A3850) HMAC-SHA2-384 KAT CAST On Demand Manually (A3851) HMAC-SHA2-384 KAT CAST On Demand Manually (A3852) HMAC-SHA2-384 KAT CAST On Demand Manually (A3858) HMAC-SHA2-512 KAT CAST On Demand Manually (A3812) HMAC-SHA2-512 KAT CAST On Demand Manually (A3813) HMAC-SHA2-512 KAT CAST On Demand Manually (A3814) HMAC-SHA2-512 KAT CAST On Demand Manually (A3832) HMAC-SHA2-512 KAT CAST On Demand Manually (A3850) HMAC-SHA2-512 KAT CAST On Demand Manually (A3851) HMAC-SHA2-512 KAT CAST On Demand Manually (A3852) HMAC-SHA2-512 KAT CAST On Demand Manually (A3858) HMAC-SHA3-224 KAT CAST On Demand Manually (A3816) HMAC-SHA3-224 KAT CAST On Demand Manually (A3839) HMAC-SHA3-256 KAT CAST On Demand Manually (A3816) HMAC-SHA3-256 KAT CAST On Demand Manually (A3839) HMAC-SHA3-384 KAT CAST On Demand Manually (A3816) HMAC-SHA3-384 KAT CAST On Demand Manually (A3839) HMAC-SHA3-512 KAT CAST On Demand Manually (A3816) HMAC-SHA3-512 KAT CAST On Demand Manually (A3839) Counter DRBG KAT CAST On Demand Manually (A3812) Counter DRBG KAT CAST On Demand Manually (A3813) Counter DRBG KAT CAST On Demand Manually (A3814) Counter DRBG KAT CAST On Demand Manually (A3820) Counter DRBG KAT CAST On Demand Manually (A3821) Counter DRBG KAT CAST On Demand Manually (A3822) Counter DRBG KAT CAST On Demand Manually (A3824) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method Counter DRBG KAT CAST On Demand Manually (A3825) Counter DRBG KAT CAST On Demand Manually (A3829) Counter DRBG KAT CAST On Demand Manually (A3830) Counter DRBG KAT CAST On Demand Manually (A3831) Counter DRBG KAT CAST On Demand Manually (A3832) Counter DRBG KAT CAST On Demand Manually (A3833) Counter DRBG KAT CAST On Demand Manually (A3834) Counter DRBG KAT CAST On Demand Manually (A3840) Counter DRBG KAT CAST On Demand Manually (A3841) Counter DRBG KAT CAST On Demand Manually (A3842) Counter DRBG KAT CAST On Demand Manually (A3843) Counter DRBG KAT CAST On Demand Manually (A3844) Counter DRBG KAT CAST On Demand Manually (A3845) Counter DRBG KAT CAST On Demand Manually (A3854) Counter DRBG KAT CAST On Demand Manually (A3855) Counter DRBG KAT CAST On Demand Manually (A3856) Hash DRBG (A3812) KAT CAST On Demand Manually Hash DRBG (A3813) KAT CAST On Demand Manually Hash DRBG (A3814) KAT CAST On Demand Manually Hash DRBG (A3820) KAT CAST On Demand Manually Hash DRBG (A3821) KAT CAST On Demand Manually Hash DRBG (A3822) KAT CAST On Demand Manually Hash DRBG (A3824) KAT CAST On Demand Manually Hash DRBG (A3825) KAT CAST On Demand Manually Hash DRBG (A3830) KAT CAST On Demand Manually Hash DRBG (A3831) KAT CAST On Demand Manually Hash DRBG (A3832) KAT CAST On Demand Manually Hash DRBG (A3833) KAT CAST On Demand Manually Hash DRBG (A3834) KAT CAST On Demand Manually Hash DRBG (A3840) KAT CAST On Demand Manually Hash DRBG (A3841) KAT CAST On Demand Manually Hash DRBG (A3842) KAT CAST On Demand Manually Hash DRBG (A3843) KAT CAST On Demand Manually Hash DRBG (A3844) KAT CAST On Demand Manually Hash DRBG (A3845) KAT CAST On Demand Manually Hash DRBG (A3850) KAT CAST On Demand Manually Hash DRBG (A3851) KAT CAST On Demand Manually © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method Hash DRBG (A3852) KAT CAST On Demand Manually Hash DRBG (A3855) KAT CAST On Demand Manually Hash DRBG (A3856) KAT CAST On Demand Manually HMAC DRBG KAT CAST On Demand Manually (A3812) HMAC DRBG KAT CAST On Demand Manually (A3813) HMAC DRBG KAT CAST On Demand Manually (A3814) HMAC DRBG KAT CAST On Demand Manually (A3820) HMAC DRBG KAT CAST On Demand Manually (A3821) HMAC DRBG KAT CAST On Demand Manually (A3822) HMAC DRBG KAT CAST On Demand Manually (A3824) HMAC DRBG KAT CAST On Demand Manually (A3825) HMAC DRBG KAT CAST On Demand Manually (A3830) HMAC DRBG KAT CAST On Demand Manually (A3831) HMAC DRBG KAT CAST On Demand Manually (A3832) HMAC DRBG KAT CAST On Demand Manually (A3833) HMAC DRBG KAT CAST On Demand Manually (A3834) HMAC DRBG KAT CAST On Demand Manually (A3840) HMAC DRBG KAT CAST On Demand Manually (A3841) HMAC DRBG KAT CAST On Demand Manually (A3842) HMAC DRBG KAT CAST On Demand Manually (A3843) HMAC DRBG KAT CAST On Demand Manually (A3844) HMAC DRBG KAT CAST On Demand Manually (A3845) HMAC DRBG KAT CAST On Demand Manually (A3850) HMAC DRBG KAT CAST On Demand Manually (A3851) HMAC DRBG KAT CAST On Demand Manually (A3852) HMAC DRBG KAT CAST On Demand Manually (A3855) HMAC DRBG KAT CAST On Demand Manually (A3856) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3813) © 2024 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3812) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3814) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3832) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3850) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3851) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3852) Safe Primes Key PCT PCT On Demand Manually Generation (A3812) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3813) Entropy Source RCT CAST On Demand Manually Entropy Source APT CAST On Demand Manually Entropy Source RCT CAST On Demand Manually Entropy Source APT CAST On Demand Manually Table 23: Conditional Periodic Information
Name Description Conditions Recovery Method Indicator Error The Linux kernel immediately stops Any self-test Restart of the Kernel State executing failure module Panic Table 24: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).
The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. © 2024 Canonical Ltd. / atsec information security.
On the Ubuntu 22.04 LTS operational environments, the module is distributed in the form of the following deb packages:
On the Ubuntu 22.04 LTS operational environments, versions of the installed packages can be verified using the following command: $ dpkg-query -W linux-image-5.15.0-73-fips linux-modules-5.15.0-73-fips linux-image-hmac5.15.0-73-fips libkcapi1 kcapi-tools On the Ubuntu Core 22 operational environments, revisions of the installed snaps can be verified using the following command: $ snap list fips-kernel
The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the physical ports and logical interfaces are specified in section 3.1.
The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3.1. The Approved and non-Approved modes of operation are specified in section 2.4. The algorithmspecific information is listed in section 2.7.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. If desired, the linux-image-5.15.0-73-fips, linux-modules-5.15.0-73-fips, linux-image-hmac5.15.0-73-fips, libkcapi1, and kcapi-tools deb packages can be uninstalled from the Ubuntu
The Ubuntu Core 22 system is distributed as an operating system image, so removing this image will also uninstall the module. Alternatively, the “snap remodel” command can be used to switch to a generic model with a different kernel. © 2024 Canonical Ltd. / atsec information security.
The module does not offer mitigation of other attacks and therefore this section is not applicable. © 2024 Canonical Ltd. / atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KW Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Canonical Ltd. / atsec information security.
Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validationprogram/fips-140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) June 2005 https://datatracker.ietf.org/doc/html/rfc4106 RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2) October 2014 https://datatracker.ietf.org/doc/html/rfc7296 © 2024 Canonical Ltd. / atsec information security.
SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Addendum Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80038F.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Ar3.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090B.pdf © 2024 Canonical Ltd. / atsec information security.
SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800133r2.pdf SP 800-140Br1 CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800140Br1.pdf © 2024 Canonical Ltd. / atsec information security.