All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Amazon Linux 2023 Libgcrypt Cryptographic Module

Certificate#4971StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorAmazon Web Services, Inc.
Low review priority  ·  no TCB surface named  ·  libgcrypt upstream has published 2 CVEs since this module's initial validation  ·  last validated 17 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date2/23/2030
CaveatWhen operated in approved mode and installed, initialized and configured as specified in Section 11 of the Security Policy.
VendorAmazon Web Services, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Amazon Linux 2023 Libgcrypt Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>status output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Amazon Linux 2023 Libgcrypt Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>status output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Amazon Web Services, Inc. Amazon Linux 2023 Libgcrypt Cryptographic Module Document Version 1.2 Last update: 2025-02-05 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250
Page 2

www.atsec.com © 2025 Amazon Web Services, Inc./atsec information security.

Page 3
Table of Contents
#SectionPage
Page 4

© 2025 Amazon Web Services, Inc./atsec information security.

Page 5

© 2025 Amazon Web Services, Inc./atsec information security.

Page 6
List of Tables
ItemPage
Table : Security Levels8
Table : Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)11
Table : Tested Operational Environments - Software, Firmware, Hybrid11
Table : Modes List and Description12
Table : Approved Algorithms27
Table : Vendor-Affirmed Algorithms28
Table : Non-Approved, Not Allowed Algorithms29
Table : Security Function Implementations37
Table : Entropy Certificates38
Table : Entropy Sources38
Table : Ports and Interfaces40
Table : Roles41
Table : Approved Services47
Table : Non-Approved Services49
Table : Storage Areas54
Table : SSP Input-Output Methods54
Table : SSP Zeroization Methods55
Table : SSP Table 158
Table : SSP Table 259
Table : Pre-Operational Self-Tests61
Table : Conditional Self-Tests80
Table : Pre-Operational Periodic Information81
Table : Conditional Periodic Information89
Table : Error States89
Page 7
List of Figures
ItemPage
Figure 1: Block Diagram8
Page 8
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 1.10.2- 752a14d13e4ce9c0 of the Amazon Linux 2023 Libgcrypt Cryptographic Module. It has a one-to- one mapping to the SP 800-140Brev1 starting with Section B.2.1 named “General” that maps to Section 1 General in this document and ending with Section B.2.12 named “Mitigation of other attacks” that maps to Section 12 Mitigation of Other Attacks in this document.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels © 2025 Amazon Web Services, Inc./atsec information security.

Page 9
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Amazon Linux 2023 Libgcrypt Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. The module is a software library implementing general purpose cryptographic algorithms. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The module is implemented as shared library / binary file; as shown in the diagram below, the shared library file constitutes the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed on. © 2025 Amazon Web Services, Inc./atsec information security.

Page 10
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 11

Software/ Firmware Package or File Name Features Integrity Test Version libgcrypt.so.20.4.2 on 1.10.2-e4ddf5ed7abe8d45 N/A HMAC-SHA-256 Amazon Linux 2023 with Intel Xeon Platinum 8375C libgcrypt.so.20.4.2 on 1.10.2-e4ddf5ed7abe8d45 N/A HMAC-SHA-256 SnowOS 1.0 with AMD EPYC 7702 Table 2: Tested Module Identification

2023 e4ddf5ed7abe8d45

Amazon Linux EC2 c6i.metal Intel Xeon Platinum Yes N/A 1.10.2-

2023 8375C e4ddf5ed7abe8d45

SnowOS 1.0 AWS AMD EPYC 7702 Yes N/A 1.10.2Snowball e4ddf5ed7abe8d45 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components excluded from the module. © 2025 Amazon Web Services, Inc./atsec information security.

Page 12
2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an approved Approved Equivalent to the indicator of the Mode service is requested requested service Non-approved Automatically entered whenever a non- Non- Equivalent to the indicator of the mode approved service is requested Approved requested service Table 4: Modes List and Description Mode Change Instructions and Status: When the module starts up successfully, after passing the pre-operational self-test and cryptographic algorithms self-tests, the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in the table above. Refer to Section 4 Roles, Services, and Authentication for details on the service indicators provided by the module that identify when an approved service is called. Degraded Mode Description: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: CAVP Algorithm Properties Reference Cert AES-CBC A4597 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4598 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4600 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4601 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2025 Amazon Web Services, Inc./atsec information security.

Page 13

CAVP Algorithm Properties Reference Cert AES-CCM A4597 Key Length - 128, 192, 256 SP 800-38C AES-CCM A4598 Key Length - 128, 192, 256 SP 800-38C AES-CCM A4600 Key Length - 128, 192, 256 SP 800-38C AES-CCM A4601 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A4597 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4598 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4600 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4601 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4597 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4598 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4600 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4601 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A4597 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A4598 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A4600 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 © 2025 Amazon Web Services, Inc./atsec information security.

Page 14

CAVP Algorithm Properties Reference Cert AES-CMAC A4601 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A4597 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A4598 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A4600 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A4601 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4597 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4598 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4600 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4601 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4597 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A4598 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A4600 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A4601 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A4597 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2025 Amazon Web Services, Inc./atsec information security.

Page 15

CAVP Algorithm Properties Reference Cert AES-OFB A4598 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A4600 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A4601 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A4597 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A4598 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A4600 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A4601 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A4597 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A4598 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A4600 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A4601 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes ECDSA KeyGen A4597 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates © 2025 Amazon Web Services, Inc./atsec information security.

Page 16

CAVP Algorithm Properties Reference Cert ECDSA KeyGen A4598 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4600 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4601 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4602 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A4597 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4598 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4600 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4601 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4602 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4597 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigGen A4598 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigGen A4600 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 © 2025 Amazon Web Services, Inc./atsec information security.

Page 17

CAVP Algorithm Properties Reference Cert Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigGen A4601 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigGen A4602 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigVer A4597 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigVer A4598 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigVer A4600 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigVer A4601 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 © 2025 Amazon Web Services, Inc./atsec information security.

Page 18

CAVP Algorithm Properties Reference Cert ECDSA SigVer A4602 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Hash DRBG A4597 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A4598 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A4600 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A4601 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A4602 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A4597 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A4598 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A4600 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A4601 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A4602 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC-SHA-1 A4596 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2025 Amazon Web Services, Inc./atsec information security.

Page 19

CAVP Algorithm Properties Reference Cert HMAC-SHA-1 A4599 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2025 Amazon Web Services, Inc./atsec information security.

Page 20

CAVP Algorithm Properties Reference Cert HMAC-SHA2-512 A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA2- A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA2- A4600 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA2- A4601 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA2- A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA3-224 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-224 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-224 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2025 Amazon Web Services, Inc./atsec information security.

Page 21

CAVP Algorithm Properties Reference Cert HMAC-SHA3-256 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-256 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-256 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-384 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-384 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-384 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-512 A4597 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-512 A4598 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA3-512 A4602 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 PBKDF A4597 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 PBKDF A4598 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 PBKDF A4600 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 PBKDF A4601 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 PBKDF A4602 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A4597 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA KeyGen A4598 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 © 2025 Amazon Web Services, Inc./atsec information security.

Page 22

CAVP Algorithm Properties Reference Cert Primality Tests - Table C.2 Private Key Format - Standard RSA KeyGen A4600 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA KeyGen A4601 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA KeyGen A4602 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A4597 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigGen A4598 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigGen A4600 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigGen A4601 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigGen A4602 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4597 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1024, 1536 RSA SigVer A4598 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1024, 1536 RSA SigVer A4600 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1024, 1536 © 2025 Amazon Web Services, Inc./atsec information security.

Page 23

CAVP Algorithm Properties Reference Cert RSA SigVer A4601 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1024, 1536 RSA SigVer A4602 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1024, 1536 RSA SigVer A4597 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4598 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4600 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4601 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4602 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 SHA-1 A4596 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4599 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 © 2025 Amazon Web Services, Inc./atsec information security.

Page 24

CAVP Algorithm Properties Reference Cert SHA2-224 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 © 2025 Amazon Web Services, Inc./atsec information security.

Page 25

CAVP Algorithm Properties Reference Cert SHA2-384 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4600 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 © 2025 Amazon Web Services, Inc./atsec information security.

Page 26

CAVP Algorithm Properties Reference Cert SHA2-512/256 A4601 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A4597 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A4598 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A4602 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 © 2025 Amazon Web Services, Inc./atsec information security.

Page 27

CAVP Algorithm Properties Reference Cert SHAKE-128 A4597 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-128 A4598 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-128 A4602 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A4597 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A4598 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A4602 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Capabilities:Key generation Amazon Linux 2023 Libgcrypt FIPS 186-4, SP 800RSA:2048, 3072, 4096 (112, 128, 149 Cryptographic Module (Full Acceleration) 133rev2 Section 5.1 bits) ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) CKG Capabilities:Key generation Amazon Linux 2023 Libgcrypt FIPS 186-4, SP 800RSA:2048, 3072, 4096 (112, 128, 192 Cryptographic Module (No Acceleration) 133rev2 Section 5.1 bits) ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) CKG Capabilities:Key generation Amazon Linux 2023 Libgcrypt FIPS 186-4, SP 800RSA:2048, 3072, 4096 (112, 128, 149 Cryptographic Module (AESNI AVX) 133rev2 Section 5.1 bits) ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) CKG Capabilities:Key generation Amazon Linux 2023 Libgcrypt FIPS 186-4, SP 800RSA:2048, 3072, 4096 (112, 128, 149 Cryptographic Module (SSSE3) 133rev2 Section 5.1 bits) ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) © 2025 Amazon Web Services, Inc./atsec information security.

Page 28

Name Properties Implementation Reference CKG Capabilities:Key generation Amazon Linux 2023 Libgcrypt FIPS 186-4, SP 800RSA:2048, 3072, 4096 (112, 128, 149 Cryptographic Module (SHLD) 133rev2 Section 5.1 bits) ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: Name Use and Function MD5 Message Digest ECDH Shared Secret Computation AES-GCM, AES-GCM-SIV, AES- Symmetric encryption; Symmetric decryption OCB, AES-EAX RSA Signature generation primitives; Signature verification primitives; Encryption primitives; Decryption primitives RSA with non-approved public Key generation; Signature generation; Signature verification key flags ECDSA Signature generation primitives; Signature verification primitives ECDSA with non-approved public Key generation; Signature generation; Signature verification key flags © 2025 Amazon Web Services, Inc./atsec information security.

Page 29

Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Key wrapping using KTS-Wrap Key wrapping using Key:128, 192, 256 bits AES-CCM AES CCM AES CCM keys with 128, 192, AES-CCM

256 bits of key AES-CCM

strength, respectively AES-CCM Key unwrapping KTS-Wrap Key unwrapping Key:128, 192, 256 bits AES-CCM using AES CCM using AES CCM keys with 128, 192, AES-CCM

256 bits of key AES-CCM

strength, respectively AES-CCM Key wrapping using KTS-Wrap Key wrapping using Key:128, 192, 256 bits AES-KW AES KW AES KW keys with 128, 192, AES-KW

256 bits of key AES-KW

strength, respectively AES-KW Key unwrapping KTS-Wrap Key wrapping using Key:128, 192, 256 bits AES-KW using AES KW AES KW keys with 128, 192, AES-KW

256 bits of key AES-KW

strength, respectively AES-KW Encryption with BC-UnAuth Encryption using XTS mode key sizes AES-CBC AES AES and strength:128, 256 AES-CBC bits keys with 128, 256 AES-CBC bits of key strength, AES-CBC respectively AES-OFB Other modes key sizes AES-OFB and strength:128, 192, AES-OFB

256 bits keys with 128, AES-OFB

192, 256 bits of key AES-CFB128 strength, respectively AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR © 2025 Amazon Web Services, Inc./atsec information security.

Page 30

Name Type Description Properties Algorithms AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 Authenticated BC-Auth Authenticated Key:128, 192, 256 bits AES-CCM encryption with AES encryption using keys with 128, 192, AES-CCM AES 256 bits of key AES-CCM strength, respectively AES-CCM AES-KW AES-KW AES-KW AES-KW Decryption with BC-UnAuth Decryption using XTS mode key sizes AES-CBC AES AES and strength:128, 256 AES-CBC bits keys with 128, 256 AES-CBC bits of key strength, AES-CBC respectively AES-OFB Other modes key sizes AES-OFB and strength:128, 192, AES-OFB

256 bits keys with 128, AES-OFB

192, 256 bits of key AES-CFB128 strength, respectively AES-CFB128 AES-CFB128 AES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR © 2025 Amazon Web Services, Inc./atsec information security.

Page 31

Name Type Description Properties Algorithms AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 Authenticated BC-Auth Authenticated Key:128, 192, 256 bits AES-CCM decryption with AES decryption using keys with 128, 192, AES-CCM AES 256 bits of key AES-CCM strength, respectively AES-CCM AES-KW AES-KW AES-KW AES-KW Key Pair Generation AsymKeyPair- Key pair generation Mode:B.3.3. Random RSA KeyGen with RSA KeyGen for RSA Probable Primes (FIPS186-4) Modulus:2048, 3072, RSA KeyGen

4096 (112, 128, 149 (FIPS186-4)

bits) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) Key Pair Generation AsymKeyPair- Key pair generation Mode:B.4.2 Testing ECDSA KeyGen with ECDSA KeyGen for ECDSA Candidates (FIPS186-4) Curves:P-224, P-256, ECDSA KeyGen P-384, P-521 (112, (FIPS186-4) 128, 192, 256 bits) ECDSA KeyGen (FIPS186-4) © 2025 Amazon Web Services, Inc./atsec information security.

Page 32

Name Type Description Properties Algorithms ECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) Public Key AsymKeyPair- Verify public key for Curves:P-224, P-256, ECDSA KeyVer Verification with KeyVer ECDSA P-384, P-521 (112, (FIPS186-4) ECDSA 128, 192, 256 bits) ECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA KeyVer (FIPS186-4) Signature DigSig-SigGen Digital signature Padding:PKCS#1 v1.5, RSA SigGen Generation with generation using PSS (FIPS186-4) RSA RSA Keys:2048, 3072, 4096 RSA SigGen bits (112, 128, 149 (FIPS186-4) bits) RSA SigGen Hashes:SHA-224, (FIPS186-4) SHA-256, SHA-384, RSA SigGen SHA-512, SHA- (FIPS186-4) 512/224, SHA-512/256 RSA SigGen (FIPS186-4) Signature DigSig-SigVer Digital signature Padding:PKCS#1 v1.5, RSA SigVer Verification with verification using PSS (FIPS186-2) RSA RSA Keys:1024, 1536, 2048, RSA SigVer 3072, 4096 (80, 96, (FIPS186-2) 112, 128, 149 bits) RSA SigVer Hashes:SHA-224, (FIPS186-2) SHA-256, SHA-384, RSA SigVer SHA-512, SHA- (FIPS186-2) 512/224, SHA-512/256 RSA SigVer (FIPS186-2) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer © 2025 Amazon Web Services, Inc./atsec information security.

Page 33

Name Type Description Properties Algorithms (FIPS186-4) RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) Signature DigSig-SigGen Digital signature Curves:P-224, P-256, ECDSA SigGen Generation with generation using P-384, P-521 (112, (FIPS186-4) ECDSA ECDSA 128, 192, 256 bits) ECDSA SigGen Hashes:SHA-224, (FIPS186-4) SHA-256, SHA-384, ECDSA SigGen SHA-512, SHA- (FIPS186-4) 512/224, SHA- ECDSA SigGen 512/256, SHA3-224, (FIPS186-4) SHA3-256, SHA3-384, ECDSA SigGen SHA3-512 (FIPS186-4) Signature DigSig-SigVer Digital signature Curves:P-224, P-256, ECDSA SigVer Verification with verification using P-384, P-521 (112, (FIPS186-4) ECDSA ECDSA 128, 192, 256 bits) ECDSA SigVer Hashes:SHA-224, (FIPS186-4) SHA-256, SHA-384, ECDSA SigVer SHA-512, SHA- (FIPS186-4) 512/224, SHA- ECDSA SigVer 512/256, SHA3-224, (FIPS186-4) SHA3-256, SHA3-384, ECDSA SigVer SHA3-512 (FIPS186-4) Hashes SHA Compute a message SHA-1 digest using Secure SHA-1 Hash Algorithms SHA-1 SHA-1 SHA-1 SHA-1 SHA-1 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 © 2025 Amazon Web Services, Inc./atsec information security.

Page 34

Name Type Description Properties Algorithms SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/224 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA3-224 SHA3-224 SHA3-224 SHA3-256 SHA3-256 SHA3-256 SHA3-384 SHA3-384 SHA3-384 SHA3-512 SHA3-512 SHA3-512 Extendable Output XOF Compute a message SHAKE-128 Functions digest from XOFs SHAKE-128 SHAKE-128 SHAKE-256 SHAKE-256 SHAKE-256 © 2025 Amazon Web Services, Inc./atsec information security.

Page 35

Name Type Description Properties Algorithms Message MAC Compute MAC tags Keys:112-256 bits HMAC-SHA-1 Authentication Code using AES-based HMAC-SHA-1 CMAC or HMAC HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-224 HMAC-SHA2-224 HMAC-SHA2-224 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-256 HMAC-SHA2-256 HMAC-SHA2-256 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2-512 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/224 HMAC-SHA2512/256 HMAC-SHA2512/256 © 2025 Amazon Web Services, Inc./atsec information security.

Page 36

Name Type Description Properties Algorithms HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA3-224 HMAC-SHA3-224 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-256 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-384 HMAC-SHA3-384 HMAC-SHA3-512 HMAC-SHA3-512 HMAC-SHA3-512 AES-CMAC AES-CMAC AES-CMAC AES-CMAC Random Number DRBG Random number Compliance:Compliant Counter DRBG Generation with generation using with SP 800-90Arev1 Counter DRBG DRBG DRBG Counter DRBG Counter DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG HMAC DRBG Key Derivation with PBKDF Key derivation using Derived keys:112-256 PBKDF PBKDF PBKDF bits PBKDF PBKDF © 2025 Amazon Web Services, Inc./atsec information security.

Page 37

Name Type Description Properties Algorithms PBKDF PBKDF Table 8: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES XTS

The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in SP 800-38E. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. The AES-XTS mode shall only be used for the cryptographic protection of data on storage devices. The AESXTS shall not be used for other purposes, such as the encryption of data in transit.

2.7.2 Key Derivation using SP 800-132 PBKDF

The module provides password-based key derivation (PBKDF), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met.

Page 38
2.8 RBG and Entropy

Cert Vendor Name Number E124 Amazon Web Services, Inc. Table 9: Entropy Certificates Entropy Sample Conditioning Name Type Operational Environment per Size Component Sample Userspace CPU Time Non- Amazon Linux 2023 on EC2 64 bits Full SHA3-256 (A4551); Jitter RNG Entropy Physical c7g.metal; Amazon Linux 2023 on entropy HMAC_DRBG Source version 3.4.0 EC2 c6i.metal; SnowOS 1.0 on AWS (A4551) Snowball Table 10: Entropy Sources The module provides an SP 800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) for creation of key components of asymmetric keys, and random number generation. This entropy source is located within the module’s physical perimeter but outside of the module’s cryptographic boundary. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it. The seeding (and automatic reseeding) of the DRBG is done with getrandom(). The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The DRBG is initialized during module initialization; the module loads by default the DRBG using the HMAC_DRBG mechanism with SHA-256 and without prediction resistance. A different DRBG mechanism can be chosen by invoking the gcry_control(GCRYCTL_DRBG_REINIT) function. The module performs the DRBG health tests as defined in Section 11.3 of SP 800-90Arev1.

2.9 Key Generation

The module provides an SP 800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) for the creation of key components of asymmetric keys, and random number generation. The Cryptographic Key Generation (CKG) methods implemented in the module for Approved services in the approved mode are compliant with Section 5.1 of SP 800-133rev2. For generating RSA and ECDSA keys the module implements asymmetric key generation services compliant with FIPS 186-4. A seed (i.e., the random value) used in asymmetric key generation is directly obtained from the SP 800-90Arev1 DRBG. © 2025 Amazon Web Services, Inc./atsec information security.

Page 39

Additionally, the module implements key derivation with PBKDF2 using option 1a, compliant with SP800-132.

2.10 Key Establishment

The module implements the SSP transport methods as specified in the Security Function Implementations table.

2.11 Industry Protocols

The module does not support any industry protocols listed within the publication of SP 800-135rev1. Therefore, this section is not applicable. © 2025 Amazon Web Services, Inc./atsec information security.

Page 40
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Logical Physical Port Data That Passes Interface(s) As a software-only module, the module does not have physical ports. The Data Input API input parameters operator can only interact with the module through the API provided by for data the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. As a software-only module, the module does not have physical ports. The Data API output operator can only interact with the module through the API provided by Output parameters for data the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. As a software-only module, the module does not have physical ports. The Control API function calls, operator can only interact with the module through the API provided by Input API input parameters the module. Thus, the physical ports are interpreted to be the physical for control input ports of the hardware platform on which the module runs. As a software-only module, the module does not have physical ports. The Status API return codes, API operator can only interact with the module through the API provided by Output output parameters for the module. Thus, the physical ports are interpreted to be the physical status output ports of the hardware platform on which the module runs. Table 11: Ports and Interfaces All data output via data output interface is inhibited when the module is performing the pre-operational selftest, conditional self-tests, zeroization, or when the module enters an error state. The module does not implement a control output interface. © 2025 Amazon Web Services, Inc./atsec information security.

Page 41
4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not implement authentication methods.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service.

4.3 Approved Services

Descripti Output Security SSP Name Indicator Inputs on s Functions Access Symmetri Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND AES key, Ciphert Encryptio Crypto c AES ICATOR_CIPHER, ...) returns Plaintext ext n with Officer encryptio encryptio GPG_ERR_NO_ERROR AES - AES n n keys: W,E Symmetri Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND AES key, Plainte Decryptio Crypto c AES ICATOR_CIPHER, ...) returns Ciphertext xt n with Officer decryptio decryptio GPG_ERR_NO_ERROR AES - AES n n keys: W,E Authenti Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND AES key, Ciphert Authentic Crypto cated AES ICATOR_CIPHER, ...) returns Plaintext, IV ext, ated Officer symmetri encryptio GPG_ERR_NO_ERROR MAC encryptio - AES c n and tag n with keys: AES W,E © 2025 Amazon Web Services, Inc./atsec information security.

Page 42

Descripti Output Security SSP Name Indicator Inputs on s Functions Access encryptio authentic n ation Authenti Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND AES key, Plainte Authentic Crypto cated AES ICATOR_CIPHER, ...) returns Ciphertext, xt or ated Officer symmetri decryptio GPG_ERR_NO_ERROR MAC tag fail decryptio - AES c n and n with keys: decryptio authentic AES W,E n ation RSA Key Generate gcry_control(GCRYCTL_FIPS_SERVICE_IND Key size RSA Key Pair Crypto generatio RSA key ICATOR_PK_FLAGS, ...) returns public Generatio Officer n pairs GPG_ERR_NO_ERROR key, n with - RSA RSA RSA public private keys: key G,R - RSA private keys: G,R ECDSA Generate gcry_control(GCRYCTL_FIPS_SERVICE_IND Key size ECDSA Key Pair Crypto Key ECDSA ICATOR_PK_FLAGS, ...) returns public Generatio Officer generatio key pairs GPG_ERR_NO_ERROR key, n with n ECDSA ECDSA ECDSA private public key keys: G,R ECDSA private keys: G,R ECDSA ECDSA gcry_control(GCRYCTL_FIPS_SERVICE_IND ECDSA Signatu Signature Crypto Digital signature ICATOR_PK_FLAGS, ...) and private key, re Generatio Officer signature generatio gcry_control(GCRYCTL_FIPS_SERVICE_IND message, hash n with generatio n ICATOR_MD, ...) return algorithm ECDSA ECDSA n GPG_ERR_NO_ERROR private keys: W,E © 2025 Amazon Web Services, Inc./atsec information security.

Page 43

Descripti Output Security SSP Name Indicator Inputs on s Functions Access RSA RSA gcry_control(GCRYCTL_FIPS_SERVICE_IND RSA private Signatu Signature Crypto Digital signature ICATOR_PK_FLAGS, ...) and key, message, re Generatio Officer signature generatio gcry_control(GCRYCTL_FIPS_SERVICE_IND hash n with - RSA generatio n ICATOR_MD, ...) return algorithm RSA private n GPG_ERR_NO_ERROR keys: W,E ECDSA ECDSA gcry_control(GCRYCTL_FIPS_SERVICE_IND Signature, Signatu Signature Crypto Digital signature ICATOR_PK_FLAGS, ...) and hash re Verificati Officer signature verificati gcry_control(GCRYCTL_FIPS_SERVICE_IND algorithm, verifica on with verificati on ICATOR_MD, ...) return ECDSA public tion ECDSA ECDSA on GPG_ERR_NO_ERROR key result public keys: W,E Digital RSA gcry_control(GCRYCTL_FIPS_SERVICE_IND Signature, Signatu Signature Crypto signature signature ICATOR_PK_FLAGS, ...) and hash re Verificati Officer verificati verificati gcry_control(GCRYCTL_FIPS_SERVICE_IND algorithm, verifica on with - RSA on on ICATOR_MD, ...) return RSA public tion RSA public GPG_ERR_NO_ERROR key result keys: W,E Public Verify gcry_mpi_ec_curve_point() returns ECDSA public Return Public Crypto key ECDSA GPG_ERR_NO_ERROR key, ECDSA codes/l Key Officer verificati public private key og Verificati on key messag on with ECDSA es ECDSA public keys: W,E Random Generate gcry_randomize(), gcry_random_bytes(), Size Rando Random Crypto number random gcry_random_bytes_secure() return m Number Officer generatio bitstrings GPG_ERR_NO_ERROR number Generatio n n with Entrop DRBG y input: W,E DRBG seed: G,E © 2025 Amazon Web Services, Inc./atsec information security.

Page 44

Descripti Output Security SSP Name Indicator Inputs on s Functions Access DRBG interna l state (V value, key): W,E DRBG interna l state (V value, C value): W,E Message Compute gcry_control(GCRYCTL_FIPS_SERVICE_IND Message Messag Hashes Crypto digest SHA ICATOR_MD, ...) returns e digest Extendabl Officer hashes GPG_ERR_NO_ERROR e Output Functions Message Compute gcry_control(GCRYCTL_FIPS_SERVICE_IND Message, key MAC Message Crypto authentic HMAC ICATOR_MAC, ...) returns tag Authentic Officer ation or AES- GPG_ERR_NO_ERROR ation code based Code HMAC (MAC) CMAC keys: W,E - AES keys: W,E Key Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND Key wrapping Wrapp Key Crypto wrapping AES- ICATOR_CIPHER, ...) returns key, key to be ed key wrapping Officer based key GPG_ERR_NO_ERROR wrapped using AES - AES wrapping CCM keys: Key W,E wrapping using AES KW © 2025 Amazon Web Services, Inc./atsec information security.

Page 45

Descripti Output Security SSP Name Indicator Inputs on s Functions Access Key Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND Wrapped key, Unwra Key Crypto unwrappi AES- ICATOR_CIPHER, ...) returns key pped unwrappi Officer ng based GPG_ERR_NO_ERROR unwrapping key ng using - AES unwrappi key AES CCM keys: ng Key W,E unwrappi ng using AES KW Key Perform gcry_control(GCRYCTL_FIPS_SERVICE_IND Password/pass Derive Key Crypto derivatio key ICATOR_KDF, ...) returns phrase; d key Derivatio Officer n derivatio GPG_ERR_NO_ERROR Derived key n with n PBKDF Derive d key: G,R Passwo rd or passphr ase: W,E Show Show N/A None Current None Crypto status module status Officer status of the module Zeroizati Zeroize N/A N/A N/A None Crypto on SSPs Officer - AES keys: Z HMAC keys: Z - RSA public keys: Z - RSA private keys: Z © 2025 Amazon Web Services, Inc./atsec information security.

Page 46

Descripti Output Security SSP Name Indicator Inputs on s Functions Access ECDSA public keys: Z ECDSA private keys: Z Passwo rd or passphr ase: Z Derive d key: Z Entrop y input: Z DRBG interna l state (V value, key): Z DRBG interna l state (V value, C value): Z DRBG seed: Z © 2025 Amazon Web Services, Inc./atsec information security.

Page 47

Descripti Output Security SSP Name Indicator Inputs on s Functions Access Self-tests Perform N/A Power on of N/A None Crypto self-tests the module Officer Show Show N/A N/A Display None Crypto module module module Officer name and name and name version version and version Table 13: Approved Services The table above lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). The following convention is used to specify access rights to a CSP: • G = Generate: The module generates or derives the SSP. • R = Read: The SSP is read from the module (e.g., the SSP is output). • W = Write: The SSP is updated, imported, or written to the module. • E = Execute: The module uses the SSP in performing a cryptographic operation. • Z = Zeroise: The module zeroises the SSP. • N/A: the calling application does not access any CSP or key during its operation. The details of the approved cryptographic algorithms including the CAVP certificate numbers can be found in the Approved Algorithms table in Section 2.5 Algorithms. In order to check whether it utilizes an approved security function or not, the operator is responsible to invoke the gcry_control() API along with dedicated controls in the form of API input parameters. The module implements the following controls depending on the requested service:

  1. GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER - For symmetric algorithms and the related modes.
  2. GCRYCTL_FIPS_SERVICE_INDICATOR_KDF - For KDF operations.
  3. GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS - For asymmetric operations. 1
  4. GCRYCTL_FIPS_SERVICE_INDICATOR_MD - For digest operations.
  5. GCRYCTL_FIPS_SERVICE_INDICATOR_MAC - For MAC operations. 1The list of public key flags allowed in approved mode of operation is described in Appendix A. Approved Public Key Flags. © 2025 Amazon Web Services, Inc./atsec information security.
Page 48

In addition to that, for the below-mentioned services, the approved service indicator corresponds to the GPG_ERR_NO_ERROR returned from listed functions in the indicator column below. They don’t use gcry_control() API:

  1. Random number generation service: gcry_randomize(), gcry_random_bytes(), gcry_random_bytes_secure().
  2. Public key validation service: gcry_mpi_ec_curve_point(). For all approved services, GPG_ERR_NO_ERROR (i.e., “0”) return code indicates the service is approved. In case the above-mentioned controls are used in conjunction, the operator is responsible to check that all the called functions return GPG_ERR_NO_ERROR (i.e., “0”). For all non-approved services, "non-zero" return code indicates the service is not approved.
4.4 Non-Approved Services

Name Description Algorithms Role Symmetric encryption AES encryption using non-approved AES AES-GCM, AES-GCM-SIV, CO modes AES-OCB, AES-EAX Symmetric decryption AES decryption using non-approved AES AES-GCM, AES-GCM-SIV, CO modes AES-OCB, AES-EAX Message digest Message digest using non-approved MD5 CO algorithms Shared Secret ECDH Shared Secret Computation ECDH CO Computation Key generation Generate RSA/ECDSA key pairs with non- RSA CO approved public key flags ECDSA Digital signature RSA/ECDSA signature generation with non- RSA with non-approved public CO generation approved public key flags key flags ECDSA with non-approved public key flags Digital signature RSA/ECDSA signature verification with non- RSA with non-approved public CO verification approved public key flags key flags ECDSA with non-approved public key flags Asymmetric encryption RSA encryption primitives RSA CO primitives © 2025 Amazon Web Services, Inc./atsec information security.

Page 49

Name Description Algorithms Role Asymmetric decryption RSA decryption primitives RSA CO primitives Signature generation RSA/ECDSA signature generation primitives RSA CO primitives ECDSA Signature verification RSA/ECDSA signature verification primitives RSA CO primitives ECDSA Table 14: Non-Approved Services The table above lists the non-approved services. The details of the non-approved cryptographic algorithms not available in non-approved mode can be found in the Not Allowed, Non-Approved Algorithms table. For the services listed above, the module implements an additional service indicator in the form of a control named GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. The operator is responsible to invoke the gcry_control() API along with the following input parameters: GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION control; the name of the API 2 representing the service.

4.5 External Software/Firmware Loaded

The module does not load any external software/firmware.

2 The list of APIs supported by the module can be found in the documentation included in the optional

libgcrypt-devel package. © 2025 Amazon Web Services, Inc./atsec information security.

Page 50
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing the HMAC SHA-256 value calculated at run time with the HMAC SHA-256 value embedded in the module’s ELF header that was computed at build time for each software component of the module. If the HMAC values do not match, the test fails, and the module enters the Error state.

5.2 Initiate on Demand

Integrity test is performed as part of the Pre-Operational Self-Test. The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational self-test (i.e., integrity test) and cryptographic algorithm self-tests (CASTs). This service can be invoked relying on the gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output or input is possible. In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke the gcry_control(GCRYCTL_OPERATIONAL_P). The function will return TRUE if the module is in the Operational state and FALSE if the module is in the Error state. © 2025 Amazon Web Services, Inc./atsec information security.

Page 51
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module shall be installed as stated in Section 11 Life-Cycle Assurance. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11 Life-Cycle Assurance. Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Amazon Web Services, Inc./atsec information security.

Page 52
7 Physical Security

The module is comprised of software only, and therefore this section is not applicable. © 2025 Amazon Web Services, Inc./atsec information security.

Page 53
8 Non-Invasive Security

The module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2025 Amazon Web Services, Inc./atsec information security.

Page 54
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Persistence Area Description Type Name RAM Temporary storage for SSPs used by the module as part of service execution Dynamic Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Format Distribution Entry SFI or Name From To Type Type Type Algorithm API input Operator calling Cryptographic module Plaintext Manual Electronic parameters application (TOEPP) API output Cryptographic module Operator calling Plaintext Manual Electronic parameters application (TOEPP) Table 16: SSP Input-Output Methods The module does not support manual SSP input or intermediate SSP generation output. The SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by FIPS 140-3 IG 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry in the table above. © 2025 Amazon Web Services, Inc./atsec information security.

Page 55
9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate zeroization functions: AES key: handle SSPs SSPs is overwritten gcry_cipher_close HMAC key: gcry_mac_close, gcry_free contained with zeroes, which Key-derivation key: gcry_free Derived key: gcry_free RSA within the renders the SSP values keys: gcry_mpi_release, gcry_sexp_release, gcry_free EC provided irretrievable. The keys: gcry_mpi_release, gcry_free, cipher handle completion of a gcry_mpi_point_release, gcry_sexp_release, zeroization routine gcry_ctx_release Entropy input: will indicate that a gcry_ctrl(GCRYCTL_TERM_SECMEM) Internal state: zeroization procedure gcry_ctrl(GCRYCTL_TERM_SECMEM) succeeded. Remove De-allocates Volatile memory used By unloading the module power from the volatile by the module is the module memory used overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. Table 17: SSP Zeroization Methods The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in the table above. Calling gcry_free() will zeroize the SSPs and also invoke the corresponding API functions listed in table to zeroize SSPs. The zeroization functions overwrite the memory occupied by SSPs with “zeros” and deallocate the memory with the regular memory deallocation operating system call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the keys in physical memory are overwritten by the Linux kernel before the physical memory is allocated to another process. Data output via the data output interface is inhibited during zeroization. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. The user must not call malloc/free to create/release space for keys, and must let libgcrypt manage space for keys, which ensures that the key memory is overwritten before it is released. gcry_control(GCRYCTL_TERM_SECMEM) needs to be called before the process is terminated. © 2025 Amazon Web Services, Inc./atsec information security.

Page 56
9.4 SSPs

Type - Generated Established Name Description Size - Strength Used By Category By By AES keys AES key used for XTS: 256, 512 bits; Symmetric Key wrapping encryption, Other modes: 128, 192, key - CSP using AES CCM decryption, key 256 bits - XTS: 128, 256 Key wrapping wrapping, key bits; Other modes; 128, using AES KW unwrapping, and 192, 256 bits Key computing MAC unwrapping tags using AES CCM Key unwrapping using AES KW Encryption with AES Decryption with AES HMAC HMAC key used 112 to 256 bits - 112 to Symmetric Message keys for message 256 bits key - CSP Authentication authentication Code code RSA public Public key used 1024, 1536, 2048, 3072, Public key Key Pair Key Pair keys for RSA signature 4096 bits - 80, 96, 112, - PSP Generation Generation verification 128, 149 bits with RSA with RSA Signature Verification with RSA RSA Private key used 2048, 3072, 4096 bits - Private key Key Pair Key Pair private for RSA signature 112, 128, 149 bits - CSP Generation Generation keys generation with RSA with RSA Signature Generation with RSA ECDSA Public key used P-224, P-256, P-384, P- Public key Key Pair Key Pair public keys for ECDSA 521 - 112, 128, 192, 256 - PSP Generation Generation signature bits with with ECDSA verification ECDSA Signature © 2025 Amazon Web Services, Inc./atsec information security.

Page 57

Type - Generated Established Name Description Size - Strength Used By Category By By Verification with ECDSA ECDSA Private key used P-224, P-256, P-384, P- Private key Key Pair Key Pair private for ECDSA 521 - 112, 128, 192, 256 - CSP Generation Generation keys signature bits with with ECDSA generation ECDSA Signature Generation with ECDSA Password PBKDF2 password At least 8 characters - Password Key Derivation or N/A or with PBKDF passphrase passphrase - CSP Derived PBKDF2 derived 112-256 bits - 112-256 Symmetric Key Key Derivation key key bits key - CSP Derivation with PBKDF with PBKDF Entropy Entropy input 128-384 bits - 128-256 Entropy Random input used to seed the bits input - CSP Number DRBGs Generation with DRBG DRBG Internal state of CTR_DRBG: 256, 320, Internal Random Random internal CTR_DRBG and 348 bits; state - CSP Number Number state (V HMAC_DRBG HMAC_DRBG: 320, Generation Generation value, key) 512, 1024 bits - with DRBG with DRBG CTR_DRBG: 128, 192,

256 bits;
256 bits

DRBG Internal state of 880, 1776 bits - 128, Internal Random Random internal Hash_DRBG 256 bits state - CSP Number Number state (V Generation Generation value, C with DRBG with DRBG value) © 2025 Amazon Web Services, Inc./atsec information security.

Page 58

Type - Generated Established Name Description Size - Strength Used By Category By By DRBG seed DRBG seed CTR_DRBG: 256, 320, Seed - CSP Random Random derived from 348 bits; Hash DRBG: Number Number entropy input 440, 888 bits; Generation Generation HMAC_DRBG: 160, with DRBG with DRBG 256, 512 bits CTR_DRBG: 128, 192,

256 bits; Hash_DRBG:
256 bits

Table 18: SSP Table 1 Input - Storage Name Storage Zeroization Related SSPs Output Duration AES keys API input RAM:Plaintext For the Free cipher parameters duration of handle the service Remove power from the module HMAC keys API input RAM:Plaintext For the Free cipher parameters duration of handle the service Remove power from the module RSA public keys API input RAM:Plaintext For the Free cipher RSA private keys:Paired parameters duration of handle With API output the service Remove power parameters from the module RSA private keys API input RAM:Plaintext For the Free cipher RSA public keys:Paired parameters duration of handle With API output the service Remove power parameters from the module ECDSA public API input RAM:Plaintext For the Free cipher ECDSA private keys:Paired keys parameters duration of handle With API output the service Remove power parameters from the module © 2025 Amazon Web Services, Inc./atsec information security.

Page 59

Input - Storage Name Storage Zeroization Related SSPs Output Duration ECDSA private API input RAM:Plaintext For the Free cipher ECDSA public keys:Paired keys parameters duration of handle With API output the service Remove power parameters from the module Password or API input RAM:Plaintext For the Free cipher Derived key:Derives passphrase parameters duration of handle the service Remove power from the module Derived key API output RAM:Plaintext For the Free cipher Password or parameters duration of handle passphrase:Derived From the service Remove power from the module Entropy input RAM:Plaintext For the Free cipher DRBG seed:Generates duration of handle the service Remove power from the module DRBG internal RAM:Plaintext For the Free cipher DRBG seed:Generated state (V value, duration of handle from key) the service Remove power from the module DRBG internal RAM:Plaintext For the Free cipher DRBG seed:Generated state (V value, C duration of handle from value) the service Remove power from the module DRBG seed RAM:Plaintext For the Free cipher Entropy input:Generated duration of handle from the service Remove power DRBG internal state (V from the module value, key):Generates DRBG internal state (V value, C value):Generates Table 19: SSP Table 2 © 2025 Amazon Web Services, Inc./atsec information security.

Page 60
9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. The RSA and ECDSA algorithms as implemented by the module conform to FIPS 186-4, which has been superseded by FIPS 186-5. FIPS 186-4 has been withdrawn since February 3, 2024. © 2025 Amazon Web Services, Inc./atsec information security.

Page 61
10 Self-Tests
10.1 Pre-Operational Self-Tests

Test Algorithm or Test Test Method Test Type Indicator Details Properties HMAC-SHA2-256 Key size: 376 Message SW/FW Module is Integrity test for (A4597) bits Authentication Integrity operational libgcrypt.so.20.4.2 HMAC-SHA2-256 Key size: 376 Message SW/FW Module is Integrity test for (A4598) bits Authentication Integrity operational libgcrypt.so.20.4.2 HMAC-SHA2-256 Key size: 376 Message SW/FW Module is Integrity test for (A4600) bits Authentication Integrity operational libgcrypt.so.20.4.2 HMAC-SHA2-256 Key size: 376 Message SW/FW Module is Integrity test for (A4601) bits Authentication Integrity operational libgcrypt.so.20.4.2 HMAC-SHA2-256 Key size: 376 Message SW/FW Module is Integrity test for (A4602) bits Authentication Integrity operational libgcrypt.so.20.4.2 Table 20: Pre-Operational Self-Tests The details of integrity test are provided in Section 5.1 Integrity Techniques. Data output via the data output interface is inhibited during the execution of the pre-operational self-test.

10.2 Conditional Self-Tests

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Encryption Module (A4597) 256-bit keys for encryption operational initialization or on demand through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Encryption Module (A4598) 256-bit keys for encryption operational initialization or on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 62

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Encryption Module (A4600) 256-bit keys for encryption operational initialization or on demand through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Encryption Module (A4601) 256-bit keys for encryption operational initialization or on demand through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Decryption Module (A4597) 256-bit keys for decryption operational initialization or on demand through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Decryption Module (A4598) 256-bit keys for decryption operational initialization or on demand through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Decryption Module (A4600) 256-bit keys for decryption operational initialization or on demand through API function call AES-ECB AES ECB mode with 128, 192, KAT CAST Module is Decryption Module (A4601) 256-bit keys for decryption operational initialization or on demand through API function call AES-CMAC AES CMAC with 128-bit key, KAT CAST Module is Message Module (A4597) MAC generation operational Authentication initialization or © 2025 Amazon Web Services, Inc./atsec information security.

Page 63

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type on demand through API function call AES-CMAC AES CMAC with 128-bit key, KAT CAST Module is Message Module (A4598) MAC generation operational Authentication initialization or on demand through API function call AES-CMAC AES CMAC with 128-bit key, KAT CAST Module is Message Module (A4600) MAC generation operational Authentication initialization or on demand through API function call AES-CMAC AES CMAC with 128-bit key, KAT CAST Module is Message Module (A4597) MAC generation operational Authentication initialization or on demand through API function call Counter CTR_DRBG with 129-bit key KAT CAST Module is Compliant with Module DRBG with DF, with and without PR operational section 11.3 of initialization or (A4597) SP 800-90Ar1 on demand through API function call Counter CTR_DRBG with 129-bit key KAT CAST Module is Compliant with Module DRBG with DF, with and without PR operational section 11.3 of initialization or (A4598) SP 800-90Ar1 on demand through API function call Counter CTR_DRBG with 129-bit key KAT CAST Module is Compliant with Module DRBG with DF, with and without PR operational section 11.3 of initialization or (A4600) SP 800-90Ar1 on demand through API function call © 2025 Amazon Web Services, Inc./atsec information security.

Page 64

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type Counter CTR_DRBG with 129-bit key KAT CAST Module is Compliant with Module DRBG with DF, with and without PR operational section 11.3 of initialization or (A4601) SP 800-90Ar1 on demand through API function call Hash DRBG SHA-256 with and without PR; KAT CAST Module is Compliant with Module (A4597) SHA-1 without PR operational section 11.3 of initialization or SP 800-90Ar1 on demand through API function call Hash DRBG SHA-256 with and without PR; KAT CAST Module is Compliant with Module (A4598) SHA-1 without PR operational section 11.3 of initialization or SP 800-90Ar1 on demand through API function call Hash DRBG SHA-256 with and without PR; KAT CAST Module is Compliant with Module (A4597) SHA-1 without PR operational section 11.3 of initialization or SP 800-90Ar1 on demand through API function call Hash DRBG SHA-256 with and without PR; KAT CAST Module is Compliant with Module (A4597) SHA-1 without PR operational section 11.3 of SP initialization or 800-90Ar1 on demand through API function call Hash DRBG SHA-256 with and without PR; KAT CAST Module is Compliant with Module (A4597) SHA-1 without PR operational section 11.3 of initialization or SP 800-90Ar1 on demand through API function call HMAC SHA-256 with and without PR KAT CAST Module is Compliant with Module DRBG operational section 11.3 of initialization or (A4597) SP 800-90Ar1 on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 65

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call HMAC SHA-256 with and without PR KAT CAST Module is Compliant with Module DRBG operational section 11.3 of initialization or (A4598) SP 800-90Ar1 on demand through API function call HMAC SHA-256 with and without PR KAT CAST Module is Compliant with Module DRBG operational section 11.3 of initialization or (A4600) SP 800-90Ar1 on demand through API function call HMAC SHA-256 with and without PR KAT CAST Module is Compliant with Module DRBG operational section 11.3 of initialization or (A4601) SP 800-90Ar1 on demand through API function call HMAC SHA-256 with and without PR KAT CAST Module is Compliant with Module DRBG operational section 11.3 of initialization or (A4602) SP 800-90Ar1 on demand through API function call ECDSA ECDSA signature generation KAT CAST Module is Signature Module SigGen with P-256 and SHA-256 operational generation initialization or (FIPS186-4) on demand (A4597) through API function call ECDSA ECDSA signature generation KAT CAST Module is Signature Module SigGen with P-256 and SHA-256 operational generation initialization or (FIPS186-4) on demand (A4598) through API function call ECDSA ECDSA signature generation KAT CAST Module is Signature Module SigGen with P-256 and SHA-256 operational generation initialization or © 2025 Amazon Web Services, Inc./atsec information security.

Page 66

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type (FIPS186-4) on demand (A4600) through API function call ECDSA ECDSA signature generation KAT CAST Module is Signature Module SigGen with P-256 and SHA-256 operational generation initialization or (FIPS186-4) on demand (A4601) through API function call ECDSA ECDSA signature generation KAT CAST Module is Signature Module SigGen with P-256 and SHA-256 operational generation initialization or (FIPS186-4) on demand (A4602) through API function call ECDSA ECDSA signature verification KAT CAST Module is Signature Module SigVer with P-256 and SHA-256 operational verification initialization or (FIPS186-4) on demand (A4597) through API function call ECDSA ECDSA signature verification KAT CAST Module is Signature Module SigVer with P-256 and SHA-256 operational verification initialization or (FIPS186-4) on demand (A4598) through API function call ECDSA ECDSA signature verification KAT CAST Module is Signature Module SigVer with P-256 and SHA-256 operational verification initialization or (FIPS186-4) on demand (A4600) through API function call ECDSA ECDSA signature verification KAT CAST Module is Signature Module SigVer with P-256 and SHA-256 operational verification initialization or (FIPS186-4) on demand (A4601) through API function call © 2025 Amazon Web Services, Inc./atsec information security.

Page 67

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type ECDSA ECDSA signature verification KAT CAST Module is Signature Module SigVer with P-256 and SHA-256 operational verification initialization or (FIPS186-4) on demand (A4602) through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4596) on demand through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4598) on demand through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4599) on demand through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4600) on demand through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4601) on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 68

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call HMAC- HMAC-SHA-1 KAT CAST Module is Message Module SHA-1 operational authentication initialization or (A4602) on demand through API function call HMAC- HMAC-SHA-224 KAT CAST Module is Message Module SHA2-224 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA-224 KAT CAST Module is Message Module SHA2-224 operational authentication initialization or (A4598) on demand through API function call HMAC- HMAC-SHA-224 KAT CAST Module is Message Module SHA2-224 operational authentication initialization or (A4600) on demand through API function call HMAC- HMAC-SHA-224 KAT CAST Module is Message Module SHA2-224 operational authentication initialization or (A4601) on demand through API function call HMAC- HMAC-SHA-224 KAT CAST Module is Message Module SHA2-224 operational authentication initialization or (A4602) on demand through API function call © 2025 Amazon Web Services, Inc./atsec information security.

Page 69

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA-256 KAT CAST Module is Message Module SHA2-256 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA-256 KAT CAST Module is Message Module SHA2-256 operational authentication initialization or (A4598) on demand through API function call HMAC- HMAC-SHA-256 KAT CAST Module is Message Module SHA2-256 operational authentication initialization or (A4600) on demand through API function call HMAC- HMAC-SHA-256 KAT CAST Module is Message Module SHA2-256 operational authentication initialization or (A4601) on demand through API function call HMAC- HMAC-SHA-256 KAT CAST Module is Message Module SHA2-256 operational authentication initialization or (A4602) on demand through API function call HMAC- HMAC-SHA-384 KAT CAST Module is Message Module SHA2-384 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA-384 KAT CAST Module is Message Module SHA2-384 operational authentication initialization or (A4598) on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 70

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call HMAC- HMAC-SHA-384 KAT CAST Module is Message Module SHA2-384 operational authentication initialization or (A4600) on demand through API function call HMAC- HMAC-SHA-384 KAT CAST Module is Message Module SHA2-384 operational authentication initialization or (A4601) on demand through API function call HMAC- HMAC-SHA-384 KAT CAST Module is Message Module SHA2-384 operational authentication initialization or (A4602) on demand through API function call HMAC- HMAC-SHA-512 KAT CAST Module is Message Module SHA2-512 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA-512 KAT CAST Module is Message Module SHA2-512 operational authentication initialization or (A4598) on demand through API function call HMAC- HMAC-SHA-512 KAT CAST Module is Message Module SHA2-512 operational authentication initialization or (A4600) on demand through API function call © 2025 Amazon Web Services, Inc./atsec information security.

Page 71

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA-512 KAT CAST Module is Message Module SHA2-512 operational authentication initialization or (A4601) on demand through API function call HMAC- HMAC-SHA-512 KAT CAST Module is Message Module SHA2-512 operational authentication initialization or (A4602) on demand through API function call HMAC- HMAC-SHA3-224 KAT CAST Module is Message Module SHA3-224 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA3-224 KAT CAST Module is Message Module SHA3-224 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA3-224 KAT CAST Module is Message Module SHA3-224 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA3-256 KAT CAST Module is Message Module SHA3-256 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA3-256 KAT CAST Module is Message Module SHA3-256 operational authentication initialization or (A4598) on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 72

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call HMAC- HMAC-SHA3-256 KAT CAST Module is Message Module SHA3-256 operational authentication initialization or (A4602) on demand through API function call HMAC- HMAC-SHA3-384 KAT CAST Module is Message Module SHA3-384 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA3-384 KAT CAST Module is Message Module SHA3-384 operational authentication initialization or (A4598) on demand through API function call HMAC- HMAC-SHA3-384 KAT CAST Module is Message Module SHA3-384 operational authentication initialization or (A4602) on demand through API function call HMAC- HMAC-SHA3-512 KAT CAST Module is Message Module SHA3-512 operational authentication initialization or (A4597) on demand through API function call HMAC- HMAC-SHA3-512 KAT CAST Module is Message Module SHA3-512 operational authentication initialization or (A4598) on demand through API function call © 2025 Amazon Web Services, Inc./atsec information security.

Page 73

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA3-512 KAT CAST Module is Message Module SHA3-512 operational authentication initialization or (A4602) on demand through API function call RSA SigGen PKCS#1 v1.5 with 2048-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4597) on demand through API function call RSA SigGen PKCS#1 v1.5 with 2048-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4598) on demand through API function call RSA SigGen PKCS#1 v1.5 with 2048-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4597) on demand through API function call RSA SigGen PKCS#1 v1.5 with 2048-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4601) on demand through API function call RSA SigGen PKCS#1 v1.5 with 2048-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4602) on demand through API function call RSA SigVer PKCS#1 v1.5 with 2084-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4597) on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 74

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call RSA SigVer PKCS#1 v1.5 with 2084-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4598) on demand through API function call RSA SigVer PKCS#1 v1.5 with 2084-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4600) on demand through API function call RSA SigVer PKCS#1 v1.5 with 2084-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4601) on demand through API function call RSA SigVer PKCS#1 v1.5 with 2084-bit key KAT CAST Module is Message Module (FIPS186-4) and SHA-256 operational authentication initialization or (A4602) on demand through API function call SHA-1 SHA-1 KAT CAST Module is Message digest Module (A4596) operational initialization or on demand through API function call SHA-1 SHA-1 KAT CAST Module is Message digest Module (A4597) operational initialization or on demand through API function call SHA-1 SHA-1 KAT CAST Module is Message digest Module (A4598) operational initialization or © 2025 Amazon Web Services, Inc./atsec information security.

Page 75

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type on demand through API function call SHA-1 SHA-1 KAT CAST Module is Message digest Module (A4600) operational initialization or on demand through API function call SHA-1 SHA-1 KAT CAST Module is Message digest Module (A4601) operational initialization or on demand through API function call SHA-1 SHA-1 KAT CAST Module is Message digest Module (A4602) operational initialization or on demand through API function call SHA2-224 SHA-224 KAT CAST Module is Message digest Module (A4597) operational initialization or on demand through API function call SHA2-224 SHA-224 KAT CAST Module is Message digest Module (A4598) operational initialization or on demand through API function call SHA2-224 SHA-224 KAT CAST Module is Message digest Module (A4600) operational initialization or on demand through API function call © 2025 Amazon Web Services, Inc./atsec information security.

Page 76

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type SHA2-224 SHA-224 KAT CAST Module is Message digest Module (A4601) operational initialization or on demand through API function call SHA2-224 SHA-224 KAT CAST Module is Message digest Module (A4602) operational initialization or on demand through API function call SHA2-256 SHA-256 KAT CAST Module is Message digest Module (A4597) operational initialization or on demand through API function call SHA2-256 SHA-256 KAT CAST Module is Message digest Module (A4598) operational initialization or on demand through API function call SHA2-256 SHA-256 KAT CAST Module is Message digest Module (A4600) operational initialization or on demand through API function call SHA2-256 SHA-256 KAT CAST Module is Message digest Module (A4601) operational initialization or on demand through API function call SHA2-256 SHA-256 KAT CAST Module is Message digest Module (A4602) operational initialization or on demand © 2025 Amazon Web Services, Inc./atsec information security.

Page 77

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type through API function call SHA2-384 SHA-384 KAT CAST Module is Message digest Module (A4597) operational initialization or on demand through API function call SHA2-384 SHA-384 KAT CAST Module is Message digest Module (A4598) operational initialization or on demand through API function call SHA2-384 SHA-384 KAT CAST Module is Message digest Module (A4600) operational initialization or on demand through API function call SHA2-384 SHA-384 KAT CAST Module is Message digest Module (A4601) operational initialization or on demand through API function call SHA2-384 SHA-384 KAT CAST Module is Message digest Module (A4602) operational initialization or on demand through API function call SHA2-512 SHA-512 KAT CAST Module is Message digest Module (A4597) operational initialization or on demand through API function call SHA2-512 SHA-512 KAT CAST Module is Message digest Module (A4598) operational initialization or © 2025 Amazon Web Services, Inc./atsec information security.

Page 78

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type on demand through API function call SHA2-512 SHA-512 KAT CAST Module is Message digest Module (A4600) operational initialization or on demand through API function call SHA2-512 SHA-512 KAT CAST Module is Message digest Module (A4601) operational initialization or on demand through API function call SHA2-512 SHA-512 KAT CAST Module is Message digest Module (A4602) operational initialization or on demand through API function call PBKDF SHA-1 password length 24 KAT CAST Module is Password-based Module (A4597) characters, master key length of operational key derivation initialization or

200 bits, iteration count of 4096, on demand

and salt length of 288 bits; SHA- through API

256 password length 24 function call

characters, master key length of

320 bits, iteration count of 4096,

and salt length of 288 bits PBKDF SHA-1 password length 24 KAT CAST Module is Password-based Module (A4598) characters, master key length of operational key derivation initialization or

200 bits, iteration count of 4096, on demand

and salt length of 288 bits; SHA- through API

256 password length 24 function call

characters, master key length of

320 bits, iteration count of 4096,

and salt length of 288 bits © 2025 Amazon Web Services, Inc./atsec information security.

Page 79

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type PBKDF SHA-1 password length 24 KAT CAST Module is Password-based Module (A4600) characters, master key length of operational key derivation initialization or

200 bits, iteration count of 4096, on demand

and salt length of 288 bits; SHA- through API

256 password length 24 function call

characters, master key length of

320 bits, iteration count of 4096,

and salt length of 288 bits PBKDF SHA-1 password length 24 KAT CAST Module is Password-based Module (A4601) characters, master key length of operational key derivation initialization or

200 bits, iteration count of 4096, on demand

and salt length of 288 bits; SHA- through API

256 password length 24 function call

characters, master key length of

320 bits, iteration count of 4096,

and salt length of 288 bits PBKDF SHA-1 password length 24 KAT CAST Module is Password-based Module (A4602) characters, master key length of operational key derivation initialization or

200 bits, iteration count of 4096, on demand

and salt length of 288 bits; SHA- through API

256 password length 24 function call

characters, master key length of

320 bits, iteration count of 4096,

and salt length of 288 bits ECDSA Signature generation and PCT PCT Successful EC key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4597) ECDSA Signature generation and PCT PCT Successful EC key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4598) ECDSA Signature generation and PCT PCT Successful EC key pair Key generation KeyGen verification with SHA-256 key generation generation © 2025 Amazon Web Services, Inc./atsec information security.

Page 80

Algorithm Test Test Test Properties Indicator Details Conditions or Test Method Type (FIPS186-4) (A4600) ECDSA Signature generation and PCT PCT Successful EC key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4601) ECDSA Signature generation and PCT PCT Successful EC key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4602) RSA Signature generation and PCT PCT Successful RSA key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4597) RSA Signature generation and PCT PCT Successful RSA key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4598) RSA Signature generation and PCT PCT Successful RSA key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4600) RSA Signature generation and PCT PCT Successful RSA key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4601) RSA Signature generation and PCT PCT Successful RSA key pair Key generation KeyGen verification with SHA-256 key generation (FIPS186-4) generation (A4602) Table 21: Conditional Self-Tests The CASTs are run prior to performing the integrity test. Data output via the data output interface is inhibited during the execution of the conditional self-tests. © 2025 Amazon Web Services, Inc./atsec information security.

Page 81
10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity Whenever the Upon every power (A4597) Authentication module is powered on on HMAC-SHA2-256 Message SW/FW Integrity Whenever the Upon every power (A4598) Authentication module is powered on on HMAC-SHA2-256 Message SW/FW Integrity Whenever the Upon every power (A4600) Authentication module is powered on on HMAC-SHA2-256 Message SW/FW Integrity Whenever the Upon every power (A4601) Authentication module is powered on on HMAC-SHA2-256 Message SW/FW Integrity Whenever the Upon every power (A4602) Authentication module is powered on on Table 22: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A4597) KAT CAST On demand Manually AES-ECB (A4598) KAT CAST On demand Manually AES-ECB (A4600) KAT CAST On demand Manually AES-ECB (A4601) KAT CAST On demand Manually AES-ECB (A4597) KAT CAST On demand Manually AES-ECB (A4598) KAT CAST On demand Manually AES-ECB (A4600) KAT CAST On demand Manually AES-ECB (A4601) KAT CAST On demand Manually © 2025 Amazon Web Services, Inc./atsec information security.

Page 82

Algorithm or Test Test Method Test Type Period Periodic Method AES-CMAC (A4597) KAT CAST On demand Manually AES-CMAC (A4598) KAT CAST On demand Manually AES-CMAC (A4600) KAT CAST On demand Manually AES-CMAC (A4597) KAT CAST On demand Manually Counter DRBG KAT CAST On demand Manually (A4597) Counter DRBG KAT CAST On demand Manually (A4598) Counter DRBG KAT CAST On demand Manually (A4600) Counter DRBG KAT CAST On demand Manually (A4601) Hash DRBG (A4597) KAT CAST On demand Manually Hash DRBG (A4598) KAT CAST On demand Manually Hash DRBG (A4597) KAT CAST On demand Manually Hash DRBG (A4597) KAT CAST On demand Manually Hash DRBG (A4597) KAT CAST On demand Manually HMAC DRBG KAT CAST On demand Manually (A4597) HMAC DRBG KAT CAST On demand Manually (A4598) HMAC DRBG KAT CAST On demand Manually (A4600) HMAC DRBG KAT CAST On demand Manually (A4601) © 2025 Amazon Web Services, Inc./atsec information security.

Page 83

Algorithm or Test Test Method Test Type Period Periodic Method HMAC DRBG KAT CAST On demand Manually (A4602) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4597) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4598) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4600) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4601) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4602) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4597) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4598) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4600) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4601) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4602) HMAC-SHA-1 KAT CAST On demand Manually (A4596) HMAC-SHA-1 KAT CAST On demand Manually (A4597) HMAC-SHA-1 KAT CAST On demand Manually (A4598) © 2025 Amazon Web Services, Inc./atsec information security.

Page 84

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA-1 KAT CAST On demand Manually (A4599) HMAC-SHA-1 KAT CAST On demand Manually (A4600) HMAC-SHA-1 KAT CAST On demand Manually (A4601) HMAC-SHA-1 KAT CAST On demand Manually (A4602) HMAC-SHA2-224 KAT CAST On demand Manually (A4597) HMAC-SHA2-224 KAT CAST On demand Manually (A4598) HMAC-SHA2-224 KAT CAST On demand Manually (A4600) HMAC-SHA2-224 KAT CAST On demand Manually (A4601) HMAC-SHA2-224 KAT CAST On demand Manually (A4602) HMAC-SHA2-256 KAT CAST On demand Manually (A4597) HMAC-SHA2-256 KAT CAST On demand Manually (A4598) HMAC-SHA2-256 KAT CAST On demand Manually (A4600) HMAC-SHA2-256 KAT CAST On demand Manually (A4601) HMAC-SHA2-256 KAT CAST On demand Manually (A4602) © 2025 Amazon Web Services, Inc./atsec information security.

Page 85

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-384 KAT CAST On demand Manually (A4597) HMAC-SHA2-384 KAT CAST On demand Manually (A4598) HMAC-SHA2-384 KAT CAST On demand Manually (A4600) HMAC-SHA2-384 KAT CAST On demand Manually (A4601) HMAC-SHA2-384 KAT CAST On demand Manually (A4602) HMAC-SHA2-512 KAT CAST On demand Manually (A4597) HMAC-SHA2-512 KAT CAST On demand Manually (A4598) HMAC-SHA2-512 KAT CAST On demand Manually (A4600) HMAC-SHA2-512 KAT CAST On demand Manually (A4601) HMAC-SHA2-512 KAT CAST On demand Manually (A4602) HMAC-SHA3-224 KAT CAST On demand Manually (A4597) HMAC-SHA3-224 KAT CAST On demand Manually (A4597) HMAC-SHA3-224 KAT CAST On demand Manually (A4597) HMAC-SHA3-256 KAT CAST On demand Manually (A4597) © 2025 Amazon Web Services, Inc./atsec information security.

Page 86

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA3-256 KAT CAST On demand Manually (A4598) HMAC-SHA3-256 KAT CAST On demand Manually (A4602) HMAC-SHA3-384 KAT CAST On demand Manually (A4597) HMAC-SHA3-384 KAT CAST On demand Manually (A4598) HMAC-SHA3-384 KAT CAST On demand Manually (A4602) HMAC-SHA3-512 KAT CAST On demand Manually (A4597) HMAC-SHA3-512 KAT CAST On demand Manually (A4598) HMAC-SHA3-512 KAT CAST On demand Manually (A4602) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4597) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4598) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4597) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4601) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4602) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4597) © 2025 Amazon Web Services, Inc./atsec information security.

Page 87

Algorithm or Test Test Method Test Type Period Periodic Method RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4598) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4600) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4601) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4602) SHA-1 (A4596) KAT CAST On demand Manually SHA-1 (A4597) KAT CAST On demand Manually SHA-1 (A4598) KAT CAST On demand Manually SHA-1 (A4600) KAT CAST On demand Manually SHA-1 (A4601) KAT CAST On demand Manually SHA-1 (A4602) KAT CAST On demand Manually SHA2-224 (A4597) KAT CAST On demand Manually SHA2-224 (A4598) KAT CAST On demand Manually SHA2-224 (A4600) KAT CAST On demand Manually SHA2-224 (A4601) KAT CAST On demand Manually SHA2-224 (A4602) KAT CAST On demand Manually SHA2-256 (A4597) KAT CAST On demand Manually SHA2-256 (A4598) KAT CAST On demand Manually SHA2-256 (A4600) KAT CAST On demand Manually SHA2-256 (A4601) KAT CAST On demand Manually © 2025 Amazon Web Services, Inc./atsec information security.

Page 88

Algorithm or Test Test Method Test Type Period Periodic Method SHA2-256 (A4602) KAT CAST On demand Manually SHA2-384 (A4597) KAT CAST On demand Manually SHA2-384 (A4598) KAT CAST On demand Manually SHA2-384 (A4600) KAT CAST On demand Manually SHA2-384 (A4601) KAT CAST On demand Manually SHA2-384 (A4602) KAT CAST On demand Manually SHA2-512 (A4597) KAT CAST On demand Manually SHA2-512 (A4598) KAT CAST On demand Manually SHA2-512 (A4600) KAT CAST On demand Manually SHA2-512 (A4601) KAT CAST On demand Manually SHA2-512 (A4602) KAT CAST On demand Manually PBKDF (A4597) KAT CAST On demand Manually PBKDF (A4598) KAT CAST On demand Manually PBKDF (A4600) KAT CAST On demand Manually PBKDF (A4601) KAT CAST On demand Manually PBKDF (A4602) KAT CAST On demand Manually ECDSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4597) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4598) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4600) © 2025 Amazon Web Services, Inc./atsec information security.

Page 89

Algorithm or Test Test Method Test Type Period Periodic Method ECDSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4601) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4602) RSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4597) RSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4598) RSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4600) RSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4601) RSA KeyGen PCT PCT On demand Manually (FIPS186-4) (A4602) Table 23: Conditional Periodic Information

10.4 Error States

Recovery Name Description Conditions Indicator Method Error The module immediately stops Software integrity test Restart of Module will not load; state functioning due to a self-test failure the module Module stops functioning failure CAST failure for PCT failure PCT failure Fatal The module immediately halts all Random numbers are Restart of Module is aborted and is Error cryptographic operations and requested in the error the module not available for use state transits to shutdown state Cipher operations are requested on a deallocated handle Table 24: Error States © 2025 Amazon Web Services, Inc./atsec information security.

Page 90

The table above shows the error states and the corresponding condition. The calling application can obtain the module state by calling the gcry_control(GCRYCTL_OPERATIONAL_P) API function. The function returns FALSE if the module is in the Error state, TRUE if the module is in the Operational state. When the module fails any pre-operational self-test or conditional self-tests, the module will return an error code to indicate the error and enter the Error state. If random numbers are requested in the Error state or cipher operations are requested on a deallocated handle, the module will enter the Fatal Error state. Any further cryptographic operation and all data output via the data output interface are inhibited in both error states. Recovering from the Error state includes performing self-tests and restarting the module. The only way to transition from the Fatal Error state to the Operational state is to restart the cryptographic module.

10.5 Operator Initiation of Self-Tests

The module provides the Self-Test service to perform self-tests as stated in Section 5.2 Initiate on Demand. During the execution of the on-demand self-tests, services are not available, and data output is not possible. Additionally, the PCTs can be invoked on demand by requesting the asymmetric key generation services. © 2025 Amazon Web Services, Inc./atsec information security.

Page 91
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Crypto Officer can install the RPM package of the module as listed in Section 11.2 Administrator Guidance using standard tools recommended for the installation of RPM packages on an Amazon Linux 2023 or SnowOS

1.0 system (for example, dnf, rpm, and the RHN remote management tool). The integrity of the RPM package is

automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error. Before the RPM package of the module is installed, the Amazon Linux 2023 and SnowOS 1.0 systems must operate in the FIPS validated configuration. This can be achieved by executing the fips-mode-setup --enable command and then restarting the system. More information can be found at the vendor documentation. The Crypto Officer must verify the Amazon Linux 2023 and SnowOS 1.0 system operates in the FIPS validated configuration by executing the fips-mode-setup --check command, which should output “FIPS mode is enabled.”

11.2 Administrator Guidance

The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow Section 11.1 Installation, Initialization, and Startup Procedures to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. The following RPM packages contain the FIPS validated module:

Page 92
11.3 Non-Administrator Guidance

There is no non-administrator guidance. The administrator guidance is specified in section 11.2

11.4 Design and Rules

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the libgcrypt-1.10.2-1.amzn2023.0.2 RPM package can be uninstalled from the Amazon Linux 2023 and SnowOS 1.0 systems. © 2025 Amazon Web Services, Inc./atsec information security.

Page 93
12 Mitigation of Other Attacks
12.1 Attack List

RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack.

12.2 Mitigation Effectiveness

The module implements blinding against RSA Timing Attacks. By default, the module uses the following blinding technique: instead of using the RSA decryption directly, a blinded value y = x re mod n is decrypted and the unblinded value x' = y' r−1 mod n returned. The blinding value r is a random value with the size of the modulus n.

12.3 Guidance and Constraints
12.4 Additional Information

Not applicable. © 2025 Amazon Web Services, Inc./atsec information security.

Page 94

Appendix A. Approved Public Key Flags Below are listed the approved public key flags for an input s-expression: curve d data e ecdsa flags sig-val genkey hash n nbits pkcs1 private-key value pss public-key q r raw rsa salt-length rsa-use-e s © 2025 Amazon Web Services, Inc./atsec information security.

Page 95

Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DF Derivation Function DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSP Public Security Parameter PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm © 2025 Amazon Web Services, Inc./atsec information security.

Page 96

SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Amazon Web Services, Inc./atsec information security.

Page 97

Appendix C. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/detail/sp/800-38b/final © 2025 Amazon Web Services, Inc./atsec information security.

Page 98

SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-90Arev1 NIST Special Publication 800-90A