All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Amazon Linux 2023 NSS Cryptographic Module

Certificate#5014StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorAmazon Web Services, Inc.
Low review priority  ·  no TCB surface named  ·  NSS upstream has published 0 CVEs since this module's initial validation  ·  last validated 5 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date5/1/2030
CaveatWhen operated in approved mode and installed, initialized and configured as specified in Section 11 of the Security Policy.
VendorAmazon Web Services, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Amazon Linux 2023 NSS Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>UnAuth<br/>Status Output<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Amazon Linux 2023 NSS Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>UnAuth<br/>Status Output<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Amazon Web Services, Inc. Amazon Linux 2023 NSS Cryptographic Module FIPS 140 -3 Non -Proprietary Security Policy Document Version 1. 2 Last update: 202 5-12 -08 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Table of Contents © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 o f 4 9

Page 3

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 o f 4 9

Page 4

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y List of Tables Ta b le 2 : Te s t e d Mo d u le Id e n t ific a t io n

Page 5

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y List of Figures © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 5 o f 4 9

Page 6

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Amazon is a registered trademark of Amazon Web Services, Inc. or its affiliates. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 6 o f 4 9

Page 7

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

1 General
1.1 Overview

This document is the non -proprietary FIPS 140 -3 Security Policy for version 3.90.0 3e9a8358c972db98 of the Amazon Linux 2023 NSS Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140 -3 (Federal Information Processing Standards Publication 140 -3) for an overall Security Level 1 module. This Non -Proprietary Security Policy may be reproduced and distributed, but only whole and intact and including this notice. Other documentation is proprietary to their authors.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non -invasive security N/A

9 Sensitive security parameter management 1

10 Self -tests 1

11 Life -cycle assurance 1

12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

This Security Policy describes the features and design of the module named Amazon Linux

2023 NSS Cryptographic Module using the terminology contained in the FIPS 140 -3

specification. The FIPS 140 -3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptogra phic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS

140 -3. Validated products are accepted by the Federal agenc ies of both the USA and Canada

for the protection of sensitive or designated information. This Non -Proprietary Security Policy may be reproduced and distributed, but only whole and intact and including this notice. Other documentation is proprietary to their authors. The vendor has provided the non -proprietary Security Policy of the cryptographic module, which was further consolidated into this document by atsec information security together with other vendor -supplied documentation. In preparing the Security Policy doc ument, the laboratory formatted the vendor -supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 7 o f 4 9

Page 8

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y d o c u m e n t wa s c o n d u c t e d it e ra t ive ly t h ro u g h o u t t h e c o n fo rm a n c e t e s t in g , wh e re in t h e Se c u rit y Po lic y wa s s u b m it t e d t o t h e ve n d o r, wh o wo u ld t h e n e d it , m o d ify, a n d a d d t e c h n ic a l c o n t e n t s . Th e ve n d o r wo u ld a ls o s u p p ly a d d it io n a l d o c u m e n t a t io n , wh ic h t h e la b o ra t o ry fo rm a t t e d in t o t h e e xis t in g Se c u rit y Po lic y, a n d re s u b m it t e d t o t h e ve n d o r fo r t h e ir fin a l e d it in g . © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 8 o f 4 9

Page 9

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Amazon Linux 2023 NSS Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) designed to support cross platform development of security -enabled client and server applications. Applications built with NSS can support SSLv3, TLS, IKEv2, PKCS#5, PKCS#7, PKCS#11, PKCS#12, S/MIME, X.509 v3 certificates, and other security standards supporting FIPS 140 -3 validated cryptographic algorithms. It combines a vertical stack of Linux components intended to limit the external interface each separate component may provide. Module Type : Software Module Embodiment : MultiChipStand Module Characteristics : Cryptographic Boundary: Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general -purpose comput er on which the module is installed) is indicated by a purple dashed line. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 9 o f 4 9

Page 10

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Figure 1: Block Diagram The cryptographic boundary is represented by the components painted in orange blocks, which consists of two software components:

  1. The Softoken library, which provides a PKCS#11 token API (libsoftokn3.so), and its associated integrity check value (libsoftokn3.chk).
  2. The Freebl cryptographic library, which implements most cryptographic algorithms used by Softoken (libfreeblpriv3.so), and its associated integrity check value (libfreeblpriv3.chk). Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section
  3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issue d by the module itself, as well as other applications using the module for cryptographic services. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general -purpose computer on which the module is installed. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 0 o f 4 9
Page 11

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components

There are no components excluded from the requirements of the FIPS 140 -3 standard.

2.4 Modes of Operation

Modes List and Description: © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 1 o f 4 9

Page 12

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Mode Name Description Type Status Indicator Approved mode of Automatically entered whenever an Approved Equivalent to the indicator of the operation approved service is requested requested service as defined in section 4.3 Non -approved mode Automatically entered whenever a non - Non - Equivalent to the indicator of the of operation approved service is requested Approved requested service as defined in section 4.3 Table 4: Modes List and Description After passing all pre -operational self -tests and cryptographic algorithm self -tests executed on start -up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. Mode Change Instructions and Status: The module automatically switches between the approved and non -approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A4576, Direction - Decrypt, Encrypt SP 800 -38A A4583, Key Length - 128, 192, 256 A4585 AES-CBC-CS1 A4581 Direction - decrypt, encrypt SP 800 -38A Key Length - 128, 192, 256 AES-CMAC A4578 Direction - Generation, Verification SP 800 -38B Key Length - 128, 192, 256 AES-CTR A4576, Direction - Decrypt, Encrypt SP 800 -38A A4585 Key Length - 128, 192, 256 AES-ECB A4576, Direction - Decrypt, Encrypt SP 800 -38A A4583, Key Length - 128, 192, 256 A4585 AES-GCM A4576, Direction - Decrypt, Encrypt SP 800 -38D A4585 IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GCM A4583 Direction - Decrypt, Encrypt SP 800 -38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A4577, Direction - Decrypt, Encrypt SP 800 -38F A4582, Key Length - 128, 192, 256 A4584 AES-KWP A4577, Direction - Decrypt, Encrypt SP 800 -38F A4582, Key Length - 128, 192, 256 A4584 © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 2 o f 4 9

Page 13

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Algorithm CAVP Cert Properties Reference DSA SigVer A4576 L - 2048 FIPS 186 -4 (FIPS186 -4) N - 224, 256 Hash Algorithm - SHA-1, SHA2 -224, SHA2 -256, SHA2-384, SHA2 -512 ECDSA KeyGen A4576 Curve - P-256, P -384, P -521 FIPS 186 -4 (FIPS186 -4) Secret Generation Mode - Extra Bits ECDSA SigGen A4576 Component - No FIPS 186 -4 (FIPS186 -4) Curve - P-256, P -384, P -521 Hash Algorithm - SHA2 -224, SHA2 -256, SHA2 -384, SHA2 -512 ECDSA SigVer A4576 Component - No FIPS 186 -4 (FIPS186 -4) Curve - P-256, P -384, P -521 Hash Algorithm - SHA-1, SHA2 -224, SHA2 -256, SHA2 -384, SHA2 -512 Hash DRBG A4576 Prediction Resistance - No, Yes SP 800 -90A Mode - SHA2-256 Rev. 1 HMAC-SHA2 -224 A4576 Key Length - Key Length: 112 -524288 Increment 8 FIPS 198 -1 HMAC-SHA2 -256 A4576 Key Length - Key Length: 112 -524288 Increment 8 FIPS 198 -1 HMAC-SHA2 -384 A4576 Key Length - Key Length: 112 -524288 Increment 8 FIPS 198 -1 HMAC-SHA2 -512 A4576 Key Length - Key Length: 112 -524288 Increment 8 FIPS 198 -1 KAS-ECC-SSC A4576 Domain Parameter Generation Methods - P-256, P -384, P -521 SP 800 -56A Sp800 -56Ar3 Scheme - Rev. 3 ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A4576 Domain Parameter Generation Methods - ffdhe2048, ffdhe3072, SP 800 -56A Sp800 -56Ar3 ffdhe4096, ffdhe6144, ffdhe8192, MODP -2048, MODP -3072, MODP - Rev. 3 4096, MODP -6144, MODP -8192 Scheme dhEphem KAS Role - initiator, responder KDA HKDF A4575 Derived Key Length - 2048 SP 800 -56C Sp800 -56Cr1 Shared Secret Length - Shared Secret Length: 224 -65336 Increment Rev. 2 HMAC Algorithm - SHA2 -224, SHA2 -256, SHA2 -384, SHA2 -512 KDF IKEv2 (CVL) A4580 Diffie -Hellman Shared Secret Length - Diffie -Hellman Shared Secret SP 800 -135 Length: 224, 2048, 8192 Rev. 1 Derived Keying Material Length - Derived Keying Material Length: 1056, 3072 Hash Algorithm - SHA-1, SHA2 -256, SHA2 -384, SHA2 -512 KDF SP800 -108 A4579 KDF Mode - Counter, Double Pipeline Iteration, Feedback SP 800 -108 Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096 Rev. 1 KDF TLS (CVL) A4576 TLS Version - v1.0/1.1 SP 800 -135 Rev. 1 PBKDF A4576 Iteration Count - Iteration Count: 1000 -10000 Increment 1 SP 800 -132 Password Length - Password Length: 8 -128 Increment 1 RSA KeyGen A4576 Key Generation Mode - B.3.3 FIPS 186 -4 (FIPS186 -4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.3 Private Key Format - Standard RSA SigGen A4576 Signature Type - PKCS 1.5, PKCSPSS FIPS 186 -4 (FIPS186 -4) Modulo - 2048, 3072, 4096 RSA SigVer A4576 Signature Type - PKCS 1.5, PKCSPSS FIPS 186 -4 (FIPS186 -2) Modulo - 1024, 1536 RSA SigVer A4576 Signature Type - PKCS 1.5, PKCSPSS FIPS 186 -4 (FIPS186 -4) Modulo - 2048, 3072, 4096 Safe Primes Key A4576 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, SP 800 -56A Generation ffdhe8192, MODP -2048, MODP -3072, MODP -4096, MODP -6144, Rev. 3 MODP-8192 SHA2-224 A4576 Message Length - Message Length: 0 -65536 Increment 8 FIPS 180 -4 Large Message Sizes - 1, 2, 4, 8 © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 3 o f 4 9

Page 14

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Algorithm CAVP Cert Properties Reference SHA2-256 A4576 Message Length - Message Length: 0 -65536 Increment 8 FIPS 180 -4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4576 Message Length - Message Length: 0 -65536 Increment 8 FIPS 180 -4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4576 Message Length - Message Length: 0 -65536 Increment 8 FIPS 180 -4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A4576 Hash Algorithm - SHA2 -256, SHA2 -384, SHA2 -512 SP 800 -135 RFC7627 (CVL) Rev. 1 Table 5: Approved Algorithms Vendor -Affirmed Algorithms: Name Properties Implementation Reference Cryptographic Key Generation Key Type :Symmetric and N/A SP 800 -133r2 Section 4, 5.1, (CKG) Asymmetric 5.2, 6.1 Table 6: Vendor -Affirmed Algorithms Non -Approved, Allowed Algorithms: N/A for this module. Non -Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed per IG 2.4.A. Message digest used in TLS 1.0/1.1 KDF only Table 7: Non -Approved, Allowed Algorithms with No Security Claimed Non -Approved, Not Allowed Algorithms: Name Use and Function RC2, RC4, DES, Triple -DES, CDMF, Camellia, SEED, ChaCha20( -Poly1305) Encryption, Decryption AES GCM (external IV) Encryption CBC-MAC, AES XCBC-MAC, AES XCBC -MAC-96 Message Authentication HMAC (MD2, MD5, SHA -1; < 112 -bit keys) Message Authentication HMAC/SSLv3 MAC (constant -time implementation) Message Authentication MD2, MD5, SHA -1, SHA -224, SHA -256, SHA -384, SHA -512, DES, Triple -DES, AES, Camellia, Key Derivation SEED, ANS X9.63 KDF (SHA -1, SHA -224, SHA -256, SHA -384, SHA -512), SSL 3 PRF (MD5, SHA 1), IKEv1 PRF (AES XCBC -MAC, MD2, MD5, SHA -1, SHA -224, SHA -256, SHA -384, SHA -512) KBKDF, HKDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF, IKEv2 KDF (< 112 -bit keys) Key Derivation KBKDF (MD2, MD5) Key Derivation TLS 1.2 KDF (without extended master secret) Key Derivation IKEv2 KDF (MD2, MD5) Key Derivation PKCS#5 PBE, PKCS#12 PBE Password -based Key Derivation PBKDF2 (password<8 characters, salt<128 bits, iteration count<1000, or key<112 bits) Password -based Key Derivation J-PAKE Shared Secret Computation © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 4 o f 4 9

Page 15

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Use and Function DH (Shared secret computation; FIPS 186 -type groups) Shared Secret Computation ECDH (Shared secret computation; P -192) Shared Secret Computation DSA (SigGen) Signature Generation RSA (SigGen primitive; PKCS#1 v1.5 or PSS with MD2, MD5) Signature Generation ECDSA (SigGen; P -192) Signature Generation RSA (encryption) Asymmetric Encryption DSA (parameter generation) Parameter Generation DH (KeyGen, FIPS 186 -type groups) Key Pair Generation RSA (KeyGen, modulus < 2048 bits) Key Pair Generation ECDSA (KeyGen, P -192) Key Pair Generation Symmetric Key Generation (< 112 bits) Secret Key Generation MD2, MD5, SHA -1 Message Digest RSA (SigVer primitive; PKCS#1 v1.5 or PSS with MD2, MD5) Signature Verification ECDSA (SigVer; P -192) Signature verification RSA (decryption) Asymmetric Decryption DSA (parameter verification) Parameter verification DSA (key pair generation) Key Pair Generation Table 8: Non -Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms SHA SHA Hash function Reference:FIPS 180 -4 SHA2-224 SHA2-256 SHA2-384 SHA2-512 AES (ECB, CBC, CBC - BC-UnAuth Block cipher References:FIPS 197, AES-ECB CS1, CTR) SP 800 -38A, SP 800 - AES-ECB 38A Addendum AES-ECB AES-CBC AES-CBC AES-CBC AES-CBC-CS1 AES-CTR AES-CTR AES (KW, KWP) BC-Auth Block cipher References:FIPS 197, AES-KW SP 800 -38F AES-KWP AES-KW AES-KWP © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 5 o f 4 9

Page 16

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Type Description Properties Algorithms AES-KW AES-KWP AES (GCM, encryption, BC-Auth Block cipher References:FIPS 197, AES-GCM internal IV) SP 800 -38D AES-GCM AES-GCM AES (CMAC) MAC Message References:FIPS 197, AES-CMAC authentication code SP 800 -38B based on AES HMAC MAC Keyed -hash message Reference:FIPS 198 -1 HMAC-SHA2 -256 authentication code HMAC-SHA2 -384 HMAC-SHA2 -512 HMAC-SHA2 -224 KBKDF KBKDF Key -based key Reference:SP 800 - KDF SP800 -108 derivation function 108r1 TLS 1.0/1.1 KDF, TLS KAS-135KDF KDF component Reference:SP 800 - KDF TLS

1.2 KDF (CVL) 135r1 TLS v1.2 KDF

RFC7627 HKDF KAS-56CKDF HMAC-based key Reference:SP 800 - KDA HKDF Sp800 derivation function 56Cr1 56Cr1 PBKDF2 PBKDF Password -based key Reference:SP 800 -132 PBKDF derivation function Hash DRBG DRBG Random number Reference:SP 800 - Hash DRBG generation 90Ar1 Compliance:SP800 90ARev1 KAS-FFC-SSC KAS-SSC Diffie -Helman shared Reference:SP 800 - KAS-FFC-SSC Sp800 secret computation 56Ar3 56Ar3 Compliance:IG D.F Scenario 2(1) KAS-ECC-SSC KAS-SSC EC Diffie -Helman Reference:SP 800 - KAS-ECC-SSC Sp800 shared secret 56Ar3 56Ar3 computation Compliance:IG D.F Scenario 2(1) DSA SigVer (Legacy) DigSig -SigVer DSA signature Reference:FIPS 186 -4 DSA SigVer (FIPS186 verification Compliance:FIPS 140 - 4)

3 IG C.M legacy L: 2048 bits

algorithms N: 256 Hash Algorithm: SHA2-256 RSA SigGen DigSig -SigGen RSA signature Reference:FIPS 186 -4 RSA SigGen (FIPS186 generation

  1. RSA SigVer DigSig -SigVer RSA signature Reference:FIPS 186 -4 RSA SigVer (FIPS186 verification
  2. ECDSA SigGen DigSig -SigGen ECDSA signature Reference:FIPS 186 -4 ECDSA SigGen generation (FIPS186 -4) ECDSA SigVer DigSig -SigVer ECDSA signature Reference:FIPS 186 -4 ECDSA SigVer verification (FIPS186 -4) AES (GCM, decryption, BC-Auth Block cipher References:FIPS 197, AES-GCM external IV) SP 800 -38D AES-GCM AES-GCM AES-KW, AES-KWP, KTS-Wrap Key wrapping Reference:SP 800 - AES-KW AES-GCM (KTS, key 38F, SP 800 -38D AES-KWP wrapping) Compliance:IG D.G AES-KW Caveat:key AES-KWP establishment AES-KW methodology provides AES-KWP between 128 and 256 AES-GCM © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 6 o f 4 9
Page 17

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Type Description Properties Algorithms bits of security AES-GCM strength AES-GCM AES-KW, AES-KWP, KTS-Wrap Key unwrapping Reference:SP 800 -38D AES-GCM AES-GCM (KTS, key Compliance:IG D.G AES-GCM unwrapping) Keys :128, 192, 256 AES-GCM bits with 128 -256 bits AES-KW of keys strength AES-KWP Caveat:key AES-KW establishment AES-KWP methodology provides AES-KW between 128 and 256 AES-KWP bits of security strength Hash DRBG CKG Symmetric Key Reference:SP 800 - Hash DRBG (symmetric key Generation 133r2 section 6.1 generation) RSA KeyGen (key pair AsymKeyPair -KeyGen Key pair generation Reference:FIPS 186 -4 RSA KeyGen (FIPS186 generation) CKG with RSA

  1. ECDSA KeyGen (key AsymKeyPair -KeyGen Key pair generation Reference:FIPS 186 -4 ECDSA KeyGen pair generation) CKG with ECDSA (FIPS186 -4) Safe Primes Key AsymKeyPair -KeyGen Key pair generation Reference:SP800 - Safe Primes Key Generation (key pair CKG with Safe Primes 56Ar3 Generation generation) IKEv2 KDF (CVL) KAS-135KDF KDF component Reference:SP 800 - KDF IKEv2 135r1 RSA SigVer (Legacy) DigSig -SigVer Legacy digital Reference:FIPS186 -2, RSA SigVer (FIPS186 signature verification FIPS186 -4
  2. Compliance:FIPS 140 - RSA SigVer (FIPS186 -
3 IG C.M legacy 4)

algorithms Modulo: 1024 Hash Algorithm: SHA ECDSA SigVer DigSig -SigVer Legacy digital Reference:FIPS186 -4 ECDSA SigVer (Legacy) signature verification Compliance:FIPS 140 - (FIPS186 -4)

3 IG C.M legacy Hash Algorithm: SHA -

algorithms 1 Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140 -3 IG C.H. NSS is compliant with SP 800 -52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce _explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 7 o f 4 9

Page 18

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Alt e rn a t ive ly, t h e Cryp t

3 IG C.H. Th e p ro t o c o l t h a t p ro vid e s t h is c o m p lia n c e is TLS 1 .3 , d e fin e d in RFC8 4 4 6 o f

Au g u s t 2 0 1 8 , u s in g t h e c ip h e r-s u it e s t h a t e xp lic it ly s e le c t AES GCM a s t h e e n c ryp t io n /d e c ryp t io n c ip h e r (Ap p e n d ix B.4 o f RFC8 4 4 6 ). Th e m o d u le s u p p o rt s a c c e p t a b le AES GCM c ip h e r s u it e s fro m Se c t io n 3 .3 .1 o f SP8 0 0 -5 2 r2 . TLS 1 .3 e m p lo ys s e p a ra t e 6 4 -b it s e q u e n c e n u m b e rs , o n e fo r p ro t o c o l re c o rd s t h a t a re re c e ive d , a n d o n e fo r p ro t o c o l re c o rd s t h a t a re s e n t t o a p e e r. Th e s e s e q u e n c e n u m b e rs a re s e t a t ze ro a t t h e b e g in n in g o f a TLS

1 .3 c o n n e c t io n a n d e a c h t im e wh e n t h e AES-GCM ke y is c h a n g e d . Aft e r re a d in g o r writ in g a

re c o rd , t h e re s p e c t ive s e q u e n c e n u m b e r is in c re m e n t e d b y o n e . Th e p ro t o c o l s p e c ific a t io n d e t e rm in e s t h a t t h e s e q u e n c e n u m b e r s h o u ld n o t wra p , a n d if t h is c o n d it io n is o b s e rve d , t h e n t h e p ro t o c o l im p le m e n t a t io n m u s t e it h e r t rig g e r a re -ke y o f t h e s e s s io n (i.e ., a n e w ke y fo r AES-GCM) o r t e rm in a t e t h e c o n n e c t io n .

2.7.2 PBKDF2

The module provides password -based key derivation (PBKDF2), compliant with SP 800 -132. The module supports option 1a from Section 5.4 of SP 800 -132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accor dance to SP 800 -132 and FIPS 140 -3 IG D.N, the following requirements shall be met:

Page 19

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

2.7.3 SP 800 -56Ar3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800 -56Ar3, the operator must use the module together with an application that implements the TLS protocol. Additionally, the module’s approved Key Pair Generation service (see the Approved Services table) must be used to generate ephemeral Diffie -Hellman or EC Diffie -Hel lman key pairs, or the key pairs must be obtained from another FIPS -validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800 56Ar3.

2.7.4 KAS -SSC

The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.

2.7.5 Legacy Algorithms

Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140 -3 IG C.M .

2.8 RBG and Entropy

Cert Vendor Number Name E124 Amazon Table 10 : Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Amazon Userspace Non - Amazon Linux 2023 on EC2 c7g.metal 256 bits Full SHA3-256 (A4551); CPU Time Jitter RNG Physical on AWS Graviton3; Amazon Linux 2023 entropy HMAC-SHA-512 DRBG Entropy Source on EC2 c6i.metal on Intel Xeon Platinum (A4551) 8375C Table 11 : Entropy Sources The module employs a Deterministic Random Bit Generator (DRBG) implementation based on SP 800 -90Ar1. This DRBG is used internally by the module (e.g. to generate symmetric keys, seeds for asymmetric key pairs, and random numbers for security functions). It can also be accessed using the specified API functions. The DRBG implemented is a SHA -256 Hash_DRBG, seeded by the entropy source described in the Entropy Sources table. It does not employ prediction resistance. The DRBG is seeded with 440 bits of entropy and reseeded with 440 bits. The entropy source is located within the module’s physical perimeter, but outside of the module’s cryptographic boundary.

2.9 Key Generation

The module implements the key generation methods as specified in the Vendor -Affirmed Cryptographic Algorithms table and the Security Function Implementations table. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 1 9 o f 4 9

Page 20

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

2.10 Key Establishment

The module implements the SSP establishment methods as specified in the Security Function Implementations table.

2.11 Industry Protocols

GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.0/1.1 and 1.2 key derivation functions for use in the TLS protocol. The module implements the IKEv2 key derivation function for use in the IPSec protocol (RFC 5996). For Diffie -Hellman, the module supports the use of the following safe primes:

1 6 ), MODP-6 1 4 4 (ID = 1 7 ), MODP-8 1 9 2 (ID = 1 8 )
2 5 8 ), ffd h e 6 1 4 4 (ID = 2 5 9 ), ffd h e 8 1 9 2 (ID = 2 6 0 )

No o t h e r p a rt s o f t h e TLS o r IPSe c p ro t o c o ls , o t h e r t h a n t h e KDFs m e n t io n e d a b o ve , h a ve b e e n t e s t e d b y t h e CAVP a n d CMVP. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 0 o f 4 9

Page 21

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters N/A Data Output API output parameters N/A Control Input API function calls, API input parameters for control input N/A Status Output API return codes Table 12 : Ports and Interfaces The module does not have a control output interface. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 1 o f 4 9

Page 22

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 13 : Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Description Indicator Inputs Outputs Security SSP Access Functions Message Compute a CKS_NSS_FIPS_OK Message Digest value SHA Crypto Digest message Officer digest Encryption Encrypt a CKS_NSS_FIPS_OK AES key, Ciphertext AES (ECB, Crypto plaintext plaintext CBC, CBC- Officer CS1, CTR) - AES key: W,E Decryption Decrypt a CKS_NSS_FIPS_OK AES key, Plaintext AES (ECB, Crypto ciphertext ciphertext CBC, CBC- Officer CS1, CTR) - AES key: W,E Authenticated Encrypt a CKS_NSS_FIPS_OK Inputs of GCM: Outputs of AES (KW, Crypto Encryption plaintext AES key, IV, GCM: KWP) Officer plaintext; Inputs Ciphertext, AES (GCM, - AES key: of KW, KWP: AES MAC tag; encryption, W,E key, plaintext Outputs of KW, internal IV) KWP: Ciphertext Authenticated Decrypt a CKS_NSS_FIPS_OK Inputs of GCM: Outputs of AES (KW, Crypto Decryption ciphertext AES key, IV, GCM: Plaintext KWP) Officer MAC tag, or fail; Outputs AES (GCM, - AES key: ciphertext; of KW, KWP: decryption, W,E Inputs of KW, Plaintext external IV) KWP: AES key, ciphertext Key Wrapping Wrap a CSP CKS_NSS_FIPS_OK Inputs of KW, Outputs of KW, AES-KW, AES- Crypto KWP: AES key, KWP: Wrapped KWP, AES- Officer any CSP (except CSP; Outputs GCM (KTS, - AES key: for password); of GCM: key W,E Inputs of GCM: Wrapped CSP, wrapping) AES key, IV, any MAC tag CSP (except for password) Key Unwrap a CSP CKS_NSS_FIPS_OK Inputs of GCM: Outputs of AES-KW, AES- Crypto Unwrapping AES key, IV, GCM: KWP, AES- Officer © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 2 o f 4 9

Page 23

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Indicator Inputs Outputs Security SSP Access Functions MAC tag, Unwrapped GCM (KTS, - AES key: wrapped CSP; CSP or fail; key W,E Inputs of KW, Outputs of KW, unwrapping) KWP: AES key, KWP: wrapped CSP Unwrapped CSP Message Compute a CKS_NSS_FIPS_OK Inputs of AES - MAC tag AES (CMAC) Crypto Authentication MAC tag CMAC: AES key, HMAC Officer message. Inputs - AES key: of HMAC: HMAC W,E key, message - HMAC key: W,E Password - Derive a key CKS_NSS_FIPS_OK Password, salt, PBKDF derived PBKDF2 Crypto based Key from a iteration count key Officer Derivation password - Password: W,E - PBKDF derived key: G Random Generate CKR_OK Output length Random bytes Hash DRBG Crypto Number random bytes Officer Generation - Entropy input: W,E - DRBG seed: G,E - Internal state (V, C): G,W,E Shared Secret Compute a CKS_NSS_FIPS_OK Inputs of KAS - Shared secret KAS-FFC-SSC Crypto Computation shared secret FFC-SSC: DH KAS-ECC-SSC Officer private key - EC private (owner), DH key: W,E public key - EC public (peer). Inputs of key: W,E KAS-ECC-SSC: - Shared EC private key secret: G (owner), EC - DH private public key (peer) key: W,E - DH public key: W,E Signature Generate a CKS_NSS_FIPS_OK Inputs of RSA Signature RSA SigGen Crypto Generation signature SigGen: RSA ECDSA Officer private key, SigGen - RSA private message. Inputs key: W,E of ECDSA - EC private SigGen: EC key: W,E private key, message Signature Verify a Indicator of DSA Inputs of DSA Pass/fail DSA SigVer Crypto Verification signature SigVer: CKR_OK. SigVer: DSA (Legacy) Officer Indicator of RSA public key, RSA SigVer - DSA public SigVer: message, ECDSA key: W,E CKS_NSS_FIPS_OK. signature. Inputs SigVer - RSA public Indicator of ECDSA of RSA SigVer: RSA SigVer key: W,E SigVer: RSA public key, (Legacy) - EC public CKS_NSS_FIPS_OK message, ECDSA key: W,E signature. Inputs SigVer of ECDSA (Legacy) SigVer: EC public key, © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 3 o f 4 9

Page 24

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Indicator Inputs Outputs Security SSP Access Functions message, signature. Secret Key Generate a CKS_NSS_FIPS_OK Key size AES key, HMAC Hash DRBG Crypto Generation symmetric key, or Key - (symmetric Officer key derivation key key - AES key: G generation) - HMAC key: G - Key derivation key: G Key Pair Generate a CKS_NSS_FIPS_OK Safe Primes Key Safe Primes RSA KeyGen Crypto Generation key pair Generation: Key (key pair Officer Group; RSA Generation: DH generation) - DH private KeyGen: public & ECDSA key: G Modulus size; private key; KeyGen (key - DH public ECDSA KeyGen: RSA KeyGen: pair key: G Curve RSA public & generation) - EC private private key; Safe Primes key: G ECDSA Key - EC public KeyGen: EC Generation key: G public & (key pair - RSA private private key generation) key: G - RSA public key: G Intermediate key generation value: G,E,Z Show Version Return the None N/A Module name None Crypto module name and version Officer and version information information Show Status Return the None N/A Module status None Crypto module Officer status Self -Test Perform the None N/A Pass/fail SHA Crypto CASTs and AES (ECB, Officer integrity tests CBC, CBCCS1, CTR) AES (GCM, encryption, internal IV) AES (CMAC) HMAC KBKDF TLS 1.0/1.1 KDF, TLS 1.2 KDF (CVL) HKDF PBKDF2 Hash DRBG KAS-FFC-SSC KAS-ECC-SSC DSA SigVer (Legacy) RSA SigGen RSA SigVer ECDSA SigGen ECDSA SigVer © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 4 o f 4 9

Page 25

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Indicator Inputs Outputs Security SSP Access Functions AES (GCM, decryption, external IV) Hash DRBG (symmetric key generation) RSA KeyGen (key pair generation) ECDSA KeyGen (key pair generation) Safe Primes Key Generation (key pair generation) IKEv2 KDF (CVL) RSA SigVer (Legacy) ECDSA SigVer (Legacy) Zeroization Zeroize any None Any SSP None None Crypto SSP Officer - AES key: Z - HMAC key: Z - Key derivation key: Z - Shared secret: Z - Password: Z - PBKDF derived key: Z - Entropy input: Z - DRBG seed: Z - Internal state (V, C): Z - DH private key: Z - DH public key: Z - EC private key: Z - EC public key: Z - DSA public key: Z - RSA private key: Z - RSA public key: Z Intermediate © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 5 o f 4 9

Page 26

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Indicator Inputs Outputs Security SSP Access Functions key generation value: Z - HKDF Derived key: Z - KBKDF derived key: Z - TLS derived key: Z - IKEv2 derived key: Z Key -based Key Derive a key CKS_NSS_FIPS_OK Key -derivation KBKDF derived KBKDF Crypto Derivation from a key - key key Officer derivation - Key key derivation key: W,E - KBKDF derived key: G HMAC-based Derive a key CKS_NSS_FIPS_OK Shared secret HKDF derived HKDF Crypto Key Derivation from a shared key Officer secret - Shared secret: W,E - HKDF Derived key: G IKEv2 Key Derived a key CKS_NSS_FIPS_OK Shared secret IKEv2 derived IKEv2 KDF Crypto Derivation from a shared key (CVL) Officer secret - Shared secret: W,E - IKEv2 derived key: G TLS Key Derive a key CKS_NSS_FIPS_OK Shared secret TLS derived TLS 1.0/1.1 Crypto Derivation from a shared key KDF, TLS 1.2 Officer secret KDF (CVL) - Shared secret: W,E - TLS derived key: G Table 14 : Approved Services The following convention is used to specify access rights to SSPs:

1 . Th e s e s s io n in d ic a t o r, wh ic h m u s t b e u s e d fo r a ll c ryp t o g ra p h ic s e rvic e s e xc e p t

t h e Ke y De riva t io n s e rvic e . It c a n b e a c c e s s e d b y in vo kin g t h e © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 6 o f 4 9

Page 27

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y NSC_NSSGe t FIPSSt a t u s fu n c t io n wit h t h e CKT_NSS_SESSION_LAST_CHECK p a ra m e t e r. If t h e o u t p u t p a ra m e t e r is s e t t

2 . Th e o b je c t in d ic a t o r, wh ic h m u s t b e u s e d fo r t h e Ke y De riva t io n s e rvic e . It c a n b e

a c c e s s e d b y in vo kin g t h e NSC_NSSGe t FIPSSt a t u s fu n c t io n wit h t h e CKT_NSS_OBJECT_CHECK p a ra m e t e r a n d t h e o u t p u t d e rive d ke y. If t h e o u t p u t p a ra m e t e r is s e t t

3 . Th e Ra n d o m Nu m b e r Ge n e ra t io n s e rvic e in d ic a t o r, wh ic h m u s t b e u s e d fo r t h e

Ra n d o m Nu m b e r Ge n e ra t io n s e rvic e . It c a n b e a c c e s s e d b y in vo kin g t h e C_Se e d Ra n d o m o r C_Ge n e ra t e Ra n d o m fu n c t io n s . If a n y o f t h e s e fu n c t io n s re t u rn s CKR_OK, t h e s e rvic e wa s a p p ro ve d .

4 . Th e DSA Sig n a t u re Ve rific a t io n in d ic a t o r, wh ic h m u s t b e u s e d fo r t h e DSA

Sig n a t u re Ve rific a t io n s e rvic e . It c a n b e a c c e s s e d b y in vo kin g t h e C_Ve rifyIn it fu n c t io n wit h a n y CKM_DSA_* m e c h a n is m p a ra m e t e r. If t h is fu n c t io n re t u rn s CKR_OK, t h e s e rvic e wa s a p p ro ve d .

4.4 Non -Approved Services

Name Description Algorithms Role Message Digest Compute a message MD2, MD5, SHA -1 CO digest Encryption Encrypt a plaintext RC2, RC4, DES, Triple -DES, CDMF, Camellia, SEED, ChaCha20( - CO Poly1305) AES GCM (external IV) Decryption Decrypt a ciphertext RC2, RC4, DES, Triple -DES, CDMF, Camellia, SEED, ChaCha20( - CO Poly1305) Message Compute a MAC tag CBC-MAC, AES XCBC-MAC, AES XCBC -MAC-96 CO Authentication HMAC (MD2, MD5, SHA -1; < 112 -bit keys) HMAC/SSLv3 MAC (constant -time implementation) Key Derivation Derive a key from a MD2, MD5, SHA -1, SHA -224, SHA -256, SHA -384, SHA -512, DES, CO key -derivation key or Triple -DES, AES, Camellia, SEED, ANS X9.63 KDF (SHA -1, SHA -224, a shared secret SHA-256, SHA -384, SHA -512), SSL 3 PRF (MD5, SHA -1), IKEv1 PRF (AES XCBC-MAC, MD2, MD5, SHA -1, SHA -224, SHA -256, SHA -384, SHA-512) KBKDF, HKDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF, IKEv2 KDF (< 112 -bit keys) KBKDF (MD2, MD5) TLS 1.2 KDF (without extended master secret) IKEv2 KDF (MD2, MD5) Password -Based Derive a key from a PKCS#5 PBE, PKCS#12 PBE CO Key Derivation password PBKDF2 (password<8 characters, salt<128 bits, iteration count<1000, or key<112 bits) Shared Secret Compute a shared J-PAKE CO Computation secret DH (Shared secret computation; FIPS 186 -type groups) ECDH (Shared secret computation; P -192) Signature Generate a signature DSA (SigGen) CO Generation RSA (SigGen primitive; PKCS#1 v1.5 or PSS with MD2, MD5) ECDSA (SigGen; P -192) Asymmetric Encrypt a plaintext RSA (encryption) CO Encryption Asymmetric Decrypt a plaintext RSA (decryption) CO Decryption Parameter Generate domain DSA (parameter generation) CO Generation parameters Parameter Verify domain DSA (parameter verification) CO Verification parameters © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 7 o f 4 9

Page 28

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Algorithms Role Key Pair Generate a key pair DH (KeyGen, FIPS 186 -type groups) CO Generation RSA (KeyGen, modulus < 2048 bits) ECDSA (KeyGen, P -192) DSA (key pair generation) Secret Key Generate a Symmetric Key Generation (< 112 bits) CO Generation symmetric key Signature Verify a signature RSA (SigVer primitive; PKCS#1 v1.5 or PSS with MD2, MD5) CO Verification ECDSA (SigVer; P-192) Table 15 : Non -Approved Services The indicator value for the non -approved services specified in the Non -Approved Services table is CKS_NSS_FIPS_NOT_OK (0).

4.5 External Software/Firmware Loaded

The module does not load external software or firmware. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 8 o f 4 9

Page 29

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by performing DSA signature verification with a 2048 bit key and SHA -256. Each software component of the module has an associated integrity check value, which contains the DSA signature of the shared library.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre -operational self -tests, which are executed when the module is initialized. The integrity tests may be invoked on -demand by unloading and subsequently re -initializing the module, which will perform (among oth ers) the software integrity tests. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 2 9 o f 4 9

Page 30

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: Any SSPs contained within the module are protected by the process isolation and memory separation mechanisms provided by the Linux kernel, and only the module has control over these SSPs.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each proc ess has control over its own data and uncontrolled access to the data of other processes is prevented. Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non -validated operational environment. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 0 o f 4 9

Page 31

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 1 o f 4 9

Page 32

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

8 Non -Invasive Security

This module does not implement any non -invasive security mechanism and therefore this section is not applicable. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 2 o f 4 9

Page 33

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. Dynamic Table 16 : Storage Areas The module does not perform persistent storage of SSPs. SSPs are provided to the module by the calling process.

9.2 SSP Input -Output Methods

Name From To Format Distribution Entry SFI or Algorithm Type Type Type API input Calling application Cryptographic Plaintext Manual Electronic parameters within TOEPP module (plaintext) API input Calling application Cryptographic Encrypted Manual Electronic AES-KW, AES-KWP, parameters within TOEPP module AES-GCM (KTS, key (encrypted) unwrapping) API output Cryptographic Calling application Plaintext Manual Electronic parameters module within TOEPP (plaintext) API output Cryptographic Calling application Encrypted Manual Electronic AES-KW, AES-KWP, parameters module within TOEPP AES-GCM (KTS, key (encrypted) wrapping) Table 17 : SSP Input -Output Methods CSPs (with the exception of passwords) can only be imported to and exported from the module when they are wrapped (encrypted) using an approved security function (e.g. AES KW or KWP). PSPs can be imported and exported in plaintext. Import and export is per formed using API input and output parameters. The module only supports SSP entry and output to and from the calling application running on the same operational environment.

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Destroy Object Destroys the SSP Memory occupied by SSPs is overwritten with By calling the represented by the zeroes, which renders the SSP values irretrievable. C_DestroyObject object The completion of the zeroization routine indicates function that the zeroization procedure succeeded. Automatic Automatically zeroized Memory occupied by SSPs is overwritten with N/A by the module when no zeroes, which renders the SSP values irretrievable longer needed Remove power De -allocates the Volatile memory used by the module is By removing power from the module volatile memory used overwritten within nanoseconds when power is to store SSPs removed. Module power off indicates that the zeroization procedure succeeded. Table 18 : SSP Zeroization Methods © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 3 o f 4 9

Page 34

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y All d a t a o u t p u t is in h ib it e d d u rin g ze ro iza t io n . Me m o ry is d e a llo c a t e d a ft e r ze ro iza t io n .

9.4 SSPs

Name Description Size - Strength Type - Generated Established Used By Category By By AES key AES key used for 128, 192, 256 bits - Symmetric Hash DRBG AES (ECB, CBC, encryption, 128, 192, 256 bits key - CSP (symmetric CBC-CS1, CTR) decryption, and key AES (KW, KWP) computing MAC generation) AES (GCM, tags encryption, internal IV) AES (CMAC) AES (GCM, decryption, external IV) AES-KW, AESKWP, AES-GCM (KTS, key wrapping) AES-KW, AESKWP, AES-GCM (KTS, key unwrapping) HMAC key HMAC key used 112 -524288 bits - Symmetric Hash DRBG HMAC for computing 112 -256 bits key - CSP (symmetric MAC tags key generation) Key - Symmetric key 112 -4096 bits - 112 - Symmetric Hash DRBG KBKDF derivation key used to derive 256 bits key - CSP (symmetric symmetric keys key generation) Shared secret Shared secret 256 -8192 bits - 112 - Shared KAS-FFC-SSC TLS 1.0/1.1 generated by 256 bits secret - CSP KAS-ECC- KDF, TLS 1.2 (EC) Diffie - SSC KDF (CVL) Hellman HKDF IKEv2 KDF (CVL) Password Password used to 8-128 characters - Password - PBKDF2 derive symmetric N/A CSP keys HKDF Derived Symmetric key 2048 bits - 112 -256 Symmetric HKDF key derived from a bits key - CSP shared secret Entropy input Entropy input 440 bits - 440 bits Entropy input Hash DRBG used to seed the - CSP DRBG DRBG seed DRBG seed 440 bits - 256 bits Seed - CSP Hash DRBG Hash DRBG derived from entropy input Internal state Internal state of 880 bits - 256 bits Internal state Hash DRBG Hash DRBG (V, C) the Hash_DRBG - CSP instance DH private Private key used 2048 -8192 bits - 112 - Private key - Safe Primes KAS-FFC-SSC key for Diffie - 200 bits CSP Key Hellman Generation (key pair generation) © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 4 o f 4 9

Page 35

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Size - Strength Type - Generated Established Used By Category By By DH public key Public key used 2048 -8192 bits - 112 - Public key - Safe Primes KAS-FFC-SSC for Diffie - 200 bits PSP Key Hellman Generation (key pair generation) EC private Private key used P-256, P -384, P -521 - Private key - ECDSA KAS-ECC-SSC key for ECDH and 128, 192, 256 bits CSP KeyGen (key ECDSA SigGen ECDSA pair generation) EC public key Public key used P-256, P -384, P-521 - Public key - ECDSA KAS-ECC-SSC for ECDH and 128, 192, 256 bits PSP KeyGen (key ECDSA SigVer ECDSA pair ECDSA SigVer generation) (Legacy) DSA public Public key used (1024, 160), (2048, Public key - DSA SigVer key for DSA signature 224), (2048, 256), PSP (Legacy) verification (3072, 256) - 80, 112, 128 bits RSA private Private key used 2048 -4096 bits - 112 - Private key - RSA KeyGen RSA SigGen key for RSA signature 150 bits CSP (key pair generation generation) RSA public Public key used Signature Public key - RSA KeyGen RSA SigVer key for RSA signature verification: 1024 - PSP (key pair RSA SigVer verification 4096 bits; Key pair generation) (Legacy) generation: 2048 -

4096 bits - Signature

verification: 80 - 150 bits; Key pair generation: 112 - 150 bits Intermediate Temporary value 112 -8192 bits - 112 - Intermediate RSA KeyGen RSA KeyGen key generated during 256 bits value - CSP (key pair (key pair generation symmetric key generation) generation) value and key pair ECDSA ECDSA KeyGen generation KeyGen (key (key pair services pair generation) generation) Safe Primes Safe Primes Key Generation Key (key pair Generation generation) (key pair generation) KBKDF Symmetric key 112 -4096 bits - 112 - Symmetric KBKDF derived key derived from a 256 bits key - CSP key -derivation key TLS derived Symmetric key 112 -256 bits - 112 - Symmetric TLS 1.0/1.1 key derived from a 256 bits key - CSP KDF, TLS 1.2 shared secret KDF (CVL) IKEv2 derived Symmetric key 112 -256 bits - 112 - Symmetric IKEv2 KDF key derived from a 256 bits key - CSP (CVL) shared secret PBKDF Symmetric key 128 -2048 bits - 112 - Symmetric PBKDF2 derived key derived from a 256 bits key - CSP password Table 19 : SSP Table 1 © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 5 o f 4 9

Page 36

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Input - Output Storage Storage Duration Zeroization Related SSPs AES key API input RAM:Plaintext Until explicitly Destroy Object parameters zeroized by Remove power (encrypted) operator from the module API output parameters (encrypted) HMAC key API input RAM:Plaintext Until explicitly Destroy Object parameters zeroized by Remove power (encrypted) operator from the module API output parameters (encrypted) Key -derivation API input RAM:Plaintext Until explicitly Destroy Object KBKDF derived key:Used key parameters zeroized by Remove power to derive (encrypted) operator from the module Shared secret API input RAM:Plaintext Until explicitly Destroy Object DH private parameters zeroized by Remove power key:Established using (encrypted) operator from the module DH public API output key:Established using parameters EC private (encrypted) key:Established using EC public key:Established using TLS derived key:Used to derive IKEv2 derived key:Used to derive HKDF Derived key:Used to derive Password API input RAM:Plaintext For the duration of Destroy Object PBKDF derived key:Used parameters the service Remove power to derive (plaintext) from the module HKDF Derived API output RAM:Plaintext Until explicitly Destroy Object Shared secret:Derived key parameters zeroized by Remove power From (encrypted) operator from the module Entropy input RAM:Plaintext From generation Automatic DRBG seed:Used to until DRBG seed is Remove power derive created from the module DRBG seed RAM:Plaintext While the DRBG is Automatic Entropy input:Derived instantiated Remove power From from the module Internal state (V, C):Used to generate Internal state (V, RAM:Plaintext While the module Remove power DRBG seed:Generated C) is operational from the module from DH private key API input RAM:Plaintext Until explicitly Destroy Object DH public key:Paired parameters zeroized by Remove power With (encrypted) operator from the module Intermediate key API output generation parameters value:Generated from (encrypted) DH public key API input RAM:Plaintext Until explicitly Destroy Object DH private key:Paired parameters zeroized by Remove power With (plaintext) operator from the module Intermediate key API output generation parameters value:Generated from (plaintext) EC private key API input RAM:Plaintext Until explicitly Destroy Object EC public key:Paired With parameters zeroized by Remove power Intermediate key (encrypted) operator from the module generation API output value:Generated from © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 6 o f 4 9

Page 37

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Input - Output Storage Storage Duration Zeroization Related SSPs parameters (encrypted) EC public key API input RAM:Plaintext Until explicitly Destroy Object EC private key:Paired parameters zeroized by Remove power With (plaintext) operator from the module Intermediate key API output generation parameters value:Generated from (plaintext) DSA public key API input RAM:Plaintext Until explicitly Destroy Object parameters zeroized by Remove power (plaintext) operator from the module RSA private key API input RAM:Plaintext Until explicitly Destroy Object RSA public key:Paired parameters zeroized by Remove power With (encrypted) operator from the module Intermediate key API output generation parameters value:Generated from (encrypted) RSA public key API input RAM:Plaintext Until explicitly Destroy Object RSA private key:Paired parameters zeroized by Remove power With (plaintext) operator from the module Intermediate key API output generation parameters value:Generated from (plaintext) Intermediate key RAM:Plaintext For the duration of Automatic DH private key:Created generation value the service during generation of DH public key:Created during generation of EC private key:Created during generation of EC public key:Created during generation of RSA private key:Created during generation of RSA public key:Created during generation of KBKDF derived API output RAM:Plaintext For the duration of Destroy Object Key -derivation key parameters the service Remove power key:Derived From (encrypted) from the module TLS derived key API output RAM:Plaintext For the duration of Destroy Object Shared secret:Derived parameters the service Remove power From (encrypted) from the module IKEv2 derived key API output RAM:Plaintext For the duration of Destroy Object Shared secret:Derived parameters the service Remove power From (encrypted) from the module PBKDF derived API output RAM:Plaintext For the duration of Destroy Object Password:Derived From key parameters the service Remove power (encrypted) from the module Table 20 : SSP Table 2

9.5 Transitions

The SHA -1 algorithm as implemented by the module will be non -approved for all purposes, starting January 1, 203 1. The ECDSA, and RSA algorithms as implemented by the module conform to FIPS 186 -4, which has been superseded by FIPS 186 -5. The transition started on July 25, 2023, and ended on February 4, 2024 . FIPS 186 -4 was withdrawn on February 3, 2024. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 7 o f 4 9

Page 38

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 8 o f 4 9

Page 39

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

10 Self -Tests

Upon initialization, the module immediately performs all Freebl cryptographic algorithm self tests (CASTs) as specified in the Conditional Self -Tests table. When all those self -tests pass successfully, the module automatically performs the pre -operational integrity test on the libfreeblpriv3.so file using its associated check value. Then, the module performs the DSA CAST in the Softoken library, followed by the the pre operational integrity test on the libsoftokn3.so file using its associated check value. Finally, all remaining CASTs for the algorithms implemented in Softoken are exec uted (see the Conditional Self -Tests table). Only if all CASTs and pre -operational integrity tests passed successfully, the module transitions to the operational state. No operator intervention is required to reach this point. While the module is executing the self -tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. If any of the self -tests fail an error message is returned, and the module tr ansitions to an error state.

10.1 Pre -Operational Self -Tests

Algorithm or Test Properties Test Method Test Type Indicator Details Test DSA SigVer 2048 -bit key with Signature SW/FW Module becomes Integrity test for (FIPS186 -4) SHA-256 Verification Integrity operational libfreeblpriv3.so and (A4576) libfsoftokn3.so Table 21 : Pre -Operational Self -Tests Each software component of the module has an associated integrity check value, which contains the DSA signature of the shared library. The software integrity tests ensure that the module is not corrupted. The DSA and SHA -256 algorithms go through their res pective CASTs before the software integrity tests are performed.

10.2 Conditional Self -Tests

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA-1 (A4576) 512 -bit message KAT CAST Module becomes Message Digest Freebl operational and initialization services are available for use SHA2-224 512 -bit message KAT CAST Module becomes Message Digest Freebl (A4576) operational and initialization services are available for use SHA2-256 512 -bit message KAT CAST Module becomes Message Digest Freebl (A4576) operational and initialization services are available for use SHA2-384 512 -bit message KAT CAST Module becomes Message Digest Freebl (A4576) operational and initialization services are available for use SHA2-512 512 -bit message KAT CAST Module becomes Message Digest Freebl (A4576) operational and initialization © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 3 9 o f 4 9

Page 40

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are available for use AES-ECB 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4576) 128 -bit plaintext operational and initialization services are available for use AES-ECB 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4583) 128 -bit plaintext operational and initialization services are available for use AES-ECB 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4585) 128 -bit plaintext operational and initialization services are available for use AES-CBC 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4576) 128 -bit plaintext operational and initialization services are available for use AES-CBC 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4581) 128 -bit plaintext operational and initialization services are available for use AES-CBC 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4583) 128 -bit plaintext operational and initialization services are available for use AES-CBC 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4585) 128 -bit plaintext operational and initialization services are available for use AES-GCM 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4576) 128 -bit IV, 128 -bit operational and initialization plaintext, 112 -bit services are additional data available for use AES-GCM 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4583) 128 -bit IV, 128 -bit operational and initialization plaintext, 112 -bit services are additional data available for use AES-GCM 128, 192, 256 -bit key, KAT CAST Module becomes Encryption, Decryption Freebl (A4585) 128 -bit IV, 128 -bit operational and initialization plaintext, 112 -bit services are additional data available for use AES-CMAC 128, 192, 256 -bit key, KAT CAST Module becomes Message Authentication Freebl (A4578) 128 -bit message operational and initialization services are available for use HMAC-SHA-1 288 -bit key KAT CAST Module becomes Message Authentication Freebl (A4576) operational and initialization services are available for use HMAC-SHA2 - 288 -bit key KAT CAST Module becomes Message Authentication Freebl

224 (A4576) operational and initialization

services are available for use HMAC-SHA2 - 288 -bit key KAT CAST Module becomes Message Authentication Freebl

256 (A4576) operational and initialization

services are available for use © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 0 o f 4 9

Page 41

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC-SHA2 - 288 -bit key KAT CAST Module becomes Message Authentication Freebl

384 (A4576) operational and initialization

services are available for use HMAC-SHA2 - 288 -bit key KAT CAST Module becomes Message Authentication Freebl

512 (A4576) operational and initialization

services are available for use KDF SP800 -108 Counter mode HMAC KAT CAST Module becomes Key Derivation Softoken (A4579) SHA-256 576 -bit input operational and initialization key services are available for use KDA HKDF SHA-256, 512 -bit KAT CAST Module becomes Key Derivation Softoken Sp800 -56Cr1 input secret operational and initialization (A4575) services are available for use KDF TLS 288 -bit input secret KAT CAST Module becomes Key Derivation Freebl (A4576) operational and initialization services are available for use TLS v1.2 KDF SHA-256, 288 -bit KAT CAST Module becomes Key Derivation Freebl RFC7627 input secret operational and initialization (A4576) services are available for use KDF IKEv2 SHA-1, SHA -256, SHA - KAT CAST Module becomes Key Derivation Softoken (A4580) 384, SHA -512; 80, operational and initialization 128, 144 -bit input services are secret available for use PBKDF (A4576) SHA-256, 14 - KAT CAST Module becomes Key Derivation Softoken character password, operational and initialization

128 -bit salt, Iteration services are

count: 5 available for use Hash DRBG SHA-256 without KAT CAST Module becomes Instantiate, Generate, Freebl (A4576) prediction resistance operational and Reseed, Generate initialization services are (compliant to SP 800 -90A available for use Section 11.3) KAS-FFC-SSC 2048 -bit key KAT CAST Module becomes Shared Secret Freebl Sp800 -56Ar3 operational and Computation initialization (A4576) services are available for use KAS-ECC-SSC P-256 KAT CAST Module becomes Shared Secret Freebl Sp800 -56Ar3 operational and Computation initialization (A4576) services are available for use DSA SigVer 1024 -bit key KAT CAST Module becomes Signature verification Freebl (FIPS186 -4) operational and initialization (A4576) services are available for use RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Signature Generation Softoken (FIPS186 -4) SHA-256, SHA -384, operational and initialization (A4576) SHA-512, 2048 -bit services are key available for use RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Signature Verification Softoken (FIPS186 -4) SHA-256, SHA -384, operational and initialization (A4576) SHA-512, 2048 -bit services are key available for use © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 1 o f 4 9

Page 42

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type ECDSA SigGen SHA-256, P -256 KAT CAST Module becomes Signature Generation Freebl (FIPS186 -4) operational and initialization (A4576) services are available for use ECDSA SigVer SHA-256, P -256 KAT CAST Module becomes Signature Verification Freebl (FIPS186 -4) operational and initialization (A4576) services are available for use Safe Primes N/A PCT PCT Successful key pair SP 800 -56Ar3 section Key pair Key generation 5.6.2.1.4 generation Generation (A4576) RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key pair Signature Generation & Key pair (FIPS186 -4) SHA-256 generation Signature Verification generation (A4576) ECDSA KeyGen ECDSA KeyGen: SHA - PCT PCT Successful key pair Signature Generation & Key pair (FIPS186 -4) 256; EC KeyGen for generation Signature Verification; SP generation (A4576) ECDH 800 -56Ar3 section 5.6.2.1.4 Table 22 : Conditional Self -Tests The module performs self -tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the Conditional Self -Tests table. Upon generation of a key pair, the module will perform a pair -wise consistency test (PCT), as shown in the Conditional Self -Tests table, which provides some assurance that the generated key pair is well formed. For DH and EC key pairs, these tests consist of the PCT described in Section 5.6.2.1.4 of SP 800 -56Ar3. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation. Note that two PCTs are performed for EC key pairs.

10.3 Periodic Self -Test Information

Algorithm or Test Test Method Test Type Period Periodic Method DSA SigVer (FIPS186 - Signature Verification SW/FW Integrity On demand Manually 4) (A4576) Table 23 : Pre -Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method SHA-1 (A4576) KAT CAST On demand Manually SHA2-224 (A4576) KAT CAST On demand Manually SHA2-256 (A4576) KAT CAST On demand Manually SHA2-384 (A4576) KAT CAST On demand Manually SHA2-512 (A4576) KAT CAST On demand Manually AES-ECB (A4576) KAT CAST On demand Manually AES-ECB (A4583) KAT CAST On demand Manually AES-ECB (A4585) KAT CAST On demand Manually AES-CBC (A4576) KAT CAST On demand Manually AES-CBC (A4581) KAT CAST On demand Manually AES-CBC (A4583) KAT CAST On demand Manually AES-CBC (A4585) KAT CAST On demand Manually © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 2 o f 4 9

Page 43

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A4576) KAT CAST On demand Manually AES-GCM (A4583) KAT CAST On demand Manually AES-GCM (A4585) KAT CAST On demand Manually AES-CMAC (A4578) KAT CAST On demand Manually HMAC-SHA-1 (A4576) KAT CAST On demand Manually HMAC-SHA2 -224 KAT CAST On demand Manually (A4576) HMAC-SHA2 -256 KAT CAST On demand Manually (A4576) HMAC-SHA2 -384 KAT CAST On demand Manually (A4576) HMAC-SHA2 -512 KAT CAST On demand Manually (A4576) KDF SP800 -108 KAT CAST On demand Manually (A4579) KDA HKDF Sp800 - KAT CAST On demand Manually 56Cr1 (A4575) KDF TLS (A4576) KAT CAST On demand Manually TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A4576) KDF IKEv2 (A4580) KAT CAST On demand Manually PBKDF (A4576) KAT CAST On demand Manually Hash DRBG (A4576) KAT CAST On demand Manually KAS-FFC-SSC Sp800 - KAT CAST On demand Manually 56Ar3 (A4576) KAS-ECC-SSC Sp800 - KAT CAST On demand Manually 56Ar3 (A4576) DSA SigVer (FIPS186 - KAT CAST On demand Manually

  1. (A4576) RSA SigGen (FIPS186 - KAT CAST On demand Manually
  2. (A4576) RSA SigVer (FIPS186 - KAT CAST On demand Manually
  3. (A4576) ECDSA SigGen KAT CAST On demand Manually (FIPS186 -4) (A4576) ECDSA SigVer KAT CAST On demand Manually (FIPS186 -4) (A4576) Safe Primes Key PCT PCT On demand Manually Generation (A4576) RSA KeyGen (FIPS186 - PCT PCT On demand Manually
  4. (A4576) ECDSA KeyGen PCT PCT On demand Manually (FIPS186 -4) (A4576) Table 24 : Conditional Periodic Information
10.4 Error States

Name Description Conditions Recovery Indicator Method Power -On An error occurred during the self - Software integrity Restart of the Module will not load Error tests executed on power -on test failure module CAST failure © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 3 o f 4 9

Page 44

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Name Description Conditions Recovery Indicator Method PCT Error An error occurred during a PCT PCT failure Restart of the Module stops functioning module (sftk_fatalError is set to TRUE) Table 25 : Error States In any error state, the output interface is inhibited, and the module accepts no more inputs or requests.

10.5 Operator Initiation of Self -Tests

The software integrity tests and CASTs can be invoked on demand by unloading and subsequently re -initializing the module. The PCTs can be invoked on demand by requesting the Key Pair Generation service. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 4 o f 4 9

Page 45

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

11 Life -Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the Amazon Linux 2023 package in the form of the nss -softokn -3.90.0 -6.amzn2023.0. 1 and nss -softokn -freebl -3.90.0 -6.amzn2023.0. 1 RPM packages. The Netscape Portable Runtime (NSPR) package nspr -4.35.0 -6.amzn2023.0. 1 is a prerequisite for the module. Before the RPM packages are installed, the Amazon Linux 2023 system must operate in the FIPS validated configuration. To achieve this, the Crypto Officer must execute the fips -mode setup --enable command, then, restart the system. More information can be f ound at the vendor documentation . The Crypto Officer must verify the Amazon Linux 2023 system operates in the FIPS validated configuration by executing the fips -mode -setup --check command, which should output “FIPS mode is enabled.”

11.2 Administrator Guidance

After installation of the RPM packages, the Crypto Officer must execute the “Show Version” service by accessing the CKA_NSS_VALIDATION_MODULE_ID attribute of the CKO_NSS_VALIDATION object in the default slot. The object attribute must contain the value Amazon Linux 2023 nss 3.90.0 -3e9a8358c972db98 Alternatively, the /usr/lib64/nss/unsupported -tools/validation tool is provided as a convenience by the nss -tools -3.90.0 -6.amzn2023.0. 1 RPM package. This tool performs the same steps, and outputs the FIPS module identifier as above. The cryptographic boundary consists only of the Softoken and Freebl libraries along with their associated integrity check values as listed in the Tested Module Identification table. If any other NSS API outside of these two libraries is invoked, the user i s not interacting with the module specified in this Security Policy.

11.3 Non -Administrator Guidance

There is no non -administrator guidance.

11.6 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the nss softokn -3.90.0 -6.amzn2023.0. 1 and nss -softokn -freebl -3.90.0 -6.amzn2023.0. 1 RPM packages can be uninstalled from the Amazon Linux 2023 systems. © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 5 o f 4 9

Page 46

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y

12 Mitigation of Other Attacks

Attack Mitigation Mechanism Specific Limit Timing attacks on RSA RSA blinding None Timing attack on RSA was first demonstrated by Paul Kocher in 1996, who contributed the mitigation code to our module. Most recently Boneh and Brumley showed that RSA blinding is an effective defense against timing attacks on RSA. Cache -timing attacks on Cache invariant modular exponentiation This mechanism requires the modular This is a variant of a modular exponentiation intimate knowledge of the exponentiation implementation that Colin Percival showed to defend cache line sizes of the operation used in RSA against cache -timing attacks processor. The mechanism may be ineffective when the module is running on a processor whose cache line sizes are unknown. Arithmetic errors in RSA Double -checking RSA signatures None signatures Arithmetic errors in RSA signatures might leak the private key. Ferguson and Schneier recommend that every RSA signature generation should verify the signature just generated.

12.1 Attack List

The following attacks are mitigated:

Page 47

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES -NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CAST Cryptographic Algorithm Self -Test CBC Cipher Block Chaining CMAC Cipher -based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OS Operating System PAA Processor Algorithm Acceleration PCT Pair -Wise Consistency Test PSP Public Security Parameter PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 7 o f 4 9

Page 48

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y Appendix B. References FIPS140 -3 FIPS PUB 140 -3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140 -3 FIPS140 -3_IG Implementation Guidance for FIPS PUB 140 -3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/Projects/cryptographic -module -validation program/fips -140 -3-ig -announcements FIPS180 -4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180 -4.pdf FIPS186 -4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186 -4.pdf FIPS186 -5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186 -5.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips -197.pdf FIPS198 -1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198 -1/FIPS-198 -1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt SP800 -38A Special Publication 800 -38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800 -38a/sp800 -38a.pdf SP800 -38B NIST Special Publication 800 -38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800 -38B/SP_800 -38B.pdf SP800 -38D NIST Special Publication 800 -38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800 -38D/SP -800 -38D.pdf SP800 -38F NIST Special Publication 800 -38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 -38F.pdf © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 8 o f 4 9

Page 49

Amazon Linux 2023 NSS Cryptographic Module FIPS 1 4 0 -3 No n -Pro p rie t a ry Se c u rit y Po lic y SP800 -56Ar3 NIST Special Publication 800 -56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 56Ar3.pdf SP800 -56Cr2 NIST Special Publication 800 -56C Revision 2 - Recommendation for Key -Derivation Methods in Key -Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 56Cr2.pdf SP800 -90Ar1 NIST Special Publication 800 -90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 90Ar1.pdf SP800 -90B NIST Special Publication 800 -90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 90B.pdf SP800 -108r1 NIST Special Publication 800 -108 Revision 1 - Transitions: Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 108r1.pdf SP800 -131Ar1 NIST Special Publication 800 -131A Revision 1 - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths November 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 131Ar1.pdf SP800 -133r2 NIST Special Publication 800 -133rev2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 133r2.pdf SP800 -135r1 NIST Special Publication 800 -135 Revision 1 - Recommendation for Existing Application -Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800 135r1.pdf © 2 0 2 5 Am a zo n We b Se rvice s , In c ./a t s e c in fo rm a t io n s e c u rit y. Th is d o c u m e n t ca n b e re p ro d u ce d a n d d is t rib u t e d o n ly wh o le a n d in t a c t , in clu d in g t h is c o p yrig h t n o t ic e . Pa g e 4 9 o f 4 9