All modules
CMVP Validated Module · FIPS 140-3 Security Policy

NSS cryptography module for AlmaLinux 9

Certificate#5031StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCloudlinux Inc., TuxCare division
Low review priority  ·  no TCB surface named  ·  NSS upstream has published 0 CVEs since this module's initial validation  ·  last validated 13 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date6/24/2030
CaveatWhen operated in approved mode and installed, initialized and configured as specified in section 11 of the Security Policy.
VendorCloudlinux Inc., TuxCare division

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for NSS cryptography module for AlmaLinux 9
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for NSS cryptography module for AlmaLinux 9
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Cloudlinux Inc., TuxCare division NSS cryptography module for AlmaLinux 9 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 Document version: 1.1 www.atsec.com Last update: 2025-06-23

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)9
Table 3: Tested Operational Environments - Software, Firmware, Hybrid10
Table 4: Modes List and Description10
Table 5: Approved Algorithms15
Table 6: Vendor-Affirmed Algorithms16
Table 7: Non-Approved, Not Allowed Algorithms18
Table 8: Security Function Implementations21
Table 9: Entropy Certificates23
Table 10: Entropy Sources24
Table 11: Ports and Interfaces26
Table 12: Roles27
Table 13: Approved Services32
Table 14: Non-Approved Services35
Table 15: Storage Areas40
Table 16: SSP Input-Output Methods40
Table 17: SSP Zeroization Methods41
Table 18: SSP Table 145
Table 19: SSP Table 248
Table 20: Pre-Operational Self-Tests49
Table 21: Conditional Self-Tests56
Table 22: Pre-Operational Periodic Information56
Table 23: Conditional Periodic Information60
Table 24: Error States60
Page 5
List of Figures
ItemPage
Figure 1: Block Diagram9
Page 6
1 - General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3.90.0-b84457b0165f79bf of the NSS cryptography module for AlmaLinux 9. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. including this notice. Other documentation is proprietary to their authors.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

This security police describes the features and design of the module named NSS cryptography module for AlmaLinux 9 using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 7

Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. including this notice. Other documentation is proprietary of their authors. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 8
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The NSS cryptography module for AlmaLinux 9 (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, IKEv2, PKCS#5, PKCS#7, PKCS#11, PKCS#12, S/MIME, X.509 v3 certificates, and other security standards supporting FIPS 140-3 validated cryptographic algorithms. It combines a vertical stack of Linux components intended to limit the external interface each separate component may provide. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary consists only of the Softoken and Freebl libraries along with their associated integrity check values as listed in Section 2.2. If any other NSS API outside of these two libraries is invoked, the user is not interacting with the module specified in this Security Policy. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 9
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 10

Tested Operational Environments - Software, Firmware, Hybrid: Operating Hardware Processors PAA/PAI Hypervisor Version(s) System Platform or Host OS AlmaLinux Amazon Web Intel Cascade Lake Yes N/A 3.90.0-

9.2 Services (AWS) Xeon Platinum b84457b0165f79bf

m5.metal 8259CL AlmaLinux Amazon Web Intel Cascade Lake No N/A 3.90.0-

9.2 Services (AWS) Xeon Platinum b84457b0165f79bf

m5.metal 8259CL Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically entered Approved The approved mode indicator maps to the whenever an approved approved service indicator which is service is requested. CKS_NSS_FIPS_OK(1) or CRC_OK as stated in Section

  1. Non- Automatically entered Non- The Non-Approved mode indicator maps to the Approved whenever a non- Approved non-approved service indicator which is approved service is CKS_NSS_FIPS_NOT_OK(0) or an error as stated requested. in Section
  2. Table 4: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.
Page 11

Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5128 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5135 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A5133 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A5128 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5130 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A5128 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5135 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5128 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5135 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5128 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GCM A5135 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 12

Algorithm CAVP Properties Reference Cert AES-KW A5128 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A5129 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A5134 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5128 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5129 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5134 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 ECDSA A5128 Curve - P-256, P-384, P-521 FIPS 186-5 KeyGen Secret Generation Mode - testing candidates (FIPS186-5) ECDSA SigGen A5128 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 Component - No ECDSA SigGen A5136 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 Component - No ECDSA SigVer A5128 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A5136 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 Hash DRBG A5128 Prediction Resistance - No, Yes SP 800-90A Mode - SHA2-256 Rev. 1 Hash DRBG A5136 Prediction Resistance - No, Yes SP 800-90A Mode - SHA2-256 Rev. 1 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 13

Algorithm CAVP Properties Reference Cert HMAC-SHA2- A5128 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5136 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5128 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5136 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5128 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5136 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5128 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5136 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 KAS-ECC-SSC A5128 Domain Parameter Generation Methods - P-256, P-384, SP 800-56A Sp800-56Ar3 P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A5128 Domain Parameter Generation Methods - ffdhe2048, SP 800-56A Sp800-56Ar3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- Rev. 3 2048, MODP-3072, MODP-4096, MODP-6144, MODP8192 Scheme dhEphem KAS Role - initiator, responder KDA HKDF A5127 Derived Key Length - 2048 SP 800-56C Sp800-56Cr1 Shared Secret Length - Shared Secret Length: 224- Rev. 2

65336 Increment 8

HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512 KDF IKEv2 A5132 Diffie-Hellman Shared Secret Length - Diffie-Hellman SP 800-135 (CVL) Shared Secret Length: 224, 2048, 8192 Rev. 1 Derived Keying Material Length - Derived Keying Material Length: 1056, 3072 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 14

Algorithm CAVP Properties Reference Cert Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2KDF SP800-108 A5131 KDF Mode - Counter, Double Pipeline Iteration, SP 800-108 Feedback Rev. 1 Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096 PBKDF A5128 Iteration Count - Iteration Count: 1000-10000 Increment SP 800-132 Password Length - Password Length: 8-128 Increment 1 PBKDF A5136 Iteration Count - Iteration Count: 1000-10000 Increment SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A5128 Key Generation Mode - probable FIPS 186-5 (FIPS186-5) Modulo - 2048, 3072, 4096, 8192 Primality Tests - 2pow100 Private Key Format - standard RSA KeyGen A5136 Key Generation Mode - probable FIPS 186-5 (FIPS186-5) Modulo - 2048, 3072, 4096, 8192 Primality Tests - 2pow100 Private Key Format - standard RSA SigGen A5128 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigGen A5136 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigVer A5128 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1536 RSA SigVer A5136 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1536 RSA SigVer A5128 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024 RSA SigVer A5136 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024 RSA SigVer A5128 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 15

Algorithm CAVP Properties Reference Cert RSA SigVer A5136 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss Safe Primes A5128 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Key Generation ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, Rev. 3 MODP-4096, MODP-6144, MODP-8192 SHA2-224 A5128 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A5136 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A5128 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A5136 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A5128 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A5136 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A5128 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A5136 Message Length - Message Length: 0-65536 Increment FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A5128 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.2 KDF A5136 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 Table 5: Approved Algorithms © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 16

The table above lists all approved cryptographic algorithms of the module, including specific key lengths employed for approved services in Section 4.3, and implemented modes or methods of operation of the algorithms. Vendor-Affirmed Algorithms: Name Properties Implementation Reference Cryptographic Key AES, HMAC, key-derivation key NSS cryptography SP 800-133r2 Generation sizes:112-256 bits module for Section 4 and (Symmetric keys) Strength:112-256 bits AlmaLinux 9 6.1 Cryptographic Key RSA modulus sizes:2048, 3072, 4096 NSS cryptography SP 800-133r2 Generation (RSA) bits module for Section 4 and Strength:112-150 bits AlmaLinux 9 5.1 Cryptographic Key Safe Primes:MODP-2048, MODP- NSS cryptography SP 800-133r2 Generation (Safe 3072, MODP-4096, MODP-6144, module for Section 4 and Primes) MODP-8192, ffdhe2048, ffdhe3072, AlmaLinux 9 5.2 ffdhe4096, ffdhe6144, ffdhe8192 Strength:112-200 bits Cryptographic Key ECDSA curves:P-256, P-384, P-521 NSS cryptography SP 800-133r2 Generation Strength:112-256 bits module for Section 4 and (ECDSA) AlmaLinux 9 5.1 Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: Name Use and Function MD2, MD5, SHA-1 Message digest RC2, RC4, DES, Triple-DES, CDMF, Camellia, Encryption, Decryption SEED, ChaCha20(-Poly1305) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 17

Name Use and Function AES GCM (external IV) Encryption CBC-MAC, AES XCBC-MAC, AES XCBC-MAC- Message authentication HMAC (MD2, MD5, SHA-1; < 112-bit keys) Message authentication HMAC/SSLv3 MAC (constant-time Message authentication implementation) MD2, MD5, SHA-1, SHA-224, SHA-256, SHA- Key derivation 384, SHA-512, DES, Triple-DES, AES, Camellia, SEED ANS X9.63 KDF, SSL 3 PRF, IKEv1 PRF, TLS Key derivation 1.0/1.1 KDF KBKDF, HKDF, TLS 1.2 KDF, IKEv2 KDF (< Key derivation 112-bit keys) KBKDF (MD2, MD5) Key derivation TLS 1.2 KDF (without extended master secret) Key derivation IKEv2 KDF (MD2, MD5) Key derivation PKCS#5 PBE, PKCS#12 PBE Password-based key derivation PBKDF2 (< 8 characters password; < 128-bit Password-based key derivation salt; < 1000 iterations; < 112-bit keys) J-PAKE Shared secret computation DH (FIPS 186-type groups) Shared secret computation, Key pair generation ECDH (P-192) Shared Secret Computation ECDH (X25519) Shared secret computation DSA Signature generation, Signature verification, Parameter generation, Parameter verification, Key pair generation RSA (primitive; PKCS#1 v1.5 or PSS with MD2, Signature generation, Signature verification MD5, SHA-1) RSA (< 2048-bit keys) Signature generation © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 18

Name Use and Function RSA (< 1024-bit keys) Signature verification ECDSA (P-192) Key Pair Generation, Signature generation, Signature verification ECDSA (component; SHA-1) Signature generation, Signature verification RSA Asymmetric encryption, Asymmetric decryption RSA (< 2048 bits; > 4096 bits) Key pair generation Ed25519, X25519 Key pair generation Symmetric key generation (< 112 bits) Secret key generation Table 7: Non-Approved, Not Allowed Algorithms The table above lists all the non-approved cryptographic algorithms of the module employed by the nonapproved services in Section 4.4.

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption with BC-UnAuth Encryption using Keys:128, 192, AES-CBC: AES AES 256 bits with 128- (A5128, A5135)

256 bits of key AES-CBC-CS1:

strength (A5128, A5133) AES-CTR: (A5128, A5135) AES-ECB: (A5128, A5135) Decryption with BC-UnAuth Decryption using Keys:128, 192, AES-CBC: AES AES 256 bits with 128- (A5128, A5135)

256 bits of key AES-CTR:

strength (A5128, A5135) AES-ECB: (A5128, A5135) AES-CBC-CS1: (A5133) Authenticated BC-Auth Authenticated Keys:128, 192, AES-GCM: Encryption with encryption using 256 bits with 128- (A5128, A5135) AES AES 256 bits of key strength © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 19

Name Type Description Properties Algorithms Authenticated BC-Auth Authenticated Keys:128, 192, AES-GCM: Decryption with decryption using 256 bits with 128- (A5128, A5135) AES AES 256 bits of key strength Key Derivation PBKDF Key derivation Derived keys:112- PBKDF: (A5128, with PBKDF using PBKDF 256 bits A5136) Key Derivation KBKDF Key derivation Derived keys:112- KDF SP800-108: with KBKDF using KBKDF 256 bits (A5131) Key Derivation KAS-56CKDF Key derivation Derived keys:112- KDA HKDF with HKDF using HKDF 256 bits Sp800-56Cr1: (A5127) Key Derivation KAS-135KDF Key derivation Derived keys:112- TLS v1.2 KDF with TLS 1.2 KDF using TLS 1.2 256 bits RFC7627: KDF (A5136, A5128) Key Derivation KAS-135KDF Key derivation Derived keys:112- KDF IKEv2: with IKEv2 KDF using IKEv2 KDF 256 bits (A5132) Key Wrapping KTS-Wrap Key wrapping Keys:128, 192, AES-KW: (A5128, with AES using AES 256 bits with 128- A5129, A5134)

256 bits of key AES-KWP:

strength; (A5128, A5129, Compliant with IG A5134) D.G AES-GCM: (A5128, A5135) Key Unwrapping KTS-Wrap Key unwrapping Keys:128, 192, AES-KW: (A5128, with AES using AES 256 bits with 128- A5129, A5134)

256 bits of key AES-KWP:

strength; (A5128, A5129, Compliant with IG A5134) D.G AES-GCM: (A5128, A5135) Message MAC Message Keys:112-256 bits HMAC-SHA2-224: Authentication authentication with 112-256 bits (A5128, A5136) with HMAC using HMAC of key strength HMAC-SHA2-256: (A5128, A5136) HMAC-SHA2-384: (A5128, A5136) HMAC-SHA2-512: (A5128, A5136) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 20

Name Type Description Properties Algorithms Message MAC Message Keys:128, 192, AES-CMAC: Authentication authentication 256 bits with 128- (A5128, A5130) with CMAC using CMAC 256 bits of key strength Random Number DRBG Random number Hash:SHA2-256 Hash DRBG: Generation with generation using (A5128, A5136) Hash_DRBG Hash_DRBG Shared Secret KAS-SSC Shared secret Curves:P-256, P- KAS-ECC-SSC Computation with computation using 384, P-521 with Sp800-56Ar3: KAS-ECC-SSC KAS-ECC-SSC 128, 192 and 256 (A5128) bits of strength; Compliant with IG D.F scenario 2(1) Shared Secret KAS-SSC Shared secret Keys:MODP- KAS-FFC-SSC Computation with computation using 2048, MODP- Sp800-56Ar3: KAS-FFC-SSC KAS-FFC-SSC 3072, MODP- (A5128) 4096, MODP6144, MODP8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of key strength; Compliant with IG D.F scenario 2(1) Signature DigSig-SigGen Signature Keys:2048, 3072, RSA SigGen Generation with generation using 4096 bits with (FIPS186-5): RSA RSA 112-150 bits of (A5128, A5136) key strength Signature DigSig-SigGen Signature Curves:P-256, P- ECDSA SigGen Generation with generation using 384, P-521 with (FIPS186-5): ECDSA ECDSA 112-256 bits of (A5128, A5136) strength Signature DigSig-SigVer Signature Keys:1024, 1280, RSA SigVer Verification with verification using 1536, 1792, 2048, (FIPS186-2): RSA RSA 3072, 4096 bits (A5128, A5136) with 80-150 bits of RSA SigVer key strength (FIPS186-4): (A5128, A5136) RSA SigVer © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 21

Name Type Description Properties Algorithms (FIPS186-5): (A5128, A5136) Signature DigSig-SigVer Signature Curves:P-256, P- ECDSA SigVer Verification with verification using 384, P-521 with (FIPS186-5): ECDSA ECDSA 112-256 bits of (A5128, A5136) strength Symmetric Key CKG Direct symmetric Keys:112-256 bits Hash DRBG: Generation with key generation with 112-256 bits (A5128, A5136) Hash_DRBG using of key strength; Hash_DRBG Compliant with SP800-133r2 section 6.1 Key Pair CKG Key pair Keys:2048, 3072, RSA KeyGen Generation with generation using 4096 bits with (FIPS186-5): RSA RSA 112-150 bits of (A5128, A5136) key strength Key Pair CKG Key pair Curves:P-256, P- ECDSA KeyGen Generation with generation using 384, P-521 with (FIPS186-5): ECDSA ECDSA 128, 192 and 256 (A5128) bits of strength Key Pair CKG Key pair Keys:MODP- Safe Primes Key Generation with generation using 2048, MODP- Generation: Safe Primes Safe Primes 3072, MODP- (A5128) 4096, MODP6144, MODP8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112-200 bits of key strength Message Digest SHA Message digest SHA2-224: with SHA using SHA (A5128, A5136) SHA2-256: (A5128, A5136) SHA2-384: (A5128, A5136) SHA2-512: (A5128, A5136) Table 8: Security Function Implementations © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 22
2.7 Algorithm Specific Information
2.7.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. NSS is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation that complies with Scenario 2 of the IG C.H. These IVs are always at least 96 bits and generated using the approved DRBG internal to the module’s boundary. Additionally, the module offers an internal deterministic IV generation mode compliant with Scenario 3 of FIPS 140-3 IG C.H. The size of the fixed (name) field used by this IV generation mode is at least 32 bits. The module then internally generates a 32 bit or longer deterministic non-repetitive counter. The module explicitly ensures that this counter is monotonically increasing at each invocation of the AES-GCM for the same encryption key, and that this counter does not exhaust all its possible values. The generated GCM IV is at least 96 bits in length. In case the module’s power is lost and then restored, a new key for use with the AES-GCM encryption/decryption shall be established. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection.

2.7.2 Key Derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:

Page 23
2.7.3 SP 800-56Ar3 Assurances

To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that implements the TLS protocol. Additionally, the module’s approved Key Pair Generation service (see Section 4.3) must be used to generate ephemeral DiffieHellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3.

2.7.4 FIPS 140-3 IG C.F Compliance

The module supports RSA Signature Verification for 1024, 1280, 1536 and 1792-bit keys. This is allowed by FIPS 140-3 IG C.F. Specifically, 1280 and 1792 cannot be ACVP tested but are approved for signature verification in IG C.F. The 1024-bit modulus has been CAVP tested for RSA signature verification in compliance with FIPS 1864, while the 1536-bit modulus has been CAVP tested for RSA signature verification in compliance with FIPS 186-2. For all other approved moduli (namely 2048, 3072, and 4096 bit keys) supported by the module, RSA signature verification is approved and CAVP tested in compliance with FIPS 186-5.

2.8 RBG and Entropy

Cert Vendor Name Number E127 Cloudlinux Inc., TuxCare division Table 9: Entropy Certificates © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 24

Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Userspace CPU Non- AlmaLinux 9.2 on Amazon 64 bits 64 bits SHA3-256 (Cert. Time Jitter RNG Physical Web Services (AWS) A4026), HMACEntropy Source m5.metal on Intel Xeon SHA2-512-DRBG Version 3.4.0 Platinum 8259CL; AlmaLinux (Cert. A4025)

9.2 on Amazon Web Services

(AWS) a1.metal on AWS Graviton Table 10: Entropy Sources The module employs a Deterministic Random Bit Generator (DRBG) implementation based on SP 80090Ar1. This DRBG is used internally by the module (e.g. to generate symmetric keys, seeds for asymmetric key pairs, and random numbers for security functions). It can also be accessed using the specified API functions. The DRBG implemented is a SHA-256 Hash_DRBG, seeded by the entropy source described in the table above. It does not employ prediction resistance. The DRBG is instantiated with a 384-bits long entropy input (corresponding to 384 bits of entropy). Additionally, the DRBG is reseeded with a 256-bits long entropy input (corresponding to 256 bits of entropy).

2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The following methods are implemented:

Page 25

Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service.

2.10 Key Establishment

The module provides Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) shared secret computation compliant with SP800-56Ar3, in accordance with scenario 2 (1) of FIPS 140-3 IG D.F. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC

7919 (TLS). Note that the module only implements domain parameter generation, key pair generation

and verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 KDF and IKEv2 PRF): IKE (RFC 3526):

200 resp. 128-256 bits of security strength in an approved mode of operation.

The module also provides the following key transport mechanisms:

2.11 Industry Protocols

For DH, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS) as listed in Section 2.10. Note that the module only implements domain parameter generation, key pair generation and verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 KDF (RFC 7627) and IKEv2 KDF). TLS 1.2 KDF (RFC 7627) and IKEv2 implementations shall only be used to generate secret keys in the context of the TLS 1.2 and IKE protocols respectively. No other parts of the TLS and IKE protocols, other than the KDFs, have been tested by the CAVP or CMVP. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 26
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters N/A Data Output API output parameters N/A Control Input API function calls, API input parameters for control input N/A Status Output API return codes Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. The module does not implement a control output interface. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 27
4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not support authentication for roles.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators or a maintenance role.

4.3 Approved Services

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Encryption Encrypt a CKS_NSS_FIPS_ AES key, Ciphertex Encryption Crypto plaintext OK (1) plaintext t with AES Officer - AES Key: W,E Decryption Decrypt a CKS_NSS_FIPS_ AES key, Plaintext Decryption Crypto ciphertext OK (1) ciphertex with AES Officer t - AES Key: W,E Authenticate Encrypt a CKS_NSS_FIPS_ AES key, Ciphertex Authenticate Crypto d Encryption plaintext OK (1) IV, t, MAC d Encryption Officer plaintext tag with AES - AES Key: W,E Authenticate Decrypt a CKS_NSS_FIPS_ AES key, Plaintext Authenticate Crypto d Decryption ciphertext OK (1) IV, MAC or fail d Decryption Officer tag, with AES - AES Key: ciphertex W,E t © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 28

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Key Derive a CKS_NSS_FIPS_ Key- KBKDF Key Crypto Derivation key from a OK (1) derivatio Derived Derivation Officer from a KDK key- n key key with KBKDF - Keyderivation Derivation key Key: W,E - KBKDF Derived Key: G Key Derive a CKS_NSS_FIPS_ Shared HKDF Key Crypto Derivation key from a OK (1) secret Derived Derivation Officer from a shared key; TLS with HKDF - Shared Shared secret Derived Key Secret: Secret key; IKE Derivation W,E Derived with TLS 1.2 - HKDF key KDF Derived Key Key: G Derivation - TLS with IKEv2 Derived KDF Key: G - IKE Derived Key: G Password- Derive a CKS_NSS_FIPS_ Passwor PBKDF Key Crypto Based Key key from a OK (1) d, salt, Derived Derivation Officer Derivation password iteration key with PBKDF count Password: W,E - PBKDF Derived Key: G Key Wrap a CKS_NSS_FIPS_ AES key, Wrapped Key Crypto Wrapping CSP OK (1) any CSP CSP Wrapping Officer (except with AES - AES Key: for W,E passwor d) Key Unwrap a CKS_NSS_FIPS_ AES key, Any CSP Key Crypto Unwrapping CSP OK (1) Wrapped (except Unwrapping Officer CSP for with AES - AES Key: password W,E ) HMAC Compute a CKS_NSS_FIPS_ HMAC MAC tag Message Crypto Message MAC tag OK (1) key Authenticatio Officer © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 29

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Authenticatio n with - HMAC n HMAC Key: W,E AES-based Compute a CKS_NSS_FIPS_ AES key MAC tag Message Crypto Message MAC tag OK (1) Authenticatio Officer Authenticatio n with - AES Key: n CMAC W,E Message Compute a CKS_NSS_FIPS_ Message Digest Message Crypto Digest message OK (1) value Digest with Officer digest SHA Random Generate CKR_OK Output Random Random Crypto Number random length bytes Number Officer Generation bytes Generation - Entropy with Input: W,E Hash_DRBG - DRBG Seed: G,E - Internal State (V, C): G,W,E Shared Compute a CKS_NSS_FIPS_ DH Shared Shared Crypto Secret shared OK (1) private secret Secret Officer Computation secret key Computation - DH (DH) (owner), with KAS- Private DH FFC-SSC Key: W,E public - DH Public key Key: W,E (peer) - Shared Secret: G Shared Compute a CKS_NSS_FIPS_ EC Shared Shared Crypto Secret shared OK (1) private secret Secret Officer Computation secret key Computation - EC (ECDH) (owner), with KAS- Private EC ECC-SSC Key: W,E public - EC Public key Key: W,E (peer) - Shared Secret: G RSA Generate a CKS_NSS_FIPS_ RSA Signature Signature Crypto Signature signature OK (1) private Generation Officer Generation key, with RSA - RSA message Private Key: W,E © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 30

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access ECDSA Generate a CKS_NSS_FIPS_ EC Signature Signature Crypto Signature signature OK (1) private Generation Officer Generation key, with ECDSA - EC message Private Key: W,E RSA Verify a CKS_NSS_FIPS_ RSA Pass/fail Signature Crypto Signature signature OK (1) public Verification Officer Verification key, with RSA - RSA message Public Key: , W,E signature ECDSA Verify a CKS_NSS_FIPS_ EC Pass/fail Signature Crypto Signature signature OK (1) public Verification Officer Verification key, with ECDSA - EC Public message Key: W,E , signature Key Pair Generate a CKS_NSS_FIPS_ Group DH public Key Pair Crypto Generation key pair OK (1) key, DH Generation Officer with Safe private with Safe - DH Primes key Primes Private Key: G - DH Public Key: G Intermediat e key generation value: G,E,Z Key Pair Generate a CKS_NSS_FIPS_ Modulus RSA Key Pair Crypto Generation key pair OK (1) bits public Generation Officer with RSA key, RSA with RSA - RSA private Private key Key: G - RSA Public Key: G Intermediat e key generation value: G,E,Z © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 31

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Key Pair Generate a CKS_NSS_FIPS_ Curve EC public Key Pair Crypto Generation key pair OK (1) key, EC Generation Officer with ECDSA private with ECDSA - EC key Private Key: G - EC Public Key: G Intermediat e key generation value: G,E,Z Symmetric Generate a CKS_NSS_FIPS_ Key size AES key, Symmetric Crypto Key secret key OK (1) HMAC Key Officer Generation key or Generation - AES Key: key- with G derivation Hash_DRBG - HMAC key Key: G - KeyDerivation Key: G Show Return the None N/A Module None Crypto Version module name and Officer name and version version informatio information n Show Status Return the None N/A Module None Crypto module status Officer status Self-Test Perform None N/A Pass/fail None Crypto the CASTs Officer and integrity tests Zeroization Zeroize all N/A Any SSP None None Crypto SSPs Officer - AES Key: Z - HMAC Key: Z - KeyDerivation Key: Z © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 32

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access - Shared Secret: Z Password: Z - KBKDF Derived Key: Z - PBKDF Derived Key: Z - HKDF Derived Key: Z - TLS Derived Key: Z - IKE Derived Key: Z - Entropy Input: Z - DRBG Seed: Z - Internal State (V, C): Z - DH Private Key: Z - DH Public Key: Z - EC Private Key: Z - EC Public Key: Z - RSA Private Key: Z - RSA Public Key: Z Intermediat e key generation value: Z Table 13: Approved Services © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 33

The table above lists the approved services in this module, the algorithms involved, the Sensitive Security Parameters (SSPs) involved and how they are accessed, the roles that can request the service, and the respective service indicator. In this table, CO specifies the Crypto Officer role. The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The service tables define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP. • Generate (G): The module generates or derives the SSP. • Read (R): The SSP is read from the module (e.g. the SSP is output). • Write (W): The SSP is updated, imported, or written to the module. • Execute (E): The module uses the SSP in performing a cryptographic operation. • Zeroize (Z): The module zeroizes the SSP. • N/A: The module does not access any SSP or key during its operation. To interact with the module, a calling application must use the FIPS token APIs provided by Softoken. The FIPS token API layer can be used to retrieve the approved service indicator for the module. This indicator consists of four independent service indicators:

  1. The session indicator, which must be used for all cryptographic services except the key (pair) generation and key derivation services. It can be accessed by invoking the NSC_NSSGetFIPSStatus function with the CKT_NSS_SESSION_LAST_CHECK parameter. If the output parameter is set to CKS_NSS_FIPS_OK (1), the service was approved.
  2. The object indicator, which must be used for the key (pair) generation and key derivation services. It can be accessed by invoking the NSC_NSSGetFIPSStatus function with the CKT_NSS_OBJECT_CHECK parameter and the output derived key. If the output parameter is set to CKS_NSS_FIPS_OK (1), the service was approved.
  3. The DRBG service indicator, which must be used for the DRBG service. It can be accessed by invoking the C_SeedRandom or C_GenerateRandom functions. If any of these functions returns CKR_OK, the service was approved. Any other service indicator value not listed above such as CKS_NSS_FIPS_NOT_OK (0) indicates that non-approved service is called. Also, for DRBG service, an error returned by the specified APIs indicates that the service was not approved.
4.4 Non-Approved Services

Name Description Algorithms Role Message Digest Compute a message MD2, MD5, SHA-1 CO digest Encryption Encrypt a plaintext RC2, RC4, DES, Triple-DES, CDMF, CO Camellia, SEED, ChaCha20(-Poly1305) AES GCM (external IV) Decryption Decrypt a ciphertext RC2, RC4, DES, Triple-DES, CDMF, CO Camellia, SEED, ChaCha20(-Poly1305) Message Compute a MAC tag CBC-MAC, AES XCBC-MAC, AES XCBC- CO Authentication MAC-96 HMAC (MD2, MD5, SHA-1; < 112-bit keys) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 34

Name Description Algorithms Role HMAC/SSLv3 MAC (constant-time implementation) Key Derivation Derive a key from a key- MD2, MD5, SHA-1, SHA-224, SHA-256, CO derivation key or a shared SHA-384, SHA-512, DES, Triple-DES, secret AES, Camellia, SEED ANS X9.63 KDF, SSL 3 PRF, IKEv1 PRF, TLS 1.0/1.1 KDF KBKDF, HKDF, TLS 1.2 KDF, IKEv2 KDF (< 112-bit keys) KBKDF (MD2, MD5) TLS 1.2 KDF (without extended master secret) IKEv2 KDF (MD2, MD5) Password-Based Derive a key from a PKCS#5 PBE, PKCS#12 PBE CO Key Derivation password PBKDF2 (< 8 characters password; < 128bit salt; < 1000 iterations; < 112-bit keys) Shared Secret Compute a shared secret J-PAKE CO Computation DH (FIPS 186-type groups) ECDH (P-192) ECDH (X25519) Signature Generate a signature DSA CO Generation RSA (primitive; PKCS#1 v1.5 or PSS with MD2, MD5, SHA-1) RSA (< 2048-bit keys) ECDSA (component; SHA-1) ECDSA (P-192) Signature Verify a signature DSA CO Verification RSA (primitive; PKCS#1 v1.5 or PSS with MD2, MD5, SHA-1) RSA (< 1024-bit keys) ECDSA (component; SHA-1) ECDSA (P-192) Asymmetric Encrypt a plaintext RSA CO Encryption Asymmetric Decrypt a plaintext RSA CO Decryption Parameter Generate domain DSA CO Generation parameters Parameter Verify domain parameters DSA CO Verification © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 35

Name Description Algorithms Role Key Pair Generate a key pair DSA CO Generation DH (FIPS 186-type groups) RSA (< 2048 bits; > 4096 bits) Ed25519, X25519 ECDSA (P-192) Secret Key Generate a secret key Symmetric key generation (< 112 bits) CO Generation Table 14: Non-Approved Services The table above lists the non-approved services in this module, the algorithms involved, and the roles that can request the service. In this table, CO specifies the Crypto Officer role.

4.5 External Software/Firmware Loaded

The module does not load external software or firmware. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 36
5 Software/Firmware Security
5.1 Integrity Techniques

Each software component of the module has an associated HMAC-SHA2-256 integrity check value. The integrity of the module is verified by comparing the HMAC-SHA2-256 values calculated at run time with the integrity values embedded in the check files that were computed at build time. If the integrity test fails, the module enters the Power-On Error state.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests may be invoked on-demand by unloading and subsequently reinitializing the module, which will perform (among others) the software integrity tests. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 37
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module shall be installed as stated in Section 11.2. If properly installed, operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. There are no concurrent operators.

6.2 Configuration Settings and Restrictions

Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 38
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 39
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 40
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service Dynamic execution. The module does not perform persistent storage of SSPs Table 15: Storage Areas SSPs imported, generated, derived, or otherwise established by the module are stored in RAM while the module is operational. The operator application can use these SSPs to perform cryptographic operations, or export them as described in Section 9.2. The module maintains internal separation of the SSPs (including CSPs) in approved and non-approved modes of operation using an internal isFIPS flag for each SSP. This flag indicates whether the SSP can be used in approved or non-approved services. The module does not perform persistent storage of SSPs.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Calling Cryptographic Plaintext Manual Electronic parameters application module (plaintext) within TOEPP API input Calling Cryptographic Encrypted Manual Electronic Key parameters application module Unwrapping (encrypted) within TOEPP with AES API output Cryptographic Calling Plaintext Manual Electronic parameters module application (plaintext) within TOEPP API output Cryptographic Calling Encrypted Manual Electronic Key parameters module application Wrapping (encrypted) within TOEPP with AES Table 16: SSP Input-Output Methods CSPs (with the exception of passwords) can only be imported to and exported from the module when they are wrapped using an approved security function (e.g. AES KW or KWP). PSPs can be imported and exported in plaintext. Import and export is performed using API input and output parameters. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 41
9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Destroy Destroys the SSP Memory occupied by SSPs is overwritten By calling the Object represented by the with zeroes, which renders the SSP C_DestroyObject object values irretrievable. The completion of function. the zeroization routine indicates that the zeroization procedure succeeded. Automatic Automatically Memory occupied by SSPs is overwritten N/A zeroized by the with zeroes, which renders the SSP module when no values irretrievable. longer needed Module De-allocates the Volatile memory used by the module is Unloading and reset volatile memory overwritten within nanoseconds when the reloading the used to store SSPs module is unloaded. Module unloaded module indicates that the zeroization procedure succeeded. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization. Memory is deallocated after zeroization.

9.4 SSPs

Name Description Size - Type - Generated Established Used By Strength Category By By AES Key AES key 128, 192, Symmetric Symmetric Encryption used for 256 bits - key - CSP Key with AES encryption, 128, 192, Generation Decryption decryption, 256 bits with with AES and Hash_DRB Authenticated computing G Encryption MAC tags with AES Authenticated Decryption with AES Key Wrapping with AES Key Unwrapping with AES Message Authenticatio n with CMAC © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 42

Name Description Size - Type - Generated Established Used By Strength Category By By HMAC Key HMAC key 112-256 Symmetric Symmetric Message used for bits - 112- key - CSP Key Authenticatio computing 256 bits Generation n with HMAC MAC tags with Hash_DRB G Key- Symmetric 112-4096 Symmetric Symmetric Key Derivation key used to bits - 112- key - CSP Key Derivation Key derive 256 bits Generation with KBKDF symmetric with keys Hash_DRB G Shared Shared 256-8192 Shared Shared Key Secret secret bits - 112- secret - Secret Derivation generated 256 bits CSP Computatio with HKDF by (EC) n with KAS- Key Diffie- ECC-SSC Derivation Hellman Shared with TLS 1.2 Secret KDF Computatio Key n with KAS- Derivation FFC-SSC with IKEv2 KDF Password Password 8-128 Password - Key used to character CSP Derivation derive s - N/A with PBKDF symmetric keys PBKDF Symmetric 112-4096 Symmetric Key Derived Key key derived bits - 112- key - CSP Derivation from a 256 bits with PBKDF password KBKDF Symmetric 112-4096 Symmetric Key Derived Key key derived bits - 112- key - CSP Derivation from a key- 256 bits with KBKDF derivation key HKDF Symmetric 112-4096 Symmetric Key Derived Key key derived bits - 112- key - CSP Derivation from a 256 bits with HKDF shared © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 43

Name Description Size - Type - Generated Established Used By Strength Category By By secret with HKDF TLS Symmetric 112-4096 Symmetric Key Derived Key key derived bits - 112- key - CSP Derivation from a 256 bits with TLS 1.2 shared KDF secret with TLS 1.2 KDF IKE Derived Symmetric 112-4096 Symmetric Key Key key derived bits - 112- key - CSP Derivation from a 256 bits with IKEv2 shared KDF secret with IKEv2 KDF Entropy Entropy 128-384 Entropy Random Input input used to bits - 128- input - CSP Number seed the 256 bits Generation DRBG with Hash_DRBG DRBG Seed DRBG seed 440 bits - Seed - CSP Random Random derived from 256 bits Number Number entropy Generation Generation input with with Hash_DRB Hash_DRBG G Internal Internal 880 bits - Internal Random Random State (V, C) state of the 256 bits state - CSP Number Number Hash_DRB Generation Generation G with with Hash_DRB Hash_DRBG G DH Private Private key 2048- Private key Key Pair Shared Key used for 8192 bits - CSP Generation Secret Diffie- - 112-200 with Safe Computation Hellman bits Primes with KASFFC-SSC DH Public Public key 2048- Public key - Key Pair Shared Key used for 8192 bits PSP Generation Secret Diffie- - 112-200 with Safe Computation Hellman bits Primes with KASFFC-SSC © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 44

Name Description Size - Type - Generated Established Used By Strength Category By By EC Private Private key P-256, P- Private key Key Pair Shared Key used for EC 384, P- - CSP Generation Secret Diffie- 521 - 128, with ECDSA Computation Hellman and 192, 256 with KASsignature bits ECC-SSC generation Signature with ECDSA Generation with ECDSA EC Public Public key P-256, P- Public key - Key Pair Shared Key used for EC 384, P- PSP Generation Secret Diffie- 521 - 128, with ECDSA Computation Hellman and 192, 256 with KASsignature bits ECC-SSC verification Signature with ECDSA Verification with ECDSA RSA Private Private key 2048, Private key Key Pair Signature Key used for 3072, - CSP Generation Generation RSA 4096 bits with RSA with RSA signature - 112-150 generation bits RSA Public Public key KeyGen: Public key - Key Pair Signature Key used for 2048, PSP Generation Verification RSA 3072, with RSA with RSA signature 4096 bits; verification SigVer: 1024, 1280, 1536, 1792, 2048, 3072,

4096 bits

- KeyGen: 112-150 bits; SigVer: 80-150 bits Intermediat Temporary 256-8192 Intermediat Key Pair Key Pair e key value bits - 112- e value - Generation Generation generation generated 256 bits CSP with RSA with RSA value during key Key Pair Key Pair Generation Generation with ECDSA with ECDSA © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 45

Name Description Size - Type - Generated Established Used By Strength Category By By generation Key Pair Key Pair services Generation Generation with Safe with Safe Primes Primes Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES Key API input RAM:Plaintext Until explicitly Destroy parameters zeroized by Object (encrypted) operator Module API output reset parameters (encrypted) HMAC Key API input RAM:Plaintext Until explicitly Destroy parameters zeroized by Object (encrypted) operator Module API output reset parameters (encrypted) Key- API input RAM:Plaintext Until explicitly Destroy KBKDF Derived Derivation parameters zeroized by Object Key:Derivation Of Key (encrypted) operator Module API output reset parameters (encrypted) Shared Secret API input RAM:Plaintext Until explicitly Destroy DH Private parameters zeroized by Object Key:Derived From (encrypted) operator Module DH Public API output reset Key:Derived From parameters EC Private (encrypted) Key:Derived From EC Public Key:Derived From HKDF Derived Key:Derivation Of TLS Derived Key:Derivation Of IKE Derived Key:Derivation Of © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 46

Name Input - Storage Storage Zeroization Related SSPs Output Duration Password API input RAM:Plaintext For the Destroy PBKDF Derived parameters duration of the Object Key:Derivation Of (plaintext) service Module reset PBKDF API output RAM:Plaintext Until explicitly Destroy Password:Derived Derived Key parameters zeroized by Object From (encrypted) operator Module reset KBKDF API output RAM:Plaintext Until explicitly Destroy Key-Derivation Derived Key parameters zeroized by Object Key:Derived From (encrypted) operator Module reset HKDF Derived API output RAM:Plaintext Until explicitly Destroy Shared Key parameters zeroized by Object Secret:Derived From (encrypted) operator Module reset TLS Derived API output RAM:Plaintext Until explicitly Destroy Shared Key parameters zeroized by Object Secret:Derived From (encrypted) operator Module reset IKE Derived API output RAM:Plaintext Until explicitly Destroy Shared Key parameters zeroized by Object Secret:Derived From (encrypted) operator Module reset Entropy Input RAM:Plaintext From Automatic DRBG generation Module Seed:Derivation Of until DRBG reset Seed is created DRBG Seed RAM:Plaintext While the Automatic Entropy DRBG is Module Input:Derived From instantiated reset Internal State (V, C):Generation Of Internal State RAM:Plaintext While the Module DRBG (V, C) module is reset Seed:Generated operational From DH Private API input RAM:Plaintext Until explicitly Destroy DH Public Key parameters zeroized by Object Key:Paired With (encrypted) operator Intermediate key © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 47

Name Input - Storage Storage Zeroization Related SSPs Output Duration API output Module generation parameters reset value:Generated (encrypted) From DH Public Key API input RAM:Plaintext Until explicitly Destroy DH Private parameters zeroized by Object Key:Paired With (plaintext) operator Module Intermediate key API output reset generation parameters value:Generated (plaintext) From EC Private API input RAM:Plaintext Until explicitly Destroy EC Public Key parameters zeroized by Object Key:Paired With (encrypted) operator Module Intermediate key API output reset generation parameters value:Generated (encrypted) From EC Public Key API input RAM:Plaintext Until explicitly Destroy EC Private parameters zeroized by Object Key:Paired With (plaintext) operator Module Intermediate key API output reset generation parameters value:Generated (plaintext) From RSA Private API input RAM:Plaintext Until explicitly Destroy RSA Public Key parameters zeroized by Object Key:Paired With (encrypted) operator Module Intermediate key API output reset generation parameters value:Generated (encrypted) From RSA Public API input RAM:Plaintext Until explicitly Destroy RSA Private Key parameters zeroized by Object Key:Paired With (plaintext) operator Module Intermediate key API output reset generation parameters value:Generated (plaintext) From Intermediate RAM:Plaintext For the Automatic DH Private key duration of the Key:Generation Of generation service DH Public value Key:Generation Of EC Private Key:Generation Of EC Public Key:Generation Of RSA Private Key:Generation Of © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 48

Name Input - Storage Storage Zeroization Related SSPs Output Duration RSA Public Key:Generation Of Table 19: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 49
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 256-bit key Message SW/FW Module becomes Integrity test for SHA2-256 authentication Integrity operational and libsoftokn3.so and (A5128) services are libfreeblpriv3.so available for use Table 20: Pre-Operational Self-Tests Each software component of the module has an associated HMAC-SHA2-256 integrity check value. The software integrity tests ensure that the module is not corrupted. The HMAC-SHA2-256 algorithm goes through a CAST before the software integrity tests are performed. Upon initialization, the module immediately performs all Freebl cryptographic algorithm self-tests (CASTs) as specified in the Conditional Self-Tests table. When all those self-tests pass successfully, the module automatically performs the pre-operational integrity test on the libfreeblpriv3.so file using its associated check value. Then, the module performs the RSA CAST in the Softoken library, followed by the pre-operational integrity test on the libsoftokn3.so file using its associated check value. Finally, all remaining CASTs for the algorithms implemented in Softoken are executed (see the Conditional Self-Tests table). Only if all CASTs and pre-operational integrity tests passed successfully, the module transitions to the operational state. No operator intervention is required to reach this point. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. If any of the self-tests fails, an error message is returned, and the module transitions to an error state.

10.2 Conditional Self-Tests

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type SHA2-224 512-bit KAT CAST Module Message Digest Module (A5128) message becomes initialization operational and services are available for use SHA2-224 512-bit KAT CAST Module Message Digest Module (A5136) message becomes initialization operational and services © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 50

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type are available for use SHA2-256 512-bit KAT CAST Module Message Digest Module (A5128) message becomes initialization operational and services are available for use SHA2-256 512-bit KAT CAST Module Message Digest Module (A5136) message becomes initialization operational and services are available for use SHA2-384 512-bit KAT CAST Module Message Digest Module (A5128) message becomes initialization operational and services are available for use SHA2-384 512-bit KAT CAST Module Message Digest Module (A5136) message becomes initialization operational and services are available for use SHA2-512 512-bit KAT CAST Module Message Digest Module (A5128) message becomes initialization operational and services are available for use SHA2-512 512-bit KAT CAST Module Message Digest Module (A5136) message becomes initialization operational and services are available for use AES-ECB 128, 192, 256- KAT CAST Module Encryption and Module (A5128) bit key becomes decryption initialization operational and services © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 51

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type are available for use AES-ECB 128, 192, 256- KAT CAST Module Encryption and Module (A5135) bit key becomes decryption initialization operational and services are available for use AES-CBC 128, 192, 256- KAT CAST Module Encryption and Module (A5128) bit key becomes decryption initialization operational and services are available for use AES-CBC 128, 192, 256- KAT CAST Module Encryption and Module (A5135) bit key becomes decryption initialization operational and services are available for use AES-GCM 128, 192, 256- KAT CAST Module Encryption and Module (A5128) bit key becomes decryption initialization operational and services are available for use AES-GCM 128, 192, 256- KAT CAST Module Encryption and Module (A5135) bit key becomes decryption initialization operational and services are available for use AES-CMAC 128, 192, 256- KAT CAST Module Message Module (A5128) bit key becomes Authentication initialization operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

224 (A5128) becomes Authentication initialization

operational and services © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 52

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

224 (A5136) becomes Authentication initialization

operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

256 (A5128) becomes Authentication initialization

operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

256 (A5136) becomes Authentication initialization

operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

384 (A5128) becomes Authentication initialization

operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

384 (A5136) becomes Authentication initialization

operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

512 (A5128) becomes Authentication initialization

operational and services are available for use HMAC-SHA2- 288-bit key KAT CAST Module Message Module

512 (A5136) becomes Authentication initialization

operational and services © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 53

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type are available for use KDF SP800- HMAC-SHA2- KAT CAST Module Key Derivation Module

108 (A5131) 256 in counter becomes initialization

mode operational and services are available for use KDA HKDF SHA2-256 KAT CAST Module Key Derivation Module Sp800-56Cr1 becomes initialization (A5127) operational and services are available for use TLS v1.2 KDF SHA2-256 KAT CAST Module Key Derivation Module RFC7627 becomes initialization (A5128) operational and services are available for use TLS v1.2 KDF SHA2-256 KAT CAST Module Key Derivation Module RFC7627 becomes initialization (A5136) operational and services are available for use KDF IKEv2 SHA-1, SHA- KAT CAST Module Key Derivation Module (A5132) 256, SHA- becomes initialization 384, SHA-512 operational and services are available for use PBKDF SHA2-256 KAT CAST Module Key Derivation Module (A5128) with 5 becomes initialization iterations, operational 128-bit salt and services and 14 are available characters for use password PBKDF SHA2-256 KAT CAST Module Key Derivation Module (A5136) with 5 becomes initialization iterations, operational © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 54

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type 128-bit salt and services and 14 are available characters for use password Hash DRBG SHA-256 KAT CAST Module Instantiate Module (A5128) without becomes Generate; initialization prediction operational Reseed Generate resistance and services (compliant to SP are available 800- 90Ar1 for use Section 11.3) Hash DRBG SHA-256 KAT CAST Module Instantiate Module (A5136) without becomes Generate; initialization prediction operational Reseed Generate resistance and services (compliant to SP are available 800- 90Ar1 for use Section 11.3) KAS-FFC- ffdhe2048 KAT CAST Module Shared Secret Module SSC Sp800- becomes Computation initialization 56Ar3 operational (A5128) and services are available for use KAS-ECC- P-256 KAT CAST Module Shared Secret Module SSC Sp800- becomes Computation initialization 56Ar3 operational (A5128) and services are available for use RSA SigGen PKCS#1 v1.5 KAT CAST Module Signature Module (FIPS186-5) with SHA2- becomes Generation initialization (A5128) 256, SHA2- operational 384, SHA2- and services 512, and are available 2048-bit key for use RSA SigGen PKCS#1 v1.5 KAT CAST Module Signature Module (FIPS186-5) with SHA2- becomes Generation initialization (A5136) 256, SHA2- operational 384, SHA2- and services 512, and are available 2048-bit key for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 55

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type RSA SigVer PKCS#1 v1.5 KAT CAST Module Signature Module (FIPS186-5) with SHA2- becomes Verification initialization (A5128) 256, SHA2- operational 384, SHA2- and services 512, and are available 2048-bit key for use RSA SigVer PKCS#1 v1.5 KAT CAST Module Signature Module (FIPS186-5) with SHA2- becomes Verification initialization (A5136) 256, SHA2- operational 384, SHA2- and services 512, and are available 2048-bit key for use ECDSA SHA2-256 KAT CAST Module Signature Module SigGen and P-256 becomes Generation initialization (FIPS186-5) operational (A5128) and services are available for use ECDSA SHA2-256 KAT CAST Module Signature Module SigGen and P-256 becomes Generation initialization (FIPS186-5) operational (A5136) and services are available for use ECDSA SHA2-256 KAT CAST Module Signature Module SigVer and P-256 becomes Verification initialization (FIPS186-5) operational (A5128) and services are available for use ECDSA SHA2-256 KAT CAST Module Signature Module SigVer and P-256 becomes Verification initialization (FIPS186-5) operational (A5136) and services are available for use Safe Primes N/A PCT PCT Successful PCT according to Key Pair Key key pair section 5.6.2.1.4 Generation Generation generation of [SP800-56Ar3] with Safe (A5128) Primes © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 56

Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type ECDSA N/A PCT PCT Successful PCT according to Key Pair KeyGen key pair section 5.6.2.1.4 Generation (FIPS186-5) generation of SP 800-56A with ECDSA (A5128), SP Rev. 3 800-56A Rev.

3 PCT

ECDSA SHA-256 PCT PCT Successful Signature Key Pair KeyGen key pair Generation and Generatio (FIPS186-5) generation Signature with ECDSA (A5128), Verification signature PCT RSA KeyGen PKCS#1 v1.5 PCT PCT Successful Signature Key Pair (FIPS186-5) with SHA-256 key pair Generation and Generation (A5128) generation Signature with RSA Verification RSA KeyGen PKCS#1 v1.5 PCT PCT Successful Signature Key Pair (FIPS186-5) with SHA-256 key pair Generation and Generation (A5136) generation Signature with RSA Verification Table 21: Conditional Self-Tests The module performs self-tests on all FIPS approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the Conditional SelfTests table above. Upon generation of a key pair, the module will perform a pair-wise consistency test (PCT) as shown in the table above, which provides some assurance that the generated key pair is well formed. For DH and EC key pairs, these tests consist of the PCT described in Section 5.6.2.1.4 of SP 800-56Ar3. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation. Note that two PCTs are performed for EC key pairs.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5128) authentication Table 22: Pre-Operational Periodic Information © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 57

Algorithm or Test Method Test Type Period Periodic Method Test SHA2-224 KAT CAST On demand Manually (A5128) SHA2-224 KAT CAST On demand Manually (A5136) SHA2-256 KAT CAST On demand Manually (A5128) SHA2-256 KAT CAST On demand Manually (A5136) SHA2-384 KAT CAST On demand Manually (A5128) SHA2-384 KAT CAST On demand Manually (A5136) SHA2-512 KAT CAST On demand Manually (A5128) SHA2-512 KAT CAST On demand Manually (A5136) AES-ECB (A5128) KAT CAST On demand Manually AES-ECB (A5135) KAT CAST On demand Manually AES-CBC KAT CAST On demand Manually (A5128) AES-CBC KAT CAST On demand Manually (A5135) AES-GCM KAT CAST On demand Manually (A5128) AES-GCM KAT CAST On demand Manually (A5135) AES-CMAC KAT CAST On demand Manually (A5128) HMAC-SHA2-224 KAT CAST On demand Manually (A5128) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 58

Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2-224 KAT CAST On demand Manually (A5136) HMAC-SHA2-256 KAT CAST On demand Manually (A5128) HMAC-SHA2-256 KAT CAST On demand Manually (A5136) HMAC-SHA2-384 KAT CAST On demand Manually (A5128) HMAC-SHA2-384 KAT CAST On demand Manually (A5136) HMAC-SHA2-512 KAT CAST On demand Manually (A5128) HMAC-SHA2-512 KAT CAST On demand Manually (A5136) KDF SP800-108 KAT CAST On demand Manually (A5131) KDA HKDF KAT CAST On demand Manually Sp800-56Cr1 (A5127) TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A5128) TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A5136) KDF IKEv2 KAT CAST On demand Manually (A5132) PBKDF (A5128) KAT CAST On demand Manually PBKDF (A5136) KAT CAST On demand Manually Hash DRBG KAT CAST On demand Manually (A5128) Hash DRBG KAT CAST On demand Manually (A5136) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 59

Algorithm or Test Method Test Type Period Periodic Method Test KAS-FFC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A5128) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A5128) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5128) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5136) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5128) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5136) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5128) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5136) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5128) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5136) Safe Primes Key PCT PCT On demand Manually Generation (A5128) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5128), SP 80056A Rev. 3 PCT © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 60

Algorithm or Test Method Test Type Period Periodic Method Test ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5128), signature PCT RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5128) RSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5136) Table 23: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Power- An error occurred during Software Restart of Module will not load On Error the self-tests executed on integrity test the module power-on failure or CAST failure PCT An error occurred during a PCT failure Restart of Module stops functioning Error PCT the module (sftk_fatalError is set to TRUE) Table 24: Error States In any error state, the output interface is inhibited, and the module accepts no more inputs or requests.

10.5 Operator Initiation of Self-Tests

The software integrity tests and CASTs can be invoked on demand by unloading and subsequently reinitializing the module. The PCTs can be invoked on demand by requesting the Key Pair Generation service. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 61
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Before the nss-softokn-3.90.0-6.el9_2.tuxcare.1 and nss-softokn-freebl-3.90.0-6.el9_2.tuxcare.1 RPM packages are installed, the AlmaLinux 9 system must operate in the approved mode. This can be achieved by:

11.2 Administrator Guidance

The version of the RPMs containing the FIPS validated Module is stated in section 11.1. The RPM packages forming the Module can be installed by standard tools recommended for the installation of RPM packages on an AlmaLinux system (for example, dnf and rpm). All RPM packages are signed with the TuxCare build key, which is an RSA 4096-bit key using SHA-256 signatures. The signature is automatically verified upon installation of the RPM package. If the signature cannot be validated, the RPM tool rejects the installation of the package. In such a case, the Crypto Officer is requested to obtain a new copy of the module's RPMs from TuxCare.

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the nss-softokn-3.90.06.el9_2.tuxcare.1 and nss-softokn-freebl-3.90.0-6.el9_2.tuxcare.1 RPM packages can be uninstalled from the AlmaLinux 9 systems. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 62
12 Mitigation of Other Attacks
12.1 Attack List

Timing attacks on RSA

Page 63

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSP Public Security Parameter PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 64

Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-2 Digital Signature Standard (DSS) January 2000 https://csrc.nist.gov/files/pubs/fips/186-2/final/docs/fips186-2.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/detail/sp/800-38b/final SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-52rev2 NIST Special Publication 800-52

Page 65

August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-90Arev1 NIST Special Publication 800-90A