| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 6/29/2030 |
| Caveat | When operated in approved mode. The module generates random numbers whose strengths are modified by available entropy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs |
| Vendor | Red Hat, Inc. |
flowchart LR
%% Deterministic review-risk graph for Red Hat Enterprise Linux 9 Kernel Cryptographic API
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Red Hat Enterprise Linux 9 Kernel Cryptographic API
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Red Hat, Inc. Red Hat Enterprise Linux 9 Kernel Cryptographic API Document Version: 1.1 Last Modified: 06/23/2025 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2024 Red Hat, Inc./ atsec information security.
| # | Section | Page |
|---|
© 2024 Red Hat, Inc./ atsec information security.
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 5: Modes List and Description | 9 |
| Table 6: Approved Algorithms | 19 |
| Table 7: Non-Approved, Not Allowed Algorithms | 19 |
| Table 8: Security Function Implementations | 24 |
| Table 9: Entropy Certificates | 25 |
| Table 10: Entropy Sources | 25 |
| Table 11: Ports and Interfaces | 27 |
| Table 12: Roles | 28 |
| Table 13: Approved Services | 33 |
| Table 14: Non-Approved Services | 33 |
| Table 15: Storage Areas | 38 |
| Table 16: SSP Input-Output Methods | 38 |
| Table 17: SSP Zeroization Methods | 39 |
| Table 18: SSP Table 1 | 40 |
| Table 19: SSP Table 2 | 41 |
| Table 20: Pre-Operational Self-Tests | 42 |
| Table 21: Conditional Self-Tests | 68 |
| Table 22: Pre-Operational Periodic Information | 69 |
| Table 23: Conditional Periodic Information | 75 |
| Table 24: Error States | 76 |
| Figure 1: Block Diagram | 7 |
This document is the non-proprietary FIPS 140-3 Security Policy for version kernel 5.14.0284.57.1.el9_2; libkcapi 1.3.1-3.el9 of the Red Hat Enterprise Linux 9 Kernel Cryptographic API module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.
which was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1 Table 1: Security Levels © 2024 Red Hat, Inc./ atsec information security.
Purpose and Use: The Red Hat Enterprise Linux 9 Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. © 2024 Red Hat, Inc./ atsec information security.
Tested Module Identification
Package or File Name Software/ Feature Integrity Firmware s Test Version *.ko.xz files in /usr/lib/modules/5.14.0284.57.1.el9_2.ppc64le/kernel/arch/powerpc/cryp to /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac 1.3.1-3.el9 N/A HMAC SHA-512 Table 2: Tested Module Identification
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically entered Approved Equivalent to the indicator of mode whenever an approved the requested service as service is requested. defined in section 4.3 Non- Automatically entered Non- Equivalent to the indicator of approved whenever a non-approved Approved the requested service as mode service is requested. defined in section 4.3 Table 5: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.
Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5081 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5088 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5091 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5561 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5562 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5565 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5085 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert AES-CBC-CS3 A5096 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5570 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A5081 Key Length - 128, 192, 256 SP 800-38C AES-CCM A5091 Key Length - 128, 192, 256 SP 800-38C AES-CCM A5562 Key Length - 128, 192, 256 SP 800-38C AES-CCM A5565 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A5083 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A5094 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A5568 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A5081 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5091 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5562 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5565 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A5081 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5088 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5091 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5561 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5562 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5565 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5081 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5086 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5087 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5088 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5089 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5090 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5091 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5092 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert AES-ECB A5093 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5562 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5563 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5564 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5565 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5566 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5567 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5081 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5086 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5087 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5088 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5089 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5090 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5091 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5092 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5093 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert AES-GCM A5562 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-GCM A5563 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5564 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-GCM A5565 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-GCM A5566 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5567 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-GMAC A5081 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5091 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5562 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-GMAC A5565 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-OFB A5084 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A5095 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A5569 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A5081 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5088 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5091 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5561 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5562 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert AES-XTS Testing A5565 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A5081 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5086 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5087 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5088 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5089 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5090 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5091 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5092 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5093 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5562 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5563 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5564 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5565 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5566 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5567 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Hash DRBG A5081 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert Hash DRBG A5086 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5087 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5088 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5089 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5090 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5091 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5092 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5093 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5097 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5098 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5099 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5563 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5564 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5565 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5566 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5567 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5081 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5086 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5087 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5088 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5089 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5090 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5091 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5092 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5093 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert HMAC DRBG A5097 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5098 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5099 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5563 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5564 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5565 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5566 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5567 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC-SHA-1 A5081 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5097 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5098 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5099 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5565 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5081 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5097 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5098 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5099 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5565 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5081 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5097 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5098 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5099 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5565 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5081 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5097 Key Length - Key Length: 112- FIPS 198-1
© 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert HMAC-SHA2-384 A5098 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5099 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5565 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5081 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5097 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5098 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5099 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5565 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-224 A5082 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-224 A5571 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-256 A5082 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-256 A5571 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-384 A5082 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-384 A5571 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-512 A5082 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-512 A5571 Key Length - Key Length: 112- FIPS 198-1
RSA SigVer (FIPS186- A5081 Signature Type - PKCS 1.5 FIPS 186-4
Algorithm CAVP Properties Reference Cert RSA SigVer (FIPS186- A5565 Modulo - 2048, 3072, 4096 FIPS 186-5 5) Signature Type - pkcs1v1.5 SHA-1 A5081 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5097 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5098 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5099 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5565 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5081 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5097 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5098 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5099 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5565 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5081 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5097 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5098 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5099 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5565 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5081 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert SHA2-384 A5097 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5098 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5099 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5565 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5081 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5097 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5098 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5099 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5565 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A5082 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A5571 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-256 A5082 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-256 A5571 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A5082 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A5571 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-512 A5082 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2024 Red Hat, Inc./ atsec information security.
Algorithm CAVP Properties Reference Cert SHA3-512 A5571 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES GCM with Encryption external IV KBKDF (libkcapi) Key derivation HKDF (libkcapi) Key derivation PBKDF2 (libkcapi) Password-based key derivation RSA Encryption primitive; Decryption primitive RSA with PKCS#1 Signature generation (pre-hashed message); Signature verification v1.5 padding (pre-hashed message); Key encapsulation; Key un-encapsulation Table 7: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Encryption with BC-UnAuth Encrypt a Key size(s):128, AES-CBC: AES plaintext with 192, 256 bits (A5081, A5088, AES (XTS mode 128 A5091, A5561, and 256 bits A5562, A5565) only) AES-CBC-CS3: (A5085, A5096, A5570) AES-CFB128: (A5083, A5094, A5568) AES-CTR: (A5081, A5088, A5091, A5561, A5562, A5565) AES-ECB: © 2024 Red Hat, Inc./ atsec information security.
Name Type Description Properties Algorithms (A5081, A5086, A5087, A5088, A5089, A5090, A5091, A5092, A5093, A5562, A5563, A5564, A5565, A5566, A5567) AES-OFB: (A5084, A5095, A5569) AES-XTS Testing Revision 2.0: (A5081, A5088, A5091, A5561, A5562, A5565) Decryption with BC-UnAuth Decrypt a Key size(s):128, AES-CBC: AES ciphertext with 192, 256 bits (A5081, A5088, AES (XTS mode 128 A5091, A5561, and 256 bits A5562, A5565) only) AES-CBC-CS3: (A5085, A5096, A5570) AES-CFB128: (A5083, A5094, A5568) AES-CTR: (A5081, A5088, A5091, A5561, A5562, A5565) AES-ECB: (A5081, A5086, A5087, A5088, A5089, A5090, A5091, A5092, A5093, A5562, A5563, A5564, A5565, A5566, A5567) AES-OFB: (A5084, A5095, A5569) AES-XTS Testing Revision 2.0: (A5081, A5088, A5091, A5561, A5562, A5565) Hashing SHA Compute a SHA-1: (A5081, message digest A5097, A5098, A5099, A5565) © 2024 Red Hat, Inc./ atsec information security.
Name Type Description Properties Algorithms SHA2-224: (A5081, A5097, A5098, A5099, A5565) SHA2-256: (A5081, A5097, A5098, A5099, A5565) SHA2-384: (A5081, A5097, A5098, A5099, A5565) SHA2-512: (A5081, A5097, A5098, A5099, A5565) SHA3-224: (A5082, A5571) SHA3-256: (A5082, A5571) SHA3-384: (A5082, A5571) SHA3-512: (A5082, A5571) Message MAC Compute a MAC HMAC key AES-CMAC: authentication tag for size(s):112- (A5081, A5091, authentication 524288 bits A5562, A5565) (112-256 bits) AES-GMAC: AES key (A5081, A5091, size(s):128, 192, A5562, A5565)
(A5081, A5097, A5098, A5099, A5565) HMAC-SHA2224: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA2256: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA2384: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA2512: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA3224: (A5082, © 2024 Red Hat, Inc./ atsec information security.
Name Type Description Properties Algorithms A5571) HMAC-SHA3256: (A5082, A5571) HMAC-SHA3384: (A5082, A5571) HMAC-SHA3512: (A5082, A5571) Random DRBG Generate Counter DRBG: number random (A5081, A5086, generation with numbers from A5087, A5088, DRBGs DRBGs A5089, A5090, A5091, A5092, A5093, A5562, A5563, A5564, A5565, A5566, A5567) Hash DRBG: (A5081, A5086, A5087, A5088, A5089, A5090, A5091, A5092, A5093, A5097, A5098, A5099, A5563, A5564, A5565, A5566, A5567) HMAC DRBG: (A5081, A5086, A5087, A5088, A5089, A5090, A5091, A5092, A5093, A5097, A5098, A5099, A5563, A5564, A5565, A5566, A5567) Signature DigSig-SigVer Verify a Padding:PKCS#1 RSA SigVer verification with signature with v1.5 (FIPS186-4): RSA RSA Hashes:SHA1, (A5081, A5097, SHA-224, SHA- A5098, A5099, 256, SHA-384, A5565) SHA-512 RSA SigVer Key (FIPS186-5): size(s):2048, (A5081, A5097, 3072, 4096 bits A5098, A5099, (112, 128, 150 A5565) bits) © 2024 Red Hat, Inc./ atsec information security.
Name Type Description Properties Algorithms Authenticated BC-Auth Encrypt and Key size(s):128, AES-CCM: encryption with authenticate a 192, 256 bits (A5081, A5091, AES plaintext with A5562, A5565) AES AES-GCM: (A5081, A5086, A5087, A5088, A5089, A5090, A5091, A5092, A5093, A5562, A5563, A5564, A5565, A5566, A5567) Authenticated BC-Auth Decrypt and Key size(s):128, AES-CCM: decryption with authenticate a 192, 256 bits (A5081, A5091, AES ciphertext with A5562, A5565) AES AES-GCM: (A5081, A5087, A5088, A5090, A5091, A5092, A5086, A5089, A5093, A5562, A5563, A5564, A5565, A5566, A5567) AES CCM KTS-Wrap Key wrapping; Key size(s):128, AES-CCM: Key unwrapping 192, 256 bits (A5081, A5091, A5562, A5565) AES GCM with KTS-Wrap Key wrapping Key size(s):128, AES-GCM: internal IV 192, 256 bits (A5086, A5089, A5092, A5563, A5566) AES GCM with KTS-Wrap Key unwrapping Key AES-GCM: external IV sizes(s):128, (A5081, A5087, 192, 256 bits A5090, A5091, A5093, A5562, A5564, A5565, A5567, A5088) AES CBC with KTS-Wrap Key wrapping; Key AES-CBC: HMAC SHA-1, Key unwrapping sizes(s):128, (A5081, A5088, HMAC SHA-256, 192, 256 bits A5091, A5561, HMAC SHA-384, A5562, A5565) or HMAC SHA- HMAC-SHA-1:
512 (A5081, A5097,
A5098, A5099, A5565) HMAC-SHA2256: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA2384: (A5081, A5097, A5098, © 2024 Red Hat, Inc./ atsec information security.
Name Type Description Properties Algorithms A5099, A5565) HMAC-SHA2512: (A5081, A5097, A5098, A5099, A5565) AES CTR with KTS-Wrap Key wrapping; Key size(s):128, AES-CTR: HMAC SHA-1, Key unwrapping 192, 256 bits (A5081, A5088, HMAC SHA-256, A5091, A5561, HMAC SHA-384, A5562, A5565) or HMAC SHA- HMAC-SHA-1:
512 (A5081, A5097,
A5098, A5099, A5565) HMAC-SHA2256: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA2384: (A5081, A5097, A5098, A5099, A5565) HMAC-SHA2512: (A5081, A5097, A5098, A5099, A5565) Table 8: Security Function Implementations
The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario
1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs
generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. © 2024 Red Hat, Inc./ atsec information security.
The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in section 4.3.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
Digital signature verification using SHA-1 is allowed for legacy use only. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.
Cert Vendor Number Name E54 Red Hat, Inc. Table 9: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample RHEL Non- Red Hat Enterprise Linux 9 64 bits 59.62 LinearKernel Physical on Dell PowerEdge R440 on bits Feedback Shift CPU Time Intel(R) Xeon(R) Silver 4216; Register (LFSR) Jitter RNG Red Hat Enterprise Linux 9 Entropy on IBM z16 3931-A01 on Source IBM z16; Red Hat Enterprise Linux 9 on PowerVM FW1040.00 with VIOS
on IBM POWER10 Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of these DRBG implementations can be instantiated by the operator of the module. When instantiated, these DRBGs can be used to generate random numbers for external usage. © 2024 Red Hat, Inc./ atsec information security.
The DRBG is initially seeded with 384 output bits from the entropy source (357 bits of entropy) and reseeded with 256 output bits from the entropy source (238 bits of entropy). The module does not offer any service to directly get entropy source output. The entropy source is always internally accessed by the module’s DRBG for seeding and reseeding.
The module does not provide key generation.
As permitted by IG D.G, the module provides key transport methods either by using an approved authenticated encryption mode or by a combination of any approved symmetric encryption mode and an approved authentication method. Specifically, the module provides the following key transport methods:
AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP. © 2024 Red Hat, Inc./ atsec information security.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type sockets N/A Data Output API output parameters, AF_ALG type sockets N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel command line N/A Status API return values, AF_ALG type sockets, kernel logs Output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. © 2024 Red Hat, Inc./ atsec information security.
N/A for this module. The module does not implement authentication.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.
Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss Message Compute crypto_shash_init Messag Digest Hashing Crypt digest a returns 0 e value o message Office digest r Key Wrap a crypto_skcipher_setk AES wrapped AES CCM Crypt wrapping key ey returns 0; key, key key AES GCM o crypto_shash_init to be with Office returns 0 wrappe internal IV r d AES GCM - AES with key: external IV W,E AES CBC with HMAC HMAC SHA-1, key: HMAC W,E SHA-256, HMAC SHA-384, or HMAC SHA-512 AES CTR with HMAC SHA-1, HMAC SHA-256, HMAC © 2024 Red Hat, Inc./ atsec information security.
Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss SHA-384, or HMAC SHA-512 Key Unwrap a crypto_skcipher_setk AES unwrapp AES CCM Crypt unwrappin key ey returns 0; key, key ed key AES GCM o g crypto_shash_init to be with Office returns 0 unwrap internal IV r ped AES GCM - AES with key: external IV W,E AES CBC with HMAC HMAC SHA-1, key: HMAC W,E SHA-256, HMAC SHA-384, or HMAC SHA-512 AES CTR with HMAC SHA-1, HMAC SHA-256, HMAC SHA-384, or HMAC SHA-512 Encryption Encrypt a crypto_skcipher_setk AES Cipherte Encryption Crypt plaintext ey returns 0 key, xt with AES o plaintex Office t r - AES key: W,E Decryption Decrypt a crypto_skcipher_setk AES Plaintext Decryption Crypt ciphertext ey returns 0 key, with AES o cipherte Office xt r - AES key: W,E Authentica Encrypt For all except AES AES Cipherte Authentica Crypt ted and GCM: key, xt, MAC ted o encryption authentic crypto_aead_setkey plaintex tag encryption Office ate a returns 0; For AES t with AES r plaintext GCM: - AES crypto_aead_get_fla key: gs(tfm) has the W,E CRYPTO_TFM_ © 2024 Red Hat, Inc./ atsec information security.
Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss FIPS_COMPLIANCE flag set Authentica Encrypt For all except AES AES Plaintext Authentica Crypt ted and GCM: key, or failure ted o decryption authentic crypto_aead_setkey cipherte decryption Office ate a returns 0; For AES xt, MAC with AES r ciphertext GCM: tag - AES crypto_aead_get_fla key: gs(tfm) has the W,E CRYPTO_TFM_ FIPS_COMPLIANCE flag set Message Compute crypto_shash_init AES: MAC tag Message Crypt authentica a MAC tag returns 0 AES authentica o tion key, tion Office messag r e; - AES HMAC: key: HMAC W,E key, messag HMAC e key: W,E Random Generate crypto_rng_get_byte Output Random Random Crypt number random s returns 0 length bytes number o generation bytes generation Office with r DRBGs Entro py input: W,E DRBG seed: G,E DRBG Intern al state (V, Key): G,W, E DRBG Intern al state © 2024 Red Hat, Inc./ atsec information security.
Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss (V, C): G,W, E Signature Verify a pkcs7_verify returns Messag Pass/fail Signature Crypt verificatio digital 0 e, public verificatio o n signature key, n with RSA Office signatur r e - RSA publi c key: W,E Error Compute None Messag EDC None Crypt detection an EDC e o code (crc32, Office crct10dif) r Compressi Compress None Data Compres None Crypt on data sed data
Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss number generation with DRBGs Signature verificatio n with RSA Authentica ted encryption with AES Authentica ted decryption with AES Zeroizatio Zeroize all None Any SSP N/A None Crypt n SSPs
Table 13: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:
Name Description Algorithms Role AES GCM external IV Encrypt a plaintext using AES AES GCM with CO encryption GCM with an external IV external IV Key derivation Derive a key from a key- KBKDF (libkcapi) CO derivation key or a shared HKDF (libkcapi) secret Password-based key Derive a key from a password PBKDF2 (libkcapi) CO derivation RSA encryption primitive Compute the raw RSA RSA CO encryption of a plaintext RSA decryption primitive Compute the raw RSA RSA CO decryption of a cipertext RSA signature generation Generate a digital signature for RSA with PKCS#1 CO (pre-hashed message) a pre-hashed message v1.5 padding RSA signature verification Verify a digital signature for a RSA with PKCS#1 CO (pre-hashed message) pre-hashed message v1.5 padding Key encapsulation Encapsulate a secret key using RSA with PKCS#1 CO RSA with PKCS#1 v1.5 padding v1.5 padding Key un-encapsulation Un-encapsulate a secret key RSA with PKCS#1 CO using RSA with PKCS#1 v1.5 v1.5 padding padding Table 14: Non-Approved Services
The module does not load external software or firmware. © 2024 Red Hat, Inc./ atsec information security.
The Linux kernel binary is integrity tested using an HMAC SHA-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). An HMAC SHA-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity. The kernel crypto object files listed in section 2.2 are loaded on start-up by the module and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-256, and a 3072-bit key.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. © 2024 Red Hat, Inc./ atsec information security.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.
The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to:
The module is comprised of software only and therefore this section is not applicable. © 2024 Red Hat, Inc./ atsec information security.
This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2024 Red Hat, Inc./ atsec information security.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.
Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameters; calling c module t c AF_ALG_typ applicatio e sockets n (TOEPP) (input) Table 16: SSP Input-Output Methods
Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate handle SSPs SSPs is overwritten with zeroization functions: AES key: contained zeroes, which renders crypto_free_skcipher and within the the SSP values crypto_free_aead; HMAC key: cipher handle irretrievable. The crypto_free_shash and completion of the crypto_free_ahash; DRBG zeroization routine internal state: indicates that the crypto_free_rng; RSA public zeroization procedure key: public_key_free succeeded. Remove De-allocates Volatile memory used by By removing power power from the volatile the module is the module memory used overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. The © 2024 Red Hat, Inc./ atsec information security.
Zeroization Description Rationale Operator Initiation Method successful removal of power implicitly indicates that the zeroization is complete. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization.
Name Descripti Size - Type - Generate Establish Used By on Strength Category d By ed By AES AES key 128, 192, Symmetric Encryption key used for 256 bits - Key - CSP with AES encryption, 128, 192, Decryption decryption, 256 bits with AES and Authenticate computing d encryption MAC tags with AES Authenticate d decryption with AES AES CCM AES GCM with internal IV AES GCM with external IV AES CBC with HMAC SHA-1, HMAC SHA256, HMAC SHA-384, or HMAC SHAAES CTR with HMAC SHA-1, HMAC SHA256, HMAC SHA-384, or HMAC SHAHMAC HMAC key 112-256 Authenticati Message key bits - 112- on key - CSP authenticati
© 2024 Red Hat, Inc./ atsec information security.
Name Descripti Size - Type - Generate Establish Used By on Strength Category d By ed By Entrop Entropy 128-448 Entropy Random y input used bits - 128- input - CSP number input to seed the 256 bits generation DRBGs with DRBGs DRBG DRBG seed CTR_DRBG: Seed - CSP Random Random seed derived 128, 192, number number from 256 bits; generatio generation entropy Hash_DRBG n with with DRBGs input : 128, 256 DRBGs bits; HMAC_DRB G: 128, 256 bits CTR_DRBG: 128, 192,
Hash_DRBG : 128, 256 bits; HMAC_DRB G: 128, 256 bits DRBG Internal CTR_DRBG: Internal Random Random Intern state of 128, 192, state - CSP number number al CTR_DRBG 256 bits; generatio generation state and HMAC_DRB n with with DRBGs (V, HMAC_DRB G: 128, 256 DRBGs Key) G bits instances CTR_DRBG: 128, 192,
HMAC_DRB G: 128, 256 bits DRBG Internal Hash_DRBG Internal Random Random Intern state of : 128, 256 state - CSP number number al Hash_DRB bits - generatio generation state G Hash_DRBG n with with DRBGs (V, C) instances : 128, 256 DRBGs bits RSA Public key 2048, Public key - Signature public used for 3072, 4096 PSP verification key RSA bits - 112, with RSA signature 128, 150 verification bits Table 18: SSP Table 1 © 2024 Red Hat, Inc./ atsec information security.
Name Input - Storage Storage Zeroization Related Output Duration SSPs AES key API input RAM:Plaintext Until cipher Free cipher parameters; handled is handle AF_ALG_type freed or Remove sockets module power from (input) powered off the module HMAC API input RAM:Plaintext Until cipher Free cipher key parameters; handled is handle AF_ALG_type freed or Remove sockets module power from (input) powered off the module Entropy RAM:Plaintext From Free cipher DRBG input generation handle seed:Derives until DRBG Remove seed/reseed power from the module DRBG RAM:Plaintext While the Free cipher Entropy seed DRBG is being handle input:Derived instantiated Remove From power from DRBG Internal the module state (V, Key):Derives DRBG RAM:Plaintext From DRBG Free cipher DRBG Internal instantiation handle seed:Derived state (V, until DRBG Remove From Key) termination power from the module DRBG RAM:Plaintext From DRBG Free cipher DRBG Internal instantiation handle seed:Derived state (V, until DRBG Remove From C) termination power from the module RSA API input RAM:Plaintext Until cipher Free cipher public parameters; handled is handle key AF_ALG_type freed or Remove sockets module power from (input) powered off the module Table 19: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2031. The RSA algorithm with SHA-1 as implemented by the module conforms to FIPS 186-4. FIPS 186-4 was withdrawn on February 3, 2024 but FIPS 140-3 IG C.K allows RSA signature verification with SHA-1 under FIPS 186-4 to still be approved. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-512 Authentication Integrity becomes vmlinuz, (A5099) operational libkcapi and services components are available and for use. sha512hmac binary RSA SigVer 3072-bit key Signature SW/FW Module Integrity test for (FIPS186-5) with SHA- Verification Integrity becomes kernel object (A5081) 256 operational files and services are available for use. Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5081) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A5097) messages becomes digest initialization operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5098) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A5099) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5081) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5097) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5098) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5099) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5081) messages becomes digest initialization operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5097) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5098) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5099) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5081) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5097) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5098) messages becomes digest initialization operational and services are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5099) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5081) message becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5097) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5098) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5099) messages becomes digest initialization operational and services are available for use. SHA3-224 0-8184 bit KAT CAST Module Message Module (A5082) message becomes digest initialization operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA3-256 0-8184 bit KAT CAST Module Message Module (A5082) message becomes digest initialization operational and services are available for use. SHA3-384 0-8184 bit KAT CAST Module Message Module (A5082) message becomes digest initialization operational and services are available for use. SHA3-512 0-8184 bit KAT CAST Module Message Module (A5082) message becomes digest initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5081) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5086) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5087) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5088) 256 bit keys becomes Decryption initialization operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5089) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5090) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5092) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5093) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5091) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Encryption, Module (A5081) 256 bit keys becomes Decryption initialization operational and services are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-CBC 128, 192, KAT CAST Module Encryption, Module (A5088) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CBC- 128 bit keys KAT CAST Module Encryption, Module CS3 becomes Decryption initialization (A5096) operational and services are available for use. AES-OFB 128 bit keys KAT CAST Module Encryption, Module (A5095) becomes Decryption initialization operational and services are available for use. AES- 128, 192, KAT CAST Module Encryption, Module CFB128 256 bit keys becomes Decryption initialization (A5094) operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption, Module (A5081) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption, Module (A5091) 256 bit keys becomes Decryption initialization operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CCM 128, 192, KAT CAST Module Encryption, Module (A5091) 256 bit keys; becomes Decryption initialization 128-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5081) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5086) 256 bit keys, becomes initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5087) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5088) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5089) 256 bit keys, becomes initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5090) 256 bit keys, becomes Decryption initialization 96-bit IVs operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5091) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5092) 256 bit keys, becomes initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5093) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption, Module Testing bit keys becomes Decryption initialization Revision operational
(A5081) services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption, Module Testing bit keys becomes Decryption initialization Revision operational
(A5091) services are available for use. AES-CMAC 128 and 256 KAT CAST Module Message Module (A5091) bit keys becomes authentication initialization operational and services are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A5081) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A5097) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A5098) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A5099) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5081) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5097) operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5098) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5099) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5081) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5097) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5098) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5099) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5081) operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5097) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5098) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5099) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization (A5081) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization (A5097) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization (A5098) operational and services are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization (A5099) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-224 keys becomes authentication initialization (A5082) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-256 keys becomes authentication initialization (A5082) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-384 keys becomes authentication initialization (A5082) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-512 keys becomes authentication initialization (A5082) operational and services are available for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5081) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5086) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5087) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5088) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5089) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5090) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5091) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5092) With/without operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5093) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5081) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5086) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5087) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5088) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5089) PR; Health operational test per and section 11.3 services are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5090) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5091) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5092) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5093) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5097) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5098) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5099) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5081) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5086) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5087) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5088) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5089) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5090) With/without operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5091) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5092) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5093) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5097) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5098) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5099) With/without operational PR; Health and test per services section 11.3 are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186- with SHA- becomes initialization
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5565) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5565) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5565) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5565) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5565) messages becomes digest initialization operational and services are available for use. SHA3-224 0-8184 bit KAT CAST Module Message Module (A5571) messages becomes digest initialization operational and services are available for use. SHA3-256 0-8184 bit KAT CAST Module Message Module (A5571) messages becomes digest initialization operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. SHA3-384 0-8184 bit KAT CAST Module Message Module (A5571) messages becomes digest initialization operational and services are available for use. SHA3-512 0-8184 bit KAT CAST Module Message Module (A5571) messages becomes digest initialization operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA-1 keys becomes authentication initialization (A5565) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5565) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5565) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5565) operational and services are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization (A5565) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-224 keys becomes authentication initialization (A5571) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-256 keys becomes authentication initialization (A5571) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-384 keys becomes authentication initialization (A5571) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-512 keys becomes authentication initialization (A5571) operational and services are available for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5562) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5563) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5564) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5565) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5566) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module Seed, Module DRBG 256 bit keys becomes Generate initialization (A5567) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5563) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5564) PR; Health operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5565) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5566) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash SHA-256 KAT CAST Module Seed, Module DRBG With/without becomes Generate initialization (A5567) PR; Health operational test per and section 11.3 services of SP 800- are 90Arev1 available for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5563) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5564) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5565) With/without operational PR; Health and test per services section 11.3 are © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5566) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module Seed, Module DRBG SHA512 becomes Generate initialization (A5567) With/without operational PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5562) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5563) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5564) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5565) 256 bit keys becomes Decryption initialization operational and services are available for use. © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5566) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption, Module (A5567) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Encryption, Module (A5561) 256 bit keys becomes Decryption initialization operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5562) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5563) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5564) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5565) 256 bit keys, becomes Decryption initialization 96-bit IVs operational © 2024 Red Hat, Inc./ atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5566) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption, Module (A5567) 256 bit keys, becomes Decryption initialization 96-bit IVs operational and services are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186- with SHA- becomes initialization
© 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually
RSA SigVer Signature SW/FW Integrity On demand Manually (FIPS186-5) Verification (A5081) Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A5081) KAT CAST On demand Manually SHA-1 (A5097) KAT CAST On demand Manually SHA-1 (A5098) KAT CAST On demand Manually SHA-1 (A5099) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A5081) SHA2-224 KAT CAST On demand Manually (A5097) SHA2-224 KAT CAST On demand Manually (A5098) SHA2-224 KAT CAST On demand Manually (A5099) SHA2-256 KAT CAST On demand Manually (A5081) SHA2-256 KAT CAST On demand Manually (A5097) SHA2-256 KAT CAST On demand Manually (A5098) SHA2-256 KAT CAST On demand Manually (A5099) SHA2-384 KAT CAST On demand Manually (A5081) SHA2-384 KAT CAST On demand Manually (A5097) SHA2-384 KAT CAST On demand Manually (A5098) SHA2-384 KAT CAST On demand Manually (A5099) SHA2-512 KAT CAST On demand Manually (A5081) SHA2-512 KAT CAST On demand Manually (A5097) SHA2-512 KAT CAST On demand Manually (A5098) SHA2-512 KAT CAST On demand Manually (A5099) SHA3-224 KAT CAST On demand Manually (A5082) SHA3-256 KAT CAST On demand Manually (A5082) © 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method SHA3-384 KAT CAST On demand Manually (A5082) SHA3-512 KAT CAST On demand Manually (A5082) AES-ECB KAT CAST On demand Manually (A5081) AES-ECB KAT CAST On demand Manually (A5086) AES-ECB KAT CAST On demand Manually (A5087) AES-ECB KAT CAST On demand Manually (A5088) AES-ECB KAT CAST On demand Manually (A5089) AES-ECB KAT CAST On demand Manually (A5090) AES-ECB KAT CAST On demand Manually (A5092) AES-ECB KAT CAST On demand Manually (A5093) AES-ECB KAT CAST On demand Manually (A5091) AES-CBC KAT CAST On demand Manually (A5081) AES-CBC KAT CAST On demand Manually (A5088) AES-CBC-CS3 KAT CAST On demand Manually (A5096) AES-OFB KAT CAST On demand Manually (A5095) AES-CFB128 KAT CAST On demand Manually (A5094) AES-CTR KAT CAST On demand Manually (A5081) AES-CTR KAT CAST On demand Manually (A5091) AES-CCM KAT CAST On demand Manually (A5091) AES-GCM KAT CAST On demand Manually (A5081) AES-GCM KAT CAST On demand Manually (A5086) AES-GCM KAT CAST On demand Manually (A5087) AES-GCM KAT CAST On demand Manually (A5088) AES-GCM KAT CAST On demand Manually (A5089) AES-GCM KAT CAST On demand Manually (A5090) © 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On demand Manually (A5091) AES-GCM KAT CAST On demand Manually (A5092) AES-GCM KAT CAST On demand Manually (A5093) AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5081) AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5091) AES-CMAC KAT CAST On demand Manually (A5091) HMAC-SHA-1 KAT CAST On demand Manually (A5081) HMAC-SHA-1 KAT CAST On demand Manually (A5097) HMAC-SHA-1 KAT CAST On demand Manually (A5098) HMAC-SHA-1 KAT CAST On demand Manually (A5099) HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
© 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
Counter DRBG KAT CAST On demand Manually (A5081) Counter DRBG KAT CAST On demand Manually (A5086) Counter DRBG KAT CAST On demand Manually (A5087) Counter DRBG KAT CAST On demand Manually (A5088) Counter DRBG KAT CAST On demand Manually (A5089) Counter DRBG KAT CAST On demand Manually (A5090) Counter DRBG KAT CAST On demand Manually (A5091) Counter DRBG KAT CAST On demand Manually (A5092) Counter DRBG KAT CAST On demand Manually (A5093) Hash DRBG KAT CAST On demand Manually (A5081) Hash DRBG KAT CAST On demand Manually (A5086) Hash DRBG KAT CAST On demand Manually (A5087) Hash DRBG KAT CAST On demand Manually (A5088) Hash DRBG KAT CAST On demand Manually (A5089) Hash DRBG KAT CAST On demand Manually (A5090) Hash DRBG KAT CAST On demand Manually (A5091) Hash DRBG KAT CAST On demand Manually (A5092) Hash DRBG KAT CAST On demand Manually (A5093) Hash DRBG KAT CAST On demand Manually (A5097) © 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method Hash DRBG KAT CAST On demand Manually (A5098) Hash DRBG KAT CAST On demand Manually (A5099) HMAC DRBG KAT CAST On demand Manually (A5081) HMAC DRBG KAT CAST On demand Manually (A5086) HMAC DRBG KAT CAST On demand Manually (A5087) HMAC DRBG KAT CAST On demand Manually (A5088) HMAC DRBG KAT CAST On demand Manually (A5089) HMAC DRBG KAT CAST On demand Manually (A5090) HMAC DRBG KAT CAST On demand Manually (A5091) HMAC DRBG KAT CAST On demand Manually (A5092) HMAC DRBG KAT CAST On demand Manually (A5093) HMAC DRBG KAT CAST On demand Manually (A5097) HMAC DRBG KAT CAST On demand Manually (A5098) HMAC DRBG KAT CAST On demand Manually (A5099) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5081) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5097) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5098) Entropy source, RCT CAST On demand Manually start-up RCT Entropy source, APT CAST On demand Manually start-up APT Entropy source, RCT CAST On demand Manually continuous RCT Entropy source, APT CAST On demand Manually continuous APT SHA-1 (A5565) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A5565) SHA2-256 KAT CAST On demand Manually (A5565) © 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method SHA2-384 KAT CAST On demand Manually (A5565) SHA2-512 KAT CAST On demand Manually (A5565) SHA3-224 KAT CAST On demand Manually (A5571) SHA3-256 KAT CAST On demand Manually (A5571) SHA3-384 KAT CAST On demand Manually (A5571) SHA3-512 KAT CAST On demand Manually (A5571) HMAC-SHA-1 KAT CAST On demand Manually (A5565) HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
Counter DRBG KAT CAST On demand Manually (A5562) Counter DRBG KAT CAST On demand Manually (A5563) Counter DRBG KAT CAST On demand Manually (A5564) Counter DRBG KAT CAST On demand Manually (A5565) Counter DRBG KAT CAST On demand Manually (A5566) Counter DRBG KAT CAST On demand Manually (A5567) Hash DRBG KAT CAST On demand Manually (A5563) Hash DRBG KAT CAST On demand Manually (A5564) Hash DRBG KAT CAST On demand Manually (A5565) Hash DRBG KAT CAST On demand Manually (A5566) © 2024 Red Hat, Inc./ atsec information security.
Algorithm or Test Method Test Type Period Periodic Test Method Hash DRBG KAT CAST On demand Manually (A5567) HMAC DRBG KAT CAST On demand Manually (A5563) HMAC DRBG KAT CAST On demand Manually (A5564) HMAC DRBG KAT CAST On demand Manually (A5565) HMAC DRBG KAT CAST On demand Manually (A5566) HMAC DRBG KAT CAST On demand Manually (A5567) AES-ECB KAT CAST On demand Manually (A5562) AES-ECB KAT CAST On demand Manually (A5563) AES-ECB KAT CAST On demand Manually (A5564) AES-ECB KAT CAST On demand Manually (A5565) AES-ECB KAT CAST On demand Manually (A5566) AES-ECB KAT CAST On demand Manually (A5567) AES-CBC KAT CAST On demand Manually (A5561) AES-GCM KAT CAST On demand Manually (A5562) AES-GCM KAT CAST On demand Manually (A5563) AES-GCM KAT CAST On demand Manually (A5564) AES-GCM KAT CAST On demand Manually (A5565) AES-GCM KAT CAST On demand Manually (A5566) AES-GCM KAT CAST On demand Manually (A5567) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5099) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5565) Table 23: Conditional Periodic Information
© 2024 Red Hat, Inc./ atsec information security.
Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 24: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).
All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module. © 2024 Red Hat, Inc./ atsec information security.
The module is distributed as a part of the Red Hat Enterprise Linux 9 (RHEL 9) package in the form of the kernel-5.14.0-284.57.1.el9_2, libkcapi-1.3.1-3.el9, and libkcapi-hmaccalc1.3.1-3.el9 RPM packages. The module can achieve the approved mode by:
After installation of the kernel-5.14.0-284.57.1.el9_2, libkcapi-1.3.1-3.el9, and libkcapihmaccalc-1.3.1-3.el9 RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Red Hat Enterprise Linux 9 - Kernel Cryptographic API Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapi” commands. These commands must output the following for each tested operational environment (one line per output): Dell PowerEdge R440: 5.14.0-284.57.1.el9_2.x86_64 libkcapi-1.3.1-3.el9.x86_64 IBM z16 3931-A01: 5.14.0-284.57.1.el9_2.s390x libkcapi-1.3.1-3.el9.s390x IBM 9080-HEX: 5.14.0-284.57.1.el9_2.ppc64le libkcapi-1.3.1-3.el9.ppc64le
There is no non-administrator guidance. © 2024 Red Hat, Inc./ atsec information security.
Not applicable for this module.
There are no maintenance requirements.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-5.14.0-284.57.1.el9_2, libkcapi-1.3.1-3.el9, and libkcapi-hmaccalc-1.3.1-3.el9 RPM packages can be uninstalled from the RHEL 9 system. © 2024 Red Hat, Inc./ atsec information security.
The module does not offer mitigation of other attacks and therefore this section is not applicable. © 2024 Red Hat, Inc./ atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book ENT (NP) Non-physical Entropy Source FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 Red Hat, Inc./ atsec information security.
Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Addendum Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf © 2024 Red Hat, Inc./ atsec information security.
SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800- Transitioning the Use of Cryptographic Algorithms and Key 131Ar2 Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 Red Hat, Inc./ atsec information security.