| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/2/2030 |
| Caveat | When operated in approved mode. The module generates random strings whose strengths are modified by available entropy. |
| Vendor | Oracle Corporation |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for Oracle Linux 9 Kernel Crypto API Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Error State</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Oracle Linux 9 Kernel Crypto API Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Error State</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;Oracle Corporation Oracle Linux 9 Kernel Crypto API Cryptographic Module Software Version: kernel: 5.14.0-362.24.1.0.4.el9_3 libkcapi: 1.3.1-3.0.1.el9 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com Document Version 1.1 ©Oracle Corporation
Title: Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy Date: June 30th, 2025 Contributing Authors: Oracle Linux Engineering Security Evaluations
Austin, TX 78741 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 www.oracle.com hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy i
| # | Section | Page |
|---|---|---|
| 1 | General | 1 |
| 1.1 | Overview | 1 |
| 1.1.1 | How This Security Policy was prepared | 1 |
| 1.2 | Security Levels | 1 |
| 2 | Cryptographic Module Specification | 2 |
| 2.1 | Description | 2 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 3 |
| 2.3 | Excluded Components | 3 |
| 2.4 | Modes of Operation | 3 |
| 2.5 | Algorithms | 4 |
| 2.6 | Security Function Implementations | 6 |
| 2.7 | Algorithm Specific Information | 8 |
| 2.7.1 | AES GCM IV | 8 |
| 2.7.2 | AES XTS | 9 |
| 2.7.3 | SP 800-56Arev3 Assurances | 9 |
| 2.7.4 | RSA | 9 |
| 2.8 | RBG and Entropy | 9 |
| 2.9 | Key Generation | 10 |
| 2.10 | Key Establishment | 10 |
| 2.11 | Industry Protocols | 10 |
| 3 | Cryptographic Module Interfaces | 11 |
| 3.1 | Ports and Interfaces | 11 |
| 4 | Roles, Services, and Authentication | 12 |
| 4.1 | Authentication Methods | 12 |
| 4.2 | Roles | 12 |
| 4.3 | Approved Services | 12 |
| 4.4 | Non-Approved Services | 14 |
| 4.5 | External Software/Firmware Loaded | 14 |
| 5 | Software/Firmware Security | 15 |
| 5.1 | Integrity Techniques | 15 |
| 5.2 | Initiate on Demand | 15 |
| 6 | Operational Environment | 16 |
| 6.1 | Operational Environment Type and Requirements | 16 |
| 6.2 | Configuration Settings and Restrictions | 16 |
| 7 | Physical Security | 17 |
| 8 | Non-Invasive Security | 18 |
| 9 | Sensitive Security Parameters Management | 19 |
| 9.1 | Storage Areas | 19 |
| 9.2 | SSP Input-Output Methods | 19 |
| 9.3 | SSP Zeroization Methods | 19 |
| 9.4 | SSPs | 19 |
| 9.5 | Transitions | 21 |
| 10 | Self-Tests | 22 |
| 10.1 | Pre-Operational Self-Tests | 22 |
| 10.2 | Conditional Self-Tests | 22 |
| 10.3 | Periodic Self-Test Information | 29 |
| 10.4 | Error States | 32 |
| 10.5 | Operator Initiation of Self-Tests | 32 |
| 11 | Life-Cycle Assurance | 33 |
| 11.1 | Installation, Initialization, and Startup Procedures | 33 |
| 11.2 | Administrator Guidance | 33 |
| 11.3 | Non-Administrator Guidance | 33 |
| 11.4 | End of Life | 33 |
| 12 | Mitigation of Other Attacks | 34 |
| Appendix A. Glossary and Abbreviations | 35 | |
| Appendix B. References | 36 |
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy iii
| Item | Page |
|---|---|
| Table 1: Security Levels | 1 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 3 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 3 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 3 |
| Table 5: Modes List and Description | 3 |
| Table 6: Approved Algorithms | 5 |
| Table 7: Non-Approved, Not Allowed Algorithms | 6 |
| Table 8: Security Function Implementations | 8 |
| Table 9: Entropy Certificates | 9 |
| Table 10: Entropy Sources | 9 |
| Table 11: Ports and Interfaces | 11 |
| Table 12: Roles | 12 |
| Table 13: Approved Services | 14 |
| Table 14: Non-Approved Services | 14 |
| Table 15: Storage Areas | 19 |
| Table 16: SSP Input-Output Methods | 19 |
| Table 17: SSP Zeroization Methods | 19 |
| Table 18: SSP Table 1 | 20 |
| Table 19: SSP Table 2 | 21 |
| Table 20: Pre-Operational Self-Tests | 22 |
| Table 21: Conditional Self-Tests | 29 |
| Table 22: Pre-Operational Periodic Information | 29 |
| Table 23: Conditional Periodic Information | 32 |
| Table 24: Error States | 32 |
| Item | Page |
|---|---|
| Figure 1: Block Diagram | 2 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 1 |
This document is the non-proprietary FIPS 140-3 Security Policy for Oracle Linux 9 Kernel Crypto API Cryptographic Module versions:
In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
N/A N/A N/A Table 1: Security Levels Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Purpose and Use: The Oracle Linux 9 Kernel Crypto API Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the loadable kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Block Diagram Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| /boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | N/A | /boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac | HMAC-SHA-512; RSA signature verification | ||||||
| Oracle Linux 9 | Oracle Linux 9 | ORACLE SERVER X9-2c | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | Intel Xeon Platinum 8358 | Yes | KVM on Oracle Linux 8 | ||||
| Oracle Linux 9 | Oracle Linux 9 | ORACLE SERVER E4-2c | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | AMD EPYC 7J13 | Yes | KVM on Oracle Linux 8 | ||||
| Oracle Linux 9 | Oracle Linux 9 | Oracle X Series Servers | ||||||||
| Oracle Linux 9 | Oracle Linux 9 | Oracle E Series Servers |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| /boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | N/A | /boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac | HMAC-SHA-512; RSA signature verification | ||||||
| Oracle Linux 9 | Oracle Linux 9 | ORACLE SERVER X9-2c | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | Intel Xeon Platinum 8358 | Yes | KVM on Oracle Linux 8 | ||||
| Oracle Linux 9 | Oracle Linux 9 | ORACLE SERVER E4-2c | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | AMD EPYC 7J13 | Yes | KVM on Oracle Linux 8 | ||||
| Oracle Linux 9 | Oracle Linux 9 | Oracle X Series Servers | ||||||||
| Oracle Linux 9 | Oracle Linux 9 | Oracle E Series Servers |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| /boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | N/A | /boot/vmlinuz-5.14.0-362.24.1.0.4.el9_3.x86_64; *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/crypto *.ko and *.ko.xz files in /usr/lib/modules/5.14.0- 362.24.1.0.4.el9_3.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.3.1, /usr/bin/sha512hmac | HMAC-SHA-512; RSA signature verification | ||||||
| Oracle Linux 9 | Oracle Linux 9 | ORACLE SERVER X9-2c | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | Intel Xeon Platinum 8358 | Yes | KVM on Oracle Linux 8 | ||||
| Oracle Linux 9 | Oracle Linux 9 | ORACLE SERVER E4-2c | 5.14.0-362.24.1.0.4.el9_3; 1.3.1-3.0.1.el9 | AMD EPYC 7J13 | Yes | KVM on Oracle Linux 8 | ||||
| Oracle Linux 9 | Oracle Linux 9 | Oracle X Series Servers | ||||||||
| Oracle Linux 9 | Oracle Linux 9 | Oracle E Series Servers |
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- approved mode | Automatically entered whenever a non-approved service is requested. | No service indicator required for non-approved services per IG 2.4.C | Non- Approved |
Tested Module Identification
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Nonapproved Table 5: Modes List and Description Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A5278, A5285, A5288 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS3 | A5282, A5293 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CCM | A5278, A5288 | Key Length - 128, 192, 256 | SP 800-38C |
| AES-CFB128 | A5280, A5291 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CMAC | A5278, A5288 | Direction - Generation, Verification Key Length - 128, 192, 256 | SP 800-38B |
| AES-CTR | A5278, A5285, A5288 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | A5278, A5284, A5285, A5287, A5288, A5290 | Direction - Decrypt, Encrypt IV Generation - External Key Length - 128, 192, 256 | SP 800-38D |
| AES-GCM | A5283, A5286, A5289 | Direction - Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| AES-GMAC | A5278, A5288 | Direction - Decrypt, Encrypt IV Generation - External Key Length - 128, 192, 256 | SP 800-38D |
| AES-OFB | A5281, A5292 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A5278, A5285, A5288 | Direction - Decrypt, Encrypt Key Length - 128, 256 | SP 800-38E |
| Counter DRBG | A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290 | Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - Yes | SP 800-90A Rev. 1 |
| Hash DRBG | A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296 | Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512 | SP 800-90A Rev. 1 |
| HMAC DRBG | A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296 | Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A5277, A5278, A5294, A5295, A5296, A5297 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-224 | A5277, A5278, A5294, A5295, A5296, A5297 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-256 | A5277, A5278, A5294, A5295, A5296, A5297 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-384 | A5277, A5278, A5294, A5295, A5296 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512 | A5277, A5278, A5294, A5295, A5296 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-224 | A5279 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-256 | A5279 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-384 | A5279 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-512 | A5279 | Key Length - Key Length: 112-524288 Increment 8 | FIPS 198-1 |
| KAS-FFC-SSC Sp800- 56Ar3 | A5277 | Domain Parameter Generation Methods - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 Scheme - dhEphem - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| RSA SigVer (FIPS186-4) | A5278, A5294, A5295, A5296 | Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| RSA SigVer (FIPS186-5) | A5278, A5294, A5295, A5296 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| Safe Primes Key Generation | A5277 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 | SP 800-56A Rev. 3 |
| SHA-1 | A5277, A5278, A5294, A5295, A5296, A5297 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 180-4 |
| SHA2-224 | A5277, A5278, A5294, A5295, A5296, A5297 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 180-4 |
| SHA2-256 | A5277, A5278, A5294, A5295, A5296, A5297 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 180-4 |
| SHA2-384 | A5277, A5278, A5294, A5295, A5296 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 180-4 |
| SHA2-512 | A5277, A5278, A5294, A5295, A5296 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 180-4 |
| SHA3-224 | A5279 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 202 |
| SHA3-256 | A5279 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 202 |
| SHA3-384 | A5279 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 202 |
| SHA3-512 | A5279 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2 | FIPS 202 |
After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: The module does not implement a degraded mode of operation.
Approved Algorithms: Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| AES GCM with external IV | Encryption | |||
| KBKDF (libkcapi) | Key derivation | |||
| HKDF (libkcapi) | Key derivation | |||
| PBKDF2 (libkcapi) | Password-based key derivation | |||
| RSA | Encryption primitive; Decryption primitive | |||
| RSA with PKCS#1 v1.5 padding | Signature generation (pre-hashed message); Signature verification (pre-hashed message) | |||
| KAS-FFC-SSC | Shared Secret Computation | KAS-FFC-SSC Sp800-56Ar3: (A5277) | KAS-SSC | Keys:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 bit keys with 112-200 bits of key strength Compliance:Compliant with IG D.F scenario 2(1) |
| Safe Primes Key Generation | Key Generation | Safe Primes Key Generation: (A5277) | CKG | Groups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 |
| Encryption with AES | Encrypt a plaintext with AES | AES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288) | BC-UnAuth | Key size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only) |
| Decryption with AES | Decrypt a ciphertext with AES | AES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288) | BC-UnAuth | Key size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only) |
| Hashing | Compute a message digest | SHA-1: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-224: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-256: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-384: (A5277, A5278, | SHA | SHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA3-224:N/A SHA3-256:N/A SHA3-384:N/A SHA3-512:N/A |
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| AES GCM with external IV | Encryption | |||
| KBKDF (libkcapi) | Key derivation | |||
| HKDF (libkcapi) | Key derivation | |||
| PBKDF2 (libkcapi) | Password-based key derivation | |||
| RSA | Encryption primitive; Decryption primitive | |||
| RSA with PKCS#1 v1.5 padding | Signature generation (pre-hashed message); Signature verification (pre-hashed message) | |||
| KAS-FFC-SSC | Shared Secret Computation | KAS-FFC-SSC Sp800-56Ar3: (A5277) | KAS-SSC | Keys:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 bit keys with 112-200 bits of key strength Compliance:Compliant with IG D.F scenario 2(1) |
| Safe Primes Key Generation | Key Generation | Safe Primes Key Generation: (A5277) | CKG | Groups:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 |
| Encryption with AES | Encrypt a plaintext with AES | AES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288) | BC-UnAuth | Key size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only) |
| Decryption with AES | Decrypt a ciphertext with AES | AES-CBC: (A5278, A5285, A5288) AES-CBC-CS3: (A5282, A5293) AES-CFB128: (A5280, A5291) AES-CTR: (A5278, A5285, A5288) AES-ECB: (A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) AES-OFB: (A5281, A5292) AES-XTS Testing Revision 2.0: (A5278, A5285, A5288) | BC-UnAuth | Key size(s):128, 192, 256 bits (XTS mode 128 and 256 bits only) |
| Hashing | Compute a message digest | SHA-1: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-224: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-256: (A5277, A5278, A5294, A5295, A5296, A5297) SHA2-384: (A5277, A5278, | SHA | SHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA3-224:N/A SHA3-256:N/A SHA3-384:N/A SHA3-512:N/A |
| Message authentication | Compute a MAC tag for authentication | AES-CMAC: (A5278, A5288) AES-GMAC: (A5278, A5288) HMAC-SHA-1: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-224: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-256: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-384: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA2-512: (A5277, A5278, A5294, A5295, A5296, A5297) HMAC-SHA3-224: (A5279) HMAC-SHA3-256: (A5279) HMAC-SHA3-384: (A5279) HMAC-SHA3-512: (A5279) | MAC | HMAC key size(s):112- 524288 bits (112-256 bits) AES key size(s):128, 192, 256 bits |
| Random number generation with DRBGs | Generate random numbers from DRBGs | Counter DRBG: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) Hash DRBG: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296) HMAC DRBG: (A5277, A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290, A5294, A5295, A5296) | DRBG | Counter DRBG:128, 192, 256 bits HMAC DRBG:128, 256 bits Hash DRBG:128, 256 bits |
| Signature verification with RSA | Verify a signature with RSA | RSA SigVer (FIPS186-4): (A5278, A5294, A5295, A5296) RSA SigVer (FIPS186-5): (A5278, A5294, A5295, A5296) | DigSig-SigVer | Padding:PKCS#1 v1.5 Hashes:SHA1, SHA-224, SHA-256, SHA-384, SHA- 512 Key size(s):2048, 3072, 4096 bits (112, 128, 150 bits) |
| Authenticated encryption with AES | Encrypt and authenticate a plaintext with AES | AES-CCM: (A5278, A5288) AES-GCM: (A5278, A5283, A5284, A5285, A5286, A5287, A5288, A5289, A5290) | BC-Auth | Key size(s):128, 192, 256 bits |
| Authenticated decryption with AES | Decrypt and authenticate a ciphertext with AES | AES-CCM: (A5278, A5288) AES-GCM: (A5278, A5285, A5287, A5288, A5290, A5283, A5284, A5286, A5289) | BC-Auth | Key size(s):128, 192, 256 bits |
| Key wrapping | Key wrapping | AES-CCM: (A5278, A5288) AES-GCM: (A5283, A5285, A5286, A5289) AES-CBC: (A5278, A5285, | KTS-Wrap | Key size(s):128, 192, 256 bits |
| Key unwrapping | Key unwrapping | AES-CCM: (A5278, A5288) AES-GCM: (A5278, A5284, A5287, A5288, A5290) AES-CBC: (A5278, A5285, A5288) HMAC-SHA-1: (A5277, A5295, A5296, A5278, A5294) HMAC-SHA2-256: (A5295, A5296, A5278, A5294) HMAC-SHA2-384: (A5295, A5296, A5278, A5294) HMAC-SHA2-512: (A5295, A5296, A5278, A5294) AES-CTR: (A5278, A5285, A5288) | KTS-Wrap | Key sizes(s):128, 192, 256 bits |
Table 7: Non-Approved, Not Allowed Algorithms
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Table 8: Security Function Implementations
Legacy use: Digital Signature Verification with SHA-1 is allowed for legacy use only. The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in section 4.3. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Type | Strength | Operational Environment | Entropy per Sample | Conditioning Component |
|---|---|---|---|---|---|
| Oracle Linux 9 Kernel CPU Time Jitter RNG Entropy Source | Non- Physical | 64 bits | Oracle Linux 9 on KVM on Oracle Linux 8 on Oracle SERVER X9-2c; Oracle Linux 9 on KVM on Oracle Linux 8 on ORACLE SERVER E4-2c | 57.46 bits | Linear-Feedback Shift Register (LFSR) |
| Cert | Vendor Name |
|---|---|
| Number | |
| E151 | Oracle Corporation |
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use Diffie-Hellman shared secret computation algorithm with NVMe protocol. Additionally, the module’s approved key pair generation service (see section 2.9) must be used to generate ephemeral Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer DH public key, complying with Section 5.6.2.2.2 of SP 800-56Ar3. The module is compliant to IG D.F scenario 2 path (1).
For RSA signature verification, the module supports modulus sizes 2048, 3072, and 4096 bits compliant to IG C.F. All supported modulus sizes have been CAVP tested.
Table 9: Entropy Certificates Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of these DRBG implementations can be instantiated by the operator of the module. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA2-512 DRBG implementation for internal purposes (e.g. to generate initialization vectors). This DRBG is initially seeded with 384 output bits from the entropy source (344 bits of entropy) and reseeded with 256 output bits from the entropy source (229 bits of entropy). Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The module implements safe primes key pair generation: compliant with SP 800-133r2, Section 5.2, which maps to SP 800-56Ar3. The method described in Section 5.6.1.1.4 of SP 800-56Ar3 (“Testing Candidates”) is used. Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service.
The module provides DH shared secret computation. Additionally, as permitted by IG D.G, the module provides key transport either by using an approved authenticated encryption mode or by a combination of any approved symmetric encryption mode and an approved authentication method.
AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | API data input parameters, AF_ALG type sockets |
| N/A | N/A | Data Output | API output parameters, AF_ALG type sockets |
| N/A | N/A | Control Input | API function calls, API control input parameters, AF_ALG type sockets, kernel command line |
| N/A | N/A | Status Output | API return values, AF_ALG type sockets, kernel logs |
N/A N/A N/A N/A Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | Authentication Methods |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | None | ||||||
| Message digest | Compute a message digest | Crypto Officer | Hashing | crypto_shash_init returns 0 | Message | Digest value | |||
| Key wrapping | Wrap a key | Crypto Officer - AES key: W,E - HMAC key: W,E | Key wrapping | crypto_skcipher_setkey returns 0; crypto_shash_init returns 0 | AES key, key to be wrapped | wrapped key | |||
| Key unwrapping | Unwrap a key | Crypto Officer - AES key: W,E - HMAC key: W,E | Key unwrapping | crypto_skcipher_setkey returns 0; crypto_shash_init returns 0 | AES key, key to be unwrapped | unwrapped key | |||
| Encryption | Encrypt a plaintext | Crypto Officer - AES key: W,E | Encryption with AES | crypto_skcipher_setkey returns 0 | AES key, plaintext | Ciphertext | |||
| Decryption | Decrypt a ciphertext | Crypto Officer - AES key: W,E | Decryption with AES | crypto_skcipher_setkey returns 0 | AES key, ciphertext | Plaintext | |||
| Authenticated encryption | Encrypt and authenticate a plaintext | Crypto Officer - AES key: W,E | Authenticated encryption with AES | For all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set | AES key, plaintext | Ciphertext, MAC tag | |||
| Authenticated decryption | Encrypt and authenticate a ciphertext | Crypto Officer - AES key: W,E | Authenticated decryption with AES | For all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set | AES key, ciphertext, MAC tag | Plaintext or failure | |||
| Message authentication | Compute a MAC tag | Crypto Officer - AES key: W,E - HMAC key: W,E | Message authentication | crypto_shash_init returns 0 | AES: AES key, message; HMAC: HMAC key, message | MAC tag | |||
| Shared Secret Computation | Compute a shared secret | Crypto Officer - DH private key: W,E - DH remote public key: W,E - Shared secret: G,R | KAS-FFC-SSC | crypto_kpp_compute_shared_secret returns 0 | DH private key, DH remote public key | Shared secret | |||
| Key Pair Generation | Key Pair Generation | Crypto Officer - DH private key: G,R - DH remote public key: G,R - Intermediate | Safe Primes Key Generation | crypto_kpp_set_secret and crypto_kpp_generate_public_key return 0 | Group | DH private key, DH remote public key |
| Name | Description | Roles | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | Authentication Methods |
|---|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | None | |||||||
| Message digest | Compute a message digest | Crypto Officer | Hashing | crypto_shash_init returns 0 | Message | Digest value | ||||
| Key wrapping | Wrap a key | Crypto Officer - AES key: W,E - HMAC key: W,E | Key wrapping | crypto_skcipher_setkey returns 0; crypto_shash_init returns 0 | AES key, key to be wrapped | wrapped key | ||||
| Key unwrapping | Unwrap a key | Crypto Officer - AES key: W,E - HMAC key: W,E | Key unwrapping | crypto_skcipher_setkey returns 0; crypto_shash_init returns 0 | AES key, key to be unwrapped | unwrapped key | ||||
| Encryption | Encrypt a plaintext | Crypto Officer - AES key: W,E | Encryption with AES | crypto_skcipher_setkey returns 0 | AES key, plaintext | Ciphertext | ||||
| Decryption | Decrypt a ciphertext | Crypto Officer - AES key: W,E | Decryption with AES | crypto_skcipher_setkey returns 0 | AES key, ciphertext | Plaintext | ||||
| Authenticated encryption | Encrypt and authenticate a plaintext | Crypto Officer - AES key: W,E | Authenticated encryption with AES | For all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set | AES key, plaintext | Ciphertext, MAC tag | ||||
| Authenticated decryption | Encrypt and authenticate a ciphertext | Crypto Officer - AES key: W,E | Authenticated decryption with AES | For all modes except AES GCM: crypto_aead_setkey returns 0; For AES GCM: crypto_aead_get_flags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set | AES key, ciphertext, MAC tag | Plaintext or failure | ||||
| Message authentication | Compute a MAC tag | Crypto Officer - AES key: W,E - HMAC key: W,E | Message authentication | crypto_shash_init returns 0 | AES: AES key, message; HMAC: HMAC key, message | MAC tag | ||||
| Shared Secret Computation | Compute a shared secret | Crypto Officer - DH private key: W,E - DH remote public key: W,E - Shared secret: G,R | KAS-FFC-SSC | crypto_kpp_compute_shared_secret returns 0 | DH private key, DH remote public key | Shared secret | ||||
| Key Pair Generation | Key Pair Generation | Crypto Officer - DH private key: G,R - DH remote public key: G,R - Intermediate | Safe Primes Key Generation | crypto_kpp_set_secret and crypto_kpp_generate_public_key return 0 | Group | DH private key, DH remote public key | ||||
| Random number generation | Generate random bytes | Crypto Officer - Entropy input: W,E - DRBG seed: G,E - DRBG Internal state (V, Key): G,E - DRBG Internal state (V, C): G,E | Random number generation with DRBGs | crypto_rng_get_bytes returns 0 | Output length | Random bytes | ||||
| Error detection code | Compute an EDC (crc32, crct10dif) | Crypto Officer | None | None | Message | EDC | ||||
| Compression | Compress data (deflate, lz4, lz4hc, lzo, zlibdeflate, zstd) | Crypto Officer | None | None | Data | Compressed data | ||||
| Generic system call | Use the kernel to perform various non- cryptographic operations | Crypto Officer | None | None | Identifier, various arguments | Various return values | ||||
| Show version | Return the module name and version information | Crypto Officer | None | None | N/A | Module name and version | ||||
| Show status | Return the module status | Crypto Officer | None | None | N/A | Module status | ||||
| Self-test | Perform the CASTs and integrity tests | Crypto Officer | Encryption with AES Decryption with AES Hashing Message authentication Random number generation with DRBGs Signature verification with RSA Authenticated encryption with AES Authenticated decryption with AES KAS-FFC-SSC | None | N/A | Pass/fail | ||||
| AES GCM external IV encryption | Encrypt a plaintext using AES GCM with an external IV | CO | AES GCM with external IV | |||||||
| Key derivation | Derive a key from a key-derivation key or a shared secret | CO | KBKDF (libkcapi) HKDF (libkcapi) | |||||||
| Password-based key derivation | Derive a key from a password | CO | PBKDF2 (libkcapi) | |||||||
| RSA encryption primitive | Compute the raw RSA encryption of a plaintext | CO | RSA | |||||||
| RSA decryption primitive | Compute the raw RSA decryption of a cipertext | CO | RSA | |||||||
| RSA signature generation (pre-hashed message) | Generate a digital signature for a pre-hashed message | CO | RSA with PKCS#1 v1.5 padding | |||||||
| RSA signature verification (pre-hashed message) | Verify a digital signature for a pre-hashed message | CO | RSA with PKCS#1 v1.5 padding |
The module does not implement authentication.
Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. The module does not support multiple concurrent operators.
W,E W,E W,E W,E Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
G,E (V, C): G,E noncryptographic N/A N/A N/A N/A Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| AES GCM external IV encryption | Encrypt a plaintext using AES GCM with an external IV | CO | AES GCM with external IV |
| Key derivation | Derive a key from a key-derivation key or a shared secret | CO | KBKDF (libkcapi) HKDF (libkcapi) |
| Password-based key derivation | Derive a key from a password | CO | PBKDF2 (libkcapi) |
| RSA encryption primitive | Compute the raw RSA encryption of a plaintext | CO | RSA |
| RSA decryption primitive | Compute the raw RSA decryption of a cipertext | CO | RSA |
| RSA signature generation (pre-hashed message) | Generate a digital signature for a pre-hashed message | CO | RSA with PKCS#1 v1.5 padding |
| RSA signature verification (pre-hashed message) | Verify a digital signature for a pre-hashed message | CO | RSA with PKCS#1 v1.5 padding |
(V, C): Z Table 13: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:
Table 14: Non-Approved Services
The module does not load external software or firmware. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
The Linux kernel binary is integrity tested using an HMAC-SHA2-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). An HMAC-SHA2-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity. The kernel crypto object files listed in section 2.2 are loaded on start-up by the module and verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-256, and a 3072-bit key.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
The module is comprised of software only, and therefore this section is not applicable. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
This module does not implement any non-invasive security mechanism and therefore this section is not applicable. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Approved Functions | Type | From | To | Distribution Type |
|---|---|---|---|---|---|
| API input parameters; AF_ALG_type sockets (input) | Electronic | Plaintext | Operator calling application (TOEPP) | Cryptographic module | Manual |
| API output parameters; AF_ALG type sockets (output) | Electronic | Plaintext | Cryptographic module | Operator calling application (TOEPP) | Manual |
| Name | Type | Description | Strength | Generation | Establishment | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AES key | Symmetric Key - CSP | AES key used for encryption, decryption, and computing MAC tags. | 128, 192, 256 bits - 128, 192, 256 bits | Encryption with AES Decryption with AES Authenticated encryption with AES | |||||||
| HMAC key | Authentication key - CSP | HMAC key. | 112-524288 bits - 112-256 bits | Message authentication Key wrapping Key unwrapping | |||||||
| Entropy input | Entropy input - CSP | Entropy input used to seed the DRBGs. Compliant with IG D.L. | 128-384 bits - 117-357 bits | Random number generation with DRBGs | |||||||
| DRBG seed | Seed - CSP | DRBG seed derived from entropy input. Compliant with IG D.L. | CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits | Random number generation with DRBGs | Random number generation with DRBGs | ||||||
| DRBG Internal state (V, Key) | Internal state - CSP | Internal state of CTR_DRBG and HMAC_DRBG instances. Compliant with IG D.L. | CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits | Random number generation with DRBGs | Random number generation with DRBGs | ||||||
| DRBG Internal state (V, C) | Internal state - CSP | Internal state of Hash_DRBG instances. Compliant with IG D.L. | Hash_DRBG: 128, 256 bits - Hash_DRBG: 128, 256 bits | Random number generation with DRBGs | Random number generation with DRBGs | ||||||
| Intermediate Key Generation Value | Intermediate value - CSP | Temporary value generated during Key Pair Generation services. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, P-256, P-384 - 112- 200 bits | Safe Primes Key Generation | Safe Primes Key Generation | ||||||
| DH remote public key | Public key - PSP | Public key used for Diffie-Hellman. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bits | Safe Primes Key Generation | KAS-FFC-SSC Safe Primes Key Generation | ||||||
| DH private key | Private key - CSP | Private key used for Diffie-Hellman. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bits | Safe Primes Key Generation | KAS-FFC-SSC Safe Primes Key Generation | ||||||
| Shared secret | Shared secret - CSP | Shared secret generated by DH. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bits | KAS-FFC-SSC | |||||||
| AES key | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) | Until cipher handled is freed or module powered off | |||||||
| HMAC key | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) | Until cipher handled is freed or module powered off | |||||||
| Entropy input | RAM:Plaintext | Free cipher handle Power off | From generation until DRBG seed/reseed | DRBG seed:Derives | |||||||
| DRBG seed | RAM:Plaintext | Free cipher handle Power off | While the DRBG is being instantiated | Entropy input:Derived From DRBG Internal state (V, Key):Derives DRBG Internal state (V, C):Derives | |||||||
| DRBG Internal state (V, Key) | RAM:Plaintext | Free cipher handle Power off | From DRBG instantiation until DRBG termination | DRBG seed:Derived From |
| Storage | Description | Persistence |
|---|---|---|
| Area | Type | |
| Name | ||
| RAM | Temporary storage for SSPs used by the module as part of service execution | Dynamic |
| Zeroization | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Method | |||
| Free cipher handle | Zeroizes the SSPs contained within the cipher handle | Memory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. The completion of the zeroization routine indicates that the zeroization procedure succeeded. | By calling the appropriate zeroization functions: AES key: crypto_free_skcipher and crypto_free_aead; HMAC key: crypto_free_shash and crypto_free_ahash; DRBG internal state: crypto_free_rng; DRBG seed: crypto_free_rng; Entropy input string: crypto_free_rng; DH remote public & private key: crypto_free_kpp |
| Power off | De-allocates the volatile memory used to store SSPs | Volatile memory used by the module is overwritten within nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. The successful removal of power implicitly indicates that the zeroization is complete. | By removing power |
Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext zeroization function calls. Table 16: SSP Input-Output Methods Table 17: SSP Zeroization Methods All data output is inhibited during zeroization. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Type | Description | Strength | Generation | Establishment | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|---|---|
| HMAC key | Authentication key - CSP | HMAC key. | 112-524288 bits - 112-256 bits | Message authentication Key wrapping Key unwrapping | |||||||
| Entropy input | Entropy input - CSP | Entropy input used to seed the DRBGs. Compliant with IG D.L. | 128-384 bits - 117-357 bits | Random number generation with DRBGs | |||||||
| DRBG seed | Seed - CSP | DRBG seed derived from entropy input. Compliant with IG D.L. | CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits | Random number generation with DRBGs | Random number generation with DRBGs | ||||||
| DRBG Internal state (V, Key) | Internal state - CSP | Internal state of CTR_DRBG and HMAC_DRBG instances. Compliant with IG D.L. | CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits - CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits | Random number generation with DRBGs | Random number generation with DRBGs | ||||||
| DRBG Internal state (V, C) | Internal state - CSP | Internal state of Hash_DRBG instances. Compliant with IG D.L. | Hash_DRBG: 128, 256 bits - Hash_DRBG: 128, 256 bits | Random number generation with DRBGs | Random number generation with DRBGs | ||||||
| Intermediate Key Generation Value | Intermediate value - CSP | Temporary value generated during Key Pair Generation services. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, P-256, P-384 - 112- 200 bits | Safe Primes Key Generation | Safe Primes Key Generation | ||||||
| DH remote public key | Public key - PSP | Public key used for Diffie-Hellman. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bits | Safe Primes Key Generation | KAS-FFC-SSC Safe Primes Key Generation | ||||||
| DH private key | Private key - CSP | Private key used for Diffie-Hellman. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bits | Safe Primes Key Generation | KAS-FFC-SSC Safe Primes Key Generation | ||||||
| Shared secret | Shared secret - CSP | Shared secret generated by DH. | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - 112-200 bits | KAS-FFC-SSC | |||||||
| AES key | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) | Until cipher handled is freed or module powered off | |||||||
| HMAC key | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) | Until cipher handled is freed or module powered off | |||||||
| Entropy input | RAM:Plaintext | Free cipher handle Power off | From generation until DRBG seed/reseed | DRBG seed:Derives | |||||||
| DRBG seed | RAM:Plaintext | Free cipher handle Power off | While the DRBG is being instantiated | Entropy input:Derived From DRBG Internal state (V, Key):Derives DRBG Internal state (V, C):Derives | |||||||
| DRBG Internal state (V, Key) | RAM:Plaintext | Free cipher handle Power off | From DRBG instantiation until DRBG termination | DRBG seed:Derived From | |||||||
| DRBG Internal state (V, C) | RAM:Plaintext | Free cipher handle Power off | From DRBG instantiation until DRBG termination | DRBG seed:Derived From | |||||||
| Intermediate Key Generation Value | RAM:Plaintext | Free cipher handle Power off | Until key pair generation service completes. | DH private key:Derived From DH remote public key:Derived From | |||||||
| DH remote public key | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) API output parameters; AF_ALG type sockets (output) | Until cipher handled is freed or module powered off | DH private key:Used With | ||||||
| DH private key | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) API output parameters; AF_ALG type sockets (output) | Until cipher handled is freed or module powered off | DH remote public key:Used With | ||||||
| Shared secret | RAM:Plaintext | Free cipher handle Power off | API input parameters; AF_ALG_type sockets (input) API output parameters; AF_ALG type sockets (output) | Until cipher handled is freed or module powered off | DH private key:Used With DH remote public key:Used With |
Table 18: SSP Table 1 Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2031. The RSA algorithm with SHA-1 as implemented by the module conforms to FIPS 186-4. FIPS 186-4 was withdrawn on February 3, 2024 but FIPS 140-3 IG C.K allows RSA signature verification with SHA-1 under FIPS 186-4 to still be approved. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Algorithm Or Test | Test Method | Details | Test | Indicator |
|---|---|---|---|---|---|
| Test | Test | Type | |||
| HMAC-SHA2-512 (A5296) | HMAC-SHA2-512 (A5296) | Message Authentication | Integrity test for vmlinuz, libkcapi components and sha512hmac binary | SW/FW Integrity | Module becomes operational and services are available for use. |
| RSA SigVer (FIPS186-4) (A5278) | RSA SigVer (FIPS186-4) (A5278) | Signature Verification | Integrity test for kernel object files | SW/FW Integrity | Module becomes operational and services are available for use. |
| Name | Properties | Test | Indicator | Details | Conditions |
|---|---|---|---|---|---|
| Test | Type | ||||
| Safe Primes Key Generation (A5277) | N/A | PCT | crypto_kpp_g enerate_publi c_key returns 0 | SP 800-56Ar3 Section 5.6.2.1.4 | Key pair generation |
| SHA-1 (A5278) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA-1 (A5294) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA-1 (A5295) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA-1 (A5296) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-224 (A5278) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-224 (A5294) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-224 (A5295) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-224 (A5296) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-256 (A5278) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-256 (A5294) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| Test | Type | ||||
| SHA2-256 (A5295) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-256 (A5296) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-384 (A5278) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-384 (A5294) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-384 (A5295) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-384 (A5296) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-512 (A5278) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-512 (A5294) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-512 (A5295) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-512 (A5296) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA3-224 (A5279) | 0, 8, 448 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA3-256 (A5279) | 0, 8, 448 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA3-384 (A5279) | 0, 8, 448 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA3-512 (A5279) | 0, 8, 448 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| AES-ECB (A5278) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5283) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5284) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5285) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5286) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5287) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| Test | Type | ||||
| AES-ECB (A5289) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5290) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5277) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-ECB (A5288) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CBC (A5278) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CBC (A5285) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CBC-CS3 (A5293) | 128 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-OFB (A5292) | 128 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CFB128 (A5291) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CTR (A5278) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CTR (A5288) | 128, 192, 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CCM (A5288) | 128, 192, 256 bit keys; 128-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-GCM (A5278) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-GCM (A5283) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption | Module initialization |
| AES-GCM (A5284) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-GCM (A5285) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-GCM (A5286) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption | Module initialization |
| AES-GCM (A5287) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-GCM (A5288) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-GCM (A5289) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption | Module initialization |
| Test | Type | ||||
| AES-GCM (A5290) | 128, 192, 256 bit keys, 96-bit IVs | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-XTS Testing Revision 2.0 (A5278) | 128 and 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-XTS Testing Revision 2.0 (A5288) | 128 and 256 bit keys | CAST | Module becomes operational and services are available for use. | Encryption, Decryption | Module initialization |
| AES-CMAC (A5288) | 128 and 256 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA-1 (A5278) | 160, 200 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA-1 (A5294) | 160, 200 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA-1 (A5295) | 160, 200 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA-1 (A5296) | 160, 200 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-224 (A5278) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-224 (A5294) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-224 (A5295) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-224 (A5296) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-256 (A5278) | 256, 296 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-256 (A5294) | 256, 296 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-256 (A5295) | 256, 296 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-256 (A5296) | 256, 296 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-384 (A5278) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-384 (A5294) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-384 (A5295) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-384 (A5296) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| Test | Type | ||||
| HMAC-SHA2-512 (A5278) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization. Before integrity test. |
| HMAC-SHA2-512 (A5294) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization. Before integrity test. |
| HMAC-SHA3-224 (A5279) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-512 (A5295) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization. Before integrity test. |
| HMAC-SHA2-512 (A5296) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization. Before integrity test. |
| HMAC-SHA3-256 (A5279) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA3-384 (A5279) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA3-512 (A5279) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| KAS-FFC-SSC Sp800-56Ar3 (A5277) | ffdhe2048 | CAST | Module becomes operational and services are available for use. | Shared secret computation | Module initialization |
| Counter DRBG (A5278) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5283) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5284) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5285) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5286) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5287) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5288) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5289) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Counter DRBG (A5290) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5278) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5283) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Test | Type | ||||
| Hash DRBG (A5284) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5285) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5286) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5287) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5288) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5289) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5290) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5294) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5295) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5296) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5278) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5283) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5284) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5285) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5286) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5287) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5288) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5289) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5290) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5294) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Test | Type | ||||
| HMAC DRBG (A5295) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5296) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| RSA SigVer (FIPS186-5) (A5278) | 4096-bit key with SHA-256 | CAST | Module becomes operational and services are available for use. | Verify | Module initialization. Before integrity test. |
| RSA SigVer (FIPS186-5) (A5294) | 4096-bit key with SHA-256 | CAST | Module becomes operational and services are available for use. | Verify | Module initialization. Before integrity test. |
| RSA SigVer (FIPS186-5) (A5295) | 4096-bit key with SHA-256 | CAST | Module becomes operational and services are available for use. | Verify | Module initialization. Before integrity test. |
| RSA SigVer (FIPS186-5) (A5296) | 4096-bit key with SHA-256 | CAST | Module becomes operational and services are available for use. | Verify | Module initialization. Before integrity test. |
| Entropy Source (RCT Start-Up) | 1024 samples | CAST | Module becomes operational and services are available for use. | Entropy source start-up test | Entropy source initialization |
| Entropy Source (APT Start-Up) | 1024 samples | CAST | Module becomes operational and services are available for use. | Entropy source start-up test | Entropy source initialization |
| Entropy Source (RCT Runtime) | Cutoff C = 61 | CAST | Entropy source is operational | Entropy source continuous test | Continuously |
| Entropy Source (APT Runtime) | Cutoff C = 355 | CAST | Entropy source is operational | Entropy source continuous test | Continuously |
| Counter DRBG (A5277) | 128, 192, 256 bit keys With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| Hash DRBG (A5277) | SHA-256 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC DRBG (A5277) | SHA-256, SHA512 With/without PR; Health test per section 11.3 of SP 800-90Arev1 | CAST | Module becomes operational and services are available for use. | Seed, Generate | Module initialization |
| HMAC-SHA-1 (A5277) | 160, 200 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA-1 (A5297) | 160, 200 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-224 (A5277) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-224 (A5297) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-256 (A5277) | 256, 296 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-256 (A5297) | 256, 296 and 640 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| HMAC-SHA2-384 (A5277) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
| SHA-1 (A5277) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| Test | Type | ||||
| SHA-1 (A5297) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-224 (A5277) | 0, 24, 448, 512, 1304 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-224 (A5297) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-256 (A5277) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-256 (A5297) | 0, 24, 448, 512 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-384 (A5277) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| SHA2-512 (A5277) | 0, 24, 448, 832, 896 and 8184 bit messages | CAST | Module becomes operational and services are available for use. | Message digest | Module initialization |
| HMAC-SHA2-512 (A5277) | 160 and 1048 bit keys | CAST | Module becomes operational and services are available for use. | Message authentication | Module initialization |
Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.
N/A Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| HMAC-SHA2-512 (A5296) | HMAC-SHA2-512 (A5296) | Message Authentication | SW/FW Integrity | On demand | Manually |
| RSA SigVer (FIPS186-4) (A5278) | RSA SigVer (FIPS186-4) (A5278) | Signature Verification | SW/FW Integrity | On demand | Manually |
| Safe Primes Key Generation (A5277) | Safe Primes Key Generation (A5277) | PCT | PCT | On demand | Manually |
| SHA-1 (A5278) | SHA-1 (A5278) | KAT | CAST | On demand | Manually |
| SHA-1 (A5294) | SHA-1 (A5294) | KAT | CAST | On demand | Manually |
| SHA-1 (A5295) | SHA-1 (A5295) | KAT | CAST | On demand | Manually |
| SHA-1 (A5296) | SHA-1 (A5296) | KAT | CAST | On demand | Manually |
| SHA2-224 (A5278) | SHA2-224 (A5278) | KAT | CAST | On demand | Manually |
| SHA2-224 (A5294) | SHA2-224 (A5294) | KAT | CAST | On demand | Manually |
| SHA2-224 (A5295) | SHA2-224 (A5295) | KAT | CAST | On demand | Manually |
| SHA2-224 (A5296) | SHA2-224 (A5296) | KAT | CAST | On demand | Manually |
| SHA2-256 (A5278) | SHA2-256 (A5278) | KAT | CAST | On demand | Manually |
| SHA2-256 (A5294) | SHA2-256 (A5294) | KAT | CAST | On demand | Manually |
| SHA2-256 (A5295) | SHA2-256 (A5295) | KAT | CAST | On demand | Manually |
| SHA2-256 (A5296) | SHA2-256 (A5296) | KAT | CAST | On demand | Manually |
| SHA2-384 (A5278) | SHA2-384 (A5278) | KAT | CAST | On demand | Manually |
| SHA2-384 (A5294) | SHA2-384 (A5294) | KAT | CAST | On demand | Manually |
| SHA2-384 (A5295) | SHA2-384 (A5295) | KAT | CAST | On demand | Manually |
| SHA2-384 (A5296) | SHA2-384 (A5296) | KAT | CAST | On demand | Manually |
| SHA2-512 (A5278) | SHA2-512 (A5278) | KAT | CAST | On demand | Manually |
| SHA2-512 (A5294) | SHA2-512 (A5294) | KAT | CAST | On demand | Manually |
| SHA2-512 (A5295) | SHA2-512 (A5295) | KAT | CAST | On demand | Manually |
| SHA2-512 (A5296) | SHA2-512 (A5296) | KAT | CAST | On demand | Manually |
| SHA3-224 (A5279) | SHA3-224 (A5279) | KAT | CAST | On demand | Manually |
| SHA3-256 (A5279) | SHA3-256 (A5279) | KAT | CAST | On demand | Manually |
| SHA3-384 (A5279) | SHA3-384 (A5279) | KAT | CAST | On demand | Manually |
| SHA3-512 (A5279) | SHA3-512 (A5279) | KAT | CAST | On demand | Manually |
| AES-ECB (A5278) | AES-ECB (A5278) | KAT | CAST | On demand | Manually |
| AES-ECB (A5283) | AES-ECB (A5283) | KAT | CAST | On demand | Manually |
| AES-ECB (A5284) | AES-ECB (A5284) | KAT | CAST | On demand | Manually |
| AES-ECB (A5285) | AES-ECB (A5285) | KAT | CAST | On demand | Manually |
| AES-ECB (A5286) | AES-ECB (A5286) | KAT | CAST | On demand | Manually |
| AES-ECB (A5287) | AES-ECB (A5287) | KAT | CAST | On demand | Manually |
| AES-ECB (A5289) | AES-ECB (A5289) | KAT | CAST | On demand | Manually |
| AES-ECB (A5290) | AES-ECB (A5290) | KAT | CAST | On demand | Manually |
| AES-ECB (A5277) | AES-ECB (A5277) | KAT | CAST | On demand | Manually |
| AES-ECB (A5288) | AES-ECB (A5288) | KAT | CAST | On demand | Manually |
| AES-CBC (A5278) | AES-CBC (A5278) | KAT | CAST | On demand | Manually |
| AES-CBC (A5285) | AES-CBC (A5285) | KAT | CAST | On demand | Manually |
| AES-CBC-CS3 (A5293) | AES-CBC-CS3 (A5293) | KAT | CAST | On demand | Manually |
| AES-OFB (A5292) | AES-OFB (A5292) | KAT | CAST | On demand | Manually |
| AES-CFB128 (A5291) | AES-CFB128 (A5291) | KAT | CAST | On demand | Manually |
| AES-CTR (A5278) | AES-CTR (A5278) | KAT | CAST | On demand | Manually |
| AES-CTR (A5288) | AES-CTR (A5288) | KAT | CAST | On demand | Manually |
| AES-CCM (A5288) | AES-CCM (A5288) | KAT | CAST | On demand | Manually |
| AES-GCM (A5278) | AES-GCM (A5278) | KAT | CAST | On demand | Manually |
| AES-GCM (A5283) | AES-GCM (A5283) | KAT | CAST | On demand | Manually |
| AES-GCM (A5284) | AES-GCM (A5284) | KAT | CAST | On demand | Manually |
| AES-GCM (A5285) | AES-GCM (A5285) | KAT | CAST | On demand | Manually |
| AES-GCM (A5286) | AES-GCM (A5286) | KAT | CAST | On demand | Manually |
| AES-GCM (A5287) | AES-GCM (A5287) | KAT | CAST | On demand | Manually |
| AES-GCM (A5288) | AES-GCM (A5288) | KAT | CAST | On demand | Manually |
| AES-GCM (A5289) | AES-GCM (A5289) | KAT | CAST | On demand | Manually |
| AES-GCM (A5290) | AES-GCM (A5290) | KAT | CAST | On demand | Manually |
| AES-XTS Testing Revision 2.0 (A5278) | AES-XTS Testing Revision 2.0 (A5278) | KAT | CAST | On demand | Manually |
| AES-XTS Testing Revision 2.0 (A5288) | AES-XTS Testing Revision 2.0 (A5288) | KAT | CAST | On demand | Manually |
| AES-CMAC (A5288) | AES-CMAC (A5288) | KAT | CAST | On demand | Manually |
| HMAC-SHA-1 (A5278) | HMAC-SHA-1 (A5278) | KAT | CAST | On demand | Manually |
| HMAC-SHA-1 (A5294) | HMAC-SHA-1 (A5294) | KAT | CAST | On demand | Manually |
| HMAC-SHA-1 (A5295) | HMAC-SHA-1 (A5295) | KAT | CAST | On demand | Manually |
| HMAC-SHA-1 (A5296) | HMAC-SHA-1 (A5296) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-224 (A5278) | HMAC-SHA2-224 (A5278) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-224 (A5294) | HMAC-SHA2-224 (A5294) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-224 (A5295) | HMAC-SHA2-224 (A5295) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-224 (A5296) | HMAC-SHA2-224 (A5296) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-256 (A5278) | HMAC-SHA2-256 (A5278) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-256 (A5294) | HMAC-SHA2-256 (A5294) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-256 (A5295) | HMAC-SHA2-256 (A5295) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-256 (A5296) | HMAC-SHA2-256 (A5296) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-384 (A5278) | HMAC-SHA2-384 (A5278) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-384 (A5294) | HMAC-SHA2-384 (A5294) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-384 (A5295) | HMAC-SHA2-384 (A5295) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-384 (A5296) | HMAC-SHA2-384 (A5296) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-512 (A5278) | HMAC-SHA2-512 (A5278) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-512 (A5294) | HMAC-SHA2-512 (A5294) | KAT | CAST | On demand | Manually |
| HMAC-SHA3-224 (A5279) | HMAC-SHA3-224 (A5279) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-512 (A5295) | HMAC-SHA2-512 (A5295) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-512 (A5296) | HMAC-SHA2-512 (A5296) | KAT | CAST | On demand | Manually |
| HMAC-SHA3-256 (A5279) | HMAC-SHA3-256 (A5279) | KAT | CAST | On demand | Manually |
| HMAC-SHA3-384 (A5279) | HMAC-SHA3-384 (A5279) | KAT | CAST | On demand | Manually |
| HMAC-SHA3-512 (A5279) | HMAC-SHA3-512 (A5279) | KAT | CAST | On demand | Manually |
| KAS-FFC-SSC Sp800-56Ar3 (A5277) | KAS-FFC-SSC Sp800-56Ar3 (A5277) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5278) | Counter DRBG (A5278) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5283) | Counter DRBG (A5283) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5284) | Counter DRBG (A5284) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5285) | Counter DRBG (A5285) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5286) | Counter DRBG (A5286) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5287) | Counter DRBG (A5287) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5288) | Counter DRBG (A5288) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5289) | Counter DRBG (A5289) | KAT | CAST | On demand | Manually |
| Counter DRBG (A5290) | Counter DRBG (A5290) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5278) | Hash DRBG (A5278) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5283) | Hash DRBG (A5283) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5284) | Hash DRBG (A5284) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5285) | Hash DRBG (A5285) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5286) | Hash DRBG (A5286) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5287) | Hash DRBG (A5287) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5288) | Hash DRBG (A5288) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5289) | Hash DRBG (A5289) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5290) | Hash DRBG (A5290) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5294) | Hash DRBG (A5294) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5295) | Hash DRBG (A5295) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5296) | Hash DRBG (A5296) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5278) | HMAC DRBG (A5278) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5283) | HMAC DRBG (A5283) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5284) | HMAC DRBG (A5284) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5285) | HMAC DRBG (A5285) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5286) | HMAC DRBG (A5286) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5287) | HMAC DRBG (A5287) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5288) | HMAC DRBG (A5288) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5289) | HMAC DRBG (A5289) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5290) | HMAC DRBG (A5290) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5294) | HMAC DRBG (A5294) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5295) | HMAC DRBG (A5295) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5296) | HMAC DRBG (A5296) | KAT | CAST | On demand | Manually |
| RSA SigVer (FIPS186-5) (A5278) | RSA SigVer (FIPS186-5) (A5278) | KAT | CAST | On demand | Manually |
| RSA SigVer (FIPS186-5) (A5294) | RSA SigVer (FIPS186-5) (A5294) | KAT | CAST | On demand | Manually |
| RSA SigVer (FIPS186-5) (A5295) | RSA SigVer (FIPS186-5) (A5295) | KAT | CAST | On demand | Manually |
| RSA SigVer (FIPS186-5) (A5296) | RSA SigVer (FIPS186-5) (A5296) | KAT | CAST | On demand | Manually |
| Entropy Source (RCT Start- Up) | Entropy Source (RCT Start- Up) | RCT | CAST | On demand | Manually |
| Entropy Source (APT Start- Up) | Entropy Source (APT Start- Up) | APT | CAST | On demand | Manually |
| Entropy Source (RCT Runtime) | Entropy Source (RCT Runtime) | RCT | CAST | On demand | Manually |
| Entropy Source (APT Runtime) | Entropy Source (APT Runtime) | APT | CAST | On demand | Manually |
| Counter DRBG (A5277) | Counter DRBG (A5277) | KAT | CAST | On demand | Manually |
| Hash DRBG (A5277) | Hash DRBG (A5277) | KAT | CAST | On demand | Manually |
| HMAC DRBG (A5277) | HMAC DRBG (A5277) | KAT | CAST | On demand | Manually |
| HMAC-SHA-1 (A5277) | HMAC-SHA-1 (A5277) | KAT | CAST | On demand | Manually |
| HMAC-SHA-1 (A5297) | HMAC-SHA-1 (A5297) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-224 (A5277) | HMAC-SHA2-224 (A5277) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-224 (A5297) | HMAC-SHA2-224 (A5297) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-256 (A5277) | HMAC-SHA2-256 (A5277) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-256 (A5297) | HMAC-SHA2-256 (A5297) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-384 (A5277) | HMAC-SHA2-384 (A5277) | KAT | CAST | On demand | Manually |
| SHA-1 (A5277) | SHA-1 (A5277) | KAT | CAST | On demand | Manually |
| SHA-1 (A5297) | SHA-1 (A5297) | KAT | CAST | On demand | Manually |
| SHA2-224 (A5277) | SHA2-224 (A5277) | KAT | CAST | On demand | Manually |
| SHA2-224 (A5297) | SHA2-224 (A5297) | KAT | CAST | On demand | Manually |
| SHA2-256 (A5277) | SHA2-256 (A5277) | KAT | CAST | On demand | Manually |
| SHA2-256 (A5297) | SHA2-256 (A5297) | KAT | CAST | On demand | Manually |
| SHA2-384 (A5277) | SHA2-384 (A5277) | KAT | CAST | On demand | Manually |
| SHA2-512 (A5277) | SHA2-512 (A5277) | KAT | CAST | On demand | Manually |
| HMAC-SHA2-512 (A5277) | HMAC-SHA2-512 (A5277) | KAT | CAST | On demand | Manually |
Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in table above. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the Error state.
Table 22: Pre-Operational Periodic Information Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Error State | The Linux kernel immediately stops executing | Any self-test failure | Kernel Panic | Restart of the module |
Table 23: Conditional Periodic Information
Table 24: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).
The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
The module is distributed as part of the Oracle Linux 9 (OL9) RPM packages in the form of kernel-5.14.0362.24.1.0.4.el9_3, libkcapi-1.3.1-3.0.1.el9 and libkcapi-hmaccalc-1.3.1-3.0.1.el9 packages that is located in the “Oracle Linux 9 Security Validation (Update 3)” yum repository (ol9_u3_security_validation). The operational environment needs to be set up in the FIPS validated configuration by installing the module as follows:
After installation of the kernel-5.14.0-362.24.1.0.4.el9_3, libkcapi-1.3.1-3.0.1.el9 and libkcapi-hmaccalc-1.3.13.0.1.el9 RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Oracle Linux 9 Kernel Crypto API Cryptographic Module Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapi” commands. These commands must output the following (one line per output): 5.14.0-362.24.1.0.4.el9_3.x86_64 libkcapi-1.3.1-3.0.1.el9.x86_64
There is no non-administrator guidance.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-5.14.0-362.24.1.0.4.el9_3, libkcapi-1.3.1-3.0.1.el9 and libkcapi-hmaccalc-1.3.1-3.0.1.el9 RPM packages can be uninstalled from the Oracle Linux 9 systems. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
The module does not offer mitigation of other attacks and therefore this section is not applicable. Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| AES | Advanced Encryption Standard |
|---|---|
| AES-NI | Advanced Encryption Standard New Instructions |
| API | Application Programming Interface |
| CAST | Cryptographic Algorithm Self-Test |
| CAVP | Cryptographic Algorithm Validation Program |
| CBC | Cipher Block Chaining |
| CCM | Counter with Cipher Block Chaining-Message Authentication Code |
| CFB | Cipher Feedback |
| CMAC | Cipher-based Message Authentication Code |
| CMVP | Cryptographic Module Validation Program |
| CSP | Critical Security Parameter |
| CTR | Counter |
| DH | Diffie-Hellman |
| DRBG | Deterministic Random Bit Generator |
| ECB | Electronic Code Book |
| ECDH | Elliptic Curve Diffie-Hellman |
| ECDH | Elliptic Curve Diffie-Hellman |
| ENT (NP) | Non-physical Entropy Source |
| FIPS | Federal Information Processing Standards |
| GCM | Galois Counter Mode |
| GMAC | Galois Counter Mode Message Authentication Code |
| HKDF | HMAC-based Key Derivation Function |
| HMAC | Keyed-Hash Message Authentication Code |
| IPsec | Internet Protocol Security |
| KAT | Known Answer Test |
| KBKDF | Key-based Key Derivation Function |
| MAC | Message Authentication Code |
| NIST | National Institute of Science and Technology |
| PAA | Processor Algorithm Acceleration |
| PBKDF2 | Password-based Key Derivation Function v2 |
| PKCS | Public-Key Cryptography Standards |
| RSA | Rivest, Shamir, Adleman |
| SHA | Secure Hash Algorithm |
| SSC | Shared Secret Computation |
| SSP | Sensitive Security Parameter |
| XTS | XEX-based Tweaked-codebook mode with cipher text Stealing |
Appendix A. Glossary and Abbreviations Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| ANS X9.42-2001 | Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 |
|---|---|
| ANS X9.63-2001 | Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 |
| FIPS 140-3 | FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf |
| FIPS 140-3 IG | Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig- announcements |
| FIPS 180-4 | Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf |
| FIPS 186-4 | Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf |
| FIPS 197 | Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf |
| FIPS 198-1 | The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf |
| FIPS 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf |
| PKCS#1 | Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt |
| RFC 3526 | More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt |
| RFC 5288 | AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt |
| RFC 7919 | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt |
Appendix B. References Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
| Name | Key Size |
|---|---|
| RFC 8446 | The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt |
| SP 800-38A | Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf |
| SP 800-38A Addendum | Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf |
| SP 800-38B | Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf |
| SP 800-38C | Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf |
| SP 800-38D | Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf |
| SP 800-38E | Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf |
| SP 800-38F | Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf |
| SP 800-52r2 | Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf |
| SP 800-56Ar3 | Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf |
| SP 800-56Cr2 | Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf |
| SP 800-90Ar1 | Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf |
| SP 800-90B | Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf |
| SP 800-108r1 | NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf |
| SP 800-131Ar2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf |
| SP 800-132 | Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf |
| SP 800-133r2 | Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf |
| SP 800-135r1 | Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf |
| SP 800-140Br1 | CMVP Security Policy Requirements November 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Br1.pdf |
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy
Oracle Linux 9 Kernel Crypto API Cryptographic Module Security Policy