All modules
CMVP Validated Module · FIPS 140-3 Security Policy

GnuTLS cryptography module for AlmaLinux 9

Certificate#5049StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCloudlinux Inc., TuxCare division
Low review priority  ·  no TCB surface named  ·  GnuTLS upstream has published 9 CVEs since this module's initial validation  ·  last validated 12 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/27/2030
CaveatWhen operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy.
VendorCloudlinux Inc., TuxCare division

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for GnuTLS cryptography module for AlmaLinux 9
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for GnuTLS cryptography module for AlmaLinux 9
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Cloudlinux Inc., TuxCare division GnuTLS cryptography module for AlmaLinux 9 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 Document version: 1.0 www.atsec.com Last update: 2025-05-06

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)9
Table 3: Tested Operational Environments - Software, Firmware, Hybrid10
Table 4: Modes List and Description10
Table 5: Approved Algorithms16
Table 6: Vendor-Affirmed Algorithms16
Table 7: Non-Approved, Not Allowed Algorithms18
Table 8: Security Function Implementations25
Table 9: Entropy Certificates27
Table 10: Entropy Sources27
Table 11: Ports and Interfaces30
Table 12: Roles31
Table 13: Approved Services43
Table 14: Non-Approved Services46
Table 15: Storage Areas51
Table 16: SSP Input-Output Methods51
Table 17: SSP Zeroization Methods52
Table 18: SSP Table 158
Table 19: SSP Table 262
Table 20: Pre-Operational Self-Tests63
Table 21: Conditional Self-Tests72
Table 22: Pre-Operational Periodic Information73
Table 23: Conditional Periodic Information76
Table 24: Error States77
Page 5
List of Figures
ItemPage
Figure 1: Block Diagram9
Page 6
1 - General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3.7.6-396796fe0a32b434 of GnuTLS cryptography module for AlmaLinux 9. It has a one-to-one mapping to the [SP 800-140Br1] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an Overall Security Level 1 module.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 7
1.3 Additional Information

This Security Policy describes the features and design of the module named GnuTLS cryptography module for AlmaLinux 9 using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. including this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 8
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The GnuTLS cryptography module for AlmaLinux 9 (hereafter referred to as “the module”) is a software library. The module is an open-source, general-purpose set of libraries designed to support cross-platform development of security-enabled client and server applications. The module is a multiple-chip standalone cryptographic module. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics [O]: Cryptographic Boundary: The block diagram in Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows). The module is implemented as a shared library. The cryptographic module boundary consists of the following components:

Page 9
2.2 Tested and Vendor Affirmed Module Version and Identification

The TOEPP is the general-purpose computer on which the module is installed. Tested Module Identification

Page 10

Tested Module Identification

9.2 (AWS) m5.metal Platinum 8259CL 396796fe0a32b434

AlmaLinux Amazon Web Services Intel Xeon No N/A 3.7.6-

9.2 (AWS) m5.metal Platinum 8259CL 396796fe0a32b434

Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

The module does not claim any excluded components.

2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered when the module starts up Approved Equivalent to the mode successfully, after passing all the pre-operational and indicator of the conditional cryptographic algorithms self-tests. requested service. Non- Automatically entered whenever a non-approved Non- Equivalent to the approved service is requested. Approved indicator of the mode requested service. Table 4: Modes List and Description Mode Change Instructions and Status: © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 11

When the module starts up successfully, after passing all the pre-operational and conditional cryptographic algorithms self-tests (CASTs), the module is operating in the approved mode of operation by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 15. Please see section 4 for the details on service indicator provided by the module that identifies when an approved service is called. Degraded Mode Description: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5114 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5115 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5116 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5117 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5122 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A5114 Key Length - 128, 256 SP 800-38C AES-CFB8 A5119 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A5120 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A5125 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 12

Algorithm CAVP Properties Reference Cert AES-CMAC A5114 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CMAC A5117 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CMAC A5122 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-ECB A5126 Direction - Encrypt SP 800-38A Key Length - 256 AES-GCM A5114 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A5115 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A5116 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A5117 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GCM A5122 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 AES-GMAC A5122 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 256 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 13

Algorithm CAVP Properties Reference Cert AES-XTS A5123 Direction - Decrypt, Encrypt SP 800-38E Testing Revision Key Length - 128, 256 2.0 Counter DRBG A5122 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No ECDSA KeyGen A5122 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A5122 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A5122 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2Component - No ECDSA SigVer A5122 Curve - P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2HMAC-SHA-1 A5117 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A5122 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5117 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5122 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5117 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5122 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5117 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 14

Algorithm CAVP Properties Reference Cert HMAC-SHA2- A5122 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5117 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5122 Key Length - Key Length: 112-524288 Increment 8 FIPS 198-1 KAS-ECC-SSC A5122 Domain Parameter Generation Methods - P-256, P-384, P-521 SP 800-56A Sp800-56Ar3 Scheme - Rev. 3 ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A5122 Domain Parameter Generation Methods - ffdhe2048, SP 800-56A Sp800-56Ar3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder KDA HKDF A5121 Derived Key Length - 2048 SP 800-56C Sp800-56Cr1 Shared Secret Length - Shared Secret Length: 224-65336 Rev. 2 Increment 8 HMAC Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2PBKDF A5122 Iteration Count - Iteration Count: 1000-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A5122 Key Generation Mode - provable FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-384 Modulo - 2048, 3072, 4096 Private Key Format - standard RSA SigGen A5122 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigVer A5122 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 15

Algorithm CAVP Properties Reference Cert Safe Primes Key A5122 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Generation ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- Rev. 3 4096, MODP-6144, MODP-8192 SHA-1 A5117 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A5122 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A5117 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A5122 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A5117 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A5122 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A5117 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A5122 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A5117 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A5122 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A5118 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A5124 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A5118 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 16

Algorithm CAVP Properties Reference Cert SHA3-256 A5124 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A5118 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A5124 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A5118 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A5124 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 TLS v1.2 KDF A5122 Hash Algorithm - SHA2-256, SHA2-384 SP 800-135 RFC7627 (CVL) Rev. 1 Table 5: Approved Algorithms The above table lists all approved cryptographic algorithms of the module, including specific key lengths employed for approved services, and implemented modes or methods of operation of the algorithms. Vendor-Affirmed Algorithms: Name Properties Implementation Reference Key Pair RSA:2048, 3072, 4096-bit keys with 112-149 GnuTLS cryptography SP 800Generation with bits key strength module for AlmaLinux 9 133r2 RSA (Generic C) section 5 Key Pair ECDSA:P-256, P-384, P-521 elliptic curves GnuTLS cryptography SP 800Generation with with 128-256 bits key strength module for AlmaLinux 9 133r2 ECDSA (Generic C) section 5 Key Pair Safe Primes:ffdhe2048, ffdhe3072, GnuTLS cryptography SP 800Generation with ffdhe4096, ffdhe6144, ffdhe8192, MODP- module for AlmaLinux 9 133r2 Safe Primes 2048, MODP-3072, MODP-4096, MODP- (Generic C) section 5 6144, MODP-8192 Keys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits key strength Table 6: Vendor-Affirmed Algorithms © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 17

Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement non-approved algorithms that are allowed in the approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement any non-approved, allowed algorithm in the approved mode of operation with no security claimed. Non-Approved, Not Allowed Algorithms: Name Use and Function Blowfish Symmetric encryption; Symmetric decryption Camellia Symmetric encryption; Symmetric decryption CAST Symmetric encryption; Symmetric decryption ChaCha20 Symmetric encryption; Symmetric decryption Chacha20, Poly1305 and AES-GCM Authenticated encryption; Authenticated decryption DES Symmetric encryption; Symmetric decryption Diffie-Hellman with keys generated with Key agreement; Shared secret computation domain parameters other than safe primes DRBG when key length is less than 112 bits Symmetric key generation DSA Key generation; Domain parameter generation; Digital signature generation; Digital signature verification ECDSA with curves not listed in Table Key generation; Public key verification; Digital signature "Approved Algorithms" generation; Digital signature verificatio EC Diffie-Hellman with curves not listed in Key agreement; Shared secret computation Table "Approved Algorithms" GOST Symmetric encryption; Symmetric decryption; Message digest HMAC with keys smaller than 112-bit Message authentication code (MAC) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 18

Name Use and Function HMAC with GOST Message authentication code (MAC) MD2, MD4, MD5 Message digest; Message authentication code (MAC) Non-supported cipher suites (not listed in Transport Layer Security (TLS) Network Protocol Appendix A) PBKDF with non-approved message digest Key derivation algorithms RC2, RC4 Symmetric encryption; Symmetric decryption RMD160 Message digest; Message authentication code (MAC) RSA with keys smaller than 2048 bits or Key generation; Digital signature generation greater than 4096 bits. RSA with keys smaller than 1024 bits or Digital signature verification greater than 4096 bits. RSA encryption and decryption with any key Key encapsulation; Key unencapsulation sizes. Salsa20 Symmetric encryption; Symmetric decryption SM3 Hashing Serpent Symmetric encryption; Symmetric decryption SHA-1 Digital signature generation; Digital Signature Verification STREEBOG Message digest; Message authentication code (MAC) Triple-DES Symmetric encryption; Symmetric decryption Twofish Symmetric encryption; Symmetric decryption UMAC Message authentication code (MAC) Yarrow Random number generation Table 7: Non-Approved, Not Allowed Algorithms The above table lists non-Approved security functions that are not allowed in the approved mode of operation. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 19
2.6 Security Function Implementations

Name Type Description Properties Algorithms Symmetric BC-UnAuth Encryption using AES-XTS mode AES-CBC Encryption with AES keys:128, 256 bits AES-CBC AES with 128, 256 of AES-CBC key strength AES-CBC Other modes AES-CFB8 keys:128, 192, 256 AES-CFB8 bits with 128-256 AES-CBC of key strength AES-CFB8 AES-XTS Testing Revision 2.0 Symmetric BC-UnAuth Decryption using AES-XTS mode AES-CBC Decryption with AES keys:128, 256 bits AES-CBC AES keys with 128, 256 AES-CBC of key strength AES-CBC Other modes AES-CFB8 keys:128, 192, 256 AES-CFB8 bits keys with 128- AES-CBC

256 of key strength AES-CFB8

AES-XTS Testing Revision 2.0 Authenticated BC-Auth Authenticated Keys:128, 256 bits AES-CCM Symmetric encryption using with 128, 256 bits Encryption with AES key strength AES Authenticated BC-Auth Authenticated Keys:128, 256 bits AES-CCM Symmetric decryption using with 128, 256 bits Decryption with AES key strength AES Authenticated BC-Auth Authenticated Keys:128, 256 bits AES-GCM Symmetric encryption using with 128, 256 bits AES-GCM Encryption (in the AES-GCM (as part key strength AES-GCM context of the TLS of TLS protocol) AES-GCM 1.2/1.3 protocol) AES-GCM with AES-GCM © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 20

Name Type Description Properties Algorithms Authenticated BC-Auth Authenticated Keys:128, 256 bits AES-GCM Symmetric decryption using with 128, 256 bits AES-GCM Decryption (in the AES-GCM (as part key strength AES-GCM context of the TLS of TLS protocol) AES-GCM 1.2/1.3 protocol) AES-GCM with AES-GCM Message Digest SHA Message digest SHA-1 with SHA using SHA SHA2-224 SHA2-384 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHA2-256 Random Number DRBG Random number Keys:AES-256 bits Counter DRBG Generation with generation using with 256 bits key AES-ECB CTR_DRBG CTR_DRBG strength AES-256:without DF, without PR Message MAC Message Hash HMAC-SHA-1 Authentication authentication Algorithm:SHA-1, HMAC-SHA2-224 Code (MAC) with generation using SHA2-224, SHA2- HMAC-SHA2-256 HMAC HMAC 256, SHA2-384, HMAC-SHA2-384 SHA2-512 HMAC-SHA2-512 HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 21

Name Type Description Properties Algorithms Message MAC Message Keys:128 or 256 AES-CMAC Authentication authentication bits with 128 or 256 AES-CMAC Code (MAC) with generation using bits of strength AES-CMAC AES AES CMAC/GMAC AES-GMAC Key Pair CKG Key Generation Keys:2048, 3072, RSA KeyGen Generation with using RSA 4096 bits with 112- (FIPS186-5) RSA 149 bits of strength Hash Algorithm:SHADigital Signature DigSig-SigGen Digital signature Keys:2048, 3072, RSA SigGen Generation with generation using 4096 bits with 112, (FIPS186-5) RSA RSA 128, 149 bits of strength PKCS#1v1.5:SHA224, SHA-256, SHA-384, SHA-512 PSS:SHA-256, SHA-384, SHA-512 Digital Signature DigSig-SigVer Signature Keys:2048, 3072, RSA SigVer Verification with Verification with 4096 bits with 112- (FIPS186-5) RSA RSA 149 bits of strength PKCS#1v1.5:SHA224, SHA-256, SHA-384, SHA-512 PSS:SHA-256, SHA-384, SHA-512 Digital Signature DigSig-SigGen Digital signature Curves:P-256, P- ECDSA SigGen Generation with generation using 384, P-521 with (FIPS186-5) ECDSA ECDSA 128-256 bits of key strength Hash Algorithm:SHA224, SHA-256, SHA-384, SHA-512 Digital Signature DigSig-SigVer Signature Curves:P-256, P- ECDSA SigVer Verification with verification using 384, P-521 with (FIPS186-5) ECDSA ECDSA 128-256 bits of © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 22

Name Type Description Properties Algorithms strength Hash Algorithm:SHA2224, SHA2-256, SHA2-384, SHA2Public Key AsymKeyPair- Public key Curves:P-256, P- ECDSA KeyVer Verification with KeyVer verification using 384, P-521 elliptic (FIPS186-5) ECDSA ECDSA curves with 128-

256 bits key

strength Compliance:B.4.2 Testing Candidates Key Pair CKG Generate ECDSA Curves:P-256, P- ECDSA KeyGen Generation with key pairs 384, P-521 elliptic (FIPS186-5) ECDSA curves with 128-

256 bits key

strength Shared Secret KAS-SSC Shared secret Curves:P-256, P- KAS-ECC-SSC Computation with computation per SP 384, P-521 elliptic Sp800-56Ar3 EC Diffie-Hellman 800-56ARev3 curves keys with 128-256 bits key strength Shared Secret KAS-SSC Shared secret Domain Parameter KAS-FFC-SSC Computation with computation per SP Generation Sp800-56Ar3 Diffie-Hellman 800-56ARev3 Methods:ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Keys:2048, 3072, 4096, 6144, 8192bit keys with 112-

200 bits key

strength © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 23

Name Type Description Properties Algorithms Key Derivation PBKDF Key derivation PBKDF Derived PBKDF with PBKDF using PBKDF key:112 to 256 bits of key strength HMAC Algorithm:SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512 Key Derivation KAS-135KDF Key derivation TLS Derived TLS v1.2 KDF with TLS 1.2 KDF using TLS KDF Secret:112-256 RFC7627 with 112-256 bits of key strength Hash Algorithm:SHA2256, SHA2-384 Key Derivation (as KAS-56CKDF Key derivation HKDF Derived KDA HKDF Sp800part of TLSv1.3) using KDA HKDF Key:112-256 bits 56Cr1 with KDA HKDF with 112-256 bits key strength HMAC Algorithm:SHA2224, SHA2-256, SHA2-384, SHA2Key Pair CKG Key Pair Safe Prime Safe Primes Key Generation with Generation with Groups::ffdhe2048, Generation Safe Primes Safe Primes ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Keys:2048, 3072, 4096, 6144, 8192bit keys with 112-

200 bits key

strength © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 24

Name Type Description Properties Algorithms Compliance:SP80056Arev3 Key Wrapping KTS-Wrap Key Wrapping (as Keys:AES-CCM AES-CCM part of the cipher 128, 256-bit keys AES-GCM suite in the TLS with 128 or 256 bits AES-GCM protocol) of key strength; AES-GCM AES-GCM: 128, AES-GCM 256-bit keys with AES-CBC

128 or 256 bits of AES-CBC

key strength; AES- AES-CBC CBC and HMAC: AES-CBC 128, 256-bit keys HMAC-SHA-1 with 128 or 256 bits HMAC-SHA2-224 of key strength HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CBC AES-GCM HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 Key Unwrapping KTS-Wrap Key Unwrapping Keys:AES-CCM AES-CCM (as part of the 128, 256-bit keys AES-CBC cipher suite in the with 128 or 256 bits AES-GCM TLS protocol) of key strength; AES-GCM AES-GCM: 128, AES-CBC 256-bit keys with AES-CBC

128 or 256 bits of AES-GCM

key strength; AES- AES-CBC CBC and HMAC: AES-GCM 128, 256-bit keys HMAC-SHA-1 with 128 or 256 bits HMAC-SHA2-224 of key strength HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CBC AES-GCM HMAC-SHA-1 HMAC-SHA2-224 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 25

Name Type Description Properties Algorithms HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 TLS Handshake KAS-Full Key Agreement Curves:P-256, P- KAS-ECC-SSC 384, P-521 elliptic Sp800-56Ar3 curves with 128, KAS-FFC-SSC 192, 256 bits of Sp800-56Ar3 strength KDA HKDF Sp800Keys:MODP-2048, 56Cr1 MODP-3072, MODP-4096, MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192; 2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength Compliance:IG D.F scenario 2(2) Table 8: Security Function Implementations

2.7 Algorithm Specific Information

AES XTS The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 220 AES blocks, that is 16MB of data. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not an Approved service. AES-GCM IV The Crypto Officer shall consider the following requirements and restrictions when using the module. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 26

For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The module is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AESGCM), or terminate the connection. Key Derivation using SP 800-132 PBKDF The module provides password-based key derivation (PBKDF), compliant with SP800-132. The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132], the following requirements shall be met.

Page 27

In order to meet the required assurances listed in section 5.6 of SP 800-56ARev3, the module shall be used together with an application that implements the "TLS protocol" and the following steps shall be performed.

  1. The entity using the module, must use the module's "Key pair generation" service for generating DH/ECDH ephemeral keys. This meets the assurances required by key pair owner defined in the section 5.6.2.1 of SP 800-56ARev3.
  2. As part of the module's shared secret computation (SSC) service, the module internally performs the public key validation on the peer's public key passed in as input to the SSC function. This meets the public key validity assurance required by the sections 5.6.2.2.1/5.6.2.2.2 of SP 800-56ARev3. The module does not support static keys therefore the "assurance of peer's possession of private key" is not applicable.
2.8 RBG and Entropy

Cert Vendor Name Number E127 Cloudlinux Inc., TuxCare division Table 9: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Userspace CPU Non- AlmaLinux 9.2 on Amazon Web 64 bits 64 bits SHA3-256 (Cert. Time Jitter RNG Physical Services (AWS) m5.metal on Intel A4026), HMACEntropy Source Xeon Platinum 8259CL; SHA2-512-DRBG Version 3.4.0 AlmaLinux 9.2 on Amazon Web (Cert. A4025) Services (AWS) a1.metal on AWS Graviton Table 10: Entropy Sources The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90ARev1] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The approved DRBG provided by the module is the CTR_DRBG with AES-256. The DRBG does not employ prediction resistance or a derivation function. The module uses an SP800-90B-compliant Entropy Source specified in the table above to seed the DRBG. The DRBG is instantiated with a 384-bits long entropy input (corresponding to 384 bits of entropy). Additionally, the DRBG is reseeded with a 256-bits long entropy input (corresponding to 256 bits of entropy). © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 28
2.9 Key Generation

In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys according to section 5.1 and 5.2 of [SP800-133rev2].

2.10 Key Establishment

The module provides Diffie-Hellman and EC Diffie-Hellman shared secret computation compliant with SP80056Arev3, in accordance with scenario 2 (1) of IG D.F and used as part of the TLS protocol key exchange in accordance with scenario 2 (2) of IG D.F; that is, the shared secret computation (KAS-FFC-SSC and KAS-ECCSSC) followed by key derivation using TLS KDF. For Diffie-Hellman, the module supports the use of safe primes from RFC7919 for domain parameters and key generation, which are used in the TLS key agreement implemented by the module.

Page 29
128 or 256 bits of encryption strength.
2.11 Industry Protocols

The module implements KDF for the TLS protocol TLSv1.0, TLSv1.1, TLSv1.2. No parts of the TLS 1.0/1.1/1.2, other than the key derivation functions mentioned above, have been tested by the CAVP and CMVP. The module implements HKDF for the TLS protocol TLSv1.3. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 30
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The logical interfaces are the API through which the applications request services. The following table summarizes the logical interfaces: Physical Port Logical Data That Passes Interface(s) As a software-only module, the module does not have physical ports. Data Input API input Physical Ports are interpreted to be the physical ports of the hardware parameters platform on which it runs. As a software-only module, the module does not have physical ports. Data API output Physical Ports are interpreted to be the physical ports of the hardware Output parameters platform on which it runs. As a software-only module, the module does not have physical ports. Control API function calls Physical Ports are interpreted to be the physical ports of the hardware Input for control platform on which it runs. As a software-only module, the module does not have physical ports. Status API return codes, Physical Ports are interpreted to be the physical ports of the hardware Output status parameters platform on which it runs. Table 11: Ports and Interfaces All data output via data output interface is inhibited when the module is performing pre-operational test conditional cryptographic algorithms self-tests or zeroization or when the module enters error state. The module does not implement a control output interface. The module does not output any control data to another cryptographic module. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 31
4 Roles, Services, and Authentication

FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not implement an authentication mechanism for Crypto Officer. The module supports the Crypto Officer role only. The Crypto Officer role is authorized to access all services provided by the module and this sole role is implicitly assumed by the operator of the module when performing a service.

4.1 Authentication Methods

N/A for this module. The module does not support authentication.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module.

4.3 Approved Services

Name Description Indicator Inputs Outputs Security SSP Access Functions Symmetric Perform GNUTLS_FI Key, Ciphertext Symmetric Crypto Encryption AES PS140_OP_ Plaintext Encryption Officer encryption APPROVED with AES - AES key: W,E Symmetric Perform GNUTLS_FI Key, Plaintext Symmetric Crypto Decryption AES PS140_OP_ Ciphertext Decryption Officer decryption APPROVED with AES - AES key: W,E Authenticated Encrypt a GNUTLS_FI Key, Ciphertext, Authenticated Crypto Symmetric plaintext PS140_OP_ Plaintext, IV MAC tag Symmetric Officer Encryption APPROVED Encryption - AES key: with AES W,E © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 32

Name Description Indicator Inputs Outputs Security SSP Access Functions Authenticated Decrypt a GNUTLS_FI Key, Plaintext Authenticated Crypto Symmetric ciphertext PS140_OP_ Ciphertext, Symmetric Officer Decryption APPROVED IV, MAC tag Decryption - AES key: with AES W,E Key Key GNUTLS_FI AES key Wrapped Key Crypto Wrapping wrapping PS140_OP_ only or AES CSP Wrapping Officer (as part of APPROVED key and - AES key: the cipher HMAC key, W,E suites in the CSP Crypto TLS Officer protocol) - HMAC key: W,E Key Key GNUTLS_FI AES key CSP Key Crypto Unwrapping Unwrappin PS140_OP_ only or AES Unwrapping Officer g (as part of APPROVED key and - AES key: the cipher HMAC key, W,E suites in the Wrapped Crypto TLS CSP Officer protocol) - HMAC key: W,E Message Compute GNUTLS_FI Message Digest of the Message Crypto Digest message PS140_OP_ message Digest with Officer digest APPROVED SHA Random Generate GNUTLS_FI Number of Random Random Crypto Number random PS140_OP_ bits number Number Officer Generation bitstrings APPROVED Generation - Entropy with Input: W,E CTR_DRBG - DRBG seed: G,E - DRBG internal state (V value, key): G,W,E Message Compute GNUTLS_FI HMAC key, Message Message Crypto Authenticatio HMAC PS140_OP_ message authenticatio Authenticatio Officer n Code APPROVED n code n Code © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 33

Name Description Indicator Inputs Outputs Security SSP Access Functions (MAC) with (MAC) with - HMAC HMAC HMAC key: W,E Message Compute GNUTLS_FI AES key, Message Message Crypto Authenticatio AES-based PS140_OP_ message authenticatio Authenticatio Officer n Code CMAC or APPROVED n code n Code - AES key: (MAC) with GMAC (MAC) with W,E AES AES Shared Secret Compute a GNUTLS_FI Private key, Shared secret Shared Secret Crypto Computation shared PS140_OP_ public key Computation Officer with Diffie- secret APPROVED from peer with Diffie- - DiffieHellman Hellman Hellman shared secret: G,R - DiffieHellman public key: W,E - DiffieHellman private key: W,E Shared Secret Compute a GNUTLS_FI Private key, Shared secret Shared Secret Crypto Computation shared PS140_OP_ public key Computation Officer with EC secret APPROVED from peer with EC - EC DiffieDiffie- Diffie- Hellman Hellman Hellman shared secret: G,R - EC DiffieHellman public key: W,E - EC DiffieHellman private key: W,E Digital Generate GNUTLS_FI Message, Digital Message Crypto Signature RSA PS140_OP_ hash signature Digest with Officer signature APPROVED SHA - RSA Digital © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 34

Name Description Indicator Inputs Outputs Security SSP Access Functions Generation algorithm, Signature private key: with RSA private key Generation W,E with RSA Digital Generate GNUTLS_FI Message, Digital Message Crypto Signature ECDSA PS140_OP_ hash signature Digest with Officer Generation signature APPROVED algorithm, SHA - ECDSA with ECDSA private key Digital private key: Signature W,E Generation with ECDSA Digital Verify RSA GNUTLS_FI Message, Verification Message Crypto Signature PS140_OP_ signature, result Digest with Officer Verification APPROVED hash SHA - RSA with RSA algorithm, Digital public key: public key Signature W,E Verification with RSA Digital Verify GNUTLS_FI Message, Verification Message Crypto Signature ECDSA PS140_OP_ signature, result Digest with Officer Verification signature APPROVED hash SHA - ECDSA with ECDSA algorithm, Digital public key: public key Signature W,E Verification with ECDSA Key Pair Generate GNUTLS_FI Key size Key pair Random Crypto Generation RSA key PS140_OP_ Number Officer with RSA pairs APPROVED Generation - Modulewith generated CTR_DRBG RSA private Key Pair key: G,W,E Generation - Modulewith RSA generated RSA public key: G,W,E Key Pair Generate GNUTLS_FI Key size, Key pair Random Crypto Generation ECDSA key PS140_OP_ enabled- Number Officer with ECDSA pairs APPROVED curve Generation - Modulewith generated © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 35

Name Description Indicator Inputs Outputs Security SSP Access Functions CTR_DRBG ECDSA Key Pair private key: Generation G,W,E with ECDSA - Modulegenerated ECDSA public key: G,W,E Key Pair Generate GNUTLS_FI Key size Key pair Random Crypto Generation DH key PS140_OP_ Number Officer with Safe pairs APPROVED Generation - ModulePrimes with generated CTR_DRBG DiffieKey Pair Hellman Generation Private Key: with Safe G,W,E Primes - Modulegenerated DiffieHellman Public Key: G,W,E Public Key Verify GNUTLS_FI Key Return Public Key Crypto Verification ECDSA PS140_OP_ codes/log Verification Officer with ECDSA public key APPROVED messages with ECDSA - ECDSA public key: W,E TLS 1.2 Key Perform GNUTLS_FI TLS Pre- TLS Master Key Crypto Derivation key PS140_OP_ master secret Derivation Officer (derivation of derivation APPROVED Secret with TLS 1.2 - TLS PreTLS Master using TLS KDF master Secret) 1.2 KDF Secret: W,E - TLS Master Secret: G,W,E © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 36

Name Description Indicator Inputs Outputs Security SSP Access Functions TLS 1.2 Key Perform GNUTLS_FI TLS Master TLS Derived Key Crypto Derivation key PS140_OP_ Secret Secret Derivation Officer (derivation of derivation APPROVED with TLS 1.2 - TLS TLS Derived using TLS KDF Master Secret) 1.2 KDF Secret: W,E - TLS Derived Secret: G,W,E HKDF Key Perform GNUTLS_FI Shared HKDF Key Crypto Derivation key PS140_OP_ Secret Derived Key Derivation (as Officer (derivation of derivation APPROVED part of - HKDF HKDF using TLSv1.3) with Derived Derived Key) HKDF KDA HKDF Key: G,R - DiffieHellman shared secret: W,E - EC DiffieHellman shared secret: W,E Key Perform GNUTLS_FI Password or PBKDF Key Crypto Derivation password- PS140_OP_ passphrase Derived key Derivation Officer with PBKDF based key APPROVED with PBKDF - PBKDF derivation password or passphrase: W,E - PBKDF Derived key: G Transport Provide GNUTLS_FI Cipher-suites Return codes Symmetric Crypto Layer Security supported PS140_OP_ listed in and/or log Encryption Officer (TLS) cipher APPROVED Appendix A, messages, with AES - AES key: Network suites Digital Application Symmetric W,E Protocol (listed in Certificate, data Decryption - HMAC Appendix Public and with AES key: W,E A) in Private Keys, Authenticated - RSA Symmetric public key: © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 37

Name Description Indicator Inputs Outputs Security SSP Access Functions approved Application Encryption W,E mode Data with AES - RSA Authenticated private key: Symmetric W,E Decryption - ECDSA with AES public key: Authenticated W,E Symmetric - ECDSA Encryption private key: (in the W,E context of the - ModuleTLS 1.2/1.3 generated protocol) Diffiewith AES- Hellman GCM Public Key: Authenticated G,E Symmetric - ModuleDecryption generated (in the Diffiecontext of the Hellman TLS 1.2/1.3 Private Key: protocol) G,E with AES- - ModuleGCM generated Message EC DiffieAuthenticatio Hellman n Code Public Key: (MAC) with G,E HMAC - ModuleMessage generated Digest with EC DiffieSHA Hellman Digital Private Key: Signature G,E Generation - TLS Prewith RSA master Digital Secret: G,E Signature - TLS Generation Master with ECDSA Secret: G,E Digital - TLS Signature Derived © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 38

Name Description Indicator Inputs Outputs Security SSP Access Functions Verification Secret: G,E with RSA - HKDF Digital Derived Signature Key: G,E Verification with ECDSA Key Pair Generation with Safe Primes Public Key Verification with ECDSA TLS Handshake Self-tests Perform N/A N/A Result of Symmetric Crypto self-tests self-test Encryption Officer (pass/fail) with AES Symmetric Decryption with AES Authenticated Symmetric Encryption with AES Authenticated Symmetric Decryption with AES Authenticated Symmetric Decryption (in the context of the TLS 1.2/1.3 protocol) with AESGCM Authenticated Symmetric Encryption © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 39

Name Description Indicator Inputs Outputs Security SSP Access Functions (in the context of the TLS 1.2/1.3 protocol) with AESGCM Message Authenticatio n Code (MAC) with AES Message Authenticatio n Code (MAC) with HMAC Message Digest with SHA Key Derivation with TLS 1.2 KDF Key Derivation (as part of TLSv1.3) with KDA HKDF Key Derivation with PBKDF Digital Signature Generation with RSA Digital Signature Generation with ECDSA Digital Signature Verification © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 40

Name Description Indicator Inputs Outputs Security SSP Access Functions with RSA Digital Signature Verification with ECDSA Key Pair Generation with RSA Key Pair Generation with ECDSA Key Pair Generation with Safe Primes Public Key Verification with ECDSA Shared Secret Computation with DiffieHellman Shared Secret Computation with EC DiffieHellman Random Number Generation with CTR_DRBG Key Wrapping Key Unwrapping Show module Show N/A N/A Name and None Crypto name and module version Officer version name and information version © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 41

Name Description Indicator Inputs Outputs Security SSP Access Functions Show Status Show N/A N/A Return codes None Crypto module and/or log Officer status messages Zeroization Zeroize N/A Context N/A None Crypto SSPs containing Officer SSPs - AES key: Z - HMAC key: Z - Modulegenerated RSA private key: Z - Modulegenerated RSA public key: Z - RSA private key: Z - RSA public key: Z - PBKDF password or passphrase: Z - PBKDF Derived key: Z - Modulegenerated ECDSA private key: Z - Modulegenerated ECDSA public key: Z - ECDSA © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 42

Name Description Indicator Inputs Outputs Security SSP Access Functions private key: Z - ECDSA public key: Z - Modulegenerated EC DiffieHellman Private Key: Z - Modulegenerated EC DiffieHellman Public Key: Z - EC DiffieHellman private key: Z - EC DiffieHellman public key: Z - Modulegenerated DiffieHellman Private Key: Z - Modulegenerated DiffieHellman Public Key: Z - DiffieHellman private key: Z - Diffie© 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 43

Name Description Indicator Inputs Outputs Security SSP Access Functions Hellman public key: Z - DiffieHellman shared secret: Z - EC DiffieHellman shared secret: Z - Entropy Input: Z - DRBG seed: Z - DRBG internal state (V value, key): Z - TLS Premaster Secret: Z - HKDF Derived Key: Z - TLS Master Secret: Z - TLS Derived Secret: Z Table 13: Approved Services The above table lists all approved services that can be used in the approved mode of operation. For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.

Page 44
4.4 Non-Approved Services

Name Description Algorithms Role Symmetric key generation Generate symmetric key DRBG when key length is less CO other than AES and HMAC than 112 bits keys Symmetric encryption Compute the cipher for Blowfish CO encryption Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 Serpent Triple-DES Twofish Symmetric decryption Compute the cipher for Blowfish CO decryption Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 Serpent Triple-DES Twofish Asymmetric key Generate RSA key pairs RSA with keys smaller than 2048 CO generation with RSA bits or greater than 4096 bits. Asymmetric key Generate DSA key pairs DSA CO generation with DSA © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 45

Name Description Algorithms Role Asymmetric key Generate ECDSA key pairs ECDSA with curves not listed in CO generation with ECDSA Table "Approved Algorithms" Digital signature Sign RSA, DSA, and ECDSA DSA CO generation signatures ECDSA with curves not listed in Table "Approved Algorithms" RSA with keys smaller than 2048 bits or greater than 4096 bits. SHA-1 Digital signature Verify RSA, DSA, and DSA CO verification ECDSA signatures ECDSA with curves not listed in Table "Approved Algorithms" RSA with keys smaller than 1024 bits or greater than 4096 bits. SHA-1 Asymmetric key Generate RSA, DSA, and DSA CO generation ECDSA key pairs ECDSA with curves not listed in Table "Approved Algorithms" RSA with keys smaller than 1024 bits or greater than 4096 bits. Message digest Compute message digest GOST CO MD2, MD4, MD5 RMD160 SM3 STREEBOG Message Authentication Compute HMAC HMAC with keys smaller than CO Code (MAC) 112-bit HMAC with GOST MD2, MD4, MD5 RMD160 STREEBOG UMAC Key encapsulation Perform RSA key RSA encryption and decryption CO encapsulation with any key sizes. Key unencapsulation Perform RSA key RSA encryption and decryption CO unencapsulation with any key sizes. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 46

Name Description Algorithms Role Shared Secret Computation Perform DH key agreement Diffie-Hellman with keys CO with Diffie-Hellman generated with domain parameters other than safe primes Shared Secret Computation Perform ECDH key EC Diffie-Hellman with curves CO with EC Diffie-Hellman agreement not listed in Table "Approved Algorithms" Key Derivation with Perform password-based key PBKDF with non-approved CO PBKDF derivation message digest algorithms Transport Layer Security Provide non-supported Non-supported cipher suites (not Crypto (TLS) Network Protocol cipher suites listed in Appendix A) Officer Random number Generate random number Yarrow CO generation Authenticated encryption Perform authenticated Chacha20, Poly1305 and AES- CO encryption GCM Authenticated decryption Perform authenticated Chacha20, Poly1305 and AES- CO decryption GCM Domain parameter Generate domain parameter DSA CO generation Table 14: Non-Approved Services The above table lists all non-approved services that can only be used in the non-approved mode of operation.

4.5 External Software/Firmware Loaded

The module does not have the capability of loading software or firmware from an external source. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 47
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module listed in section

  1. The .hmac file has HMAC value for libgnutls, libnettle and libhogweed listed in section
  2. If the HMAC values do not match, the test fails, and the module enters the error state. Integrity tests are performed as part of the Pre-Operational Self-Tests.
5.2 Initiate on Demand

The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The Self-Tests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the Self-Test service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 48
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module operates in a modifiable operational environment per FIPS 140-3 level 1 specification: the module executes on a general-purpose operating system, which allows modification, loading, and execution of software that is not part of the validated module. The module shall be installed as stated in Section 11. The user should confirm that the module is installed correctly by running: 1. fips-mode-setup --check command to verify that the system is operating in Approved mode 2. check the output of the the gnutls_get_library_config() API, which should output GnuTLS cryptography module for AlmaLinux 9 3.7.6-396796fe0a32b434 If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. There are no concurrent operators.

6.2 Configuration Settings and Restrictions

Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 49
7 Physical Security

The module is comprised of software only and therefore this section is Not Applicable (N/A). © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 50
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is Not Applicable (N/A). © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 51
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. The Dynamic module does not perform persistent storage of SSPs Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. Symmetric keys, public and private keys are provided to the module by the calling application via API input parameters and are destroyed by the module when invoking the appropriate API function calls.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Calling Cryptographic Plaintext Manual Electronic parameters application module (plaintext) within TOEPP API output Cryptographic Calling Plaintext Manual Electronic parameters module application (plaintext) within TOEP Table 16: SSP Input-Output Methods SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] IG 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry on the Key Establishment Table. The module does not support entry or output of cryptographically protected SSPs. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 52
9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Zeroize The memory Memory occupied by By calling the appropriate zeroization functions: Context occupied by SSPs SSPs is overwritten AES Key: gnutls_cipher_deinit() AES Key: is allocated by with zeroes, which gnutls_aead_cipher_deinit() HMAC Key: regular memory renders the SSP values gnutls_hmac_deinit() RSA Public Key, RSA allocation irretrievable. The Private Key: gnutls_privkey_deinit() operating system completion of the gnutls_x509_privkey_deinit() calls. zeroization routine gnutls_rsa_params_deinit() ECDSA Public Key, indicates that the ECDSA Private Key: gnutls_privkey_deinit() zeroization procedure gnutls_x509_privkey_deinit() succeeded. gnutls_rsa_params_deinit() Diffie-Hellman Public Key, Diffie-Hellman private key: gnutls_dh_params_deinit() TLS Pre-master Secret: gnutls_deinit() TLS Master Secret: gnutls_deinit() HKDF Derived Key: gnutls_deinit() Diffie-Hellman Public Key, Diffie-Hellman private key: gnutls_pk_params_clear() EC Diffie-Hellman public key, EC Diffie-Hellman private key: gnutls_pk_params_clear() Diffie-Hellman Shared Secret: zeroize key() EC Diffie-Hellman Shared Secret: zeroize_key() All SSPs: gnutls_global_deinit() Automatic Automatically Memory occupied by N/A zeroized by the SSPs is overwritten module when no with zeroes, which longer needed renders the SSP values irretrievable. Reset De-allocates the Volatile memory used Unloading and reloading the module volatile memory by the module is used to store SSPs overwritten within nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. Table 17: SSP Zeroization Methods © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 53

The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 20. Calling the gnutls_deinit() will zeroize the SSPs stored in the TLS protocol internal state and also invoke the corresponding API functions listed in Table 20 to zeroize SSPs. The zeroization functions overwrite the memory occupied by SSPs with “zeros” and deallocate the memory with the regular memory deallocation operating system call. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. All data output is inhibited during zeroization.

9.4 SSPs

Name Description Size - Type - Generated Established Used By Strength Category By By AES key AES key used for AES-XTS, Symmetric Symmetric encryption, AES- key - CSP Encryption decryption, and GCM, with AES computing MAC AES-CCM, Message tags AES- Authentication CMAC: Code (MAC) 128, 256 with AES bits; Other Symmetric modes: Decryption 128, 192, with AES

256 bits - Authenticated

AES-XTS, Symmetric AES- Encryption GCM, with AES AES-CCM, Authenticated AES- Symmetric CMAC: Decryption 128, 256 with AES bits; Other Authenticated modes: Symmetric 128, 192, Encryption (in

256 bits the context of

the TLS 1.2/1.3 protocol) with AES-GCM Authenticated Symmetric Decryption (in the context of the TLS 1.2/1.3 protocol) with © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 54

Name Description Size - Type - Generated Established Used By Strength Category By By AES-GCM Key Wrapping Key Unwrapping HMAC HMAC key used for 112 to 256 Symmetric Message key computing MAC bits - 112 key - CSP Authentication tags to 256 bits Code (MAC) with HMAC Key Wrapping Key Unwrapping Module- RSA private key 2048, Private Key Pair generated generated through 3072, 4096 key - CSP Generation RSA asymmetric key bits - 112, with RSA private generation 128, 149 key bits Module- RSA public key 2048, Public key Key Pair generated generated through 3072, 4096 - PSP Generation RSA asymmetric key bits - 112, with RSA public key generation 128, 149 bits RSA RSA private key 2048, Private Digital private used for digital 3072, 4096 key - CSP Signature key signature generation bits - 112- Generation

149 bits with RSA

RSA RSA private key 2048, Public key Digital public key used for digital 3072, 4096 - PSP Signature signature bits - 112- Verification verification 149 bits with RSA PBKDF Password used to 14 Password Key password derive symmetric characters - CSP Derivation or keys minimum with PBKDF passphrase - 10^-14 minimum probability © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 55

Name Description Size - Type - Generated Established Used By Strength Category By By PBKDF Key derived from 128-256 Derived Key Derived PBKDF bits - 128- key - CSP Derivation key password/passphrase 256 bits with during key PBKDF derivation Module- ECDSA private key P-256, P- Private Key Pair generated generated through 384, P-521 key - CSP Generation ECDSA the asymmetric key - 128, 192, with private generation 256 bits ECDSA key Module- ECDSA private key P-256, P- Public key Key Pair generated generated through 384, P-521 - PSP Generation ECDSA the asymmetric key - 128, 192, with public key generation 256 bits ECDSA ECDSA ECDSA private key P-256, P- Private Digital private used for digital 384, P-521 key - CSP Signature key signature generation - 128, 192, Generation

256 bits with ECDSA

Public Key Verification with ECDSA ECDSA ECDSA public key P-256, P- Public key Digital public key used for digital 384, P-521 - PSP Signature signature generation - 128, 192, Verification

256 bits with ECDSA

Public Key Verification with ECDSA Module- EC Diffie-Hellman P-256, P- Public key Key Pair TLS generated public key 384, P-521 - PSP Generation Handshake EC Diffie- generated during - 128, 192, with Hellman asymmetric key 256 bits ECDSA Public generation Key Module- EC Diffie-Hellman P-256, P- Private Key Pair TLS generated private key 384, P-521 key - CSP Generation Handshake © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 56

Name Description Size - Type - Generated Established Used By Strength Category By By EC Diffie- generated during - 128, 192, with Hellman asymmetric key 256 bits ECDSA Private generation Key EC Diffie- Public key used for P-256, P- Public key Shared Secret Hellman Shared Secret 384, P-521 - PSP Computation public key Computation - 128, 192, with EC

256 bits Diffie-

Hellman EC Diffie- Private key used for P-256, P- Private Shared Secret Hellman Shared Secret 384, P-521 key - CSP Computation private Computation - 128, 192, with EC key 256 bits DiffieHellman Module- Diffie-Hellman 2048, Public key Key Pair TLS generated public key 3072, - PSP Generation Handshake Diffie- generated during 4096, with Safe Hellman Safe Primes Key 6144, 8192 Primes Public Generation bits - 112Key 200 bits Module- Diffie-Hellman 2048, Private Key Pair TLS generated private key 3072, key - CSP Generation Handshake Diffie- generated during 4096, with Safe Hellman Safe Primes Key 6144, 8192 Primes Private Generation bits - 112Key 200 bits Diffie- Public key used for 2048-8192 Public key Shared Secret Hellman Shared Secret bits - 112- - PSP Computation public key Computation 200 bits with DiffieHellman Diffie- Private key used for 2048-8192 Private Shared Secret Hellman Shared Secret bits - 112- key - CSP Computation private Computation 200 bits with Diffiekey Hellman © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 57

Name Description Size - Type - Generated Established Used By Strength Category By By Diffie- Shared secret 2048-8192 Shared Shared Hellman generated by Diffie- bits - 112 Secret - Secret shared Hellman to 200 bits CSP Computation secret with DiffieHellman EC Diffie- Shared secret P-256, P- Shared Shared Hellman generated by EC 384, P-521 Secret - Secret shared Diffie-Hellman - 128 to CSP Computation secret 256 bits with EC DiffieHellman Entropy Entropy input used 128-256 Entropy Random Input to seed the DRBG bits - 128- Input - Number

256 bits CSP Generation

with CTR_DRBG DRBG DRBG seed derived 128 to 256 Seed - CSP Random Random seed from entropy input bits - 128 Number Number to 256 bits Generation Generation with with CTR_DRBG CTR_DRBG DRBG Internal state of the 384 bits - Internal Random Random internal CTR_DRBG 128 to 256 State - Number Number state (V bits CSP Generation Generation value, with with key) CTR_DRBG CTR_DRBG TLS Pre- TLS Pre-master 112 to 256 Secret - Shared TLS master Secret used for bits - 112 CSP Secret Handshake Secret deriving the TLS to 256 bits Computation Master Secret with DiffieHellman Shared Secret Computation with EC DiffieHellman © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 58

Name Description Size - Type - Generated Established Used By Strength Category By By TLS TLS Master Secret 384 bits - Secret - Key TLS Master used for deriving 384 bits CSP Derivation Handshake Secret the TLS Derived with TLS Secret 1.2 KDF TLS Used as encryption 112-256 Derived Key TLS Derived key or MAC key bits - 112- secret - Derivation Handshake Secret 256 bits CSP with TLS

1.2 KDF

HKDF HKDF (used as part 112-256 Derived Key TLS Derived of TLS 1.3 protocol) bits - 112- secret - Derivation Handshake Key derived key 256 bits CSP (as part of TLSv1.3) with KDA HKDF Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext Until explicitly Zeroize parameters zeroized by Context (plaintext) operator Reset HMAC key API input RAM:Plaintext Until explicitly Zeroize parameters zeroized by Context (plaintext) operator Reset Module- API output RAM:Plaintext Until explicitly Zeroize Module-generated RSA generated RSA parameters zeroized by Context public key:Paired With private key (plaintext) operator Reset DRBG internal state (V value, key):Derived From Module- API output RAM:Plaintext Until explicitly Zeroize Module-generated RSA generated RSA parameters zeroized by Context private key:Paired With public key (plaintext) operator Reset DRBG internal state (V value, key):Derived From © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 59

Name Input - Storage Storage Zeroization Related SSPs Output Duration RSA private API input RAM:Plaintext Until explicitly Zeroize RSA public key:Paired key parameters zeroized by Context With (plaintext) operator Reset RSA public API input RAM:Plaintext Until explicitly Zeroize RSA private key:Paired key parameters zeroized by Context With (plaintext) operator Reset PBKDF API input RAM:Plaintext For the Zeroize PBKDF Derived password or parameters duration of the Context key:Derived From passphrase (plaintext) service Reset PBKDF API output RAM:Plaintext Until explicitly Zeroize PBKDF password or Derived key parameters zeroized by Context passphrase:Derived (plaintext) operator Reset From Module- API output RAM:Plaintext Until explicitly Zeroize Module-generated generated parameters zeroized by Context ECDSA public ECDSA private (plaintext) operator Reset key:Paired With key DRBG internal state (V value, key):Derived From Module- API output RAM:Plaintext Until explicitly Zeroize Module-generated generated parameters zeroized by Context ECDSA private ECDSA public (plaintext) operator Reset key:Paired With key DRBG internal state (V value, key):Derived From ECDSA private API input RAM:Plaintext Until explicitly Zeroize ECDSA public key parameters zeroized by Context key:Paired With (plaintext) operator Reset ECDSA public API input RAM:Plaintext Until explicitly Zeroize ECDSA private key parameters zeroized by Context key:Paired With (plaintext) operator Reset Module- API output RAM:Plaintext For the Zeroize Module-generated EC generated EC parameters duration of the Context Diffie-Hellman Private Diffie-Hellman (plaintext) service Reset Key:Paired With Public Key DRBG internal state (V © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 60

Name Input - Storage Storage Zeroization Related SSPs Output Duration value, key):Derived From Module- API output RAM:Plaintext For the Zeroize Module-generated EC generated EC parameters duration of the Context Diffie-Hellman Public Diffie-Hellman (plaintext) service Reset Key:Paired With Private Key DRBG internal state (V value, key):Derived From EC Diffie- API input RAM:Plaintext Until explicitly Zeroize EC Diffie-Hellman Hellman parameters zeroized by Context private key:Paired With public key (plaintext) operator Reset EC Diffie-Hellman shared secret:Used With EC Diffie- API input RAM:Plaintext Until explicitly Zeroize EC Diffie-Hellman Hellman parameters zeroized by Context public key:Paired With private key (plaintext) operator Reset EC Diffie-Hellman shared secret:Used With Module- API output RAM:Plaintext For the Zeroize Module-generated generated parameters duration of the Context Diffie-Hellman Private Diffie-Hellman (plaintext) service Reset Key:Paired With Public Key DRBG internal state (V value, key):Derived From Module- API output RAM:Plaintext For the Zeroize Module-generated generated parameters duration of the Context Diffie-Hellman Public Diffie-Hellman (plaintext) service Reset Key:Paired With Private Key DRBG internal state (V value, key):Derived From Diffie-Hellman API input RAM:Plaintext Until explicitly Zeroize Diffie-Hellman private public key parameters zeroized by Context key:Paired With (plaintext) operator Reset Diffie-Hellman shared secret:Used With © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 61

Name Input - Storage Storage Zeroization Related SSPs Output Duration Diffie-Hellman API input RAM:Plaintext Until explicitly Zeroize Diffie-Hellman public private key parameters zeroized by Context key:Paired With (plaintext) operator Reset Diffie-Hellman shared API output secret:Used With parameters (plaintext) Diffie-Hellman API output RAM:Plaintext Until explicitly Zeroize Diffie-Hellman public shared secret parameters zeroized by Context key:Used With (plaintext) operator Reset Diffie-Hellman private key:Used With EC Diffie- API output RAM:Plaintext Until explicitly Zeroize EC Diffie-Hellman Hellman parameters zeroized by Context public key:Used With shared secret (plaintext) operator Reset EC Diffie-Hellman private key:Used With Entropy Input RAM:Plaintext From Zeroize DRBG seed:Derives generation Context until DRBG Automatic Seed is created DRBG seed RAM:Plaintext While the Zeroize Entropy Input:Derived DRBG is Context From instantiated Automatic DRBG internal RAM:Plaintext While the Zeroize DRBG seed:Used With state (V value, module is Context key) operational Automatic TLS Pre- RAM:Plaintext Until explicitly Zeroize TLS Master master Secret zeroized by Context secret:Derived From operator Reset Module-generated Diffie-Hellman Public Key:Used With Module-generated Diffie-Hellman Private Key:Used With Module-generated EC Diffie-Hellman Public Key:Used With Module-generated EC © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 62

Name Input - Storage Storage Zeroization Related SSPs Output Duration Diffie-Hellman Private Key:Used With TLS Master RAM:Plaintext Until explicitly Zeroize TLS Pre-master Secret zeroized by Context Secret:Derived From operator Reset TLS Derived Secret:Derived From TLS Derived API output RAM:Plaintext For the Zeroize TLS Master Secret parameters duration of the Context Secret:Derived From (plaintext) service Reset HKDF Derived API output RAM:Plaintext For the Zeroize Diffie-Hellman shared Key parameters duration of the Context secret:Derived From (plaintext) service Reset EC Diffie-Hellman shared secret:Derived From Table 19: SSP Table 2 The tables above summarize the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module.

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 63
10 Self-Tests
10.1 Pre-Operational Self-Tests

The module performs the following pre-operational tests: the integrity test of the shared libraries that comprise the module using HMAC-SHA2-256. The details of integrity test are provided in section 5.1. Algorithm Test Test Method Test Type Indicator Details or Test Properties HMAC- 256-bit Message SW/FW Module becomes Integrity test of the shared SHA2-256 key authentication Integrity operational and libraries that comprise the (A5122) services are module (for libgnutls, available for use libnettle and libhogweed) Table 20: Pre-Operational Self-Tests The module performs the pre-operational self-test and CASTs automatically when the module is loaded into memory. Pre-operational self-test ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the self-tests, the module services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational self-test and the CASTs are completed successfully. After the preoperational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state.

10.2 Conditional Self-Tests

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type AES-CBC 128 and 256- KAT CAST Module Encryption Module (A5114) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Encryption Module (A5115) bit keys becomes initialization operational and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 64

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type AES-CBC 128 and 256- KAT CAST Module Encryption Module (A5116) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Encryption Module (A5117) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Encryption Module (A5122) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Decryption Module (A5114) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Decryption Module (A5115) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Decryption Module (A5116) bit keys becomes initialization operational and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 65

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type AES-CBC 128 and 256- KAT CAST Module Decryption Module (A5117) bit keys becomes initialization operational and services are available for use AES-CBC 128 and 256- KAT CAST Module Decryption Module (A5122) bit keys becomes initialization operational and services are available for use AES-CFB8 256-bit keys KAT CAST Module Encryption Module (A5120) becomes initialization operational and services are available for use AES-CFB8 256-bit keys KAT CAST Module Encryption Module (A5125) becomes initialization operational and services are available for use AES-CFB8 256-bit keys KAT CAST Module Decryption Module (A5120) becomes initialization operational and services are available for use AES-CFB8 256-bit keys KAT CAST Module Decryption Module (A5125) becomes initialization operational and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 66

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type AES-GCM 256-bit keys KAT CAST Module Encryption Module (A5114) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Encryption Module (A5115) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Encryption Module (A5116) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Encryption Module (A5117) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Encryption Module (A5122) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Decryption Module (A5114) becomes initialization operational and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 67

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type AES-GCM 256-bit keys KAT CAST Module Decryption Module (A5115) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Decryption Module (A5116) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Decryption Module (A5117) becomes initialization operational and services are available for use AES-GCM 256-bit keys KAT CAST Module Decryption Module (A5122) becomes initialization operational and services are available for use AES-XTS 256-bit keys KAT CAST Module Encryption Module Testing becomes initialization Revision 2.0 operational (A5123) and services are available for use AES-XTS 256-bit keys KAT CAST Module Decryption Module Testing becomes initialization Revision 2.0 operational (A5123) and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 68

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type AES-CMAC 256-bit keys KAT CAST Module MAC generation Module (A5114) becomes initialization operational and services are available for use AES-CMAC 256-bit keys KAT CAST Module MAC generation Module (A5117) becomes initialization operational and services are available for use AES-CMAC 256-bit keys KAT CAST Module MAC generation Module (A5122) becomes initialization operational and services are available for use Counter 256-bit keys KAT CAST Module KAT CTR_DRBG Module DRBG without DF, becomes with AES with initialization (A5122) without PR operational 256-bit keys and services without DF, are available without PR for use Counter Health tests Health tests CAST Module is Health tests Module DRBG according to operational initialization (A5122) section 11.3 and services of [SP800- are available 90Ar1] for use KAS-FFC- ffdhe3072 KAT CAST Module Primitive “Z” Module SSC Sp800- becomes Computation initialization 56Ar3 operational (A5122) and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 69

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type KAS-ECC- P-256 KAT CAST Module Primitive “Z” Module SSC Sp800- becomes Computation initialization 56Ar3 operational (A5122) and services are available for use ECDSA P-256 using KAT CAST Module Signature Module SigGen SHA-256, P- becomes Generation initialization (FIPS186-5) 384 using operational (A5122) SHA-384, and and services P-521 using are available SHA-512 for use ECDSA P-256 using KAT CAST Module Signature Module SigVer SHA-256, P- becomes Verification initialization (FIPS186-5) 384 using operational (A5122) SHA-384, and and services P-521 using are available SHA-512 for use KDA HKDF SHA-256 KAT CAST Module Key Derivation (as Module Sp800- becomes part of TLSv1.3) initialization 56Cr1 operational with KDA HKDF (A5121) and services are available for use HMAC- 128-bit key KAT CAST Module Message Module SHA-1 becomes Authentication initialization (A5117) operational and services are available for use HMAC- 160-bit key KAT CAST Module Message Module SHA2-224 becomes Authentication initialization (A5117) operational and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 70

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type HMAC- 160-bit key KAT CAST Module Message Module SHA2-256 becomes Authentication initialization (A5117) operational and services are available for use HMAC- 160-bit key KAT CAST Module Message Module SHA2-384 becomes Authentication initialization (A5117) operational and services are available for use HMAC- 160-bit key KAT CAST Module Message Module SHA2-512 becomes Authentication initialization (A5117) operational and services are available for use PBKDF SHA-256 with KAT CAST Module Key Derivation Module (A5122) 4096 iterations becomes with PBKDF initialization and 288-bit operational salt and services are available for use RSA SigGen RSA PKCS#1 KAT CAST Module Signature Module (FIPS186-5) v1.5 with becomes Generation initialization (A5122) 2048-bit key operational using SHA-256 and services are available for use RSA SigVer RSA PKCS#1 KAT CAST Module Signature Module (FIPS186-5) v1.5 with becomes Verification initialization (A5122) 2048-bit key operational using SHA-256 and services are available for use © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 71

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type SHA3-224 32-bit message KAT CAST Module Message Digest Module (A5118) becomes initialization operational and services are available for use SHA3-256 32-bit message KAT CAST Module Message Digest Module (A5118) becomes initialization operational and services are available for use SHA3-384 64-bit message KAT CAST Module Message Digest Module (A5118) becomes initialization operational and services are available for use SHA3-512 136-bit KAT CAST Module Message Digest Module (A5118) message becomes initialization operational and services are available for use TLS v1.2 SHA-256 KAT CAST Module Key Derivation Module KDF becomes with TLS v1.2 initialization RFC7627 operational KDF RFC7627 (A5122) and services are available for use ECDSA SHA-256 with Signature PCT Successful Signature Key Pair KeyGen the respective generation key pair generation and Generation (FIPS186-5) curve and generation verification (A5122) verification © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 72

Algorithm Test Properties Test Method Test Indicator Details Conditions or Test Type RSA PKCS#1v1.5 Signature PCT Successful Signature Key Pair KeyGen with SHA-256 generation key pair generation and Generation (FIPS186-5) and generation verification (A5122) verification Safe Primes N/A PCT PCT Successful PCT according to Key Pair Key according to key pair section 5.6.2.1.4 of Generation Generation section generation [SP800-56Arev3] (A5122) 5.6.2.1.4 of [SP80056Arev3] ECDSA SHA-256 with Signature PCT Signature Signature Key Pair KeyGen the respective generation generation generation PCT Generation (FIPS186-5) curve and and that covers key (A5122) verification verification pair generation for EC DiffieHellman Table 21: Conditional Self-Tests Conditional Cryptographic Algorithm Tests The module performs self-tests on approved cryptographic algorithms, using the tests shown in the table above. Data output through the data output interface is inhibited during the self-tests. All CASTs performed are in the form of the Known Answer Tests (KATs) and are run prior to performing the integrity test. The KAT includes comparison of the calculated output with the expected known answer, hard coded as part of the test vectors used in the test. If one of the conditional self-tests fail, the module transitions to the ‘Error’ state and a corresponding error indication is given. The entropy source performs its required self-tests; those are not listed here, as the entropy source is not part of the cryptographic boundary of the module. Conditional Pair-Wise Consistency Tests The module implements RSA, ECDSA, DH and ECDH key generation service and performs the respective pairwise consistency test (PCT) using sign and verify functions when the keys are generated. If any of the tests fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output, and cryptographic operations are not allowed. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 73
10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5122) authentication Table 22: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A5114) KAT CAST On demand Manually AES-CBC (A5115) KAT CAST On demand Manually AES-CBC (A5116) KAT CAST On demand Manually AES-CBC (A5117) KAT CAST On demand Manually AES-CBC (A5122) KAT CAST On demand Manually AES-CBC (A5114) KAT CAST On demand Manually AES-CBC (A5115) KAT CAST On demand Manually AES-CBC (A5116) KAT CAST On demand Manually AES-CBC (A5117) KAT CAST On demand Manually AES-CBC (A5122) KAT CAST On demand Manually AES-CFB8 (A5120) KAT CAST On demand Manually AES-CFB8 (A5125) KAT CAST On demand Manually AES-CFB8 (A5120) KAT CAST On demand Manually AES-CFB8 (A5125) KAT CAST On demand Manually AES-GCM (A5114) KAT CAST On demand Manually AES-GCM (A5115) KAT CAST On demand Manually AES-GCM (A5116) KAT CAST On demand Manually © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 74

Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A5117) KAT CAST On demand Manually AES-GCM (A5122) KAT CAST On demand Manually AES-GCM (A5114) KAT CAST On demand Manually AES-GCM (A5115) KAT CAST On demand Manually AES-GCM (A5116) KAT CAST On demand Manually AES-GCM (A5117) KAT CAST On demand Manually AES-GCM (A5122) KAT CAST On demand Manually AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5123) AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5123) AES-CMAC KAT CAST On demand Manually (A5114) AES-CMAC KAT CAST On demand Manually (A5117) AES-CMAC KAT CAST On demand Manually (A5122) Counter DRBG KAT CAST On demand Manually (A5122) Counter DRBG Health tests CAST On demand Manually (A5122) according to section 11.3 of [SP800-90Ar1] KAS-FFC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A5122) © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 75

Algorithm or Test Test Method Test Type Period Periodic Method KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A5122) ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5122) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5122) KDA HKDF Sp800- KAT CAST On demand Manually 56Cr1 (A5121) HMAC-SHA-1 KAT CAST On demand Manually (A5117) HMAC-SHA2-224 KAT CAST On demand Manually (A5117) HMAC-SHA2-256 KAT CAST On demand Manually (A5117) HMAC-SHA2-384 KAT CAST On demand Manually (A5117) HMAC-SHA2-512 KAT CAST On demand Manually (A5117) PBKDF (A5122) KAT CAST On demand Manually RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5122) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5122) SHA3-224 (A5118) KAT CAST On demand Manually SHA3-256 (A5118) KAT CAST On demand Manually © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 76

Algorithm or Test Test Method Test Type Period Periodic Method SHA3-384 (A5118) KAT CAST On demand Manually SHA3-512 (A5118) KAT CAST On demand Manually TLS v1.2 KDF KAT CAST On demand Manually RFC7627 (A5122) ECDSA KeyGen Signature PCT On demand Manually (FIPS186-5) generation and (A5122) verification RSA KeyGen Signature PCT On demand Manually (FIPS186-5) generation and (A5122) verification Safe Primes Key PCT according to PCT On demand Manually Generation section 5.6.2.1.4 of (A5122) [SP800-56Arev3] ECDSA KeyGen Signature PCT On demand Manually (FIPS186-5) generation and (A5122) verification Table 23: Conditional Periodic Information This information can be found in Section 5.2.

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The module When the The module GNUTLS_E_SELF_TEST_ERROR (-400); State stops integrity test or must be GNUTLS_E_RANDOM_FAILED (-206); functioning KAT fail restarted and GNUTLS_E_PK_GENERATION_ERROR (and ends the When the KAT perform the 403); GNUTLS_E_LIB_IN_ERROR_STATE (application of DRBG fails pre- 402) process during CASTs operational When the newly self-test and generated RSA, the CASTs to ECDSA, Diffie- recover from Hellman or EC these errors. Diffie-Hellman © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 77

Name Description Conditions Recovery Indicator Method key pair fails the PCT When the module is in error state and caller requests cryptographic operations Table 24: Error States When the module fails any pre-operational self-test or conditional test, the module will return an error code to indicate the error and enters error state. Any further cryptographic operations and the data output via the data output interface are inhibited. The calling application can obtain the module state by calling the gnutls_fips140_get_operation_state() API function. The function returns GNUTLS_FIPS140_OP_ERROR if the module is in the Error state. Self-test errors transition the module into an error state that keeps the module operational but prevents any cryptographic related operations. The module must be restarted and perform the pre-operational self-test and the CASTs to recover from these errors. If failures persist, the module must be re-installed.

10.5 Operator Initiation of Self-Tests

The module provides the Self-Test service to perform self-tests on demand which includes the pre-operational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The Self-Tests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the Self-Test service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 78
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the GnuTLS cryptography module for AlmaLinux 9 package in the form of the gnutls-3.7.6-23.el9_2.tuxcare.3.x86_64 RPM package for x86 systems. The binaries of the ‘GnuTLS cryptography module for AlmaLinux 9 version 3.7.6-396796fe0a32b434’ are contained in the RPM packages for delivery listed below, which contain the FIPS validated module:

11.2 Administrator Guidance

All the functions, ports and logical interfaces described in this document are available to the Crypto Officer.

11.3 Non-Administrator Guidance

The module implements only the Crypto Officer. There are no requirements for non-administrator guidance.

11.4 End of Life

For secure sanitization of the cryptographic module, the module needs first to be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. The module does not possess persistent storage of SSPs, so further sanitization steps are not required. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 79
12 Mitigation of Other Attacks
12.1 Attack List
12.2 Mitigation Effectiveness

RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding is always used to protect the RSA operation from that attack. The internal API function of rsa_blind() and rsa_unblind() are called by the module for RSA signature generation and RSA decryption operations. The module generates a random blinding factor and include this random value in the RSA operations to prevent RSA timing attacks. © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 80

Appendix A. TLS Cipher Suites The module supports the following cipher suites for the TLS protocol version 1.0, 1.1, 1.2 and 1.3, compliant with section 3.3.1 of [SP800-52rev2]. Each cipher suite defines the key exchange algorithm, the bulk encryption algorithm (including the symmetric key size) and the MAC algorithm. Cipher Suite ID Reference TLS_DH_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x31 } RFC3268 TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x33 } RFC3268 TLS_DH_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x37 } RFC3268 TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x39 } RFC3268 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x3F } RFC5246 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x67 } RFC5246 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 { 0x00,0x69 } RFC5246 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 { 0x00,0x6B } RFC5246 TLS_PSK_WITH_AES_128_CBC_SHA { 0x00, 0x8C } RFC4279 TLS_PSK_WITH_AES_256_CBC_SHA { 0x00, 0x8D } RFC4279 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 { 0x00, 0x9E } RFC5288 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 { 0x00, 0x9F } RFC5288 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 { 0x00, 0xA0 } RFC5288 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 { 0x00, 0xA1 } RFC5288 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { 0xC0, 0x04 } RFC4492 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { 0xC0, 0x05 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0, 0x09 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0, 0x0A } RFC4492 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { 0xC0, 0x0E } RFC4492 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { 0xC0, 0x0F } RFC4492 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0, 0x13 } RFC4492 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0, 0x14 } RFC4492 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x23 } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x24 } RFC5289 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x25 } RFC5289 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x26 } RFC5289 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 81

Cipher Suite ID Reference TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x27 } RFC5289 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x28 } RFC5289 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 { 0xC0, 0x29 } RFC5289 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 { 0xC0, 0x2A } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2B } RFC5289 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x2C } RFC5289 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2D } RFC5289 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x2E } RFC5289 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x2F } RFC5289 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x30 } RFC5289 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 { 0xC0, 0x31 } RFC5289 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 { 0xC0, 0x32 } RFC5289 TLS_DHE_RSA_WITH_AES_128_CCM { 0xC0, 0x9E } RFC6655 TLS_DHE_RSA_WITH_AES_256_CCM { 0xC0, 0x9F } RFC6655 TLS_DHE_RSA_WITH_AES_128_CCM_8 { 0xC0, 0xA2 } RFC6655 TLS_DHE_RSA_WITH_AES_256_CCM_8 { 0xC0, 0xA3 } RFC6655 TLS_AES_128_GCM_SHA256 { 0x13, 0x01 } RFC8446 TLS_AES_256_GCM_SHA384 { 0x13, 0x02 } RFC8446 TLS_AES_128_CCM_SHA256 { 0x13, 0x04 } RFC8446 TLS_AES_128_CCM_8_SHA256 { 0x13, 0x05 } RFC8446 © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 82

Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSP Public Security Parameter PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Cloudlinux Inc., TuxCare division/atsec information security.

Page 83

Appendix C. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/detail/sp/800-38b/final SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-52rev2 NIST Special Publication 800-52

Page 84

SP800-56Crev2 NIST Special Publication 800-56C