All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Summit Linux FIPS Core Crypto Module

Certificate#5054StandardFIPS 140-3Level1TypeFirmwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorEzurio
Medium review priority  ·  no TCB surface named  ·  last validated 11 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeFirmware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date8/17/2030
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorEzurio

Approved Algorithms (70)

AlgorithmACVP Cert
AES-CBCA4712, A4716, A5002, A5003, A5004
AES-CBC-CS1A5002, A5003, A5004
AES-CBC-CS2A5002, A5003, A5004
AES-CBC-CS3A4714, A4718, A5002, A5003, A5004
AES-CCMA4712, A4716, A5002, A5003, A5004
AES-CFB1A5002, A5003, A5004
AES-CFB128A5002, A5003, A5004
AES-CFB8A5002, A5003, A5004
AES-CMACA4712, A4716, A5002, A5003, A5004
AES-CTRA4712, A4716, A5002, A5003, A5004
AES-ECBA4711, A4712, A4715, A4716, A4717, A5002, A5003, A5004, A5019
AES-GCMA4712, A4715, A4717
AES-GMACA4712, A5005, A5006, A5007, A5008
AES-KWA5002, A5003, A5004
AES-KWPA5002, A5003, A5004
AES-OFBA5002, A5003, A5004
AES-XTS Testing Revision 2.0A4712, A4716, A5002, A5003, A5004
Counter DRBGA4711, A4712, A4715, A4717
ECDSA KeyGen (FIPS186-5)A4711
ECDSA KeyVer (FIPS186-5)A5009, A5018
ECDSA SigGen (FIPS186-5)A5009, A5018
ECDSA SigVer (FIPS186-5)A5009, A5018
EDDSA KeyGenA5016
EDDSA SigGenA5016
EDDSA SigVerA5016
Hash DRBGA5015
HMAC DRBGA5015
HMAC-SHA-1A5009, A5018
HMAC-SHA2- 224A5009, A5018
HMAC-SHA2- 256A5009, A5010, A5018
HMAC-SHA2- 384A5009, A5018
HMAC-SHA2- 512A5009, A5018
HMAC-SHA2- 512/224A5009, A5018
HMAC-SHA2- 512/256A5009, A5018
HMAC-SHA3- 224A5011, A5020
HMAC-SHA3- 256A5011, A5020
HMAC-SHA3- 384A5011, A5020
HMAC-SHA3- 512A5011, A5020
KAS-ECC-SSC Sp800-56Ar3A4711
KAS-FFC-SSC Sp800-56Ar3A5014
KAS-IFC-SSCA5009, A5018
KDA HKDF Sp800-56Cr1A5013
KDA OneStep SP800-56Cr2A5012
KDA TwoStep SP800-56Cr2A5012
KDF ANS 9.42 (CVL)A5009, A5018
KDF ANS 9.63 (CVL)A5009, A5018
KDF KMAC Sp800-108r1A5017
KDF SP800- 108A5017
KDF SSH (CVL)A5019
KDF TLS (CVL)A5009, A5018
KTS-IFCA5009, A5018
PBKDFA5009, A5011, A5018, A5020
RSA KeyGen (FIPS186-5)A5009, A5018
RSA SigGen (FIPS186-5)A5009, A5018
RSA SigVer (FIPS186-5)A5009, A5018
SHA-1A5009, A5018
SHA2-224A4711, A4712, A4716, A5009, A5018
SHA2-256A4711, A4712, A4716, A5009, A5010, A5018
SHA2-384A4711, A4712, A4716, A5009, A5018
SHA2-512A4711, A4712, A4716, A5009, A5018
SHA2- 512/224A5009, A5018
SHA2- 512/256A5009, A5018
SHA3-224A4713, A5011, A5020
SHA3-256A4713, A5011, A5020
SHA3-384A4713, A5011, A5020
SHA3-512A4713, A5011, A5020
SHAKE-128A5011, A5020
SHAKE-256A5011, A5020
TLS v1.2 KDF RFC7627 (CVL)A5009, A5018
TLS v1.3 KDF (CVL)A5013

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Non-Invasive Security8
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Summit Linux FIPS Core Crypto Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Error State</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Kernel AES-ECB<br/>Kernel AES-CTR<br/>Kernel AES-CBC</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Summit Linux FIPS Core Crypto Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Error State</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Kernel AES-ECB<br/>Kernel AES-CTR<br/>Kernel AES-CBC</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Ezurio Summit Linux FIPS Core Crypto Module Document Version: 1.1 Last Modified: 04/04/2025 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com © 2025 Ezurio/atsec information security.

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.1.1How this Security Policy was prepared5
1.2Security Levels5
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification8
2.3Excluded Components9
2.4Modes of Operation9
2.5Algorithms9
2.6Security Function Implementations15
2.7Algorithm Specific Information25
2.7.1AES GCM IV25
2.7.1.1TLS version 1.225
2.7.1.2TLS version 1.326
2.7.1.3IEEE 802.11 GCMP26
2.7.2AES XTS26
2.7.3Key derivation using SP 800-132 PBKDF226
2.7.4SP 800-56Ar3 Assurances27
2.7.5RSA Key Encapsulation27
2.7.6RSA Key Agreement28
2.7.7RSA SigGen and SigVer compliance28
2.7.8SHA-3 compliance28
2.8RBG and Entropy28
2.9Key Generation29
2.10Key Establishment29
2.11Industry Protocols30
3Cryptographic Module Interfaces31
3.1Ports and Interfaces31
4Roles, Services, and Authentication32
4.1Roles32
4.2Approved Services32
4.3Non-Approved Services49
4.4External Software/Firmware Loaded49
5Software/Firmware Security50
5.1Integrity Techniques50
5.2Initiate on Demand50
6Operational Environment51
6.1Operational Environment Type and Requirements51
6.2Configuration Settings and Restrictions51
7Physical Security52
7.1Mechanisms and Actions Required52
8Non-Invasive Security53
8.1Mitigation Techniques53
9Sensitive Security Parameters Management54
9.1Storage Areas54
9.2SSP Input-Output Methods54
9.3SSP Zeroization Methods54
9.4SSPs55
9.5Transitions76
10Self-Tests77
10.1Pre-Operational Self-Tests77
10.2Conditional Self-Tests77
10.3Periodic Self-Test Information81
10.4Error States84
10.5Operator Initiation of Self-Tests84
11Life-Cycle Assurance85
11.1Installation, Initialization, and Startup Procedures85
11.2Administrator Guidance85
11.3Non-Administrator Guidance85
11.4End of Life85
12Mitigation of Other Attacks86
12.1Attack List86
Appendix A. Glossary and Abbreviations87
Appendix B. References88
Page 3

© 2025 Ezurio/atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 3: Tested Operational Environments - Software, Firmware, Hybrid9
Table 4: Modes List and Description9
Table 5: Approved Algorithms14
Table 6: Vendor-Affirmed Algorithms15
Table 7: Non-Approved, Not Allowed Algorithms15
Table 8: Security Function Implementations25
Table 9: Entropy Certificates28
Table 10: Entropy Sources29
Table 11: Ports and Interfaces31
Table 12: Roles32
Table 13: Approved Services48
Table 14: Non-Approved Services49
Table 15: Storage Areas54
Table 16: SSP Input-Output Methods54
Table 17: SSP Zeroization Methods55
Table 18: SSP Table 168
Table 19: SSP Table 276
Table 20: Pre-Operational Self-Tests77
Table 21: Conditional Self-Tests81
Table 22: Pre-Operational Periodic Information82
Table 23: Conditional Periodic Information84
Table 24: Error States84
Figure 1: Physical configurations of the tested platform (top and bottom in order).7
Figure 2: Block Diagram8
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical security1
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacks1
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the Summit Linux FIPS Core Crypto Module, firmware version 11.0. It contains the security rules under which the module must be operated and describes how this module meets the requirements as specified in FIPS 140-3 (Federal Information Processing Standards Publication 140-3) for a This Security Policy contains non-proprietary information. All other documentation submitted for FIPS 140-3 conformance testing and validation is proprietary and is releasable only under appropriate non-disclosure agreements.

1.1.1 How this Security Policy was prepared

which was further consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Table 1: Security Levels N/A © 2025 Ezurio/atsec information security.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Summit Linux FIPS Core Crypto Module (hereafter referred to as the “module”) is a firmware module supporting FIPS 140-3 Approved cryptographic algorithms. The module is composed by firmware components comprised of a kernel and OpenSSL library. These firmware components provide a C language application program interface (API) for use by other processes that require cryptographic functionality. The module offers approved cryptographic functions in the approved mode for, among other uses:

Page 7

Figure 1: Physical configurations of the tested platform (top and bottom in order). Figure 2 below shows the block diagram of the module. The cryptographic boundary is indicated with yellow blocks, distributed among firmware components. Blocks of another color do not belong to the cryptographic boundary. Users of the module interact through the API that are the logical interfaces data input, data output, control input, status output. A dotted line encompasses the module’s components that interface through the API. In Figure 2, users of the module are exemplified by applications. These applications may reside within the NAND Flash memory or may reside outside (but still within the physical perimeter), always interacting with the module’s API. The physical perimeter of the module is defined as the perimeter of the circuit board on which the module is installed. The filesystem and operating system reside on NAND Flash memory within the physical perimeter. © 2025 Ezurio/atsec information security.

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
Image.Izma, fipscheck (application and library), fips.so11.0N/AImage.Izma, fipscheck (application and library), fips.soHMAC-SHA-256
Summit Linux 11.0Summit Linux 11.0Laird WB5NBT wireless bridge11.0Microchip AT91SAM9G (ARM926EJ-S), ARMv5-basedNoN/A
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
Image.Izma, fipscheck (application and library), fips.so11.0N/AImage.Izma, fipscheck (application and library), fips.soHMAC-SHA-256
Summit Linux 11.0Summit Linux 11.0Laird WB5NBT wireless bridge11.0Microchip AT91SAM9G (ARM926EJ-S), ARMv5-basedNoN/A
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9
Service
NameDescriptionType
Non- approved modeAutomatically entered whenever a non-approved service is requestedNon- Approved
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4712, A4716, A5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS1A5002, A5003, A5004Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS2A5002, A5003, A5004Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A4714, A4718, A5002, A5003, A5004Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA4712, A4716, A5002, A5003, A5004Key Length - 128, 192, 256SP 800-38C
AES-CFB1A5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA4712, A4716, A5002, A5003, A5004Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA4712, A4716, A5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4711, A4712, A4715, A4716, A4717, A5002, A5003, A5004, A5019Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA4712, A4715, A4717Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GCMA5005, A5006, A5007, A5008Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256SP 800-38D
AES-GMACA4712, A5005, A5006, A5007, A5008Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-KWA5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWPA5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A4712, A4716, A5002, A5003, A5004Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA4711, A4712, A4715, A4717Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA5015Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-5)A4711Curve - P-256, P-384 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyGen (FIPS186-5)A5009, A5018Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyVer (FIPS186-5)A5009, A5018Curve - P-224, P-256, P-384, P-521FIPS 186-5
ECDSA SigGen (FIPS186-5)A5009, A5018Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Component - NoFIPS 186-5
ECDSA SigGen (FIPS186-5)A5011, A5020Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - NoFIPS 186-5
ECDSA SigVer (FIPS186-5)A5009, A5018Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-5
ECDSA SigVer (FIPS186-5)A5011, A5020Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-5
EDDSA KeyGenA5016Curve - ED-25519, ED-448FIPS 186-5
EDDSA SigGenA5016Curve - ED-25519, ED-448FIPS 186-5
EDDSA SigVerA5016Curve - ED-25519, ED-448FIPS 186-5
Hash DRBGA5015Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA5015Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A5009, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A5009, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A5009, A5010, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A5009, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A5009, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A5009, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A5009, A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 224A5011, A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 256A5011, A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 384A5011, A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 512A5011, A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A4711Domain Parameter Generation Methods - P- 256, P-384SP 800-56A Rev. 3
KAS-ECC-SSC Sp800-56Ar3A5009, A5018Domain Parameter Generation Methods - P- 224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A5014Domain Parameter Generation Methods - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP- 3072, MODP-4096, MODP-6144, MODP- 8192 Scheme - dhEphem - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-IFC-SSCA5009, A5018Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime- factor Scheme - KAS1 - KAS Role - initiator, responderSP 800-56A Rev. 3
KDA HKDF Sp800-56Cr1A5013Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512SP 800-56C Rev. 2
KDA OneStep SP800-56Cr2A5012Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8SP 800-56C Rev. 2
KDA TwoStep SP800-56Cr2A5012MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8SP 800-56C Rev. 2
KDF ANS 9.42 (CVL)A5009, A5018KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.42 (CVL)A5011, A5020KDF Type - DER Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.63 (CVL)A5009, A5018Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256SP 800-135 Rev. 1

Table 3: Tested Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: NonAutomatically entered Table 4: Modes List and Description NonApproved After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of

2.5 Algorithms

Approved Algorithms: © 2025 Ezurio/atsec information security.

Page 10

© 2025 Ezurio/atsec information security.

Page 11

HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 © 2025 Ezurio/atsec information security.

Page 12

© 2025 Ezurio/atsec information security.

Page 13
Approved algorithm
NameCAVP CertKey SizeProperties
KDF KMAC Sp800-108r1A5017Derived Key Length - Derived Key Length: 112-4096 Increment 8SP 800-108 Rev. 1
KDF SP800- 108A5017KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 112, 128, 776, 3456, 4096SP 800-108 Rev. 1
KDF SSH (CVL)A5019Cipher - AES-128, AES-192, AES-256, TDES Hash Algorithm - SHA-1, SHA2-256, SHA2- 384, SHA2-512SP 800-135 Rev. 1
KDF TLS (CVL)A5009, A5018TLS Version - v1.0/1.1SP 800-135 Rev. 1
KMAC-128A5011, A5020Message Length - Message Length: 0- 65536 Increment 8 Key Data Length - Key Data Length: 128- 1024 Increment 8SP 800-185
KMAC-256A5011, A5020Message Length - Message Length: 0- 65536 Increment 8 Key Data Length - Key Data Length: 128- 1024 Increment 8SP 800-185
KTS-IFCA5009, A5018Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime- factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 768SP 800-56B Rev. 2
PBKDFA5009, A5011, A5018, A5020Iteration Count - Iteration Count: 1000- 10000 Increment 1 Password Length - Password Length: 14- 128 Increment 1SP 800-132
RSA KeyGen (FIPS186-5)A5009, A5018Key Generation Mode - probableWithProbableAux Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standardFIPS 186-5
RSA SigGen (FIPS186-5)A5009, A5018Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
RSA SigVer (FIPS186-5)A5009, A5018Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
Safe Primes Key GenerationA5014Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP-3072, MODP-4096, MODP- 6144, MODP-8192SP 800-56A Rev. 3
Safe Primes Key VerificationA5014Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP-3072, MODP-4096, MODP- 6144, MODP-8192SP 800-56A Rev. 3
SHA-1A5009, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-224A4711, A4712, A4716, A5009, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-256A4711, A4712, A4716, A5009, A5010, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-384A4711, A4712, A4716, A5009, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-512A4711, A4712, A4716, A5009, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2- 512/224A5009, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2- 512/256A5009, A5018Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA3-224A4713, A5011, A5020Message Length - Message Length: 0- 65536 Increment 8FIPS 202
SHA3-256A4713, A5011, A5020Message Length - Message Length: 0- 65536 Increment 8FIPS 202
SHA3-384A4713, A5011, A5020Message Length - Message Length: 0- 65536 Increment 8FIPS 202
SHA3-512A4713, A5011, A5020Message Length - Message Length: 0- 65536 Increment 8FIPS 202
SHAKE-128A5011, A5020Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A5011, A5020Output Length - Output Length: 16-65536 Increment 8FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A5009, A5018Hash Algorithm - SHA2-256, SHA2-384, SHA2-512SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A5013HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHESP 800-135 Rev. 1

KDF SP800108 © 2025 Ezurio/atsec information security.

Page 14
Service
NameDescriptionApproved FunctionsTypeProperties
Kernel ECDSA Key GenerationCurves:P-256, P-384 (128, 192 bits)Summit Linux (ECDH_C)FIPS 186-5, SP 800-133rev2 Section 5.1, 5.2
FIPS provider Safe Primes Key GenerationSafe Primes:MODP-2048, MODP- 3072, MODP-4096, MODP-6144, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 with 112- 200 bits of key strengthFIPS provider (FFC_DH)FIPS 186-5, SP 800-133rev2 Section 5.1, 5.2
FIPS provider EDDSA Key GenerationCurves:ED-25519, ED-448 (128, 224 bits)FIPS provider (EDDSA_3_2)FIPS 186-5, SP 800-133rev2 Section 5.1
FIPS provider RSA Key GenerationKeys:2048, 3072, 4096 (112, 128, 149 bits)FIPS provider (SHA_ASM)FIPS 186-5, SP 800-133rev2 Section 5.1, 5.2
FIPS provider ECDSA Key GenerationCurves:P-224, P-256, P-384, P- 512 (112, 128, 192, 256 bits)FIPS provider (SSH_ASM)FIPS 186-5, SP 800-133rev2 Section 5.1, 5.2
FIPS provider PBKDF with salt length less than 128 bitsKey derivation
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivation
FIPS provider TLSv1.2 KDF without using EMSKey derivation
Kernel AES-CCM (KTS-Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A4712, A4716)KTS-WrapKeys: 128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES-GCM (KTS-Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A4712, A4715, A4717)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CBC with HMACKey Wrapping, Key UnwrappingAES-CBC: (A4712, A4716) HMAC- SHA2-256: (A4711, A4712, A4716) HMAC- SHA2-384: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G

SHA2512/224 SHA2512/256 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: © 2025 Ezurio/atsec information security.

Page 15
Service
NameDescriptionApproved FunctionsTypeProperties
FIPS provider ECDSA Key GenerationCurves:P-224, P-256, P-384, P- 512 (112, 128, 192, 256 bits)FIPS provider (SSH_ASM)FIPS 186-5, SP 800-133rev2 Section 5.1, 5.2
FIPS provider PBKDF with salt length less than 128 bitsKey derivation
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivation
FIPS provider TLSv1.2 KDF without using EMSKey derivation
Kernel AES-CCM (KTS-Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A4712, A4716)KTS-WrapKeys: 128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES-GCM (KTS-Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A4712, A4715, A4717)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CBC with HMACKey Wrapping, Key UnwrappingAES-CBC: (A4712, A4716) HMAC- SHA2-256: (A4711, A4712, A4716) HMAC- SHA2-384: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Service
NameDescriptionApproved FunctionsTypeProperties
FIPS provider ECDSA Key GenerationCurves:P-224, P-256, P-384, P- 512 (112, 128, 192, 256 bits)FIPS provider (SSH_ASM)FIPS 186-5, SP 800-133rev2 Section 5.1, 5.2
FIPS provider PBKDF with salt length less than 128 bitsKey derivation
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivation
FIPS provider TLSv1.2 KDF without using EMSKey derivation
Kernel AES-CCM (KTS-Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A4712, A4716)KTS-WrapKeys: 128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES-GCM (KTS-Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A4712, A4715, A4717)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CBC with HMACKey Wrapping, Key UnwrappingAES-CBC: (A4712, A4716) HMAC- SHA2-256: (A4711, A4712, A4716) HMAC- SHA2-384: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CTR with HMACKey Wrapping, Key UnwrappingAES-CTR: (A4712, A4716) HMAC- SHA2-256: (A4711, A4712, A4716) HMAC- SHA2-384: (A4711, A4712, A4716) HMAC- SHA2-512: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel KAS-ECC- SSCShared Secret ComputationKAS-ECC- SSC Sp800- 56Ar3: (A4711)KAS-SSCCurves:Curves : P- 256, P-384 elliptic curves with 128 and 192 bits of key strength Compliance : Compliant with IG D.F scenario 2(1)
Kernel AES-ECBEncryption/DecryptionAES-ECB: (A4711, A4712, A4715, A4716, A4717)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-CTREncryption/DecryptionAES-CTR: (A4712, A4716)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-CBCEncryption/DecryptionAES-CBC: (A4712, A4716)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-CBC- CS3Encryption/DecryptionAES-CBC- CS3: (A4714, A4718)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-XTSEncryption/DecryptionAES-XTS Testing Revision 2.0: (A4712, A4716)BC-UnAuthKeys:128, 256 bits with 128 and 256 bits of key strength
Kernel AES-CCM (BC-Auth)Authenticated Encryption/DecryptionAES-CCM: (A4712, A4716)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-GCM (BC-Auth)Authenticated Encryption/DecryptionAES-GCM: (A4712, A4715, A4717)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-CMACMessage authentication code (MAC)AES-CMAC: (A4712, A4716)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-GMACMessage authentication code (MAC)AES-GMAC: (A4712)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel Counter DRBGRandom Number GenerationCounter DRBG: (A4711, A4712, A4715, A4717)DRBGCompliance:Compliant with SP800-90ARev1
Kernel ECDSA Key GenerationKey GenerationECDSA KeyGen (FIPS186-5): (A4711)CKGCurves:P-256, P-384
Kernel HMACMessage authentication code (MAC)HMAC- SHA2-224: (A4711, A4712, A4716) HMAC- SHA2-256: (A4711, A4712, A4716) HMAC- SHA2-384: (A4711, A4712, A4716) HMAC- SHA2-512: (A4711, A4712, A4716) HMAC- SHA3-224: (A4713) HMAC- SHA3-256: (A4713) HMAC- SHA3-384: (A4713) HMAC-MACKeys:112-256 bits with 112-256 bits of key strength
Kernel HashesHashingSHA2-224: (A4711, A4712, A4716) SHA2-256: (A4711, A4712, A4716) SHA2-384: (A4711, A4712, A4716) SHA2-512: (A4711, A4712, A4716) SHA3-224: (A4713) SHA3-256: (A4713) SHA3-384: (A4713) SHA3-512: (A4713)SHA
FIPS provider AES-CCM (KTS-Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A5002, A5003, A5004)KTS-WrapKeys: 128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider AES-GCM (KTS-Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A5005, A5006, A5007, A5008)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider KAS-IFC- SSCShared Secret ComputationKAS-IFC- SSC: (A5009, A5018)KAS-SSCKeys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength Compliance : Compliant with IG D.F scenario 1(1)
FIPS provider KTS-IFCKey encapsulation, Key unencapsulationKTS-IFC: (A5009, A5018)KTS-EncapKeys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength respectively Compliance:Compliant with IG D.G
FIPS provider Safe Primes Key GenerationKey GenerationSafe Primes Key Generation: (A5014)CKGGroups:MODP-2048, MODP-3072, MODP- 4096, MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
FIPS provider Safe Primes Key VerificationKey VerificationSafe Primes Key Verification: (A5014)AsymKeyPair- KeyVerGroups:MODP-2048, MODP-3072, MODP- 4096, MODP-6144, MODP-8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
FIPS provider KAS-FFC- SSCShared Secret ComputationKAS-FFC- SSC Sp800- 56Ar3: (A5014)KAS-SSCKeys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength Compliance : Compliant with IG D.F scenario 2(1)
FIPS provider KAS-ECC- SSCShared Secret ComputationKAS-ECC- SSC Sp800- 56Ar3: (A5009, A5018)KAS-SSCCurves:P-224, P-256, P-384, P-521 elliptic curves with 112-256 bits of key strength Compliance : Compliant with IG D.F scenario 2(1)
FIPS provider AES KWKey Wrapping, Key UnwrappingAES-KW: (A5002, A5003, A5004)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider AES KWPKey Wrapping, Key UnwrappingAES-KWP: (A5002, A5003, A5004)KTS-WrapKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider AES-ECBEncryption/DecryptionAES-ECB: (A5002, A5003, A5004, A5019)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CTREncryption/DecryptionAES-CTR: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBCEncryption/DecryptionAES-CBC: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBC- CS1Encryption/DecryptionAES-CBC- CS1: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBC- CS2Encryption/DecryptionAES-CBC- CS2: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBC- CS3Encryption/DecryptionAES-CBC- CS3: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CFB1Encryption/DecryptionAES-CFB1: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CFB8Encryption/DecryptionAES-CFB8: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES- CFB128Encryption/DecryptionAES- CFB128: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-XTSEncryption/DecryptionAES-XTS Testing Revision 2.0: (A5002, A5003, A5004)BC-UnAuthKeys:128, 256 bits with 128 and 256 bits of key strength
FIPS provider AES-CCM (BC-Auth)Authenticated Encryption/DecryptionAES-CCM: (A5002, A5003, A5004)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-GCM (BC-Auth)Authenticated Encryption/DecryptionAES-GCM: (A5005, A5006, A5007, A5008)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-OFBEncryption/DecryptionAES-OFB: (A5002, A5003, A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CMACMessage authentication code (MAC)AES-CMAC: (A5002, A5003, A5004)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-GMACMessage authentication code (MAC)AES-GMAC: (A5005, A5006, A5007, A5008)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider Counter DRBGRandom Number GenerationCounter DRBG: (A5015)DRBGCompliance:Compliant with SP800-90ARev1
FIPS provider Hash DRBGRandom Number GenerationHash DRBG: (A5015)DRBGCompliance:Compliant with SP800-90ARev1
FIPS provider HMAC DRBGRandom Number GenerationHMAC DRBG: (A5015)DRBGCompliance:Compliant with SP800-90ARev1
FIPS provider ECDSA Key GenerationKey GenerationECDSA KeyGen (FIPS186-5): (A5009, A5018)CKGCurves:P-224, P-256, P-384, P-521
FIPS provider ECDSA Key VerificationKey VerificationECDSA KeyVer (FIPS186-5): (A5009, A5018)AsymKeyPair- KeyVerCurves:P-224, P-256, P-384, P-521
FIPS provider ECDSA Signature GenerationSignature GenerationECDSA SigGen (FIPS186-5): (A5009, A5011, A5018, A5020)DigSig- SigGenCurves:P-224, P-256, P-384, P-521
FIPS provider ECDSA Signature VerificationSignature VerificationECDSA SigVer (FIPS186-5): (A5009, A5011, A5018, A5020)DigSig-SigVerCurves:P-224, P-256, P-384, P-521
FIPS provider EDDSA Key GenerationKey GenerationEDDSA KeyGen: (A5016)CKGCurves:Ed25519, Ed448
FIPS provider EDDSA Signature GenerationSignature GenerationEDDSA SigGen: (A5016)DigSig- SigGenCurves:Ed25519, Ed448
FIPS provider EDDSASignature VerificationEDDSA SigVer: (A5016)DigSig-SigVerCurves:Ed25519, Ed448
FIPS provider RSA Key GenerationKey GenerationRSA KeyGen (FIPS186-5): (A5009, A5018)CKGKeys:2048, 3072, 4096 keys with 112- 150 bits of key strength respectively
FIPS provider RSA Signature GenerationSignature GenerationRSA SigGen (FIPS186-5): (A5009, A5018)DigSig- SigGenKeys:2048, 3072, 4096 keys with 112- 150 bits of key strength respectively
FIPS provider RSA Signature VerificationSignature VerificationRSA SigVer (FIPS186-5): (A5009, A5018)DigSig-SigVerKeys:2048, 3072, 4096 keys with 112- 150 bits of key strength respectively
FIPS provider HMACMessage authentication code (MAC)HMAC-SHA- 1: (A5009, A5018) HMAC- SHA2-224: (A5009, A5018) HMAC- SHA2-256: (A5009, A5010, A5018) HMAC- SHA2-384: (A5009, A5018) HMAC- SHA2-512: (A5009, A5018) HMAC- SHA2- 512/224: (A5009, A5018) HMAC- SHA2- 512/256: (A5009, A5018) HMAC- SHA3-224: (A5011, A5020) HMAC- SHA3-256: (A5011,MACKeys:112-256 bits with 112-256 bits of key strength
FIPS provider KMACMessage authentication code (MAC)KMAC-128: (A5011, A5020) KMAC-256: (A5011, A5020)MACKeys:112-256 bits with 112-256 bits of key strength
FIPS provider HashesHashingSHA-1: (A5009, A5018) SHA2-224: (A5009, A5018) SHA2-256: (A5009, A5010, A5018) SHA2-384: (A5009, A5018) SHA2-512: (A5009, A5018) SHA2- 512/224: (A5009, A5018) SHA2- 512/256: (A5009, A5018) SHA3-224: (A5011, A5020) SHA3-256: (A5011, A5020) SHA3-384: (A5011, A5020) SHA3-512: (A5011, A5020) SHAKE-128: (A5011, A5020)SHA
FIPS provider ANS 9.42 Key Derivation (CVL)Key DerivationKDF ANS 9.42: (A5009, A5011, A5018, A5020)KAS-135KDFOID:AES-128-KW, AES-192-KW, AES- 256-KW with 128, 192, 256 bits of key strength, respectively
FIPS provider ANS 9.63 Key Derivation (CVL)Key DerivationKDF ANS 9.63: (A5009, A5018)KAS-135KDFKey data length:128- 4096 bits
FIPS provider TLS 1.0 and 1.1 Key Derivation (CVL)Key DerivationKDF TLS: (A5009, A5018)KAS-135KDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider TLS 1.2 Key Derivation (CVL)Key DerivationTLS v1.2 KDF RFC7627: (A5009, A5018)KAS-135KDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider TLS 1.3 Key Derivation (CVL)Key DerivationTLS v1.3 KDF: (A5013)KAS-135KDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider HKDF Key DerivationKey DerivationKDA HKDF Sp800- 56Cr1: (A5013)KAS-56CKDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider Password- based Key DerivationKey DerivationPBKDF: (A5009, A5011, A5018, A5020)PBKDFDerived key:112-4096 bits with 112-150 bits of key strength
FIPS provider OneStep Key DerivationKey DerivationKDA OneStep SP800- 56Cr2: (A5012)KAS-56CKDFDerived key:2048 bits with 112 bits of key strength
FIPS provider TwoStep Key DerivationKey DerivationKDA TwoStep SP800- 56Cr2: (A5012)KAS-56CKDFDerived key:2048 bits with 112 bits of key strength
FIPS provider KMAC Key DerivationKey DerivationKDF KMAC Sp800- 108r1: (A5017)KBKDFDerived key:112-4096 bits with 112-150 bits of key strength
FIPS provider KBKDF Key DerivationKey Derivation.KDF SP800- 108: (A5017)KBKDFDerived key:112-4096 bits with 112-150 bits of key strength
FIPS provider SSH Key DerivationKey DerivationKDF SSH: (A5019)KAS-135KDFKeys:128, 192, 256 bits with 128-256 bits of key strength

Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

HMACSHA2-256: HMACSHA2-384: © 2025 Ezurio/atsec information security.

Page 16

KAS-ECCSSC AES-CBCCS3 HMACSHA2-512: HMACSHA2-256: HMACSHA2-384: HMACSHA2-512: KAS-ECCSSC Sp80056Ar3: AES-CBCCS3: © 2025 Ezurio/atsec information security.

Page 17

HMACSHA2-224: HMACSHA2-256: HMACSHA2-384: HMACSHA2-512: HMACSHA3-224: HMACSHA3-256: HMACSHA3-384: © 2025 Ezurio/atsec information security.

Page 18

KAS-IFCSSC KAS-IFCSSC: © 2025 Ezurio/atsec information security.

Page 19

AsymKeyPairKeyVer KAS-FFCSSC KAS-ECCSSC KAS-FFCSSC Sp80056Ar3: KAS-ECCSSC Sp80056Ar3: © 2025 Ezurio/atsec information security.

Page 20

AES-CBCCS1 AES-CBCCS2 AES-CBCCS3 AESCFB128 AES-CBCCS1: AES-CBCCS2: AES-CBCCS3: AESCFB128: © 2025 Ezurio/atsec information security.

Page 21

AsymKeyPairKeyVer DigSigSigGen DigSigSigGen © 2025 Ezurio/atsec information security.

Page 22

DigSigSigGen HMACSHA2-224: HMACSHA2-256: HMACSHA2-384: HMACSHA2-512: HMACSHA2512/224: HMACSHA2512/256: HMACSHA3-224: HMACSHA3-256: © 2025 Ezurio/atsec information security.

Page 23

HMACSHA3-384: HMACSHA3-512: SHA2512/224: SHA2512/256: © 2025 Ezurio/atsec information security.

Page 24

Passwordbased Key Sp80056Cr1: SP80056Cr2: SP80056Cr2: © 2025 Ezurio/atsec information security.

Page 25

Table 8: Security Function Implementations Sp800108r1: KDF SP800108:

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

AES-GCM encryption and decryption are used in the context of the TLS protocol version 1.2 and 1.3 using the FIPS provider component (corresponding to Scenario 1 and 5 of IG C.H), and in the context of IEEE 802.11 GCMP using the kernel/hardware components (corresponding to Scenario 5 of IG C.H). For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary, compliant with Scenario 2 of FIPS 140-3 IG C.H. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL iv value. When this is the case, the API will set a non-approved service indicator.

2.7.1.1 TLS version 1.2

For TLS v1.2, the module uses the context of Scenario 1 of IG C.H. The module is compliant with SP 800-52 section 3.3.1 and the mechanism for IV generation is compliant with RFC5288. For this compliance, the module’s implementation of the AES-GCM shall be used together with an application that negotiates the protocol session’s keys and the 32-bit nonce value of the IV. The setting of the counter portion of the IV is performed within the cryptographic boundary. The nonce explicit part of the IV does not exhaust the maximum number of possible values for a given session key. This condition is implicitly ensured by the design of the TLS protocol, in which the nonce_explicit is denied exhaustion by the control exerted by the protocol’s management logic (wherein the nonce_explicit is incremented per each TLS record). This management logic also implies that the probability of an exhaustion of all 264

Page 26

In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established.

2.7.1.2 TLS version 1.3

For TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established.

2.7.1.3 IEEE 802.11 GCMP

The kernel component is in compliance with FIPS 140-3 IG C.H scenario 5 for the WPA2 protocol. Specifically, GCMP is defined in IEEE 802.11ac-2013. For IEEE 802.11 GCMP, the module implements an internal production unit logic that constructs the IV deterministically upon the initialization of a GCMP connection, and therefore the initialization of a GCM encryption context." and "In case the module's power is lost and then restored, the key used for AES GCM encryption or decryption shall be re-distributed.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.3 Key derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:

Page 27
2.7.4 SP 800-56Ar3 Assurances

Kernel Component: The module offers ECDH shared secret computation services compliant to the SP 800-56ARev3. In order to meet the required assurances listed in section

5.6 of SP 800-56ARev3, the module shall be used together with an application that

implements the "IPsec protocol" and the following steps shall be performed.

  1. The entity using the module, must use the module's "key pair generation" service for generating ECDH ephemeral keys. The key generation service performs full public key validation. This meets the assurances required by key pair owner defined in the section 5.6.2.1 of SP 800-56ARev3.
  2. The consumer using the module doesn't need to obtain assurance of the peer's possession of private key as the module only makes use of ephemeral keys.
  3. As part of the module’s shared secret computation service, the module internally performs the public key validation on the peer's public key passed in as input to the SSC function. This meets the public key validity assurance required by the sections 5.6.2.2.1/5.6.2.2.2 of SP 800-56ARev3. FIPS provider Component: The module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3. To comply with the assurances found in Section

5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that

implements the TLS protocol. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3.

2.7.5 RSA Key Encapsulation

To comply with SP800-56Br2 assurances found in its Section 6 (specifically SP800-56Br2 Section 6.4 Required Assurances) the entity using the module must obtain required assurances listed in section 6.4 of SP 800-56Br2 by performing the following steps:

  1. The entity requesting the RSA key un-encapsulation service from the module, shall only use an RSA private key that was generated by an active FIPS validated module that implements FIPS 186-5 compliant RSA key generation service and performs the key pair validity and the pairwise consistency as stated in section 6.4.1.1 of the SP 800-56Br2. Additionally, the entity shall renew these assurances over time by using any method described in section 6.4.1.5 of the SP 800-56Br2.
  2. For use of an RSA key encapsulation service in the context of key transport per IG D.G the entity using the module shall: © 2025 Ezurio/atsec information security.
Page 28
CertVendor
NumberName
E119Ezurio

a. verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). b. confirm the peer’s possession of private key by using any method specified in section 6.4.2.3 of the SP 800-56Br2. Only after the above assurances are successfully met, shall the entity use the peer’s public key to perform the RSA key encapsulation service of the module.

2.7.6 RSA Key Agreement

To comply with the assurances found in Section 6.4 of SP 800-56Br2, the module’s approved RSA key pair generation service must be used to generate the RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validity and the pairwise consistency according to section 6.4.1.1 of SP 800-56Br2. Additionally, the entity requesting the shared secret computation service shall verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). This service will perform the full public key validation of the peer’s public key, complying with Section 6.4.2.1 of SP 800-56Br2.

2.7.7 RSA SigGen and SigVer compliance

The module provides RSA signature generation and signature verification compliant with IG C.F. The module supports RSA modulus lengths of 2048, 3072, and 4096 bits for signature generation and 1024, 2048, 3072, and 4096 for signature verification. The RSA signature generation and signature verification implementations have been tested for all implemented RSA modulus lengths. The number of Miller-Rabin tests is consistent with the bit sizes of p and q from Table B.1 of FIPS 186-4.

2.7.8 SHA-3 compliance

The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of each SHA-3 function was tested and validated on all of the module’s operating environments. SHAKE functions are not implemented. SHA-3 hash functions are also used as part of a higher-level algorithm for HMAC.

2.8 RBG and Entropy

Table 9: Entropy Certificates © 2025 Ezurio/atsec information security.

Page 29
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Summit CPU Time Jitter RNG Entropy SourceNon- Physical64 bitsSummit Linux 11.064 bitsA4713 (SHA3- 256)

Table 10: Entropy Sources A4713 (SHA3256) The module provides DRBG’s compliant with SP800-90A for random number generation and the creation of key components of asymmetric keys. The kernel component DRBG implements a CTR_DRBG mechanism with AES-128, AES-192 or AES-256, with selectable enabling of derivation function and prediction resistance. The FIPS provider component DRBG’s implements a CTR_DRBG mechanism with AES-128, AES-192 or AES-256 with selectable enabling of derivation function and prediction resistance. Additionally, a Hash_DRBG and HMAC_DRBG mechanism with SHA-1, SHA-256 or SHA-512 with selectable enabling of derivation function and prediction resistance is implemented. Lastly the kernel and FIPS Provider DRBG’s are seeded with 320 bits and assessed to be full entropy in the ESV certificate #E119 at 1 bit/bit or 256 bits of entropy.

2.9 Key Generation

For generating RSA, ECDSA, Diffie-Hellman, EC Diffie-Hellman keys for the FIPS Provider component and ECDSA keys for Kernel component, the module implements asymmetric key generation services compliant with FIPS186-5 or SP800-56Arev3 as applicable and using a DRBG compliant with SP800-90A. The random value used in asymmetric key generation is obtained from the DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per Section 4 of SP800-133rev2 (vendor affirmed). Additionally, the module implements the following key derivation methods according to section 6.2 of SP 800-133r2:

2.10 Key Establishment

The module implements following key establishments methods that are listed in the Security Function Implementations table: - shared secret computation for KAS-IFC-SSC, KAS-FFC-SSC KAS-ECC-SSC © 2025 Ezurio/atsec information security.

Page 30

- key transport for KTS-IFC and KTS-Wrap

2.11 Industry Protocols

For DH, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC

7919 (TLS) as listed in Approved Services table. Note that the module only implements key

pair generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 and 1.3 KDFs). SSH KDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF (RFC 7627), TLS 1.3 KDF implementations shall only be used to generate secret keys in the context of the SSH, TLS 1.0/1.1, TLS 1.2, or TLS 1.3 protocols, respectively. Note that TLS 1.2 KDF must be compliant with RFC 7627 to be considered approved. ANS X9.42 KDF and ANS X9.63 KDF implementations shall only be used to generate secret keys in the context of an ANS X9.42-2001 resp. ANS X9.63-2001 key agreement scheme. © 2025 Ezurio/atsec information security.

Page 31
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI data input parameters, AF_ALG type sockets (kernel component)
N/AN/AData OutputAPI output parameters, AF_ALG type sockets (kernel component)
N/AN/AControl InputAPI function calls, API control input parameters, AF_ALG type sockets (kernel component), kernel command line (kernel component)
N/AN/AStatus OutputAPI return values, error queue, AF_ALG type sockets (kernel component), kernel logs (kernel component)
N/AN/APowerThe hardware on which the module runs receives power from the circuit board on which the hardware resides.
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A N/A Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. © 2025 Ezurio/atsec information security.

Page 32
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
Kernel Encryptio nEncrypti onCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- XTScrypto_skcipher_setkey returns 0AES key, plaintex tcipherte xt
Kernel Decrypti onDecrypt ionCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- XTScrypto_skcipher_setkey returns 0AES key, cipherte xtplaintext
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
Kernel Encryptio nEncrypti onCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- XTScrypto_skcipher_setkey returns 0AES key, plaintex tcipherte xt
Kernel Decrypti onDecrypt ionCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- XTScrypto_skcipher_setkey returns 0AES key, cipherte xtplaintext
Kernel Authenti cated Encryptio nEncrypti onCrypto Officer - Kernel AES key: W,EKernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)crypto_aead_setkey returns 0AES key, IV, plaintex tcipherte xt, MAC tag
Kernel Authenti cated Decrypti onDecrypt ionCrypto Officer - Kernel AES key: W,EKernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)crypto_aead_setkey returns 0AES key, IV, MAC tag, cipherte xtplaintext or fail
Kernel key wrappingWrap a keyCrypto Officer - Kernel AES key: W,EKernel AES- CCM (KTS- Wrap) Kernel AES- GCM (KTS- Wrap) Kernel AES CBC with HMAC Kernel AES CTR with HMACcrypto_skcipher_setkey returns 0; crypto_aead_setkey returns 0; crypto_shash_init returns 0AES key, key to be wrappe dwrapped key
Kernel key unwrappi ngunwrap a keyCrypto Officer - Kernel AES key: W,EKernel AES- CCM (KTS- Wrap) Kernel AES- GCM (KTS- Wrap) Kernelcrypto_skcipher_setkey returns 0; crypto_aead_setkey returns 0; crypto_shash_init returns 0AES key, key to be unwrap pedunwrapp ed key
Kernel AES Message Authenti cationcomput e a MAC tagCrypto Officer - Kernel AES key: W,EKernel AES- CMAC Kernel AES- GMACcrypto_shash_init returns 0AES key, messag eMAC tag
Kernel HMAC Message Authenti cationcomput e a MAC tagCrypto Officer - Kernel HMAC key: W,EKernel HMACcrypto_shash_init returns 0HMAC key, messag eMAC tag
Kernel Message Digestcomput e a messag e digestCrypto OfficerKernel Hashescrypto_shash_init returns 0messag edigest value
Kernel ECC Shared Secret Computa tioncomput e a shared secretCrypto Officer - Kernel EC public key: W,E - Kernel EC private key: W,E - Kernel shared secret: W,EKernel KAS- ECC- SSCcrypto_kpp_compute_sh ared_secret returns 0EC public key, EC private keyShared Secret
Kernel Random Number Generati ongenerat e random bytesCrypto Officer - Entropy input: W,E - Kernel DRBG seed: G,E - DRBG Internal State (V, Key): W,E - DRBG Internal state (V, C): W,EKernel Counte r DRBGcrypto_rng_get_bytes returns 0output lengthrandom data
Kernel EC Key generati ongenerat e key pairCrypto Officer - Kernel EC public key: G,R - Kernel EC private key: G,R - Kernel Intermedi ate Key Generatio n Value: G,E,ZKernel ECDSA Key Genera tioncrypto_kpp_set_secret and crypto_kpp_generate_pu blic_key return 0CurveEC keys
FIPS provider Message Digestcomput e a mesage digestCrypto OfficerFIPS provid er Hashes_SUMMIT_FIPS_INDICAT OR_APPROVEDmessag edigest value
FIPS provider Encryptio nEncrypt plaintex tCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CTR FIPS provid er AES- CBC FIPS provid er AES- ECB FIPS provid er AES- CBC- CS1 FIPS provid er AES- CBC- CS2 FIPS provid er AES- CBC- CS3 FIPS provid er AES- CFB1 FIPS provid_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, plaintex tcipherte xt
FIPS provider Decrypti onDecrypt cipherte xtCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CTR FIPS provid er AES- CBC FIPS provid er AES- ECB FIPS provid er AES- CBC- CS1 FIPS provid er AES- CBC- CS2 FIPS provid er AES- CBC- CS3 FIPS provid er AES- CFB1 FIPS provid er AES- CFB8 FIPS_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, cipherte xtplaintext
FIPS provider Authenti cated Encryptio nEncrypt plaintex tCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CCM (BC- Auth) FIPS provid er AES- GCM (BC- Auth)_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, IV, plaintex tcipherte xt, MAC tag
FIPS provider Authenti cated Decrypti onDecrypt cipherte xtCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CCM (BC- Auth) FIPS provid er AES- GCM (BC- Auth)_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, IV, MAC tag, cipherte xtplaintext
FIPS provider AES Message Authenti cationcomput e a MAC tagCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CMAC FIPS provid er AES- GMAC_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, messag eMAC tag
FIPS provider HMAC Message Authenti cationcomput e a MAC tagCrypto Officer - FIPS provider HMAC key: W,EFIPS provid er HMAC_SUMMIT_FIPS_INDICAT OR_APPROVEDHMAC key, messag eMAC tag
FIPS provider FFC Shared Secret Computa tioncomput e a shared secretCrypto Officer - FIPS provider DH public key: W,E - FIPS provider DH private key: W,EFIPS provid er KAS- FFC- SSC_SUMMIT_FIPS_INDICAT OR_APPROVEDDH private key, DH public keyShared Secret
FIPS provider ECC Shared Secret Computa tioncomput e a shared secretCrypto Officer - FIPS provider EC public key: W,E - FIPS provider EC private key: W,E - FIPS provider shared secret: W,EFIPS provid er KAS- ECC- SSC_SUMMIT_FIPS_INDICAT OR_APPROVEDEC public key, EC private keyShared Secret
FIPS provider IFC Shared Secret Computa tioncomput e a shared secretCrypto Officer - FIPS provider RSA public key: W,E - FIPS provider RSA private key: W,E - FIPS provider shared secret: W,EFIPS provid er KAS- IFC- SSC_SUMMIT_FIPS_INDICAT OR_APPROVEDRSA public key, RSA private keyShared Secret
FIPS provider Key Derivatio nderive a keyCrypto Officer - FIPS provider shared secret: W,E - FIPS provider derivedFIPS provid er ANS 9.42 Key Derivat ion (CVL) FIPS provid_SUMMIT_FIPS_INDICAT OR_APPROVEDShared secretderived key
er ANS 9.63 Key Derivat ion (CVL) FIPS provid er TLS 1.0 and 1.1 Key Derivat ion (CVL) FIPS provid er TLS 1.2 Key Derivat ion (CVL) FIPS provid er TLS 1.3 Key Derivat ion (CVL) FIPS provid er HKDF Key Derivat ion FIPS provid er OneSte p Key Derivat ion FIPS provid er TwoSte p Keykey: G,R - FIPS provider key- derivation key: W,E - FIPS provider AES Derived Key: G,R - FIPS provider HMAC Derived Key : G,R - FIPS provider 802.11 Pre- shared key (PSK): W,E - FIPS provider 802.11 Pairwise Master Key (PMK): W,E - FIPS provider 802.11 KDF Internal State: R - FIPS provider 802.11 Temporal Keys: W,E - FIPS provider 802.11 MIC keys (KCK): W,E - FIPS provider 802.11 Keyer ANS 9.63 Key Derivat ion (CVL) FIPS provid er TLS 1.0 and 1.1 Key Derivat ion (CVL) FIPS provid er TLS 1.2 Key Derivat ion (CVL) FIPS provid er TLS 1.3 Key Derivat ion (CVL) FIPS provid er HKDF Key Derivat ion FIPS provid er OneSte p Key Derivat ion FIPS provid er TwoSte p Key
Derivat ion FIPS provid er KMAC Key Derivat ion FIPS provid er KBKDF Key Derivat ion FIPS provid er SSH Key Derivat ionEncryption Key (KEK): W,E - FIPS provider 802.11 Group Temporal Key (GTK): W,EDerivat ion FIPS provid er KMAC Key Derivat ion FIPS provid er KBKDF Key Derivat ion FIPS provid er SSH Key Derivat ion
FIPS provider Password -based key derivatio nderive a key from a passwor dCrypto Officer - FIPS provider derived key: G,R - FIPS provider Password: W,EFIPS provid er Passw ord- based Key Derivat ion_SUMMIT_FIPS_INDICAT OR_APPROVEDpasswor dderived key
FIPS provider SafePrim e key generati ongenerat e a key pairCrypto Officer - FIPS provider module generated DH public key: G,R - FIPS provider module generated DH private key: G,R - FIPS provider Intermedi ate Key GeneratioFIPS provid er Safe Primes Key Genera tion_SUMMIT_FIPS_INDICAT OR_APPROVEDDH- GroupModule generat ed DH private key, Module generat ed DH public key
FIPS provider EC Key generati ongenerat e a key pairCrypto Officer - FIPS provider module generated EC public key: G,R - FIPS provider module generated EC private key: G,R - FIPS provider Intermedi ate Key Generatio n Value: G,E,ZFIPS provid er ECDSA Key Genera tion FIPS provid er EDDSA Key Genera tion_SUMMIT_FIPS_INDICAT OR_APPROVEDCurveModule Generat ed EC Private Key, Module Generat ed EC Public Key
FIPS provider RSA key generati ongenerat e a key pairCrypto Officer - FIPS provider module generated RSA private key: G,R - FIPS provider module generated RSA public key: G,R - FIPS provider Intermedi ate Key Generatio n Value: G,E,ZFIPS provid er RSA Key Genera tion_SUMMIT_FIPS_INDICAT OR_APPROVEDModulusModule Generat ed RSA Private Key, Module Generat ed RSA Public Key
FIPS provider SafePrim e Key Verificati onverify key pairCrypto Officer - FIPS provider DH public key: WFIPS provid er Safe Primes Key_SUMMIT_FIPS_INDICAT OR_APPROVEDDH Private key, DH public keyPass/fail
Verific ation- FIPS provider DH private key: WVerific ation
FIPS provider EC Key Verificati onverify key pairCrypto Officer - FIPS provider EC public key: W - FIPS provider EC private key: WFIPS provid er ECDSA Key Verific ation_SUMMIT_FIPS_INDICAT OR_APPROVEDEC public key, EC private keyPass/fail
FIPS provider Key wrappingwrap a keyCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CCM (KTS- Wrap) FIPS provid er AES- GCM (KTS- Wrap) FIPS provid er AES KW FIPS provid er AES KWP_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, key to be wrappe dwrapped key
FIPS provider Key unwrappi ngunwrap a keyCrypto Officer - FIPS provider AES Key: W,EFIPS provid er AES- CCM (KTS- Wrap) FIPS provid er AES- GCM (KTS- Wrap) FIPS provid er AES KW FIPS_SUMMIT_FIPS_INDICAT OR_APPROVEDAES key, key to be unwrap pedunwrapp ed key
FIPS provider RSA Signatur e Verificati onverify digital signatur eCrypto Officer - FIPS provider RSA public key: W,EFIPS provid er RSA Signat ure Verific ation_SUMMIT_FIPS_INDICAT OR_APPROVEDRSA public key, signatur e, hash algorith mPass/fail
FIPS provider EC Signatur e Verificati onverify digital signatur eCrypto Officer - FIPS provider EC public key: W,EFIPS provid er ECDSA Signat ure Verific ation FIPS provid er EDDSA Signat ure Verific ation_SUMMIT_FIPS_INDICAT OR_APPROVEDMessag e, EC public key, signatur e, hash algorith m (ECDSA only)Pass/fail
FIPS provider EC Signatur e Generati ongenerat e digital signatur eCrypto Officer - FIPS provider EC private key: W,EFIPS provid er ECDSA Signat ure Genera tion FIPS provid er EDDSA Signat ure Genera tion_SUMMIT_FIPS_INDICAT OR_APPROVEDMessag e, EC public key, signatur e, hash algorith m (ECDSA only)signatur e
FIPS provider RSA Signatur e Generati ongenerat e digital signatur eCrypto Officer - FIPS provider RSA private key: W,EFIPS provid er RSA Signat ure Genera tion_SUMMIT_FIPS_INDICAT OR_APPROVEDMessag e,RSA public key, signatur e, hash algorith msignatur e
FIPS provider Random Number Generati ongenerat e random bytesCrypto Officer - Entropy input: W,E - FIPS provider DRBG seed: G,E - DRBG Internal State (V, Key): G,W,E - DRBG Internal state (V, C): G,W,EFIPS provid er Counte r DRBG FIPS provid er Hash DRBG FIPS provid er HMAC DRBG_SUMMIT_FIPS_INDICAT OR_APPROVEDoutput lengthrandom bytes
FIPS provider key encapsul ationKTSCrypto Officer - FIPS provider RSA public key: W,EFIPS provid er KTS- IFC_SUMMIT_FIPS_INDICAT OR_APPROVEDRSA public keyEncapsu lated key
FIPS provider key un- encapsul ationKTSCrypto Officer - FIPS provider RSA private key: W,EFIPS provid er KTS- IFC_SUMMIT_FIPS_INDICAT OR_APPROVEDRSA private keyDecapsu lated key
FIPS provider KMAC Message Authenti cationMACCrypto Officer - FIPS Provider KMAC Key: W,EFIPS provid er KMAC_SUMMIT_FIPS_INDICAT OR_APPROVEDKMAC keyMac tag
Show versionReturn the module name and version informa tionUnauthent icatedNoneNoneN/Amodule name and version
Show statusreturn module statusUnauthent icatedNoneNoneN/Amodule status
Self- Testsperform CASTs andUnauthent icatedNoneNoneN/APass/Fail
Zeroizati onzeroize all SSPsCrypto Officer - Kernel AES key: Z - FIPS provider AES Key: Z - Kernel shared secret: Z - Kernel HMAC key: Z - FIPS provider shared secret: Z - Entropy input: Z - Kernel DRBG seed: Z - DRBG Internal State (V, Key): Z - DRBG Internal state (V, C): Z - FIPS provider DH public key: Z - FIPS provider DH private key: Z - Kernel EC public key: Z - Kernel EC private key: Z - FIPS provider EC public key: ZNoneNoneAny SSPN/A
4 Roles, Services, and Authentication
4.1 Roles

Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.2 Approved Services

s n t AESECB AESCTR AESCBC AESCBCCS3 AESXTS AESECB AESCTR AESCBC AESCBCCS3 AESXTS W,E W,E © 2025 Ezurio/atsec information security.

Page 33

s n t d AESCCM (BCAuth) AESGCM (BCAuth) AESCCM (BCAuth) AESGCM (BCAuth) AESCCM (KTSWrap) AESGCM (KTSWrap) AESCCM (KTSWrap) AESGCM (KTSWrap) W,E W,E W,E W,E © 2025 Ezurio/atsec information security.

Page 34

s e e ea ea e KASECCSSC e AESCMAC AESGMAC W,E W,E C): W,E © 2025 Ezurio/atsec information security.

Page 35

s n ea t e t er AESCTR er AESCBC er AESECB er AESCBCCS1 er AESCBCCS2 er AESCBCCS3 er AESCFB1 G,E,Z W,E © 2025 Ezurio/atsec information security.

Page 36

s er AESCFB8 er AESCFB12 er AESXTS er AESOFB er AESCTR er AESCBC er AESECB er AESCBCCS1 er AESCBCCS2 er AESCBCCS3 er AESCFB1 er AESCFB8 W,E © 2025 Ezurio/atsec information security.

Page 37

s n t t e e er AESCFB12 er AESXTS er AESOFB er AESCCM (BCAuth) er AESGCM (BCAuth) er AESCCM (BCAuth) er AESGCM (BCAuth) er AESCMAC er AESGMAC W,E W,E W,E © 2025 Ezurio/atsec information security.

Page 38

s er KASFFCSSC ea ea er KASECCSSC ea er KASIFCSSC n W,E W,E W,E © 2025 Ezurio/atsec information security.

Page 39

s 1.0 1.1 1.2 1.3 keyderivation Preshared W,E W,E © 2025 Ezurio/atsec information security.

Page 40

s n d d DHGroup ordbased W,E W,E W,E © 2025 Ezurio/atsec information security.

Page 41

s G,E,Z G,E,Z G,E,Z © 2025 Ezurio/atsec information security.

Page 42

s d er AESCCM (KTSWrap) er AESGCM (KTSWrap) er AESCCM (KTSWrap) er AESGCM (KTSWrap) W,E W,E © 2025 Ezurio/atsec information security.

Page 43

s e e e e m m e e m e e e m e © 2025 Ezurio/atsec information security.

Page 44

s e er KTSIFC key unencapsul er KTSIFC N/A N/A N/A SelfTests G,W,E C): G,W,E © 2025 Ezurio/atsec information security.

Page 45

s N/A Z C): Z © 2025 Ezurio/atsec information security.

Page 46

s © 2025 Ezurio/atsec information security.

Page 47

s keyderivation Z Z © 2025 Ezurio/atsec information security.

Page 48

Table 13: Approved Services s Z The table above lists the approved services. The following convention is used to specify access rights to SSPs:

Page 49
Service
NameDescriptionRolesApproved Functions
FIPS provider PBKDF with salt length less than 128 bitsKey derivationCOFIPS provider PBKDF with salt length less than 128 bits
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivationCOFIPS provider TLSv1.0 and TLSv1.1 KDF using EMS
FIPS provider TLSv1.2 KDF without using EMSKey derivationCOFIPS provider TLSv1.2 KDF without using EMS
4.3 Non-Approved Services

Table 14: Non-Approved Services

4.4 External Software/Firmware Loaded

The module does not load external software or firmware. © 2025 Ezurio/atsec information security.

Page 50
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module’s firmware components (the kernel, the FIPS Provider components and fipscheck application and library) is individually verified by the fipscheck integrity test tool using HMAC-SHA2-256 implemented in the FIPS Provider. The FIPS Provider component executes its CASTs (which include the KAT for the integrity technique using HMAC-SHA2-256) before the fipscheck integrity test tool executes to verify the integrity of the module. The HMAC value of each firmware component is computed at build time and stored in the .hmac file for each component. The value is recalculated at runtime for the image of the kernel, FIPS Provider binary and fipscheck application and library, and then compared against the stored value in the file. If the comparison succeeds, then the remaining CASTs (consisting of the Known Answer Tests) for the kernel are performed.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the firmware integrity tests. © 2025 Ezurio/atsec information security.

Page 51
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Ezurio/atsec information security.

Page 52
7 Physical Security
7.1 Mechanisms and Actions Required

N/A for this module. The module is enclosed within a production-grade enclosure with components that include standard passivation techniques (e.g., a conformal coating applied over the module's circuitry to protect against environmental or other physical damage) conformant to the Level 1 requirements for physical security. © 2025 Ezurio/atsec information security.

Page 53
8 Non-Invasive Security
8.1 Mitigation Techniques

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 Ezurio/atsec information security.

Page 54
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary storage for SSPs used by the module as part of service execution. The module does not perform persistent storage of SSPs.
Service
NameApproved FunctionsTypeFromToDistributio n Type
API input parametersElectroni cPlaintex tOperating calling application (TOEPP)Cryptographi c moduleManual
Kernel AF_ALG_typ e sockets (input)Electroni cPlaintex tOperating calling application (TOEPP)Cryptographi c moduleManual
API output parametersElectroni cPlaintex tCryptographi c moduleOperator calling application (TOEPP)Manual
Kernel AF_ALG type sockets (output)Electroni cPlaintex tCryptographi c moduleOperator calling application (TOEPP)Manual
ZeroizationDescriptionRationaleOperator Initiation
Method
Kernel free cipher handleZeroizes the SSPs contained within the cipher handleMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. The completion ofBy calling the appropriate zeroization functions:- AES key: crypto_free_skcipher and crypto_free_aead; - DRBG Internal state: crypto_free_rng; - EC public
9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 15: Storage Areas the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. t c t c t c t c Table 16: SSP Input-Output Methods m © 2025 Ezurio/atsec information security.

Page 55
Sensitive security parameter
NameTypeDescriptionStrengthZeroizationUseRationale the zeroization routine(s) indicate that the zeroization procedure succeeded
By calling the appropriate zeroization functions: - EVP_CIPHER_CTX_free(): clears and frees symmetric cipher context; - EVP_MAC_CTX_free(): clears and frees MAC context; - EVP_KDF_CTX_free(): clears and frees KDF context; - EVP_RAND_CTX_free(): clears and frees DRBG context; - EVP_PKEY_free(): clears and frees asymmetric key pair structuresZeroizes the SSPsFIPS provider calling the zeroization APIMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization. The completion of the zeroization routine(s) indicate that the zeroization procedure succeeded
Intermediate key generation value: zeroized automatically by the module (after the requested service completed)Zeroizes the SSPsFIPS provider AutomaticMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization.
By removing powerDe-allocates the volatile memory used to store SSPsRemove power from the moduleVolatile memory used by the module is overwritten within nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded.
Kernel AES keySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128,Kernel AES-CCM (KTS- Wrap) Kernel
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputRationale the zeroization routine(s) indicate that the zeroization procedure succeededSize - Strengt hRelated SSPs
By calling the appropriate zeroization functions: - EVP_CIPHER_CTX_free(): clears and frees symmetric cipher context; - EVP_MAC_CTX_free(): clears and frees MAC context; - EVP_KDF_CTX_free(): clears and frees KDF context; - EVP_RAND_CTX_free(): clears and frees DRBG context; - EVP_PKEY_free(): clears and frees asymmetric key pair structuresZeroizes the SSPsFIPS provider calling the zeroization APIMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization. The completion of the zeroization routine(s) indicate that the zeroization procedure succeeded
Intermediate key generation value: zeroized automatically by the module (after the requested service completed)Zeroizes the SSPsFIPS provider AutomaticMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization.
By removing powerDe-allocates the volatile memory used to store SSPsRemove power from the moduleVolatile memory used by the module is overwritten within nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded.
Kernel AES keySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128,Kernel AES-CCM (KTS- Wrap) Kernel
192, 256 bits192, 256 bitsAES- GCM (KTS- Wrap) Kernel AES CBC with HMAC Kernel AES CTR with HMAC Kernel AES-ECB Kernel AES-CTR Kernel AES-CBC Kernel AES- CBC-CS3 Kernel AES-XTS Kernel AES-CCM (BC- Auth) Kernel AES- GCM (BC- Auth) Kernel AES- CMAC Kernel AES- GMAC
Kernel HMAC keyAuthenticat ion key - CSPHMAC key112-256 bits - 112-256 bitsKernel AES CBC with HMAC Kernel AES CTR with HMAC Kernel HMAC
Kernel Intermedi ate KeyIntermediat e value - CSPIntermediate key generation valueP-256, P-384 - 128, 192 bitsKernel ECDSA KeyKernel ECDSA Key
Generatio n ValueGenerati onGenerati on
Kernel shared secretShared secret - CSPShared secret generated by ECDHP-256, P-384 - 128 and 192 bitsKernel KAS-ECC- SSC
Kernel DRBG seedSeed - CSPDRBG seed derived from entropy input128, 192, 256 bits - 128, 192, 256 bitsKernel Counter DRBGKernel Counter DRBG
Kernel EC public keyPublic key - PSPPublic key used for ECDHP-256, P-384 - 128, 192 bitsKernel ECDSA Key Generati onKernel KAS- ECC-SSC
Kernel EC private keyPrivate key - CSPPrivate key used for ECDHP-256, P-384 - 128, 192 bitsKernel ECDSA Key Generati onKernel KAS- ECC-SSC
Entropy inputEntropy input - CSPEntropy input used to seed the DRBGs320 bits - 256 bitsKernel Counter DRBG FIPS provider Counter DRBG FIPS provider Hash DRBG FIPS provider HMAC DRBG
DRBG Internal State (V, Key)DRBG Internal state - CSPInternal state of Counter DRBGCounter DRBG: 128, 192, 256 bits; HMAC DRBG: 160-512 bits - 128-256 bitsKernel Counter DRBG FIPS provider Counter DRBG FIPS provider HMAC DRBGKernel Counter DRBG FIPS provider Counter DRBG FIPS provider HMAC DRBG
DRBG Internal state (V, C)DRBG Internal state - CSPInternal state of Hash and HMAC DRBG440, 888 bits - 256 bitsFIPS provider Hash DRBGFIPS provider Hash DRBG
FIPS provider AES KeySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128, 192, 256 bitsFIPS provider AES-CCM (KTS- Wrap) FIPS provider AES- GCM (KTS- Wrap) FIPS provider AES KWP FIPS provider AES-ECB FIPS provider AES-CTR FIPS provider AES-CBC FIPS provider AES- CBC-CS1 FIPS provider AES- CBC-CS2 FIPS provider AES- CBC-CS3 FIPS provider AES- CFB1 FIPS provider AES- CFB8 FIPS provider AES-XTS FIPS provider
FIPS provider HMAC keyAuthenticat ion key - CSPHMAC key112-256 bits - 112-256 bitsFIPS provider HMAC
FIPS provider shared secretShared secret - CSPShared secret generated by KAS-FFC-SSC, KAS-ECC-SSC, or KAS-IFC-SSC224- 8192 bits - 112-256 bitsFIPS provider KTS-IFC FIPS provider KAS-FFC- SSC FIPS provider KAS-ECC- SSCFIPS provider ANS 9.42 Key Derivatio n (CVL) FIPS provider ANS 9.63 Key Derivatio n (CVL) FIPS provider TLS 1.0 and 1.1
FIPS provider DRBG seedSeed - CSPDRBG seed derived from entropy input128,192 , 256 bits - 128, 192, 256 bitsFIPS provider Counter DRBG FIPS provider Hash DRBG FIPS provider HMAC DRBG
FIPS providerPublic key - PSPPublic key used for DH2048, 3072,FIPS provider
DH public key4096, 6144, 8192 bits - 112-200 bitsKAS-FFC- SSC
FIPS provider DH private keyPrivate key - CSPPrivate key used for DH2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider KAS-FFC- SSC
FIPS provider EC public keyPublic key - PSPPublic key used for ECDH and ECDSAP-224, P-256, P-384, P-521; Ed2551 9, Ed448 - 112, 128, 192, 256 bitsFIPS provider KAS- ECC-SSC FIPS provider ECDSA Key Verificati on FIPS provider ECDSA Signatur e Verificati on FIPS provider EDDSA Signatur e Verificati on
FIPS provider EC private keyPrivate key - CSPPrivate key used for ECDH and ECDSAP-224, P-256, P-384, P-521; Ed2551 9, Ed448 - 112, 128, 192, 256 bitsFIPS provider KAS- ECC-SSC FIPS provider ECDSA Signatur e Generati on FIPS provider EDDSA
FIPS provider module generated DH public keyPublic key - PSPDH public key generated by the module2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider Safe Primes Key Generati on
FIPS provider module generated DH private keyPrivate key - CSPDH private key generated by the module2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider Safe Primes Key Generati on
FIPS provider module generated EC public keyPublic key - PSPEC public key generated by the moduleP-224, P-256, P-384, P-521; Ed2551 9, Ed448 - 128-256 bitsFIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati on
FIPS provider module generated EC private keyPrivate key - CSPEC private key generated by the moduleP-224, P-256, P-384, P-521; Ed2551 9, Ed448 (128, 192 bits) - 128-256 bitsFIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati on
FIPS provider RSA public keyPublic key - PSPPublic key used for RSA signature generation2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider KAS-IFC- SSC FIPS provider KTS-IFC FIPS
FIPS provider RSA private keyPrivate key - CSPPrivate key used for RSA signature generation2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider KAS-IFC- SSC FIPS provider KTS-IFC FIPS provider RSA Signatur e Generati on
FIPS provider module generated RSA public keyPublic key - PSPRSA public key generated by the module2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider RSA Key Generati on
FIPS provider module generated RSA private keyPrivate key - CSPRSA private key generated by the module2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider RSA Key Generati on
FIPS provider Intermedi ate Key Generatio n ValueIntermediat e value - CSPIntermediate key generation value224- 4096 bits - 112-256 bitsFIPS provider Safe Primes Key Generati on FIPS provider ECDSA Key Generati on FIPS provider EDDSA Key GeneratiFIPS provider Safe Primes Key Generati on FIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati
on FIPS provider RSA Key Generati onon FIPS provider RSA Key Generati onon FIPS provider RSA Key Generati on
FIPS provider derived keySymmetric key - CSPSymmetric key derived from a key-derivation key , shared secret, or password112- 4096 bits - 112-256 bitsFIPS provider ANS 9.42 Key Derivatio n (CVL) FIPS provider ANS 9.63 Key Derivatio n (CVL) FIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL) FIPS provider HKDF Key Derivatio n FIPS provider Password -based Key Derivatio n FIPS provider
FIPS provider key- derivation keySymmetric key - CSPSymmetric key used to derive symmetric keys112- 4096 bits - 112-256 bitsFIPS provider KMAC Key Derivatio n FIPS provider KBKDF Key Derivatio n
FIPS provider PasswordPassword - CSPPassword used to derive symmetric keys8-128 charact ers - N/AFIPS provider Passwor d-based Key Derivatio n
FIPS provider AES Derived KeySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128, 192, 256 bitsFIPS provider TLS 1.0 and 1.1 Key Derivatio
FIPS provider HMAC Derived KeyAuthenticat ion Key - CSPHMAC key112-256 bits - 112-256 bitsFIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL) FIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 Pre- shared key (PSK)Pre-shared key - CSPUsed for pre- shared key authentication and session key establishment, as well as for 802.11 KDFUp to 256 bits of length - Up to 256 bitsFIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 Pairwise Master Key (PMK)Pairwise Master Key - CSPUsed for pre- shared key authentication and session key establishment, as well as for 802.11 KDF256 or 384 bits - 256 bitsFIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 KDF Internal StateInternal state - CSPUsed for SP800- 108 KDF to calculate the WPA2 session keysN/A - N/AFIPS provider KBKDF Key Derivatio nFIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 Temporal KeysTemporal Keys - CSPAES-CCM or AES- GCM keys used for session encryption/decry ption128 or 256 bits - 128 or 256 bitsFIPS provider KBKDF Key Derivatio nKernel AES-CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
FIPS provider 802.11 MIC keys (KCK)MIC keys - CSPKey confirmation keys (KCK) used for message authentication during session establishment128 or 192 bits - 128 or 192 bitsFIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 Key Encryptio n Key (KEK)Key Encryption Key - CSPUsed for AES Key Wrapping of the 802.11 Group Temporal Key (GTK)128 or 256 bits - 128 or 256 bitsKernel AES-CBC Kernel AES-CCM (BC-Auth) Kernel AES-GCM (BC-Auth)Kernel AES-CBC Kernel AES-CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
FIPS provider 802.11 Group Temporal Key (GTK)Group Temporal Key - CSP802.11 session key for broadcast communications128 to 256 bits - 128 to 256 bitsKernel AES-CBC Kernel AES-CCM (BC-Auth) Kernel AES-GCM (BC-Auth)Kernel AES-CBC Kernel AES-CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
Strengted ByStrengt
FIPS Provider KMAC KeyAuthenticat ion key - CSPKMAC key112-256 bits - 112-256 bitsFIPS provider KMAC
Kernel AES keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input)For the duration of the service
Kernel HMAC keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input)For the duration of the service
Kernel Intermediat e Key Generation ValueRAM:Plaintex tKernel free cipher handle Remove power from the moduleFor the duration of the serviceKernel EC public key:Generates Kernel EC private key:Generates
Kernel shared secretRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI output parameters Kernel AF_ALG type sockets (output)For the duration of the serviceKernel EC public key:Used With Kernel EC private key:Used With
Kernel DRBG seedRAM:Plaintex tKernel free cipher handle Remove power from the moduleWhile the DRBG is being instantiatedEntropy input:Derived From DRBG Internal State (V, Key):Generates
Kernel EC public keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input) API output parameters Kernel AF_ALG typeFor the duration of the serviceKernel EC private key:Paired With Kernel Intermediate Key Generation Value:Generated from

Table 17: SSP Zeroization Methods h (KTSWrap) © 2025 Ezurio/atsec information security.

Page 56

h AESGCM (KTSWrap) AESCBC-CS3 (BCAuth) AESGCM (BCAuth) AESCMAC AESGMAC © 2025 Ezurio/atsec information security.

Page 57

h KAS-ECCSSC KASECC-SSC KASECC-SSC © 2025 Ezurio/atsec information security.

Page 58

C) h (KTSWrap) AESGCM (KTSWrap) AESCBC-CS1 AESCBC-CS2 AESCBC-CS3 AESCFB1 AESCFB8 © 2025 Ezurio/atsec information security.

Page 59

h 2248192 (BCAuth) AESGCM (BCAuth) AESCMAC AESGMAC n KAS-FFCSSC KAS-ECCSSC © 2025 Ezurio/atsec information security.

Page 60

h n n n n © 2025 Ezurio/atsec information security.

Page 61

h 9, 9, KAS-FFCSSC KAS-FFCSSC KASECC-SSC e e KASECC-SSC e © 2025 Ezurio/atsec information security.

Page 62

h 9, 9, e KAS-IFCSSC © 2025 Ezurio/atsec information security.

Page 63

h 2244096 e KAS-IFCSSC e © 2025 Ezurio/atsec information security.

Page 64

h 1124096 n n © 2025 Ezurio/atsec information security.

Page 65

h keyderivation 1124096 n n n n n n n n © 2025 Ezurio/atsec information security.

Page 66

h Preshared n n n © 2025 Ezurio/atsec information security.

Page 67

h N/A N/A n n n n (BCAuth) AESGCM (BCAuth) n (BCAuth) AESGCM (BCAuth) (BCAuth) AESGCM (BCAuth) © 2025 Ezurio/atsec information security.

Page 68
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroizationUseInputSize - Strengt hRelated SSPs
Strengted ByStrengt
FIPS Provider KMAC KeyAuthenticat ion key - CSPKMAC key112-256 bits - 112-256 bitsFIPS provider KMAC
Kernel AES keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input)For the duration of the service
Kernel HMAC keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input)For the duration of the service
Kernel Intermediat e Key Generation ValueRAM:Plaintex tKernel free cipher handle Remove power from the moduleFor the duration of the serviceKernel EC public key:Generates Kernel EC private key:Generates
Kernel shared secretRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI output parameters Kernel AF_ALG type sockets (output)For the duration of the serviceKernel EC public key:Used With Kernel EC private key:Used With
Kernel DRBG seedRAM:Plaintex tKernel free cipher handle Remove power from the moduleWhile the DRBG is being instantiatedEntropy input:Derived From DRBG Internal State (V, Key):Generates
Kernel EC public keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input) API output parameters Kernel AF_ALG typeFor the duration of the serviceKernel EC private key:Paired With Kernel Intermediate Key Generation Value:Generated from

Table 18: SSP Table 1 h t t t t t t n © 2025 Ezurio/atsec information security.

Page 69
Sensitive security parameter
NameStorageZeroizationOutputRelated SSPs
Kernel EC private keyRAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_typ e sockets (input) API output parameters Kernel AF_ALG type sockets (output)For the duration of the serviceKernel EC public key:Paired With Kernel Intermediate Key Generation Value:Generated from
Entropy inputRAM:Plaintex tKernel free cipher handle FIPS provider calling the zeroization API Remove power from the moduleFrom generation until DRBG seed is createdKernel DRBG seed:Derives FIPS provider DRBG seed:Derives
DRBG Internal State (V, Key)RAM:Plaintex tKernel free cipher handle FIPS provider calling the zeroization API Remove power from the moduleFrom DRBG instantiatio n until DRBG terminationKernel DRBG seed:Generated from FIPS provider DRBG seed:Generated from
DRBG Internal state (V, C)RAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleFrom DRBG instantiatio n until DRBG terminationKernel DRBG seed:Generated from FIPS provider DRBG seed:Generated from
FIPS provider AES KeyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider HMAC keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider shared secretRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider DH public key:Established by FIPS provider DH private key:Established by FIPS provider EC public key:Established by FIPS provider EC private key:Established by FIPS provider derived key:Derives FIPS provider RSA public key:Established by FIPS provider RSA private key:Established by
FIPS provider DRBG seedRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleWhile the DRBG is being instantiatedEntropy input:Derived From DRBG Internal State (V, Key):Generates DRBG Internal state (V, C):Generates
FIPS provider DH public keyRAM:Plaintex tFIPS provider calling the zeroization APIAPI input parametersFor the duration of the serviceFIPS provider DH private key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider DH private keyRAM:Plaintex tFIPS provider calling the zeroization APIAPI input parametersFor the duration of the serviceFIPS provider DH public key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider EC public keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider EC private key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider EC private keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider EC public key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider module generated DH public keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider module generated DH private key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider module generated DH private keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider module generated DH public key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider module generated EC public keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider module generated EC private key:Paired With FIPS provider Intermediate Key Generation
FIPS provider module generated EC private keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider module generated EC public key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider RSA public keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider RSA private key:Paired With FIPS provider Intermediate Key Generation Value:Generated from FIPS provider shared secret:Establishe s
FIPS provider RSA private keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider RSA public key:Paired With FIPS provider Intermediate Key Generation Value:Generated from FIPS provider shared secret:Establishe s
FIPS provider module generated RSA public keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider module generated RSA private key:Paired With FIPS provider Intermediate Key Generation Value:Generated from
FIPS provider module generated RSA private keyRAM:Plaintex tFIPS provider calling the zeroization API RemoveAPI output parametersFor the duration of the serviceFIPS provider module generated RSA public key:Paired With FIPS provider Intermediate Key

n t t t t t © 2025 Ezurio/atsec information security.

Page 70

t t t t n © 2025 Ezurio/atsec information security.

Page 71

n t t t t t t © 2025 Ezurio/atsec information security.

Page 72

n t t t t t s s © 2025 Ezurio/atsec information security.

Page 73
Sensitive security parameter
NameGenerationStorageZeroization
FIPS provider Intermediat e Key Generation ValueFIPS provider module generated DH public key:Generates FIPS provider DH private key:Generates FIPS provider module generated DH public key:Generates FIPS provider module generated DH private key:Generates FIPS provider EC public key:Generates FIPS provider EC private key:Generates FIPS provider module generated EC public key:Generates FIPS provider module generated EC private key:Generates FIPS provider RSA public key:Generates FIPS provider RSA private key:Generates FIPS provider module generated RSA public key:Generates FIPS provider module generated RSA private key:GeneratesRAM:Plaintex tFIPS provider AutomaticFor the duration of the service

t n © 2025 Ezurio/atsec information security.

Page 74
Sensitive security parameter
NameStorageZeroizationInputRelated SSPs
FIPS provider derived keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider key-derivation key:Derived From FIPS provider shared secret:Derived From FIPS provider password:Derive d From
FIPS provider key- derivation keyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider derived key:Derives
FIPS provider PasswordRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider derived key:Derives
FIPS provider AES Derived KeyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider derived key:Derives
FIPS provider HMAC Derived KeyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider derived key:Derives
FIPS provider 802.11 Pre- shared key (PSK)RAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider derived key:Used With
FIPS provider 802.11 Pairwise Master Key (PMK)RAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider derived key:Used With
FIPS provider 802.11 KDF Internal StateFIPS provider calling the zeroization API Remove power from the moduleFor the duration of the service
FIPS provider 802.11 Temporal KeysRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceKernel AES key:Encrypts Kernel AES key:Decrypts
FIPS provider 802.11 MIC keys (KCK)RAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider 802.11 Key Encryption Key (KEK)RAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI input parametersFor the duration of the serviceKernel AES key:Encrypts
FIPS provider 802.11 Group Temporal Key (GTK)RAM:Plaintex tKernel free cipher handle Remove power from the moduleAPI output parametersFor the duration of the serviceKernel AES key:Encrypts Kernel AES key:Decrypts
FIPS Provider KMAC KeyRAM:Plaintex tFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service

n keyderivation t t t t t t © 2025 Ezurio/atsec information security.

Page 75

t t t t t t n © 2025 Ezurio/atsec information security.

Page 76
9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2025 Ezurio/atsec information security.

Page 77
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest Propertie sCondition s
HMAC- SHA2-256 (A5009)HMAC- SHA2-256 (A5009)Message AuthenticationSW/FW IntegrityIntegrity test for fips.so; Integrity test for kernel binary; Integrity test for fipsheck binary; Integrity test for fipscheck library256-bit keyModule becomes operational and services are available for use
ECDSA KeyGen (FIPS186- 5) (A4711)ECDSA KeyGen (FIPS186- 5) (A4711)PCTPCTSP 800- 56Ar3 Section 5.6.2.1.4crypto_kpp_g enerate_public_k ey returns 0N/AKey pair generation
SHA2-224 (A4711)SHA2-224 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA2-256 (A4711)SHA2-256 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA2-384 (A4711)SHA2-384 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA2-512 (A4711)SHA2-512 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA3-224 (A4713)SHA3-224 (A4713)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA3-256 (A4713)SHA3-256 (A4713)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest Propertie sCondition s
HMAC- SHA2-256 (A5009)HMAC- SHA2-256 (A5009)Message AuthenticationSW/FW IntegrityIntegrity test for fips.so; Integrity test for kernel binary; Integrity test for fipsheck binary; Integrity test for fipscheck library256-bit keyModule becomes operational and services are available for use
ECDSA KeyGen (FIPS186- 5) (A4711)ECDSA KeyGen (FIPS186- 5) (A4711)PCTPCTSP 800- 56Ar3 Section 5.6.2.1.4crypto_kpp_g enerate_public_k ey returns 0N/AKey pair generation
SHA2-224 (A4711)SHA2-224 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA2-256 (A4711)SHA2-256 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA2-384 (A4711)SHA2-384 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA2-512 (A4711)SHA2-512 (A4711)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA3-224 (A4713)SHA3-224 (A4713)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
SHA3-256 (A4713)SHA3-256 (A4713)KATCAS TMessage digestModule is operational0-8184 bit messagesModule initializatio n
10 Self-Tests
10.1 Pre-Operational Self-Tests

HMACSHA2-256 Table 20: Pre-Operational Self-Tests The pre-operational firmware integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithm used for the integrity test (i.e., HMAC-SHA2-256) is self-tested before the firmware integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

(FIPS1865) s N/A d e s SP 80056Ar3 5.6.2.1.4 T T T T T T n n n n n n © 2025 Ezurio/atsec information security.

Page 78
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorCondition s
SHA3-384 (A4713)SHA3-384 (A4713)KATCAS TMessage digest0-8184 bit messagesModule is operationalModule initializatio n
SHA3-512 (A4713)SHA3-512 (A4713)KATCAS TMessage digest0-8184 bit messagesModule is operationalModule initializatio n
AES-ECB (A4711)AES-ECB (A4711)KATCAS TEncryption, Decryption (Separately)128, 192, 256 bit keysModule is operationalModule initializatio n
AES-CBC (A4712)AES-CBC (A4712)KATCAS TEncryption, Decryption (Separately)128, 192, 256 bit keysModule is operationalModule initializatio n
AES-CTR (A4712)AES-CTR (A4712)KATCAS TEncryption, Decryption (Separately)128, 192, 256 bit keysModule is operationalModule initializatio n
AES-CCM (A4712)AES-CCM (A4712)KATCAS TEncryption, Decryption (Separately)128, 192, 256 bit keysModule is operationalModule initializatio n
AES-GCM (A4712)AES-GCM (A4712)KATCAS TMessage authenticatio n128, 192, 256 bit keysModule is operationalModule initializatio n
AES- CMAC (A4712)AES- CMAC (A4712)KATCAS TMessage authenticatio n128 and 256 bit keysModule is operationalModule initializatio n
KAS-ECC- SSC Sp800- 56Ar3 (A4711)KAS-ECC- SSC Sp800- 56Ar3 (A4711)KATCAS TShared secret computationP-256, P- 384Module is operationalModule initializatio n
Counter DRBG (A4711)Counter DRBG (A4711)KATCAS TSeed Generate128, 192, 256 bit keys with/witho ut PR; Health test per section 11.3 of SP 800-90AModule is operationalModule initializatio n
ECDSA KeyGen (FIPS186- 5) (A5009)ECDSA KeyGen (FIPS186- 5) (A5009)PCTPCTSignature generation and verificationSHA2-256Successful key generationEC key pair generation
RSA KeyGen (FIPS186- 5) (A5018)RSA KeyGen (FIPS186- 5) (A5018)PCTPCTSignature generation and verificationPKCS#1 v1.5 with SHA2-256Successful key generationRSA key pair generation
Safe Primes KeySafe Primes KeyPCTPCTPublic key re- computation andN/ASuccessful key generationSafe Primes key
Generatio n (A5014)Generatio n (A5014)comparison with the existing public key (per SP 800- 56Ar3 Section 5.6.2.1.4)pair generation
EDDSA KeyGen (A5016)EDDSA KeyGen (A5016)PCTPCTSignature generation and verificationED25519 and ED448Successful key generationEDDSA key pair generation
SHA-1 (A5009)SHA-1 (A5009)KATCAS TMessage Digest24-bit messageModule is operationalModule initializatio n
SHA2-512 (A5009)SHA2-512 (A5009)KATCAS TMessage Digest24-bit messageModule is operationalModule initializatio n
SHA3-256 (A5011)SHA3-256 (A5011)KATCAS TMessage Digest32-bit messageModule is operationalModule initializatio n
AES-ECB (A5002)AES-ECB (A5002)KATCAS TDecryption128-bit keys, 128- bit ciphertextModule is operationalModule initializatio n
AES-GCM (A5005)AES-GCM (A5005)KATCAS TEncryption, Decryption (Separately)256-bit keys, 96- bit IVs, 128-bit plaintext, 128-bit additional dataModule is operationalModule initializatio n
KDF SP800- 108 (A5017)KDF SP800- 108 (A5017)KATCAS TKey DerivationCounter mode, HMAC- SHA2-256, 128-bit input keyModule is operationalModule initializatio n
KDA OneStep SP800- 56Cr2 (A5012)KDA OneStep SP800- 56Cr2 (A5012)KATCAS TKey DerivationSHA-224, 392-bit input secretModule is operationalModule initializatio n
KDA HKDF Sp800- 56Cr1 (A5013)KDA HKDF Sp800- 56Cr1 (A5013)KATCAS TKey DerivationSHA-256, 48-bit input secretModule is operationalModule initializatio n
KDF ANS 9.42 (A5009)KDF ANS 9.42 (A5009)KATCAS TKey DerivationSHA-1 with AES-128, KW, 160-Module is operationalModule initializatio n
KDF ANS 9.63 (A5009)KDF ANS 9.63 (A5009)KATCAS TKey DerivationSHA-256, 192-bit input secretModule is operationalModule initializatio n
KDF SSH (A5019)KDF SSH (A5019)KATCAS TKey DerivationSHA-1, 1056-bit input secretModule is operationalModule initializatio n
TLS v1.2 KDF RFC7627 (A5009)TLS v1.2 KDF RFC7627 (A5009)KATCAS TKey DerivationSHA-256, 84-bit input secretModule is operationalModule initializatio n
TLS v1.3 KDF (A5013)TLS v1.3 KDF (A5013)KATCAS TKey DerivationExtract and expand modes, SHA-256Module is operationalModule initializatio n
PBKDF (A5009)PBKDF (A5009)KATCAS TKey DerivationSHA-256, 24- character password, 288-bit salt, Iteration count: 4096Module is operationalModule initializatio n
Counter DRBG (A5015)Counter DRBG (A5015)KATCAS TInstantiate, Generate, Reseed, Generate (compliant with SP 800- 90Ar1 Section 11.3)AES-128 with prediction resistanceModule is operationalModule initializatio n
HMAC DRBG (A5015)HMAC DRBG (A5015)KATCAS TInstantiate, Generate, Reseed, Generate (compliant with SP 800- 90Ar1 Section 11.3)SHA-1 with prediction resistanceModule is operationalModule initializatio n
Hash DRBG (A5015)Hash DRBG (A5015)KATCAS TInstantiate, Generate, Reseed, Generate (compliant with SP 800- 90Ar1 Section 11.3)SHA-256 with prediction resistanceModule is operationalModule initializatio n
KAS-FFC- SSC Sp800- 56Ar3 (A5014)KAS-FFC- SSC Sp800- 56Ar3 (A5014)KATCAS TShared Secret Computationffdhe2048Module is operationalModule initializatio n
KAS-ECC- SSC Sp800- 56Ar3 (A5009)KAS-ECC- SSC Sp800- 56Ar3 (A5009)KATCAS TShared Secret ComputationP-256Module is operationalModule initializatio n
RSA SigGen (FIPS186- 5) (A5009)RSA SigGen (FIPS186- 5) (A5009)KATCAS TSignature GenerationPKCS#1 v1.5 with SHA-256 and 2048- bit keyModule is operationalModule initializatio n
RSA SigVer (FIPS186- 5) (A5009)RSA SigVer (FIPS186- 5) (A5009)KATCAS TSignature VerificationPKCS#1 v1.5 with SHA-256 and 2048- bit keyModule is operationalModule initializatio n
ECDSA SigGen (FIPS186- 5) (A5009)ECDSA SigGen (FIPS186- 5) (A5009)KATCAS TSignature GenerationSHA-256 and P-224, P-256, P- 384, and P- 521Module is operationalModule initializatio n
ECDSA SigVer (FIPS186- 5) (A5009)ECDSA SigVer (FIPS186- 5) (A5009)KATCAS TSignature VerificationSHA-256 and P-224, P-256, P- 384, and P- 521Module is operationalModule initializatio n
EDDSA SigGen (A5016)EDDSA SigGen (A5016)KATCAS TSignature GenerationED25519 and ED448Module is operationalModule initializatio n
EDDSA SigVer (A5016)EDDSA SigVer (A5016)KATCAS TSignature VerificationED25519 and ED448Module is operationalModule initializatio n
KTS-IFC (A5018)KTS-IFC (A5018)KATCAS TDecryptionSHA-256, no paddingModule is operationalModule initializatio n

s d e T s T P-256, P384 T T T T T T T n n n n n n n n n n n T n N/A AESCMAC KAS-ECCSSC Sp80056Ar3 (FIPS1865) (FIPS1865) © 2025 Ezurio/atsec information security.

Page 79

s d e T SP800108 SP80056Cr2 Sp80056Cr1 s 5.6.2.1.4) T T keys, 128bit HMACSHA2-256, T T n T n T n T n T n n n n n © 2025 Ezurio/atsec information security.

Page 80

s 24character d e s T n T n T n T n T n T n T T n n © 2025 Ezurio/atsec information security.

Page 81

KAS-FFCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 (FIPS1865) (FIPS1865) (FIPS1865) (FIPS1865) s d e T s n T n P-256, P384, and P521 P-256, P384, and P521 T n T n T n T n T T T n n n Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in in the table above. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state.

10.3 Periodic Self-Test Information

© 2025 Ezurio/atsec information security.

Page 82
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2- 256 (A5009)HMAC-SHA2- 256 (A5009)Message AuthenticationSW/FW IntegrityOn-demandManually
ECDSA KeyGen (FIPS186-5) (A4711)ECDSA KeyGen (FIPS186-5) (A4711)PCTPCTOn demandManually
SHA2-224 (A4711)SHA2-224 (A4711)KATCASTOn demandManually
SHA2-256 (A4711)SHA2-256 (A4711)KATCASTOn demandManually
SHA2-384 (A4711)SHA2-384 (A4711)KATCASTOn demandManually
SHA2-512 (A4711)SHA2-512 (A4711)KATCASTOn demandManually
SHA3-224 (A4713)SHA3-224 (A4713)KATCASTOn demandManually
SHA3-256 (A4713)SHA3-256 (A4713)KATCASTOn demandManually
SHA3-384 (A4713)SHA3-384 (A4713)KATCASTOn demandManually
SHA3-512 (A4713)SHA3-512 (A4713)KATCASTOn demandManually
AES-ECB (A4711)AES-ECB (A4711)KATCASTOn demandManually
AES-CBC (A4712)AES-CBC (A4712)KATCASTOn demandManually
AES-CTR (A4712)AES-CTR (A4712)KATCASTOn demandManually
AES-CCM (A4712)AES-CCM (A4712)KATCASTOn demandManually
AES-GCM (A4712)AES-GCM (A4712)KATCASTOn demandManually
AES-CMAC (A4712)AES-CMAC (A4712)KATCASTOn demandManually
KAS-ECC-SSC Sp800-56Ar3 (A4711)KAS-ECC-SSC Sp800-56Ar3 (A4711)KATCASTOn demandManually
Counter DRBG (A4711)Counter DRBG (A4711)KATCASTOn demandManually
ECDSA KeyGen (FIPS186-5) (A5009)ECDSA KeyGen (FIPS186-5) (A5009)PCTPCTOn demandManually
RSA KeyGen (FIPS186-5) (A5018)RSA KeyGen (FIPS186-5) (A5018)PCTPCTOn demandManually
Safe Primes Key Generation (A5014)Safe Primes Key Generation (A5014)PCTPCTOn demandManually
EDDSA KeyGen (A5016)EDDSA KeyGen (A5016)PCTPCTOn demandManually
SHA-1 (A5009)SHA-1 (A5009)KATCASTOn demandManually
SHA2-512 (A5009)SHA2-512 (A5009)KATCASTOn demandManually
SHA3-256 (A5011)SHA3-256 (A5011)KATCASTOn demandManually
AES-ECB (A5002)AES-ECB (A5002)KATCASTOn demandManually
AES-GCM (A5005)AES-GCM (A5005)KATCASTOn demandManually
KDF SP800-108 (A5017)KDF SP800-108 (A5017)KATCASTOn demandManually
KDA OneStep SP800-56Cr2 (A5012)KDA OneStep SP800-56Cr2 (A5012)KATCASTOn demandManually
KDA HKDF Sp800-56Cr1 (A5013)KDA HKDF Sp800-56Cr1 (A5013)KATCASTOn demandManually
KDF ANS 9.42 (A5009)KDF ANS 9.42 (A5009)KATCASTOn demandManually
KDF ANS 9.63 (A5009)KDF ANS 9.63 (A5009)KATCASTOn demandManually
KDF SSH (A5019)KDF SSH (A5019)KATCASTOn demandManually
TLS v1.2 KDF RFC7627 (A5009)TLS v1.2 KDF RFC7627 (A5009)KATCASTOn demandManually
TLS v1.3 KDF (A5013)TLS v1.3 KDF (A5013)KATCASTOn demandManually
PBKDF (A5009)PBKDF (A5009)KATCASTOn demandManually
Counter DRBG (A5015)Counter DRBG (A5015)KATCASTOn demandManually
HMAC DRBG (A5015)HMAC DRBG (A5015)KATCASTOn demandManually
Hash DRBG (A5015)Hash DRBG (A5015)KATCASTOn demandManually
KAS-FFC-SSC Sp800-56Ar3 (A5014)KAS-FFC-SSC Sp800-56Ar3 (A5014)KATCASTOn demandManually
KAS-ECC-SSC Sp800-56Ar3 (A5009)KAS-ECC-SSC Sp800-56Ar3 (A5009)KATCASTOn demandManually
RSA SigGen (FIPS186-5) (A5009)RSA SigGen (FIPS186-5) (A5009)KATCASTOn demandManually
RSA SigVer (FIPS186-5) (A5009)RSA SigVer (FIPS186-5) (A5009)KATCASTOn demandManually
ECDSA SigGen (FIPS186-5) (A5009)ECDSA SigGen (FIPS186-5) (A5009)KATCASTOn demandManually
ECDSA SigVer (FIPS186-5) (A5009)ECDSA SigVer (FIPS186-5) (A5009)KATCASTOn demandManually
EDDSA SigGen (A5016)EDDSA SigGen (A5016)KATCASTOn demandManually
EDDSA SigVer (A5016)EDDSA SigVer (A5016)KATCASTOn demandManually
KTS-IFC (A5018)KTS-IFC (A5018)KATCASTOn demandManually

HMAC-SHA2Message Table 22: Pre-Operational Periodic Information © 2025 Ezurio/atsec information security.

Page 83

© 2025 Ezurio/atsec information security.

Page 84
Service
NameDescriptionRole AccessIndicatorRecovery Method
Error StateThe module immediately stops functioning due to a self-test failureIntegrity test failure CAST Failure PCT FailureModule rebootsReboot and successful completion of self- tests

Table 23: Conditional Periodic Information

10.4 Error States

Table 24: Error States In the error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module. © 2025 Ezurio/atsec information security.

Page 85
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Before deploying the module for usage, the Crypto Officer shall employ the following steps:

  1. Verify the HMAC values of each component of the module as listed in section 2.2.
  2. Verify that the kernel component command line is configured to run fipsInit.sh before any user mode application or init system.
  3. Verify that ‘fips=1’ parameter is present on the kernel command line for approved mode operation.
11.2 Administrator Guidance

The Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Summit Linux This output maps to the module name “Summit Linux FIPS Core Crypto Module”. Next the Crypto Officer must execute “cat /proc/sys/crypto/fips_version”. This command must output the following: 11.0 The following are the HMAC values for each of the module components:

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. © 2025 Ezurio/atsec information security.

Page 86
12 Mitigation of Other Attacks
12.1 Attack List

For the FIPS Provider component, certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The FIPS Provider component mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:

Page 87

Appendix A. Glossary and Abbreviations AES API CAST CAVP CBC CCM CFB CMAC CMVP CSP CTR CTS DH DRBG ECB ECC ECDH ECDSA EMS ENT (NP) FFC FIPS GCM GMAC HKDF HMAC IPsec KAT KBKDF MAC NIST PAA PBKDF2 PKCS RSA SFI SHA SSC SSP TOEPP XTS Advanced Encryption Standard Application Programming Interface Cryptographic Algorithm Self-Test Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Ciphertext Stealing Diffie-Hellman Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Diffie-Hellman Elliptic Curve Digital Signature Algorithm Extended Master Secret Non-physical Entropy Source Finite Field Cryptography Federal Information Processing Standards Galois Counter Mode Galois Counter Mode Message Authentication Code HMAC-based Key Derivation Function Keyed-Hash Message Authentication Code Internet Protocol Security Known Answer Test Key-based Key Derivation Function Message Authentication Code National Institute of Science and Technology Processor Algorithm Acceleration Password-based Key Derivation Function v2 Public-Key Cryptography Standards Rivest, Shamir, Addleman Security Function Implementation Secure Hash Algorithm Shared Secret Computation Sensitive Security Parameter Test Operational Environment’s Physical Perimeter XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Ezurio/atsec information security.

Page 88

Appendix B. References ANS X9.422001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.632001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 3, 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt © 2025 Ezurio/atsec information security.

Page 89

RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf © 2025 Ezurio/atsec information security.

Page 90

SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2025 Ezurio/atsec information security.

Referenced URLs