| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/3/2030 |
| Caveat | When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. The module generates random strings whose strengths are modified by available entropy. |
| Vendor | Red Hat, Inc. |
flowchart LR
%% Deterministic review-risk graph for Red Hat Enterprise Linux 8 Kernel Cryptographic API
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Red Hat Enterprise Linux 8 Kernel Cryptographic API
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Red Hat, Inc. Red Hat Enterprise Linux 8 Kernel Cryptographic API Document Version: 1.1 Last Modified: 22/10/2025 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2025 Red Hat, Inc./ atsec information security corporation.
| # | Section | Page |
|---|
© 2025 Red Hat, Inc./ atsec information security corporation.
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 5: Modes List and Description | 9 |
| Table 6: Approved Algorithms | 16 |
| Table 7: Non-Approved, Not Allowed Algorithms | 16 |
| Table 8: Security Function Implementations | 20 |
| Table 9: Entropy Certificates | 21 |
| Table 10: Entropy Sources | 21 |
| Table 11: Ports and Interfaces | 23 |
| Table 12: Roles | 24 |
| Table 13: Approved Services | 28 |
| Table 14: Non-Approved Services | 29 |
| Table 15: Storage Areas | 34 |
| Table 16: SSP Input-Output Methods | 34 |
| Table 17: SSP Zeroization Methods | 35 |
| Table 18: SSP Table 1 | 36 |
| Table 19: SSP Table 2 | 37 |
| Table 20: Pre-Operational Self-Tests | 39 |
| Table 21: Conditional Self-Tests | 62 |
| Table 22: Pre-Operational Periodic Information | 62 |
| Table 23: Conditional Periodic Information | 69 |
| Table 24: Error States | 69 |
| Figure 1: Block Diagram | 7 |
This document is the non-proprietary FIPS 140-3 Security Policy for version kernel 4.18.0477.72.1.el8_8; libkcapi 1.2.0-3.el8_8 of the Red Hat Enterprise Linux 8 Kernel Cryptographic API module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.
In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1 Table 1: Security Levels © 2025 Red Hat, Inc./ atsec information security corporation.
Purpose and Use: The Red Hat Enterprise Linux 8 Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. The PAA/PAI provided by the processor is located within the module’s physical perimeter and outside of the module’s cryptographic boundary. © 2025 Red Hat, Inc./ atsec information security corporation.
Tested Module Identification
Package or File Name Software/ Features Integrity Firmware Test Version 477.72.1.el8_8.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.2.0, /usr/bin/sha512hmac Table 2: Tested Module Identification
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically Approved For all approved algorithms except GCM: mode entered whenever respective approved service function an approved returns indicator 0; For GCM: © 2025 Red Hat, Inc./ atsec information security corporation.
Mode Description Type Status Indicator Name service is crypto_aead_get_flags(tfm) has the requested CRYPTO_TFM_ FIPS_COMPLIANCE flag set Non- Automatically Non- No service indicator required for nonapproved entered whenever Approved approved services per IG 2.4.C mode a non-approved service is requested Table 5: Modes List and Description After the module is powered on, it performs all the pre-operational self-tests and cryptographic algorithm self-tests without operator intervention. Only after all the self-tests are successful, the module automatically transitions to the approved mode. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: The module does not implement a degraded mode of operation.
Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5720 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5726 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5729 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5723 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5733 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A5720 Key Length - 128, 192, 256 SP 800-38C AES-CCM A5729 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A5722 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A5732 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A5720 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5729 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm CAVP Properties Reference Cert AES-CTR A5720 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5726 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5729 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5720 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5724 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5725 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5726 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5727 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5728 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5729 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5730 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5731 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5720 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5724 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5725 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5726 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5727 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5728 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5729 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm CAVP Properties Reference Cert IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5730 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5731 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5720 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5729 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-XTS Testing A5720 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5726 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5729 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A5720 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5724 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5725 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5726 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5727 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5728 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5729 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5730 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm CAVP Properties Reference Cert Counter DRBG A5731 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Hash DRBG A5720 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5724 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5725 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5726 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5727 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5728 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5729 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5730 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5731 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5734 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5735 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5736 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5720 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5724 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5725 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm CAVP Properties Reference Cert HMAC DRBG A5726 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5727 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5728 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5729 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5730 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5731 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5734 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5735 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5736 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC-SHA-1 A5720 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5734 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5735 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA-1 A5736 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5720 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5734 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5735 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-224 A5736 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5720 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5734 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-256 A5735 Key Length - Key Length: 112- FIPS 198-1
© 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm CAVP Properties Reference Cert HMAC-SHA2-256 A5736 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5720 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5734 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5735 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-384 A5736 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5720 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5734 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5735 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA2-512 A5736 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-224 A5721 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-256 A5721 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-384 A5721 Key Length - Key Length: 112- FIPS 198-1
HMAC-SHA3-512 A5721 Key Length - Key Length: 112- FIPS 198-1
RSA SigVer (FIPS186- A5720 Signature Type - PKCS 1.5 FIPS 186-5
Algorithm CAVP Properties Reference Cert SHA2-224 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm CAVP Properties Reference Cert SHA3-256 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-512 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with external Encryption with external IV (not compliant to FIPS 140-3 IG C.H) IV KBKDF (libkcapi) Key derivation with implementation not tested by CAVP HKDF (libkcapi) Key derivation with implementation not tested by CAVP PBKDF2 (libkcapi) Password-based key derivation with implementation not tested by CAVP RSA Encryption primitive; Decryption primitive (not compliant to SP 800-56Br2) RSA with PKCS#1 v1.5 Signature generation (pre-hashed message); Signature padding verification (pre-hashed message) Table 7: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Encryption with BC-UnAuth Encrypt a Key size(s):128, AES-CBC: AES plaintext with 192, 256 bits (A5720, A5726, AES (XTS mode 128 A5729) and 256 bits AES-CBC-CS3: only) (A5723, A5733) AES-CFB128: (A5722, A5732) © 2025 Red Hat, Inc./ atsec information security corporation.
Name Type Description Properties Algorithms AES-CTR: (A5720, A5726, A5729) AES-ECB: (A5720, A5724, A5725, A5726, A5727, A5728, A5729, A5730, A5731) AES-XTS Testing Revision 2.0: (A5720, A5726, A5729) Decryption with BC-UnAuth Decrypt a Key size(s):128, AES-CBC: AES ciphertext with 192, 256 bits (A5720, A5726, AES (XTS mode 128 A5729) and 256 bits AES-CBC-CS3: only) (A5723, A5733) AES-CFB128: (A5722, A5732) AES-CTR: (A5720, A5726, A5729) AES-ECB: (A5720, A5724, A5725, A5726, A5727, A5728, A5729, A5730, A5731) AES-XTS Testing Revision 2.0: (A5720, A5726, A5729) Hashing SHA Compute a SHA-1:N/A SHA-1: (A5720, message digest SHA2-224:N/A A5734, A5735, SHA2-256:N/A A5736) SHA2-384:N/A SHA2-224: SHA2-512:N/A (A5720, A5734, SHA3-224:N/A A5735, A5736) SHA3-256:N/A SHA2-256: SHA3-384:N/A (A5720, A5734, SHA3-512:N/A A5735, A5736) SHA2-384: (A5720, A5734, A5735, A5736) SHA2-512: (A5720, A5734, A5735, A5736) SHA3-224: (A5721) SHA3-256: (A5721) © 2025 Red Hat, Inc./ atsec information security corporation.
Name Type Description Properties Algorithms SHA3-384: (A5721) SHA3-512: (A5721) Message MAC Compute a MAC HMAC key AES-CMAC: authentication tag for size(s):112- (A5720, A5729) authentication 524288 bits AES-GMAC: (112-256 bits) (A5720, A5729) AES key HMAC-SHA-1: size(s):128, 192, (A5720, A5734,
HMAC-SHA2224: (A5720, A5734, A5735, A5736) HMAC-SHA2256: (A5720, A5734, A5735, A5736) HMAC-SHA2384: (A5720, A5734, A5735, A5736) HMAC-SHA2512: (A5720, A5734, A5735, A5736) HMAC-SHA3224: (A5721) HMAC-SHA3256: (A5721) HMAC-SHA3384: (A5721) HMAC-SHA3512: (A5721) Random DRBG Generate Counter Counter DRBG: number random DRBG:128, 192, (A5720, A5724, generation with numbers from 256 bits A5725, A5726, DRBGs DRBGs HMAC A5727, A5728, DRBG:128, 256 A5729, A5730, bits A5731) Hash DRBG:128, Hash DRBG:
A5725, A5726, A5727, A5728, A5729, A5730, A5731, A5734, A5735, A5736) HMAC DRBG: (A5720, A5724, A5725, A5726, A5727, A5728, © 2025 Red Hat, Inc./ atsec information security corporation.
Name Type Description Properties Algorithms A5729, A5730, A5731, A5734, A5735, A5736) Signature DigSig-SigVer Verify a Padding:PKCS#1 RSA SigVer verification with signature with v1.5 (FIPS186-5): RSA RSA Hashes:SHA-256 (A5720, A5734, Key size(s):3072 A5735, A5736) bits (128 bits) Authenticated BC-Auth Encrypt and Key size(s):128, AES-CCM: encryption with authenticate a 192, 256 bits (A5720, A5729) AES plaintext with AES-GCM: AES (A5724, A5727, A5730) AES-CBC: (A5720, A5726, A5729) AES-CTR: (A5720, A5726, A5729) HMAC-SHA-1: (A5720, A5734, A5735, A5736) HMAC-SHA2256: (A5720, A5734, A5735, A5736) HMAC-SHA2384: (A5720, A5734, A5735, A5736) HMAC-SHA2512: (A5720, A5734, A5735, A5736) Authenticated BC-Auth Decrypt and Key size(s):128, AES-CCM: decryption with authenticate a 192, 256 bits (A5720, A5729) AES ciphertext with AES-GCM: AES (A5720, A5725, A5726, A5728, A5729, A5731) AES-CBC: (A5720, A5726, A5729) AES-CTR: (A5720, A5726, A5729) HMAC-SHA-1: (A5720, A5734, A5735, A5736) HMAC-SHA2256: (A5720, A5734, A5735, © 2025 Red Hat, Inc./ atsec information security corporation.
Name Type Description Properties Algorithms A5736) HMAC-SHA2384: (A5720, A5734, A5735, A5736) HMAC-SHA2512: (A5720, A5734, A5735, A5736) Table 8: Security Function Implementations
The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario
1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs
generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in Section 4.3.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. © 2025 Red Hat, Inc./ atsec information security corporation.
For RSA signature verification, the module supports modulus size 3072 bits. The supported modulus size has been CAVP tested.
The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of each SHA-3 function was tested and validated on all the module’s operating environments. SHAKE functions are not implemented. SHA-3 hash functions are also used as part of a higher-level algorithm for HMAC.
Cert Vendor Number Name E174 Red Hat, Inc. Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample RHEL 8 Kernel Non- Red Hat Enterprise 64 bits 57.30 Linear-Feedback CPU Time Jitter Physical Linux 8 on Dell bits Shift Register RNG Entropy PowerEdge R440 (LFSR) Source Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of these DRBG implementations can be instantiated by the operator of the module. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA2-512 DRBG implementation for internal purposes (e.g. to generate initialization vectors). This DRBG is initially seeded with
384 output bits from the entropy source (343 bits of entropy) and reseeded with 256 output
bits from the entropy source (229 bits of entropy).
The module does not provide key generation.
The module does not provide key establishment.
© 2025 Red Hat, Inc./ atsec information security corporation.
AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP. © 2025 Red Hat, Inc./ atsec information security corporation.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type sockets N/A Data Output API data output parameters, AF_ALG type sockets N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel command line N/A Status API return values, AF_ALG type sockets, kernel logs Output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design, AF_ALG type socket that allows the applications running in the user space to request cryptographic services from the module. The module does not support a control output interface. © 2025 Red Hat, Inc./ atsec information security corporation.
N/A for this module. The module does not implement authentication.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.
Name Descript Indicator Inputs Outputs Security SSP ion Function Access s Message Compute crypto_shash_init Messag Digest Hashing Crypto digest a returns 0 e value Officer message digest Encryptio Encrypt a crypto_skcipher_se AES Ciphertext Encryptio Crypto n plaintext tkey returns 0 key, n with Officer plainte AES - AES xt key: W,E Decryptio Decrypt a crypto_skcipher_se AES Plaintext Decryptio Crypto n ciphertex tkey returns 0 key, n with Officer t ciphert AES - AES ext key: W,E Authentic Encrypt For all except AES AES Ciphertext Authentic Crypto ated and GCM: key, , MAC tag ated Officer encryptio authentic crypto_aead_setke plainte encryptio - AES n ate a y returns 0; For xt n with key: W,E plaintext AES GCM: AES crypto_aead_get_fl ags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set Authentic Encrypt For all except AES AES Plaintext Authentic Crypto ated and GCM: key, or failure ated Officer authentic crypto_aead_setke ciphert decryptio © 2025 Red Hat, Inc./ atsec information security corporation.
Name Descript Indicator Inputs Outputs Security SSP ion Function Access s decryptio ate a y returns 0; For ext, n with - AES n ciphertex AES GCM: MAC AES key: W,E t crypto_aead_get_fl tag ags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set Message Compute crypto_shash_init AES: MAC tag Message Crypto authentic a MAC returns 0 AES authentic Officer ation tag key, ation - AES generatio messag key: W,E n e; - HMAC HMAC: key: W,E HMAC key, messag e Message Compute crypto_shash_init AES: Success/Fa Message Crypto authentic a MAC returns 0 AES ilure authentic Officer ation tag key, ation - AES verificatio messag key: W,E n e, MAC - HMAC tag; key: W,E HMAC: HMAC key, messag e, MAC tag Random Generate crypto_rng_get_byt Output Random Random Crypto number random es returns 0 length bytes number Officer generatio bytes generatio - Entropy n n with input: DRBGs W,E CTR_DR BG Seed: G,E HMAC_D RBG Seed: G,E Hash_DR BG Seed: G,E © 2025 Red Hat, Inc./ atsec information security corporation.
Name Descript Indicator Inputs Outputs Security SSP ion Function Access s CTR_DR BG Internal State (V, Key): G,W,E HMAC_D RBG Internal State (V, Key): G,W,E Hash_DR BG Internal State (V, C): G,W,E Error Compute None Messag EDC None Crypto detection an EDC e Officer code (crc32, crct10dif) Compress Compres None Data Compress None Crypto ion s data ed data Officer (deflate, lz4, lz4hc, lzo, zlibdeflat e, zstd) Generic Use the None Identifi Various None Crypto system kernel to er, return Officer call perform various values various argume non- nts cryptogra phic operation s Show Return None N/A Module None Crypto version the name and Officer module version name and version informati on © 2025 Red Hat, Inc./ atsec information security corporation.
Name Descript Indicator Inputs Outputs Security SSP ion Function Access s Show Return None N/A Module None Crypto status the status Officer module status Self-test Perform None N/A Pass/fail Encryptio Crypto the n with Officer CASTs AES and Decryptio integrity n with tests AES Hashing Message authentic ation Random number generatio n with DRBGs Signature verificatio n with RSA Authentic ated encryptio n with AES Authentic ated decryptio n with AES Zeroizatio Zeroize None Any N/A None Crypto n all SSPs SSP Officer - AES key: Z - HMAC key: Z - Entropy input: Z CTR_DR BG Internal State (V, Key): Z HMAC_D RBG © 2025 Red Hat, Inc./ atsec information security corporation.
Name Descript Indicator Inputs Outputs Security SSP ion Function Access s Internal State (V, Key): Z Hash_DR BG Internal State (V, C): Z CTR_DR BG Seed: Z Hash_DR BG Seed: Z HMAC_D RBG Seed: Z Table 13: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:
Name Description Algorithms Role AES GCM external IV Encrypt a plaintext using AES AES-GCM with CO encryption GCM with an external IV external IV Key derivation Derive a key from a key- KBKDF (libkcapi) CO derivation key or a shared HKDF (libkcapi) secret Password-based key Derive a key from a password PBKDF2 (libkcapi) CO derivation RSA encryption primitive Compute the raw RSA RSA CO encryption of a plaintext RSA decryption primitive Compute the raw RSA RSA CO decryption of a cipertext RSA signature generation Generate a digital signature for RSA with PKCS#1 CO (pre-hashed message) a pre-hashed message v1.5 padding © 2025 Red Hat, Inc./ atsec information security corporation.
Name Description Algorithms Role RSA signature verification Verify a digital signature for a RSA with PKCS#1 CO (pre-hashed message) pre-hashed message v1.5 padding Table 14: Non-Approved Services
The module does not load external software or firmware. © 2025 Red Hat, Inc./ atsec information security corporation.
The static kernel binary is integrity tested using an HMAC-SHA2-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). An HMAC-SHA2-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity. The libkcapi checks the integrity of the binary of the sha512hmac utility first. The sha512hmac utility is then used to perform an HMAC-SHA2-512 calculation of the kernel’s binary to verify its integrity. After the integrity of the kernel’s binary has been verified, the self-test for the RSA signature verification implementation is run. Upon the successful run of this self-test, the RSA signature verification implementation of the kernel (with PKCS#1 v1.5 padding, SHA-256, and a 3072-bit key) is used to verify the integrity of the crypto object files listed in Section
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. © 2025 Red Hat, Inc./ atsec information security corporation.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.
The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to:
The module is comprised of software only and therefore this Section is not applicable. © 2025 Red Hat, Inc./ atsec information security corporation.
This module does not implement any non-invasive security mechanism and therefore this Section is not applicable. © 2025 Red Hat, Inc./ atsec information security corporation.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.
Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameters; calling c module t c AF_ALG_typ applicatio e sockets n (TOEPP) (input) Table 16: SSP Input-Output Methods
Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate handle SSPs SSPs is overwritten with zeroization functions: AES key: contained zeroes, which renders crypto_free_skcipher and within the the SSP values crypto_free_aead; HMAC key: cipher handle irretrievable. The crypto_free_shash and completion of the crypto_free_ahash; DRBG zeroization routine internal state: crypto_free_rng; indicates that the DRBG seed: crypto_free_rng; zeroization procedure Entropy input string: succeeded. crypto_free_rng Remove De-allocates Volatile memory used By removing power power from the volatile by the module is the module memory used overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. The © 2025 Red Hat, Inc./ atsec information security corporation.
Zeroization Description Rationale Operator Initiation Method successful removal of power implicitly indicates that the zeroization is complete. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization.
Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h AES key AES key 128, Symmetric Encryption used for 192, Key - CSP with AES encryption 256 bits Decryption , - 128, with AES decryption 192, Authenticat , and 256 bits ed computing encryption MAC tags. with AES Authenticat ed decryption with AES HMAC key HMAC key. 112- Authenticati Message
bits - on 112-256 bits Entropy Entropy 128-384 Entropy Random input input used bits - input - CSP number to seed 114-343 generation the bits with DRBGs DRBGs. Compliant with IG D.L. CTR_DRBG DRBG seed 256, Seed - CSP Random Random Seed derived 320, number number from 384 bits generatio generation entropy - 128, n with with DRBGs input. 192, DRBGs Compliant 256 bits with IG D.L. Hash_DRB DRBG seed 440, Seed - CSP Random Random G Seed derived 888 bits number number from generatio © 2025 Red Hat, Inc./ atsec information security corporation.
Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h entropy - 128, n with generation input. 256 bits DRBGs with DRBGs Compliant with IG D.L. HMAC_DR DRBG seed 440, Seed - CSP Random Random BG Seed derived 888 bits number number from - 128, generatio generation entropy 256 bits n with with DRBGs input. DRBGs Compliant with IG D.L. HMAC_DR Internal 320, Internal Random Random BG state of 512, state - CSP number number Internal HMAC 1024 generatio generation State (V, DRBG bits - n with with DRBGs Key) instance. 128, DRBGs Compliant 256 bits with IG D.L. CTR_DRBG Internal 256, Internal Random Random Internal state of 320, state - CSP number number State (V, Counter 384 bits generatio generation Key) DRBG - 128, n with with DRBGs instance. 192, DRBGs Compliant 256 bits with IG D.L. Hash_DRB Internal 880, Internal Random Random G Internal state of 1776 state - CSP number number State (V, Hash bits - generatio generation C) DRBG 128, n with with DRBGs instance. 256 bits DRBGs Compliant with IG D.L. Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related Output Duration SSPs AES key API input RAM:Plaintext Until cipher Free cipher parameters; handle is handle AF_ALG_type freed or Remove sockets module power from (input) powered off the module HMAC key API input RAM:Plaintext Until cipher Free cipher parameters; handle is handle AF_ALG_type freed or Remove © 2025 Red Hat, Inc./ atsec information security corporation.
Name Input - Storage Storage Zeroization Related Output Duration SSPs sockets module power from (input) powered off the module Entropy RAM:Plaintext From Free cipher CTR_DRBG input generation handle Seed:Derives until DRBG Remove Hash_DRBG seed/reseed power from Seed:Derives the module HMAC_DRBG Seed:Derives CTR_DRBG RAM:Plaintext While the Free cipher Entropy Seed DRBG is handle input:Derived being Remove From instantiated power from CTR_DRBG the module Internal State (V, Key):Derives Hash_DRBG RAM:Plaintext While the Free cipher Entropy Seed DRBG is handle input:Derived being Remove From instantiated power from Hash_DRBG the module Internal State (V, C):Derives HMAC_DRBG RAM:Plaintext While the Free cipher Entropy Seed DRBG is handle input:Derived being Remove From instantiated power from HMAC_DRBG the module Internal State (V, Key):Derives HMAC_DRBG RAM:Plaintext From DRBG Free cipher HMAC_DRBG Internal instantiation handle Seed:Derived State (V, until DRBG Remove From Key) is un- power from instantiated the module CTR_DRBG RAM:Plaintext From DRBG Free cipher CTR_DRBG Internal instantiation handle Seed:Derived State (V, until DRBG Remove From Key) is un- power from instantiated the module Hash_DRBG RAM:Plaintext From DRBG Free cipher Hash_DRBG Internal instantiation handle Seed:Derived State (V, C) until DRBG Remove From is un- power from instantiated the module Table 19: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Red Hat, Inc./ atsec information security corporation.
© 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-512 Authentication Integrity becomes kernel binary, (A5736) operational libkcapi and services components are available and for use. sha512hmac binary RSA SigVer 3072-bit key Signature SW/FW Module Integrity test for (FIPS186-5) with SHA- Verification Integrity becomes kernel object (A5720) 256 operational files and services are available for use. Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5720) message becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA3-224 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA3-256 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. SHA3-384 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. SHA3-512 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5724) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5725) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5726) - 256 bit keys becomes initialization Encrypt operational © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5727) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5728) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5730) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5731) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit keys becomes initialization Encrypt operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-CBC 128, 192, KAT CAST Module Encryption Module (A5726) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CBC- 128 bit keys KAT CAST Module Encryption Module CS3 becomes initialization (A5733) - operational Encrypt and services are available for use. AES- 128, 192, KAT CAST Module Encryption Module CFB128 256 bit keys becomes initialization (A5732) - operational Encrypt and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CCM 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit becomes initialization Encrypt keys; 128- operational bit IVs and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5724) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5725) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5726) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5727) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5728) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit becomes initialization Encrypt operational © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type keys, 96-bit and IVs services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5730) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5731) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption Module Testing bit keys becomes initialization Revision operational
- Encrypt services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption Module Testing bit keys becomes initialization Revision operational
- Encrypt services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5724) - 256 bit keys becomes initialization Decrypt operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5725) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5726) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5727) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5728) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5730) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5731) - 256 bit keys becomes initialization Decrypt operational and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Decryption Module (A5726) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CBC- 128 bit keys KAT CAST Module Decryption Module CS3 becomes initialization (A5733) - operational Decrypt and services are available for use. AES- 128, 192, KAT CAST Module Decryption Module CFB128 256 bit keys becomes initialization (A5732) - operational Decrypt and services are available for use. AES-CTR 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit keys becomes initialization Decrypt operational © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-CCM 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit becomes initialization Decrypt keys; 128- operational bit IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5724) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5725) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5726) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5727) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5728) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5730) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5731) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-XTS 128 and 256 KAT CAST Module Decryption Module Testing bit keys becomes initialization Revision operational
- Decrypt services are available for use. AES-XTS 128 and 256 KAT CAST Module Decryption Module Testing bit keys becomes initialization Revision operational
- Decrypt services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CMAC 128 and 256 KAT CAST Module Message Module (A5729) bit keys becomes authentication initialization operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module
1 (A5720) keys becomes authentication initialization
operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module
1 (A5734) keys becomes authentication initialization
operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module
1 (A5735) keys becomes authentication initialization
operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module
1 (A5736) keys becomes authentication initialization
operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5720) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5734) operational © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5735) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5736) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5720) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5734) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5735) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5736) operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5720) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5734) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5735) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5736) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5720) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5734) operational Before and integrity services test. are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5735) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5736) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-224 keys becomes authentication initialization (A5721) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-256 keys becomes authentication initialization (A5721) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-384 keys becomes authentication initialization (A5721) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-512 keys becomes authentication initialization (A5721) operational and services are available for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5720) With/without operational generate © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5724) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5725) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5726) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5727) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5728) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5729) With/without operational generate PR; Health and test per services section 11.3 are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5730) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5731) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5720) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5724) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5725) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5726) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5727) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5728) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5729) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5730) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5731) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5734) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5735) With/without becomes reseed, initialization PR; Health operational generate © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5736) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5720) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5724) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5725) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5726) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5727) With/without operational generate PR; Health and test per services section 11.3 are © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5728) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5729) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5730) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5731) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5734) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5735) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5736) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5720) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5734) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5735) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5736) 256 operational Before and integrity services test. are available for use. Entropy 1024 RCT CAST Module Entropy Entropy Source RCT samples becomes source start- source initialization operational up test initialization and services are available for use. Entropy 1024 APT CAST Module Entropy Entropy Source APT samples becomes source start- source initialization operational up test initialization © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. Entropy Cutoff C = RCT CAST Entropy Entropy Continuously Source 61 source is source continuous operational continuous RCT test Entropy Cutoff C = APT CAST Entropy Entropy Continuously Source 355 source is source continuous operational continuous APT test Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. Services are not available, and data output (via the data output interface) is inhibited during the conditional self-tests. If any of these tests fails, the module transitions to the Error State.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually
RSA SigVer Signature SW/FW Integrity On demand Manually (FIPS186-5) Verification (A5720) Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A5720) KAT CAST On demand Manually SHA-1 (A5734) KAT CAST On demand Manually SHA-1 (A5735) KAT CAST On demand Manually SHA-1 (A5736) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A5720) SHA2-224 KAT CAST On demand Manually (A5734) SHA2-224 KAT CAST On demand Manually (A5735) SHA2-224 KAT CAST On demand Manually (A5736) SHA2-256 KAT CAST On demand Manually (A5720) © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method SHA2-256 KAT CAST On demand Manually (A5734) SHA2-256 KAT CAST On demand Manually (A5735) SHA2-256 KAT CAST On demand Manually (A5736) SHA2-384 KAT CAST On demand Manually (A5720) SHA2-384 KAT CAST On demand Manually (A5734) SHA2-384 KAT CAST On demand Manually (A5735) SHA2-384 KAT CAST On demand Manually (A5736) SHA2-512 KAT CAST On demand Manually (A5720) SHA2-512 KAT CAST On demand Manually (A5734) SHA2-512 KAT CAST On demand Manually (A5735) SHA2-512 KAT CAST On demand Manually (A5736) SHA3-224 KAT CAST On demand Manually (A5721) SHA3-256 KAT CAST On demand Manually (A5721) SHA3-384 KAT CAST On demand Manually (A5721) SHA3-512 KAT CAST On demand Manually (A5721) AES-ECB KAT CAST On demand Manually (A5720) Encrypt AES-ECB KAT CAST On demand Manually (A5724) Encrypt AES-ECB KAT CAST On demand Manually (A5725) Encrypt AES-ECB KAT CAST On demand Manually (A5726) Encrypt AES-ECB KAT CAST On demand Manually (A5727) Encrypt AES-ECB KAT CAST On demand Manually (A5728) Encrypt © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On demand Manually (A5730) Encrypt AES-ECB KAT CAST On demand Manually (A5731) Encrypt AES-ECB KAT CAST On demand Manually (A5729) Encrypt AES-CBC KAT CAST On demand Manually (A5720) Encrypt AES-CBC KAT CAST On demand Manually (A5726) Encrypt AES-CBC-CS3 KAT CAST On demand Manually (A5733) Encrypt AES-CFB128 KAT CAST On demand Manually (A5732) Encrypt AES-CTR KAT CAST On demand Manually (A5720) Encrypt AES-CTR KAT CAST On demand Manually (A5729) Encrypt AES-CCM KAT CAST On demand Manually (A5729) Encrypt AES-GCM KAT CAST On demand Manually (A5720) Encrypt AES-GCM KAT CAST On demand Manually (A5724) Encrypt AES-GCM KAT CAST On demand Manually (A5725) Encrypt AES-GCM KAT CAST On demand Manually (A5726) Encrypt AES-GCM KAT CAST On demand Manually (A5727) Encrypt AES-GCM KAT CAST On demand Manually (A5728) Encrypt © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On demand Manually (A5729) Encrypt AES-GCM KAT CAST On demand Manually (A5730) Encrypt AES-GCM KAT CAST On demand Manually (A5731) Encrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5720) Encrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5729) Encrypt AES-ECB KAT CAST On demand Manually (A5720) Decrypt AES-ECB KAT CAST On demand Manually (A5724) Decrypt AES-ECB KAT CAST On demand Manually (A5725) Decrypt AES-ECB KAT CAST On demand Manually (A5726) Decrypt AES-ECB KAT CAST On demand Manually (A5727) Decrypt AES-ECB KAT CAST On demand Manually (A5728) Decrypt AES-ECB KAT CAST On demand Manually (A5730) Decrypt AES-ECB KAT CAST On demand Manually (A5731) Decrypt AES-ECB KAT CAST On demand Manually (A5729) Decrypt AES-CBC KAT CAST On demand Manually (A5720) Decrypt AES-CBC KAT CAST On demand Manually (A5726) Decrypt © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC-CS3 KAT CAST On demand Manually (A5733) Decrypt AES-CFB128 KAT CAST On demand Manually (A5732) Decrypt AES-CTR KAT CAST On demand Manually (A5720) Decrypt AES-CTR KAT CAST On demand Manually (A5729) Decrypt AES-CCM KAT CAST On demand Manually (A5729) Decrypt AES-GCM KAT CAST On demand Manually (A5720) Decrypt AES-GCM KAT CAST On demand Manually (A5724) Decrypt AES-GCM KAT CAST On demand Manually (A5725) Decrypt AES-GCM KAT CAST On demand Manually (A5726) Decrypt AES-GCM KAT CAST On demand Manually (A5727) Decrypt AES-GCM KAT CAST On demand Manually (A5728) Decrypt AES-GCM KAT CAST On demand Manually (A5729) Decrypt AES-GCM KAT CAST On demand Manually (A5730) Decrypt AES-GCM KAT CAST On demand Manually (A5731) Decrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5720) Decrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5729) Decrypt © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method AES-CMAC KAT CAST On demand Manually (A5729) HMAC-SHA-1 KAT CAST On demand Manually (A5720) HMAC-SHA-1 KAT CAST On demand Manually (A5734) HMAC-SHA-1 KAT CAST On demand Manually (A5735) HMAC-SHA-1 KAT CAST On demand Manually (A5736) HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
HMAC-SHA3- KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method Counter DRBG KAT CAST On demand Manually (A5720) Counter DRBG KAT CAST On demand Manually (A5724) Counter DRBG KAT CAST On demand Manually (A5725) Counter DRBG KAT CAST On demand Manually (A5726) Counter DRBG KAT CAST On demand Manually (A5727) Counter DRBG KAT CAST On demand Manually (A5728) Counter DRBG KAT CAST On demand Manually (A5729) Counter DRBG KAT CAST On demand Manually (A5730) Counter DRBG KAT CAST On demand Manually (A5731) Hash DRBG KAT CAST On demand Manually (A5720) Hash DRBG KAT CAST On demand Manually (A5724) Hash DRBG KAT CAST On demand Manually (A5725) Hash DRBG KAT CAST On demand Manually (A5726) Hash DRBG KAT CAST On demand Manually (A5727) Hash DRBG KAT CAST On demand Manually (A5728) Hash DRBG KAT CAST On demand Manually (A5729) Hash DRBG KAT CAST On demand Manually (A5730) Hash DRBG KAT CAST On demand Manually (A5731) Hash DRBG KAT CAST On demand Manually (A5734) Hash DRBG KAT CAST On demand Manually (A5735) Hash DRBG KAT CAST On demand Manually (A5736) HMAC DRBG KAT CAST On demand Manually (A5720) HMAC DRBG KAT CAST On demand Manually (A5724) HMAC DRBG KAT CAST On demand Manually (A5725) HMAC DRBG KAT CAST On demand Manually (A5726) © 2025 Red Hat, Inc./ atsec information security corporation.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC DRBG KAT CAST On demand Manually (A5727) HMAC DRBG KAT CAST On demand Manually (A5728) HMAC DRBG KAT CAST On demand Manually (A5729) HMAC DRBG KAT CAST On demand Manually (A5730) HMAC DRBG KAT CAST On demand Manually (A5731) HMAC DRBG KAT CAST On demand Manually (A5734) HMAC DRBG KAT CAST On demand Manually (A5735) HMAC DRBG KAT CAST On demand Manually (A5736) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5720) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5734) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5735) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5736) Entropy Source RCT CAST On demand Manually RCT initialization Entropy Source APT CAST On demand Manually APT initialization Entropy Source RCT CAST On demand Manually continuous RCT Entropy Source APT CAST On demand Manually continuous APT Table 23: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 24: Error States © 2025 Red Hat, Inc./ atsec information security corporation.
In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).
All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module. © 2025 Red Hat, Inc./ atsec information security corporation.
The module is distributed as a part of the Red Hat Enterprise Linux 8 (RHEL 8) package in the form of the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-hmaccalc1.2.0-3.el8_8 RPM packages. The module can achieve the FIPS validated configuration as follows.
After installation of the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapihmaccalc-1.2.0-3.el8_8 RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Red Hat Enterprise Linux 8 - Kernel Cryptographic API Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapi” commands. These commands must output the following (one line per output): 4.18.0-477.72.1.el8_8.x86_64 libkcapi-1.2.0-3.el8_8.x86_64
There is no non-administrator guidance.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-hmaccalc-1.2.0-3.el8_8 RPM packages can be uninstalled from the RHEL 8 system. © 2025 Red Hat, Inc./ atsec information security corporation.
The module does not offer mitigation of other attacks and therefore this Section is not applicable. © 2025 Red Hat, Inc./ atsec information security corporation.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Red Hat, Inc./ atsec information security corporation.
Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2025 Red Hat, Inc./ atsec information security corporation.
SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf © 2025 Red Hat, Inc./ atsec information security corporation.