All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Red Hat Enterprise Linux 8 Kernel Cryptographic API

Certificate#5089StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorRed Hat, Inc.
Medium review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 3932 CVEs since this module's initial validation  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/3/2030
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. The module generates random strings whose strengths are modified by available entropy.
VendorRed Hat, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Red Hat Enterprise Linux 8 Kernel Cryptographic API
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Red Hat Enterprise Linux 8 Kernel Cryptographic API
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Red Hat, Inc. Red Hat Enterprise Linux 8 Kernel Cryptographic API Document Version: 1.1 Last Modified: 22/10/2025 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2025 Red Hat, Inc./ atsec information security corporation.

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 Red Hat, Inc./ atsec information security corporation.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid8
Table 5: Modes List and Description9
Table 6: Approved Algorithms16
Table 7: Non-Approved, Not Allowed Algorithms16
Table 8: Security Function Implementations20
Table 9: Entropy Certificates21
Table 10: Entropy Sources21
Table 11: Ports and Interfaces23
Table 12: Roles24
Table 13: Approved Services28
Table 14: Non-Approved Services29
Table 15: Storage Areas34
Table 16: SSP Input-Output Methods34
Table 17: SSP Zeroization Methods35
Table 18: SSP Table 136
Table 19: SSP Table 237
Table 20: Pre-Operational Self-Tests39
Table 21: Conditional Self-Tests62
Table 22: Pre-Operational Periodic Information62
Table 23: Conditional Periodic Information69
Table 24: Error States69
Figure 1: Block Diagram7
Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version kernel 4.18.0477.72.1.el8_8; libkcapi 1.2.0-3.el8_8 of the Red Hat Enterprise Linux 8 Kernel Cryptographic API module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.

1.1.1 How this Security Policy was prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels © 2025 Red Hat, Inc./ atsec information security corporation.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Red Hat Enterprise Linux 8 Kernel Cryptographic API (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. The PAA/PAI provided by the processor is located within the module’s physical perimeter and outside of the module’s cryptographic boundary. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 7
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

Package or File Name Software/ Features Integrity Firmware Test Version 477.72.1.el8_8.x86_64/kernel/arch/x86/crypto; /usr/lib64/libkcapi.so.1.2.0, /usr/bin/sha512hmac Table 2: Tested Module Identification

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically Approved For all approved algorithms except GCM: mode entered whenever respective approved service function an approved returns indicator 0; For GCM: © 2025 Red Hat, Inc./ atsec information security corporation.

Page 9

Mode Description Type Status Indicator Name service is crypto_aead_get_flags(tfm) has the requested CRYPTO_TFM_ FIPS_COMPLIANCE flag set Non- Automatically Non- No service indicator required for nonapproved entered whenever Approved approved services per IG 2.4.C mode a non-approved service is requested Table 5: Modes List and Description After the module is powered on, it performs all the pre-operational self-tests and cryptographic algorithm self-tests without operator intervention. Only after all the self-tests are successful, the module automatically transitions to the approved mode. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5720 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5726 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5729 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5723 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5733 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A5720 Key Length - 128, 192, 256 SP 800-38C AES-CCM A5729 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A5722 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A5732 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A5720 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5729 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 © 2025 Red Hat, Inc./ atsec information security corporation.

Page 10

Algorithm CAVP Properties Reference Cert AES-CTR A5720 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5726 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A5729 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5720 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5724 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5725 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5726 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5727 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5728 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5729 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5730 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5731 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5720 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5724 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5725 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5726 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5727 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5728 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5729 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External © 2025 Red Hat, Inc./ atsec information security corporation.

Page 11

Algorithm CAVP Properties Reference Cert IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5730 Direction - Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A5731 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5720 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A5729 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-XTS Testing A5720 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5726 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5729 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A5720 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5724 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5725 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5726 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5727 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5728 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5729 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5730 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes © 2025 Red Hat, Inc./ atsec information security corporation.

Page 12

Algorithm CAVP Properties Reference Cert Counter DRBG A5731 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Hash DRBG A5720 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5724 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5725 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5726 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5727 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5728 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5729 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5730 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5731 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5734 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5735 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 Hash DRBG A5736 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5720 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5724 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5725 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 © 2025 Red Hat, Inc./ atsec information security corporation.

Page 13

Algorithm CAVP Properties Reference Cert HMAC DRBG A5726 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5727 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5728 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5729 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5730 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5731 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5734 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5735 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC DRBG A5736 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 HMAC-SHA-1 A5720 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA-1 A5734 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA-1 A5735 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA-1 A5736 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-224 A5720 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-224 A5734 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-224 A5735 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-224 A5736 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-256 A5720 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-256 A5734 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-256 A5735 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

© 2025 Red Hat, Inc./ atsec information security corporation.

Page 14

Algorithm CAVP Properties Reference Cert HMAC-SHA2-256 A5736 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-384 A5720 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-384 A5734 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-384 A5735 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-384 A5736 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-512 A5720 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-512 A5734 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-512 A5735 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA2-512 A5736 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-224 A5721 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-256 A5721 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-384 A5721 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

HMAC-SHA3-512 A5721 Key Length - Key Length: 112- FIPS 198-1

524288 Increment 8

RSA SigVer (FIPS186- A5720 Signature Type - PKCS 1.5 FIPS 186-5

  1. Modulo - 3072 RSA SigVer (FIPS186- A5734 Signature Type - PKCS 1.5 FIPS 186-5
  2. Modulo - 3072 RSA SigVer (FIPS186- A5735 Signature Type - PKCS 1.5 FIPS 186-5
  3. Modulo - 3072 RSA SigVer (FIPS186- A5736 Signature Type - PKCS 1.5 FIPS 186-5
  4. Modulo - 3072 SHA-1 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA-1 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2025 Red Hat, Inc./ atsec information security corporation.
Page 15

Algorithm CAVP Properties Reference Cert SHA2-224 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-256 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5720 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5734 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5735 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A5736 Message Length - Message Length: FIPS 180-4 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2025 Red Hat, Inc./ atsec information security corporation.

Page 16

Algorithm CAVP Properties Reference Cert SHA3-256 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-512 A5721 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with external Encryption with external IV (not compliant to FIPS 140-3 IG C.H) IV KBKDF (libkcapi) Key derivation with implementation not tested by CAVP HKDF (libkcapi) Key derivation with implementation not tested by CAVP PBKDF2 (libkcapi) Password-based key derivation with implementation not tested by CAVP RSA Encryption primitive; Decryption primitive (not compliant to SP 800-56Br2) RSA with PKCS#1 v1.5 Signature generation (pre-hashed message); Signature padding verification (pre-hashed message) Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption with BC-UnAuth Encrypt a Key size(s):128, AES-CBC: AES plaintext with 192, 256 bits (A5720, A5726, AES (XTS mode 128 A5729) and 256 bits AES-CBC-CS3: only) (A5723, A5733) AES-CFB128: (A5722, A5732) © 2025 Red Hat, Inc./ atsec information security corporation.

Page 17

Name Type Description Properties Algorithms AES-CTR: (A5720, A5726, A5729) AES-ECB: (A5720, A5724, A5725, A5726, A5727, A5728, A5729, A5730, A5731) AES-XTS Testing Revision 2.0: (A5720, A5726, A5729) Decryption with BC-UnAuth Decrypt a Key size(s):128, AES-CBC: AES ciphertext with 192, 256 bits (A5720, A5726, AES (XTS mode 128 A5729) and 256 bits AES-CBC-CS3: only) (A5723, A5733) AES-CFB128: (A5722, A5732) AES-CTR: (A5720, A5726, A5729) AES-ECB: (A5720, A5724, A5725, A5726, A5727, A5728, A5729, A5730, A5731) AES-XTS Testing Revision 2.0: (A5720, A5726, A5729) Hashing SHA Compute a SHA-1:N/A SHA-1: (A5720, message digest SHA2-224:N/A A5734, A5735, SHA2-256:N/A A5736) SHA2-384:N/A SHA2-224: SHA2-512:N/A (A5720, A5734, SHA3-224:N/A A5735, A5736) SHA3-256:N/A SHA2-256: SHA3-384:N/A (A5720, A5734, SHA3-512:N/A A5735, A5736) SHA2-384: (A5720, A5734, A5735, A5736) SHA2-512: (A5720, A5734, A5735, A5736) SHA3-224: (A5721) SHA3-256: (A5721) © 2025 Red Hat, Inc./ atsec information security corporation.

Page 18

Name Type Description Properties Algorithms SHA3-384: (A5721) SHA3-512: (A5721) Message MAC Compute a MAC HMAC key AES-CMAC: authentication tag for size(s):112- (A5720, A5729) authentication 524288 bits AES-GMAC: (112-256 bits) (A5720, A5729) AES key HMAC-SHA-1: size(s):128, 192, (A5720, A5734,

256 bits A5735, A5736)

HMAC-SHA2224: (A5720, A5734, A5735, A5736) HMAC-SHA2256: (A5720, A5734, A5735, A5736) HMAC-SHA2384: (A5720, A5734, A5735, A5736) HMAC-SHA2512: (A5720, A5734, A5735, A5736) HMAC-SHA3224: (A5721) HMAC-SHA3256: (A5721) HMAC-SHA3384: (A5721) HMAC-SHA3512: (A5721) Random DRBG Generate Counter Counter DRBG: number random DRBG:128, 192, (A5720, A5724, generation with numbers from 256 bits A5725, A5726, DRBGs DRBGs HMAC A5727, A5728, DRBG:128, 256 A5729, A5730, bits A5731) Hash DRBG:128, Hash DRBG:

256 bits (A5720, A5724,

A5725, A5726, A5727, A5728, A5729, A5730, A5731, A5734, A5735, A5736) HMAC DRBG: (A5720, A5724, A5725, A5726, A5727, A5728, © 2025 Red Hat, Inc./ atsec information security corporation.

Page 19

Name Type Description Properties Algorithms A5729, A5730, A5731, A5734, A5735, A5736) Signature DigSig-SigVer Verify a Padding:PKCS#1 RSA SigVer verification with signature with v1.5 (FIPS186-5): RSA RSA Hashes:SHA-256 (A5720, A5734, Key size(s):3072 A5735, A5736) bits (128 bits) Authenticated BC-Auth Encrypt and Key size(s):128, AES-CCM: encryption with authenticate a 192, 256 bits (A5720, A5729) AES plaintext with AES-GCM: AES (A5724, A5727, A5730) AES-CBC: (A5720, A5726, A5729) AES-CTR: (A5720, A5726, A5729) HMAC-SHA-1: (A5720, A5734, A5735, A5736) HMAC-SHA2256: (A5720, A5734, A5735, A5736) HMAC-SHA2384: (A5720, A5734, A5735, A5736) HMAC-SHA2512: (A5720, A5734, A5735, A5736) Authenticated BC-Auth Decrypt and Key size(s):128, AES-CCM: decryption with authenticate a 192, 256 bits (A5720, A5729) AES ciphertext with AES-GCM: AES (A5720, A5725, A5726, A5728, A5729, A5731) AES-CBC: (A5720, A5726, A5729) AES-CTR: (A5720, A5726, A5729) HMAC-SHA-1: (A5720, A5734, A5735, A5736) HMAC-SHA2256: (A5720, A5734, A5735, © 2025 Red Hat, Inc./ atsec information security corporation.

Page 20

Name Type Description Properties Algorithms A5736) HMAC-SHA2384: (A5720, A5734, A5735, A5736) HMAC-SHA2512: (A5720, A5734, A5735, A5736) Table 8: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

The Crypto Officer shall consider the following requirements and restrictions when using the module. For IPsec, the module offers the AES GCM implementation and uses the context of Scenario

1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs

generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in Section 4.3.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 21
2.7.3 RSA

For RSA signature verification, the module supports modulus size 3072 bits. The supported modulus size has been CAVP tested.

2.7.4 SHA-3

The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of each SHA-3 function was tested and validated on all the module’s operating environments. SHAKE functions are not implemented. SHA-3 hash functions are also used as part of a higher-level algorithm for HMAC.

2.8 RBG and Entropy

Cert Vendor Number Name E174 Red Hat, Inc. Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample RHEL 8 Kernel Non- Red Hat Enterprise 64 bits 57.30 Linear-Feedback CPU Time Jitter Physical Linux 8 on Dell bits Shift Register RNG Entropy PowerEdge R440 (LFSR) Source Table 10: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of these DRBG implementations can be instantiated by the operator of the module. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA2-512 DRBG implementation for internal purposes (e.g. to generate initialization vectors). This DRBG is initially seeded with

384 output bits from the entropy source (343 bits of entropy) and reseeded with 256 output

bits from the entropy source (229 bits of entropy).

2.9 Key Generation

The module does not provide key generation.

2.10 Key Establishment

The module does not provide key establishment.

2.11 Industry Protocols

© 2025 Red Hat, Inc./ atsec information security corporation.

Page 22

AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than the AES GCM implementation, have been tested by the CAVP and CMVP. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 23
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type sockets N/A Data Output API data output parameters, AF_ALG type sockets N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel command line N/A Status API return values, AF_ALG type sockets, kernel logs Output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design, AF_ALG type socket that allows the applications running in the user space to request cryptographic services from the module. The module does not support a control output interface. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 24
4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not implement authentication.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descript Indicator Inputs Outputs Security SSP ion Function Access s Message Compute crypto_shash_init Messag Digest Hashing Crypto digest a returns 0 e value Officer message digest Encryptio Encrypt a crypto_skcipher_se AES Ciphertext Encryptio Crypto n plaintext tkey returns 0 key, n with Officer plainte AES - AES xt key: W,E Decryptio Decrypt a crypto_skcipher_se AES Plaintext Decryptio Crypto n ciphertex tkey returns 0 key, n with Officer t ciphert AES - AES ext key: W,E Authentic Encrypt For all except AES AES Ciphertext Authentic Crypto ated and GCM: key, , MAC tag ated Officer encryptio authentic crypto_aead_setke plainte encryptio - AES n ate a y returns 0; For xt n with key: W,E plaintext AES GCM: AES crypto_aead_get_fl ags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set Authentic Encrypt For all except AES AES Plaintext Authentic Crypto ated and GCM: key, or failure ated Officer authentic crypto_aead_setke ciphert decryptio © 2025 Red Hat, Inc./ atsec information security corporation.

Page 25

Name Descript Indicator Inputs Outputs Security SSP ion Function Access s decryptio ate a y returns 0; For ext, n with - AES n ciphertex AES GCM: MAC AES key: W,E t crypto_aead_get_fl tag ags(tfm) has the CRYPTO_TFM_ FIPS_COMPLIANCE flag set Message Compute crypto_shash_init AES: MAC tag Message Crypto authentic a MAC returns 0 AES authentic Officer ation tag key, ation - AES generatio messag key: W,E n e; - HMAC HMAC: key: W,E HMAC key, messag e Message Compute crypto_shash_init AES: Success/Fa Message Crypto authentic a MAC returns 0 AES ilure authentic Officer ation tag key, ation - AES verificatio messag key: W,E n e, MAC - HMAC tag; key: W,E HMAC: HMAC key, messag e, MAC tag Random Generate crypto_rng_get_byt Output Random Random Crypto number random es returns 0 length bytes number Officer generatio bytes generatio - Entropy n n with input: DRBGs W,E CTR_DR BG Seed: G,E HMAC_D RBG Seed: G,E Hash_DR BG Seed: G,E © 2025 Red Hat, Inc./ atsec information security corporation.

Page 26

Name Descript Indicator Inputs Outputs Security SSP ion Function Access s CTR_DR BG Internal State (V, Key): G,W,E HMAC_D RBG Internal State (V, Key): G,W,E Hash_DR BG Internal State (V, C): G,W,E Error Compute None Messag EDC None Crypto detection an EDC e Officer code (crc32, crct10dif) Compress Compres None Data Compress None Crypto ion s data ed data Officer (deflate, lz4, lz4hc, lzo, zlibdeflat e, zstd) Generic Use the None Identifi Various None Crypto system kernel to er, return Officer call perform various values various argume non- nts cryptogra phic operation s Show Return None N/A Module None Crypto version the name and Officer module version name and version informati on © 2025 Red Hat, Inc./ atsec information security corporation.

Page 27

Name Descript Indicator Inputs Outputs Security SSP ion Function Access s Show Return None N/A Module None Crypto status the status Officer module status Self-test Perform None N/A Pass/fail Encryptio Crypto the n with Officer CASTs AES and Decryptio integrity n with tests AES Hashing Message authentic ation Random number generatio n with DRBGs Signature verificatio n with RSA Authentic ated encryptio n with AES Authentic ated decryptio n with AES Zeroizatio Zeroize None Any N/A None Crypto n all SSPs SSP Officer - AES key: Z - HMAC key: Z - Entropy input: Z CTR_DR BG Internal State (V, Key): Z HMAC_D RBG © 2025 Red Hat, Inc./ atsec information security corporation.

Page 28

Name Descript Indicator Inputs Outputs Security SSP ion Function Access s Internal State (V, Key): Z Hash_DR BG Internal State (V, C): Z CTR_DR BG Seed: Z Hash_DR BG Seed: Z HMAC_D RBG Seed: Z Table 13: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:

4.4 Non-Approved Services

Name Description Algorithms Role AES GCM external IV Encrypt a plaintext using AES AES-GCM with CO encryption GCM with an external IV external IV Key derivation Derive a key from a key- KBKDF (libkcapi) CO derivation key or a shared HKDF (libkcapi) secret Password-based key Derive a key from a password PBKDF2 (libkcapi) CO derivation RSA encryption primitive Compute the raw RSA RSA CO encryption of a plaintext RSA decryption primitive Compute the raw RSA RSA CO decryption of a cipertext RSA signature generation Generate a digital signature for RSA with PKCS#1 CO (pre-hashed message) a pre-hashed message v1.5 padding © 2025 Red Hat, Inc./ atsec information security corporation.

Page 29

Name Description Algorithms Role RSA signature verification Verify a digital signature for a RSA with PKCS#1 CO (pre-hashed message) pre-hashed message v1.5 padding Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 30
5 Software/Firmware Security
5.1 Integrity Techniques

The static kernel binary is integrity tested using an HMAC-SHA2-512 calculation performed by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations). An HMAC-SHA2-512 calculation is also performed on the sha512hmac utility and the libkcapi library to verify their integrity. The libkcapi checks the integrity of the binary of the sha512hmac utility first. The sha512hmac utility is then used to perform an HMAC-SHA2-512 calculation of the kernel’s binary to verify its integrity. After the integrity of the kernel’s binary has been verified, the self-test for the RSA signature verification implementation is run. Upon the successful run of this self-test, the RSA signature verification implementation of the kernel (with PKCS#1 v1.5 padding, SHA-256, and a 3072-bit key) is used to verify the integrity of the crypto object files listed in Section

2.2 and loaded at start-up.
5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 31
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.

6.3 Additional Information

The Red Hat Enterprise Linux operating system is used as the basis of other products which include but are not limited to:

Page 32
7 Physical Security

The module is comprised of software only and therefore this Section is not applicable. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 33
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this Section is not applicable. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 34
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameters; calling c module t c AF_ALG_typ applicatio e sockets n (TOEPP) (input) Table 16: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate handle SSPs SSPs is overwritten with zeroization functions: AES key: contained zeroes, which renders crypto_free_skcipher and within the the SSP values crypto_free_aead; HMAC key: cipher handle irretrievable. The crypto_free_shash and completion of the crypto_free_ahash; DRBG zeroization routine internal state: crypto_free_rng; indicates that the DRBG seed: crypto_free_rng; zeroization procedure Entropy input string: succeeded. crypto_free_rng Remove De-allocates Volatile memory used By removing power power from the volatile by the module is the module memory used overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the zeroization procedure succeeded. The © 2025 Red Hat, Inc./ atsec information security corporation.

Page 35

Zeroization Description Rationale Operator Initiation Method successful removal of power implicitly indicates that the zeroization is complete. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h AES key AES key 128, Symmetric Encryption used for 192, Key - CSP with AES encryption 256 bits Decryption , - 128, with AES decryption 192, Authenticat , and 256 bits ed computing encryption MAC tags. with AES Authenticat ed decryption with AES HMAC key HMAC key. 112- Authenticati Message

524288 on key - CSP authenticati

bits - on 112-256 bits Entropy Entropy 128-384 Entropy Random input input used bits - input - CSP number to seed 114-343 generation the bits with DRBGs DRBGs. Compliant with IG D.L. CTR_DRBG DRBG seed 256, Seed - CSP Random Random Seed derived 320, number number from 384 bits generatio generation entropy - 128, n with with DRBGs input. 192, DRBGs Compliant 256 bits with IG D.L. Hash_DRB DRBG seed 440, Seed - CSP Random Random G Seed derived 888 bits number number from generatio © 2025 Red Hat, Inc./ atsec information security corporation.

Page 36

Name Descripti Size - Type - Generat Establish Used By on Strengt Category ed By ed By h entropy - 128, n with generation input. 256 bits DRBGs with DRBGs Compliant with IG D.L. HMAC_DR DRBG seed 440, Seed - CSP Random Random BG Seed derived 888 bits number number from - 128, generatio generation entropy 256 bits n with with DRBGs input. DRBGs Compliant with IG D.L. HMAC_DR Internal 320, Internal Random Random BG state of 512, state - CSP number number Internal HMAC 1024 generatio generation State (V, DRBG bits - n with with DRBGs Key) instance. 128, DRBGs Compliant 256 bits with IG D.L. CTR_DRBG Internal 256, Internal Random Random Internal state of 320, state - CSP number number State (V, Counter 384 bits generatio generation Key) DRBG - 128, n with with DRBGs instance. 192, DRBGs Compliant 256 bits with IG D.L. Hash_DRB Internal 880, Internal Random Random G Internal state of 1776 state - CSP number number State (V, Hash bits - generatio generation C) DRBG 128, n with with DRBGs instance. 256 bits DRBGs Compliant with IG D.L. Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related Output Duration SSPs AES key API input RAM:Plaintext Until cipher Free cipher parameters; handle is handle AF_ALG_type freed or Remove sockets module power from (input) powered off the module HMAC key API input RAM:Plaintext Until cipher Free cipher parameters; handle is handle AF_ALG_type freed or Remove © 2025 Red Hat, Inc./ atsec information security corporation.

Page 37

Name Input - Storage Storage Zeroization Related Output Duration SSPs sockets module power from (input) powered off the module Entropy RAM:Plaintext From Free cipher CTR_DRBG input generation handle Seed:Derives until DRBG Remove Hash_DRBG seed/reseed power from Seed:Derives the module HMAC_DRBG Seed:Derives CTR_DRBG RAM:Plaintext While the Free cipher Entropy Seed DRBG is handle input:Derived being Remove From instantiated power from CTR_DRBG the module Internal State (V, Key):Derives Hash_DRBG RAM:Plaintext While the Free cipher Entropy Seed DRBG is handle input:Derived being Remove From instantiated power from Hash_DRBG the module Internal State (V, C):Derives HMAC_DRBG RAM:Plaintext While the Free cipher Entropy Seed DRBG is handle input:Derived being Remove From instantiated power from HMAC_DRBG the module Internal State (V, Key):Derives HMAC_DRBG RAM:Plaintext From DRBG Free cipher HMAC_DRBG Internal instantiation handle Seed:Derived State (V, until DRBG Remove From Key) is un- power from instantiated the module CTR_DRBG RAM:Plaintext From DRBG Free cipher CTR_DRBG Internal instantiation handle Seed:Derived State (V, until DRBG Remove From Key) is un- power from instantiated the module Hash_DRBG RAM:Plaintext From DRBG Free cipher Hash_DRBG Internal instantiation handle Seed:Derived State (V, C) until DRBG Remove From is un- power from instantiated the module Table 19: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 38

© 2025 Red Hat, Inc./ atsec information security corporation.

Page 39
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-512 Authentication Integrity becomes kernel binary, (A5736) operational libkcapi and services components are available and for use. sha512hmac binary RSA SigVer 3072-bit key Signature SW/FW Module Integrity test for (FIPS186-5) with SHA- Verification Integrity becomes kernel object (A5720) 256 operational files and services are available for use. Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 40

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA-1 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA2-224 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational © 2025 Red Hat, Inc./ atsec information security corporation.

Page 41

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA2-256 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5720) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 42

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. SHA2-384 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5720) message becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5734) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5735) messages becomes digest initialization operational and services are available for use. SHA2-512 0-8184 bit KAT CAST Module Message Module (A5736) messages becomes digest initialization operational and services are available for use. SHA3-224 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 43

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA3-256 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. SHA3-384 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. SHA3-512 0-8184 bit KAT CAST Module Message Module (A5721) message becomes digest initialization operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5724) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5725) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5726) - 256 bit keys becomes initialization Encrypt operational © 2025 Red Hat, Inc./ atsec information security corporation.

Page 44

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5727) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5728) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5730) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5731) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit keys becomes initialization Encrypt operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 45

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-CBC 128, 192, KAT CAST Module Encryption Module (A5726) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CBC- 128 bit keys KAT CAST Module Encryption Module CS3 becomes initialization (A5733) - operational Encrypt and services are available for use. AES- 128, 192, KAT CAST Module Encryption Module CFB128 256 bit keys becomes initialization (A5732) - operational Encrypt and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit keys becomes initialization Encrypt operational and services are available for use. AES-CCM 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit becomes initialization Encrypt keys; 128- operational bit IVs and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 46

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128, 192, KAT CAST Module Encryption Module (A5720) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5724) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5725) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5726) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5727) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5728) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5729) - 256 bit becomes initialization Encrypt operational © 2025 Red Hat, Inc./ atsec information security corporation.

Page 47

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type keys, 96-bit and IVs services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5730) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Encryption Module (A5731) - 256 bit becomes initialization Encrypt keys, 96-bit operational IVs and services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption Module Testing bit keys becomes initialization Revision operational

2.0 (A5720) and

- Encrypt services are available for use. AES-XTS 128 and 256 KAT CAST Module Encryption Module Testing bit keys becomes initialization Revision operational

2.0 (A5729) and

- Encrypt services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5724) - 256 bit keys becomes initialization Decrypt operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 48

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5725) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5726) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5727) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5728) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5730) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-ECB 128, 192, KAT CAST Module Decryption Module (A5731) - 256 bit keys becomes initialization Decrypt operational and services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 49

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CBC 128, 192, KAT CAST Module Decryption Module (A5726) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CBC- 128 bit keys KAT CAST Module Decryption Module CS3 becomes initialization (A5733) - operational Decrypt and services are available for use. AES- 128, 192, KAT CAST Module Decryption Module CFB128 256 bit keys becomes initialization (A5732) - operational Decrypt and services are available for use. AES-CTR 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit keys becomes initialization Decrypt operational and services are available for use. AES-CTR 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit keys becomes initialization Decrypt operational © 2025 Red Hat, Inc./ atsec information security corporation.

Page 50

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. AES-CCM 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit becomes initialization Decrypt keys; 128- operational bit IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5720) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5724) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5725) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5726) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5727) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 51

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5728) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5729) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5730) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-GCM 128, 192, KAT CAST Module Decryption Module (A5731) - 256 bit becomes initialization Decrypt keys, 96-bit operational IVs and services are available for use. AES-XTS 128 and 256 KAT CAST Module Decryption Module Testing bit keys becomes initialization Revision operational

2.0 (A5720) and

- Decrypt services are available for use. AES-XTS 128 and 256 KAT CAST Module Decryption Module Testing bit keys becomes initialization Revision operational

2.0 (A5729) and

- Decrypt services are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 52

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CMAC 128 and 256 KAT CAST Module Message Module (A5729) bit keys becomes authentication initialization operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module

1 (A5720) keys becomes authentication initialization

operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module

1 (A5734) keys becomes authentication initialization

operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module

1 (A5735) keys becomes authentication initialization

operational and services are available for use. HMAC-SHA- 32-64 bit KAT CAST Module Message Module

1 (A5736) keys becomes authentication initialization

operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5720) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5734) operational © 2025 Red Hat, Inc./ atsec information security corporation.

Page 53

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5735) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-224 keys becomes authentication initialization (A5736) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5720) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5734) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5735) operational and services are available for use. HMAC- 32-64 bit KAT CAST Module Message Module SHA2-256 keys becomes authentication initialization (A5736) operational and services are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 54

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5720) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5734) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5735) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-384 keys becomes authentication initialization (A5736) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5720) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5734) operational Before and integrity services test. are available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 55

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5735) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA2-512 keys becomes authentication initialization. (A5736) operational Before and integrity services test. are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-224 keys becomes authentication initialization (A5721) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-256 keys becomes authentication initialization (A5721) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-384 keys becomes authentication initialization (A5721) operational and services are available for use. HMAC- 32-1048 bit KAT CAST Module Message Module SHA3-512 keys becomes authentication initialization (A5721) operational and services are available for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5720) With/without operational generate © 2025 Red Hat, Inc./ atsec information security corporation.

Page 56

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5724) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5725) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5726) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5727) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5728) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5729) With/without operational generate PR; Health and test per services section 11.3 are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 57

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5730) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Counter 128, 192, KAT CAST Module instantiate, Module DRBG 256 bit keys becomes reseed, initialization (A5731) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5720) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5724) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5725) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5726) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 58

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5727) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5728) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5729) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5730) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5731) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5734) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5735) With/without becomes reseed, initialization PR; Health operational generate © 2025 Red Hat, Inc./ atsec information security corporation.

Page 59

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type test per and section 11.3 services of SP 800- are 90Arev1 available for use. Hash DRBG SHA-256 KAT CAST Module instantiate, Module (A5736) With/without becomes reseed, initialization PR; Health operational generate test per and section 11.3 services of SP 800- are 90Arev1 available for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5720) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5724) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5725) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5726) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5727) With/without operational generate PR; Health and test per services section 11.3 are © 2025 Red Hat, Inc./ atsec information security corporation.

Page 60

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5728) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5729) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5730) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5731) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5734) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5735) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 61

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC SHA-256, KAT CAST Module instantiate, Module DRBG SHA512 becomes reseed, initialization (A5736) With/without operational generate PR; Health and test per services section 11.3 are of SP 800- available 90Arev1 for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5720) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5734) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5735) 256 operational Before and integrity services test. are available for use. RSA SigVer 4096-bit key KAT CAST Module Verify Module (FIPS186-5) with SHA- becomes initialization. (A5736) 256 operational Before and integrity services test. are available for use. Entropy 1024 RCT CAST Module Entropy Entropy Source RCT samples becomes source start- source initialization operational up test initialization and services are available for use. Entropy 1024 APT CAST Module Entropy Entropy Source APT samples becomes source start- source initialization operational up test initialization © 2025 Red Hat, Inc./ atsec information security corporation.

Page 62

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type and services are available for use. Entropy Cutoff C = RCT CAST Entropy Entropy Continuously Source 61 source is source continuous operational continuous RCT test Entropy Cutoff C = APT CAST Entropy Entropy Continuously Source 355 source is source continuous operational continuous APT test Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. Services are not available, and data output (via the data output interface) is inhibited during the conditional self-tests. If any of these tests fails, the module transitions to the Error State.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually

512 (A5736) Authentication

RSA SigVer Signature SW/FW Integrity On demand Manually (FIPS186-5) Verification (A5720) Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A5720) KAT CAST On demand Manually SHA-1 (A5734) KAT CAST On demand Manually SHA-1 (A5735) KAT CAST On demand Manually SHA-1 (A5736) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A5720) SHA2-224 KAT CAST On demand Manually (A5734) SHA2-224 KAT CAST On demand Manually (A5735) SHA2-224 KAT CAST On demand Manually (A5736) SHA2-256 KAT CAST On demand Manually (A5720) © 2025 Red Hat, Inc./ atsec information security corporation.

Page 63

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-256 KAT CAST On demand Manually (A5734) SHA2-256 KAT CAST On demand Manually (A5735) SHA2-256 KAT CAST On demand Manually (A5736) SHA2-384 KAT CAST On demand Manually (A5720) SHA2-384 KAT CAST On demand Manually (A5734) SHA2-384 KAT CAST On demand Manually (A5735) SHA2-384 KAT CAST On demand Manually (A5736) SHA2-512 KAT CAST On demand Manually (A5720) SHA2-512 KAT CAST On demand Manually (A5734) SHA2-512 KAT CAST On demand Manually (A5735) SHA2-512 KAT CAST On demand Manually (A5736) SHA3-224 KAT CAST On demand Manually (A5721) SHA3-256 KAT CAST On demand Manually (A5721) SHA3-384 KAT CAST On demand Manually (A5721) SHA3-512 KAT CAST On demand Manually (A5721) AES-ECB KAT CAST On demand Manually (A5720) Encrypt AES-ECB KAT CAST On demand Manually (A5724) Encrypt AES-ECB KAT CAST On demand Manually (A5725) Encrypt AES-ECB KAT CAST On demand Manually (A5726) Encrypt AES-ECB KAT CAST On demand Manually (A5727) Encrypt AES-ECB KAT CAST On demand Manually (A5728) Encrypt © 2025 Red Hat, Inc./ atsec information security corporation.

Page 64

Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On demand Manually (A5730) Encrypt AES-ECB KAT CAST On demand Manually (A5731) Encrypt AES-ECB KAT CAST On demand Manually (A5729) Encrypt AES-CBC KAT CAST On demand Manually (A5720) Encrypt AES-CBC KAT CAST On demand Manually (A5726) Encrypt AES-CBC-CS3 KAT CAST On demand Manually (A5733) Encrypt AES-CFB128 KAT CAST On demand Manually (A5732) Encrypt AES-CTR KAT CAST On demand Manually (A5720) Encrypt AES-CTR KAT CAST On demand Manually (A5729) Encrypt AES-CCM KAT CAST On demand Manually (A5729) Encrypt AES-GCM KAT CAST On demand Manually (A5720) Encrypt AES-GCM KAT CAST On demand Manually (A5724) Encrypt AES-GCM KAT CAST On demand Manually (A5725) Encrypt AES-GCM KAT CAST On demand Manually (A5726) Encrypt AES-GCM KAT CAST On demand Manually (A5727) Encrypt AES-GCM KAT CAST On demand Manually (A5728) Encrypt © 2025 Red Hat, Inc./ atsec information security corporation.

Page 65

Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On demand Manually (A5729) Encrypt AES-GCM KAT CAST On demand Manually (A5730) Encrypt AES-GCM KAT CAST On demand Manually (A5731) Encrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5720) Encrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5729) Encrypt AES-ECB KAT CAST On demand Manually (A5720) Decrypt AES-ECB KAT CAST On demand Manually (A5724) Decrypt AES-ECB KAT CAST On demand Manually (A5725) Decrypt AES-ECB KAT CAST On demand Manually (A5726) Decrypt AES-ECB KAT CAST On demand Manually (A5727) Decrypt AES-ECB KAT CAST On demand Manually (A5728) Decrypt AES-ECB KAT CAST On demand Manually (A5730) Decrypt AES-ECB KAT CAST On demand Manually (A5731) Decrypt AES-ECB KAT CAST On demand Manually (A5729) Decrypt AES-CBC KAT CAST On demand Manually (A5720) Decrypt AES-CBC KAT CAST On demand Manually (A5726) Decrypt © 2025 Red Hat, Inc./ atsec information security corporation.

Page 66

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC-CS3 KAT CAST On demand Manually (A5733) Decrypt AES-CFB128 KAT CAST On demand Manually (A5732) Decrypt AES-CTR KAT CAST On demand Manually (A5720) Decrypt AES-CTR KAT CAST On demand Manually (A5729) Decrypt AES-CCM KAT CAST On demand Manually (A5729) Decrypt AES-GCM KAT CAST On demand Manually (A5720) Decrypt AES-GCM KAT CAST On demand Manually (A5724) Decrypt AES-GCM KAT CAST On demand Manually (A5725) Decrypt AES-GCM KAT CAST On demand Manually (A5726) Decrypt AES-GCM KAT CAST On demand Manually (A5727) Decrypt AES-GCM KAT CAST On demand Manually (A5728) Decrypt AES-GCM KAT CAST On demand Manually (A5729) Decrypt AES-GCM KAT CAST On demand Manually (A5730) Decrypt AES-GCM KAT CAST On demand Manually (A5731) Decrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5720) Decrypt AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5729) Decrypt © 2025 Red Hat, Inc./ atsec information security corporation.

Page 67

Algorithm or Test Method Test Type Period Periodic Test Method AES-CMAC KAT CAST On demand Manually (A5729) HMAC-SHA-1 KAT CAST On demand Manually (A5720) HMAC-SHA-1 KAT CAST On demand Manually (A5734) HMAC-SHA-1 KAT CAST On demand Manually (A5735) HMAC-SHA-1 KAT CAST On demand Manually (A5736) HMAC-SHA2- KAT CAST On demand Manually

224 (A5720)

HMAC-SHA2- KAT CAST On demand Manually

224 (A5734)

HMAC-SHA2- KAT CAST On demand Manually

224 (A5735)

HMAC-SHA2- KAT CAST On demand Manually

224 (A5736)

HMAC-SHA2- KAT CAST On demand Manually

256 (A5720)

HMAC-SHA2- KAT CAST On demand Manually

256 (A5734)

HMAC-SHA2- KAT CAST On demand Manually

256 (A5735)

HMAC-SHA2- KAT CAST On demand Manually

256 (A5736)

HMAC-SHA2- KAT CAST On demand Manually

384 (A5720)

HMAC-SHA2- KAT CAST On demand Manually

384 (A5734)

HMAC-SHA2- KAT CAST On demand Manually

384 (A5735)

HMAC-SHA2- KAT CAST On demand Manually

384 (A5736)

HMAC-SHA2- KAT CAST On demand Manually

512 (A5720)

HMAC-SHA2- KAT CAST On demand Manually

512 (A5734)

HMAC-SHA2- KAT CAST On demand Manually

512 (A5735)

HMAC-SHA2- KAT CAST On demand Manually

512 (A5736)

HMAC-SHA3- KAT CAST On demand Manually

224 (A5721)

HMAC-SHA3- KAT CAST On demand Manually

256 (A5721)

HMAC-SHA3- KAT CAST On demand Manually

384 (A5721)

HMAC-SHA3- KAT CAST On demand Manually

512 (A5721)

© 2025 Red Hat, Inc./ atsec information security corporation.

Page 68

Algorithm or Test Method Test Type Period Periodic Test Method Counter DRBG KAT CAST On demand Manually (A5720) Counter DRBG KAT CAST On demand Manually (A5724) Counter DRBG KAT CAST On demand Manually (A5725) Counter DRBG KAT CAST On demand Manually (A5726) Counter DRBG KAT CAST On demand Manually (A5727) Counter DRBG KAT CAST On demand Manually (A5728) Counter DRBG KAT CAST On demand Manually (A5729) Counter DRBG KAT CAST On demand Manually (A5730) Counter DRBG KAT CAST On demand Manually (A5731) Hash DRBG KAT CAST On demand Manually (A5720) Hash DRBG KAT CAST On demand Manually (A5724) Hash DRBG KAT CAST On demand Manually (A5725) Hash DRBG KAT CAST On demand Manually (A5726) Hash DRBG KAT CAST On demand Manually (A5727) Hash DRBG KAT CAST On demand Manually (A5728) Hash DRBG KAT CAST On demand Manually (A5729) Hash DRBG KAT CAST On demand Manually (A5730) Hash DRBG KAT CAST On demand Manually (A5731) Hash DRBG KAT CAST On demand Manually (A5734) Hash DRBG KAT CAST On demand Manually (A5735) Hash DRBG KAT CAST On demand Manually (A5736) HMAC DRBG KAT CAST On demand Manually (A5720) HMAC DRBG KAT CAST On demand Manually (A5724) HMAC DRBG KAT CAST On demand Manually (A5725) HMAC DRBG KAT CAST On demand Manually (A5726) © 2025 Red Hat, Inc./ atsec information security corporation.

Page 69

Algorithm or Test Method Test Type Period Periodic Test Method HMAC DRBG KAT CAST On demand Manually (A5727) HMAC DRBG KAT CAST On demand Manually (A5728) HMAC DRBG KAT CAST On demand Manually (A5729) HMAC DRBG KAT CAST On demand Manually (A5730) HMAC DRBG KAT CAST On demand Manually (A5731) HMAC DRBG KAT CAST On demand Manually (A5734) HMAC DRBG KAT CAST On demand Manually (A5735) HMAC DRBG KAT CAST On demand Manually (A5736) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5720) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5734) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5735) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5736) Entropy Source RCT CAST On demand Manually RCT initialization Entropy Source APT CAST On demand Manually APT initialization Entropy Source RCT CAST On demand Manually continuous RCT Entropy Source APT CAST On demand Manually continuous APT Table 23: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 24: Error States © 2025 Red Hat, Inc./ atsec information security corporation.

Page 70

In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 71
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as a part of the Red Hat Enterprise Linux 8 (RHEL 8) package in the form of the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-hmaccalc1.2.0-3.el8_8 RPM packages. The module can achieve the FIPS validated configuration as follows.

11.2 Administrator Guidance

After installation of the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapihmaccalc-1.2.0-3.el8_8 RPM packages, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Red Hat Enterprise Linux 8 - Kernel Cryptographic API Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q libkcapi” commands. These commands must output the following (one line per output): 4.18.0-477.72.1.el8_8.x86_64 libkcapi-1.2.0-3.el8_8.x86_64

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-hmaccalc-1.2.0-3.el8_8 RPM packages can be uninstalled from the RHEL 8 system. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 72
12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this Section is not applicable. © 2025 Red Hat, Inc./ atsec information security corporation.

Page 73

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Red Hat, Inc./ atsec information security corporation.

Page 74

Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program

10 October 2024

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2025 Red Hat, Inc./ atsec information security corporation.

Page 75

SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf © 2025 Red Hat, Inc./ atsec information security corporation.