All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Summit Linux FIPS Core Crypto Module

Certificate#5090StandardFIPS 140-3Level1TypeFirmware-hybridEmbodimentMulti-Chip Stand AloneStatusActiveVendorEzurio
Medium review priority  ·  no TCB surface named  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeFirmware-hybrid
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/11/2030
CaveatWhen operated in approved mode and installed, initialized and configured as specified in Section 11.1 of the Security Policy; No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorEzurio

Approved Algorithms (70)

AlgorithmACVP Cert
AES-CBCA4712
AES-CBC-CS1A5004
AES-CBC-CS2A5004
AES-CBC-CS3A4714
AES-CCMA4712
AES-CFB1A5004
AES-CFB128A4724
AES-CFB8A4724
AES-CMACA4712
AES-CTRA4712
AES-ECBA4711
AES-GCMA4712
AES-GMACA4712
AES-KWA5004
AES-KWPA5004
AES-OFBA4723
AES-XTS Testing Revision 2.0A4712
Counter DRBGA4711
ECDSA KeyGen (FIPS186-5)A4711
ECDSA KeyVer (FIPS186-5)A5018
ECDSA SigGen (FIPS186-5)A5018
ECDSA SigVer (FIPS186-5)A5018
EDDSA KeyGenA5016
EDDSA SigGenA5016
EDDSA SigVerA5016
Hash DRBGA5015
HMAC DRBGA5015
HMAC-SHA-1A5018
HMAC-SHA2- 224A4711
HMAC-SHA2- 256A4711
HMAC-SHA2- 384A4711
HMAC-SHA2- 512A4711
HMAC-SHA2- 512/224A5018
HMAC-SHA2- 512/256A5018
HMAC-SHA3- 224A4713
HMAC-SHA3- 256A4713
HMAC-SHA3- 384A4713
HMAC-SHA3- 512A4713
KAS-ECC-SSC Sp800-56Ar3A4711
KAS-FFC-SSC Sp800-56Ar3A5014
KAS-IFC-SSCA5018
KDA HKDF Sp800-56Cr1A5013
KDA OneStep SP800-56Cr2A5012
KDA TwoStep SP800-56Cr2A5012
KDF ANS 9.42 (CVL)A5018
KDF ANS 9.63 (CVL)A5018
KDF KMAC Sp800-108r1A5017
KDF SP800-108A5017
KDF SSH (CVL)A5019
KDF TLS (CVL)A5018
KTS-IFCA5018
PBKDFA5018
RSA KeyGen (FIPS186-5)A5018
RSA SigGen (FIPS186-5)A5018
RSA SigVer (FIPS186-5)A5018
SHA-1A5018
SHA2-224A4711
SHA2-256A4711
SHA2-384A4711
SHA2-512A4711
SHA2-512/224A5018
SHA2-512/256A5018
SHA3-224A4713
SHA3-256A4713
SHA3-384A4713
SHA3-512A4713
SHAKE-128A5020
SHAKE-256A5020
TLS v1.2 KDF RFC7627 (CVL)A5018
TLS v1.3 KDF (CVL)A5013

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Non-Invasive Security8
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Summit Linux FIPS Core Crypto Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Kernel AES-ECB<br/>Kernel AES-CTR<br/>Kernel AES-CBC</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Summit Linux FIPS Core Crypto Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Kernel AES-ECB<br/>Kernel AES-CTR<br/>Kernel AES-CBC</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Ezurio Summit Linux FIPS Core Crypto Module Document Version: 1.1 Last Modified: 08/19/2025 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com © 2025 Ezurio / atsec information security.

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.1.1How this Security Policy was prepared5
1.2Security Levels5
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification8
2.3Excluded Components9
2.4Modes of Operation9
2.5Algorithms9
2.6Security Function Implementations19
2.7Algorithm Specific Information28
2.7.1AES GCM IV28
2.7.1.1TLS version 1.228
2.7.1.2TLS version 1.328
2.7.1.3IEEE 802.11 GCMP29
2.7.2AES XTS29
2.7.3Key derivation using SP 800-132 PBKDF229
2.7.4SP 800-56Ar3 Assurances30
2.7.5RSA Key Encapsulation30
2.7.6RSA Key Agreement31
2.7.7RSA SigGen and SigVer compliance31
2.7.8SHA-3 compliance31
2.7.9SHA-1 compliance to SP 800-131A rev231
2.8RBG and Entropy32
2.9Key Generation32
2.10Key Establishment33
2.11Industry Protocols33
3Cryptographic Module Interfaces34
3.1Ports and Interfaces34
4Roles, Services, and Authentication35
4.1Roles35
4.2Approved Services35
4.3Non-Approved Services54
5Software/Firmware Security55
5.1Integrity Techniques55
5.2Initiate on Demand55
6Operational Environment56
6.1Operational Environment Type and Requirements56
6.2Configuration Settings and Restrictions56
7Physical Security57
7.1Mechanisms and Actions Required57
8Non-Invasive Security58
8.1Mitigation Techniques58
9Sensitive Security Parameters Management59
9.1Storage Areas59
9.2SSP Input-Output Methods59
9.3SSP Zeroization Methods59
9.4SSPs60
9.5Transitions84
10Self-Tests85
10.1Pre-Operational Self-Tests85
10.2Conditional Self-Tests85
10.3Periodic Self-Test Information93
10.4Error States98
10.5Operator Initiation of Self-Tests98
11Life-Cycle Assurance99
11.1Installation, Initialization, and Startup Procedures99
11.2Administrator Guidance99
11.3Non-Administrator Guidance100
11.4End of Life100
12Mitigation of Other Attacks101
12.1Attack List101
Appendix A. Glossary and Abbreviations102
Appendix B. References103
Page 3

© 2025 Ezurio / atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Module Identification – Hybrid Disjoint Hardware8
Table 4: Tested Operational Environments - Software, Firmware, Hybrid9
Table 5: Modes List and Description9
Table 6: Approved Algorithms18
Table 7: Vendor-Affirmed Algorithms18
Table 8: Non-Approved, Not Allowed Algorithms19
Table 9: Security Function Implementations28
Table 10: Entropy Certificates32
Table 11: Entropy Sources32
Table 12: Ports and Interfaces34
Table 13: Roles35
Table 14: Approved Services53
Table 15: Non-Approved Services54
Table 16: Storage Areas59
Table 17: SSP Input-Output Methods59
Table 18: SSP Zeroization Methods60
Table 19: SSP Table 175
Table 20: SSP Table 284
Table 21: Pre-Operational Self-Tests85
Table 22: Conditional Self-Tests93
Table 23: Pre-Operational Periodic Information93
Table 24: Conditional Periodic Information97
Table 25: Error States98
Figure 1: Tested Operational Environment Physical Perimeter7
Figure 2: Block Diagram8
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical security1
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacks1
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the Summit Linux FIPS Core Crypto Module, firmware version 11.1, hardware version ATSAMA5D31, ATSAMA5D36. It contains the security rules under which the module must be operated and describes how this module meets the requirements as specified in FIPS 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module. This Security Policy contains non-proprietary information. All other documentation submitted for FIPS 140-3 conformance testing and validation is proprietary and is releasable only under appropriate non-disclosure agreements.

1.1.1 How this Security Policy was prepared

consolidated into this document by atsec information security together with other vendor-supplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Table 1: Security Levels N/A © 2025 Ezurio / atsec information security.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Summit Linux FIPS Core Crypto Module (hereafter referred to as the “module”) is a Firmware-Hybrid module supporting FIPS 140-3 Approved cryptographic algorithms. The module is composed by a hardware component, the ARM-based Microchip/Atmel microprocessor, and firmware components comprised of a kernel and OpenSSL library, and fipscheck binary. The firmware components provide a C language application program interface (API) for use by other processes that require cryptographic functionality. The module offers approved cryptographic functions in the Approved mode for, among other uses:

Page 7

(a) WB50NBT with Microchip/Atmel (b) SU60-SOMC 60 Series SOM (System on Module) ATSAMA5D31. with Microchip/Atmel ATSAMA5D36 Figure 1: Tested Operational Environment Physical Perimeter Figure 2 below shows the block diagram of the module. The cryptographic boundary is indicated with yellow blocks, distributed among hardware and firmware components. Blocks of another color do not belong to the cryptographic boundary. Users of the module interact through the API that are the logical interfaces data input, data output, control input, status output. A dotted line encompasses the module’s components that interface through the API. In Figure 2, users of the module are exemplified by applications. These applications may reside within the NAND Flash memory or may reside outside (but still within the physical perimeter), always interacting with the module’s API. The physical perimeter of the module is defined as the perimeter of the circuit board on which the module is installed. The filesystem and operating system reside on NAND Flash memory within the physical perimeter. © 2025 Ezurio / atsec information security.

Page 8
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeaturesPackageIntegrity Test
Image.gz, fips.so and fipscheck (application and library)11.1N/AImage.gz, fips.so and fipscheck (application and library)HMAC-SHA-256
ATSAMA5D31ATSAMA5D31ATSAMA5D31N/AN/AN/A
ATSAMA5D36ATSAMA5D36ATSAMA5D36N/AN/AN/A
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeaturesPackageIntegrity Test
Image.gz, fips.so and fipscheck (application and library)11.1N/AImage.gz, fips.so and fipscheck (application and library)HMAC-SHA-256
ATSAMA5D31ATSAMA5D31ATSAMA5D31N/AN/AN/A
ATSAMA5D36ATSAMA5D36ATSAMA5D36N/AN/AN/A
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa PaiHypervisor
Summit Linux 11.1Summit Linux 11.1Ezurio WB50NBT System-On-Module11.1Microchip/Atmel ATSAMA5D31, ARM Cortex A5-based (ARMv7)NoN/A
Summit Linux 11.1Summit Linux 11.1Ezurio 60 Series SOM (System on Module)11.1Microchip/Atmel ATSAMA5D36, ARM Cortex A5-based (ARMv7)NoN/A
Service
NameDescriptionIndicatorType
Non- approved modeAutomatically entered whenever a non-approved service is requestedEquivalent to the indicator of the requested service as defined in section 4.3Non- Approved

Tested Operational Environments - Software, Firmware, Hybrid: N/A N/A Table 4: Tested Operational Environments - Software, Firmware, Hybrid

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Nonapproved NonApproved Table 5: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services service that was requested.

2.5 Algorithms

Approved Algorithms: © 2025 Ezurio / atsec information security.

Page 10
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4712Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA4716Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA4719Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA4721Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS1A5004Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS2A5004Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A4714Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A4718Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A4720Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A4722Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A5004Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA4712Key Length - 128, 192, 256SP 800-38C
AES-CCMA4716Key Length - 128, 192, 256SP 800-38C
AES-CCMA4719Key Length - 128, 192, 256SP 800-38C
AES-CCMA4721Key Length - 128, 192, 256SP 800-38C
AES-CCMA5004Key Length - 128, 192, 256SP 800-38C
AES-CFB1A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A4724Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A4724Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA4712Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CMACA4716Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CMACA4719Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CMACA4721Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CMACA5004Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA4712Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4716Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4719Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4721Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4711Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4712Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4715Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4716Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4717Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4719Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4721Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA5019Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA4712Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GCMA4715Direction - Decrypt, Encrypt IV Generation - ExternalSP 800-38D
AES-GCMA4717Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GCMA4719Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GCMA4721Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GCMA5008Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256SP 800-38D
AES-GMACA4712Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA4719Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA4721Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA5008Direction - Decrypt, Encrypt IV Generation - External IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-KWA5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWPA5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA4723Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-OFBA5004Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A4712Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
AES-XTS Testing Revision 2.0A4716Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
AES-XTS Testing Revision 2.0A4719Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
AES-XTS Testing Revision 2.0A4721Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
AES-XTS Testing Revision 2.0A5004Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA4711Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA4712Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA4715Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA4717Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA4719Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA4721Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
Counter DRBGA5015Prediction Resistance - No, Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-5)A4711Curve - P-256, P-384 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyGen (FIPS186-5)A5018Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyVer (FIPS186-5)A5018Curve - P-224, P-256, P-384, P-521FIPS 186-5
ECDSA SigGen (FIPS186-5)A5018Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2- 512, SHA2-512/224, SHA2-512/256 Component - NoFIPS 186-5
ECDSA SigGen (FIPS186-5)A5020Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - NoFIPS 186-5
ECDSA SigVer (FIPS186-5)A5018Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2- 512, SHA2-512/224, SHA2-512/256FIPS 186-5
ECDSA SigVer (FIPS186-5)A5020Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-5
EDDSA KeyGenA5016Curve - ED-25519, ED-448FIPS 186-5
EDDSA SigGenA5016Curve - ED-25519, ED-448FIPS 186-5
EDDSA SigVerA5016Curve - ED-25519, ED-448FIPS 186-5
Hash DRBGA5015Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC DRBGA5015Prediction Resistance - No, Yes Mode - SHA-1, SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA-1A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A4711Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A4712Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A4716Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 224A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A4711Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A4712Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A4716Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 256A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A4711Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A4712Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A4716Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 384A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A4711Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A4712Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A4716Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A5018Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 224A4713Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 224A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 256A4713Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 256A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 384A4713Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 384A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 512A4713Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
HMAC-SHA3- 512A5020Key Length - Key Length: 112-524288 Increment 8FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A4711Domain Parameter Generation Methods - P-256, P-384 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-ECC-SSC Sp800-56Ar3A5018Domain Parameter Generation Methods - P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A5014Domain Parameter Generation Methods - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme -SP 800-56A Rev. 3
KAS-IFC-SSCA5018Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1- prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responderSP 800-56A Rev. 3
KDA HKDF Sp800-56Cr1A5013Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512SP 800-56C Rev. 2
KDA OneStep SP800-56Cr2A5012Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8SP 800-56C Rev. 2
KDA TwoStep SP800-56Cr2A5012MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8SP 800-56C Rev. 2
KDF ANS 9.42 (CVL)A5018KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.42 (CVL)A5020KDF Type - DER Hash Algorithm - SHA3-224, SHA3-256, SHA3-384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.63 (CVL)A5018Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2- 512, SHA2-512/224, SHA2-512/256 Key Data Length - Key Data Length: 128-4096 Increment 8SP 800-135 Rev. 1
KDF KMAC Sp800-108r1A5017Derived Key Length - Derived Key Length: 112-4096 Increment 8SP 800-108 Rev. 1
KDF SP800-108A5017KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 112, 128, 776, 3456, 4096SP 800-108 Rev. 1
KDF SSH (CVL)A5019Cipher - AES-128, AES-192, AES-256, TDES Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512SP 800-135 Rev. 1
KDF TLS (CVL)A5018TLS Version - v1.0/1.1SP 800-135 Rev. 1
KMAC-128A5020Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KMAC-256A5020Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KTS-IFCA5018Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1- prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 768SP 800-56B Rev. 2
PBKDFA5018Iteration Count - Iteration Count: 1000-10000 Increment 1 Password Length - Password Length: 14-128 Increment 1SP 800-132
PBKDFA5020Iteration Count - Iteration Count: 1000-10000 Increment 1 Password Length - Password Length: 14-128 Increment 1SP 800-132
RSA KeyGen (FIPS186-5)A5018Key Generation Mode - probableWithProbableAux Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standardFIPS 186-5
RSA SigGen (FIPS186-5)A5018Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
RSA SigVer (FIPS186-5)A5018Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
Safe Primes Key GenerationA5014Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- 4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
Safe Primes Key VerificationA5014Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- 4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
SHA-1A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-224A4711Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-224A4712Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-224A4716Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-224A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A4711Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A4712Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A4716Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4711Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4712Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4716Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A4711Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A4712Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A4716Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512/224A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512/256A5018Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA3-224A4713Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-224A5020Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-256A4713Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-256A5020Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-384A4713Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-384A5020Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-512A4713Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-512A5020Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHAKE-128A5020Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A5020Output Length - Output Length: 16-65536 Increment 8FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A5018Hash Algorithm - SHA2-256, SHA2-384, SHA2-512SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A5013HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHESP 800-135 Rev. 1

© 2025 Ezurio / atsec information security.

Page 11

© 2025 Ezurio / atsec information security.

Page 12

© 2025 Ezurio / atsec information security.

Page 13
2.0 2.0 2.0 2.0 2.0 © 2025 Ezurio / atsec information security.
Page 14

HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2384 © 2025 Ezurio / atsec information security.

Page 15

HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA3512 © 2025 Ezurio / atsec information security.

Page 16

© 2025 Ezurio / atsec information security.

Page 17

© 2025 Ezurio / atsec information security.

Page 18
Service
NameApproved FunctionsProperties
Asymmetric keygen (CKG)Type:asymmetricN/ASection 4 example 1 per SP 800-133rev2
FIPS provider PBKDF with salt length less than 128 bitsKey derivation
Service
NameDescriptionApproved FunctionsTypeProperties
Asymmetric keygen (CKG)Type:asymmetricN/ASection 4 example 1 per SP 800-133rev2
FIPS provider PBKDF with salt length less than 128 bitsKey derivation
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivation
FIPS provider TLSv1.2 KDF without using EMSKey derivation
FIPS provider AES GCM using externally generated IVEncryption/Decryption
Kernel AES- CCM (KTS- Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A4712, A4716, A4719, A4721)KTS-WrapKeys: 128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES- GCM (KTS- Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A4712, A4715, A4717, A4719, A4721)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CBC with HMACKey Wrapping, Key UnwrappingAES-CBC: (A4712, A4716, A4719, A4721) HMAC-SHA2- 256: (A4711, A4712, A4716) HMAC-SHA2- 384: (A4711, A4712, A4716) HMAC-SHA2- 512: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CTR with HMACKey Wrapping, Key UnwrappingAES-CTR: (A4712, A4716, A4719, A4721) HMAC-SHA2- 256: (A4711, A4712, A4716) HMAC-SHA2- 384: (A4711, A4712, A4716) HMAC-SHA2- 512: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G

Table 6: Approved Algorithms Vendor-Affirmed Algorithms: N/A Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2025 Ezurio / atsec information security.

Page 19
Service
NameDescriptionApproved FunctionsTypeProperties
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivation
FIPS provider TLSv1.2 KDF without using EMSKey derivation
FIPS provider AES GCM using externally generated IVEncryption/Decryption
Kernel AES- CCM (KTS- Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A4712, A4716, A4719, A4721)KTS-WrapKeys: 128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES- GCM (KTS- Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A4712, A4715, A4717, A4719, A4721)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CBC with HMACKey Wrapping, Key UnwrappingAES-CBC: (A4712, A4716, A4719, A4721) HMAC-SHA2- 256: (A4711, A4712, A4716) HMAC-SHA2- 384: (A4711, A4712, A4716) HMAC-SHA2- 512: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel AES CTR with HMACKey Wrapping, Key UnwrappingAES-CTR: (A4712, A4716, A4719, A4721) HMAC-SHA2- 256: (A4711, A4712, A4716) HMAC-SHA2- 384: (A4711, A4712, A4716) HMAC-SHA2- 512: (A4711, A4712, A4716)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
Kernel KAS- ECC-SSCShared Secret ComputationKAS-ECC-SSC Sp800-56Ar3: (A4711)KAS-SSCCurves:Curves : P-256, P-384 elliptic curves with 128 and 192 bits of key strength Compliance : Compliant with IG D.F scenario 2(1)
Kernel AES-ECBEncryption/DecryptionAES-ECB: (A4711, A4712, A4715, A4716, A4717, A4719, A4721)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-CTREncryption/DecryptionAES-CTR: (A4712, A4716, A4719, A4721)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-CBCEncryption/DecryptionAES-CBC: (A4712, A4716, A4719, A4721)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES- CBC-CS3Encryption/DecryptionAES-CBC-CS3: (A4714, A4718, A4720, A4722)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES- CFB8Encryption/DecryptionAES-CFB8: (A4724)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES- CFB128Encryption/DecryptionAES-CFB128: (A4724)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-XTSEncryption/DecryptionAES-XTS Testing Revision 2.0: (A4712, A4716, A4719, A4721)BC-UnAuthKeys:128, 256 bits with 128 and 256 bits of key strength
Kernel AES- CCM (BC-Auth)Authenticated Encryption/DecryptionAES-CCM: (A4712, A4716, A4719, A4721)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES- GCM (BC-Auth)Authenticated Encryption/DecryptionAES-GCM: (A4712, A4715, A4717, A4719, A4721)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES-OFBEncryption/DecryptionAES-OFB: (A4723)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES- CMACMessage authentication code (MAC)AES-CMAC: (A4712, A4716, A4719, A4721)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel AES- GMACMessage authentication code (MAC)AES-GMAC: (A4712, A4719, A4721)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
Kernel Counter DRBGRandom Number GenerationCounter DRBG: (A4711, A4712, A4715, A4717, A4719, A4721)DRBGCompliance:Compliant with SP800-90ARev1
Kernel ECDSA Key GenerationKey GenerationECDSA KeyGen (FIPS186-5): (A4711) Asymmetric keygen (CKG): () Type: asymmetricCKG
Kernel HMACMessage authentication code (MAC)HMAC-SHA2- 224: (A4711, A4712, A4716) HMAC-SHA2- 256: (A4711, A4712, A4716) HMAC-SHA2- 384: (A4711, A4712, A4716) HMAC-SHA2- 512: (A4711, A4712, A4716) HMAC-SHA3- 224: (A4713) HMAC-SHA3- 256: (A4713) HMAC-SHA3- 384: (A4713) HMAC-SHA3- 512: (A4713)MACKeys:112-256 bits with 112-256 bits of key strength
Kernel HashesHashingSHA2-224: (A4711, A4712, A4716) SHA2-256: (A4711, A4712, A4716) SHA2-384: (A4711, A4712, A4716) SHA2-512: (A4711, A4712,SHA
FIPS provider AES-CCM (KTS- Wrap)Key Unwrapping, Key UnwrappingAES-CCM: (A5004)KTS-WrapKeys: 128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider AES-GCM (KTS- Wrap)Key Wrapping, Key UnwrappingAES-GCM: (A5008)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider KAS-IFC-SSCShared Secret ComputationKAS-IFC-SSC: (A5018)KAS-SSCKeys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength Compliance : Compliant with IG D.F scenario 1(1)
FIPS provider KTS-IFCKey encapsulation, Key unencapsulationKTS-IFC: (A5018)KTS-EncapKeys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength respectively Compliance:Compliant with IG D.G
FIPS provider Safe Primes Key GenerationKey GenerationSafe Primes Key Generation: (A5014) Asymmetric keygen (CKG): () Type: asymmetricCKG
FIPS provider Safe Primes Key VerificationKey VerificationSafe Primes Key Verification: (A5014)AsymKeyPair- KeyVerGroups:MODP-2048, MODP-3072, MODP- 4096, MODP-6144,
FIPS provider KAS-FFC-SSCShared Secret ComputationKAS-FFC-SSC Sp800-56Ar3: (A5014)KAS-SSCKeys:2048, 3072, 4096, 6144, 8192-bit keys with 112-200 bits of key strength Compliance : Compliant with IG D.F scenario 2(1)
FIPS provider KAS-ECC-SSCShared Secret ComputationKAS-ECC-SSC Sp800-56Ar3: (A5018)KAS-SSCCurves:P-224, P-256, P-384, P-521 elliptic curves with 112-256 bits of key strength Compliance : Compliant with IG D.F scenario 2(1)
FIPS provider AES KWKey Wrapping, Key UnwrappingAES-KW: (A5004)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider AES KWPKey Wrapping, Key UnwrappingAES-KWP: (A5004)KTS-WrapKeys:128, 192, 256-bit keys with 128, 192, 256 bits of key strength, respectively Compliance:Compliant with IG D.G
FIPS provider AES-ECBEncryption/DecryptionAES-ECB: (A5004, A5019)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CTREncryption/DecryptionAES-CTR: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBCEncryption/DecryptionAES-CBC: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBC-CS1Encryption/DecryptionAES-CBC-CS1: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBC-CS2Encryption/DecryptionAES-CBC-CS2: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CBC-CS3Encryption/DecryptionAES-CBC-CS3: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CFB1Encryption/DecryptionAES-CFB1: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CFB8Encryption/DecryptionAES-CFB8: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CFB128Encryption/DecryptionAES-CFB128: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-XTSEncryption/DecryptionAES-XTS Testing Revision 2.0: (A5004)BC-UnAuthKeys:128, 256 bits with 128 and 256 bits of key strength
FIPS provider AES-CCM (BC- Auth)Authenticated Encryption/DecryptionAES-CCM: (A5004)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-GCM (BC- Auth)Authenticated Encryption/DecryptionAES-GCM: (A5008)BC-AuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-OFBEncryption/DecryptionAES-OFB: (A5004)BC-UnAuthKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-CMACMessage authentication code (MAC)AES-CMAC: (A5004)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider AES-GMACMessage authentication code (MAC)AES-GMAC: (A5008)MACKeys:128, 192, 256 bits with 128-256 bits of key strength
FIPS provider Counter DRBGRandom Number GenerationCounter DRBG: (A5015)DRBGCompliance:Compliant with SP800-90ARev1
FIPS provider Hash DRBGRandom Number GenerationHash DRBG: (A5015)DRBGCompliance:Compliant with SP800-90ARev1
FIPS provider HMAC DRBGRandom Number GenerationHMAC DRBG: (A5015)DRBGCompliance:Compliant with SP800-90ARev1
FIPS provider ECDSA Key GenerationKey GenerationECDSA KeyGen (FIPS186-5): (A5018) Asymmetric keygen (CKG): () Type: asymmetricCKG
FIPS provider ECDSA Key VerificationKey VerificationECDSA KeyVer (FIPS186-5): (A5018)AsymKeyPair- KeyVerCurves:P-224, P-256, P-384, P-521
FIPS provider ECDSA Signature GenerationSignature GenerationECDSA SigGen (FIPS186-5): (A5018, A5020)DigSig-SigGenCurves:P-224, P-256, P-384, P-521
FIPS provider ECDSA Signature VerificationSignature VerificationECDSA SigVer (FIPS186-5): (A5018, A5020)DigSig-SigVerCurves:P-224, P-256, P-384, P-521
FIPS provider EDDSA Key GenerationKey GenerationEDDSA KeyGen: (A5016) Asymmetric keygen (CKG): () Type: asymmetricCKG
FIPS provider EDDSA Signature GenerationSignature GenerationEDDSA SigGen: (A5016)DigSig-SigGenCurves:Ed25519, Ed448
FIPS provider EDDSA Signature VerificationSignature VerificationEDDSA SigVer: (A5016)DigSig-SigVerCurves:Ed25519, Ed448
FIPS provider RSA Key GenerationKey GenerationRSA KeyGen (FIPS186-5): (A5018) Asymmetric keygen (CKG): () Type: asymmetricCKG
FIPS provider RSA Signature GenerationSignature GenerationRSA SigGen (FIPS186-5): (A5018)DigSig-SigGenKeys:2048, 3072, 4096 keys with 112-150 bits of key strength respectively
FIPS provider RSA Signature Verification (Legacy)Signature Verification using SHA-1 message digestRSA SigGen (FIPS186-5): (A5018)DigSig-SigVerKeys:2048, 3072, 4096 keys with 112-150 bits of key strength respectively
FIPS provider RSA Signature VerificationSignature VerificationRSA SigVer (FIPS186-5): (A5018)DigSig-SigVerKeys:2048, 3072, 4096 keys with 112-150 bits of key strength respectively
FIPS provider HMACMessage authentication code (MAC)HMAC-SHA-1: (A5018) HMAC-SHA2- 224: (A5018) HMAC-SHA2- 256: (A5018) HMAC-SHA2- 384: (A5018) HMAC-SHA2- 512: (A5018) HMAC-SHA2- 512/224: (A5018) HMAC-SHA2- 512/256: (A5018) HMAC-SHA3- 224: (A5020) HMAC-SHA3- 256: (A5020) HMAC-SHA3- 384: (A5020) HMAC-SHA3- 512: (A5020)MACKeys:112-256 bits with 112-256 bits of key strength
FIPS provider KMACMessage authentication code (MAC)KMAC-128: (A5020) KMAC-256: (A5020)MACKeys:112-256 bits with 112-256 bits of key strength
FIPS provider HashesHashingSHA-1: (A5018) SHA2-224: (A5018) SHA2-256: (A5018) SHA2-384: (A5018) SHA2-512: (A5018) SHA2-512/224: (A5018) SHA2-512/256: (A5018) SHA3-224: (A5020) SHA3-256: (A5020) SHA3-384: (A5020)SHA
FIPS provider ANS 9.42 Key Derivation (CVL)Key DerivationKDF ANS 9.42: (A5018, A5020)KAS-135KDFOID:AES-128-KW, AES-192-KW, AES- 256-KW with 128, 192, 256 bits of key strength, respectively
FIPS provider ANS 9.63 Key Derivation (CVL)Key DerivationKDF ANS 9.63: (A5018)KAS-135KDFKey data length:128- 4096 bits
FIPS provider TLS 1.0 and 1.1 Key Derivation (CVL)Key DerivationKDF TLS: (A5018)KAS-135KDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider TLS 1.2 Key Derivation (CVL)Key DerivationTLS v1.2 KDF RFC7627: (A5018)KAS-135KDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider TLS 1.3 Key Derivation (CVL)Key DerivationTLS v1.3 KDF: (A5013)KAS-135KDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider HKDF Key DerivationKey DerivationKDA HKDF Sp800-56Cr1: (A5013)KAS-56CKDFDerived key:112-256 bits with 112-256 bits of key strength
FIPS provider Password-based Key DerivationKey DerivationPBKDF: (A5018, A5020)PBKDFDerived key:112-4096 bits with 112-150 bits of key strength
FIPS provider OneStep Key DerivationKey DerivationKDA OneStep SP800-56Cr2: (A5012)KAS-56CKDFDerived key:2048 bits with 112 bits of key strength
FIPS provider TwoStep Key DerivationKey DerivationKDA TwoStep SP800-56Cr2: (A5012)KAS-56CKDFDerived key:2048 bits with 112 bits of key strength
FIPS provider KMAC Key DerivationKey DerivationKDF KMAC Sp800-108r1: (A5017)KBKDFDerived key:112-4096 bits with 112-150 bits of key strength
FIPS provider KBKDF Key DerivationKey Derivation.KDF SP800-108: (A5017)KBKDFDerived key:112-4096 bits with 112-150 bits of key strength
FIPS provider SSH Key DerivationKey DerivationKDF SSH: (A5019)KAS-135KDFKeys:128, 192, 256 bits with 128-256 bits of key strength

Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Kernel AESCCM (KTSWrap) Kernel AESGCM (KTSWrap) © 2025 Ezurio / atsec information security.

Page 20

Kernel AESCFB8 Kernel AESCFB128 Kernel AESCMAC © 2025 Ezurio / atsec information security.

Page 21

Kernel AESGMAC © 2025 Ezurio / atsec information security.

Page 22

AsymKeyPairKeyVer © 2025 Ezurio / atsec information security.

Page 23

© 2025 Ezurio / atsec information security.

Page 24

© 2025 Ezurio / atsec information security.

Page 25

AsymKeyPairKeyVer © 2025 Ezurio / atsec information security.

Page 26

© 2025 Ezurio / atsec information security.

Page 27

© 2025 Ezurio / atsec information security.

Page 28

Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

AES-GCM encryption and decryption are used in the context of the TLS protocol version 1.2 and 1.3 using the FIPS provider component (corresponding to Scenario 1 and 5 of IG C.H), and in the context of IEEE 802.11 GCMP using the kernel/hardware components (corresponding to Scenario 5 of IG C.H). For IPsec, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary, compliant with Scenario 2 of FIPS 140-3 IG C.H. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL iv value. When this is the case, the API will set a non-approved service indicator.

2.7.1.1 TLS version 1.2

For TLS v1.2, the module uses the context of Scenario 1 of IG C.H. The module is compliant with SP 80052rev2 section 3.3.1, and the mechanism for IV generation is compliant with RFC5288. For this compliance, the module’s implementation of the AES-GCM shall be used together with an application that negotiates the protocol session’s keys and the 32-bit nonce value of the IV. The setting of the counter portion of the IV is performed within the cryptographic boundary. The nonce explicit part of the IV does not exhaust the maximum number of possible values for a given session key. This condition is implicitly ensured by the design of the TLS protocol, in which the nonce_explicit is denied exhaustion by the control exerted by the protocol’s management logic (wherein the nonce_explicit is incremented per each TLS record). This management logic also implies that the probability of an exhaustion of all 264

2.7.1.2 TLS version 1.3

For TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that © 2025 Ezurio / atsec information security.

Page 29

explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. TLS 1.3 employs separate 64-bit sequence numbers, one for protocol records that are received, and one for protocol records that are sent to a peer. These sequence numbers are set at zero at the beginning of a TLS 1.3 connection and each time when the AES-GCM key is changed. After reading or writing a record, the respective sequence number is incremented by one. The protocol specification determines that the sequence number should not wrap, and if this condition is observed, then the protocol implementation must either trigger a re-key of the session (i.e., a new key for AESGCM) or terminate the connection. The module implements, within its boundary, an IV generation unit for TLS 1.3 that keeps control of the 64-bit counter value within the AES-GCM IV. The module explicitly ensures that the 64-bit counter is monotonically increasing at each invocation of the AES-GCM for the same encryption key, and that this counter does not exhaust all its possible values. If this exhaustion condition is observed, the module will return an error indication to the calling application who will then need to either trigger a re-key of the session (i.e., a new key for AES-GCM) or terminate the connection. The module will refuse a new AES-GCM encryption for the same key and IV under this scenario. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established.

2.7.1.3 IEEE 802.11 GCMP

The kernel component is in compliance with FIPS 140-3 IG C.H scenario 5 for the WPA2 protocol. Specifically, GCMP is defined in IEEE 802.11ac-2013. For IEEE 802.11 GCMP, the module implements an internal production unit logic that constructs the IV deterministically upon the initialization of a GCMP connection, and therefore the initialization of a GCM encryption context. In case the module's power is lost and then restored, the key used for AES GCM encryption or decryption shall be re-distributed.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2 20 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.3 Key derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met: © 2025 Ezurio / atsec information security.

Page 30
2.7.4 SP 800-56Ar3 Assurances

Kernel Component: The module offers ECDH shared secret computation services compliant to the SP 80056ARev3. In order to meet the required assurances listed in section 5.6 of SP 800-56ARev3, the module shall be used together with an application that implements the "IPsec protocol" and the following steps shall be performed. The entity using the module, must use the module's "key pair generation" service for generating ECDH ephemeral keys. The key generation service performs full public key validation. This meets the assurances required by key pair owner defined in the section 5.6.2.1 of SP 800-56ARev3. The consumer using the module doesn't need to obtain assurance of the peer's possession of private key as the module only makes use of ephemeral keys. As part of the module’s shared secret computation service, the module internally performs the public key validation on the peer's public key passed in as input to the SSC function. This meets the public key validity assurance required by the sections 5.6.2.2.1/5.6.2.2.2 of SP 800-56ARev3. FIPS provider Component: The module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3. To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module together with an application that implements the TLS protocol. Additionally, the module’s approved key pair generation service must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3.

2.7.5 RSA Key Encapsulation

To comply with SP800-56Br2 assurances found in its Section 6 (specifically SP800-56Br2 Section 6.4 Required Assurances) the entity using the module must obtain required assurances listed in section 6.4 of SP 800-56Br2 by performing the following steps: 1. The entity requesting the RSA key un-encapsulation service from the module, shall only use an RSA private key that was generated by an active FIPS validated module that implements FIPS 186-5 compliant RSA key generation service and performs the key pair validity and the pairwise consistency as stated in © 2025 Ezurio / atsec information security.

Page 31

section 6.4.1.1 of the SP 800-56Br2. Additionally, the entity shall renew these assurances over time by using any method described in section 6.4.1.5 of the SP 800-56Br2. 2. For use of an RSA key encapsulation service in the context of key transport per IG D.G the entity using the module shall: a. verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). b. confirm the peer’s possession of private key by using any method specified in section 6.4.2.3 of the SP 800-56Br2. Only after the above assurances are successfully met, shall the entity use the peer’s public key to perform the RSA key encapsulation service of the module.

2.7.6 RSA Key Agreement

To comply with the assurances found in Section 6.4 of SP 800-56Br2, the module’s approved RSA key pair generation service must be used to generate the RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validity and the pairwise consistency according to section 6.4.1.1 of SP 800-56Br2. Additionally, the entity requesting the shared secret computation service shall verify the validity of the peer’s public key using the public key validation service of the module (EVP_PKEY_check() API). This service will perform the full public key validation of the peer’s public key, complying with Section 6.4.2.1 of SP 800-56Br2.

2.7.7 RSA SigGen and SigVer compliance

The module provides RSA signature generation and signature verification compliant with IG C.F. The module supports RSA modulus lengths of 2048, 3072, and 4096 bits for signature generation and 1024, 2048, 3072, and 4096 for signature verification. The RSA signature generation and signature verification implementations have been tested for all implemented RSA modulus lengths. The number of Miller-Rabin tests is consistent with the bit sizes of p and q from Table B.1 of FIPS 186-4.

2.7.8 SHA-3 compliance

The module provides SHA-3 and SHAKE hash functions compliant with IG C.C. Every implementation of each SHA-3 and SHAKE functions were tested and validated on all of the module’s operating environments. SHA-3 hash functions are also used as part of a higher-level algorithm for HMAC. SHAKE functions are only used a standalone algorithms.

2.7.9 SHA-1 compliance to SP 800-131A rev2

© 2025 Ezurio / atsec information security.

Page 32
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Summit CPU Time Jitter RNG Entropy SourceNon- Physical256 bitsSummit Linux 11.1 on Microchip SAMA5D3 ATSAMA5D31 and Linux 11.1 on Microchip SAMA5D3 ATSAMA5D36full entropyA4713 (SHA3-256)
CertVendor
NumberName
E119Ezurio

SHA-1 from FIPS provider Message Digest service is only approved for non-digital-signature uses. SHA-1 used within Digital Signature Verification is considered Legacy (approved) per IG C.M. Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. Table 10: Entropy Certificates NonPhysical Table 11: Entropy Sources The module implements multiple DRBGs compliant with SP800-90A for random number generation and the creation of key components of asymmetric keys. The kernel component of the module implements a CTR_DRBG while the FIPS provider component of the module implements a CTR_DRBG, Hash_DRBG and HMAC_DRBG. Each of these DRBG is seeded with full entropy using an entropy source listed in the above table. For internal usage, module uses an SP800-90Ar1 CTR_DRBG with AES-256 as the default DRBG in both the Kernel and the FIPS Provider components. Note: Per FIPS 140-3 IG C.L please make sure to select the appropriate hash function when instantiating HMAC or Hash DRBG based on the minimum-security strength required for the generated random bits.

2.9 Key Generation

For generating RSA, ECDSA, Diffie-Hellman, EC Diffie-Hellman keys for the FIPS provider component and ECDSA keys for Kernel component, the module implements asymmetric key generation services compliant with FIPS186-5 or SP800-56Arev3 as applicable and using a DRBG compliant with SP800-90A. The random value used in asymmetric key generation is obtained from the DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per Section 4 of SP800-133rev2 (vendor affirmed). Additionally, the module implements the following key derivation methods according to section 6.2 of SP 800133r2:

Page 33
2.10 Key Establishment

The module implements following key establishments methods that are listed in the Security Function Implementations table: - shared secret computation for KAS-IFC-SSC, KAS-FFC-SSC KAS-ECC-SSC - key transport for KTS-IFC and KTS-Wrap

2.11 Industry Protocols

Only the Key Derivation Functions have been validated by the CAVP No other part of the SSH, IKE or TLS protocols are implemented or have been tested by the CAVP and CMVP. For DH, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS) as listed in Approved Services table. Note that the module only implements key pair generation, key pair verification, and shared secret computation. SSH KDF, TLS 1.0/1.1 KDF, TLS 1.2 KDF (RFC 7627), TLS 1.3 KDF implementations shall only be used to generate secret keys in the context of the SSH, TLS 1.0/1.1, TLS 1.2, or TLS 1.3 protocols, respectively. Note that TLS 1.2 KDF must be compliant with RFC 7627 to be considered approved. ANS X9.42 KDF and ANS X9.63 KDF implementations shall only be used to generate secret keys in the context of an ANS X9.42-2001 resp. ANS X9.63-2001 key agreement scheme. © 2025 Ezurio / atsec information security.

Page 34
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI data input parameters, AF_ALG type sockets (kernel component)
N/AN/AData OutputAPI output parameters, AF_ALG type sockets (kernel component)
N/AN/AControl InputAPI function calls, API control input parameters, AF_ALG type sockets (kernel component), kernel command line (kernel component)
N/AN/AStatus OutputAPI return values, error queue (FIPS provider component), AF_ALG type sockets (kernel component), kernel logs (kernel component)
N/AN/APowerThe hardware component of the module receives power from the circuit board on which the module is installed. The power input is not applicable for the firmware components.
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A N/A Table 12: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. © 2025 Ezurio / atsec information security.

Page 35
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
Kernel Encryptio nEncryptio nCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- CFB8 Kernel AES- CFB128 Kernel AES- XTS Kernel AES- OFBcrypto_skcipher_setkey returns 0AES key, plaintextciphertex t
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
Kernel Encryptio nEncryptio nCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- CFB8 Kernel AES- CFB128 Kernel AES- XTS Kernel AES- OFBcrypto_skcipher_setkey returns 0AES key, plaintextciphertex t
Kernel Decryptio nDecryptio nCrypto Officer - Kernel AES key: W,EKernel AES- ECB Kernel AES- CTR Kernel AES- CBC Kernel AES- CBC- CS3 Kernel AES- CFB8 Kernel AES- CFB128 Kernel AES- XTS Kernel AES- OFBcrypto_skcipher_setkey returns 0AES key, ciphertex tplaintext
Kernel Authentic ated Encryptio nEncryptio nCrypto Officer - Kernel AES key: W,EKernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)crypto_aead_setkey returns 0AES key, IV, plaintextciphertex t
Kernel Authentic ated Decryptio nDecryptio nCrypto Officer - Kernel AES key: W,EKernel AES- CCM (BC- Auth) Kernel AES- GCMcrypto_aead_setkey returns 0AES key, IV, MAC tag, ciphertex tplaintext
Kernel key wrappingWrap a keyCrypto Officer - Kernel AES key: W,EKernel AES- CCM (KTS- Wrap) Kernel AES- GCM (KTS- Wrap) Kernel AES CBC with HMAC Kernel AES CTR with HMACcrypto_skcipher_setkey returns 0; crypto_aead_setkey returns 0; crypto_shash_init returns 0AES key, key to be wrappedwrapped key
Kernel key unwrappin gunwrap a keyCrypto Officer - Kernel AES key: W,EKernel AES- CCM (KTS- Wrap) Kernel AES- GCM (KTS- Wrap) Kernel AES CBC with HMAC Kernel AES CTR with HMACcrypto_skcipher_setkey returns 0; crypto_aead_setkey returns 0; crypto_shash_init returns 0AES key, key to be unwrapp edunwrapp ed key
Kernel AES Message Authentic ationcompute a MAC tagCrypto Officer - Kernel AES key: W,EKernel AES- CMAC Kernel AES- GMACcrypto_shash_init returns 0AES key, messageMAC tag
Kernel HMAC Message Authentic ationcompute a MAC tagCrypto Officer - Kernel HMAC key: W,EKernel HMACcrypto_shash_init returns 0HMAC key, messageMAC tag
Kernel Message Digestcompute a message digestCrypto OfficerKernel Hashescrypto_shash_init returns 0messagedigest value
Kernel ECC Shared Secret Computati oncompute a shared secretCrypto Officer - Kernel EC public key: W,E - Kernel EC private key: W,E - Kernel shared secret: W,EKernel KAS- ECC- SSCcrypto_kpp_compute_shared_se cret returns 0EC public key, EC private keyShared Secret
Kernel Random Number Generatio ngenerate random bytesCrypto Officer - Entropy input: W,E - DRBG seed: G,E - Internal state (V, C): G,W,EKernel Counter DRBGcrypto_rng_get_bytes returns 0output lengthrandom data
Kernel EC Key generationgenerate key pairCrypto Officer - Kernel EC public key: G,R - Kernel EC private key: G,R - KernelKernel ECDSA Key Generati oncrypto_kpp_set_secret and crypto_kpp_generate_public_ke y return 0CurveEC keys
FIPS provider Message Digestcompute a message digestCrypto OfficerFIPS provider Hashes_SUMMIT_FIPS_INDICATOR_ APPROVEDmessagedigest value
FIPS provider Encryptio nEncrypt plaintextCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CTR FIPS provider AES- CBC FIPS provider AES- ECB FIPS provider AES- CBC- CS1 FIPS provider AES- CBC- CS2 FIPS provider AES- CBC- CS3 FIPS provider AES- CFB1 FIPS provider AES-_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, plaintextciphertex t
FIPS provider Decryptio nDecrypt ciphertex tCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CTR FIPS provider AES- CBC FIPS provider AES- ECB FIPS provider AES- CBC- CS1 FIPS provider AES- CBC- CS2 FIPS provider AES- CBC- CS3 FIPS provider AES-_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, ciphertex tplaintext
FIPS provider Authentic ated Encryptio nEncrypt plaintextCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CCM (BC- Auth) FIPS provider AES- GCM (BC- Auth)_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, IV, plaintextciphertex t
FIPS provider Authentic ated Decryptio nDecrypt ciphertex tCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CCM (BC- Auth) FIPS provider AES- GCM (BC- Auth)_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, IV, MAC tag, ciphertex tplaintext
FIPS provider AES Message Authentic ationcompute a MAC tagCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CMAC FIPS provider AES- GMAC_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, messageMAC tag
FIPS provider HMAC Message Authentic ationcompute a MAC tagCrypto Officer - FIPS provider HMAC key: W,EFIPS provider HMAC_SUMMIT_FIPS_INDICATOR_ APPROVEDHMAC key, messageMAC tag
FIPS provider FFC Shared Secret Computati oncompute a shared secretCrypto Officer - FIPS provider DH public key: W,E - FIPS provider DH private key: W,EFIPS provider KAS- FFC- SSC_SUMMIT_FIPS_INDICATOR_ APPROVEDDH private key, DH public keyShared Secret
FIPS provider ECC Shared Secret Computati oncompute a shared secretCrypto Officer - FIPS provider EC public key: W,E - FIPS provider EC private key: W,E - FIPS provider shared secret: W,EFIPS provider KAS- ECC- SSC_SUMMIT_FIPS_INDICATOR_ APPROVEDEC public key, EC private keyShared Secret
FIPS provider IFC Shared Secretcompute a shared secretCrypto Officer - FIPS provider RSA publicFIPS provider KAS- IFC-SSC_SUMMIT_FIPS_INDICATOR_ APPROVEDRSA public key, RSA private keyShared Secret
Computati onkey: W,E - FIPS provider RSA private key: W,E - FIPS provider shared secret: W,E
FIPS provider Key Derivationderive a keyCrypto Officer - FIPS provider shared secret: W,E - FIPS provider derived key: G,R - FIPS provider key- derivation key: W,E - FIPS provider AES Derived Key: G,R - FIPS provider HMAC Derived Key: G,R - FIPS provider 802.11 Pre- shared key (PSK): W,E - FIPS provider 802.11 PairwiseFIPS provider ANS 9.42 Key Derivati on (CVL) FIPS provider ANS 9.63 Key Derivati on (CVL) FIPS provider HKDF Key Derivati on FIPS provider OneStep Key Derivati on FIPS provider TwoSte p Key Derivati on_SUMMIT_FIPS_INDICATOR_ APPROVEDShared secretderived key
FIPS provider KMAC Key Derivati on FIPS provider KBKDF Key Derivati on FIPS provider SSH Key Derivati onMaster Key (PMK): W,E - FIPS provider 802.11 KDF Internal State: R - FIPS provider 802.11 Temporal Keys: W,E - FIPS provider 802.11 MIC keys (KCK): W,E - FIPS provider 802.11 Key Encryption Key (KEK): W,E - FIPS provider 802.11 Group Temporal Key (GTK): W,EFIPS provider KMAC Key Derivati on FIPS provider KBKDF Key Derivati on FIPS provider SSH Key Derivati on
FIPS provider Key Derivation (FIPS provider TLS master secret)derive a TLS master secretCrypto Officer - FIPS provider TLS pre- master secret: W,E - FIPS provider TLS master secret: G,RFIPS provider TLS 1.0 and 1.1 Key Derivati on (CVL) FIPS provider TLS 1.2 Key_SUMMIT_FIPS_INDICATOR_ APPROVEDFIPS provider TLS pre- master secret
FIPS provider Key Derivation (FIPS provider derived key)derive a key used for session establish mentCrypto Officer - FIPS provider TLS master secret: W,E - FIPS provider derived key: G,RFIPS provider TLS 1.0 and 1.1 Key Derivati on (CVL) FIPS provider TLS 1.2 Key Derivati on (CVL) FIPS provider TLS 1.3 Key Derivati on (CVL)_SUMMIT_FIPS_INDICATOR_ APPROVEDFIPS provider TLS master secretFIPS provider derived key
FIPS provider Password- based key derivationderive a key from a passwordCrypto Officer - FIPS provider derived key: G,R - FIPS provider Password: W,EFIPS provider Passwor d-based Key Derivati on_SUMMIT_FIPS_INDICATOR_ APPROVEDpasswordderived key
FIPS provider SafePrime key generationgenerate a key pairCrypto Officer - FIPS provider module generated DH public key: G,R - FIPS provider module generated DH private key: G,R - FIPS provider Intermediat e Key Generation Value: G,RFIPS provider Safe Primes Key Generati on_SUMMIT_FIPS_INDICATOR_ APPROVEDDH- GroupModule generate d Dh private key, Module generate d DH public key
FIPS provider EC Key generationgenerate a key pairCrypto Officer - FIPS provider module generated EC public key: G,R - FIPS provider module generated EC private key: G,R - FIPS provider Intermediat e Key Generation Value: G,RFIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati on_SUMMIT_FIPS_INDICATOR_ APPROVEDCurveModule Generate d EC Private Key, Module Generate d EC Public Key
FIPS providergenerate a key pairCrypto Officer - FIPSFIPS provider RSA_SUMMIT_FIPS_INDICATOR_ APPROVEDModulusModule Generate d RSA
RSA key generationprovider module generated RSA private key: G,R - FIPS provider module generated RSA public key: G,R - FIPS provider Intermediat e Key Generation Value: G,RKey Generati onPrivate Key, Module Generate d RSA Public Key
FIPS provider SafePrime Key Verificatio nverify key pairCrypto Officer - FIPS provider DH public key: W - FIPS provider DH private key: WFIPS provider Safe Primes Key Verifica tion_SUMMIT_FIPS_INDICATOR_ APPROVEDDH Private key, DH public keyPass/fail
FIPS provider EC Key Verificatio nverify key pairCrypto Officer - FIPS provider EC public key: W - FIPS provider EC private key: WFIPS provider ECDSA Key Verifica tion_SUMMIT_FIPS_INDICATOR_ APPROVEDEC public key, EC private keyPass/fail
FIPS provider Key wrappingwrap a keyCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CCM (KTS- Wrap)_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, key to be wrappedwrapped key
FIPS provider Key unwrappin gunwrap a keyCrypto Officer - FIPS provider AES Key: W,EFIPS provider AES- CCM (KTS- Wrap) FIPS provider AES- GCM (KTS- Wrap) FIPS provider AES KW FIPS provider AES KWP_SUMMIT_FIPS_INDICATOR_ APPROVEDAES key, key to be unwrapp edunwrapp ed key
FIPS provider RSA Signature Verificatio nverify digital signatureCrypto Officer - FIPS provider RSA public key: W,EFIPS provider RSA Signatur e Verifica tion_SUMMIT_FIPS_INDICATOR_ APPROVEDRSA public key, signature , hash algorith mPass/fail
FIPS provider EC Signature Verificatio nverify digital signatureCrypto Officer - FIPS provider EC public key: W,EFIPS provider ECDSA Signatur e Verifica tion FIPS provider EDDSA Signatur e Verifica tion_SUMMIT_FIPS_INDICATOR_ APPROVEDMessage, EC public key, signature , hash algorith m (ECDSA only)Pass/fail
FIPS provider EC Signature Generatio ngenerate digital signatureCrypto Officer - FIPS provider EC private key: W,EFIPS provider ECDSA Signatur e Generati on FIPS provider EDDSA Signatur e Generati on_SUMMIT_FIPS_INDICATOR_ APPROVEDMessage, EC public key, signature , hash algorith m (ECDSA only)signature
FIPS provider RSA Signature Generatio ngenerate digital signatureCrypto Officer - FIPS provider RSA private key: W,EFIPS provider RSA Signatur e Generati on_SUMMIT_FIPS_INDICATOR_ APPROVEDMessage, RSA public key, signature , hash algorith msignature
FIPS provider RSA Signature Verificatio n (Legacy)verify a digital signature using SHA-1 message digestCrypto Officer - FIPS provider RSA public key: W,EFIPS provider RSA Signatur e Verifica_SUMMIT_FIPS_INDICATOR_ APPROVEDMessage, RSA public key, signature , hashsignature
algorith mtion (Legacy)algorith m
FIPS provider Random Number Generatio ngenerate random bytesCrypto Officer - Entropy input: W,E - DRBG seed: G,E - Internal State (V, Key): G,W,E - Internal state (V, C): G,W,EFIPS provider Counter DRBG FIPS provider Hash DRBG FIPS provider HMAC DRBG_SUMMIT_FIPS_INDICATOR_ APPROVEDoutput lengthrandom bytes
FIPS provider key encapsulat ionKTSCrypto Officer - FIPS provider RSA public key: W,EFIPS provider KTS- IFC_SUMMIT_FIPS_INDICATOR_ APPROVEDRSA public keyEncapsul ated key
FIPS provider key decapsulat ionKTSCrypto Officer - FIPS provider RSA private key: W,EFIPS provider KTS- IFC_SUMMIT_FIPS_INDICATOR_ APPROVEDRSA private keyDecapsul ated key
FIPS provider KMAC Message Authentic ationMACCrypto OfficerFIPS provider KMAC_SUMMIT_FIPS_INDICATOR_ APPROVEDKMAC keyMac tag
Show versionReturn the module name and version informati onUnauthenti catedNoneNoneN/Amodule name and version
Show statusreturn module statusUnauthenti catedNoneNoneN/Amodule status
Self-Testsperform CASTs and integrity testUnauthenti catedNoneNoneN/APass/Fail
Zeroizatio nzeroize all SSPsCrypto Officer - Kernel AES key: Z - FIPS provider AES Key: Z - Kernel HMAC key: Z - Kernel shared secret: Z - FIPS provider shared secret: Z - Entropy input: Z - DRBG seed: Z - Internal State (V, Key): Z - Internal state (V, C): Z - FIPS provider DH public key: Z - FIPS provider DH private key: Z - Kernel EC public key: ZNoneNoneAny SSPN/A
4 Roles, Services, and Authentication
4.1 Roles

Table 13: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.2 Approved Services

n n t AESECB AESCTR AESCBC AESCBCCS3 AESCFB8 AESCFB128 AESXTS AESOFB W,E © 2025 Ezurio / atsec information security.

Page 36

n n t n n t n n t AESECB AESCTR AESCBC AESCBCCS3 AESCFB8 AESCFB128 AESXTS AESOFB AESCCM (BCAuth) AESGCM (BCAuth) AESCCM (BCAuth) AESGCM W,E W,E W,E © 2025 Ezurio / atsec information security.

Page 37

g (BCAuth) AESCCM (KTSWrap) AESGCM (KTSWrap) AESCCM (KTSWrap) AESGCM (KTSWrap) W,E W,E © 2025 Ezurio / atsec information security.

Page 38

AESCMAC AESGMAC KASECCSSC n W,E W,E W,E W,E G,W,E G,R G,R © 2025 Ezurio / atsec information security.

Page 39

n t AESCTR AESCBC AESECB AESCBCCS1 AESCBCCS2 AESCBCCS3 AESCFB1 G,E,Z W,E © 2025 Ezurio / atsec information security.

Page 40

n t t AESCFB128 AESXTS AESOFB AESCTR AESCBC AESECB AESCBCCS1 AESCBCCS2 AESCBCCS3 W,E © 2025 Ezurio / atsec information security.

Page 41

n t n t t AESCFB8 AESCFB128 AESXTS AESOFB AESCCM (BCAuth) AESGCM (BCAuth) AESCCM (BCAuth) AESGCM (BCAuth) W,E W,E © 2025 Ezurio / atsec information security.

Page 42

AESCMAC AESGMAC KASFFCSSC KASECCSSC KASIFC-SSC W,E W,E W,E W,E © 2025 Ezurio / atsec information security.

Page 43

keyderivation © 2025 Ezurio / atsec information security.

Page 44

TLS premaster W,E W,E W,E W,E TLS premaster © 2025 Ezurio / atsec information security.

Page 45

Passwordbased key a W,E © 2025 Ezurio / atsec information security.

Page 46

DHGroup © 2025 Ezurio / atsec information security.

Page 47

n n AESCCM (KTSWrap) W W W,E © 2025 Ezurio / atsec information security.

Page 48

g n m AESGCM (KTSWrap) AESCCM (KTSWrap) AESGCM (KTSWrap) e W,E © 2025 Ezurio / atsec information security.

Page 49

n m n m n m e e e e e e W,E W,E © 2025 Ezurio / atsec information security.

Page 50

m n KTSIFC KTSIFC N/A N/A G,W,E G,W,E © 2025 Ezurio / atsec information security.

Page 51

N/A N/A n Z Z Z © 2025 Ezurio / atsec information security.

Page 52

Z Z Z © 2025 Ezurio / atsec information security.

Page 53

keyderivation Table 14: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs: Generate (G): The module generates or derives the SSP. Read (R): The SSP is read from the module (e.g. the SSP is output). Write (W): The SSP is updated, imported, or written to the module. Execute (E): The module uses the SSP in performing a cryptographic operation. Zeroize (Z): The module zeroizes the SSP. To interact with the FIPS provider component of the module, a calling application must use the EVP API layer provided by OpenSSL. This layer will delegate the request to the FIPS provider, which will in turn perform the requested service. The EVP_KDF_CTX_get_params() function can be used to determine whether an EVP API © 2025 Ezurio / atsec information security.

Page 54
Service
NameDescriptionRolesApproved Functions
FIPS provider PBKDF with salt length less than 128 bitsKey derivationCOFIPS provider PBKDF with salt length less than 128 bits
FIPS provider TLSv1.0 and TLSv1.1 KDF using EMSKey derivationCOFIPS provider TLSv1.0 and TLSv1.1 KDF using EMS
FIPS provider TLSv1.2 KDF without using EMSKey derivationCOFIPS provider TLSv1.2 KDF without using EMS
FIPS provider AES-GCM using EVP_EncryptInit_ex2Encryption/Decryption using AES- GCM and externally generated IVCOFIPS provider AES GCM using externally generated IV

function is approved. After a cryptographic service was performed by the module, the API context associated with this request can contain a parameter (listed below) which represents the approved service indicator.

4.3 Non-Approved Services

Table 15: Non-Approved Services © 2025 Ezurio / atsec information security.

Page 55
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module’s firmware components (the kernel, the FIPS provider components and fipscheck application and library) is individually verified by the fipscheck integrity test tool using an HMAC-SHA2-256 implemented by the FIPS provider. The HMAC value of each firmware component is computed at build time and stored in the .hmac file for each component. The value is recalculated at runtime for the image of the kernel, for the FIPS provider binary and the fipscheck application and library, and then compared against the stored value in the file. If the comparison succeeds, then the remaining Known Answer Tests (KATs) for FIPS provider are performed. Then the kernel component executes its algorithm-specific Known Answer Tests. If the integrity test fails the module will enter the error state. Please see section 10.4 for details

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the firmware integrity tests. The Self-Tests service can also be used to invoke the integrity test on-demand. © 2025 Ezurio / atsec information security.

Page 56
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: The firmware components of this module are executed in the Microchip/Atmel ATSAMA5D31 (Microprocessor Unit) and Microchip/Atmel ATSAMA5D36 (Microprocessor Unit), ARM Cortex A5-based (ARMv7) operational environments.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11.1. There are no security rules, settings or restrictions to the configuration of the operational environment. © 2025 Ezurio / atsec information security.

Page 57
7 Physical Security
7.1 Mechanisms and Actions Required

N/A for this module. The module is a firmware-hardware hybrid module. The module contains standard integrated circuits with a uniform exterior material and standard connectors. The module is enclosed within a production-grade enclosure with components that include standard passivation techniques (e.g., a conformal coating applied over the module's circuitry to protect against environmental or other physical damage) conformant to the Level 1 requirements for physical security. The physical security requirements do not apply to the firmware components of the module. © 2025 Ezurio / atsec information security.

Page 58
8 Non-Invasive Security
8.1 Mitigation Techniques

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 Ezurio / atsec information security.

Page 59
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary storage for SSPs used by the module as part of service execution. The module does not perform persistent storage of SSPs.
Service
NameTypeFromTo
API input parametersPlaintextOperating calling application (TOEPP)Cryptographic moduleManualElectronic
Kernel AF_ALG_type sockets (input)PlaintextOperating calling application (TOEPP)Cryptographic moduleManualElectronic
API output parametersPlaintextCryptographic moduleOperator calling application (TOEPP)ManualElectronic
Kernel AF_ALG type sockets (output)PlaintextCryptographic moduleOperator calling application (TOEPP)ManualElectronic
ZeroizationDescriptionRationaleOperator Initiation
Method
Kernel free cipher handleZeroizes the SSPs containedMemory occupied by SSPs is overwritten with zeroes, which renders theBy calling the appropriate zeroization functions:- AES key: crypto_free_skcipher and crypto_free_aead; - HMAC key:
9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 16: Storage Areas plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

© 2025 Ezurio / atsec information security.

Page 60
Sensitive security parameter
NameTypeDescriptionStrengthZeroizationUseOperator Initiation crypto free shash and crypto free ahash; - DRBG Internal state: crypto free rng; - EC public & private key: crypto free kpp and crypto free akcipher
Memory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization. The completion of the zeroization routine(s) indicate that the zeroization procedure succeededZeroizes the SSPsFIPS provider calling the zeroization APIBy calling the appropriate zeroization functions: - EVP_CIPHER_CTX_free(): clears and frees symmetric cipher context; - EVP_MAC_CTX_free(): clears and frees MAC context; -EVP_KDF_CTX_free(): clears and frees KDF context; - EVP_RAND_CTX_free(): clears and frees DRBG context; - EVP_PKEY_free(): clears and frees asymmetric key pair structures
Memory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization.Zeroizes the SSPsFIPS provider AutomaticIntermediate key generation value: zeroized automatically by the module (after the requested service completed)
Volatile memory used by the module is overwritten within nanoseconds when power is removedDe-allocates the volatile memory used to store SSPsRemove power from the moduleBy removing power
Kernel AES keySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128, 192, 256 bitsKernel AES- CCM (KTS- Wrap)
Sensitive security parameter
NameTypeDescriptionStrengthZeroizationUseOperator Initiation crypto free shash and crypto free ahash; - DRBG Internal state: crypto free rng; - EC public & private key: crypto free kpp and crypto free akcipher
Memory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization. The completion of the zeroization routine(s) indicate that the zeroization procedure succeededZeroizes the SSPsFIPS provider calling the zeroization APIBy calling the appropriate zeroization functions: - EVP_CIPHER_CTX_free(): clears and frees symmetric cipher context; - EVP_MAC_CTX_free(): clears and frees MAC context; -EVP_KDF_CTX_free(): clears and frees KDF context; - EVP_RAND_CTX_free(): clears and frees DRBG context; - EVP_PKEY_free(): clears and frees asymmetric key pair structures
Memory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. All data output is inhibited during zeroization.Zeroizes the SSPsFIPS provider AutomaticIntermediate key generation value: zeroized automatically by the module (after the requested service completed)
Volatile memory used by the module is overwritten within nanoseconds when power is removedDe-allocates the volatile memory used to store SSPsRemove power from the moduleBy removing power
Kernel AES keySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128, 192, 256 bitsKernel AES- CCM (KTS- Wrap)

Table 18: SSP Zeroization Methods AESCCM (KTSWrap) © 2025 Ezurio / atsec information security.

Page 61
Sensitive security parameter
NameTypeEstablishmentGenerate
CategoryCategoryed Byd By

AESGCM (KTSWrap) AESCBC-CS3 AESCFB8 AESCFB128 AESCCM (BCAuth) AESGCM (BCAuth) © 2025 Ezurio / atsec information security.

Page 62
Sensitive security parameter
NameTypeDescriptionStrengthUse
Kernel HMAC keyAuthenticati on key - CSPHMAC key112-256 bits - 112- 256 bitsKernel AES CBC with HMAC Kernel AES CTR with HMAC Kernel HMAC
Kernel Intermedi ate Key Generatio n ValueIntermediate value - CSPIntermediate key generation valueP-256, P-384 - 128, 192 bitsKernel ECDSA Key Generatio nKernel ECDSA Key Generati on
Kernel shared secretShared secret - CSPShared secret generated by ECDHP-256, P-384 - 128 and 192 bitsKernel KAS- ECC-SSCKernel KAS- ECC-SSC
DRBG seedSeed - CSPDRBG seed derived from entropy inputCTR_DRBG:256,320 ,384 bits; HMAC or HASH DRBG: 440,888 bits - CTR_DRBG: 128,192,256 bits; HMAC or HASH DRBG: 128,256 bitsKernel Counter DRBG FIPS provider Counter DRBG FIPS provider Hash DRBG FIPS provider HMAC DRBGKernel Counter DRBG FIPS provider Counter DRBG FIPS provider Hash DRBG FIPS provider HMAC DRBG
Kernel EC public keyPublic key - PSPPublic key used for ECDHP-256, P-384 - 128, 192 bitsKernel KAS- ECC-SSC
Kernel EC private keyPrivate key - CSPPrivate key used for ECDHP-256, P-384 - 128, 192 bitsKernel KAS- ECC-SSC

KASECC-SSC AESGMAC n KASECC-SSC KASECC-SSC KASECC-SSC © 2025 Ezurio / atsec information security.

Page 63
Sensitive security parameter
NameTypeDescriptionStrengthUse
Entropy inputEntropy input - CSPEntropy input used to seed the DRBGsCTR_DRBG:192,288 ,384 bits; HMAC or HASH DRBG:240,384 bits - CTR_DRBG:192,288 ,384 bits; HMAC or HASH DRBG:240,384 bitsKernel Counter DRBG FIPS provider Counter DRBG FIPS provider Hash DRBG FIPS provider HMAC DRBG
Internal State (V, Key)DRBG Internal state - CSPInternal state of Counter DRBG and HMAC DRBGCTR_DRBG: 256,320,384 bits; HMAC DRBG: 320,512,1024 bits - CTR_DRBG: 128,192,256 bits; HMAC DRBG: 128,256 bitsKernel Counter DRBGKernel Counter DRBG FIPS provider Counter DRBG
Internal state (V, C)DRBG Internal state - CSPInternal state of Hash DRBGHASH DRBG:888,1776 bits - HASH DRBG:128,256 bitsFIPS provider Hash DRBGFIPS provider Hash DRBG
FIPS provider AES KeySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128, 192, 256 bitsFIPS provider AES- CCM (KTS- Wrap) FIPS provider AES- GCM (KTS- Wrap) FIPS provider AES KWP FIPS

C) AESCCM (KTSWrap) AESGCM (KTSWrap) © 2025 Ezurio / atsec information security.

Page 64
Sensitive security parameter
NameTypeEstablishmentGenerate
CategoryCategoryed Byd By

AESCBC-CS1 AESCBC-CS2 AESCBC-CS3 AESCFB1 AESCFB8 AESCCM (BCAuth) AESGCM (BCAuth) © 2025 Ezurio / atsec information security.

Page 65
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
FIPS provider HMAC keyAuthenticati on key - CSPHMAC key112-256 bits - 112- 256 bitsFIPS provider HMAC
FIPS provider shared secretShared secret - CSPShared secret generated by DH/ECDH224-8192 bits - 112- 256 bitsFIPS provider ANS 9.42 Key Derivatio n (CVL) FIPS provider ANS 9.63 Key Derivatio n (CVL) FIPS provider TLS 1.0 and 1.1 Key DerivatioFIPS provider KAS- FFC-SSC FIPS provider KAS- ECC-SSC
FIPS provider TLS pre- master secretShared secret - CSPShared secret used for deriving TLS master secret224-8192 bits - 112- 256 bitsFIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPSFIPS provider KAS- FFC-SSC FIPS provider KAS- ECC-SSC
FIPS provider TLS master secretShared secret - CSPShared secret used for the establishment of encrypted session256 bits - 112-256 bits based on the TLS pre-master secret usedFIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL)FIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL)
FIPS provider DH public keyPublic key - PSPPublic key used for DH2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider KAS- FFC-SSC
FIPS provider DH private keyPrivate key - CSPPrivate key used for DH2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider KAS- FFC-SSC
FIPS provider EC public keyPublic key - PSPPublic key used for ECDH and ECDSAP-224, P-256, P-384, P-521; Ed25519, Ed448 - 112, 128, 192, 256 bitsFIPS provider KAS- ECC-SSC FIPS
FIPS provider EC private keyPrivate key - CSPPrivate key used for ECDH and ECDSAP-224, P-256, P-384, P-521; Ed25519, Ed448 - 112, 128, 192, 256 bitsFIPS provider KAS- ECC-SSC FIPS provider ECDSA Signature Generatio n FIPS provider EDDSA Signature Generatio n
FIPS provider module generated DH public keyPublic key - PSPDH public key generated by the module2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider Safe Primes Key Generati onFIPS provider KAS- FFC-SSC
FIPS provider module generatedPrivate key - CSPDH private key generated by the module2048, 3072, 4096, 6144, 8192 bits - 112-200 bitsFIPS provider Safe PrimesFIPS provider KAS- FFC-SSC
DH private keyKey Generati on
FIPS provider module generated EC public keyPublic key - PSPEC public key generated by the moduleP-224, P-256, P-384, P-521; Ed25519, Ed448 - 128-256 bitsFIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati onFIPS provider KAS- ECC-SSC FIPS provider ECDSA Signature Verificati on FIPS provider EDDSA Signature Verificati on
FIPS provider module generated EC private keyPrivate key - CSPEC private key generated by the moduleP-224, P-256, P-384, P-521; Ed25519, Ed448 (128, 192 bits) - 128-256 bitsFIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati onFIPS provider KAS- ECC-SSC FIPS provider ECDSA Signature Generatio n FIPS provider EDDSA Signature Generatio n
FIPS provider RSA public keyPublic key - PSPPublic key used for RSA signature generation2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider RSA Signature Verificati on
FIPS provider RSAPrivate key - CSPPrivate key used for RSA signature generation2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider RSA

AESCMAC AESGMAC n KASFFC-SSC KASECC-SSC © 2025 Ezurio / atsec information security.

Page 66

TLS premaster KASFFC-SSC KASECC-SSC n n n n © 2025 Ezurio / atsec information security.

Page 67

KASFFC-SSC KASFFC-SSC KASECC-SSC © 2025 Ezurio / atsec information security.

Page 68

KASECC-SSC n n KASFFC-SSC KASFFC-SSC © 2025 Ezurio / atsec information security.

Page 69

KASECC-SSC KASECC-SSC n n © 2025 Ezurio / atsec information security.

Page 70
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
private keySignature Generatio n
FIPS provider module generated RSA public keyPublic key - PSPRSA public key generated by the module2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider RSA Key Generati onFIPS provider RSA Key Generatio n
FIPS provider module generated RSA private keyPrivate key - CSPRSA private key generated by the module2048, 3072, 4096 bits - 112, 128, 150 bitsFIPS provider RSA Key Generati onFIPS provider RSA Key Generatio n
FIPS provider Intermedi ate Key Generatio n ValueIntermediate value - CSPIntermediate key generation value224-4096 bits - 112- 256 bitsFIPS provider Safe Primes Key Generati on FIPS provider ECDSA Key Generati on FIPS provider EDDSA Key Generati on FIPS provider RSA Key Generati onFIPS provider Safe Primes Key Generatio n FIPS provider ECDSA Key Generatio n FIPS provider EDDSA Key Generatio n FIPS provider RSA Key Generatio n
FIPS provider derived keySymmetric key - CSPSymmetric key derived from a key-derivation112-4096 bits - 112- 256 bitsFIPS provider ANS 9.42 KeyFIPS provider ANS 9.42 Key

n n n n n n n © 2025 Ezurio / atsec information security.

Page 71
Sensitive security parameter
NameTypeDescriptionEstablishmentUseGenerate
CategoryCategoryed Byd By
key, shared secret, or passwordkey, shared secret, or passwordDerivatio n (CVL) FIPS provider ANS 9.63 Key Derivatio n (CVL) FIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL) FIPS provider HKDF Key Derivatio n FIPS provider Password -based Key Derivatio n FIPS provider OneStep KeyDerivatio n (CVL) FIPS provider ANS 9.63 Key Derivatio n (CVL) FIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL) FIPS provider HKDF Key Derivatio n FIPS provider Password -based Key Derivatio n FIPS provider OneStep Key

n n n n © 2025 Ezurio / atsec information security.

Page 72
Sensitive security parameter
NameTypeDescriptionStrengthUseDerivatio n FIPS provider Two Step Key Derivatio n FIPS provider KMAC Key Derivatio n FIPS provider KBKDF Key Derivatio n FIPS provider SSH Key Derivatio n
FIPS provider key- derivation keySymmetric key - CSPSymmetric key used to derive symmetric keys112-4096 bits - 112- 256 bitsFIPS provider KMAC Key Derivatio n FIPS provider KBKDF Key Derivatio n
FIPS provider PasswordPassword - CSPPassword used to derive symmetric keys8-128 characters - N/AFIPS provider Password -based Key Derivatio n
FIPS provider AES Derived KeySymmetric Key - CSPAES key used for encryption, decryption, and computing MAC tags128, 192, 256 bits - 128, 192, 256 bitsFIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL) FIPS provider KBKDF Key Derivatio nFIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL) FIPS provider KBKDF Key Derivatio n
FIPS provider HMAC Derived KeyAuthenticati on Key - CSPHMAC key112-256 bits - 112- 256 bitsFIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL)FIPS provider TLS 1.0 and 1.1 Key Derivatio n (CVL) FIPS provider TLS 1.2 Key Derivatio n (CVL) FIPS provider TLS 1.3 Key Derivatio n (CVL)

keyderivation n n n n n n n n n n n n n © 2025 Ezurio / atsec information security.

Page 73

n n © 2025 Ezurio / atsec information security.

Page 74
Sensitive security parameter
NameTypeDescriptionStrengthUse
FIPS provider 802.11 Pre-shared key (PSK)Pre-shared key - CSPUsed for pre- shared key authentication and session key establishment, as well as for 802.11 KDFUp to 256 bits of length - Up to 256 bitsFIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 Pairwise Master Key (PMK)Pairwise Master Key - CSPUsed for pre- shared key authentication and session key establishment, as well as for 802.11 KDF256 or 384 bits - 256 bitsFIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 Temporal KeysTemporal Keys - CSPAES-CCM or AES- GCM keys used for session encryption/decryp tion128 or 256 bits - 128 or 256 bitsKernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)FIPS provider KBKDF Key Derivatio n
FIPS provider 802.11 MIC keys (KCK)MIC keys - CSPKey confirmation keys (KCK) used for message authentication during session establishment128 or 192 bits - 128 or 192 bitsFIPS provider KBKDF Key Derivatio n

N/A - N/A n n n n n n n AESCCM (BCAuth) AESGCM (BCAuth) n © 2025 Ezurio / atsec information security.

Page 75
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroizationUseInput
FIPS provider 802.11 Key Encryptio n Key (KEK)Key Encryption Key - CSPUsed for AES Key Wrapping of the 802.11 Group Temporal Key (GTK)128 or 256 bits - 128 or 256 bitsKernel AES- CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)Kernel AES-CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
FIPS provider 802.11 Group Temporal Key (GTK)Group Temporal Key - CSP802.11 session key for broadcast communications128 to 256 bits - 128 to 256 bitsKernel AES- CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)Kernel AES-CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
Kernel AES keyRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_type sockets (input)For the duration of the service
Kernel HMAC keyRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_type sockets (input)For the duration of the service
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroizationUseInputRelated SSPs
FIPS provider 802.11 Key Encryptio n Key (KEK)Key Encryption Key - CSPUsed for AES Key Wrapping of the 802.11 Group Temporal Key (GTK)128 or 256 bits - 128 or 256 bitsKernel AES- CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)Kernel AES-CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
FIPS provider 802.11 Group Temporal Key (GTK)Group Temporal Key - CSP802.11 session key for broadcast communications128 to 256 bits - 128 to 256 bitsKernel AES- CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)Kernel AES-CBC Kernel AES- CCM (BC- Auth) Kernel AES- GCM (BC- Auth)
Kernel AES keyRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_type sockets (input)For the duration of the service
Kernel HMAC keyRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_type sockets (input)For the duration of the service
Kernel Intermediate Key Generation ValueRAM:PlaintextKernel free cipher handle Remove power from the moduleFor the duration of the serviceKernel EC public key:Generates Kernel EC private key:Generates
Kernel shared secretRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI output parameters Kernel AF_ALG type sockets (output)For the duration of the serviceKernel EC public key:Used With Kernel EC private key:Used With
DRBG seedRAM:PlaintextKernel free cipher handle FIPS provider calling the zeroization API Remove power from the moduleWhile the DRBG is being instantiatedEntropy input:Derived From Internal State (V, Key):Generates Internal state (V, C):Generates
Kernel EC public keyRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_type sockets (input) API output parameters Kernel AF_ALG type sockets (output)For the duration of the serviceKernel EC private key:Paired With Kernel Intermediate Key Generation Value:Generated from
Kernel EC private keyRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parameters Kernel AF_ALG_type sockets (input) API output parameters Kernel AF_ALG type sockets (output)For the duration of the serviceKernel EC public key:Paired With Kernel Intermediate Key Generation Value:Generated from
Entropy inputRAM:PlaintextKernel free cipher handle FIPS provider calling the zeroization API Remove power from the moduleFrom generation until DRBG seed is createdDRBG seed:Derives
Internal State (V, Key)RAM:PlaintextKernel free cipher handle FIPS provider calling the zeroization API Remove power from the moduleFrom DRBG instantiation until DRBG terminationDRBG seed:Generated from
Internal state (V, C)RAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleFrom DRBG instantiation until DRBG terminationDRBG seed:Generated from
FIPS provider AES KeyRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider HMAC keyRAM:PlaintextFIPS provider calling the zeroization API RemoveAPI input parametersFor the duration of the service
FIPS provider shared secretRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the serviceFIPS provider DH public key:Established by FIPS provider DH private key:Established by FIPS provider EC public key:Established by FIPS provider EC private key:Established by FIPS provider derived key:Derives
FIPS provider TLS pre-master secretRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the serviceFIPS provider DH public key:Established by FIPS provider DH private key:Established by FIPS provider EC public key:Established by FIPS provider EC private key:Established by FIPS provider TLS master secret:Derives
FIPS provider TLS master secretRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parameters API output parametersFor the duration of the serviceFIPS provider TLS pre-master secret:Derived From FIPS provider derived key:Derives
FIPS provider DH public keyRAM:PlaintextFIPS provider calling the zeroization APIAPI input parametersFor the duration of the serviceFIPS provider DH private key:Paired With FIPS provider Intermediate Key

AESCBC AESCCM (BCAuth) AESGCM (BCAuth) AESCBC AESCCM (BCAuth) AESGCM (BCAuth) AESCCM (BCAuth) AESGCM (BCAuth) AESCCM (BCAuth) AESGCM (BCAuth) Table 19: SSP Table 1 © 2025 Ezurio / atsec information security.

Page 76

© 2025 Ezurio / atsec information security.

Page 77

(V, C) © 2025 Ezurio / atsec information security.

Page 78

© 2025 Ezurio / atsec information security.

Page 79
Sensitive security parameter
NameGenerationStorageZeroizationInput
FIPS provider DH private keyFIPS provider DH public key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization APIAPI input parametersFor the duration of the service
FIPS provider EC public keyFIPS provider EC private key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider EC private keyFIPS provider EC public key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider module generated DH public keyFIPS provider module generated DH private key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider module generated DH private keyFIPS provider module generated DH public key:Paired With FIPS provider Intermediate Key GenerationRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider module generated EC public keyFIPS provider module generated EC private key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider module generated EC private keyFIPS provider module generated EC public key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider RSA public keyFIPS provider RSA private key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider RSA private keyFIPS provider RSA public key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider module generated RSA public keyFIPS provider module generated RSA private key:Paired With FIPS provider Intermediate Key GenerationRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider module generated RSA private keyFIPS provider module generated RSA public key:Paired With FIPS provider Intermediate Key Generation Value:Generated fromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider Intermediate Key Generation ValueFIPS provider DH public key:Generates FIPS provider DH private key:Generates FIPS provider module generated DH public key:Generates FIPS provider module generated DH private key:Generates FIPS provider EC public key:Generates FIPS provider EC private key:Generates FIPS provider module generated EC public key:Generates FIPS provider module generated EC private key:Generates FIPS provider RSA public key:Generates FIPS provider RSA private key:Generates FIPS provider module generatedRAM:PlaintextFIPS provider AutomaticFor the duration of the service
FIPS provider derived keyFIPS provider key- derivation key:Derived From FIPS provider shared secret:Derived From FIPS provider password:Derived FromRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider key-derivation keyFIPS provider derived key:DerivesRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider PasswordFIPS provider derived key:DerivesRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider AES Derived KeyFIPS provider derived key:DerivesRAM:PlaintextKernel free cipher handle FIPS provider calling the zeroization API Remove power from the moduleAPI output parametersFor the duration of the service
FIPS provider HMAC Derived KeyFIPS provider derived key:DerivesRAM:PlaintextKernel free cipher handleAPI output parametersFor the duration of the service
FIPS provider 802.11 Pre- shared key (PSK)FIPS provider derived key:Used WithRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider 802.11 Pairwise Master Key (PMK)FIPS provider derived key:Used WithRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider 802.11 KDF Internal StateRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleFor the duration of the service
FIPS provider 802.11 Temporal KeysKernel AES key:Encrypts Kernel AES key:DecryptsRAM:PlaintextFIPS provider calling the zeroization API Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider 802.11 MIC keys (KCK)RAM:PlaintextFIPS provider calling the zeroizationAPI input parametersFor the duration of the service
FIPS provider 802.11 Key Encryption Key (KEK)Kernel AES key:EncryptsRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI input parametersFor the duration of the service
FIPS provider 802.11 Group Temporal Key (GTK)Kernel AES key:Encrypts Kernel AES key:DecryptsRAM:PlaintextKernel free cipher handle Remove power from the moduleAPI output parametersFor the duration of the service

© 2025 Ezurio / atsec information security.

Page 80

© 2025 Ezurio / atsec information security.

Page 81

© 2025 Ezurio / atsec information security.

Page 82

© 2025 Ezurio / atsec information security.

Page 83

© 2025 Ezurio / atsec information security.

Page 84
9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Ezurio / atsec information security.

Page 85
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest PropertiesConditions
HMAC- SHA2-256 (A5018)HMAC- SHA2-256 (A5018)Message AuthenticationSW/FW IntegrityIntegrity test for fips.so; Integrity test for kernel binary; Integrity test for fipscheck binary; Integrity test for fipscheck library256-bit keyModule becomes operational and services are available for use
ECDSA KeyGen (FIPS186-5) (A4711)ECDSA KeyGen (FIPS186-5) (A4711)PCTPCTSP 800-56Ar3 Section 5.6.2.1.4crypto_kpp_g enerate_public_key returns 0N/AKey pair generation
HMAC- SHA2-256 (A4711)HMAC- SHA2-256 (A4711)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-256 (A4712)HMAC- SHA2-256 (A4712)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-256 (A4716)HMAC- SHA2-256 (A4716)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-384 (A4711)HMAC- SHA2-384 (A4711)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-384 (A4712)HMAC- SHA2-384 (A4712)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorTest PropertiesConditions
HMAC- SHA2-256 (A5018)HMAC- SHA2-256 (A5018)Message AuthenticationSW/FW IntegrityIntegrity test for fips.so; Integrity test for kernel binary; Integrity test for fipscheck binary; Integrity test for fipscheck library256-bit keyModule becomes operational and services are available for use
ECDSA KeyGen (FIPS186-5) (A4711)ECDSA KeyGen (FIPS186-5) (A4711)PCTPCTSP 800-56Ar3 Section 5.6.2.1.4crypto_kpp_g enerate_public_key returns 0N/AKey pair generation
HMAC- SHA2-256 (A4711)HMAC- SHA2-256 (A4711)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-256 (A4712)HMAC- SHA2-256 (A4712)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-256 (A4716)HMAC- SHA2-256 (A4716)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-384 (A4711)HMAC- SHA2-384 (A4711)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-384 (A4712)HMAC- SHA2-384 (A4712)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-384 (A4716)HMAC- SHA2-384 (A4716)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-512 (A4711)HMAC- SHA2-512 (A4711)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-512 (A4712)HMAC- SHA2-512 (A4712)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA2-512 (A4716)HMAC- SHA2-512 (A4716)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA3-224 (A4713)HMAC- SHA3-224 (A4713)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA3-256 (A4713)HMAC- SHA3-256 (A4713)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA3-384 (A4713)HMAC- SHA3-384 (A4713)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA3-512 (A4713)HMAC- SHA3-512 (A4713)KATCASTMessage AuthenticationModule is operational0-8184 bit messagesModule initialization
HMAC- SHA-1 (A5018)HMAC- SHA-1 (A5018)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA2-512 (A5018)HMAC- SHA2-512 (A5018)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
AES-ECB (A4711)AES-ECB (A4711)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-ECB (A4712)AES-ECB (A4712)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-ECB (A4715)AES-ECB (A4715)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-ECB (A4716)AES-ECB (A4716)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-ECB (A4717)AES-ECB (A4717)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-ECB (A4719)AES-ECB (A4719)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-ECB (A4721)AES-ECB (A4721)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-OFB (A4723)AES-OFB (A4723)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES- CFB128 (A4724)AES- CFB128 (A4724)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-CCM (A4719)AES-CCM (A4719)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-CCM (A4712)AES-CCM (A4712)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-CCM (A4716)AES-CCM (A4716)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-CCM (A4721)AES-CCM (A4721)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
AES-GCM (A4712)AES-GCM (A4712)KATCASTMessage authenticationModule is operational128, 192, 256 bit keysModule initialization
AES-GCM (A4715)AES-GCM (A4715)KATCASTMessage authenticationModule is operational128, 192, 256 bit keysModule initialization
AES-GCM (A4717)AES-GCM (A4717)KATCASTMessage authenticationModule is operational128, 192, 256 bit keysModule initialization
AES-GCM (A4719)AES-GCM (A4719)KATCASTMessage authenticationModule is operational128, 192, 256 bit keysModule initialization
AES-GCM (A4721)AES-GCM (A4721)KATCASTMessage authenticationModule is operational128, 192, 256 bit keysModule initialization
AES-CMAC (A4712)AES-CMAC (A4712)KATCASTMessage authenticationModule is operational128 and 256 bit keysModule initialization
AES-CMAC (A4716)AES-CMAC (A4716)KATCASTMessage authenticationModule is operational128 and 256 bit keysModule initialization
AES-CMAC (A4719)AES-CMAC (A4719)KATCASTMessage authenticationModule is operational128 and 256 bit keysModule initialization
AES-CMAC (A4721)AES-CMAC (A4721)KATCASTMessage authenticationModule is operational128 and 256 bit keysModule initialization
KAS-ECC- SSC Sp800- 56Ar3 (A4711)KAS-ECC- SSC Sp800- 56Ar3 (A4711)KATCASTShared secret computationModule is operationalP-256, P-384Module initialization
Counter DRBG (A4711)Counter DRBG (A4711)KATCASTSeed GenerateModule is operational128, 192, 256 bit keys with/without PR; Health test per section 11.3 of SP 800- 90AModule initialization
Counter DRBG (A4712)Counter DRBG (A4712)KATCASTSeed GenerateModule is operational128, 192, 256 bit keys with/without PR; Health test per section 11.3 of SP 800- 90AModule initialization
Counter DRBG (A4715)Counter DRBG (A4715)KATCASTSeed GenerateModule is operational128, 192, 256 bit keys with/without PR; Health test per section 11.3 of SP 800- 90AModule initialization
Counter DRBG (A4717)Counter DRBG (A4717)KATCASTSeed GenerateModule is operational128, 192, 256 bit keys with/without PR; Health test per section 11.3 of SP 800- 90AModule initialization
Counter DRBG (A4719)Counter DRBG (A4719)KATCASTSeed GenerateModule is operational128, 192, 256 bit keys with/without PR; Health test per section 11.3 of SP 800- 90AModule initialization
Counter DRBG (A4721)Counter DRBG (A4721)KATCASTSeed GenerateModule is operational128, 192, 256 bit keys with/withoutModule initialization
ECDSA KeyGen (FIPS186-5) (A5018)ECDSA KeyGen (FIPS186-5) (A5018)PCTPCTSignature generation and verificationSuccessful key generationSHA2-256EC key pair generation
RSA KeyGen (FIPS186-5) (A5018)RSA KeyGen (FIPS186-5) (A5018)PCTPCTSignature generation and verificationSuccessful key generationPKCS#1 v1.5 with SHA2-256RSA key pair generation
Safe Primes Key Generation (A5014)Safe Primes Key Generation (A5014)PCTPCTPublic key re- computation and comparison with the existing public key (per SP 800-56Ar3 Section 5.6.2.1.4)Successful key generationN/ASafe Primes key pair generation
EDDSA KeyGen (A5016)EDDSA KeyGen (A5016)PCTPCTSignature generation and verificationSuccessful key generationED25519 and ED448EDDSA key pair generation
AES-ECB (A5019)AES-ECB (A5019)KATCASTDecryptionModule is operational128-bit keys, 128-bit ciphertextModule initialization
AES-GCM (A5008)AES-GCM (A5008)KATCASTEncryption, Decryption (Separately)Module is operational256-bit keys, 96-bit IVs, 128-bit plaintext, 128- bit additional dataModule initialization
KDF SP800-108 (A5017)KDF SP800-108 (A5017)KATCASTKey DerivationModule is operationalCounter mode, HMAC-SHA2- 256, 128-bit input keyModule initialization
KDA OneStep SP800- 56Cr2 (A5012)KDA OneStep SP800- 56Cr2 (A5012)KATCASTKey DerivationModule is operationalSHA-224, 392- bit input secretModule initialization
KDA HKDF Sp800- 56Cr1 (A5013)KDA HKDF Sp800- 56Cr1 (A5013)KATCASTKey DerivationModule is operationalSHA-256, 48- bit input secretModule initialization
KDF ANS 9.42 (A5018)KDF ANS 9.42 (A5018)KATCASTKey DerivationModule is operationalSHA-1 with AES-128, KW, 160-bit input secretModule initialization
KDF ANS 9.42 (A5020)KDF ANS 9.42 (A5020)KATCASTKey DerivationModule is operationalSHA-1 with AES-128, KW, 160-bit input secretModule initialization
KDF ANS 9.63 (A5018)KDF ANS 9.63 (A5018)KATCASTKey DerivationModule is operationalSHA-256, 192- bit input secretModule initialization
KDF SSH (A5019)KDF SSH (A5019)KATCASTKey DerivationModule is operationalSHA-1, 1056- bit input secretModule initialization
TLS v1.2 KDF RFC7627 (A5018)TLS v1.2 KDF RFC7627 (A5018)KATCASTKey DerivationModule is operationalSHA-256, 84- bit input secretModule initialization
TLS v1.3 KDF (A5013)TLS v1.3 KDF (A5013)KATCASTKey DerivationModule is operationalExtract and expand modes, SHA-256Module initialization
PBKDF (A5018)PBKDF (A5018)KATCASTKey DerivationModule is operationalSHA-256, 24- character password, 288- bit salt, Iteration count: 4096Module initialization
PBKDF (A5020)PBKDF (A5020)KATCASTKey DerivationModule is operationalSHA-256, 24- character password, 288- bit salt, Iteration count: 4096Module initialization
Counter DRBG (A5015)Counter DRBG (A5015)KATCASTInstantiate, Generate, Reseed, Generate (compliant with SP 800-90Ar1 Section 11.3)Module is operationalAES-128 with prediction resistanceModule initialization
HMAC DRBG (A5015)HMAC DRBG (A5015)KATCASTInstantiate, Generate, Reseed, Generate (compliant with SP 800-90Ar1 Section 11.3)Module is operationalSHA-1 with prediction resistanceModule initialization
Hash DRBG (A5015)Hash DRBG (A5015)KATCASTInstantiate, Generate, Reseed, Generate (compliant with SP 800-90Ar1 Section 11.3)Module is operationalSHA-256 with prediction resistanceModule initialization
KAS-FFC- SSC Sp800- 56Ar3 (A5014)KAS-FFC- SSC Sp800- 56Ar3 (A5014)KATCASTShared Secret ComputationModule is operationalffdhe2048Module initialization
KAS-ECC- SSC Sp800- 56Ar3 (A5018)KAS-ECC- SSC Sp800- 56Ar3 (A5018)KATCASTShared Secret ComputationModule is operationalP-256Module initialization
RSA SigGen (FIPS186-5) (A5018)RSA SigGen (FIPS186-5) (A5018)KATCASTSignature GenerationModule is operationalPKCS#1 v1.5 with SHA-256 and 2048-bit keyModule initialization
ECDSA SigGen (FIPS186-5) (A5018)ECDSA SigGen (FIPS186-5) (A5018)KATCASTSignature GenerationModule is operationalSHA-256 and P-224, P-256, P-384, and P- 521Module initialization
ECDSA SigGen (FIPS186-5) (A5020)ECDSA SigGen (FIPS186-5) (A5020)KATCASTSignature GenerationModule is operationalSHA-256 and P-224, P-256, P-384, and P- 521Module initialization
EDDSA SigGen (A5016)EDDSA SigGen (A5016)KATCASTSignature GenerationModule is operationalED25519 and ED448Module initialization
KTS-IFC (A5018)KTS-IFC (A5018)KATCASTRSA Primitive ComputationModule is operationalSHA-256 with no paddingModule initialization
AES-CMAC (A5004)AES-CMAC (A5004)KATCASTMessage AuthenticationModule is operational128 and 256 bit keysModule initialization
AES-CBC (A5004)AES-CBC (A5004)KATCASTEncryption, Decryption (Separately)Module is operational128 and 256 bit keysModule initialization
AES-CCM (A5004)AES-CCM (A5004)KATCASTEncryption, Decryption (Separately)Module is operational128, 192, 256 bit keysModule initialization
HMAC- SHA2-224 (A4711)HMAC- SHA2-224 (A4711)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA2-224 (A4712)HMAC- SHA2-224 (A4712)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA2-224 (A4716)HMAC- SHA2-224 (A4716)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA2-224 (A5018)HMAC- SHA2-224 (A5018)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA2-256 (A5018)HMAC- SHA2-256 (A5018)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA2-384 (A5018)HMAC- SHA2-384 (A5018)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA3-224 (A5020)HMAC- SHA3-224 (A5020)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA3-384 (A5020)HMAC- SHA3-384 (A5020)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA3-512 (A5020)HMAC- SHA3-512 (A5020)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
HMAC- SHA3-256 (A5020)HMAC- SHA3-256 (A5020)KATCASTMessage AuthenticationModule is operational24-bit messageModule initialization
AES-CBC- CS3 (A4714)AES-CBC- CS3 (A4714)KATCASTEncryption, Decryption (Separately)Module is operational128 and 256 bit keysModule initialization
AES-CBC- CS3 (A4718)AES-CBC- CS3 (A4718)KATCASTEncryption, Decryption (Separately)Module is operational128 and 256 bit keysModule initialization
AES-CBC- CS3 (A4720)AES-CBC- CS3 (A4720)KATCASTEncryption, Decryption (Separately)Module is operational128 and 256 bit keysModule initialization
AES-CBC- CS3 (A4722)AES-CBC- CS3 (A4722)KATCASTEncryption, Decryption (Separately)Module is operational128 and 256 bit keysModule initialization
SHAKE- 128 (A5020)SHAKE- 128 (A5020)KATCASTMessage digestModule is operational0-8184 bit messagesModule initialization
SHAKE- 256 (A5020)SHAKE- 256 (A5020)KATCASTMessage digestModule is operational0-8184 bit messagesModule initialization
KDF KMAC Sp800- 108r1 (A5017)KDF KMAC Sp800- 108r1 (A5017)KATCASTKey DerivationModule is operationalCounter mode, HMAC-SHA2- 256, 128-bit input keyModule initialization
KDA TwoStep SP800- 56Cr2 (A5012)KDA TwoStep SP800- 56Cr2 (A5012)KATCASTKey DerivationModule is operationalSHA-224, 392- bit input secretModule initialization
KMAC-128 (A5020)KMAC-128 (A5020)KATCASTMessage digestModule is operational0-8184 bit messagesModule initialization
KMAC-256 (A5020)KMAC-256 (A5020)KATCASTMessage digestModule is operational0-8184 bit messagesModule initialization
KAS-IFC- SSC (A5018)KAS-IFC- SSC (A5018)KATCASTShared Secret ComputationModule is operationalSHA-256 with no paddingModule initialization
HMAC-SHA2-256 (A5018)HMAC-SHA2-256 (A5018)Message AuthenticationSW/FW IntegrityOn demandManually
ECDSA KeyGen (FIPS186-5) (A4711)ECDSA KeyGen (FIPS186-5) (A4711)PCTPCTOn demandManually
HMAC-SHA2-256 (A4711)HMAC-SHA2-256 (A4711)KATCASTOn demandManually
10 Self-Tests
10.1 Pre-Operational Self-Tests

HMACSHA2-256 Table 21: Pre-Operational Self-Tests The pre-operational firmware integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithm used for the integrity test (i.e., HMACSHA2-256) is self-tested before the firmware integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 N/A © 2025 Ezurio / atsec information security.

Page 86

HMACSHA2-384 HMACSHA2-512 HMACSHA2-512 HMACSHA2-512 HMACSHA3-224 HMACSHA3-256 HMACSHA3-384 HMACSHA3-512 HMACSHA-1 HMACSHA2-512 © 2025 Ezurio / atsec information security.

Page 87

AESCFB128 © 2025 Ezurio / atsec information security.

Page 88

KAS-ECCSSC Sp80056Ar3 © 2025 Ezurio / atsec information security.

Page 89

SP80056Cr2 Sp80056Cr1 N/A © 2025 Ezurio / atsec information security.

Page 90

© 2025 Ezurio / atsec information security.

Page 91

KAS-FFCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 HMACSHA2-224 © 2025 Ezurio / atsec information security.

Page 92

HMACSHA2-224 HMACSHA2-224 HMACSHA2-224 HMACSHA2-256 HMACSHA2-384 HMACSHA3-224 HMACSHA3-384 HMACSHA3-512 HMACSHA3-256 AES-CBCCS3 AES-CBCCS3 AES-CBCCS3 AES-CBCCS3 SHAKE128 © 2025 Ezurio / atsec information security.

Page 93
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorConditions
SHAKE- 256 (A5020)SHAKE- 256 (A5020)KATCASTMessage digest0-8184 bit messagesModule is operationalModule initialization
KDF KMAC Sp800- 108r1 (A5017)KDF KMAC Sp800- 108r1 (A5017)KATCASTKey DerivationCounter mode, HMAC-SHA2- 256, 128-bit input keyModule is operationalModule initialization
KDA TwoStep SP800- 56Cr2 (A5012)KDA TwoStep SP800- 56Cr2 (A5012)KATCASTKey DerivationSHA-224, 392- bit input secretModule is operationalModule initialization
KMAC-128 (A5020)KMAC-128 (A5020)KATCASTMessage digest0-8184 bit messagesModule is operationalModule initialization
KMAC-256 (A5020)KMAC-256 (A5020)KATCASTMessage digest0-8184 bit messagesModule is operationalModule initialization
KAS-IFC- SSC (A5018)KAS-IFC- SSC (A5018)KATCASTShared Secret ComputationSHA-256 with no paddingModule is operationalModule initialization
HMAC-SHA2-256 (A5018)HMAC-SHA2-256 (A5018)Message AuthenticationSW/FW IntegrityOn demandManually
ECDSA KeyGen (FIPS186-5) (A4711)ECDSA KeyGen (FIPS186-5) (A4711)PCTPCTOn demandManually
HMAC-SHA2-256 (A4711)HMAC-SHA2-256 (A4711)KATCASTOn demandManually
HMAC-SHA2-256 (A4712)HMAC-SHA2-256 (A4712)KATCASTOn demandManually
HMAC-SHA2-256 (A4716)HMAC-SHA2-256 (A4716)KATCASTOn demandManually
HMAC-SHA2-384 (A4711)HMAC-SHA2-384 (A4711)KATCASTOn demandManually
HMAC-SHA2-384 (A4712)HMAC-SHA2-384 (A4712)KATCASTOn demandManually
HMAC-SHA2-384 (A4716)HMAC-SHA2-384 (A4716)KATCASTOn demandManually
HMAC-SHA2-512 (A4711)HMAC-SHA2-512 (A4711)KATCASTOn demandManually
HMAC-SHA2-512 (A4712)HMAC-SHA2-512 (A4712)KATCASTOn demandManually
HMAC-SHA2-512 (A4716)HMAC-SHA2-512 (A4716)KATCASTOn demandManually
HMAC-SHA3-224 (A4713)HMAC-SHA3-224 (A4713)KATCASTOn demandManually
HMAC-SHA3-256 (A4713)HMAC-SHA3-256 (A4713)KATCASTOn demandManually
HMAC-SHA3-384 (A4713)HMAC-SHA3-384 (A4713)KATCASTOn demandManually
HMAC-SHA3-512 (A4713)HMAC-SHA3-512 (A4713)KATCASTOn demandManually
HMAC-SHA-1 (A5018)HMAC-SHA-1 (A5018)KATCASTOn demandManually
HMAC-SHA2-512 (A5018)HMAC-SHA2-512 (A5018)KATCASTOn demandManually
AES-ECB (A4711)AES-ECB (A4711)KATCASTOn demandManually
AES-ECB (A4712)AES-ECB (A4712)KATCASTOn demandManually
AES-ECB (A4715)AES-ECB (A4715)KATCASTOn demandManually
AES-ECB (A4716)AES-ECB (A4716)KATCASTOn demandManually
AES-ECB (A4717)AES-ECB (A4717)KATCASTOn demandManually
AES-ECB (A4719)AES-ECB (A4719)KATCASTOn demandManually
AES-ECB (A4721)AES-ECB (A4721)KATCASTOn demandManually
AES-OFB (A4723)AES-OFB (A4723)KATCASTOn demandManually
AES-CFB128 (A4724)AES-CFB128 (A4724)KATCASTOn demandManually
AES-CCM (A4719)AES-CCM (A4719)KATCASTOn demandManually
AES-CCM (A4712)AES-CCM (A4712)KATCASTOn demandManually
AES-CCM (A4716)AES-CCM (A4716)KATCASTOn demandManually
AES-CCM (A4721)AES-CCM (A4721)KATCASTOn demandManually
AES-GCM (A4712)AES-GCM (A4712)KATCASTOn demandManually
AES-GCM (A4715)AES-GCM (A4715)KATCASTOn demandManually
AES-GCM (A4717)AES-GCM (A4717)KATCASTOn demandManually
AES-GCM (A4719)AES-GCM (A4719)KATCASTOn demandManually
AES-GCM (A4721)AES-GCM (A4721)KATCASTOn demandManually
AES-CMAC (A4712)AES-CMAC (A4712)KATCASTOn demandManually
AES-CMAC (A4716)AES-CMAC (A4716)KATCASTOn demandManually
AES-CMAC (A4719)AES-CMAC (A4719)KATCASTOn demandManually
AES-CMAC (A4721)AES-CMAC (A4721)KATCASTOn demandManually
KAS-ECC-SSC Sp800-56Ar3 (A4711)KAS-ECC-SSC Sp800-56Ar3 (A4711)KATCASTOn demandManually
Counter DRBG (A4711)Counter DRBG (A4711)KATCASTOn demandManually
Counter DRBG (A4712)Counter DRBG (A4712)KATCASTOn demandManually
Counter DRBG (A4715)Counter DRBG (A4715)KATCASTOn demandManually
Counter DRBG (A4717)Counter DRBG (A4717)KATCASTOn demandManually
Counter DRBG (A4719)Counter DRBG (A4719)KATCASTOn demandManually
Counter DRBG (A4721)Counter DRBG (A4721)KATCASTOn demandManually
ECDSA KeyGen (FIPS186-5) (A5018)ECDSA KeyGen (FIPS186-5) (A5018)PCTPCTOn demandManually
RSA KeyGen (FIPS186-5) (A5018)RSA KeyGen (FIPS186-5) (A5018)PCTPCTOn demandManually
Safe Primes Key Generation (A5014)Safe Primes Key Generation (A5014)PCTPCTOn demandManually
EDDSA KeyGen (A5016)EDDSA KeyGen (A5016)PCTPCTOn demandManually
AES-ECB (A5019)AES-ECB (A5019)KATCASTOn demandManually
AES-GCM (A5008)AES-GCM (A5008)KATCASTOn demandManually
KDF SP800-108 (A5017)KDF SP800-108 (A5017)KATCASTOn demandManually
KDA OneStep SP800-56Cr2 (A5012)KDA OneStep SP800-56Cr2 (A5012)KATCASTOn demandManually
KDA HKDF Sp800- 56Cr1 (A5013)KDA HKDF Sp800- 56Cr1 (A5013)KATCASTOn demandManually
KDF ANS 9.42 (A5018)KDF ANS 9.42 (A5018)KATCASTOn demandManually
KDF ANS 9.42 (A5020)KDF ANS 9.42 (A5020)KATCASTOn demandManually
KDF ANS 9.63 (A5018)KDF ANS 9.63 (A5018)KATCASTOn demandManually
KDF SSH (A5019)KDF SSH (A5019)KATCASTOn demandManually
TLS v1.2 KDF RFC7627 (A5018)TLS v1.2 KDF RFC7627 (A5018)KATCASTOn demandManually
TLS v1.3 KDF (A5013)TLS v1.3 KDF (A5013)KATCASTOn demandManually
PBKDF (A5018)PBKDF (A5018)KATCASTOn demandManually
PBKDF (A5020)PBKDF (A5020)KATCASTOn demandManually
Counter DRBG (A5015)Counter DRBG (A5015)KATCASTOn demandManually
HMAC DRBG (A5015)HMAC DRBG (A5015)KATCASTOn demandManually
Hash DRBG (A5015)Hash DRBG (A5015)KATCASTOn demandManually
KAS-FFC-SSC Sp800-56Ar3 (A5014)KAS-FFC-SSC Sp800-56Ar3 (A5014)KATCASTOn demandManually
KAS-ECC-SSC Sp800-56Ar3 (A5018)KAS-ECC-SSC Sp800-56Ar3 (A5018)KATCASTOn demandManually
RSA SigGen (FIPS186-5) (A5018)RSA SigGen (FIPS186-5) (A5018)KATCASTOn demandManually
ECDSA SigGen (FIPS186-5) (A5018)ECDSA SigGen (FIPS186-5) (A5018)KATCASTOn demandManually
ECDSA SigGen (FIPS186-5) (A5020)ECDSA SigGen (FIPS186-5) (A5020)KATCASTOn demandManually
EDDSA SigGen (A5016)EDDSA SigGen (A5016)KATCASTOn demandManually
KTS-IFC (A5018)KTS-IFC (A5018)KATCASTOn demandManually
AES-CMAC (A5004)AES-CMAC (A5004)KATCASTOn demandManually
AES-CBC (A5004)AES-CBC (A5004)KATCASTOn demandManually
AES-CCM (A5004)AES-CCM (A5004)KATCASTOn demandManually
HMAC-SHA2-224 (A4711)HMAC-SHA2-224 (A4711)KATCASTOn demandManually
HMAC-SHA2-224 (A4712)HMAC-SHA2-224 (A4712)KATCASTOn demandManually
HMAC-SHA2-224 (A4716)HMAC-SHA2-224 (A4716)KATCASTOn demandManually
HMAC-SHA2-224 (A5018)HMAC-SHA2-224 (A5018)KATCASTOn demandManually
HMAC-SHA2-256 (A5018)HMAC-SHA2-256 (A5018)KATCASTOn demandManually
HMAC-SHA2-384 (A5018)HMAC-SHA2-384 (A5018)KATCASTOn demandManually
HMAC-SHA3-224 (A5020)HMAC-SHA3-224 (A5020)KATCASTOn demandManually
HMAC-SHA3-384 (A5020)HMAC-SHA3-384 (A5020)KATCASTOn demandManually
HMAC-SHA3-512 (A5020)HMAC-SHA3-512 (A5020)KATCASTOn demandManually
HMAC-SHA3-256 (A5020)HMAC-SHA3-256 (A5020)KATCASTOn demandManually
AES-CBC-CS3 (A4714)AES-CBC-CS3 (A4714)KATCASTOn demandManually
AES-CBC-CS3 (A4718)AES-CBC-CS3 (A4718)KATCASTOn demandManually
AES-CBC-CS3 (A4720)AES-CBC-CS3 (A4720)KATCASTOn demandManually
AES-CBC-CS3 (A4722)AES-CBC-CS3 (A4722)KATCASTOn demandManually
SHAKE-128 (A5020)SHAKE-128 (A5020)KATCASTOn demandManually
SHAKE-256 (A5020)SHAKE-256 (A5020)KATCASTOn demandManually
KDF KMAC Sp800- 108r1 (A5017)KDF KMAC Sp800- 108r1 (A5017)KATCASTOn demandManually
KDA TwoStep SP800-56Cr2 (A5012)KDA TwoStep SP800-56Cr2 (A5012)KATCASTOn demandManually
KMAC-128 (A5020)KMAC-128 (A5020)KATCASTOn demandManually
KMAC-256 (A5020)KMAC-256 (A5020)KATCASTOn demandManually
KAS-IFC-SSC (A5018)KAS-IFC-SSC (A5018)KATCASTOn demandManually

SHAKE256 Sp800108r1 SP80056Cr2 KAS-IFCSSC Table 22: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state.

10.3 Periodic Self-Test Information

Table 23: Pre-Operational Periodic Information © 2025 Ezurio / atsec information security.

Page 94

© 2025 Ezurio / atsec information security.

Page 95

© 2025 Ezurio / atsec information security.

Page 96

© 2025 Ezurio / atsec information security.

Page 97

Table 24: Conditional Periodic Information © 2025 Ezurio / atsec information security.

Page 98
Service
NameDescriptionRole AccessIndicator
Error StateThe module immediately stops functioning due to a self-test failureFirmware integrity test failure CAST Failure PCT FailureModule will reboot.Successful completion of self-tests after reboot
10.4 Error States

Table 25: Error States In the error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

10.5 Operator Initiation of Self-Tests

All self-tests, with the exception of the health tests, can be invoked on demand by unloading and subsequently re-initializing the module. The entropy health tests are run during DRBG seeding and reseeding. Similarly, a Pair-wise Consistency Test (PCT) it is run for keygen operations. © 2025 Ezurio / atsec information security.

Page 99
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Before deploying the module for usage, the Crypto Officer shall employ the following steps:

  1. Verify the HMAC values of each component of the module as listed in section 2.2.
  2. Verify that the kernel component command line is configured to run fipsInit.sh before any user mode application or init system.
  3. Verify that ‘fips=1’ parameter is present on the kernel command line for Approved mode operation.
11.2 Administrator Guidance

The Crypto Officer must execute the “cat /proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper name is listed in the output as follows: Summit Linux This output maps to the module name “Summit Linux FIPS Core Crypto Module”. Next the Crypto Officer must execute “cat /proc/sys/crypto/fips_version”. This command must output the following: 11.1 The hardware component of the module for both OE’s can be identified by executing the “cat /proc/cpuinfo” command which outputs: processor : 0 model name : ARMv7 Processor rev 1 (v7l) BogoMIPS : 33.00 Features : half thumb fastmult vfp edsp thumbee vfpv3 vfpv3d16 tls vfpv4 CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x0 CPU part : 0xc05 CPU revision : 1 Hardware Revision Serial : Atmel SAMA5 : 0000 : 0000000000000000 The following are the HMAC values for each of the components for each platform:

Page 100
11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. © 2025 Ezurio / atsec information security.

Page 101
12 Mitigation of Other Attacks
12.1 Attack List

For the FIPS Provider component, certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The FIPS Provider component mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:

Page 102

Appendix A. Glossary and Abbreviations AES API CAST CAVP CBC CCM CFB CMAC CMVP CSP CTR CTS DH DRBG ECB ECC ECDH ECDSA EMS ENT (NP) FFC FIPS GCM GMAC HKDF HMAC IPsec KAT KBKDF MAC NIST PAA PBKDF2 PKCS RSA SFI SHA SSC SSP TOEPP XTS Advanced Encryption Standard Application Programming Interface Cryptographic Algorithm Self-Test Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Ciphertext Stealing Diffie-Hellman Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Diffie-Hellman Elliptic Curve Digital Signature Algorithm Extended Master Secret Non-physical Entropy Source Finite Field Cryptography Federal Information Processing Standards Galois Counter Mode Galois Counter Mode Message Authentication Code HMAC-based Key Derivation Function Keyed-Hash Message Authentication Code Internet Protocol Security Known Answer Test Key-based Key Derivation Function Message Authentication Code National Institute of Science and Technology Processor Algorithm Acceleration Password-based Key Derivation Function v2 Public-Key Cryptography Standards Rivest, Shamir, Addleman Security Function Implementation Secure Hash Algorithm Shared Secret Computation Sensitive Security Parameter Test Operational Environment’s Physical Perimeter XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Ezurio / atsec information security.

Page 103

Appendix B. References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 3, 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt © 2025 Ezurio / atsec information security.

Page 104

RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf © 2025 Ezurio / atsec information security.

Page 105

SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP 800-140B CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2025 Ezurio / atsec information security.

Referenced URLs