All modules
CMVP Validated Module · FIPS 140-3 Security Policy

IBM COS Linux Kernel Cryptographic API Cryptographic Module

Certificate#5094StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorIBM Corporation
Medium review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 3932 CVEs since this module's initial validation  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/13/2030
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorIBM Corporation

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for IBM COS Linux Kernel Cryptographic API Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for IBM COS Linux Kernel Cryptographic API Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

IBM Corporation IBM COS Linux Kernel Cryptographic API Cryptographic Module Document Version 1.1 Last update: 2025-11-10 Prepared by: Prepared for: atsec information security corporation IBM Corporation

4516 Seton Center Parkway, Suite 250 71 S Wacker Dr, 6th Floor

Austin, TX 78759 Chicago, IL 60606 www.atsec.com www.ibm.com © 2025 IBM / atsec information security.

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 IBM / atsec information security.

3 of 71
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid9
Table 5: Modes List and Description9
Table 6: Approved Algorithms12
Table 7: Vendor-Affirmed Algorithms12
Table 8: Non-Approved, Not Allowed Algorithms12
Table 9: Security Function Implementations17
Table 10: Entropy Certificates18
Table 11: Entropy Sources19
Table 12: Ports and Interfaces21
Table 13: Roles22
Table 14: Approved Services30
Table 15: Non-Approved Services30
Table 16: Storage Areas35
Table 17: SSP Input-Output Methods35
Table 18: SSP Zeroization Methods36
Table 19: SSP Table 139
Table 20: SSP Table 241
Table 21: Pre-Operational Self-Tests42
Table 22: Conditional Self-Tests57
Table 23: Pre-Operational Periodic Information57
Table 24: Conditional Periodic Information64
Table 25: Error States64
Page 5
List of Figures
ItemPage
Figure 1: Block Diagram7
Page 6
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3 of the IBM COS Linux Kernel Cryptographic API Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2025 IBM / atsec information security.

6 of 71
Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The IBM COS Linux Kernel Cryptographic API Cryptographic Module (hereafter referred to as “the module”) provides a C language application program interface (API) for use by other (kernel space and user space) processes that require cryptographic functionality. The module operates on a general-purpose computer as part of the Linux kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the kernel crypto object files, the libkcapi library, and the kcapi-hasher binary, which is used to verify the integrity of the software components. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. The cryptographic boundary is indicated by the small bold border in Figure

  1. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. It includes software in kernel and user space, as well as the PAA in the CPU. The TOEPP is indicated by the large thin border in Figure
  2. Figure 1: Block Diagram © 2025 IBM / atsec information security.
7 of 71
Page 8
2.2 Tested and Vendor Affirmed Module Version

and Identification Tested Module Identification

3.19 SR650v3 Xeon 8474C libkcapi: 1.5.0-1

amd64 ClevOS Lenovo Intel Sapphire Rapids No N/A Kernel: 3

3.19 SR650v3 Xeon 8474C libkcapi: 1.5.0-1

amd64 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating Hardware Platform System ClevOS 3.19 PIO-628U-TR4T+-ST031 (Intel Xeon E5-2620 *) ClevOS 3.19 PIO-648R-E1CR36L+-ST031 (Intel Xeon E5-2620 *) ClevOS 3.19 IBM A10 Series (Intel Xeon 6126) ClevOS 3.19 IBM A10 Series (Intel Xeon 6226) ClevOS 3.19 IBM M10 Series (Intel Xeon 4110) ClevOS 3.19 IBM M10 Series (Intel Xeon 4210R) ClevOS 3.19 IBM C10 Series (Intel Xeon 4110) © 2025 IBM / atsec information security.

8 of 71
Page 9

Operating Hardware Platform System ClevOS 3.19 IBM C10 Series (Intel Xeon 4210R) ClevOS 3.19 IBM 4616-A2D Series (Intel Xeon 4416+) ClevOS 3.19 IBM 4616-M2D Series (Intel Xeon 4416+) ClevOS 3.19 IBM 4616-C2D Series (Intel Xeon 4416+) ClevOS 3.19 IBM 4616-S3D Series (Intel Xeon Gold 6438N) ClevOS 3.19 IBM 4616-S4D/S6D Series (Intel Xeon 4416+) ClevOS 3.19 IBM 4616-A1D Series (Intel Xeon 4314) ClevOS 3.19 IBM 4616-M1D Series (Intel Xeon 4314) ClevOS 3.19 IBM 4616-C1D Series (Intel Xeon 4314) ClevOS 3.19 IBM 4616-S2D Series (Intel Xeon 4314) Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically Approved Mapped to approved service indicator in Section mode entered whenever 4.3 for all approved algorithms except GCM: an approved respective approved service function returns service is indicator 0. For GCM: crypto_aead_get_flags(tfm) requested has the CRYPTO_TFM_FIPS_COMPLIANCE flag set Non- Automatically Non- No service indicator required for non-approved approved entered whenever Approved services per IG 2.4.C mode a non-approved service is requested Table 5: Modes List and Description Mode Change Instructions and Status: After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description: Not applicable. © 2025 IBM / atsec information security.

9 of 71
Page 10
2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A6801, A6806, A6809, Direction - Decrypt, Encrypt SP 800-38A A6812 Key Length - 128, 192, 256 AES-CBC-CS3 A6801, A6806, A6809, Direction - decrypt, encrypt SP 800-38A A6812 Key Length - 128, 192, 256 AES-CCM A6801, A6806, A6812 Key Length - 128, 192, 256 SP 800-38C AES-CFB128 A6801, A6806, A6812 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A6801, A6806, A6812 Direction - Generation SP 800-38B Key Length - 128, 192, 256 AES-CTR A6801, A6806, A6809, Direction - Decrypt, Encrypt SP 800-38A A6812 Key Length - 128, 192, 256 AES-ECB A6801, A6804, A6805, Direction - Decrypt, Encrypt SP 800-38A A6806, A6807, A6808, Key Length - 128, 192, 256 A6809, A6810, A6811, A6812, A6813, A6814 AES-GCM A6801, A6805, A6806, Direction - Decrypt, Encrypt SP 800-38D A6808, A6809, A6811, IV Generation - External A6812, A6814 Key Length - 128, 192, 256 AES-GCM A6804, A6807, A6810, Direction - Decrypt, Encrypt SP 800-38D A6813 IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A6801, A6806, A6812 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-KW A6801, A6806, A6812 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A6801, A6806, A6812 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS A6801, A6806, A6809, Direction - Decrypt, Encrypt SP 800-38E Testing A6812 Key Length - 128, 256 Revision 2.0 Counter DRBG A6801, A6804, A6805, Prediction Resistance - No, Yes SP 800-90A A6806, A6807, A6808, Mode - AES-128, AES-192, AES-256 Rev. 1 A6809, A6810, A6811, Derivation Function Enabled - Yes A6812, A6813, A6814 ECDSA KeyGen A6801 Curve - P-256, P-384 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA SigVer A6802 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384 Hash Algorithm - SHA-1 ECDSA SigVer A6802 Curve - P-256, P-384 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA3256, SHA3-384, SHA3-512 Hash DRBG A6801, A6815, A6816, Prediction Resistance - No, Yes SP 800-90A A6817 Mode - SHA-1, SHA2-256, SHA2- Rev. 1 384, SHA2-512 © 2025 IBM / atsec information security.

10 of 71
Page 11

Algorithm CAVP Cert Properties Reference HMAC DRBG A6801, A6815, A6816, Prediction Resistance - No, Yes SP 800-90A A6817 Mode - SHA-1, SHA2-256, SHA2- Rev. 1 384, SHA2-512 HMAC-SHA-1 A6801, A6815, A6816, Key Length - Key Length: 112- FIPS 198-1 A6817, A6818 524288 Increment 8 HMAC-SHA2- A6801, A6815, A6816, Key Length - Key Length: 112- FIPS 198-1

224 A6817, A6818 524288 Increment 8

HMAC-SHA2- A6801, A6815, A6816, Key Length - Key Length: 112- FIPS 198-1

256 A6817, A6818 524288 Increment 8

HMAC-SHA2- A6801, A6815, A6816, Key Length - Key Length: 112- FIPS 198-1

384 A6817 524288 Increment 8

HMAC-SHA2- A6801, A6815, A6816, Key Length - Key Length: 112- FIPS 198-1

512 A6817 524288 Increment 8

HMAC-SHA3- A6801 Key Length - Key Length: 112- FIPS 198-1

224 524288 Increment 8

HMAC-SHA3- A6801 Key Length - Key Length: 112- FIPS 198-1

256 524288 Increment 8

HMAC-SHA3- A6801 Key Length - Key Length: 112- FIPS 198-1

384 524288 Increment 8

HMAC-SHA3- A6801 Key Length - Key Length: 112- FIPS 198-1

512 524288 Increment 8

KAS-ECC-SSC A6801 Domain Parameter Generation SP 800-56A Sp800-56Ar3 Methods - P-256, P-384 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A6801 Domain Parameter Generation SP 800-56A Sp800-56Ar3 Methods - ffdhe2048, ffdhe3072, Rev. 3 ffdhe4096, ffdhe6144, ffdhe8192 Scheme dhEphem KAS Role - initiator, responder KDA OneStep A6803 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Rev. 2 Secret Length: 224-2048 Increment KDF SP800- A6803 KDF Mode - Counter SP 800-108

108 Supported Lengths - Supported Rev. 1

Lengths: 112-4096 Increment 8 RSA SigVer A6801 Signature Type - PKCS 1.5 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A6801 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5 Safe Primes A6801 Safe Prime Groups - ffdhe2048, SP 800-56A Key ffdhe3072, ffdhe4096, ffdhe6144, Rev. 3 Generation ffdhe8192 SHA-1 A6801, A6815, A6816, Message Length - Message Length: FIPS 180-4 A6817, A6818 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-224 A6801, A6815, A6816, Message Length - Message Length: FIPS 180-4 A6817, A6818 0-65536 Increment 8 Large Message Sizes - 1, 2 © 2025 IBM / atsec information security.

11 of 71
Page 12

Algorithm CAVP Cert Properties Reference SHA2-256 A6801, A6815, A6816, Message Length - Message Length: FIPS 180-4 A6817, A6818 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-384 A6801, A6815, A6816, Message Length - Message Length: FIPS 180-4 A6817 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA2-512 A6801, A6815, A6816, Message Length - Message Length: FIPS 180-4 A6817 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-224 A6801 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-256 A6801 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-384 A6801 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 SHA3-512 A6801 Message Length - Message Length: FIPS 202 0-65536 Increment 8 Large Message Sizes - 1, 2 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key N/A SP800-133r2, section 4 example 1 (asymmetric) Type:Asymmetric (without XOR) Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES-GCM with Encryption with external IV (not compliant to FIPS 140-3 IG C.H) external IV KBKDF Key derivation with implementation not tested by CAVP (libkcapi) HKDF (libkcapi) Key derivation with implementation not tested by CAVP PBKDF2 Password-based key derivation with implementation not tested by CAVP (libkcapi) RSA Encryption primitive; Decryption primitive (not compliant to SP 800-56Br2) RSA with Signature generation (pre-hashed message); Signature verification (prePKCS#1 v1.5 hashed message); Key encapsulation (not compliant to SP 800-56Br2); Key padding un-encapsulation (not compliant to SP 800-56Br2) Table 8: Non-Approved, Not Allowed Algorithms © 2025 IBM / atsec information security.

12 of 71
Page 13
2.6 Security Function Implementations

Name Type Description Properties Algorithms Encryption and BC-UnAuth SP800-38A. AES-CBC: (A6801, Decryption with Encryption, A6806, A6809, AES Decryption A6812) AES-ECB: (A6801, A6804, A6805, A6806, A6807, A6808, A6809, A6810, A6811, A6812, A6813, A6814) AES-CFB128: (A6801, A6806, A6812) AES-XTS Testing Revision 2.0: (A6801, A6806, A6809, A6812) AES-CBC-CS3: (A6801, A6806, A6809, A6812) AES-OFB: (A6801, A6806, A6812) Authenticated BC-Auth SP800-38F. Authenticated AES-KW: (A6801, Encryption and Authenticated Encryption and A6806, A6812) Authenticated encryption, Authenticated Decryption with Authenticated Decryption with AES-KW decryption AES-KW Security Strength:128-256 bits Random Number DRBG SP800-90Ar1. Hash DRBG: Generation with Random number (A6801, A6815, HMAC DRBG, generation A6816, A6817) Hash DRBG or HMAC DRBG: Counter DRBG (A6801, A6815, A6816, A6817) Counter DRBG: (A6801, A6804, A6805, A6806, A6807, A6808, A6809, A6810, A6811, A6812, A6813, A6814) Message MAC SP800-38B, HMAC-SHA-1: Authentication SP800-38D, FIPS (A6801, A6815, Code Generation 198-1. Message A6816, A6817, with AES or HMAC authentication A6818) HMAC-SHA2-224: (A6801, A6815, A6816, A6817, A6818) HMAC-SHA2-256: © 2025 IBM / atsec information security.

13 of 71
Page 14

Name Type Description Properties Algorithms (A6801, A6815, A6816, A6817, A6818) HMAC-SHA2-384: (A6801, A6815, A6816, A6817) HMAC-SHA2-512: (A6801, A6815, A6816, A6817) AES-CMAC: (A6801, A6806, A6812) AES-GMAC: (A6801, A6806, A6812) HMAC-SHA3-224: (A6801) HMAC-SHA3-256: (A6801) HMAC-SHA3-384: (A6801) HMAC-SHA3-512: (A6801) Message MAC SP800-38D, FIPS AES-GMAC: Authentication 198-1. Message (A6801, A6806, Code Verification authentication A6812) with AES-GMAC Shared Secret KAS-SSC SP 800-56Ar3. KAS-FFC-SSC KAS-ECC-SSC Computation with KAS-ECC-SSC and Security Sp800-56Ar3: KAS-FFC-SSC or KAS-FFC-SSC per Strength:112-200 (A6801) KAS-ECC-SSC IG D.F Scenario 2 bits KAS-FFC-SSC (1) KAS-ECC-SSC Sp800-56Ar3: Security (A6801) Strength:128,

192 bits

Message Digest SHA FIPS180-4, SHA-1: (A6801, with SHA FIPS202. Message A6815, A6816, digest A6817, A6818) SHA2-224: (A6801, A6815, A6816, A6817, A6818) SHA2-256: (A6801, A6815, A6816, A6817, A6818) SHA2-384: (A6801, A6815, A6816, A6817) SHA2-512: (A6801, A6815, A6816, A6817) SHA3-224: (A6801) © 2025 IBM / atsec information security.

14 of 71
Page 15

Name Type Description Properties Algorithms SHA3-256: (A6801) SHA3-384: (A6801) SHA3-512: (A6801) Key Pair AsymKeyPair- FIPS186-5, Safe Primes Key Generation with KeyGen SP800-56Ar3. Generation: ECDSA or Safe CKG ECDSA Key pair (A6801) Primes KAS-KeyGen generation ECDSA KeyGen according to (FIPS186-5): FIPS186-5, (A6801) Appendix A.2.2 CKG per IG D.H and (asymmetric): () SP800-133r2, section 4 (without XOR) 5.1, 5.2; Safe Primes Key Generation according to SP800-56Ar3, Section 5.6.1.1.4 per IG D.H and SP800-133r2, section 4 (without XOR), 5.2 Authenticated BC-Auth SP800-38C. Authenticated AES-CCM: Encryption and Authenticated Encryption and (A6801, A6806, Authenticated encryption, Authenticated A6812) Decryption with Authenticated Decryption with AES-CCM decryption AES-CCM Security Strength:128-256 bits Authenticated BC-Auth SP800-38D. Authenticated AES-GCM: Encryption and Authenticated Encryption and (A6801, A6804, Authenticated encryption, Authenticated A6805, A6806, Decryption with Authenticated Decryption with A6807, A6808, AES-GCM decryption AES-GCM A6809, A6810, Security A6811, A6812, Strength:128-256 A6813, A6814) bits Authenticated BC-Auth SP800-38A, FIPS AES-CBC: (A6801, Encryption and 198-1. A6806, A6809, Authenticated Authenticated A6812) Decryption with encryption, AES-CTR: (A6801, AES-CBC or AES- Authenticated A6806, A6809, CTR with HMAC decryption A6812) HMAC-SHA-1: (A6801, A6815, A6816, A6817, A6818) HMAC-SHA2-256: (A6801, A6815, A6816, A6817, © 2025 IBM / atsec information security.

15 of 71
Page 16

Name Type Description Properties Algorithms A6818) HMAC-SHA2-384: (A6801, A6815, A6816, A6817) HMAC-SHA2-512: (A6801, A6815, A6816, A6817) Signature DigSig-SigVer Signature RSA SigVer Verification with verification (FIPS186-5): RSA (A6801) SHA2-224: (A6801, A6815, A6816, A6817, A6818) SHA2-256: (A6801, A6815, A6816, A6818) SHA2-384: (A6801, A6815, A6816, A6817) SHA2-512: (A6801, A6815, A6816, A6817) Legacy Signature DigSig-SigVer Signature SHA-1: (A6801, Verification with verification A6815, A6816, RSA A6817, A6818) RSA SigVer (FIPS186-4): (A6801) Signature DigSig-SigVer Signature SHA2-224: Verification with verification (A6801, A6815, ECDSA A6816, A6817, A6818) SHA2-256: (A6801, A6815, A6816, A6817, A6818) SHA2-384: (A6801, A6815, A6816, A6817) SHA2-512: (A6801, A6815, A6816, A6817) SHA3-256: (A6801) SHA3-384: (A6801) SHA3-512: (A6801) ECDSA SigVer (FIPS186-5): (A6802) © 2025 IBM / atsec information security.

16 of 71
Page 17

Name Type Description Properties Algorithms Legacy Signature DigSig-SigVer Signature SHA-1: (A6801, Verification with verification A6815, A6816, ECDSA A6817, A6818) ECDSA SigVer (FIPS186-4): (A6802) Key Derivation KBKDF SP 800-108r1. KDF SP800-108: with KBKDF Key derivation (A6803) Key Derivation KAS-56CKDF SP 800-56cr2. KDA OneStep with KDA Key agreement SP800-56Cr2: OneStep scheme (A6803) Table 9: Security Function Implementations

2.7 Algorithm Specific Information

Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.

2.7.1 AES GCM IV

For IPsec, the module offers the AES GCM implementation and uses the context of Scenario

1 (b) of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs

generated using this mechanism may only be used in the context of AES GCM encryption within the IPsec protocol. The module does not implement IPsec. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. This application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API will not set an approved service indicator, as described in the Approved Services table.

2.7.2 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit. © 2025 IBM / atsec information security.

17 of 71
Page 18

To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. As the module does not implement symmetric key generation, this check is performed when the keys are input by the operator. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133r2, Section 6.3.

2.7.3 Diffie-Hellman and EC Diffie-Hellman

The module offers DH and ECDH shared secret computation services compliant to the SP 800-56Ar3 and meeting IG D.F scenario 2 path (1). To meet the required assurances listed in Section 5.6 of SP 800-56Ar3, the module shall be used together with an application that implements the IPSec protocol and the following steps shall be performed:

  1. The entity using the module, must use the module's "Key pair generation" service: the set_secret and generate_public_key API functions, to generate DH/ECDH ephemeral key pairs. This meets the assurances required by key pair owner defined in the section 5.6.2.1 of SP 800-56Ar3.
  2. As part of the module's shared secret computation service, the module internally performs the public key validation on the peer's public key passed in as input to the API function. This meets the public key validity assurance required by section
5.6.2.2.2 of SP 800-56Ar3.

3. The module does not support static keys, therefore the "assurance of peer's possession of private key" is not applicable.

2.7.5 SHA-1

Digital signature generation using SHA-1 is non-approved and not allowed in approved services.

2.7.6 SHA-3

The module implements HMAC with SHA3-224, SHA3-256, SHA3-384, SHA3-512. The CAVP certificates have been obtained for the HMAC algorithm as well as for all the SHA3 implementations. The CAVP certificates are listed in the Approved Algorithms table.

2.7.7 RSA

The module implements FIPS 186-4 RSA SigVer and FIPS 186-5 RSA SigVer. All RSA modulus lengths (i.e., 2048, 3072, 4096 bits) have been CAVP tested. The CAVP certificates are listed in the Approved Algorithms table.

2.8 RBG and Entropy

Cert Vendor Name Number E260 IBM Corporation Table 10: Entropy Certificates © 2025 IBM / atsec information security.

18 of 71
Page 19

Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample IBM Corporation Kernel Non- ClevOS 3.19 on 256 bits 256 bits SHA3-256 CPU Time Jitter Entropy Physical Intel® Xeon® (A6801) source Version 3.4.0 8474C Table 11: Entropy Sources The module implements three different Deterministic Random Bit Generator (DRBG) implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each of these DRBG implementations can be instantiated by the operator of the module, using the parameters listed specified in the Security Function Implementations table. When instantiated, these DRBGs can be used to generate random numbers for external usage. Additionally, the module employs a specific HMAC-SHA-512 DRBG implementation for internal purposes (e.g. to generate asymmetric key pairs). The module complies with the Public Use Document for ESV certificate E260 by reading entropy data from the jent_kcapi_random() function, which corresponds to the GetEntropy() conceptual interface. This function outputs 256 bits of full entropy. The HMAC-SHA-512 DRBG is instantiated with a 384-bit entropy input and reseeded with a 256-bits long entropy input. Outputs of multiple GetEntropy() calls are concatenated to receive the entropy input length greater than 256 bits. The output is truncated to get the entropy input string which is not a multiple of 256. The operational environment on the ESV certificate is identical to the operating system described in this document, and the entropy source is implemented inside the cryptographic boundary. Thus, the module is compliant with scenario 1 of IG 9.3.A. There are no maintenance requirements for the entropy source.

2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are directly obtained as output from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without XOR, as described in Additional Comment 2 of IG D.H). The following methods are implemented:

19 of 71
Page 20
2.10 Key Establishment

The module implements shared secret computation methods as listed in the Security Function Implementations table.

2.11 Industry Protocols

AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106 and shall only be used in conjunction with the IPsec protocol. The module implements shared secret computation for DH and ECDH following SP 80056Arev3 No other parts of the TLS or IPSec protocols, other than those mentioned above, have been tested by the CAVP and CMVP. © 2025 IBM / atsec information security.

20 of 71
Page 21
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API data input parameters, AF_ALG type sockets N/A Data Output API output parameters, AF_ALG type sockets N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel command line N/A Status API return values, AF_ALG type sockets, kernel logs Output Table 12: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. © 2025 IBM / atsec information security.

21 of 71
Page 22
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods CO Role CO None Table 13: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Message Compute crypto_shash_init returns 0 Messag Digest Message CO Digest a e Value Digest with message SHA digest Encryption Encrypt a crypto_skcipher_setkey AES Cipherte Encryption CO plaintext returns 0 Key, xt and - AES plaintex Decryption Key: W,E t with AES Decryption Decrypt a crypto_skcipher_setkey AES Plaintext Encryption CO ciphertext returns 0 Key, and - AES cipherte Decryption Key: W,E xt with AES Authentica Encrypt a For all except AES GCM: AES Cipherte Authentica CO ted plaintext crypto_aead_setkey returns Key, IV, xt, MAC ted - AES Encryption 0; For AES GCM: plaintex tag Encryption Key: W,E crypto_aead_get_flags(tfm) t and has the Authentica CRYPTO_TFM_FIPS_COMPLI ted ANCE flag set Decryption with AESCCM Authentica ted Encryption and Authentica ted Decryption with AESGCM Authentica © 2025 IBM / atsec information security.

22 of 71
Page 23

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access ted Encryption and Authentica ted Decryption with AESCBC or AES-CTR with HMAC Authentica ted Encryption and Authentica ted Decryption with AESKW Authentica Decrypt a For all except AES GCM: AES Plaintext Authentica CO ted ciphertext crypto_aead_setkey returns key, IV, or failure ted - AES Decryption 0; For AES GCM: MAC Encryption Key: W,E crypto_aead_get_flags(tfm) tag, and has the cipherte Authentica CRYPTO_TFM_FIPS_COMPLI xt ted ANCE flag set Decryption with AESCCM Authentica ted Encryption and Authentica ted Decryption with AESGCM Authentica ted Encryption and Authentica ted Decryption with AESCBC or AES-CTR with HMAC Authentica ted Encryption and Authentica © 2025 IBM / atsec information security.

23 of 71
Page 24

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access ted Decryption with AESKW Message Compute crypto_shash_init returns 0 AES key MAC tag Message CO Authentica a MAC tag or Authentica - AES tion Code HMAC tion Code Key: W,E Generation key, Generation - HMAC messag with AES Key: W,E e or HMAC Message Verify a crypto_shash_init returns 0 AES Pass/fail Message CO Authentica MAC tag key, Authentica - AES tion Code MAC tion Code Key: W,E Verificatio tag, Verificatio n messag n with e AES-GMAC Random Generate crypto_rng_get_bytes Output Random Random CO Number random returns 0 length bytes Number - Entropy Generation bytes Generation Input (IG with HMAC D.L): DRBG, W,E,Z Hash DRBG or CTR_DRB Counter G Seed DRBG (IG D.L): G,E Hash_DR BG Seed (IG D.L): G,E HMAC_DR BG Seed (IG D.L): G,E CTR_DRB G Internal State (V, Key) (IG D.L): G,W,E Hash_DR BG Internal State (V, C) (IG D.L): G,W,E HMAC_DR © 2025 IBM / atsec information security.

24 of 71
Page 25

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access BG Internal State (V, Key) (IG D.L): G,W,E Shared Compute crypto_kpp_compute_share DH Shared Shared CO Secret a shared d_secret returns 0 private secret Secret - DH Computati secret key, DH Computati Public on public on with Key: W,E key or KAS-FFC- - DH EC SSC or Private private KAS-ECC- Key: W,E key, EC SSC - EC public Public key Key: W,E - EC Private Key: W,E - Shared Secret: G,R Key Pair Generate crypto_kpp_set_secret and Safe Safe Key Pair CO Generation a key pair crypto_kpp_generate_publi Primes: Primes: Generation c_key return 0 Group; DH with Intermedi ECDSA: private ECDSA or ate Key Curve key, DH Safe Generatio public Primes n Value: key; G,E,Z ECDSA: - DH EC Public private Key: G,R key, EC - DH public Private key Key: G,R - EC Public Key: G,R - EC Private Key: G,R Signature Verify a crypto_akcipher_init Signatu Digital Signature CO Verificatio signature returns 0 re, signature Verificatio - RSA n ECDSA verificati n with RSA Public public on result Signature Key: W,E key, Verificatio - EC RSA n with Public public ECDSA Key: W,E key Legacy Signature Verificatio n with RSA Legacy © 2025 IBM / atsec information security.

25 of 71
Page 26

Name Descripti IndicatorInputs Outputs Security SSP on Functions Access Signature Verificatio n with ECDSA KBKDF Key Derive a crypto_kdf108_ctr_generat Key- KBKDF Key CO Derivation key from e returns 0 Derivati Derived Derivation - Keya key- on Key Key with Derivatio derivation KBKDF n Key: key W,E - KBKDF Derived Key: G,R OneStep Derive a crypto_kdf108_ctr_generat Shared KDA Key CO KDA Key key from e returns 0 Secret OneStep Derivation - Shared Derivation a shared Derived with KDA Secret: secret Key OneStep W,E - KDA OneStep Derived Key: G,R Error Compute None Messag EDC None CO Detection an EDC e Code (crc32, crct10dif, crc64rocksoft) Compressi Compress None Data Compres None CO on data sed data (deflate, deflateiaa, lz4, lz4hc, lzo, zstd) Generic Use the None Identifie Various None CO System kernel to r, return Call perform various values various argume non- nts cryptogra phic operations Show Return the None N/A Module None CO Version module name name and and version version informatio n Show Return the None N/A Module None CO Status module status status Self-Test Perform None N/A Pass/fail Encryption CO the CASTs and and Decryption © 2025 IBM / atsec information security.

26 of 71
Page 27

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access integrity with AES tests Random Number Generation with HMAC DRBG, Hash DRBG or Counter DRBG Message Authentica tion Code Generation with AES or HMAC Message Authentica tion Code Verificatio n with AES-GMAC Shared Secret Computati on with KAS-FFCSSC or KAS-ECCSSC Message Digest with SHA Key Pair Generation with ECDSA or Safe Primes Authentica ted Encryption and Authentica ted Decryption with AESCCM Authentica ted Encryption and Authentica © 2025 IBM / atsec information security.

27 of 71
Page 28

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access ted Decryption with AESGCM Authentica ted Encryption and Authentica ted Decryption with AESCBC or AES-CTR with HMAC Authentica ted Encryption and Authentica ted Decryption with AESKW Signature Verificatio n with RSA Signature Verificatio n with ECDSA Zeroization Zeroize all None Any SSP N/A None CO SSPs - AES Key: Z - HMAC Key: Z - Shared Secret: Z - Entropy Input (IG D.L): Z CTR_DRB G Seed (IG D.L): Z Hash_DR BG Seed (IG D.L): Z HMAC_DR © 2025 IBM / atsec information security.

28 of 71
Page 29

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access BG Seed (IG D.L): Z CTR_DRB G Internal State (V, Key) (IG D.L): Z Hash_DR BG Internal State (V, C) (IG D.L): Z HMAC_DR BG Internal State (V, Key) (IG D.L): Z - DH Public Key: Z - DH Private Key: Z - EC Public Key: Z - EC Private Key: Z Intermedi ate Key Generatio n Value: Z - RSA Public Key: Z - KeyDerivatio n Key: Z - KBKDF Derived Key: Z - KDA OneStep © 2025 IBM / atsec information security.

29 of 71
Page 30

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Derived Key: Z Table 14: Approved Services The following convention is used to specify access rights to SSPs:

4.4 Non-Approved Services

Name Description Algorithms Role AES-GCM with Encryption AES-GCM with CO external IV external IV KBKDF Key derivation KBKDF (libkcapi) CO (libkcapi) HKDF (libkcapi) Key derivation HKDF (libkcapi) CO PBKDF2 Password-based key derivation PBKDF2 (libkcapi) CO (libkcapi) RSA Encryption primitive; Decryption primitive RSA CO RSA with Signature generation (pre-hashed message); RSA with PKCS#1 CO PKCS#1 v1.5 Signature verification (pre-hashed message); Key v1.5 padding padding encapsulation; Key un-encapsulation Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded

Not applicable. © 2025 IBM / atsec information security.

30 of 71
Page 31
5 Software/Firmware Security
5.1 Integrity Techniques

The kcapi-hasher binary utilizes the module’s HMAC and SHA-512 implementations and verifies it’s integrity test and the libkcapi library integrity followed by the integrity test on the static kernel binary i.e. vmlinuz. The HMAC key used for this integrity test is stored in libkcapi. The kernel object (.ko) files are verified using RSA signature verification with PKCS#1 v1.5 padding, SHA-512, and a 4096-bit key stored in the kernel.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests. © 2025 IBM / atsec information security.

31 of 71
Page 32
6 Operational Environment
6.1 Operational Environment Type and

Requirements Type of Operational Environment: Modifiable How Requirements are Satisfied: the module executes as part of a general-purpose operating system (ClevOS 3.19), which allows modification, loading, and execution of software that is not part of the validated module. The approved cryptographic algorithms of the module are part of the Linux kernel, which operates in Linux kernel space. This ensures that any SSPs contained within the module are protected by the process isolation and memory separation mechanisms provided by the Linux kernel, and only the module has control over these SSPs. The user space libkcapi and kcapi-hasher components, though not processing any SSPs, are similarly protected by the operating environment.

6.2 Configuration Settings and Restrictions

The module shall be installed as specified in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 IBM / atsec information security.

32 of 71
Page 33
7 Physical Security

The module is comprised of software only and therefore this section is not applicable. © 2025 IBM / atsec information security.

33 of 71
Page 34
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism and therefore this section is not applicable. © 2025 IBM / atsec information security.

34 of 71
Page 35
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service Dynamic execution Table 16: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator Cryptographic Plaintext Manual Electronic parameters; calling module AF_ALG_type application sockets (input) (TOEPP) API output Cryptographic Operator Plaintext Manual Electronic parameters; module calling AF_ALG type application sockets (TOEPP) (output) Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied By calling the appropriate zeroization handle SSPs contained by SSPs is functions: AES key: crypto_free_skcipher within the cipher overwritten with and crypto_free_aead; HMAC key: handle zeroes, which crypto_free_shash and renders the SSP crypto_free_ahash; Internal state: values crypto_free_rng; DH public & private irretrievable key: crypto_free_kpp; EC public & private key: crypto_free_kpp; KeyDerivation Key: memzero_explicit; KBKDF Derived Key: memzero_explicit; KDA OneStep Derived Key: memzero_explicit Automatic Automatically Memory occupied N/A zeroized by the by SSPs is module when no overwritten with longer needed zeroes, which © 2025 IBM / atsec information security.

35 of 71
Page 36

Zeroization Description Rationale Operator Initiation Method renders the SSP values irretrievable. Remove De-allocates the Volatile memory By removing power power from volatile memory used by the the module used to store module is SSPs overwritten within nanoseconds when power is removed. Table 18: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Description Size - Type - Generate Establishe Used By Strength Category d By d By AES Key AES key used XTS: 128, 256 Symmetric Encryption for bits; ECB, key - CSP and Encryption; CBC, CTR, Decryption Decryption; CFB128, CBC- with AES Authenticated CS3, KW, Message encryption; OFB, CCM, Authenticatio Authenticated GCM, CMAC, n Code decryption; GMAC: 128, Generation Message 192, 256 bits with AES or authenticatio - XTS: 128, HMAC n; 256 bits; ECB, Message CBC, CTR, Authenticatio CFB128, CBC- n Code CS3, KW, Verification OFB, CCM, with AESGCM, CMAC, GMAC GMAC: 128, 192, 256 bits HMAC Key HMAC key 112-524288 Symmetric Message used for bits - 112-256 key - CSP Authenticatio Message bits n Code authenticatio Generation n code (MAC); with AES or HMAC Shared Shared secret KAS-FFC- Shared Shared Key Secret established SSC:ffdhe204 secret - Secret Derivation during 8, ffdhe3072, CSP Computatio with KDA Shared ffdhe4096, n with KAS- OneStep Secret ffdhe6144, FFC-SSC or Computation ffdhe8192; KAS-ECCKAS-ECC-SSC: SSC P-256, P-384 bits - KAS© 2025 IBM / atsec information security.

36 of 71
Page 37

Name Description Size - Type - Generate Establishe Used By Strength Category d By d By FFC-SSC: 112-

200 bits; KAS-

ECC-SSC: 128, 192 bits Entropy Entropy input 128-384 bits - Entropy Random Input (IG used to seed 128-384 bits input - CSP Number D.L) the DRBGs Generation with HMAC DRBG, Hash DRBG or Counter DRBG CTR_DRBG DRBG seed 256, 320, 384 Seed - CSP Random Random Seed (IG derived from bits - 128, Number Number D.L) Entropy Input 192, 256 bits Generatio Generation n with with HMAC HMAC DRBG, Hash DRBG, DRBG or Hash Counter DRBG or DRBG Counter DRBG Hash_DRBG DRBG seed 440, 888 bits Seed - CSP Random Random Seed (IG derived from - 128, 256 Number Number D.L) Entropy Input bits Generatio Generation n with with HMAC HMAC DRBG, Hash DRBG, DRBG or Hash Counter DRBG or DRBG Counter DRBG HMAC_DRB DRBG seed 440, 888 bits Seed - CSP Random Random G Seed (IG derived from - 128, 256 Number Number D.L) Entropy Input bits Generatio Generation n with with HMAC HMAC DRBG, Hash DRBG, DRBG or Hash Counter DRBG or DRBG Counter DRBG CTR_DRBG Internal state 256, 320, 384 Internal Random Random Internal of Counter bits - 128, state - CSP Number Number State (V, DRBG 192, 256 bits Generatio Generation Key) (IG instance n with with HMAC D.L) HMAC DRBG, Hash DRBG, DRBG or Hash Counter DRBG or DRBG Counter DRBG © 2025 IBM / atsec information security.

37 of 71
Page 38

Name Description Size - Type - Generate Establishe Used By Strength Category d By d By Hash_DRBG Internal state 880, 1776 Internal Random Random Internal of Hash DRBG bits - 128, state - CSP Number Number State (V, C) instance 256 bits Generatio Generation (IG D.L) n with with HMAC HMAC DRBG, Hash DRBG, DRBG or Hash Counter DRBG or DRBG Counter DRBG HMAC_DRB Internal state 320, 512, Internal Random Random G Internal of HMAC 1024 bits - state - CSP Number Number State (V, DRBG 128, 256 bits Generatio Generation Key) (IG instance n with with HMAC D.L) HMAC DRBG, Hash DRBG, DRBG or Hash Counter DRBG or DRBG Counter DRBG DH Public Public key ffdhe2048, Public key - Key Pair Shared Key used for KAS- ffdhe3072, PSP Generatio Secret FFC-SSC ffdhe4096, n with Computation ffdhe6144, ECDSA or with KASffdhe8192 - Safe FFC-SSC or 112-200 bits Primes KAS-ECC-SSC DH Private DH private ffdhe2048, Private key Key Pair Shared Key key used for ffdhe3072, - CSP Generatio Secret KAS-FFC-SSC ffdhe4096, n with Computation ffdhe6144, ECDSA or with KASffdhe8192 - Safe FFC-SSC or 112-200 bits Primes KAS-ECC-SSC EC Public Public key P-256, P-384 - Public key - Key Pair Shared Key used for KAS- 128, 192 bits PSP Generatio Secret ECC-SSC n with Computation ECDSA or with KASSafe FFC-SSC or Primes KAS-ECC-SSC Signature Verification with ECDSA EC Private EC private P-521, P-384 - Private key Key Pair Shared Key key used for 128, 192 bits - CSP Generatio Secret KAS-ECC-SSC n with Computation ECDSA or with KASSafe FFC-SSC or Primes KAS-ECC-SSC Intermediat Intermediate 192-8192 bits Intermediat Key Pair Key Pair e Key value - 112-256 bits e value - Generatio Generation Generation generated CSP n with with ECDSA Value during Key ECDSA or or Safe Pair Safe Primes Generation Primes © 2025 IBM / atsec information security.

38 of 71
Page 39

Name Description Size - Type - Generate Establishe Used By Strength Category d By d By RSA Public RSA Public 2048-4096 Public key - Signature Key key used for bits - 112-150 PSP Verification Signature bits with RSA Verification with RSA Key- Used for key 112-4096 bits Symmetric Key Derivation derivation - 112-256 bits key - CSP Derivation Key with KBKDF KBKDF Generated by 112-4096 bits Symmetric Key Derived key-based - 112-256 bits key - CSP Derivation Key key with derivation KBKDF KDA Generated by 2048 bits - Symmetric Key OneStep OneStep KDA 112 bits key - CSP Derivation Derived key with KDA Key derivation OneStep Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES Key API input RAM:Plaintext From service Free cipher parameters; invocation to handle AF_ALG_type service Remove sockets (input) completion power from the module HMAC Key API input RAM:Plaintext From service Free cipher parameters; invocation to handle AF_ALG_type service Remove sockets (input) completion power from the module Shared Secret API output RAM:Plaintext From service Free cipher DH Public parameters; invocation to handle Key:Derived From AF_ALG type service Remove DH Private sockets completion power from Key:Derived From (output) the module EC Public Key:Derived From EC Private Key:Derived From Entropy Input RAM:Plaintext From service Automatic CTR_DRBG Seed (IG D.L) invocation to Remove (IG D.L):Derives service power from Hash_DRBG Seed completion the module (IG D.L):Derives HMAC_DRBG Seed (IG D.L):Derives CTR_DRBG RAM:Plaintext From service Automatic Entropy Input (IG Seed (IG D.L) invocation to Remove D.L):Derived From service power from CTR_DRBG completion the module Internal State (V, Key) (IG D.L):Derives Hash_DRBG RAM:Plaintext From service Automatic Entropy Input (IG Seed (IG D.L) invocation to Remove D.L):Derived From Hash_DRBG © 2025 IBM / atsec information security.

39 of 71
Page 40

Name Input - Storage Storage Zeroization Related SSPs Output Duration service power from Internal State (V, completion the module C) (IG D.L):Derives HMAC_DRBG RAM:Plaintext From service Automatic Entropy Input (IG Seed (IG D.L) invocation to Remove D.L):Derived From service power from HMAC_DRBG completion the module Internal State (V, Key) (IG D.L):Derives CTR_DRBG RAM:Plaintext From service Free cipher CTR_DRBG Seed Internal State invocation to handle (IG D.L):Derived (V, Key) (IG service Remove From D.L) completion power from the module Hash_DRBG RAM:Plaintext From service Free cipher Hash_DRBG Seed Internal State invocation to handle (IG D.L):Derived (V, C) (IG D.L) service Remove From completion power from the module HMAC_DRBG RAM:Plaintext From service Free cipher HMAC_DRBG Seed Internal State invocation to handle (IG D.L):Derived (V, Key) (IG service Remove From D.L) completion power from the module DH Public Key API input RAM:Plaintext From service Free cipher DH Private parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets From (output) DH Private API input RAM:Plaintext From service Free cipher DH Public Key parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets From (output) EC Public Key API input RAM:Plaintext From service Free cipher EC Private parameters; invocation to handle Key:Paired With AF_ALG_type service Remove Shared sockets (input) completion power from Secret:Derives API output the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets From (output) EC Private Key API input RAM:Plaintext From service Free cipher EC Public parameters; invocation to handle Key:Paired With AF_ALG_type Remove Shared © 2025 IBM / atsec information security.

40 of 71
Page 41

Name Input - Storage Storage Zeroization Related SSPs Output Duration sockets (input) service power from Secret:Derives API output completion the module Intermediate Key parameters; Generation AF_ALG type Value:Generated sockets From (output) Intermediate RAM:Plaintext From service Automatic DH Public Key invocation to Key:Generates Generation service DH Private Value completion Key:Generates EC Public Key:Generates EC Private Key:Generates RSA Public API input RAM:Plaintext From service Automatic Key parameters; invocation to AF_ALG_type service sockets (input) completion Key- API input RAM:Plaintext From service Free cipher KBKDF Derived Derivation parameters; invocation to handle Key:Derives Key AF_ALG_type service Remove sockets (input) completion power from the module KBKDF API output RAM:Plaintext From service Free cipher Key-Derivation Derived Key parameters; invocation to handle Key:Derived From AF_ALG type service Remove sockets completion power from (output) the module KDA OneStep API output RAM:Plaintext From service Free cipher Shared Derived Key parameters; invocation to handle Secret:Derived AF_ALG type service Remove From sockets completion power from (output) the module Table 20: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 IBM / atsec information security.

41 of 71
Page 42
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Method Test Indicator Details Test Properties Type HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for

512 (A6817) - Authentication Integrity operational and kernel

kernel services are binary available for use HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for

512 (A6817) - Authentication Integrity operational and libkcapi

libkcapi services are shared available for use library HMAC-SHA2- 128-bit key Message SW/FW Module becomes Used for

512 (A6817) - Authentication Integrity operational and kcapi-

kcapi-hasher services are hasher available for use binary RSA SigVer 4096-bit key Signature SW/FW Module becomes Used for (FIPS186-5) with SHA-512 Verification Integrity operational and kernel (A6801) services are object files available for use Table 21: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6801) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6804) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6805) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6806) - becomes power-on Encrypt operational before the integrity test © 2025 IBM / atsec information security.

42 of 71
Page 43

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6807) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6808) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6809) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6810) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6811) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6812) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6813) - becomes power-on Encrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption Test runs at (A6814) - becomes power-on Encrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Encryption Test runs at (A6801) - becomes power-on Encrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Encryption Test runs at (A6806) - becomes power-on Encrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Encryption Test runs at (A6809) - becomes power-on Encrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Encryption Test runs at (A6812) - becomes power-on Encrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Encryption Test runs at (A6801) - becomes power-on Encrypt operational before the integrity test © 2025 IBM / atsec information security.

43 of 71
Page 44

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CBC-CS3 128-bit key KAT CAST Module Encryption Test runs at (A6806) - becomes power-on Encrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Encryption Test runs at (A6809) - becomes power-on Encrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Encryption Test runs at (A6812) - becomes power-on Encrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Encryption Test runs at (A6801) - becomes power-on Encrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Encryption Test runs at (A6806) - becomes power-on Encrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Encryption Test runs at (A6809) - becomes power-on Encrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Encryption Test runs at (A6812) - becomes power-on Encrypt operational before the integrity test AES-CCM 128-bit key KAT CAST Module Encryption Test runs at (A6801) - becomes power-on Encrypt operational before the integrity test AES-CCM 128-bit key KAT CAST Module Encryption Test runs at (A6806) - becomes power-on Encrypt operational before the integrity test AES-CCM 128-bit key KAT CAST Module Encryption Test runs at (A6812) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6801) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6804) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6805) - becomes power-on Encrypt operational before the integrity test © 2025 IBM / atsec information security.

44 of 71
Page 45

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6806) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6807) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6808) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6809) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6810) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6811) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6812) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6813) - becomes power-on Encrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Encryption Test runs at (A6814) - becomes power-on Encrypt operational before the integrity test AES-XTS 128-bit and KAT CAST Module Encryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6801) - integrity test Encrypt AES-XTS 128-bit and KAT CAST Module Encryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6806) - integrity test Encrypt AES-XTS 128-bit and KAT CAST Module Encryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6809) - integrity test Encrypt © 2025 IBM / atsec information security.

45 of 71
Page 46

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-XTS 128-bit and KAT CAST Module Encryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6812) - integrity test Encrypt AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6801) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6804) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6805) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6806) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6807) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6808) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6809) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6810) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6811) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6812) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6813) - becomes power-on Decrypt operational before the integrity test AES-ECB 128-bit key KAT CAST Module Decryption Test runs at (A6814) - becomes power-on Decrypt operational © 2025 IBM / atsec information security.

46 of 71
Page 47

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type before the integrity test AES-CBC 128-bit key KAT CAST Module Decryption Test runs at (A6801) - becomes power-on Decrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Decryption Test runs at (A6806) - becomes power-on Decrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Decryption Test runs at (A6809) - becomes power-on Decrypt operational before the integrity test AES-CBC 128-bit key KAT CAST Module Decryption Test runs at (A6812) - becomes power-on Decrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Decryption Test runs at (A6801) - becomes power-on Decrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Decryption Test runs at (A6806) - becomes power-on Decrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Decryption Test runs at (A6809) - becomes power-on Decrypt operational before the integrity test AES-CBC-CS3 128-bit key KAT CAST Module Decryption Test runs at (A6812) - becomes power-on Decrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Decryption Test runs at (A6801) - becomes power-on Decrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Decryption Test runs at (A6806) - becomes power-on Decrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Decryption Test runs at (A6809) - becomes power-on Decrypt operational before the integrity test AES-CTR 128-bit key KAT CAST Module Decryption Test runs at (A6812) - becomes power-on Decrypt operational before the integrity test © 2025 IBM / atsec information security.

47 of 71
Page 48

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CCM 128-bit key KAT CAST Module Decryption Test runs at (A6801) - becomes power-on Decrypt operational before the integrity test AES-CCM 128-bit key KAT CAST Module Decryption Test runs at (A6806) - becomes power-on Decrypt operational before the integrity test AES-CCM 128-bit key KAT CAST Module Decryption Test runs at (A6812) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6801) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6804) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6805) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6806) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6807) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6808) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6809) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6810) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6811) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6812) - becomes power-on Decrypt operational before the integrity test © 2025 IBM / atsec information security.

48 of 71
Page 49

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6813) - becomes power-on Decrypt operational before the integrity test AES-GCM 128-bit key KAT CAST Module Decryption Test runs at (A6814) - becomes power-on Decrypt operational before the integrity test AES-XTS 128-bit and KAT CAST Module Decryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6801) - integrity test Decrypt AES-XTS 128-bit and KAT CAST Module Decryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6806) - integrity test Decrypt AES-XTS 128-bit and KAT CAST Module Decryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6809) - integrity test Decrypt AES-XTS 128-bit and KAT CAST Module Decryption Test runs at Testing 256-bit key becomes power-on Revision 2.0 operational before the (A6812) - integrity test Decrypt AES-CMAC 128-bit and KAT CAST Module Message Test runs at (A6801) 256-bit key becomes authentication power-on operational before the integrity test AES-CMAC 128-bit and KAT CAST Module Message Test runs at (A6806) 256-bit key becomes authentication power-on operational before the integrity test AES-CMAC 128-bit and KAT CAST Module Message Test runs at (A6812) 256-bit key becomes authentication power-on operational before the integrity test SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A6815) becomes power-on operational before the integrity test SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A6816) becomes power-on operational before the integrity test © 2025 IBM / atsec information security.

49 of 71
Page 50

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A6817) becomes power-on operational before the integrity test SHA-1 SHA-1 KAT CAST Module Message digest Test runs at (A6818) becomes power-on operational before the integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A6815) becomes power-on operational before the integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A6816) becomes power-on operational before the integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A6817) becomes power-on operational before the integrity test SHA2-224 SHA2-224 KAT CAST Module Message digest Test runs at (A6818) becomes power-on operational before the integrity test SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A6815) becomes power-on operational before the integrity test SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A6816) becomes power-on operational before the integrity test SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A6817) becomes power-on operational before the integrity test SHA2-256 SHA2-256 KAT CAST Module Message digest Test runs at (A6818) becomes power-on operational before the integrity test SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test © 2025 IBM / atsec information security.

50 of 71
Page 51

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A6815) becomes power-on operational before the integrity test SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A6816) becomes power-on operational before the integrity test SHA2-384 SHA2-384 KAT CAST Module Message digest Test runs at (A6817) becomes power-on operational before the integrity test SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A6815) becomes power-on operational before the integrity test SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A6816) becomes power-on operational before the integrity test SHA2-512 SHA2-512 KAT CAST Module Message digest Test runs at (A6817) becomes power-on operational before the integrity test SHA3-224 SHA3-224 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA3-256 SHA3-256 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA3-384 SHA3-384 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test SHA3-512 SHA3-512 KAT CAST Module Message digest Test runs at (A6801) becomes power-on operational before the integrity test HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A6801) becomes authentication power-on operational before the integrity test HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A6815) becomes authentication power-on operational before the integrity test © 2025 IBM / atsec information security.

51 of 71
Page 52

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A6816) becomes authentication power-on operational before the integrity test HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A6817) becomes authentication power-on operational before the integrity test HMAC-SHA-1 SHA-1 KAT CAST Module Message Test runs at (A6818) becomes authentication power-on operational before the integrity test HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A6815) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A6816) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A6817) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-224 KAT CAST Module Message Test runs at

224 (A6818) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A6815) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A6816) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A6817) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-256 KAT CAST Module Message Test runs at

256 (A6818) becomes authentication power-on

operational before the integrity test © 2025 IBM / atsec information security.

52 of 71
Page 53

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A6815) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A6816) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-384 KAT CAST Module Message Test runs at

384 (A6817) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A6815) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A6816) becomes authentication power-on

operational before the integrity test HMAC-SHA2- SHA2-512 KAT CAST Module Message Test runs at

512 (A6817) becomes authentication power-on

operational before the integrity test HMAC-SHA3- SHA3-224 KAT CAST Module Message Test runs at

224 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA3- SHA3-256 KAT CAST Module Message Test runs at

256 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA3- SHA3-384 KAT CAST Module Message Test runs at

384 (A6801) becomes authentication power-on

operational before the integrity test HMAC-SHA3- SHA3-512 KAT CAST Module Message Test runs at

512 (A6801) becomes authentication power-on

operational before the integrity test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6801) with/without PR operational reseed, before the integrity test © 2025 IBM / atsec information security.

53 of 71
Page 54

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type generate) health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6804) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6805) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6806) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6807) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6808) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6809) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6810) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6811) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6812) with/without PR operational reseed, before the generate) integrity test health test Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6813) with/without PR operational reseed, before the generate) integrity test health test © 2025 IBM / atsec information security.

54 of 71
Page 55

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Counter 128, 192, 256 KAT CAST Module SP 800-90Ar1 Test runs at DRBG bit keys, becomes (instantiate, power-on (A6814) with/without PR operational reseed, before the generate) integrity test health test Hash DRBG SHA2-256 KAT CAST Module SP 800-90Ar1 Test runs at (A6801) With/without PR becomes (instantiate, power-on operational reseed, before the generate) integrity test health test Hash DRBG SHA2-256 KAT CAST Module SP 800-90Ar1 Test runs at (A6815) With/without PR becomes (instantiate, power-on operational reseed, before the generate) integrity test health test Hash DRBG SHA2-256 KAT CAST Module SP 800-90Ar1 Test runs at (A6816) With/without PR becomes (instantiate, power-on operational reseed, before the generate) integrity test health test Hash DRBG SHA2-256 KAT CAST Module SP 800-90Ar1 Test runs at (A6817) With/without PR becomes (instantiate, power-on operational reseed, before the generate) integrity test health test HMAC DRBG HMAC-SHA2- KAT CAST Module SP 800-90Ar1 Test runs at (A6801) 256, HMAC- becomes (instantiate, power-on SHA2-512, operational reseed, before the with/without PR generate) integrity test health test HMAC DRBG HMAC-SHA2- KAT CAST Module SP 800-90Ar1 Test runs at (A6815) 256, HMAC- becomes (instantiate, power-on SHA2-512, operational reseed, before the with/without PR generate) integrity test health test HMAC DRBG HMAC-SHA2- KAT CAST Module SP 800-90Ar1 Test runs at (A6816) 256, HMAC- becomes (instantiate, power-on SHA2-512, operational reseed, before the with/without PR generate) integrity test health test HMAC DRBG HMAC-SHA2- KAT CAST Module SP 800-90Ar1 Test runs at (A6817) 256, HMAC- becomes (instantiate, power-on SHA2-512, operational reseed, before the with/without PR generate) integrity test health test KAS-ECC-SSC P-256, P-384 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 curves becomes computation power-on (A6801) operational before the integrity test KAS-FFC-SSC ffdhe2048 KAT CAST Module Shared secret Test runs at Sp800-56Ar3 becomes computation power-on (A6801) operational before the integrity test © 2025 IBM / atsec information security.

55 of 71
Page 56

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-4) with 2048 bit becomes signature power-on (A6801) key and SHA2- operational verification before the

256 integrity test

RSA SigVer PKCS#1 v1.5 KAT CAST Module Digital Test runs at (FIPS186-5) with 2048 bit becomes signature power-on (A6801) key and SHA2- operational verification before the

256 integrity test

ECDSA SHA2-256, P- KAT CAST Module Digital Test runs at SigVer 256 curve becomes signature power-on (FIPS186-4) operational verification before the (A6802) integrity test ECDSA SHA2-256, P- KAT CAST Module Digital Test runs at SigVer 256 curve becomes signature power-on (FIPS186-5) operational verification before the (A6802) integrity test KDF SP800- Counter mode; KAT CAST Module Key based key Test runs at

108 (A6803) HMAC-SHA-256; becomes derivation power-on

256-bit input operational before the key integrity test Safe Primes ffdhe2048, PCT PCT Successful SP 800- Key pair Key ffdhe3072, key pair 56ARev3, generation Generation ffdhe4096, generation 5.6.2.1.4 (A6801) ffdhe6144, ffdhe8192, Section 5.6.1.1.4 Testing Candidates ECDSA SHA2-256, P- PCT PCT Successful Signature Key pair KeyGen 256, P-384 key pair generation & generation (FIPS186-5) curves, generation verification (A6801) Appendix A.2.2 Rejection Sampling KDA OneStep SHA2-256 KAT CAST Module Shared secret Test runs at SP800-56Cr2 becomes key derivation power-on (A6803) operational before the integrity test Entropy 1024 samples RCT CAST Module Entropy source Entropy Source becomes startup test source Initialization operational initialization RCT and services are available for use Entropy 1024 samples APT CAST Module Entropy source Entropy Source becomes startup test source Initialization operational initialization APT and services are available for use © 2025 IBM / atsec information security.

56 of 71
Page 57

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Entropy Intermittent RCT CAST Entropy Entropy source Continuously Source Cutoff: 31 source is continuous test Operational samples, operational RCT Permanent Cutoff: 61 samples Entropy 512 samples, APT CAST Entropy Entropy source Continuously Source Intermittent source is continuous test Operational Cutoff: 325 operational APT samples, Permanent Cutoff: 355 samples Table 22: Conditional Self-Tests

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A6817) - kernel Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A6817) - libkcapi Authentication HMAC-SHA2-512 Message SW/FW Integrity On Demand Manually (A6817) - kcapi- Authentication hasher RSA SigVer Signature SW/FW Integrity On Demand Manually (FIPS186-5) Verification (A6801) Table 23: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB (A6801) KAT CAST On Demand Manually - Encrypt AES-ECB (A6804) KAT CAST On Demand Manually - Encrypt AES-ECB (A6805) KAT CAST On Demand Manually - Encrypt AES-ECB (A6806) KAT CAST On Demand Manually - Encrypt AES-ECB (A6807) KAT CAST On Demand Manually - Encrypt AES-ECB (A6808) KAT CAST On Demand Manually - Encrypt AES-ECB (A6809) KAT CAST On Demand Manually - Encrypt AES-ECB (A6810) KAT CAST On Demand Manually - Encrypt © 2025 IBM / atsec information security.

57 of 71
Page 58

Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB (A6811) KAT CAST On Demand Manually - Encrypt AES-ECB (A6812) KAT CAST On Demand Manually - Encrypt AES-ECB (A6813) KAT CAST On Demand Manually - Encrypt AES-ECB (A6814) KAT CAST On Demand Manually - Encrypt AES-CBC (A6801) KAT CAST On Demand Manually - Encrypt AES-CBC (A6806) KAT CAST On Demand Manually - Encrypt AES-CBC (A6809) KAT CAST On Demand Manually - Encrypt AES-CBC (A6812) KAT CAST On Demand Manually - Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6801) - Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6806) - Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6809) - Encrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6812) - Encrypt AES-CTR (A6801) KAT CAST On Demand Manually - Encrypt AES-CTR (A6806) KAT CAST On Demand Manually - Encrypt AES-CTR (A6809) KAT CAST On Demand Manually - Encrypt AES-CTR (A6812) KAT CAST On Demand Manually - Encrypt AES-CCM (A6801) KAT CAST On Demand Manually - Encrypt AES-CCM (A6806) KAT CAST On Demand Manually - Encrypt AES-CCM (A6812) KAT CAST On Demand Manually - Encrypt AES-GCM (A6801) KAT CAST On Demand Manually - Encrypt AES-GCM (A6804) KAT CAST On Demand Manually - Encrypt AES-GCM (A6805) KAT CAST On Demand Manually - Encrypt AES-GCM (A6806) KAT CAST On Demand Manually - Encrypt AES-GCM (A6807) KAT CAST On Demand Manually - Encrypt AES-GCM (A6808) KAT CAST On Demand Manually - Encrypt AES-GCM (A6809) KAT CAST On Demand Manually - Encrypt © 2025 IBM / atsec information security.

58 of 71
Page 59

Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM (A6810) KAT CAST On Demand Manually - Encrypt AES-GCM (A6811) KAT CAST On Demand Manually - Encrypt AES-GCM (A6812) KAT CAST On Demand Manually - Encrypt AES-GCM (A6813) KAT CAST On Demand Manually - Encrypt AES-GCM (A6814) KAT CAST On Demand Manually - Encrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6801) - Encrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6806) - Encrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6809) - Encrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6812) - Encrypt AES-ECB (A6801) KAT CAST On Demand Manually - Decrypt AES-ECB (A6804) KAT CAST On Demand Manually - Decrypt AES-ECB (A6805) KAT CAST On Demand Manually - Decrypt AES-ECB (A6806) KAT CAST On Demand Manually - Decrypt AES-ECB (A6807) KAT CAST On Demand Manually - Decrypt AES-ECB (A6808) KAT CAST On Demand Manually - Decrypt AES-ECB (A6809) KAT CAST On Demand Manually - Decrypt AES-ECB (A6810) KAT CAST On Demand Manually - Decrypt AES-ECB (A6811) KAT CAST On Demand Manually - Decrypt AES-ECB (A6812) KAT CAST On Demand Manually - Decrypt AES-ECB (A6813) KAT CAST On Demand Manually - Decrypt AES-ECB (A6814) KAT CAST On Demand Manually - Decrypt AES-CBC (A6801) KAT CAST On Demand Manually - Decrypt AES-CBC (A6806) KAT CAST On Demand Manually - Decrypt AES-CBC (A6809) KAT CAST On Demand Manually - Decrypt © 2025 IBM / atsec information security.

59 of 71
Page 60

Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC (A6812) KAT CAST On Demand Manually - Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6801) - Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6806) - Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6809) - Decrypt AES-CBC-CS3 KAT CAST On Demand Manually (A6812) - Decrypt AES-CTR (A6801) KAT CAST On Demand Manually - Decrypt AES-CTR (A6806) KAT CAST On Demand Manually - Decrypt AES-CTR (A6809) KAT CAST On Demand Manually - Decrypt AES-CTR (A6812) KAT CAST On Demand Manually - Decrypt AES-CCM (A6801) KAT CAST On Demand Manually - Decrypt AES-CCM (A6806) KAT CAST On Demand Manually - Decrypt AES-CCM (A6812) KAT CAST On Demand Manually - Decrypt AES-GCM (A6801) KAT CAST On Demand Manually - Decrypt AES-GCM (A6804) KAT CAST On Demand Manually - Decrypt AES-GCM (A6805) KAT CAST On Demand Manually - Decrypt AES-GCM (A6806) KAT CAST On Demand Manually - Decrypt AES-GCM (A6807) KAT CAST On Demand Manually - Decrypt AES-GCM (A6808) KAT CAST On Demand Manually - Decrypt AES-GCM (A6809) KAT CAST On Demand Manually - Decrypt AES-GCM (A6810) KAT CAST On Demand Manually - Decrypt AES-GCM (A6811) KAT CAST On Demand Manually - Decrypt AES-GCM (A6812) KAT CAST On Demand Manually - Decrypt AES-GCM (A6813) KAT CAST On Demand Manually - Decrypt AES-GCM (A6814) KAT CAST On Demand Manually - Decrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6801) - Decrypt © 2025 IBM / atsec information security.

60 of 71
Page 61

Algorithm or Test Method Test Type Period Periodic Test Method AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6806) - Decrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6809) - Decrypt AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A6812) - Decrypt AES-CMAC KAT CAST On Demand Manually (A6801) AES-CMAC KAT CAST On Demand Manually (A6806) AES-CMAC KAT CAST On Demand Manually (A6812) SHA-1 (A6801) KAT CAST On Demand Manually SHA-1 (A6815) KAT CAST On Demand Manually SHA-1 (A6816) KAT CAST On Demand Manually SHA-1 (A6817) KAT CAST On Demand Manually SHA-1 (A6818) KAT CAST On Demand Manually SHA2-224 KAT CAST On Demand Manually (A6801) SHA2-224 KAT CAST On Demand Manually (A6815) SHA2-224 KAT CAST On Demand Manually (A6816) SHA2-224 KAT CAST On Demand Manually (A6817) SHA2-224 KAT CAST On Demand Manually (A6818) SHA2-256 KAT CAST On Demand Manually (A6801) SHA2-256 KAT CAST On Demand Manually (A6815) SHA2-256 KAT CAST On Demand Manually (A6816) SHA2-256 KAT CAST On Demand Manually (A6817) SHA2-256 KAT CAST On Demand Manually (A6818) SHA2-384 KAT CAST On Demand Manually (A6801) SHA2-384 KAT CAST On Demand Manually (A6815) SHA2-384 KAT CAST On Demand Manually (A6816) SHA2-384 KAT CAST On Demand Manually (A6817) SHA2-512 KAT CAST On Demand Manually (A6801) SHA2-512 KAT CAST On Demand Manually (A6815) © 2025 IBM / atsec information security.

61 of 71
Page 62

Algorithm or Test Method Test Type Period Periodic Test Method SHA2-512 KAT CAST On Demand Manually (A6816) SHA2-512 KAT CAST On Demand Manually (A6817) SHA3-224 KAT CAST On Demand Manually (A6801) SHA3-256 KAT CAST On Demand Manually (A6801) SHA3-384 KAT CAST On Demand Manually (A6801) SHA3-512 KAT CAST On Demand Manually (A6801) HMAC-SHA-1 KAT CAST On Demand Manually (A6801) HMAC-SHA-1 KAT CAST On Demand Manually (A6815) HMAC-SHA-1 KAT CAST On Demand Manually (A6816) HMAC-SHA-1 KAT CAST On Demand Manually (A6817) HMAC-SHA-1 KAT CAST On Demand Manually (A6818) HMAC-SHA2-224 KAT CAST On Demand Manually (A6801) HMAC-SHA2-224 KAT CAST On Demand Manually (A6815) HMAC-SHA2-224 KAT CAST On Demand Manually (A6816) HMAC-SHA2-224 KAT CAST On Demand Manually (A6817) HMAC-SHA2-224 KAT CAST On Demand Manually (A6818) HMAC-SHA2-256 KAT CAST On Demand Manually (A6801) HMAC-SHA2-256 KAT CAST On Demand Manually (A6815) HMAC-SHA2-256 KAT CAST On Demand Manually (A6816) HMAC-SHA2-256 KAT CAST On Demand Manually (A6817) HMAC-SHA2-256 KAT CAST On Demand Manually (A6818) HMAC-SHA2-384 KAT CAST On Demand Manually (A6801) HMAC-SHA2-384 KAT CAST On Demand Manually (A6815) HMAC-SHA2-384 KAT CAST On Demand Manually (A6816) HMAC-SHA2-384 KAT CAST On Demand Manually (A6817) HMAC-SHA2-512 KAT CAST On Demand Manually (A6801) © 2025 IBM / atsec information security.

62 of 71
Page 63

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2-512 KAT CAST On Demand Manually (A6815) HMAC-SHA2-512 KAT CAST On Demand Manually (A6816) HMAC-SHA2-512 KAT CAST On Demand Manually (A6817) HMAC-SHA3-224 KAT CAST On Demand Manually (A6801) HMAC-SHA3-256 KAT CAST On Demand Manually (A6801) HMAC-SHA3-384 KAT CAST On Demand Manually (A6801) HMAC-SHA3-512 KAT CAST On Demand Manually (A6801) Counter DRBG KAT CAST On Demand Manually (A6801) Counter DRBG KAT CAST On Demand Manually (A6804) Counter DRBG KAT CAST On Demand Manually (A6805) Counter DRBG KAT CAST On Demand Manually (A6806) Counter DRBG KAT CAST On Demand Manually (A6807) Counter DRBG KAT CAST On Demand Manually (A6808) Counter DRBG KAT CAST On Demand Manually (A6809) Counter DRBG KAT CAST On Demand Manually (A6810) Counter DRBG KAT CAST On Demand Manually (A6811) Counter DRBG KAT CAST On Demand Manually (A6812) Counter DRBG KAT CAST On Demand Manually (A6813) Counter DRBG KAT CAST On Demand Manually (A6814) Hash DRBG KAT CAST On Demand Manually (A6801) Hash DRBG KAT CAST On Demand Manually (A6815) Hash DRBG KAT CAST On Demand Manually (A6816) Hash DRBG KAT CAST On Demand Manually (A6817) HMAC DRBG KAT CAST On Demand Manually (A6801) HMAC DRBG KAT CAST On Demand Manually (A6815) HMAC DRBG KAT CAST On Demand Manually (A6816) © 2025 IBM / atsec information security.

63 of 71
Page 64

Algorithm or Test Method Test Type Period Periodic Test Method HMAC DRBG KAT CAST On Demand Manually (A6817) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A6801) KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A6801) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A6801) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A6801) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A6802) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A6802) KDF SP800-108 KAT CAST On Demand Manually (A6803) Safe Primes Key PCT PCT On Demand Manually Generation (A6801) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A6801) KDA OneStep KAT CAST On Demand Manually SP800-56Cr2 (A6803) Entropy Source RCT CAST On Demand Manually Initialization RCT Entropy Source APT CAST On Demand Manually Initialization APT Entropy Source RCT CAST On Demand Manually Operational RCT Entropy Source APT CAST On Demand Manually Operational APT Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 25: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). © 2025 IBM / atsec information security.

64 of 71
Page 65
10.5 Operator Initiation of Self-Tests

The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. © 2025 IBM / atsec information security.

65 of 71
Page 66
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup

Procedures On the ClevOS 3.19 operational environment, the module is distributed within the clevos3.19.2.F1606-44_fips-accesser-usbiso.iso image. There are no specific steps for installing the module, the module is installed as part of operating system.

11.2 Administrator Guidance

The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the physical ports and logical interfaces are specified in section 3.1. The Crypto Officer must execute the Show version service using following commands: $ cat /proc/sys/crypto/fips_name The Crypto Officer must ensure that the proper name is listed in the output as follows: IBM COS Linux Kernel Cryptographic API Then, the Crypto Officer must execute: $ cat /proc/sys/crypto/fips_version This command must output the following version for kernel components: 3.0 Then, the Crypto Officer must execute: $ apt list --installed | grep libkcapi This command must output the following version for libkcapi and kcapi-hasher components: 1.5.0-1 amd64 On the ClevOS 3.19 operational environments, versions of the installed packages can be verified using the following command: $ dpkg-query -W linux-image-6.1.0-32-amd64 libkcapi1 kcapi-tools © 2025 IBM / atsec information security.

66 of 71
Page 67
11.3 Non-Administrator Guidance

The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3.1. The Approved and non-Approved modes of operation are specified in section 2.4. The algorithmspecific information is listed in section 2.7.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. If desired, the linux-image-6.1.0-32-amd64, libkcapi1, and kcapi-tools deb packages can be uninstalled from the ClevOS 3.19 system. © 2025 IBM / atsec information security.

67 of 71
Page 68
12 Mitigation of Other Attacks

The module does not offer mitigation of other attacks and therefore this section is not applicable. © 2025 IBM / atsec information security.

68 of 71
Page 69

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IPsec Internet Protocol Security KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KW Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 IBM / atsec information security.

69 of 71
Page 70

Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the (Last Update: Cryptographic Module Validation Program April 18, 2025) https://csrc.nist.gov/Projects/cryptographic-module-validationprogram/fips-140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard May 9, 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and ExtendableOutput Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) June 2005 https://datatracker.ietf.org/doc/html/rfc4106 RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2) October 2014 https://datatracker.ietf.org/doc/html/rfc7296 SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf © 2025 IBM / atsec information security.

70 of 71
Page 71

SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Addendum Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a-add.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Ar3.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800133r2.pdf SP 800-140Br1 CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800140Br1.pdf © 2025 IBM / atsec information security.

71 of 71