| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/5/2031 |
| Caveat | When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Canonical Ltd. |
flowchart LR
%% Deterministic review-risk graph for Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Canonical Ltd. Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic Module Version 3.0.13-0ubuntu3+Fips1 Document Version: 1.2 Last Updated: 2025-12-16 Prepared by: Prepared for: atsec information security corporation Canonical Ltd.
4516 Seton Center Parkway, Suite 250 110 Southwark Street, Blue Fin Building, 5th Floor
Austin, TX 78759 London, SE1 0SU www.atsec.com www.canonical.com
| # | Section | Page |
|---|
© 2025 Canonical Ltd. / atsec information security.
© 2025 Canonical Ltd. / atsec information security.
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 9 |
| Table 4: Modes List and Description | 9 |
| Table 5: Approved Algorithms | 12 |
| Table 6: Vendor-Affirmed Algorithms | 12 |
| Table 7: Non-Approved, Not Allowed Algorithms | 13 |
| Table 8: Security Function Implementations | 21 |
| Table 9: Entropy Certificates | 23 |
| Table 10: Entropy Sources | 24 |
| Table 11: Ports and Interfaces | 26 |
| Table 12: Roles | 27 |
| Table 13: Approved Services | 32 |
| Table 14: Non-Approved Services | 33 |
| Table 15: Storage Areas | 39 |
| Table 16: SSP Input-Output Methods | 39 |
| Table 17: SSP Zeroization Methods | 40 |
| Table 18: SSP Table 1 | 44 |
| Table 19: SSP Table 2 | 47 |
| Table 20: Pre-Operational Self-Tests | 49 |
| Table 21: Conditional Self-Tests | 63 |
| Table 22: Pre-Operational Periodic Information | 64 |
| Table 23: Conditional Periodic Information | 70 |
| Table 24: Error States | 70 |
| Figure 1: Block Diagram | 8 |
This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.130ubuntu3+Fips1 of the Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. whole and intact and including this notice. Other documentation is proprietary to their authors.
Section Title Security Level
Overall Level 1 Table 1: Security Levels
In preparing the Security Policy document, the laboratory formatted the vendorsupplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2025 Canonical Ltd. / atsec information security.
Purpose and Use: The Canonical Ltd. Ubuntu 24.04 OpenSSL Cryptographic Module (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider” i.e., fips.so, which implements the FIPS requirements, and the cryptographic functionality provided to the operator. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics Cryptographic Boundary: Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. Tested Operational Environment’s Physical Perimeter (TOEPP): Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by the component in the orange block, that is, the shared library implementing the FIPS provider (fips.so). The connecting lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. © 2025 Canonical Ltd. / atsec information security.
Identification Tested Module Identification
Tested Operational Environments - Software, Firmware, Hybrid: Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS Ubuntu Supermicro SYS-1019P-WTR Intel Xeon Gold Yes N/A 3.0.13-
24.04 6226 0ubuntu3+Fips1
Ubuntu Supermicro SYS-1019P-WTR Intel Xeon Gold No N/A 3.0.13-
24.04 6226 0ubuntu3+Fips1
Ubuntu Amazon Web Services AWS Graviton3 Yes N/A 3.0.13-
24.04 (AWS) c7g.metal 0ubuntu3+Fips1
Ubuntu Amazon Web Services AWS Graviton3 No N/A 3.0.13-
24.04 (AWS) c7g.metal 0ubuntu3+Fips1
Ubuntu IBM z16 IBM Telum Yes N/A 3.0.13-
24.04 0ubuntu3+Fips1
Ubuntu IBM z16 IBM Telum No N/A 3.0.13-
24.04 0ubuntu3+Fips1
Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module.
There are no components excluded from the module.
Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of the mode approved service is requested requested service listed in section 4.3 Non-approved Automatically entered whenever a Non- Equivalent to the indicator of the mode non-approved service is requested Approved requested service listed in section 4.4 Table 4: Modes List and Description The module supports two modes of operation: (1) the approved mode of operation, in which the approved or vendor affirmed services are available as specified in the Approved Services table and (2) the non-approved mode of operation, in which the non-approved services are available as specified in the Non-Approved Services table. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. © 2025 Canonical Ltd. / atsec information security.
Degraded Mode Description: The module does not implement a degraded mode of operation.
Approved Algorithms: The table below lists all implemented modes or methods of operation for the approved cryptographic algorithms of the module that are employed for approved services (Approved Services table). Algorithm CAVP Cert Properties Reference AES-CBC A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CBC-CS1 A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CBC-CS2 A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CBC-CS3 A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CCM A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38C AES-CFB1 A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CFB128 A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CFB8 A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-CMAC A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38B AES-CTR A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-ECB A5747, A5748, A5749, A5751, A5752, A5753, A5754, - SP 800-38A A5755, A5774, A5775, A5776, A5927, A5932 AES-GCM A5759, A5760, A5761, A5762, A5763, A5764, A5765, - SP 800-38D A5766, A5767, A5777, A5781, A5782, A5783, A5928, A5929, A5930 AES-GMAC A5759, A5760, A5761, A5762, A5763, A5764, A5765, - SP 800-38D A5766, A5767, A5777, A5781, A5782, A5783, A5928, A5929, A5930 AES-KW A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38F AES-KWP A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38F AES-OFB A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38A AES-XTS Testing A5747, A5748, A5749, A5774, A5775, A5776, A5927 - SP 800-38E Revision 2.0 Counter DRBG A5746 - SP 800-90A Rev. 1 ECDSA KeyGen A5745, A5750, A5768, A5769, A5770, A5771, A5778, - FIPS 186-5 (FIPS186-5) A5931 ECDSA KeyVer A5745, A5750, A5768, A5769, A5770, A5771, A5778, - FIPS 186-4 (FIPS186-4) A5931 ECDSA KeyVer A5745, A5750, A5768, A5769, A5770, A5771, A5778, - FIPS 186-5 (FIPS186-5) A5931 ECDSA SigGen A5750, A5756, A5768, A5769, A5770, A5771, A5778, - FIPS 186-5 (FIPS186-5) A5780, A5931, A5933 © 2025 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Properties Reference ECDSA SigVer A5750, A5756, A5768, A5769, A5770, A5771, A5778, - FIPS 186-4 (FIPS186-4) A5780, A5931, A5933 ECDSA SigVer A5750, A5756, A5768, A5769, A5770, A5771, A5778, - FIPS 186-5 (FIPS186-5) A5780, A5931, A5933 Hash DRBG A5746 - SP 800-90A Rev. 1 HMAC DRBG A5746 - SP 800-90A Rev. 1 HMAC-SHA-1 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 198-1 HMAC-SHA2-224 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 198-1 HMAC-SHA2-256 A5750, A5768, A5769, A5770, A5771, A5778, A5779, - FIPS 198-1 A5931 HMAC-SHA2-384 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 198-1 HMAC-SHA2-512 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 198-1 HMAC-SHA2- A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 198-1 512/224 HMAC-SHA2- A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 198-1 512/256 HMAC-SHA3-224 A5756, A5780, A5933 - FIPS 198-1 HMAC-SHA3-256 A5756, A5780, A5933 - FIPS 198-1 HMAC-SHA3-384 A5756, A5780, A5933 - FIPS 198-1 HMAC-SHA3-512 A5756, A5780, A5933 - FIPS 198-1 KAS-ECC-SSC A5750, A5768, A5769, A5770, A5771, A5778, A5931 - SP 800-56A Sp800-56Ar3 Rev. 3 KAS-FFC-SSC A5773 - SP 800-56A Sp800-56Ar3 Rev. 3 KDA HKDF SP800- A5758 - SP 800-56C 56Cr2 Rev. 2 KDA OneStep A5744 - SP 800-56C SP800-56Cr2 Rev. 2 KDA TwoStep A5744 - SP 800-56C SP800-56Cr2 Rev. 2 KDF ANS 9.42 A5750, A5756, A5768, A5769, A5770, A5771, A5778, - SP 800-135 (CVL) A5780, A5931, A5933 Rev. 1 KDF ANS 9.63 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - SP 800-135 (CVL) Rev. 1 KDF SP800-108 A5772 - SP 800-108 Rev. 1 KDF SSH (CVL) A5751, A5752, A5753, A5754, A5755, A5932 - SP 800-135 Rev. 1 KMAC-128 A5756, A5780, A5933 - SP 800-185 KMAC-256 A5756, A5780, A5933 - SP 800-185 PBKDF A5750, A5756, A5768, A5769, A5770, A5771, A5778, - SP 800-132 A5780, A5931, A5933 © 2025 Canonical Ltd. / atsec information security.
Algorithm CAVP Cert Properties Reference RSA KeyGen A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 186-5 (FIPS186-5) RSA SigGen A5750, A5756, A5768, A5769, A5770, A5771, A5778, - FIPS 186-5 (FIPS186-5) A5780, A5931, A5933 RSA SigVer A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 186-4 (FIPS186-4) RSA SigVer A5750, A5756, A5768, A5769, A5770, A5771, A5778, - FIPS 186-5 (FIPS186-5) A5780, A5931, A5933 Safe Primes Key A5773 - SP 800-56A Generation Rev. 3 Safe Primes Key A5773 - SP 800-56A Verification Rev. 3 SHA-1 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 180-4 SHA2-224 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 180-4 SHA2-256 A5750, A5768, A5769, A5770, A5771, A5778, A5779, - FIPS 180-4 A5931 SHA2-384 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 180-4 SHA2-512 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 180-4 SHA2-512/224 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 180-4 SHA2-512/256 A5750, A5768, A5769, A5770, A5771, A5778, A5931 - FIPS 180-4 SHA3-224 A5756, A5780, A5933 - FIPS 202 SHA3-256 A5756, A5780, A5933 - FIPS 202 SHA3-384 A5756, A5780, A5933 - FIPS 202 SHA3-512 A5756, A5780, A5933 - FIPS 202 SHAKE-128 A5756, A5780, A5933 - FIPS 202 SHAKE-256 A5756, A5780, A5933 - FIPS 202 TLS v1.2 KDF A5750, A5768, A5769, A5770, A5771, A5778, A5931 - SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.3 KDF (CVL) A5758 - SP 800-135 Rev. 1 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference Asymmetric Cryptographic Key Key N/A SP 800-133Rev2 section 4, Generation (CKG) Type:Asymmetric example 1 Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2025 Canonical Ltd. / atsec information security.
Name Use and Function AES GCM (external IV) Encryption DSA Signature Generation, Signature Verification, Key Pair Generation, Key Pair Verification ECDSA with curve P-192, B-163, K-163 Key Pair Generation ECDSA with curve B-163, K-163 Key Pair Verification ECDSA with curve P-192 Signature Generation ECDSA with curve B-163, B-233, B-283, B-409, B- Signature Generation, Signature Verification 571, K-163, K-233, K-283, K-409, K-571 RSA and ECDSA (pre-hashed message) Signature Generation (pre-hashed message), Signature Verification (pre-hashed message) RSA X9.31 Signature Generation, Signature Verification RSA primitive Asymmetric Encryption, Asymmetric Decryption RSA-OAEP Asymmetric Encryption, Asymmetric Decryption RSASVE Secret Value Encapsulation, Secret Value Decapsulation Table 7: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Encryption with BC-UnAuth SP 800-38A and SP AES-CBC: (A5747, AES 800-38E. A5748, A5749, Encryption A5774, A5775, A5776, A5927) AES-CBC-CS1: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CBC-CS2: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CBC-CS3: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CFB1: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CFB128: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CFB8: (A5747, © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms A5748, A5749, A5774, A5775, A5776, A5927) AES-CTR: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-ECB: (A5747, A5748, A5749, A5751, A5752, A5753, A5754, A5755, A5774, A5775, A5776, A5927, A5932) AES-OFB: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-XTS Testing Revision 2.0: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) Decryption with BC-UnAuth SP 800-38A and SP AES-CBC: (A5747, AES 800-38E. A5748, A5749, Decryption A5774, A5775, A5776, A5927) AES-CBC-CS1: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CBC-CS2: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CBC-CS3: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CFB1: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CFB128: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms AES-CFB8: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-CTR: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-ECB: (A5747, A5748, A5749, A5751, A5752, A5753, A5754, A5755, A5774, A5775, A5776, A5927, A5932) AES-OFB: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-XTS Testing Revision 2.0: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) Authenticated BC-Auth SP 800-38D. AES-CCM: (A5747, Encryption with Authenticated A5748, A5749, AES encryption A5774, A5775, A5776, A5927) AES-GCM: (A5759, A5760, A5761, A5762, A5763, A5764, A5765, A5766, A5767, A5777, A5781, A5782, A5783, A5928, A5929, A5930) AES-KW: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-KWP: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) Authenticated BC-Auth SP 800-38D. AES-CCM: (A5747, Decryption with Authenticated A5748, A5749, AES decryption A5774, A5775, A5776, A5927) AES-GCM: (A5759, A5760, A5761, © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms A5762, A5763, A5764, A5765, A5766, A5767, A5777, A5781, A5782, A5783, A5928, A5929, A5930) AES-KW: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) AES-KWP: (A5747, A5748, A5749, A5774, A5775, A5776, A5927) Message MAC SP 800-38B and SP AES-CMAC: (A5747, Authentication 800-38D Message A5748, A5749, Generation with authentication A5774, A5775, AES generation A5776, A5927) AES-GMAC: (A5759, A5760, A5761, A5762, A5763, A5764, A5765, A5766, A5767, A5777, A5781, A5782, A5783, A5928, A5929, A5930) Message MAC FIPS 198-1. HMAC-SHA-1: Authentication Message (A5750, A5768, Generation with authentication A5769, A5770, HMAC generation A5771, A5778, A5931) HMAC-SHA2-224: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) HMAC-SHA2-256: (A5750, A5768, A5769, A5770, A5771, A5778, A5779, A5931) HMAC-SHA2-384: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) HMAC-SHA2-512: (A5750, A5768, A5769, A5770, A5771, A5778, © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms A5931) HMAC-SHA2512/224: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) HMAC-SHA2512/256: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) HMAC-SHA3-224: (A5756, A5780, A5933) HMAC-SHA3-256: (A5756, A5780, A5933) HMAC-SHA3-384: (A5756, A5780, A5933) HMAC-SHA3-512: (A5756, A5780, A5933) Message MAC SP 800-185. KMAC-128: (A5756, Authentication Message A5780, A5933) Generation with authentication KMAC-256: (A5756, KMAC generation A5780, A5933) Random Number DRBG SP 800-90ARev1. Counter DRBG: Generation with Random number (A5746) DRBG generation Hash DRBG: (A5746) HMAC DRBG: (A5746) Signature DigSig-SigGen FIPS 186-5. ECDSA SigGen Generation with Signature (FIPS186-5): ECDSA generation (A5750, A5756, A5768, A5769, A5770, A5771, A5778, A5780, A5931, A5933) Signature DigSig-SigGen FIPS 186-5. IG C.F:RSA SigGen RSA SigGen Generation with Signature was CAVP tested (FIPS186-5): RSA generation with moduli sizes (A5750, A5756, 2048, 3072, 4096 A5768, A5769, bits. The module A5770, A5771, supports moduli A5778, A5780, sizes larger than A5931, A5933)
© 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms Signature DigSig-SigVer FIPS 186-5. ECDSA SigVer Verification with Signature (FIPS186-5): ECDSA verification (A5750, A5756, A5768, A5769, A5770, A5771, A5778, A5780, A5931, A5933) Signature DigSig-SigVer FIPS 186-5. IG C.F:RSA SigVer RSA SigVer Verification with Signature was CAVP tested (FIPS186-5): RSA verification with moduli sizes (A5750, A5756, 2048, 3072, 4096 A5768, A5769, bits. The module A5770, A5771, supports moduli A5778, A5780, sizes larger than A5931, A5933)
Key Pair Generation AsymKeyPair- FIPS 186-5. Key pair ECDSA KeyGen with ECDSA KeyGen generation (FIPS186-5): CKG (A5745, A5750, A5768, A5769, A5770, A5771, A5778, A5931) Asymmetric Cryptographic Key Generation (CKG): () Key Pair Generation AsymKeyPair- FIPS 186-5. Key pair IG C.F:RSA KeyGen RSA KeyGen with RSA KeyGen generation was CAVP tested (FIPS186-5): CKG with moduli sizes of (A5750, A5768, 2048, 3072, 4096, A5769, A5770, 6144, 8192 bits. A5771, A5778, The module A5931) supports moduli Asymmetric sizes larger than Cryptographic Key
number of MillerRabin tests is compliant with Table B.1 of FIPS 186-5. Key Pair Generation AsymKeyPair- SP 800-56Ar3. Key Safe Primes Key with Safe Primes KeyGen pair generation Generation: CKG (A5773) Asymmetric Cryptographic Key Generation (CKG): () Key Pair AsymKeyPair- FIPS 186-5 and ECDSA KeyVer Verification with KeyVer FIPS186-4. Key (FIPS186-4): ECDSA verification (A5745, A5750, A5768, A5769, A5770, A5771, © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms A5778, A5931) ECDSA KeyVer (FIPS186-5): (A5745, A5750, A5768, A5769, A5770, A5771, A5778, A5931) Key Pair AsymKeyPair- SP 800-56Ar3. Key Safe Primes Key Verification with KeyVer pair verification Verification: Safe Primes (A5773) Key Derivation with KBKDF SP 800-108r1. Key KDF SP800-108: KBKDF derivation (A5772) Key Derivation with KAS-56CKDF SP 800-56Cr2. Key KDA OneStep KDA OneStep derivation SP800-56Cr2: (A5744) Key Derivation with KAS-56CKDF SP 800-56Cr2. Key KDA TwoStep KDA TwoStep derivation SP800-56Cr2: (A5744) Key Derivation with KAS-56CKDF SP 800-56Cr2. Key KDA HKDF SP800KDA HKDF derivation 56Cr2: (A5758) Key Derivation with KAS-135KDF SP 800-135r1. Key KDF ANS 9.42: ANS X9.42 KDF derivation (A5750, A5756, A5768, A5769, A5770, A5771, A5778, A5780, A5931, A5933) Key Derivation with KAS-135KDF SP 800-135r1. Key KDF ANS 9.63: X9.63 KDF derivation (A5750, A5768, A5769, A5770, A5771, A5778, A5931) Key Derivation with KAS-135KDF SP 800-135r1. Key KDF SSH: (A5751, SSH KDF derivation A5752, A5753, A5754, A5755, A5932) Key Derivation with KAS-135KDF SP 800-135r1. Key TLS v1.2 KDF TLS 1.2 KDF derivation RFC7627: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) Key Derivation with KAS-135KDF RFC 8446. Key TLS v1.3 KDF: TLS 1.3 KDF derivation (A5758) Key Derivation with PBKDF SP 800-132. Key PBKDF: (A5750, PBKDF2 derivation A5756, A5768, A5769, A5770, A5771, A5778, A5780, A5931, A5933) © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms Shared Secret KAS-SSC SP 800-56Ar3. KAS-ECC-SSC Computation Shared secret Sp800-56Ar3: computation (A5750, A5768, A5770, A5771, A5778, A5931, A5769) KAS-FFC-SSC Sp800-56Ar3: (A5773) Message Digest SHA FIPS 180-4 and FIPS SHA-1: (A5750, with SHA 202. Message A5768, A5769, digest A5770, A5771, A5778, A5931) SHA2-224: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) SHA2-256: (A5750, A5768, A5769, A5770, A5771, A5778, A5779, A5931) SHA2-384: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) SHA2-512: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) SHA2-512/224: (A5750, A5768, A5769, A5770, A5771, A5778, A5931) SHA2-512/256: (A5750, A5771, A5778, A5931, A5768, A5769, A5770) SHA3-224: (A5756, A5780, A5933) SHA3-256: (A5756, A5780, A5933) SHA3-384: (A5756, A5780, A5933) SHA3-512: (A5756, A5780, A5933) Message Digest XOF FIPS 202. Message SHAKE-128: (A5756, with SHAKE digest A5780, A5933) SHAKE-256: (A5756, A5780, A5933) © 2025 Canonical Ltd. / atsec information security.
Name Type Description Properties Algorithms Signature DigSig-SigVer FIPS 186-4. Legacy IG C.M:Legacy RSA SigVer Verification with digital signature Algorithms (FIPS186-4): RSA (Legacy) verification (A5750, A5768, A5770, A5771, A5778, A5931) Modulo: 1024 Hash Algorithm: SHA-1 RSA SigVer (FIPS186-4): (A5769) Modulo : 1024 Hash Algorithm: SHA-1 Signature DigSig-SigVer FIPS 186-4. Legacy IG C.M:Legacy ECDSA SigVer Verification with digital signature Algorithms (FIPS186-4): ECDSA (Legacy) verification (A5750, A5756, A5768, A5769, A5770, A5771, A5778, A5780, A5931, A5933) Curve: P-192 Hash Algorithm: SHA-1 Table 8: Security Function Implementations
For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The module is compliant with SP 800-52r2 Section
The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary in compliance with Scenario 2 of IG C.H. © 2025 Canonical Ltd. / atsec information security.
The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. The service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL iv value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the cipher-suites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP800-52r2. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key
In accordance to FIPS 140-3 IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. As the module does not generate symmetric keys, the check is performed when keys are input the service APIs. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133rev2, Sec. 6.3. In addition, Section 4 of SP 800-38E states that the length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2²⁰ AES blocks, that is 16MB, of data per XTS instance. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
the minimum iteration count as described below, this provides an acceptable trade-off between user experience and security against brute-force attacks.
The module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3 and meeting IG D.F scenario 2 path (1). In order to meet the required assurances listed in section 5.6 of SP 800-56Arev3, the module shall be used together with an application that implements the “TLS protocol” and the following steps shall be performed.
The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS.
The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.
Cert Vendor Number Name E218 Canonical Table 9: Entropy Certificates © 2025 Canonical Ltd. / atsec information security.
Name Type Operational Environment Sample Entropy Conditioning Component Size per Sample OpenSSL Non- Ubuntu 24.04 on Supermicro 256 Full SHA3-256 (A5588); Counter CPU Time Physical SYS-1019P-WTR on Intel Xeon entropy DRBG (kernel) (A5588, A5591, Jitter Gold 6226; Ubuntu 24.04 on A5592, A5593, A5594, A5595, Amazon Web Services (AWS) A5599, A5600, A5601, A5602, c7g.metal on AWS Graviton3; A5603, A5606, A5607, A5608, Ubuntu 24.04 on IBM Telum on A5609, A5610, A5611); Counter IBM z16 DRBG (A5746) Table 10: Entropy Sources The module implements a primary DRBG (AES-256-CTR-DRBG (5746)) which acts as the conditioning component for the entropy source mentioned in the above table. It is only used internally by the module to seed the secondary DRBGs which can be of type (CTR, Hash, HMAC). The module complies with the Public Use Document for ESV certificate E218 by reading entropy data from the EVP_RAND_generate() function of the primary DRBG, which corresponds to the GetEntropy() conceptual interface. The operational environment on the ESV certificate is identical to the operating system described in this document. There are no maintenance requirements for the entropy source. As per the Public Use document of entropy certificate E218, the entropy source provides full entropy of 256 bits. When the module needs random data for internal purposes it uses two separate instances of AES-256 CTR_DRBG DRBG based on use case. i.e., it uses the “private DRBG” accessed via RAND_priv_bytes () for asymmetric key generation, signature generation, or other SSP use cases and it uses the “public DRBG” accessed via RAND_bytes() when it needs to generate IV or other non-SSP use cases. When an external caller needs the random data, they can access it via “Random Number Generation” service of the module and they have a choice between Hash, HMAC or CTR_DRBG listed in the Approved Algorithms table.
The module implements asymmetric key pair generation compliant with SP 800-133 Rev. 2 as listed in the Security Function Implementations table. When random values are required, they are obtained from the SP 800-90A Rev. 1 approved DRBG, compliant with Section 4 of SP 800-133 Rev. 2 (without XOR). Intermediate key generation values are not output from the module and are explicitly zeroized after processing the service. The key derivation methods implemented by the module are specified in the Security Function Implementations table. © 2025 Canonical Ltd. / atsec information security.
Key Establishment methods are specified in the Security Function Implementations table.
The module implements the SSH KDF (CVL) for use in the SSH protocol (RFC 4253 and RFC 6668). GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC
generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 KDF (CVL) and
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters N/A Data Output API output parameters N/A Control Input API function calls N/A Status Output API return codes, error queue Table 11: Ports and Interfaces As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs. The module does not implement a control output interface.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for a maintenance role.
Name Description Indicator Inputs Outputs Security SSP Access Functions Message Digest Compute a 0 Message Message Message Digest Crypto Officer message digest with SHA digest Message Digest with SHAKE Symmetric Encrypt a 0 AES Key, Ciphertext Encryption with Crypto Officer Encryption plaintext plaintext, IV AES - AES Key: W,E Symmetric Decrypt a 0 AES Key, Plaintext Decryption with Crypto Officer Decryption ciphertext ciphertext, AES - AES Key: W,E IV Authenticated Encrypt and 0 AES Key, Ciphertext, Authenticated Crypto Officer Symmetric authenticate plaintext, IV MAC tag Encryption with - AES Key: W,E Encryption a plaintext AES Authenticated Decrypt and 0 AES Key, Plaintext or Authenticated Crypto Officer Symmetric authenticate ciphertext, Failure Decryption with - AES Key: W,E Decryption a ciphertext MAC tag, IV AES AES Message Compute a 0 AES Key, MAC tag Message Crypto Officer Authentication MAC tag message Authentication - AES Key: W,E Generation using AES Generation with AES HMAC Message Compute a 0 HMAC Key, MAC tag Message Crypto Officer Authentication MAC tag message Authentication - HMAC Key: Generation using HMAC Generation with W,E HMAC KMAC Message Compute a 0 KMAC Key, MAC tag Message Crypto Officer Authentication MAC tag message Authentication - KMAC Key: Generation using KMAC Generation with W,E KMAC © 2025 Canonical Ltd. / atsec information security.
Name Description Indicator Inputs Outputs Security SSP Access Functions TLS KDF Key TLS key 0 Shared TLS Derived Key Derivation Crypto Officer Derivation derivation Secret Key with TLS 1.2 - Shared KDF Secret: W,E Key Derivation - TLS Derived with TLS 1.3 Key: G,R KDF KBKDF Key Derive a key 0 Key- KBKDF Key Derivation Crypto Officer Derivation from a key- Derivation Derived Key with KBKDF - Keyderivation key Key Derivation Key: W,E - KBKDF Derived Key: G,R ANS X9.42 Key Derive a key 0 Shared ANS X9.42 Key Derivation Crypto Officer Derivation from a shared Secret Derived Key with ANS X9.42 - ANS X9.42 secret KDF Derived Key: G,R - Shared Secret: W,E ANS X9.63 Key Derive a key 0 Shared ANS X9.63 Key Derivation Crypto Officer Derivation from a shared Secret Derived Key with X9.63 KDF - Shared secret Secret: W,E - ANS X9.63 Derived Key: G,R HKDF Key Derive a key 0 Shared HKDF Derived Key Derivation Crypto Officer Derivation from a shared Secret key with KDA HKDF - Shared secret Secret: W,E - HKDF Derived Key: G,R OneStep KDA Derive a key 0 Shared KDA OneStep Key Derivation Crypto Officer Key Derivation from a shared Secret Derived Key with KDA - Shared secret OneStep Secret: W,E - KDA OneStep Derived Key: G,R TwoStep KDA Derive a key 0 Shared KDA TwoStep Key Derivation Crypto Officer Key Derivation from a shared Secret Derived Key with KDA - Shared secret TwoStep Secret: W,E - KDA TwoStep Derived Key: G,R SSH KDF key Derive a key 0 Shared SSH KDF Key Derivation Crypto Officer derivation from a shared Secret Derived Key with SSH KDF - Shared secret Secret: W,E - SSH KDF © 2025 Canonical Ltd. / atsec information security.
Name Description Indicator Inputs Outputs Security SSP Access Functions Derived Key: G,R PBKDF Key Derive a key 0 Password PBKDF Key Derivation Crypto Officer Derivation from a Derived Key with PBKDF2 - Password: password W,E - PBKDF Derived Key: G,R Random Generate 0 Number of Random Random Crypto Officer Number random bits number Number - Entropy Generation number Generation with Input: W,E DRBG - DRBG Seed: G,E - DRBG Internal State (V, Key): G,E - DRBG Internal State (V, C): G,E KAS-FFC-SSC Compute a 0 DH Private Shared Secret Shared Secret Crypto Officer Shared Secret shared secret Key (owner), Computation - Shared Computation DH Public Secret: G,R Key (peer) - DH Private Key: W,E - DH Public Key: W,E KAS-ECC-SSC Compute a 0 EC Private Shared Secret Shared Secret Crypto Officer Shared Secret shared secret Key (owner), Computation - Shared Computation EC Public Secret: G,R Key (peer) - EC Private Key: W,E - EC Public Key: W,E RSA Digital Generate a 0 RSA Private Signature Signature Crypto Officer Signature digital Key, Generation with - RSA Private Generation signature message, RSA Key: W,E with RSA hash algorithm ECDSA Digital Generate a 0 EC Private Signature Signature Crypto Officer Signature digital Key, Generation with - EC Private Generation signature message, ECDSA Key: W,E with ECDSA hash algorithm RSA Digital Verify a 0 RSA Public Pass or Fail Signature Crypto Officer Signature digital Key, Verification with - RSA Public Verification signature message, RSA Key: W,E using RSA signature, Signature hash Verification with algorithm RSA (Legacy) © 2025 Canonical Ltd. / atsec information security.
Name Description Indicator Inputs Outputs Security SSP Access Functions ECDSA Digital Verify a 0 EC Public Pass or Fail Signature Crypto Officer Signature digital Key, Verification with - EC Public Verification signature message, ECDSA Key: W,E using ECDSA signature, Signature hash Verification with algorithm ECDSA (Legacy) RSA Key Pair Generate an 0 Modulus bits Module Key Pair Crypto Officer Generation RSA key pair Generated Generation with - Module RSA Private RSA Generated Key, Module RSA Private Generated Key: G,R RSA Public - Module Key Generated RSA Public Key: G,R - Intermediate Key Generation Value: G,E,Z ECDSA Key Pair Generate an 0 Curve Module Key Pair Crypto Officer Generation EC key pair Generated EC Generation with - Module Private Key, ECDSA Generated EC Module Private Key: Generated EC G,R Public Key - Module Generated EC Public Key: G,R - Intermediate Key Generation Value: G,E,Z Safe Primes Key Generate an 0 Group Module Key Pair Crypto Officer Pair Generation DH key pair Generated Generation with - Module DH Private Safe Primes Generated DH Key, Module Private Key: Generated G,R DH Public Key - Module Generated DH Public Key: G,R - Intermediate Key Generation Value: G,E,Z ECDSA Key Pair Verify an EC 0 EC Private Pass or Fail Key Pair Crypto Officer Verification key pair Key, EC Verification with - EC Private Public Key ECDSA Key: W,E - EC Public Key: W,E © 2025 Canonical Ltd. / atsec information security.
Name Description Indicator Inputs Outputs Security SSP Access Functions Safe Prime Key Verify a DH 0 DH Private Pass or Fail Key Pair Crypto Officer Pair Verification key pair Key, DH Verification with - DH Private Public Key Safe Primes Key: W,E - DH Public Key: W,E Show Version Return the 0 None Module name None Crypto Officer name and and version version information Show Status Return the 0 None Module None Crypto Officer module status status Self-Test Perform the 0 None Pass or Fail of None Crypto Officer CASTs and self-tests integrity test Zeroization Zeroize any 0 An SSP None None Crypto Officer SSP - AES Key: Z - HMAC Key: Z - KMAC Key: Z - KeyDerivation Key: Z - Shared Secret: Z - Password: Z - PBKDF Derived Key: Z - KBKDF Derived Key: Z - ANS X9.42 Derived Key: Z - ANS X9.63 Derived Key: Z - HKDF Derived Key: Z - KDA OneStep Derived Key: Z - KDA TwoStep Derived Key: Z - TLS Derived Key: Z - SSH KDF Derived Key: Z - Entropy Input: Z - DRBG Internal State (V, Key): Z - DRBG Seed: © 2025 Canonical Ltd. / atsec information security.
Name Description Indicator Inputs Outputs Security SSP Access Functions Z - DH Private Key: Z - DH Public Key: Z - EC Private Key: Z - EC Public Key: Z - RSA Private Key: Z - RSA Public Key: Z - Module Generated DH Private Key: Z - Module Generated DH Public Key: Z - Module Generated EC Private Key: Z - Module Generated EC Public Key: - Module Generated RSA Private Key: Z - Module Generated RSA Public Key: Z Table 13: Approved Services The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The Approved Services table and the Non-Approved Services table define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
turn perform the requested service. Additionally, this EVP API layer can be used to retrieve the approved service indicator for the module. The cryptographic module provides an approved service indicator in the form of an OpenSSL provider gettable parameter called UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE. This parameter will be equal to 0 if the requested service is an approved security service, otherwise it will be set to 1. The operator is responsible to query the value of such gettable parameter after calling the requested service.
Name Description Algorithms Role Encryption AES GCM (external IV) AES GCM (external IV) CO Key Pair Generation Key pair generation DSA CO ECDSA with curve P-192, B-163, K-163 Key Pair Verification Key pair verification DSA CO ECDSA with curve B-163, K-163 Signature Generation Signature generation DSA CO ECDSA with curve P-192 ECDSA with curve B-163, B-233, B-283, B-409, B571, K-163, K-233, K-283, K-409, K-571 RSA and ECDSA (pre-hashed message) RSA X9.31 Signature Verification Signature verification DSA CO ECDSA with curve B-163, B-233, B-283, B-409, B571, K-163, K-233, K-283, K-409, K-571 RSA and ECDSA (pre-hashed message) RSA X9.31 Asymmetric Asymmetric RSA primitive CO Encryption encryption RSA-OAEP Asymmetric Asymmetric RSA primitive CO Decryption decryption RSA-OAEP Secret Value Secret value RSASVE CO Encapsulation encapsulation Secret Value Un- Secret value un- RSASVE CO encapsulation encapsulation Table 14: Non-Approved Services In the table above, CO specifies the Crypto Officer role.
The module does not have the capability of loading software or firmware from an external source. © 2025 Canonical Ltd. / atsec information security.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
The integrity of the module is verified by comparing a HMAC-SHA2-256 value calculated at run time with the HMAC-SHA2-256 value embedded in the fips.so file that was computed at build time.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently re-initializing the module, or by calling the OSSL_PROVIDER_self_test function. This will perform (among others) the software integrity test.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.
There are no concurrent operators. © 2025 Canonical Ltd. / atsec information security.
The module is comprised of software only, and therefore this section is not applicable. © 2025 Canonical Ltd. / atsec information security.
This module does not implement any non-invasive security mechanism, and therefore this section is not applicable.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. Dynamic The module does not perform persistent storage of SSPs. Table 15: Storage Areas SSPs are provided to the module by the calling application and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of SSPs.
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling Cryptographic Plaintext Manual Electronic parameters application (TOEPP) module API output Cryptographic Operator calling Plaintext Manual Electronic parameters module application (TOEPP) Table 16: SSP Input-Output Methods The module only supports SSP entry and output to and from the calling application running on the same operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. There is no entry or output of cryptographically protected SSPs. SSPs can be entered into the module via API input parameters, when required by a service. SSPs can also be output from the module via API output parameters, immediately after generation of the SSP.
Zeroization Description Rationale Operator Method Initiation Free cipher Zeroizes the SSPs contained within the cipher Memory occupied by SSPs By calling the handle handle: EVP_CIPHER_CTX_free() clears and is overwritten with zeroes cipher frees symmetric cipher context, and then it is released, related EVP_MAC_CTX_free() clears and frees MAC which renders the SSP zeroization context, EVP_KDF_CTX_free() clears and frees values irretrievable. The API KDF context, EVP_RAND_CTX_free() clears and completion of the frees DRBG context, EVP_PKEY_free() clears zeroization routine and frees asymmetric key pair structures indicates that the © 2025 Canonical Ltd. / atsec information security.
Zeroization Description Rationale Operator Method Initiation zeroization procedure succeeded. Automatic Automatically zeroized by the module when no Memory occupied by SSPs N/A longer needed is overwritten with zeroes, which renders the SSP values irretrievable. Module De-allocates the volatile memory used to store Volatile memory used by By unloading reset SSPs the module is overwritten and within nanoseconds when reloading the power is removed. module Table 17: SSP Zeroization Methods The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The operator is responsible for calling the appropriate destruction functions provided in the module's API. The destruction functions, listed above, overwrite the memory occupied by SSPs with zeroes and de-allocate the memory with the regular memory de-allocation operating system call. All data output is inhibited during zeroization.
Name Description Size - Type - Generated Established Used By Strength Category By By AES Key Used for 128, 192, 256 Symmetric Encryption with encryption, bits - 128, key - CSP AES decryption, and 192, 256 bits Decryption message with AES authentication Authenticated Encryption with AES Authenticated Decryption with AES Message Authentication Generation with AES HMAC Key Used for hash- 112-524288 Symmetric Message based message bits - 112- key - CSP Authentication authentication 256 bits Generation with HMAC KMAC Key Used for 128-1024 Symmetric Message message bits - 112- key - CSP Authentication authentication 256 bits Generation with KMAC Key- Used for key 112-4096 Symmetric Key Derivation Derivation derivation bits - 112- key - CSP with KBKDF Key 256 bits © 2025 Canonical Ltd. / atsec information security.
Name Description Size -Type - Generated Established Used By Strength Category By By Shared Generated by 224-8192 Shared Shared Key Derivation Secret shared secret bits - 112secret - CSP Secret with KDA computation 256 bits Computation OneStep and used for key Key Derivation derivation with KDA TwoStep Key Derivation with KDA HKDF Key Derivation with ANS X9.42 KDF Key Derivation with X9.63 KDF Key Derivation with SSH KDF Key Derivation with TLS 1.2 KDF Key Derivation with TLS 1.3 KDF Password Used for At least 8 Password - Key Derivation password-based characters - CSP with PBKDF2 key derivation N/A PBKDF Generated by 112-4096 Symmetric Key Derived Key password-based bits - 112- key - CSP Derivation key derivation 256 bits with PBKDF2 KBKDF Generated by 112-4096 Symmetric Key Derived Key key-based key bits - 112- key - CSP Derivation derivation 256 bits with KBKDF ANS X9.42 Generated by 128-4096 Symmetric Key Derived Key ANS X9.42 key bits - 112- key - CSP Derivation derivation 256 bits with ANS X9.42 KDF ANS X9.63 Generated by 128-4096 Symmetric Key Derived Key ANS X9.63 key bits - 112- key - CSP Derivation derivation 256 bits with X9.63 KDF HKDF Generated by 224-8192 Symmetric Key Derived Key HKDF key bits - 112- key - CSP Derivation derivation 256 bits with KDA HKDF KDA Generated by 2048 bits - Symmetric Key OneStep OneStep KDA 112-256 bits key - CSP Derivation Derived Key key derivation with KDA OneStep © 2025 Canonical Ltd. / atsec information security.
Name Description Size - Type - Generated Established Used By Strength Category By By KDA Generated by 2048 bits - Symmetric Key TwoStep TwoStep KDA 112-256 bits key - CSP Derivation Derived Key key derivation with KDA TwoStep TLS Derived Generated by 112-1024 Symmetric Key Key TLS KDF key bits - 112- key - CSP Derivation derivation 256 bits with TLS
Key Derivation with TLS
SSH KDF Generated by 112-256 bits Symmetric Key Derived Key SSH KDF key - 112-256 key - CSP Derivation derivation bits with SSH KDF Entropy Used for 128-384 bits Entropy Random Input random number - 128-256 input - CSP Number generation and bits Generation seeding a DRBG with DRBG (compliant with IG D.L) DRBG Used for Counter Internal Random Random Internal random number DRBG: 256, state - CSP Number Number State (V, Key) generation 320, 348 bits; Generation Generation (compliant with HMAC DRBG: with DRBG with DRBG IG D.L) 320, 512,
Counter DRBG: 128, 192, 256 bits; HMAC DRBG: 128, 256 bits DRBG Used for 880, 1776 Internal Random Random Internal random number bits - 128, state - CSP Number Number State (V, C) generation 256 bits Generation Generation (compliant with with DRBG with DRBG IG D.L) DRBG Seed Used for 128-256 bits Seed - CSP Random Random random number - 128-256 Number Number generation bits Generation Generation (compliant with with DRBG with DRBG IG D.L) DH Private Used for shared 2048-8192 Private key - Key Pair Key secret bits - 112- CSP Verification computation 200 bits with Safe and key pair Primes verification Shared Secret Computation © 2025 Canonical Ltd. / atsec information security.
Name Description Size - Type - Generated Established Used By Strength Category By By DH Public Used for shared 2048-8192 Public key - Key Pair Key secret bits - 112- PSP Verification computation 200 bits with Safe and key pair Primes verification Shared Secret Computation EC Private Used for shared P-224, P-256, Private key - Signature Key secret P-384, P-521, CSP Generation computation, K-233, K-283, with ECDSA digital signature K-409, K-571, Key Pair generation, and B-233, B-283, Verification key pair B-409, B-571 with ECDSA verification bits - 112- Shared Secret
256 bits Computation
EC Public Key Used for shared P-192, P-224, Public key - Signature secret P-256, P-384, PSP Verification computation, P-521, K-163, with ECDSA signature K-233, K-283, Key Pair verification, and K-409, K-571, Verification key pair B-163, B-233, with ECDSA verification B-283, B-409, Shared Secret B-571 bits - Computation 80-256 bits RSA Private Used for 2048-16384 Private key - Signature Key signature bits - 112- CSP Generation generation 256 bits with RSA RSA Public Used for 1024-16384 Public key - Signature Key signature bits - 80-256 PSP Verification verification bits with RSA Module DH private key 2048-8192 Private key - Key Pair Generated generated by bits - 112- CSP Generation DH Private the module 200 bits with Safe Key Primes Module DH public key 2048-8192 Public key - Key Pair Generated generated by bits - 112PSP Generation DH Public the module 200 bits with Safe Key Primes Module EC private key P-224, P-256, Private key - Key Pair Generated generated by P-384, P-521, CSP Generation EC Private the module K-233, K-283, with ECDSA Key K-409, K-571, B-233, B-283, B-409, B-571 bits - 112-
Module EC public key P-224, P-256, Public key - Key Pair Generated generated by P-384, P-521, PSP Generation EC Public Key the module K-163, K-233, with ECDSA K-283, K-409, © 2025 Canonical Ltd. / atsec information security.
Name Description Size - Type - Generated Established Used By Strength Category By By K-571, B-163, B-233, B-283, B-409, B-571 bits - 112-
Module RSA private key 2048-16384 Private key - Key Pair Generated generated by bits - 112- CSP Generation RSA Private the module 256 bits with RSA Key Module RSA public key 2048-16384 Public key - Key Pair Generated generated by bits - 112- PSP Generation RSA Public the module 256 bits with RSA Key Intermediate Used for key 224-16384 Intermediate Key Pair Key Pair Key pair generation bits - 112- value - CSP Generation Generation Generation 256 bits with ECDSA with ECDSA Value Key Pair Key Pair Generation Generation with RSA with RSA Key Pair Key Pair Generation Generation with Safe with Safe Primes Primes Table 18: SSP Table 1 Name Input - Storage Storage Duration Zeroization Related SSPs Output AES Key API input RAM:Plaintext From service Free cipher parameters invocation to handle service completion Module reset HMAC Key API input RAM:Plaintext From service Free cipher parameters invocation to handle service completion Module reset KMAC Key API input RAM:Plaintext From service Free cipher parameters invocation to handle service completion Module reset Key-Derivation API input RAM:Plaintext From service Free cipher KBKDF Derived Key parameters invocation to handle Key:Derives service completion Module reset Shared Secret API input RAM:Plaintext From service Free cipher DH Private parameters invocation to handle Key:Generated From API output service completion Module DH Public parameters reset Key:Generated From EC Private © 2025 Canonical Ltd. / atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output Key:Generated From EC Public Key:Generated From Password API input RAM:PlaintextFrom service Free cipher PBKDF Derived parameters invocation to handle Key:Derives service completion Module reset PBKDF Derived API output RAM:Plaintext From service Free cipher Password:Derived Key parameters invocation to handle From service completion Module reset KBKDF Derived API output RAM:Plaintext From service Free cipher Key-Derivation Key parameters invocation to handle Key:Derived From service completion Module reset ANS X9.42 API output RAM:Plaintext From service Free cipher Shared Secret:Derived Derived Key parameters invocation to handle From service completion Module reset ANS X9.63 API output RAM:Plaintext From service Free cipher Shared Secret:Derived Derived Key parameters invocation to handle From service completion Module reset HKDF Derived API output RAM:Plaintext From service Free cipher Shared Secret:Derived Key parameters invocation to handle From service completion Module reset KDA OneStep API output RAM:Plaintext From service Free cipher Shared Secret:Derived Derived Key parameters invocation to handle From service completion Module reset KDA TwoStep API output RAM:Plaintext From service Free cipher Shared Secret:Derived Derived Key parameters invocation to handle From service completion Module reset TLS Derived API output RAM:Plaintext From service Free cipher Shared Secret:Derived Key parameters invocation to handle From service completion Module reset SSH KDF API output RAM:Plaintext From service Free cipher Shared Secret:Derived Derived Key parameters invocation to handle From service completion Module reset Entropy Input RAM:Plaintext From service Automatic DRBG Seed:Generates invocation to service completion DRBG Internal RAM:Plaintext From DRBG Free cipher DRBG Seed:Generated State (V, Key) instantiation to un- handle From © 2025 Canonical Ltd. / atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output instantiation or Module internal zeroization reset DRBG Internal RAM:Plaintext From DRBG Free cipher DRBG Seed:Generated State (V, C) instantiation to un- handle From instantiation or Module internal zeroization reset DRBG Seed RAM:Plaintext From service Free cipher DRBG Internal State invocation to handle (V, Key):Generates service completion Module DRBG Internal State reset (V, C):Generates Entropy Input:Generated From DH Private Key API input RAM:Plaintext From service Free cipher DH Public Key:Paired parameters invocation to handle With service completion Module Shared Secret:Derives reset DH Public Key API input RAM:Plaintext From service Free cipher DH Private Key:Paired parameters invocation to handle With service completion Module Shared reset Secret:Generates EC Private Key API input RAM:Plaintext From service Free cipher EC Public Key:Paired parameters invocation to handle With service completion Module Shared reset Secret:Generates EC Public Key API input RAM:Plaintext From service Free cipher EC Private Key:Paired parameters invocation to handle With service completion Module Shared reset Secret:Generates RSA Private Key API input RAM:Plaintext From service Free cipher RSA Public Key:Paired parameters invocation to handle With service completion Module reset RSA Public Key API input RAM:Plaintext From service Free cipher RSA Private parameters invocation to handle Key:Paired With service completion Module reset Module API output RAM:Plaintext From service Free cipher Module Generated DH Generated DH parameters invocation to handle Public Key:Paired With Private Key service completion Module Intermediate Key reset Generation Value:Generated From Module API output RAM:Plaintext From service Free cipher Module Generated DH Generated DH parameters invocation to handle Private Key:Paired Public Key service completion Module With reset Intermediate Key Generation Value:Generated From © 2025 Canonical Ltd. / atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output Module API output RAM:Plaintext From service Free cipher Module Generated EC Generated EC parameters invocation to handle Public Key:Paired With Private Key service completion Module Intermediate Key reset Generation Value:Generated From Module API output RAM:Plaintext From service Free cipher Module Generated EC Generated EC parameters invocation to handle Private Key:Paired Public Key service completion Module With reset Intermediate Key Generation Value:Generated From Module API output RAM:Plaintext From service Free cipher Module Generated Generated RSA parameters invocation to handle RSA Public Key:Paired Private Key service completion Module With reset Intermediate Key Generation Value:Generated From Module API output RAM:Plaintext From service Free cipher Module Generated Generated RSA parameters invocation to handle RSA Private Public Key service completion Module Key:Paired With reset Intermediate Key Generation Value:Generated From Intermediate RAM:Plaintext From service Automatic Module Generated DH Key Generation invocation to Private Key:Generates Value service completion Module Generated DH Public Key:Generates Module Generated EC Private Key:Generates Module Generated EC Public Key:Generates Module Generated RSA Private Key:Generates Module Generated RSA Public Key:Generates Table 19: SSP Table 2 The tables above summarize the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module in the approved services (Approved Services table). SSPs, including CSPs, are directly imported as input parameters and exported as output parameters from the module. Because these SSPs are only transiently used for a specific service, they are, by definition, exclusive between approved and nonapproved services. © 2025 Canonical Ltd. / atsec information security.
The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes starting January 1, 2031.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Indicator Details Test Properties HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5750) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5768) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5769) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5770) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5771) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5778) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5779) Authentication Integrity operational and services are for fips.so
available for use HMAC-SHA2- 256-bit key Message SW/FW Module becomes Integrity test
256 (A5931) Authentication Integrity operational and services are for fips.so
available for use Table 20: Pre-Operational Self-Tests The module performs pre-operational tests automatically when the module is powered on. The pre-operational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational selftests are passed successfully. The integrity of the shared library component of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the corresponding HMAC value embedded in the fips.so file that was computed at build time. If the software integrity test fails, the module transitions to the error state (Section 10.3). The HMAC and SHA2-256 algorithms go through their respective CASTs before the software integrity test is performed. © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5747) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5748) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5749) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5751) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5752) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5753) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5754) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5755) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5774) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5775) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5776) bit key operational and operation power-on services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5927) bit key operational and operation power-on © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type services are before the available for use integrity test AES-ECB Decrypt with 256- KAT CAST Module becomes Symmetric Test runs at (A5932) bit key operational and operation power-on services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5759) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5760) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5761) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5762) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5763) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5764) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5765) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5766) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5767) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5777) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5781) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5782) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5783) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5928) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5929) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test AES-GCM Encrypt/Decrypt KAT CAST Module becomes Symmetric Test runs at (A5930) with 256-bit key, 96- operational and operation power-on bit (internal IV) services are before the available for use integrity test SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5750) operational and power-on services are before the available for use integrity test SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5768) operational and power-on services are before the available for use integrity test SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5769) operational and power-on services are before the available for use integrity test SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5770) operational and power-on services are before the available for use integrity test SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5771) operational and power-on services are before the available for use integrity test SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5778) operational and power-on services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA-1 3-byte message KAT CAST Module becomes Message digest Test runs at (A5931) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5750) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5768) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5769) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5770) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5771) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5778) operational and power-on services are before the available for use integrity test SHA2-512 3-byte message KAT CAST Module becomes Message digest Test runs at (A5931) operational and power-on services are before the available for use integrity test SHA3-256 4-byte message KAT CAST Module becomes Message digest Test runs at (A5756) operational and power-on services are before the available for use integrity test SHA3-256 4-byte message KAT CAST Module becomes Message digest Test runs at (A5780) operational and power-on services are before the available for use integrity test SHA3-256 4-byte message KAT CAST Module becomes Message digest Test runs at (A5933) operational and power-on services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5750) operational and authentication power-on
services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5768) operational and authentication power-on
services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5769) operational and authentication power-on
services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5770) operational and authentication power-on
services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5771) operational and authentication power-on
services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5778) operational and authentication power-on
services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5779) operational and authentication power-on
services are before the available for use integrity test HMAC-SHA2- SHA2-256 KAT CAST Module becomes Message Test runs at
256 (A5931) operational and authentication power-on
services are before the available for use integrity test Counter 128 bit keys, DF, KAT CAST Module becomes Compliant with Test runs at DRBG with PR operational and SP 800-90Ar1 power-on (A5746) services are before the available for use integrity test HMAC DRBG HMAC-SHA-1, with KAT CAST Module becomes Compliant with Test runs at (A5746) PR operational and SP 800-90Ar1 power-on services are before the available for use integrity test Hash DRBG SHA2-256, with PR KAT CAST Module becomes Compliant with Test runs at (A5746) operational and SP 800-90Ar1 power-on services are before the available for use integrity test KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5750) services are before the available for use integrity test KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5768) services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5769) services are before the available for use integrity test KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5770) services are before the available for use integrity test KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5771) services are before the available for use integrity test KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5778) services are before the available for use integrity test KAS-ECC-SSC P-256 curve KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5931) services are before the available for use integrity test KAS-FFC-SSC ffdhe2048 KAT CAST Module becomes Shared secret Test runs at Sp800-56Ar3 operational and computation power-on (A5773) services are before the available for use integrity test KDF SP800- HMAC-SHA2-256 KAT CAST Module becomes Key based key Test runs at
108 (A5772) with 128-bit key, 24- operational and derivation power-on
bit salt services are before the available for use integrity test KDA OneStep SHA2-224 KAT CAST Module becomes Shared secret key Test runs at SP800-56Cr2 operational and derivation power-on (A5744) services are before the available for use integrity test KDA TwoStep SHA2-256 KAT CAST Module becomes Shared secret key Test runs on SP800-56Cr2 operational and derivation power-on (A5744) services are before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5750) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5756) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5768) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5769) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5770) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5771) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5778) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5780) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5931) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.42 SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5933) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5750) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5768) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5769) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5770) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5771) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5778) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test KDF ANS 9.63 SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5931) operational and ANS X9.42 key power-on services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5750) services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5768) services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5769) services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5770) services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5771) services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5778) services are derivation before the available for use integrity test TLS v1.2 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at RFC7627 operational and TLS v1.2 KDF key power-on (A5931) services are derivation before the available for use integrity test TLS v1.3 KDF SHA2-256 KAT CAST Module becomes Industry-based Test runs at (A5758) operational and TLS v1.3 KDF key power-on services are derivation before the available for use integrity test KDF SSH SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5751) operational and SSH KDF key power-on services are derivation before the available for use integrity test KDF SSH SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5752) operational and SSH KDF key power-on services are derivation before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type KDF SSH SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5753) operational and SSH KDF key power-on services are derivation before the available for use integrity test KDF SSH SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5754) operational and SSH KDF key power-on services are derivation before the available for use integrity test KDF SSH SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5755) operational and SSH KDF key power-on services are derivation before the available for use integrity test KDF SSH SHA-1 KAT CAST Module becomes Industry-based Test runs at (A5932) operational and SSH KDF key power-on services are derivation before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5750) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5756) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5768) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5769) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5770) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5771) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5778) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5780) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5931) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test PBKDF SHA2-256 with 4096 KAT CAST Module becomes Password-based Test runs at (A5933) iterations and 288- operational and key derivation power-on bit salt services are before the available for use integrity test KDA HKDF SHA2-256 KAT CAST Module becomes Shared secret key Test runs at SP800-56Cr2 operational and derivation power-on (A5758) services are before the available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5750) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5756) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5768) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5769) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5770) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5771) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5778) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5780) available for use integrity test ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5931) available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type ECDSA SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at SigGen 224, B-233 operational and generation power-on (FIPS186-5) services are before the (A5933) available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5750) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5756) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5768) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5769) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5770) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5771) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5778) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5780) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5931) services are before the available for use integrity test ECDSA SigVer SHA2-256 with P- KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 256, B-233 operational and verification power-on (A5933) services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5750) SHA2-256 services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5756) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5768) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5769) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5770) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5771) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5778) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5780) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5931) SHA2-256 services are before the available for use integrity test RSA SigGen PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and generation power-on (A5933) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5750) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5756) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5768) SHA2-256 services are before the available for use integrity test © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5769) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5770) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5771) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5778) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5780) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5931) SHA2-256 services are before the available for use integrity test RSA SigVer PKCS#1 v1.5 with KAT CAST Module becomes Digital signature Test runs at (FIPS186-5) 2048 bit key and operational and verification power-on (A5933) SHA2-256 services are before the available for use integrity test ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5745) ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5750) ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5768) ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5769) ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5770) © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5771) ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5778) ECDSA SHA2-256 PCT PCT Successful key Signature Key pair KeyGen pair generation generation & generation (FIPS186-5) verification (A5931) RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5750) verification RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5768) verification RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5769) verification RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5770) verification RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5771) verification RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5778) verification RSA KeyGen PKCS#1 v1.5 with PCT PCT Successful key Signature Key pair (FIPS186-5) SHA2-256 pair generation generation & generation (A5931) verification Safe Primes Section 5.6.2.1.4 of PCT PCT Successful key SP 800-56ARev3, Key pair Key SP800-56Arev3 pair generation 5.6.2.1.4 generation Generation (A5773) Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. The CASTs can be performed on demand by unloading and re-initializing the module. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state. © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5750) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5768) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5769) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5770) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5771) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5778) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5779) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5931) Authentication Table 22: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A5747) KAT CAST On Demand Manually AES-ECB (A5748) KAT CAST On Demand Manually AES-ECB (A5749) KAT CAST On Demand Manually AES-ECB (A5751) KAT CAST On Demand Manually AES-ECB (A5752) KAT CAST On Demand Manually AES-ECB (A5753) KAT CAST On Demand Manually AES-ECB (A5754) KAT CAST On Demand Manually AES-ECB (A5755) KAT CAST On Demand Manually AES-ECB (A5774) KAT CAST On Demand Manually AES-ECB (A5775) KAT CAST On Demand Manually AES-ECB (A5776) KAT CAST On Demand Manually AES-ECB (A5927) KAT CAST On Demand Manually AES-ECB (A5932) KAT CAST On Demand Manually AES-GCM (A5759) KAT CAST On Demand Manually AES-GCM (A5760) KAT CAST On Demand Manually AES-GCM (A5761) KAT CAST On Demand Manually AES-GCM (A5762) KAT CAST On Demand Manually AES-GCM (A5763) KAT CAST On Demand Manually AES-GCM (A5764) KAT CAST On Demand Manually AES-GCM (A5765) KAT CAST On Demand Manually AES-GCM (A5766) KAT CAST On Demand Manually AES-GCM (A5767) KAT CAST On Demand Manually AES-GCM (A5777) KAT CAST On Demand Manually © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM (A5781) KAT CAST On Demand Manually AES-GCM (A5782) KAT CAST On Demand Manually AES-GCM (A5783) KAT CAST On Demand Manually AES-GCM (A5928) KAT CAST On Demand Manually AES-GCM (A5929) KAT CAST On Demand Manually AES-GCM (A5930) KAT CAST On Demand Manually SHA-1 (A5750) KAT CAST On Demand Manually SHA-1 (A5768) KAT CAST On Demand Manually SHA-1 (A5769) KAT CAST On Demand Manually SHA-1 (A5770) KAT CAST On Demand Manually SHA-1 (A5771) KAT CAST On Demand Manually SHA-1 (A5778) KAT CAST On Demand Manually SHA-1 (A5931) KAT CAST On Demand Manually SHA2-512 (A5750) KAT CAST On Demand Manually SHA2-512 (A5768) KAT CAST On Demand Manually SHA2-512 (A5769) KAT CAST On Demand Manually SHA2-512 (A5770) KAT CAST On Demand Manually SHA2-512 (A5771) KAT CAST On Demand Manually SHA2-512 (A5778) KAT CAST On Demand Manually SHA2-512 (A5931) KAT CAST On Demand Manually SHA3-256 (A5756) KAT CAST On Demand Manually SHA3-256 (A5780) KAT CAST On Demand Manually SHA3-256 (A5933) KAT CAST On Demand Manually HMAC-SHA2-256 KAT CAST On Demand Manually (A5750) HMAC-SHA2-256 KAT CAST On Demand Manually (A5768) HMAC-SHA2-256 KAT CAST On Demand Manually (A5769) HMAC-SHA2-256 KAT CAST On Demand Manually (A5770) HMAC-SHA2-256 KAT CAST On Demand Manually (A5771) HMAC-SHA2-256 KAT CAST On Demand Manually (A5778) HMAC-SHA2-256 KAT CAST On Demand Manually (A5779) HMAC-SHA2-256 KAT CAST On Demand Manually (A5931) Counter DRBG KAT CAST On Demand Manually (A5746) HMAC DRBG KAT CAST On Demand Manually (A5746) © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method Hash DRBG (A5746) KAT CAST On Demand Manually KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5750) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5768) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5769) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5770) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5771) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5778) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5931) KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A5773) KDF SP800-108 KAT CAST On Demand Manually (A5772) KDA OneStep KAT CAST On Demand Manually SP800-56Cr2 (A5744) KDA TwoStep KAT CAST On Demand Manually SP800-56Cr2 (A5744) KDF ANS 9.42 KAT CAST On Demand Manually (A5750) KDF ANS 9.42 KAT CAST On Demand Manually (A5756) KDF ANS 9.42 KAT CAST On Demand Manually (A5768) KDF ANS 9.42 KAT CAST On Demand Manually (A5769) KDF ANS 9.42 KAT CAST On Demand Manually (A5770) KDF ANS 9.42 KAT CAST On Demand Manually (A5771) KDF ANS 9.42 KAT CAST On Demand Manually (A5778) © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method KDF ANS 9.42 KAT CAST On Demand Manually (A5780) KDF ANS 9.42 KAT CAST On Demand Manually (A5931) KDF ANS 9.42 KAT CAST On Demand Manually (A5933) KDF ANS 9.63 KAT CAST On Demand Manually (A5750) KDF ANS 9.63 KAT CAST On Demand Manually (A5768) KDF ANS 9.63 KAT CAST On Demand Manually (A5769) KDF ANS 9.63 KAT CAST On Demand Manually (A5770) KDF ANS 9.63 KAT CAST On Demand Manually (A5771) KDF ANS 9.63 KAT CAST On Demand Manually (A5778) KDF ANS 9.63 KAT CAST On Demand Manually (A5931) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5750) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5768) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5769) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5770) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5771) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5778) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5931) TLS v1.3 KDF KAT CAST On Demand Manually (A5758) KDF SSH (A5751) KAT CAST On Demand Manually KDF SSH (A5752) KAT CAST On Demand Manually KDF SSH (A5753) KAT CAST On Demand Manually KDF SSH (A5754) KAT CAST On Demand Manually KDF SSH (A5755) KAT CAST On Demand Manually KDF SSH (A5932) KAT CAST On Demand Manually PBKDF (A5750) KAT CAST On Demand Manually PBKDF (A5756) KAT CAST On Demand Manually PBKDF (A5768) KAT CAST On Demand Manually © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method PBKDF (A5769) KAT CAST On Demand Manually PBKDF (A5770) KAT CAST On Demand Manually PBKDF (A5771) KAT CAST On Demand Manually PBKDF (A5778) KAT CAST On Demand Manually PBKDF (A5780) KAT CAST On Demand Manually PBKDF (A5931) KAT CAST On Demand Manually PBKDF (A5933) KAT CAST On Demand Manually KDA HKDF SP800- KAT CAST On Demand Manually 56Cr2 (A5758) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5750) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5756) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5768) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5769) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5770) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5771) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5778) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5780) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5931) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5933) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5750) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5756) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5768) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5769) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5770) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5771) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5778) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5780) © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5931) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5933) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5750) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5756) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5768) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5769) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5770) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5771) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5778) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5780) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5931) RSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5933) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5750) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5756) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5768) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5769) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5770) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5771) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5778) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5780) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5931) RSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5933) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5745) © 2025 Canonical Ltd. / atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5750) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5768) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5769) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5770) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5771) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5778) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5931) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5750) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5768) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5769) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5770) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5771) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5778) RSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5931) Safe Primes Key PCT PCT On Demand Manually Generation (A5773) Table 23: Conditional Periodic Information The module does not implement periodic self-tests.
Name Description Conditions Recovery Method Indicator Error The module immediately Software integrity Re-initialization of Module will not load; stops functioning test failure the module Module is aborted for PCT CAST failure failure PCT failure Table 24: Error States If the module fails any of the self-tests, the module enters the error state. In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). © 2025 Canonical Ltd. / atsec information security.
Regarding the PCT failure, an OSSL_PROV_PARAM_STATUS parameter can be queried from the FIPS provider to check the status of the cryptographic module. The table above lists the error states and the status indicator values that explain the error that has occurred.
The software integrity tests and cryptographic algorithm self-tests can be invoked on demand by resetting the module or by invoking the OSSL_PROVIDER_self_test method. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
The binaries of the FIPS validated module are contained in the following Ubuntu packages for delivery:
$ sudo pro enable fips (4) To verify that Approved mode is enabled run: $ sudo pro status The pro client will install the necessary packages for the Approved mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into Approved mode. The reboot will boot into FIPS supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in Approved mode. If you do not reboot after installing and configuring the bootloader, Approved mode is not yet enabled. To verify that FIPS is enabled after the reboot check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in Approved mode. If the file is missing, the FIPS kernel is not installed, you can verify that FIPS has been properly enabled with the pro status command.
The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the logical interfaces are specified in section 3.1. The requirements and restrictions that shall be considered when operating the module in approved mode are specified in section 2.7 and section 6. The installation, initialization, and startup procedures specified in section 11.1 shall be followed.
There is no non-administrator guidance.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the Ubuntu packages can be uninstalled from the Ubuntu 24.04 system. © 2025 Canonical Ltd. / atsec information security.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:
RSA, ECDSA, ECDH, and DH employ blinding techniques to further impede timing and power analysis.
No configuration is needed to enable the aforementioned countermeasures.
Not applicable. © 2025 Canonical Ltd. / atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF CP Assist for Cryptographic Functions CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IKE Internet Key Exchange © 2025 Canonical Ltd. / atsec information security.
KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KMAC KECCAK Message Authentication Code KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RSADP RSA Decryption Primitive RSAEP RSA Encryption Primitive RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Canonical Ltd. / atsec information security.
Appendix B. References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt © 2025 Canonical Ltd. / atsec information security.
RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Addendum Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38e.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf © 2025 Canonical Ltd. / atsec information security.
SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP 800-140Br1 CMVP Security Policy Requirements November 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Br1.pdf © 2025 Canonical Ltd. / atsec information security.