| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/5/2031 |
| Caveat | When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Ctrl IQ, Inc. |
flowchart LR
%% Deterministic review-risk graph for Rocky Linux 9 OpenSSL FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Rocky Linux 9 OpenSSL FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Ctrl IQ, Inc. Rocky Linux 9 OpenSSL FIPS Provider Prepared by: atsec information security corporation
Austin, TX 78759 Document version: 1.1 www.atsec.com Last update: 2026-01-05
| # | Section | Page |
|---|
© 2025 Ctrl IQ, Inc., atsec information security.
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 7 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 7 |
| Table 4: Modes List and Description | 8 |
| Table 5: Approved Algorithms | 10 |
| Table 6: Vendor-Affirmed Algorithms | 10 |
| Table 7: Non-Approved, Not Allowed Algorithms | 11 |
| Table 8: Security Function Implementations | 16 |
| Table 9: Entropy Certificates | 19 |
| Table 10: Entropy Sources | 19 |
| Table 11: Ports and Interfaces | 21 |
| Table 12: Roles | 22 |
| Table 13: Approved Services | 32 |
| Table 14: Non-Approved Services | 33 |
| Table 15: Storage Areas | 38 |
| Table 16: SSP Input-Output Methods | 38 |
| Table 17: SSP Zeroization Methods | 39 |
| Table 18: SSP Table 1 | 43 |
| Table 19: SSP Table 2 | 46 |
| Table 20: Pre-Operational Self-Tests | 47 |
| Table 21: Conditional Self-Tests | 49 |
| Table 22: Pre-Operational Periodic Information | 49 |
| Table 23: Conditional Periodic Information | 50 |
| Table 24: Error States | 50 |
| Figure 1: Block Diagram | 6 |
This document is the non-proprietary FIPS 140-3 Security Policy for version Rocky9.20250210 of the Rocky Linux 9 OpenSSL FIPS Provider. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. including this notice.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks 1
Overall Level 1 Table 1: Security Levels © 2025 Ctrl IQ, Inc., atsec information security.
Purpose and Use: The Rocky Linux 9 OpenSSL FIPS Provider (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider”, which implements the FIPS requirements and the cryptographic functionality provided to the operator. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined as the shared library implementing the FIPS provider (fips.so). Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is defined as the general-purpose computer on which the module is installed. The cryptographic boundary (orange) and TOEPP (purple) are schematically represented in Figure 1. Green lines indicate the flow of data between the cryptographic module and its operator application. Components in white are only included in the diagram for informational purposes and are not part of the module’s validation. Figure 1: Block Diagram © 2025 Ctrl IQ, Inc., atsec information security.
Tested Module Identification
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Mode Description Type Status Indicator Name Approve Automaticall Approve Equivalent to the indicator of the requested service: Message d y entered d digest 'EVP_DigestFinal_ex returns 1'; XOF whenever an 'EVP_DigestFinalXOF returns 1'; Encryption approved 'EVP_EncryptFinal_ex returns 1'; Decryption service is 'EVP_DecryptFinal_ex returns 1'; Authenticated encryption requested. 'AES-GCM: EVP_CIPHER_ROCKY_FIPS_INDICATOR_APPROVED; Others: EVP_EncryptFinal_ex returns 1'; Authenticated decryption 'EVP_DecryptFinal_ex returns 1'; MAC 'HMAC: OSSL_MAC_PARAM_ROCKY_FIPS_INDICATOR_APPROVE D; Others: EVP_MAC_final returns 1'; KDF 'EVP_KDF_ROCKY_FIPS_INDICATOR_APPROVED'; Random number generation 'EVP_RAND_generate returns 1'; Shared secret computation 'EVP_PKEY_ROCKY_FIPS_INDICATOR_APPROVED'; Signature generation/verification © 2025 Ctrl IQ, Inc., atsec information security.
Mode Description Type Status Indicator Name 'OSSL_RL_FIPSINDICATOR_APPROVED and EVP_PKEY_ROCKY_FIPS_INDICATOR_APPROVED'; Asymmetric Encryption/Decryption 'EVP_PKEY_ROCKY_FIPS_INDICATOR_APPROVED'; Key pair generation 'EVP_PKEY_generate returns 1'; Key pair verification 'EVP_PKEY_public_check or EVP_PKEY_private_check or EVP_PKEY_check returns 1' Non- Automaticall Non- The status indicator depends on the invoked service and is Approve y entered Approve equivalent to its indicator. As there is no non-approved service d whenever a d indicator, if the return code or flag differs from the approved non- ones it automatically implies the non-approved mode of approved operation service is requested. Table 4: Modes List and Description Once the module is installed and initilized as per Section 11.1, after passing all pre-operational self-tests and conditional self-tests executed on startup, the module automatically transitions to the approved mode. On startup, no operator intervention is required to reach this point. Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.
Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A6603, A6607, A6608 - SP 800-38A AES-CBC-CS1 A6603, A6607, A6608 - SP 800-38A AES-CBC-CS2 A6603, A6607, A6608 - SP 800-38A AES-CBC-CS3 A6603, A6607, A6608 - SP 800-38A AES-CCM A6603, A6607, A6608 - SP 800-38C AES-CFB1 A6603, A6607, A6608 - SP 800-38A AES-CFB128 A6603, A6607, A6608 - SP 800-38A AES-CFB8 A6603, A6607, A6608 - SP 800-38A AES-CMAC A6603, A6607, A6608 - SP 800-38B AES-CTR A6603, A6607, A6608 - SP 800-38A AES-ECB A6603, A6607, A6608 - SP 800-38A AES-GCM A6604, A6609, A6610, A6611, A6612, - SP 800-38D A6613, A6614, A6615, A6616 AES-GMAC A6604, A6609, A6610, A6611, A6612, - SP 800-38D A6613, A6614, A6615, A6616 AES-KW A6603, A6607, A6608 - SP 800-38F AES-KWP A6603, A6607, A6608 - SP 800-38F AES-OFB A6603, A6607, A6608 - SP 800-38A © 2025 Ctrl IQ, Inc., atsec information security.
Algorithm CAVP Cert Properties Reference AES-XTS Testing A6603, A6607, A6608 - SP 800-38E Revision 2.0 Counter DRBG A5957 - SP 800-90A Rev. 1 ECDSA KeyGen A6605, A6617, A6618, A6619 - FIPS 186-5 (FIPS186-5) ECDSA KeyVer A6605, A6617, A6618, A6619 - FIPS 186-5 (FIPS186-5) ECDSA SigGen A6605, A6606, A6617, A6618, A6619 - FIPS 186-5 (FIPS186-5) ECDSA SigVer A6605, A6606, A6617, A6618, A6619 - FIPS 186-5 (FIPS186-5) EDDSA KeyGen A6328 - FIPS 186-5 EDDSA SigGen A6328 - FIPS 186-5 EDDSA SigVer A6328 - FIPS 186-5 Hash DRBG A5957 - SP 800-90A Rev. 1 HMAC DRBG A5957 - SP 800-90A Rev. 1 HMAC-SHA-1 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA2-224 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA2-256 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA2-384 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA2-512 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA2-512/224 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA2-512/256 A6605, A6617, A6618, A6619 - FIPS 198-1 HMAC-SHA3-224 A6606 - FIPS 198-1 HMAC-SHA3-256 A6606 - FIPS 198-1 HMAC-SHA3-384 A6606 - FIPS 198-1 HMAC-SHA3-512 A6606 - FIPS 198-1 KAS-ECC-SSC Sp800- A6605, A6617, A6618, A6619 - SP 800-56A 56Ar3 Rev. 3 KAS-FFC-SSC Sp800- A6602 - SP 800-56A 56Ar3 Rev. 3 KAS-IFC-SSC A6605, A6617, A6618, A6619 - SP 800-56A Rev. 3 KDA HKDF SP800- A6601 - SP 800-56C 56Cr2 Rev. 2 KDA OneStep SP800- A6600 - SP 800-56C 56Cr2 Rev. 2 KDA TwoStep SP800- A6600 - SP 800-56C 56Cr2 Rev. 2 KDF ANS 9.42 (CVL) A6605, A6606, A6617, A6618, A6619 - SP 800-135 Rev. 1 KDF ANS 9.63 (CVL) A6605, A6606, A6617, A6618, A6619 - SP 800-135 Rev. 1 KDF SP800-108 A6599 - SP 800-108 Rev. 1 KDF SSH (CVL) A6605, A6617, A6618, A6619 - SP 800-135 Rev. 1 KTS-IFC A6605, A6617, A6618, A6619 - SP 800-56B Rev. 2 © 2025 Ctrl IQ, Inc., atsec information security.
Algorithm CAVP Cert Properties Reference PBKDF A6605, A6606, A6617, A6618, A6619 - SP 800-132 RSA KeyGen A6605, A6617, A6618, A6619 - FIPS 186-5 (FIPS186-5) RSA SigGen A6605, A6606, A6617, A6618, A6619 - FIPS 186-5 (FIPS186-5) RSA SigVer (FIPS186- A6605, A6617, A6618, A6619 - FIPS 186-4
Name Use and Function AES-GCM with external IV Authenticated encryption HMAC with < 112-bit keys Message authentication KBKDF with < 112-bit keys Key derivation KDA OneStep, HKDF with < 112-bit keys Key derivation KDA OneStep with SHAKE128, SHAKE256 Key derivation ANS X9.42 KDF, ANS X9.63 KDF with < 112-bit keys Key derivation ANS X9.42 KDF with SHAKE128, SHAKE256 Key derivation ANS X9.63 KDF with SHA-1, SHAKE128, SHAKE256 Key derivation SSH KDF with SHA-512/224, SHA-512/256, SHA-3, SHAKE128, Key derivation SHAKE256 TLS 1.2 KDF with SHA-1, SHA-224, SHA-512/224, SHA-512/256, Key derivation SHA-3 TLS 1.3 KDF with SHA-1, SHA-224, SHA-512, SHA-512/224, SHA- Key derivation 512/256, SHA-3 PBKDF2 with short password, short salt, insufficient iterations, < 112Password-based key bit output keys derivation RSA-PSS with invalid salt length Signature generation / verification RSA with no padding Signature generation / verification RSA and ECDSA with no hashing Signature generation / verification Table 7: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Message digest SHA Compute a SHA-1: (A6605, message digest A6617, A6618, A6619) SHA2-224: (A6605, A6617, A6618, A6619) SHA2-256: (A6605, A6617, A6618, A6619) SHA2-384: (A6605, A6617, A6618, A6619) SHA2-512: (A6605, A6617, A6618, A6619) SHA2-512/224: (A6605, A6617, A6618, A6619) SHA2-512/256: (A6605, A6617, A6618, A6619) SHA3-224: (A6606) SHA3-256: (A6606) © 2025 Ctrl IQ, Inc., atsec information security.
Name Type Description Properties Algorithms SHA3-384: (A6606) SHA3-512: (A6606) XOF XOF Compute an SHAKE-128: extendable output (A6606) message digest SHAKE-256: (A6606) Encryption BC-UnAuth Encrypt a plaintext AES-CBC: (A6603, A6607, A6608) AES-CBC-CS1: (A6603, A6607, A6608) AES-CBC-CS2: (A6603, A6607, A6608) AES-CBC-CS3: (A6603, A6607, A6608) AES-CFB1: (A6603, A6607, A6608) AES-CFB128: (A6603, A6607, A6608) AES-CFB8: (A6603, A6607, A6608) AES-CTR: (A6603, A6607, A6608) AES-ECB: (A6603, A6607, A6608) AES-OFB: (A6603, A6607, A6608) AES-XTS Testing Revision 2.0: (A6603, A6607, A6608) Decryption BC-UnAuth Decrypt a AES-CBC: ciphertext (A6603, A6607, A6608) AES-CBC-CS1: (A6603, A6607, A6608) AES-CBC-CS2: (A6603, A6607, A6608) AES-CBC-CS3: (A6603, A6607, A6608) © 2025 Ctrl IQ, Inc., atsec information security.
Name Type Description Properties Algorithms AES-CFB1: (A6603, A6607, A6608) AES-CFB128: (A6603, A6607, A6608) AES-CFB8: (A6603, A6607, A6608) AES-CTR: (A6603, A6607, A6608) AES-ECB: (A6603, A6607, A6608) AES-OFB: (A6603, A6607, A6608) AES-XTS Testing Revision 2.0: (A6603, A6607, A6608) Authenticated BC-Auth Encrypt and AES-CCM: encryption authenticate a (A6603, A6607, plaintext A6608) AES-GCM: (A6604, A6609, A6610, A6611, A6612, A6613, A6614, A6615, A6616) AES-KW: (A6603, A6607, A6608) AES-KWP: (A6603, A6607, A6608) Authenticated BC-Auth Decrypt and AES-CCM: decryption authenticate a (A6603, A6607, ciphertext A6608) AES-GCM: (A6604, A6609, A6610, A6611, A6612, A6613, A6614, A6615, A6616) AES-KW: (A6603, A6607, A6608) AES-KWP: (A6603, A6607, A6608) Message MAC Compute a MAC AES-CMAC: authentication tag (A6603, A6607, A6608) AES-GMAC: © 2025 Ctrl IQ, Inc., atsec information security.
Name Type Description Properties Algorithms (A6604, A6609, A6610, A6611, A6612, A6613, A6614, A6615, A6616) HMAC-SHA-1: (A6605, A6617, A6618, A6619) HMAC-SHA2-224: (A6605, A6617, A6618, A6619) HMAC-SHA2-256: (A6605, A6617, A6618, A6619) HMAC-SHA2-384: (A6605, A6617, A6618, A6619) HMAC-SHA2-512: (A6605, A6617, A6618, A6619) HMAC-SHA2512/224: (A6605, A6617, A6618, A6619) HMAC-SHA2512/256: (A6605, A6617, A6618, A6619) HMAC-SHA3-224: (A6606) HMAC-SHA3-256: (A6606) HMAC-SHA3-384: (A6606) HMAC-SHA3-512: (A6606) Key-based key KBKDF Derive keying KDF SP800-108: derivation material from a (A6599) key-derivation key Key-establishment KAS-56CKDF Derive keying KDA OneStep key derivation material from a SP800-56Cr2: shared secret (A6600) KDA TwoStep SP800-56Cr2: (A6600) KDA HKDF SP800-56Cr2: (A6601) Protocol key KAS-135KDF Derive keying TLS v1.3 KDF: derivation material from a (A6601) shared secret KDF ANS 9.42: (A6605, A6606, A6617, A6618, A6619) © 2025 Ctrl IQ, Inc., atsec information security.
Name Type Description Properties Algorithms KDF ANS 9.63: (A6605, A6606, A6617, A6618, A6619) KDF SSH: (A6605, A6617, A6618, A6619) TLS v1.2 KDF RFC7627: (A6605, A6617, A6618, A6619) Password-based PBKDF Derive keying PBKDF: (A6605, key derivation material from a A6606, A6617, password A6618, A6619) Random number DRBG Generate random Counter DRBG: generation bytes (A5957) Hash DRBG: (A5957) HMAC DRBG: (A5957) Shared secret KAS-SSC Compute a shared KAS-FFC-SSC computation secret Sp800-56Ar3: (A6602) KAS-ECC-SSC Sp800-56Ar3: (A6605, A6617, A6618, A6619) KAS-IFC-SSC: (A6605, A6617, A6618, A6619) Signature DigSig-SigGen Generate a digital ECDSA SigGen generation signature (FIPS186-5): (A6605, A6606, A6617, A6618, A6619) RSA SigGen (FIPS186-5): (A6605, A6606, A6617, A6618, A6619) EDDSA SigGen: (A6328) Signature DigSig-SigVer Verify a digital ECDSA SigVer verification signature (FIPS186-5): (A6605, A6606, A6617, A6618, A6619) RSA SigVer (FIPS186-2): (A6605, A6617, A6618, A6619) RSA SigVer (FIPS186-4): © 2025 Ctrl IQ, Inc., atsec information security.
Name Type Description Properties Algorithms (A6605, A6617, A6618, A6619) RSA SigVer (FIPS186-5): (A6605, A6606, A6617, A6618, A6619) EDDSA SigVer: (A6328) Asymmetric AsymKeyPair- Asymmetric KTS-IFC: (A6605, Encryption Encap encryption using A6617, A6618, RSA A6619) Asymmetric AsymKeyPair- Asymmetric KTS-IFC: (A6605, Decryption Decap decryption using A6617, A6618, RSA A6619) Key pair AsymKeyPair- Generate a key Safe Primes Key generation KeyGen pair Generation: CKG (A6602) ECDSA KeyGen (FIPS186-5): (A6605, A6617, A6618, A6619) RSA KeyGen (FIPS186-5): (A6605, A6617, A6618, A6619) EDDSA KeyGen: (A6328) Asymmetric Cryptographic Key Generation (CKG): () Key type: Asymmetric Key pair AsymKeyPair- Verify a key pair Safe Primes Key verification KeyVer Verification: (A6602) ECDSA KeyVer (FIPS186-5): (A6605, A6617, A6618, A6619) Table 8: Security Function Implementations
For TLS 1.2, the module offers the AES GCM implementation and uses the context of Scenario 1 of FIPS 140-3 IG C.H. The module is compliant with SP 800-52 Rev. 2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. © 2025 Ctrl IQ, Inc., atsec information security.
The module does not implement the TLS protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the Crypto Officer can use the module’s API to perform AES GCM encryption using internal IV generation. These IVs are always 96 bits and generated using the approved DRBG internal to the module’s boundary, compliant to Scenario 2 of FIPS 140-3 IG C.H. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. This service can be requested by invoking the EVP_EncryptInit_ex2 API function with a non-NULL IV value. When this is the case, the API will set a non-approved service indicator. Finally, for TLS 1.3, the AES GCM implementation uses the context of Scenario 5 of FIPS 140-3 IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the ciphersuites that explicitly select AES GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES GCM cipher suites from Section 3.3.1 of SP 800-52 Rev. 2. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2²⁰ AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133r2, Section 6.3. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements must be met:
To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the operator must use the module in the context of the TLS or SSH protocols. Additionally, the module’s approved key pair generation service (see Section 4.3) must be used to generate ephemeral Diffie-Hellman or EC Diffie-Hellman key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the full public key validation of the generated public key. The module’s shared secret computation service will internally perform the full public key validation of the peer public key, complying with Sections 5.6.2.2.1 and 5.6.2.2.2 of SP 800-56Ar3.
To comply with the assurances found in Section 6.4 of SP 800-56Br2, the operator must use the module in the context of the TLS or SSH protocols. Additionally, the module’s approved key pair generation service (see Section 4.3) must be used to generate RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validation of the generated public key. The operator must use the EVP_PKEY_public_check() API to perform partial public key validation of the peer public key, complying with Section 6.4.2.2 of SP 800-56Br2. The operator must also confirm the peer’s possession of private key by using any method specified in Section 6.4.2.3 of SP 800-56Br2.
For RSA key generation, signature generation, and signature verification, the approved modulus sizes of 2048, 3072, and 4096 bits are CAVP tested in compliance with FIPS 186-5. For KAS-IFC-SSC and KTSIFC, the approved modulus sizes of 2048, 3072, 4096, 6144, 8192 are CAVP tested in compliance with SP 800-56Br2. All other RSA modulus sizes listed in this document, and not mentioned above, cannot be tested by CAVP but are approved for RSA key generation, signature generation, and signature verification per FIPS 140-3 IG C.F, and KAS-IFC-SSC and KTS-IFC per SP 800-56Br2.
RSA signature verification using modulus sizes between 1024 and 2048 bits is allowed for legacy use only. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.
The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. © 2025 Ctrl IQ, Inc., atsec information security.
The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS.
Cert Vendor Number Name E208 Ctrl IQ, Inc. Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Rocky Linux Non- Rocky Linux 9 on 256 bits full SHA3-256 (A5837); OpenSSL 3 CPU Physical Intel Kaby Lake entropy SHA2-512-HMAC-DRBG Time Jitter RNG Xeon E3-1270 v6 (A5837); AES-256-CTREntropy Source DRBG (A5957) Table 10: Entropy Sources The module implements primary DRBG (AES-256-CTR-DRBG (A5957)) which acts as the conditioning component for the entropy source mentioned in the above table. It is only used internally by the module to seed the secondary DRBGs which can be of type (CTR, Hash, HMAC). The module complies with the Public Use Document for ESV certificate E208 by reading entropy data from the EVP_RAND_generate() function of the primary DRBG, which corresponds to the GetEntropy() conceptual interface. The operational environment on the ESV certificate is identical to the operating system described in this document. There are no maintenance requirements for the entropy source. As per the Public document of entropy certificate E208, the entropy source provides full entropy of 256 bits. When the module needs random data for internal purposes it uses two separate instances of AES-256 CTR_DRBG DRBG based on use case. i.e., it uses the “private DRBG” accessed via RAND_priv_bytes () for asymmetric key generation, signature generation, or other SSP use cases and it uses the “public DRBG” accessed via RAND_bytes() when it needs to generate IV or other non-SSP use cases. When an external caller needs the random data, it can access it via “Random Number Generation” service of the module and it has a choice to choose between Hash, HMAC or CTR DRBG listed in the algorithms table.
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2. The following methods are implemented:
The module implements shared secret computation methods, asymmetric encryption and decryption services using RSA with OAEP padding, as listed in the Security Function Implementations table in Section 2.6.
The module implements key derivation functions for usage in the SSH (RFC 4253), TLS 1.2 (RFC 5288), and TLS 1.3 (RFC 8446) protocols. AES-GCM with internal IV generation is offered in the approved mode compliant with TLS 1.2 and TLS 1.3. Finally, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS) for Diffie-Hellman. No parts of the SSH, TLS, or IKE protocols, other than those mentioned above, have been tested by the CAVP and CMVP. © 2025 Ctrl IQ, Inc., atsec information security.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters N/A Data Output API output parameters N/A Control Input API function calls N/A Status Output API return codes, error queue Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. © 2025 Ctrl IQ, Inc., atsec information security.
The module does not implement any authentication methods.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles No support is provided for multiple concurrent operators.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns Messag Compu EVP_DigestFinal_ex returns 1 Messa Digest Messag Crypto e digest te a ge value e digest Officer messa ge digest XOF Compu EVP_DigestFinalXOF returns 1 Messa Digest XOF Crypto te an ge, value Officer extend output able length output messa ge digest Encrypti Encrypt EVP_EncryptFinal_ex returns 1 AES Cipher Encrypti Crypto on a key, text on Officer plaintex plainte - AES t xt, IV key: (if W,E requir ed) Decrypti Decrypt EVP_DecryptFinal_ex returns 1 AES Plainte Decrypti Crypto on a key, xt on Officer ciphert cipher - AES ext text, key: IV (if W,E requir ed) Authenti Encrypt AES-GCM: AES Cipher Authenti Crypto cated and EVP_CIPHER_ROCKY_FIPS_INDICAT key, text, cated Officer encrypti authent OR_APPROVED; Others: plainte MAC encrypti - AES on icate a EVP_EncryptFinal_ex returns 1 xt, IV tag on key: W,E © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns plaintex - DRBG t internal state (V, Key): W,E Authenti Decrypt EVP_DecryptFinal_ex returns 1 AES Plainte Authenti Crypto cated and key, xt or cated Officer decrypti authent cipher failure decrypti - AES on icate a text, on key: ciphert IV, W,E ext MAC tag Messag Compu HMAC: AES MAC Messag Crypto e te a OSSL_MAC_PARAM_ROCKY_FIPS_IN key or tag e Officer authenti MAC DICATOR_APPROVED; Others: HMAC authenti - AES cation tag EVP_MAC_final returns 1 key, cation key: messa W,E ge HMAC key: W,E Key- Derive EVP_KDF_ROCKY_FIPS_INDICATOR_ Key- Derive Key- Crypto based keying APPROVED deriva d key based Officer key materia tion key - Keyderivatio l from a key, derivatio derivati n key- output n on key: derivati length W,E on key Derived key: G,R Key- Derive EVP_KDF_ROCKY_FIPS_INDICATOR_ Share Derive Key- Crypto establis keying APPROVED d d key establis Officer hment materia secret hment key l from a , key Shared derivatio shared output derivatio secret: n secret length n W,E Derived key: G,R Protocol Derive EVP_KDF_ROCKY_FIPS_INDICATOR_ Share Derive Protocol Crypto key keying APPROVED d d key key Officer derivatio materia secret derivatio n l from a , n Shared shared output secret: secret length W,E Derived © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns key: G,R Passwor Derive EVP_KDF_ROCKY_FIPS_INDICATOR_ Passw Derive Protocol Crypto d-based keying APPROVED ord, d key key Officer key materia salt, derivatio derivatio l from a iterati n Passwo n passwo on rd: W,E rd count, output Derived length key: G,R Random Genera EVP_RAND_generate returns 1 Outpu Rando Random Crypto number te t m number Officer generati random length bytes generati on bytes on Entropy input: G,E,Z - DRBG seed: G,E,Z - DRBG internal state (V, Key): G,W,E - DRBG internal state (V, C): G,W,E Shared Compu EVP_PKEY_ROCKY_FIPS_INDICATOR Owner Share Shared Crypto secret te a _APPROVED privat d secret Officer computa shared e key, secret computa - DRBG tion secret peer tion internal public state key (V, Key): W,E - DH private key: W,E - DH public key: W,E - EC private key: W,E © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns - EC public key: W,E - RSA private key: W,E - RSA public key: W,E Shared secret: G,R Signatur Genera OSSL_RL_FIPSINDICATOR_APPROVE Privat Signat Signatur Crypto e te a D and e key, ure e Officer generati digital EVP_PKEY_ROCKY_FIPS_INDICATOR hash generati - DRBG on signatu _APPROVED algorit on internal re hm, state messa (V, ge Key): W,E - EC private key: W,E EdDSA private key: W,E - RSA private key: W,E Signatur Verify a OSSL_RL_FIPSINDICATOR_APPROVE Public Pass/f Signatur Crypto e digital D and key, ail e Officer verificati signatu EVP_PKEY_ROCKY_FIPS_INDICATOR hash verificati - EC on re _APPROVED algorit on public hm, key: messa W,E ge, signat EdDSA ure public key: W,E - RSA public © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns key: W,E Asymme Perfor EVP_PKEY_ROCKY_FIPS_INDICATOR RSA Cipher Asymme Crypto tric m _APPROVED public text tric Officer Encrypti RSA- key, Encrypti - RSA on based plainte on public encrypt xt key: ion W,E (compli ant with SP 80056B Rev. 2)) Asymme Perfor EVP_PKEY_ROCKY_FIPS_INDICATOR RSA Plainte Asymme Crypto tric m _APPROVED privat xt tric Officer Decrypti RSA- e key, Decrypti - RSA on based cipher on private decrypt text key: ion W,E (compli ant with SP 80056B Rev. 2)) Key pair Genera EVP_PKEY_generate returns 1 Group Modul Key pair Crypto generati te a or e- generati Officer on key curve gener on - DRBG pair or ated internal modul key state us bits pair (V, Key): W,E Module generat ed DH private key: G,R Module generat ed DH public key: © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns G,R Module generat ed EC private key: G,R Module generat ed EC public key: G,R Module generat ed EdDSA private key: G,R Module generat ed EdDSA public key: G,R Module generat ed RSA private key: G,R Module generat ed RSA public key: G,R © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns Interme diate key generat ion value: G,E,Z Key pair Verify a EVP_PKEY_public_check or Key Pass/f Key pair Crypto verificati key EVP_PKEY_private_check or pair ail verificati Officer on pair EVP_PKEY_check returns 1 on - DH private key: W,E - DH public key: W,E - EC private key: W,E - EC public key: W,E Show Return None N/A Modul None Crypto version the e Officer module name name and and versio version n informa tion Show Return None N/A Modul None Crypto status the e Officer module status status Self-test Perfor None N/A Pass/f Messag Crypto m the ail e digest Officer CASTs Decrypti and on integrit Authenti y tests cated encrypti on Authenti cated decrypti on © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns Keybased key derivatio n Keyestablis hment key derivatio n Protocol key derivatio n Passwor d-based key derivatio n Random number generati on Shared secret computa tion Signatur e generati on Signatur e verificati on Zeroizati Zeroize None Any N/A None Crypto on SSPs SSP Officer - AES key: Z HMAC key: Z - Keyderivati on key: Z Shared secret: Z © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns Passwo rd: Z Derived key: Z Entropy input: Z - DRBG seed: Z - DRBG internal state (V, Key): Z - DRBG internal state (V, C): Z - DH private key: Z - DH public key: Z - EC private key: Z - EC public key: Z EdDSA private key: Z EdDSA public key: Z - RSA private key: Z - RSA public key: Z Module generat © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns ed DH private key: Z Module generat ed DH public key: Z Module generat ed EC private key: Z Module generat ed EC public key: Z Module generat ed EdDSA private key: Z Module generat ed EdDSA public key: Z Module generat ed RSA private key: Z Module generat © 2025 Ctrl IQ, Inc., atsec information security.
Name Descri Indicator Input Outpu Securit SSP ption s ts y Access Functio ns ed RSA public key: Z Interme diate key generat ion value: Z Table 13: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
Name Description Algorithms Role AES-GCM with Encrypt and authenticate a AES-GCM with external IV Crypto external IV plaintext using AES-GCM with Officer encryption an external IV © 2025 Ctrl IQ, Inc., atsec information security.
Name Description Algorithms Role Message Compute a MAC tag HMAC with < 112-bit keys Crypto authentication Officer Key-based key Derive keying material from a KBKDF with < 112-bit keys Crypto derivation key-derivation key Officer Key-establishment Derive keying material from a KDA OneStep, HKDF with < 112- Crypto key derivation shared secret bit keys Officer KDA OneStep with SHAKE128, SHAKE256 Protocol key Derive keying material from a ANS X9.42 KDF, ANS X9.63 KDF Crypto derivation shared secret with < 112-bit keys Officer ANS X9.42 KDF with SHAKE128, SHAKE256 ANS X9.63 KDF with SHA-1, SHAKE128, SHAKE256 SSH KDF with SHA-512/224, SHA-512/256, SHA-3, SHAKE128, SHAKE256 TLS 1.2 KDF with SHA-1, SHA224, SHA-512/224, SHA-512/256, SHA-3 TLS 1.3 KDF with SHA-1, SHA224, SHA-512, SHA-512/224, SHA-512/256, SHA-3 Password-based key Derive keying material from a PBKDF2 with short password, Crypto derivation password short salt, insufficient iterations, < Officer 112-bit output keys Signature generation Generate a digital signature RSA-PSS with invalid salt length Crypto RSA with no padding Officer RSA and ECDSA with no hashing Signature verification Verify a digital signature RSA-PSS with invalid salt length Crypto RSA with no padding Officer RSA and ECDSA with no hashing Table 14: Non-Approved Services
The module does not load external software or firmware. © 2025 Ctrl IQ, Inc., atsec information security.
The integrity of the module is verified by comparing a HMAC-SHA2-256 value calculated at run time with the HMAC-SHA2-256 value embedded in the fips.so file that was computed at build time. The module performs a KAT for the HMAC SHA-256 algorithm in order to test its proper operation before performing the checksum of the fips.so file.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module (i.e., rebooting the system), which will perform (among others) the software integrity tests. © 2025 Ctrl IQ, Inc., atsec information security.
Type of Operational Environment: Modifiable How Requirements are Satisfied: Any SSPs contained within the module are protected by the process isolation and memory separation mechanisms, and only the module has control over these SSPs. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a nonvalidated operational environment. © 2025 Ctrl IQ, Inc., atsec information security.
The module is comprised of software only and therefore this section is not applicable. © 2025 Ctrl IQ, Inc., atsec information security.
The module does not implement any non-invasive security mechanisms. © 2025 Ctrl IQ, Inc., atsec information security.
Storage Description Persistence Area Name Type Module Temporary storage for SSPs used by the module as part of service Dynamic RAM execution Table 15: Storage Areas The module does not perform persistent storage of SSPs; SSPs in use by the module exist in volatile memory only. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling Module RAM Plaintext Manual Electronic parameters application (TOEPP) API output Module RAM Operator calling Plaintext Manual Electronic parameters application (TOEPP) Table 16: SSP Input-Output Methods The module only supports SSP entry and output to and from the calling application running on the same operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. There is no entry or output of cryptographically protected SSPs.
Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by SSPs By calling the appropriate zeroization handle SSPs contained is overwritten with zeroes, functions: EVP_CIPHER_CTX_free, within the cipher which renders the SSP EVP_MAC_CTX_free, handle values irretrievable. The EVP_KDF_CTX_free, completion of the EVP_RAND_CTX_free, zeroization routine indicates EVP_PKEY_free that the zeroization procedure succeeded. Module De-allocates the Volatile memory used by By unloading and reloading the reset volatile memory the module is overwritten module used to store within nanoseconds when SSPs power is removed. The successful completion of the module reset indicates that zeroization has completed. © 2025 Ctrl IQ, Inc., atsec information security.
Zeroization Description Rationale Operator Initiation Method Automatic Automatically Memory occupied by SSPs N/A zeroized by the is overwritten with zeroes, module when no which renders the SSP longer needed values irretrievable. The successful completion of the running service indicates that zeroization was completed. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization.
Name Description Size - Type - Generated Establishe Used By Strength Category By d By AES key Symmetric 128, 256 bits Symmetric Encryption key used for (AES-XTS); key - CSP Decryption AES 128, 192, Authenticate operations 256 bits d encryption (others) - Authenticate 128, 256 bits d decryption (AES-XTS); Message 128, 192, authenticatio
(others) HMAC key Symmetric 112-524288 Authenticati Message key used for bits - 112- on key - authenticatio HMAC 256 bits CSP n operations Key- Symmetric 112-4096 bits Symmetric Key-based derivation key used to - 112-256 key - CSP key key derive bits derivation symmetric keys Shared Shared 112-8192 bits Shared Shared Keysecret secret - 112-256 secret - CSP secret establishme established bits computatio nt key using KAS- n derivation SSC Protocol key derivation Password Password 8-128 Password - Passwordused to characters - CSP based key derive N/A derivation symmetric keys Derived Symmetric 112-4096 bits Symmetric Key-based key key derived - 112-256 key - CSP key from a key- bits derivation derivation Keykey, shared establishme © 2025 Ctrl IQ, Inc., atsec information security.
Name Description Size - Type - Generated Establishe Used By Strength Category By d By secret, or nt key password derivation Protocol key derivation Passwordbased key derivation Entropy Entropy 128-384 bits Entropy Random Random input input used to - 128-384 input - CSP number number seed bits generation generation DRBGs DRBG DRBG seed CTR_DRBG: Seed - CSP Random Random seed derived from 256, 320, number number entropy input 384 bits; generation generation and Hash_DRBG: additional 440, 888 bits; data HMAC_DRB G: 440, 888 bits CTR_DRBG: 128, 192,
Hash_DRBG: 128, 256 bits; HMAC_DRB G: 128, 256 bits DRBG Internal state CTR_DRBG: Internal Random Random internal of 256, 320, state - CSP number number state (V, CTR_DRBG 384 bits; generation generation Key) and HMAC_DRB HMAC_DRB G: 320, 512, G 1024 bits CTR_DRBG: 128, 192,
HMAC_DRB G: 128, 256 bits DRBG Internal state Hash_DRBG: Internal Random Random internal of 880, 1776 state - CSP number number state (V, C) Hash_DRBG bits - generation generation Hash_DRBG: 128, 256 bits DH private Private key ffdhe2048, Private key - Shared key used for ffdhe3072, CSP secret Diffie- ffdhe4096, computation Hellman ffdhe6144, Key pair ffdhe8192, verification MODP-2048, MODP-3072, MODP-4096, © 2025 Ctrl IQ, Inc., atsec information security.
Name Description Size - Type - Generated Establishe Used By Strength Category By d By MODP-6144, MODP-8192 - 112-200 bits DH public Public key ffdhe2048, Public key - Shared key used for ffdhe3072, PSP secret Diffie- ffdhe4096, computation Hellman ffdhe6144, Key pair ffdhe8192, verification MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 - 112-200 bits EC private Private key P-224, P- Private key - Shared key used for EC 256, P-384, CSP secret Diffie- P-521 - 112, computation Hellman and 128, 192, Signature ECDSA 256 bits generation Key pair verification EC public Public key P-224, P- Public key - Shared key used for EC 256, P-384, PSP secret Diffie- P-521 - 112, computation Hellman and 128, 192, Signature ECDSA 256 bits verification Key pair verification EdDSA Private key Ed25519, Private key - Signature private key used for Ed448 - 128, CSP generation EdDSA 224 bits EdDSA Public key Ed25519, Public key - Signature public key used for Ed448 - 128, PSP verification EdDSA 224 bits RSA Private key 2048-16384 Private key - Shared private key used for bits - 112- CSP secret RSA 256 bits computation Signature generation Asymmetric Decryption RSA public Public key 1024, 1536, Public key - Shared key used for 2048-16384 PSP secret RSA bits - 80, 96, computation 112-256 bits Signature verification Asymmetric Encryption Module- DH private ffdhe2048, Private key - Key pair generated key ffdhe3072, CSP generation © 2025 Ctrl IQ, Inc., atsec information security.
Name Description Size - Type - Generated Establishe Used By Strength Category By d By DH private generated ffdhe4096, key by the ffdhe6144, module ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 - 112-200 bits Module- DH public ffdhe2048, Public key - Key pair generated key ffdhe3072, PSP generation DH public generated ffdhe4096, key by the ffdhe6144, module ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 - 112-200 bits Module- EC private P-224, P- Private key - Key pair generated key 256, P-384, CSP generation EC private generated P-521 - 112, key by the 128, 192, module 256 bits Module- EC public P-224, P- Public key - Key pair generated key 256, P-384, PSP generation EC public generated P-521 - 112, key by the 128, 192, module 256 bits Module- EdDSA Ed25519, Private key - Key pair generated private key Ed448 - 128, CSP generation EdDSA generated 224 bits private key by the module Module- EdDSA Ed25519, Public key - Key pair generated public key Ed448 - 128, PSP generation EdDSA generated 224 bits public key by the module Module- RSA private 2048-15360 Private key - Key pair generated key bits - 112- CSP generation RSA generated 256 bits private key by the module Module- RSA public 2048-15360 Public key - Key pair generated key bits - 112- PSP generation RSA public generated 256 bits key by the module © 2025 Ctrl IQ, Inc., atsec information security.
Name Description Size - Type - Generated Establishe Used By Strength Category By d By Intermediat Temporary 224-15360 Intermediate Key pair Key pair e key value bits - 112- value - CSP generation generation generation generated 256 bits value during key pair generation services Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input Module Until cipher Free cipher parameters RAM:Plaintext handle is handle freed or Module module is reset reset HMAC key API input Module Until cipher Free cipher parameters RAM:Plaintext handle is handle freed or Module module is reset reset Key-derivation API input Module Until cipher Free cipher Derived key:Derives key parameters RAM:Plaintext handle is handle freed or Module module is reset reset Shared secret API input Module Until cipher Free cipher DH private parameters RAM:Plaintext handle is handle key:Established By API output freed or Module DH public parameters module is reset key:Established By reset EC private key:Established By EC public key:Established By RSA private key:Established By RSA public key:Established By Derived key:Derives Password API input Module Until cipher Free cipher Derived key:Derives parameters RAM:Plaintext handle is handle freed or Module module is reset reset Derived key API output Module Until cipher Free cipher Key-derivation parameters RAM:Plaintext handle is handle key:Derived From freed or Module Shared module is reset secret:Derived From reset Password:Derived From © 2025 Ctrl IQ, Inc., atsec information security.
Name Input - Storage Storage Zeroization Related SSPs Output Duration Entropy input Module From Module DRBG seed:Derives RAM:Plaintext generation reset until DRBG Automatic seed is created DRBG seed Module While the Module Entropy RAM:Plaintext DRBG is reset input:Derived From being Automatic DRBG internal state instantiated (V, Key):Generates DRBG internal state (V, C):Generates DRBG internal Module Until cipher Free cipher DRBG state (V, Key) RAM:Plaintext handle is handle seed:Generated freed or Module From module is reset reset DRBG internal Module Until cipher Free cipher DRBG state (V, C) RAM:Plaintext handle is handle seed:Generated freed or Module From module is reset reset DH private key API input Module Until cipher Free cipher DH public key:Paired parameters RAM:Plaintext handle is handle With freed or Module Shared module is reset secret:Establishes reset DH public key API input Module Until cipher Free cipher DH private parameters RAM:Plaintext handle is handle key:Paired With freed or Module Shared module is reset secret:Establishes reset EC private key API input Module Until cipher Free cipher EC public key:Paired parameters RAM:Plaintext handle is handle With freed or Module Shared module is reset secret:Establishes reset EC public key API input Module Until cipher Free cipher EC private parameters RAM:Plaintext handle is handle key:Paired With freed or Module Shared module is reset secret:Establishes reset EdDSA private API input Module Until cipher Free cipher EdDSA public key parameters RAM:Plaintext handle is handle key:Paired With freed or Module module is reset reset EdDSA public API input Module Until cipher Free cipher EdDSA private key parameters RAM:Plaintext handle is handle key:Paired With freed or Module module is reset reset © 2025 Ctrl IQ, Inc., atsec information security.
Name Input - Storage Storage Zeroization Related SSPs Output Duration RSA private API input Module Until cipher Free cipher RSA public key parameters RAM:Plaintext handle is handle key:Paired With freed or Module Shared module is reset secret:Establishes reset RSA public API input Module Until cipher Free cipher RSA private key parameters RAM:Plaintext handle is handle key:Paired With freed or Module Shared module is reset secret:Establishes reset Module- API output Module Until cipher Free cipher Module-generated generated DH parameters RAM:Plaintext handle is handle DH public key:Paired private key freed or Module With module is reset Intermediate key reset generation value:Generated From Module- API output Module Until cipher Free cipher Module-generated generated DH parameters RAM:Plaintext handle is handle DH private public key freed or Module key:Paired With module is reset Intermediate key reset generation value:Generated From Module- API output Module Until cipher Free cipher Module-generated generated EC parameters RAM:Plaintext handle is handle EC public key:Paired private key freed or Module With module is reset Intermediate key reset generation value:Generated From Module- API output Module Until cipher Free cipher Module-generated generated EC parameters RAM:Plaintext handle is handle EC private public key freed or Module key:Paired With module is reset Intermediate key reset generation value:Generated From Module- API output Module Until cipher Free cipher Module-generated generated parameters RAM:Plaintext handle is handle EdDSA public EdDSA private freed or Module key:Paired With key module is reset Intermediate key reset generation value:Generated From Module- API output Module Until cipher Free cipher Module-generated generated parameters RAM:Plaintext handle is handle EdDSA private EdDSA public freed or Module key:Paired With key module is reset Intermediate key reset generation value:Generated From © 2025 Ctrl IQ, Inc., atsec information security.
Name Input - Storage Storage Zeroization Related SSPs Output Duration Module- API output Module Until cipher Free cipher Module-generated generated parameters RAM:Plaintext handle is handle RSA public RSA private freed or Module key:Paired With key module is reset Intermediate key reset generation value:Generated From Module- API output Module Until cipher Free cipher Module-generated generated parameters RAM:Plaintext handle is handle RSA private RSA public freed or Module key:Paired With key module is reset Intermediate key reset generation value:Generated From Intermediate Module For the Module Module-generated key generation RAM:Plaintext duration of the reset DH private value service Automatic key:Generates Module-generated DH public key:Generates Module-generated EC private key:Generates Module-generated EC public key:Generates Module-generated EdDSA private key:Generates Module-generated EdDSA public key:Generates Module-generated RSA private key:Generates Module-generated RSA public key:Generates Table 19: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Ctrl IQ, Inc., atsec information security.
While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. If any of the self-tests fails, the module immediately transitions to the error state.
Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- Key size: Message SW/FW Module becomes Integrity test of SHA2-256 256 bits authentication Integrity available and services the fips.so are available for use shared library Table 20: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM - Key size: 256 KAT CAST Module Encryption At power-on, Encryption bits becomes before the operational integrity test AES-GCM - Key size: 256 KAT CAST Module Decryption At power-on, Decryption bits becomes before the operational integrity test AES-ECB Key size: 128 KAT CAST Module Decryption At power-on, bits becomes before the operational integrity test SHA-1 24-bit message KAT CAST Module Message digest At power-on, becomes before the operational integrity test SHA2-512 24-bit message KAT CAST Module Message digest At power-on, becomes before the operational integrity test SHA3-256 32-bit message KAT CAST Module Message digest At power-on, becomes before the operational integrity test KBKDF HMAC-SHA2- KAT CAST Module Key derivation At power-on,
256 in counter becomes before the
mode operational integrity test KDA SHA2-224 KAT CAST Module Key derivation At power-on, OneStep becomes before the operational integrity test KDA HKDF SHA2-256 KAT CAST Module Key derivation At power-on, becomes before the operational integrity test © 2025 Ctrl IQ, Inc., atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type X9.42 KDF SHA-1 KAT CAST Module Key derivation At power-on, becomes before the operational integrity test X9.63 KDF SHA2-256 KAT CAST Module Key derivation At power-on, becomes before the operational integrity test SSH KDF SHA-1 KAT CAST Module Key derivation At power-on, becomes before the operational integrity test TLS 1.2 SHA2-256 KAT CAST Module Key derivation At power-on, KDF becomes before the operational integrity test TLS 1.3 SHA2-256 KAT CAST Module Key derivation At power-on, KDF becomes before the operational integrity test PBKDF2 SHA-256 with KAT CAST Module Key derivation At power-on,
4096 iterations, becomes before the
24-byte operational integrity test password, and 288-bit salt Counter AES-128 with KAT CAST Module Instantiate, seed, At power-on, DRBG prediction becomes generate, reseed, before the resistance, with operational generate integrity test derivation (compliant to SP function 800-90Ar1 Section 11.3) Hash DRBG SHA2-256 with KAT CAST Module Instantiate, seed, At power-on, prediction becomes generate, reseed, before the resistance operational generate integrity test (compliant to SP 800-90Ar1 Section 11.3) HMAC HMAC-SHA-1 KAT CAST Module Instantiate, seed, At power-on, DRBG with prediction becomes generate, reseed, before the resistance operational generate integrity test (compliant to SP 800-90Ar1 Section 11.3) KAS-FFC- ffdhe2048 KAT CAST Module Shared secret At power-on, SSC becomes computation before the operational integrity test KAS-ECC- P-256 KAT CAST Module Shared secret At power-on, SSC becomes computation before the operational integrity test ECDSA SHA-256 and KAT CAST Module Signature At power-on, SigGen P-224, P-256, becomes generation before the (FIPS186-5) P-384, P-521 operational integrity test ECDSA SHA-256 and KAT CAST Module Signature At power-on, SigVer P-224, P-256, becomes verification before the (FIPS186-5) P-384, P-521 operational integrity test © 2025 Ctrl IQ, Inc., atsec information security.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type EdDSA Ed25519, KAT CAST Module Signature At power-on, SigGen Ed448 becomes generation before the operational integrity test EdDSA Ed25519, KAT CAST Module Signature At power-on, SigVer Ed448 becomes verification before the operational integrity test RSA SHA-256 and KAT CAST Module Signature At power-on, PKCS#1 2048-bit key becomes generation before the v1.5 SigGen operational integrity test RSA SHA-256 and KAT CAST Module Signature At power-on, PKCS#1 2048-bit key becomes verification before the v1.5 SigVer operational integrity test DH N/A PCT PCT Key pair SP 800-56Ar3 Key pair generation is Section 5.6.2.1.4 generation successful ECDSA SHA2-256 PCT PCT Key pair Signature Key pair KeyGen generation is generation and generation (FIPS186-5) successful verification EdDSA N/A PCT PCT Key pair Signature Key pair KeyGen generation is generation and generation successful verification RSA SHA2-256 PCT PCT Key pair Signature Key pair PKCS#1 generation is generation and generation v1.5 successful verification KeyGen Table 21: Conditional Self-Tests
Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2-256 Message SW/FW Integrity On demand Manually authentication Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Method Test AES-GCM - KAT CAST On demand Manually Encryption AES-GCM - KAT CAST On demand Manually Decryption AES-ECB KAT CAST On demand Manually SHA-1 KAT CAST On demand Manually SHA2-512 KAT CAST On demand Manually SHA3-256 KAT CAST On demand Manually KBKDF KAT CAST On demand Manually KDA OneStep KAT CAST On demand Manually KDA HKDF KAT CAST On demand Manually X9.42 KDF KAT CAST On demand Manually © 2025 Ctrl IQ, Inc., atsec information security.
Algorithm or Test Method Test Type Period Periodic Method Test X9.63 KDF KAT CAST On demand Manually SSH KDF KAT CAST On demand Manually TLS 1.2 KDF KAT CAST On demand Manually TLS 1.3 KDF KAT CAST On demand Manually PBKDF2 KAT CAST On demand Manually Counter DRBG KAT CAST On demand Manually Hash DRBG KAT CAST On demand Manually HMAC DRBG KAT CAST On demand Manually KAS-FFC-SSC KAT CAST On demand Manually KAS-ECC-SSC KAT CAST On demand Manually ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) EdDSA SigGen KAT CAST On demand Manually EdDSA SigVer KAT CAST On demand Manually RSA PKCS#1 KAT CAST On demand Manually v1.5 SigGen RSA PKCS#1 KAT CAST On demand Manually v1.5 SigVer DH PCT PCT On demand Manually ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) EdDSA KeyGen PCT PCT On demand Manually RSA PKCS#1 PCT PCT On demand Manually v1.5 KeyGen Table 23: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Power- An error occurred Software Module Module will not load up error during the self- integrity test reinitialization (OSSL_PROV_PARAM_STATUS is tests executed on failure set to 0) power-up CAST failure PCT An error occurred PCT failure Module Module stops functioning (aborts) error during a PCT reinitialization Table 24: Error States In any error state, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).
The pre-operational self-tests and CASTs can be invoked on demand by unloading and subsequently reinitializing the module. The PCTs can be invoked on demand by requesting the key pair generation service. © 2025 Ctrl IQ, Inc., atsec information security.
Before the openssl-fips-provider-so-3.0.7-27.el9_2.ciqfips.0.2.7.x86_64 RPM package is installed, the Rocky Linux 9 system must operate in the FIPS validated configuration. This can be achieved by:
After installation of the openssl-fips-provider-so-3.0.7-27.el9_2.ciqfips.0.2.7.x86_64 RPM package, the Crypto Officer must execute the “openssl list -providers” command. The Crypto Officer must ensure that the FIPS provider is listed in the output as follows: fips name: Rocky Linux 9 - OpenSSL FIPS Provider version: Rocky9.20250210 status: active The cryptographic boundary consists only of the FIPS provider as listed. If any other OpenSSL or thirdparty provider is invoked, the user is not interacting with the module specified in this Security Policy.
There is no non-administrator guidance.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the openssl-fips-provider-so3.0.7-27.el9_2.ciqfips.0.2.7.x86_64 RPM package can be uninstalled from the Rocky Linux 9 system. © 2025 Ctrl IQ, Inc., atsec information security.
Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:
A Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-CS Cipher Block Chaining with Ciphertext Stealing CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CVL Component Validation List DH Diffie-Hellman DRBG Deterministic Random Bit Generator EC Elliptic Curve ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EdDSA Edwards Curve Digital Signature Algorithm ESV Entropy Source Validation EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Keyed-Hash Message Authentication Code IFC Integer Factorization Cryptography IG Implementation Guidance IKE Internet Key Exchange IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-based Key Derivation Function KDA Key Derivation Algorithm KDF Key Derivation Function KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PBKDF Password-Based Key Derivation Function PCT Pair-wise Consistency Test PKCS Public-Key Cryptography Standards PSP Public Security Parameter PSS Probabilistic Signature Scheme RSA Rivest Shamir Adleman © 2025 Ctrl IQ, Inc., atsec information security.
SHA Secure Hash Algorithm SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TOEPP Tested Operational Environment’s Physical Perimeter XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Ctrl IQ, Inc., atsec information security.
B References ANSI X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANSI X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-2 Digital Signature Standard (DSS) January 2000 https://doi.org/10.6028/NIST.FIPS.186-2 FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://doi.org/10.6028/NIST.FIPS.186-4 FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 197 Advanced Encryption Standard (AES) November 2001; Updated May 2023 https://doi.org/10.6028/NIST.FIPS.197-upd1 FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) July 2008 https://doi.org/10.6028/NIST.FIPS.198-1 FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable- Output Functions August 2015 https://doi.org/10.6028/NIST.FIPS.202 PKCS#1 PKCS #1: RSA Cryptography Specifications Version 2.2 November 2016 https://doi.org/10.17487/RFC8017 RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://doi.org/10.17487/RFC3526 RFC 4253 The Secure Shell (SSH) Transport Layer Protocol January 2006 https://doi.org/10.17487/RFC4253 RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://doi.org/10.17487/RFC5288 RFC 7627 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension September 2015 © 2025 Ctrl IQ, Inc., atsec information security.
https://doi.org/10.17487/RFC7627 RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://doi.org/10.17487/RFC7919 RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://doi.org/10.17487/RFC8446 SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques December 2001 https://doi.org/10.6028/NIST.SP.800-38A SP 800-38A-Add Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://doi.org/10.6028/NIST.SP.800-38A-Add SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication May 2005; Updated October 2016 https://doi.org/10.6028/NIST.SP.800-38B SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004; Updated July 2007 https://doi.org/10.6028/NIST.SP.800-38C SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://doi.org/10.6028/NIST.SP.800-38D SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices January 2010 https://doi.org/10.6028/NIST.SP.800-38E SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://doi.org/10.6028/NIST.SP.800-38F SP 800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://doi.org/10.6028/NIST.SP.800-52r2 SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP 800-56Br2 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography March 2019 https://doi.org/10.6028/NIST.SP.800-56Br2 SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 © 2025 Ctrl IQ, Inc., atsec information security.
https://doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-108r1 Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths Marcy 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://doi.org/10.6028/NIST.SP.800-132 SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://doi.org/10.6028/NIST.SP.800-135r1 SP 800-140Br1 Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 Ctrl IQ, Inc., atsec information security.