| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/25/2031 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Amazon Web Services, Inc |
flowchart LR
%% Deterministic review-risk graph for AWS-LC Cryptographic Module (dynamic)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery<br/>upgrade</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for AWS-LC Cryptographic Module (dynamic)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery<br/>upgrade</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Amazon Web Services, Inc AWS-LC Cryptographic Module (dynamic) Document version: 1.2 Last update: 2026-01-20 © 2026 Amazon Web Services, Inc., atsec information security.
Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2026 Amazon Web Services, Inc., atsec information security.
| # | Section | Page |
|---|
© 2026 Amazon Web Services, Inc., atsec information security.
| Item | Page |
|---|---|
| Table 1: Security Levels | 7 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 9 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 9 |
| Table 4: Modes List and Description | 9 |
| Table 5: Approved Algorithms | 12 |
| Table 6: Vendor-Affirmed Algorithms | 12 |
| Table 7: Non-Approved, Allowed Algorithms with No Security Claimed | 12 |
| Table 8: Non-Approved, Not Allowed Algorithms | 13 |
| Table 9: Security Function Implementations | 15 |
| Table 10: Ports and Interfaces | 20 |
| Table 11: Roles | 21 |
| Table 12: Approved Services | 26 |
| Table 13: Non-Approved Services | 27 |
| Table 14: Storage Areas | 32 |
| Table 15: SSP Input-Output Methods | 32 |
| Table 16: SSP Zeroization Methods | 33 |
| Table 17: SSP Table 1 | 35 |
| Table 18: SSP Table 2 | 36 |
| Table 19: Pre-Operational Self-Tests | 37 |
| Table 20: Conditional Self-Tests | 41 |
| Table 21: Pre-Operational Periodic Information | 42 |
| Table 22: Conditional Periodic Information | 44 |
| Table 23: Error States | 45 |
| Item | Page |
|---|---|
| Figure 1: Block Diagram | 8 |
This document is the non-proprietary FIPS 140-3 Security Policy for version AWS-LC FIPS 1.29.1 of the AWSLC Cryptographic Module (dynamic). It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module.
Section Title Security Level
Overall Level 1 Table 1: Security Levels
This Security Policy describes the features and design of the module named AWS-LC Cryptographic Module (dynamic) using the terminology contained in the FIPS 140-3 specification. The FIPS 140-3 Security Requirements for Cryptographic Module specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST/CCCS Cryptographic Module Validation Program (CMVP) validates cryptographic module to FIPS 140-3. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. including this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2026 Amazon Web Services, Inc., atsec information security.
Purpose and Use: The AWS-LC Cryptographic Module (dynamic) (hereafter referred to as “the module”) provides cryptographic services to applications running in the user space of the underlying operating system through a C language Application Program Interface (API). Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The block diagram in Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows). The cryptographic boundary is defined as the AWS-LC Cryptographic Module (dynamic) which is a cryptographic library consisting of the bcm.o file (version AWS-LC FIPS 1.29.1). This file is dynamically linked to the userspace application during the compilation process. Tested Operational Environment’s Physical Perimeter (TOEPP): The PAA provided by the processor is located within the module’s physical perimeter and outside of the module’s cryptographic boundary. Figure 1: Block Diagram
Tested Module Identification
Package or File Name Software/ Firmware Version Features Integrity Test bcm.o on NetOS 2024 on AWS-LC FIPS 1.29.1 N/A HMAC-SHA2-256 CS8274 on NXP Layerscape LX2080 bcm.o on NetOS 2024 v1.1 on AWS-LC FIPS 1.29.1 N/A HMAC-SHA2-256 AZ3324 on NXP Layerscape LX2080 bcm.o on NetOS 2024 on AWS-LC FIPS 1.29.1 N/A HMAC-SHA2-256 CS8320 on Annapurna K2X-N Table 2: Tested Module Identification
Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of the requested Mode approved service is requested. service as defined in section 4.3 Non-approved Automatically entered whenever a non- Non- Equivalent to the indicator of the requested Mode approved service is requested. Approved service as defined in section 4.3 Table 4: Modes List and Description Mode Change Instructions and Status: When the module starts up successfully, after passing a set of cryptographic algorithms self-tests (CASTs) and the pre-operational self-test, the module is operating in the approved mode of operation by default and can only be transitioned into the non-approved mode by calling one of the non-approved services listed in the NonApproved Services table. The module will transition back to approved mode when approved service is called. Section 4 provides details on the service indicator implemented by the module. The service indicator identifies when an approved service is called. © 2026 Amazon Web Services, Inc., atsec information security.
Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A5422, A5427, A5429, A5431 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A5422, A5427, A5429, A5431 Key Length - 128 SP 800-38C AES-CMAC A5422, A5427, A5429, A5431 Direction - Generation, Verification SP 800-38B Key Length - 128, 256 AES-CTR A5422, A5427, A5429, A5431 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5422, A5423, A5427, A5428, A5429, Direction - Decrypt, Encrypt SP 800-38A A5430, A5431, A5432, A5435 Key Length - 128, 192, 256 AES-GCM A5423, A5428, A5430, A5432, A5435 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal Key Length - 128, 256 IV Generation Mode - 8.2.1, 8.2.2 AES-GMAC A5423, A5428, A5430, A5432, A5435 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal Key Length - 128, 256 IV Generation Mode - 8.2.1, 8.2.2 AES-KW A5422, A5427, A5429, A5431 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5422, A5427, A5429, A5431 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-XTS Testing A5422, A5427, A5429, A5431 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 256 Counter DRBG A5422, A5427, A5429, A5431 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No ECDSA KeyGen A5425, A5426, A5433, A5434 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A5425, A5426, A5433, A5434 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A5425, A5426, A5433, A5434 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 Component - No ECDSA SigVer A5425, A5426, A5433, A5434 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1 ECDSA SigVer A5425, A5426, A5433, A5434 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 HMAC-SHA-1 A5425, A5426, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm CAVP Cert Properties Reference HMAC-SHA2-224 A5425, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-256 A5425, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-384 A5425, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2-512 A5425, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 Increment 8 HMAC-SHA2- A5425, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 512/224 Increment 8 HMAC-SHA2- A5425, A5433, A5434 Key Length - Key Length: 112-524288 FIPS 198-1 512/256 Increment 8 KAS-ECC-SSC A5425, A5426, A5433, A5434 Domain Parameter Generation Methods - P- SP 800-56A Sp800-56Ar3 224, P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KDA HKDF Sp800- A5425, A5426, A5433, A5434 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: Rev. 2 224-2048 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512 KDF SSH (CVL) A5425, A5426, A5433, A5434 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 KDF TLS (CVL) A5425, A5426, A5433, A5434 TLS Version - v1.0/1.1, v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, Rev. 1 SHA2-512 PBKDF A5425, A5426, A5433, A5434 Iteration Count - Iteration Count: 1000-10000 SP 800-132 Increment 1 Password Length - Password Length: 14-128 Increment 1 RSA KeyGen A5425, A5426, A5433, A5434 Key Generation Mode - probable FIPS 186-5 (FIPS186-5) Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard RSA SigGen A5425, A5426, A5433, A5434 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigVer A5425, A5426, A5433, A5434 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 RSA SigVer A5425, A5426, A5433, A5434 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss SHA-1 A5425, A5426, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-224 A5425, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm CAVP Cert Properties Reference SHA2-256 A5425, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-384 A5425, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512 A5425, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512/224 A5425, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512/256 A5425, A5433, A5434 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA3-224 A5424 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-256 A5424 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-384 A5424 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-512 A5424 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHAKE-128 A5424 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 SHAKE-256 A5424 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference Cryptographic Key Key Type:Asymmetric N/A SP 800-133Rev2 Generation (CKG) RSA (FIPS 186-5):2048, 3072, 4096 bits with 112, 128, section 4, example 1
EC (FIPS 186-5):P-224, P-256, P-384, P-521 elliptic curves with 112-256 bits of key strength Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed per IG 2.4.A Message Digest used in TLS 1.0/1.1 KDF only Table 7: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Use and Function Name AES with OFB or CFB1, CFB8 modes Encryption, Decryption (not CAVP tested) AES GCM, GMAC, XTS with keys not listed in Table 5 Encryption, Decryption AES using aes_*_generic function Encryption, Decryption (not CAVP tested) © 2026 Amazon Web Services, Inc., atsec information security.
Non-Approved, Not Allowed Algorithms: Use and Function Name AES GMAC using aes_*_generic Message Authentication Generation (not CAVP tested) Curve secp256k1 Signature Generation, Signature Verification, Shared Secret Computation Diffie Hellman Shared Secret Computation (not CAVP tested) HMAC-MD4, HMAC-MD5, HMAC-SHA-3, HMAC-RIPEMD-160 Message Authentication Generation (not CAVP tested) MD4 Message Digest MD5 (outside of TLS) Message Digest RSA using RSA_generate_key_ex Key Generation (not complaint with FIPS1865) ECDSA using EC_KEY_generate_key Key Generation (not complaint with FIPS1865) RSA using keys less than 2048 bits Signature Generation RSA using keys less than 1024 bits Signature Verification RSA without hashing Sign/Verify primitive operations RSA encryption primitive with PKCS#1 v1.5 and OAEP padding Encryption SHA-1, SHA-3 Signature Generation (not CAVP tested) RIPEMD-160 Message Digest TLS KDF using any SHA algorithms other than SHA2-256, SHA2-384, Key Derivation SHA2-512; or TLS KDF using non-extended master secret RSA Key Encapsulation/Un-encapsulation (not compliant with SP 800-56BRev2) Table 8: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Shared Secret KAS-SSC SP800-56Arev3. KAS- KAS-ECC-SSC Sp800Computation with EC ECC-SSC per IG D.F 56Ar3: (A5425, A5426, Diffie-Hellman Scenario 2 path (1). A5433, A5434) Authenticated BC-Auth SP800-38F. AES-KW: (A5422, Encryption/Decryption Authenticated A5427, A5429, A5431) with AES KW, AES- encryption, AES-KWP: (A5422, KWP Authenticated A5427, A5429, A5431) decryption Encryption/Decryption BC-UnAuth SP800-38A and SP 800- AES-CBC: (A5422, with AES 38E. Encryption and A5427, A5429, A5431) Decryption AES-CTR: (A5422, A5427, A5429, A5431) AES-ECB: (A5422, A5423, A5427, A5428, A5429, A5430, A5431, © 2026 Amazon Web Services, Inc., atsec information security.
Name Type Description Properties Algorithms A5432, A5435) AES-XTS Testing Revision 2.0: (A5422, A5427, A5429, A5431) Signature Generation DigSig-SigGen FIPS186-5. Digital RSA SigGen (FIPS186with RSA signature generation 5): (A5425, A5426, A5433, A5434) Signature Generation DigSig-SigGen FIPS186-5. Digital ECDSA SigGen with ECDSA signature generation (FIPS186-5): (A5425, A5426, A5433, A5434) Key Generation with AsymKeyPair-KeyGen FIPS186-5. Key RSA KeyGen (FIPS186RSA CKG generation 5): (A5425, A5426, A5433, A5434) Key Generation with AsymKeyPair-KeyGen FIPS186-5. Key ECDSA KeyGen ECDSA CKG generation (FIPS186-5): (A5425, A5426, A5433, A5434) Signature Verification DigSig-SigVer FIPS186-5. Digital ECDSA SigVer with ECDSA signature verification (FIPS186-5): (A5425, A5426, A5433, A5434) Signature Verification DigSig-SigVer FIPS186-5. Digital RSA SigVer (FIPS186with RSA signature verification 5): (A5425, A5426, A5433, A5434) Key Verification with AsymKeyPair-KeyVer FIPS186-5. Key ECDSA KeyVer ECDSA verification (FIPS186-5): (A5425, A5426, A5433, A5434) Key Derivation with KAS-135KDF SP800-135rev1. Key KDF TLS: (A5425, TLS KDF derivation A5426, A5433, A5434) Key Derivation with KAS-135KDF SP800-135rev1. Key KDF SSH: (A5425, SSH KDF derivation A5426, A5433, A5434) Key Derivation with KAS-56CKDF SP800-56Crev1. Key KDA HKDF Sp800KDA HKDF derivation 56Cr1: (A5425, A5426, A5433, A5434) Key Derivation with PBKDF SP800-132. Key PBKDF: (A5425, PBKDF derivation A5426, A5433, A5434) Message Digest with SHA FIPS180-4 and SHA-1: (A5425, A5426, SHA FIPS202. Message A5433, A5434) digest using SHA SHA2-224: (A5425, A5433, A5434) SHA2-256: (A5425, A5433, A5434) SHA2-384: (A5425, A5433, A5434) SHA2-512: (A5425, A5433, A5434) SHA2-512/224: (A5425, A5433, A5434) SHA2-512/256: (A5425, A5433, A5434) © 2026 Amazon Web Services, Inc., atsec information security.
Name Type Description Properties Algorithms SHA3-224: (A5424) SHA3-256: (A5424) SHA3-384: (A5424) SHA3-512: (A5424) Random Number DRBG SP800-90ARev1. Counter DRBG: Generation with DRBG Random number (A5422, A5427, A5429, generation A5431) Message MAC FIPS198-1. Message HMAC-SHA-1: (A5425, Authentication authentication A5426, A5433, A5434) Generation with generation HMAC-SHA2-224: HMAC (A5425, A5433, A5434) HMAC-SHA2-256: (A5425, A5433, A5434) HMAC-SHA2-384: (A5425, A5433, A5434) HMAC-SHA2-512: (A5425, A5433, A5434) HMAC-SHA2-512/256: (A5425, A5433, A5434) HMAC-SHA2-512/224: (A5425, A5433, A5434) Message MAC SP800-38B and SP800- AES-CMAC: (A5422, Authentication 38D Message A5427, A5429, A5431) Generation with AES authentication AES-GMAC: (A5423, generation A5428, A5430, A5432, A5435) Authenticated BC-Auth SP800-38C. AES-CCM: (A5422, Encryption/Decryption Authenticated A5427, A5429, A5431) with AES CCM encryption, Authenticated decryption Authenticated BC-Auth SP800-38D. AES-GCM: (A5423, Encryption/Decryption Authenticated A5428, A5430, A5432, with AES GCM encryption, A5435) Authenticated decryption Message Digest with XOF FIPS202. Message SHAKE-128: (A5424) SHAKE digest SHAKE-256: (A5424) Signature Verification DigSig-SigVer FIPS186-4. Legacy Publications:FIPS 140-3 RSA SigVer (FIPS186with RSA (legacy) digital signature IG C.M legacy 4): (A5425, A5426, verification algorithms A5433, A5434) Signature Verification DigSig-SigVer FIPS186-4. Legacy Publications:FIPS 140-3 ECDSA SigVer with ECDSA (legacy) digital signature IG C.M legacy (FIPS186-4): (A5425, verification algorithms A5426, A5433, A5434) Table 9: Security Function Implementations © 2026 Amazon Web Services, Inc., atsec information security.
The module offers three AES GCM implementations. The GCM IV generation for these implementations complies respectively with IG C.H under Scenario 1, Scenario 2, and Scenario 5. The GCM shall only be used in the context of the AES-GCM encryption executing under each scenario, and using the referenced APIs explained next. Scenario 1, TLS 1.2 For TLS 1.2, the module offers the GCM implementation via the functions EVP_aead_aes_128_gcm_tls12() and EVP_aead_aes_256_gcm_tls12(), and uses the context of Scenario 1 of IG C.H. The module is compliant with SP800-52rev2 and the mechanism for IV generation is compliant with RFC5288. The module supports acceptable AES-GCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 2^{64-1} for a given session key. If this exhaustion condition is observed, the module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Scenario 2, Random IV In this implementation, the module offers the interfaces EVP_aead_aes_128_gcm_randnonce() and EVP_aead_aes_256_gcm_randnonce() for compliance with Scenario 2 of IG C.H and SP800-38D Section 8.2.2. The module generates the IV and then performs AES GCM encryption without outputting the IV to the calling application. The 96-bit AES-GCM IV, is generated randomly internal to the module using module’s approved DRBG. Scenario 5, TLS 1.3 For TLS 1.3, the module offers the AES-GCM implementation via the functions EVP_aead_aes_128_gcm_tls13() and EVP_aead_aes_256_gcm_tls13(), and uses the context of Scenario 5 of IG C.H. The protocol that provides this compliance is TLS 1.3, defined in RFC8446 of August 2018, using the ciphersuites that explicitly select AES-GCM as the encryption/decryption cipher (Appendix B.4 of RFC8446). The module supports acceptable AES-GCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module implements, within its boundary, an IV generation unit for TLS 1.3 that keeps control of the 64-bit counter value within the AES-GCM IV. If the exhaustion condition is observed, the module will return an error indication to the calling application, who will then need to either trigger a re-key of the session (i.e., a new key for AES-GCM), or terminate the connection. In the event the module’s power is lost and restored, the consuming application must ensure that new AESGCM keys encryption or decryption under this scenario are established. TLS 1.3 provides session resumption, but the resumption procedure derives new AES-GCM encryption keys.
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, © 2026 Amazon Web Services, Inc., atsec information security.
such as the encryption of data in transit. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
The module offers ECDH shared secret computation services compliant to the SP 800-56ARev3 and meeting IG D.F scenario 2 path (1). To meet the required assurances listed in section 5.6 of SP 800-56ARev3, the module shall be used together with an application that implements the “TLS protocol” or “SSH protocol” and the following steps shall be performed.
RSA SigGen (FIPS 186-5) has been CAVP tested with all the supported RSA modulus lengths (i.e., 2048, 3072, 4096). This is documented in the Approved Algorithms table of the Security Policy. All modulus sizes for SigVer have also been CAVP tested. There is no RSA signature with keys for which CAVP testing is not available. The minimum number of the Miller-Rabin tests used in primality testing complies with Table B.1 in FIPS 186-5. The RSA SigVer (FIPS 186-4) and (FIPS 186-5) have been CAVP tested with the modulus sizes of © 2026 Amazon Web Services, Inc., atsec information security.
1024 (FIPS 186-4) and 2048, 3072, 4096 (FIPS 186-5). All modulus sizes in which testing is available have been
tested by the CAVP.
The cryptographic module implements the following cryptographic algorithms for legacy use. Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M:
The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS.
The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.
The module provides an SP800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) using CTR_DRBG mechanism with AES-256, with a derivation function, for generation of key components of asymmetric keys, and random number generation. The DRBG is seeded with 256-bit of entropy input provided from an external entity to the module. This corresponds to scenario 2 (b) of IG 9.3.A i.e., the DRBG that receives a LOAD command from external entropy source outside of module's cryptographic boundary. The calling application shall use an entropy source that meets the security strength required for the CTR_DRBG as shown in NIST SP 800-90Arev1, Table 3 and should return an error if minimum strength cannot be met. Per the IG 9.3.A requirement, the module includes the caveat "No assurance of the minimum strength of generated keys (e.g., keys)".
The key generation methods implemented by the module are specified in the Vendor-Affirmed Algorithms table. The key derivation methods implemented by the module are specified in the Security Function Implementations table. © 2026 Amazon Web Services, Inc., atsec information security.
The key establishment methods implemented by the module are specified in the Security Function Implementations table.
The module implements the SSH key derivation function for use in the SSH protocol (RFC 4253 and RFC 6668). GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC 5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. No parts of the SSH, TLS, other than those mentioned above, have been tested by the CAVP and CMVP. © 2026 Amazon Web Services, Inc., atsec information security.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters for data. N/A Data Output API output parameters for data. N/A Control Input API function calls. N/A Status Output API return codes, error message. Table 10: Ports and Interfaces The module does not implement the Control Output interface. © 2026 Amazon Web Services, Inc., atsec information security.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 11: Roles The module does not support concurrent operators.
Name Description Indicator Inputs Outputs Security Functions SSP Access Encryption Encryption Return value 1 from the function: AES key, Ciphertext Encryption/Decryp Crypto FIPS_service_indicator_check_app plaintext tion with AES Officer roved() - AES Key: W,E Decryption Decryption Return value 1 from the function: AES key, Plaintext Encryption/Decryp Crypto FIPS_service_indicator_check_app cipherte tion with AES Officer roved() xt - AES Key: W,E Authenticat Authenticated Return value 1 from the function: AES key, Ciphertext, Authenticated Crypto ed Encryption FIPS_ plaintext MAC tag Encryption/Decryp Officer Encryption service_indicator_check_approved( , IV tion with AES KW, - AES Key: ) AES-KWP W,E Authenticated Encryption/Decryp tion with AES CCM Authenticated Encryption/Decryp tion with AES GCM Authenticat Authenticated Return value 1 from the function: AES key, Plaintext Authenticated Crypto ed Decryption FIPS_ cipherte or fail Encryption/Decryp Officer Decryption service_indicator_check_approved( xt, IV, tion with AES KW, - AES Key: ) MAC tag AES-KWP W,E Authenticated Encryption/Decryp tion with AES CCM Authenticated Encryption/Decryp tion with AES GCM © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Functions SSP Access Message MAC Return value 1 from the function: AES key MAC tag Message Crypto Authenticati computation FIPS_ or Authentication Officer on service_indicator_check_approved( HMAC Generation with - HMAC Generation ) key, HMAC Key: W,E message Message - AES Key: Authentication W,E Generation with AES Message Generating Return value 1 from the function: Message Message Message Digest Crypto Digest message digest FIPS_ digest with SHA Officer service_indicator_check_approved( Message Digest ) with SHAKE Random Generating Return value 1 from the function: Output Random Random Number Crypto Number random numbers FIPS_ length bytes Generation with Officer Generation service_indicator_check_approved( DRBG - Entropy ) Input: W,E - DRBG Seed: G,W,E - DRBG Internal State (V, Key): G,W,E Key Generating a key Return value 1 from the function: Modulus RSA public Key Generation Crypto Generation pair FIPS_service_indicator_check_app size / key, RSA with RSA Officer roved() Curve private key Key Generation - RSA / EC public with ECDSA Public Key: key, EC G,R private key - RSA Private Key: G,R - EC Public Key: G,R - EC Private Key: G,R Intermediat e Key Generation Value: G,E,Z Key Verifying the Return value 1 from the function: Public Success/ Key Verification Crypto Verification public key FIPS_ key error with ECDSA Officer service_indicator_check_approved( - EC Public ) Key: W,E Signature Generating Return value 1 from the function: Message, Digital Signature Crypto Generation signature FIPS_ EC signature Generation with Officer private RSA - RSA © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Functions SSP Access service_indicator_check_approved( key or Signature Private ) RSA Generation with Key: W,E private ECDSA - EC key, Private hash Key: W,E algorith m Signature Verifying Return value 1 from the function: Signatur Digital Signature Crypto Verification signature FIPS_ e, EC signature Verification with Officer service_indicator_check_approved( public verification ECDSA - RSA ) key or result Signature Public Key: RSA Verification with W,E public RSA - EC Public key, Signature Key: W,E hash Verification with algorith RSA (legacy) m Signature Verification with ECDSA (legacy) Shared Calculating the Return value 1 from the function: EC Shared Shared Secret Crypto Secret Shared Secret FIPS_ public Secret Computation with Officer Computatio service_indicator_check_approved( key, EC EC Diffie-Hellman - EC Public n ) private Key: W,E key - EC Private Key: W,E - Shared Secret: G,R Key Deriving Keys Return value 1 from the function: TLS Pre- TLS Key Derivation Crypto Derivation FIPS_ Master Derived with TLS KDF Officer with TLS service_indicator_check_approved( Secret, Key - TLS PreKDF ) key (AES/HMA Master length C) Secret: W,E - TLS Master Secret: G,E,Z - TLS Derived Key (AES/HMA C): G,R Key Deriving Keys Return value 1 from the function: Passwor PBKDF Key Derivation Crypto Derivation FIPS_ d, salt, Derived with PBKDF Officer with PBKDF service_indicator_check_approved( iteration Key - PBKDF ) count, Derived key Key: G,R length - Password: W,E © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Functions SSP Access Key Deriving Keys Return value 1 from the function: Shared HKDF Key Derivation Crypto Derivation FIPS_ Secret, Derived with KDA HKDF Officer with KDA service_indicator_check_approved( Key Key - HKDF HKDF ) Length Derived Key: G,R - Shared Secret: W,E - TLS Master Secret: W,E,Z Zeroization Zeroize SSP in N/A SSP N/A None Crypto volatile memory Officer - AES Key: Z - HMAC Key: Z - Entropy Input: Z - DRBG Seed: Z - DRBG Internal State (V, Key): Z - RSA Public Key: Z - RSA Private Key: Z - EC Public Key: Z - EC Private Key: Z - Shared Secret: Z - TLS PreMaster Secret: Z - TLS Master Secret: Z - TLS Derived Key (AES/HMA C): Z - HKDF Derived Key: Z © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Functions SSP Access - SSH Derived Key: Z - PBKDF Derived Key: Z - Password: Z Intermediat e Key Generation Value: Z Key Deriving Keys Return value 1 from the function: Shared SSH Key Derivation Crypto Derivation FIPS_ Secret, Derived with SSH KDF Officer with SSH service_indicator_check_approved( Key Key - Shared KDF ) Length Secret: W,E - SSH Derived Key: G,R Show Status Show status of N/A N/A Module None Crypto the module state status Officer Show Show the version N/A N/A Module None Crypto Version of the module name and Officer using version awslc_version_st ring On-Demand Initiate N/A N/A Pass or fail Shared Secret Crypto Self-test cryptographic Computation with Officer algorithms self- EC Diffie-Hellman tests and Authenticated integrity test on- Encryption/Decryp demand. tion with AES KW, AES-KWP Encryption/Decryp tion with AES Signature Generation with RSA Signature Generation with ECDSA Key Generation with RSA Key Generation with ECDSA Signature Verification with ECDSA Signature Verification with © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Indicator Inputs Outputs Security Functions SSP Access RSA Key Verification with ECDSA Key Derivation with TLS KDF Key Derivation with SSH KDF Key Derivation with KDA HKDF Key Derivation with PBKDF Message Digest with SHA Random Number Generation with DRBG Message Authentication Generation with HMAC Message Authentication Generation with AES Authenticated Encryption/Decryp tion with AES CCM Authenticated Encryption/Decryp tion with AES GCM Message Digest with SHAKE Table 12: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
Name Description Algorithms Role Encryption Encryption AES with OFB or CFB1, CFB8 modes CO AES GCM, GMAC, XTS with keys not listed in Table 5 AES using aes_*_generic function AES GMAC using aes_*_generic RSA encryption primitive with PKCS#1 v1.5 and OAEP padding Decryption Decryption AES with OFB or CFB1, CFB8 modes CO AES GCM, GMAC, XTS with keys not listed in Table 5 AES using aes_*_generic function AES GMAC using aes_*_generic Message Authentication MAC computation AES using aes_*_generic function CO Generation HMAC-MD4, HMAC-MD5, HMAC-SHA-3, HMAC-RIPEMD-160 Message Digest Generating MD4 CO message digest MD5 (outside of TLS) RIPEMD-160 Signature Generation Generating RSA using keys less than 2048 bits CO signatures RSA without hashing SHA-1, SHA-3 Signature Verification Verifying RSA using keys less than 1024 bits CO signatures RSA without hashing Key Generation Generating key RSA using RSA_generate_key_ex CO pair ECDSA using EC_KEY_generate_key Shared Secret Calculating shared Curve secp256k1 CO Computation secret Diffie Hellman Key Derivation Deriving TLS keys TLS KDF using any SHA algorithms other than SHA2-256, SHA2-384, CO SHA2-512; or TLS KDF using non-extended master secret Key Encapsulation Encrypting a key RSA CO Key Un-encapsulation Decrypting a key RSA CO Table 13: Non-Approved Services
Not applicable. © 2026 Amazon Web Services, Inc., atsec information security.
The integrity of the module is verified by comparing a HMAC value calculated at run time on the bcm.o file, with the HMAC-SHA2-256 value stored within the module that was computed at build time. The HMAC key for the integrity verification is embedded in the module.
The module provides on-demand integrity test. The integrity test can be performed on demand by reloading the module. Additionally, the integrity test can be performed using the On-Demand Integrity Test service, which calls the BORINGSSL_integrity_test function. © 2026 Amazon Web Services, Inc., atsec information security.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module runs on a commercially available general-purpose operating system executing on the hardware specified in section
Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2026 Amazon Web Services, Inc., atsec information security.
The module is software only; therefore, this section is not applicable. © 2026 Amazon Web Services, Inc., atsec information security.
The module does not implement any non-invasive security mechanisms; therefore, this section is not applicable. © 2026 Amazon Web Services, Inc., atsec information security.
Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution. The module does not Dynamic perform persistent storage of SSPs Table 14: Storage Areas
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operator calling application Cryptographic module Plaintext Manual Electronic parameters (TOEPP) API output Cryptographic module Operator calling application Plaintext Manual Electronic parameters (TOEPP) Table 15: SSP Input-Output Methods The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment. The SSPs are provided to the module via API input parameters in the plaintext form and output via API output parameters in the plaintext form to and from the calling application running on the same operational environment.
Zeroization Description Rationale Operator Initiation Method Free Cipher Zeroizes the SSPs Memory occupied by SSPs is By calling the appropriate zeroization functions: Handle contained within overwritten with zeros, which OpenSSL_cleanse, EVP_CIPHER_CTX_cleanup, the cipher handle renders the SSP values irretrievable. EVP_AEAD_CTX_zero, HMAC_CTX_cleanup, The successful completion of the CTR_DRBG_clear, RSA_free, EC_KEY_free zeroization routine indicates that the zeroization procedure succeeded. Module Reset De-allocates the Volatile memory used by the module By unloading and reloading the module. volatile memory is overwritten within nanoseconds used to store SSPs when power is removed. The successful completion of the removal of power from the module indicates that zeroization has completed. Automatically Automatically Memory occupied by SSPs is N/A zeroized when no overwritten with zeros, which longer needed renders the SSP values irretrievable. The successful completion of the running service indicates that zeroization has completed. © 2026 Amazon Web Services, Inc., atsec information security.
Table 16: SSP Zeroization Methods All data output is inhibited during zeroization.
Name Description Size - Type - Generated Established By Used By Strength Category By AES Key AES key used for 128-256 bits - Symmetric key Authenticated encryption, 128-256 bits - CSP Encryption/Decryption decryption, and with AES KW, AEScomputing MAC KWP tags Encryption/Decryption with AES Message Authentication Generation with AES Authenticated Encryption/Decryption with AES CCM Authenticated Encryption/Decryption with AES GCM HMAC Key HMAC key for 112-524288 Authentication Message Authentication Message bits - 112-256 key - CSP Generation with HMAC Authentication bits Generation Entropy Input Entropy input used 256 bits - 256 Entropy - CSP Random Number to seed the DRBGs bits Generation with DRBG DRBG Seed DRBG seed derived 256 bits - 256 DRBG seed - Random Random Number from entropy input bits CSP Number Generation with DRBG as defined in SP Generation 800-90Ar1 with DRBG DRBG Internal state of V: 128 bits, Internal state - Random Random Number Internal State CTR_DRBG Key: 256 bits CSP Number Generation with DRBG (V, Key) - 256 bits Generation with DRBG RSA Public RSA public key 1024, 2048, Public key - Key Signature Verification Key used for RSA key 3072, 4096 PSP Generation with RSA generation, bits - 80-150 with RSA Signature Verification signature bits with RSA (legacy) verification RSA Private RSA private key 2048, 3072, Private key - Key Signature Generation Key used for RSA key 4096 bits - CSP Generation with RSA generation, 112-150 bits with RSA signature generation EC Public Key EC public key used P-224, P-256, Public key - Key Shared Secret for EC key P-384, P-521 PSP Generation Computation with EC generation, key - 112-256 bits with ECDSA Diffie-Hellman verification, Signature Verification © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Size - Type - Generated Established By Used By Strength Category By signature with ECDSA verification, shared Key Verification with secret computation ECDSA Signature Verification with ECDSA (legacy) EC Private EC private key used P-224, P-256, Private key - Key Shared Secret Key for EC key P-384, P-521 CSP Generation Computation with EC generation, key - 112-256 bits with ECDSA Diffie-Hellman verification, Signature Generation signature with ECDSA generation, shared secret computation Shared Secret Shared Secret P-224, P-256, Shared secret - Shared Secret Key Derivation with TLS generated by KAS- P-384, P-521 CSP Computation KDF ECC-SSC - 112-256 bits with EC Key Derivation with SSH Diffie- KDF Hellman Key Derivation with KDA HKDF TLS Pre- TLS Pre-Master P-224, P-256, TLS pre-master Key Derivation with TLS Master Secret secret used for P-384, P-521 secret - CSP KDF deriving the TLS - 112-256 bits Key Derivation with Master Secret KDA HKDF TLS Master TLS Master secret 384 bits - TLS master Key Key Derivation with TLS Secret used for deriving 112-256 bits secret - CSP Derivation KDF the TLS Derived with TLS Key Derivation with Key KDF KDA HKDF Key Derivation with KDA HKDF TLS Derived TLS Derived Key AES: 128-256 Symmetric key Key Key from TLS Master bits HMAC: - CSP Derivation (AES/HMAC) Secret 112 to 256 with TLS bits - AES: KDF 128-256 bits HMAC: 112 to 256 bits HKDF KDA HKDF 2048 bits - Symmetric key Key Derived Key derived key 112-256 bits - CSP Derivation with KDA HKDF SSH Derived SSH KDF derived 128 to 512 Symmetric key Key Key key bits - 112 to - CSP Derivation
KDF PBKDF PBKDF derived key 128 to 4096 Symmetric key Key Derived Key bits - N/A - CSP Derivation with PBKDF © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Size - Type - Generated Established By Used By Strength Category By Password Password for 14-128 Password - CSP Key Derivation with PBKDF characters - PBKDF N/A Intermediate Intermediate key 224-4096 bits Intermediate Key Key Generation with Key generation value - 112-256 bits value - CSP Generation RSA Generation with RSA Key Generation with Value Key ECDSA Generation with ECDSA Table 17: SSP Table 1 Name Input - Storage Storage Duration Zeroization Related SSPs Output AES Key API input RAM:Plaintext From service Free Cipher parameters invocation to service Handle completion Module Reset HMAC Key API input RAM:Plaintext From service Free Cipher parameters invocation to service Handle completion Module Reset Entropy Input API input RAM:Plaintext From service Module Reset DRBG Seed:Generation OF parameters invocation to service Automatically completion DRBG Seed RAM:Plaintext From service Module Reset Entropy Input:Derived From invocation to service Automatically DRBG Internal State (V, completion Key):Generation Of DRBG Internal RAM:Plaintext From service Free Cipher DRBG Seed:Derived From State (V, Key) invocation to service Handle completion Module Reset RSA Public Key API input RAM:Plaintext From service Free Cipher RSA Private Key:Paired With parameters invocation to service Handle Intermediate Key Generation API output completion Module Reset Value:Generated From parameters RSA Private Key API input RAM:Plaintext From service Free Cipher RSA Public Key:Paired With parameters invocation to service Handle Intermediate Key Generation API output completion Module Reset Value:Generated From parameters EC Public Key API input RAM:Plaintext From service Free Cipher EC Private Key:Paired With parameters invocation to service Handle Shared Secret:Generation Of API output completion Module Reset Intermediate Key Generation parameters Value:Generated From EC Private Key API input RAM:Plaintext From service Free Cipher EC Public Key:Paired With parameters invocation to service Handle Shared Secret:Generation Of API output completion Module Reset Intermediate Key Generation parameters Value:Generated From © 2026 Amazon Web Services, Inc., atsec information security.
Name Input - Storage Storage Duration Zeroization Related SSPs Output Shared Secret API input RAM:Plaintext From service Free Cipher EC Public Key:Derived From parameters invocation to service Handle EC Private Key:Derived From API output completion Module Reset parameters TLS Pre-Master API input RAM:Plaintext From service Free Cipher TLS Master Secret:Derivation Of Secret parameters invocation to service Handle completion Module Reset TLS Master Secret RAM:Plaintext From service Free Cipher TLS Pre-Master Secret:Derived invocation to service Handle From completion Module Reset TLS Derived Key (AES/HMAC):Derivation Of TLS Derived Key API output RAM:Plaintext From service Free Cipher TLS Master Secret:Derived From (AES/HMAC) parameters invocation to service Handle completion Module Reset HKDF Derived Key API output RAM:Plaintext From service Free Cipher Shared Secret:Derived From parameters invocation to service Handle completion Module Reset SSH Derived Key API output RAM:Plaintext From service Free Cipher Shared Secret:Derived From parameters invocation to service Handle completion Module Reset PBKDF Derived API output RAM:Plaintext From service Free Cipher Password:Derived From Key parameters invocation to service Handle completion Module Reset Password API input RAM:Plaintext From service Free Cipher PBKDF Derived Key:Derivation parameters invocation to service Handle Of completion Module Reset Intermediate Key RAM:Plaintext From service Module Reset RSA Public Key:Generation Of Generation Value invocation to service Automatically RSA Private Key:Generation Of completion EC Public Key:Generation Of EC Private Key:Generation Of Table 18: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Test Test Method Test Type Indicator Details Properties HMAC-SHA2-256 SHA2- Message SW/FW Module becomes Integrity test for (A5425) 256 Authentication Integrity operational bcm.o HMAC-SHA2-256 SHA2- Message SW/FW Module becomes Integrity test for (A5433) 256 Authentication Integrity operational bcm.o HMAC-SHA2-256 SHA2- Message SW/FW Module becomes Integrity test for (A5434) 256 Authentication Integrity operational bcm.o Table 19: Pre-Operational Self-Tests The module performs the pre-operational self-test automatically when the module is loaded into memory; the pre-operational self-test is the software integrity test that ensures that the module is not corrupted. While the module is executing the pre-operational self-test, services are not available, and input and output are inhibited. If the pre-operational self-test fails, the module transitions to the Error state. The software integrity test is performed after a set of conditional cryptographic algorithm self-tests (CASTs). The set of CASTs includes the self-test for HMAC-SHA2-256 algorithm used in the pre-operational self-test.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CBC 128, 192, 256 bit keys, KAT CAST Module Symmetric operation Power up (A5422) encrypt/decrypt becomes operational AES-CBC 128, 192, 256 bit keys, KAT CAST Module Symmetric operation Power up (A5427) encrypt/decrypt becomes operational AES-CBC 128, 192, 256 bit keys, KAT CAST Module Symmetric operation Power up (A5429) encrypt/decrypt becomes operational AES-CBC 128, 192, 256 bit keys, KAT CAST Module Symmetric operation Power up (A5431) encrypt/decrypt becomes operational AES-GCM 128, 192, 256 bit keys, 96-bit KAT CAST Module Symmetric operation Power up (A5423) (internal/external IV), becomes encrypt/decrypt operational AES-GCM 128, 192, 256 bit keys, 96-bit KAT CAST Module Symmetric operation Power up (A5428) (internal/external IV), becomes encrypt/decrypt operational AES-GCM 128, 192, 256 bit keys, 96-bit KAT CAST Module Symmetric operation Power up (A5430) (internal/external IV), becomes encrypt/decrypt operational © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM 128, 192, 256 bit keys, 96-bit KAT CAST Module Symmetric operation Power up (A5432) (internal/external IV), becomes encrypt/decrypt operational AES-GCM 128, 192, 256 bit keys, 96-bit KAT CAST Module Symmetric operation Power up (A5435) (internal/external IV), becomes encrypt/decrypt operational SHA-1 (A5425) SHA-1 KAT CAST Module Message digest Power up becomes operational SHA-1 (A5426) SHA-1 KAT CAST Module Message digest Power up becomes operational SHA-1 (A5433) SHA-1 KAT CAST Module Message digest Power up becomes operational SHA-1 (A5434) SHA-1 KAT CAST Module Message digest Power up becomes operational SHA2-256 SHA2-256 KAT CAST Module Message digest Power up (A5425) becomes operational SHA2-256 SHA2-256 KAT CAST Module Message digest Power up (A5433) becomes operational SHA2-256 SHA2-256 KAT CAST Module Message digest Power up (A5434) becomes operational SHA2-512 SHA2-512 KAT CAST Module Message digest Power up (A5425) becomes operational SHA2-512 SHA2-512 KAT CAST Module Message digest Power up (A5433) becomes operational SHA2-512 SHA2-512 KAT CAST Module Message digest Power up (A5434) becomes operational HMAC-SHA2- SHA2-256 KAT CAST Module Message Power up
256 (A5425) becomes authentication
operational HMAC-SHA2- SHA2-256 KAT CAST Module Message Power up
256 (A5433) becomes authentication
operational HMAC-SHA2- SHA2-256 KAT CAST Module Message Power up
256 (A5434) becomes authentication
operational © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Counter DRBG 256 bit keys, with PR KAT CAST Module Health test per Power up (A5422) becomes section 11.3 of SP operational 800-90Ar1 Counter DRBG 256 bit keys, with PR KAT CAST Module Health test per Power up (A5427) becomes section 11.3 of SP operational 800-90Ar1 Counter DRBG 256 bit keys, with PR KAT CAST Module Health test per Power up (A5429) becomes section 11.3 of SP operational 800-90Ar1 Counter DRBG 256 bit keys, with PR KAT CAST Module Health test per Power up (A5431) becomes section 11.3 of SP operational 800-90Ar1 ECDSA SigGen SHA2-256, P-256 curve KAT CAST Module Digital signature Signature Generation (FIPS186-5) becomes generation or Key Generation (A5425) operational service request ECDSA SigGen SHA2-256, P-256 curve KAT CAST Module Digital signature Signature Generation (FIPS186-5) becomes generation or Key Generation (A5426) operational service request ECDSA SigGen SHA2-256, P-256 curve KAT CAST Module Digital signature Signature Generation (FIPS186-5) becomes generation or Key Generation (A5433) operational service request ECDSA SigGen SHA2-256, P-256 curve KAT CAST Module Digital signature Signature Generation (FIPS186-5) becomes generation or Key Generation (A5434) operational service request ECDSA SigVer SHA2-256, P-256 curve KAT CAST Module Digital signature Signature verification (FIPS186-5) becomes verification or Key Generation (A5425) operational service request ECDSA SigVer SHA2-256, P-256 curve KAT CAST Module Digital signature Signature verification (FIPS186-5) becomes verification or Key Generation (A5426) operational service request ECDSA SigVer SHA2-256, P-256 curve KAT CAST Module Digital signature Signature verification (FIPS186-5) becomes verification or Key Generation (A5433) operational service request ECDSA SigVer SHA2-256, P-256 curve KAT CAST Module Digital signature Signature verification (FIPS186-5) becomes verification or Key Generation (A5434) operational service request RSA SigGen PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Generation (FIPS186-5) key and SHA2-256 becomes generation or Key Generation (A5425) operational service request RSA SigGen PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Generation (FIPS186-5) key and SHA2-256 becomes generation or Key Generation (A5426) operational service request RSA SigGen PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Generation (FIPS186-5) key and SHA2-256 becomes generation or Key Generation (A5433) operational service request © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type RSA SigGen PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Generation (FIPS186-5) key and SHA2-256 becomes generation or Key Generation (A5434) operational service request RSA SigVer PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Verification (FIPS186-5) key and SHA2-256 becomes verification or Key Generation (A5425) operational service request RSA SigVer PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Verification (FIPS186-5) key and SHA2-256 becomes verification or Key Generation (A5426) operational service request RSA SigVer PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Verification (FIPS186-5) key and SHA2-256 becomes verification or Key Generation (A5433) operational service request RSA SigVer PKCS#1 v1.5 with 2048 bit KAT CAST Module Digital signature Signature Verification (FIPS186-5) key and SHA2-256 becomes verification or Key Generation (A5434) operational service request KAS-ECC-SSC P-256 curve KAT CAST Module Shared secret Shared secret Sp800-56Ar3 becomes computation computation service (A5425) operational request KAS-ECC-SSC P-256 curve KAT CAST Module Shared secret Shared secret Sp800-56Ar3 becomes computation computation service (A5426) operational request KAS-ECC-SSC P-256 curve KAT CAST Module Shared secret Shared secret Sp800-56Ar3 becomes computation computation service (A5433) operational request KAS-ECC-SSC P-256 curve KAT CAST Module Shared secret Shared secret Sp800-56Ar3 becomes computation computation service (A5434) operational request KDF TLS SHA2-256 KAT CAST Module Key derivation Power up (A5425) becomes operational KDF TLS SHA2-256 KAT CAST Module Key derivation Power up (A5426) becomes operational KDF TLS SHA2-256 KAT CAST Module Key derivation Power up (A5433) becomes operational KDF TLS SHA2-256 KAT CAST Module Key derivation Power up (A5434) becomes operational KDA HKDF SHA2-256 KAT CAST Module Shared secret key Power up Sp800-56Cr1 becomes derivation (A5425) operational KDA HKDF SHA2-256 KAT CAST Module Shared secret key Power up Sp800-56Cr1 becomes derivation (A5426) operational © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type KDA HKDF SHA2-256 KAT CAST Module Shared secret key Power up Sp800-56Cr1 becomes derivation (A5433) operational KDA HKDF SHA2-256 KAT CAST Module Shared secret key Power up Sp800-56Cr1 becomes derivation (A5434) operational PBKDF (A5425) SHA2-256 KAT CAST Module Password-based key Power up becomes derivation operational PBKDF (A5426) SHA2-256 KAT CAST Module Password-based key Power up becomes derivation operational PBKDF (A5433) SHA2-256 KAT CAST Module Password-based key Power up becomes derivation operational PBKDF (A5434) SHA2-256 KAT CAST Module Password-based key Power up becomes derivation operational ECDSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5425) ECDSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5426) ECDSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5433) ECDSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5434) RSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5425) RSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5426) RSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5433) RSA KeyGen SHA2-256 PCT PCT Successful key Signature generation Key pair generation (FIPS186-5) pair generation & verification (A5434) SHA3-256 SHA3-256 KAT CAST Module Message digest Power up (A5424) becomes operational Table 20: Conditional Self-Tests © 2026 Amazon Web Services, Inc., atsec information security.
Data output through the data output interface is inhibited during the self-tests.
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5425) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5433) Authentication HMAC-SHA2-256 Message SW/FW Integrity On demand Manually (A5434) Authentication Table 21: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A5422) KAT CAST On Demand Manually AES-CBC (A5427) KAT CAST On Demand Manually AES-CBC (A5429) KAT CAST On Demand Manually AES-CBC (A5431) KAT CAST On Demand Manually AES-GCM (A5423) KAT CAST On Demand Manually AES-GCM (A5428) KAT CAST On Demand Manually AES-GCM (A5430) KAT CAST On Demand Manually AES-GCM (A5432) KAT CAST On Demand Manually AES-GCM (A5435) KAT CAST On Demand Manually SHA-1 (A5425) KAT CAST On Demand Manually SHA-1 (A5426) KAT CAST On Demand Manually SHA-1 (A5433) KAT CAST On Demand Manually SHA-1 (A5434) KAT CAST On Demand Manually SHA2-256 (A5425) KAT CAST On Demand Manually SHA2-256 (A5433) KAT CAST On Demand Manually SHA2-256 (A5434) KAT CAST On Demand Manually SHA2-512 (A5425) KAT CAST On Demand Manually SHA2-512 (A5433) KAT CAST On Demand Manually SHA2-512 (A5434) KAT CAST On Demand Manually HMAC-SHA2-256 KAT CAST On Demand Manually (A5425) HMAC-SHA2-256 KAT CAST On Demand Manually (A5433) HMAC-SHA2-256 KAT CAST On Demand Manually (A5434) Counter DRBG (A5422) KAT CAST On Demand Manually Counter DRBG (A5427) KAT CAST On Demand Manually Counter DRBG (A5429) KAT CAST On Demand Manually Counter DRBG (A5431) KAT CAST On Demand Manually © 2026 Amazon Web Services, Inc., atsec information security.
Algorithm or Test Test Method Test Type Period Periodic Method ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5425) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5426) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5433) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-5) (A5434) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5425) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5426) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5433) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-5) (A5434) RSA SigGen (FIPS186- KAT CAST On Demand Manually
Algorithm or Test Test Method Test Type Period Periodic Method KDA HKDF Sp800- KAT CAST On Demand Manually 56Cr1 (A5425) KDA HKDF Sp800- KAT CAST On Demand Manually 56Cr1 (A5426) KDA HKDF Sp800- KAT CAST On Demand Manually 56Cr1 (A5433) KDA HKDF Sp800- KAT CAST On Demand Manually 56Cr1 (A5434) PBKDF (A5425) KAT CAST On Demand Manually PBKDF (A5426) KAT CAST On Demand Manually PBKDF (A5433) KAT CAST On Demand Manually PBKDF (A5434) KAT CAST On Demand Manually ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5425) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5426) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5433) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-5) (A5434) RSA KeyGen (FIPS186- PCT PCT On Demand Manually
Name Description Conditions Recovery Indicator Method Error The library is Pre- Module Pre-operational test failure: an error message is output (i.e., "FIPS aborted with operational reset integrity test failed.") on the stderr and then the module is aborted. SIGABRT signal. test failure; Conditional test failure: an error message indicating which KAT failed Module is no longer CAST (e.g., "* KAT failed") is output on the stderr and then the module is operational the data failure aborted. output interface is inhibited PCT The library is PCT failure Module An error message is output in the error queue (e.g., Error aborted with reset EC_R_PUBLIC_KEY_VALIDATION_FAILED, SIGABRT signal. RSA_R_PUBLIC_KEY_VALIDATION_FAILED) and then the module Module is no longer © 2026 Amazon Web Services, Inc., atsec information security.
Name Description Conditions Recovery Indicator Method operational the data generates a new key, if the PCT still does not pass, eventually the output interface is module will be aborted after 5 tries. inhibited Table 23: Error States In the error states, the output interface is inhibited. If the module fails any of the self-tests, the module enters an error state. To recover from any error state, the module must be rebooted.
The software integrity tests and the CASTs for AES, SHA, SHA3, DRBG, TLS KDF, KDA HKDF, PBKDF2 can be invoked by unloading and subsequently re-initializing the module. The CASTs for ECDSA, KAS-ECC-SSC and RSA can be invoked by requesting the corresponding Key Generation, Shared Secret Computation or Digital Signature services. Additionally, all the CASTs can be invoked by calling the BORINGSSL_self_test function. The PCTs can be invoked on demand by requesting the Key Generation service. © 2026 Amazon Web Services, Inc., atsec information security.
The module bcm.o is embedded into the shared library libcrypto.so which can be obtained by building the source code at the following location [1]. The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during module build. [1] https://github.com/aws/aws-lc/archive/refs/heads/fips-NetOS-2024-06-11.zip The downloaded zip file can be verified by issuing the “sha256sum aws-lc-fips-NetOS-2024-06-11.zip” command. The expected SHA2-256 digest value is: 952c4a23cea54e2ada37dde18d4d95228736f1d2c303a056c9bb39de55c9cd89 After the zip file is extracted, the cmake flags listed below must be used to compile the module. The compilation must be executed separately for each platform. Due to four possible combinations of OS/processor, the module count is four (i.e., there are four separate binaries generated, one for each entry listed in the Tested Module Identification
The approved and non-approved modes of operation are specified in section 2.4. The approved services that include the administrative functions are specified in section 4.3. All the logical interfaces are specified in section 3.1. The procedures of installation, initialization, startup, that are specified in section 11.1, and the operational environment requirements, that are specified in section 6, must be followed.
The approved and non-approved modes of operation are specified in section 2.4. The approved and nonapproved cryptographic algorithms are specified in section 2.5. The approved security functions are specified in © 2026 Amazon Web Services, Inc., atsec information security.
section 2.6. The algorithm-specific information is specified in section 2.7. The approved services are specified in section 4.3, the non-approved services are specified in section 4.4. The logical interfaces available to users are specified in section 3.1. The user is responsible for following the procedures of installation, initialization, startup that are specified in section 11.1. The configuration settings and restrictions regarding the operational environment are specified in section 6.2.
When the module is at end of life, for the GitHub repo, the README will be modified to mark the library as deprecated. After a 6-month window, more restrictive branch permissions will be added such that only administrators can read from the FIPS branch. The module does not possess persistent storage of SSPs. The SSP value only exists in volatile memory and that value vanishes when the module is powered off. So as a first step for the secure sanitization, the module needs to be powered off. Then for actual deprecation, the module will be upgraded to newer version that is approved. This upgrade process will uninstall/remove the old/terminated module and provide a new replacement. © 2026 Amazon Web Services, Inc., atsec information security.
RSA timing attacks: RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack.
The module provides the mechanism to use the blinding for RSA. When the blinding is on, the module generates a random value to form a blinding factor in the RSA key before the RSA key is used in the RSA cryptographic operations. © 2026 Amazon Web Services, Inc., atsec information security.