© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 1 of 75
Red Hat, Inc.
Red Hat Enterprise Linux 8 Kernel Cryptographic API
FIPS 140-3 Non-Proprietary Security Policy
Document Version: 1.1
Last Modified: 22/10/2025
Prepared by:
atsec information security corporation
4516 Seton Center Parkway, Suite 250
Austin, TX 78759
www.atsec.com
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 2 of 75
Table of Contents
1 General................................................................................................................................... 5
1.1 Overview.......................................................................................................................... 5
1.1.1 How this Security Policy was prepared..................................................................... 5
1.2 Security Levels ................................................................................................................ 5
2 Cryptographic Module Specification ...................................................................................... 6
2.1 Description....................................................................................................................... 6
2.2 Tested and Vendor Affirmed Module Version and Identification..................................... 7
2.3 Excluded Components..................................................................................................... 8
2.4 Modes of Operation ......................................................................................................... 8
2.5 Algorithms ....................................................................................................................... 9
2.6 Security Function Implementations............................................................................... 16
2.7 Algorithm Specific Information ...................................................................................... 20
2.7.1 AES GCM IV ............................................................................................................. 20
2.7.2 AES XTS................................................................................................................... 20
2.7.3 RSA.......................................................................................................................... 21
2.7.4 SHA-3 ...................................................................................................................... 21
2.8 RBG and Entropy ........................................................................................................... 21
2.9 Key Generation.............................................................................................................. 21
2.10 Key Establishment....................................................................................................... 21
2.11 Industry Protocols........................................................................................................ 21
3 Cryptographic Module Interfaces......................................................................................... 23
3.1 Ports and Interfaces....................................................................................................... 23
4 Roles, Services, and Authentication .................................................................................... 24
4.1 Authentication Methods................................................................................................. 24
4.2 Roles .............................................................................................................................. 24
4.3 Approved Services......................................................................................................... 24
4.4 Non-Approved Services ................................................................................................. 28
4.5 External Software/Firmware Loaded ............................................................................. 29
5 Software/Firmware Security................................................................................................. 30
5.1 Integrity Techniques...................................................................................................... 30
5.2 Initiate on Demand........................................................................................................ 30
6 Operational Environment ..................................................................................................... 31
6.1 Operational Environment Type and Requirements....................................................... 31
6.2 Configuration Settings and Restrictions........................................................................ 31
6.3 Additional Information ................................................................................................... 31
7 Physical Security .................................................................................................................. 32
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 3 of 75
8 Non-Invasive Security .......................................................................................................... 33
9 Sensitive Security Parameters Management ....................................................................... 34
9.1 Storage Areas ................................................................................................................ 34
9.2 SSP Input-Output Methods ............................................................................................ 34
9.3 SSP Zeroization Methods............................................................................................... 34
9.4 SSPs ............................................................................................................................... 35
9.5 Transitions ..................................................................................................................... 37
10 Self-Tests............................................................................................................................ 39
10.1 Pre-Operational Self-Tests........................................................................................... 39
10.2 Conditional Self-Tests.................................................................................................. 39
10.3 Periodic Self-Test Information ..................................................................................... 62
10.4 Error States.................................................................................................................. 69
10.5 Operator Initiation of Self-Tests .................................................................................. 70
11 Life-Cycle Assurance .......................................................................................................... 71
11.1 Installation, Initialization, and Startup Procedures ..................................................... 71
11.2 Administrator Guidance............................................................................................... 71
11.3 Non-Administrator Guidance ....................................................................................... 71
11.4 End of Life.................................................................................................................... 71
12 Mitigation of Other Attacks ................................................................................................ 72
Appendix A. Glossary and Abbreviations ................................................................................ 73
Appendix B. References .......................................................................................................... 74
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 4 of 75
List of Tables
Table 1: Security Levels ............................................................................................................ 5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets). 8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid ............................... 8
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid................ 8
Table 5: Modes List and Description ......................................................................................... 9
Table 6: Approved Algorithms................................................................................................. 16
Table 7: Non-Approved, Not Allowed Algorithms.................................................................... 16
Table 8: Security Function Implementations .......................................................................... 20
Table 9: Entropy Certificates................................................................................................... 21
Table 10: Entropy Sources ...................................................................................................... 21
Table 11: Ports and Interfaces ................................................................................................ 23
Table 12: Roles........................................................................................................................ 24
Table 13: Approved Services .................................................................................................. 28
Table 14: Non-Approved Services........................................................................................... 29
Table 15: Storage Areas.......................................................................................................... 34
Table 16: SSP Input-Output Methods ...................................................................................... 34
Table 17: SSP Zeroization Methods......................................................................................... 35
Table 18: SSP Table 1.............................................................................................................. 36
Table 19: SSP Table 2.............................................................................................................. 37
Table 20: Pre-Operational Self-Tests....................................................................................... 39
Table 21: Conditional Self-Tests.............................................................................................. 62
Table 22: Pre-Operational Periodic Information...................................................................... 62
Table 23: Conditional Periodic Information............................................................................. 69
Table 24: Error States ............................................................................................................. 69
List of Figures
Figure 1: Block Diagram............................................................................................................ 7
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 5 of 75
1 General
1.1 Overview
This document is the non-proprietary FIPS 140-3 Security Policy for version kernel 4.18.0-
477.72.1.el8_8; libkcapi 1.2.0-3.el8_8 of the Red Hat Enterprise Linux 8 Kernel Cryptographic
API module. It contains the security rules under which the module must operate and
describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal
Information Processing Standards Publication 140-3) for an overall Security Level 1 module.
This Non-Proprietary Security Policy may be reproduced and distributed, but only whole and
intact and including this notice. Other documentation is proprietary to their authors.
1.1.1 How this Security Policy was prepared
In preparing the Security Policy document, the laboratory formatted the vendor-supplied
documentation for consolidation without altering the technical statements therein contained.
The further refining of the Security Policy document was conducted iteratively throughout
the conformance testing, wherein the Security Policy was submitted to the vendor, who
would then edit, modify, and add technical contents. The vendor would also supply
additional documentation, which the laboratory formatted into the existing Security Policy,
and resubmitted to the vendor for their final editing.
1.2 Security Levels
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1
Table 1: Security Levels
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 6 of 75
2 Cryptographic Module Specification
2.1 Description
Purpose and Use:
The Red Hat Enterprise Linux 8 Kernel Cryptographic API (hereafter referred to as “the
module”) provides a C language application program interface (API) for use by other (kernel
space and user space) processes that require cryptographic functionality. The module
operates on a general-purpose computer as part of the Linux kernel. Its cryptographic
functionality can be accessed using the Linux Kernel Crypto API.
Module Type: Software
Module Embodiment: MultiChipStand
Cryptographic Boundary:
The cryptographic boundary of the module is defined as the kernel binary and the kernel
crypto object files, the libkcapi library, and the sha512hmac binary, which is used to verify
the integrity of the software components. In addition, the cryptographic boundary contains
the .hmac files which store the expected integrity values for each of the software
components.
Tested Operational Environment’s Physical Perimeter (TOEPP):
The TOEPP of the module is defined as the general-purpose computer on which the module
is installed.
The PAA/PAI provided by the processor is located within the module’s physical perimeter and
outside of the module’s cryptographic boundary.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 7 of 75
Figure 1: Block Diagram
2.2 Tested and Vendor Affirmed Module Version and Identification
Tested Module Identification – Hardware:
N/A for this module.
Tested Module Identification – Software, Firmware, Hybrid (Executable Code
Sets):
Package or File Name Software/
Firmware
Version
Features Integrity
Test
/boot/vmlinuz-4.18.0-477.72.1.el8_8.x86_64;
*.ko and *.ko.xz files in
/usr/lib/modules/4.18.0-
477.72.1.el8_8.x86_64/kernel/crypto *.ko and
*.ko.xz files in /usr/lib/modules/4.18.0-
4.18.0-
477.72.1.el8_8;
1.2.0-3.el8_8
N/A HMAC-
SHA2-512;
RSA
signature
verification
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 8 of 75
Package or File Name Software/
Firmware
Version
Features Integrity
Test
477.72.1.el8_8.x86_64/kernel/arch/x86/crypto;
/usr/lib64/libkcapi.so.1.2.0,
/usr/bin/sha512hmac
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)
Tested Module Identification – Hybrid Disjoint Hardware:
N/A for this module.
Tested Operational Environments - Software, Firmware, Hybrid:
Operating
System
Hardware
Platform
Processors PAA/PAI Hypervisor
or Host OS
Version(s)
Red Hat
Enterprise
Linux 8
Dell
PowerEdge
R440
Intel Xeon
Silver 4216
Yes N/A 4.18.0-
477.72.1.el8_8;
1.2.0-3.el8_8
Red Hat
Enterprise
Linux 8
Dell
PowerEdge
R440
Intel Xeon
Silver 4216
No N/A 4.18.0-
477.72.1.el8_8;
1.2.0-3.el8_8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid
Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid:
Operating System Hardware
Platform
Red Hat Enterprise Linux 8 Intel Xeon E5
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid
CMVP makes no statement as to the correct operation of the module or the security
strengths of the generated keys when so ported if the specific operational environment is
not listed on the validation certificate.
2.3 Excluded Components
There are no components within the cryptographic boundary excluded from the FIPS 140-3
requirements.
2.4 Modes of Operation
Modes List and Description:
Mode
Name
Description Type Status Indicator
Approved
mode
Automatically
entered whenever
an approved
Approved For all approved algorithms except GCM:
respective approved service function
returns indicator 0; For GCM:
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 9 of 75
Mode
Name
Description Type Status Indicator
service is
requested
crypto_aead_get_flags(tfm) has the
CRYPTO_TFM_ FIPS_COMPLIANCE flag set
Non-
approved
mode
Automatically
entered whenever
a non-approved
service is
requested
Non-
Approved
No service indicator required for non-
approved services per IG 2.4.C
Table 5: Modes List and Description
After the module is powered on, it performs all the pre-operational self-tests and
cryptographic algorithm self-tests without operator intervention. Only after all the self-tests
are successful, the module automatically transitions to the approved mode.
Mode Change Instructions and Status:
The module automatically switches between the approved and non-approved modes
depending on the services requested by the operator. The status indicator of the mode of
operation is equivalent to the indicator of the service that was requested.
Degraded Mode Description:
The module does not implement a degraded mode of operation.
2.5 Algorithms
Approved Algorithms:
Algorithm CAVP
Cert
Properties Reference
AES-CBC A5720 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CBC A5726 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CBC A5729 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CBC-CS3 A5723 Direction - decrypt, encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CBC-CS3 A5733 Direction - decrypt, encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CCM A5720 Key Length - 128, 192, 256 SP 800-38C
AES-CCM A5729 Key Length - 128, 192, 256 SP 800-38C
AES-CFB128 A5722 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CFB128 A5732 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CMAC A5720 Direction - Generation, Verification
Key Length - 128, 192, 256
SP 800-38B
AES-CMAC A5729 Direction - Generation, Verification
Key Length - 128, 192, 256
SP 800-38B
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 10 of 75
Algorithm CAVP
Cert
Properties Reference
AES-CTR A5720 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CTR A5726 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CTR A5729 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5720 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5724 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5725 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5726 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5727 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5728 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5729 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5730 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-ECB A5731 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-GCM A5720 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5724 Direction - Encrypt
IV Generation - Internal
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5725 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5726 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5727 Direction - Encrypt
IV Generation - Internal
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5728 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5729 Direction - Decrypt, Encrypt
IV Generation - External
SP 800-38D
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 11 of 75
Algorithm CAVP
Cert
Properties Reference
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
AES-GCM A5730 Direction - Encrypt
IV Generation - Internal
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GCM A5731 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GMAC A5720 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-GMAC A5729 Direction - Decrypt, Encrypt
IV Generation - External
IV Generation Mode - 8.2.1
Key Length - 128, 192, 256
SP 800-38D
AES-XTS Testing
Revision 2.0
A5720 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38E
AES-XTS Testing
Revision 2.0
A5726 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38E
AES-XTS Testing
Revision 2.0
A5729 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38E
Counter DRBG A5720 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5724 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5725 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5726 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5727 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5728 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5729 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Counter DRBG A5730 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 12 of 75
Algorithm CAVP
Cert
Properties Reference
Counter DRBG A5731 Prediction Resistance - No, Yes
Mode - AES-128, AES-192, AES-256
Derivation Function Enabled - Yes
SP 800-90A
Rev. 1
Hash DRBG A5720 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5724 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5725 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5726 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5727 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5728 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5729 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5730 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5731 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5734 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5735 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
Hash DRBG A5736 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5720 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5724 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5725 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 13 of 75
Algorithm CAVP
Cert
Properties Reference
HMAC DRBG A5726 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5727 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5728 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5729 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5730 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5731 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5734 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5735 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC DRBG A5736 Prediction Resistance - No, Yes
Mode - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-90A
Rev. 1
HMAC-SHA-1 A5720 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA-1 A5734 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA-1 A5735 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA-1 A5736 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-224 A5720 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-224 A5734 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-224 A5735 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-224 A5736 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-256 A5720 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-256 A5734 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-256 A5735 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 14 of 75
Algorithm CAVP
Cert
Properties Reference
HMAC-SHA2-256 A5736 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-384 A5720 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-384 A5734 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-384 A5735 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-384 A5736 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-512 A5720 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-512 A5734 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-512 A5735 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA2-512 A5736 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA3-224 A5721 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA3-256 A5721 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA3-384 A5721 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
HMAC-SHA3-512 A5721 Key Length - Key Length: 112-
524288 Increment 8
FIPS 198-1
RSA SigVer (FIPS186-
5)
A5720 Signature Type - PKCS 1.5
Modulo - 3072
FIPS 186-5
RSA SigVer (FIPS186-
5)
A5734 Signature Type - PKCS 1.5
Modulo - 3072
FIPS 186-5
RSA SigVer (FIPS186-
5)
A5735 Signature Type - PKCS 1.5
Modulo - 3072
FIPS 186-5
RSA SigVer (FIPS186-
5)
A5736 Signature Type - PKCS 1.5
Modulo - 3072
FIPS 186-5
SHA-1 A5720 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA-1 A5734 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA-1 A5735 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA-1 A5736 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-224 A5720 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 15 of 75
Algorithm CAVP
Cert
Properties Reference
SHA2-224 A5734 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-224 A5735 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-224 A5736 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-256 A5720 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-256 A5734 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-256 A5735 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-256 A5736 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-384 A5720 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-384 A5734 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-384 A5735 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-384 A5736 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-512 A5720 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-512 A5734 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-512 A5735 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA2-512 A5736 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 180-4
SHA3-224 A5721 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 202
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 16 of 75
Algorithm CAVP
Cert
Properties Reference
SHA3-256 A5721 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 202
SHA3-384 A5721 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 202
SHA3-512 A5721 Message Length - Message Length:
0-65536 Increment 8
Large Message Sizes - 1, 2
FIPS 202
Table 6: Approved Algorithms
Vendor-Affirmed Algorithms:
N/A for this module.
Non-Approved, Allowed Algorithms:
N/A for this module.
Non-Approved, Allowed Algorithms with No Security Claimed:
N/A for this module.
Non-Approved, Not Allowed Algorithms:
Name Use and Function
AES-GCM with external
IV
Encryption with external IV (not compliant to FIPS 140-3 IG C.H)
KBKDF (libkcapi) Key derivation with implementation not tested by CAVP
HKDF (libkcapi) Key derivation with implementation not tested by CAVP
PBKDF2 (libkcapi) Password-based key derivation with implementation not tested
by CAVP
RSA Encryption primitive; Decryption primitive (not compliant to SP
800-56Br2)
RSA with PKCS#1 v1.5
padding
Signature generation (pre-hashed message); Signature
verification (pre-hashed message)
Table 7: Non-Approved, Not Allowed Algorithms
2.6 Security Function Implementations
Name Type Description Properties Algorithms
Encryption with
AES
BC-UnAuth Encrypt a
plaintext with
AES
Key size(s):128,
192, 256 bits
(XTS mode 128
and 256 bits
only)
AES-CBC:
(A5720, A5726,
A5729)
AES-CBC-CS3:
(A5723, A5733)
AES-CFB128:
(A5722, A5732)
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 17 of 75
Name Type Description Properties Algorithms
AES-CTR:
(A5720, A5726,
A5729)
AES-ECB:
(A5720, A5724,
A5725, A5726,
A5727, A5728,
A5729, A5730,
A5731)
AES-XTS
Testing Revision
2.0: (A5720,
A5726, A5729)
Decryption with
AES
BC-UnAuth Decrypt a
ciphertext with
AES
Key size(s):128,
192, 256 bits
(XTS mode 128
and 256 bits
only)
AES-CBC:
(A5720, A5726,
A5729)
AES-CBC-CS3:
(A5723, A5733)
AES-CFB128:
(A5722, A5732)
AES-CTR:
(A5720, A5726,
A5729)
AES-ECB:
(A5720, A5724,
A5725, A5726,
A5727, A5728,
A5729, A5730,
A5731)
AES-XTS
Testing Revision
2.0: (A5720,
A5726, A5729)
Hashing SHA Compute a
message digest
SHA-1:N/A
SHA2-224:N/A
SHA2-256:N/A
SHA2-384:N/A
SHA2-512:N/A
SHA3-224:N/A
SHA3-256:N/A
SHA3-384:N/A
SHA3-512:N/A
SHA-1: (A5720,
A5734, A5735,
A5736)
SHA2-224:
(A5720, A5734,
A5735, A5736)
SHA2-256:
(A5720, A5734,
A5735, A5736)
SHA2-384:
(A5720, A5734,
A5735, A5736)
SHA2-512:
(A5720, A5734,
A5735, A5736)
SHA3-224:
(A5721)
SHA3-256:
(A5721)
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 18 of 75
Name Type Description Properties Algorithms
SHA3-384:
(A5721)
SHA3-512:
(A5721)
Message
authentication
MAC Compute a MAC
tag for
authentication
HMAC key
size(s):112-
524288 bits
(112-256 bits)
AES key
size(s):128, 192,
256 bits
AES-CMAC:
(A5720, A5729)
AES-GMAC:
(A5720, A5729)
HMAC-SHA-1:
(A5720, A5734,
A5735, A5736)
HMAC-SHA2-
224: (A5720,
A5734, A5735,
A5736)
HMAC-SHA2-
256: (A5720,
A5734, A5735,
A5736)
HMAC-SHA2-
384: (A5720,
A5734, A5735,
A5736)
HMAC-SHA2-
512: (A5720,
A5734, A5735,
A5736)
HMAC-SHA3-
224: (A5721)
HMAC-SHA3-
256: (A5721)
HMAC-SHA3-
384: (A5721)
HMAC-SHA3-
512: (A5721)
Random
number
generation with
DRBGs
DRBG Generate
random
numbers from
DRBGs
Counter
DRBG:128, 192,
256 bits
HMAC
DRBG:128, 256
bits
Hash DRBG:128,
256 bits
Counter DRBG:
(A5720, A5724,
A5725, A5726,
A5727, A5728,
A5729, A5730,
A5731)
Hash DRBG:
(A5720, A5724,
A5725, A5726,
A5727, A5728,
A5729, A5730,
A5731, A5734,
A5735, A5736)
HMAC DRBG:
(A5720, A5724,
A5725, A5726,
A5727, A5728,
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 19 of 75
Name Type Description Properties Algorithms
A5729, A5730,
A5731, A5734,
A5735, A5736)
Signature
verification with
RSA
DigSig-SigVer Verify a
signature with
RSA
Padding:PKCS#1
v1.5
Hashes:SHA-256
Key size(s):3072
bits (128 bits)
RSA SigVer
(FIPS186-5):
(A5720, A5734,
A5735, A5736)
Authenticated
encryption with
AES
BC-Auth Encrypt and
authenticate a
plaintext with
AES
Key size(s):128,
192, 256 bits
AES-CCM:
(A5720, A5729)
AES-GCM:
(A5724, A5727,
A5730)
AES-CBC:
(A5720, A5726,
A5729)
AES-CTR:
(A5720, A5726,
A5729)
HMAC-SHA-1:
(A5720, A5734,
A5735, A5736)
HMAC-SHA2-
256: (A5720,
A5734, A5735,
A5736)
HMAC-SHA2-
384: (A5720,
A5734, A5735,
A5736)
HMAC-SHA2-
512: (A5720,
A5734, A5735,
A5736)
Authenticated
decryption with
AES
BC-Auth Decrypt and
authenticate a
ciphertext with
AES
Key size(s):128,
192, 256 bits
AES-CCM:
(A5720, A5729)
AES-GCM:
(A5720, A5725,
A5726, A5728,
A5729, A5731)
AES-CBC:
(A5720, A5726,
A5729)
AES-CTR:
(A5720, A5726,
A5729)
HMAC-SHA-1:
(A5720, A5734,
A5735, A5736)
HMAC-SHA2-
256: (A5720,
A5734, A5735,
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 20 of 75
Name Type Description Properties Algorithms
A5736)
HMAC-SHA2-
384: (A5720,
A5734, A5735,
A5736)
HMAC-SHA2-
512: (A5720,
A5734, A5735,
A5736)
Table 8: Security Function Implementations
2.7 Algorithm Specific Information
2.7.1 AES GCM IV
The Crypto Officer shall consider the following requirements and restrictions when using the
module.
For IPsec, the module offers the AES GCM implementation and uses the context of Scenario
1 of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs
generated using this mechanism may only be used in the context of AES GCM encryption
within the IPsec protocol.
The module does not implement IPsec. The module’s implementation of AES GCM is used
together with an application that runs outside the module’s cryptographic boundary. This
application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED
from which the AES GCM encryption keys are derived.
The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part
of the IV) does not exhaust the maximum number of possible values for a given session key.
In the event the module’s power is lost and restored, the consuming application must ensure
that a new key for use with the AES GCM key encryption or decryption under this scenario
shall be established.
The module also provides a non-approved AES GCM encryption service which accepts
arbitrary external IVs from the operator. This service can be requested by invoking the
crypto_aead_encrypt API function with an AES GCM handle. When this is the case, the API
will not set an approved service indicator, as described in Section 4.3.
2.7.2 AES XTS
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220
AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of
SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to
ensure that the two AES keys used in AES XTS mode are not identical.
The XTS mode shall only be used for the cryptographic protection of data on storage
devices. It shall not be used for other purposes, such as the encryption of data in transit.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 21 of 75
2.7.3 RSA
For RSA signature verification, the module supports modulus size 3072 bits. The supported
modulus size has been CAVP tested.
2.7.4 SHA-3
The module provides SHA-3 hash functions compliant with IG C.C. Every implementation of
each SHA-3 function was tested and validated on all the module’s operating environments.
SHAKE functions are not implemented. SHA-3 hash functions are also used as part of a
higher-level algorithm for HMAC.
2.8 RBG and Entropy
Cert
Number
Vendor
Name
E174 Red Hat, Inc.
Table 9: Entropy Certificates
Name Type Operational
Environment
Sample
Size
Entropy
per
Sample
Conditioning
Component
RHEL 8 Kernel
CPU Time Jitter
RNG Entropy
Source
Non-
Physical
Red Hat Enterprise
Linux 8 on Dell
PowerEdge R440
64 bits 57.30
bits
Linear-Feedback
Shift Register
(LFSR)
Table 10: Entropy Sources
The module implements three different Deterministic Random Bit Generator (DRBG)
implementations based on SP 800-90Ar1: CTR_DRBG, Hash_DRBG, and HMAC_DRBG. Each of
these DRBG implementations can be instantiated by the operator of the module. When
instantiated, these DRBGs can be used to generate random numbers for external usage.
Additionally, the module employs a specific HMAC-SHA2-512 DRBG implementation for
internal purposes (e.g. to generate initialization vectors). This DRBG is initially seeded with
384 output bits from the entropy source (343 bits of entropy) and reseeded with 256 output
bits from the entropy source (229 bits of entropy).
2.9 Key Generation
The module does not provide key generation.
2.10 Key Establishment
The module does not provide key establishment.
2.11 Industry Protocols
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 22 of 75
AES GCM with internal IV generation in the approved mode is compliant with RFC 4106 and
shall only be used in conjunction with the IPsec protocol. No parts of this protocol, other than
the AES GCM implementation, have been tested by the CAVP and CMVP.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 23 of 75
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
Physical
Port
Logical
Interface(s)
Data That Passes
N/A Data Input API data input parameters, AF_ALG type sockets
N/A Data Output API data output parameters, AF_ALG type sockets
N/A Control Input API function calls, API control input parameters, AF_ALG type
sockets, kernel command line
N/A Status
Output
API return values, AF_ALG type sockets, kernel logs
Table 11: Ports and Interfaces
The logical interfaces are the APIs through which the applications request services. These
logical interfaces are logically separated from each other by the API design, AF_ALG type
socket that allows the applications running in the user space to request cryptographic
services from the module.
The module does not support a control output interface.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 24 of 75
4 Roles, Services, and Authentication
4.1 Authentication Methods
N/A for this module.
The module does not implement authentication.
4.2 Roles
Name Type Operator Type Authentication
Methods
Crypto Officer Role CO None
Table 12: Roles
The module supports the Crypto Officer role only. This sole role is implicitly and always
assumed by the operator of the module. No support is provided for multiple concurrent
operators.
4.3 Approved Services
Name Descript
ion
Indicator Inputs Outputs Security
Function
s
SSP
Access
Message
digest
Compute
a
message
digest
crypto_shash_init
returns 0
Messag
e
Digest
value
Hashing Crypto
Officer
Encryptio
n
Encrypt a
plaintext
crypto_skcipher_se
tkey returns 0
AES
key,
plainte
xt
Ciphertext Encryptio
n with
AES
Crypto
Officer
- AES
key: W,E
Decryptio
n
Decrypt a
ciphertex
t
crypto_skcipher_se
tkey returns 0
AES
key,
ciphert
ext
Plaintext Decryptio
n with
AES
Crypto
Officer
- AES
key: W,E
Authentic
ated
encryptio
n
Encrypt
and
authentic
ate a
plaintext
For all except AES
GCM:
crypto_aead_setke
y returns 0; For
AES GCM:
crypto_aead_get_fl
ags(tfm) has the
CRYPTO_TFM_
FIPS_COMPLIANCE
flag set
AES
key,
plainte
xt
Ciphertext
, MAC tag
Authentic
ated
encryptio
n with
AES
Crypto
Officer
- AES
key: W,E
Authentic
ated
Encrypt
and
authentic
For all except AES
GCM:
crypto_aead_setke
AES
key,
ciphert
Plaintext
or failure
Authentic
ated
decryptio
Crypto
Officer
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 25 of 75
Name Descript
ion
Indicator Inputs Outputs Security
Function
s
SSP
Access
decryptio
n
ate a
ciphertex
t
y returns 0; For
AES GCM:
crypto_aead_get_fl
ags(tfm) has the
CRYPTO_TFM_
FIPS_COMPLIANCE
flag set
ext,
MAC
tag
n with
AES
- AES
key: W,E
Message
authentic
ation
generatio
n
Compute
a MAC
tag
crypto_shash_init
returns 0
AES:
AES
key,
messag
e;
HMAC:
HMAC
key,
messag
e
MAC tag Message
authentic
ation
Crypto
Officer
- AES
key: W,E
- HMAC
key: W,E
Message
authentic
ation
verificatio
n
Compute
a MAC
tag
crypto_shash_init
returns 0
AES:
AES
key,
messag
e, MAC
tag;
HMAC:
HMAC
key,
messag
e, MAC
tag
Success/Fa
ilure
Message
authentic
ation
Crypto
Officer
- AES
key: W,E
- HMAC
key: W,E
Random
number
generatio
n
Generate
random
bytes
crypto_rng_get_byt
es returns 0
Output
length
Random
bytes
Random
number
generatio
n with
DRBGs
Crypto
Officer
- Entropy
input:
W,E
-
CTR_DR
BG
Seed:
G,E
-
HMAC_D
RBG
Seed:
G,E
-
Hash_DR
BG
Seed:
G,E
-
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 26 of 75
Name Descript
ion
Indicator Inputs Outputs Security
Function
s
SSP
Access
CTR_DR
BG
Internal
State (V,
Key):
G,W,E
-
HMAC_D
RBG
Internal
State (V,
Key):
G,W,E
-
Hash_DR
BG
Internal
State (V,
C):
G,W,E
Error
detection
code
Compute
an EDC
(crc32,
crct10dif)
None Messag
e
EDC None Crypto
Officer
Compress
ion
Compres
s data
(deflate,
lz4,
lz4hc,
lzo,
zlibdeflat
e, zstd)
None Data Compress
ed data
None Crypto
Officer
Generic
system
call
Use the
kernel to
perform
various
non-
cryptogra
phic
operation
s
None Identifi
er,
various
argume
nts
Various
return
values
None Crypto
Officer
Show
version
Return
the
module
name
and
version
informati
on
None N/A Module
name and
version
None Crypto
Officer
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 27 of 75
Name Descript
ion
Indicator Inputs Outputs Security
Function
s
SSP
Access
Show
status
Return
the
module
status
None N/A Module
status
None Crypto
Officer
Self-test Perform
the
CASTs
and
integrity
tests
None N/A Pass/fail Encryptio
n with
AES
Decryptio
n with
AES
Hashing
Message
authentic
ation
Random
number
generatio
n with
DRBGs
Signature
verificatio
n with
RSA
Authentic
ated
encryptio
n with
AES
Authentic
ated
decryptio
n with
AES
Crypto
Officer
Zeroizatio
n
Zeroize
all SSPs
None Any
SSP
N/A None Crypto
Officer
- AES
key: Z
- HMAC
key: Z
- Entropy
input: Z
-
CTR_DR
BG
Internal
State (V,
Key): Z
-
HMAC_D
RBG
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 28 of 75
Name Descript
ion
Indicator Inputs Outputs Security
Function
s
SSP
Access
Internal
State (V,
Key): Z
-
Hash_DR
BG
Internal
State (V,
C): Z
-
CTR_DR
BG
Seed: Z
-
Hash_DR
BG
Seed: Z
-
HMAC_D
RBG
Seed: Z
Table 13: Approved Services
The table above lists the approved services. The following convention is used to specify
access rights to SSPs:
• Generate (G): The module generates or derives the SSP.
• Read (R): The SSP is read from the module (e.g. the SSP is output).
• Write (W): The SSP is updated, imported, or written to the module.
• Execute (E): The module uses the SSP in performing a cryptographic operation.
• Zeroize (Z): The module zeroizes the SSP.
4.4 Non-Approved Services
Name Description Algorithms Role
AES GCM external IV
encryption
Encrypt a plaintext using AES
GCM with an external IV
AES-GCM with
external IV
CO
Key derivation Derive a key from a key-
derivation key or a shared
secret
KBKDF (libkcapi)
HKDF (libkcapi)
CO
Password-based key
derivation
Derive a key from a password PBKDF2 (libkcapi) CO
RSA encryption primitive Compute the raw RSA
encryption of a plaintext
RSA CO
RSA decryption primitive Compute the raw RSA
decryption of a cipertext
RSA CO
RSA signature generation
(pre-hashed message)
Generate a digital signature for
a pre-hashed message
RSA with PKCS#1
v1.5 padding
CO
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 29 of 75
Name Description Algorithms Role
RSA signature verification
(pre-hashed message)
Verify a digital signature for a
pre-hashed message
RSA with PKCS#1
v1.5 padding
CO
Table 14: Non-Approved Services
4.5 External Software/Firmware Loaded
The module does not load external software or firmware.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 30 of 75
5 Software/Firmware Security
5.1 Integrity Techniques
The static kernel binary is integrity tested using an HMAC-SHA2-512 calculation performed
by the sha512hmac utility (which utilizes the module’s HMAC and SHA-512
implementations). An HMAC-SHA2-512 calculation is also performed on the sha512hmac
utility and the libkcapi library to verify their integrity.
The libkcapi checks the integrity of the binary of the sha512hmac utility first. The
sha512hmac utility is then used to perform an HMAC-SHA2-512 calculation of the kernel’s
binary to verify its integrity.
After the integrity of the kernel’s binary has been verified, the self-test for the RSA signature
verification implementation is run. Upon the successful run of this self-test, the RSA
signature verification implementation of the kernel (with PKCS#1 v1.5 padding, SHA-256,
and a 3072-bit key) is used to verify the integrity of the crypto object files listed in Section
2.2 and loaded at start-up.
5.2 Initiate on Demand
Integrity tests are performed as part of the pre-operational self-tests, which are executed
when the module is initialized. The integrity tests can be invoked on demand by unloading
and subsequently re-initializing the module, which will perform (among others) the software
integrity tests.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 31 of 75
6 Operational Environment
6.1 Operational Environment Type and Requirements
Type of Operational Environment: Modifiable
How Requirements are Satisfied:
The operating system provides process isolation and memory protection mechanisms that
ensure appropriate separation for memory access among the processes on the system. Each
process has control over its own data and uncontrolled access to the data of other processes
is prevented.
6.2 Configuration Settings and Restrictions
The module shall be installed as stated in Section 11.1.
Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing
mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be
used in the operational environments. The use of any of these tools implies that the
cryptographic module is running in a non-validated operational environment.
6.3 Additional Information
The Red Hat Enterprise Linux operating system is used as the basis of other products which
include but are not limited to:
• Red Hat Enterprise Linux CoreOS
• Red Hat Ansible Automation Platform
• Red Hat OpenStack Platform
• Red Hat OpenShift
• Red Hat Gluster Storage
• Red Hat Satellite
Compliance is maintained for these products whenever the binary is found unchanged.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 32 of 75
7 Physical Security
The module is comprised of software only and therefore this Section is not applicable.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 33 of 75
8 Non-Invasive Security
This module does not implement any non-invasive security mechanism and therefore this
Section is not applicable.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 34 of 75
9 Sensitive Security Parameters Management
9.1 Storage Areas
Storage
Area
Name
Description Persistence
Type
RAM Temporary storage for SSPs used by the module as part of
service execution
Dynamic
Table 15: Storage Areas
The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in
the RAM in plaintext form. SSPs are provided to the module by the calling process and are
destroyed when released by the appropriate zeroization function calls.
9.2 SSP Input-Output Methods
Name From To Format
Type
Distributio
n Type
Entry
Type
SFI or
Algorith
m
API input
parameters;
AF_ALG_typ
e sockets
(input)
Operator
calling
applicatio
n (TOEPP)
Cryptographi
c module
Plaintex
t
Manual Electroni
c
Table 16: SSP Input-Output Methods
9.3 SSP Zeroization Methods
Zeroization
Method
Description Rationale Operator Initiation
Free cipher
handle
Zeroizes the
SSPs
contained
within the
cipher handle
Memory occupied by
SSPs is overwritten with
zeroes, which renders
the SSP values
irretrievable. The
completion of the
zeroization routine
indicates that the
zeroization procedure
succeeded.
By calling the appropriate
zeroization functions: AES key:
crypto_free_skcipher and
crypto_free_aead; HMAC key:
crypto_free_shash and
crypto_free_ahash; DRBG
internal state: crypto_free_rng;
DRBG seed: crypto_free_rng;
Entropy input string:
crypto_free_rng
Remove
power from
the module
De-allocates
the volatile
memory used
to store SSPs
Volatile memory used
by the module is
overwritten within
nanoseconds when
power is removed.
Module power off
indicates that the
zeroization procedure
succeeded. The
By removing power
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 35 of 75
Zeroization
Method
Description Rationale Operator Initiation
successful removal of
power implicitly
indicates that the
zeroization is complete.
Table 17: SSP Zeroization Methods
All data output is inhibited during zeroization.
9.4 SSPs
Name Descripti
on
Size -
Strengt
h
Type -
Category
Generat
ed By
Establish
ed By
Used By
AES key AES key
used for
encryption
,
decryption
, and
computing
MAC tags.
128,
192,
256 bits
- 128,
192,
256 bits
Symmetric
Key - CSP
Encryption
with AES
Decryption
with AES
Authenticat
ed
encryption
with AES
Authenticat
ed
decryption
with AES
HMAC key HMAC key. 112-
524288
bits -
112-256
bits
Authenticati
on key - CSP
Message
authenticati
on
Entropy
input
Entropy
input used
to seed
the
DRBGs.
Compliant
with IG
D.L.
128-384
bits -
114-343
bits
Entropy
input - CSP
Random
number
generation
with DRBGs
CTR_DRBG
Seed
DRBG seed
derived
from
entropy
input.
Compliant
with IG
D.L.
256,
320,
384 bits
- 128,
192,
256 bits
Seed - CSP Random
number
generatio
n with
DRBGs
Random
number
generation
with DRBGs
Hash_DRB
G Seed
DRBG seed
derived
from
440,
888 bits
Seed - CSP Random
number
generatio
Random
number
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 36 of 75
Name Descripti
on
Size -
Strengt
h
Type -
Category
Generat
ed By
Establish
ed By
Used By
entropy
input.
Compliant
with IG
D.L.
- 128,
256 bits
n with
DRBGs
generation
with DRBGs
HMAC_DR
BG Seed
DRBG seed
derived
from
entropy
input.
Compliant
with IG
D.L.
440,
888 bits
- 128,
256 bits
Seed - CSP Random
number
generatio
n with
DRBGs
Random
number
generation
with DRBGs
HMAC_DR
BG
Internal
State (V,
Key)
Internal
state of
HMAC
DRBG
instance.
Compliant
with IG
D.L.
320,
512,
1024
bits -
128,
256 bits
Internal
state - CSP
Random
number
generatio
n with
DRBGs
Random
number
generation
with DRBGs
CTR_DRBG
Internal
State (V,
Key)
Internal
state of
Counter
DRBG
instance.
Compliant
with IG
D.L.
256,
320,
384 bits
- 128,
192,
256 bits
Internal
state - CSP
Random
number
generatio
n with
DRBGs
Random
number
generation
with DRBGs
Hash_DRB
G Internal
State (V,
C)
Internal
state of
Hash
DRBG
instance.
Compliant
with IG
D.L.
880,
1776
bits -
128,
256 bits
Internal
state - CSP
Random
number
generatio
n with
DRBGs
Random
number
generation
with DRBGs
Table 18: SSP Table 1
Name Input -
Output
Storage Storage
Duration
Zeroization Related
SSPs
AES key API input
parameters;
AF_ALG_type
sockets
(input)
RAM:Plaintext Until cipher
handle is
freed or
module
powered off
Free cipher
handle
Remove
power from
the module
HMAC key API input
parameters;
AF_ALG_type
RAM:Plaintext Until cipher
handle is
freed or
Free cipher
handle
Remove
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 37 of 75
Name Input -
Output
Storage Storage
Duration
Zeroization Related
SSPs
sockets
(input)
module
powered off
power from
the module
Entropy
input
RAM:Plaintext From
generation
until DRBG
seed/reseed
Free cipher
handle
Remove
power from
the module
CTR_DRBG
Seed:Derives
Hash_DRBG
Seed:Derives
HMAC_DRBG
Seed:Derives
CTR_DRBG
Seed
RAM:Plaintext While the
DRBG is
being
instantiated
Free cipher
handle
Remove
power from
the module
Entropy
input:Derived
From
CTR_DRBG
Internal State
(V,
Key):Derives
Hash_DRBG
Seed
RAM:Plaintext While the
DRBG is
being
instantiated
Free cipher
handle
Remove
power from
the module
Entropy
input:Derived
From
Hash_DRBG
Internal State
(V, C):Derives
HMAC_DRBG
Seed
RAM:Plaintext While the
DRBG is
being
instantiated
Free cipher
handle
Remove
power from
the module
Entropy
input:Derived
From
HMAC_DRBG
Internal State
(V,
Key):Derives
HMAC_DRBG
Internal
State (V,
Key)
RAM:Plaintext From DRBG
instantiation
until DRBG
is un-
instantiated
Free cipher
handle
Remove
power from
the module
HMAC_DRBG
Seed:Derived
From
CTR_DRBG
Internal
State (V,
Key)
RAM:Plaintext From DRBG
instantiation
until DRBG
is un-
instantiated
Free cipher
handle
Remove
power from
the module
CTR_DRBG
Seed:Derived
From
Hash_DRBG
Internal
State (V, C)
RAM:Plaintext From DRBG
instantiation
until DRBG
is un-
instantiated
Free cipher
handle
Remove
power from
the module
Hash_DRBG
Seed:Derived
From
Table 19: SSP Table 2
9.5 Transitions
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes,
starting January 1, 2031.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 38 of 75
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 39 of 75
10 Self-Tests
10.1 Pre-Operational Self-Tests
Algorithm
or Test
Test
Properties
Test Method Test
Type
Indicator Details
HMAC-
SHA2-512
(A5736)
128-bit key Message
Authentication
SW/FW
Integrity
Module
becomes
operational
and services
are available
for use.
Integrity test for
kernel binary,
libkcapi
components
and
sha512hmac
binary
RSA SigVer
(FIPS186-5)
(A5720)
3072-bit key
with SHA-
256
Signature
Verification
SW/FW
Integrity
Module
becomes
operational
and services
are available
for use.
Integrity test for
kernel object
files
Table 20: Pre-Operational Self-Tests
The pre-operational software integrity tests are performed automatically when the module is
powered on, before the module transitions into the operational state. The algorithms used
for the integrity test (i.e., HMAC-SHA2-512 and RSA SigVer with 3072 bit key) run their
CASTs before the integrity test is performed. While the module is executing the self-tests,
services are not available, and data output (via the data output interface) is inhibited until
the pre-operational software integrity self-tests are successfully completed. The module
transitions to the operational state only after the pre-operational self-tests are passed
successfully.
10.2 Conditional Self-Tests
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
SHA-1
(A5720)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA-1
(A5734)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 40 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
SHA-1
(A5735)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA-1
(A5736)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-224
(A5720)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-224
(A5734)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-224
(A5735)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-224
(A5736)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-256
(A5720)
0-8184 bit
messages
KAT CAST Module
becomes
operational
Message
digest
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 41 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
and
services
are
available
for use.
SHA2-256
(A5734)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-256
(A5735)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-256
(A5736)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-384
(A5720)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-384
(A5734)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-384
(A5735)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
Message
digest
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 42 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
available
for use.
SHA2-384
(A5736)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-512
(A5720)
0-8184 bit
message
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-512
(A5734)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-512
(A5735)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA2-512
(A5736)
0-8184 bit
messages
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA3-224
(A5721)
0-8184 bit
message
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 43 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
SHA3-256
(A5721)
0-8184 bit
message
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA3-384
(A5721)
0-8184 bit
message
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
SHA3-512
(A5721)
0-8184 bit
message
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
digest
Module
initialization
AES-ECB
(A5720) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5724) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5725) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5726) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
Encryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 44 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
and
services
are
available
for use.
AES-ECB
(A5727) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5728) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5730) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5731) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5729) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-CBC
(A5720) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
Encryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 45 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
available
for use.
AES-CBC
(A5726) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-CBC-
CS3
(A5733) -
Encrypt
128 bit keys KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-
CFB128
(A5732) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-CTR
(A5720) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-CTR
(A5729) -
Encrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-CCM
(A5729) -
Encrypt
128, 192,
256 bit
keys; 128-
bit IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 46 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
AES-GCM
(A5720) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5724) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5725) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5726) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5727) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5728) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5729) -
Encrypt
128, 192,
256 bit
KAT CAST Module
becomes
operational
Encryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 47 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
keys, 96-bit
IVs
and
services
are
available
for use.
AES-GCM
(A5730) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-GCM
(A5731) -
Encrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-XTS
Testing
Revision
2.0 (A5720)
- Encrypt
128 and 256
bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-XTS
Testing
Revision
2.0 (A5729)
- Encrypt
128 and 256
bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Encryption Module
initialization
AES-ECB
(A5720) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-ECB
(A5724) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
Decryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 48 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
available
for use.
AES-ECB
(A5725) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-ECB
(A5726) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-ECB
(A5727) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-ECB
(A5728) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-ECB
(A5730) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-ECB
(A5731) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 49 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
AES-ECB
(A5729) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-CBC
(A5720) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-CBC
(A5726) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-CBC-
CS3
(A5733) -
Decrypt
128 bit keys KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-
CFB128
(A5732) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-CTR
(A5720) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-CTR
(A5729) -
Decrypt
128, 192,
256 bit keys
KAT CAST Module
becomes
operational
Decryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 50 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
and
services
are
available
for use.
AES-CCM
(A5729) -
Decrypt
128, 192,
256 bit
keys; 128-
bit IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5720) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5724) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5725) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5726) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5727) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
Decryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 51 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
available
for use.
AES-GCM
(A5728) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5729) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5730) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-GCM
(A5731) -
Decrypt
128, 192,
256 bit
keys, 96-bit
IVs
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-XTS
Testing
Revision
2.0 (A5720)
- Decrypt
128 and 256
bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
AES-XTS
Testing
Revision
2.0 (A5729)
- Decrypt
128 and 256
bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Decryption Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 52 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
AES-CMAC
(A5729)
128 and 256
bit keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-SHA-
1 (A5720)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-SHA-
1 (A5734)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-SHA-
1 (A5735)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-SHA-
1 (A5736)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-224
(A5720)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-224
(A5734)
32-1048 bit
keys
KAT CAST Module
becomes
operational
Message
authentication
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 53 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
and
services
are
available
for use.
HMAC-
SHA2-224
(A5735)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-224
(A5736)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-256
(A5720)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-256
(A5734)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-256
(A5735)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-256
(A5736)
32-64 bit
keys
KAT CAST Module
becomes
operational
and
services
are
Message
authentication
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 54 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
available
for use.
HMAC-
SHA2-384
(A5720)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-384
(A5734)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-384
(A5735)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-384
(A5736)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA2-512
(A5720)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization.
Before
integrity
test.
HMAC-
SHA2-512
(A5734)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization.
Before
integrity
test.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 55 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
HMAC-
SHA2-512
(A5735)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization.
Before
integrity
test.
HMAC-
SHA2-512
(A5736)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization.
Before
integrity
test.
HMAC-
SHA3-224
(A5721)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA3-256
(A5721)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA3-384
(A5721)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
HMAC-
SHA3-512
(A5721)
32-1048 bit
keys
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Message
authentication
Module
initialization
Counter
DRBG
(A5720)
128, 192,
256 bit keys
With/without
KAT CAST Module
becomes
operational
instantiate,
reseed,
generate
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 56 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
PR; Health
test per
section 11.3
of SP 800-
90Arev1
and
services
are
available
for use.
Counter
DRBG
(A5724)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Counter
DRBG
(A5725)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Counter
DRBG
(A5726)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Counter
DRBG
(A5727)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Counter
DRBG
(A5728)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Counter
DRBG
(A5729)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
KAT CAST Module
becomes
operational
and
services
are
instantiate,
reseed,
generate
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 57 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
of SP 800-
90Arev1
available
for use.
Counter
DRBG
(A5730)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Counter
DRBG
(A5731)
128, 192,
256 bit keys
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5720)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5724)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5725)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5726)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 58 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
Hash DRBG
(A5727)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5728)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5729)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5730)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5731)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5734)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
Hash DRBG
(A5735)
SHA-256
With/without
PR; Health
KAT CAST Module
becomes
operational
instantiate,
reseed,
generate
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 59 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
test per
section 11.3
of SP 800-
90Arev1
and
services
are
available
for use.
Hash DRBG
(A5736)
SHA-256
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5720)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5724)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5725)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5726)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5727)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
KAT CAST Module
becomes
operational
and
services
are
instantiate,
reseed,
generate
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 60 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
of SP 800-
90Arev1
available
for use.
HMAC
DRBG
(A5728)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5729)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5730)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5731)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5734)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
HMAC
DRBG
(A5735)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 61 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
HMAC
DRBG
(A5736)
SHA-256,
SHA512
With/without
PR; Health
test per
section 11.3
of SP 800-
90Arev1
KAT CAST Module
becomes
operational
and
services
are
available
for use.
instantiate,
reseed,
generate
Module
initialization
RSA SigVer
(FIPS186-5)
(A5720)
4096-bit key
with SHA-
256
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Verify Module
initialization.
Before
integrity
test.
RSA SigVer
(FIPS186-5)
(A5734)
4096-bit key
with SHA-
256
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Verify Module
initialization.
Before
integrity
test.
RSA SigVer
(FIPS186-5)
(A5735)
4096-bit key
with SHA-
256
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Verify Module
initialization.
Before
integrity
test.
RSA SigVer
(FIPS186-5)
(A5736)
4096-bit key
with SHA-
256
KAT CAST Module
becomes
operational
and
services
are
available
for use.
Verify Module
initialization.
Before
integrity
test.
Entropy
Source RCT
initialization
1024
samples
RCT CAST Module
becomes
operational
and
services
are
available
for use.
Entropy
source start-
up test
Entropy
source
initialization
Entropy
Source APT
initialization
1024
samples
APT CAST Module
becomes
operational
Entropy
source start-
up test
Entropy
source
initialization
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 62 of 75
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details Conditions
and
services
are
available
for use.
Entropy
Source
continuous
RCT
Cutoff C =
61
RCT CAST Entropy
source is
operational
Entropy
source
continuous
test
Continuously
Entropy
Source
continuous
APT
Cutoff C =
355
APT CAST Entropy
source is
operational
Entropy
source
continuous
test
Continuously
Table 21: Conditional Self-Tests
The module performs self-tests on all approved cryptographic algorithms as part of the
approved services supported in the approved mode of operation, using the tests shown in
the table above. Services are not available, and data output (via the data output interface) is
inhibited during the conditional self-tests. If any of these tests fails, the module transitions
to the Error State.
10.3 Periodic Self-Test Information
Algorithm or
Test
Test Method Test Type Period Periodic
Method
HMAC-SHA2-
512 (A5736)
Message
Authentication
SW/FW Integrity On demand Manually
RSA SigVer
(FIPS186-5)
(A5720)
Signature
Verification
SW/FW Integrity On demand Manually
Table 22: Pre-Operational Periodic Information
Algorithm or
Test
Test Method Test Type Period Periodic
Method
SHA-1 (A5720) KAT CAST On demand Manually
SHA-1 (A5734) KAT CAST On demand Manually
SHA-1 (A5735) KAT CAST On demand Manually
SHA-1 (A5736) KAT CAST On demand Manually
SHA2-224
(A5720)
KAT CAST On demand Manually
SHA2-224
(A5734)
KAT CAST On demand Manually
SHA2-224
(A5735)
KAT CAST On demand Manually
SHA2-224
(A5736)
KAT CAST On demand Manually
SHA2-256
(A5720)
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 63 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
SHA2-256
(A5734)
KAT CAST On demand Manually
SHA2-256
(A5735)
KAT CAST On demand Manually
SHA2-256
(A5736)
KAT CAST On demand Manually
SHA2-384
(A5720)
KAT CAST On demand Manually
SHA2-384
(A5734)
KAT CAST On demand Manually
SHA2-384
(A5735)
KAT CAST On demand Manually
SHA2-384
(A5736)
KAT CAST On demand Manually
SHA2-512
(A5720)
KAT CAST On demand Manually
SHA2-512
(A5734)
KAT CAST On demand Manually
SHA2-512
(A5735)
KAT CAST On demand Manually
SHA2-512
(A5736)
KAT CAST On demand Manually
SHA3-224
(A5721)
KAT CAST On demand Manually
SHA3-256
(A5721)
KAT CAST On demand Manually
SHA3-384
(A5721)
KAT CAST On demand Manually
SHA3-512
(A5721)
KAT CAST On demand Manually
AES-ECB
(A5720) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5724) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5725) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5726) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5727) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5728) -
Encrypt
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 64 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
AES-ECB
(A5730) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5731) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5729) -
Encrypt
KAT CAST On demand Manually
AES-CBC
(A5720) -
Encrypt
KAT CAST On demand Manually
AES-CBC
(A5726) -
Encrypt
KAT CAST On demand Manually
AES-CBC-CS3
(A5733) -
Encrypt
KAT CAST On demand Manually
AES-CFB128
(A5732) -
Encrypt
KAT CAST On demand Manually
AES-CTR
(A5720) -
Encrypt
KAT CAST On demand Manually
AES-CTR
(A5729) -
Encrypt
KAT CAST On demand Manually
AES-CCM
(A5729) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5720) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5724) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5725) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5726) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5727) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5728) -
Encrypt
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 65 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
AES-GCM
(A5729) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5730) -
Encrypt
KAT CAST On demand Manually
AES-GCM
(A5731) -
Encrypt
KAT CAST On demand Manually
AES-XTS Testing
Revision 2.0
(A5720) -
Encrypt
KAT CAST On demand Manually
AES-XTS Testing
Revision 2.0
(A5729) -
Encrypt
KAT CAST On demand Manually
AES-ECB
(A5720) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5724) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5725) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5726) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5727) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5728) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5730) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5731) -
Decrypt
KAT CAST On demand Manually
AES-ECB
(A5729) -
Decrypt
KAT CAST On demand Manually
AES-CBC
(A5720) -
Decrypt
KAT CAST On demand Manually
AES-CBC
(A5726) -
Decrypt
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 66 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
AES-CBC-CS3
(A5733) -
Decrypt
KAT CAST On demand Manually
AES-CFB128
(A5732) -
Decrypt
KAT CAST On demand Manually
AES-CTR
(A5720) -
Decrypt
KAT CAST On demand Manually
AES-CTR
(A5729) -
Decrypt
KAT CAST On demand Manually
AES-CCM
(A5729) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5720) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5724) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5725) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5726) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5727) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5728) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5729) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5730) -
Decrypt
KAT CAST On demand Manually
AES-GCM
(A5731) -
Decrypt
KAT CAST On demand Manually
AES-XTS Testing
Revision 2.0
(A5720) -
Decrypt
KAT CAST On demand Manually
AES-XTS Testing
Revision 2.0
(A5729) -
Decrypt
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 67 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
AES-CMAC
(A5729)
KAT CAST On demand Manually
HMAC-SHA-1
(A5720)
KAT CAST On demand Manually
HMAC-SHA-1
(A5734)
KAT CAST On demand Manually
HMAC-SHA-1
(A5735)
KAT CAST On demand Manually
HMAC-SHA-1
(A5736)
KAT CAST On demand Manually
HMAC-SHA2-
224 (A5720)
KAT CAST On demand Manually
HMAC-SHA2-
224 (A5734)
KAT CAST On demand Manually
HMAC-SHA2-
224 (A5735)
KAT CAST On demand Manually
HMAC-SHA2-
224 (A5736)
KAT CAST On demand Manually
HMAC-SHA2-
256 (A5720)
KAT CAST On demand Manually
HMAC-SHA2-
256 (A5734)
KAT CAST On demand Manually
HMAC-SHA2-
256 (A5735)
KAT CAST On demand Manually
HMAC-SHA2-
256 (A5736)
KAT CAST On demand Manually
HMAC-SHA2-
384 (A5720)
KAT CAST On demand Manually
HMAC-SHA2-
384 (A5734)
KAT CAST On demand Manually
HMAC-SHA2-
384 (A5735)
KAT CAST On demand Manually
HMAC-SHA2-
384 (A5736)
KAT CAST On demand Manually
HMAC-SHA2-
512 (A5720)
KAT CAST On demand Manually
HMAC-SHA2-
512 (A5734)
KAT CAST On demand Manually
HMAC-SHA2-
512 (A5735)
KAT CAST On demand Manually
HMAC-SHA2-
512 (A5736)
KAT CAST On demand Manually
HMAC-SHA3-
224 (A5721)
KAT CAST On demand Manually
HMAC-SHA3-
256 (A5721)
KAT CAST On demand Manually
HMAC-SHA3-
384 (A5721)
KAT CAST On demand Manually
HMAC-SHA3-
512 (A5721)
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 68 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
Counter DRBG
(A5720)
KAT CAST On demand Manually
Counter DRBG
(A5724)
KAT CAST On demand Manually
Counter DRBG
(A5725)
KAT CAST On demand Manually
Counter DRBG
(A5726)
KAT CAST On demand Manually
Counter DRBG
(A5727)
KAT CAST On demand Manually
Counter DRBG
(A5728)
KAT CAST On demand Manually
Counter DRBG
(A5729)
KAT CAST On demand Manually
Counter DRBG
(A5730)
KAT CAST On demand Manually
Counter DRBG
(A5731)
KAT CAST On demand Manually
Hash DRBG
(A5720)
KAT CAST On demand Manually
Hash DRBG
(A5724)
KAT CAST On demand Manually
Hash DRBG
(A5725)
KAT CAST On demand Manually
Hash DRBG
(A5726)
KAT CAST On demand Manually
Hash DRBG
(A5727)
KAT CAST On demand Manually
Hash DRBG
(A5728)
KAT CAST On demand Manually
Hash DRBG
(A5729)
KAT CAST On demand Manually
Hash DRBG
(A5730)
KAT CAST On demand Manually
Hash DRBG
(A5731)
KAT CAST On demand Manually
Hash DRBG
(A5734)
KAT CAST On demand Manually
Hash DRBG
(A5735)
KAT CAST On demand Manually
Hash DRBG
(A5736)
KAT CAST On demand Manually
HMAC DRBG
(A5720)
KAT CAST On demand Manually
HMAC DRBG
(A5724)
KAT CAST On demand Manually
HMAC DRBG
(A5725)
KAT CAST On demand Manually
HMAC DRBG
(A5726)
KAT CAST On demand Manually
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 69 of 75
Algorithm or
Test
Test Method Test Type Period Periodic
Method
HMAC DRBG
(A5727)
KAT CAST On demand Manually
HMAC DRBG
(A5728)
KAT CAST On demand Manually
HMAC DRBG
(A5729)
KAT CAST On demand Manually
HMAC DRBG
(A5730)
KAT CAST On demand Manually
HMAC DRBG
(A5731)
KAT CAST On demand Manually
HMAC DRBG
(A5734)
KAT CAST On demand Manually
HMAC DRBG
(A5735)
KAT CAST On demand Manually
HMAC DRBG
(A5736)
KAT CAST On demand Manually
RSA SigVer
(FIPS186-5)
(A5720)
KAT CAST On demand Manually
RSA SigVer
(FIPS186-5)
(A5734)
KAT CAST On demand Manually
RSA SigVer
(FIPS186-5)
(A5735)
KAT CAST On demand Manually
RSA SigVer
(FIPS186-5)
(A5736)
KAT CAST On demand Manually
Entropy Source
RCT
initialization
RCT CAST On demand Manually
Entropy Source
APT
initialization
APT CAST On demand Manually
Entropy Source
continuous RCT
RCT CAST On demand Manually
Entropy Source
continuous APT
APT CAST On demand Manually
Table 23: Conditional Periodic Information
10.4 Error States
Name Description Conditions Recovery
Method
Indicator
Error
State
The Linux kernel immediately
stops executing
Any self-test
failure
Restart of the
module
Kernel
Panic
Table 24: Error States
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 70 of 75
In the Error State, the output interface is inhibited, and the module accepts no more inputs
or requests (as the module is no longer running).
10.5 Operator Initiation of Self-Tests
All self-tests, with the exception of the continuous health tests, can be invoked on demand
by unloading and subsequently re-initializing the module.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 71 of 75
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
The module is distributed as a part of the Red Hat Enterprise Linux 8 (RHEL 8) package in
the form of the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-hmaccalc-
1.2.0-3.el8_8 RPM packages.
The module can achieve the FIPS validated configuration as follows.
• During the system installation, add the fips=1 option to the kernel command line.
During the software selection stage, do not install any third-party software. More
information can be found at the vendor documentation.
• After the installation, to switch the system into the approved mode, first execute the
fips-mode-setup --enable command, then restart the system. More information can
be found at the vendor documentation.
In both cases, the Crypto Officer must verify the RHEL 8 system operates in the approved
mode by executing the “fips-mode-setup --check” command, which should output “FIPS
mode is enabled.”
11.2 Administrator Guidance
After installation of the kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-
hmaccalc-1.2.0-3.el8_8 RPM packages, the Crypto Officer must execute the “cat
/proc/sys/crypto/fips_name” command. The Crypto Officer must ensure that the proper
name is listed in the output as follows:
Red Hat Enterprise Linux 8 - Kernel Cryptographic API
Then, the Crypto Officer must execute the “cat /proc/sys/crypto/fips_version” and “rpm -q
libkcapi” commands. These commands must output the following (one line per output):
4.18.0-477.72.1.el8_8.x86_64
libkcapi-1.2.0-3.el8_8.x86_64
11.3 Non-Administrator Guidance
There is no non-administrator guidance.
11.4 End of Life
As the module does not persistently store SSPs, secure sanitization of the module consists of
unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the
kernel-4.18.0-477.72.1.el8_8, libkcapi-1.2.0-3.el8_8, and libkcapi-hmaccalc-1.2.0-3.el8_8
RPM packages can be uninstalled from the RHEL 8 system.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 72 of 75
12 Mitigation of Other Attacks
The module does not offer mitigation of other attacks and therefore this Section is not
applicable.
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 73 of 75
Appendix A. Glossary and Abbreviations
AES Advanced Encryption Standard
API Application Programming Interface
CAST Cryptographic Algorithm Self-Test
CAVP Cryptographic Algorithm Validation Program
CBC Cipher Block Chaining
CCM Counter with Cipher Block Chaining-Message Authentication Code
CFB Cipher Feedback
CMAC Cipher-based Message Authentication Code
CMVP Cryptographic Module Validation Program
CSP Critical Security Parameter
CTR Counter
DRBG Deterministic Random Bit Generator
ECB Electronic Code Book
FIPS Federal Information Processing Standards
GCM Galois Counter Mode
GMAC Galois Counter Mode Message Authentication Code
HMAC Keyed-Hash Message Authentication Code
IPsec Internet Protocol Security
KAT Known Answer Test
MAC Message Authentication Code
NIST National Institute of Science and Technology
PAA Processor Algorithm Acceleration
PKCS Public-Key Cryptography Standards
RSA Rivest, Shamir, Addleman
SHA Secure Hash Algorithm
SSP Sensitive Security Parameter
XTS XEX-based Tweaked-codebook mode with cipher text Stealing
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 74 of 75
Appendix B. References
FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic
Modules
March 2019
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the
Cryptographic Module Validation Program
10 October 2024
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-
140-3-ig-announcements
FIPS 180-4 Secure Hash Standard (SHS)
March 2012
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS 186-5 Digital Signature Standard (DSS)
February 2023
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC)
July 2008
https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output
Functions
August 2015
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifications Version 2.1
February 2003
https://www.ietf.org/rfc/rfc3447.txt
SP 800-38A Recommendation for Block Cipher Modes of Operation Methods
and Techniques
December 2001
https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC
Mode for Authentication
May 2005
https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
SP 800-38C Recommendation for Block Cipher Modes of Operation: the CCM
Mode for Authentication and Confidentiality
May 2004
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38c.pdf
SP 800-38D Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC
November 2007
https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
© 2025 Red Hat, Inc./ atsec information security corporation.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Page 75 of 75
SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS
AES Mode for Confidentiality on Storage Devices
January 2010
https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
SP 800-90Ar1 Recommendation for Random Number Generation Using
Deterministic Random Bit Generators
June 2015
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf