© 2024 Canonical Ltd./ atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
Canonical Ltd.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API
Cryptographic Module
Version 5.15.0-73-fips
FIPS 140-3 Non-Proprietary Security Policy
Version 1.2
Last update: 11-08-2024
Prepared by:
atsec information security corporation
4516 Seton Center Pkwy, Suite 250
Austin, TX 78759
www.atsec.com
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
2 of 103
Table of Contents
1 General ........................................................................................................................................................................................6
1.1 Overview .............................................................................................................................................................................6
1.2 Security Levels ..................................................................................................................................................................6
1.3 Additional Information...................................................................................................................................................6
2 Cryptographic Module Specification.............................................................................................................................7
2.1 Description .........................................................................................................................................................................7
2.2 Tested and Vendor Affirmed Module Version and Identification..................................................................8
2.3 Excluded Components ...................................................................................................................................................9
2.4 Modes of Operation........................................................................................................................................................9
2.5 Algorithms ........................................................................................................................................................................10
2.6 Security Function Implementations ........................................................................................................................16
2.7 Algorithm Specific Information.................................................................................................................................26
2.7.1 AES GCM IV...............................................................................................................................................................26
2.7.2 AES XTS......................................................................................................................................................................26
2.7.3 Diffie-Hellman and EC Diffie-Hellman............................................................................................................26
2.7.4 SHA-3..........................................................................................................................................................................27
2.7.5 RSA ..............................................................................................................................................................................27
2.8 RBG and Entropy ............................................................................................................................................................27
2.9 Key Generation ...............................................................................................................................................................28
2.10 Key Establishment.......................................................................................................................................................28
2.11 Industry Protocols .......................................................................................................................................................29
3 Cryptographic Module Interfaces.................................................................................................................................30
3.1 Ports and Interfaces ......................................................................................................................................................30
4 Roles, Services, and Authentication ............................................................................................................................31
4.1 Authentication Methods .............................................................................................................................................31
4.2 Roles ...................................................................................................................................................................................31
4.3 Approved Services .........................................................................................................................................................31
4.4 Non-Approved Services ...............................................................................................................................................36
4.5 External Software/Firmware Loaded .....................................................................................................................36
5 Software/Firmware Security...........................................................................................................................................37
5.1 Integrity Techniques .....................................................................................................................................................37
5.2 Initiate on Demand........................................................................................................................................................37
6 Operational Environment .................................................................................................................................................38
6.1 Operational Environment Type and Requirements ..........................................................................................38
6.2 Configuration Settings and Restrictions ...............................................................................................................38
7 Physical Security...................................................................................................................................................................39
8 Non-Invasive Security.........................................................................................................................................................40
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
3 of 103
9 Sensitive Security Parameters Management ..........................................................................................................41
9.1 Storage Areas ..................................................................................................................................................................41
9.2 SSP Input-Output Methods ........................................................................................................................................41
9.3 SSP Zeroization Methods ............................................................................................................................................41
9.4 SSPs .....................................................................................................................................................................................42
9.5 Transitions ........................................................................................................................................................................45
10 Self-Tests...............................................................................................................................................................................46
10.1 Pre-Operational Self-Tests.......................................................................................................................................46
10.2 Conditional Self-Tests................................................................................................................................................48
10.3 Periodic Self-Test Information................................................................................................................................84
10.4 Error States ....................................................................................................................................................................96
10.5 Operator Initiation of Self-Tests............................................................................................................................96
11 Life-Cycle Assurance ........................................................................................................................................................97
11.1 Installation, Initialization, and Startup Procedures.........................................................................................97
11.2 Administrator Guidance ............................................................................................................................................98
11.3 Non-Administrator Guidance ..................................................................................................................................98
11.4 End of Life ......................................................................................................................................................................98
12 Mitigation of Other Attacks .........................................................................................................................................99
Appendix A. Glossary and Abbreviations...................................................................................................................100
Appendix B. References.....................................................................................................................................................101
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
4 of 103
List of Tables
Table 1: Security Levels..............................................................................................................................................................6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets).......................8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid .............................................................9
Table 4: Modes List and Description .....................................................................................................................................9
Table 5: Approved Algorithms...............................................................................................................................................15
Table 6: Vendor-Affirmed Algorithms ................................................................................................................................15
Table 7: Non-Approved, Not Allowed Algorithms..........................................................................................................16
Table 8: Security Function Implementations ...................................................................................................................26
Table 9: Entropy Certificates .................................................................................................................................................27
Table 10: Entropy Sources ......................................................................................................................................................27
Table 11: Ports and Interfaces...............................................................................................................................................30
Table 12: Roles ............................................................................................................................................................................31
Table 13: Approved Services ..................................................................................................................................................35
Table 14: Non-Approved Services ........................................................................................................................................36
Table 15: Storage Areas ...........................................................................................................................................................41
Table 16: SSP Input-Output Methods .................................................................................................................................41
Table 17: SSP Zeroization Methods .....................................................................................................................................41
Table 18: SSP Table 1 ................................................................................................................................................................44
Table 19: SSP Table 2 ................................................................................................................................................................45
Table 20: Pre-Operational Self-Tests ..................................................................................................................................47
Table 21: Conditional Self-Tests ...........................................................................................................................................84
Table 22: Pre-Operational Periodic Information ............................................................................................................85
Table 23: Conditional Periodic Information .....................................................................................................................96
Table 24: Error States ...............................................................................................................................................................96
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
5 of 103
List of Figures
Figure 1: Block Diagram .............................................................................................................................................................7
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
6 of 103
1 General
1.1 Overview
This document is the non-proprietary FIPS 140-3 Security Policy for version 5.15.0-73-fips of
the Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module. It contains the
security rules under which the module must operate and describes how this module meets
the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards
Publication 140-3) for an overall Security Level 1 module.
This Non-Proprietary Security Policy may be reproduced and distributed, but only whole and
intact and including this notice. Other documentation is proprietary to their authors.
1.2 Security Levels
Section Security Level
1 1
2 1
3 1
4 1
5 1
6 1
7 N/A
8 N/A
9 1
10 1
11 1
12 N/A
Overall 1
Table 1: Security Levels
1.3 Additional Information
The vendor has provided the non-proprietary Security Policy of the cryptographic module,
which was further consolidated into this document by atsec information security together
with other vendor-supplied documentation. In preparing the Security Policy document, the
laboratory formatted the vendor-supplied documentation forconsolidation without altering
the technical statements therein contained. The further refining of the Security Policy
document was conducted iteratively throughout the conformance testing, wherein the
Security Policy was submitted to the vendor, whowould then edit, modify, and add technical
contents. The vendor would also supply additional documentation, which the laboratory
formatted into the existing Security Policy, and resubmitted to the vendor for their final
editing.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
7 of 103
2 Cryptographic Module Specification
2.1 Description
Purpose and Use: The Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module
(hereafter referred to as “the module”) provides a C language application program interface
(API) for use by other (kernel space and user space) processes that require cryptographic
functionality. The module operates on a general-purpose computer as part of the Linux
kernel. Its cryptographic functionality can be accessed using the Linux Kernel Crypto API.
Module Type: Software
Module Embodiment: MultiChipStand
Module Characteristics:
Cryptographic Boundary: The cryptographic boundary of the module is definedas the kernel
binary and the kernel crypto object files, the libkcapi library, and the sha512hmac binary,
which is used to verify the integrity of the software components. In addition, the
cryptographicboundary contains the .hmac files which store the expectedintegrity values for
each of the software components.
Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module
is defined as the general-purpose computer on which the module is installed.
Figure 1: Block Diagram
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
8 of 103
2.2 Tested and Vendor Affirmed Module Version and
Identification
Tested Module Identification – Hardware:
N/A for this module.
Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets):
Package or File Name Software/ Firmware
Version
Features Integrity Test
/boot/vmlinuz-5.15.0-73-fips;
/run/mnt/kernel/kernel.efi
5.15.0-73-fips N/A HMAC SHA-512
*.ko files in
/usr/lib/modules/5.15.0-73-
fips/kernel/crypto/; *.ko files in
/usr/lib/modules/5.15.0-73-
fips/kernel/arch/x86/crypto/;
*.ko files in
/usr/lib/modules/5.15.0-73-
fips/kernel/arch/arm64/crypto/;
*.ko files in
/usr/lib/modules/5.15.0-73-
fips/kernel/arch/s390/crypto/
5.15.0-73-fips N/A RSA signature
verification
/usr/lib/*-linux-
gnu/libkcapi.so.1.4.0;
/usr/bin/sha512hmac
1.4.0-
1ubuntu0.1~Fips1
N/A HMAC SHA-256
(/usr/lib/*-linux-
gnu/libkcapi.so.1.4.0);
HMAC SHA-512
(/usr/bin/sha512hmac)
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)
Tested Module Identification – Hybrid Disjoint Hardware:
N/A for this module.
Tested Operational Environments - Software, Firmware, Hybrid:
The module makes use of hardware acceleration provided by the hardware platform. Namely,
AES-NI and SHA extensions from the Intel based platform, NEON and Cryptography
Extensions for the Graviton2 based platform, andCPACF for the z15 based platform, listed in
the Tested Operational Environments - Software, Firmware, Hybrid table. CPACF is considered
as PAI. AES-NI, SHA extensions, NEON, andCryptography Extensions are considered as PAA.
Operating
System
Hardware Platform Processors PAA/PAI Hypervisor
or Host OS
Version(s)
Ubuntu 22.04 LTS
64-bit
Supermicro SYS-1019P-
WTR
Intel(R) Xeon(R)
Gold 6226
Yes N/A 5.15.0-73-
fips
Ubuntu 22.04 LTS
64-bit
Supermicro SYS-1019P-
WTR
Intel(R) Xeon(R)
Gold 6226
No N/A 5.15.0-73-
fips
Ubuntu Core 22
64-bit
Supermicro SYS-1019P-
WTR
Intel(R) Xeon(R)
Gold 6226
Yes N/A 5.15.0-73-
fips
Ubuntu Core 22
64-bit
Supermicro SYS-1019P-
WTR
Intel(R) Xeon(R)
Gold 6226
No N/A 5.15.0-73-
fips
Ubuntu 22.04 LTS
64-bit
Amazon Web Services
(AWS) c6g.metal
AWS Graviton2 Yes N/A 5.15.0-73-
fips
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
9 of 103
Operating
System
Hardware Platform Processors PAA/PAI Hypervisor
or Host OS
Version(s)
Ubuntu 22.04 LTS
64-bit
Amazon Web Services
(AWS) c6g.metal
AWS Graviton2 No N/A 5.15.0-73-
fips
Ubuntu Core 22
64-bit
Amazon Web Services
(AWS) c6g.metal
AWS Graviton2 Yes N/A 5.15.0-73-
fips
Ubuntu Core 22
64-bit
Amazon Web Services
(AWS) c6g.metal
AWS Graviton2 No N/A 5.15.0-73-
fips
Ubuntu 22.04 LTS
64-bit
IBM z15 IBM z15 Yes N/A 5.15.0-73-
fips
Ubuntu 22.04 LTS
64-bit
IBM z15 IBM z15 No N/A 5.15.0-73-
fips
Table 3: Tested Operational Environments - Software, Firmware, Hybrid
Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid:
N/A for this module.
CMVP makes no statement as to the correct operation of the module or the security
strengths of the generatedkeys when so ported if the specific operational environment is not
listed on the validation certificate.
2.3 Excluded Components
Not applicable.
2.4 Modes of Operation
Modes List and Description:
Mode Name Description Type Status Indicator
Approved
mode
Automatically entered whenever an
approved service is requested
Approved Equivalent to the indicator of the
requested service defined in section
4.3
Non-approved
mode
Automatically entered whenever a
non-approved service is requested
Non-
Approved
Equivalent to the indicator of the
requested service defined in section
4.3
Table 4: Modes List and Description
Mode Change Instructions and Status:
After passing all pre-operational self-tests andcryptographic algorithm self-tests executed on
start-up, the module automatically transitions to the approved mode. No operator
intervention is required to reach this point. The module automatically switches between the
approved and non-approved modes depending on the services requested by the operator.
The status indicator of the mode of operation is equivalent to the indicator ofthe service that
was requested.
Degraded Mode Description:
Not applicable.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
10 of 103
2.5 Algorithms
Approved Algorithms:
Algorithm CAVP Cert Reference
AES-ECB A3812 SP 800-38A
Counter DRBG A3812 SP 800-90A Rev. 1
Hash DRBG A3812 SP 800-90A Rev. 1
HMAC DRBG A3812 SP 800-90A Rev. 1
HMAC-SHA-1 A3812 FIPS 198-1
HMAC-SHA2-224 A3812 FIPS 198-1
HMAC-SHA2-256 A3812 FIPS 198-1
HMAC-SHA2-384 A3812 FIPS 198-1
HMAC-SHA2-512 A3812 FIPS 198-1
KAS-FFC-SSC Sp800-56Ar3 A3812 SP 800-56A Rev. 3
Safe Primes Key Generation A3812 SP 800-56A Rev. 3
SHA-1 A3812 FIPS 180-4
SHA2-224 A3812 FIPS 180-4
SHA2-256 A3812 FIPS 180-4
SHA2-384 A3812 FIPS 180-4
SHA2-512 A3812 FIPS 180-4
AES-ECB A3813 SP 800-38A
Counter DRBG A3813 SP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4) A3813 FIPS 186-4
Hash DRBG A3813 SP 800-90A Rev. 1
HMAC DRBG A3813 SP 800-90A Rev. 1
HMAC-SHA-1 A3813 FIPS 198-1
HMAC-SHA2-224 A3813 FIPS 198-1
HMAC-SHA2-256 A3813 FIPS 198-1
HMAC-SHA2-384 A3813 FIPS 198-1
HMAC-SHA2-512 A3813 FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3 A3813 SP 800-56A Rev. 3
SHA-1 A3813 FIPS 180-4
SHA2-224 A3813 FIPS 180-4
SHA2-256 A3813 FIPS 180-4
SHA2-384 A3813 FIPS 180-4
SHA2-512 A3813 FIPS 180-4
AES-CBC A3814 SP 800-38A
AES-CCM A3814 SP 800-38C
AES-CMAC A3814 SP 800-38B
AES-CTR A3814 SP 800-38A
AES-ECB A3814 SP 800-38A
AES-GCM A3814 SP 800-38D
AES-GMAC A3814 SP 800-38D
AES-XTS Testing Revision 2.0 A3814 SP 800-38E
Counter DRBG A3814 SP 800-90A Rev. 1
Hash DRBG A3814 SP 800-90A Rev. 1
HMAC DRBG A3814 SP 800-90A Rev. 1
HMAC-SHA-1 A3814 FIPS 198-1
HMAC-SHA2-224 A3814 FIPS 198-1
HMAC-SHA2-256 A3814 FIPS 198-1
HMAC-SHA2-384 A3814 FIPS 198-1
HMAC-SHA2-512 A3814 FIPS 198-1
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
11 of 103
Algorithm CAVP Cert Reference
RSA SigVer (FIPS186-4) A3814 FIPS 186-4
SHA-1 A3814 FIPS 180-4
SHA2-224 A3814 FIPS 180-4
SHA2-256 A3814 FIPS 180-4
SHA2-384 A3814 FIPS 180-4
SHA2-512 A3814 FIPS 180-4
AES-KW A3815 SP 800-38F
HMAC-SHA3-224 A3816 FIPS 198-1
HMAC-SHA3-256 A3816 FIPS 198-1
HMAC-SHA3-384 A3816 FIPS 198-1
HMAC-SHA3-512 A3816 FIPS 198-1
SHA3-224 A3816 FIPS 202
SHA3-256 A3816 FIPS 202
SHA3-384 A3816 FIPS 202
SHA3-512 A3816 FIPS 202
AES-CFB128 A3817 SP 800-38A
AES-OFB A3818 SP 800-38A
AES-CBC-CS3 A3819 SP 800-38A
AES-ECB A3820 SP 800-38A
AES-GCM A3820 SP 800-38D
Counter DRBG A3820 SP 800-90A Rev. 1
Hash DRBG A3820 SP 800-90A Rev. 1
HMAC DRBG A3820 SP 800-90A Rev. 1
AES-ECB A3821 SP 800-38A
AES-GCM A3821 SP 800-38D
Counter DRBG A3821 SP 800-90A Rev. 1
Hash DRBG A3821 SP 800-90A Rev. 1
HMAC DRBG A3821 SP 800-90A Rev. 1
AES-CBC A3822 SP 800-38A
AES-CCM A3822 SP 800-38C
AES-CMAC A3822 SP 800-38B
AES-CTR A3822 SP 800-38A
AES-ECB A3822 SP 800-38A
AES-GCM A3822 SP 800-38D
AES-GMAC A3822 SP 800-38D
AES-XTS Testing Revision 2.0 A3822 SP 800-38E
Counter DRBG A3822 SP 800-90A Rev. 1
Hash DRBG A3822 SP 800-90A Rev. 1
HMAC DRBG A3822 SP 800-90A Rev. 1
AES-KW A3823 SP 800-38F
AES-ECB A3824 SP 800-38A
AES-GCM A3824 SP 800-38D
Counter DRBG A3824 SP 800-90A Rev. 1
Hash DRBG A3824 SP 800-90A Rev. 1
HMAC DRBG A3824 SP 800-90A Rev. 1
AES-ECB A3825 SP 800-38A
AES-GCM A3825 SP 800-38D
Counter DRBG A3825 SP 800-90A Rev. 1
Hash DRBG A3825 SP 800-90A Rev. 1
HMAC DRBG A3825 SP 800-90A Rev. 1
AES-CFB128 A3826 SP 800-38A
AES-OFB A3827 SP 800-38A
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
12 of 103
Algorithm CAVP Cert Reference
AES-CBC-CS3 A3828 SP 800-38A
AES-CBC A3829 SP 800-38A
AES-CCM A3829 SP 800-38C
AES-CMAC A3829 SP 800-38B
AES-CTR A3829 SP 800-38A
AES-ECB A3829 SP 800-38A
AES-GCM A3829 SP 800-38D
AES-GMAC A3829 SP 800-38D
AES-XTS Testing Revision 2.0 A3829 SP 800-38E
Counter DRBG A3829 SP 800-90A Rev. 1
AES-ECB A3830 SP 800-38A
AES-GCM A3830 SP 800-38D
Counter DRBG A3830 SP 800-90A Rev. 1
Hash DRBG A3830 SP 800-90A Rev. 1
HMAC DRBG A3830 SP 800-90A Rev. 1
AES-ECB A3831 SP 800-38A
AES-GCM A3831 SP 800-38D
Counter DRBG A3831 SP 800-90A Rev. 1
Hash DRBG A3831 SP 800-90A Rev. 1
HMAC DRBG A3831 SP 800-90A Rev. 1
AES-CBC A3832 SP 800-38A
AES-CCM A3832 SP 800-38C
AES-CMAC A3832 SP 800-38B
AES-CTR A3832 SP 800-38A
AES-ECB A3832 SP 800-38A
AES-GCM A3832 SP 800-38D
AES-GMAC A3832 SP 800-38D
AES-XTS Testing Revision 2.0 A3832 SP 800-38E
Counter DRBG A3832 SP 800-90A Rev. 1
Hash DRBG A3832 SP 800-90A Rev. 1
HMAC DRBG A3832 SP 800-90A Rev. 1
HMAC-SHA-1 A3832 FIPS 198-1
HMAC-SHA2-224 A3832 FIPS 198-1
HMAC-SHA2-256 A3832 FIPS 198-1
HMAC-SHA2-384 A3832 FIPS 198-1
HMAC-SHA2-512 A3832 FIPS 198-1
RSA SigVer (FIPS186-4) A3832 FIPS 186-4
SHA-1 A3832 FIPS 180-4
SHA2-224 A3832 FIPS 180-4
SHA2-256 A3832 FIPS 180-4
SHA2-384 A3832 FIPS 180-4
SHA2-512 A3832 FIPS 180-4
AES-ECB A3833 SP 800-38A
AES-GCM A3833 SP 800-38D
Counter DRBG A3833 SP 800-90A Rev. 1
Hash DRBG A3833 SP 800-90A Rev. 1
HMAC DRBG A3833 SP 800-90A Rev. 1
AES-ECB A3834 SP 800-38A
AES-GCM A3834 SP 800-38D
Counter DRBG A3834 SP 800-90A Rev. 1
Hash DRBG A3834 SP 800-90A Rev. 1
HMAC DRBG A3834 SP 800-90A Rev. 1
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
13 of 103
Algorithm CAVP Cert Reference
AES-KW A3835 SP 800-38F
AES-CFB128 A3836 SP 800-38A
AES-OFB A3837 SP 800-38A
AES-CBC-CS3 A3838 SP 800-38A
HMAC-SHA3-224 A3839 FIPS 198-1
HMAC-SHA3-256 A3839 FIPS 198-1
HMAC-SHA3-384 A3839 FIPS 198-1
HMAC-SHA3-512 A3839 FIPS 198-1
SHA3-224 A3839 FIPS 202
SHA3-256 A3839 FIPS 202
SHA3-384 A3839 FIPS 202
SHA3-512 A3839 FIPS 202
AES-CBC A3840 SP 800-38A
AES-CTR A3840 SP 800-38A
AES-ECB A3840 SP 800-38A
AES-GCM A3840 SP 800-38D
AES-XTS Testing Revision 2.0 A3840 SP 800-38E
Counter DRBG A3840 SP 800-90A Rev. 1
Hash DRBG A3840 SP 800-90A Rev. 1
HMAC DRBG A3840 SP 800-90A Rev. 1
AES-ECB A3841 SP 800-38A
AES-GCM A3841 SP 800-38D
Counter DRBG A3841 SP 800-90A Rev. 1
Hash DRBG A3841 SP 800-90A Rev. 1
HMAC DRBG A3841 SP 800-90A Rev. 1
AES-ECB A3842 SP 800-38A
AES-GCM A3842 SP 800-38D
Counter DRBG A3842 SP 800-90A Rev. 1
Hash DRBG A3842 SP 800-90A Rev. 1
HMAC DRBG A3842 SP 800-90A Rev. 1
AES-CBC A3843 SP 800-38A
AES-CCM A3843 SP 800-38C
AES-CMAC A3843 SP 800-38B
AES-CTR A3843 SP 800-38A
AES-ECB A3843 SP 800-38A
AES-GCM A3843 SP 800-38D
AES-GMAC A3843 SP 800-38D
AES-XTS Testing Revision 2.0 A3843 SP 800-38E
Counter DRBG A3843 SP 800-90A Rev. 1
Hash DRBG A3843 SP 800-90A Rev. 1
HMAC DRBG A3843 SP 800-90A Rev. 1
AES-ECB A3844 SP 800-38A
AES-GCM A3844 SP 800-38D
Counter DRBG A3844 SP 800-90A Rev. 1
Hash DRBG A3844 SP 800-90A Rev. 1
HMAC DRBG A3844 SP 800-90A Rev. 1
AES-ECB A3845 SP 800-38A
AES-GCM A3845 SP 800-38D
Counter DRBG A3845 SP 800-90A Rev. 1
Hash DRBG A3845 SP 800-90A Rev. 1
HMAC DRBG A3845 SP 800-90A Rev. 1
AES-KW A3846 SP 800-38F
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
14 of 103
Algorithm CAVP Cert Reference
AES-CFB128 A3847 SP 800-38A
AES-OFB A3848 SP 800-38A
AES-CBC-CS3 A3849 SP 800-38A
Hash DRBG A3850 SP 800-90A Rev. 1
HMAC DRBG A3850 SP 800-90A Rev. 1
HMAC-SHA-1 A3850 FIPS 198-1
HMAC-SHA2-224 A3850 FIPS 198-1
HMAC-SHA2-256 A3850 FIPS 198-1
HMAC-SHA2-384 A3850 FIPS 198-1
HMAC-SHA2-512 A3850 FIPS 198-1
RSA SigVer (FIPS186-4) A3850 FIPS 186-4
SHA-1 A3850 FIPS 180-4
SHA2-224 A3850 FIPS 180-4
SHA2-256 A3850 FIPS 180-4
SHA2-384 A3850 FIPS 180-4
SHA2-512 A3850 FIPS 180-4
Hash DRBG A3851 SP 800-90A Rev. 1
HMAC DRBG A3851 SP 800-90A Rev. 1
HMAC-SHA-1 A3851 FIPS 198-1
HMAC-SHA2-224 A3851 FIPS 198-1
HMAC-SHA2-256 A3851 FIPS 198-1
HMAC-SHA2-384 A3851 FIPS 198-1
HMAC-SHA2-512 A3851 FIPS 198-1
RSA SigVer (FIPS186-4) A3851 FIPS 186-4
SHA-1 A3851 FIPS 180-4
SHA2-224 A3851 FIPS 180-4
SHA2-256 A3851 FIPS 180-4
SHA2-384 A3851 FIPS 180-4
SHA2-512 A3851 FIPS 180-4
Hash DRBG A3852 SP 800-90A Rev. 1
HMAC DRBG A3852 SP 800-90A Rev. 1
HMAC-SHA-1 A3852 FIPS 198-1
HMAC-SHA2-224 A3852 FIPS 198-1
HMAC-SHA2-256 A3852 FIPS 198-1
HMAC-SHA2-384 A3852 FIPS 198-1
HMAC-SHA2-512 A3852 FIPS 198-1
RSA SigVer (FIPS186-4) A3852 FIPS 186-4
SHA-1 A3852 FIPS 180-4
SHA2-224 A3852 FIPS 180-4
SHA2-256 A3852 FIPS 180-4
SHA2-384 A3852 FIPS 180-4
SHA2-512 A3852 FIPS 180-4
AES-CBC A3853 SP 800-38A
AES-CBC-CS3 A3853 SP 800-38A
AES-CCM A3853 SP 800-38C
AES-CMAC A3853 SP 800-38B
AES-CTR A3853 SP 800-38A
AES-ECB A3853 SP 800-38A
AES-XTS Testing Revision 2.0 A3853 SP 800-38E
HMAC-SHA-1 A3853 FIPS 198-1
HMAC-SHA2-224 A3853 FIPS 198-1
HMAC-SHA2-256 A3853 FIPS 198-1
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
15 of 103
Algorithm CAVP Cert Reference
SHA-1 A3853 FIPS 180-4
SHA2-224 A3853 FIPS 180-4
SHA2-256 A3853 FIPS 180-4
AES-CBC A3854 SP 800-38A
AES-CBC-CS3 A3854 SP 800-38A
AES-CCM A3854 SP 800-38C
AES-CFB128 A3854 SP 800-38A
AES-CMAC A3854 SP 800-38B
AES-CTR A3854 SP 800-38A
AES-ECB A3854 SP 800-38A
AES-GCM A3854 SP 800-38D
AES-GMAC A3854 SP 800-38D
AES-KW A3854 SP 800-38F
AES-OFB A3854 SP 800-38A
AES-XTS Testing Revision 2.0 A3854 SP 800-38E
Counter DRBG A3854 SP 800-90A Rev. 1
AES-ECB A3855 SP 800-38A
AES-GCM A3855 SP 800-38D
Counter DRBG A3855 SP 800-90A Rev. 1
Hash DRBG A3855 SP 800-90A Rev. 1
HMAC DRBG A3855 SP 800-90A Rev. 1
AES-ECB A3856 SP 800-38A
AES-GCM A3856 SP 800-38D
Counter DRBG A3856 SP 800-90A Rev. 1
Hash DRBG A3856 SP 800-90A Rev. 1
HMAC DRBG A3856 SP 800-90A Rev. 1
AES-CBC A3857 SP 800-38A
AES-CTR A3857 SP 800-38A
AES-ECB A3857 SP 800-38A
AES-XTS Testing Revision 2.0 A3857 SP 800-38E
HMAC-SHA2-224 A3857 FIPS 198-1
HMAC-SHA2-256 A3857 FIPS 198-1
SHA2-224 A3857 FIPS 180-4
SHA2-256 A3857 FIPS 180-4
HMAC-SHA2-224 A3858 FIPS 198-1
HMAC-SHA2-256 A3858 FIPS 198-1
HMAC-SHA2-384 A3858 FIPS 198-1
HMAC-SHA2-512 A3858 FIPS 198-1
SHA2-224 A3858 FIPS 180-4
SHA2-256 A3858 FIPS 180-4
SHA2-384 A3858 FIPS 180-4
SHA2-512 A3858 FIPS 180-4
Table 5: Approved Algorithms
Vendor-Affirmed Algorithms:
Name Properties Implementation Reference
ECC and
DH CKG
Key Type:Asymmetric
ECC Curves:P-256, P-384 (strength of 128, 192
bits)
DH groups:ffdhe2048, ffdhe3072, ffdhe4096,
ffdhe6144, ffdhe8192 (strength of 112-200 bits)
N/A SP800-133r2, section
4 (without XOR)
Table 6: Vendor-Affirmed Algorithms
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
16 of 103
Non-Approved, Allowed Algorithms:
N/A for this module.
Non-Approved, Allowed Algorithms with No Security Claimed:
N/A for this module.
Non-Approved, Not Allowed Algorithms:
Name Use and Function
AES-GCM with
external IV
Encryption
KBKDF (libkcapi) Key derivation
HKDF (libkcapi) Key derivation
PBKDF2 (libkcapi) Password-based key derivation
RSA Encryption primitive; Decryption primitive
RSA with PKCS#1
v1.5 padding
Signature generation (pre-hashed message); Signature verification (pre-hashed
message); Key encapsulation; Key un-encapsulation
Table 7: Non-Approved, Not Allowed Algorithms
2.6 Security Function Implementations
Name Type Description Properties Algorithms
Encryption and
Decryption with
AES
BC-UnAuth SP800-38A.
Encryption,
Decryption; SP800-
38F. KTS (key
wrapping and key
unwrapping) per IG
D.G
AES-ECB keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-CBC keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-CTR keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-XTS Testing
Revision 2.0
keys:128, 256 bits
with 128 and 256
bits of strength
AES-KW keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-CFB128
keys:128, 192, 256
bits with 128, 192,
256 bits of strength
AES-OFB keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-CBC-CS3
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-ECB
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CBC
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
17 of 103
Name Type Description Properties Algorithms
keys:128, 192, 256
bits with 128, 192,
256 bits of strength
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-XTS Testing
Revision 2.0
AES-KW
AES-KW
AES-KW
AES-KW
AES-KW
AES-CFB128
AES-CFB128
AES-CFB128
AES-CFB128
AES-CFB128
AES-OFB
AES-OFB
AES-OFB
AES-OFB
AES-OFB
AES-CBC-CS3
AES-CBC-CS3
AES-CBC-CS3
AES-CBC-CS3
AES-CBC-CS3
AES-CBC-CS3
Random Number
Generation with
HMAC DRBG, Hash
DRBG SP800-90Ar1.
Random number
generation
Counter DRBG:128,
192, 256 bits
HMAC DRBG:128,
Counter DRBG
Counter DRBG
Counter DRBG
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
18 of 103
Name Type Description Properties Algorithms
DRBG or Counter
DRBG
256 bits
Hash DRBG:128,
256 bits
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
Counter DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
HMAC DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
19 of 103
Name Type Description Properties Algorithms
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Hash DRBG
Message
Authentication with
AES or HMAC
MAC SP800-38B, SP800-
38D, FISP198-1.
Message
authentication
HMAC-SHA-1
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA2-224
keys:112-524288
bits 112-256 bits
with 112-256 bits of
strength
HMAC-SHA2-256
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA2-384
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA2-512
keys:112-524288
bits with 112-256
bits of strength
AES-CMAC
keys:128, 192, 256
bits with 128, 192,
256 bits of strength
AES-GMAC
keys:128, 192, 256
bits with 128, 192,
256 bits of strength
HMAC-SHA3-224
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA3-256
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA3-384
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA3-512
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA2-512
HMAC-SHA2-512
HMAC-SHA2-512
HMAC-SHA2-512
HMAC-SHA2-512
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
20 of 103
Name Type Description Properties Algorithms
keys:112-524288
bits with 112-256
bits of strength
HMAC-SHA2-512
HMAC-SHA2-512
AES-CMAC
AES-CMAC
AES-CMAC
AES-CMAC
AES-CMAC
AES-CMAC
AES-CMAC
AES-GMAC
AES-GMAC
AES-GMAC
AES-GMAC
AES-GMAC
AES-GMAC
HMAC-SHA3-224
HMAC-SHA3-224
HMAC-SHA3-256
HMAC-SHA3-256
HMAC-SHA3-384
HMAC-SHA3-384
HMAC-SHA3-512
HMAC-SHA3-512
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-384
SHA2-384
SHA2-384
SHA2-384
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
21 of 103
Name Type Description Properties Algorithms
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA3-224
SHA3-224
SHA3-256
SHA3-256
SHA3-384
SHA3-256
SHA3-512
SHA3-512
Shared Secret
Computation with
KAS-FFC-SSC or
KAS-ECC-SSC
KAS-SSC SP 800-56Ar3. KAS-
ECC-SSC and KAS-
FFC-SSC per IG D.F
Scenario 2 (1)
KAS-FFC-SSC
Sp800-56Ar3
keys:ffdhe2048,
ffdhe3072,
ffdhe4096,
ffdhe6144,
ffdhe8192 with
112-200 bits of
strength
KAS-ECC-SSC
Sp800-56Ar3
curves:P-256, P-384
with 128, 192 bits
of strength
KAS-FFC-SSC
Sp800-56Ar3
KAS-ECC-SSC
Sp800-56Ar3
Message Digest
with SHA
SHA FIPS180-4, FIPS202.
Message digest
SHA-1:N/A
SHA2-224:N/A
SHA2-256:N/A
SHA2-384:N/A
SHA2-512:N/A
SHA3-224:N/A
SHA3-256:N/A
SHA3-384:N/A
SHA3-512:N/A
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-224
SHA2-256
SHA2-256
SHA2-256
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
22 of 103
Name Type Description Properties Algorithms
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA3-224
SHA3-224
SHA3-256
SHA3-256
SHA3-384
SHA3-384
SHA3-512
SHA3-512
Key Pair Generation
with ECDSA or Safe
Primes
AsymKeyPair-
KeyGen
FIPS186-4, SP800-
56Ar3. ECDSA Key
pair generation
according to
FIPS186-4,
Appendix B.4.2 per
IG D.H and SP800-
133r2, section 4
(without XOR) 5.1,
5.2; Safe Primes
Key Generation
according to SP800-
56Ar3, Section
5.6.1.1.4 per IG D.H
and SP800-133r2,
section 4 (without
XOR), 5.2
Safe Primes Key
Generation
keys:ffdhe2048,
ffdhe3072,
ffdhe4096,
ffdhe6144,
ffdhe8192 with
112-200 bits of
strength
ECDSA KeyGen
(FIPS186-4)
curves:P-256, P-384
with 128, 192 bits
of strength
Safe Primes Key
Generation
ECDSA KeyGen
(FIPS186-4)
Authenticated
Encryption and
Authenticated
Decryption with
AES-CCM
BC-Auth
KTS-Wrap
SP800-38C.
Authenticated
encryption,
Authenticated
decryption, KTS
(key wrapping and
AES-CCM keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-CCM
AES-CCM
AES-CCM
AES-CCM
AES-CCM
AES-CCM
AES-CCM
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
23 of 103
Name Type Description Properties Algorithms
key unwrapping)
per IG D.G
Authenticated
Decryption with
AES-GCM
BC-Auth
KTS-Wrap
SP800-38D.
Authenticated
decryption, KTS
(key unwrapping)
per IG D.G
AES-GCM keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
Compliance: FIPS
140-3 IG D.G
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
Signature
Verification with
RSA
DigSig-SigVer FIPS186-4.
Signature
verification
RSA SigVer
(FIPS186-4)
keys:4096 bits with
150 bits of strength
RSA SigVer
(FIPS186-4)
RSA SigVer
(FIPS186-4)
RSA SigVer
(FIPS186-4)
RSA SigVer
(FIPS186-4)
RSA SigVer
(FIPS186-4)
SHA-1
SHA2-224
SHA2-256
SHA2-384
SHA2-512
SHA-1
SHA2-224
SHA2-256
SHA2-384
SHA2-512
SHA-1
SHA2-224
SHA2-256
SHA2-384
SHA2-512
SHA-1
SHA2-224
SHA2-256
SHA2-384
SHA2-512
SHA-1
SHA2-224
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
24 of 103
Name Type Description Properties Algorithms
SHA2-256
SHA2-384
SHA2-512
Authenticated
Encryption with
AES-GCM
BC-Auth
KTS-Wrap
SP800-38D.
Authenticated
encryption KTS (key
wrapping) per IG
D.G
AES-GCM keys:128,
192, 256 bits with
128, 192, 256 bits
of strength
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
AES-GCM
Authenticated
Encryption and
Authenticated
Decryption with
AES-CBC or AES-
CTR with HMAC
BC-Auth
KTS-Wrap
SP800-38A, FIPS
198-1. KTS (key
wrapping and key
unwrapping) per IG
D.G
AES-CBC keys:128,
192, 256 bits with
128, 192, 256 bits
of security
AES-CTR keys:128,
192, 256 bits with
128, 192, 256 bits
of security
HMAC-SHA-1
keys:112-524288
bits with 112-256
bits of security
HMAC-SHA2-256
keys:112-524288
bits with 112-256
bits of security
HMAC-SHA2-384
keys:112-524288
bits with 112-256
bits of security
HMAC-SHA2-512
keys:112-524288
bits with 112-256
bits of security
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-256
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
25 of 103
Name Type Description Properties Algorithms
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-512
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CBC
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
AES-CTR
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA-1
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-256
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-384
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
SHA2-512
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
26 of 103
Table 8: Security Function Implementations
2.7 Algorithm Specific Information
2.7.1 AES GCM IV
For IPsec, the module offers the AESGCM implementation and uses the context ofScenario 1
(b) of FIPS 140-3 IG C.H. The mechanism for IV generation is compliant with RFC 4106. IVs
generated using this mechanism may only be used in the context of AES GCM encryption
within the IPsec protocol.
The module does not implement IPsec. The module’s implementation of AES GCM is used
together with an application that runs outside the module’s cryptographic boundary. This
application must use RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from
which the AES GCM encryption keys are derived.
The design of the IPsec protocol implicitly ensures that the counter (the nonce_explicit part
of the IV) does not exhaust the maximumnumber of possible values for a given session key.
In the event the module’s poweris lost and restored, the consuming application must ensure
that a new key for use with the AES GCM key encryption or decryption under this scenario
shall be established.
The module also provides a non-approved AES GCM encryption service which accepts
arbitrary external IVs from the operator. This service can be requested by invoking the
crypto_aead_encrypt API function with an AESGCM handle. When this is the case, the API will
not set an approved service indicator, as described in the Approved Services table.
2.7.2 AES XTS
The length of a single dataunit encryptedor decrypted with AES XTS shall not exceed 220
AES
blocks, that is 16MB, ofdata per XTS instance. An XTS instance is defined in Section 4 of SP
800-38E.
The XTS mode shall only be used for the cryptographic protection of dataon storage devices.
It shall not be used for other purposes, such as the encryption of data in transit. To meet the
requirement stated in IG C.I, the module implements a check to ensure that the two AES keys
used in AES XTS mode are not identical.
2.7.3 Diffie-Hellman and EC Diffie-Hellman
The module offers DH and ECDH shared secret computation services compliant to the SP 800-
56Ar3 and meeting IG D.F scenario 2 path (1). In order to meet the required assurances listed
in Section 5.6 of SP 800-56Ar3, the module shall be used together with an application that
implements the IPSec protocol and the following steps shall be performed:
1. The entity using the module, must use the module's "Key pair generation" service: the
set_secret and generate_public_key API functions, to generate DH/ECDH ephemeral
key pairs. This meets the assurances required by key pair owner defined in the section
5.6.2.1 of SP 800-56Ar3.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
27 of 103
2. As part of the module's shared secret computation service, the module internally
performs the public key validation on the peer's public key passed in as input to the
API function. This meets the public key validity assurance required by the sections
5.6.2.2.1/5.6.2.2.2 of SP 800-56Ar3.
3. The module does not support static keys, therefore the "assurance of peer's
possession of private key" is not applicable.
2.7.4 SHA-3
The module implements HMAC with SHA3-224, SHA3-256, SHA3-384, SHA3-512. The CAVP
certificates have been obtained for the HMAC algorithm as well as for all the SHA3
implementations. The CAVP certificates are listed in the Approved Algorithms table.
2.7.5 RSA
The module implements FIPS 186-4 RSA SigVer. All RSA modulus lengths (i.e., 2048, 3072,
4096 bits) have been CAVP tested. The CAVP certificates are listed in the Approved Algorithms
table.
2.8 RBG and Entropy
Cert
Number
Vendor
Name
E59 Canonical Ltd.
Table 9: Entropy Certificates
Name Type Operational Environment Sample
Size
Entropy
per
Sample
Conditioning
Component
Canonical
Kernel CPU
Time Jitter
RNG Entropy
source
Non-
Physical
Ubuntu 22.04 LTS 64-bit on Intel(R) Xeon(R)
Gold 6226 on Supermicro SYS-1019P-WTR;
Ubuntu Core 22 64-bit on Intel(R) Xeon(R)
Gold 6226 on Supermicro SYS-1019P-WTR;
Ubuntu 22.04 LTS 64-bit on AWS Graviton2
on Amazon Web Services (AWS) c6g.metal;
Ubuntu Core 22 64-bit on AWS Graviton2 on
Amazon Web Services (AWS) c6g.metal;
Ubuntu 22.04 LTS 64-bit on IBM z15 on IBM
z15
64 bits 59.43
bits
Linear-
Feedback Shift
Register (LFSR)
Table 10: Entropy Sources
The module implements three different Deterministic Random Bit Generator (DRBG)
implementations based on SP 800-90Ar1: Counter DRBG, Hash DRBG, and HMAC DRBG. Each
of these DRBG implementations can be instantiated by the operatorof the module, using the
parameters listed specified in the Security Function Implementations table. When instantiated,
these DRBGs can be used to generate random numbers for external usage.
Additionally, the module employs a specific HMAC SHA-512 DRBG implementation for
internal purposes (e.g. to generate asymmetric key pairs). This DRBG is initially seeded with
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
28 of 103
448 output bits fromthe entropy source (416 bits of entropy) and reseeded with 320 output
bits from the entropy source (297 bits of entropy).
2.9 Key Generation
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant
with SP 800-133r2. When random values are required, they are directly obtained as output
from the SP 800-90Ar1 approved DRBG, compliant with Section 4 of SP 800-133r2 (without
XOR). The following methods are implemented:
• Safe Primes key pair generation: compliant with SP 800-133r2, Section 5.2, which maps
to SP 800-56Ar3. The method described in Section 5.6.1.1.4 of SP 800-56Ar3 (“Testing
Candidates”) is used.
• ECDSA key pair generation: compliant with SP 800-133r2, Section 5.1 and 5.2. The
method described in Appendix B.4.2 of FIPS 186-4 (“Testing Candidates”) is used. Note
that this generation method is also used to generated ECDH key pairs.
Intermediate key generation values are not output from the module and are explicitly
zeroized after processing the service.
2.10 Key Establishment
The module implements SSP agreement and SSP transport methods as listed in the Security
Function Implementations table. The module implements the following SSP establishment
methods:
Key agreement:
• KAS-FFC-SSC compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F;
using ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 safe primes groups
with 112-200 bits of security strength.
• KAS-ECC-SSC compliant with SP 800-56Ar3 and Scenario 2 (1) of FIPS 140-3 IG D.F;
using P-256, P-384 curves with 128, 192 bits of security strength.
Key transport:
• AES-KW according to IG D.G, using 128, 192, 256-bit keys with 128-256 bits of security
strength.
• AES-CCM according toIG D.G, using 128, 192, 256-bit keys with 128-256 bits of security
strength.
• AES-GCM according to IG D.G, using 128, 192, 256-bit keys with 128-256 bits of security
strength.
• AES-CBC or AES-CTR with HMAC SHA-1, HMAC SHA-256, HMAC SHA-384, or HMAC
SHA-512 according to IG D.G, using 128, 192, 256-bit AES keys with 128-256 bits of
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
29 of 103
security strength, and 112-524288 bits HMAC keys with 112-256 bits of security
strength.
2.11 Industry Protocols
AES-GCM with internal IV generation in the approved mode is compliant with RFC 4106 and
shall only be used in conjunction with the IPsec protocol.
For Diffie-Hellman, the module supports the use of the following safe primes:
• TLS (RFC 7919): ffdhe2048 (ID = 256), ffdhe3072 (ID = 257), ffdhe4096 (ID = 258),
ffdhe6144 (ID = 259), ffdhe8192 (ID = 260)
No other parts of the TLS or IPSec protocols, other than those mentioned above, have been
tested by the CAVP and CMVP.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
30 of 103
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
Physical
Port
Logical
Interface(s)
Data That Passes
N/A Data Input API data input parameters, AF_ALG type sockets
N/A Data Output API output parameters, AF_ALG type sockets
N/A Control Input API function calls, API control input parameters, AF_ALG type sockets, kernel
command line
N/A Status
Output
API return values, AF_ALG type sockets, kernel logs
Table 11: Ports and Interfaces
The logical interfaces are the APIs through which the applications request services. These
logical interfaces are logically separated from each other by the API design. The module does
not implement a control output interface.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
31 of 103
4 Roles, Services, and Authentication
4.1 Authentication Methods
N/A for this module.
4.2 Roles
Name Type Operator Type Authentication Methods
CO Role CO None
Table 12: Roles
The module supports the Crypto Officer role only. This sole role is implicitly and always
assumed by the operator of the module. No support is provided for multiple concurrent
operators.
4.3 Approved Services
Name Descriptio
n
Indicator Inputs Outputs Security
Functions
SSP
Access
Message
Digest
Compute a
message
digest
crypto_shash_init returns 0 Message Digest
Value
Message
Digest with
SHA
CO
Encryption Encrypt a
plaintext
crypto_skcipher_setkey
returns 0
AES Key,
plaintext
Ciphertex
t
Encryption
and
Decryption
with AES
CO
- AES Key:
W,E
Decryption Decrypt a
ciphertext
crypto_skcipher_setkey
returns 0
AES Key,
cipherte
xt
Plaintext Encryption
and
Decryption
with AES
CO
- AES Key:
W,E
Authenticat
ed
Encryption
Encrypt a
plaintext
For all except AES GCM:
crypto_aead_setkey returns 0;
For AES GCM:
crypto_aead_get_flags(tfm)
has the
CRYPTO_ALG_FIPS140_COMP
LIANT flag set
AES Key,
IV,
plaintext
Ciphertex
t, MAC tag
Authenticat
ed
Encryption
and
Authenticat
ed
Decryption
with AES-
CCM
Authenticat
ed
Encryption
with AES-
GCM
Authenticat
ed
Encryption
and
Authenticat
ed
CO
- AES Key:
W,E
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
32 of 103
Name Descriptio
n
Indicator Inputs Outputs Security
Functions
SSP
Access
Decryption
with AES-
CBC or AES-
CTR with
HMAC
Authenticat
ed
Decryption
Decrypt a
ciphertext
For all except AES GCM:
crypto_aead_setkey returns 0;
For AES GCM:
crypto_aead_get_flags(tfm)
has the
CRYPTO_ALG_FIPS140_COMP
LIANT flag set
AES key,
IV, MAC
tag,
cipherte
xt
Plaintext
or failure
Authenticat
ed
Encryption
and
Authenticat
ed
Decryption
with AES-
CCM
Authenticat
ed
Decryption
with AES-
GCM
Authenticat
ed
Encryption
and
Authenticat
ed
Decryption
with AES-
CBC or AES-
CTR with
HMAC
CO
- AES Key:
W,E
Message
Authenticati
on
Compute a
MAC tag
crypto_shash_init returns 0 AES Key
or HMAC
key,
message
MAC tag Message
Authenticati
on with AES
or HMAC
CO
- AES Key:
W,E
- HMAC
Key: W,E
Random
Number
Generation
Generate
random
bytes
crypto_rng_get_bytes returns
0
Output
length
Random
bytes
Random
Number
Generation
with HMAC
DRBG, Hash
DRBG or
Counter
DRBG
CO
- Entropy
Input (IG
D.L): W,E
- DRBG
Seed (IG
D.L): G,E
- DRBG
Internal
State (V,
Key) (IG
D.L): G,W,E
- DRBG
Internal
State (V,
C) (IG D.L):
G,W,E
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
33 of 103
Name Descriptio
n
Indicator Inputs Outputs Security
Functions
SSP
Access
Shared
Secret
Computatio
n
Compute a
shared
secret
crypto_kpp_compute_shared_
secret returns 0
DH
private
key, DH
public
key or
EC
private
key, EC
public
key
Shared
secret
Shared
Secret
Computatio
n with KAS-
FFC-SSC or
KAS-ECC-
SSC
CO
- DH Public
Key: W,E
- DH
Private
Key: W,E
- EC Public
Key: W,E
- EC
Private
Key: W,E
- Shared
Secret: G,R
Key Pair
Generation
Generate a
key pair
crypto_kpp_set_secret and
crypto_kpp_generate_public_
key return 0
Safe
Primes:
Group;
ECDSA:
Curve
Safe
Primes:
DH
private
key, DH
public
key;
ECDSA: EC
private
key, EC
public key
Key Pair
Generation
with ECDSA
or Safe
Primes
CO
-
Intermedia
te Key
Generatio
n Value:
G,E,Z
- DH Public
Key: G,R
- DH
Private
Key: G,R
- EC Public
Key: G,R
- EC
Private
Key: G,R
Error
Detection
Code
Compute
an EDC
(crc32,
crct10dif)
None Message EDC None CO
Compressio
n
Compress
data
(deflate,
lz4, lz4hc,
lzo, zlib-
deflate,
zstd)
None Data Compress
ed data
None CO
Generic
System Call
Use the
kernel to
perform
various
non-
cryptograp
hic
operations
None Identifie
r, various
argumen
ts
Various
return
values
None CO
Show
Version
Return the
module
name and
version
None N/A Module
name and
version
None CO
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
34 of 103
Name Descriptio
n
Indicator Inputs Outputs Security
Functions
SSP
Access
informatio
n
Show Status Return the
module
status
None N/A Module
status
None CO
Self-Test Perform
the CASTs
and
integrity
tests
None N/A Pass/fail Encryption
and
Decryption
with AES
Random
Number
Generation
with HMAC
DRBG, Hash
DRBG or
Counter
DRBG
Message
Authenticati
on with AES
or HMAC
Shared
Secret
Computatio
n with KAS-
FFC-SSC or
KAS-ECC-
SSC
Message
Digest with
SHA
Authenticat
ed
Encryption
and
Authenticat
ed
Decryption
with AES-
CCM
Authenticat
ed
Decryption
with AES-
GCM
Signature
Verification
with RSA
Authenticat
ed
Encryption
with AES-
GCM
CO
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
35 of 103
Name Descriptio
n
Indicator Inputs Outputs Security
Functions
SSP
Access
Zeroization Zeroize all
SSPs
None Any SSP N/A None CO
- AES Key:
Z
- HMAC
Key: Z
- Shared
Secret: Z
- Entropy
Input (IG
D.L): Z
- DRBG
Seed (IG
D.L): Z
- DRBG
Internal
State (V,
Key) (IG
D.L): Z
- DRBG
Internal
State (V,
C) (IG D.L):
Z
- DH Public
Key: Z
- DH
Private
Key: Z
- EC Public
Key: Z
- EC
Private
Key: Z
-
Intermedia
te Key
Generatio
n Value: Z
Table 13: Approved Services
The following convention is used to specify access rights to SSPs:
• Generate (G): The module generates or derives the SSP.
• Read (R): The SSP is read from the module (e.g. the SSP is output).
• Write (W): The SSP is updated, imported, or written to the module.
• Execute (E): The module uses the SSP in performing a cryptographic operation.
• Zeroize (Z): The module zeroizes the SSP.
• N/A: The module does not access any SSP or key during its operation.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
36 of 103
4.4 Non-Approved Services
Name Description Algorithms Role
AES-GCM with
external IV
Encryption AES-GCM with
external IV
CO
KBKDF (libkcapi) Key derivation KBKDF (libkcapi) CO
HKDF (libkcapi) Key derivation HKDF (libkcapi) CO
PBKDF2
(libkcapi)
Password-based key derivation PBKDF2 (libkcapi) CO
RSA Encryption primitive; Decryption primitive RSA CO
RSA with
PKCS#1 v1.5
padding
Signature generation (pre-hashed message); Signature
verification (pre-hashed message); Key encapsulation; Key
un-encapsulation
RSA with PKCS#1
v1.5 padding
CO
Table 14: Non-Approved Services
4.5 External Software/Firmware Loaded
Not applicable.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
37 of 103
5 Software/Firmware Security
5.1 Integrity Techniques
The Linux kernel binary is integrity tested using an HMAC SHA-512 calculation performed by
the sha512hmac utility (which utilizes the module’s HMAC and SHA-512 implementations).
The kernel crypto object files listed in the Tested Module Identification – Software, Firmware,
Hybrid (Executable Code Sets) table are loaded on start-up by the module and verified using
RSA signature verification with PKCS#1 v1.5 padding, SHA-512, and a 4096-bit key.
The libkcapi and sha512hmac software components performtheir own internal integrity test,
respectively using the HMAC SHA-256 and HMAC SHA-512 implementations provided by the
Linux kernel.
5.2 Initiate on Demand
Integrity tests are performed as part of the pre-operational self-tests, which are executed
when the module is initialized. The integrity tests can be invoked on demand by unloading
and subsequently re-initializing the module, which will perform (among others) the software
integrity tests.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
38 of 103
6 Operational Environment
6.1 Operational Environment Type and Requirements
Type of Operational Environment: Modifiable
How Requirements are Satisfied: the module executes as part of a general-purpose
operating system (Canonical Ubuntu 22.04 and Canonical Ubuntu Core 22), which allows
modification, loading, and execution of software that is not part of the validated module.
The approved cryptographic algorithms of the module are part of the Linux kernel, which
operates in Linux kernel space. This ensures that any SSPs contained within the module are
protected by the process isolation and memory separation mechanisms provided by the Linux
kernel, and only the module has control over these SSPs. The user space libkcapi and
sha512hmac components, though not processing any SSPs, are similarly protected by the
operating environment.
6.2 Configuration Settings and Restrictions
The module shall be installed as specified in Section 11.1.
Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing
mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used
in the operational environment. The use of any of these tools implies that the cryptographic
module is running in a non-validated operational environment.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
39 of 103
7 Physical Security
The module is comprised of software only and therefore this section is not applicable.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
40 of 103
8 Non-Invasive Security
This module does not implement any non-invasive security mechanism and therefore this
section is not applicable.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
41 of 103
9 Sensitive Security Parameters Management
9.1 Storage Areas
Storage
Area
Name
Description Persistence
Type
RAM Temporary storage for SSPs used by the Dynamic module as part of service
execution
Dynamic
Table 15: Storage Areas
The module does not performpersistent storage ofSSPs. The SSPs are temporarily stored in
the RAM in plaintext form. SSPs are provided to the module by the calling process and are
destroyed when released by the appropriate zeroization function calls.
9.2 SSP Input-Output Methods
Name From To Format
Type
Distribution
Type
Entry
Type
SFI or
Algorithm
API input
parameters;
AF_ALG_type
sockets (input)
Operator calling
application
(TOEPP)
Cryptographic
module
Plaintext Manual Electronic
API output
parameters;
AF_ALG type
sockets (output)
Cryptographic
module
Operator calling
application
(TOEPP)
Plaintext Manual Electronic
Table 16: SSP Input-Output Methods
9.3 SSP Zeroization Methods
Zeroization
Method
Description Rationale Operator Initiation
Free cipher
handle
Zeroizes the SSPs
contained within
the cipher handle
Memory occupied by
SSPs is overwritten
with zeroes, which
renders the SSP
values irretrievable
By calling the appropriate zeroization
functions: AES key: crypto_free_skcipher and
crypto_free_aead; HMAC key:
crypto_free_shash and crypto_free_ahash;
Internal state: crypto_free_rng; DH public &
private key: crypto_free_kpp; EC public &
private key: crypto_free_kpp
Automatic Automatically
zeroized by the
module when no
longer needed
Memory occupied by
SSPs is overwritten
with zeroes, which
renders the SSP
values irretrievable.
N/A
Remove
power from
the module
De-allocates the
volatile memory
used to store SSPs
Volatile memory
used by the module
is overwritten within
nanoseconds when
power is removed.
By removing power
Table 17: SSP Zeroization Methods
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
42 of 103
All data output is inhibited during zeroization.
9.4 SSPs
Name Description Size - Strength Type -
Category
Generated
By
Established
By
Used By
AES Key AES key used
for Encryption;
Decryption;
Authenticated
encryption;
Authenticated
decryption;
Message
authentication;
XTS: 128, 256
bits; ECB, CBC,
CTR, CFB128,
CBC-CTS-CS3,
KW, OFB, CCM,
GCM, CMAC,
CMAC: 128, 192,
256 bits - XTS:
128, 256 bits;
ECB, CBC, CTR,
CFB128, CBC-
CTS-CS3, KW,
OFB, CCM,
GCM, CMAC,
CMAC: 128, 192,
256 bits
Symmetric
key - CSP
Encryption and
Decryption
with AES
Message
Authentication
with AES or
HMAC
HMAC Key HMAC key used
for Message
authentication
code (MAC);
112-524288 bits
- 112-256 bits
Symmetric
key - CSP
Message
Authentication
with AES or
HMAC
Shared
Secret
Shared secret
established
during Shared
Secret
Computation
KAS-FFC-
SSC:ffdhe2048,
ffdhe3072,
ffdhe4096,
ffdhe6144,
ffdhe8192; KAS-
ECC-SSC: P-256,
P-384 bits -
KAS-FFC-SSC:
112-200 bits;
KAS-ECC-SSC:
128, 192 bits
Shared
secret - CSP
Shared
Secret
Computation
with KAS-
FFC-SSC or
KAS-ECC-SSC
Entropy
Input (IG D.L)
Entropy input
used to seed
the DRBGs
128-448 bits -
128-256 bits
Entropy
input - CSP
Random
Number
Generation
with HMAC
DRBG, Hash
DRBG or
Counter DRBG
DRBG Seed
(IG D.L)
DRBG seed
derived from
Entropy Input
Counter DRBG:
256, 320, 384
bits;
Hash_DRBG:
440, 888 bits;
HMAC DRBG:
160, 256, 512
bits - Counter
DRBG: 128, 192,
Seed - CSP Random
Number
Generation
with HMAC
DRBG,
Hash DRBG
or Counter
DRBG
Random
Number
Generation
with HMAC
DRBG, Hash
DRBG or
Counter DRBG
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
43 of 103
Name Description Size - Strength Type -
Category
Generated
By
Established
By
Used By
256 bits; Hash
DRBG: 128, 256
bits; HMAC
DRBG: 128, 256
bits
DRBG
Internal
State (V,
Key) (IG D.L)
Internal state
of Counter
DRBG and
HMAC DRBG
instances
Counter DRBG:
256, 320, 348
bits; HMAC
DRBG: 320, 512,
1024 bits -
Counter DRBG:
128, 192, 256
bits; HMAC
DRBG: 128, 256
bits
Internal
state - CSP
Random
Number
Generation
with HMAC
DRBG,
Hash DRBG
or Counter
DRBG
Random
Number
Generation
with HMAC
DRBG, Hash
DRBG or
Counter DRBG
DRBG
Internal
State (V, C)
(IG D.L)
Internal state
of Hash DRBG
instance
440, 888 bits -
128, 256 bits
Internal
state - CSP
Random
Number
Generation
with HMAC
DRBG,
Hash DRBG
or Counter
DRBG
Random
Number
Generation
with HMAC
DRBG, Hash
DRBG or
Counter DRBG
DH Public
Key
Public key used
for KAS-FFC-
SSC
ffdhe2048,
ffdhe3072,
ffdhe4096,
ffdhe6144,
ffdhe8192 -
112-200 bits
Public key -
PSP
Key Pair
Generation
with
ECDSA or
Safe
Primes
Shared Secret
Computation
with KAS-FFC-
SSC or KAS-
ECC-SSC
DH Private
Key
DH private key
used for KAS-
FFC-SSC
ffdhe2048,
ffdhe3072,
ffdhe4096,
ffdhe6144,
ffdhe8192 -
112-200 bits
Private key -
CSP
Key Pair
Generation
with
ECDSA or
Safe
Primes
Shared Secret
Computation
with KAS-FFC-
SSC or KAS-
ECC-SSC
EC Public
Key
Public key used
for KAS-ECC-
SSC
P-256, P-384 -
128, 192 bits
Public key -
PSP
Key Pair
Generation
with
ECDSA or
Safe
Primes
Shared Secret
Computation
with KAS-FFC-
SSC or KAS-
ECC-SSC
EC Private
Key
EC private key
used for KAS-
ECC-SSC
P-521, P-384 -
128, 192 bits
Private key -
CSP
Key Pair
Generation
with
ECDSA or
Safe
Primes
Shared Secret
Computation
with KAS-FFC-
SSC or KAS-
ECC-SSC
Intermediate
Key
Generation
Value
Intermediate
value
generated
during Key Pair
Generation
2048-8192 bits
- 112-200 bits
Intermediate
value - CSP
Key Pair
Generation
with
ECDSA or
Safe
Primes
Key Pair
Generation
with ECDSA or
Safe Primes
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
44 of 103
Table 18: SSP Table 1
Name Input - Output Storage Storage
Duration
Zeroization Related SSPs
AES Key API input
parameters;
AF_ALG_type
sockets (input)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
HMAC Key API input
parameters;
AF_ALG_type
sockets (input)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
Shared Secret API output
parameters;
AF_ALG type
sockets (output)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
DH Public
Key:Derived From
DH Private
Key:Derived From
EC Public
Key:Derived From
EC Private
Key:Derived From
Entropy Input
(IG D.L)
RAM:Plaintext From service
invocation to
service
completion
Automatic
Remove
power from
the module
DRBG Seed (IG
D.L):Derives
DRBG Seed (IG
D.L)
RAM:Plaintext From service
invocation to
service
completion
Automatic
Remove
power from
the module
Entropy Input (IG
D.L):Derived From
DRBG Internal State
(V, Key) (IG
D.L):Derives
DRBG Internal State
(V, C) (IG
D.L):Derives
DRBG Internal
State (V, Key)
(IG D.L)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
DRBG Seed (IG
D.L):Derived From
DRBG Internal
State (V, C) (IG
D.L)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
DRBG Seed (IG
D.L):Derived From
DH Public Key API input
parameters;
AF_ALG_type
sockets (input)
API output
parameters;
AF_ALG type
sockets (output)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
DH Private
Key:Paired With
Shared
Secret:Derives
Intermediate Key
Generation
Value:Generated
From
DH Private Key API input
parameters;
AF_ALG_type
RAM:Plaintext From service
invocation to
Free cipher
handle
Remove
DH Public Key:Paired
With
Shared
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
45 of 103
Name Input - Output Storage Storage
Duration
Zeroization Related SSPs
sockets (input)
API output
parameters;
AF_ALG type
sockets (output)
service
completion
power from
the module
Secret:Derives
Intermediate Key
Generation
Value:Generated
From
EC Public Key API input
parameters;
AF_ALG_type
sockets (input)
API output
parameters;
AF_ALG type
sockets (output)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
EC Private
Key:Paired With
Shared
Secret:Derives
Intermediate Key
Generation
Value:Generated
From
EC Private Key API input
parameters;
AF_ALG_type
sockets (input)
API output
parameters;
AF_ALG type
sockets (output)
RAM:Plaintext From service
invocation to
service
completion
Free cipher
handle
Remove
power from
the module
EC Public Key:Paired
With
Shared
Secret:Derives
Intermediate Key
Generation
Value:Generated
From
Intermediate
Key Generation
Value
RAM:Plaintext From service
invocation to
service
completion
Automatic DH Public
Key:Generates
DH Private
Key:Generates
EC Public
Key:Generates
EC Private
Key:Generates
Table 19: SSP Table 2
9.5 Transitions
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes,
starting January 1, 2030.
The RSA algorithm as implemented by the module conforms to FIPS 186-4, which has been
superseded by FIPS 186-5. FIPS 186-4 was withdrawn on February 3, 2024.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
46 of 103
10 Self-Tests
10.1 Pre-Operational Self-Tests
Algorithm or
Test
Test
Properties
Test Method Test
Type
Indicator Details
HMAC-SHA2-
256 (A3812)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3813)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3814)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3832)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3850)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3851)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3852)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3853)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3857)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
256 (A3858)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for libkcapi
HMAC-SHA2-
512 (A3812)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
HMAC-SHA2-
512 (A3813)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
Used for kernel
and sha512hmac
binaries
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
47 of 103
Algorithm or
Test
Test
Properties
Test Method Test
Type
Indicator Details
services are available
for use
HMAC-SHA2-
512 (A3814)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
HMAC-SHA2-
512 (A3832)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
HMAC-SHA2-
512 (A3850)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
HMAC-SHA2-
512 (A3851)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
HMAC-SHA2-
512 (A3852)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
HMAC-SHA2-
512 (A3858)
128-bit key Message
Authentication
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
and sha512hmac
binaries
RSA SigVer
(FIPS186-4)
(A3814)
4096-bit key
with SHA-512
Signature
Verification
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
crypto object files
RSA SigVer
(FIPS186-4)
(A3832)
4096-bit key
with SHA-512
Signature
Verification
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
crypto object files
RSA SigVer
(FIPS186-4)
(A3850)
4096-bit key
with SHA-512
Signature
Verification
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
crypto object files
RSA SigVer
(FIPS186-4)
(A3851)
4096-bit key
with SHA-512
Signature
Verification
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
crypto object files
RSA SigVer
(FIPS186-4)
(A3852)
4096-bit key
with SHA-512
Signature
Verification
SW/FW
Integrity
Module becomes
operational and
services are available
for use
Used for kernel
crypto object files
Table 20: Pre-Operational Self-Tests
The pre-operational software integrity tests are performed automatically when the module is
powered on, before the module transitions into the operational state. While the module is
executing the self-tests, services are not available, and data output (via the data output
interface) is inhibited until the tests are successfully completed. The module transitions to
the operational state only after the pre-operational self-tests are passed successfully.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
48 of 103
10.2 Conditional Self-Tests
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-ECB
(A3812)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3813)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3814)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3820)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3821)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3822)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3824)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3825)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3829)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3830)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
49 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-ECB
(A3831)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3832)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3833)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3834)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3840)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3841)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3842)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3843)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3844)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3845)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3853)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
Encryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
50 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-ECB
(A3854)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3855)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3856)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3857)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3812)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3813)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3814)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3820)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3821)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3822)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
51 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-ECB
(A3824)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3825)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3829)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3830)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3831)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3832)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3833)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3834)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3840)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3841)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3842)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
Decryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
52 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-ECB
(A3843)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3844)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3845)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3853)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3854)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3855)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3856)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-ECB
(A3857)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3814)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3822)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
53 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-CBC
(A3829)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3832)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3840)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3843)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3853)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3854)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3857)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3814)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3822)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3829)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3832)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
Decryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
54 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-CBC
(A3840)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3843)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3853)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3854)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC
(A3857)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3819)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3828)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3838)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3849)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3853)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
55 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-CBC-CS3
(A3854)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3819)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3828)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3838)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3849)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3853)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CBC-CS3
(A3854)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3817)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3826)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3836)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3847)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
Encryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
56 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-CFB128
(A3854)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3817)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3826)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3836)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3847)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CFB128
(A3854)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3814)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3822)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3829)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3832)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
57 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-CTR
(A3840)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3843)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3853)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3854)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3857)
128, 192, 256 bit
keys, encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3814)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3822)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3829)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3832)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3840)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3843)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
Decryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
58 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-CTR
(A3853)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3854)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CTR
(A3857)
128, 192, 256 bit
keys, decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3814)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3822)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3829)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3832)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3843)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3853)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3854)
128, 192, 256 bit
keys, 128-bit IVs,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
59 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-CCM
(A3814)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3822)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3829)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3832)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3843)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3853)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CCM
(A3854)
128, 192, 256 bit
keys, 128-bit IVs,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3814)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3820)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3821)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3822)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
Encryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
60 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-GCM
(A3824)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3825)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3829)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3830)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3831)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3832)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3833)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3834)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3840)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3841)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
61 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-GCM
(A3842)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3843)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3844)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3845)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3854)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3855)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3856)
128, 192, 256 bit
keys, 96-bit (internal
IV), encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3814)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3820)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3821)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3822)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
Decryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
62 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-GCM
(A3824)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3825)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3829)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3830)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3831)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3832)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3833)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3834)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3840)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3841)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
63 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-GCM
(A3842)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3843)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3844)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3845)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3854)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3855)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-GCM
(A3856)
128, 192, 256 bit
keys, 96-bit (internal
IV), decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3818)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3827)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3837)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3848)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
Encryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
64 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
AES-OFB
(A3854)
128 bit keys, encrypt KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3818)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3827)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3837)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3848)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-OFB
(A3854)
128 bit keys, decrypt KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3814)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3822)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3829)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3832)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
65 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
AES-XTS
Testing
Revision 2.0
(A3840)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3843)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3853)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3854)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3857)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Encryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3814)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3822)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3829)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3832)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3840)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
Decryption Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
66 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
Revision 2.0
(A3843)
services are
available for use
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3853)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3854)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-XTS
Testing
Revision 2.0
(A3857)
128 and 256 bit keys,
decrypt
KAT CAST Module
becomes
operational and
services are
available for use
Decryption Test runs at
power-on
before the
integrity test
AES-CMAC
(A3814)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
AES-CMAC
(A3822)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
AES-CMAC
(A3829)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
AES-CMAC
(A3832)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
AES-CMAC
(A3843)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
AES-CMAC
(A3853)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
AES-CMAC
(A3854)
128 and 256 bit keys,
encrypt
KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
67 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
SHA-1
(A3812)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3813)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3814)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3832)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3850)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3851)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3852)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA-1
(A3853)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3812)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3813)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3814)
SHA2-224 KAT CAST Module
becomes
operational and
Message digest Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
68 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
SHA2-224
(A3832)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3850)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3851)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3852)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3853)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3857)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-224
(A3858)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3812)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3813)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3814)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
69 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
SHA2-256
(A3832)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3850)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3851)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3852)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3853)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3857)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-256
(A3858)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3812)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3813)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3814)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3832)
SHA2-384 KAT CAST Module
becomes
operational and
Message digest Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
70 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
SHA2-384
(A3850)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3851)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3852)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-384
(A3858)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3812)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3813)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3814)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3832)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3850)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3851)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
71 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
SHA2-512
(A3852)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA2-512
(A3858)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-224
(A3816)
SHA3-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-224
(A3839)
SHA3-224 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-256
(A3816)
SHA3-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-256
(A3839)
SHA3-256 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-384
(A3816)
SHA3-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-384
(A3839)
SHA3-384 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-512
(A3816)
SHA3-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
SHA3-512
(A3839)
SHA3-512 KAT CAST Module
becomes
operational and
services are
available for use
Message digest Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3812)
SHA-1 KAT CAST Module
becomes
operational and
Message
authentication
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
72 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
HMAC-SHA-1
(A3813)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3814)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3832)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3850)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3851)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3852)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA-1
(A3853)
SHA-1 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3812)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3813)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3814)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
73 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
HMAC-SHA2-
224 (A3832)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3850)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3851)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3852)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3853)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3857)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
224 (A3858)
SHA2-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3812)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3813)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3814)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3832)
SHA2-256 KAT CAST Module
becomes
operational and
Message
authentication
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
74 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
HMAC-SHA2-
256 (A3850)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3851)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3852)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3853)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3857)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
256 (A3858)
SHA2-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3812)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3813)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3814)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3832)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
75 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
HMAC-SHA2-
384 (A3850)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3851)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3852)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
384 (A3858)
SHA2-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3812)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3813)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3814)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3832)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3850)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3851)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA2-
512 (A3852)
SHA2-512 KAT CAST Module
becomes
operational and
Message
authentication
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
76 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
HMAC-SHA2-
512 (A3858)
SHA2-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
224 (A3816)
SHA3-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
224 (A3839)
SHA3-224 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
256 (A3816)
SHA3-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
256 (A3839)
SHA3-256 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
384 (A3816)
SHA3-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
384 (A3839)
SHA3-384 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
512 (A3816)
SHA3-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
HMAC-SHA3-
512 (A3839)
SHA3-512 KAT CAST Module
becomes
operational and
services are
available for use
Message
authentication
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3812)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
77 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
Counter
DRBG
(A3813)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3814)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3820)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3821)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3822)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3824)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3825)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3829)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3830)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3831)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3832)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
SP800-90Arev1
health test
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
78 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
Counter
DRBG
(A3833)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3834)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3840)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3841)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3842)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3843)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3844)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3845)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3854)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Counter
DRBG
(A3855)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
79 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
Counter
DRBG
(A3856)
128, 192, 256 bit
keys, with/without
PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3812)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3813)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3814)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3820)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3821)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3822)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3824)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3825)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3830)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3831)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
SP800-90Arev1
health test
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
80 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
Hash DRBG
(A3832)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3833)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3834)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3840)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3841)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3842)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3843)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3844)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3845)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3850)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
81 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
Hash DRBG
(A3851)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3852)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3855)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Hash DRBG
(A3856)
SHA2-256
With/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3812)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3813)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3814)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3820)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3821)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3822)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3824)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
SP800-90Arev1
health test
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
82 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
HMAC DRBG
(A3825)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3830)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3831)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3832)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3833)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3834)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3840)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3841)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3842)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3843)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
83 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
HMAC DRBG
(A3844)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3845)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3850)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3851)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3852)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3855)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
HMAC DRBG
(A3856)
HMAC-SHA2-256,
HMAC-SHA2-512,
with/without PR
KAT CAST Module
becomes
operational and
services are
available for use
SP800-90Arev1
health test
Test runs at
power-on
before the
integrity test
KAS-ECC-SSC
Sp800-56Ar3
(A3813)
P-256, P-384 curves KAT CAST Module
becomes
operational and
services are
available for use
Shared secret
computation
Test runs at
power-on
before the
integrity test
KAS-FFC-SSC
Sp800-56Ar3
(A3812)
ffdhe2048 KAT CAST Module
becomes
operational and
services are
available for use
Shared secret
computation
Test runs at
power-on
before the
integrity test
RSA SigVer
(FIPS186-4)
(A3814)
PKCS#1 v1.5 with
2048 bit key and
SHA2-256
KAT CAST Module
becomes
operational and
services are
available for use
Digital signature
verification
Test runs at
power-on
before the
integrity test
RSA SigVer
(FIPS186-4)
(A3832)
PKCS#1 v1.5 with
2048 bit key and
SHA2-256
KAT CAST Module
becomes
operational and
Digital signature
verification
Test runs at
power-on
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
84 of 103
Algorithm or
Test
Test Properties Test
Method
Test
Type
Indicator Details Conditions
services are
available for use
before the
integrity test
RSA SigVer
(FIPS186-4)
(A3850)
PKCS#1 v1.5 with
2048 bit key and
SHA2-256
KAT CAST Module
becomes
operational and
services are
available for use
Digital signature
verification
Test runs at
power-on
before the
integrity test
RSA SigVer
(FIPS186-4)
(A3851)
PKCS#1 v1.5 with
2048 bit key and
SHA2-256
KAT CAST Module
becomes
operational and
services are
available for use
Digital signature
verification
Test runs at
power-on
before the
integrity test
RSA SigVer
(FIPS186-4)
(A3852)
PKCS#1 v1.5 with
2048 bit key and
SHA2-256
KAT CAST Module
becomes
operational and
services are
available for use
Digital signature
verification
Test runs at
power-on
before the
integrity test
Safe Primes
Key
Generation
(A3812)
ffdhe2048,
ffdhe3072,
ffdhe4096,
ffdhe6144,
ffdhe8192, Section
5.6.1.1.4 Testing
Candidates
PCT PCT Successful key
pair generation
Signature
generation &
verification
Key pair
generation
ECDSA
KeyGen
(FIPS186-4)
(A3813)
SHA2-256, P-256, P-
384 curves, Appendix
B.4.2 Testing
Candidates
PCT PCT Successful key
pair generation
Signature
generation &
verification
Key pair
generation
Entropy
Source
1024 samples RCT CAST Module
becomes
operational and
services are
available for use
Entropy source
startup test
Entropy source
initialization
Entropy
Source
1024 samples APT CAST Module
becomes
operational and
services are
available for use
Entropy source
startup test
Entropy source
initialization
Entropy
Source
Continuously RCT CAST Entropy source
is operational
Entropy source
continuous test
Continuously
Entropy
Source
Continuously APT CAST Entropy source
is operational
Entropy source
continuous test
Continuously
Table 21: Conditional Self-Tests
If any conditional self-test fails, the module enters the Error State.
10.3 Periodic Self-Test Information
Algorithm or Test Test Method Test Type Period Periodic Method
HMAC-SHA2-256
(A3812)
Message
Authentication
SW/FW Integrity On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
85 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
HMAC-SHA2-256
(A3813)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3814)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3832)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3850)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3851)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3852)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3853)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3857)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-256
(A3858)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3812)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3813)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3814)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3832)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3850)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3851)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3852)
Message
Authentication
SW/FW Integrity On Demand Manually
HMAC-SHA2-512
(A3858)
Message
Authentication
SW/FW Integrity On Demand Manually
RSA SigVer
(FIPS186-4) (A3814)
Signature
Verification
SW/FW Integrity On Demand Manually
RSA SigVer
(FIPS186-4) (A3832)
Signature
Verification
SW/FW Integrity On Demand Manually
RSA SigVer
(FIPS186-4) (A3850)
Signature
Verification
SW/FW Integrity On Demand Manually
RSA SigVer
(FIPS186-4) (A3851)
Signature
Verification
SW/FW Integrity On Demand Manually
RSA SigVer
(FIPS186-4) (A3852)
Signature
Verification
SW/FW Integrity On Demand Manually
Table 22: Pre-Operational Periodic Information
Algorithm or Test Test Method Test Type Period Periodic Method
AES-ECB (A3812) KAT CAST On Demand Manually
AES-ECB (A3813) KAT CAST On Demand Manually
AES-ECB (A3814) KAT CAST On Demand Manually
AES-ECB (A3820) KAT CAST On Demand Manually
AES-ECB (A3821) KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
86 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
AES-ECB (A3822) KAT CAST On Demand Manually
AES-ECB (A3824) KAT CAST On Demand Manually
AES-ECB (A3825) KAT CAST On Demand Manually
AES-ECB (A3829) KAT CAST On Demand Manually
AES-ECB (A3830) KAT CAST On Demand Manually
AES-ECB (A3831) KAT CAST On Demand Manually
AES-ECB (A3832) KAT CAST On Demand Manually
AES-ECB (A3833) KAT CAST On Demand Manually
AES-ECB (A3834) KAT CAST On Demand Manually
AES-ECB (A3840) KAT CAST On Demand Manually
AES-ECB (A3841) KAT CAST On Demand Manually
AES-ECB (A3842) KAT CAST On Demand Manually
AES-ECB (A3843) KAT CAST On Demand Manually
AES-ECB (A3844) KAT CAST On Demand Manually
AES-ECB (A3845) KAT CAST On Demand Manually
AES-ECB (A3853) KAT CAST On Demand Manually
AES-ECB (A3854) KAT CAST On Demand Manually
AES-ECB (A3855) KAT CAST On Demand Manually
AES-ECB (A3856) KAT CAST On Demand Manually
AES-ECB (A3857) KAT CAST On Demand Manually
AES-ECB (A3812) KAT CAST On Demand Manually
AES-ECB (A3813) KAT CAST On Demand Manually
AES-ECB (A3814) KAT CAST On Demand Manually
AES-ECB (A3820) KAT CAST On Demand Manually
AES-ECB (A3821) KAT CAST On Demand Manually
AES-ECB (A3822) KAT CAST On Demand Manually
AES-ECB (A3824) KAT CAST On Demand Manually
AES-ECB (A3825) KAT CAST On Demand Manually
AES-ECB (A3829) KAT CAST On Demand Manually
AES-ECB (A3830) KAT CAST On Demand Manually
AES-ECB (A3831) KAT CAST On Demand Manually
AES-ECB (A3832) KAT CAST On Demand Manually
AES-ECB (A3833) KAT CAST On Demand Manually
AES-ECB (A3834) KAT CAST On Demand Manually
AES-ECB (A3840) KAT CAST On Demand Manually
AES-ECB (A3841) KAT CAST On Demand Manually
AES-ECB (A3842) KAT CAST On Demand Manually
AES-ECB (A3843) KAT CAST On Demand Manually
AES-ECB (A3844) KAT CAST On Demand Manually
AES-ECB (A3845) KAT CAST On Demand Manually
AES-ECB (A3853) KAT CAST On Demand Manually
AES-ECB (A3854) KAT CAST On Demand Manually
AES-ECB (A3855) KAT CAST On Demand Manually
AES-ECB (A3856) KAT CAST On Demand Manually
AES-ECB (A3857) KAT CAST On Demand Manually
AES-CBC (A3814) KAT CAST On Demand Manually
AES-CBC (A3822) KAT CAST On Demand Manually
AES-CBC (A3829) KAT CAST On Demand Manually
AES-CBC (A3832) KAT CAST On Demand Manually
AES-CBC (A3840) KAT CAST On Demand Manually
AES-CBC (A3843) KAT CAST On Demand Manually
AES-CBC (A3853) KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
87 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
AES-CBC (A3854) KAT CAST On Demand Manually
AES-CBC (A3857) KAT CAST On Demand Manually
AES-CBC (A3814) KAT CAST On Demand Manually
AES-CBC (A3822) KAT CAST On Demand Manually
AES-CBC (A3829) KAT CAST On Demand Manually
AES-CBC (A3832) KAT CAST On Demand Manually
AES-CBC (A3840) KAT CAST On Demand Manually
AES-CBC (A3843) KAT CAST On Demand Manually
AES-CBC (A3853) KAT CAST On Demand Manually
AES-CBC (A3854) KAT CAST On Demand Manually
AES-CBC (A3857) KAT CAST On Demand Manually
AES-CBC-CS3
(A3819)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3828)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3838)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3849)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3853)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3854)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3819)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3828)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3838)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3849)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3853)
KAT CAST On Demand Manually
AES-CBC-CS3
(A3854)
KAT CAST On Demand Manually
AES-CFB128
(A3817)
KAT CAST On Demand Manually
AES-CFB128
(A3826)
KAT CAST On Demand Manually
AES-CFB128
(A3836)
KAT CAST On Demand Manually
AES-CFB128
(A3847)
KAT CAST On Demand Manually
AES-CFB128
(A3854)
KAT CAST On Demand Manually
AES-CFB128
(A3817)
KAT CAST On Demand Manually
AES-CFB128
(A3826)
KAT CAST On Demand Manually
AES-CFB128
(A3836)
KAT CAST On Demand Manually
AES-CFB128
(A3847)
KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
88 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
AES-CFB128
(A3854)
KAT CAST On Demand Manually
AES-CTR (A3814) KAT CAST On Demand Manually
AES-CTR (A3822) KAT CAST On Demand Manually
AES-CTR (A3829) KAT CAST On Demand Manually
AES-CTR (A3832) KAT CAST On Demand Manually
AES-CTR (A3840) KAT CAST On Demand Manually
AES-CTR (A3843) KAT CAST On Demand Manually
AES-CTR (A3853) KAT CAST On Demand Manually
AES-CTR (A3854) KAT CAST On Demand Manually
AES-CTR (A3857) KAT CAST On Demand Manually
AES-CTR (A3814) KAT CAST On Demand Manually
AES-CTR (A3822) KAT CAST On Demand Manually
AES-CTR (A3829) KAT CAST On Demand Manually
AES-CTR (A3832) KAT CAST On Demand Manually
AES-CTR (A3840) KAT CAST On Demand Manually
AES-CTR (A3843) KAT CAST On Demand Manually
AES-CTR (A3853) KAT CAST On Demand Manually
AES-CTR (A3854) KAT CAST On Demand Manually
AES-CTR (A3857) KAT CAST On Demand Manually
AES-CCM (A3814) KAT CAST On Demand Manually
AES-CCM (A3822) KAT CAST On Demand Manually
AES-CCM (A3829) KAT CAST On Demand Manually
AES-CCM (A3832) KAT CAST On Demand Manually
AES-CCM (A3843) KAT CAST On Demand Manually
AES-CCM (A3853) KAT CAST On Demand Manually
AES-CCM (A3854) KAT CAST On Demand Manually
AES-CCM (A3814) KAT CAST On Demand Manually
AES-CCM (A3822) KAT CAST On Demand Manually
AES-CCM (A3829) KAT CAST On Demand Manually
AES-CCM (A3832) KAT CAST On Demand Manually
AES-CCM (A3843) KAT CAST On Demand Manually
AES-CCM (A3853) KAT CAST On Demand Manually
AES-CCM (A3854) KAT CAST On Demand Manually
AES-GCM (A3814) KAT CAST On Demand Manually
AES-GCM (A3820) KAT CAST On Demand Manually
AES-GCM (A3821) KAT CAST On Demand Manually
AES-GCM (A3822) KAT CAST On Demand Manually
AES-GCM (A3824) KAT CAST On Demand Manually
AES-GCM (A3825) KAT CAST On Demand Manually
AES-GCM (A3829) KAT CAST On Demand Manually
AES-GCM (A3830) KAT CAST On Demand Manually
AES-GCM (A3831) KAT CAST On Demand Manually
AES-GCM (A3832) KAT CAST On Demand Manually
AES-GCM (A3833) KAT CAST On Demand Manually
AES-GCM (A3834) KAT CAST On Demand Manually
AES-GCM (A3840) KAT CAST On Demand Manually
AES-GCM (A3841) KAT CAST On Demand Manually
AES-GCM (A3842) KAT CAST On Demand Manually
AES-GCM (A3843) KAT CAST On Demand Manually
AES-GCM (A3844) KAT CAST On Demand Manually
AES-GCM (A3845) KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
89 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
AES-GCM (A3854) KAT CAST On Demand Manually
AES-GCM (A3855) KAT CAST On Demand Manually
AES-GCM (A3856) KAT CAST On Demand Manually
AES-GCM (A3814) KAT CAST On Demand Manually
AES-GCM (A3820) KAT CAST On Demand Manually
AES-GCM (A3821) KAT CAST On Demand Manually
AES-GCM (A3822) KAT CAST On Demand Manually
AES-GCM (A3824) KAT CAST On Demand Manually
AES-GCM (A3825) KAT CAST On Demand Manually
AES-GCM (A3829) KAT CAST On Demand Manually
AES-GCM (A3830) KAT CAST On Demand Manually
AES-GCM (A3831) KAT CAST On Demand Manually
AES-GCM (A3832) KAT CAST On Demand Manually
AES-GCM (A3833) KAT CAST On Demand Manually
AES-GCM (A3834) KAT CAST On Demand Manually
AES-GCM (A3840) KAT CAST On Demand Manually
AES-GCM (A3841) KAT CAST On Demand Manually
AES-GCM (A3842) KAT CAST On Demand Manually
AES-GCM (A3843) KAT CAST On Demand Manually
AES-GCM (A3844) KAT CAST On Demand Manually
AES-GCM (A3845) KAT CAST On Demand Manually
AES-GCM (A3854) KAT CAST On Demand Manually
AES-GCM (A3855) KAT CAST On Demand Manually
AES-GCM (A3856) KAT CAST On Demand Manually
AES-OFB (A3818) KAT CAST On Demand Manually
AES-OFB (A3827) KAT CAST On Demand Manually
AES-OFB (A3837) KAT CAST On Demand Manually
AES-OFB (A3848) KAT CAST On Demand Manually
AES-OFB (A3854) KAT CAST On Demand Manually
AES-OFB (A3818) KAT CAST On Demand Manually
AES-OFB (A3827) KAT CAST On Demand Manually
AES-OFB (A3837) KAT CAST On Demand Manually
AES-OFB (A3848) KAT CAST On Demand Manually
AES-OFB (A3854) KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3814)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3822)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3829)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3832)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3840)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3843)
KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
90 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
AES-XTS Testing
Revision 2.0
(A3853)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3854)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3857)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3814)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3822)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3829)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3832)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3840)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3843)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3853)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3854)
KAT CAST On Demand Manually
AES-XTS Testing
Revision 2.0
(A3857)
KAT CAST On Demand Manually
AES-CMAC (A3814) KAT CAST On Demand Manually
AES-CMAC (A3822) KAT CAST On Demand Manually
AES-CMAC (A3829) KAT CAST On Demand Manually
AES-CMAC (A3832) KAT CAST On Demand Manually
AES-CMAC (A3843) KAT CAST On Demand Manually
AES-CMAC (A3853) KAT CAST On Demand Manually
AES-CMAC (A3854) KAT CAST On Demand Manually
SHA-1 (A3812) KAT CAST On Demand Manually
SHA-1 (A3813) KAT CAST On Demand Manually
SHA-1 (A3814) KAT CAST On Demand Manually
SHA-1 (A3832) KAT CAST On Demand Manually
SHA-1 (A3850) KAT CAST On Demand Manually
SHA-1 (A3851) KAT CAST On Demand Manually
SHA-1 (A3852) KAT CAST On Demand Manually
SHA-1 (A3853) KAT CAST On Demand Manually
SHA2-224 (A3812) KAT CAST On Demand Manually
SHA2-224 (A3813) KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
91 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
SHA2-224 (A3814) KAT CAST On Demand Manually
SHA2-224 (A3832) KAT CAST On Demand Manually
SHA2-224 (A3850) KAT CAST On Demand Manually
SHA2-224 (A3851) KAT CAST On Demand Manually
SHA2-224 (A3852) KAT CAST On Demand Manually
SHA2-224 (A3853) KAT CAST On Demand Manually
SHA2-224 (A3857) KAT CAST On Demand Manually
SHA2-224 (A3858) KAT CAST On Demand Manually
SHA2-256 (A3812) KAT CAST On Demand Manually
SHA2-256 (A3813) KAT CAST On Demand Manually
SHA2-256 (A3814) KAT CAST On Demand Manually
SHA2-256 (A3832) KAT CAST On Demand Manually
SHA2-256 (A3850) KAT CAST On Demand Manually
SHA2-256 (A3851) KAT CAST On Demand Manually
SHA2-256 (A3852) KAT CAST On Demand Manually
SHA2-256 (A3853) KAT CAST On Demand Manually
SHA2-256 (A3857) KAT CAST On Demand Manually
SHA2-256 (A3858) KAT CAST On Demand Manually
SHA2-384 (A3812) KAT CAST On Demand Manually
SHA2-384 (A3813) KAT CAST On Demand Manually
SHA2-384 (A3814) KAT CAST On Demand Manually
SHA2-384 (A3832) KAT CAST On Demand Manually
SHA2-384 (A3850) KAT CAST On Demand Manually
SHA2-384 (A3851) KAT CAST On Demand Manually
SHA2-384 (A3852) KAT CAST On Demand Manually
SHA2-384 (A3858) KAT CAST On Demand Manually
SHA2-512 (A3812) KAT CAST On Demand Manually
SHA2-512 (A3813) KAT CAST On Demand Manually
SHA2-512 (A3814) KAT CAST On Demand Manually
SHA2-512 (A3832) KAT CAST On Demand Manually
SHA2-512 (A3850) KAT CAST On Demand Manually
SHA2-512 (A3851) KAT CAST On Demand Manually
SHA2-512 (A3852) KAT CAST On Demand Manually
SHA2-512 (A3858) KAT CAST On Demand Manually
SHA3-224 (A3816) KAT CAST On Demand Manually
SHA3-224 (A3839) KAT CAST On Demand Manually
SHA3-256 (A3816) KAT CAST On Demand Manually
SHA3-256 (A3839) KAT CAST On Demand Manually
SHA3-384 (A3816) KAT CAST On Demand Manually
SHA3-384 (A3839) KAT CAST On Demand Manually
SHA3-512 (A3816) KAT CAST On Demand Manually
SHA3-512 (A3839) KAT CAST On Demand Manually
HMAC-SHA-1
(A3812)
KAT CAST On Demand Manually
HMAC-SHA-1
(A3813)
KAT CAST On Demand Manually
HMAC-SHA-1
(A3814)
KAT CAST On Demand Manually
HMAC-SHA-1
(A3832)
KAT CAST On Demand Manually
HMAC-SHA-1
(A3850)
KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
92 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
HMAC-SHA-1
(A3851)
KAT CAST On Demand Manually
HMAC-SHA-1
(A3852)
KAT CAST On Demand Manually
HMAC-SHA-1
(A3853)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3812)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3813)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3814)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3832)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3850)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3851)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3852)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3853)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3857)
KAT CAST On Demand Manually
HMAC-SHA2-224
(A3858)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3812)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3813)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3814)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3832)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3850)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3851)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3852)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3853)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3857)
KAT CAST On Demand Manually
HMAC-SHA2-256
(A3858)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3812)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3813)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3814)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3832)
KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
93 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
HMAC-SHA2-384
(A3850)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3851)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3852)
KAT CAST On Demand Manually
HMAC-SHA2-384
(A3858)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3812)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3813)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3814)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3832)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3850)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3851)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3852)
KAT CAST On Demand Manually
HMAC-SHA2-512
(A3858)
KAT CAST On Demand Manually
HMAC-SHA3-224
(A3816)
KAT CAST On Demand Manually
HMAC-SHA3-224
(A3839)
KAT CAST On Demand Manually
HMAC-SHA3-256
(A3816)
KAT CAST On Demand Manually
HMAC-SHA3-256
(A3839)
KAT CAST On Demand Manually
HMAC-SHA3-384
(A3816)
KAT CAST On Demand Manually
HMAC-SHA3-384
(A3839)
KAT CAST On Demand Manually
HMAC-SHA3-512
(A3816)
KAT CAST On Demand Manually
HMAC-SHA3-512
(A3839)
KAT CAST On Demand Manually
Counter DRBG
(A3812)
KAT CAST On Demand Manually
Counter DRBG
(A3813)
KAT CAST On Demand Manually
Counter DRBG
(A3814)
KAT CAST On Demand Manually
Counter DRBG
(A3820)
KAT CAST On Demand Manually
Counter DRBG
(A3821)
KAT CAST On Demand Manually
Counter DRBG
(A3822)
KAT CAST On Demand Manually
Counter DRBG
(A3824)
KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
94 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
Counter DRBG
(A3825)
KAT CAST On Demand Manually
Counter DRBG
(A3829)
KAT CAST On Demand Manually
Counter DRBG
(A3830)
KAT CAST On Demand Manually
Counter DRBG
(A3831)
KAT CAST On Demand Manually
Counter DRBG
(A3832)
KAT CAST On Demand Manually
Counter DRBG
(A3833)
KAT CAST On Demand Manually
Counter DRBG
(A3834)
KAT CAST On Demand Manually
Counter DRBG
(A3840)
KAT CAST On Demand Manually
Counter DRBG
(A3841)
KAT CAST On Demand Manually
Counter DRBG
(A3842)
KAT CAST On Demand Manually
Counter DRBG
(A3843)
KAT CAST On Demand Manually
Counter DRBG
(A3844)
KAT CAST On Demand Manually
Counter DRBG
(A3845)
KAT CAST On Demand Manually
Counter DRBG
(A3854)
KAT CAST On Demand Manually
Counter DRBG
(A3855)
KAT CAST On Demand Manually
Counter DRBG
(A3856)
KAT CAST On Demand Manually
Hash DRBG (A3812) KAT CAST On Demand Manually
Hash DRBG (A3813) KAT CAST On Demand Manually
Hash DRBG (A3814) KAT CAST On Demand Manually
Hash DRBG (A3820) KAT CAST On Demand Manually
Hash DRBG (A3821) KAT CAST On Demand Manually
Hash DRBG (A3822) KAT CAST On Demand Manually
Hash DRBG (A3824) KAT CAST On Demand Manually
Hash DRBG (A3825) KAT CAST On Demand Manually
Hash DRBG (A3830) KAT CAST On Demand Manually
Hash DRBG (A3831) KAT CAST On Demand Manually
Hash DRBG (A3832) KAT CAST On Demand Manually
Hash DRBG (A3833) KAT CAST On Demand Manually
Hash DRBG (A3834) KAT CAST On Demand Manually
Hash DRBG (A3840) KAT CAST On Demand Manually
Hash DRBG (A3841) KAT CAST On Demand Manually
Hash DRBG (A3842) KAT CAST On Demand Manually
Hash DRBG (A3843) KAT CAST On Demand Manually
Hash DRBG (A3844) KAT CAST On Demand Manually
Hash DRBG (A3845) KAT CAST On Demand Manually
Hash DRBG (A3850) KAT CAST On Demand Manually
Hash DRBG (A3851) KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
95 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
Hash DRBG (A3852) KAT CAST On Demand Manually
Hash DRBG (A3855) KAT CAST On Demand Manually
Hash DRBG (A3856) KAT CAST On Demand Manually
HMAC DRBG
(A3812)
KAT CAST On Demand Manually
HMAC DRBG
(A3813)
KAT CAST On Demand Manually
HMAC DRBG
(A3814)
KAT CAST On Demand Manually
HMAC DRBG
(A3820)
KAT CAST On Demand Manually
HMAC DRBG
(A3821)
KAT CAST On Demand Manually
HMAC DRBG
(A3822)
KAT CAST On Demand Manually
HMAC DRBG
(A3824)
KAT CAST On Demand Manually
HMAC DRBG
(A3825)
KAT CAST On Demand Manually
HMAC DRBG
(A3830)
KAT CAST On Demand Manually
HMAC DRBG
(A3831)
KAT CAST On Demand Manually
HMAC DRBG
(A3832)
KAT CAST On Demand Manually
HMAC DRBG
(A3833)
KAT CAST On Demand Manually
HMAC DRBG
(A3834)
KAT CAST On Demand Manually
HMAC DRBG
(A3840)
KAT CAST On Demand Manually
HMAC DRBG
(A3841)
KAT CAST On Demand Manually
HMAC DRBG
(A3842)
KAT CAST On Demand Manually
HMAC DRBG
(A3843)
KAT CAST On Demand Manually
HMAC DRBG
(A3844)
KAT CAST On Demand Manually
HMAC DRBG
(A3845)
KAT CAST On Demand Manually
HMAC DRBG
(A3850)
KAT CAST On Demand Manually
HMAC DRBG
(A3851)
KAT CAST On Demand Manually
HMAC DRBG
(A3852)
KAT CAST On Demand Manually
HMAC DRBG
(A3855)
KAT CAST On Demand Manually
HMAC DRBG
(A3856)
KAT CAST On Demand Manually
KAS-ECC-SSC
Sp800-56Ar3
(A3813)
KAT CAST On Demand Manually
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
96 of 103
Algorithm or Test Test Method Test Type Period Periodic Method
KAS-FFC-SSC
Sp800-56Ar3
(A3812)
KAT CAST On Demand Manually
RSA SigVer
(FIPS186-4) (A3814)
KAT CAST On Demand Manually
RSA SigVer
(FIPS186-4) (A3832)
KAT CAST On Demand Manually
RSA SigVer
(FIPS186-4) (A3850)
KAT CAST On Demand Manually
RSA SigVer
(FIPS186-4) (A3851)
KAT CAST On Demand Manually
RSA SigVer
(FIPS186-4) (A3852)
KAT CAST On Demand Manually
Safe Primes Key
Generation (A3812)
PCT PCT On Demand Manually
ECDSA KeyGen
(FIPS186-4) (A3813)
PCT PCT On Demand Manually
Entropy Source RCT CAST On Demand Manually
Entropy Source APT CAST On Demand Manually
Entropy Source RCT CAST On Demand Manually
Entropy Source APT CAST On Demand Manually
Table 23: Conditional Periodic Information
10.4 Error States
Name Description Conditions Recovery Method Indicator
Error
State
The Linux kernel immediately stops
executing
Any self-test
failure
Restart of the
module
Kernel
Panic
Table 24: Error States
In the Error State, the output interface is inhibited, and the module accepts nomore inputs or
requests (as the module is no longer running).
10.5 Operator Initiation of Self-Tests
The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up
tests can be invoked on demand by unloading and subsequently re-initializing the module.
The pair-wise consistency tests can be invoked on demand by requesting the key pair
generation service.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
97 of 103
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
On the Ubuntu 22.04 LTS operational environments, the module is distributed in the form of
the following deb packages:
• linux-image-5.15.0-73-fips=5.15.0-73.80+fips1
• linux-modules-5.15.0-73-fips=5.15.0-73.80+fips1
• linux-image-hmac-5.15.0-73-fips=5.15.0-73.80+fips1
• libkcapi1=1.4.0-1ubuntu0.1~Fips1
• kcapi-tools=1.4.0-1ubuntu0.1~Fips1
On the Ubuntu Core 22 operational environments, the module is distributed in the form of
the “fips-kernel” snap, with snap-id ZjfoRia9mZzIe2xoWtGxHNUQsSSqjzUK. Revision 4 and 9
are respectively validated for x86 and arm64 platforms.
Once the Ubuntu 22.04 LTS operational environment is configured following the instructions
provided in Section 11.1, and configuration to access the PPA is complete, the Crypto Officer
can install the Ubuntu packages containing the module using the Advanced Package Tool
(APT) with the following command line:
$ sudo apt-get install linux-image-5.15.0-73-fips=5.15.0-73.80+fips1 linux-modules-5.15.0-73-
fips=5.15.0-73.80+fips1 linux-image-hmac-5.15.0-73-fips=5.15.0-73.80+fips1 libkcapi1=1.4.0-
1ubuntu0.1~Fips1 kcapi-tools=1.4.0-1ubuntu0.1~Fips1
All the Ubuntu packages are associated with hashes for integrity check. The integrity of the
Ubuntu package is automatically verified by the packing tool during the installation of the
module. The Crypto Officer shall not install the package if the integrity check fails.
Installation of the module on the Ubuntu Core 22 operational environment simply consists of
flashing the operating system image to a hard drive, then following the instructions on the
screen.
After the module is installed, the Crypto Officer must execute:
$ cat /proc/sys/crypto/fips_name
The Crypto Officer must ensure that the proper name is listed in the output as follows:
Ubuntu 22.04 Kernel Crypto API Cryptographic Module
Then, the Crypto Officer must execute:
$ cat /proc/sys/crypto/fips_version
This command must output the following:
5.15.0-73-fips
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
98 of 103
On the Ubuntu 22.04 LTS operational environments, versions of the installedpackages can be
verified using the following command:
$ dpkg-query -W linux-image-5.15.0-73-fips linux-modules-5.15.0-73-fips linux-image-hmac-
5.15.0-73-fips libkcapi1 kcapi-tools
On the Ubuntu Core 22 operational environments, revisions of the installed snaps can be
verified using the following command:
$ snap list fips-kernel
11.2 Administrator Guidance
The Approved and non-Approved modes of operation are specified in section 2.4. The
administrative functions are specified in the Approved Services table. All the physical ports and
logical interfaces are specified in section 3.1.
11.3 Non-Administrator Guidance
The approved and non-approved security functions available to users are listed in section 2,
the physical ports, and logical interfaces available to users are specified in section 3.1. The
Approved and non-Approved modes ofoperation are specified in section 2.4. The algorithm-
specific information is listed in section 2.7.
11.4 End of Life
As the module does not persistently store SSPs, secure sanitization ofthe module consists of
unloading the module. This will zeroize all SSPs in volatile memory.
If desired, the linux-image-5.15.0-73-fips, linux-modules-5.15.0-73-fips, linux-image-hmac-
5.15.0-73-fips, libkcapi1, and kcapi-tools deb packages can be uninstalled from the Ubuntu
22.04 LTS system.
The Ubuntu Core 22 system is distributed as an operating system image, so removing this
image will also uninstall the module. Alternatively, the “snap remodel” command can be used
to switch to a generic model with a different kernel.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
99 of 103
12 Mitigation of Other Attacks
The module does not offer mitigation of other attacks and therefore this section is not applicable.
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
100 of 103
Appendix A. Glossary and Abbreviations
AES Advanced Encryption Standard
API Application Programming Interface
CAST Cryptographic Algorithm Self-Test
CAVP Cryptographic Algorithm Validation Program
CBC Cipher Block Chaining
CCM Counter with Cipher Block Chaining-Message Authentication Code
CFB Cipher Feedback
CKG Cryptographic Key Generation
CMAC Cipher-based Message Authentication Code
CMVP Cryptographic Module Validation Program
CSP Critical Security Parameter
CTR Counter
CTS Ciphertext Stealing
DRBG Deterministic Random Bit Generator
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
FFC Finite Field Cryptography
FIPS Federal Information Processing Standards
GCM Galois Counter Mode
GMAC Galois Counter Mode Message Authentication Code
HKDF HMAC-based Key Derivation Function
HMAC Keyed-Hash Message Authentication Code
IPsec Internet Protocol Security
KAS Key Agreement Scheme
KAT Known Answer Test
KBKDF Key-based Key Derivation Function
KW Key Wrap
MAC Message Authentication Code
NIST National Institute of Science and Technology
OFB Output Feedback
PAA Processor Algorithm Acceleration
PAI Processor Algorithm Implementation
PCT Pair-wise Consistency Test
PBKDF2 Password-based Key Derivation Function v2
PKCS Public-Key Cryptography Standards
RSA Rivest, Shamir, Addleman
SHA Secure Hash Algorithm
SSC Shared Secret Computation
SSP Sensitive Security Parameter
XTS XEX-based Tweaked-codebook mode with cipher text Stealing
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
101 of 103
Appendix B. References
FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules
March 2019
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic
Module Validation Program
https://csrc.nist.gov/Projects/cryptographic-module-validation-
program/fips-140-3-ig-announcements
FIPS 180-4 Secure Hash Standard (SHS)
March 2012
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS 186-4 Digital Signature Standard (DSS)
July 2013
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS 186-5 Digital Signature Standard (DSS)
February 2023
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
FIPS 197 Advanced Encryption Standard
November 2001
https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC)
July 2008
https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output
Functions
August 2015
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifications Version 2.1
February 2003
https://www.ietf.org/rfc/rfc3447.txt
RFC 3526 More Modular Exponential (MODP) Diffie-Hellmangroups for Internet
Key Exchange (IKE)
May 2003
https://www.ietf.org/rfc/rfc3526.txt
RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)
June 2005
https://datatracker.ietf.org/doc/html/rfc4106
RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2)
October 2014
https://datatracker.ietf.org/doc/html/rfc7296
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
102 of 103
SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and
Techniques
December 2001
https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP 800-38A
Addendum
Recommendation for Block Cipher Modes of Operation: Three
Variants of Ciphertext Stealing for CBC Mode
October 2010
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38a-add.pdf
SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC
Mode for Authentication
May 2005
https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
SP 800-38C Recommendationfor Block Cipher Modes of Operation: theCCM Mode
for Authentication and Confidentiality
May 2004
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
38c.pdf
SP 800-38D Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC
November 2007
https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES
Mode for Confidentiality on Storage Devices
January 2010
https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for
Key Wrapping
December 2012
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
38F.pdf
SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using
Discrete Logarithm Cryptography
April 2018
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
56Ar3.pdf
SP 800-90Ar1 Recommendationfor Random Number GenerationUsing Deterministic
Random Bit Generators
June 2015
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
90Ar1.pdf
SP 800-90B Recommendation for the Entropy Sources Used for Random Bit
Generation
January 2018
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
90B.pdf
Canonical Ltd. Ubuntu 22.04 Kernel Crypto API Cryptographic Module FIPS 140-3 Non-Proprietary Security Policy
© 2024 Canonical Ltd. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
103 of 103
SP 800-133r2 Recommendation for Cryptographic Key Generation
June 2020
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
133r2.pdf
SP 800-140Br1 CMVP Security Policy Requirements
March 2020
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
140Br1.pdf