Red Hat Enterprise Linux 9 NSS Cryptographic Module

Certificate #4774

Webpage information ?

Status active
Validation dates 21.08.2024
Sunset date 20-08-2026
Standard FIPS 140-3
Security level 1
Type Software
Embodiment Multi-Chip Stand Alone
Caveat Interim validation. When operated in approved mode and installed, initialized and configured as specified in section 11 of the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.
Exceptions
  • Physical security: N/A
  • Non-invasive security: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Description Network Security Services (NSS) is a set of open source C libraries designed to support cross-platform development of security-enabled applications. NSS implements major Internet security standards. NSS is available free of charge under a variety of open source compatible licenses. See http://www.mozilla.org/projects/security/pki/nss/.
Tested configurations
  • Red Hat Enterprise Linux 9 on IBM 9080 HEX with IBM POWER10 with PAA
  • Red Hat Enterprise Linux 9 on IBM 9080 HEX with IBM POWER10 without PAA
  • Red Hat Enterprise Linux 9 on IBM z16 3931-A01 with IBM z16 with PAI
  • Red Hat Enterprise Linux 9 on IBM z16 3931-A01 with IBM z16 without PAI
  • Red Hat Enterprise Linux 9 running on Dell PowerEdge R440 with Intel(R) Xeon(R) Silver 4216 with PAA
  • Red Hat Enterprise Linux 9 running on Dell PowerEdge R440 with Intel(R) Xeon(R) Silver 4216 without PAA
Vendor Red Hat(R), Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy ?

Symmetric Algorithms
AES, AES-, CAST, RC2, RC4, DES, Triple-DES, ChaCha20, Camellia, SEED, HMAC, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, CMAC, CBC-MAC
Asymmetric Algorithms
ECDH, ECDSA, ECC, Diffie-Hellman, DH, DSA
Hash functions
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MD5, PBKDF2
Schemes
MAC, Key Exchange, Key Agreement
Protocols
SSL, TLS, TLS 1.2, TLSv1.0, TLS 1.3, IKEv2, IKEv1, IKE
Randomness
DRBG, RNG
Libraries
NSS
Elliptic Curves
P-256, P-384, P-521, P-192
Block cipher modes
ECB, CBC, CTR, GCM

Trusted Execution Environments
PSP, SSC

Security level
Level 1, level 1
Side-channel analysis
Timing attacks, Timing attack, timing attacks

Standards
FIPS 140-3, FIPS PUB 140-3, FIPS 180-4, FIPS 197, FIPS 198-1, FIPS 186-4, FIPS 186-2, SP 800-132, SP 800-38A, SP 800-38D, SP 800-38F, SP 800-38B, SP 800-90B, SP 800-140B, PKCS#5, PKCS#7, PKCS#11, PKCS#12, PKCS#1, RFC 3526, RFC 7919, RFC 5288, RFC8446, RFC 8446, ISO/IEC 24759, X.509

File metadata

Title FIPS 140-3 Non-Proprietary Security Policy
Author David Cornwell
Creation date D:20240820152453-05'00'
Pages 39
Creator Writer
Producer LibreOffice 7.3

References

Outgoing
  • 47 - historical - Netscape Security Module 1.01

Heuristics ?

No heuristics are available for this certificate.

References ?

Updates ?

  • 09.09.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4774,
  "dgst": "e5b82b15c2c265c2",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "AES-CBCA3470",
        "AES-KWA3469",
        "PBKDFA3463",
        "HMAC-SHA2-512A3463",
        "KDF IKEv2A3467",
        "Hash DRBGA3463",
        "AES-GCMA4482",
        "RSA SigVer (FIPS186-2)A3463",
        "AES-CBC-CS1A3468",
        "AES-KWPA3469",
        "HMAC-SHA2-224A3463",
        "KAS-ECC-SSC Sp800-56Ar3A3463",
        "RSA KeyGen (FIPS186-4)A3463",
        "ECDSA KeyGen (FIPS186-4)A3463",
        "RSA SigGen (FIPS186-4)A3463",
        "Safe Primes Key GenerationA3463",
        "SHA2-384A3463",
        "KDF TLSA3463",
        "TLS v1.2 KDF RFC7627A3463",
        "AES-ECBA3470",
        "HMAC-SHA2-256A3463",
        "KDA HKDF Sp800-56Cr1A3462",
        "SHA2-256A3463",
        "AES-CMACA3465",
        "SHA2-224A3463",
        "SHA2-512A3463",
        "RSA SigVer (FIPS186-4)A3463",
        "ECDSA SigVer (FIPS186-4)A3463",
        "HMAC-SHA2-384A3463",
        "ECDSA SigGen (FIPS186-4)A3463",
        "KDF SP800-108A3466",
        "KAS-FFC-SSC Sp800-56Ar3A3463",
        "AES-CTRA3470",
        "DSA SigVer (FIPS186-4)A3463"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "9"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": {
        "_type": "Set",
        "elements": [
          "47"
        ]
      },
      "indirectly_referenced_by": null,
      "indirectly_referencing": {
        "_type": "Set",
        "elements": [
          "47"
        ]
      }
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": [
        "47"
      ]
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECC": {
            "ECC": 2
          },
          "ECDH": {
            "ECDH": 4
          },
          "ECDSA": {
            "ECDSA": 18
          }
        },
        "FF": {
          "DH": {
            "DH": 20,
            "Diffie-Hellman": 12
          },
          "DSA": {
            "DSA": 23
          }
        }
      },
      "certification_process": {},
      "cipher_mode": {
        "CBC": {
          "CBC": 4
        },
        "CTR": {
          "CTR": 2
        },
        "ECB": {
          "ECB": 3
        },
        "GCM": {
          "GCM": 19
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {
        "NSS": {
          "NSS": 44
        }
      },
      "crypto_protocol": {
        "IKE": {
          "IKE": 5,
          "IKEv1": 2,
          "IKEv2": 21
        },
        "TLS": {
          "SSL": {
            "SSL": 3
          },
          "TLS": {
            "TLS": 32,
            "TLS 1.2": 14,
            "TLS 1.3": 2,
            "TLSv1.0": 1
          }
        }
      },
      "crypto_scheme": {
        "KA": {
          "Key Agreement": 1
        },
        "KEX": {
          "Key Exchange": 3
        },
        "MAC": {
          "MAC": 10
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-192": 14,
          "P-256": 14,
          "P-384": 10,
          "P-521": 10
        }
      },
      "eval_facility": {
        "atsec": {
          "atsec": 45
        }
      },
      "fips_cert_id": {
        "Cert": {
          "#2": 4,
          "#47": 1
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES CBC 128, 192": 1,
          "AES CMAC 128": 1,
          "AES GCM 128": 1,
          "HMAC SHA-1": 2,
          "HMAC SHA-256": 1,
          "HMAC-SHA-224": 4,
          "HMAC-SHA-256": 4,
          "HMAC-SHA-384": 4,
          "HMAC-SHA-512": 4,
          "PKCS#1": 16,
          "PKCS#11": 8,
          "PKCS#12": 8,
          "PKCS#5": 8,
          "PKCS#7": 4,
          "RSA PKCS#1": 2,
          "SHA- 224": 1,
          "SHA- 384": 1,
          "SHA- 512": 5,
          "SHA-1": 14,
          "SHA-224": 13,
          "SHA-256": 34,
          "SHA-384": 17,
          "SHA-512": 13
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 2,
          "level 1": 1
        }
      },
      "hash_function": {
        "MD": {
          "MD5": {
            "MD5": 15
          }
        },
        "PBKDF": {
          "PBKDF2": 18
        },
        "SHA": {
          "SHA1": {
            "SHA-1": 14
          },
          "SHA2": {
            "SHA-224": 13,
            "SHA-256": 34,
            "SHA-384": 17,
            "SHA-512": 13
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 20
        },
        "RNG": {
          "RNG": 2
        }
      },
      "side_channel_analysis": {
        "SCA": {
          "Timing attack": 1,
          "Timing attacks": 1,
          "timing attacks": 1
        }
      },
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 51,
          "FIPS 180-4": 2,
          "FIPS 186-2": 2,
          "FIPS 186-4": 16,
          "FIPS 197": 7,
          "FIPS 198-1": 2,
          "FIPS PUB 140-3": 2
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-132": 8,
          "SP 800-140B": 1,
          "SP 800-38A": 5,
          "SP 800-38B": 2,
          "SP 800-38D": 3,
          "SP 800-38F": 2,
          "SP 800-90B": 1
        },
        "PKCS": {
          "PKCS#1": 9,
          "PKCS#11": 4,
          "PKCS#12": 4,
          "PKCS#5": 4,
          "PKCS#7": 2
        },
        "RFC": {
          "RFC 3526": 3,
          "RFC 5288": 2,
          "RFC 7919": 3,
          "RFC 8446": 1,
          "RFC8446": 2
        },
        "X509": {
          "X.509": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 51,
            "AES-": 1
          },
          "CAST": {
            "CAST": 4
          },
          "RC": {
            "RC2": 4,
            "RC4": 4
          }
        },
        "DES": {
          "3DES": {
            "Triple-DES": 4
          },
          "DES": {
            "DES": 7
          }
        },
        "constructions": {
          "MAC": {
            "CBC-MAC": 2,
            "CMAC": 7,
            "HMAC": 17,
            "HMAC-SHA-224": 2,
            "HMAC-SHA-256": 2,
            "HMAC-SHA-384": 2,
            "HMAC-SHA-512": 2
          }
        },
        "djb": {
          "ChaCha": {
            "ChaCha20": 3
          }
        },
        "miscellaneous": {
          "Camellia": {
            "Camellia": 5
          },
          "SEED": {
            "SEED": 5
          }
        }
      },
      "tee_name": {
        "AMD": {
          "PSP": 4
        },
        "IBM": {
          "SSC": 3
        }
      },
      "tls_cipher_suite": {},
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "David Cornwell",
      "/CreationDate": "D:20240820152453-05\u002700\u0027",
      "/Creator": "Writer",
      "/Producer": "LibreOffice 7.3",
      "/Title": "FIPS 140-3 Non-Proprietary Security Policy",
      "pdf_file_size_bytes": 354923,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "https://www.ietf.org/rfc/rfc3526.txt",
          "https://www.ietf.org/rfc/rfc2898.txt",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf",
          "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a-add.pdf",
          "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening#proc_installing-the-system-with-fips-mode-enabled_assembly_installing-the-system-in-fips-mode",
          "https://www.ietf.org/rfc/rfc5288.txt",
          "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies",
          "https://www.ietf.org/rfc/rfc7919.txt",
          "https://www.ietf.org/rfc/rfc3447.txt",
          "https://www.ietf.org/rfc/rfc2315.txt",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf",
          "https://www.ietf.org/rfc/rfc7292.txt",
          "https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf",
          "https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf",
          "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/entropy/E47_PublicUse.pdf",
          "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf",
          "https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf",
          "https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/pkcs11-base-v3.0.pdf",
          "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf",
          "https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf",
          "http://www.atsec.com/",
          "https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements",
          "https://www.ietf.org/rfc/rfc8446.txt",
          "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf",
          "https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf",
          "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf",
          "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 39
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "99ae0a6f65f68e5e9b01f682a57c9559266fba5c2ba196402d04cb2d79921931",
    "policy_txt_hash": "3b868591aae2b9479537c555018d6362fb1a7b5d681f1d4bf8b9b5966b7f8039"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "Interim validation. When operated in approved mode and installed, initialized and configured as specified in section 11 of the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/August 2024_010924_0336.pdf",
    "date_sunset": "2026-08-20",
    "description": "Network Security Services (NSS) is a set of open source C libraries designed to support cross-platform development of security-enabled applications. NSS implements major Internet security standards. NSS is available free of charge under a variety of open source compatible licenses. See http://www.mozilla.org/projects/security/pki/nss/.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Physical security: N/A",
      "Non-invasive security: N/A",
      "Documentation requirements: N/A",
      "Cryptographic module security policy: N/A"
    ],
    "fw_versions": null,
    "historical_reason": null,
    "hw_versions": null,
    "level": 1,
    "mentioned_certs": {},
    "module_name": "Red Hat Enterprise Linux 9 NSS Cryptographic Module",
    "module_type": "Software",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": "4.34.0-a20cd33fbbe14357",
    "tested_conf": [
      "Red Hat Enterprise Linux 9 on IBM 9080 HEX with IBM POWER10 with PAA",
      "Red Hat Enterprise Linux 9 on IBM 9080 HEX with IBM POWER10 without PAA",
      "Red Hat Enterprise Linux 9 on IBM z16 3931-A01 with IBM z16 with PAI",
      "Red Hat Enterprise Linux 9 on IBM z16 3931-A01 with IBM z16 without PAI",
      "Red Hat Enterprise Linux 9 running on Dell PowerEdge R440 with Intel(R) Xeon(R) Silver 4216 with PAA",
      "Red Hat Enterprise Linux 9 running on Dell PowerEdge R440 with Intel(R) Xeon(R) Silver 4216 without PAA"
    ],
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-08-21",
        "lab": "ATSEC INFORMATION SECURITY CORP",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Red Hat(R), Inc.",
    "vendor_url": "http://www.redhat.com"
  }
}