All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Kenwood Cryptographic Library

Certificate#4699StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorEF Johnson Technologies
Medium review priority  ·  no TCB surface named  ·  last validated 26 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date5/23/2029
CaveatNo assurance of the minimum strength of generated SSPs
VendorEF Johnson Technologies

Approved Algorithms (6)

AlgorithmACVP Cert
AES-CBCA2280
AES-ECBA2280
AES-KWA2280
AES-OFBA2280
Hash DRBGA2280
SHA2-512A2280

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Kenwood Cryptographic Library
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Self-Test<br/>no authentication</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C6 clue;
  class I3,I6 infer;
  class R3,R6 risk;
  class E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Kenwood Cryptographic Library
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Self-Test<br/>no authentication</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C6 clueLow;

Security Policy, page by page

Page 1

EF Johnson Technologies - Kenwood Cryptographic Library Author: John Tooker Software Version: 4.0 Date: 2/14/2024

Page 2

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 Table of Contents - 2 of 15 -

Page 3

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024

1 General

This document is a non-proprietary FIPS 140-3 Security Policy for the EF Johnson Technologies’ Kenwood Cryptographic Library (KCL) version 4.0. The KCL is a Level 1 software cryptographic module. Table 1 describes the security level of each section in this document. Table 1: Security Levels Section No. Section Title Security Level

1 General Level 1

2 Cryptographic Module Specification Level 1

3 Cryptographic Module Interfaces Level 1

4 Roles, Services and Authentication Level 1

5 Software/Firmware Security Level 1

6 Operational Environment Level 1

7 Physical Security N/A
8 Non-invasive Security N/A

9 Sensitive Security Parameter Management Level 1

10 Self-Tests Level 1

11 Life-Cycle Assurance Level 1

12 Mitigation of Other Attacks N/A
2 Cryptographic Module Specification

The KCL is a multi-chip standalone FIPS 140-3 module for use on a variety of platforms when a hardware module is unavailable. It provides access to basic cryptographic algorithms with no long-term key storage within the library itself. It is a dynamically linked C++ library compiled for various consumer grade operating environments, see Table 2 below. - 3 of 15 -

Page 4

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 Figure 1 diagrams the KCL’s relationship with an application that may use it. Device TOEPP Process Memory Space Process KCL API Operating KCL Module System KCL Loaded into Process Memory Memory Space KCL Module, Hash on File System Figure 1: A diagram showing the KCL loaded from disk into process memory for use The module itself consists of a single library file to be dynamically loaded by a process into its memory space. The library file has a companion hash file to verify its integrity when loaded by a process. Table 2 and Table 3 list the operating environments in which the KCL was tested or affirmed. Table 2: Tested Operational Environments # Operating System Hardware Platform Processor PAA/Acceleration

1 Android 10 Zebra TC21 Qualcomm Snapdragon™ No

660 octa-core, 1.8 GHz

2 ST Microelectronics VP8000 STM32MP151 ARM No

Linux v5.10- Cortex A7 stm32mp-r1 - 4 of 15 -

Page 5

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 Table 3: Vendor Affirmed Operational Environments # Operating System Hardware Platform

1 Android 6.0 Nexus 5X with Qualcomm SDM630
2 Android 7.1 Nexus 5X with Qualcomm SDM630
3 Android 7.1 Sonim XP8 with Qualcomm
4 ST Microelectronics Linux VM8000 with STM32MP151 ARM
5 ST Microelectronics Linux VP8000 with STM32MP151 ARM

v5.15-stm32mp-r2 Cortex A7 The overall security rating of this module is Level 1. The module boundary consists of the device on which the KCL is installed with the binary file: “libkcl.so”. If multiple processes load the module, each will have its own, separate instance of the library in its own, separate memory. None of the data passed between the process and the KCL leaves the process’s memory space. The KCL only operates in a single mode of operation. This unnamed mode is entered automatically when the library is loaded. If a failure occurs, the library enters a failure mode which cannot be exited except by unloading and reloading the library. Other than the failure mode, the library does not operate in any degraded modes. Table 4 lists the security functions provided by the KCL. - 5 of 15 -

Page 6

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 Table 4: Approved Algorithms CAVP Cert. Algorithm Modes Description & Key Sizes Functions A2280 AES ECB, CBC, OFB 128, 192, 256 Encryption, SP 800-38A Decryption FIPS 197 A2280 AES Key KW 128, 192, 256 Wrap, Unwrap Wrap/Unwrap SP 800-38F A2280 DRBG SHA-512 N/A DRBG SP 800-90A A2280 SHA-2 SHA-512 N/A Hash FIPS 180-4 No block diagram is required for understanding other than Figure 1, above. The security design and rules of operation are as follows. The physical interface is provided by the hosting platform, generally consumer-grade hardware and operating systems with a keyboard, monitor, mouse, screen, and/or touch screen as well as network and USB ports. The logical interface of the KCL is provided through the library’s Application Programming Interface (API). All data input, output, control and status are defined by this API. All data contained within the loaded library is erased when the error state is entered, or the library is unloaded. The DRBG must be seeded with a user-provided seed containing at least 384 bits of entropy as specified in scenario 2(b) of IG 9.3.A and there is no assurance of the minimum strength of generated SSPs. If fewer than 384 bits are supplied, the library will enter the error state. The library initializes itself atomically on load, including all self-tests and integrity checks. The only requirement is a file containing the hash of loaded library’s binary file be located next to it with the same name, but a *.hash.* extension. See Section 10 for a description of the self-tests that are run on load.

3 Cryptographic Module Interfaces

Table 5 lists the data that passes over the API of the KCL library categorized by logical interface. This encompasses all logical interfaces. There are no physical interfaces for the KCL itself. - 6 of 15 -

Page 7

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 Table 5: Ports and Interfaces Logical Interface Data that passes over this interface Data Input

Page 8

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024

4 Roles, Services and Authentication

The KCL modules supports the crypto-officer role only. There is no user or maintenance role. No authentication is required. Table 6: Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer Generate Random Value Length Random bytes Crypto Officer Seed DRBG DRBG Entropy & Seed N/A Crypto Officer AES Encryption AES Key, Plaintext Ciphertext Crypto Officer AES Decryption AES Key, Ciphertext Plaintext Crypto Officer AES Key Wrap AES Key, AES Key-to-be- AES Key-to-bewrapped wrapped Crypto Officer AES Key Unwrap AES Key, AES AES Unwrapped Key Unwrapped Key Crypto Officer SHA-512 Message Hash Crypto Officer Zeroize N/A N/A Crypto Officer Get Status N/A Boolean indicating if the library is in the ok state Crypto Officer Show Module’s Version N/A Library version Information Crypto Officer Perform Self-Test N/A N/A There are no ways to bypass any of these capabilities. There is no self-initiated cryptographic output capability. No external software or firmware may be loaded into the library. When seeding the DRBG, at least 48 bytes of entropy must be provided; otherwise, it will enter the error state. - 8 of 15 -

Page 9

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 The list of security services and their approved security functions can be found in Table 7. Access rights legend: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. For API return code indicators, the successful completion of a service is an implicit indicator for the use of an approved service. If the service does not complete successfully, an exception is thrown, and the module enters an error state. - 9 of 15 -

Page 10

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 Table 7: Approved Services Service Description Approved Keys and/or SSPs Roles Access rights Indicator Security to Keys Functions and/or SSPs Generate Use previously DRBG DRBG V and C Crypto R,W,E API return Random Value seeded DRBG SHA-512 State Officer code Seed DRBG Initialize the DRBG DRBG DRBG Entropy & Crypto W,E API return portion of the SHA-512 Seed Officer code library AES Encryption Encrypt plaintext AES AES Key Crypto W, E API return with a key Officer code AES Decryption Decrypt ciphertext AES AES Key Crypto W, E API return with a key Officer code AES Key Wrap Wrap a key with AES AES Key, AES Key- Crypto W, E, Z API return another to-be-wrapped Officer code AES Key Unwrap a key with AES AES Key, AES Crypto W, E, Z API return Unwrap another Unwrapped Key Officer code SHA-512 Hash a message SHA2-512 N/A Crypto - API return Officer code Zeroize Clear the DRBG AES, DRBG DRBG V and C Crypto Z API return and any loaded State, DRBG Officer code AES key Entropy & Seed, AES Key Get Status Return whether N/A N/A Crypto - API return the library is in an Officer code OK state Show Module’s Return library N/A N/A Crypto - API return Version version Officer code Information Perform Self- (Re)load the DRBG, DRBG V and C Crypto R, W, E, Z None (call Tests library to SHA-512 State, DRBG Officer Get Status (re)perform self- AES Entropy & Seed, service to tests AES Key observe results) - 10 of 15 -

Page 11

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 The installation of the module simply requires placing it and its corresponding hash file on the file system and loading the library in a compiled C++ program. There is no authentication mechanism. The module itself contains no data when not loaded (no data is persisted when the module unloads).

5 Software/Firmware Security

The KCL automatically performs an integrity check on itself when it is loaded. It looks for a file next to the library file that contains the SHA2-512 hash of the library file itself. It then computes the SHA2-512 hash of itself. If the two match, the integrity check passes. Otherwise, the library enters a failed state and any calls made to the library will not return normally but throw an exception. The operator can initiate this integrity check on demand by loading the library. The library comes in the form of a single binary file. The filename is libkcl.so on Linux (including Android). This module is not open source.

6 Operational Environment

The KCL operates in a modifiable environment. The operating system is in charge of guarding the memory of the KCL while it is loaded. No special rules, settings or restrictions are needed of the operational environment. This is how Level 1 security is satisfied. The library stores no keys/SSPs when unloaded. The operating systems and tested platforms can be found in Table 2 above.

7 Physical Security

The KCL is implemented completely in software such that physical security is provided solely by the host platform. Therefore, the physical security section of FIPS 140-3 is not applicable.

8 Non-invasive Security

No steps to mitigate non-invasive attacks have been made. - 11 of 15 -

Page 12

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024

9 Sensitive Security Parameter Management

The sensitive security parameters (SSPs) managed by the KCL are enumerated in Table 8. Table 8: Sensitive Security Parameters (SSPs) Key/ Security SSP Funct. & Gener- Import/ EstablishName Strength Cert # ation Export ment Storage Zeroization Use AES Key 128, 192 AES N/A Plaintext N/A In memory Zeroize AES Encrypt, or 256 A2280 import only while function Decrypt, Key only module is Wrap/Unwrap invoked loaded AES Key- 128, 192 AES N/A Plaintext N/A In memory Cleared on AES Wrap to-be- or 256 A2280 import only during API call wrapped only, API call return cyphertext export only AES Un- 128, 192 AES N/A Cypher- N/A In memory Cleared on AES Unwrap wrapped or 256 A2280 text only during API call Key import API call return only, Plaintext export only DRBG 256-bit DRBG N/A Import N/A Not stored N/A Initialize Entropy A2280 only DRBG V & C state DRBG 256-bit DRBG N/A N/A N/A In memory Zeroize Initialize Seed A2280 only while function DRBG V & C module is State invoked loaded DRBG 256-bit DRBG V&C N/A N/A In memory Zeroize Generate V&C A2280 values only while function Keys, IVs State module is invoked loaded - 12 of 15 -

Page 13

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 The approved random bit generator is a SHA-512 DRBG using certification A2280. The source of entropy is provided by the operator external to the KCL module. The state of the DRBG exists in volatile memory only and is cleared when the module is unloaded or zeroized. An AES key is stored in volatile memory only and are cleared when the module is unloaded or zeroized. This AES key cannot be directly generated internal to the module, but the DRBG may be used to generate them. If the DRGB is used to generate an AES key, then the key must be the unmodified output of the DRBG. This AES key cannot be exported, only loaded for use. The zeroize function is invoked using the API. When invoked, all keys and sensitive security parameters are cleared from memory. As the module is implemented in C++, cleared memory is released back to the OS, which takes responsibility for clearing the data so other processes cannot observe it (just as it protects that memory from being accessed by other processes while it is in use by the library). The module is always in approved mode. Keys stored in memory are not protected within the module and rely on the operating system’s process memory protection. Unloading the library will zeroize all SSPs; this procedural zeroization method is under the control of the operator. - 13 of 15 -

Page 14

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024

10 Self-Tests

The module runs self-tests automatically on load. The following tests are performed in the order listed in Table 9. Certain tests rely on and therefore test certain services. Table 9: Self-Tests Performed by the KCL On Load Test Name Category Type Services Covered Key Size Order

1 AES Conditional Known Answer AES Key Wrap 128-bit key

cryptographic Test (KAT) AES Encryption algorithm test AES Key Unwrap AES Decryption

2 DRBG Conditional Known Answer Seed DRBG

cryptographic Test (KAT) Generate Random Value algorithm test SHA-512

3 Integrity Pre- SHA-512 of -

operational library file software integrity test - DRBG Request Limit Conditional Continuous Generate Random Value critical functions test AES test performs known answer tests (KAT). The DRBG test is also a KAT. Finally, the integrity check is done by calculating the SHA-512 hash of the library itself on disk against a file with the expected hash. After each test, all temporary values are cleared. There is no condition where these tests are repeated once the module is loaded. If a test fails, the module enters an error state. Subsequent function calls into the module will not return normally, rather, an exception is thrown. The module operator cannot initiate self-tests other than (re)loading the module. The DRBG continuously keeps track of requests and will put the library into the error state when the number of requests exceeds 248. - 14 of 15 -

Page 15

TITLE: EF Johnson Technologies - Kenwood Cryptographic Library SOFTWARE VERSION: 4.0 DATE: 2/14/2024 There is only a single error state, it is entered when a self-test fails or the reseed counter is triggered in the DRBG. The two status indicators are: 1) calling the Get Status service, which will return a Boolean indicating the error state, and 2) calling any other service will throw an exception if we are in the error state rather than returning a normal value.

11 Life-Cycle Assurance

The module’s life cycle starts when it is loaded into memory by a process, and it ends when the module is unloaded. There are no maintenance requirements or administrator or non-administration guidance other than the module’s API itself.

12 Mitigation of Other Attacks

The KCL is not designed for the mitigation of any attacks outside the scope of FIPS 140-3 Level 1. - 15 of 15 -