All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Firepower Threat Defense Virtual Cryptographic Module

Certificate#4711StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorCisco Systems, Inc.
High review priority  ·  no TCB surface named  ·  last validated 25 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorCisco Systems, Inc.

Approved Algorithms (48)

AlgorithmACVP Cert
AES-CBCA2952
AES-CBCA3376
AES-GCMA2952
AES-GCMA3376
Counter DRBGA2952
Counter DRBGA3376
ECDSA KeyGen (FIPS186-4)A2952
ECDSA KeyGen (FIPS186-4)A3376
ECDSA KeyVer (FIPS186-4)A2952
ECDSA KeyVer (FIPS186-4)A3376
ECDSA SigGen (FIPS186-4)A2952
ECDSA SigGen (FIPS186-4)A3376
ECDSA SigVer (FIPS186-4)A2952
ECDSA SigVer (FIPS186-4)A3376
HMAC-SHA-1A2952
HMAC-SHA-1A3376
HMAC-SHA2-256A2952
HMAC-SHA2-256A3376
HMAC-SHA2-384A2952
HMAC-SHA2-384A3376
HMAC-SHA2-512A2952
HMAC-SHA2-512A3376
KAS-ECC-SSC Sp800-56Ar3A2952
KAS-ECC-SSC Sp800-56Ar3A3376
KAS-FFC-SSC Sp800-56Ar3A2952
KAS-FFC-SSC Sp800-56Ar3A3376
KDF IKEv2A2952
KDF IKEv2A3376
KDF SSHA2952
KDF SSHA3376
RSA KeyGen (FIPS186-4)A2952
RSA KeyGen (FIPS186-4)A3376
RSA SigGen (FIPS186-4)A2952
RSA SigGen (FIPS186-4)A3376
RSA SigVer (FIPS186-4)A2952
RSA SigVer (FIPS186-4)A3376
Safe Primes Key GenerationA2952
Safe Primes Key GenerationA3376
SHA-1A2952
SHA-1A3376
SHA2-256A2952
SHA2-256A3376
SHA2-384A2952
SHA2-384A3376
SHA2-512A2952
SHA2-512A3376
TLS v1.2 KDF RFC7627A2952
TLS v1.2 KDF RFC7627A3376

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Firepower Threat Defense Virtual Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Firepower Threat Defense Virtual Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Cisco Systems, Inc. ISO/IEC 19790 and FIPS 140-3 Non-Proprietary Security Policy for Firepower Threat Defense Virtual Cryptographic Module Last Updated: June 13, 2024, Version 0.4 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Page 2

Table of Content List of Figures List of Tables

Page 3
1 General

Cryptographic Module (hereinafter referred to as FTDv or the Module), software version 7.0.5. The following details how this module meets the security requirements of FIPS 140-3, SP 800-140 and ISO/IEC 19790 for a Security Level 1 Software cryptographic module. The security requirements cover areas related to the design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operational environment; physical security; noninvasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks. The following table indicates the actual security levels for each area of the cryptographic module. ISO/IEC 24759:2017 ISO/IEC 24759:2017 and FIPS 140-3 Level Section 6 Section Title

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Table 1 Security Levels The module has an overall security level of 1.

2 Cryptographic module specification

The Module is a multi-chip standalone software module deployed as the virtualized version of the Cisco Firepower Threat Defense which houses ASA, FX-OS and Firepower solutions with underlying operating system identified as Linux 4 (also referred to as Firepower eXtensible Operating System or FX-OS throughout this document). The module can be used in single context mode, and in routed or transparent mode to support TLSv1.2 (RFC7627), SSHv2, IPsec/IKEv2 and Cryptographic Cipher Suite B, which delivers enterprise-class security for business-to-enterprise networks in a virtual environment. The module has been tested on the following Operational Environments. # Operating System Hardware Platform Processor PAA/Acceleration

1 Linux 4 (FX-OS) on VMware UCS C220 M5 SFF INTEL Skylake 6128 With PAA

2 Linux 4 (FX-OS) on VMware UCS C220 M5 SFF INTEL Skylake 6128 Without PAA

3 Linux 4 (FX-OS) on VMware UCS C220 M5 SFF INTEL Skylake 6128 With PAA

4 Linux 4 (FX-OS) on VMware UCS C220 M5 SFF INTEL Skylake 6128 Without PAA

Page 4

5 Linux 4 (FX-OS) on NFVIS ENCS 5412 Server Intel Xeon Processor D- With PAA

4.4 1557 (Broadwell)

6 Linux 4 (FX-OS) on NFVIS ENCS 5412 Server Intel Xeon Processor D- Without PAA

4.4 1557 (Broadwell)

Table 2 Tested Operational Environment Figure 1 UCS C220 M5 front view with Bezel Figure 2 UCS C220 M5 front view without Bezel Figure 3 UCS C220 M5 rear view Figure 4 ENCS 5412 front view1 Figure 5 ENCS 5412 rear view https://www.cisco.com/c/dam/global/da_dk/assets/training/seminariamaterials/enterprise_network_compute_system_encs_.pdf

Page 5

# Operating System Hardware Platform

1 Linux 4 (FX-OS) C220 M5 w/KVM/AWS
2 Linux 4 (FX-OS) C240 M5 w/ESXi/KVM/AWS
3 Linux 4 (FX-OS) C480 M5 w/ESXi/KVM/AWS
4 Linux 4 (FX-OS) E160-M3 w/ESXi/KVM/AWS
5 Linux 4 (FX-OS) E180D-M3 w/ESXi/KVM/AWS
6 Linux 4 (FX-OS) ENCS 5406
7 Linux 4 (FX-OS) ENCS 5408

Table 3 Vendor Affirmed Operational Environments The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate. Mode of operation The module has one approved mode of operation and is always in the approved mode of operation after initial operations are performed (See Section 11). The module does not claim implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module. The table below lists all Approved or Vendor-affirmed security functions of the module, including specific key size(s) -in bits unless otherwise noted- employed for approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in this table. CAVP Algorithm and Mode/Method Description / Key Use/Function Cert Standard Size(s) / Key Strength(s) A2952 and AES CBC Key Length: 128 and Symmetric encryption and A3376 [FIPS 197; 256 bits decryption SP800-38A] A2952 and AES GCM Key Length: 128 and Authenticated symmetric A3376 [FIPS 197; 256 bits encryption and decryption SP 800-38D] A2952 and KDF SSH KDF SSH N/A Key derivation function used A3376 [SP 800-135rev1] in SSHv2 (CVL) A2952 and TLS v1.2 KDF TLS v1.2 KDF with RFC7627 N/A Key derivation function used A3376 RFC7627 in TLSv1.2 (RFC7627) with [RFC7627] extended master secret (CVL) A2952 and KDF IKEv2 KDF IKEv2 N/A Key derivation function used A3376 [SP 800-135rev1] in IPSec/IKEv2 (CVL) A2952 and CTR_DRBG AES-256 N/A Deterministic Random Bit A3376 [SP 800-90Arev1] Derivation Function Enabled; Generators (DRBG); uses an Prediction Resistance: Yes algorithm to produce random output A2952 and ECDSA ECDSA KeyGen Curves: P-256, P-384, ECDSA keypair generation A3376 [FIPS 186-4] P-521 A2952 and ECDSA ECDSA KeyVer Curves: P-256, P-384, ECDSA keypair verification A3376 [FIPS 186-4] P-521

Page 6

CAVP Algorithm and Mode/Method Description / Key Use/Function Cert Standard Size(s) / Key Strength(s) A2952 and ECDSA ECDSA SigGen Curves: P-256, P-384, ECDSA signature generation A3376 [FIPS 186-4] P-521 A2952 and ECDSA ECDSA SigVer Curves: P-256, P-384, ECDSA signature verification A3376 [FIPS 186-4] P-521 A2952 and HMAC HMAC-SHA-1 Key Length: 112 bits Keyed hash A3376 [FIPS 198-1] or greater A2952 and HMAC HMAC-SHA2-256 Key Length: 112 bits Keyed hash A3376 [FIPS 198-1] or greater A2952 and HMAC HMAC-SHA2-384 Key Length: 112 bits Keyed hash A3376 [FIPS 198-1] or greater A2952 and HMAC HMAC-SHA2-512 Key Length: 112 bits Keyed hash A3376 [FIPS 198-1] or greater A2952 and KAS-SSC KAS-ECC-SSC: Curves: P-256, P-384, KAS-ECC shared secret A3376 [SP 800-56Arev3] Scheme: ephemeralUnified: P-521 computation KAS Role: initiator, responder A2952 and KAS KAS (ECC): Curves: P-256, P-384 Key Agreement Scheme per A3376 [SP800-56Arev3] Scheme: ephemeralUnified and P-521 with SP800-56Arev3 with key KAS Role: initiator, responder TLSv1.2 KDF RFC derivation function (SP800KAS (KAS-SSC Cert. 7627, or KDF IKEv2 135rev1) #A2952, TLSv1.2 KDF (SP800-135rev1) Note: The module’s KAS RFC7627 Cert. A#2952, or (ECC) implementation is KDF IKEv2 Cert. #A2952) Key establishment FIPS 140-3 IG D.F Scenario 2 methodology provides (path 2) compliant KAS (KAS-SSC Cert. between 128 and 256 #A3376, TLSv1.2 KDF bits of encryption RFC7627 Cert. A#3376, or strength KDF IKEv2 Cert. #A3376) A2952 and KAS-SSC KAS-FFC-SSC: MODP-2048 KAS-FFC shared secret A3376 [SP 800-56Arev3] Scheme: dhEphem: computation KAS Role: initiator, responder A2952 and KAS KAS (FFC): MODP-2048 with Key Agreement Scheme per A3376 [SP 800-56Arev3] Scheme: dhEphem KDF SSH or KDF SP800-56Arev3 with key KAS Role: initiator, responder IKEv2 (SP800- derivation function (SP800KAS (KAS-SSC Cert. 135rev1) 135rev1) #A2952, KDF SSH Cert. Note: The module’s KAS #A2952, or KDF IKEv2 Cert. Key establishment (FFC) implementation is FIPS #A2952) methodology provides 140-3 IG D.F Scenario 2 (path

112 bits of encryption 2) compliant

KAS (KAS-SSC Cert. strength #A3376, KDF SSH Cert. #A3376, or KDF IKEv2 Cert. #A3376) A2952 and RSA RSA KeyGen: Modulus: 2048/3072 RSA keypair generation A3376 [FIPS 186-4] - Mode: B.3.4 - 2048/3072 modulus A2952 and RSA RSA SigGen: Modulus: 2048/3072 RSA signature generation A3376 [FIPS 186-4] - PKCSv1.5 - 2048/3072 modulus with SHA-256/384/512 A2952 and RSA RSA SigVer: Modulus: 2048/3072 RSA signature verification A3376 [FIPS 186-4] - PKCSv1.5

Page 7

CAVP Algorithm and Mode/Method Description / Key Use/Function Cert Standard Size(s) / Key Strength(s) - 2048/3072 modulus with SHA-256/384/512 A2952 and Safe Primes Key KeyGen for KAS-SSC (FFC) Safe Prime Groups: KAS-FFC Keypair domain A3376 Generation MODP-2048 parameters generation [SP 800-56Arev3] A2952 and SHS SHA-1 N/A Message digest A3376 [FIPS 180-4] Note: SHA-1 is not used for digital signature generation A2952 and SHS SHA2-256 N/A Message digest A3376 [FIPS 180-4] A2952 and SHS SHA2-384 N/A Message digest A3376 [FIPS 180-4] A2952 and SHS SHA2-512 N/A Message digest A3376 [FIPS 180-4] Vendor CKG Section 5.1, Section 5.2 Cryptographic Key Key generation. Affirmed (SP800-133rev2) Generation; SP 800133rev2 and IG D.H. Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP80090Arev1 CTR_DRBG. Table 4 Approved Algorithms Notes:

Page 8

As the module can only be operated in the Approved mode of operation, and any algorithms not listed in table 4 above will be rejected by the module while in the approved mode, the tables defined in SP800140B for the following categories are missing from this document:

3 Cryptographic module interfaces

The module’s physical perimeter encompasses the case of the tested platform mentioned in Table 2. The module provides its logical interfaces via Application Programming Interface (API) calls. The module’s logical interfaces provided by the module are mapped onto the FIPS 140-3 interfaces (data input, data output, control input, control output and status output) as follows.

Page 9

Physical Logical Interface Data that passes over port/interface Port N/A Data Input Interface Arguments for an API call that provide the data to be used or processed by the module. N/A Data Output Interface Arguments output from an API call. N/A Control Input Interface Arguments for an API call used to control and configure module operation. N/A Control Output Interface N/A N/A Status Output Interface Return values, and or log messages. Table 5 Ports and Interfaces

4 Roles, services, and authentication

The module supports Crypto Officer (CO) role. The cryptographic module does not provide any authentication methods. The module does not allow concurrent operators. The Crypto Officer is implicitly assumed based on the service requested. The module provides the following services to the Crypto Officer role. Role Service Input Output Crypto Officer Show Status API command to show status Module’s current status Crypto Officer Show Version API commands to show version Module’s name/ID and versioning information Crypto Officer Perform Self-Tests API commands to conduct on- Status of the self-tests results demand Self-Tests Crypto Officer Perform Zeroization API commands to conduct Status of the SSPs zeroization Zeroization operation or Power down the tested platform Crypto Officer Configure Network API Commands to configure Status of the completion of network the module related configuration Crypto Officer Configure IPsec/IKEv2 API commands to configure Status of completion of IPsec/IKEv2 Functions IPsec/IKEv2 secure tunnel configuration Crypto Officer Configure SSHv2 API commands to configure Status of the completion of SSHv2 Function SSHv2 configuration Crypto Officer Configure HTTPS over API commands to configure Status of the completion of HTTPS over TLSv1.2 Function HTTPS over TLSv1.2 TLSv1.2 configuration Crypto Officer Configure IPSec/IKEv2 API commands to configure Status of the completion of HTTPS over Function IPSec/IKEv2 IPSec/IKEv2 configuration Crypto Officer Run SSHv2 Function API commands to execute Status of SSHv2 secure tunnel SSHv2 service establishment Crypto Officer Run HTTPS over API commands to execute Status of HTTPS over TLSv1.2 secure TLSv1.2 Function HTTPS over TLSv1.2 service tunnel establishment Crypto Officer Run IPsec/IKEv2 API command to execute Status of IPsec/IKEv2 secure tunnel Functions IPsec/IKEv2 establishment Table 6 Roles and Services Table 7 below lists all approved services that can be used in the approved mode of operation. The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module. W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A = The service does not access any SSP during its operation.

Page 10

Services Description Approved Keys and /or SSPs Roles Access rights Indicator Security to Keys and/or Functions SSPs Show Provide Module’s N/A N/A Crypto N/A None Status current status Officer Show Provide Module’s N/A N/A Crypto N/A None Version name/ID and Officer versioning information Perform Perform Self-Tests N/A Software Integrity Test Crypto N/A None Self-Tests (Pre-operational Key (non-SSP) Officer self-tests and Conditional SelfTests) Perform Perform N/A All SSPs Crypto Z None Zeroization Zeroization Officer Configure Sets configuration N/A N/A Crypto N/A None Network of the systems Officer Configure Configure SSHv2 AES-CBC; DRBG entropy input; Crypto W, E Global SSHv2 Function CKG; DRBG Seed, Internal Officer Indicator and Function KDF SSH; State V value, and Key; SSHv2 CTR_DRBG; Diffie-Hellman Private configuration HMAC-SHA-1; Key; success KAS-FFC-SSC; Diffie-Hellman Public status KAS (FFC); Key; message RSA KeyGen; Peer Diffie-Hellman RSA SigGen; Public Key; RSA SigVer; Diffie-Hellman Shared Safe Primes Key Secret; Generation; RSA Private Key; SHA-1 RSA Public Key; SSH Session Integrity Key; SSH Session Encryption Key Configure Configure HTTPS AES-CBC; DRBG entropy input; Crypto W, E Global HTTPS over TLSv1.2 AES-GCM; DRBG Seed, Internal Officer Indicator and over Function CKG; State V value, and Key; HTTPS over TLSv1.2 TLS v1.2 KDF EC Diffie-Hellman TLSv1.2 Function RFC7627; Private Key; configuration CTR_DRBG; EC Diffie-Hellman success ECDSA KeyGen; Public Key; status ECDSA KeyVer; Peer EC Diffie-Hellman message ECDSA SigGen; Public Key; ECDSA SigVer; EC Diffie-Hellman HMAC-SHA2- Shared Secret; 256; ECDSA Private Key; HMAC-SHA2- ECDSA Public Key; 384; RSA Private Key; HMAC-SHA2- RSA Public Key; 512; TLS master secret; KAS-ECC-SSC; TLS Session Encryption KAS (ECC); Key; RSA KeyGen; TLS Session Integrity RSA SigGen; Key RSA SigVer; SHA2-256; SHA2-384;

Page 11

Services Description Approved Keys and /or SSPs Roles Access rights Indicator Security to Keys and/or Functions SSPs SHA2-512 Configure Configure AES-CBC; DRBG entropy input; Crypto W,E Global IPsec/IKE IPsec/IKEv2 AES-GCM; DRBG Seed, Internal Officer Indicator v2 Functions CKG; State V value, and Key; with Function CTR_DRBG; Diffie-Hellman Private IPsec/IKEv2 IKE KDF; Key; configuration ECDSA KeyGen; Diffie-Hellman Public success ECDSA KeyVer; Key; status ECDSA SigGen; Peer Diffie-Hellman message ECDSA SigVer; Public Key; HMAC-SHA2- Diffie-Hellman Shared 256; Secret; HMAC-SHA2- EC Diffie-Hellman 384; Private Key; HMAC-SHA2- EC Diffie-Hellman

512 Public Key;

KAS-ECC-SSC; Peer EC Diffie-Hellman KAS (ECC); Public Key; KAS-FFC-SSC; EC Diffie-Hellman KAS (FFC); Shared Secret; RSA KeyGen; ECDSA Private Key; RSA SigGen; ECDSA Public Key; RSA SigVer; RSA Private Key; SafePrimes RSA Public Key; KeyGen; IPSec/IKE Pre-Shared SHA2-256; Secret; SHA2-384; SKEYSEED; SHA2-512 IPSec/IKE Session Encryption key; IPSec/IKE Session Integrity Key Run Execute SSHv2 AES-CBC; DRBG entropy input; Crypto W, E Global SSHv2 Function CKG; DRBG Seed, Internal Officer Indicator and Function KDF SSH; State V value, and Successful CTR_DRBG; Key; SSHv2 log HMAC-SHA-1; Diffie-Hellman Private message KAS-FFC-SSC; Key; KAS (FFC); Diffie-Hellman Public RSA KeyGen; Key; RSA SigGen; Peer Diffie-Hellman RSA SigVer; Public Key; Safe Primes Key Diffie-Hellman Shared Generation; Secret; SHA-1 RSA Private Key; RSA Public Key; SSH Session Integrity Key; SSH Session Encryption Key Run Execute HTTPS AES-CBC; DRBG entropy input; Crypto W, E Global HTTPS over TLSv1.2 AES-GCM; DRBG Seed, Internal Officer Indicator and over Function CKG; State V value, and Successful TLSv1.2 TLS v1.2 KDF Key; HTTPS over Function RFC7627; EC Diffie-Hellman TLSv1.2 log CTR_DRBG; Private Key; message

Page 12

Services Description Approved Keys and /or SSPs Roles Access rights Indicator Security to Keys and/or Functions SSPs ECDSA KeyGen; EC Diffie-Hellman ECDSA KeyVer; Public Key; ECDSA SigGen; Peer EC Diffie-Hellman ECDSA SigVer; Public Key; HMAC-SHA2- EC Diffie-Hellman 256; Shared Secret; HMAC-SHA2- ECDSA Private Key; 384; ECDSA Public Key; HMAC-SHA2- RSA Private Key; 512; RSA Public Key; KAS-ECC-SSC; TLS master secret; KAS (ECC); TLS Session Encryption RSA KeyGen; Key; RSA SigGen; TLS Session Integrity RSA SigVer; Key SHA2-256; SHA2-384; SHA2-512 Run Execute AES-CBC; DRBG entropy input; Crypto W,E Global IPsec/IKE IPsec/IKEv2 AES-GCM; DRBG Seed; Internal Officer Indicator and v2 Functions CKG; State V value; and Successful Function CTR_DRBG; Key; IPsec/IKEv2 ECDSA KeyGen; Diffie-Hellman Private log message ECDSA KeyVer; Key; ECDSA SigGen; Diffie-Hellman Public ECDSA SigVer; Key; KDF IKEv2; Peer Diffie-Hellman HMAC-SHA2- Public Key; 256; Diffie-Hellman Shared HMAC-SHA2- Secret; 384; EC Diffie-Hellman HMAC-SHA2- Private Key;

512 EC Diffie-Hellman

KAS-ECC-SSC; Public Key; KAS (ECC); Peer EC Diffie-Hellman KAS-FFC-SSC; Public Key; KAS (FFC); EC Diffie-Hellman RSA KeyGen; Shared Secret; RSA SigGen; ECDSA Private Key; RSA SigVer; ECDSA Public Key; SafePrimes RSA Private Key; KeyGen; RSA Public Key; SHA2-256; IPSec/IKE Pre-Shared SHA2-384; Secret; SHA2-512 SKEYSEED; IPSec/IKE Session Encryption key; IPSec/IKE Session Integrity Key Table 7 Approved Services As the module can only be operated in the Approved mode of operation, and as such any algorithms not listed in Table 4 above will be rejected by the module while in the approved mode, the required table defined in SP800-140B for Non-Approved Services is missing from this document.

Page 13
5 Software/Firmware security

Integrity techniques The module is provided in the form of binary executable code. To ensure the software security, the module is protected by RSA 2048 modulus with SHA2-512 (RSA and SHA2-512 Cert. #A2952 and #A3376) algorithm. The software integrity test key (non-SSP) was preloaded to the module’s binary by/ at the factory and used for software integrity test only at the pre-operational self-test. At crypto module library initialization, the signature is recalculated and compared to the hardcoded build-time generated signature value. If at load time the signature does not match, the crypto module library exits with error. If failure occurs during self-test, all crypto functionality is disabled. Integrity test on-demand Integrity test is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. The operator can power cycle or reboot the tested platform to initiate the software integrity test on-demand.

6 Operational environment

The module is a software module, which is operated in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module’s software version running on each tested platform is 7.0.5. The module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators.

7 Physical security

The FIPS 140-3 physical security requirements do not apply to the Module since it is a software module.

8 Non-invasive security

Currently, non-invasive security is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module.

9 Sensitive security parameters management

The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module.

Page 14

Key/SSP Strength Security Generation Import/ Esta Storage Zeroization Use & Name Function and Export blish related Type Cert Number ment Keys DRBG 384 bits N/A Obtained from Import to N/A N/A: The Automatic Random entropy the Entropy the module module zeroization Number input Source within via does not when the Generation (CSP) TOEPP (GPS Module’s provide tested INT Pathways) API persistent platform is Export: No keys/SSPs powered storage. down DRBG 256 bits CTR_DRBG Internally Import: No N/A N/A: The Automatic Random Seed, Derived from module zeroization Number Internal Certs. #A2952 entropy input Export: No does not when the Generation State V or #A3376 string as provide tested value, and defined by persistent platform is Key SP800-90Arev1 keys/SSPs powered (CSP) storage. down Diffie- MODP- CKG; Internally Import: No N/A N/A: The Automatic Used to Hellman 2048 CTR_DRBG; generated module zeroization derive Private KAS (FFC); conformant to Export: No does not when the DiffieKey KAS-FFC- SP800-133r2 provide tested Hellman (CSP) SSC; (CKG) using persistent platform is Shared Safe Primes SP800-56A keys/ powered Secret Key rev3 Diffie- SSPs down Generation Hellman key storage. generation Certs. #A2952 method, and the or #A3376 random value used in key generation is generated using SP80090ARev1 DRBG Diffie- MODP- KAS (FFC); Internally Import: No N/A N/A: The Automatic Used to Hellman 2048 KAS-FFC- derived per the module zeroization derive Public Key SSC; Diffie-Hellman Export: to does not when the Diffie(PSP) Safe Primes key agreement the SSH provide tested Hellman Key (SP800- Peer persistent platform is Shared Generation 56Arev3) application keys/ powered Secret SSPs down Certs. #A2952 storage. or #A3376 Peer MODP- KAS (FFC); N/A Import: to N/A N/A: The Automatic Used to Diffie- 2048 KAS-FFC- the Module module zeroization derive Hellman SSC via API does not when the DiffiePublic Key provide tested Hellman (PSP) Certs. #A2952 Export: No persistent platform is Shared or #A3376 keys/SSPs powered Secret storage. down Diffie- MODP- KAS (FFC); Internally Import: No N/A N/A: The Automatic Used to Hellman 2048 KAS-FFC- generated using module zeroization derive SSH Shared SSC SP800-56Arev3 Export: No does not when the session Secret DH shared provide tested related (CSP) Certs. #A2952 secret persistent platform is keys or #A3376 computation keys/SSPs powered storage. down

Page 15

Key/SSP Strength Security Generation Import/ Esta Storage Zeroization Use & Name Function and Export blish related Type Cert Number ment Keys EC Diffie- P-256, P- CKG; Internally Import: No N/A N/A: The Automatic Used to Hellman 384 and CTR_DRBG; generated module zeroization derive EC Private P-521 KAS (ECC); conformant to Export: No does not when the DiffieKey KAS-ECC- SP800-133r2 provide tested Hellman (CSP) SSC; (CKG) using persistent platform is Shared SP800-56A keys/ powered Secret Certs. #A2952 rev3 EC Diffie- SSPs down or #A3376 Hellman key storage. generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG EC Diffie- P-256, P- KAS (ECC); Internally Import: No N/A N/A: The Automatic Used to Hellman 384 and KAS-ECC- derived per the module zeroization derive EC Public Key P-521 SSC; EC Diffie- Export: to does not when the Diffie(PSP) Hellman key the TLS provide tested Hellman Certs. #A2952 agreement Peer persistent platform is Shared or #A3376 (SP800- application keys/ powered Secret 56Arev3) SSPs down storage. Peer EC P-256, P- KAS (ECC); N/A Import: to N/A N/A: The Automatic Used to Diffie- 384 and KAS-ECC- the Module module zeroization derive EC Hellman P-521 SSC; via API does not when the DiffiePublic Key provide tested Hellman (PSP) Certs. #A2952 Export: No persistent platform is Shared or #A3376 keys/SSPs powered Secret storage. down EC Diffie- P-256, P- KAS (ECC); Internally Import: No N/A N/A: The Automatic Used to Hellman 384 and KAS-ECC- generated using module zeroization derive TLS Shared P-521 SSC; SP800-56Ar3 Export: No does not when the session Secret ECDH shared provide tested related (CSP) Certs. #A2952 secret persistent platform is keys or #A3376 computation keys/SSPs powered storage. down ECDSA P-256, P- CKG; Internally Import: No N/A N/A: The Automatic Signature Private 384 and CTR_DRBG generated module zeroization generation Key P-521 ECDSA conformant to Export: No does not when the and (CSP) KeyGen; SP800-133r2 provide tested Verification ECDSA (CKG) using persistent platform is used in TLS KeyVer; FIPS 186-4 keys/SSPs powered or ECDSA ECDSA key storage. down IPSec/IKE SigGen; generation method, and the Certs. #A2952 random value or #A3376 used in key generation is generated using SP800-90Arev1 DRBG

Page 16

Key/SSP Strength Security Generation Import/ Esta Storage Zeroization Use & Name Function and Export blish related Type Cert Number ment Keys ECDSA P-256, P- ECDSA Internally Import: No N/A N/A: The Automatic Signature Public Key 384 and KeyGen; derived per the module zeroization generation (PSP) P-521 ECDSA FIPS 186-4 Export: No does not when the and KeyVer; ECDSA key provide tested Verification ECDSA generation persistent platform is used in TLS SigVer; method keys/SSPs powered or storage. down IPSec/IKE Certs. #A2952 or #A3376 RSA 2048 and CKG; Internally Import: No N/A N/A: The Automatic Signature Private 3072 bits CTR_DRBG; generated module zeroization generation Key RSA KeyGen; conformant to Export: No does not when the and (CSP) RSA SigGen; SP800-133r2 provide tested Verification (CKG) using persistent platform is used in SSH, Certs. #A2952 FIPS 186-4 keys/SSPs powered TLS or or #A3376 RSA key storage. down IPSec/IKE generation method, and the random value used in the key generation is generated using SP800-90Arev1 DRBG RSA 2048 and KeyGen; Internally Import: No N/A N/A: The Automatic Signature Public Key 3072 bits RSA SigVer; derived per the module zeroization generation (PSP) FIPS 186-4 Export: No does not when the and Certs. #A2952 RSA key provide tested Verification or #A3376 generation persistent platform is used in SSH, method keys/SSPs powered TLS or storage. down IPSec/IKE SSH 160 bits KDF SSH; Internally Import: No N/A N/A: The Automatic Used for Session HMAC-SHA- Derived per the module zeroization SSH Integrity 1; key derivation Export: No does not when SSH session Key function provide session is integrity (CSP) Certs. #A2952 defined in persistent terminated or protection. or #A3376 SP800-135 keys/SSPs when the KDF (KDF storage. tested SSH). platform is powered down SSH 128/256 AES-CBC; Internally Import: No N/A N/A: The Automatic Used for SSH Session bits KDF SSH; Generated via module zeroization session Encryption key derivation Export: No does not when SSH confidentiality Key Certs. #A2952 function provide session is protection (CSP) or #A3376 defined in persistent terminated or SP800-135 keys/SSPs when the KDF (KDF storage. tested SSH) platform is powered down

Page 17

Key/SSP Strength Security Generation Import/ Esta Storage Zeroization Use & Name Function and Export blish related Type Cert Number ment Keys TLS 48 Bytes TLS v1.2 KDF Internally Import: No N/A N/A: The Automatic Keying Master RFC7627; Derived per the module zeroization material Secret key derivation Export: No does not when TLS used to (CSP) Certs. #A2952 function provide session is derive or #A3376 defined in TLS persistent terminated or other TLS v1.2 KDF keys/SSPs when the keys RFC7627 storage. tested platform is powered down TLS 128/256 AES-CBC; Internally Import: No N/A N/A: The Automatic Used for TLS Session bits AES-GCM; Derived per the module zeroization session Encryption TLS v1.2 KDF key derivation Export: No does not when TLS confidentiality Key RFC7627; function provide session is protection (CSP) defined in TLS persistent terminated or Certs. #A2952 v1.2 KDF keys/SSPs when the or #A3376 RFC7627 storage. tested platform is powered down TLS 256-384 TLS v1.2 KDF Internally Import: No N/A N/A: The Automatic Used for Session bits RFC7627; Derived per the module zeroization TLS Integrity HMAC- key derivation Export: No does not when TLS session Key SHA2-256; function provide session is integrity (CSP) HMAC- defined in TLS persistent terminated or protection SHA2-384; v1.2 KDF keys/SSPs when the RFC7627 storage. tested Certs. #A2952 platform is or #A3376 powered down IPSec/IKE At least 8 N/A N/A Import to MD/ N/A. The Zeroized by Used for Pre-Shared characters the Module EE module SSP/CSP/PS IPSec/IKE Secret wrapped does not P Zeroization peer (CSP) with TLS provide Command authenticati or SSH persistent on session keys/ keys SSPs storage Export: No SKEYSEE 160 bits KDF IKEv2; N/A Import: No N/A N/A. The Zeroized Used for D (CSP) module when IPSec/IKE Certs. #A2952 Export: No does not IPSec/IKE Session or #A3376 provide session is Encryption persistent terminated or Key and keys/ when the Session SSPs tested Integrity storage platform is Key powered derivation down IPSec/IKE 128/256 AES-CBC; Internally Import: No N/A N/A: The Zeroized Used to Session bits AES-GCM; derived per the module when secure Encryption KDF IKEv2; key derivation Export: No does not IPSec/IKE IPSec/IKE Key (CSP) function session is session provide Certs. #A2952 defined in terminated or confidentia or #A3376 SP800-135 persistent when the lity,

Page 18

Key/SSP Strength Security Generation Import/ Esta Storage Zeroization Use & Name Function and Export blish related Type Cert Number ment Keys KDF (KDF keys/SSPs tested IKEv2). storage platform is powered down IPSec/IKE 160-512 KDF IKEv2 Internally Import: No N/A N/A: The Zeroized Used to Session bits HMAC- derived per the module when secure Integrity SHA2-256; key derivation Export: No does not IPSec/IKE IPSec/IKE Key (CSP) HMAC- function session is session provide SHA2-384; defined in terminated or integrity HMAC- SP800-135 persistent when the SHA2-521; KDF (KDF keys/SSPs tested IKEv2). storage platform is Certs. #A2952 powered or #A3376 down Table 8 SSPs RBG entropy source Entropy sources Minimum number Details of bits of entropy Entropy within the At least 112 bits While operating in the Approved Mode, the entropy and seeding material for TOEPP was the SP800-90Arev1 DRBG are provided by the external calling application passively loaded (and not by the Module) which is outside the Module’s Cryptographic into the Module to boundary but contained within the Module’s Tested Operational seed the SP800- Environment’s Physical Perimeter (TOEPP) boundary. The module receives a 90Arev1 DRBG by LOAD command with entropy obtained from the entropy source (Intel CPU the Operating processor with instructions RDRand) inside the TOEPP. The minimum System effective strength of the SP800-90ARev1 DRBG seed is required to be at least

112 bits when used in an approved mode of operation, therefore the minimum

number of bits of entropy requested when the Module makes a call to the SP800-90ARev1 DRBG is at least 112 bits. Per the IG 9.3.A Entropy Caveats, the following caveat applies: When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). Table 9 Non-Deterministic Random Number Generation Specification

10 Self-tests

When the module is loaded or instantiated (after being powered off, rebooted, etc.), the module runs preoperational self-tests. The operating system is responsible for the initialization process and loading of the library. The module is designed with a default entry point (DEP) which ensures that the self-tests are initiated automatically when the module is loaded. Prior to the module providing any data output via the data output interface, the module performs and passes the pre-operational self-tests. Following the successful pre-operational self-tests, the module executes the Conditional Cryptographic Algorithm Selftests (CASTs). The self-test success or failure results are an output of the return value of the library load API call, which is functioning as the self-test status indicator. If any one of the self-tests fails, the module transitions into an error state and outputs the error message via the module’s status output interface. While the module is in the error state, all data through the data output interface and all cryptographic operations are disabled.

Page 19

The error state can only be cleared by reloading the module. All self-tests must be completed successfully before the module transitions to the operational state. Below are the details of the self-tests conducted by the module. Pre-operational self-tests:

Page 20
11 Life-cycle assurance

Secure operations The module meets all the Level 1 requirements for FIPS 140-3. The validated module’s executable file Cisco_Firepower_Threat_Defense_Virtual-7.0.5-72.vmdk is the only allowable software image file running on the respective test platform listed in Table 2 above while in the Approved Mode. The Crypto Officer must configure and enforce the following initialization steps:

  1. Review the Setup wizard settings. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
  2. Complete the system configuration as prompted.
  3. The VMware console may display messages as your settings are implemented. When finished, the device reminds you to register this device to a Cisco Firepower Management Center, and displays the CLI prompt.
  4. Verify the setup was successful when the console returns to the firepower # prompt. Note: To successfully register the Firepower Threat Defense Virtual with the Cisco Licensing Authority, the Firepower Threat Defense Virtual requires Internet access.
  5. Log into FTDv SSH and enter show network.
  6. Register the module into Firepower Management Center (FMC) for the further configuration.
  7. System >Licenses>Smart Licenses, add and verify licenses.
  8. Install AES SMART license to use AES (for data traffic and SSH).
  9. On FMC, go to Device >> Platform setting associated to the FTD IP. Then create and select CC option and save. This sets the approved mode of operation.
  10. Reboot the module.
12 Mitigation of other attacks

The requirements under INCITS+ISO+IEC 19790+2012[2014], section 7.12 “Mitigation of other attacks”, are not applicable to the module since the module currently does not support any mitigation of other attacks services.