All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Adaptive Security Appliance Virtual Cryptographic Module

Certificate#4712StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorCisco Systems, Inc.
Critical review priority  ·  no TCB surface named  ·  last validated 25 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorCisco Systems, Inc.

Approved Algorithms (48)

AlgorithmACVP Cert
AES-CBCA2952
AES-CBCA3376
AES-GCMA2952
AES-GCMA3376
Counter DRBGA2952
Counter DRBGA3376
ECDSA KeyGen (FIPS186-4)A2952
ECDSA KeyGen (FIPS186-4)A3376
ECDSA KeyVer (FIPS186-4)A2952
ECDSA KeyVer (FIPS186-4)A3376
ECDSA SigGen (FIPS186-4)A2952
ECDSA SigGen (FIPS186-4)A3376
ECDSA SigVer (FIPS186-4)A2952
ECDSA SigVer (FIPS186-4)A3376
HMAC-SHA-1A2952
HMAC-SHA-1A3376
HMAC-SHA2-256A2952
HMAC-SHA2-256A3376
HMAC-SHA2-384A2952
HMAC-SHA2-384A3376
HMAC-SHA2-512A2952
HMAC-SHA2-512A3376
KAS-ECC-SSC Sp800-56Ar3A2952
KAS-ECC-SSC Sp800-56Ar3A3376
KAS-FFC-SSC Sp800-56Ar3A2952
KAS-FFC-SSC Sp800-56Ar3A3376
KDF IKEv2A2952
KDF IKEv2A3376
KDF SSHA2952
KDF SSHA3376
RSA KeyGen (FIPS186-4)A2952
RSA KeyGen (FIPS186-4)A3376
RSA SigGen (FIPS186-4)A2952
RSA SigGen (FIPS186-4)A3376
RSA SigVer (FIPS186-4)A2952
RSA SigVer (FIPS186-4)A3376
Safe Primes Key GenerationA2952
Safe Primes Key GenerationA3376
SHA-1A2952
SHA-1A3376
SHA2-256A2952
SHA2-256A3376
SHA2-384A2952
SHA2-384A3376
SHA2-512A2952
SHA2-512A3376
TLS v1.2 KDF RFC7627A2952
TLS v1.2 KDF RFC7627A3376

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Adaptive Security Appliance Virtual Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery<br/>upgrade</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Adaptive Security Appliance Virtual Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery<br/>upgrade</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Cisco Systems, Inc. ISO/IEC 19790 and FIPS 140-3 Non-Proprietary Security Policy for Adaptive Security Appliance Virtual Cryptographic Module Last Updated: June 17, 2024, Version 0.4 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Page 2

Table of Content List of Figures List of Tables

Page 3
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A

Virtual Cryptographic Module (hereinafter referred to as ASAv or the Module), software version 9.16.4. The following details how this module meets the security requirements of FIPS 140-3, The security requirements cover areas related to the design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic actual security levels for each area of the cryptographic module. N/A N/A N/A Table 1 Security Levels The module has an overall security level of 1. The Module is a multi-chip standalone software module deployed as the virtualized version of the Cisco Firepower Threat Defense which houses ASA, FX-OS and Firepower solutions with underlying operating system identified as Linux 4 (also referred to as Firepower eXtensible Operating System or FX-OS throughout this document). This solution offers the combination of the industry's most deployed stateful firewall with a comprehensive range of next-generation network security services, intrusion prevention system (IPS), content security, secure unified communications, TLSv1.2, SSHv2, IPSec/IKEv2 and Cryptographic Cipher Suite B, which delivers enterprise-class security for business-to-enterprise networks in a virtual environment. The module has been tested on the following Operational Environments.

Page 4
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai
1Linux 4 (FX-OS) on VMware ESXi 6.7UCS C220 M5 SFF ServerINTEL Skylake 6128 (Skylake)With PAA1
2Linux 4 (FX-OS) on VMware ESXi 6.7UCS C220 M5 SFF ServerINTEL Skylake 6128 (Skylake)Without PAA2
3Linux 4 (FX-OS) on VMware ESXi 7.0UCS C220 M5 SFF ServerINTEL Skylake 6128 (Skylake)With PAA3
4Linux 4 (FX-OS) on VMware ESXi 7.0UCS C220 M5 SFF ServerINTEL Skylake 6128 (Skylake)Without PAA4
5Linux 4 (FX-OS) on NFVIS 4.4ENCS 5412 ServerIntel Xeon Processor D-1557 (Broadwell)With PAA5
6Linux 4 (FX-OS) on NFVIS 4.4ENCS 5412 ServerIntel Xeon Processor D-1557 (Broadwell)Without PAA6

# Table 2 Tested Operational Environment Figure 1 UCS C220 M5 front view with Bezel Figure 2 UCS C220 M5 front view without Bezel Figure 3 UCS C220 M5 rear view Figure 4 ENCS 5412 front view1 Figure 5 ENCS 5412 rear view

1 https://www.cisco.com/c/dam/global/da_dk/assets/training/seminaria-materials/enterprise_network_compute_system_encs_.pdf

Page 5
Module configuration
NameOperating SystemHardware Platform
1Linux 4 (FX-OS)C220 M5 w/KVM/AWS1
2Linux 4 (FX-OS)C240 M5 w/ESXi/KVM/AWS2
3Linux 4 (FX-OS)C480 M5 w/ESXi/KVM/AWS3
4Linux 4 (FX-OS)E160-M3 w/ESXi/KVM/AWS4
5Linux 4 (FX-OS)E180D-M3 w/ESXi/KVM/AWS5
6Linux 4 (FX-OS)ENCS 54066
7Linux 4 (FX-OS)ENCS 54087
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197; SP800-38A]A2952 and A3376CBCKey Length: 128 and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP 800-38D]A2952 and A3376GCMKey Length: 128 and 256 bitsAuthenticated symmetric encryption and decryption
KDF SSH [SP 800-135rev1] (CVL)A2952 and A3376KDF SSHN/AKey derivation function used in SSHv2
TLS v1.2 KDF RFC7627 [RFC7627] (CVL)A2952 and A3376TLS v1.2 KDF with RFC7627N/AKey derivation function used in TLSv1.2 (RFC7627) with extended master secret
KDF IKEv2 [SP 800-135rev1] (CVL)A2952 and A3376KDF IKEv2N/AKey derivation function used in IPSec/IKEv2
CTR_DRBG [SP 800-90Arev1]A2952 and A3376AES-256 Derivation Function Enabled; Prediction Resistance: YesN/ADeterministic Random Bit Generators (DRBG); uses an algorithm to produce random output
ECDSA [FIPS 186-4]A2952 and A3376ECDSA KeyGenCurves: P-256, P-384, P-521ECDSA keypair generation
ECDSA [FIPS 186-4]A2952 and A3376ECDSA KeyVerCurves: P-256, P-384, P-521ECDSA keypair verification
ECDSA [FIPS 186-4]A2952 and A3376ECDSA SigGenCurves: P-256, P-384, P-521ECDSA signature generation
ECDSA [FIPS 186-4]A2952 and A3376ECDSA SigVerCurves: P-256, P-384, P-521ECDSA signature verification
HMAC [FIPS 198-1]A2952 and A3376HMAC-SHA-1Key Length: 112 bits or greaterKeyed hash
HMAC [FIPS 198-1]A2952 and A3376HMAC-SHA2-256Key Length: 112 bits or greaterKeyed hash
HMAC [FIPS 198-1]A2952 and A3376HMAC-SHA2-384Key Length: 112 bits or greaterKeyed hash
HMAC [FIPS 198-1]A2952 and A3376HMAC-SHA2-512Key Length: 112 bits or greaterKeyed hash
KAS-SSC [SP 800-56Arev3]A2952 and A3376KAS-ECC-SSC: Scheme: ephemeralUnified: KAS Role: initiator, responderCurves: P-256, P-384, P-521KAS-ECC shared secret computation
KAS [SP800-56Arev3]A2952 and A3376KAS (ECC): Scheme: ephemeralUnified KAS Role: initiator, responder KAS (KAS-SSC Cert. #A2952, TLSv1.2 KDF RFC7627 Cert. A#2952, or KDF IKEv2 Cert. #A2952) KAS (KAS-SSC Cert. #A3376, TLSv1.2 KDF RFC7627 Cert. A#3376, or KDF IKEv2 Cert. #A3376)Curves: P-256, P-384 and P-521 with TLSv1.2 KDF RFC 7627, or KDF IKEv2 (SP800-135rev1) Key establishment methodology provides between 128 and 256 bits of encryption strengthKey Agreement Scheme per SP800-56Arev3 with key derivation function (SP800- 135rev1) Note: The module’s KAS (ECC) implementation is FIPS 140-3 IG D.F Scenario 2 (path 2) compliant
KAS-SSC [SP 800-56Arev3]A2952 and A3376KAS-FFC-SSC: Scheme: dhEphem: KAS Role: initiator, responderMODP-2048KAS-FFC shared secret computation
KAS [SP 800-56Arev3]A2952 and A3376KAS (FFC): Scheme: dhEphem KAS Role: initiator, responder KAS (KAS-SSC Cert. #A2952, KDF SSH Cert. #A2952, or KDF IKEv2 Cert. #A2952) KAS (KAS-SSC Cert. #A3376, KDF SSH Cert. #A3376, or KDF IKEv2 Cert. #A3376)MODP-2048 with KDF SSH or KDF IKEv2 (SP800- 135rev1) Key establishment methodology provides 112 bits of encryption strengthKey Agreement Scheme per SP800-56Arev3 with key derivation function (SP800- 135rev1) Note: The module’s KAS (FFC) implementation is FIPS 140-3 IG D.F Scenario 2 (path 2) compliant
RSA [FIPS 186-4]A2952 and A3376RSA KeyGen: - Mode: B.3.4 - 2048/3072 modulusModulus: 2048/3072RSA keypair generation
RSA [FIPS 186-4]A2952 and A3376RSA SigGen: - PKCSv1.5 - 2048/3072 modulus with SHA-256/384/512Modulus: 2048/3072RSA signature generation
RSA [FIPS 186-4]A2952 and A3376RSA SigVer: - PKCSv1.5 - 2048/3072 modulus with SHA-256/384/512Modulus: 2048/3072RSA signature verification
Safe Primes Key Generation [SP 800-56Arev3]A2952 and A3376KeyGen for KAS-SSC (FFC)Safe Prime Groups: MODP-2048KAS-FFC Keypair domain parameters generation
SHS [FIPS 180-4]A2952 and A3376SHA-1N/AMessage digest Note: SHA-1 is not used for digital signature generation
SHS [FIPS 180-4]A2952 and A3376SHA2-256N/AMessage digest
SHS [FIPS 180-4]A2952 and A3376SHA2-384N/AMessage digest
SHS [FIPS 180-4]A2952 and A3376SHA2-512N/AMessage digest
CKG (SP800-133rev2)Vendor AffirmedSection 5.1, Section 5.2Cryptographic Key Generation; SP 800- 133rev2 and IG D.H.Key generation. Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800- 90Arev1 CTR_DRBG.

# Table 3 Vendor Affirmed Operational Environments The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate. Modes of operation The module has one approved mode of operation and is always in the approved mode of operation after initial operations are performed (See Section 11). The module does not claim implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module. The table below lists all Approved or Vendor-affirmed security functions of the module, including specific key size(s) -in bits unless otherwise noted- employed for approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in this table. N/A N/A N/A N/A

Page 7

N/A N/A N/A N/A Table 4 Approved Algorithms Notes:

Page 8
Page 9
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData Input InterfaceArguments for an API call that provide the data to be used or processed by the module.
N/AN/AData Output InterfaceArguments output from an API call.
N/AN/AControl Input InterfaceArguments for an API call used to control and configure module operation.
N/AN/AControl Output InterfaceN/A
N/AN/AStatus Output InterfaceReturn values, and/or log messages.
Service
NameRolesInputOutput
Show StatusCrypto OfficerAPI command to show statusModule’s current status
Show VersionCrypto OfficerAPI commands to show versionModule’s name/ID and versioning information
Perform Self-TestsCrypto OfficerAPI commands to conduct on- demand Self-TestsStatus of the self-tests results
Perform ZeroizationCrypto OfficerAPI commands to conduct Zeroization operation or Power down the tested platformStatus of the SSPs zeroization
Configure NetworkCrypto OfficerAPI Commands to configure the moduleStatus of the completion of network related configuration
Configure Bypass capabilityCrypto OfficerAPI Commands to configure the Bypass capabilityStatus of the completion of Bypass capability configuration
Configure IPsec/IKEv2 FunctionsCrypto OfficerAPI commands to configure IPsec/IKEv2Status of completion of IPsec/IKEv2 secure tunnel configuration
Configure SSHv2 FunctionCrypto OfficerAPI commands to configure SSHv2Status of the completion of SSHv2 configuration
Configure HTTPS over TLSv1.2 FunctionCrypto OfficerAPI commands to configure HTTPS over TLSv1.2Status of the completion of HTTPS over TLSv1.2 configuration
Run SSHv2 FunctionCrypto OfficerAPI commands to execute SSHv2 serviceStatus of SSHv2 secure tunnel establishment
Run IPsec/IKEv2 FunctionsCrypto OfficerAPI command to execute IPsec/IKEv2Status of IPsec/IKEv2 secure tunnel establishment
Page 10
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorA r K a S
Show StatusProvide Module’s current statusCrypto OfficerN/AN/ANoneN/A
Show VersionProvide Module’s name/ID and versioning informationCrypto OfficerN/AN/ANoneN/A
Perform Self-TestsPerform Self- Tests (Pre- operational self- tests and Conditional Self- Tests)Crypto OfficerSoftware Integrity Test Key (non-SSP)N/ANoneN/A
Perform ZeroizationPerform ZeroizationCrypto OfficerAll SSPsN/ANoneZ
Configure NetworkSets configuration of the systemsCrypto OfficerN/AN/ANoneN/A
Configure Bypass capabilitySets the Bypass capabilityCrypto OfficerN/AN/ANoneN/A
Configure SSHv2 FunctionConfigure SSHv2 FunctionCrypto OfficerDRBG entropy input; DRBG Seed, Internal State V value, and Key; Diffie-Hellman Private Key; Diffie-Hellman Public Key; Peer Diffie-Hellman Public Key; Diffie-Hellman Shared Secret; RSA Private Key; RSA Public Key; SSH Session Integrity Key;AES-CBC; CKG; KDF SSH; CTR_DRBG; HMAC-SHA-1; KAS-FFC-SSC; KAS (FFC); RSA KeyGen; RSA SigGen; RSA SigVer; Safe Primes Key Generation; SHA-1Global Indicator and SSHv2 configuration success status messageW, E
Configure HTTPS over TLSv1.2 FunctionConfigure HTTPS over TLSv1.2 FunctionCrypto OfficerDRBG entropy input; DRBG Seed, Internal State V value, and Key; EC Diffie-Hellman Private Key; EC Diffie-Hellman Public Key; Peer EC Diffie-Hellman Public Key; EC Diffie-Hellman Shared Secret; ECDSA Private Key; ECDSA Public Key; RSA Private Key; RSA Public Key; TLS master secret; TLS Session Encryption Key; TLS Session Integrity KeyAES-CBC; AES-GCM CKG; TLS v1.2 KDF RFC7627; CTR_DRBG ECDSA KeyGen; ECDSA KeyVer; ECDSA SigGen; ECDSA SigVer; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-ECC-SSC; KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; SHA2-256; SHA2-384; SHA2-512Global Indicator and HTTPS over TLSv1.2 configuration success status messageW, E
Configure IPsec/IKE v2 FunctionConfigure IPsec/IKEv2 FunctionsCrypto OfficerDRBG entropy input; DRBG Seed; Internal State V value; and Key; Diffie-Hellman Private Key; Diffie-Hellman Public Key; Peer Diffie-Hellman Public Key; Diffie-Hellman Shared Secret; EC Diffie-Hellman Private Key; EC Diffie-Hellman Public Key; Peer EC Diffie-Hellman Public Key; EC Diffie-Hellman Shared Secret; ECDSA Private Key; ECDSA Public Key; RSA Private Key; RSA Public Key; IPSec/IKE Pre-Shared Secret; SKEYSEED; IPSec/IKE Session Encryption key;AES-CBC; AES-GCM; CKG; CTR_DRBG; KDF IKEv2; ECDSA KeyGen; ECDSA KeyVer; ECDSA SigGen; ECDSA SigVer; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512 KAS-ECC-SSC; KAS (ECC); KAS-FFC-SSC; KAS (FFC); RSA KeyGen; RSA SigGen; RSA SigVer; SafePrimes KeyGen; SHA2-256; SHA2-384; SHA2-512Global Indicator with IPsec/IKEv2 configuration success status messageW, E
Run SSHv2 FunctionExecute SSHv2 FunctionCrypto OfficerDRBG entropy input; DRBG Seed, Internal State V value, and Key; Diffie-Hellman Private Key; Diffie-Hellman Public Key; Peer Diffie-Hellman Public Key; Diffie-Hellman Shared Secret; RSA Private Key; RSA Public Key; SSH Session Integrity Key; SSH Session Encryption KeyAES-CBC; CKG; KDF SSH; CTR_DRBG; HMAC-SHA-1; KAS-FFC-SSC; KAS (FFC); RSA KeyGen; RSA SigGen; RSA SigVer; Safe Primes Key Generation; SHA-1Global Indicator and Successful SSHv2 log messageW, E
Run HTTPS over TLSv1.2 FunctionExecute HTTPS over TLSv1.2 FunctionCrypto OfficerDRBG entropy input; DRBG Seed, Internal State V value, and Key; EC Diffie-Hellman Private Key; EC Diffie-Hellman Public Key; Peer EC Diffie-Hellman Public Key; EC Diffie-Hellman Shared Secret; ECDSA Private Key; ECDSA Public Key; RSA Private Key; RSA Public Key; TLS master secret; TLS Session Encryption Key; TLS Session Integrity KeyAES-CBC; AES-GCM; CKG; TLS v1.2 KDF RFC7627; CTR_DRBG; ECDSA KeyGen; ECDSA KeyVer; ECDSA SigGen; ECDSA SigVer; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-ECC-SSC; KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; SHA2-256; SHA2-384; SHA2-512Global Indicator and Successful HTTPS over TLSv1.2 log messageW, E
Run IPsec/IKE v2 FunctionExecute IPsec/IKEv2 FunctionsCrypto OfficerDRBG entropy input; DRBG Seed; Internal State V value; and Key; Diffie-Hellman Private Key; Diffie-Hellman Public Key; Peer Diffie-Hellman Public Key; Diffie-Hellman Shared Secret;AES-CBC; AES-GCM; CKG; CTR_DRBG; CVL (IKE-KDF); ECDSA KeyGen; ECDSA KeyVer; ECDSA SigGen; ECDSA SigVer; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512Global Indicator and Successful IPsec/IKEv2 log messageW, E
KAS-ECC-SSC; KAS (ECC); KAS-FFC-SSC; KAS (FFC); RSA KeyGen; RSA SigGen; RSA SigVer; SafePrimes KeyGen; SHA2-256; SHA2-384; SHA2-512EC Diffie-Hellman Private Key; EC Diffie-Hellman Public Key; Peer EC Diffie-Hellman Public Key; EC Diffie-Hellman Shared Secret; ECDSA Private Key; ECDSA Public Key; RSA Private Key; RSA Public Key; IPSec/IKE Pre-Shared Secret; SKEYSEED; IPSec/IKE Session Encryption key; IPSec/IKE Session Integrity KeyKAS-ECC-SSC; KAS (ECC); KAS-FFC-SSC; KAS (FFC); RSA KeyGen; RSA SigGen; RSA SigVer; SafePrimes KeyGen; SHA2-256; SHA2-384; SHA2-512
Run Bypass capabilityExecute Bypass capabilityCrypto OfficerN/AN/ANoneN/A
Crypto OfficerRun Bypass capabilityAPI command to execute Bypass capabilityStatus of Bypass capability

Table 7 below lists all approved services that can be used in the approved mode of operation. The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module. W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. N/A = The service does not access any SSP during its operation. Perform SelfSelf-Tests Tests (Preoperational selftests and Conditional SelfTests) N/A N/A N/A N/A N/A Access rights to N/A N/A Z N/A N/A N/A N/A N/A N/A W, E

Page 13

N/A N/A Access rights to N/A As the module can only be operated in the Approved mode of operation, and as such any algorithms not listed in Table 4 above will be rejected by the module while in the approved mode, the required table defined in SP800-140B for Non-Approved Services is missing from this document. Software/Firmware security Integrity techniques The module is provided in the form of binary executable code. To ensure the software security, the module is protected by RSA 2048 bits with SHA2-512 (RSA and SHA2-512 Cert. #A2952 and #A3376) algorithm. The software integrity test key (non-SSP) was preloaded to the module’s binary by/at the factory and used for software integrity test only at the pre-operational self-test. At crypto module library initialization, the signature is recalculated and compared to the hardcoded build-time generated signature value. If at load time the signature does not match, the crypto module library exits with error. If failure occurs during self-test, all crypto functionality is disabled. Integrity test on-demand Integrity test is performed as part of the pre-operational self-test. It is automatically executed at power-on. The operator can power cycle or reboot the tested platform to initiate the software integrity test on-demand.

Page 14
Sensitive security parameter
NameStrengthGenerationStorageZeroizationUseImport Export
DRBG entropy input (CSP)384 bitsObtained from the Entropy Source within TOEPP (GPS INT Pathways)N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downRandom Number GenerationImport to the module via Module’s API Export: NoDRBG entropy input (CSP)N/AN/A
DRBG Seed, Internal State V value, and Key (CSP)256 bitsInternally Derived from entropy input string as defined by SP800- 90Arev1N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downRandom Number GenerationImport: No Export: NoDRBG Seed, Internal State V value, and Key (CSP)CTR_DRBG Certs. #A2952 or #A3376N/A
Diffie- Hellman Private Key (CSP)MODP- 2048Internally generated conformant to SP800-133r2 (CKG) using SP800-56A rev3 Diffie-Hellman key generationN/A: The module does not provide persistent keys/ SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive Diffie- Hellman Shared SecretImport: No Export: NoDiffie- Hellman Private Key (CSP)CKG; CTR_DRBG; KAS (FFC); KAS-FFC- SSC; Safe Primes Key GenerationN/A
Certs. #A2952 or #A3376method, and the random value used in key generation is generated using SP800-90ARev1 DRBGCerts. #A2952 or #A3376
Diffie- Hellman Public Key (PSP)MODP- 2048Internally derived per the Diffie-Hellman key agreement (SP800- 56Arev3)N/A: The module does not provide persistent keys/ SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive Diffie- Hellman Shared SecretImport: No Export: to the SSH Peer applicationDiffie- Hellman Public Key (PSP)KAS (FFC); KAS-FFC- SSC; Safe Primes Key Generation Certs. #A2952 or #A3376N/A
Peer Diffie- Hellman Public Key (PSP)MODP- 2048N/AN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive Diffie- Hellman Shared SecretImport: to the Module via API Export: NoPeer Diffie- Hellman Public Key (PSP)KAS (FFC); KAS-FFC-SSC Certs. #A2952 or #A3376N/A
Diffie- Hellman Shared Secret (CSP)MODP- 2048Internally generated using SP800-56Arev3 DH shared secret computationN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive SSH session related keysImport: No Export: NoDiffie- Hellman Shared Secret (CSP)KAS (FFC); KAS-FFC-SSC Certs. #A2952 or #A3376N/A
EC Diffie- Hellman Private Key (CSP)P-256, P-384 and P- 521Internally generated conformant to SP800-133r2 (CKG) using SP800-56A rev3 EC Diffie- Hellman key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBGN/A: The module does not provide persistent keys/ SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive EC Diffie- Hellman Shared SecretImport: No Export: NoEC Diffie- Hellman Private Key (CSP)CKG; CTR_DRBG; KAS (ECC); KAS-ECC-SSC Certs. #A2952 or #A3376N/A
EC Diffie- Hellman Public Key (PSP)P-256, P-384 and P- 521Internally derived per the EC Diffie- Hellman key agreement (SP800- 56Arev3)N/A: The module does not provide persistent keys/ SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive EC Diffie- Hellman Shared SecretImport: No Export: to the TLS Peer applicationEC Diffie- Hellman Public Key (PSP)KAS (ECC); KAS-ECC-SSC Certs. #A2952 or #A3376N/A
Peer EC Diffie- Hellman Public Key (PSP)P-256, P-384 and P- 521N/AN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive EC Diffie- Hellman Shared SecretImport: to the Module via API Export: NoPeer EC Diffie- Hellman Public Key (PSP)KAS (ECC); KAS-ECC-SSC Certs. #A2952 or #A3376N/A
EC Diffie- Hellman Shared Secret (CSP)P-256, P-384 and P- 521Internally generated using SP800-56Ar3 ECDH shared secret computationN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downUsed to derive TLS session related keysImport: No Export: NoEC Diffie- Hellman Shared Secret (CSP)KAS (ECC); KAS-ECC-SSC Certs. #A2952 or #A3376N/A
ECDSA Private Key (CSP)P-256, P-384 and P- 521Internally generated conformant to SP800-133r2 (CKG) using FIPS 186-4 ECDSA key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBGN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downSignature generation and Verification used in TLS or IPSec/IKEImport: No Export: NoECDSA Private Key (CSP)CKG; CTR_DRBG ECDSA KeyGen; ECDSA KeyVer; ECDSA SigGen; Certs. #A2952 or #A3376N/A
ECDSA Public Key (PSP)P-256, P-384 and P- 521Internally derived per the FIPS 186-4 ECDSA key generation methodN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downSignature generation and Verification used in TLS or IPSec/IKEImport: No Export: NoECDSA Public Key (PSP)ECDSA KeyGen; ECDSA KeyVer; ECDSA SigVer; Certs. #A2952 or #A3376N/A
RSA Private Key (CSP)2048 and 3072 bitsInternally generated conformant to SP800-133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in the key generation is generated using SP800-90Arev1 DRBGN/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when the tested platform is powered downSignature generation and Verification used in SSH, TLS or IPSec/IKEImport: No Export: NoRSA Private Key (CSP)CKG; CTR_DRBG; RSA KeyGen; RSA SigGen; Certs. #A2952 or #A3376N/A
RSA Public Key (PSP)2048 andInternally derived per the FIPS 186-4 RSAN/A: The module does notAutomatic zeroization when theSignature generation and VerificationImport: No Export: NoRSA Public Key (PSP)KeyGen; RSA SigVer;N/A
3072 bits3072 bitskey generation methodprovide persistent keys/SSPs storage.tested platform is powered downused in SSH, TLS or IPSec/IKECerts. #A2952 or #A3376
SSH Session Integrity Key (CSP)160 bitsInternally Derived per the key derivation function defined in SP800-135 KDF (KDF SSH).N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when SSH session is terminated or when the tested platform is powered downUsed for SSH session integrity protection.Import: No Export: NoSSH Session Integrity Key (CSP)KDF SSH; HMAC-SHA-1 Certs. #A2952 or #A3376N/A
SSH Session Encryption Key (CSP)128/256 bitsInternally Generated via key derivation function defined in SP800-135 KDF (KDF SSH)N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when SSH session is terminated or when the tested platform is powered downUsed for SSH session confidentiality protectionImport: No Export: NoSSH Session Encryption Key (CSP)AES-CBC; KDF SSH; Certs. #A2952 or #A3376N/A
TLS Master Secret (CSP)48 BytesInternally Derived per the key derivation function defined in SP800-135 KDF (KDF-TLS v1.2 RFC7627)N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when TLS session is terminated or when the tested platform is powered downKeying material used to derive other TLS keysImport: No Export: NoTLS Master Secret (CSP)Keying MaterialN/A
TLS Session Encryption Key (CSP)128/256 bitsInternally Derived per the key derivation function defined in SP800-135 KDF (TLS v1.2 KDF RFC7627)N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when TLS session is terminated or when the tested platform is powered downUsed for TLS session confidentiality protectionImport: No Export: NoTLS Session Encryption Key (CSP)AES-CBC; AES-GCM; TLS v1.2 KDF RFC7627; Certs. #A2952 or #A3376N/A
TLS Session Integrity Key (CSP)256-384 bitsInternally Derived per the key derivation function defined in SP800-135 KDF (TLS v1.2 KDF RFC7627)N/A: The module does not provide persistent keys/SSPs storage.Automatic zeroization when TLS session is terminated or when the tested platform is powered downUsed for TLS session integrity protectionImport: No Export: NoTLS Session Integrity Key (CSP)HMAC-SHA2- 256; HMAC-SHA2- 384; TLS v1.2 KDF RFC7627; Certs. #A2952 or #A3376N/A
IPSec/IKE Pre-Shared Secret (CSP)At least 8 charactersN/AN/A. The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PS P Zeroization CommandUsed for IPSec/IKE peer authenticationImport to the Module wrapped with TLS or SSH session keys Export: NoIPSec/IKE Pre-Shared Secret (CSP)N/AMD/ EE
SKEYSEE D (CSP)160 bitsN/AN/A. The module does not provide persistent keys/ SSPs storageZeroized when IPSec/IKE session is terminated or when the tested platform is powered downUsed for IPSec/IKE Session Encryption Key and Session Integrity Key derivationImport: No Export: NoSKEYSEE D (CSP)KDF IKEv2 Certs. #A2952 or #A3376N/A
IPSec/IKE Session Encryption Key (CSP)128/256 bitsInternally derived per the key derivation function defined in SP800-135 KDF (KDF IKEv2).N/A: The module does not provide persistent keys/SSPs storageZeroized when IPSec/IKE session is terminated or when the tested platform is powered downUsed to secure IPSec/IKE session confidentialityImport: No Export: NoIPSec/IKE Session Encryption Key (CSP)AES-CBC; AES-GCM; KDF IKEv2 Certs. #A2952 or #A3376N/A
IPSec/IKE Session Integrity Key (CSP)160-512 bitsInternally derived per the key derivation function defined in SP800-135 KDF (KDF IKEv2).N/A: The module does not provide persistent keys/SSPs storageZeroized when IPSec/IKE session is terminated or when the tested platform is powered downUsed to secure IPSec/IKE session integrityImport: No Export: NoIPSec/IKE Session Integrity Key (CSP)HMAC-SHA2- 256; HMAC-SHA2- 384; HMAC-SHA2- 521; KDF IKEv2 Certs. #A2952 or #A3376N/A

Operational environment The module is a software module, which is operated in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module’s software version running on each tested The module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevent unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Physical security The FIPS 140-3 physical security requirements do not apply to the Module since it is a software Non-invasive security Currently, non-invasive security is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module. Sensitive security parameters management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module. N/A DiffieHellman by SP80090Arev1 MODP2048 KAS-FFCSSC; N/A N/A N/A DiffieHellman

Page 15

DiffieHellman Peer DiffieHellman MODP2048 MODP2048 KAS-FFCSSC; (SP80056Arev3) N/A DiffieHellman MODP2048 EC DiffieHellman and P521 EC DiffieHellman and P521 N/A DiffieHellman N/A DiffieHellman EC DiffieHellman (SP80056Arev3) N/A N/A N/A EC DiffieHellman

Page 16

DiffieHellman and P521 N/A EC DiffieHellman and P521 and P521 and P521 N/A EC DiffieHellman N/A N/A N/A N/A N/A

Page 17

HMAC-SHA2256; HMAC-SHA2384; N/A N/A N/A N/A N/A

Page 18
Approved algorithm
NameKey Size
DetailsEntropy sourcesMinimum number
While operating in the Approved Mode, the entropy and seeding material for the SP800-90Arev1 DRBG are provided by the external calling application (and not by the Module) which is outside the Module’s Cryptographic boundary but contained within the Module’s Tested Operational Environment’s Physical Perimeter (TOEPP) boundary. The module receives a LOAD command with entropy obtained from the entropy source (Intel CPU processor with instructions RDRand) inside the TOEPP. The minimum effective strength of the SP 800-90Arev1 DRBG seed is required to be at least 112 bits when used in an approved mode of operation, therefore the minimumAt least 112 bitsEntropy within the TOEPP was passively load into the Module to seed the 800-90Arev1 DRBG by the Operating System

N/A N/A HMAC-SHA2256; HMAC-SHA2384; HMAC-SHA2521; N/A N/A N/A Table 8 SSPs

Page 19

number of bits of entropy requested when the Module makes a call to the SP 800-90Arev1 DRBG is at least 112 bits. Per the IG 9.3.A Entropy Caveats, the following caveat applies: When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). Table 9 Non-Deterministic Random Number Generation Specification

10 Self-tests

When the module is loaded or instantiated (after being powered off, rebooted, etc.), the module runs pre-operational self-tests. The operating system is responsible for the initialization process and loading of the library. The module is designed with a default entry point (DEP) which ensures that the self-tests are initiated automatically when the module is loaded. Prior to the module providing any data output via the data output interface, the module performs and passes the pre-operational self-tests. Following the successful pre-operational self-tests, the module executes the Conditional Cryptographic Algorithm Self-tests (CASTs). The self-test success or failure results are an output of the return value of the library load API call, which is functioning as the self-test status indicator. If any one of the self-tests fails, the module transitions into an error state and outputs the error message via the module’s status output interface. While the module is in the error state, all data through the data output interface and all cryptographic operations are disabled. The error state can only be cleared by reloading the module. All self-tests must be completed successfully before the module transitions to the operational state. Below are the details of the self-tests conducted by the module. Pre-Operational Self-Tests: Pre-operational software integrity test

Page 20

o o o o o o o o o o

11 Life-cycle assurance

Secure operations The module meets all the Level 1 requirements for FIPS 140-3. The validated Module’s package asav9-16-4.zip (for VMware ESXi system), or asav9-16-4.qcow2 (for NFVIS system) is the only allowable software image running on the respective tested platform listed in Table 2 above while in the approved mode. The Crypto Officer must configure and enforce the following initialization steps: Step 1: Install AES licenses to require the module to use AES (for data traffic and SSH). Step 2: Issue “fips enable” to allow the module to internally enforce approved compliant services. (config)# fips enable Step 3: Disable password recovery. (config)#no service password-recovery Step 4: Set the configuration register to bypass ROMMON prompt at boot.

Page 21

(config)# config-register 0x10011 Step 5: Configure the TLS protocol when using HTTPS to protect administrative functions. Due to known issues relating to the use of TLS with certain versions of the Java plugin, we require that you upgrade to JRE 1.5.0_05 or later. The following configuration settings are known to work when launching ASDM in a TLS-only environment with JRE 1.5.0_05: a. Configure the device to allow only TLSv1.2 packets using the following command: (config)# ssl server-version tlsv2-only (config)# ssl client-version tlsv2-only b. Check TLS v1.2.0 in both the web browser and JRE security settings. Step 6: Configure the module to use SSHv2. Note that all operators must still authenticate after remote access is granted. (config)# ssh version 2 Step 7: Configure the module such that any remote connections via Telnet are secured through IPSec. Step 8: Configure the module such that only approved algorithms are used for IPSec tunnels. Step 9: Configure the IPSec/IKE secure tunnel, including the Access-list (ACL) which classifies the data transferred through the data path to be cryptographic processed or be in Bypass capability. Step 10: Configure the module such that error messages can only be viewed by a Crypto Officer. Step 11: Disable the TFTP server. Step 12: Disable HTTP for performing system management in approved mode of operation. HTTPS with TLS should always be used for Web-based management. Step 13. Save the configuration. Step 14: Reboot the Module.

12 Mitigation of other attacks

The requirements under INCITS+ISO+IEC 19790+2012[2014], section 7.12 “Mitigation of other attacks”, are not applicable to the module since the module currently does not support any mitigation of other attacks services.

Referenced URLs