All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Palo Alto Networks SD-WAN ION Core Crypto Module

Certificate#4715StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorPalo Alto Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/7/2029
CaveatInterim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode
VendorPalo Alto Networks, Inc.

Approved Algorithms (39)

AlgorithmACVP Cert
AES-CBCA3564
AES-CBCA3566
AES-CTRA3563
AES-ECBA3563
AES-GCMA3563
AES-GCMA3564
Counter DRBGA3563
ECDSA KeyGen (FIPS186-4)A3563
ECDSA KeyGen (FIPS186-4)A3564
ECDSA SigGen (FIPS186-4)A3563
ECDSA SigVer (FIPS186-4)A3563
HMAC DRBGA3564
HMAC-SHA-1A3563
HMAC-SHA2-224A3563
HMAC-SHA2-256A3564
HMAC-SHA2-256A3566
HMAC-SHA2-384A3563
HMAC-SHA2-384A3564
HMAC-SHA2-512A3563
HMAC-SHA2-512A3564
KAS-ECC-SSC Sp800-56Ar3A3563
KAS-ECC-SSC Sp800-56Ar3A3564
KDF IKEv2A3563
KDF SNMPA3563
KDF SSHA3563
KDF TLSA3563
KDF TLSA3564
RSA KeyGen (FIPS186-4)A3563
RSA SigGen (FIPS186-4)A3563
RSA SigVer (FIPS186-4)A3563
RSA SigVer (FIPS186-4)A3572
SHA-1A3566
SHA2-224A3563
SHA2-256A3563
SHA2-256A3564
SHA2-384A3563
SHA2-384A3564
SHA2-512A3563
SHA2-512A3564

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification3
Cryptographic Module Interfaces8
Roles, Services, and Authentication8
Software/Firmware Security1
Operational Environment1
Physical Security1
Non-Invasive Security1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Palo Alto Networks SD-WAN ION Core Crypto Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-Test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Palo Alto Networks SD-WAN ION Core Crypto Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-Test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Palo Alto Networks SD-WAN ION Core Crypto Module Software Version: 1.0 Documentation Version: 1.3 Last Update: June 11, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: June 11, 2024 Document Version: 1.3

Page 2
Table of Contents
#SectionPage
1General3
2Cryptographic Module Specification3
3Cryptographic Module Interfaces8
4Roles, Services, and Authentication8
5Software/Firmware Security12
6Operational Environment12
7Physical Security12
8Non-Invasive Security12
9Sensitive Security Parameters12
10Self-Tests15
11Life-Cycle Assurance18
12Mitigation of Other Attacks19
9Sensitive security parameter management1
Page 3
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai
1ION 6.1ION 1200Intel Atom C3436LWith PAA1
2ION 6.1ION 1200Intel Atom C3436LWithout PAA2
3ION 6.1ION 1200-C-NAIntel Atom C3436LWith PAA3
4ION 6.1ION 1200-C-NAIntel Atom C3436LWithout PAA4
5ION 6.1ION 1200-C-ROWIntel Atom C3436LWith PAA5
6ION 6.1ION 1200-C-ROWIntel Atom C3436LWithout PAA6
7ION 6.1ION 1200-C-5G-WWIntel Atom C3436LWith PAA7
8ION 6.1ION 1200-C-5G-WWIntel Atom C3436LWithout PAA8
9ION 6.1ION 1200-SIntel Atom C3436LWith PAA9
10ION 6.1ION 1200-SIntel Atom C3436LWithout PAA10
11ION 6.1ION 1200-S-C-NAIntel Atom C3436LWith PAA11
12ION 6.1ION 1200-S-C-NAIntel Atom C3436LWithout PAA12
13ION 6.1ION 1200-S-C-ROWIntel Atom C3436LWith PAA13

The table below provides the security levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks SD-WAN ION Core Crypto Module with software version 1.0, hereinafter referred to as the Module. The Palo Alto Networks SD-WAN ION Core Crypto Module is utilized in hardware and software ION form factors. These enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of a WAN. The Module contains the following libraries:

Page 4
Module configuration
NameOperating SystemHardware Platform
1AWSDependent on Provider1
2AzureDependent on Provider2
3Google CloudDependent on Provider3
4OCIDependent on Provider4
5ION 7108VGPC5
6ION 3108VGPC6
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES: ● FIPS 197SP 800-38DA3566ECB128, 192, and 256 bitsData Encryption/Decryption
AES: ● FIPS 197SP 800-38AA3566CBC128, 192, and 256 bitsData Encryption/Decryption
AES: ● FIPS 197SP 800-38AA3566CTR128, 192, and 256 bitsData Encryption/Decryption
AES: ● FIPS 197SP 800-38DA3566GCM128, 192, and 256 bitsData Encryption/Decryption
KDF SSH: ● SP 800-135rev1 (CVL)A3566KDF SSHv2N/ASP800-135rev1 compliant Key Derivation
KDF TLS: ● SP 800-135rev1 (CVL)A3566KDF TLS 1.2N/ASP800-135rev1 compliant Key Derivation
KDF KEv2: ● SP 800-135rev1 (CVL)A3566KDF IKEv2N/ASP800-135rev1 compliant Key Derivation
KDF SNMP: ● SP 800-135rev1 (CVL)A3566KDF SNMPv3N/ASP800-135rev1 compliant Key Derivation
DRBG: ● SP 800-90Arev1A3566CTR_DRBG (AES-256 bits) Derivation Function Enabled: YesN/ADeterministic Random Bit Generation
KAS-SSC ● SP 800-56Arev3A3566KAS-ECC-SSC Ephemeral UnifiedKAS-ECC-SSC with P-256, P-384, P-521; key establishment methodology provides between 128 and 256 bits of encryption strengthKAS-ECC Shared Secret Computation
KAS ● SP 800-56Arev3A3566KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responderKAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strengthKey Agreement Scheme per SP800-56Arev3 with key derivation function (SP800-135rev1) Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario 2 (path 2) compliant
ECDSA ● FIPS 186-4A3566ECDSA KeyGenCurves: P-224, P-256, P-384, P-521ECDSA Key Generation
ECDSA ● FIPS 186-4A3566ECDSA SigGenCurves: P-224, P-256, P-384, P-521ECDSA Digital Signature Generation
ECDSA ● FIPS 186-4A3566ECDSA SigVerCurves: P-224, P-256, P-384, P-521ECDSA Digital Signature Verification
HMAC ● FIPS 198-1A3566HMAC-SHA-1At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3566HMAC-SHA2-224At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3566HMAC-SHA2-256At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3566HMAC-SHA2-384At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3566HMAC-SHA2-512At least 160 bitsMessage Authentication
KTS ● SP800-38FA3566KTS (AES Cert. #A3566)128, 192, and 256 bits Key establishment methodology provides between 128 and 256 bits of encryption strengthKey Transport using AES-GCM
KTS ● SP800-38FA3566KTS (AES Cert. #A3566 and HMAC Cert. #A3566)128, 192, and 256 bits Key establishment methodology provides between 128 and 256 bits of encryption strengthKey Transport using AES and HMAC
RSA ● FIPS 186-4A3566RSA KeyGen (PKCS#1 v1.5)Modulus: 2048 and 3072 bitsRSA Key Generation
RSA ● FIPS 186-4A3566RSA SigGen (PKCS#1 v1.5)Modulus: 2048 and 3072 bitsRSA Digital Signature Generation
RSA ● FIPS 186-4A3566RSA SigVer (PKCS#1 v1.5)Modulus: 2048 and 3072 bitsRSA Digital Signature Verification
SHS ● FIPS 180-4A3566SHA-1N/AHashing Note: SHA-1 is not used for digital signature generation
SHS ● FIPS 180-4A3566SHA2-224N/AHashing
SHS ● FIPS 180-4A3566SHA2-256N/AHashing
SHS ● FIPS 180-4A3566SHA2-384N/AHashing
SHS ● FIPS 180-4A3566SHA2-512N/AHashing
CKG (SP 800-133rev2)Vendor AffirmedSection 5Cryptographic Key Generation; SP 800- 133rev2 and IG D.H.Key Generation Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800- 133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3566).
AES: ● FIPS 197SP 800-38AA3572CBC128 or 256 bitsData Encryption/Decryption
AES: ● FIPS 197SP 800-38DA3572GCM128 or 256 bitsData Encryption/Decryption
KDF TLS: ● SP 800-135rev1 (CVL)A3572KDF TLS v1.2N/ASP800-135rev1 compliant Key Derivation
DRBG: ● SP 800-90Arev1A3572DRBG with HMAC- SHA2-512N/ADeterministic Random Bit Generation
KAS-SSC ● SP 800-56Arev3A3572KAS-ECC-SSC Ephemeral UnifiedKAS-ECC-SSC with P-256, P- 384, P-521; Key establishment methodology provides between 128 256 bits of encryption strengthKAS-ECC Shared Secret Computation
KAS ● SP 800-56Arev3A3572KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responderKAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strengthKey Agreement Scheme per SP800- 56Arev3 with key derivation function (SP800-135rev1) Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario 2 (path 2) compliant
ECDSA ● FIPS 186-4A3572ECDSA KeyGenCurves: P-224, P-256, P-384, P- 521ECDSA Key Generation
HMAC ● FIPS 198-1A3572HMAC-SHA2-256At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3572HMAC-SHA2-384At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3572HMAC-SHA2-512At least 160 bitsMessage Authentication
KTS ● SP800-38FA3572KTS (AES Cert. #A3572)128 or 256 bits Key establishment methodology provides 128 or 256 bits of encryption strengthKey Transport using AES-GCM
15ION 6.1ION 1200-S-C-5G-WWIntel Atom C3436LWith PAA
16ION 6.1ION 1200-S-C-5G-WWIntel Atom C3436LWithout PAA
17ION 6.1ION 3200Intel Atom C3558RWith PAA
18ION 6.1ION 3200Intel Atom C3558RWithout PAA
19ION 6.1ION 5200Intel Atom C5325With PAA
20ION 6.1ION 5200Intel Atom C5325Without PAA
21ION 6.1ION 9200Intel Atom P5362With PAA
22ION 6.1ION 9200Intel Atom P5362Without PAA

Table 2

4 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc. Module

Page 5

N/A N/A N/A N/A N/A © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 5

Page 6
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHS ● FIPS 180-4A3566SHA2-256N/AHashing
SHS ● FIPS 180-4A3566SHA2-384N/AHashing
SHS ● FIPS 180-4A3566SHA2-512N/AHashing
CKG (SP 800-133rev2)Vendor AffirmedSection 5Cryptographic Key Generation; SP 800- 133rev2 and IG D.H.Key Generation Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800- 133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3566).
AES: ● FIPS 197SP 800-38AA3572CBC128 or 256 bitsData Encryption/Decryption
AES: ● FIPS 197SP 800-38DA3572GCM128 or 256 bitsData Encryption/Decryption
KDF TLS: ● SP 800-135rev1 (CVL)A3572KDF TLS v1.2N/ASP800-135rev1 compliant Key Derivation
DRBG: ● SP 800-90Arev1A3572DRBG with HMAC- SHA2-512N/ADeterministic Random Bit Generation
KAS-SSC ● SP 800-56Arev3A3572KAS-ECC-SSC Ephemeral UnifiedKAS-ECC-SSC with P-256, P- 384, P-521; Key establishment methodology provides between 128 256 bits of encryption strengthKAS-ECC Shared Secret Computation
KAS ● SP 800-56Arev3A3572KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responderKAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strengthKey Agreement Scheme per SP800- 56Arev3 with key derivation function (SP800-135rev1) Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario 2 (path 2) compliant
ECDSA ● FIPS 186-4A3572ECDSA KeyGenCurves: P-224, P-256, P-384, P- 521ECDSA Key Generation
HMAC ● FIPS 198-1A3572HMAC-SHA2-256At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3572HMAC-SHA2-384At least 160 bitsMessage Authentication
HMAC ● FIPS 198-1A3572HMAC-SHA2-512At least 160 bitsMessage Authentication
KTS ● SP800-38FA3572KTS (AES Cert. #A3572)128 or 256 bits Key establishment methodology provides 128 or 256 bits of encryption strengthKey Transport using AES-GCM
KTS ● SP800-38FA3572KTS (AES Cert. #A3572 and HMAC Cert. #A3572)128 or 256 bits Key establishment methodology provides 128 or 256 bits of encryption strengthKey Transport using AES and HMAC
RSA ● FIPS 186-4A3572RSA SigVer (PKCS#1 v1.5)Modulus: 2048 bitsDigital Signature Verification
SHS ● FIPS 180-4A3572SHA2-256N/AHashing
SHS ● FIPS 180-4A3572SHA2-384N/AHashing
SHS ● FIPS 180-4A3572SHA2-512N/AHashing
CKG (SP 800-133rev2)Vendor AffirmedSection 5Cryptographic Key Generation; SP 800- 133rev2 and IG D.H.Key Generation Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3572).

N/A N/A N/A Table 4

6 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc.

Page 7

N/A N/A N/A Table 5

Page 8
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData Input InterfaceAPI input parameters for data
N/AN/AData Output InterfaceAPI output parameters for data
N/AN/AControl Input InterfaceAPI function calls
N/AN/AControl Output InterfaceN/A
N/AN/AStatus Output InterfaceReturn values, and or log messages

As the module can only be operated in the Approved mode of operation with algorithms listed in Tables 4 - 5, the following options defined in SP 800-140B are not applicable for this document: ● ● ● Non-Approved Algorithms Allowed in Approved Mode of Operation Non-Approved Algorithms Allowed in Approved Mode of Operation with No Security Claimed Non-Approved Algorithms Not Allowed in Approved Mode of Operation Cryptographic Boundary Figure 1 below depicts the cryptographic boundary (yellow area with the blue dashed lines) and the physical perimeter (red dashed line). The cryptographic boundary includes all of the software components of the cryptographic libraries. The physical perimeter is the Tested Operational Environment’s Physical Perimeter (TOEPP) on which the module runs. Figure 1– Cryptographic Boundary

  1. Cryptographic Module Interfaces The module’s physical perimeter encompasses the case of the tested platform mentioned in Table
  2. The module provides its logical interfaces via Application Programming Interface (API) calls. The logical interfaces provided by the module are mapped onto the FIPS 140-3 interfaces (data input, data output, control input, control output and status output) as follows. N/A N/A N/A N/A N/A N/A Table 7 – Ports and Interfaces
8 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc. Module

Page 9
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Self-TestCrypto OfficerCommand to trigger Self-TestStatus of the self-tests results
ZeroizeCrypto OfficerCommand to initiate the SSPs zeroizationStatus of the SSPs zeroization
Show VersionCrypto OfficerCommand to show versionModule’s name/ID and versions
Show StatusCrypto OfficerCommand to show statusModule’s status information
Configure NetworkCrypto OfficerCommands to configure the moduleStatus of the completion of network related configuration
Configure SSHv2 FunctionCrypto OfficerCommands to configure SSHv2Status of the completion of SSHv2 configuration
Configure TLSv1.2 FunctionCrypto OfficerCommands to configure TLSv1.2Status of the completion of TLSv1.2 configuration
Configure SNMPv3 FunctionCrypto OfficerCommands to configure SNMPv3Status of the completion of SNMPv3 configuration
Configure IPsec/IKEv2 FunctionCrypto OfficerCommands to configure IPSec/IKEv2Status of the completion of IPSec/IKEv2 configuration
Run SSHv2 FunctionCrypto OfficerInitiate SSHv2 tunnel establishment requestStatus of SSHv2 tunnel establishment
Run TLSv1.2 FunctionCrypto OfficerInitiate TLSv1.2 tunnel establishment requestStatus of TLSv1.2 tunnel establishment
Run SNMPv3 FunctionCrypto OfficerInitiate SNMPv3 tunnel establishment requestStatus of SNMPv3 tunnel establishment
Run IPSec/IKEv2 FunctionCrypto OfficerInitiate of IPSec/IKEv2 tunnel establishmentStatus of IPSec/IKEv2 tunnel establishment
Self-TestInitiate and run the pre-operational self- testsCrypto OfficerSoftware Integrity Test Key (Not a SSP)HMAC-SHA2-256N/ANone
ZeroizeZeroize all unprotected SSPs stored in the moduleCrypto OfficerAllN/AZNone
Show VersionProvides the module’s name/ID and versionsCrypto OfficerN/AN/AN/ANone
Show StatusProvides the module’s current status and informationCrypto OfficerN/AN/AN/ANone
Configure NetworkPerform the Module’s Network ConfigurationCrypto OfficerTLS RSA Public KeyRSA SigverG/R/W/EGlobal indicator and Configuration logs
Configure SSHv2 FunctionCreate a secure SSHv2 channelCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); SSH ECDHE Private Key (CSP);AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512;G/R/W/EGlobal indicator and SSH connection log message
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Self-TestCrypto OfficerCommand to trigger Self-TestStatus of the self-tests results
ZeroizeCrypto OfficerCommand to initiate the SSPs zeroizationStatus of the SSPs zeroization
Show VersionCrypto OfficerCommand to show versionModule’s name/ID and versions
Show StatusCrypto OfficerCommand to show statusModule’s status information
Configure NetworkCrypto OfficerCommands to configure the moduleStatus of the completion of network related configuration
Configure SSHv2 FunctionCrypto OfficerCommands to configure SSHv2Status of the completion of SSHv2 configuration
Configure TLSv1.2 FunctionCrypto OfficerCommands to configure TLSv1.2Status of the completion of TLSv1.2 configuration
Configure SNMPv3 FunctionCrypto OfficerCommands to configure SNMPv3Status of the completion of SNMPv3 configuration
Configure IPsec/IKEv2 FunctionCrypto OfficerCommands to configure IPSec/IKEv2Status of the completion of IPSec/IKEv2 configuration
Run SSHv2 FunctionCrypto OfficerInitiate SSHv2 tunnel establishment requestStatus of SSHv2 tunnel establishment
Run TLSv1.2 FunctionCrypto OfficerInitiate TLSv1.2 tunnel establishment requestStatus of TLSv1.2 tunnel establishment
Run SNMPv3 FunctionCrypto OfficerInitiate SNMPv3 tunnel establishment requestStatus of SNMPv3 tunnel establishment
Run IPSec/IKEv2 FunctionCrypto OfficerInitiate of IPSec/IKEv2 tunnel establishmentStatus of IPSec/IKEv2 tunnel establishment
Self-TestInitiate and run the pre-operational self- testsCrypto OfficerSoftware Integrity Test Key (Not a SSP)HMAC-SHA2-256N/ANone
ZeroizeZeroize all unprotected SSPs stored in the moduleCrypto OfficerAllN/AZNone
Show VersionProvides the module’s name/ID and versionsCrypto OfficerN/AN/AN/ANone
Show StatusProvides the module’s current status and informationCrypto OfficerN/AN/AN/ANone
Configure NetworkPerform the Module’s Network ConfigurationCrypto OfficerTLS RSA Public KeyRSA SigverG/R/W/EGlobal indicator and Configuration logs
Configure SSHv2 FunctionCreate a secure SSHv2 channelCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); SSH ECDHE Private Key (CSP);AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512;G/R/W/EGlobal indicator and SSH connection log message
KAS-SSC (ECC); KAS (ECC); KDF SSHSSH ECDHE Public Key (PSP); Peer SSH ECDHE Public Key (PSP); SSH ECDHE Shared Secret (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP)KAS-SSC (ECC); KAS (ECC); KDF SSH
Configure TLSv1.2 FunctionCreate a secure TLSv1.2 channelCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); TLS RSA Private Key (CSP); TLS RSA Public Key (PSP); TLS ECDHE Private Key (CSP); TLS ECDHE Public Key (PSP); Peer TLS ECDHE Public Key (PSP); TLS ECDHE Shared Secret (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP);AES-CBC; AES-GCM; CKG; CTR_DRBG; HMAC_DRBG; HMAC-SHA2-256; HMAC-SHA2-384; KAS-SSC (ECC); KAS (ECC); KTS; RSA KeyGen; RSA SigGen; RSA SigVer; KDF TLSG/R/W/EGlobal indicator and TLS success log message
Configure SNMPv3 FunctionCreate a secure SNMPv3 channelCrypto OfficerSNMPv3 Authentication Secret (CSP); SNMPv3 Session Encryption Key (CSP); SNMPv3 Session Authentication Key (CSP);AES-CBC; HMAC-SHA-1; KDF SNMPG/R/W/EGlobal indicator and SNMPv3 success log message
Configure IPsec/IKEv2 FunctionCreate IPSec/IKEv2 tunnelCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); IPSec/IKE Pre-Shared Secret (CSP); IPSec/IKE RSA Private Key (CSP); IPSec/IKE RSA Public Key (PSP); IPSec/IKE ECDHE Private Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP);AES-CBC; CKG; CTR_DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; KDF IKEv2G/R/W/EGlobal indicator and IPSec success log message
Run SSHv2 FunctionNegotiation and encrypted data transport via SSHCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP);AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen;G/R/W/EGlobal indicator and SSH connection log message
ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); KDF SSHSSH ECDHE Private Key (CSP); SSH ECDHE Public Key (PSP); Peer SSH ECDHE Public Key (PSP); SSH ECDHE Shared Secret (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP);ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); KDF SSH
Run TLSv1.2 FunctionNegotiation and encrypted data transport via TLSCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); TLS RSA Private Key (CSP); TLS RSA Public Key (PSP); TLS ECDHE Private Key (CSP); TLS ECDHE Public Key (PSP); Peer TLS ECDHE Public Key (PSP); TLS ECDHE Shared Secret (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP);AES-CBC; AES-GCM; CKG; CTR_DRBG; HMAC_DRBG; HMAC-SHA2-256; HMAC-SHA2-384; KAS-SSC (ECC); KAS (ECC); KTS; RSA KeyGen; RSA SigGen; RSA SigVer; KDF TLSG/R/W/EGlobal indicator and TLS success log message
Run SNMPv3 FunctionNegotiation and encrypted data transport via SNMPv3Crypto OfficerSNMPv3 Authentication Secret (CSP); SNMPv3 Session Encryption Key (CSP); SNMPv3 Session Authentication Key (CSP);AES-CBC; HMAC-SHA-1; KDF SNMPG/R/W/EGlobal indicator and SNMPv3 success log message
Run IPSec/IKEv2 FunctionNegotiation and encrypted data transport via IPSecCrypto OfficerDRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); IPSec/IKE Pre-Shared Secret (CSP); IPSec/IKE RSA Private Key (CSP); IPSec/IKE RSA Public Key (PSP); IPSec/IKE ECDHE Private Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP);AES-CBC; CKG; CTR_DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; KDF IKEv2G/R/W/EGlobal indicator and IPSec/IKEv2 success log message

4. Roles, Services, and Authentication The module supports role-based authentication, and provides a Crypto Officer role. The Crypto Officer role has the ability to perform all tasks and administrative actions. N/A N/A Z N/A N/A N/A N/A N/A N/A G/R/W/E G/R/W/E © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 9

Page 10
10 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc. Module

Page 11

G/R/W/E G/R/W/E G/R/W/E Table 9

Page 12
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationImport ExportKey/SSP Name/Type
Used to seed the DRBGAt least 256 bitsN/AObtained from the Entropy Source within TOEPP (GPS INT Pathways)N/ADRAM (plaintext)Zeroized when the tested platform is powered downImport to the module via Module’s APIDRBG Entropy Input (CSP)
Export: NoNote: The module does not provide persistent keys/ SSPs storageExport: No
Random number generation256 bitsCTR_DRBG Cert. #A3566; HMAC_DRBG Cert. #A3572Internally Derived from entropy input string as defined by SP 800- 90Arev1 DRBGN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoDRBG Seed (CSP)
Random number generation256 bitsCTR_DRBG Cert. #A3566; HMAC_DRBG Cert. #A3572Internally Derived from entropy input string as defined by SP 800- 90Arev1 DRBGN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoDRBG Internal State V value (CSP)
Random number generation256 bitsCTR_DRBG Cert. #A3566; HMAC_DRBG Cert. #A3572Internally Derived from entropy input string as defined by SP 800- 90Arev1 DRBGN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoDRBG Key (CSP)
Used for TLS peer authentication112-128 bits (Modulus: 2048, 3072 bits)CKG; DRBG; RSA KeyGen; RSA SigGen; Certs. #A3566 and #A3572Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in key generation is generated using SP 800- 90Arev1 DRBGN/AHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: No Export: NoTLS RSA Private Key (CSP)
Used for TLS peer authentication112-128 bits (Modulus: 2048, 3072 bits)RSA KeyGen; RSA SigVer; Certs. #A3566 and #A3572Internally derived per the FIPS 186-4 RSA key generation methodN/AHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: No Export: Yes, to the TLS peerTLS RSA Public Key (PSP)
Used to derive TLS ECDHE Shared Secret128 – 256 bits (Curves: P- 256, P-384, P-521)CKG; DRBG; KAS-ECC-SSC; Certs. #A3566 and #A3572Internally generated conformant to SP800- 133r2 (CKG) using SP 800-56Arev3 EC Diffie- Hellman key generation method, and the random value used in key generation is generated using SP 800-90Arev1 DRBGN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoTLS ECDHE Private Key (CSP)
Used to derive TLS ECDHE Shared Secret128 – 256 bits (Curves: P- 256, P-384, P-521)KAS-ECC-SSC; Certs. #A3566 and #A3572Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: Yes, to the TLS peerTLS ECDHE Public Key (PSP)
Used to derive TLS ECDHE Shared SecretCurves: P- 256, P-384, P-521N/AN/AN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: Enter into the Module via Module’s API Export: NoPeer TLS ECDHE Public Key (PSP)
Used to derive TLS Session Encryption Keys, TLS Session Authentication Keys128 – 256 bits (Curves: P- 256, P-384, P-521)KAS-ECC-SSC; KAS (ECC); Certs. #A3566 and #A3572Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computationN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoTLS ECDHE Shared Secret (CSP)
Used to derive TLS Master Secret384 bitsN/AInternally derived via key derivation function defined in SP800- 135rev1 KDF (TLSv1.2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoTLS Pre-Master Secret (CSP)
Used to derive TLS Encryption Keys, TLS Authentication Keys.384 bitsN/AInternally derived via key derivation function defined in SP800- 135rev1 KDF (TLSv1.2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoTLS Master Secret (CSP)
Used to secure TLS session confidentiality128 or 256 bitsAES-CBC; AES-GCM; KDF TLS KTS; Certs. #A3566 and #A3572Internally derived via key derivation function defined in SP 800- 135rev1 KDF (TLSv1.2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoTLS Session Encryption Key (CSP)
Used to secure the TLS session integrityAt least 112 bitsHMAC-SHA2-256; HMAC-SHA2-384; KDF TLS KTS; Certs. #A3566 and #A3572Internally derived via key derivation function defined in SP800-135 rev1 KDF TLSv1.2N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoTLS Session Authentication Key (CSP)
Used for IPSec/IKE peer authentication2048 bits charactersN/AN/AMD/EEHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: Encrypted by using TLS/SSH session key Export: NoIPSec/IKE Pre- Shared Secret (CSP)
Used for IPSec/IKE peer authentication112 or 128 bits (Modulus: 2048 or 3072 bits)CKG; DRBG; RSA SigGen; Cert# A3566Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBGN/AHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: No Export: NoIPSec/IKE RSA Private Key (CSP)
Used for IPSec/IKE peer authentication112 or 128 bits (Modulus: 2048 or 3072 bits)RSA SigVer; Cert. #A3566Internally derived per the FIPS 186-4 RSA key generation methodN/AHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: No Export: to the IKE Peer applicationIPSec/IKE RSA Public Key (PSP)
Used to derive IPSec/IKE ECDHE Shared Secret128 or 192 bits (Curves: P- 256 or P-384)CKG; DRBG; KAS-ECC-SSC; KAS (ECC); Cert. #A3566Internally generated conformant to SP800- 133r2 (CKG) using SP800-56Arev3 EC Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBGN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoIPSec/IKE ECDHE Private Key (CSP)
Used to derive IPSec/IKE ECDHE Shared Secret128 or 192 bits (Curves: P- 256 or P-384)KAS-ECC-SSC; KAS (ECC); Cert. #A3566Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: to the IKE Peer applicationIPSec/IKE ECDHE Public Key (PSP)
Used to derive IPSec/IKE Session Encryption Keys, IPSec/IKE Authentication Keys128 or 192 bits (Curves: P- 256 or P-384)KAS-ECC-SSC; KAS (ECC); Cert. #A3566Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computationN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoIPSec/IKE ECDHE Shared Secret (CSP)
Used to secure IPSec/IKEv2 session confidentiality128-256 bitsAES-CBC; KDF IKEv2; Cert. #A3566Internally derived via key derivation function defined in SP800- 135rev1 KDF (IKEv2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoIPSec/IKE Session Encryption Key (CSP)
Used to secure IPSec/IKEv2 session integrityAt least 112 bitsHMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KDF IKEv2; Cert. #A3566Internally derived via key derivation function defined in SP800- 135rev1 KDF (IKEv2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoIPSec/IKE Session Authentication Key (CSP)
Used for SNMPv3 User authentication8 characters minimumN/AN/AMD/EEHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: Encrypted by using TLS/SSH session key Export: NoSNMPv3 Authentication Secret (CSP)
Used to secure SNMPv3 session confidentiality128 bitsAES-CFB; KDF SNMP; Cert. #A3566Internally derived via key derivation function defined in SP800- 135rev1 KDF (SNMPv3)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoSNMPv3 Session Encryption Key (CSP)
Used to secure SNMPv3 session integrityAt least 112 bitsHMAC-SHA-1; KDF SNMP; Cert. #A3566Internally derived via key derivation function defined in SP800- 135rev1 KDF (SNMPv3)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoSNMPv3 Session Authentication Key (CSP)
Used to derive the SSH ECDHE Shared Secret128-256 bitsCKG; DRBG; KAS-ECC-SSC; KAS (ECC);Internally generated conformant to SP800- 133r2 (CKG) using SP800-56Arev3 ECN/ADRAM (plaintext)Zeroized when the tested platform is powered downImport: No Export: NoSSH ECDHE Private Key (CSP)
(Curves: P- 256, P-384, or P-521)(Curves: P- 256, P-384, or P-521)Cert. #A3566Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBGNote: The module does not provide persistent keys/ SSPs storage
Used to derive the SSH ECDHE Shared Secret128-256 bits (Curves: P- 256, P-384, or P-521)KAS-ECC-SSC; KAS (ECC); Cert. #A3566Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: Yes, to the SSH peerSSH ECDHE Public Key (PSP)
Used to derive SSH ECDHE Shared Secret128-256 bits (Curves: P- 256, P-384, or P-521)KAS-ECC-SSC; KAS (ECC); Cert.#A3566N/AN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: Enter into the Module via the Module’s API Export: NoPeer SSH ECDHE Public Key (PSP)
Used to derive SSH Session Encryption Keys, SSH Session Authentication Keys128-256 bits (Curves: P- 256, P-384, or P-521)CKG; DRBG; KAS-ECC-SSC; Cert. #A3566Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computationN/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoSSH ECDHE Shared Secret (CSP)
Used for SSH session authentication128-256 bits (Curves: P- 256, P-384, or P-521)CKG; DRBG; ECDSA KeyGen; ECDSA SigGen; Cert. #A3566Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 ECDSA Key Generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBGN/AHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP (CSP/PSP) Zeroization CommandImport: No Export: NoSSH ECDSA Private Key (CSP)
Used for SSH session authentication128-256 bits (Curves: P- 256, P-384, or P-521)ECDSA KeyGen; ECDSA SigVer; Cert. #A3566Internally derived per the FIPS 186-4 ECDSA Keypair generation methodN/AHDD (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized by SSP/CSP/PSP Zeroization CommandImport: No Export: Yes, to the SSH peerSSH ECDSA Public Key (PSP)
Used for SSH session confidentiality protection128 - 256 bitsAES-CTR; KDF SSH; KTS; Cert. #A3566Internally derived via key derivation function defined in SP 800- 135rev1 KDF (SSHv2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoSSH Session Encryption Key (CSP)
Used for SSH session integrity protectionAt least 112 bitsKDF SSH; KTS; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; Cert. #A3566Internally derived via key derivation function defined in SP 800- 135rev1 KDF (SSHv2)N/ADRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storageZeroized when the tested platform is powered downImport: No Export: NoSSH Session Authentication Key (CSP)

G = Generate: The module generates or derives the SSP. W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Unauthenticated Services Unauthenticated Users can run the self-test service by power-cycling the tested platform.

  1. Software/Firmware Security Integrity Techniques The module performs the Software Integrity test by using HMAC-SHA2-256 (HMAC Cert. #A3566) during the PreOperational Self-Test. A Software Integrity Test Key (non-SSP) was preloaded to the module’s binary at the factory and used for firmware integrity test only at the pre-operational self-test. At Module’s initialization, the integrity of the runtime executable is verified using an HMAC-SHA2-256 digest which is compared to a value computed at build time. If at the load time the MAC does not match the stored, known MAC value, the module would enter an Error state with all crypto functionality inhibited. Integrity Test On-Demand Integrity test is performed as part of the Pre-operational self-tests. It is automatically executed at power-on. The operator can power-cycle or reboot the module to initiate the software integrity test on-demand. This automatically performs the integrity test of all firmware components included within the boundary of the module.
  2. Operational Environment The module is a modifiable operational environment as per FIPS 140-3 Level 1 specifications. The operating system is restricted to a single operator mode of operation. The application that makes calls to the module is the single user of the module even when the application is serving multiple clients. See Table 2 for details regarding what platforms the module was tested on.
  3. Physical Security As the module is a software only module, the physical security requirements are not applicable.
  4. Non-Invasive Security No approved non-invasive attack mitigation test metrics are defined at this time.
  5. Sensitive Security Parameters Establishment N/A N/A
12 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc.

Page 13

Establishment (Curves: P256, Curves: P256, N/A (Curves: P256, (Curves: P256, N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 13

Page 14
14 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc.

Page 15

(Curves: P256, (Curves: P256, (Curves: P256, (Curves: P256, (Curves: P256, N/A Establishment (Curves: P256, N/A N/A N/A N/A N/A N/A N/A Table 10– SSPs Table 11 - Non-Deterministic Random Number Generation Specification Palo Alto Networks SD-WAN ION Core Crypto Module 15

Page 16
AlgorithmSelf-Test Details
SHSKAT using SHA2-256
HMACKAT using HMAC- SHA2-256
Software integrityUsing HMAC-SHA2-256
AlgorithmSelf-Test Details
AESAES-ECB 256 bits Encryption KAT
AESAES-ECB 256 bits Decryption KAT
AESAES-CBC 256 bits Encryption KAT
AESAES-CBC 256 bits Decryption KAT
AESAES-GCM 256 bits Encryption KAT
AESAES-GCM 256 bits Decryption KAT
DRBGCTR_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed)
ECDSAKAT using P-224 with SHA2-256 (ECDSA Signature Generation)
ECDSAKAT using P-224 with SHA2-256 (ECDSA Signature Verification)
HMACKAT using HMAC-SHA-1
HMACKAT using HMAC-SHA2-224
HMACKAT using HMAC-SHA2-256
HMACKAT using HMAC-SHA2-384
HMACKAT using HMAC-SHA2-512
KAS-ECC-SSCKAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value
KDF IKEv2KAT for KDF IKEv2
KDF SSHKAT for KDF SSH
KDF SNMPKAT for KDF SNMP
KDF TLSKAT for KDF TLSv
RSAKAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation)
RSAKAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification)
SHSKAT using SHA-1
AlgorithmSelf-Test Details
AESAES-CBC 256 bits Encryption KAT
AESAES-CBC 256 bits Decryption KAT
AESAES-GCM 256 bits Encryption KAT

The modules perform the following self-tests, including the pre-operational self-tests and Conditional self-tests. Pre-Operational Self-Tests Table 12 - Pre-Operational Self-Tests The modules also perform the following Cryptographic Algorithm Self-Tests (CASTs), which can be initiated by rebooting the module. All self-tests run without operator intervention. Table 13

16 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc. Module

Page 17
AESAES-GCM 256 bits Encryption KAT
ECDSAKAT using P-224 with SHA2-256 (ECDSA Signature Generation)
ECDSAKAT using P-224 with SHA2-256 (ECDSA Signature Verification)
DRBGHMAC_DRBG (SHA2-512) KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed)
HMACKAT using SHA2-256
HMACKAT using SHA2-384
HMACKAT using SHA2-512
KAS-ECC-SSCKAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value
KDF TLSKAT for KDF TLS
RSAKAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation)
RSAKAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification)
AlgorithmSelf-Test Details
SP 800-90B Health TestsThe module’s entropy source implements Start-up and Continuous health tests defined in SP800-90B, section 4.2. The entropy source utilizes Developer-Defined Alternatives to the Continuous Health Tests which is defined in SP 800-90B section 4.5.
AlgorithmSelf-Test Details
RSARSA Pairwise consistency test (PCT)
ECDSAECDSA PCT
KAS-ECC-SSCSP800-56Ar3 KAS-ECC-SSC PCT
AlgorithmSelf-Test Details
RSARSA Pairwise consistency test (PCT)
ECDSAECDSA PCT
SP800-56Ar3 KAS-ECC-SSCSP800-56Ar3 KAS-ECC-SSC PCT

Table 14

Page 18
Cause of ErrorError State Indicator
Failed Pre-Operational Software Integrity TestIntegrity check failed at <location>
Failed Conditional CAST<Crypto Library>: FIPS Self-test failed for <algorithm> Entering error state
Failed Conditional PCTKey verification failed
SP 800-90B Entropy Source Start-up/Continuous health testsNo random numbers are generated and key generation is halted

passing the pre-operational firmware integrity test and the conditional CASTs. The table 18 below shows the different causes that lead to the Error State and the status indicators reported. Table 18 - Error State Indicators

  1. Life-Cycle Assurance The sections below highlight the details for each stage. Secure Delivery Procedures The module is built into ION 6.1. There is no standalone delivery of the module as a software library. The vendor’s internal development process guarantees that the correct version of the module goes with the intended OS. Secure Operation The module meets all the Level 1 requirements for FIPS 140-3. Follow the secure operations provided below to place the module in the Approved mode. The software version is 1.0. The module is initiated into the Approved mode of operation via the following procedure. Note that a Palo Alto ION device running ION 6.1 is needed to access the APIs of the module.
  2. Prepare ION device for use and power-on
  3. Using the Controller, navigate to the device that is to be initiated
  4. Select “FIPS” a. Click “proceed” to begin initialization procedure
  5. The module will begin initialization that includes the following: a. Zeroization of any sensitive information or data b. Power cycle of the device followed by running all self-tests
  6. Once initialization is complete, the module provides the following status output: a. Device Mode: “fips” b. Once the module has completed initialization into the Approved mode of operation, any non-Approved configurations/algorithms are rejected automatically by the module and an error message is output. End of Life / Sanitization End of life dates for the module are announced publicly via Palo Alto Networks’ services website. Crypto Officers should follow the procedure below for the secure destruction of their module: Note: This process will cause the module to no longer function after it has wiped all configurations and keys.
18 Palo Alto Networks SD-WAN ION Core Crypto

© 2024 Palo Alto Networks, Inc. Module

Page 19
  1. Access the module as Crypto Officer
  2. Execute command: “disable system” a. Confirm command
  3. Module will begin zeroization process and wipe all security parameters and configurations
  4. Mitigation of Other Attacks This module is not designed to mitigate against any other attacks outside of the FIPS 140-3 scope. © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 19

Referenced URLs