| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/7/2029 |
| Caveat | Interim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3564 |
| AES-CBC | A3566 |
| AES-CTR | A3563 |
| AES-ECB | A3563 |
| AES-GCM | A3563 |
| AES-GCM | A3564 |
| Counter DRBG | A3563 |
| ECDSA KeyGen (FIPS186-4) | A3563 |
| ECDSA KeyGen (FIPS186-4) | A3564 |
| ECDSA SigGen (FIPS186-4) | A3563 |
| ECDSA SigVer (FIPS186-4) | A3563 |
| HMAC DRBG | A3564 |
| HMAC-SHA-1 | A3563 |
| HMAC-SHA2-224 | A3563 |
| HMAC-SHA2-256 | A3564 |
| HMAC-SHA2-256 | A3566 |
| HMAC-SHA2-384 | A3563 |
| HMAC-SHA2-384 | A3564 |
| HMAC-SHA2-512 | A3563 |
| HMAC-SHA2-512 | A3564 |
| KAS-ECC-SSC Sp800-56Ar3 | A3563 |
| KAS-ECC-SSC Sp800-56Ar3 | A3564 |
| KDF IKEv2 | A3563 |
| KDF SNMP | A3563 |
| KDF SSH | A3563 |
| KDF TLS | A3563 |
| KDF TLS | A3564 |
| RSA KeyGen (FIPS186-4) | A3563 |
| RSA SigGen (FIPS186-4) | A3563 |
| RSA SigVer (FIPS186-4) | A3563 |
| RSA SigVer (FIPS186-4) | A3572 |
| SHA-1 | A3566 |
| SHA2-224 | A3563 |
| SHA2-256 | A3563 |
| SHA2-256 | A3564 |
| SHA2-384 | A3563 |
| SHA2-384 | A3564 |
| SHA2-512 | A3563 |
| SHA2-512 | A3564 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 3 |
| Cryptographic Module Interfaces | 8 |
| Roles, Services, and Authentication | 8 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | 1 |
| Non-Invasive Security | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Palo Alto Networks SD-WAN ION Core Crypto Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-Test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Palo Alto Networks SD-WAN ION Core Crypto Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-Test<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Palo Alto Networks SD-WAN ION Core Crypto Module Software Version: 1.0 Documentation Version: 1.3 Last Update: June 11, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: June 11, 2024 Document Version: 1.3
| # | Section | Page |
|---|---|---|
| 1 | General | 3 |
| 2 | Cryptographic Module Specification | 3 |
| 3 | Cryptographic Module Interfaces | 8 |
| 4 | Roles, Services, and Authentication | 8 |
| 5 | Software/Firmware Security | 12 |
| 6 | Operational Environment | 12 |
| 7 | Physical Security | 12 |
| 8 | Non-Invasive Security | 12 |
| 9 | Sensitive Security Parameters | 12 |
| 10 | Self-Tests | 15 |
| 11 | Life-Cycle Assurance | 18 |
| 12 | Mitigation of Other Attacks | 19 |
| 9 | Sensitive security parameter management | 1 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | |
|---|---|---|---|---|---|
| 1 | ION 6.1 | ION 1200 | Intel Atom C3436L | With PAA | 1 |
| 2 | ION 6.1 | ION 1200 | Intel Atom C3436L | Without PAA | 2 |
| 3 | ION 6.1 | ION 1200-C-NA | Intel Atom C3436L | With PAA | 3 |
| 4 | ION 6.1 | ION 1200-C-NA | Intel Atom C3436L | Without PAA | 4 |
| 5 | ION 6.1 | ION 1200-C-ROW | Intel Atom C3436L | With PAA | 5 |
| 6 | ION 6.1 | ION 1200-C-ROW | Intel Atom C3436L | Without PAA | 6 |
| 7 | ION 6.1 | ION 1200-C-5G-WW | Intel Atom C3436L | With PAA | 7 |
| 8 | ION 6.1 | ION 1200-C-5G-WW | Intel Atom C3436L | Without PAA | 8 |
| 9 | ION 6.1 | ION 1200-S | Intel Atom C3436L | With PAA | 9 |
| 10 | ION 6.1 | ION 1200-S | Intel Atom C3436L | Without PAA | 10 |
| 11 | ION 6.1 | ION 1200-S-C-NA | Intel Atom C3436L | With PAA | 11 |
| 12 | ION 6.1 | ION 1200-S-C-NA | Intel Atom C3436L | Without PAA | 12 |
| 13 | ION 6.1 | ION 1200-S-C-ROW | Intel Atom C3436L | With PAA | 13 |
The table below provides the security levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks SD-WAN ION Core Crypto Module with software version 1.0, hereinafter referred to as the Module. The Palo Alto Networks SD-WAN ION Core Crypto Module is utilized in hardware and software ION form factors. These enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of a WAN. The Module contains the following libraries:
| Name | Operating System | Hardware Platform | |
|---|---|---|---|
| 1 | AWS | Dependent on Provider | 1 |
| 2 | Azure | Dependent on Provider | 2 |
| 3 | Google Cloud | Dependent on Provider | 3 |
| 4 | OCI | Dependent on Provider | 4 |
| 5 | ION 7108V | GPC | 5 |
| 6 | ION 3108V | GPC | 6 |
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES: ● FIPS 197 ● SP 800-38D | A3566 | ECB | 128, 192, and 256 bits | Data Encryption/Decryption |
| AES: ● FIPS 197 ● SP 800-38A | A3566 | CBC | 128, 192, and 256 bits | Data Encryption/Decryption |
| AES: ● FIPS 197 ● SP 800-38A | A3566 | CTR | 128, 192, and 256 bits | Data Encryption/Decryption |
| AES: ● FIPS 197 ● SP 800-38D | A3566 | GCM | 128, 192, and 256 bits | Data Encryption/Decryption |
| KDF SSH: ● SP 800-135rev1 (CVL) | A3566 | KDF SSHv2 | N/A | SP800-135rev1 compliant Key Derivation |
| KDF TLS: ● SP 800-135rev1 (CVL) | A3566 | KDF TLS 1.2 | N/A | SP800-135rev1 compliant Key Derivation |
| KDF KEv2: ● SP 800-135rev1 (CVL) | A3566 | KDF IKEv2 | N/A | SP800-135rev1 compliant Key Derivation |
| KDF SNMP: ● SP 800-135rev1 (CVL) | A3566 | KDF SNMPv3 | N/A | SP800-135rev1 compliant Key Derivation |
| DRBG: ● SP 800-90Arev1 | A3566 | CTR_DRBG (AES-256 bits) Derivation Function Enabled: Yes | N/A | Deterministic Random Bit Generation |
| KAS-SSC ● SP 800-56Arev3 | A3566 | KAS-ECC-SSC Ephemeral Unified | KAS-ECC-SSC with P-256, P-384, P-521; key establishment methodology provides between 128 and 256 bits of encryption strength | KAS-ECC Shared Secret Computation |
| KAS ● SP 800-56Arev3 | A3566 | KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responder | KAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Agreement Scheme per SP800-56Arev3 with key derivation function (SP800-135rev1) Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario 2 (path 2) compliant |
| ECDSA ● FIPS 186-4 | A3566 | ECDSA KeyGen | Curves: P-224, P-256, P-384, P-521 | ECDSA Key Generation |
| ECDSA ● FIPS 186-4 | A3566 | ECDSA SigGen | Curves: P-224, P-256, P-384, P-521 | ECDSA Digital Signature Generation |
| ECDSA ● FIPS 186-4 | A3566 | ECDSA SigVer | Curves: P-224, P-256, P-384, P-521 | ECDSA Digital Signature Verification |
| HMAC ● FIPS 198-1 | A3566 | HMAC-SHA-1 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3566 | HMAC-SHA2-224 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3566 | HMAC-SHA2-256 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3566 | HMAC-SHA2-384 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3566 | HMAC-SHA2-512 | At least 160 bits | Message Authentication |
| KTS ● SP800-38F | A3566 | KTS (AES Cert. #A3566) | 128, 192, and 256 bits Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Transport using AES-GCM |
| KTS ● SP800-38F | A3566 | KTS (AES Cert. #A3566 and HMAC Cert. #A3566) | 128, 192, and 256 bits Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Transport using AES and HMAC |
| RSA ● FIPS 186-4 | A3566 | RSA KeyGen (PKCS#1 v1.5) | Modulus: 2048 and 3072 bits | RSA Key Generation |
| RSA ● FIPS 186-4 | A3566 | RSA SigGen (PKCS#1 v1.5) | Modulus: 2048 and 3072 bits | RSA Digital Signature Generation |
| RSA ● FIPS 186-4 | A3566 | RSA SigVer (PKCS#1 v1.5) | Modulus: 2048 and 3072 bits | RSA Digital Signature Verification |
| SHS ● FIPS 180-4 | A3566 | SHA-1 | N/A | Hashing Note: SHA-1 is not used for digital signature generation |
| SHS ● FIPS 180-4 | A3566 | SHA2-224 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3566 | SHA2-256 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3566 | SHA2-384 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3566 | SHA2-512 | N/A | Hashing |
| CKG (SP 800-133rev2) | Vendor Affirmed | Section 5 | Cryptographic Key Generation; SP 800- 133rev2 and IG D.H. | Key Generation Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800- 133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3566). |
| AES: ● FIPS 197 ● SP 800-38A | A3572 | CBC | 128 or 256 bits | Data Encryption/Decryption |
| AES: ● FIPS 197 ● SP 800-38D | A3572 | GCM | 128 or 256 bits | Data Encryption/Decryption |
| KDF TLS: ● SP 800-135rev1 (CVL) | A3572 | KDF TLS v1.2 | N/A | SP800-135rev1 compliant Key Derivation |
| DRBG: ● SP 800-90Arev1 | A3572 | DRBG with HMAC- SHA2-512 | N/A | Deterministic Random Bit Generation |
| KAS-SSC ● SP 800-56Arev3 | A3572 | KAS-ECC-SSC Ephemeral Unified | KAS-ECC-SSC with P-256, P- 384, P-521; Key establishment methodology provides between 128 256 bits of encryption strength | KAS-ECC Shared Secret Computation |
| KAS ● SP 800-56Arev3 | A3572 | KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responder | KAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Agreement Scheme per SP800- 56Arev3 with key derivation function (SP800-135rev1) Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario 2 (path 2) compliant |
| ECDSA ● FIPS 186-4 | A3572 | ECDSA KeyGen | Curves: P-224, P-256, P-384, P- 521 | ECDSA Key Generation |
| HMAC ● FIPS 198-1 | A3572 | HMAC-SHA2-256 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3572 | HMAC-SHA2-384 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3572 | HMAC-SHA2-512 | At least 160 bits | Message Authentication |
| KTS ● SP800-38F | A3572 | KTS (AES Cert. #A3572) | 128 or 256 bits Key establishment methodology provides 128 or 256 bits of encryption strength | Key Transport using AES-GCM |
| 15 | ION 6.1 | ION 1200-S-C-5G-WW | Intel Atom C3436L | With PAA |
|---|---|---|---|---|
| 16 | ION 6.1 | ION 1200-S-C-5G-WW | Intel Atom C3436L | Without PAA |
| 17 | ION 6.1 | ION 3200 | Intel Atom C3558R | With PAA |
| 18 | ION 6.1 | ION 3200 | Intel Atom C3558R | Without PAA |
| 19 | ION 6.1 | ION 5200 | Intel Atom C5325 | With PAA |
| 20 | ION 6.1 | ION 5200 | Intel Atom C5325 | Without PAA |
| 21 | ION 6.1 | ION 9200 | Intel Atom P5362 | With PAA |
| 22 | ION 6.1 | ION 9200 | Intel Atom P5362 | Without PAA |
Table 2
© 2024 Palo Alto Networks, Inc. Module
N/A N/A N/A N/A N/A © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 5
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| SHS ● FIPS 180-4 | A3566 | SHA2-256 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3566 | SHA2-384 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3566 | SHA2-512 | N/A | Hashing |
| CKG (SP 800-133rev2) | Vendor Affirmed | Section 5 | Cryptographic Key Generation; SP 800- 133rev2 and IG D.H. | Key Generation Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800- 133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3566). |
| AES: ● FIPS 197 ● SP 800-38A | A3572 | CBC | 128 or 256 bits | Data Encryption/Decryption |
| AES: ● FIPS 197 ● SP 800-38D | A3572 | GCM | 128 or 256 bits | Data Encryption/Decryption |
| KDF TLS: ● SP 800-135rev1 (CVL) | A3572 | KDF TLS v1.2 | N/A | SP800-135rev1 compliant Key Derivation |
| DRBG: ● SP 800-90Arev1 | A3572 | DRBG with HMAC- SHA2-512 | N/A | Deterministic Random Bit Generation |
| KAS-SSC ● SP 800-56Arev3 | A3572 | KAS-ECC-SSC Ephemeral Unified | KAS-ECC-SSC with P-256, P- 384, P-521; Key establishment methodology provides between 128 256 bits of encryption strength | KAS-ECC Shared Secret Computation |
| KAS ● SP 800-56Arev3 | A3572 | KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responder | KAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Agreement Scheme per SP800- 56Arev3 with key derivation function (SP800-135rev1) Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario 2 (path 2) compliant |
| ECDSA ● FIPS 186-4 | A3572 | ECDSA KeyGen | Curves: P-224, P-256, P-384, P- 521 | ECDSA Key Generation |
| HMAC ● FIPS 198-1 | A3572 | HMAC-SHA2-256 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3572 | HMAC-SHA2-384 | At least 160 bits | Message Authentication |
| HMAC ● FIPS 198-1 | A3572 | HMAC-SHA2-512 | At least 160 bits | Message Authentication |
| KTS ● SP800-38F | A3572 | KTS (AES Cert. #A3572) | 128 or 256 bits Key establishment methodology provides 128 or 256 bits of encryption strength | Key Transport using AES-GCM |
| KTS ● SP800-38F | A3572 | KTS (AES Cert. #A3572 and HMAC Cert. #A3572) | 128 or 256 bits Key establishment methodology provides 128 or 256 bits of encryption strength | Key Transport using AES and HMAC |
| RSA ● FIPS 186-4 | A3572 | RSA SigVer (PKCS#1 v1.5) | Modulus: 2048 bits | Digital Signature Verification |
| SHS ● FIPS 180-4 | A3572 | SHA2-256 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3572 | SHA2-384 | N/A | Hashing |
| SHS ● FIPS 180-4 | A3572 | SHA2-512 | N/A | Hashing |
| CKG (SP 800-133rev2) | Vendor Affirmed | Section 5 | Cryptographic Key Generation; SP 800- 133rev2 and IG D.H. | Key Generation Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3572). |
N/A N/A N/A Table 4
© 2024 Palo Alto Networks, Inc.
N/A N/A N/A Table 5
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input Interface | API input parameters for data |
| N/A | N/A | Data Output Interface | API output parameters for data |
| N/A | N/A | Control Input Interface | API function calls |
| N/A | N/A | Control Output Interface | N/A |
| N/A | N/A | Status Output Interface | Return values, and or log messages |
As the module can only be operated in the Approved mode of operation with algorithms listed in Tables 4 - 5, the following options defined in SP 800-140B are not applicable for this document: ● ● ● Non-Approved Algorithms Allowed in Approved Mode of Operation Non-Approved Algorithms Allowed in Approved Mode of Operation with No Security Claimed Non-Approved Algorithms Not Allowed in Approved Mode of Operation Cryptographic Boundary Figure 1 below depicts the cryptographic boundary (yellow area with the blue dashed lines) and the physical perimeter (red dashed line). The cryptographic boundary includes all of the software components of the cryptographic libraries. The physical perimeter is the Tested Operational Environment’s Physical Perimeter (TOEPP) on which the module runs. Figure 1– Cryptographic Boundary
© 2024 Palo Alto Networks, Inc. Module
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|---|
| Self-Test | Crypto Officer | Command to trigger Self-Test | Status of the self-tests results | |||||
| Zeroize | Crypto Officer | Command to initiate the SSPs zeroization | Status of the SSPs zeroization | |||||
| Show Version | Crypto Officer | Command to show version | Module’s name/ID and versions | |||||
| Show Status | Crypto Officer | Command to show status | Module’s status information | |||||
| Configure Network | Crypto Officer | Commands to configure the module | Status of the completion of network related configuration | |||||
| Configure SSHv2 Function | Crypto Officer | Commands to configure SSHv2 | Status of the completion of SSHv2 configuration | |||||
| Configure TLSv1.2 Function | Crypto Officer | Commands to configure TLSv1.2 | Status of the completion of TLSv1.2 configuration | |||||
| Configure SNMPv3 Function | Crypto Officer | Commands to configure SNMPv3 | Status of the completion of SNMPv3 configuration | |||||
| Configure IPsec/IKEv2 Function | Crypto Officer | Commands to configure IPSec/IKEv2 | Status of the completion of IPSec/IKEv2 configuration | |||||
| Run SSHv2 Function | Crypto Officer | Initiate SSHv2 tunnel establishment request | Status of SSHv2 tunnel establishment | |||||
| Run TLSv1.2 Function | Crypto Officer | Initiate TLSv1.2 tunnel establishment request | Status of TLSv1.2 tunnel establishment | |||||
| Run SNMPv3 Function | Crypto Officer | Initiate SNMPv3 tunnel establishment request | Status of SNMPv3 tunnel establishment | |||||
| Run IPSec/IKEv2 Function | Crypto Officer | Initiate of IPSec/IKEv2 tunnel establishment | Status of IPSec/IKEv2 tunnel establishment | |||||
| Self-Test | Initiate and run the pre-operational self- tests | Crypto Officer | Software Integrity Test Key (Not a SSP) | HMAC-SHA2-256 | N/A | None | ||
| Zeroize | Zeroize all unprotected SSPs stored in the module | Crypto Officer | All | N/A | Z | None | ||
| Show Version | Provides the module’s name/ID and versions | Crypto Officer | N/A | N/A | N/A | None | ||
| Show Status | Provides the module’s current status and information | Crypto Officer | N/A | N/A | N/A | None | ||
| Configure Network | Perform the Module’s Network Configuration | Crypto Officer | TLS RSA Public Key | RSA Sigver | G/R/W/E | Global indicator and Configuration logs | ||
| Configure SSHv2 Function | Create a secure SSHv2 channel | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); SSH ECDHE Private Key (CSP); | AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; | G/R/W/E | Global indicator and SSH connection log message |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|---|
| Self-Test | Crypto Officer | Command to trigger Self-Test | Status of the self-tests results | |||||
| Zeroize | Crypto Officer | Command to initiate the SSPs zeroization | Status of the SSPs zeroization | |||||
| Show Version | Crypto Officer | Command to show version | Module’s name/ID and versions | |||||
| Show Status | Crypto Officer | Command to show status | Module’s status information | |||||
| Configure Network | Crypto Officer | Commands to configure the module | Status of the completion of network related configuration | |||||
| Configure SSHv2 Function | Crypto Officer | Commands to configure SSHv2 | Status of the completion of SSHv2 configuration | |||||
| Configure TLSv1.2 Function | Crypto Officer | Commands to configure TLSv1.2 | Status of the completion of TLSv1.2 configuration | |||||
| Configure SNMPv3 Function | Crypto Officer | Commands to configure SNMPv3 | Status of the completion of SNMPv3 configuration | |||||
| Configure IPsec/IKEv2 Function | Crypto Officer | Commands to configure IPSec/IKEv2 | Status of the completion of IPSec/IKEv2 configuration | |||||
| Run SSHv2 Function | Crypto Officer | Initiate SSHv2 tunnel establishment request | Status of SSHv2 tunnel establishment | |||||
| Run TLSv1.2 Function | Crypto Officer | Initiate TLSv1.2 tunnel establishment request | Status of TLSv1.2 tunnel establishment | |||||
| Run SNMPv3 Function | Crypto Officer | Initiate SNMPv3 tunnel establishment request | Status of SNMPv3 tunnel establishment | |||||
| Run IPSec/IKEv2 Function | Crypto Officer | Initiate of IPSec/IKEv2 tunnel establishment | Status of IPSec/IKEv2 tunnel establishment | |||||
| Self-Test | Initiate and run the pre-operational self- tests | Crypto Officer | Software Integrity Test Key (Not a SSP) | HMAC-SHA2-256 | N/A | None | ||
| Zeroize | Zeroize all unprotected SSPs stored in the module | Crypto Officer | All | N/A | Z | None | ||
| Show Version | Provides the module’s name/ID and versions | Crypto Officer | N/A | N/A | N/A | None | ||
| Show Status | Provides the module’s current status and information | Crypto Officer | N/A | N/A | N/A | None | ||
| Configure Network | Perform the Module’s Network Configuration | Crypto Officer | TLS RSA Public Key | RSA Sigver | G/R/W/E | Global indicator and Configuration logs | ||
| Configure SSHv2 Function | Create a secure SSHv2 channel | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); SSH ECDHE Private Key (CSP); | AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; | G/R/W/E | Global indicator and SSH connection log message | ||
| KAS-SSC (ECC); KAS (ECC); KDF SSH | SSH ECDHE Public Key (PSP); Peer SSH ECDHE Public Key (PSP); SSH ECDHE Shared Secret (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP) | KAS-SSC (ECC); KAS (ECC); KDF SSH | ||||||
| Configure TLSv1.2 Function | Create a secure TLSv1.2 channel | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); TLS RSA Private Key (CSP); TLS RSA Public Key (PSP); TLS ECDHE Private Key (CSP); TLS ECDHE Public Key (PSP); Peer TLS ECDHE Public Key (PSP); TLS ECDHE Shared Secret (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP); | AES-CBC; AES-GCM; CKG; CTR_DRBG; HMAC_DRBG; HMAC-SHA2-256; HMAC-SHA2-384; KAS-SSC (ECC); KAS (ECC); KTS; RSA KeyGen; RSA SigGen; RSA SigVer; KDF TLS | G/R/W/E | Global indicator and TLS success log message | ||
| Configure SNMPv3 Function | Create a secure SNMPv3 channel | Crypto Officer | SNMPv3 Authentication Secret (CSP); SNMPv3 Session Encryption Key (CSP); SNMPv3 Session Authentication Key (CSP); | AES-CBC; HMAC-SHA-1; KDF SNMP | G/R/W/E | Global indicator and SNMPv3 success log message | ||
| Configure IPsec/IKEv2 Function | Create IPSec/IKEv2 tunnel | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); IPSec/IKE Pre-Shared Secret (CSP); IPSec/IKE RSA Private Key (CSP); IPSec/IKE RSA Public Key (PSP); IPSec/IKE ECDHE Private Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); | AES-CBC; CKG; CTR_DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; KDF IKEv2 | G/R/W/E | Global indicator and IPSec success log message | ||
| Run SSHv2 Function | Negotiation and encrypted data transport via SSH | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); | AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; | G/R/W/E | Global indicator and SSH connection log message | ||
| ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); KDF SSH | SSH ECDHE Private Key (CSP); SSH ECDHE Public Key (PSP); Peer SSH ECDHE Public Key (PSP); SSH ECDHE Shared Secret (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP); | ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); KDF SSH | ||||||
| Run TLSv1.2 Function | Negotiation and encrypted data transport via TLS | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); TLS RSA Private Key (CSP); TLS RSA Public Key (PSP); TLS ECDHE Private Key (CSP); TLS ECDHE Public Key (PSP); Peer TLS ECDHE Public Key (PSP); TLS ECDHE Shared Secret (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP); | AES-CBC; AES-GCM; CKG; CTR_DRBG; HMAC_DRBG; HMAC-SHA2-256; HMAC-SHA2-384; KAS-SSC (ECC); KAS (ECC); KTS; RSA KeyGen; RSA SigGen; RSA SigVer; KDF TLS | G/R/W/E | Global indicator and TLS success log message | ||
| Run SNMPv3 Function | Negotiation and encrypted data transport via SNMPv3 | Crypto Officer | SNMPv3 Authentication Secret (CSP); SNMPv3 Session Encryption Key (CSP); SNMPv3 Session Authentication Key (CSP); | AES-CBC; HMAC-SHA-1; KDF SNMP | G/R/W/E | Global indicator and SNMPv3 success log message | ||
| Run IPSec/IKEv2 Function | Negotiation and encrypted data transport via IPSec | Crypto Officer | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); IPSec/IKE Pre-Shared Secret (CSP); IPSec/IKE RSA Private Key (CSP); IPSec/IKE RSA Public Key (PSP); IPSec/IKE ECDHE Private Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); | AES-CBC; CKG; CTR_DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; KDF IKEv2 | G/R/W/E | Global indicator and IPSec/IKEv2 success log message |
4. Roles, Services, and Authentication The module supports role-based authentication, and provides a Crypto Officer role. The Crypto Officer role has the ability to perform all tasks and administrative actions. N/A N/A Z N/A N/A N/A N/A N/A N/A G/R/W/E G/R/W/E © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 9
© 2024 Palo Alto Networks, Inc. Module
G/R/W/E G/R/W/E G/R/W/E Table 9
| Name | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Import Export | Key/SSP Name/Type |
|---|---|---|---|---|---|---|---|---|
| Used to seed the DRBG | At least 256 bits | N/A | Obtained from the Entropy Source within TOEPP (GPS INT Pathways) | N/A | DRAM (plaintext) | Zeroized when the tested platform is powered down | Import to the module via Module’s API | DRBG Entropy Input (CSP) |
| Export: No | Note: The module does not provide persistent keys/ SSPs storage | Export: No | ||||||
| Random number generation | 256 bits | CTR_DRBG Cert. #A3566; HMAC_DRBG Cert. #A3572 | Internally Derived from entropy input string as defined by SP 800- 90Arev1 DRBG | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | DRBG Seed (CSP) |
| Random number generation | 256 bits | CTR_DRBG Cert. #A3566; HMAC_DRBG Cert. #A3572 | Internally Derived from entropy input string as defined by SP 800- 90Arev1 DRBG | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | DRBG Internal State V value (CSP) |
| Random number generation | 256 bits | CTR_DRBG Cert. #A3566; HMAC_DRBG Cert. #A3572 | Internally Derived from entropy input string as defined by SP 800- 90Arev1 DRBG | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | DRBG Key (CSP) |
| Used for TLS peer authentication | 112-128 bits (Modulus: 2048, 3072 bits) | CKG; DRBG; RSA KeyGen; RSA SigGen; Certs. #A3566 and #A3572 | Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in key generation is generated using SP 800- 90Arev1 DRBG | N/A | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: No Export: No | TLS RSA Private Key (CSP) |
| Used for TLS peer authentication | 112-128 bits (Modulus: 2048, 3072 bits) | RSA KeyGen; RSA SigVer; Certs. #A3566 and #A3572 | Internally derived per the FIPS 186-4 RSA key generation method | N/A | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: No Export: Yes, to the TLS peer | TLS RSA Public Key (PSP) |
| Used to derive TLS ECDHE Shared Secret | 128 – 256 bits (Curves: P- 256, P-384, P-521) | CKG; DRBG; KAS-ECC-SSC; Certs. #A3566 and #A3572 | Internally generated conformant to SP800- 133r2 (CKG) using SP 800-56Arev3 EC Diffie- Hellman key generation method, and the random value used in key generation is generated using SP 800-90Arev1 DRBG | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | TLS ECDHE Private Key (CSP) |
| Used to derive TLS ECDHE Shared Secret | 128 – 256 bits (Curves: P- 256, P-384, P-521) | KAS-ECC-SSC; Certs. #A3566 and #A3572 | Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: Yes, to the TLS peer | TLS ECDHE Public Key (PSP) |
| Used to derive TLS ECDHE Shared Secret | Curves: P- 256, P-384, P-521 | N/A | N/A | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: Enter into the Module via Module’s API Export: No | Peer TLS ECDHE Public Key (PSP) |
| Used to derive TLS Session Encryption Keys, TLS Session Authentication Keys | 128 – 256 bits (Curves: P- 256, P-384, P-521) | KAS-ECC-SSC; KAS (ECC); Certs. #A3566 and #A3572 | Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computation | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | TLS ECDHE Shared Secret (CSP) |
| Used to derive TLS Master Secret | 384 bits | N/A | Internally derived via key derivation function defined in SP800- 135rev1 KDF (TLSv1.2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | TLS Pre-Master Secret (CSP) |
| Used to derive TLS Encryption Keys, TLS Authentication Keys. | 384 bits | N/A | Internally derived via key derivation function defined in SP800- 135rev1 KDF (TLSv1.2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | TLS Master Secret (CSP) |
| Used to secure TLS session confidentiality | 128 or 256 bits | AES-CBC; AES-GCM; KDF TLS KTS; Certs. #A3566 and #A3572 | Internally derived via key derivation function defined in SP 800- 135rev1 KDF (TLSv1.2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | TLS Session Encryption Key (CSP) |
| Used to secure the TLS session integrity | At least 112 bits | HMAC-SHA2-256; HMAC-SHA2-384; KDF TLS KTS; Certs. #A3566 and #A3572 | Internally derived via key derivation function defined in SP800-135 rev1 KDF TLSv1.2 | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | TLS Session Authentication Key (CSP) |
| Used for IPSec/IKE peer authentication | 2048 bits characters | N/A | N/A | MD/EE | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: Encrypted by using TLS/SSH session key Export: No | IPSec/IKE Pre- Shared Secret (CSP) |
| Used for IPSec/IKE peer authentication | 112 or 128 bits (Modulus: 2048 or 3072 bits) | CKG; DRBG; RSA SigGen; Cert# A3566 | Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG | N/A | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: No Export: No | IPSec/IKE RSA Private Key (CSP) |
| Used for IPSec/IKE peer authentication | 112 or 128 bits (Modulus: 2048 or 3072 bits) | RSA SigVer; Cert. #A3566 | Internally derived per the FIPS 186-4 RSA key generation method | N/A | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: No Export: to the IKE Peer application | IPSec/IKE RSA Public Key (PSP) |
| Used to derive IPSec/IKE ECDHE Shared Secret | 128 or 192 bits (Curves: P- 256 or P-384) | CKG; DRBG; KAS-ECC-SSC; KAS (ECC); Cert. #A3566 | Internally generated conformant to SP800- 133r2 (CKG) using SP800-56Arev3 EC Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | IPSec/IKE ECDHE Private Key (CSP) |
| Used to derive IPSec/IKE ECDHE Shared Secret | 128 or 192 bits (Curves: P- 256 or P-384) | KAS-ECC-SSC; KAS (ECC); Cert. #A3566 | Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: to the IKE Peer application | IPSec/IKE ECDHE Public Key (PSP) |
| Used to derive IPSec/IKE Session Encryption Keys, IPSec/IKE Authentication Keys | 128 or 192 bits (Curves: P- 256 or P-384) | KAS-ECC-SSC; KAS (ECC); Cert. #A3566 | Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computation | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | IPSec/IKE ECDHE Shared Secret (CSP) |
| Used to secure IPSec/IKEv2 session confidentiality | 128-256 bits | AES-CBC; KDF IKEv2; Cert. #A3566 | Internally derived via key derivation function defined in SP800- 135rev1 KDF (IKEv2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | IPSec/IKE Session Encryption Key (CSP) |
| Used to secure IPSec/IKEv2 session integrity | At least 112 bits | HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KDF IKEv2; Cert. #A3566 | Internally derived via key derivation function defined in SP800- 135rev1 KDF (IKEv2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | IPSec/IKE Session Authentication Key (CSP) |
| Used for SNMPv3 User authentication | 8 characters minimum | N/A | N/A | MD/EE | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: Encrypted by using TLS/SSH session key Export: No | SNMPv3 Authentication Secret (CSP) |
| Used to secure SNMPv3 session confidentiality | 128 bits | AES-CFB; KDF SNMP; Cert. #A3566 | Internally derived via key derivation function defined in SP800- 135rev1 KDF (SNMPv3) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | SNMPv3 Session Encryption Key (CSP) |
| Used to secure SNMPv3 session integrity | At least 112 bits | HMAC-SHA-1; KDF SNMP; Cert. #A3566 | Internally derived via key derivation function defined in SP800- 135rev1 KDF (SNMPv3) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | SNMPv3 Session Authentication Key (CSP) |
| Used to derive the SSH ECDHE Shared Secret | 128-256 bits | CKG; DRBG; KAS-ECC-SSC; KAS (ECC); | Internally generated conformant to SP800- 133r2 (CKG) using SP800-56Arev3 EC | N/A | DRAM (plaintext) | Zeroized when the tested platform is powered down | Import: No Export: No | SSH ECDHE Private Key (CSP) |
| (Curves: P- 256, P-384, or P-521) | (Curves: P- 256, P-384, or P-521) | Cert. #A3566 | Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG | Note: The module does not provide persistent keys/ SSPs storage | ||||
| Used to derive the SSH ECDHE Shared Secret | 128-256 bits (Curves: P- 256, P-384, or P-521) | KAS-ECC-SSC; KAS (ECC); Cert. #A3566 | Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: Yes, to the SSH peer | SSH ECDHE Public Key (PSP) |
| Used to derive SSH ECDHE Shared Secret | 128-256 bits (Curves: P- 256, P-384, or P-521) | KAS-ECC-SSC; KAS (ECC); Cert.#A3566 | N/A | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: Enter into the Module via the Module’s API Export: No | Peer SSH ECDHE Public Key (PSP) |
| Used to derive SSH Session Encryption Keys, SSH Session Authentication Keys | 128-256 bits (Curves: P- 256, P-384, or P-521) | CKG; DRBG; KAS-ECC-SSC; Cert. #A3566 | Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computation | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | SSH ECDHE Shared Secret (CSP) |
| Used for SSH session authentication | 128-256 bits (Curves: P- 256, P-384, or P-521) | CKG; DRBG; ECDSA KeyGen; ECDSA SigGen; Cert. #A3566 | Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 ECDSA Key Generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG | N/A | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP (CSP/PSP) Zeroization Command | Import: No Export: No | SSH ECDSA Private Key (CSP) |
| Used for SSH session authentication | 128-256 bits (Curves: P- 256, P-384, or P-521) | ECDSA KeyGen; ECDSA SigVer; Cert. #A3566 | Internally derived per the FIPS 186-4 ECDSA Keypair generation method | N/A | HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Import: No Export: Yes, to the SSH peer | SSH ECDSA Public Key (PSP) |
| Used for SSH session confidentiality protection | 128 - 256 bits | AES-CTR; KDF SSH; KTS; Cert. #A3566 | Internally derived via key derivation function defined in SP 800- 135rev1 KDF (SSHv2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | SSH Session Encryption Key (CSP) |
| Used for SSH session integrity protection | At least 112 bits | KDF SSH; KTS; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; Cert. #A3566 | Internally derived via key derivation function defined in SP 800- 135rev1 KDF (SSHv2) | N/A | DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage | Zeroized when the tested platform is powered down | Import: No Export: No | SSH Session Authentication Key (CSP) |
G = Generate: The module generates or derives the SSP. W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Unauthenticated Services Unauthenticated Users can run the self-test service by power-cycling the tested platform.
© 2024 Palo Alto Networks, Inc.
Establishment (Curves: P256, Curves: P256, N/A (Curves: P256, (Curves: P256, N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN ION Core Crypto Module 13
© 2024 Palo Alto Networks, Inc.
(Curves: P256, (Curves: P256, (Curves: P256, (Curves: P256, (Curves: P256, N/A Establishment (Curves: P256, N/A N/A N/A N/A N/A N/A N/A Table 10– SSPs Table 11 - Non-Deterministic Random Number Generation Specification Palo Alto Networks SD-WAN ION Core Crypto Module 15
| Algorithm | Self-Test Details | ||
|---|---|---|---|
| SHS | KAT using SHA2-256 | ||
| HMAC | KAT using HMAC- SHA2-256 | ||
| Software integrity | Using HMAC-SHA2-256 |
| Algorithm | Self-Test Details | ||
|---|---|---|---|
| AES | AES-ECB 256 bits Encryption KAT | ||
| AES | AES-ECB 256 bits Decryption KAT | ||
| AES | AES-CBC 256 bits Encryption KAT | ||
| AES | AES-CBC 256 bits Decryption KAT | ||
| AES | AES-GCM 256 bits Encryption KAT | ||
| AES | AES-GCM 256 bits Decryption KAT | ||
| DRBG | CTR_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed) | ||
| ECDSA | KAT using P-224 with SHA2-256 (ECDSA Signature Generation) | ||
| ECDSA | KAT using P-224 with SHA2-256 (ECDSA Signature Verification) | ||
| HMAC | KAT using HMAC-SHA-1 | ||
| HMAC | KAT using HMAC-SHA2-224 | ||
| HMAC | KAT using HMAC-SHA2-256 | ||
| HMAC | KAT using HMAC-SHA2-384 | ||
| HMAC | KAT using HMAC-SHA2-512 | ||
| KAS-ECC-SSC | KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value | ||
| KDF IKEv2 | KAT for KDF IKEv2 | ||
| KDF SSH | KAT for KDF SSH | ||
| KDF SNMP | KAT for KDF SNMP | ||
| KDF TLS | KAT for KDF TLSv | ||
| RSA | KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) | ||
| RSA | KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) | ||
| SHS | KAT using SHA-1 |
| Algorithm | Self-Test Details | ||
|---|---|---|---|
| AES | AES-CBC 256 bits Encryption KAT | ||
| AES | AES-CBC 256 bits Decryption KAT | ||
| AES | AES-GCM 256 bits Encryption KAT |
The modules perform the following self-tests, including the pre-operational self-tests and Conditional self-tests. Pre-Operational Self-Tests Table 12 - Pre-Operational Self-Tests The modules also perform the following Cryptographic Algorithm Self-Tests (CASTs), which can be initiated by rebooting the module. All self-tests run without operator intervention. Table 13
© 2024 Palo Alto Networks, Inc. Module
| AES | AES-GCM 256 bits Encryption KAT |
|---|---|
| ECDSA | KAT using P-224 with SHA2-256 (ECDSA Signature Generation) |
| ECDSA | KAT using P-224 with SHA2-256 (ECDSA Signature Verification) |
| DRBG | HMAC_DRBG (SHA2-512) KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed) |
| HMAC | KAT using SHA2-256 |
| HMAC | KAT using SHA2-384 |
| HMAC | KAT using SHA2-512 |
| KAS-ECC-SSC | KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value |
| KDF TLS | KAT for KDF TLS |
| RSA | KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) |
| RSA | KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) |
| Algorithm | Self-Test Details | ||
|---|---|---|---|
| SP 800-90B Health Tests | The module’s entropy source implements Start-up and Continuous health tests defined in SP800-90B, section 4.2. The entropy source utilizes Developer-Defined Alternatives to the Continuous Health Tests which is defined in SP 800-90B section 4.5. |
| Algorithm | Self-Test Details | ||
|---|---|---|---|
| RSA | RSA Pairwise consistency test (PCT) | ||
| ECDSA | ECDSA PCT | ||
| KAS-ECC-SSC | SP800-56Ar3 KAS-ECC-SSC PCT |
| Algorithm | Self-Test Details | ||
|---|---|---|---|
| RSA | RSA Pairwise consistency test (PCT) | ||
| ECDSA | ECDSA PCT | ||
| SP800-56Ar3 KAS-ECC-SSC | SP800-56Ar3 KAS-ECC-SSC PCT |
Table 14
| Cause of Error | Error State Indicator | ||
|---|---|---|---|
| Failed Pre-Operational Software Integrity Test | Integrity check failed at <location> | ||
| Failed Conditional CAST | <Crypto Library>: FIPS Self-test failed for <algorithm> Entering error state | ||
| Failed Conditional PCT | Key verification failed | ||
| SP 800-90B Entropy Source Start-up/Continuous health tests | No random numbers are generated and key generation is halted |
passing the pre-operational firmware integrity test and the conditional CASTs. The table 18 below shows the different causes that lead to the Error State and the status indicators reported. Table 18 - Error State Indicators
© 2024 Palo Alto Networks, Inc. Module