| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. |
| Vendor | F5, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2711 |
| AES-CBC | A2762 |
| AES-CTR | A2762 |
| AES-ECB | A2711 |
| AES-ECB | A2762 |
| AES-GCM | A2711 |
| AES-GCM | A2762 |
| AES-GCM | A2762 |
| AES-GMAC | A2711 |
| AES-GMAC | A2762 |
| Counter DRBG | A2711 |
| Counter DRBG | A2762 |
| ECDSA KeyGen (FIPS186-4) | A2762 |
| ECDSA KeyVer (FIPS186-4) | A2762 |
| ECDSA SigGen (FIPS186-4) | A2762 |
| ECDSA SigVer (FIPS186-4) | A2762 |
| HMAC-SHA-1 | A2711 |
| HMAC-SHA-1 | A2762 |
| HMAC-SHA2-256 | A2762 |
| HMAC-SHA2-384 | A2762 |
| KAS-ECC-SSC Sp800-56Ar3 | A2762 |
| KAS-FFC-SSC Sp800-56Ar3 | A2762 |
| RSA KeyGen (FIPS186-4) | A2762 |
| RSA SigGen (FIPS186-4) | A2762 |
| RSA SigVer (FIPS186-4) | A2762 |
| Safe Primes Key Generation | A2762 |
| Safe Primes Key Verification | A2762 |
| SHA-1 | A2711 |
| SHA-1 | A2762 |
| SHA2-256 | A2762 |
| SHA2-384 | A2762 |
flowchart LR
%% Deterministic review-risk graph for Cryptographic Module for BIG-IP ®
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Show status<br/>Self-Test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Cryptographic Module for BIG-IP ®
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Show status<br/>Self-Test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;F5, Inc. Cryptographic Module for BIG-IP(R) version 1.0.2u-fips document version 1.1 Last update: June 2024 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
| # | Section | Page |
|---|
F5® and BIG-IP® are registered trademarks of F5, Inc. VMware ESXi™ is a registered trademark of VMware ®, Inc. Intel® Xeon® is a registered trademark of Intel® Corporation. Dell is a registered trademark of Dell, Inc. Azure and Hyper-V are registered trademarks of Microsoft AWS is a trademark of Amazon.com, Inc. © 2024 F5, Inc. / atsec information security.
This document is the non-proprietary FIPS 140-3 Security Policy for version 1.0.2u-fips of the Cryptographic Module for BIG-IP. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an Overall Security Level 1 module. ISO/IEC 24759 Section FIPS 140-3 Section Title Security Level 6. [Number Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security Not Applicable
8 Non-invasive Security Not Applicable
9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-cycle Assurance 1
12 Mitigation of Other Attacks Not Applicable
Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.
The Cryptographic Module for BIG-IP (hereafter referred to as “the module”) is a software library implementing general purpose cryptographic algorithms. The module is a multiple-chip standalone cryptographic module. The software module provides cryptographic services to applications through an Application Program Interface (API). The module also interacts with the underlying operating system via system calls.
The module has been tested on the following platforms with the corresponding module variants and configuration options with and without PAA: # Operating Hardware Platform Processor PAA/ System Acceleration
1 BIG-IP 16.1.3.1 on Dell PowerEdge M620 Intel® Xeon® E5- AES-NI and
VMware ESXi™ 6.5 2670 Sandy Bridge SHA extensions hypervisor
2 BIG-IP 16.1.3.1 on Dell PowerEdge R450 Intel® Xeon Silver AES-NI and
3 BIG-IP 16.1.3.1 on Dell PowerEdge M630 Intel® Xeon® E5- AES-NI and
KVM on Ubuntu 2690 v4 Broadwell SHA extensions
Fossa) Table 2 - Tested Operational Environments In addition to the configurations tested by the atsec CST laboratory, vendor-affirmed testing was performed on the following platforms for the module by F5, Inc. # Operating System Hardware Platform
1 BIG-IP 16.1.3.1 running on Microsoft Azure -cli 2.48.1 on Intel Xeon Platinum
Corporation Hyper-V Virtual Machine 8272CL processor
2 BIG-IP 16.1.3.1 running on Xen 4.2.amazon AWS CLI 2.11.19 on Intel Xeon Scalable
Processor
The module supports two modes of operation:
The table below lists all security functions of the module, including specific key size(s) employed for approved or vendor-affirmed security functions, and implemented modes of operation. CAVP Algorithm and Mode / Method Description / Key Use / Function Cert1 Size(s) / Key Strengths Standard (bits) Assembler implementation A2762 AES [FIPS 197, ECB, CBC, CTR, GCM 128 / 192 / 256-bit AES Encryption and SP800-38A, key / strength from 128 to decryption SP800 38C, 256 bits SP800 38D] A2762 AES [FIPS 197, GMAC 128 / 192 / 256-bit AES MAC generation/ SP800 38D] key / strength from 128 to verification
A2762 KTS (AES) FIPS GCM 128 / 256-bit AES key / Key wrapping 197, SP800-38F] strength from 128 and 256 bits A2762 Counter DRBG AES-256 in CTR DRBG seed, DRBG internal Random number [SP800- mode, with/ without state (V and Key values) / generation 90ARev1] derivation function, strength is 256 bits prediction resistance enabled and disabled Vendor CKG [SP800- RSA KeyGen 2048/ 3072/ 4096-bit Key pair generation Affirmed 133Rev2] modulus / strength from
1 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service
of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. © 2024 F5, Inc. / atsec information security.
CAVP Algorithm and Mode / Method Description / Key Use / Function Cert1 Size(s) / Key Strengths Standard (bits) ECDSA KeyGen P-256, P- 384 / strength
Safe Primes Key ffdhe2048, ffdhe3072, Generation ffdhe4096 / strength from
A2762 RSA KeyGen B.3.3 Probable 2048/ 3072/ 4096-bit RSA key pair [FIPS 186-4] primes with modulus size / strength generation standard key format from 112 to 150 bits A2762 RSA SigGen PKCS 1.5 with SHA- 2048/ 3072/ 4096-bit RSA signature [FIPS 186-4] 256, SHA-384 modulus/ strength from generation
A2762 RSA SigVer PKCS 1.5 with SHA- 2048/ 3072/ 4096-bit RSA signature [FIPS 186-4] 1, SHA2-256, SHA2- modulus / strength from verification
A2762 ECDSA KeyGen Appendix B.4.2: ECDSA/ ECDH key pair P- ECDSA/ ECDH key Testing Candidates 256 and P-384 curves / pair generation [FIPS 186-4] strength 128 and 192 bits A2762 ECDSA KeyVer N/A ECDSA/ ECDH key pair ECDSA/ ECDH public [FIPS 186-4] with P-256 and P-384 key verification curves / strength 128 and
A2762 ECDSA SigGen SHA2-256, SHA2- ECDSA P-256, P- 384 ECDSA signature [FIPS 186-4] 384 curves / strength 128 and generation
A2762 ECDSA SigVer SHA2-256, SHA2- ECDSA P-256, P- 384 ECDSA signature [FIPS 186-4] 384 curves / strength 128 and verification
A2762 SHA [FIPS180-4] SHA-1, SHA2-256, N/A Message digest SHA2-384 A2762 HMAC [FIPS 198] HMAC-SHA-1, HMAC- 128-1024-bit HMAC key / MAC generation/ SHA2-256, HMAC- strength from 112 to 256 verification SHA2-384 bits A2762 KAS-ECC-SSC Ephemeral Unified: P-256, P-384 / strength EC Diffie-Hellman [SP800- KAS Role: initiator, 128 and 192 bits shared secret 56ARev3] responder computation IG D.F scenario 2, path 1 © 2024 F5, Inc. / atsec information security.
CAVP Algorithm and Mode / Method Description / Key Use / Function Cert1 Size(s) / Key Strengths Standard (bits) A2762 Safe Primes key Safe prime Safe Prime Groups: Safe primes key Generation / ffdhe2048, ffdhe3072, generation Verification ffdhe4096 / strength from
A2762 KAS-FCC-SSC dhEphemeral: ffdhe2048, ffdhe3072, Diffie-Hellman shared [SP800- KAS Role: initiator, ffdhe4096 / strength from secret computation 56ARev3] responder 112 to 150 bits IG D.F scenario 2, path 1 AESNI-SSSE3 Implementation A2711 AES [FIPS 197, ECB, CBC 128 / 192/ 256-bit AES key Encryption and SP800-38A, / strength from 128 to 256 decryption SP800 38D] bits A2711 AES [FIPS 197, GMAC 128 / 192/ 256-bit AES key MAC generation/ SP800 38D] / strength from 128 to 256 verification bits A2711 AES [SP800-38F] GCM 128 / 256-bit AES key / Key wrapping strength 128 and 256 bits A2711 Counter DRBG AES 256 in CTR Entropy input string, seed, Random number [SP800- mode, with V and Key values / generation 90ARev1] derivation function, strength is 256 bits prediction resistance enabled A2711 SHA [FIPS180-4] SHA-1 N/A Message digest A2711 HMAC [FIPS 198] HMAC-SHA-1 128-1024-bit HMAC key / MAC generation/ strength from 112 to 256 verification bits Table 4 - Approved Algorithms The module does not implement any non-Approved but Allowed algorithm in Approved mode of operation with no security claimed. The module does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation. The table below lists Non-Approved security functions that are not Allowed in the Approved Mode of Operation. Algorithm/Functions Use/Function © 2024 F5, Inc. / atsec information security.
AES with OFB, CCM, CFB, XTS, Encryption and decryption KW modes, Blowfish, Camellia, CAST5, DES, IDEA, RC2, RC4, SEED, SM2, SM4, Triple-DES SHA2-224, SHA2-512, SM3, Message digest MD4, MD5, MDC2, RIPEMD, Whirlpool HMAC-SHA2-224, HMAC-SHA2- MAC generation/ verification 512, AES CMAC, Triple-DES CMAC RSA KeyGen with 1024 and RSA key pair generation greater than 4096 up to 16384 modulus RSA SigGen with PKCS #1 v1.5 RSA signature generation scheme with modulus size 2048, 3072, 4096 bits with SHA-1, SHA2-224, SHA2-512 RSA SigGen with PKCS #1 v1.5 scheme with keys other than the ones listed in Table 4 RSA SigGen with PSS, X9.31 schemes RSA SigVer with PKCS #1 v1.5 RSA signature verification scheme with modulus size 2048, 3072, 4096 bits with SHA2-224, SHA2-512 RSA SigVer with PKCS #1 v1.5 scheme with keys other than the ones listed in Table 4 RSA SigVer with PSS, X9.31 schemes ECDSA KeyGen with P-224, P- ECDSA key pair generation
ECDSA KeyVer with P-224, P- ECDSA public key verification
ECDSA SigGen with P-256, P- ECDSA signature generation
224, SHA2-512 ECDSA SigVer with P-256, P- ECDSA signature verification
SHA2-512 ECDSA with SM2 ECDSA signature generation ECDSA signature verification RSA with modulus sizes up to RSA encryption and decryption
© 2024 F5, Inc. / atsec information security.
DSA Domain parameter generation Domain parameter verification DSA key pair generation DSA signature generation DSA signature verification HMAC_DRBG and Hash_DRBG Random number generation for all SHA sizes, CTR_DRBG with AES-128, AES-192, ANSI X9.31 RNG Diffie-Hellman key agreement Diffie-Hellman shared secret computation with groups other than ffdhe2048, ffdhe3072, ffdhe4096 EC Diffie-Hellman Ephemeral EC Diffie-Hellman shared secret computation without KDF Unified with curves other than P-256, P-384 EC Diffie-Hellman without KDF one PassDh and StaticUnified Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
The software block diagram below shows the module, its interfaces with the operational environment and the delimitation of its cryptographic boundary with red lines. Figure 1
The logical interfaces are the API through which the applications request services. The following table summarizes the logical interfaces: Physical Port Logical Interface2 Data that passes over port/interface As a software-only module, the Data Input API input parameters for data module does not have physical Data Output API output parameters for data ports. Physical Ports are interpreted to be the physical Control Input API function calls for control ports of the hardware platform on which it runs. Status Output API return codes, error messages Table 6 - Ports and Interfaces Cryptographic bypass capability is not supported by the module. The module does not implement control output interface.
© 2024 F5, Inc. / atsec information security.
The module supports the Crypto Officer role only. No support is provided for multiple concurrent operators or a Maintenance Operator.
Table below describes the authorized role(s) in which the service can be performed with specification of the service input parameters and associated service output parameters. Role Service Input Output Crypto Encryption and Plaintext, key / ciphertext, Ciphertext / plaintext Officer decryption key Key wrapping Wrapping key, key to be Wrapped key / unwrapped wrapped / Unwrapping key, key key and key to be unwrapped Random number Number of bits Random numbers generation RSA key pair Key size Public key, private key generation RSA signature Private key, message, Computed signature generation hashing algorithm RSA signature Public key, digital signature, Pass/fail result of digital verification message, hashing algorithm signature verification ECDSA/ ECDH key pair Elliptic curve Private key, public key generation ECDSA/ ECDH public Public key Pass/fail result of public key key verification verification ECDSA signature Private key, message, Computed signature generation hashing algorithm ECDSA signature Public key, digital signature, Pass/fail result of digital verification message, hashing algorithm signature verification EC Diffie-Hellman Received public key, Shared secret shared secret possessed private key computation Safe primes key Group Private key, public key generation Diffie-Hellman shared Received public key, Shared secret secret computation possessed private key Message digest Message, hashing algorithm Hashed message MAC generation Message, key, MAC MAC tag algorithm, MAC length MAC verification MAC tag, key, MAC algorithm Pass/fail result of MAC verification © 2024 F5, Inc. / atsec information security.
Show version N/A Name and version information Show status N/A Status output Self-tests Power Pass/fail results of self-tests Zeroization Unencrypted SSPs listed in Zeroized memory Table 10 RSA encryption and Message, key Ciphertext / plaintext decryption Domain parameter L and N pair Domain parameters generation Domain parameter Domain parameters Pass/fail result of verification verification DSA key pair Domain parameters Public key, private key generation DSA signature Private key, message, Computed signature generation hashing algorithm DSA signature Public key, digital signature, Pass/fail result of digital verification message, hashing algorithm signature verification Table 7 - Roles, Service Commands, Input and Output
FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not implement an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see Table - Approved Services and Table - Non-Approved Services below).
The table below lists all approved services that can be used in the approved mode of operation. The status output from the FIPS_set_indicator_status service indicator's call is provided in Indicator column in Table 8. To read this indicator, the calling application must register a callback function using `FIPS_register_indicator_callback'. The callback function shall take the input of the form "char *" which is the form of the indicator being output by the module. Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/or SSPs Encryption Executes AES- AES-ECB, AES-CBC, AES key (128 / 192 Crypto W, E AES-ECB, and mode encrypt or AES-CTR / 256 bits) Officer AES-CBC, decryption decrypt AES-CTR operation © 2024 F5, Inc. / atsec information security.
Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/or SSPs Key Executes AES- AES-GCM AES key (128 / 256 Crypto W, E AES-GCM wrapping GCM key bits) Officer wrapping or unwrapping operation, per IG D.G Random Generate Counter DRBG Entropy input Crypto W, E CTR-DRBGnumber random number string Officer AES-256 generation DRBG seed G, E DRBG internal G, E state (V and Key values) RSA key Generate RSA RSA KeyGen (FIPS RSA private key, Crypto G, R RSA-KEYpair Key Pair 186-4) CKG [SP800- RSA public key ( Officer GEN-2048, generation 133Rev2], 2048/ 3072/ 4096 RSA-KEYCounter DRBG bits) GEN-3072 RSA-KEYGEN- 4096 RSA Sign a message RSA private key Crypto E, W RSA-SIG RSA SigGen (FIPS signature with a specified (2048 / 3072 / Officer 186-4) generation RSA private key 4096 bits) RSA Verify the RSA SigVer (FIPS RSA public key Crypto E, W RSA-VER signature signature of a 186-4) (2048/ 3072 / 4096 Officer verification message with a bits) specified RSA public key ECDSA/ Generate a ECDSA KeyGen ECDSA private key, Crypto G, R EC-KEYGENECDH key keypair for a (FIPS 186-4) CKG ECDSA public key, Officer P-256, ECpair requested elliptic [SP800-133Rev2], EC Diffie-Hellman KEYGEN-Pgeneration curve Counter DRBG private key, EC 384 Diffie-Hellman public key (P-256 and P-384 curves) ECDSA/ Public key ECDSA KeyVer (FIPS ECDSA public key, Crypto E, W EC-KEYECDH verification 186-4) EC Diffie-Hellman Officer VERIFY-Ppublic key public key (P-256 256, ECverification and P-384 curves) KEY-VERIFYP-384 ECDSA Sign a message ECDSA SigGen (FIPS ECDSA private key Crypto W, E ECDSAsignature with a specified 186-4) (P-256 and P-384 Officer SIGN-P-256, generation ECDSA private curves) ECDSAkey SIGN-P-384 © 2024 F5, Inc. / atsec information security.
Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/or SSPs ECDSA Verify the ECDSA SigVer (FIPS ECDSA public key Crypto W, E ECDSAsignature signature of a 186-4) (P-256 and P-384 Officer VERIFY-Pverification message with a curves) 256, specified ECDSAECDSA public VERIFY-Pkey EC Diffie- Calculate a KAS-ECC-SSC EC Diffie-Hellman Crypto W, E ECDHHellman shared secret via Sp800-56Ar3 private key (P-256 Officer COMPUTEshared the ECDH and P-384 curves) KEY-P-256, secret algorithm ECDHcomputatio EC Diffie-Hellman G, R COMPUTEn IG D.F shared secret KEY-P-384 scenario 2, path 1 EC Diffie-Hellman W, E public key (remote peer public key) (P-256 and P-384 curves) Safe Generate a Safe Primes Key Diffie-Hellman Crypto G, R FFDHE2048 primes key keypair / verify Generation, Safe private key Officer -KEYGEN, generation public key Primes Key (ffdhe2048, FFDHE3072 Verification ffdhe3072, -KEYGEN, ffdhe4096) FFDHE4096 -KEYGEN Diffie-Hellman G, R, W, public key E (ffdhe2048, ffdhe3072, ffdhe4096) Diffie- Calculate a KAS-FFC-SSC Diffie-Hellman Crypto W, E FFDHE2048 Hellman shared secret via Sp800-56Ar3 private key Officer -COMPUTE, shared the DH (ffdhe2048, FFDHE3072 secret algorithm. ffdhe3072, - COMPUTE, computatio ffdhe4096) FFDHE4096 n IG D.F - COMPUTE scenario 2, Diffie-Hellman G, R path 1 shared secret Diffie-Hellman W, E public key (remote peer public key) (ffdhe2048, ffdhe3072, ffdhe4096) © 2024 F5, Inc. / atsec information security.
Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/or SSPs Message Generate a SHA-1, SHA2-256, N/A Crypto N/A MESSAGEdigest digest for the SHA2-384 Officer DIGESTrequested SHA-1/ SHAalgorithm 256/SHAMAC Generate/ Verify HMAC-SHA-1, HMAC key, AES Crypto W, E MSG-AUTHgeneration/ an HMAC or HMAC-SHA2-256, key Officer HMAC-SHAverification GMAC digest HMAC-SHA2-384, 1, using the AES-GMAC MSG-AUTHrequested SHA HMAC-SHAalgorithm or AES 256 algorithm as MSG-AUTHappropriate HMAC-SHAAES-GMAC Show Return the SW N/A N/A Crypto N/A None version version and the Officer module's name Show Return the N/A N/A Crypto N/A None status module status Officer Self-tests Execute self- AES-ECB, AES-GCM, N/A (key for self- Crypto N/A None tests tests are not SSPs) Officer HMAC-SHA1, HMACSHA2-256, HMACSHA2-384, RSA (SigGen (FIPS 186-4), RSA SigVer (FIPS 186-4), KAS-ECC-SSC Sp800-56Ar3, KASFFC-SSC Sp80056Ar3, ECDSA SigGen (FIPS 186-4) / ECDSA SigVer (FIPS 186-4), Counter DRBG Zeroization Zeroize all non- n/a All SSPs Crypto Z None protected SSPs Officer Table 8 - Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). © 2024 F5, Inc. / atsec information security.
W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. The table below lists all non-Approved services that can only be used in the non-Approved mode of operation. Service Description Algorithms Accessed Role Indic ator Encryption and Encryption/ AES with OFB, CFB, CCM, XTS, KW modes Crypto None decryption decryption Triple-DES Officer Blowfish, Camellia, CAST5, DES, IDEA, RC2, RC4, SEED, SM2, SM4 Message digest Generating SHA2-224, SHA2-512, SM3, MD4, MD5, None message digest MDC2, RIPEMD, Whirlpool MAC generation/ MAC computation HMAC-SHA2-224, HMAC-SHA2-512 None verification AES CMAC, Triple-DES CMAC RSA key pair generation Generating key RSA KeyGen with 1024, greater than None pair 4096 and up to 16384 modulus RSA signature Generating RSA SigGen with PKCS #1 v1.5 with keys None generation signature other than the one listed in Table 4 RSA SigGen with PSS, X9.31 schemes RSA SigGen PKCS #1 v1.5 scheme with modulus size 2048, 3072, 4096 bits with SHA-1, SHA2-224, SHA2-512 RSA signature Verifying RSA SigVer with PKCS #1 v1.5 with keys verification signature other than the one listed in Table 4 RSA SigVer with PKCS #1 v1.5 scheme with modulus size 2048, 3072, 4096 bits with SHA2-224, SHA2-512 RSA SigVer with PSS, X9.31 schemes ECDSA key pair Generating key ECDSA KeyGen using P-224, P-521 curves None generation pair ECDSA public key Verifying public ECDSA KeyVer using P-224, P-521 curves verification key ECDSA signature Generating ECDSA SigGen with P-256 and P-384 None generation signature curves with SHA-1, SHA2-224 and SHA2512; ECDSA with SM2 ECDSA signature Verifying ECDSA SigVer with P-256 and P-384 verification signature curves with SHA2-224 and SHA2-512; ECDSA with SM2 © 2024 F5, Inc. / atsec information security.
Service Description Algorithms Accessed Role Indic ator RSA encryption and Encryption/ RSA with modulus sizes up to 16384 bits None decryption decryption Domain parameter Generating DSA None generation domain parameters Domain parameter Verifying domain verification parameters DSA key pair generation Generating key pair DSA signature Generating generation signature DSA signature Verifying verification signature Random number Generating HMAC_DRBG and Hash_DRBG for all SHA None generation deterministic sizes random number CTR_DRBG with AES-128 or AES-192 None ANSI X9.31 RNG None Diffie-Hellman shared Calculating Diffie-Hellman key agreement with None secret computation shared secret groups other than ffdhe2048, ffdhe3072, ffdhe4096 EC Diffie-Hellman EC Diffie-Hellman Ephemeral without KDF shared secret Unified with curves other than P-256, Pcomputation 384 EC Diffie-Hellman without KDF one PassDh and StaticUnified Table 9 - Non-Approved Services © 2024 F5, Inc. / atsec information security.
The integrity of the module is verified by comparing a HMAC value calculated at run time on the libcrypto.so.1.0.2u file, with the HMAC-SHA2-256 value stored in the module file .libcrypto.so.1.0.2u.hmac that was computed at build time. Integrity tests are performed as part of the Pre-Operational Self-Tests.
The on-demand integrity test is performed as part of the Pre-Operational Self-Tests by powercycling the module. © 2024 F5, Inc. / atsec information security.
The module operates in a modifiable operational environment. The module runs on a BIG-IP
16.1.3.1 operating system executing on the hardware and hypervisor specified in section 2.2. BIG-
IP consists of a Linux based operating system customized for performance that runs directly on the hardware or in virtual environment.
The module should be installed as stated in section 11. The operator should confirm that the module is installed correctly by sub-section 11.2. © 2024 F5, Inc. / atsec information security.
The module is comprised of software only and therefore this section is Not Applicable (N/A). © 2024 F5, Inc. / atsec information security.
Currently the non-invasive Security is not required by FIPS 140-3 (see NIST SP 800-140F). © 2024 F5, Inc. / atsec information security.
Key/ SSP Strength Security Generation Import Establis Storage Zeroizati Use and Name/ Function hment on related /Export Type and keys Cert. Number AES key 128 to ECB, N/A Input as N/A RAM EVP_CIPH Use: / CSP/ 256 bits CBC, an API ER_CTX_c Encryption symmetr CTR: paramete leanup and ic A2762 r decryption; ECB, No export Related CBC: keys: N/A A2711 AES key 128 to GMAC: N/A Input as N/A RAM EVP_CIPH Use: MAC / CSP/ 256 bits A2762, an API ER_CTX_c generation/ symmetr A2711 paramete leanup verification ic r ; No export Related keys: N/A AES key 128 and AES- N/A Input as N/A RAM FIPS_ciph Use: Key / CSP/ 256 bits GCM: an API er_ctx_cle wrapping; symmetr A2762, paramete anup() Related ic A2711 r keys: N/A No export HMAC 112 to HMAC- N/A Input as N/A RAM HMAC_CT Use: MAC key / 256 bits SHA-1, an API X_cleanu generation/ CSP/ HMAC- paramete p() verification symmetr SHA- r ; ic 256, No export Related HMAC- keys: N/A SHA384: A2762 HMACSHA-1: A2711 RSA 112 to RSA Generated Import/ N/A RAM FIPS_rsa_f Use: RSA private 150 bits SigGen: conformant to Export: ree() key pair key / A2762 section 5.1 of CM to/ generation, CSP/ SP800- from digital asymme 133Rev2 TOEPP signature tric (CKG) using Path. generation; [FPIS 186-4], Passed Related Appendix to/ from keys: RSA B.3.3 key the public key, generation module DRBG method and via API internal the random paramete state (V © 2024 F5, Inc. / atsec information security.
Key/ SSP Strength Security Generation Import Establis Storage Zeroizati Use and Name/ Function hment on related /Export Type and keys Cert. Number value used in rs in and Key the key plaintext values) generation is format. obtained RSA RSA using [SP 800- Use: RSA public SigVer: 90ARev1] key pair key / A2762 DRBG generation, PSP/ digital asymme signature tric verification ; Related keys: RSA private key, DRBG internal state (V and Key values) ECDSA 128 and ECDSA Generated Import/ N/A RAM EC_KEY_fr Use: private 192 bits SigGen: conformant to Export: ee() ECDSA/ key / A2762 section 5.1 of CM to/ ECDH key CSP/ SP800- from pair asymme 133Rev2 TOEPP generation, tric (CKG) using Path. digital [FPIS 186-4], Passed signature Appendix to/ from generation; B.4.2 key the Related generation module keys: method and via API ECDSA the random paramete public key, value used in rs in DRBG the key plaintext internal generation is format. state (V obtained and Key using [SP 800- values) 90ARev1] ECDSA ECDSA DRBG Use: public SigVer: ECDSA/ key / A2762 ECDH key PSP/ pair asymme generation, tric digital signature verification ; Related keys: © 2024 F5, Inc. / atsec information security.
Key/ SSP Strength Security Generation Import Establis Storage Zeroizati Use and Name/ Function hment on related /Export Type and keys Cert. Number ECDSA private key, DRBG internal state (V and Key values) EC 128 and KAS- Generated Import/ N/A RAM EC_KEY_fr Use: EC Diffie- 192 bits ECC-SSC conformant to Export: ee() DiffieHellman Sp800- section 5.2 of CM to/ EC_POINT Hellman private 56Ar3: SP800- from _free() shared key / A2762 133Rev2 TOEPP secret CSP/ (CKG) using Path. computatio asymme [FIPS 186-4], Passed n; tric Appendix to/ from Related B.4.2 key the keys: EC generation module Diffiemethod and via API Hellman the random paramete public key, value used in rs in DRBG the key plaintext internal generation is format. state (V obtained and Key using [SP800- values), EC 90ARev1] DiffieDRBG Hellman shared secret EC Use: EC Diffie- DiffieHellman Hellman public shared key / secret PSP/ computatio asymme n; tric Related keys: EC DiffieHellman private key, DRBG internal state (V and Key values), EC DiffieHellman © 2024 F5, Inc. / atsec information security.
Key/ SSP Strength Security Generation Import Establis Storage Zeroizati Use and Name/ Function hment on related /Export Type and keys Cert. Number shared secret EC 128 and KAS- N/A No import Establish RAM EC_KEY_fr Use: EC Diffie- 192 bits ECC-SSC Export: ed via ee() DiffieHellman Sp800- CM to SP800- EC_POINT Hellman shared 56Ar3: TOEPP 56ARev3 _free() shared secret / A2762 Path. KAS- secret CSP/ ECC-SSC computatio Passed asymme n; from the tric Related module via API keys: EC paramete Diffiers in Hellman plaintext private format. key, EC DiffieHellman public key Diffie- 112 to KAS-FFC- Generated Import/ N/A RAM DH_free Use: DiffieHellman 150 bits SSC conformant to Export: Hellman private Sp800- section 5.2 of CM to/ shared key / 56Ar3: SP800- from secret CSP/ A2762 133Rev2 TOEPP computatio asymme (CKG) using Path. n; tric [SP800- Passed Related 56Ar3], to/ from keys: Section the Diffie-
generation via API public key, method and paramete DRBG the random rs in internal value used in plaintext state (V the key format. and Key generation is values) obtained Diffie- using [SP800- Use: DiffieHellman 90ARev1] Hellman public DRBG shared key / secret PSP/ computatio asymme n; tric Related keys: DiffieHellman private © 2024 F5, Inc. / atsec information security.
Key/ SSP Strength Security Generation Import Establis Storage Zeroizati Use and Name/ Function hment on related /Export Type and keys Cert. Number key, DRBG internal state (V and Key values) Diffie- 112 to KAS-FFC- N/A No import Establish RAM DH_free Use: DiffieHellman 150 bits SSC Export: ed via Hellman shared Sp800- CM to SP800- shared secret / 56Ar3: TOEPP 56ARev3 secret CSP/ A2762 Path. KAS- computatio asymme FFC-SSC n; Passed tric Related from the module keys: via API Diffieparamete Hellman rs in private plaintext key, Diffieformat. Hellman public key Entropy 256 bits Counter Generated by Import N/A RAM when Use: input DRBG: the entropy from the the Random string A2762, source (ESV OS system is number (IG D.L) A2711, Cert. #E16) No Export powered generation; /CSP ESV: E16 (reference in down Related section 11.2) keys: DRBG seed DRBG 256 bits Counter Derived from No N/A RAM FIPS_drbg Use: seed (IG DRBG: the entropy import: it _uninstan Random D.L), A2762, input string as remains tiate number /CSP A2711 defined by [SP within the generation; 800-90ARev1] cryptogra Related phic keys: boundary. Entropy No Export input string, DRBG Internal state (V and Key values) DRBG 256 bits Counter Derived from No N/A RAM FIPS_drbg Use: internal DRBG: the seed as import: it _uninstan Random state (V A2762, defined by [SP remains tiate number and Key A2711 800-90ARev1] within the generation; values) cryptogra © 2024 F5, Inc. / atsec information security.
Key/ SSP Strength Security Generation Import Establis Storage Zeroizati Use and Name/ Function hment on related /Export Type and keys Cert. Number (IG D.L) phic Related /CSP boundary keys: DRBG No Export seed (V and Key values), RSA private key, RSA public key, ECDSA private key, ECDSA public key, EC DiffieHellman private key, EC DiffieHellman public key, DiffieHellman private key, DiffieHellman public key Table 10 - SSPs
The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90ARev1] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The Approved DRBG provided by the module is the Counter DRBG with AES256. The module uses the Entropy source specified in Table 11 to seed the DRBG. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2. The F5 ES is tested in the OEs listed in Table 1. Entropy Source Minimum number Details of bits of entropy ESV #E16 (non- 256 CPU Jitter 3.4.0 entropy source with SHA-3 as the physical noise vetted conditioning component is located within the source) physical perimeter of the module but outside the cryptographic boundary of the module. Table 11 - Non-Deterministic Random Number Generation Specification © 2024 F5, Inc. / atsec information security.
The module generates SSPs in accordance with FIPS 140-3 IG D.H. The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 4 [SP800133Rev2] (vendor affirmed), using DRBG compliant with [SP800-90ARev1]. A seed (i.e., the random value) used in asymmetric key generation is a direct output from [SP800-90ARev1] Counter DRBG. The following methods are implemented:
The module does not support manual SSP entry or intermediate key generation output. The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment. The SSPs can be provided to the module in plaintext form via API parameters, to and from the calling application running on the same operational environment. This is allowed by [FIPS 140-3_IG] IG 9.5.A Table 1, according to the “CM Software to/from App via TOEPP Path” entry which refers to keys communicated within the physical perimeter of the GPC.
The module provides:
256 bits of strength. The TLS protocol has not been reviewed or tested by the CAVP or CMVP.
© 2024 F5, Inc. / atsec information security.
SSPs are provided to the module by the calling process and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of SSPs.
The memory occupied by SSPs and keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate destruction functions provided in the module's API. The destruction functions (listed in Table 10) overwrite the memory occupied by keys with “zeros” and deallocate the memory with the regular memory deallocation operating system call. © 2024 F5, Inc. / atsec information security.
Pre-operational self-tests are performed automatically when the module is loaded into memory; the pre-operational self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the pre-operational self-tests, services are not available, and input and output are inhibited. The module does not return control to the calling application until the tests are completed. On successful completion of the pre-operational self-tests, the module enters operational mode and cryptographic services are available. If the module fails any of the tests, it will return an error code and enter the error state to prohibit any further cryptographic operations. The module provides the Self-Test service to perform periodic and on-demand self-tests. Both periodic and on demand self-tests (i.e., Conditional Cryptographic Algorithm Self-Tests (CASTs) and integrity test) can be invoked by powering-off and reloading the module. During the execution of the periodic and on-demand self-tests, crypto services are not available, and no data output or input is possible.
The integrity of the module is verified by comparing an HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value stored in the module that was computed at build time. Prior to using HMAC-SHA2-256, a CAST is performed. If the CAST on the HMAC-SHA2-256 is successful, the HMAC value of the runtime image is recalculated and compared with the stored HMAC value pre-computed at compilation time.
The following sub-sections describe the conditional self-tests supported by the module. If one of the Conditional self-tests fails, the module transitions to the ‘Halt Error’ state and a corresponding error indication is given. While the module is executing the CASTs, services are not available, and input and output are inhibited. The entropy source performs its required self-tests; those are not listed in this section, as the entropy source is not part of the cryptographic boundary of the module.
The module performs cryptographic algorithm self-tests (CASTs) on all Approved cryptographic algorithms. The module performs CASTs before the integrity test. The CASTs consist in Known Answer Tests for all the approved cryptographic algorithms and the SP800-90ARev1 Health Tests for DRBG. Algorithm Test Counter DRBG KAT with AES 256 bits with derivation function SP800-90ARev1 section 11.3 health tests AES-ECB Encryption KAT with 128 bit-key Decryption KAT with 128 bit-key © 2024 F5, Inc. / atsec information security.
Algorithm Test AES-GCM Encryption KAT with 128-bit key Decryption KAT with 128-bit key RSA PKCS#1 v1.5 signature generation KAT with 2048 bit key and SHA2PKCS#1 v1.5 signature verification KAT, with 2048 bit key and SHA2-256 ECDSA Signature generation KAT, with P-256 and SHA2-256 Signature verification KAT, with P-256 and SHA2-256 KAS-ECC-SSC “Z” computation KAT with P-256 curve KAS-FFC-SSC “Z” computation KAT with 2048 modulus HMAC-SHA HMAC-SHA-1 KAT HMAC-SHA2-256 KAT HMAC-SHA2-384 KAT SHA KATs for all SHA sizes are covered by respective HMAC KATs (allowed per IG 10.3.B) Table 12 - Conditional Cryptographic Algorithm Self-Tests
A pairwise consistency test (PCT) is run whenever asymmetric keys (RSA, DH, ECDH/ECDSA) are generated. PCT for ECDSA and RSA key pair generation used for digital signatures is tested by the calculation and verification of a digital signature. PCT for Diffie-Hellman key pair generation is performed following the SP 800-56Arev3 requirements. PCT for EC Diffie-Hellman key pair generation is covered by ECDSA PCT (IG 10.3.A). While the module is executing the PCTs, services are not available, and input and output are inhibited.
Error State Cause of Error Status Indicator Halt Error HMAC-SHA2-256 KAT failure Module will not load The module must be re- or HMAC-SHA2-256 integrity loaded in order to clear test failure the error condition. Failure of any of the CASTs Error message related to the crypto That data output is function listed in Table 12 and the flag inhibited. 'fips_selftest_fail' is set. © 2024 F5, Inc. / atsec information security.
Error State Cause of Error Status Indicator Failure of any of the PCTs Error message a PCT failure for RSA, DH, ECDH or ECDSA pairwise consistency test and the flag 'fips_selftest_fail' is set. Table 13 - Error States © 2024 F5, Inc. / atsec information security.
The module i.e. 1.0.2u-fips binary and its integrity check file are distributed and installed as a part of the BIG-IP product ISO. There are no maintenance requirements.
The FIPS validated module activation requires installation of the BIG-IP System License key file. The Crypto Officer should install this file as /config/bigip.license and verify the FIPS validated module license activation (or reactivation) by running the command: ‘tmsh show sys license' which should output FIPS 140, BIG-IP VE-1G to 10G,’ under the ‘Active Modules’ list. After the FIPS validated module license is installed, the command prompt will change to ‘REBOOT REQUIRED’. The Crypto Officer must reboot the BIG-IP for all FIPS-compliant changes to take effect. On the BIG-IP product the Crypto Officer should call the dedicated Show version API, fips_get_f5fips_module_version, to ensure that the module identifier and version are shown as: Cryptographic Module for BIG-IP OpenSSL 1.0.2u-fips 20 Dec 2019. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/16
The Crypto Officer shall consider the following requirements and restrictions when using the module. For TLS 1.2, the module offers the AES-GCM implementation and uses the context of Scenario 1 of IG C.H. The module is compliant with SP800-52Rev2 section 3.3.1 and the mechanism for IV generation is compliant with RFC5288. The module does not implement the TLS protocol. The module’s implementation of AESGCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established.
To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the keys for KAS-FFC-SSC and KAS-ECC-SSC must be generated using the approved key generation services specified in section 9.2. For KAS-FFC-SSC the module generates keys using Safe Primes Key Generation with Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096. For KAS-ECC-SSC, the module generates keys using ECDSA KeyGen, Testing Candidates, with curves P-384 and P-256. The module performs full public key validation on the generated public keys. Additionally, the module performs full public key validation on the received public keys. © 2024 F5, Inc. / atsec information security.
Per IG C.F, the module implements FIPS 186-4 RSA SigVer and RSA SigGen with modulus lengths of 2048, 3072, 4096 bits. All these modulus lengths have been CAVP tested. © 2024 F5, Inc. / atsec information security.
The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ESV Entropy Source Validation FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback OS Operating System PAA Processor Algorithm Acceleration PCT Pairwise Consistency Test PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.
Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-1403-ig-announcements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf © 2024 F5, Inc. / atsec information security.
SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800- NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key 56ARev3 Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800- Recommendation for Key Derivation through Extraction-then-Expansion 56CRev2 August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 4 - Recommendation for Key Management Part 1: General January 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800- NIST Special Publication 800-90A - Revision 1 - Recommendation for Random 90ARev1 Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B (Second DRAFT) NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B © 2024 F5, Inc. / atsec information security.
SP800-131A NIST Special Publication 800-131A Revision 1- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths November 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800- NIST Special Publication 800-133 - Recommendation for Cryptographic Key 133Rev2 Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800- NIST Special Publication 800-135 Revision 1 - Recommendation for Existing 135Rev1 Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.