| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/10/2029 |
| Caveat | No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | KeyPair Consulting Inc. |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for KeyPair FIPS Provider for OpenSSL 3
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Self-test<br/>failure</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Cipher (Unauth)<br/>BC-UnAuth<br/>Cipher</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for KeyPair FIPS Provider for OpenSSL 3
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Self-test<br/>failure</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Cipher (Unauth)<br/>BC-UnAuth<br/>Cipher</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;KeyPair Consulting Inc. KeyPair FIPS Provider for OpenSSL 3 Document Version 1.5 December 2, 2025 KeyPair Consulting Inc.
San Luis Obispo, CA 93401 keypair.us +1 805.316.5024
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table of Contents 1.1 1.2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 6.1 5.1 5.2 5.3 4.1 4.2 4.3 4.4 4.5 3.1 9.1
FIPS 140-3 Security Policy 9.2 9.3 9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 12.1 12.2 12.3 KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 List of Tables List of Figures
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 3 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
hereafter denoted the Module. The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as shown in Section 1.2. In accordance with AS02.05, ISO/IEC 19790:2012 §7.7 Physical Security is optional and does not apply to the Module.
Purpose and Use: The Module is a cryptographic software library, intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module is distributed by KeyPair to vendors for incorporation into their products. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Embodiment: Multi-Chip Standalone
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The General Purpose Computer is the TOEPP. Figure 1: Block Diagram
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | fips.so for Unix/Linux platforms | fips.so | HMAC-SHA2-256 #A4481 over the | ||||||
| fips.dll | 3.0.10 with KP_1.2 | fips.dll for Windows platforms | fips.dll | HMAC-SHA2-256 #A4481 over the | ||||||
| AIX 7.3 32-bit | AIX 7.3 32-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | Yes | PowerVM 1060 | ||||
| AIX 7.3 32-bit | AIX 7.3 32-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | No | PowerVM 1060 | ||||
| AIX 7.3 64-bit | AIX 7.3 64-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | Yes | PowerVM 1060 | ||||
| AIX 7.3 64-bit | AIX 7.3 64-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | No | PowerVM 1060 | ||||
| HID Intelligent Controller OS 2.0 | HID Intelligent Controller OS 2.0 | LP4502 | 3.0.10 with | Atmel SAMA5 (ARMv7) | No | |||||
| HID Intelligent Controller OS 2.0 | HID Intelligent Controller OS 2.0 | MP4502 | 3.0.10 with | STMicroelectronics STM32MP133CAF3 (ARMv7) | No | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with | NXP i.MX 8X (Cortex-A35) | Yes | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with | NXP i.MX 8X (Cortex-A35) | No | |||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 6000 | 3.0.10 with | Atmel AT91SAM9 | No | |||||
| PexOS 1.0 | PexOS 1.0 | SuperMicro SuperServer 6018R- | 3.0.10 with | Intel® Xeon® Gold 6248 (Cascade Lake) | Yes | VMware ESXi 7 | ||||
| MTR | MTR | KP_1.2 | ||||||||
| PexOS 1.0 | PexOS 1.0 | SuperMicro SuperServer 6018R- | 3.0.10 with | Intel® Xeon® Gold 6248 (Cascade Lake) | No | VMware ESXi 7 | ||||
| MTR | MTR | KP_1.2 | ||||||||
| Panzura Base OS 1.2 | Panzura Base OS 1.2 | Lenovo ThinkPad X1 Extreme | 3.0.10 with | Intel® Core™ i7-10850H vPro® CPU @ 2.70GHz | Yes | |||||
| Gen 3 | Gen 3 | KP_1.2 | (Comet Lake) |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | fips.so for Unix/Linux platforms | fips.so | HMAC-SHA2-256 #A4481 over the | ||||||
| fips.dll | 3.0.10 with KP_1.2 | fips.dll for Windows platforms | fips.dll | HMAC-SHA2-256 #A4481 over the | ||||||
| AIX 7.3 32-bit | AIX 7.3 32-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | Yes | PowerVM 1060 | ||||
| AIX 7.3 32-bit | AIX 7.3 32-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | No | PowerVM 1060 | ||||
| AIX 7.3 64-bit | AIX 7.3 64-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | Yes | PowerVM 1060 | ||||
| AIX 7.3 64-bit | AIX 7.3 64-bit | IBM Power E1080 (9080-HEX) | 3.0.10 with | IBM POWER10 (PPC) | No | PowerVM 1060 | ||||
| HID Intelligent Controller OS 2.0 | HID Intelligent Controller OS 2.0 | LP4502 | 3.0.10 with | Atmel SAMA5 (ARMv7) | No | |||||
| HID Intelligent Controller OS 2.0 | HID Intelligent Controller OS 2.0 | MP4502 | 3.0.10 with | STMicroelectronics STM32MP133CAF3 (ARMv7) | No | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with | NXP i.MX 8X (Cortex-A35) | Yes | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with | NXP i.MX 8X (Cortex-A35) | No | |||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 6000 | 3.0.10 with | Atmel AT91SAM9 | No | |||||
| PexOS 1.0 | PexOS 1.0 | SuperMicro SuperServer 6018R- | 3.0.10 with | Intel® Xeon® Gold 6248 (Cascade Lake) | Yes | VMware ESXi 7 | ||||
| MTR | MTR | KP_1.2 | ||||||||
| PexOS 1.0 | PexOS 1.0 | SuperMicro SuperServer 6018R- | 3.0.10 with | Intel® Xeon® Gold 6248 (Cascade Lake) | No | VMware ESXi 7 | ||||
| MTR | MTR | KP_1.2 | ||||||||
| Panzura Base OS 1.2 | Panzura Base OS 1.2 | Lenovo ThinkPad X1 Extreme | 3.0.10 with | Intel® Core™ i7-10850H vPro® CPU @ 2.70GHz | Yes | |||||
| Gen 3 | Gen 3 | KP_1.2 | (Comet Lake) | |||||||
| Panzura Base OS 1.2 | Panzura Base OS 1.2 | Lenovo ThinkPad X1 Extreme | 3.0.10 with | Intel® Core™ i7-10850H vPro® CPU @ 2.70GHz | No | |||||
| Gen 3 | Gen 3 | KP_1.2 | (Comet Lake) | |||||||
| Scientific Linux 6.9 | Scientific Linux 6.9 | SteelHead CXA-00580 | 3.0.10 with | Intel® Xeon® D-1513N (Broadwell) | Yes | |||||
| Scientific Linux 6.9 | Scientific Linux 6.9 | SteelHead CXA-00580 | 3.0.10 with | Intel® Xeon® D-1513N (Broadwell) | No | |||||
| SFOS 20.0 | SFOS 20.0 | XGS 3100 | 3.0.10 with | AMD Ryzen Embedded V1780B | Yes | |||||
| SFOS 20.0 | SFOS 20.0 | XGS 3100 | 3.0.10 with | AMD Ryzen Embedded V1780B | No | |||||
| SnowflakeOS 1.2 | SnowflakeOS 1.2 | HPE ProLiant DL60 Gen9 | 3.0.10 with | Intel® Xeon® E5-2609 (Sandy Bridge EP) | Yes | |||||
| SnowflakeOS 1.2 | SnowflakeOS 1.2 | HPE ProLiant DL60 Gen9 | 3.0.10 with | Intel® Xeon® E5-2609 (Sandy Bridge EP) | No | |||||
| SnowflakeOS 1.2 | SnowflakeOS 1.2 | Ampere® Altra® 2U Server | 3.0.10 with | Ampere® Altra® SOC with Aarch64 ARMv8 | Yes | |||||
| R272-P33 | R272-P33 | KP_1.2 | ||||||||
| SnowflakeOS 1.2 | SnowflakeOS 1.2 | Ampere® Altra® 2U Server | 3.0.10 with | Ampere® Altra® SOC with Aarch64 ARMv8 | No | |||||
| R272-P33 | R272-P33 | KP_1.2 | ||||||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell Inspiron 7591 | 3.0.10 with | Intel Core i7-10510U | Yes | |||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell Inspiron 7591 | 3.0.10 with | Intel Core i7-10510U | No | |||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell PowerEdge R7515 | 3.0.10 with | AMD EPYC 7313P | Yes | |||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell PowerEdge R7515 | 3.0.10 with | AMD EPYC 7313P | No | |||||
| ZPE Systems' Nodegrid OS | ZPE Systems' Nodegrid OS | Net Services Router (NSR) | 3.0.10 with | Intel® Atom™ CPU C3758 (Denverton) | Yes | |||||
| version 6.0 | version 6.0 | KP_1.2 | ||||||||
| ZPE Systems' Nodegrid OS | ZPE Systems' Nodegrid OS | Net Services Router (NSR) | 3.0.10 with | Intel® Atom™ CPU C3758 (Denverton) | No | |||||
| version 6.0 | version 6.0 | KP_1.2 | ||||||||
| Red Hat Enterprise Linux 9 | Red Hat Enterprise Linux 9 | HPE ProLiant XL420 Gen10 | 3.0.10 with | Intel® Xeon® Silver 4214R CPU | Yes | |||||
| Red Hat Enterprise Linux 9 | Red Hat Enterprise Linux 9 | HPE ProLiant XL420 Gen10 | 3.0.10 with | Intel® Xeon® Silver 4214R CPU | No | |||||
| Microsoft Windows 11 Pro | Microsoft Windows 11 Pro | Dell Optiplex SFF 7020 | 3.0.10 with | Intel® Core™ i3-14100 (Raptor Lake) | Yes | |||||
| Microsoft Windows 11 Pro | Microsoft Windows 11 Pro | Dell Optiplex SFF 7020 | 3.0.10 with | Intel® Core™ i3-14100 (Raptor Lake) | No | |||||
| Microsoft Windows Server 2022 | Microsoft Windows Server 2022 | Dell PowerEdge R450 | 3.0.10 with | Intel® Xeon® Silver 4309Y (Ice Lake) | Yes | |||||
| Microsoft Windows Server 2022 | Microsoft Windows Server 2022 | Dell PowerEdge R450 | 3.0.10 with | Intel® Xeon® Silver 4309Y (Ice Lake) | No | |||||
| Rocky Linux 8 | Rocky Linux 8 | Lenovo ThinkPad P14s Gen 1 | 3.0.10 with | Intel® Core™ i7- 10510U (Comet Lake) | Yes | |||||
| Rocky Linux 8 | Rocky Linux 8 | Lenovo ThinkPad P14s Gen 1 | 3.0.10 with | Intel® Core™ i7- 10510U (Comet Lake) | No | |||||
| Ubuntu 18.04 | Ubuntu 18.04 | Dell Inspiron 7591 with Intel® Core™ i7-10510U | ||||||||
| Ubuntu 18.04 | Ubuntu 18.04 | Dell PowerEdge R7515 with AMD EPYC 7313P | ||||||||
| Ubuntu 22.04 LTS | Ubuntu 22.04 LTS | HPE ProLiant DL325 Gen10 Plus v2 with AMD EPYC 7313P | ||||||||
| Ubuntu 22.04 LTS | Ubuntu 22.04 LTS | HPE ProLiant DL60 Gen9 with Intel® Xeon® E5-2609 | ||||||||
| CentOS 7.9 | CentOS 7.9 | Ampere® Altra® 2U Server R272-P33 with Ampere® Altra® SOC with Aarch64 ARMv8 | ||||||||
| CentOS 7.9 | CentOS 7.9 | HW Platform: HPE ProLiant DL60 Gen9 with Intel® Xeon® E5-2609 |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
Tested Module Identification
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
| Name | Operating System | Hardware Platform | Software Version | Processor | Paa Pai |
|---|---|---|---|---|---|
| Microsoft Windows 11 Pro | Microsoft Windows 11 Pro | Dell Optiplex SFF 7020 | 3.0.10 with | Intel® Core™ i3-14100 (Raptor Lake) | No |
| Microsoft Windows Server 2022 | Microsoft Windows Server 2022 | Dell PowerEdge R450 | 3.0.10 with | Intel® Xeon® Silver 4309Y (Ice Lake) | Yes |
| Microsoft Windows Server 2022 | Microsoft Windows Server 2022 | Dell PowerEdge R450 | 3.0.10 with | Intel® Xeon® Silver 4309Y (Ice Lake) | No |
| Rocky Linux 8 | Rocky Linux 8 | Lenovo ThinkPad P14s Gen 1 | 3.0.10 with | Intel® Core™ i7- 10510U (Comet Lake) | Yes |
| Rocky Linux 8 | Rocky Linux 8 | Lenovo ThinkPad P14s Gen 1 | 3.0.10 with | Intel® Core™ i7- 10510U (Comet Lake) | No |
| Ubuntu 18.04 | Ubuntu 18.04 | Dell Inspiron 7591 with Intel® Core™ i7-10510U | |||
| Ubuntu 18.04 | Ubuntu 18.04 | Dell PowerEdge R7515 with AMD EPYC 7313P | |||
| Ubuntu 22.04 LTS | Ubuntu 22.04 LTS | HPE ProLiant DL325 Gen10 Plus v2 with AMD EPYC 7313P | |||
| Ubuntu 22.04 LTS | Ubuntu 22.04 LTS | HPE ProLiant DL60 Gen9 with Intel® Xeon® E5-2609 | |||
| CentOS 7.9 | CentOS 7.9 | Ampere® Altra® 2U Server R272-P33 with Ampere® Altra® SOC with Aarch64 ARMv8 | |||
| CentOS 7.9 | CentOS 7.9 | HW Platform: HPE ProLiant DL60 Gen9 with Intel® Xeon® E5-2609 |
| Name | Description | Type |
|---|---|---|
| Nominal | Approved mode of operation | Approved |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the Module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
N/A for this Module. Modes List and Description: Table 5: Modes List and Description
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CBC-CS1 | A4481 | Direction - decrypt, encrypt | SP 800-38A |
| AES-CBC-CS2 | A4481 | Direction - decrypt, encrypt | SP 800-38A |
| AES-CBC-CS3 | A4481 | Direction - decrypt, encrypt | SP 800-38A |
| AES-CCM | A4481 | Key Length - 128, 192, 256 | SP 800-38C |
| AES-CFB1 | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CFB128 | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CFB8 | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CTR | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-ECB | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-GCM | A4481 | Direction - Decrypt, Encrypt | SP 800-38D |
| AES-KW | A4481 | Direction - Decrypt, Encrypt | SP 800-38F |
| AES-KWP | A4481 | Direction - Decrypt, Encrypt | SP 800-38F |
| AES-OFB | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A4481 | Direction - Decrypt, Encrypt | SP 800-38E |
| AES-CMAC | A4481 | Direction - Generation, Verification | SP 800-38B |
| AES-GMAC | A4481 | Direction - Decrypt, Encrypt | SP 800-38D |
| HMAC-SHA-1 | A4481 | MAC - MAC: 32-160 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-224 | A4481 | MAC - MAC: 32-224 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-256 | A4481 | MAC - MAC: 32-256 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-384 | A4481 | MAC - MAC: 32-384 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512 | A4481 | MAC - MAC: 32-512 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512/224 | A4481 | MAC - MAC: 32-224 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512/256 | A4481 | MAC - MAC: 32-256 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-224 | A4481 | MAC - MAC: 32-224 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-256 | A4481 | MAC - MAC: 32-256 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-384 | A4481 | MAC - MAC: 32-384 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-512 | A4481 | MAC - MAC: 32-512 Increment 8 | FIPS 198-1 |
| KMAC-128 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | SP 800-185 |
| KMAC-256 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | SP 800-185 |
| Counter | A4481 | Prediction Resistance - Yes | SP 800-90A Rev. 1 |
| DRBG | Supports Reseed - Yes | ||
| Hash DRBG | A4481 | Prediction Resistance - Yes | SP 800-90A Rev. 1 |
| HMAC | A4481 | Prediction Resistance - Yes | SP 800-90A Rev. 1 |
| DRBG | Supports Reseed - Yes | ||
| DSA KeyGen (FIPS186- | A4481 | L - 2048, 3072 N - 224, 256 | FIPS 186-4 |
| DSA PQGGen (FIPS186- | A4481 | P/Q Generation Methods - Probable G Generation Methods - Canonical, Unverifiable L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| DSA PQGVer (FIPS186- | A4481 | P/Q Generation Methods - Probable G Generation Methods - Canonical, Unverifiable L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| ECDSA KeyGen | A4481 | Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyVer | A4481 | Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P- 521 | FIPS 186-4 |
| EDDSA KeyGen | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA KeyVer | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| RSA KeyGen (FIPS186- | A4481 | Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Info Generated By Server - Yes Public Exponent Mode - Random Private Key Format - Standard | FIPS 186-4 |
| Safe Primes Key | A4481 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, modp-4096, modp-6144, modp-8192 | SP 800-56A |
| Safe Primes Key | A4481 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, modp-4096, modp-6144, modp-8192 | SP 800-56A |
| Verification | Rev. 3 | ||
| DSA SigGen (FIPS186-4) | A4481 | L - 2048, 3072 | FIPS 186-4 |
| DSA SigVer (FIPS186-4) | A4481 | L - 1024, 2048, 3072 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A4481 | Component - No, Yes | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A4481 | Component - No | FIPS 186-4 |
| EDDSA SigGen | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA SigVer | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| RSA SigGen (FIPS186-4) | A4481 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS | FIPS 186-4 |
| RSA SigGen (FIPS186-5) | A4481 | Hash Pair - | FIPS 186-5 |
| RSA Signature Primitive | A4481 | Private Key Format - crt | FIPS 186-4 |
| (CVL) | Public Exponent Mode - fixed | ||
| RSA SigVer (FIPS186-4) | A4481 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS | FIPS 186-4 |
| RSA SigVer (FIPS186-5) | A4481 | Hash Pair - F Hash Algorithm - SHA-1 Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pss Mask Function - MGF1 Public Exponent Mode - random | IPS 186-5 |
| KAS-ECC CDH-Component | A4481 | Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | SP 800-56A Rev. 3 |
| KAS-ECC-SSC Sp800-56Ar3 | A4481 | Domain Parameter Generation Methods - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A4481 | Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, | SP 800-56A Rev. 3 |
| KAS-IFC-SSC | A4481 | Modulo - 2048, 3072, 4096, 6144, 8192 | SP 800-56A Rev. 3 |
| KDA HKDF SP800- | A4481 | Fixed Info Pattern - algorithmId||l||uPartyInfo||vPartyInfo | SP 800-56C Rev. 2 |
| 56Cr2 | Fixed Info Encoding - concatenation | ||
| KDA OneStep | A4481 | Auxiliary Function Methods - | SP 800-56C Rev. 2 |
| SP800-56Cr2 | Auxiliary Function Name - SHA2-512 | ||
| KDA TwoStep | A4481 | MAC Salting Methods - default, random | SP 800-56C Rev. 2 |
| SP800-56Cr2 | Fixed Info Pattern - algorithmId||l||uPartyInfo||vPartyInfo | ||
| KDF ANS 9.42 | A4481 | KDF Type - DER | SP 800-135 Rev. 1 |
| (CVL) | Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- | ||
| KDF ANS 9.63 | A4481 | Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| (CVL) | Field Size - 224, 571 | ||
| KDF SP800-108 | A4481 | KDF Mode - Counter, Feedback | SP 800-108 Rev. 1 |
| KDF SSH (CVL) | A4481 | Cipher - AES-128, AES-192, AES-256 | SP 800-135 Rev. 1 |
| PBKDF | A4481 | Iteration Count - Iteration Count: 1-10000 Increment 1 | SP 800-132 |
| TLS v1.2 KDF | A4481 | Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| RFC7627 (CVL) | Key Block Length - Key Block Length: 1024 | ||
| TLS v1.3 KDF | A4481 | HMAC Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
| (CVL) | KDF Running Modes - DHE, PSK, PSK-DHE | ||
| KTS-IFC | A4481 | Function - keyPairGen, partialVal | SP 800-56B Rev. 2 |
| SHA-1 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-224 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-384 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-512 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-512/224 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-512/256 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA3-224 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-256 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-384 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-512 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHAKE-128 | A4481 | Supports Bit-Oriented Messages - No | FIPS 202 |
| SHAKE-256 | A4481 | Supports Bit-Oriented Messages - No | FIPS 202 |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 The Module only supports an Approved mode of operation. The conditions for using the Module in the Approved mode of operation are:
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 6: Approved Algorithms - Cipher
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Message authentication
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 7: Approved Algorithms - Message authentication Random
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 8: Approved Algorithms - Random Key management 4) 4) 4) 4) Table 9: Approved Algorithms - Key management
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 FIPS 186-5 Table 10: Approved Algorithms - Signature Key agreement Table 11: Approved Algorithms - Key agreement Key derivation
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 12: Approved Algorithms - Key derivation
| Name | Properties | Reference |
|---|---|---|
| CKG Section 4 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 |
| CKG Section 5 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 |
| CKG Section 6.2 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 |
| Hash DRBG with SHA3-256, SHA3-512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-90A Rev. 1 |
| HMAC DRBG with SHA3-256, SHA3-512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-90A Rev. 1 |
FIPS 140-3 Security Policy Table 13: Approved Algorithms - Key transport Message digest Table 14: Approved Algorithms - Message digest Vendor-Affirmed Algorithms:
FIPS 140-3 Security Policy Table 15: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this Module. Non-Approved, Not Allowed Algorithms: N/A for this Module.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| Cipher (Unauth) | AES ciphers | AES-CBC: (A4481) | BC-UnAuth | |
| Cipher (Auth) | Authenticated ciphers | AES-CCM: (A4481) | BC-Auth | |
| CKG Section 4 | Using the Output of a Random Bit Generator | CKG Section 4: () | CKG | |
| CKG Section 5 | Generation of Key Pairs for Asymmetric-Key Algorithms | CKG Section 5: () | CKG | |
| CKG Section 6.2 | Derivation of Symmetric Keys | CKG Section 6.2: () | CKG | |
| Key agreement | Key agreement | KAS-ECC CDH-Component | KAS-SSC | KAS:KAS-ECC-SSC provides between 112 and 256 bits of encryption strength; KAS-FFC- SSC provides between 112 and 200 bits of encryption strength; KAS-IFC-SSC provides between 112 and 200 bits of encryption strength |
| Key derivation | KAS-KDF HKDF SP800-56Cr2: | KAS-135KDF | ||
| KAS-56CKDF | (A4481) | KAS-56CKDF | ||
| KBKDF | KAS-KDF OneStep SP800-56Cr2: | KBKDF | ||
| PBKDF | (A4481) | PBKDF | ||
| Key management ECC | ECDSA KeyGen (FIPS186-4): | AsymKeyPair-KeyGen | ||
| AsymKeyPair-KeyVer | (A4481) | AsymKeyPair-KeyVer | ||
| Key management Edwards | EDDSA KeyGen: (A4481) | AsymKeyPair-KeyGen | ||
| AsymKeyPair-KeyVer | EDDSA KeyVer: (A4481) | AsymKeyPair-KeyVer | ||
| Key management FFC | DSA KeyGen (FIPS186-4): | AsymKeyPair-KeyGen | ||
| Key management IFC | RSA KeyGen (FIPS186-4): | AsymKeyPair-KeyGen | ||
| Key transport | KTS-IFC: (A4481) | KTS-Encap | KTS:2048, 3072, 4096 or 6144- bit keys provide between 112 and 176 bits of encryption strength | |
| KTS (Cipher w/ CMAC, GMAC, HMAC, KMAC) | SP 800-38F Section 3.1 Provisions | AES-CBC: (A4481) | BC-Auth | KTS:128, 192 or 256-bit keys provide between 128 and 256 bits of encryption strength |
| BC-UnAuth | AES-CBC-CS1: (A4481) | BC-UnAuth | ||
| MAC | AES-CBC-CS2: (A4481) | MAC | ||
| KTS (AES KW, KWP) | AES-KW: (A4481) | BC-Auth | KTS:128, 192 or 256-bit keys provide between 128 and 256 bits of encryption strength | |
| MAC AES (CMAC, GMAC) | AES-GMAC: (A4481) | MAC | ||
| MAC HMAC | HMAC-SHA-1: (A4481) | MAC | ||
| MAC KMAC (XOF) | KMAC-128: (A4481) | XOF | ||
| Message Digest | SHA-1: (A4481) | SHA | ||
| Message Digest (XOF SHAKE) | SHAKE-128: (A4481) | XOF | ||
| Random | Counter DRBG: (A4481) | DRBG | ||
| Signature DSA | DSA SigGen (FIPS186-4): | DigSig-SigGen | ||
| DigSig-SigVer | (A4481) | DigSig-SigVer | ||
| Signature ECDSA | ECDSA SigGen (FIPS186-4): | DigSig-SigGen | ||
| DigSig-SigVer | (A4481) | DigSig-SigVer | ||
| Signature EDDSA | EDDSA SigGen: (A4481) | DigSig-SigGen | ||
| DigSig-SigVer | EDDSA SigVer: (A4481) | DigSig-SigVer | ||
| Signature RSA | RSA SigGen (FIPS186-4): | DigSig-SigGen | ||
| DigSig-SigVer | (A4481) | DigSig-SigVer |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 16: Security Function Implementations
AES-GCM: The Module supports internal IV generation using the Approved DRBG. The IV is at least 96 bits in length per SP 800-38D Section 8.2.2, and the Approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2-32 per SP 800-38D Section 8.
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 AES-GCM IVs shall be used in compliance with FIPS 140-3 IG C.H scenario 1a (TLS/DTLS 1.2, per RFC 5288), 1d (SSHv2, per RFC 5647) and 5 (TLS 1.3, per RFC 8446). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from SP 800-52 Rev. 1 Section 3.3.1. The Module’s implementation of AES-GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; these protocols have not been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power-cycles: AES-GCM key/IVs are not stored in non-volatile persistent memory (i.e., disk), hence no re-connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. If this exhaustion condition is observed, the Module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. XTS-AES: In accordance with SP 800-38E, the XTS-AES algorithm is to be used for confidentiality on storage devices. The Module complies with FIPS 140-3 IG C.I by:
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 The choice to use the PBKDF with a password or passphrase is entirely outside the scope of the Module, managed by the calling application
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
N/A for this Module. The calling application is responsible for use of a SP 800-90B compliant entropy source outside the Module boundary providing at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The following caveat applies per FIPS 140-3 IG 9.3.A: No assurance of the minimum strength of generated SSPs (e.g., keys).
The Module:
The Module implements key agreement methods compliant with FIPS 140-3 IG D.F and key transport methods compliant with FIPS 140-3 IG D.G. Strengths are provided in Section 2.6.
The Module conforms to FIPS 140-3 IG D.C References to the Support of Industry Protocols: while it provides SP 800-56A Rev. 3 conformant schemes and API entry points oriented to TLS usage, the Module does not contain the full implementation of TLS. The following caveat is required: No parts of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A (API - input) | N/A (API - input) | Control Input | API input: stack frame including non-sensitive parameters. |
| Data Input | Data Input | ||
| N/A (API - output) | N/A (API - output) | Data Output | API output: output parameters and return value resulting from call execution. |
| Status Output | Status Output |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output |
|---|---|---|---|---|---|---|---|---|
| CO | CO | Role | ||||||
| Cipher | Encrypt or decrypt data, including AEAD modes (CCM, GCM). | CO | Cipher (Unauth) | FIPS_OK | Encryption or decryption key; | Status return. Plaintext | ||
| plaintext or ciphertext data; flags. | - SC_EDK_AES: W,E | Cipher (Auth) | plaintext or ciphertext data; flags. | or ciphertext data. | ||||
| Get capabilities | Reports information on the requested capabilities. | FIPS_OK | Provider context, capability, | Description of | ||||
| callback pointer and arguments. | callback pointer and arguments. | capabilities. | ||||||
| Initialize | Module initialization, including instantiation of the | CO | Random | FIPS_OK | Core handle, dispatch in and out, | Initialization status (1 = | ||
| provider context. | - DRBG_EI: W,E,Z | MAC HMAC | provider context. | pass, 0 = fail). |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output |
|---|---|---|---|---|---|---|---|---|
| CO | CO | Role | ||||||
| Cipher | Encrypt or decrypt data, including AEAD modes (CCM, GCM). | CO | Cipher (Unauth) | FIPS_OK | Encryption or decryption key; | Status return. Plaintext | ||
| plaintext or ciphertext data; flags. | - SC_EDK_AES: W,E | Cipher (Auth) | plaintext or ciphertext data; flags. | or ciphertext data. | ||||
| Get capabilities | Reports information on the requested capabilities. | FIPS_OK | Provider context, capability, | Description of | ||||
| callback pointer and arguments. | callback pointer and arguments. | capabilities. | ||||||
| Initialize | Module initialization, including instantiation of the | CO | Random | FIPS_OK | Core handle, dispatch in and out, | Initialization status (1 = | ||
| provider context. | - DRBG_EI: W,E,Z | MAC HMAC | provider context. | pass, 0 = fail). | ||||
| opaque (managed within the | opaque (managed within the | - DRBG_Seed: G,E,Z | ||||||
| module) Counter DRBG | module) Counter DRBG | - DRBG_Key: G,W,E | ||||||
| instance. | instance. | - DRBG_V: G,W,E | ||||||
| Key agreement | Perform key agreement | CO | CKG Section 5 Key agreement | FIPS_OK | Key structs (key agreement keys); flags. | Status return; key agreement shared secret. | ||
| primitives on behalf of the | primitives on behalf of the | - KAS_Private_ECC: | ||||||
| calling process (does not | calling process (does not | W,E | ||||||
| establish keys into the | establish keys into the | - KAS_Public_ECC: W,E | ||||||
| module). | module). | - KAS_Private_FFC: W,E | ||||||
| Key derivation | Derive keying material from a | CO | Key derivation CKG Section 6.2 | FIPS_OK | Key agreement shared secret; flags. | Status return; derived keying material. | ||
| shared secret. | shared secret. | - KD_DKM_KDF: G,R | ||||||
| Key management | Generate asymmetric key | CO | Key management ECC Key management Edwards Key management FFC Key management IFC CKG Section 4 | FIPS_OK | ECDSA, EdDSA: curve identifier. DSA, RSA: domain parameter targets. | Status return; general digital signature private and public keys. | ||
| pairs. | pairs. | - DRBG_C: G,W,E | ||||||
| Key transport | Encapsulate or decapsulate | CO | CKG Section 5 Key transport KTS (Cipher w/ CMAC, GMAC, | FIPS_OK | Key encapsulation/decapsulation key or Key wrap/unwrap key. | Status return; key transport shared secret. | ||
| key material on behalf of the | key material on behalf of the | - KTS_KDK_IFC: W,E | ||||||
| calling process. | calling process. | - KTS_KEK_IFC: W,E | ||||||
| Message authentication | Generate or verify data | CO | MAC AES (CMAC, | FIPS_OK | Keyed hash key. | Status return; MAC output value. | ||
| integrity. | integrity. | - KH_Key_AES-CMAC: | GMAC) | |||||
| MAC HMAC | W,E | MAC HMAC | ||||||
| MAC KMAC (XOF) | - KH_Key_AES-GMAC: | MAC KMAC (XOF) | ||||||
| Message digest | Generate a message digest. | Message Digest | FIPS_OK | Message; flags. | Status return; Hash output value. | |||
| Query | Report available crypto | FIPS_OK | Provider context, operation ID. | Array of available operations. | ||||
| Random | Generate random bits using | CO | Random | FIPS_OK | DRBG struct (RBG State); DRBG_Seed. | Status return; Random value. | ||
| the DRBG. | the DRBG. | - DRBG_C: W,E | CKG Section 4 | |||||
| Self-test | Perform the self-test | FIPS_OK | Provider context. | Status (1 = pass, 0 = fail). | ||||
| Show module name and versioning information | Return module name and | FIPS_OK | Provider context, parameter types (array). | Parameter types (array) with: Name, Version. | ||||
| Show status | OpenSSL core metadata | FIPS_OK | Provider context, parameter types (array). | Parameter types with: BuildInfo, Status, SecurityChecks; Status return. | ||||
| Signature | Generate or verify digital | CO | CKG Section 5 | FIPS_OK | Sign: signing key; message. Verify: signature value; flags; sizes. | Status return; Signature value. | ||
| signatures. (SSPs are passed in | signatures. (SSPs are passed in | - DS_SGK_ECC: W,E | Signature DSA | |||||
| by the calling process.) | by the calling process.) | - DS_SVK_ECC: W,E | Signature ECDSA | |||||
| Signature EDDSA | - DS_SGK_Edwards: | Signature EDDSA | ||||||
| Signature RSA | W,E | Signature RSA | ||||||
| Teardown | Uninstantiate the module; | CO | FIPS_OK | Provider context. | None. | |||
| zeroizes internal CTR DRBG | zeroizes internal CTR DRBG | - DRBG_Key: Z | ||||||
| state (DRBG_Key, DRBG_V). | state (DRBG_Key, DRBG_V). | - DRBG_V: Z | ||||||
| Zeroize | Zeroization of allocated key | CO | FIPS_OK | Memory pointer. | Void. | |||
| structures using | structures using | - DRBG_C: Z | ||||||
| openssl_cleanse. | openssl_cleanse. | - DRBG_EI: Z |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
Table 17: Ports and Interfaces The Module does not interact with physical ports. The Control Output interface is not applicable, as the Module does not control other components.
Table 18: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified), and does not support a maintenance role or a bypass capability. The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document and in associated KeyPair FIPS Provider for OpenSSL 3 Guidance Documentation.
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 W,E G,R G,R
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 19: Approved Services All services implemented by the Module correspond to the functionality described by the fips_query function, which returns available services based on an operation_id input. The fips_get_params function provides access to the current status of the Module as well as the name and version; this information correlates to the validation listing. A 1 value returned in status indicates the Module is running without error (FIPS_OK); a 0 return indicates an error (with additional error details indicated as described in the release specific API documentation). Services are only operational in the running state. Any attempts to access services in any other state will result in an error being returned. If the integrity test or any CAST fails then any attempt to access any service will result in an error being returned. The OpenSSL toolkit OSSL_PROVIDER_get_params function is used to invoke fips_get_params, when called with the Module’s global handle and a pointer to a parameter structure (initialized using provider_gettable_params or the equivalent). Regarding the Indicator of approved security services, the Module conforms to FIPS 140-3 IG 2.4.C Approved Security Service Indicator, similar to example 2. Each service provides context sensitive status responses as described in the OpenSSL 3 API manual pages; generally, functions of return type int return the value 1 for success with other error codes as appropriate for the call (described in API documentation). The Module’s name and version parameters (as cited in Section 2) along with the Module’s internal indicators of the security-check and conditional-errors settings are used to confirm the Module is the validated Module operating in the approved mode with only approved security services. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module.
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fips.so.mac (for Linux environments) or fips.dll.mac (for Windows environments) contains the integrity reference value. The Module is provided in an executable form (as fips.so shared object for use in Linux environments or fips.dll for use in Windows environments).
The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.
In accordance with ISO/IEC 19790:2012 Annex B, as the Module is open source, the tools used to build the Module as tested are:
Type of Operational Environment: Modifiable No operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2.4. The Module conforms to FIPS 140-3 IG 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by FIPS 140-3 IG 2.3.C as a known PAA.
| Name | Approved Functions | Type | From | To | Distribution Type |
|---|---|---|---|---|---|
| I | Electronic | Plaintext | Calling process | Call stack (API) input parameters | Manual |
| O | Electronic | Plaintext | Call stack (API) output parameters | Calling process | Manual |
| Storage | Description | Persistence |
|---|---|---|
| Area | Type | |
| Name | ||
| RAM | R: Random access memory | Dynamic |
| Zeroization | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Method | |||
| C | C (Cleanse): Caller invocation of openssl_cleanse. | Overwrites with zeros | Caller invocation of openssl_cleanse |
| T | T (Teardown): Module unload - invokes cleanse internally. | Overwrites with zeros | Occurs when module is unloaded |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
I O Table 21: SSP Input-Output Methods
C T Table 22: SSP Zeroization Methods All SSPs are zeroized (overwritten with 0s) when they are no longer needed:
| Name | Type | Description | Strength | Generation | Establishment | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|---|---|
| DRBG_C | Hash_DRBG_C - CSP | Element of Hash DRBG state. | Size: 440-888 - | Random | Random | ||||||
| DRBG_EI | Other - CSP | Entropy input from an external source used for DRBG seeding. | Size: 128-2^35 - | Random | |||||||
| DRBG_Key | CTR_DRBG_Key, HMAC_DRBG_Key - CSP | Element of CTR DRBG or HMAC DRBG state. | Size: 128-256, 128-256 - | Random | Random | ||||||
| DRBG_Seed | Other - CSP | Seed used for DRBG Instantiation and Reseed. | Size: 128-256 - | Random | Random | ||||||
| DRBG_V | CTR_DRBG_Key, Hash_DRBG_Key, HMAC_DRBG_Key - CSP | Element of CTR, Hash or HMAC DRBG state. | Size: 128-256, 128-256, 128-256 | Random | Random | ||||||
| DS_SGK_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - CSP | SigGen (private) key. | Size: 233, 283, 409, 571, 233, | Signature | |||||||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | ECDSA | |||||||||
| DS_SGK_Edwards | Edwards25519, Edwards448 - CSP | SigGen (private) key. | Size: 255, 448 - | Signature | |||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | EDDSA | |||||||||
| DS_SGK_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 - CSP | SigGen (private) key. | Size: 2048, 2048, 3072 - | Signature DSA | |||||||
| DS_SGK_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - CSP | SigGen (private) key. | Size: 2048, 3072, 4096, 6144, | Signature RSA | |||||||
| DS_SVK_ECC | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 - PSP | SigVer (public) key. | Size: 163, 233, 283, 409, 571, | Signature | |||||||
| 163, 233, 283, 409, 571, 192, | 163, 233, 283, 409, 571, 192, | ECDSA | |||||||||
| DS_SVK_Edwards | Edwards25519, Edwards448 - PSP | SigVer (public) key. | Size: 255, 448 - | Signature | |||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | EDDSA | |||||||||
| DS_SVK_FFC | L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256 - PSP | SigVer (public) key. | Size: 1024, 2048, 2048, 3072 - | Signature DSA | |||||||
| DS_SVK_IFC | k=1024, k=2048, k=3072, k=4096, k=6144, k=8192 - PSP | SigVer (public) key. | Size: 1024, 2048, 3072, 4096, | Signature RSA | |||||||
| GKP_Private_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - CSP | General ECDSA (private) key. | Size: 233, 283, 409, 571, 233, | Key | Key | ||||||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | management | management | ||||||||
| 521 - | 521 - | ECC | ECC | ||||||||
| GKP_Private_Edwards | Edwards25519, Edwards448 - CSP | General EdDSA (private) key. | Size: 255, 448 - | Key | Key | ||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | management | management | ||||||||
| Edwards | Edwards | Edwards | |||||||||
| GKP_Private_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 - CSP | General FFC (private) key. | Size: 2048, 2048, 3072 - | Key | Key | ||||||
| Strength: s = 112, s = 112, s = | Strength: s = 112, s = 112, s = | management | management | ||||||||
| 128 | 128 | FFC | FFC | ||||||||
| GKP_Private_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - CSP | General RSA (private) key. | Size: 2048, 3072, 4096, 6144, | Key | Key | ||||||
| 8192 - | 8192 - | management | management | ||||||||
| Strength: s = 112, s = 128, s = | Strength: s = 112, s = 128, s = | IFC | IFC | ||||||||
| GKP_Public_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - PSP | General ECDSA (public) key. | Size: 233, 283, 409, 571, 233, | Key | Key | ||||||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | management | management | ||||||||
| 521 - | 521 - | ECC | ECC | ||||||||
| GKP_Public_Edwards | Edwards25519, Edwards448 - PSP | General EdDSA (public) key. | Size: 255, 448 - | Key management Edwards | Key | ||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | management | |||||||||
| GKP_Public_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 - PSP | General FFC (public) key. | Size: 2048, 2048, 3072 - | Key management FFC | Key | ||||||
| Strength: s = 112, s = 112, s = | Strength: s = 112, s = 112, s = | management | |||||||||
| 128 | 128 | FFC | |||||||||
| GKP_Public_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - PSP | General RSA (public) key. | Size: 2048, 3072, 4096, 6144, | Key management IFC | Key | ||||||
| 8192 - | 8192 - | management | |||||||||
| Strength: s = 112, s = 128, s = | Strength: s = 112, s = 128, s = | IFC | |||||||||
| KAS_Private_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - CSP | Key pair component used for shared secret generation. | Size: 233, 283, 409, 571, 233, | Key agreement | |||||||
| KAS_Private_FFC | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - CSP | Key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_Private_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - CSP | Key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_Public_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - PSP | Peer key pair component used for shared secret generation. | Size: 233, 283, 409, 571, 233, | Key agreement | |||||||
| KAS_Public_FFC | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - PSP | Peer key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_Public_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - PSP | Peer key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_SS_ECC | Other - CSP | Shared secret calculation z output value (for KDF). | Size: 112 - 256 - | Key | Key agreement | ||||||
| Strength: 112 - 256 | Strength: 112 - 256 | agreement | |||||||||
| KAS_SS_FFC | Other - CSP | Shared secret calculation z output value (for KDF). | Size: 112 - 256 - | Key | Key agreement | ||||||
| Strength: 112 - 200 | Strength: 112 - 200 | agreement | |||||||||
| KAS_SS_IFC | Other - CSP | Shared secret calculation z output value (for KDF). | Size: 112 - 256 - | Key | Key agreement | ||||||
| Strength: 112 - 200 | Strength: 112 - 200 | agreement | |||||||||
| KD_DKM_KDF | Other - CSP | Key derivation derived keying material. | Size: 128 - 256 - | Key derivation | Key derivation | ||||||
| KD_DKM_PBKDF | Other - CSP | PBKDF derived key material | Size: 128 - | Key derivation | Key derivation | ||||||
| KD_PW_PBKDF | Other - CSP | PBKDF password input. | Size: 128 - | Key derivation | Key derivation | ||||||
| KD_SK | Other - CSP | Key derivation source key material. | Size: 128 - 256 - | Key derivation | |||||||
| KH_Key_AES-CMAC | AES-128, AES-192, AES-256 - CSP | Keyed Hash key. | Size: 128, 192, 256 - | MAC AES | |||||||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (CMAC, GMAC) | |||||||||
| KH_Key_AES-GMAC | AES-128, AES-192, AES-256 - CSP | Keyed Hash key. | Size: 128, 192, 256 - | MAC AES | |||||||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (CMAC, GMAC) | |||||||||
| KH_Key_HMAC | Other - CSP | Keyed Hash key. | Size: 112 - 2048 - | MAC HMAC | |||||||
| KH_Key_KMAC | KMAC128, KMAC256 - CSP | Keyed Hash key. | Size: 128, 256 - | MAC KMAC | |||||||
| Strength: 112 ≤ s ≤ 128, 112 ≤ s ≤ | Strength: 112 ≤ s ≤ 128, 112 ≤ s ≤ | (XOF) | |||||||||
| KTS_KDK_IFC | Other - CSP | RSA key de- encapsulation Key (key transport). | Size: 2048, 3072, 4096, 6144 - | Key transport | |||||||
| KTS_KEK_IFC | Other - PSP | RSA key encapsulation | Size: 2048, 3072, 4096, 6144 - Strength: s = 112, s = 128, s = 152, s = 176 | Key transport | |||||||
| KTS_SS_IFC | Other - CSP | RSA key transport | Size: 112 - 256 - Strength: s = 112 - s = 176 | Key | Key transport | ||||||
| shared secret. | shared secret. | transport | |||||||||
| SC_EDK_AES | AES-128, AES-192, AES-256 - CSP | Symmetric encryption | Size: 128, 192, 256 - Strength: s = 128, s = 192, s = 256 | Cipher | |||||||
| and decryption. | and decryption. | (Unauth) | |||||||||
| SC_EDK_XTS | XTS-128, XTS-256 - CSP | Symmetric encryption | Size: 256, 512 - Strength: s = 128, s = 256 | Cipher | |||||||
| and decryption. | and decryption. | (Unauth) | |||||||||
| DRBG_C | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Derived From | ||||||
| O | O | DRBG_V:Used with | |||||||||
| DRBG_EI | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Constituent | ||||||
| DRBG_Key | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | ||||||
| O | O | DRBG_V:Used with | |||||||||
| DRBG_Seed | RAM:Plaintext | C | Call lifetime | DRBG_C:Derives | |||||||
| DRBG_V | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | ||||||
| O | O | DRBG_Key:Used with | |||||||||
| DS_SGK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_ECC:Paired With | ||||||
| DS_SGK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SVK_Edwards:Paired With | ||||||
| DS_SGK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_FFC:Paired With | ||||||
| DS_SGK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_IFC:Paired With | ||||||
| DS_SVK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_ECC:Paired With | ||||||
| DS_SVK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SGK_Edwards:Paired With | ||||||
| DS_SVK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_FFC:Paired With | ||||||
| DS_SVK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_IFC:Paired With | ||||||
| GKP_Private_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_ECC:Paired With | ||||||
| GKP_Private_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Public_Edwards:Paired With | ||||||
| GKP_Private_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_FFC:Paired With |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
| Name | Type | Description | Strength | Establishment | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|---|
| KTS_KEK_IFC | Other - PSP | RSA key encapsulation | Size: 2048, 3072, 4096, 6144 - Strength: s = 112, s = 128, s = 152, s = 176 | Key transport | ||||||
| KTS_SS_IFC | Other - CSP | RSA key transport | Size: 112 - 256 - Strength: s = 112 - s = 176 | Key | Key transport | |||||
| shared secret. | shared secret. | transport | ||||||||
| SC_EDK_AES | AES-128, AES-192, AES-256 - CSP | Symmetric encryption | Size: 128, 192, 256 - Strength: s = 128, s = 192, s = 256 | Cipher | ||||||
| and decryption. | and decryption. | (Unauth) | ||||||||
| SC_EDK_XTS | XTS-128, XTS-256 - CSP | Symmetric encryption | Size: 256, 512 - Strength: s = 128, s = 256 | Cipher | ||||||
| and decryption. | and decryption. | (Unauth) | ||||||||
| DRBG_C | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Derived From | |||||
| O | O | DRBG_V:Used with | ||||||||
| DRBG_EI | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Constituent | |||||
| DRBG_Key | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | |||||
| O | O | DRBG_V:Used with | ||||||||
| DRBG_Seed | RAM:Plaintext | C | Call lifetime | DRBG_C:Derives | ||||||
| DRBG_V | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | |||||
| O | O | DRBG_Key:Used with | ||||||||
| DS_SGK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_ECC:Paired With | |||||
| DS_SGK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SVK_Edwards:Paired With | |||||
| DS_SGK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_FFC:Paired With | |||||
| DS_SGK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_IFC:Paired With | |||||
| DS_SVK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_ECC:Paired With | |||||
| DS_SVK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SGK_Edwards:Paired With | |||||
| DS_SVK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_FFC:Paired With | |||||
| DS_SVK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_IFC:Paired With | |||||
| GKP_Private_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_ECC:Paired With | |||||
| GKP_Private_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Public_Edwards:Paired With | |||||
| GKP_Private_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_FFC:Paired With | |||||
| GKP_Private_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_IFC:Paired With | |||||
| GKP_Public_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_ECC:Paired With | |||||
| GKP_Public_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Private_Edwards:Paired With | |||||
| GKP_Public_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_FFC:Paired With | |||||
| GKP_Public_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_IFC:Paired With | |||||
| KAS_Private_ECC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_ECC:Paired With | |||||
| KAS_Private_FFC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_FFC:Paired With | |||||
| KAS_Private_IFC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_IFC:Paired With | |||||
| KAS_Public_ECC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_ECC:Paired With | |||||
| KAS_Public_FFC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_FFC:Paired With | |||||
| KAS_Public_IFC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_IFC:Paired With | |||||
| KAS_SS_ECC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_ECC:Calculated From | |||||
| KAS_SS_FFC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_FFC:Calculated From | |||||
| KAS_SS_IFC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_IFC:Calculated From | |||||
| KD_DKM_KDF | RAM:Plaintext | C | O | Call lifetime | KD_SK:Derived From | |||||
| KD_DKM_PBKDF | RAM:Plaintext | C | O | Call lifetime | KD_PW_PBKDF:Derived From | |||||
| KD_PW_PBKDF | RAM:Plaintext | C | I | Call lifetime | KD_DKM_PBKDF:Derives | |||||
| KD_SK | RAM:Plaintext | C | I | Call lifetime | KD_DKM_KDF:Derives | |||||
| KH_Key_AES-CMAC | RAM:Plaintext | C | I | Call lifetime | ||||||
| KH_Key_AES-GMAC | RAM:Plaintext | C | I | Call lifetime | ||||||
| KH_Key_HMAC | RAM:Plaintext | C | I | Call lifetime | ||||||
| KH_Key_KMAC | RAM:Plaintext | C | I | Call lifetime | ||||||
| KTS_KDK_IFC | RAM:Plaintext | C | I | Call lifetime | KTS_SS_IFC:Unwraps | |||||
| KTS_KEK_IFC | RAM:Plaintext | C | I | Call lifetime | KTS_SS_IFC:Wraps | |||||
| KTS_SS_IFC | RAM:Plaintext | C | O | Call lifetime | KTS_KDK_IFC:Unwrapped By | |||||
| SC_EDK_AES | RAM:Plaintext | C | I | Call lifetime | ||||||
| SC_EDK_XTS | RAM:Plaintext | C | I | Call lifetime |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 23: SSP Table 1 I C O I C I O T C I O T I C I C I C I C I C I C I C I C O C C O C
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 O O O O I I I I I I O O C O C O O I I I I I I I I O C C C C C C C C C C C Table 24: SSP Table 2 I I C C C C C C C C C C C C C C Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10.
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 The Module maintains only the Counter DRBG state used for key generation as a persistent CSP; this DRBG instance is used exclusively for approved services.
Key/Algorithm Type Equivalent Strengths: Reference sources for the strengths provided in SSP Table 1 are specified below. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). Block Cipher (and related functions): • AES (AES-128, AES-192, AES-256): SP 800-57 Part 1 Rev. 5 Table
| Name | Algorithm Or Test | Test Method | Test Type | Test Properties | Indicator |
|---|---|---|---|---|---|
| SW Integrity | SW Integrity | HMAC over the complete module file image | SW/FW Integrity | HMAC-SHA2-256 #A4481 | FIPS_OK or PROV_R_FIPS_MODULE_IN_ERROR_STATE |
| Name | Properties | Test | Indicator | Details | Conditions |
|---|---|---|---|---|---|
| Test | Type | ||||
| AES-ECB | 128-bit | CAST | FIPS_OK | Encrypt | Performed on module load. |
| AES-ECB | 128-bit | CAST | FIPS_OK | Decrypt | Performed on module load. |
| AES-GCM | 256-bit | CAST | FIPS_OK | Encrypt | Performed on module load. |
| AES-GCM | 256-bit | CAST | FIPS_OK | Decrypt | Performed on module load. |
| Counter DRBG | AES-128 with derivation function | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| DSA SigGen | 2048-bit with SHA2-384 | CAST | FIPS_OK | Sign | Performed on module load. |
| DSA SigVer | 2048-bit with SHA2-384 | CAST | FIPS_OK | Verify | Performed on module load. |
| ECDSA SigGen | P-224 with SHA2-512 | CAST | FIPS_OK | Sign | Performed on module load. |
| ECDSA SigVer | P-224 with SHA2-512 | CAST | FIPS_OK | Verify | Performed on module load. |
| EDDSA ED448 | Edwards448 SigGen with SHA2- 256 | CAST | FIPS_OK | Sign | Performed on module load. |
| EDDSA ED448 | Edwards448 SigVer with SHA2- 256 | CAST | FIPS_OK | Verify | Performed on module load. |
| EDDSA ED25519 | Edwards25519 SigGen with SHA2-512 | CAST | FIPS_OK | Sign | Performed on module load. |
| EDDSA ED25519 | Edwards25519 SigVer with SHA2-512 | CAST | FIPS_OK | Verify | Performed on module load. |
| Hash DRBG | SHA2-256 | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| HMAC DRBG | SHA-1 | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| HMAC-SHA2-256 | SHA2-256 with a 256-bit key | CAST | FIPS_OK | Generate | Performed on module load. |
| Test | Type | ||||
| KAS-ECC-SSC | P-256 | CAST | FIPS_OK | Ephemeral Unified Shared Secret | Performed on module load. |
| Sp800-56Ar3 | (Z) Computation | ||||
| KAS-FFC-SSC | L=2048/N=256 | CAST | FIPS_OK | dhEphem Shared Secret (Z) | Performed on module load. |
| Sp800-56Ar3 | Computation | ||||
| KAS-IFC-SSC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Section 8.2.2 RSA | Performed on module load. |
| KAS-KDF | SHA2-224 | CAST | FIPS_OK | SP 800-56C Rev. 2 Section 4 | Performed on module load. |
| OneStep SP800- | OneStep KDF (AKA OpenSSL single- | ||||
| 56Cr2 | step or SS-KDF) | ||||
| KAS-KDF | SHA2-256 | CAST | FIPS_OK | SP 800-56C Rev. 2 Section 5 | Performed on module load. |
| TwoStep SP800- | TwoStep KDF (HKDF variant) | ||||
| KDF ANS 9.42 | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 5.1 ANSI | Performed on module load. |
| KDF ANS 9.63 | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 5.1 | Performed on module load. |
| KDF SP800-108 | HMAC-SHA2-256 | CAST | FIPS_OK | SP 800-108 Rev. 1 Section 4.1 KAT | Performed on module load. |
| KDF SSH | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 5.2 | Performed on module load. |
| KTS-IFC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Decrypt for CRT | Performed on module load. |
| KTS-IFC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Encrypt for Basic | Performed on module load. |
| KTS-IFC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Decrypt for Basic | Performed on module load. |
| PBKDF | SHA2-256, 24-byte password, 36-byte salt, iteration count of 4096 | CAST | FIPS_OK | SP 800-132 Section 5.3 KAT of | Performed on module load. |
| RSA SigGen | k=2048 with SHA2-256 | CAST | FIPS_OK | Sign | Performed on module load. |
| RSA SigVer | k=2048 with SHA2-256 | CAST | FIPS_OK | Verify | Performed on module load. |
| SHA-1 | SHA-1 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| SHA2-512 | SHA2-512 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| SHA3-256 | SHA3-256 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| TLS v1.2 KDF | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 4.2.2 TLS | Performed on module load. |
| RFC7627 | 1.2 KAT |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
Table 25: Pre-Operational Self-Tests
FIPS 140-3 Security Policy OneStep SP80056Cr2 TwoStep SP80056Cr2
| Name | Mode Method | Properties | Tes | T Indicator e | Details | Conditions |
|---|---|---|---|---|---|---|
| Test | Typ | |||||
| TLS v1.3 KDF | KAT | Fixed input KAT | CAS | T FIPS_OK | RFC8446 Section 7.1 TLS v1.3 KDF KAT | Performed on module load. |
| DSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on FFC (DSA, KAS-FFC-SSC) key pair |
| (FIPS186-4) | generated key pair | generation, prior to returning the key pair on | ||||
| ECDSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on ECC (ECDSA) key pair generation, |
| (FIPS186-4) | generated key pair | prior to returning the key pair on conclusion of | ||||
| EDDSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on Edwards (EdDSA) key pair |
| generated key pair | generated key pair | generation, prior to returning the key pair on | ||||
| RSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on IFC (RSA, KAS-IFC-SSC, KTS-IFC) key |
| (FIPS186-4) | generated key pair | pair generation, prior to returning the key pair on |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| SW Integrity | SW Integrity | HMAC over the complete module file image | SW/FW Integrity | On demand | Module load |
| AES-ECB | AES-ECB | KAT C | AST | On demand | On power on or reset |
| AES-ECB | AES-ECB | KAT C | AST | On demand | On power on or reset |
| AES-GCM | AES-GCM | KAT C | AST | On demand | On power on or reset |
| AES-GCM | AES-GCM | KAT C | AST | On demand | On power on or reset |
| Counter DRBG | Counter DRBG | KAT C | AST | On demand | On power on or reset |
| DSA SigGen (FIPS186-4) | DSA SigGen (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| DSA SigVer (FIPS186-4) | DSA SigVer (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| ECDSA SigGen (FIPS186-4) | ECDSA SigGen (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| ECDSA SigVer (FIPS186-4) | ECDSA SigVer (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| EDDSA ED448 SigGen | EDDSA ED448 SigGen | KAT C | AST | On demand | On power on or reset |
| EDDSA ED448 SigVer | EDDSA ED448 SigVer | KAT | CAST | On demand | On power on or reset |
| EDDSA ED25519 SigGen | EDDSA ED25519 SigGen | KAT | CAST | On demand | On power on or reset |
| EDDSA ED25519 SigVer | EDDSA ED25519 SigVer | KAT | CAST | On demand | On power on or reset |
| Hash DRBG | Hash DRBG | KAT | CAST | On demand | On power on or reset |
| HMAC DRBG | HMAC DRBG | KAT | CAST | On demand | On power on or reset |
| HMAC-SHA2-256 | HMAC-SHA2-256 | KAT | CAST | On demand | On power on or reset |
| KAS-ECC-SSC Sp800-56Ar3 | KAS-ECC-SSC Sp800-56Ar3 | KAT | CAST | On demand | On power on or reset |
| KAS-FFC-SSC Sp800-56Ar3 | KAS-FFC-SSC Sp800-56Ar3 | KAT | CAST | On demand | On power on or reset |
| KAS-IFC-SSC | KAS-IFC-SSC | KAT | CAST | On demand | On power on or reset |
| KAS-KDF OneStep SP800-56Cr2 | KAS-KDF OneStep SP800-56Cr2 | KAT | CAST | On demand | On power on or reset |
| KAS-KDF TwoStep SP800-56Cr2 | KAS-KDF TwoStep SP800-56Cr2 | KAT | CAST | On demand | On power on or reset |
| KDF ANS 9.42 | KDF ANS 9.42 | KAT | CAST | On demand | On power on or reset |
| KDF ANS 9.63 | KDF ANS 9.63 | KAT | CAST | On demand | On power on or reset |
| KDF SP800-108 | KDF SP800-108 | KAT | CAST | On demand | On power on or reset |
| KDF SSH | KDF SSH | KAT | CAST | On demand | On power on or reset |
| KTS-IFC | KTS-IFC | KAT | CAST | On demand | On power on or reset |
| KTS-IFC | KTS-IFC | KAT | CAST | On demand | On power on or reset |
| KTS-IFC | KTS-IFC | KAT | CAST | On demand | On power on or reset |
| PBKDF | PBKDF | KAT | CAST | On demand | On power on or reset |
| RSA SigGen (FIPS186-4) | RSA SigGen (FIPS186-4) | KAT | CAST | On demand | On power on or reset |
| RSA SigVer (FIPS186-4) | RSA SigVer (FIPS186-4) | KAT | CAST | On demand | On power on or reset |
| SHA-1 | SHA-1 | KAT | CAST | On demand | On power on or reset |
| SHA2-512 | SHA2-512 | KAT | CAST | On demand | On power on or reset |
| SHA3-256 | SHA3-256 | KAT | CAST | On demand | On power on or reset |
| TLS v1.2 KDF RFC7627 | TLS v1.2 KDF RFC7627 | KAT | CAST | On demand | On power on or reset |
| TLS v1.3 KDF | TLS v1.3 KDF | KAT | CAST | On demand | On power on or reset |
| DSA KeyGen (FIPS186-4) | DSA KeyGen (FIPS186-4) | PCT | PCT | On demand | On power on or reset |
| ECDSA KeyGen (FIPS186-4) | ECDSA KeyGen (FIPS186-4) | PCT | PCT | On demand | On power on or reset |
| EDDSA KeyGen | EDDSA KeyGen | PCT | PCT | On demand | On power on or reset |
| RSA KeyGen (FIPS186-4) | RSA KeyGen (FIPS186-4) | PCT | PCT | On demand | On power on or reset |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 Table 26: Conditional Self-Tests The intended usage of asymmetric key pairs generated by the Module is not known at the time when the key pair is generated and the pairwise consistency test (PCT) is performed. In all cases, a sign and verify PCT is performed.
Table 27: Pre-Operational Periodic Information CAST CAST CAST CAST CAST CAST CAST CAST CAST CAST
FIPS 140-3 Security Policy Table 28: Conditional Periodic Information KeyPair FIPS Provider for OpenSSL 3
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Self-test | The self-test failure error | If one of the KATs fails or integrity test | PROV_R_FIPS_MODULE_IN_ERROR_STATE | Reload the Module into |
| failure | state | fails | memory |
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. The pre-operational self-tests are available on demand by reloading the Module. On instantiation, the Module performs the pre-operational self-test and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. The fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11.
The Module is based on the open-source OpenSSL 3 FIPS Provider, with a set of patches applied for conformance to FIPS 140-3 requirements. The Module is provided to vendors who integrate it into their product, typically in a manufacturing environment, and is not provided directly to US or Canadian Federal agencies. Adherence to these steps maintains security throughout the distribution, build, installation and configuration processes. Tamper is detected via the use of HMAC integrity checking using a utility built with a separate FIPS 140-2 validated module. An authorized Cryptographic Officer is required to perform these steps on each platform where it is intended to be used. The config file output contains information about the Module (such as the self-test status and the Module checksum) and must not be copied from one machine to another. The Module is distributed by KeyPair to vendors as a tarball containing:
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3 The process to build and install the KeyPair Module is:
Additional Guidance Documentation inclusive of all information required per ISO/IEC 19790:2012 Section 7.11.9 is available from KeyPair Consulting by request.
The inherent properties of the Module are:
FIPS 140-3 Security Policy KeyPair FIPS Provider for OpenSSL 3
The Module implements mitigations for constant-time implementations and blinding attacks.
Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.
The mitigation mechanisms described in Section 12.2 are inherent within the validated algorithms. No other guidance or constraints are specified.