All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Motorola Solutions Cryptographic Firmware Module

Certificate#4730StandardFIPS 140-3Level1TypeFirmwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorMotorola Solutions, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeFirmware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/17/2029
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g. Keys).
VendorMotorola Solutions, Inc.

Approved Algorithms (13)

AlgorithmACVP Cert
AES-CBCA2228
AES-ECBA2228
AES-GCMA2228
AES-KWA2228
AES-OFBA2228
Counter DRBGA2228
ECDSA KeyGen (FIPS186-4)A2228
HMAC-SHA2-384A2228
KAS-ECC Sp800-56Ar3A2228
PBKDFA2228
SHA2-256A2228
SHA2-384A2228
SHA2-512A2228

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical Security1
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Motorola Solutions Cryptographic Firmware Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>R01.13.00</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-Test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C3,C5,C6 clue;
  class I1,I3,I5,I6 infer;
  class R1,R3,R5,R6 risk;
  class E1,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Motorola Solutions Cryptographic Firmware Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>R01.13.00</i><br/>src: certificate.firmwareVersions"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-Test</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Motorola Solutions Cryptographic Firmware Module Firmware Version: R01.13.00 Document Version: 1.0 Date: July 16, 2024 Prepared by: www.acumensecurity.net Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 2

Introduction Federal Information Processing Standards Publication 140-3

140 validation. Validated is the term given to a module that is documented and tested against the FIPS

140 criteria.

More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program About this Document This non-proprietary Cryptographic Module Security Policy for the Motorola Solutions Cryptographic Firmware Module provides an overview of the product and a high-level description of how it meets the overall Level 1 security requirements of FIPS 140-3. The Motorola Solutions Cryptographic Firmware Module may also be referred to as the “module” in this document. Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Motorola Solutions, Inc. shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 3
Table of Contents
#SectionPage
Introduction2
Disclaimer2
Notices2
1General4
2Cryptographic Module Specification5
2.1Modes of Operation5
2.2Cryptographic Functionality6
2.3Module Description and Cryptographic Boundary7
2.4Security Rules and Guidance8
3Cryptographic Module Interfaces8
4Roles, Services, and Authentication9
5Software/Firmware Security12
6Operational Environment12
7Physical Security12
8Non-invasive Security13
9Sensitive Security Parameters Management13
10Self-Tests15
10.1Automatic Self-Test15
10.2Operator Initiated Self-Test16
11Life-Cycle Assurance16
12Mitigation of Other Attacks17
References and Definitions18
Page 4
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical Security1
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management1
1010Self-Tests1
1111Life-Cycle Assurance1
1212Mitigation of Other AttacksN/A

1. This document defines the cryptographic module security policy for the Motorola Solutions Cryptographic Firmware Module (Firmware version: R01.13.00), also referred to as the “module” hereafter. The module is a multichip standalone embodiment. It contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The following table lists the level of validation for each area in FIPS 140-3: N/A N/A Table 1

Page 5
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Mentor Graphics Nucleus 3.0 (version 2013.08.1)Texas Instrument (TI) OMAP-L138 C6000 DSP+ARMARM926EJ-SN/A1
2Texas Instrument (TI) DSP/BIOS (version 5.41.04.18)Texas Instrument (TI) OMAP-L138 C6000 DSP+ARMTMS320C674xN/A2
1Enea OSE, Version 5.8Motorola Solutions GRV 8000 Comparator, NXP QorIQ P10211
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Mentor Graphics Nucleus 3.0 (version 2013.08.1)Texas Instrument (TI) OMAP-L138 C6000 DSP+ARMARM926EJ-SN/A1
2Texas Instrument (TI) DSP/BIOS (version 5.41.04.18)Texas Instrument (TI) OMAP-L138 C6000 DSP+ARMTMS320C674xN/A2
1Enea OSE, Version 5.8Motorola Solutions GRV 8000 Comparator, NXP QorIQ P10211
  1. Cryptographic Module Specification The module is a firmware-based cryptographic module that runs on a Motorola Solutions, Inc. radio hardware platform. The module provides FIPS 140-3 approved cryptographic functionalities via an Application Programming Interface (API) to the application layer running in Motorola Solutions, Inc. radio products supporting the APCO Project 25 standard. The module is intended for use by the markets that require FIPS 140-3 validated overall Security Level
  2. A unique binary is generated for each operating system. The following operating environments have been tested for this validation: # N/A N/A Table 2 – Tested Operational Environments The module has also been confirmed by Motorola Solutions, Inc. to be operational on the following OE shown in Table
  3. However, no target testing was performed on this platform for the FIPS 140-3 validation with the specific firmware version listed in this document. Note: The CMVP makes no statement as to the correct operation of the module on the operational environments for which operational testing was not performed. # Table 3 – Vendor Affirmed Operational Environments 2.1 Modes of Operation The module operates in two different modes of operation. • • Approved mode: DES Encrypt/Decrypt are blocked. All services listed in Table 9 are available when the module is operating in Approved mode. non-Approved mode: All services listed in Table 9 and Table 10 are available when the module is operating in non-Approved mode. The module defaults to the Approved mode at the initial power-up and will transition between Approved Mode and non-Approved mode by using the “Configure Approved Mode” service. The operator can configure the mode of the module by using the “Configure Approved Mode” Service listed in Table
  4. The “Configure Approved Mode” services sets an Approved mode flag via the API. The Approved mode flag is “fips_mode = 1” in the Approved mode and the non-Approved mode flag is “fips_mode = 0”. The operator shall zeroize all CSPs by power cycling the module when transitioning between Approved and nonApproved modes. The operator must retain control of the module while zeroization is in process. Motorola Solutions, Inc. © 2024 Public Material – May be reproduced only in its original entirety (without revision).
Page 6
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197]A2228CBC [SP 800-38A]Key Size: 256Encrypt, Decrypt
ECB [SP 800-38A]ECB [SP 800-38A]Key Size: 256Encrypt, Decrypt
GCM [SP 800-38D]1GCM [SP 800-38D]1Key Size: 256Encrypt, Decrypt
KW [SP 800-38F]KW [SP 800-38F]Key Size: 256Encrypt, Decrypt
OFB [SP 800-38A]OFB [SP 800-38A]Key Size: 256Encrypt, Decrypt
DRBG [SP800-90Ar1]CTRAES-256Deterministic Random Bit Generation
ECDSA [FIPS 186-4]P-384Key Generation, Supported only on OE #1.
HMAC [FIPS 198-1]HMAC-SHA2-384(1024 bit)Message authentication, Code Integrity tests
KAS-ECC [SP 800- 56Ar3]P-384 with SHA2- 256Key Establishment provides 192 bits of encryption strength, Supported only on OE#1ECC (Initiator,
pair generation,P-384 with SHA2- 384pair generation,
validation, One-P-384 with SHA2- 512validation, One-
KTS [IG D.G]AES-KWKey Size: 256Key Wrap provides 256 bits of encryption strength
KTS [IG D.G]GCMKey Size: 256Key Wrap provides 256 bits of encryption strength
PBKDF [SP 800-132]Option 1a Option 2a (using HMAC)sLen = 16 – 512 bytes C = 1 – 5000 SHA2-256, SHA2- 384, SHA2-512Password-Based Key Derivation. Supported only on OE #1.
SHS [FIPS 180-4]SHA2-256 SHA2-384 SHA2-512N/AMessage Digest Generation, Password Obfuscation
CKGVendor AffirmedCTR_DRBGN/ASymmetric key and asymmetric key seed

2.2 Cryptographic Functionality The module’s supported cryptographic functions are listed in the following tables: N/A N/A #1. Per IG C.H option 2, the module generates 96-bit GCM IVs randomly as specified in SP800-38D section 8.2.2 using an approved DRBG (Cert. #A2228), that is internal to the module’s boundary. Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 7
Approved algorithm
NameCAVP CertUse FunctionDescription
AES MAC3AES MAC3[IG D.C] AES MAC for Project 25 APCO OTAR (Cert. #A2228)
DESDES Encryption/Decryption – ECB, OFB and CBC Mode.
Approved algorithm
NameCAVP CertUse FunctionDescription
AES MAC3AES MAC3[IG D.C] AES MAC for Project 25 APCO OTAR (Cert. #A2228)
DESDES Encryption/Decryption – ECB, OFB and CBC Mode.

Table 4

Page 8

Logical Perimeter Figure 1 – Logical cryptographic boundary and physical boundary 2.4 Security Rules and Guidance The module enforces the following security rules:

  1. The module does not support any operator authentication.
  2. The module is available to perform services only after successfully completing the pre-operational self-tests.
  3. Data output is inhibited during pre-operational self-tests, zeroization, and while in an error state.
  4. The module shall not support concurrent operators.
  5. The module enters the uninitialized state if any pre-operational self-test fail. The uninitialized state can be exited by restarting the module allowing the module to attempt to re-initialize itself.
  6. If the module enters a soft error state, the error condition may be cleared by executing the Operator Initiated Self-Test service documented in Section 11.2 or power cycling the module.
  7. The module can perform periodic self-tests. An operator can perform periodic self-tests on demand by using the Operator Initiated Self-Test API or power cycle.
  8. The module does not perform any cryptographic functions while in the uninitialized state.
  9. The module returns the results of the pre-operational self-tests to the operator.
  10. The module may be power cycled to zeroize all CSPs.
  11. The module is to be installed on Motorola Solutions radio products.
  12. The operator may choose whether the module will run in the Approved mode or non-Approved mode using the “Configure Approved Mode” Service.
  13. Cryptographic Module Interfaces The Module’s logical interfaces are described in Table 7: Motorola Solutions, Inc. © 2024 Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 9
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
11Data inputAPI entry point data input stack parameters
22Data outputAPI entry point data output stack parameters
33Control inputAPI entry point and corresponding stack parameters
44Status outputAPI entry point return values and status stack parameters
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Self-TestCOPower-up/Run Self-Test commandStatus: Success/Error
Load EntropyCOEntropy Input StringN/A
Get Module StatusCOGet module status commandModule initialization status, Approved mode status
Get Module VersionCOGet module version command“libALG Library R01.13.00 – Copyright 2021 Motorola Solutions, Inc.”
Configure Approved ModeCOApproved mode enabled/Approved mode disabledEnable/Disable
UtilityCOModule query for algorithm/key statusAlgorithm/key status information
EncryptCOEncryption key, plaintextCiphertext or error status
DecryptCODecryption key, ciphertextPlaintext or error status
AES Key WrappingCOEncryption key, input dataWrapped key
AES Key UnwrappingCODecryption key, input dataUnwrapped data
Generate OTAR MACCOInput dataMAC Key
DRBGCOEntropy input dataPseudo-random number
HashingCOHash algorithm, input dataHashed output
HMAC-SHACOHash Key, input datadigest
ZeroizeCON/AN/A
PBKDFCOPassword, iteration count, salt, hash algorithmDerived key
ECDSA Key GenCOPrivate keyPrivate key/Public key
KAS-ECCCOPrivate key, Public Key of Remote Party (Host B)ECDH Shared Secret/KDF Derived Key
Self-TestAutomatic: See section 10.1CON/AN/AN/A”fips_mode = 1”
Load EntropyLoad external entropy to seed the DRBGCOEntropy Input stringN/AW,E,Z”fips_mode = 1”
Get Module StatusShow the module statusCON/AN/AN/A”fips_mode = 1”
Get Module VersionGet module version numberCON/AN/AN/A”fips_mode = 1”
Configure Approved ModeSet/Unset module to Approved modeCON/AN/AN/A”fips_mode = 1”
UtilityKey check and other servicesCON/AN/AN/A”fips_mode = 1”
EncryptEncryption of voice and dataCOAES-256 KeyAESW,E,Z”fips_mode = 1”
DecryptDecryption of voice and dataCOAES-256 KeyAESW,E,Z”fips_mode = 1”
AES Key WrappingUsed for the encryption of keys.COAES-256 Key Wrap KeyKTS (AES- KW or AES- GCM)W,E,Z”fips_mode = 1”
AES Key UnwrappingUsed for the decryption of keys.COAES-256 Key Wrap KeyKTS (AES- KW or AES- GCM)W,E,Z”fips_mode = 1”

Table 7

Page 10
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
ECDSA Key GenCOPrivate keyPrivate key/Public key
KAS-ECCCOPrivate key, Public Key of Remote Party (Host B)ECDH Shared Secret/KDF Derived Key
Self-TestAutomatic: See section 10.1CON/AN/AN/A”fips_mode = 1”
Load EntropyLoad external entropy to seed the DRBGCOEntropy Input stringN/AW,E,Z”fips_mode = 1”
Get Module StatusShow the module statusCON/AN/AN/A”fips_mode = 1”
Get Module VersionGet module version numberCON/AN/AN/A”fips_mode = 1”
Configure Approved ModeSet/Unset module to Approved modeCON/AN/AN/A”fips_mode = 1”
UtilityKey check and other servicesCON/AN/AN/A”fips_mode = 1”
EncryptEncryption of voice and dataCOAES-256 KeyAESW,E,Z”fips_mode = 1”
DecryptDecryption of voice and dataCOAES-256 KeyAESW,E,Z”fips_mode = 1”
AES Key WrappingUsed for the encryption of keys.COAES-256 Key Wrap KeyKTS (AES- KW or AES- GCM)W,E,Z”fips_mode = 1”
AES Key UnwrappingUsed for the decryption of keys.COAES-256 Key Wrap KeyKTS (AES- KW or AES- GCM)W,E,Z”fips_mode = 1”
Generate OTAR MACUsed to generate MAC (Message Authentication Code) as defined in [OTAR].COOTAR MAC KeyAES MACW,E,Z”fips_mode = 1”
DRBGUsed for random number, IV and key generation using DRBG [SP 800-90Ar1].COEntropy Input string/ SP 800- 90Ar1 Seed/ SP 800- 90Ar1 Internal State (“V” and “Key”)DRBG (output directly used for CKG) CKGG,R,W”fips_mode = 1”
HashingUsed to generate SHA2- 256/384/512 message digest.CON/ASHSN/A”fips_mode = 1”
HMAC-SHAUsed to calculate data integrity codes with HMAC.COKeyed Hash KeyHMACW,E”fips_mode = 1”
Zeroize4Zeroize all SSPsCOAllN/AZ”fips_mode = 1”
PBKDF5Used to generate keys using PBKDF [SP 800-132]COPBKDF Secret Value DPKPBKDFW,E G,R”fips_mode = 1”
ECDSA Key GenUsed for generating asymmetric key pairCOECDSA Private Key, ECDSA Public KeyECDSAG,R”fips_mode = 1”
KAS-ECCUsed for key agreement process using ECDHCOECDH Shared Secret, KDF Derived Key, ECDH Private Key, ECDH PublicKAS-ECCG,R,W,E”fips_mode = 1”

The SSPs modes of access shown in Table 9, are defined as:

Page 11

W,E,Z SP 80090Ar1 N/A G,R,W N/A W,E N/A Z W,E G,R G,R G,R,W,E The Zeroize service zeroizes the key in the volatile memory by power cycling the module. As per NIST SP 800-132, keys generated by the module shall be used as recommend in Section 5.4 of [132]. Any other use of the approved PBKDF is non‐conformant. In approved mode the operator shall enter a password no less than 8 hexadecimal digits in length. The probability of guessing the password will be equal to 1:168. Due to the computational limitations of this embedded operational environment, the iteration count associated with the PBKDF should not exceed 5000. The minimum iteration count is 1, however it shall be selected as large as possible. Keys derived from passwords may only be used in storage applications. Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 12
Service
NameDescriptionRolesApproved FunctionsIndicator
EncryptEncryption of voice and dataCODES”fips_mode = 0”
DecryptDecryption of voice and dataCODES”fips_mode = 0”
Service
NameDescriptionRolesApproved FunctionsIndicator
EncryptEncryption of voice and dataCODES”fips_mode = 0”
DecryptDecryption of voice and dataCODES”fips_mode = 0”

Table 9 – Approved Services Table 10 – Non-Approved Services

  1. Software/Firmware Security The module consists of firmware in the form of a statically linked library. The firmware components are protected and authenticated using an HMAC hash function using the keyed hash key referenced in Table
  2. The operator can initiate the firmware integrity test (HMAC-SHA2-384) on demand by power cycling the radio. If the integrity test fails, the module will not initialize and no security functions will be provided by the module.
  3. Operational Environment The module operates and was tested on the following non-modifiable operational environment: Motorola Solutions, Inc. Radio using hardware platform as specified in Table
  4. As per ISO/IEC 19790:2012 7.6.3: • The cryptographic module has control over its own SSPs. • The operational environment provides the capability to separate individual application processes from each other to prevent uncontrolled access to CSPs and uncontrolled modifications of SSPs, regardless if this data is in the process memory or stored on persistent storage within the operational environment. This ensures that direct access to CSPs and SSPs is restricted to the cryptographic module and the trusted parts of the operational environment. • The module operates in a non-modifiable operational environment, therefore no restrictions or modifications to the configuration of the operational environment are possible. • Processes that are spawned by the cryptographic module are owned by the module and are not owned by external processes/operators.
  5. Physical Security The module is a firmware module and operates in a Motorola Solutions, In. radio that is built with production grade materials that include standard passivation techniques. For the purposes of FIPS 140Motorola Solutions, Inc. © 2024 Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 13
Approved algorithm
NameKey Size
P S S / y e KP S S / y e Ke p y T / e m a Nh t g n e r t Sy t ir u c e Sd n a n o it c n u Fr e b m u N .t r e Cn o it a r e n e Gt r o p x E / t r o p m It n e m h s ilb a t s Ee g a r o t Sn o it a s io r e Zd e t a le r & e s Us y e k
Used to derived SP 800-90Ar1 seedVariable (384-bit minimum)Entropy Input stringN/AExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Derived from the Entropy Input string. Used in AES IV, ECDSA Private Key, and ECDH Private Key generation384-bitSP 800- 90Ar1 SeedDRBG (A2228)InternalN/AN/AVolatile memory (plaintext)Power Cycle/Reset
CTR_DRBG stateN/ASP 800- 90Ar1 Internal State (“V” and “Key”)DRBG (A2228) CKGInternalN/AN/AVolatile memory (plaintext)Power Cycle/Reset
Used in HMAC functionVariable (192-bit minimum)Keyed Hash KeyHMAC (A2228)ExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Used in data encryption / decryption256-bitAES-256 KeyAES (A2228)ExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset /End of data processing
P S S / y e KP S S / y e Ke p y T / e m a Nh t g n e r t Sy t ir u c e Sd n a n o it c n u Fr e b m u N .t r e Cn o it a r e n e Gt r o p x E / t r o p m It n e m h s ilb a t s Ee g a r o t Sn o it a s io r e Zd e t a le r & e s Us y e k
Used in key encryption / decryption256-bitAES-256 Key Wrap KeyKTS (A2228)ExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset /End of data processing
Used in Key DerivationVariable (64-bit minimum )PBKDF Secret ValuePBKDF (A2228)External 6Import (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Derived by the PBKDF using the PBKDF Secret Value128-bit minimumDPKPBKDF (A2228)InternalExport (electr onic)Internally computedVolatile memory (plaintext)Power Cycle/Reset
Used for AES MAC256-bitOTAR MAC KeyAES MACExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Used to generate ECDH Public Key192-bitECDH Private KeyKAS- ECC (A2228)External or InternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Used to generate KDF derived key192-bitECDH Shared SecretKAS- ECC (A2228)InternalExport (electr onic)Internally computedVolatile memory (plaintext)Power Cycle/Reset
Used for ECDSA192-bitECDSA Private KeyECDSA (A2228)External or InternalImport or Export (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Used in KAS-ECCVariable (128-bit minimum)KDF Derived KeyKAS- ECC (A2228)InternalExport (electr onic)Internally computedVolatile memory (plaintext)Power Cycle/Reset
Used in key exchange192-bitECDH Public KeyKAS- ECC (A2228)InternalExport (electr onic)Internally computedVolatile memory (plaintext)Power Cycle/Reset
P S S / y e KP S S / y e Ke p y T / e m a Nh t g n e r t Sy t ir u c e Sd n a n o it c n u Fr e b m u N .t r e Cn o it a r e n e Gt r o p x E / t r o p m It n e m h s ilb a t s Ee g a r o t Sn o it a s io r e Zd e t a le r & e s Us y e k
Used in key exchange192-bitECDH Remote Party Public KeyKAS- ECC (A2228)ExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Used for ECDSA192-bitECDSA Public KeyECDSA (A2228)InternalExport (electr onic)Internally computedVolatile memory (plaintext)Power Cycle/Reset
Entropy sourcesMinimum number of bits ofEntropy sourcesDetails
384 (minimum seed length for AES-256 CTR_DRBG)Entropy Input StringThe entropy for seeding the SP 800-90Ar1 DRBG is determined by the user operator of the module which is outside of the module’s cryptographic boundary. To be compliant, the target application shall supply at least 384 bits of entropy in order to meet the security strength required for the random number generation mechanism as shown in [SP 800- 90Ar1] Table 3 (CTR_DRBG) and set required bits into the module by calling module defined API function. Since entropy is loaded passively into the module, there is no assurance of the minimum strength of generated keys.

3, the embodiment is defined as multiple-chip standalone and is designed to meet Level 1 security requirements. 8. Non-invasive Security Not Applicable. The module does not implement non-invasive security measures. N/A N/A N/A N/A / Strength SP 80090Ar1 SP 80090Ar1 N/A Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 14

/ KASExternal KASInternal KASInternal Use & related keys ) Zeroisation Establishment Storage Generation Security Function and Cert. Number Strength Key/SSP Name/Type KASInternal Password generated externally. Salt may be generated externally or internally according to SP 800-133. Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 15
Approved algorithm
NameKey Size
P S S / y e KP S S / y e Ke p y T / e m a Nh t g n e r t Sy t ir u c e Sd n a n o it c n u Fr e b m u N .t r e Cn o it a r e n e Gt r o p x E / t r o p m It n e m h s ilb a t s Ee g a r o t Sn o it a s io r e Zd e t a le r & e s Us y e k
Used in key exchange192-bitECDH Remote Party Public KeyKAS- ECC (A2228)ExternalImport (electr onic)Input via API in plaintextVolatile memory (plaintext)Power Cycle/Reset
Used for ECDSA192-bitECDSA Public KeyECDSA (A2228)InternalExport (electr onic)Internally computedVolatile memory (plaintext)Power Cycle/Reset
Entropy sourcesMinimum number of bits ofEntropy sourcesDetails
384 (minimum seed length for AES-256 CTR_DRBG)Entropy Input StringThe entropy for seeding the SP 800-90Ar1 DRBG is determined by the user operator of the module which is outside of the module’s cryptographic boundary. To be compliant, the target application shall supply at least 384 bits of entropy in order to meet the security strength required for the random number generation mechanism as shown in [SP 800- 90Ar1] Table 3 (CTR_DRBG) and set required bits into the module by calling module defined API function. Since entropy is loaded passively into the module, there is no assurance of the minimum strength of generated keys.

Storage Use & related Establishment Zeroisation KASExternal Cert. Number Key/SSP Name/Type Table 11

10.1 Automatic Self-Test

The module automatically performs pre-operational self-tests and conditional cryptographic algorithm self-tests. Automatic pre-operational self-tests are initiated upon module power-up and must pass in order for the module to initialize and render any security services. A failure of any pre-operational selftest will prevent the module from initializing. Automatic conditional cryptographic algorithm self-tests (CAST) will run prior to the first use of a security service using an approved cryptographic algorithm after module initialization. Failure of a conditional CAST will cause the module to enter the soft error state and a) Pre-Operational Self-Tests

Page 16

b) Conditional Self-Tests

  1. Conditional cryptographic algorithm test o SHA2-256 CAST o SHA2-512 CAST o HMAC-SHA2-384 CAST o AES ECB Encrypt CASTs (256-bit key) o AES ECB Decrypt CASTs (256-bit key) o AES GCM Encrypt CASTs (256-bit key) o AES GCM Decrypt CASTs (256-bit key) o CTR_DRBG [SP 800-90Ar1] CAST (Instantiate, Generate, and Reseed) o AES-KW [SP 800-38F] Wrap/Unwrap CASTs o KAS ECC [SP 800-56ar3] CAST o KDF [SP 800-56Arev3] CAST (SHA2-256, SHA2-384, SHA2-512) o PBKDF [SP 800-132] CAST (128-bit key, 128-bit salt, 2 iterations)
  2. Conditional pair-wise consistency test o ECDSA Key Gen PCT (384-bit private key, 384-bit public key)
10.2 Operator Initiated Self-Test

Self-tests can also be initiated by calling the “Self-Test” service via the API. Operator initiated self-tests via the API can only be invoked after the module has initialized. When initiating self-test via API call, the following tests are performed:

Page 17

12. Mitigation of Other Attacks Not Applicable. The Module does not implement mitigations of other attacks outside the scope of FIPS 140-3. Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 18
Acronyms
NameTermDefinitionAbbreviationFull Specification Name
[FIPS 140-3][FIPS 140-3]Security Requirements for Cryptographic Modules, March 2019
[IG][IG]Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program, November 2021.
[SP 800-132][SP 800-132]NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation, Part 1: Storage Applications, December 2010
[FIPS 186-4][FIPS 186-4]National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013.
[FIPS 197][FIPS 197]National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 2001
[FIPS 198-1][FIPS 198-1]National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198- 1, July 2008
[FIPS 180-4][FIPS 180-4]National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015
[SP 800-38A][SP 800-38A]National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001
[SP 800-38D][SP 800-38D]National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800- 38D, November 2007
[SP 800-38F][SP 800-38F]National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, Special Publication 800-38F, December 2012
[SP 800-56Ar3][SP 800-56Ar3]NIST Special Publication 800-56A Revision 3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018
[SP 800-56Cr2][SP 800-56Cr2]NIST Special Publication 800-56C Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, August 2020
[SP 800-90Ar1][SP 800-90Ar1]National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, Revision 1, June 2015.
[OTAR][OTAR]Project 25 – Digital Radio Over-The-Air-Rekeying (OTAR) Messages and Procedures [TIA- 102.AACA-A], September 2014
AcronymAcronymDefinition
AESAESAdvanced Encryption Standard
APCOAPCOAssociation of Public-Safety Communications Officials
CBCCBCCipher Block Chaining
CKGCKGCryptographic Key Generation
DRBGDRBGDeterministic Random Bit Generator
ECBECBElectronic Code Book
ECDHECDHElliptic Curve Diffie-Hellman
ECDSAECDSAElliptic Curve Diffie-Hellman

References and Definitions Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Page 19
FIPSFederal Information Processing Standards
GCMGalois/Counter Mode
HMACHash-based Message Authentication Code
IVInitialization Vector
KATKnown Answer Test
KDAKey Derivation Algorithm
MACMessage Authentication Code
OFBOutput Feedback
OTAROver The Air Rekeying
PBKDFPassword-Based Key Derivation Function
PCTPairwise Consistency Test
SSPSensitive Security Parameter

Motorola Solutions, Inc. © 2024 Version 1.0 Public Material

Referenced URLs