All modules
CMVP Validated Module · FIPS 140-3 Security Policy

NetApp CryptoMod

Certificate#4731StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorNetApp, Inc.
Low review priority  ·  no TCB surface named  ·  last validated 4 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When installed, initialized and configured as specified in section 11 of the Security Policy
VendorNetApp, Inc.

Approved Algorithms (18)

AlgorithmACVP Cert
AES-CBCA2640
AES-CCMA2640
AES-CMACA2640
AES-ECBA2640
AES-GCMA2640
AES-GMACA2640
AES-KWPA2640
AES-XTS Testing Revision 2.0A2640
Counter DRBGA2640
HMAC-SHA-1A2640
HMAC-SHA2-256A2640
HMAC-SHA2-512A2640
KDF SP800-108A2640
PBKDFA2640
SHA-1A2640
SHA2-256A2640
SHA2-512A2640
SHA3-256A2640

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for NetApp CryptoMod
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for NetApp CryptoMod
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

NetApp, Inc. NetApp CryptoMod 3.0

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid15
Table 5: Modes List and Description15
Table 6: Approved Algorithms16
Table 7: Vendor-Affirmed Algorithms16
Table 8: Security Function Implementations19
Table 9: Entropy Certificates21
Table 10: Entropy Sources21
Table 11: Ports and Interfaces23
Table 12: Roles23
Table 13: Approved Services27
Table 14: Storage Areas28
Table 15: SSP Input-Output Methods29
Table 16: SSP Zeroization Methods29
Table 17: SSP Table 131
Table 18: SSP Table 233
Table 19: Pre-Operational Self-Tests33
Table 20: Conditional Self-Tests34
Table 21: Pre-Operational Periodic Information35
Table 22: Conditional Periodic Information36
Table 23: Error States36
Figure 1: Block Diagram7
Page 5
1 General
1.1 Overview

The NetApp CryptoMod module, hereby referred to as either CryptoMod, or “the Module”, is a multi-chip standalone module validated at FIPS 140-3 Security Level 1. Specifically, the module meets the following security levels for each of the individual sections in the FIPS 140-3 standard:

1.2 Security Levels

Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

In accordance with AS02.05, [ISO 19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, [ISO 19790] §7.8 Non-Invasive Security is not applicable.

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Module is a kernel mode cryptographic software library providing a C-language application program interface (API) for use by ONTAP kernel modules that require cryptographic functionality. The Module is designated as a software module with multi-chip standalone embodiment based on the descriptions of [ISO 19790] AS02.03. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module’s formal name and version are “CryptoMod” and “3.0”, respectively. The Module’s design corresponds to the Module security roles. Security roles enforced by the Module are described in the appropriate context of the document.

Page 6

Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the CryptoMod module is the cryptomod_fips kernel module of the ONTAP OS kernel. The cryptographic boundary is depicted in red in the figure below. The Module’s approved DRBG is used to supply the Module’s cryptographic keys. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested OE’s Physical Perimeter (TOEPP) for the module is the enclosure of the NetApp controller.

Page 7
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

Table 2: Tested Module Identification

9.11.1 8352Y

ONTAP AFF A900 Intel Xeon Platinum Yes N/A 3.0

9.11.1 8352Y

Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating System Hardware Platform ONTAP 9.11 AFF A150 ONTAP 9.12 AFF A150 ONTAP 9.13 AFF A150 ONTAP 9.14 AFF A150 ONTAP 9.15 AFF A150 ONTAP 9.16 AFF A150 ONTAP 9.17 AFF A150 ONTAP 9.15 AFF A1K ONTAP 9.16 AFF A1K ONTAP 9.17 AFF A1K ONTAP 9.11 AFF A220 ONTAP 9.12 AFF A220 ONTAP 9.13 AFF A220 ONTAP 9.14 AFF A220 ONTAP 9.15 AFF A220 ONTAP 9.16 AFF A220 ONTAP 9.17 AFF A220 ONTAP 9.12 AFF A250 ONTAP 9.13 AFF A250 ONTAP 9.14 AFF A250 ONTAP 9.15 AFF A250

Page 9

Operating System Hardware Platform ONTAP 9.16 AFF A250 ONTAP 9.17 AFF A250 ONTAP 9.11 AFF A300 ONTAP 9.12 AFF A300 ONTAP 9.13 AFF A300 ONTAP 9.14 AFF A300 ONTAP 9.15 AFF A300 ONTAP 9.16 AFF A300 ONTAP 9.11 AFF A320 ONTAP 9.12 AFF A320 ONTAP 9.13 AFF A320 ONTAP 9.14 AFF A320 ONTAP 9.12 AFF A400 ONTAP 9.13 AFF A400 ONTAP 9.14 AFF A400 ONTAP 9.15 AFF A400 ONTAP 9.16 AFF A400 ONTAP 9.17 AFF A400 ONTAP 9.16 AFF A20 ONTAP 9.17 AFF A20 ONTAP 9.16 AFF A30 ONTAP 9.17 AFF A30 ONTAP 9.16 AFF A50 ONTAP 9.17 AFF A50 ONTAP 9.15 AFF A70 ONTAP 9.16 AFF A70 ONTAP 9.17 AFF A70 ONTAP 9.15 AFF A90 ONTAP 9.16 AFF A90 ONTAP 9.17 AFF A90 ONTAP 9.11 AFF A700 ONTAP 9.12 AFF A700 ONTAP 9.13 AFF A700 ONTAP 9.14 AFF A700 ONTAP 9.15 AFF A700 ONTAP 9.16 AFF A700 ONTAP 9.17 AFF A700 ONTAP 9.11 AFF A800 ONTAP 9.12 AFF A800 ONTAP 9.13 AFF A800 ONTAP 9.14 AFF A800 ONTAP 9.15 AFF A800 ONTAP 9.16 AFF A800 ONTAP 9.17 AFF A800 ONTAP 9.12 AFF A900 ONTAP 9.13 AFF A900 ONTAP 9.14 AFF A900 ONTAP 9.15 AFF A900

Page 10

Operating System Hardware Platform ONTAP 9.16 AFF A900 ONTAP 9.17 AFF A900 ONTAP 9.16 AFF C30 ONTAP 9.17 AFF C30 ONTAP 9.16 AFF C60 ONTAP 9.17 AFF C60 ONTAP 9.16 AFF C80 ONTAP 9.17 AFF C80 ONTAP 9.11 AFF C190 ONTAP 9.12 AFF C190 ONTAP 9.13 AFF C190 ONTAP 9.14 AFF C190 ONTAP 9.15 AFF C190 ONTAP 9.16 AFF C190 ONTAP 9.17 AFF C190 ONTAP 9.11 AFF C250 ONTAP 9.12 AFF C250 ONTAP 9.13 AFF C250 ONTAP 9.14 AFF C250 ONTAP 9.15 AFF C250 ONTAP 9.16 AFF C250 ONTAP 9.17 AFF C250 ONTAP 9.11 AFF C400 ONTAP 9.12 AFF C400 ONTAP 9.13 AFF C400 ONTAP 9.14 AFF C400 ONTAP 9.15 AFF C400 ONTAP 9.16 AFF C400 ONTAP 9.17 AFF C400 ONTAP 9.11 AFF C800 ONTAP 9.12 AFF C800 ONTAP 9.13 AFF C800 ONTAP 9.14 AFF C800 ONTAP 9.15 AFF C800 ONTAP 9.16 AFF C800 ONTAP 9.17 AFF C800 ONTAP 9.16 ASA A1K ONTAP 9.17 ASA A1K ONTAP 9.16 ASA A20 ONTAP 9.17 ASA A20 ONTAP 9.16 ASA A30 ONTAP 9.17 ASA A30 ONTAP 9.16 ASA A50 ONTAP 9.17 ASA A50 ONTAP 9.16 ASA A70 ONTAP 9.17 ASA A70 ONTAP 9.16 ASA A90 ONTAP 9.17 ASA A90

Page 11

Operating System Hardware Platform ONTAP 9.13 ASA A150 ONTAP 9.14 ASA A150 ONTAP 9.15 ASA A150 ONTAP 9.16 ASA A150 ONTAP 9.17 ASA A150 ONTAP 9.13 ASA A250 ONTAP 9.14 ASA A250 ONTAP 9.15 ASA A250 ONTAP 9.16 ASA A250 ONTAP 9.17 ASA A250 ONTAP 9.13 ASA A400 ONTAP 9.14 ASA A400 ONTAP 9.15 ASA A400 ONTAP 9.16 ASA A400 ONTAP 9.17 ASA A400 ONTAP 9.13 ASA A800 ONTAP 9.14 ASA A800 ONTAP 9.15 ASA A800 ONTAP 9.16 ASA A800 ONTAP 9.17 ASA A800 ONTAP 9.13 ASA A900 ONTAP 9.14 ASA A900 ONTAP 9.15 ASA A900 ONTAP 9.16 ASA A900 ONTAP 9.17 ASA A900 ONTAP 9.11 ASA AFF A220 ONTAP 9.12 ASA AFF A220 ONTAP 9.13 ASA AFF A220 ONTAP 9.14 ASA AFF A220 ONTAP 9.15 ASA AFF A220 ONTAP 9.16 ASA AFF A220 ONTAP 9.17 ASA AFF A220 ONTAP 9.11 ASA AFF A250 ONTAP 9.12 ASA AFF A250 ONTAP 9.13 ASA AFF A250 ONTAP 9.11 ASA AFF A400 ONTAP 9.12 ASA AFF A400 ONTAP 9.13 ASA AFF A400 ONTAP 9.11 ASA AFF A700 ONTAP 9.12 ASA AFF A700 ONTAP 9.13 ASA AFF A700 ONTAP 9.14 ASA AFF A700 ONTAP 9.15 ASA AFF A700 ONTAP 9.16 ASA AFF A700 ONTAP 9.17 ASA AFF A700 ONTAP 9.11 ASA AFF A800 ONTAP 9.12 ASA AFF A800 ONTAP 9.13 ASA AFF A800

Page 12

Operating System Hardware Platform ONTAP 9.16 ASA C30 ONTAP 9.17 ASA C30 ONTAP 9.13 ASA C250 ONTAP 9.14 ASA C250 ONTAP 9.15 ASA C250 ONTAP 9.16 ASA C250 ONTAP 9.17 ASA C250 ONTAP 9.13 ASA C400 ONTAP 9.14 ASA C400 ONTAP 9.15 ASA C400 ONTAP 9.16 ASA C400 ONTAP 9.17 ASA C400 ONTAP 9.13 ASA C800 ONTAP 9.14 ASA C800 ONTAP 9.15 ASA C800 ONTAP 9.16 ASA C800 ONTAP 9.17 ASA C800 ONTAP 9.16 FAS50 ONTAP 9.17 FAS50 ONTAP 9.15 FAS70 ONTAP 9.16 FAS70 ONTAP 9.17 FAS70 ONTAP 9.15 FAS90 ONTAP 9.16 FAS90 ONTAP 9.17 FAS90 ONTAP 9.11 FAS2720 ONTAP 9.12 FAS2720 ONTAP 9.13 FAS2720 ONTAP 9.14 FAS2720 ONTAP 9.15 FAS2720 ONTAP 9.16 FAS2720 ONTAP 9.17 FAS2720 ONTAP 9.11 FAS2750 ONTAP 9.12 FAS2750 ONTAP 9.13 FAS2750 ONTAP 9.14 FAS2750 ONTAP 9.15 FAS2750 ONTAP 9.16 FAS2750 ONTAP 9.17 FAS2750 ONTAP 9.13 FAS2820 ONTAP 9.14 FAS2820 ONTAP 9.15 FAS2820 ONTAP 9.16 FAS2820 ONTAP 9.17 FAS2820 ONTAP 9.11 FAS500f ONTAP 9.12 FAS500f ONTAP 9.13 FAS500f ONTAP 9.14 FAS500f

Page 13

Operating System Hardware Platform ONTAP 9.15 FAS500f ONTAP 9.16 FAS500f ONTAP 9.17 FAS500f ONTAP 9.11 FAS8200 ONTAP 9.12 FAS8200 ONTAP 9.13 FAS8200 ONTAP 9.14 FAS8200 ONTAP 9.15 FAS8200 ONTAP 9.16 FAS8200 ONTAP 9.11 FAS8300 ONTAP 9.12 FAS8300 ONTAP 9.13 FAS8300 ONTAP 9.14 FAS8300 ONTAP 9.15 FAS8300 ONTAP 9.16 FAS8300 ONTAP 9.17 FAS8300 ONTAP 9.11 FAS8700 ONTAP 9.12 FAS8700 ONTAP 9.13 FAS8700 ONTAP 9.14 FAS8700 ONTAP 9.15 FAS8700 ONTAP 9.16 FAS8700 ONTAP 9.17 FAS8700 ONTAP 9.11 FAS9000 ONTAP 9.12 FAS9000 ONTAP 9.13 FAS9000 ONTAP 9.14 FAS9000 ONTAP 9.15 FAS9000 ONTAP 9.16 FAS9000 ONTAP 9.17 FAS9000 ONTAP 9.11 FAS9500 ONTAP 9.12 FAS9500 ONTAP 9.13 FAS9500 ONTAP 9.14 FAS9500 ONTAP 9.15 FAS9500 ONTAP 9.16 FAS9500 ONTAP 9.17 FAS9500 ONTAP 9.11 AFF A700s ONTAP 9.12 AFF A700s ONTAP 9.13 AFF A700s ONTAP 9.14 AFF A700s ONTAP 9.15 AFF A700s ONTAP 9.16 AFF A700s ONTAP 9.17 AFF A700s Data ONTAP Select 9.11 with VMware ESXi 7, 8 FDvM300-16GB Data ONTAP Select 9.12 with VMware ESXi 7, 8 FDvM300-16GB Data ONTAP Select 9.13 with VMware ESXi 7, 8 FDvM300-16GB Data ONTAP Select 9.14 with VMware ESXi 7, 8 FDvM300-16GB

Page 14

Operating System Hardware Platform Data ONTAP Select 9.15 with VMware ESXi 7, 8 FDvM300-16GB Data ONTAP Select 9.16 with VMware ESXi 7, 8 FDvM300-16GB Data ONTAP Select 9.17 with VMware ESXi 7, 8 FDvM300-16GB Data ONTAP Select 9.17 with VMware ESXi 9 FDvM300-16GB Data ONTAP Select 9.16 with RHEL Server KVM 9.5, 9.6 FDvM300-16GB Data ONTAP Select 9.17 with RHEL Server KVM 9.5, 9.6 FDvM300-16GB Data ONTAP Select 9.14 with RHEL Server KVM 8.6, 8.7, 8.8, 8.9, FDvM300-16GB 9.0, 9.1, 9.2, 9.3, 9.4 Data ONTAP Select 9.15 with RHEL Server KVM 8.6, 8.7, 8.8, 8.9, FDvM300-16GB 9.0, 9.1, 9.2, 9.3, 9.4 Data ONTAP Select 9.16 with RHEL Server KVM 8.6, 8.7, 8.8, 8.9, FDvM300-16GB 9.0, 9.1, 9.2, 9.3, 9.4 Data ONTAP Select 9.11 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.12 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.13 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.14 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.15 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.16 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.17 with VMware ESXi 7, 8 FDvM300-64GB Data ONTAP Select 9.17 with VMware ESXi 9 FDvM300-64GB Data ONTAP Select 9.16 with RHEL Server KVM 9.5, 9.6 FDvM300-64GB Data ONTAP Select 9.17 with RHEL Server KVM 9.5, 9.6 FDvM300-64GB Data ONTAP Select 9.14 with RHEL Server KVM 8.6, 8.7, 8.8, 8.9, FDvM300-64GB 9.0, 9.1, 9.2, 9.3, 9.4 Data ONTAP Select 9.15 with RHEL Server KVM 8.6, 8.7, 8.8, 8.9, FDvM300-64GB 9.0, 9.1, 9.2, 9.3, 9.4 Data ONTAP Select 9.16 with RHEL Server KVM 8.6, 8.7, 8.8, 8.9, FDvM300-64GB 9.0, 9.1, 9.2, 9.3, 9.4 Data ONTAP Select 9.11 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.12 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.13 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.14 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.15 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.16 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.17 with VMware ESXi 7, 8 FDvM300-128GB Data ONTAP Select 9.17 with VMware ESXi 9 FDvM300-128GB Amazon FSx for NetApp ONTAP 9.11 AWS EC2 Nitro Amazon FSx for NetApp ONTAP 9.12 AWS EC2 Nitro Amazon FSx for NetApp ONTAP 9.13 AWS EC2 Nitro Amazon FSx for NetApp ONTAP 9.14 AWS EC2 Nitro Amazon FSx for NetApp ONTAP 9.15 AWS EC2 Nitro Amazon FSx for NetApp ONTAP 9.16 AWS EC2 Nitro Amazon FSx for NetApp ONTAP 9.17 AWS EC2 Nitro Cloud Volumes ONTAP 9.11 Microsoft Azure Compute Cloud Volumes ONTAP 9.12 Microsoft Azure Compute

Page 15

Operating System Hardware Platform Cloud Volumes ONTAP 9.13 Microsoft Azure Compute Cloud Volumes ONTAP 9.14 Microsoft Azure Compute Cloud Volumes ONTAP 9.15 Microsoft Azure Compute Cloud Volumes ONTAP 9.16 Microsoft Azure Compute Cloud Volumes ONTAP 9.17 Microsoft Azure Compute Cloud Volumes ONTAP 9.11 Google Compute Engine Cloud Volumes ONTAP 9.12 Google Compute Engine Cloud Volumes ONTAP 9.13 Google Compute Engine Cloud Volumes ONTAP 9.14 Google Compute Engine Cloud Volumes ONTAP 9.15 Google Compute Engine Cloud Volumes ONTAP 9.16 Google Compute Engine Cloud Volumes ONTAP 9.17 Google Compute Engine Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

No components are excluded from the [FIPS 140-3] requirements.

2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved The module must be installed per instructions Approved FIPS mode = mode provided in Section 11 of this document. true Table 5: Modes List and Description The module supports one mode of operation: Approved. The module will be in the approved mode when all the power up self-tests have completed successfully, and only Approved

Page 16

algorithms are invoked. If the power-up self-tests fail, then the module reboots the hardware platform. Mode Change Instructions and Status: The Module only supports an Approved mode of operation. Degraded Mode Description: The Module does not support a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A6624 - SP 800-38A AES-CCM A6624 - SP 800-38C AES-CMAC A6624 - SP 800-38B AES-ECB A6624 - SP 800-38A AES-GCM A6624 - SP 800-38D AES-GMAC A6624 - SP 800-38D AES-KWP A6624 - SP 800-38F AES-XTS Testing Revision 2.0 A6624 - SP 800-38E Counter DRBG A6624 - SP 800-90A Rev. 1 HMAC-SHA-1 A6624 - FIPS 198-1 HMAC-SHA2-256 A6624 - FIPS 198-1 HMAC-SHA2-512 A6624 - FIPS 198-1 KDF SP800-108 A6624 - SP 800-108 Rev. 1 PBKDF A6624 - SP 800-132 SHA-1 A6624 - FIPS 180-4 SHA2-256 A6624 - FIPS 180-4 SHA2-512 A6624 - FIPS 180-4 SHA3-256 A6624 - FIPS 202 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG - Key NetApp SP 800-133 Rev. 2 Section 6.3: Section Type:Symmetric CryptoMod Symmetric Keys Produced by Combining

6.3 Multiple Keys and Other Data. (Method

2) Table 7: Vendor-Affirmed Algorithms

Page 17

Non-Approved, Allowed Algorithms: N/A for this module. The Module does not support any Non-Approved, Allowed Algorithms. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The Module does not support any Non-Approved, Allowed Algorithms with No Security Claimed. Non-Approved, Not Allowed Algorithms: N/A for this module. The Module does not support any Non-Approved, Not Allowed Algorithms.

2.6 Security Function Implementations

Name Type Description Properties Algorithms Symmetric BC-UnAuth Symmetric Key Length:128, AES-CBC: Encryption and encryption and 256 bits (A6624) Decryption decryption AES-ECB: (A6624) AES-XTS Testing Revision 2.0: (A6624) Authenticated BC-Auth Authenticated Key Length:128, AES-CCM: Symmetric symmetric 256 bits (A6624) Encryption and encryption and Key Length AES-CMAC: Decryption decryption (CCM):128 bits (A6624) AES-GCM: (A6624) AES-GMAC: (A6624) Message Digest SHA Message Digest Publication:FIPS SHA-1: (A6624) 180-4 SHA2-256: (A6624) SHA2-512: (A6624) SHA3-256: (A6624) Keyed Hash MAC Keyed Hash Publication:FIPS HMAC-SHA-1: 198-1 (A6624) HMAC-SHA2256: (A6624) HMAC-SHA2512: (A6624)

Page 18

Name Type Description Properties Algorithms AES Keyed BC-Auth Keyed Hash Key Length:128, AES-CMAC: Hash MAC 256 bits (A6624) Key Length AES-GMAC: (CCM):128 bits (A6624) Random DRBG Random Publication:SP Counter DRBG: Number Number 800-90A Rev. 1 (A6624) Generation Generation Entropy Noise ENT-Cond Entropy noise Publication:SP SHA3-256: Source ENT-ESV source 800-90B (A6624) ENT-NP Cryptographic CKG AES keys Key Length:128, SHA3-256: Key Generation generated to 256 bits (A6624) (CKG) comply with the approved key generation guidelines of SP800-133 Rev. 2, Section 6.3, Symmetric Keys Produced by Combining Multiple Keys and Other Data Key Derivation KBKDF Derive keying Publications:SP KDF SP800PBKDF material 800-108 Rev. 1 108: (A6624) UPD 1, SP 800- PBKDF: (A6624) Key size:8 to

4096 bit derived

keys KTS-AES KTS-Wrap AES keys Publication:SP AES-KWP: generated to 800-38F (A6624) comply with the Key approved key Strength:Key generation establishment guidelines of methodology SP800-133 Rev. provides 2, Section 6.3, between 128 Symmetric Keys and 256 bits of Produced by encryption Combining strength Multiple Keys and Other Data Software MAC HMAC-SHA2- Key size:256 HMAC-SHA2Integrity Test 256 used to bits 256: (A6624) perform the software integrity test

Page 19

Name Type Description Properties Algorithms Perform self- BC-Auth All self-tests AES-CBC: tests (All) BC-UnAuth executed by the (A6624) DRBG module at boot AES-CCM: KBKDF (A6624) MAC AES-CMAC: PBKDF (A6624) SHA AES-ECB: (A6624) AES-GCM: (A6624) AES-XTS Testing Revision 2.0: (A6624) Counter DRBG: (A6624) HMAC-SHA-1: (A6624) HMAC-SHA2256: (A6624) HMAC-SHA2512: (A6624) KDF SP800108: (A6624) PBKDF: (A6624) SHA-1: (A6624) SHA2-256: (A6624) SHA2-512: (A6624) SHA3-256: (A6624) Table 8: Security Function Implementations

2.7 Algorithm Specific Information

a) AES-GCM Usage The AES-GCM IV is partially generated by an industry protocol and is always passed to the module via an API call. The counter portion of the IV is set by the module within the module’s cryptographic boundary. When used with TLS 1.2/1.3, the AES-GCM IV is constructed in compliance with IG C.H scenario 1. The GCM IV generation follows RFC 5288. The counter portion of the IV is set by the module within the module’s cryptographic boundary. The module does not implement the TLS protocol. The module’s implementation of AES-GCM, when used for TLS, is used with another ONTAP application running outside of the module’s boundary. The design of the TLS

Page 20

protocol implicitly ensures that the counter portion of the IV will not exhaust all its possible values. When used with the IPsec-v3 protocol, GCM IV generation follows RFC 4106 and is constructed in compliance with IG C.H scenario

  1. The counter portion of the IV is set by the module within the module’s cryptographic boundary. The module does not implement the IPsec protocol. The module’s implementation of AES-GCM, when used for IPsec, is used with another ONTAP application running outside of the module’s boundary. The design of the IPsec protocol implicitly ensures that the counter portion of the IV will not exhaust all its possible values. When used with SMB 3.x, the AES-GCM IV is constructed in compliance with IG C.H scenario 5 with 8 bytes of random data followed by 8 bytes from the network context. The counter portion of the IV is set by the module within the module’s cryptographic boundary. The module does not implement the SMB protocol. The module’s implementation of AES-GCM, when used for SMB, is used with another ONTAP application running outside of the module’s boundary. The design of the SMB protocol implicitly ensures that the counter portion of the IV will not exhaust all its possible values. In all instances, the AES-GCM IV is not persistently stored; therefore, whenever the module’s power is lost and then restored, the user of the module (i.e., TLS, IPsec, or SMB) along with the ONTAP application that implements the protocol, must re-establish keying material using new random values and a KDF operation to establish the pertinent network communication channel. b) PBKDF Usage The module provides password-based key derivation (PBKD), compliant with NIST SP 800-132 Rev.
  2. The CryptoMod module supports option 1a from section 5.4 of [SP800-132]. In option 1a, the Master Key (MK), or a segment of the MK, is used directly as the Data Protection Key (DPK). In line with the requirements for NIST SP800-132, keys generated using the approved PBKDF algorithm must only be used for storage applications. The length of the MK or DPK shall be 112 bits or more. A salt, with a length of at least 128 bits, shall be generated using the NIST SP 800-90Arev1 DRBG. The iteration count shall be selected as large as possible, with a minimum value of 1000. Passwords or passphrases, used as input for the PBKDF, shall not be used as cryptographic keys. The length of the password of passphrase shall be at least 32 characters and shall consist of ASCII printable characters. The probability of guessing the value is estimated to be: 1/9532 <10-64, which is less than 2-112. As the module is a general-purpose software module, it is not possible to predict the use of the PBKDF, however a user of the module should also note that a password should contain at least enough entropy to be unguessable and contain enough entropy to reflect
Page 21

the security strength required for the key being generated. Users are referred to Appendix A, “Security Considerations” of NIST SP 800-132 Rev. 2 for further information on password selection. c) AES-XTS Usage Per the requirements of NIST SP 800-38E, AES-XTS mode shall be used for storage purposes only. The length of the AES-XTS data unit does not exceed 220 blocks. In accordance with IG C.I when generating an AES-XTS key, the module checks to ensure that key1 is not equal to key2. If key1 is equal to key2, then the module fails the key generation request. d) SHA-1 Usage The module implements SHA-1 for usage in the following:

2.8 RBG and Entropy

Cert Number Vendor Name Entropy Certificate #E1 NetApp, Inc. Table 9: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample CPU Non- ONTAP 9.16.1 on Intel® Xeon® 64 1 SHA3-256 Jitter Physical Bronze 3508U (Sapphire Rapids), (A2640) RNG ONTAP 9.16.1 on Intel® Xeon® v3.4.0 Gold 6438N (Sapphire Rapids), ONTAP 9.16.1 on Intel® Xeon® Platinum 8352Y (Ice Lake), ONTAP

9.16.1 on Intel® Xeon® D-1735TR

(Ice Lake), ONTAP 9.16.1 on Silver

4210 (Cascade Lake), ONTAP
9.16.1 on Intel® Xeon® Silver 4114

(Skylake), ONTAP 9.16.1 on Intel® Xeon® D-2164IT (Skylake), ONTAP 9.16.1 on Intel® Xeon® D-

1557 (Broadwell)
Page 22

The ESV (#E1) entropy source used by the Counter DRBG in the module is described above. The module’s embedded entropy source provides 256 bits of min-entropy per 256-bit output sample of full entropy.

2.9 Key Generation

CryptoMod implements a NIST SP800-90A Rev. 1 Counter DRBG for the generation of random bits and keys. The implementation of the Counter DRBG uses AES-256 (maximum of 256 bits of security strength) as the block cipher along with the appropriate derivation function. On the tested system, entropy is provided from the module’s embedded jitter-entropy CPU ESV (#E1) implementation. The module uses its embedded entropy source in accordance with the ESV (#E1) Public Use Document. The module requests a minimum number of 512 bits of entropy from its Operational Environment per each call. In addition, the vendor affirmed CKG implementation uses an Approved Counter DRBG as specified in NIST SP 800-90 A Rev.

  1. The key generation method adheres to NIST SP800-133 Rev. 2, and the module utilizes post processing. The output of the CryptoMod DRBG is XOR’d with a random mask obtained from ESV (#E1) to compute the secret value "K" as per Section 6.3, method #2 in NIST SP800-133 Rev. 2 with m = 1 and n =
  2. The post-processing is performed on the DRBG output with the post-processing operation resulting in the new "U".
2.10 Key Establishment

Key Agreement Schemes The Module does not support any key establishment algorithms. Key Transport Schemes The module implements the following Approved/allowed key transport methods as specified in [FIPS140-3_IG] IG D.G which have been CAVP tested and validated:

2.11 Industry Protocols

The Module conforms to Resolution 3 per [FIPS140-3_IG] D.C References to the Support of Industry Protocols: while it provides cryptographic APIs that may be used by IPSec and TLS components, the Module does not contain an implementation for IPSec or TLS. The following caveat is required: No parts of the IPSec and TLS protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
Page 23

Physical Logical Data That Passes Port Interface(s) N/A Control Input API call parameters passed by reference or value for cryptographic service input N/A Control Not implemented Output N/A Data Input API call parameters passed by reference or value for cryptographic service input N/A Data Output API call parameters passed by reference or value for cryptographic service output N/A Status Output API return value: enumerated status resulting from call execution Table 11: Ports and Interfaces As a software-only module, CryptoMod does not have any physical ports. The logical interfaces for the module are defined by the API for CryptoMod. If the module enters an error state, then data output interfaces are disabled (note: the module does not utilize control input or output interfaces).

4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The Module does not provide an authentication or identification method of its own; operators implicitly assume an authorized role based on the service selected.

4.2 Roles

Name Type Operator Type Authentication Methods User Role User Crypto Officer Role Crypto Officer Table 12: Roles The module supports the User and mandatory Cryptographic Officer operational role, which is implicitly defined. The module does not support a maintenance role, nor does it support a bypass capability. The module does not support multiple concurrent operators.

4.3 Approved Services

Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access Show versioning Returns N/A API call Module Crypto information the name paramete name Officer of the rs and module version

Page 24

Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access and the version associate d with the module Show status Return FIPS API call FIPS Crypto FIPS status paramete status Officer mode rs status Perform on Initiates API API call API Perform Crypto demand self-tests and runs output paramete output of self-tests Officer the pre- of 0 rs 0 (All) operationa indicate indicates Software l self-tests s success, Integrity success non-zero Test indicates failure Encryption/decrypt Perform API API call Status Symmetric User ion encryption output paramete return, Encryption - AES key: or of 0 rs plaintext and E,W decryption indicate or Decryption - AES using AES s ciphertex XTS key: success t E,W Authenticated Perform API API call Status Authenticat User encryption/decrypt encryption output paramete return, ed - AES ion or of 0 rs plaintext Symmetric CCM key: decryption indicate or Encryption E,W using AES s ciphertex and - AES CCM or success t Decryption GCM key: AES GCM E,W Key Perform API API call Status KTS-AES User wrapping/unwrapp key output paramete return, - AES key: ing wrapping of 0 rs wrapped E,R,W or indicate or - CPKEK unwrappin s unwrapp key: g using success ed key E,R,W AES Random bit Provide API API call Status, Entropy User generation random output paramete random Noise - DRBG V bits from of 0 rs bytes Source value: E,G the indicate Random - DRBG module's s Number entropy DRBG success Generation input: E,G - DRBG internal state key: E,G

Page 25

Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access - ESV state: E,G Key generation Perform API API call Status Entropy User key output paramete return, Noise - AES key: generation of 0 rs key Source R using the indicate Random - AES module's s Number CCM key: DRBG success Generation R Cryptograp - AES hic Key CMAC Generation key: R (CKG) - AES GCM key: R - AES GMAC key: R - AES KEK key: R - AES XTS key: R HMAC message Generate API API call Status Keyed User authentication or verify output paramete return, Hash - HMAC data of 0 rs tag value key: integrity indicate E,R,W s success AES message Generate API API call Status AES Keyed User authentication or verify output paramete return, Hash - AES data of 0 rs tag value CCM key: integrity indicate E,R,W s - AES success GCM key: E,R,W Hashing Perform API API call Status Message User SHA output paramete return, Digest hashing of 0 rs digest function indicate s success Key derivation Perform API API call Status Key User key output paramete return, Derivation derivation of 0 rs key Passphras using indicate e: E,W,Z PBKDF or s - CPKEK NIST SP success key: G,R

Page 26

Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access 800-108 in - KDK key: CTR E,W mode - KDK output key: G,R Zeroize Zeroize None Reboot None Crypto and or power Officer dellocate cycle - AES key: memory NetApp Z containing platform - AES sensitive CCM key: data Z - AES CMAC key: Z - AES GCM key: Z - AES GMAC key: Z - AES KEK key: Z - AES XTS key: Z - CPKEK key: Z - HMAC key: Z - DRBG V value: Z - DRBG entropy input: Z - DRBG internal state key: Z - DRBG seed: Z - ESV state: Z - KDK key: Z - KDK output key: Z

Page 27

Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access Passphras e: Z Table 13: Approved Services Legend: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP.

4.4 Non-Approved Services

N/A for this module. The Module does not support any non-approved services.

4.5 External Software/Firmware Loaded

The Module does not have the capability of loading software or firmware from an external source.

5 Software/Firmware Security
5.1 Integrity Techniques

The module compares the HMAC-SHA2-256 digest created over the .text and .data sections of the module versus the digest pre-calculated at compile time. The module’s self-integrity check is automatically performed when the module is loaded into kernel memory. Since the module, once loaded, cannot be unloaded, the self-integrity check can only be initiated by rebooting the platform.

5.2 Initiate on Demand

The Module does not support initiate on demand functionality. The self-integrity check can only be initiated by rebooting the platform.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable

Page 28

How Requirements are Satisfied: The module operates in a modifiable operational environment on the validated platforms and the vendor-affirmed platforms listed in Section 2.2 Tested and Vendor Affirmed Module Version and Identification. The Module conforms to [FIPS 140-3_IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by [FIPS 140-3_IG] 2.3.C as a known PAA.

6.2 Configuration Settings and Restrictions

No operational environment restrictions are required for operation in the approved mode. As indicated in Section 2, the Module always operates in the approved mode.

7 Physical Security

Physical Security requirements are not applicable for this software Module.

8 Non-Invasive Security

In accordance with current CMVP policy, Non-Invasive Security is not applicable.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary, plaintext storage Dynamic Table 14: Storage Areas The cryptographic module does not persistently store keys. Keys and CSPs are passed to the module by the calling kernel process. The keys and CSPs are stored in nondumpable memory in plaintext. Keys and CSPs residing in internally allocated data structures (during the lifetime of an API call) can only be accessed using the module defined API. The ONTAP operating system protects memory and process space from unauthorized access.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm [Input] Call Calling Module Plaintext Manual Electronic stack application parameters

Page 29

Name From To Format Distribution Entry SFI or Type Type Type Algorithm [Output] Call Module Calling Plaintext Manual Electronic stack application parameters Table 15: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Cleansed Zeroisation of SSPs managed Overwrites with random data Module by the caller followed by an overwrite with initiated zeroes Cleared after Zeroisation of temporary Overwrites with zeroes Module use copies of CSPs within the initiated relevant function Reboot RAM is used for temporary Restarting the NetApp Operator storage of SSPs controller clears the SSPs in initiated RAM Table 16: SSP Zeroization Methods

9.4 SSPs

Name Descriptio Size - Type - Generated Establish Used By n Strengt Category By ed By h AES key AES key 128, 256 Symmetric Cryptograp Symmetric used for bits - Key - CSP hic Key Encryption symmetric 128, 256 Generation and decryption, bits (CKG) Decryption encryption AES AES CCM 128 bits Symmetric Authenticat CCM key key used - 128 Key - CSP ed for bits Symmetric authenticat Encryption ed and symmetric Decryption decryption, encryption AES AES 128, 256 MAC - CSP AES Keyed CMAC CMAC key bits - Hash key used for 128, 256 CMAC bits

Page 30

Name Descriptio Size - Type - Generated Establish Used By n Strengt Category By ed By h generation, verification AES AES GCM 128, 256 Symmetric Authenticat GCM key key used bits - Key - CSP ed for 128, 256 Symmetric authenticat bits Encryption ed and symmetric Decryption decryption, encryption AES AES 128, 256 MAC - CSP AES Keyed GMAC GMAC key bits - Hash key used for 128, 256 GMAC bits generation, verification AES KEK Key 128, 256 Symmetric Cryptograp KTS-AES key wrapping bits - Key - CSP hic Key and 128, 256 Generation unwrappin bits (CKG) g AES XTS AES XTS 128, 256 Symmetric Cryptograp Symmetric key key used bits - Key - CSP hic Key Encryption for 128, 256 Generation and symmetric bits (CKG) Decryption decryption, encryption CPKEK Key 128, 256 Symmetric Key KTS-AES key wrapping bits - Key - CSP Derivation and 128, 256 unwrappin bits g HMAC Keyed 112 bits MAC - CSP Keyed key Hash (minimu Hash m) - 112 bits (minimu m) DRBG V State value 256 bits 256 bits - CSP Random Random value for DRBG - 256 Number Number bits Generation Generation DRBG Entropy 4096 Entropy input - Entropy Random entropy material for bits - CSP Noise Number input DRBG N/A Source Generation DRBG DRBG 256 bits CTR_DRBG_ Random internal internal - 256 Key - CSP Number state key state key bits Generation

Page 31

Name Descriptio Size - Type - Generated Establish Used By n Strengt Category By ed By h DRBG Seeding 384 bits Entropy input - Entropy Random seed material for - 384 CSP Noise Number DRBG bits Source Generation ESV state ESV N/A - Entropy state - Entropy Entropy internal 256 bits CSP Noise Noise state Source Source KDK key Key 256 bits KDF - CSP Key derivation - 256 Derivation source key bits KDK Key 256 bits KDF - CSP Key output derivation - 256 Derivation key output key bits Passphra Input to 32 to Symmetric Key se PBKDF for 256 Key - CSP Derivation key bytes derivation 112 bits or greater Table 17: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared parameters after use [Output] Call Reboot stack parameters AES CCM [Input] Call RAM:Plaintext Call Cleansed key stack lifetime Cleared parameters after use Reboot AES CMAC [Input] Call RAM:Plaintext Call Cleansed key stack lifetime Cleared parameters after use Reboot AES GCM [Input] Call RAM:Plaintext Call Cleansed key stack lifetime Cleared parameters after use Reboot AES GMAC [Input] Call RAM:Plaintext Call Cleansed key stack lifetime Cleared parameters after use Reboot AES KEK key [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared

Page 32

Name Input - Storage Storage Zeroization Related SSPs Output Duration parameters after use [Output] Call Reboot stack parameters AES XTS key [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared parameters after use [Output] Call Reboot stack parameters CPKEK key [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared parameters after use [Output] Call Reboot stack parameters HMAC key [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared parameters after use Reboot DRBG V [Input] Call RAM:Plaintext Module Reboot value stack lifetime parameters [Output] Call stack parameters DRBG [Input] Call RAM:Plaintext Call Cleared DRBG entropy input stack lifetime after use seed:Used to parameters Reboot derive DRBG [Input] Call RAM:Plaintext Module Cleansed DRBG internal state stack lifetime Cleared seed:Derived key parameters after use from [Output] Call Reboot stack parameters DRBG seed [Input] Call RAM:Plaintext Call Cleansed DRBG entropy stack lifetime Cleared input:Derived parameters after use from [Output] Call Reboot stack parameters ESV state [Input] Call RAM:Plaintext Call Cleared stack lifetime after use parameters Reboot KDK key [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared parameters after use Reboot

Page 33

Name Input - Storage Storage Zeroization Related SSPs Output Duration KDK output [Output] Call RAM:Plaintext Call Cleansed key stack lifetime Cleared parameters after use Reboot Passphrase [Input] Call RAM:Plaintext Call Cleansed stack lifetime Cleared parameters after use Reboot Table 18: SSP Table 2

10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Test Indicator Details Test Properties Method Type HMAC-SHA2- Key length: KAT SW/FW Success: all self- MAC (HMAC-

256 (A2640) 256 bits Integrity tests passed (as SHA2-256,

expected) A2640) Table 19: Pre-Operational Self-Tests The module is compliant with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the HMAC-SHA2-256 algorithm.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CBC Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On

128 and 256 reloading

bits the module AES-CCM Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On

128 bits reloading

the module AES- Key Length: KAT CAST FIPS_OK Hash On CMAC 128 and 256 reloading bits the module AES-ECB Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On

128 and 256 reloading

bits the module AES-GCM Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On

128 and 256 reloading

Page 34

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-KWP Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On

128 and 256 reloading

bits the module AES- Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On GMAC 128 and 256 reloading bits the module AES-XTS Key Length: KAT CAST FIPS_OK Encrypt/Decrypt On Testing 128 and 256 reloading Revision bits the module 2.0 Counter AES CTR (256 KAT CAST FIPS_OK Generate, On DRBG bits) with Reseed, reloading derivation Instantiate the module function functions HMAC- PRF: SHA-1 KAT CAST FIPS_OK HMAC tag On SHA-1 generation reloading the module HMAC- PRF: SHA2- KAT CAST FIPS_OK HMAC tag On SHA2-256 256 generation reloading the module HMAC- PRF: SHA2- KAT CAST FIPS_OK HMAC tag On SHA2-512 512 generation reloading the module KDF PRF: HMAC- KAT CAST FIPS_OK Counter Mode On SP800-108 SHA2-512 (HMAC-SHA2- reloading 512) the module PBKDF Derivation of KAT CAST FIPS_OK Key Derivation On the Master Key reloading (MK) PRF: the module HMAC-SHA-1, HMAC-SHA2256, HMACSHA2-512 SHA-1 SHA-1 KAT CAST FIPS_OK Hash On reloading the module SHA2-256 SHA2-256 KAT CAST FIPS_OK Hash On reloading the module SHA2-512 SHA2-512 KAT CAST FIPS_OK Hash On reloading the module SHA3-256 SHA3-256 KAT CAST FIPS_OK Hash On reloading the module Table 20: Conditional Self-Tests

Page 35

Each time the platform is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. On Module instantiation, the Module performs the pre-operational self-tests and CASTs listed above. All KATs must complete successfully prior to any other use of cryptography by the Module.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT SW/FW Integrity On Demand Manually by

256 (A2640) reloading the

module Table 21: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST On Demand Manually by reloading the module AES-CCM KAT CAST On Demand Manually by reloading the module AES-CMAC KAT CAST On Demand Manually by reloading the module AES-ECB KAT CAST On Demand Manually by reloading the module AES-GCM KAT CAST On Demand Manually by reloading the module AES-KWP KAT CAST On Demand Manually by reloading the module AES-GMAC KAT CAST On Demand Manually by reloading the module AES-XTS KAT CAST On Demand Manually by Testing Revision reloading the

2.0 module

Counter DRBG KAT CAST On Demand Manually by reloading the module HMAC-SHA-1 KAT CAST On Demand Manually by reloading the module HMAC-SHA2- KAT CAST On Demand Manually by

256 reloading the

Page 36

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On Demand Manually by

512 reloading the

module KDF SP800-108 KAT CAST On Demand Manually by reloading the module PBKDF KAT CAST On Demand Manually by reloading the module SHA-1 KAT CAST On Demand Manually by reloading the module SHA2-256 KAT CAST On Demand Manually by reloading the module SHA2-512 KAT CAST On Demand Manually by reloading the module SHA3-256 KAT CAST On Demand Manually by reloading the module Table 22: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method ERROR_STATE The error state is Entered The NetApp ERROR_STATE persistent and no whenever one platform services are or more KAT automatically available. Any self-tests fail or reboots. attempt to use the if the software Module's services integrity test result in the return fails. of a non-zero error code. Table 23: Error States Errors encountered during the power-on self-test operations will result in an automatic reboot of the operating system. If the module encounters a fatal error state, other than one encountered during self-tests, then the Crypto-Officer must manually reboot the system to return the module to normal operation.

Page 37
10.5 Operator Initiation of Self-Tests

The operator can reload the module by rebooting the NetApp platform, fulfilling AS05.11.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module consists of a single kernel object module that provides cryptographic services as part of the NetApp ONTAP operating system. The CryptoMod module is automatically installed with ONTAP and is automatically initialized and started up whenever the appliance and/or ONTAP instance is restarted. See the NetApp documentation center (https://docs.netapp.com) for ONTAP product documentation. ONTAP 9.15 and greater will use the NetApp CryptoMod version 3.0 module without any required user intervention. When used with ONTAP versions less than ONTAP 9.15, the FIPS 140-3 variant of the module is initialized by executing the following ONTAP CLI diagnostic level command: *> security cryptomod_fips modify -node local -is_iut_enabled true followed by a reboot of the controller. Once the controller has rebooted, the FIPS 140-3 variant of the module will be automatically used.

11.2 Administrator Guidance

ONTAP 9.15 and greater will use the NetApp CryptoMod version 3.0 module without any required administrator intervention. When used with ONTAP versions less than ONTAP 9.15, the FIPS 140-3 variant of the module is initialized by executing the following ONTAP CLI diagnostic level command: *> security cryptomod_fips modify -node local -is_iut_enabled true followed by a reboot of the controller. Once the controller has rebooted, the FIPS 140-3 variant of the module will be automatically used.

11.3 Non-Administrator Guidance

Users can determine if they are using the FIPS 140-3 variant of the module by running the following ONTAP CLI command: *> security cryptomod-fips show

12 Mitigation of Other Attacks

This section is not applicable. The module does not claim to mitigate against any attacks beyond the FIPS 140-3 requirements for a Level 1 module.