All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Device Cryptographic Module

Certificate#4733StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorF5, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/21/2026
CaveatInterim Validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals with F5-ADD-BIG-FIPS140 kit installed as indicated in the Security Policy.
VendorF5, Inc.
Hardware versionsBIG-IP i4600, BIG-IP i4800, BIG-IP i5600, BIG-IP i5800, BIG-IP i5820-DF, BIG-IP i7600, BIG-IP i7800, BIG-IP i7820-DF, BIG-IP i10600, BIG-IP i10800, BIG-IP i11600-DS, BIG-IP i11800-DS, BIG-IP i15600, BIG-IP i15800, BIG-IP i15820-DF, VIPRION B2250, VIPRION B4450

Approved Algorithms (52)

AlgorithmACVP Cert
AES-CBCA2594
AES-CBCA2671
AES-CCMA2594
AES-CCMA2671
AES-CTRA2594
AES-ECBA2594
AES-GCMA2594
AES-GCMA2671
AES-GMACA2594
AES-GMACA2671
Counter DRBGA2594
Counter DRBGA2671
ECDSA KeyGen (FIPS186-4)A2594
ECDSA KeyGen (FIPS186-4)A2671
ECDSA KeyVer (FIPS186-4)A2594
ECDSA KeyVer (FIPS186-4)A2671
ECDSA SigGen (FIPS186-4)A2594
ECDSA SigGen (FIPS186-4)A2671
ECDSA SigVer (FIPS186-4)A2594
ECDSA SigVer (FIPS186-4)A2671
HMAC-SHA-1A2594
HMAC-SHA-1A2671
HMAC-SHA2-256A2594
HMAC-SHA2-256A2671
HMAC-SHA2-384A2594
HMAC-SHA2-384A2671
HMAC-SHA2-512A2594
HMAC-SHA2-512A2671
KAS-ECC-SSC Sp800-56Ar3A2594
KAS-ECC-SSC Sp800-56Ar3A2671
KAS-FFC-SSC Sp800-56Ar3A2594
KAS-FFC-SSC Sp800-56Ar3A2671
KDF SSHA2594
KDF TLSA2594
KDF TLSA2671
RSA KeyGen (FIPS186-4)A2594
RSA SigGen (FIPS186-4)A2594
RSA SigGen (FIPS186-4)A2671
RSA SigVer (FIPS186-4)A2594
RSA SigVer (FIPS186-4)A2671
Safe Primes Key GenerationA2594
Safe Primes Key GenerationA2671
Safe Primes Key VerificationA2594
Safe Primes Key VerificationA2671
SHA-1A2594
SHA-1A2671
SHA2-256A2594
SHA2-256A2671
SHA2-384A2594
SHA2-384A2671
SHA2-512A2594
SHA2-512A2671

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces2
Roles, Services, and Authentication2
Software/Firmware Security2
Operational EnvironmentN/A
Physical Security2
Non-Invasive SecurityN/A
Sensitive Security Parameter Management2
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Device Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>16.1.3.1</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C5,C6 clue;
  class I1,I2,I3,I5,I6 infer;
  class R1,R2,R3,R5,R6 risk;
  class E1,E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Device Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>16.1.3.1</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

F5, Inc. Device Cryptographic Module Hardware Versions: BIG-IP i4600, BIG-IP i4800, BIG-IP i5600, BIG-IP i5800, BIG-IP i5820-DF, BIG-IP i7600, BIG-IP i7800, BIG-IP i7820-DF, BIG-IP i10600, BIG-IP i10800, BIG-IP i11600-DS, BIG-IP i11800-DS, BIG-IP i15600, BIG-IP i15800, BIG-IP i15820-DF, VIPRION B2250, VIPRION B4450 with FIPS Kit P/N: F5-ADD-BIG-FIPS140 Firmware Version: 16.1.3.1 FIPS Security Level 2 Last update: July 2024 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

Device Cryptographic Module Table of Contents

2.4.2 Non-Approved, Allowed Algorithms and Non-Approved, Allowed Algorithms with No

© 2024 F5, Inc. / atsec information security.

2 of 53
Page 3

Device Cryptographic Module Appendix A. Appendix B. © 2024 F5, Inc. / atsec information security.

3 of 53
Page 4

Device Cryptographic Module Figure 12

4 of 53
Page 5

Device Cryptographic Module F5®, BIG-IP®, TMOS®, are registered trademarks of F5, Inc. Intel® and Xeon® are registered trademarks of Intel Corporation. © 2024 F5, Inc. / atsec information security.

5 of 53
Page 6
Security level
NameISO SectionRequirementLevelISO/IEC 24759 Section 6. [Number Below]
11General21
22Cryptographic Module Specification2
33Cryptographic Module Interfaces2
44Roles, Services, and Authentication2
55Software/Firmware Security2
66Operational EnvironmentN/A
77Physical Security2
88Non-Invasive SecurityN/A
99Sensitive Security Parameter Management2
1010Self-tests2
1111Life-cycle Assurance2
1212Mitigation of Other AttacksN/A

This document is the non-proprietary FIPS 140-3 Security Policy for the Device Cryptographic Module with firmware version 16.1.3.1 and hardware versions listed in Table 2 below. The document contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 2 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. The following describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. N/A N/A N/A Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.

6 of 53
Page 7
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures#
1i4600BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® D-1518, Broadwell1 x USB port 8 x 1GbE; 4 x 10GbE network ports 1 x Console port 1 x 1GbE management port1
2i4800BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® D-1518, Broadwell1 x USB port 8 x 1GbE; 4 x 10GbE network ports 1 x Console port 1 x 1GbE management port2
3i5600BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1630v4, Broadwell1 x USB port 8 x 10GbE; 4 x 40GbE network ports 1 x Console port 1 x 1GbE management port3
4i5800BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1630v4, Broadwell1 x USB port 8 x 10GbE; 4 x 40GbE network ports 1 x Console port 1 x 1GbE management port4
5i5820-DFBIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1630v4, Broadwell1 x USB port 8 x 10GbE; 4 x 40GbE network ports 1 x Console port 1 x 1GbE management port5
6i7600BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1650v4, Broadwell1 x USB port 8 x 10GbE and 4 x 40GbE network ports 1 x Console port 1 x 10/100/1000-BaseT management port6
7i7800BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1650v4, Broadwell1 x USB port 8 x 10GbE and 4 x 40GbE network ports 1 x Console port 1 x 10/100/1000-BaseT management port7
8i7820-DFBIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1650v4, Broadwell1 x USB port 8 x 10GbE and 4 x 40GbE network ports 1 x Console port 1 x 10/100/1000-BaseT management port8
9i10600BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1660v4, Broadwell1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE management port9
10i10800BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-1660v4, Broadwell1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE management port10
11i11600- DSBIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-2695v4, Broadwell1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE (10/100/1000 capable) management port11
12i11800- DSBIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-2695v4, Broadwell1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE (10/100/1000 capable) management port12
13i15600BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-2680v4, Broadwell1 x USB port 8 x 40GbE; 4 x 100GbE network ports 1 x Console port 1 x 1GbE management port13
14i15800BIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-2680v4, Broadwell1 x USB port 8 x 40GbE; 4 x 100GbE network ports 1 x Console port 1 x 1GbE management port14
15i15820- DFBIG-IP iseriesBIG-IP 16.1.3.1Intel® Xeon® E5-2680v4, Broadwell1 x USB port 8 x 40GbE; 4 x 100GbE network ports 1 x Console port 1 x 1GbE management port15
16B2250VIPRIONBIG-IP 16.1.3.1Intel® Xeon® E5-2658v2, Ivy Bridge2 x USB port 4 x 40 GbE network ports 1 x Console port 1 x GbE management port16
17B4450VIPRIONBIG-IP 16.1.3.1Intel® Xeon® E5-2658v3, Haswell1 x USB port 6 x 40 GbE; 2 x 100 GbE network ports 1 x Console port 1 x GbE (10/100/1000 Ethernet) management port17
2 Cryptographic Module Specification
2.1 Description

The Device Cryptographic Module (hereafter referred to as “the module”) is a Hardware cryptographic module with multiple-chip standalone embodiment. The module is a smart evolution of Application Delivery Controller (ADC) technology. Solutions built on this platform are load balancers. They are full proxies that give visibility into, and the power to control—inspect and encrypt or decrypt—all the traffic that passes through your network. Underlying all BIG-IP hardware and software is F5’s proprietary operating system, TMOS, which provides unified intelligence, flexibility, and programmability. With its application control plane architecture, TMOS gives you control over the acceleration, security, and availability services your applications require. TMOS establishes a virtual, unified pool of highly scalable, resilient, and reusable services that can dynamically adapt to the changing conditions in data centers and virtual and cloud infrastructures.

2.2 Operating Environments

# © 2024 F5, Inc. / atsec information security.

7 of 53
Page 8

Device Cryptographic Module # i11600DS i11800DS i15820DF Table 2 - Cryptographic Module Tested Configuration © 2024 F5, Inc. / atsec information security.

8 of 53
Page 9
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
ControlControlData
PlanePlanePlane
AESA2594ECB, CBC, GCM,128 / 192 / 256-bit keysEncryption and DecryptionN/A
[FIPS 197, SP800-CCM, CTRwith key strengths from
38A,128 to 256 bits
KTS (AES)A2594GCM, CCM128 / 256-bit AES keysKey Wrapping / UnwrappingA2671
[FIPS 197, SP800-with key strengths 128 or
38D, SP800- 38F]256 bits
A2594A2594AES-CBC key and128 / 256-bit AES andA2671
HMAC-SHA2-256,HMAC-SHA2-256,HMAC keys with key
or HMAC-SHA2-or HMAC-SHA2-strengths 128 or 256 bits
A2594A2594AES-CBC/ AES-CTR128 / 256-bit AES andN/A
keys and HMAC-keys and HMAC-HMAC keys with key
SHA-1, HMAC-SHA-1, HMAC-strengths 128 or 256 bits
AESA2594GMAC128 / 192 / 256-bit AESMAC Generation and VerificationN/A
[FIPS 197, SP800-keys with key strengths
38B, SP800 38D]from 128 to 256 bits
AESN/ACBC, GCM, CCM128 / 256-bit keys with keyEncryption and DecryptionA2671
[FIPS 197, SP800-strengths 128 and 256 bits
ControlControlData
PlanePlanePlane
AESN/AGMAC128 / 256-bit keys with keyMAC GenerationA2671
[FIPS 197, SP800-strengths 128 and 256 bitsand Verification
CTR_DRBGA2594AES 256 in CTREntropy inputRandom NumberN/A
[SP800-90ARev1]mode with /(256-bits with DF and 384-Generation
without derivationwithout derivationbits without DF), V (128-
predictionpredictionvalues
CTR_DRBGN/AAES 256 in CTREntropy input (256-bits), VRandom NumberA2671
[SP800-90A Rev1]mode with(128-bits) and key (256-Generation
derivationderivationbits) values
RSAA2594B.3.3 Random2048 and 4096-bit keysKey GenerationN/A
[FIPS 186-4]Probable Primeswith key strengths 112
RSAA2594PKCS#1v1.5: SHA-2048, 3072 and 4096-bitsSignatureA2671
[FIPS 186-4]1 (Sig Ver only)keys with key strengthsGeneration and
SHA2-256, SHA2-SHA2-256, SHA2-112 to 150-bitsVerification
RSAN/APKCSPSS:2048, 3072 and 4096-bitsSignatureA2671
[FIPS 186-4]SHA-1 (Sig Verkeys with key strengthsGeneration and
only) SHA2-256,only) SHA2-256,112 to 150-bitsVerification
Safe Primes KeyA2594Safe Primesffdhe2048, ffdhe3072, andDiffie-HellmanA2671
Verificationstrengths 112 to 150-bitsgeneration and
[SP800-56Ar3]verification using
ECDSAA2594B.4.2 TestingP-256 and P-384 with keyKey PairA2671
[FIPS 186-4]Candidatesstrengths 128 and 192-bitsGeneration /
ECDSAA2594SHA2-256, SHA2-P-256 and P-384 with keySignatureA2671
[FIPS 186-4]384, SHA2-512strengths 128 and 192-bitsGeneration and
SHSA2594SHA-1N/AMessage DigestA2671
[FIPS180-4]SHA2-256
HMACA2594HMAC-SHA-1112 bits to 1024-bits withMessageA2671
[FIPS 198-1]HMAC-SHA2-256key strengths 112 to 256-Authentication
HMAC-SHA2-384HMAC-SHA2-384bits
ControlControlData
PlanePlanePlane
KAS-ECC-SSCA2594Ephemeral Unified;P-256, P-384 with keyShared SecretA2671
[SP800-56ARev3]KAS Role: initiator,strengths 128 and 192-bitsComputation
responderresponderused in Key
KAS-FFC-SSCA2594dhEphemffdhe2048, ffdhe3072,Shared SecretA2671
[SP800-56ARev3]KAS Role: initiator,ffdhe4096 with keyComputation
responderresponderstrengths 112 to 150-bitsused in Key
SSH KDF1A2594AES-128, AES-256256-bit keys with 256-bitsKey DerivationN/A
[SP800-135]withkey strength
(CVL)SHA2-256, SHA2-
TLS KDF1A2594TLS v1.2128 / 256-bit AES keysKey DerivationA2671
[SP800-135]with key strengths from
(CVL)112 and 256 bits;
CKG(vendorDRBG producesRSA Sizes: 2048 and 4096-Key generation(vendor
[SP800-133rev2]affirmed)random numbersbits key with 112 and 150-affirmed)
CTR_DRBGuse for keybits key strength
[SP800-90Ar1]generation of RSA,ECDSA, EC Diffie-Hellman:
Diffie-Hellman, ECECDSA, Diffie-
Diffie-HellmanHellman and EC
[SP800-56Ar3]Diffie-Hellman
RSA, ECDSA [FIPSSafe Primes: ffdhe2048,
186-4]ffdhe3072, ffdhe4096 with
2.3 Modes of Operation

The module supports two modes of operation:

2.4 Algorithms
2.4.1 Approved Algorithms and Vendor Affirmed Algorithms

N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

9 of 53
Page 10

Device Cryptographic Module N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

10 of 53
Page 11

Device Cryptographic Module N/A Table 3 - Approved Algorithms

2.4.2 Non-Approved, Allowed Algorithms and Non-Approved, Allowed Algorithms with No

Security Claimed The module does not implement any non-approved algorithms allowed in the approved mode of operation with or without security claimed.

1 No parts of the TLS / SSH protocols except the KDF has been reviewed or tested by the CAVP and

CMVP © 2024 F5, Inc. / atsec information security.

11 of 53
Page 12
Approved algorithm
NameUse Function
AES modes: OFB, CFB, XTS2 and KW modes; DES RC4 Triple-DES SM2, SM4Symmetric Encryption and Decryption
RSAAsymmetric Encryption and Decryption
RSA Key generationUsing modulus sizes other than 2048-bit or 4096-bit; ANSI X9.31 standard with all key sizes
DSADomain parameter generation, domain parameter verification, key pair generation
DSA digital signatureSignature generation and verification using any key size
EdDSA digital signatureSignature generation and verification using Ed25519
ECDSA Key generation/ verificationUsing curves other than P-256 and P-384
RSA digital signature- Signature Generation: PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Verification PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA2-224, SHA2-512 - Signature Generation and Verification using PKCS #1 v1.5 scheme with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes - Signature Generation PSS using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Verification PSS using 2048, 3072 or 4096-bits modulus with SHA2-224, SHA2-512 - Signature Generation and Verification using Probabilistic Signature Scheme (PSS) specified in ANSI X9.31 standard
ECDSA digital signature- Digital Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes - Digital Signature Generation using curves P-256 and P-384 with SHA- 1, SHA2-224 - Digital Signature Verification using curves P-256 and P-384 with SHA2-224
SHA2-224 SM3 MD5Message Digest
HMAC-SHA2-224 AES-CMAC Triple-DES AES-GCM in IPsec protocolMessage Authentication
Diffie-Hellman EC Diffie-HellmanKey Agreement Scheme: - Diffie-Hellman using groups other than ffdhe2048, ffdhe3072, ffdhe4096 - Diffie-Hellman using MODP groups in IPsec/IKE protocol - EC Diffie-Hellman ephemeral Unified using curves other than P- 256 and P-384 - EC Diffie-Hellman using curves P-256 and P-384 Static Unified and OnePassDh - EC Diffie-Hellman in IPsec/IKE protocol using P-384
TLS KDF SNMP KDF, IKEv1, IKEv2 KDFKey Derivation function in the context of: - TLS using MD5/ SHA-1/ SHA2-224 / SHA2-512 - SSH using SHA-1/ SHA2-224/ SHA2-512 - SNMP using any SHA variant - IKE using any SHA variant
TLS used in SSL Orchestrator (SSLO)All ciphersuites algorithms implemented by f5-rest-node
2.4.3 Non-Approved, Not Allowed Algorithms

The following table lists the non-FIPS Approved algorithms along with their usage.

2 The AES-XTS mode shall only be used for the cryptographic protection of data on storage devices

and shall not be used for other purposes such as the encryption of data in transit. © 2024 F5, Inc. / atsec information security.

12 of 53
Page 13

Device Cryptographic Module Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation

2.5 Hardware Module photographs

Figure 1 - BIG-IP i4600 and BIG-IP i4800 Figure 2 - BIG-IP i5600, BIG-IP i5800 and BIG-IP i5820-DF Figure 3

13 of 53
Page 14

Device Cryptographic Module Figure 4 - BIG-IP i10600, BIG-IP i10800 and BIG-IP i11600-DS, BIG-IP i11800-DS Figure 5

14 of 53
Page 15
2.6 Block Diagram and Cryptographic Boundary Descriptions

The cryptographic boundary of the module is defined by the exterior surface of the appliance (red dotted line in Figure 8). The block diagram below shows the module, its interfaces and the delimitation of its cryptographic boundary. Figure 8 also depicts the flow of status output (SO), control input (CI), data input (DI) and data output (DO). Description of the ports and interfaces can be found in Table 5. - PI SSL Accelerator Power Interface (PSU) Central Processing Unit (CPU) Memory Interface (RAM) Storage Interface (SSD/ HDD) Network Interface (Ethernet, Fiber) Display Interface (LED) - DO - SO - DI - DO - SO - CI Figure 8 - Hardware Block Diagram © 2024 F5, Inc. / atsec information security.

15 of 53
Page 16
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Network Interface (SFP, SFP+, and QSFP+ ports (Ethernet and/or Fiber Optic) which allow transfer speeds from 1Gbps up to 100Gbps.)Network Interface (SFP, SFP+, and QSFP+ ports (Ethernet and/or Fiber Optic) which allow transfer speeds from 1Gbps up to 100Gbps.)Data InputTLS/SSH protocol input messages; Configuration commands for interface management
Network Interface (SFP, SFP+, and QSFP+ ports)Network Interface (SFP, SFP+, and QSFP+ ports)Data OutputTLS/SSH protocol output messages; Status logs
Network Interface (SFP, SFP+, and QSFP+ ports)Network Interface (SFP, SFP+, and QSFP+ ports)Control InputAPI which control system state (e.g. reset system, power-off system).
Network Interface (SFP, SFP+, and QSFP+ ports); Display Interface (LEDs, and/or output to STDOUT)Network Interface (SFP, SFP+, and QSFP+ ports); Display Interface (LEDs, and/or output to STDOUT)Status OutputAPI which provides system status information.
Power InterfacePower InterfacePower InputPSU
3 Cryptographic Module Interfaces

The logical interfaces are the commands through which users of the module request services. There are no external input or output devices to the module can be used for data input, data The physical ports mapping to the logical interfaces and the flow of data passing over them are described in the Table 5. Table 5 - Ports and Interfaces

3 The module does not implement Control Output interface.

© 2024 F5, Inc. / atsec information security.

16 of 53
Page 17
Service
NameRolesInputOutputModule Role
List usersCO UserNoneList of user accountsadministrator User Manager Resource Manager Auditor
Create additional UserCO UserUsername / passwordConfirmation of account creationadministrator User Manager
Modify existing UsersCO UserUsernameConfirmation of account modificationadministrator User Manager
Delete UserCO UserUsernameConfirmation of deletionadministrator User Manager
Unlock UserCO UserUsernameConfirmation of unlockadministrator User Manager
Update own passwordCO UserOwn passwordConfirmation of update of passwordadministrator User
Update others passwordCO UserUsername / passwordConfirmation of updateadministrator User Manager
Configure password policyCONew password policyConfirmation of configuration changeadministrator
Create TLS certificateCO UserCertificate identification informationConfirmation of certificate creationadministrator Certificate Manager Resource Manager
Create TLS KeyCO UserKey identification informationConfirmation of key creationadministrator Certificate Manager Resource Manager
Delete TLS Key / CertificateCO UserKey identification informationConfirmation of key / certificate deletionadministrator Certificate Manager Resource Manager
Display / log expiration data of installed certificatesCO UserList of certificates to displayCertificate expiration informationadministrator Auditor Certificate Manager Resource Manager
List private keysCO UserList of private keys to displayTLS private key informationadministrator Auditor Certificate Manager Resource Manager
Import TLS CertificateCO UserCertificate to importConfirmation of import of certificateadministrator Certificate Manager
Export Certificate fileCO UserCertificate to exportExported Certificate fileadministrator Certificate Manager
Create SSH- keyswapCO UserSSH key to createConfirmation of SSH key creationadministrator Resource Manager
Delete SSH- keyswapCO UserSSH key to deleteConfirmation of SSH key deletionadministrator Resource Manager
Configure FirewallCO UserPolicy rules, address listsConfirmation of policy configurationadministrator Firewall Manager
Show firewall stateCO UserN/ADisplay the current system wide state of the firewall rules.administrator Firewall Manager
Show statistics of firewall rules on the BIG-IP systemCO UserN/AList of statistics of firewall rulesadministrator Firewall Manager
Configure Firewall UsersCO UserFirewall user and configuration informationConfirmation of configurationadministrator Firewall Manager
View System Audit LogCO UserN/ADisplay of system audit logsadministrator Auditor Resource Manager
Export Analytics Logs SystemCO UserN/ADisplay System Analytics Logsadministrator Auditor
Enable / Disable AuditCO UserN/AConfirmation of enabling or disabling of auditadministrator Resource Manager
Configure Boot OptionsCO UserBoot optionsConfirmation of configuration of boot optionsadministrator Resource Manager
Configure SSH access optionsCO UserSSH access / IP address listConfirmation of configuration of SSH access optionsadministrator Resource Manager
Configure SSH user configurationCO Userssh/ authorized_key s fileConfirmation of configuration of SSH user configurationadministrator Resource Manager User Manager
Modify nodes and pool membersCO UserWhich nodes and pool members to modifyConfirmation of modification of nodes and pool membersadministrator Operator
Configure nodesCO UserList of nodes to create / modify / view / deleteConfirmation of creation / modification / display / deletion of nodesadministrator Firewall Manager Resource Manager
Configure iRulesCO UserList of iRules to create / modify / view / deleteConfirmation of creation / modification / display / deletion of iRulesadministrator iRule Manager Firewall Manager Resource Manager
Reboot SystemCON/AConfirmation of system rebootadministrator
Secure EraseCOSelected optionConfirmation of full system zeroizationadministrator
Establish SSH SessionCO UserUser / address / password /Confirmation of SSH session establishmentadministrator User
Maintain SSH SessionCO UserSSH Derived Session keySSH session informationadministrator User
Closing SSH SessionCO UserN/AConfirmation of SSH session closureadministrator User
Establish TLS SessionCO UserAddress / algorithms/ keys / primary secretConfirmation of establishment of TLS sessionadministrator User
Maintain TLS SessionCO UserTLS Derived Session keyTLS session informationadministrator User
Closing TLS sessionCO UserN/AConfirmation of TLS session closureadministrator User
Show versionCO UserNoneVersioning information, and module nameadministrator User
Show licenseCO UserNoneLicense informationadministrator User
Show statusCO UserNoneStatus of the specific service passed in the show status commandadministrator User
Self- testCO UserpowerPass/ fail results of self- testsadministrator User
4 Roles, Services, and Authentication
4.1 Roles

The module supports one CO role and one User role. Maintenance role is not supported. The FIPS 140-3 roles are defined below and corresponding service with input and output are described in Table 6.

17 of 53
Page 18

Device Cryptographic Module Create SSHkeyswap Delete SSHkeyswap N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

18 of 53
Page 19

Device Cryptographic Module N/A N/A Table 6 - Roles, Service Commands, Input and Output

4.2 Authentication

The module supports role-based authentication. The module supports concurrent operators belonging to different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces can be used to access the module:

19 of 53
Page 20
Approved algorithm
NameKey Size
role-based authentication with Password (CLI or WebUI)The password must consist of a minimum of 8 characters with at least one from each of the three-character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z) Assuming a worst-case scenario where the password contains six numerical digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000.Crypto Officer User
role-based authentication with SSH ECDSA key-pair (CLI only)The ECDSA using P-256 or P-384 curves for key based authentication yields a minimum security-strength of 128 bits. The chance of a random authentication attempt falsely succeeding is at most 1/(2128) that is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000.Crypto Officer User

Device Cryptographic Module Table 7 - Roles and Authentication

4.3 Approved Services

Table 8 lists the Approved services, the service name, description, the Approved security function being used by the service, the keys and SSPs accessed by the service, the roles used by the service, access rights to keys and SSPs and the FIPS 140-3 service indicator returned by the service. The environment variable SECURITY_FIPS140_CIPHER_STRICT is exported with the cipher restriction status. If the cipher_restricted status is enabled, the status output from the service indicator is returned in the high speed login /var/log remote.log file. The output 'Service Indicator: Approved' or the 'Service Indicator: Not Approved' are listed in Table 8. If the cipher_restricted status is disabled, there is no service indicator output. For SSH service the service indicator is implicit: when the SSH connection is established the service with the cipher selected is approved. The following variables are used in the Access rights to keys or SSPs column:

20 of 53
Page 21
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
List usersDisplay list of all User accountsCO, User Manager, Resource Manager, AuditorN/AN/AN/ANone
Create additional UserCreate additional UserCO, User ManagerpasswordN/AWNone
Modify existing UsersModify existing UsersCO, User ManagerN/AN/AN/ANone
Delete UserDelete UserCO, User ManagerN/AN/AN/ANone
Unlock UserRemove lock from user who has exceeded login attemptsCO, User ManagerN/AN/AN/ANone
Update own passwordUpdate own passwordCO, UserpasswordN/AWNone
Update others passwordUpdate others passwordCO, User ManagerpasswordN/AWNone
Configure Password PolicySet password policy featuresCON/AN/AN/ANone
Create TLS CertificateSelf-signed certificate creationCO, Certificate Manager, Resource ManagerTLS RSA private key; TLS ECDSA private keyRSA / ECDSA SigGenEService Indicator: Approved
Create TLS KeyUsed for the SSL Certificate key fileCO, Certificate Manager, Resource ManagerTLS RSA public key; TLS RSA private key; TLS ECDSA public key; TLS ECDSA private key;RSA / ECDSA KeyGen CTR_DRBGGService Indicator: Approved
DRBG seedDRBG seedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
Delete TLS Certificate /KeySelf-signed certificate / key deletionCO, Certificate Manager, Resource ManagerTLS RSA public key; TLS RSA private key; TLS ECDSA public key; TLS ECDSA private keyN/AZNone
List CertificateDisplay / log expiration data of installed certificatesCO, Auditor, Certificate Manager, Resource ManagerN/AN/AN/ANone
List Private KeysList private key informationCO, Auditor, Certificate Manager, Resource ManagerN/AN/AN/ANone
Import TLS CertificateImport TLS CertificateCO, Certificate ManagerTLS RSA public key; TLS ECDSA public keyN/AWNone
Export Certificate FileExport Certificate FileCO, Certificate ManagerTLS RSA public key; TLS ECDSA public keyN/ARNone
Create ssh- keyswapUtility service create ssh keysCO, Resource ManagerSSH ECDSA public key; SSH ECDSA private keyECDSA KeyGen CTR_DRBGGService Indicator: Approved
DRBG seedDRBG seedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
Delete ssh- keyswapUtility service delete ssh keysCO, Resource ManagerSSH ECDSA public key; SSH ECDSA private keyN/AZNone
Configure FirewallSet policy rules, and address lists for use by firewall rulesCO, Firewall ManagerN/AN/AN/ANone
Show firewall stateDisplay the current system-wide state of firewall rulesCO, Firewall ManagerN/AN/AN/ANone
Shows statisticsShows statistics of firewall rules on the BIG-IP systemCO, Firewall ManagerN/AN/AN/ANone
Configure Firewall UsersConfigure firewall usersCO, Firewall ManagerN/AN/AN/ANone
View System Audit LogDisplay logs/files of configuration changesCO, Auditor, Resource ManagerN/AN/AN/ANone
Export Analytics Logs SystemExport Analytics Logs SystemCO, AuditorN/AN/AN/ANone
Enable/ Disable AuditEnable/ Disable AuditCO, Resource ManagerN/AN/AN/ANone
Configure Boot OptionsEnable Quiet boot, Manage boot locationsCO, Resource ManagerN/AN/AN/ANone
Configure SSH access optionsEnable / Disable SSH access, Configure IP address allow listCO, Resource ManagerN/AN/AN/ANone
Configure SSH user configurati onUpdate ssh/ authorized_key s file for user authenticationCO, Resource Manager User ManagerSSH ECDSA public keyN/AWNone
Configure Firewall UsersConfigure Firewall UsersCO, Firewall ManagerN/AN/AN/ANone
Modify nodes and pool membersEnable / Disable nodes and pool membersCO OperatorN/AN/AN/ANone
Configure nodesCreate, modify, view, delete nodesCO Firewall Manager, Resource Manager,N/AN/AN/ANone
Configure iRulesCreate, modify, view, delete, iRulesCO, iRule Manager, Firewall Manager, Resource Manager,N/AN/AN/ANone
Reboot SystemRestart cryptographic moduleCOSSPs listed in Table 12N/AZNone
Secure EraseFull system zeroizationCOSSPs listed in Table 12N/AZNone
Establish SSH sessionKey authenticationCO UserSSH ECDSA public key; SSH ECDSA private keyECDSA with SHA2-256 / SHA2-384 curves P-256 / P-384WSSH connection successful
Password authenticationPassword authenticationCO UserPasswordN/AWSSH connection successful
Key ExchangeKey ExchangeCO UserSSH EC Diffie-Hellman public key; SSH EC Diffie- Hellman private keyECDSA KeyGen, CTR_DRBGGSSH connection successful
DRBG SeedDRBG SeedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
KAS-ECC-SSCSSH EC Diffie-Hellman public key (remote peer)KAS-ECC-SSCW
SSH EC Diffie-Hellman private keySSH EC Diffie-Hellman private keyE
SSH shared secretSSH shared secretG
Key DerivationKey DerivationCO UserSSH shared secret[SP 800-135] SSH KDFESSH connection successful
derived SSH session key (AES, HMAC)derived SSH session key (AES, HMAC)G
Maintain SSH SessionData Encryption and DecryptionCO Userderived SSH Session key (AES)AES-CBC AES-CTRESSH connection successful
Data Integrity (MAC): HMAC- with SHA-1/ SHA2-256Data Integrity (MAC): HMAC- with SHA-1/ SHA2-256CO Userderived SSH session key (HMAC)HMACESSH connection successful
Close SSH SessionClose SSH SessionCO UserSSH EC Diffie-Hellman public key; SSH EC Diffie- Hellman private key; SSH shared secret; derived SSH session keyN/AZNone
Establish TLS SessionTLS Certificate AuthenticationCO UserTLS RSA public key; TLS RSA private key; TLS ECDSA public key; TLS ECDSA private keyECDSA / RSAWService Indicator: Approved
Key ExchangeKey ExchangeCO UserTLS Diffie-Hellman public key; TLS Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS EC Diffie-Hellman private keyECDSA KeyGen, Safe Primes Key Generation and Verification, CTR_DRBGGService Indicator: Approved
DRBG SeedDRBG SeedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
KAS-ECC-SSC, KAS-FFC-SSCTLS Diffie-Hellman public key (remote peer); TLS EC Diffie-Hellman public key (remote peer)KAS-ECC-SSC, KAS-FFC-SSCW
TLS Diffie-Hellman private key; TLS EC Diffie- Hellman private keyTLS Diffie-Hellman private key; TLS EC Diffie- Hellman private keyE
TLS pre-primary secretTLS pre-primary secretG
[SP 800-135] TLS KDFTLS pre-primary secret[SP 800-135] TLS KDFE
TLS primary secretTLS primary secretG, E
TLS derived session keys (AES and HMAC or authentication cypher)TLS derived session keys (AES and HMAC or authentication cypher)G
Maintain TLS SessionData Encryption, Data AuthenticationCO UserTLS derived session keys (AES and HMAC or authentication cypher)AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCM, AES-CCMEService Indicator: Approved
Close TLS sessionClose TLS sessionCO UserTLS Diffie-Hellman public key; TLS Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS EC Diffie-Hellman private key; TLS pre-primary secret; TLS primary secret; TLS derived session keysN/AZNone
Show versionReturn the module name and versioning informationCO UserN/AN/AN/ANone
Show licenseReturn license informationCO UserN/AN/AN/ANone
Show statusReturn the module statusCO UserN/AN/AN/ANone
Self- testExecute integrity test; Execute the CASTsCO UserN/A (key for self-tests are not SSPs)All the algorithms listed in table section 10N/ANone
Establish TLS sessionSignature generation and verificationUser/ COAlgorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signatureNo indicator
Key ExchangeKey ExchangeUser/ CO- TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512 - Diffie-Hellman with other curves than ffdhe2048, ffdhe3072, ffdhe4096 - RSA key wrapping with all keys - EC Diffie-Hellman ephemeral unified using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDhNo indicator
Maintain TLS sessionData encryptionUser/ COTriple-DESNo indicator
Data authenticationData authenticationUser/ COHMAC SHA-1No indicator

Device Cryptographic Module N/A N/A N/A W N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A W W N/A N/A E G W, E N/A N/A N/A E Z N/A © 2024 F5, Inc. / atsec information security.

21 of 53
Page 22

Device Cryptographic Module N/A N/A N/A N/A W R G N/A N/A E W, E Z N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

22 of 53
Page 23

N/A N/A N/A N/A N/A N/A W N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Z N/A Z W W G W, E N/A N/A N/A E © 2024 F5, Inc. / atsec information security.

23 of 53
Page 24

Device Cryptographic Module W E G E E E Z W G N/A G E W, E W G E E G, E G © 2024 F5, Inc. / atsec information security.

24 of 53
Page 25
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Maintain TLS SessionData Encryption, Data AuthenticationCO UserTLS derived session keys (AES and HMAC or authentication cypher)AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCM, AES-CCMEService Indicator: Approved
Close TLS sessionClose TLS sessionCO UserTLS Diffie-Hellman public key; TLS Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS EC Diffie-Hellman private key; TLS pre-primary secret; TLS primary secret; TLS derived session keysN/AZNone
Show versionReturn the module name and versioning informationCO UserN/AN/AN/ANone
Show licenseReturn license informationCO UserN/AN/AN/ANone
Show statusReturn the module statusCO UserN/AN/AN/ANone
Self- testExecute integrity test; Execute the CASTsCO UserN/A (key for self-tests are not SSPs)All the algorithms listed in table section 10N/ANone
Establish TLS sessionSignature generation and verificationUser/ COAlgorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signatureNo indicator
Key ExchangeKey ExchangeUser/ CO- TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512 - Diffie-Hellman with other curves than ffdhe2048, ffdhe3072, ffdhe4096 - RSA key wrapping with all keys - EC Diffie-Hellman ephemeral unified using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDhNo indicator
Maintain TLS sessionData encryptionUser/ COTriple-DESNo indicator
Data authenticationData authenticationUser/ COHMAC SHA-1No indicator
IPsec /IKEv2configuration and usageUser/ CO- Authentication: SHA2-256, SHA2-512. AES-GCM - Encryption: AES-192, AES-256, AES- GCM-128, triple-DES - Key Exchange: MODP1024, MODP2048, EC Diffie-Hellman with P-384No indicator
iControl REST accessAccess to the system through RESTUser/ CONoneNo indicator
SSLO Configuration and usageManagement of the module protected by iApplx authenticationUser/ COTLS used in SSL Orchestrator (SSLO)No indicator
Configuration using SNMPManagement of the moduleUser/ COSHA-1, AES-ECB, RSA- signature verificationNo indicator
Physical SecurityPhysical SecurityRecommended FrequencyInspection/Test Guidance Details
MechanismMechanismof Inspection / Test
Production grade enclosure (SL1)N/AN/A
Opaque enclosure (SL2)N/AN/A
Tamper Evident Labels (SL2)Once per monthCheck the quality of the tamper evident labels for any sign of removal, replacement, tearing, etc. If any label is found to be damaged or missing, contact the system administrator immediately

Device Cryptographic Module N/A E Z N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

25 of 53
Page 26

Device Cryptographic Module Table 9 - Non-Approved Services © 2024 F5, Inc. / atsec information security.

26 of 53
Page 27
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module using the approved integrity technique HMAC-SHA2-384 is listed in the section 10.1.1 below. Integrity tests are performed as part of the Pre-Operational Self-Tests.

5.2 On-Demand Integrity Test

The on demand pre-operational self-tests, including the integrity test on demand, are performed by powering the module off and powering it on again.

5.3 Executable Code

The executable code is defined by the firmware version 16.1.3.1. All code belonging to this firmware version is the executable code of the module. © 2024 F5, Inc. / atsec information security.

27 of 53
Page 28
6 Operational Environment
6.1 Operational Environment Type and Requirements

The module operates in a non-modifiable operational environment provided by F5 called TMOS 16.1.3.1. The module is a hardware validated at a Security Level 2 in Physical Security. Once the module is operational, it does not allow the loading of any additional firmware. There are no further requirements for this security area. © 2024 F5, Inc. / atsec information security.

28 of 53
Page 29
7.1 Mechanisms and Actions Required

The module tested in the platforms listed in Table 2 is enclosed in a hard-metallic production grade enclosure that provides opacity and prevents visual inspection of internal components. Each test platform is fitted with tamper evident labels to provide physical evidence of attempts to gain access inside the enclosure. The tamper evident labels shall be installed for the module to operate in approved mode of operation. The Crypto Officer is responsible for inspecting the quality of the tamper labels on a regular basis to confirm that the module has not been tampered with. In the event that the tamper evident labels require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-ADD-BIG-FIPS140). The Crypto Officer shall be responsible for the N/A N/A N/A N/A Table 10 - Physical Security Inspection Guidelines The pictures below show the location of all tamper evident labels for each hardware appliance. Label application instructions are provided in Section 11.2.1 of the Crypto-Officer guidance below. © 2024 F5, Inc. / atsec information security.

29 of 53
Page 30

Device Cryptographic Module VIPRION B4450 Figure 4: per evof ident holographic labels w it h ize

1.9 cm x

5cm Table 11Fiv– e t am Number Tamper Evident Labels per hardware appliance Figures below show t he placem ent of t he t am per evident labels on each of t he t est plat form s. Tam perare Labels are boxed red. circles in the pictures below. The tamper labels delineated withinorange i4000 series front zzzzzz z La b e l 1 La b e l 8 La b e l 2 La be l 6 La b e l 3 La b e l 4 La b e l 5 i4000 series back Figure 5

30 of 53
Page 31

Device Cryptographic Module i5000 series front Label 1 Front Label 7 Label 2 Label 2 Label 6 Label 1 Label 3 Label 3 Label 2 Label 5 i5000 series back Label 4 Figure i5000labels series on (BIG-IP i5 600, BIG-IP i5 800 BIG-IP i5

820 t

est plat form s) w it h per labels show n. Figure6

7 t am

tamper labels) i7000 series front Label 1 Label 8 Label 2 Label 3 Label 4 Label 7 i7000 series back Label 5 Label 6 Label 3 Label 2 i11000 i11000 Figure 7

Page 32

i7000 series back Device Cryptographic Module Label 5 Label 6 Label position is as Figure 11

0 0 0n

i1 se ries fr ont a d i11000

0 0 0n

i1 b ck se ries a plat form s -label 1-. On t he opposit e lat eral sides of t he plat form -labels 2,3 ,7 ,8. On t he v ent ilat ion fan t ray t hat allow s access t

7 tamper labels shown)

CON FI D EN TI AL © 2024 at sec inform at ion securit y corporat ion © 2024 F5, Inc. / atsec information security.

32 of 53
Page 33

Device Cryptographic Module i15000 series front Label 2 Label 1 Label 1 Label 2 i15000 series Label

7 front

Label 3 Label 7 Label 3 i15000 series back Label 6 i15000 series back Label 6 Label 4 Label 5 Label

4 i1 5800, BIG-IP i1 5820 -DF t est plat form s). 1 label on t he front , 4 labels

Figure 9 - Top v iew i15000series (BIG-IP i1 5600, BIG-IP Figure 13per

2 t am

show n circled orange t o m ark w it h ev idence t he unaut of t he 1 fan t ray and PSUs (replaceable s) t h at giv replaceable st orage drives.circled in orange to mark with evidence the front, 4 it em labels on thee access sides, t o2 tamper labels Label

5 shown

unauthorized removal of the fan tray and PSUs (replaceable items) that give access to Figure 9 - Top view i15000series (BIG-IP i1 5600, BIG-IP i1 5800, BIG-IP i1 5820-DF t est plat form s). 1 label on t he front , 4 labels replaceable storage drives. on t he sides, 2 t am per labels show n circled in orange t o m ark w it h evidence t he unaut horized rem oval of t he fan t ray and PSUs (replaceable it em s) t hat give access t o replaceable st orage drives. Figure 10

10 –

VIPRION B2250 t est plat form (delineat ed box) m ount ed in chassis w it h 1 of 1 t amaper label show n Figure

14 –

Tamper labels on chassis withby a red VIPRION B2250 blade (delineated by red box) and three blanks (1 of 1 tamper label shown) CON FI D EN TI AL © 2024 F5, Inc. / atsec information security. © 2024 at sec inform at ion securit y corporat ion

33 of 53

CON FI D EN TI AL © 2024 at sec inform at ion securit y corporat ion

Page 34

Device Cryptographic Module Figur e 11 -15

2 . 2 . 2 Exp e r im e n t a l se t u p

The t est lab used various m et hods t o m odify t he adhesion label propert ies by t est ing a range of t em perat ures around t he am bient (20C)

2 . 2 . 3 Sa m p lin g r e su lt s of t h e e xp e r im e n t s

Below is phot ographic evidence from t he t est ing perform ed on all of t he t est plat form s list ed in sect ion 1.1.

2.2.3.1 Therm al t reat m ent s

Ap ply ing high t em perat ure by heat gun on t he labels placed at t he enclosure t op-bot t om connect ion. The label is delam inat ed due t o t he heat . Under t his t reat m ent , t he m et alic layer of t h e label could be disolved. CON FI D EN TI AL © 2024 F5, Inc. / atsec information security. © 2024 at sec inform at ion securit y corporat ion

34 of 53
Page 35
8 Non-Invasive Security

This section is N/A until non-invasive security is defined. © 2024 F5, Inc. / atsec information security.

35 of 53
Page 36
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationUseImport Export
TLS RSA publi c key112- bits to 150- bitsRSA A2594 A2671Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGN/AHDD or SSDZeroized by Secure Erase service at boot.Use: Key Generation, Digital signature verification used in the TLS protocol Related SSPs: TLS RSA private key, DRBG internal state (V and key values)Can be imported/ exported from the module; AD / EETLS RSA publi c key
TLS RSA privat e key112- bits to 150- bitsRSA A2594 A2671Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGN/AHDD or SSDZeroized by Secure Erase service at boot.Use: Key Generation, Digital signature generation used in the TLS protocol Related SSPs: TLS RSA public key, DRBG internal state (V and key values)No import No exportTLS RSA privat e key
TLS ECDS A publi c key128- bits and 192- bitsECDSA A2594 A2671Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] ECDSA Key Generation method; random values are obtained using [SP 800- 90ARev1] DRBGN/AHDD or SSDZeroized by Secure Erase service at boot.Use: Key Generation, Digital signature verification used in the TLS protocol Related SSPs: TLS ECDSA private key, DRBG internal state (V and key values)Can be imported/ exported from the module; AD / EETLS ECDS A publi c key
TLS ECDS A privat e key128- bits and 192- bitsECDSA A2594 A2671Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] ECDSA Key GenerationN/AHDD or SSDZeroized by Secure Erase service at boot.Use: Key Generation, Digital signature generation used in the TLS protocol Related SSPs: TLS ECDSANo import No exportTLS ECDS A privat e key
method; random values are obtained using [SP 800- 90ARev1] DRBGmethod; random values are obtained using [SP 800- 90ARev1] DRBGpublic key, DRBG internal state (V and key values)
TLS EC Diffie - Hellm an publi c key128- bits and 192- bitsKAS- ECC- SSC A2594 A2671Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90ARev1] DRBGN/ARAMZeroized by closing TLS session or by Reboot System serviceUse: Key Generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman private key, DRBG internal state (V and key values), TLS pre-primary SecretCan be imported/ exported from the module; AD / EETLS EC Diffie - Hellm an publi c key
TLS EC Diffie - Hellm an privat e key128- bits and 192- bitsKAS- ECC- SSC A2594 A2671Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90ARev1] DRBGN/ARAMZeroized by closing TLS session or by Reboot System serviceUse: Key Generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman public key, DRBG internal state (V and key values), TLS pre-primary SecretNo import No exportTLS EC Diffie - Hellm an privat e key
TLS Diffie - Hellm an publi c key112, 128, and 150- bitsKAS- FFC- SSC A2594 A2671Generated using Safe primes key generation method specified in SP800- 56Arev3; random values are obtained using [SP 800- 90ARev1] DRBGN/ARAMZeroized by closing TLS session or by Reboot System serviceUse: Key Generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman private key, DRBG internal state (V and key values), TLS pre-primary SecretCan be imported/ exported from the module; AD / EETLS Diffie - Hellm an publi c key
TLS Diffie - Hellm an privat e key112, 128, and 150- bitsKAS- FFC- SSC A2594 A2671Generated using Safe primes key generation method specified in SP800- 56Arev3; random values are obtained using [SP 800-N/ARAMZeroized by closing TLS session or by Reboot System serviceUse: Key Generation, TLS protocol key exchange Related SSPs: TLS Diffie- Hellman public key, DRBG internal state (V and key values),No import No exportTLS Diffie - Hellm an privat e key
90ARev1] DRBG90ARev1] DRBGTLS pre-primary Secret
TLS pre- prima ry Secre tDiffie- Hellm an: 112, 128, 150- bits EC Diffie- Hellm an: 128- bits and 192- bitsKAS- ECC- SSC or KAS- FFC- SSC A2594 A2671N/AEstablish ed via SP800- 56ARev3 during key agreeme nt for Diffie- Hellman or EC Diffie- Hellman cipher suitesRAMZeroized by closing TLS session or by Reboot System serviceUse: TLS protocol Related SSPs: TLS EC Diffie- Hellman public/private key or TLS Diffie-Hellman public/private key, TLS primary secretNo import No exportTLS pre- prima ry Secre t
TLS prima ry Secre t256- bitsTLS KDF A2671 A2594Derived from T LS pre-primary Secret using SP 800-135 TLS KDFN/ARAMZeroized by closing TLS session or by Reboot System serviceUse: TLS protocol Related SSPs: TLS pre-primary secret, TLS derived session keyNo import No exportTLS prima ry Secre t
TLS Deriv ed sessi on key (AES, HMA C)128 and 256- bits (AES) 112 and 256- bits (HMAC )TLS KDF A2671 A2594Derived from T LS Derived session key using SP 800- 135 TLS KDFN/ARAMZeroized by closing TLS session or by Reboot System serviceUse: TLS protocol Related SSPs: TLS pre-primary secret, TLS primary secretNo import No exportTLS Deriv ed sessi on key (AES, HMA C)
SSH ECDS A publi c key128 and 192- bitsECDSA A2594Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] ECDSA Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGN/AHDD or SSDZeroized using delete ssh- keyswap utility or by Secure Erase service at bootUse: Key Generation; SSH key-based authentication Related SSPs: SSH ECDSA private key, DRBG internal state (V and key values)Can be imported/ exported from the module; AD / EESSH ECDS A publi c key
SSH ECDS A privat e key128 and 192- bitsECDSA A2594Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4]N/AHDD or SSDZeroized using delete ssh- keyswap utility or by SecureUse: Key Generation, SSH key-based authentication Related SSPs: SSH ECDSANo import No exportSSH ECDS A privat e key
ECDSA Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGECDSA Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGErase service at boot.public key, DRBG internal state (V and key values)
SSH EC Diffie - Hellm an publi c key128 and 192- bitsKAS- ECC- SSC A2594Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGN/ARAMZeroized by closing SSH session or terminating the SSH application or Reboot System serviceUse: SSH handshake Related SSPs: SSH EC Diffie- Hellman private key, SSH shared secret, DRBG internal state (V and key values)Can be imported/ exported from the module; AD / EESSH EC Diffie - Hellm an publi c key
SSH EC Diffie - Hellm an privat e key128 and 192- bitsKAS- ECC- SSC A2594Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBGN/ARAMZeroized by closing SSH session or terminating the SSH application or Reboot System serviceUse: SSH handshake Related SSPs: SSH EC Diffie- Hellman public key, SSH shared secret, DRBG internal state (V and key values)No import No exportSSH EC Diffie - Hellm an privat e key
SSH Share d Secre t128 and 192- bitsKAS- ECC- SSC A2594N/AEstablish ed via SP800- 56ARev3 KAS-ECC- SSCRAMZeroized by closing SSH session or terminating the SSH application or Reboot System serviceUse: Key derivation, SSH shared secret; Related SSPs: SSH EC Diffie- Hellman public/private key, SSH derived keyNo import No exportSSH Share d Secre t
SSH Deriv ed sessi on key (AES, HMA C)128 and 256- bits (AES) 112 and 256- bits (HMAC )SSH KDF A2594Derived from SSH Shared Secret using SP 800-135 SSH KDFN/ARAMZeroized by closing SSH session or terminating the SSH application or Reboot System serviceUse: Used in data encryption / decryption and MAC calculations in SSH protocol Related SSPs: SSH shared secretNo import No exportSSH Deriv ed sessi on key (AES, HMA C)
Pass word1/676, 000,0 00 (see Table 7)N/AN/AN/AHDD or SSD as a hash ed valu eZeroized by Secure Erase service at bootUse: SSH authentication, WebUI login Related SSPs: N/AInput by the User or CO invoking "create additional user" or "Update own password " or "Update others password " services No export; AD / EEPass word
Entro py input256- bits with DF and 384- bits withou t DFEntropy Source ESV Cert. #E16Obtained from non-physical Entropy sourceN/ARAMZeroized by Reboot System serviceUse: random number generation Related SSPs: DRBG seedNo import No exportEntro py input
DRBG seed256 bitsCTR_DR BG A2594 A2671Derived from the entropy string as defined by [SP 800-90ARev1]N/ARAMZeroized by Reboot System serviceUse: random number generation Related SSPs: Entropy input, DRBG internal state (V and key values)No import No exportDRBG seed
DRBG inter nal state (V and key value s)256 bitsCTR_DR BG A2594 A2671Derived from the seed as defined by [SP 800-90ARev1]N/ARAMZeroized by Reboot System serviceUse: random number generation Related SSPs: Entropy input, DRBG seed, TLS RSA public key, TLS RSA private key, TLS ECDSA public key, TLS ECDSA private key, TLS EC Diffie-Hellman public key, TLS EC Diffie- Hellman private key, TLS Diffie- Hellman public key, TLS Diffie- Hellman private key, SSH ECDSANo import No exportDRBG inter nal state (V and key value s)
9 Sensitive Security Parameter Management

112bits to 150bits N/A 112bits to 150bits N/A A 128bits 192bits N/A A 128bits 192bits SP800133Rev2 SP800133Rev2 SP800133Rev2 SP800133Rev2 N/A

4 The " Import/Export" column also defines the distribution and entry options from IG 9.5.A e.g.

Automated Distribution / Electronic Entry = AD/EE © 2024 F5, Inc. / atsec information security.

36 of 53
Page 37

Device Cryptographic Module 128bits 192bits KASECCSSC 128bits 192bits KASECCSSC 150bits KASFFCSSC 150bits KASFFCSSC SP800133Rev2 SP800133Rev2 SP80056Arev3; SP80056Arev3; N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

37 of 53
Page 38

Device Cryptographic Module preprima t t C) A A DiffieHellm 150bits DiffieHellm 128bits 192bits 256bits KASECCSSC or KASFFCSSC N/A SP80056ARev3 DiffieHellman DiffieHellman N/A 256bits 256bits ) 192bits N/A N/A delete sshkeyswap 192bits SP800133Rev2 SP800133Rev2 N/A delete sshkeyswap © 2024 F5, Inc. / atsec information security.

38 of 53
Page 39

Device Cryptographic Module 192bits KASECCSSC 192bits KASECCSSC d t 192bits KASECCSSC C) 256bits 256bits ) SP800133Rev2 SP800133Rev2 N/A N/A N/A SP80056ARev3 KAS-ECCSSC N/A © 2024 F5, Inc. / atsec information security.

39 of 53
Page 40

Device Cryptographic Module 7) N/A N/A 256bits 384bits (V s) N/A e N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

40 of 53
Page 41
Approved algorithm
NameKey Size
DetailsEntropy SourceMinimum number of
The CPU Jitter RNG version 3.4.0 entropy source uses jitter variations caused by executing instructions and memory accessed. The entropy source has been shown to provide full 256-bits of entropy at the output of the SHA3-256 vetted conditioning function (Cert. #A2621).256-bitsESV #E16 (non- physical noise source)

Device Cryptographic Module Table 12 - SSPs The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90ARev1] for the generation of random value used in asymmetric keys. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The module uses the SP800-90B compliant Entropy source specified in Table 13 to seed the DRBG with full entropy. In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. No non-DRBG functions or instances are able to access the DRBG internal state. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The F5 ES is tested in the OEs listed in Table 2. Table 13 - Non-Deterministic Random Number Generation Specification generation services compliant with [FIPS186-4], using a [SP800-90ARev1] DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per [SP800-133r2] (vendor affirmed). The RSA and ECDSA key pairs used for Digital Signature Schemes are generated in accordance with section 5.1 of [SP800-133r2] and maps specifically to [FIPS 186-4]. The ECDH and DH key pairs used for Key Establishment are generated in accordance with section

5.2 of [SP800-133r2] i.e. key generation method specified in [SP 800-56Ar3]. For this module

applicable method from [SP800-56Ar3] is 5.6.1.2 ECC Key Pair Generation which actually maps to [FIPS 186-4]. and 5.6.1.1 FFC Key Pair Generation. © 2024 F5, Inc. / atsec information security.

41 of 53
Page 42

Device Cryptographic Module The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133r2] section 6.2.1 Symmetric keys generated using Key Agreement Scheme.

9.3 SSP Establishment

The module provides the following key establishment services:

9.4 SSP Entry / Output

For TLS with EC Diffie-Hellman / Diffie-Hellman key exchange, the TLS pre-primary secret is established during key agreement and is not output from the module. Once the TLS session is established, any key or data transfer performed thereafter is protected by authenticated encryption mode using AES-GCM/ AES-CCM or AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 TLS KDF. For SSH with EC Diffie-Hellman key exchange, the SSH shared secret is established during key agreement and is not output from the module. SSH ECDSA public keys can be imported into the module by the CO and User role using the "Configure SSH user configuration" service. Once the SSH session is established, any key or data transfer performed thereafter is protected by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 SSH KDF. There are no encrypted SSPs that are directly entered. © 2024 F5, Inc. / atsec information security.

42 of 53
Page 43
9.5 SSP Storage

As shown in Table 12 the keys are stored in the volatile memory (RAM) in plaintext form and are destroyed when released by the appropriate zeroization calls or when the system is rebooted. The SSPs stored in plaintext in the module's non-volatile memory (SSD/ HDD) are static and will remain on the system across power cycle. SSPs are only accessible to the authenticated operator, to which the SSPs are associated.

9.6 SSP Zeroization

The zeroization methods listed in Table 12, overwrites the memory occupied by keys with “zeros” or pre-defined values. The zeroization of temporary values are performed at the closing of the TLS/SSH connection. The zeroization can be enforced by the Crypto Officer and Resource Manager role with the following services:

43 of 53
Page 44
AlgorithmTest
Control Plane (A2594 Cert.)
non-physical entropy sourceSP800-90B health test (APT and RCT) classified as CAST: • at start-up: performed on 1,024 consecutive samples. • during runtime.
CTR_DRBGCAST KAT with AES 256 bits with and without derivation function SP800-90ARev1 section 11.3 health tests
AESCAST KAT of AES encryption / decryption separately with AES-GCM mode and 256-bit key
10 Self-Tests
10.1 Pre-Operational Self-Tests

The pre-operational self-test are performed automatically whenever the module is powered on. At initialization the module performed the pre-operational self-tests (the integrity test) and the conditional cryptographic algorithm tests (CASTs). Both the pre-operational tests and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module. Services are not available during the pre-operational self-test and the data output interface is inhibited. On successful completion of the pre-operational self-tests, the module enters operational mode and cryptographic services are available. If the module fails any of the tests, it will return an error code and enter into the error state to prohibit any further cryptographic operations.

10.1.1 Pre-Operational Software/Firmware Integrity Test

The integrity of the module is verified by comparing the HMAC-SHA2-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match the system enters the error state and the device will not be accessible. Data output and cryptographic operations are inhibited while the module is in the error state. In order to recover from this state, the module needs to be reinstalled. The HMAC-SHA384 algorithm is selftested prior to the integrity test being run.

10.2 Conditional Self-Tests

The following sub-sections describe the conditional self-tests supported by the module. The conditional self-tests are specified in Table 14. If one of the conditional self-tests fails, the module transitions to the error state and a corresponding error indication is given. The module becomes inoperable, and no services are available. Data output and cryptographic operations are inhibited while the module is in the error State. runtime. If the entropy source health tests fail, then the module moves into the error state.

10.2.1 Conditional Cryptographic Algorithm Self-Tests

The module performs cryptographic algorithm self-tests (CASTs) on all Approved cryptographic algorithms. The module performs the CASTs shown in Table 14 during the power-up. The CASTs consist of Known Answer Tests for all the approved cryptographic algorithms, SP800-90B Health © 2024 F5, Inc. / atsec information security.

44 of 53
Page 45
Approved algorithm
NameMode Method
RSACAST KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA2-256 CAST KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA2-256
ECDSACAST KAT of ECDSA signature generation using P-256 and SHA2-256 CAST KAT of ECDSA signature verification using P-256 and SHA2-256
KAS-ECC-SSCCAST KAT of shared secret computation with P-256 curve
KAS-FFC-SSCCAST KAT of shared secret computation with 2048 modulus
HMAC-SHA-1, HMAC-SHA2- 256, HMAC-SHA2-384, HMAC-SHA2-512CAST KAT of HMAC-SHA-1, CAST KAT of HMAC-SHA2-256 CAST KAT of HMAC-SHA2-384 (prior integrity tests during pre-operational self-tests) CAST KAT of HMAC-SHA2-512
SHA-1, SHA2-256, SHA2-384, SHA2-512CAST KATs for all SHA sizes are covered by the respective HMAC KATs (allowed per IG 10.3.B)
[SP800-135] KDFSSH CAST KAT TLS1.2 CAST KAT
Data Plane (A2671 Cert.)
AESCAST KAT of AES encryption with GCM mode and 128-bit key CAST KAT of AES encryption /decryption performed separately with CBC mode and 128-bit key
RSACAST KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA2-256 CAST KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA2-256
ECDSACAST KATs of ECDSA signature generation and verification with P-256 curve, SHA2-256
KAS-ECC-SSCCAST KAT of shared secret computation with P-256 curve
KAS-FFC-SSCCAST KAT of shared secret computation with 2048 modulus
CTR_DRBGCovered by Control Plane Self-Tests. (Data Plane makes use of the same DRBG implementation provided by Control Plane)
[SP800-135] KDFTLS1.2 CAST KAT
HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512CAST KAT of HMAC-SHA-1 CAST KAT of HMAC-SHA2-256 CAST KAT of HMAC-SHA2-384 CAST KAT of HMAC-SHA2-512
SHA-1, SHA2-256, SHA2-384, SHA2-512CAST KATs for all SHA sizes are covered by respective HMAC KATs (allowed per IG 10.3.B)

Device Cryptographic Module Table 14

45 of 53
Page 46
Error StateCause of ErrorStatus Indicator
Halt ErrorHMAC-SHA2-384 KAT failure or HMAC-SHA2- 384 integrity test failureModule will not load
Failure of any of the Control Plane CAST KATs, and SP800-90rev1 Health tests and Data Plane CAST KATsModule will not load
Failure of any of the PCTsModule will reboot
Failure of the APT, RCT at restart/power-on (CAST for entropy source health test at restart)Module will not load
Health Test ErrorFailure of the APT, RCT at runtime (CAST for entropy source health test at runtime)The module reboot in a loop
10.2.2 Conditional Pairwise Consistency Test

A pairwise consistency test is run whenever asymmetric keys (RSA, Diffie-Hellman, EC DiffieHellman or ECDSA) are generated. PCT for ECDSA (Control and Data planes) and RSA (Control Plane) Key Pair Generation used for digital signatures is tested by the calculation and verification of a digital signature. PCT for Diffie-Hellman (Control and Data planes) Key Pair Generation is performed following the SP 800-56Arev3 requirements. PCT for EC Diffie-Hellman (Control Plane) Key Pair Generation is covered by ECDSA PCT (IG 10.3.A). PCTs for EC Diffie-Hellman (Data Plane) Key Pair Generation is performed following the SP 800-56Arev3 section 5.6.2.1.4 requirements.

10.2.3 On-Demand Self-Test

On demand and periodic self-tests are performed by powering off the module and powering it on again. This service performs the same cryptographic algorithm tests executed during preoperational self-tests and CASTs. During the execution of the periodic and on-demand self-tests, crypto services are not available and no data output or input is possible.

10.3 Error States

Table 15 - Error States In any of the error states, any data output or cryptographic operations are prohibited. The module must reboot to re-loaded with a fresh image to clear the error condition. All data output and cryptographic operations are inhibited when the module is in an error state. © 2024 F5, Inc. / atsec information security.

46 of 53
Page 47
11 Life-Cycle Assurance
11.1 Delivery and Operation

The module is distributed as a part of a BIG-IP product which includes the hardware and an installed copy of firmware with version 16.1.3.1. The hardware devices are shipped directly from the hardware manufacturer/authorized subcontractor via trusted carrier and tracked by that carrier. The hardware is shipped in a sealed box that includes a packing slip with a list of components inside, and with labels outside printed with the product nomenclature, sales order number, and product serial number. Upon receipt of the hardware, the customer is required to perform the following verifications:

11.2 Crypto Officer Guidance

The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the approved validated configuration. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/16

11.2.1 Installing Tamper Evident Labels

Before the device is installed in the production environment, tamper-evident labels must be installed in the location identified for each module in Section 7.2. The following steps should be taken when installing or replacing the tamper evident labels on the module. The instructions are also included in F5 Platforms: FIPS Kit Installation provided with each module.

11.2.2 Installing BIG-IP

Follow the instructions in the "BIG-IP System: Initial Configuration" guide for the initial setup and configuration of the module.

47 of 53
Page 48

Device Cryptographic Module

11.2.2.1 Version Confirmation

The Crypto Officer should call the show version service (with command "tmsh show sys version" and "tmsh show sys hardware"), then confirm that the provided firmware and hardware versions matches the validated versions shown in Table 2. Any firmware loaded into the module other than version 16.1.3.1 is out of the scope of this validation and will mean that the module is not operating as a FIPS validated module.

11.2.2.2 License Confirmation

The FIPS validated module activation requires installation of the license referred as ‘FIPS license’. The Crypto Officer should call the show license service (with command "tmsh show sys license"), then verify that the list of license flags includes "FIPS 140-3”.

11.2.3 Additional Guidance

The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the FIPS validated configuration.

48 of 53
Page 49

Device Cryptographic Module

11.3 User Guidance

The module supports two modes of operation, Approved mode and non-Approved mode. The following two tables define which services are available in each mode: Table 8 - Approved Services and Table 9 - Non-Approved Services. Using the non-approved algorithms found in Table 4 - NonApproved Algorithms Not Allowed in the Approved Mode of Operation, means that the module operates in non- Approved mode for the particular session of a particular service.

11.3.1 AES GCM IV

The User shall consider the following requirements and restrictions when using the module. AESGCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario 1. The implementation of the nonce_explicit management logic inside the module ensures that when the IV exhausts the maximum number of possible values for a given session key, the module triggers a new handshake request to establish a new key. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed. The AES GCM IV generation follows [RFC 5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-3_IG] IG C.H scenario 1; thus, the module is compliant with [SP800-52 Rev2] section 3.3.1.

11.3.2 RSA SigGen/SigVer

All the modulus sizes supported by the module have been ACVP tested (per IG C.F). © 2024 F5, Inc. / atsec information security.

49 of 53
Page 50
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.

50 of 53
Page 51

Device Cryptographic Module Appendix A. Glossary and Abbreviations AES AES-NI Advanced Encryption Standard Advanced Encryption Standard New Instructions CAVP CBC CCM CFB Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback CMAC CMVP CSP Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter CTR DES DSA Counter Mode Data Encryption Standard Digital Signature Algorithm DRBG ECB ECC ESV Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Entropy Source Validation FFC FIPS GCM Finite Field Cryptography Federal Information Processing Standards Publication Galois Counter Mode HMAC KAS KAT Hash Message Authentication Code Key Agreement Schema Known Answer Test KW KWP MAC AES Key Wrap AES Key Wrap with Padding Message Authentication Code NDF NIST OFB PR No Derivation Function National Institute of Science and Technology Output Feedback Prediction Resistance PSS RNG RSA Probabilistic Signature Scheme Random Number Generator Rivest, Shamir, Addleman SHA SHS SSH Secure Hash Algorithm Secure Hash Standard Secure Shell TDES XTS Triple-DES XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.

51 of 53
Page 52

Device Cryptographic Module Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 © 2024 F5, Inc. / atsec information security.

52 of 53
Page 53

Device Cryptographic Module SP800-90A NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-133 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.

53 of 53

Referenced URLs