| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/21/2026 |
| Caveat | Interim Validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals with F5-ADD-BIG-FIPS140 kit installed as indicated in the Security Policy. |
| Vendor | F5, Inc. |
| Hardware versions | BIG-IP i4600, BIG-IP i4800, BIG-IP i5600, BIG-IP i5800, BIG-IP i5820-DF, BIG-IP i7600, BIG-IP i7800, BIG-IP i7820-DF, BIG-IP i10600, BIG-IP i10800, BIG-IP i11600-DS, BIG-IP i11800-DS, BIG-IP i15600, BIG-IP i15800, BIG-IP i15820-DF, VIPRION B2250, VIPRION B4450 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 2 |
| Roles, Services, and Authentication | 2 |
| Software/Firmware Security | 2 |
| Operational Environment | N/A |
| Physical Security | 2 |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 2 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for Device Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>16.1.3.1</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C5,C6 clue;
class I1,I2,I3,I5,I6 infer;
class R1,R2,R3,R5,R6 risk;
class E1,E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Device Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>16.1.3.1</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3 clueHigh;
class C5,C6 clueLow;F5, Inc. Device Cryptographic Module Hardware Versions: BIG-IP i4600, BIG-IP i4800, BIG-IP i5600, BIG-IP i5800, BIG-IP i5820-DF, BIG-IP i7600, BIG-IP i7800, BIG-IP i7820-DF, BIG-IP i10600, BIG-IP i10800, BIG-IP i11600-DS, BIG-IP i11800-DS, BIG-IP i15600, BIG-IP i15800, BIG-IP i15820-DF, VIPRION B2250, VIPRION B4450 with FIPS Kit P/N: F5-ADD-BIG-FIPS140 Firmware Version: 16.1.3.1 FIPS Security Level 2 Last update: July 2024 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
Device Cryptographic Module Table of Contents
2.4.2 Non-Approved, Allowed Algorithms and Non-Approved, Allowed Algorithms with No
© 2024 F5, Inc. / atsec information security.
Device Cryptographic Module Appendix A. Appendix B. © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module Figure 12
Device Cryptographic Module F5®, BIG-IP®, TMOS®, are registered trademarks of F5, Inc. Intel® and Xeon® are registered trademarks of Intel Corporation. © 2024 F5, Inc. / atsec information security.
| Name | ISO Section | Requirement | Level | ISO/IEC 24759 Section 6. [Number Below] |
|---|---|---|---|---|
| 1 | 1 | General | 2 | 1 |
| 2 | 2 | Cryptographic Module Specification | 2 | |
| 3 | 3 | Cryptographic Module Interfaces | 2 | |
| 4 | 4 | Roles, Services, and Authentication | 2 | |
| 5 | 5 | Software/Firmware Security | 2 | |
| 6 | 6 | Operational Environment | N/A | |
| 7 | 7 | Physical Security | 2 | |
| 8 | 8 | Non-Invasive Security | N/A | |
| 9 | 9 | Sensitive Security Parameter Management | 2 | |
| 10 | 10 | Self-tests | 2 | |
| 11 | 11 | Life-cycle Assurance | 2 | |
| 12 | 12 | Mitigation of Other Attacks | N/A |
This document is the non-proprietary FIPS 140-3 Security Policy for the Device Cryptographic Module with firmware version 16.1.3.1 and hardware versions listed in Table 2 below. The document contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 2 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. The following describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. N/A N/A N/A Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.
| Name | Model | Hardware Version | Firmware Version | Processor | Features | # |
|---|---|---|---|---|---|---|
| 1 | i4600 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® D-1518, Broadwell | 1 x USB port 8 x 1GbE; 4 x 10GbE network ports 1 x Console port 1 x 1GbE management port | 1 |
| 2 | i4800 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® D-1518, Broadwell | 1 x USB port 8 x 1GbE; 4 x 10GbE network ports 1 x Console port 1 x 1GbE management port | 2 |
| 3 | i5600 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1630v4, Broadwell | 1 x USB port 8 x 10GbE; 4 x 40GbE network ports 1 x Console port 1 x 1GbE management port | 3 |
| 4 | i5800 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1630v4, Broadwell | 1 x USB port 8 x 10GbE; 4 x 40GbE network ports 1 x Console port 1 x 1GbE management port | 4 |
| 5 | i5820-DF | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1630v4, Broadwell | 1 x USB port 8 x 10GbE; 4 x 40GbE network ports 1 x Console port 1 x 1GbE management port | 5 |
| 6 | i7600 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1650v4, Broadwell | 1 x USB port 8 x 10GbE and 4 x 40GbE network ports 1 x Console port 1 x 10/100/1000-BaseT management port | 6 |
| 7 | i7800 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1650v4, Broadwell | 1 x USB port 8 x 10GbE and 4 x 40GbE network ports 1 x Console port 1 x 10/100/1000-BaseT management port | 7 |
| 8 | i7820-DF | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1650v4, Broadwell | 1 x USB port 8 x 10GbE and 4 x 40GbE network ports 1 x Console port 1 x 10/100/1000-BaseT management port | 8 |
| 9 | i10600 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1660v4, Broadwell | 1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE management port | 9 |
| 10 | i10800 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-1660v4, Broadwell | 1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE management port | 10 |
| 11 | i11600- DS | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2695v4, Broadwell | 1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE (10/100/1000 capable) management port | 11 |
| 12 | i11800- DS | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2695v4, Broadwell | 1 x USB port 8 x 10GbE; 6 x 40GbE network ports 1 x Console port 1 x 1GbE (10/100/1000 capable) management port | 12 |
| 13 | i15600 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2680v4, Broadwell | 1 x USB port 8 x 40GbE; 4 x 100GbE network ports 1 x Console port 1 x 1GbE management port | 13 |
| 14 | i15800 | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2680v4, Broadwell | 1 x USB port 8 x 40GbE; 4 x 100GbE network ports 1 x Console port 1 x 1GbE management port | 14 |
| 15 | i15820- DF | BIG-IP iseries | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2680v4, Broadwell | 1 x USB port 8 x 40GbE; 4 x 100GbE network ports 1 x Console port 1 x 1GbE management port | 15 |
| 16 | B2250 | VIPRION | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2658v2, Ivy Bridge | 2 x USB port 4 x 40 GbE network ports 1 x Console port 1 x GbE management port | 16 |
| 17 | B4450 | VIPRION | BIG-IP 16.1.3.1 | Intel® Xeon® E5-2658v3, Haswell | 1 x USB port 6 x 40 GbE; 2 x 100 GbE network ports 1 x Console port 1 x GbE (10/100/1000 Ethernet) management port | 17 |
The Device Cryptographic Module (hereafter referred to as “the module”) is a Hardware cryptographic module with multiple-chip standalone embodiment. The module is a smart evolution of Application Delivery Controller (ADC) technology. Solutions built on this platform are load balancers. They are full proxies that give visibility into, and the power to control—inspect and encrypt or decrypt—all the traffic that passes through your network. Underlying all BIG-IP hardware and software is F5’s proprietary operating system, TMOS, which provides unified intelligence, flexibility, and programmability. With its application control plane architecture, TMOS gives you control over the acceleration, security, and availability services your applications require. TMOS establishes a virtual, unified pool of highly scalable, resilient, and reusable services that can dynamically adapt to the changing conditions in data centers and virtual and cloud infrastructures.
# © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module # i11600DS i11800DS i15820DF Table 2 - Cryptographic Module Tested Configuration © 2024 F5, Inc. / atsec information security.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |
|---|---|---|---|---|---|
| Control | Control | Data | |||
| Plane | Plane | Plane | |||
| AES | A2594 | ECB, CBC, GCM, | 128 / 192 / 256-bit keys | Encryption and Decryption | N/A |
| [FIPS 197, SP800- | CCM, CTR | with key strengths from | |||
| 38A, | 128 to 256 bits | ||||
| KTS (AES) | A2594 | GCM, CCM | 128 / 256-bit AES keys | Key Wrapping / Unwrapping | A2671 |
| [FIPS 197, SP800- | with key strengths 128 or | ||||
| 38D, SP800- 38F] | 256 bits | ||||
| A2594 | A2594 | AES-CBC key and | 128 / 256-bit AES and | A2671 | |
| HMAC-SHA2-256, | HMAC-SHA2-256, | HMAC keys with key | |||
| or HMAC-SHA2- | or HMAC-SHA2- | strengths 128 or 256 bits | |||
| A2594 | A2594 | AES-CBC/ AES-CTR | 128 / 256-bit AES and | N/A | |
| keys and HMAC- | keys and HMAC- | HMAC keys with key | |||
| SHA-1, HMAC- | SHA-1, HMAC- | strengths 128 or 256 bits | |||
| AES | A2594 | GMAC | 128 / 192 / 256-bit AES | MAC Generation and Verification | N/A |
| [FIPS 197, SP800- | keys with key strengths | ||||
| 38B, SP800 38D] | from 128 to 256 bits | ||||
| AES | N/A | CBC, GCM, CCM | 128 / 256-bit keys with key | Encryption and Decryption | A2671 |
| [FIPS 197, SP800- | strengths 128 and 256 bits | ||||
| Control | Control | Data | |||
| Plane | Plane | Plane | |||
| AES | N/A | GMAC | 128 / 256-bit keys with key | MAC Generation | A2671 |
| [FIPS 197, SP800- | strengths 128 and 256 bits | and Verification | |||
| CTR_DRBG | A2594 | AES 256 in CTR | Entropy input | Random Number | N/A |
| [SP800-90ARev1] | mode with / | (256-bits with DF and 384- | Generation | ||
| without derivation | without derivation | bits without DF), V (128- | |||
| prediction | prediction | values | |||
| CTR_DRBG | N/A | AES 256 in CTR | Entropy input (256-bits), V | Random Number | A2671 |
| [SP800-90A Rev1] | mode with | (128-bits) and key (256- | Generation | ||
| derivation | derivation | bits) values | |||
| RSA | A2594 | B.3.3 Random | 2048 and 4096-bit keys | Key Generation | N/A |
| [FIPS 186-4] | Probable Primes | with key strengths 112 | |||
| RSA | A2594 | PKCS#1v1.5: SHA- | 2048, 3072 and 4096-bits | Signature | A2671 |
| [FIPS 186-4] | 1 (Sig Ver only) | keys with key strengths | Generation and | ||
| SHA2-256, SHA2- | SHA2-256, SHA2- | 112 to 150-bits | Verification | ||
| RSA | N/A | PKCSPSS: | 2048, 3072 and 4096-bits | Signature | A2671 |
| [FIPS 186-4] | SHA-1 (Sig Ver | keys with key strengths | Generation and | ||
| only) SHA2-256, | only) SHA2-256, | 112 to 150-bits | Verification | ||
| Safe Primes Key | A2594 | Safe Primes | ffdhe2048, ffdhe3072, and | Diffie-Hellman | A2671 |
| Verification | strengths 112 to 150-bits | generation and | |||
| [SP800-56Ar3] | verification using | ||||
| ECDSA | A2594 | B.4.2 Testing | P-256 and P-384 with key | Key Pair | A2671 |
| [FIPS 186-4] | Candidates | strengths 128 and 192-bits | Generation / | ||
| ECDSA | A2594 | SHA2-256, SHA2- | P-256 and P-384 with key | Signature | A2671 |
| [FIPS 186-4] | 384, SHA2-512 | strengths 128 and 192-bits | Generation and | ||
| SHS | A2594 | SHA-1 | N/A | Message Digest | A2671 |
| [FIPS180-4] | SHA2-256 | ||||
| HMAC | A2594 | HMAC-SHA-1 | 112 bits to 1024-bits with | Message | A2671 |
| [FIPS 198-1] | HMAC-SHA2-256 | key strengths 112 to 256- | Authentication | ||
| HMAC-SHA2-384 | HMAC-SHA2-384 | bits | |||
| Control | Control | Data | |||
| Plane | Plane | Plane | |||
| KAS-ECC-SSC | A2594 | Ephemeral Unified; | P-256, P-384 with key | Shared Secret | A2671 |
| [SP800-56ARev3] | KAS Role: initiator, | strengths 128 and 192-bits | Computation | ||
| responder | responder | used in Key | |||
| KAS-FFC-SSC | A2594 | dhEphem | ffdhe2048, ffdhe3072, | Shared Secret | A2671 |
| [SP800-56ARev3] | KAS Role: initiator, | ffdhe4096 with key | Computation | ||
| responder | responder | strengths 112 to 150-bits | used in Key | ||
| SSH KDF1 | A2594 | AES-128, AES-256 | 256-bit keys with 256-bits | Key Derivation | N/A |
| [SP800-135] | with | key strength | |||
| (CVL) | SHA2-256, SHA2- | ||||
| TLS KDF1 | A2594 | TLS v1.2 | 128 / 256-bit AES keys | Key Derivation | A2671 |
| [SP800-135] | with key strengths from | ||||
| (CVL) | 112 and 256 bits; | ||||
| CKG | (vendor | DRBG produces | RSA Sizes: 2048 and 4096- | Key generation | (vendor |
| [SP800-133rev2] | affirmed) | random numbers | bits key with 112 and 150- | affirmed) | |
| CTR_DRBG | use for key | bits key strength | |||
| [SP800-90Ar1] | generation of RSA, | ECDSA, EC Diffie-Hellman: | |||
| Diffie-Hellman, EC | ECDSA, Diffie- | ||||
| Diffie-Hellman | Hellman and EC | ||||
| [SP800-56Ar3] | Diffie-Hellman | ||||
| RSA, ECDSA [FIPS | Safe Primes: ffdhe2048, | ||||
| 186-4] | ffdhe3072, ffdhe4096 with |
The module supports two modes of operation:
N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module N/A Table 3 - Approved Algorithms
2.4.2 Non-Approved, Allowed Algorithms and Non-Approved, Allowed Algorithms with No
Security Claimed The module does not implement any non-approved algorithms allowed in the approved mode of operation with or without security claimed.
1 No parts of the TLS / SSH protocols except the KDF has been reviewed or tested by the CAVP and
CMVP © 2024 F5, Inc. / atsec information security.
| Name | Use Function |
|---|---|
| AES modes: OFB, CFB, XTS2 and KW modes; DES RC4 Triple-DES SM2, SM4 | Symmetric Encryption and Decryption |
| RSA | Asymmetric Encryption and Decryption |
| RSA Key generation | Using modulus sizes other than 2048-bit or 4096-bit; ANSI X9.31 standard with all key sizes |
| DSA | Domain parameter generation, domain parameter verification, key pair generation |
| DSA digital signature | Signature generation and verification using any key size |
| EdDSA digital signature | Signature generation and verification using Ed25519 |
| ECDSA Key generation/ verification | Using curves other than P-256 and P-384 |
| RSA digital signature | - Signature Generation: PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Verification PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA2-224, SHA2-512 - Signature Generation and Verification using PKCS #1 v1.5 scheme with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes - Signature Generation PSS using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Verification PSS using 2048, 3072 or 4096-bits modulus with SHA2-224, SHA2-512 - Signature Generation and Verification using Probabilistic Signature Scheme (PSS) specified in ANSI X9.31 standard |
| ECDSA digital signature | - Digital Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes - Digital Signature Generation using curves P-256 and P-384 with SHA- 1, SHA2-224 - Digital Signature Verification using curves P-256 and P-384 with SHA2-224 |
| SHA2-224 SM3 MD5 | Message Digest |
| HMAC-SHA2-224 AES-CMAC Triple-DES AES-GCM in IPsec protocol | Message Authentication |
| Diffie-Hellman EC Diffie-Hellman | Key Agreement Scheme: - Diffie-Hellman using groups other than ffdhe2048, ffdhe3072, ffdhe4096 - Diffie-Hellman using MODP groups in IPsec/IKE protocol - EC Diffie-Hellman ephemeral Unified using curves other than P- 256 and P-384 - EC Diffie-Hellman using curves P-256 and P-384 Static Unified and OnePassDh - EC Diffie-Hellman in IPsec/IKE protocol using P-384 |
| TLS KDF SNMP KDF, IKEv1, IKEv2 KDF | Key Derivation function in the context of: - TLS using MD5/ SHA-1/ SHA2-224 / SHA2-512 - SSH using SHA-1/ SHA2-224/ SHA2-512 - SNMP using any SHA variant - IKE using any SHA variant |
| TLS used in SSL Orchestrator (SSLO) | All ciphersuites algorithms implemented by f5-rest-node |
The following table lists the non-FIPS Approved algorithms along with their usage.
2 The AES-XTS mode shall only be used for the cryptographic protection of data on storage devices
and shall not be used for other purposes such as the encryption of data in transit. © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
Figure 1 - BIG-IP i4600 and BIG-IP i4800 Figure 2 - BIG-IP i5600, BIG-IP i5800 and BIG-IP i5820-DF Figure 3
Device Cryptographic Module Figure 4 - BIG-IP i10600, BIG-IP i10800 and BIG-IP i11600-DS, BIG-IP i11800-DS Figure 5
The cryptographic boundary of the module is defined by the exterior surface of the appliance (red dotted line in Figure 8). The block diagram below shows the module, its interfaces and the delimitation of its cryptographic boundary. Figure 8 also depicts the flow of status output (SO), control input (CI), data input (DI) and data output (DO). Description of the ports and interfaces can be found in Table 5. - PI SSL Accelerator Power Interface (PSU) Central Processing Unit (CPU) Memory Interface (RAM) Storage Interface (SSD/ HDD) Network Interface (Ethernet, Fiber) Display Interface (LED) - DO - SO - DI - DO - SO - CI Figure 8 - Hardware Block Diagram © 2024 F5, Inc. / atsec information security.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| Network Interface (SFP, SFP+, and QSFP+ ports (Ethernet and/or Fiber Optic) which allow transfer speeds from 1Gbps up to 100Gbps.) | Network Interface (SFP, SFP+, and QSFP+ ports (Ethernet and/or Fiber Optic) which allow transfer speeds from 1Gbps up to 100Gbps.) | Data Input | TLS/SSH protocol input messages; Configuration commands for interface management |
| Network Interface (SFP, SFP+, and QSFP+ ports) | Network Interface (SFP, SFP+, and QSFP+ ports) | Data Output | TLS/SSH protocol output messages; Status logs |
| Network Interface (SFP, SFP+, and QSFP+ ports) | Network Interface (SFP, SFP+, and QSFP+ ports) | Control Input | API which control system state (e.g. reset system, power-off system). |
| Network Interface (SFP, SFP+, and QSFP+ ports); Display Interface (LEDs, and/or output to STDOUT) | Network Interface (SFP, SFP+, and QSFP+ ports); Display Interface (LEDs, and/or output to STDOUT) | Status Output | API which provides system status information. |
| Power Interface | Power Interface | Power Input | PSU |
The logical interfaces are the commands through which users of the module request services. There are no external input or output devices to the module can be used for data input, data The physical ports mapping to the logical interfaces and the flow of data passing over them are described in the Table 5. Table 5 - Ports and Interfaces
© 2024 F5, Inc. / atsec information security.
| Name | Roles | Input | Output | Module Role |
|---|---|---|---|---|
| List users | CO User | None | List of user accounts | administrator User Manager Resource Manager Auditor |
| Create additional User | CO User | Username / password | Confirmation of account creation | administrator User Manager |
| Modify existing Users | CO User | Username | Confirmation of account modification | administrator User Manager |
| Delete User | CO User | Username | Confirmation of deletion | administrator User Manager |
| Unlock User | CO User | Username | Confirmation of unlock | administrator User Manager |
| Update own password | CO User | Own password | Confirmation of update of password | administrator User |
| Update others password | CO User | Username / password | Confirmation of update | administrator User Manager |
| Configure password policy | CO | New password policy | Confirmation of configuration change | administrator |
| Create TLS certificate | CO User | Certificate identification information | Confirmation of certificate creation | administrator Certificate Manager Resource Manager |
| Create TLS Key | CO User | Key identification information | Confirmation of key creation | administrator Certificate Manager Resource Manager |
| Delete TLS Key / Certificate | CO User | Key identification information | Confirmation of key / certificate deletion | administrator Certificate Manager Resource Manager |
| Display / log expiration data of installed certificates | CO User | List of certificates to display | Certificate expiration information | administrator Auditor Certificate Manager Resource Manager |
| List private keys | CO User | List of private keys to display | TLS private key information | administrator Auditor Certificate Manager Resource Manager |
| Import TLS Certificate | CO User | Certificate to import | Confirmation of import of certificate | administrator Certificate Manager |
| Export Certificate file | CO User | Certificate to export | Exported Certificate file | administrator Certificate Manager |
| Create SSH- keyswap | CO User | SSH key to create | Confirmation of SSH key creation | administrator Resource Manager |
| Delete SSH- keyswap | CO User | SSH key to delete | Confirmation of SSH key deletion | administrator Resource Manager |
| Configure Firewall | CO User | Policy rules, address lists | Confirmation of policy configuration | administrator Firewall Manager |
| Show firewall state | CO User | N/A | Display the current system wide state of the firewall rules. | administrator Firewall Manager |
| Show statistics of firewall rules on the BIG-IP system | CO User | N/A | List of statistics of firewall rules | administrator Firewall Manager |
| Configure Firewall Users | CO User | Firewall user and configuration information | Confirmation of configuration | administrator Firewall Manager |
| View System Audit Log | CO User | N/A | Display of system audit logs | administrator Auditor Resource Manager |
| Export Analytics Logs System | CO User | N/A | Display System Analytics Logs | administrator Auditor |
| Enable / Disable Audit | CO User | N/A | Confirmation of enabling or disabling of audit | administrator Resource Manager |
| Configure Boot Options | CO User | Boot options | Confirmation of configuration of boot options | administrator Resource Manager |
| Configure SSH access options | CO User | SSH access / IP address list | Confirmation of configuration of SSH access options | administrator Resource Manager |
| Configure SSH user configuration | CO User | ssh/ authorized_key s file | Confirmation of configuration of SSH user configuration | administrator Resource Manager User Manager |
| Modify nodes and pool members | CO User | Which nodes and pool members to modify | Confirmation of modification of nodes and pool members | administrator Operator |
| Configure nodes | CO User | List of nodes to create / modify / view / delete | Confirmation of creation / modification / display / deletion of nodes | administrator Firewall Manager Resource Manager |
| Configure iRules | CO User | List of iRules to create / modify / view / delete | Confirmation of creation / modification / display / deletion of iRules | administrator iRule Manager Firewall Manager Resource Manager |
| Reboot System | CO | N/A | Confirmation of system reboot | administrator |
| Secure Erase | CO | Selected option | Confirmation of full system zeroization | administrator |
| Establish SSH Session | CO User | User / address / password / | Confirmation of SSH session establishment | administrator User |
| Maintain SSH Session | CO User | SSH Derived Session key | SSH session information | administrator User |
| Closing SSH Session | CO User | N/A | Confirmation of SSH session closure | administrator User |
| Establish TLS Session | CO User | Address / algorithms/ keys / primary secret | Confirmation of establishment of TLS session | administrator User |
| Maintain TLS Session | CO User | TLS Derived Session key | TLS session information | administrator User |
| Closing TLS session | CO User | N/A | Confirmation of TLS session closure | administrator User |
| Show version | CO User | None | Versioning information, and module name | administrator User |
| Show license | CO User | None | License information | administrator User |
| Show status | CO User | None | Status of the specific service passed in the show status command | administrator User |
| Self- test | CO User | power | Pass/ fail results of self- tests | administrator User |
The module supports one CO role and one User role. Maintenance role is not supported. The FIPS 140-3 roles are defined below and corresponding service with input and output are described in Table 6.
Device Cryptographic Module Create SSHkeyswap Delete SSHkeyswap N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module N/A N/A Table 6 - Roles, Service Commands, Input and Output
The module supports role-based authentication. The module supports concurrent operators belonging to different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces can be used to access the module:
| Name | Key Size | |
|---|---|---|
| role-based authentication with Password (CLI or WebUI) | The password must consist of a minimum of 8 characters with at least one from each of the three-character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z) Assuming a worst-case scenario where the password contains six numerical digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000. | Crypto Officer User |
| role-based authentication with SSH ECDSA key-pair (CLI only) | The ECDSA using P-256 or P-384 curves for key based authentication yields a minimum security-strength of 128 bits. The chance of a random authentication attempt falsely succeeding is at most 1/(2128) that is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000. | Crypto Officer User |
Device Cryptographic Module Table 7 - Roles and Authentication
Table 8 lists the Approved services, the service name, description, the Approved security function being used by the service, the keys and SSPs accessed by the service, the roles used by the service, access rights to keys and SSPs and the FIPS 140-3 service indicator returned by the service. The environment variable SECURITY_FIPS140_CIPHER_STRICT is exported with the cipher restriction status. If the cipher_restricted status is enabled, the status output from the service indicator is returned in the high speed login /var/log remote.log file. The output 'Service Indicator: Approved' or the 'Service Indicator: Not Approved' are listed in Table 8. If the cipher_restricted status is disabled, there is no service indicator output. For SSH service the service indicator is implicit: when the SSH connection is established the service with the cipher selected is approved. The following variables are used in the Access rights to keys or SSPs column:
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| List users | Display list of all User accounts | CO, User Manager, Resource Manager, Auditor | N/A | N/A | N/A | None |
| Create additional User | Create additional User | CO, User Manager | password | N/A | W | None |
| Modify existing Users | Modify existing Users | CO, User Manager | N/A | N/A | N/A | None |
| Delete User | Delete User | CO, User Manager | N/A | N/A | N/A | None |
| Unlock User | Remove lock from user who has exceeded login attempts | CO, User Manager | N/A | N/A | N/A | None |
| Update own password | Update own password | CO, User | password | N/A | W | None |
| Update others password | Update others password | CO, User Manager | password | N/A | W | None |
| Configure Password Policy | Set password policy features | CO | N/A | N/A | N/A | None |
| Create TLS Certificate | Self-signed certificate creation | CO, Certificate Manager, Resource Manager | TLS RSA private key; TLS ECDSA private key | RSA / ECDSA SigGen | E | Service Indicator: Approved |
| Create TLS Key | Used for the SSL Certificate key file | CO, Certificate Manager, Resource Manager | TLS RSA public key; TLS RSA private key; TLS ECDSA public key; TLS ECDSA private key; | RSA / ECDSA KeyGen CTR_DRBG | G | Service Indicator: Approved |
| DRBG seed | DRBG seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| Delete TLS Certificate /Key | Self-signed certificate / key deletion | CO, Certificate Manager, Resource Manager | TLS RSA public key; TLS RSA private key; TLS ECDSA public key; TLS ECDSA private key | N/A | Z | None |
| List Certificate | Display / log expiration data of installed certificates | CO, Auditor, Certificate Manager, Resource Manager | N/A | N/A | N/A | None |
| List Private Keys | List private key information | CO, Auditor, Certificate Manager, Resource Manager | N/A | N/A | N/A | None |
| Import TLS Certificate | Import TLS Certificate | CO, Certificate Manager | TLS RSA public key; TLS ECDSA public key | N/A | W | None |
| Export Certificate File | Export Certificate File | CO, Certificate Manager | TLS RSA public key; TLS ECDSA public key | N/A | R | None |
| Create ssh- keyswap | Utility service create ssh keys | CO, Resource Manager | SSH ECDSA public key; SSH ECDSA private key | ECDSA KeyGen CTR_DRBG | G | Service Indicator: Approved |
| DRBG seed | DRBG seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| Delete ssh- keyswap | Utility service delete ssh keys | CO, Resource Manager | SSH ECDSA public key; SSH ECDSA private key | N/A | Z | None |
| Configure Firewall | Set policy rules, and address lists for use by firewall rules | CO, Firewall Manager | N/A | N/A | N/A | None |
| Show firewall state | Display the current system-wide state of firewall rules | CO, Firewall Manager | N/A | N/A | N/A | None |
| Shows statistics | Shows statistics of firewall rules on the BIG-IP system | CO, Firewall Manager | N/A | N/A | N/A | None |
| Configure Firewall Users | Configure firewall users | CO, Firewall Manager | N/A | N/A | N/A | None |
| View System Audit Log | Display logs/files of configuration changes | CO, Auditor, Resource Manager | N/A | N/A | N/A | None |
| Export Analytics Logs System | Export Analytics Logs System | CO, Auditor | N/A | N/A | N/A | None |
| Enable/ Disable Audit | Enable/ Disable Audit | CO, Resource Manager | N/A | N/A | N/A | None |
| Configure Boot Options | Enable Quiet boot, Manage boot locations | CO, Resource Manager | N/A | N/A | N/A | None |
| Configure SSH access options | Enable / Disable SSH access, Configure IP address allow list | CO, Resource Manager | N/A | N/A | N/A | None |
| Configure SSH user configurati on | Update ssh/ authorized_key s file for user authentication | CO, Resource Manager User Manager | SSH ECDSA public key | N/A | W | None |
| Configure Firewall Users | Configure Firewall Users | CO, Firewall Manager | N/A | N/A | N/A | None |
| Modify nodes and pool members | Enable / Disable nodes and pool members | CO Operator | N/A | N/A | N/A | None |
| Configure nodes | Create, modify, view, delete nodes | CO Firewall Manager, Resource Manager, | N/A | N/A | N/A | None |
| Configure iRules | Create, modify, view, delete, iRules | CO, iRule Manager, Firewall Manager, Resource Manager, | N/A | N/A | N/A | None |
| Reboot System | Restart cryptographic module | CO | SSPs listed in Table 12 | N/A | Z | None |
| Secure Erase | Full system zeroization | CO | SSPs listed in Table 12 | N/A | Z | None |
| Establish SSH session | Key authentication | CO User | SSH ECDSA public key; SSH ECDSA private key | ECDSA with SHA2-256 / SHA2-384 curves P-256 / P-384 | W | SSH connection successful |
| Password authentication | Password authentication | CO User | Password | N/A | W | SSH connection successful |
| Key Exchange | Key Exchange | CO User | SSH EC Diffie-Hellman public key; SSH EC Diffie- Hellman private key | ECDSA KeyGen, CTR_DRBG | G | SSH connection successful |
| DRBG Seed | DRBG Seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| KAS-ECC-SSC | SSH EC Diffie-Hellman public key (remote peer) | KAS-ECC-SSC | W | |||
| SSH EC Diffie-Hellman private key | SSH EC Diffie-Hellman private key | E | ||||
| SSH shared secret | SSH shared secret | G | ||||
| Key Derivation | Key Derivation | CO User | SSH shared secret | [SP 800-135] SSH KDF | E | SSH connection successful |
| derived SSH session key (AES, HMAC) | derived SSH session key (AES, HMAC) | G | ||||
| Maintain SSH Session | Data Encryption and Decryption | CO User | derived SSH Session key (AES) | AES-CBC AES-CTR | E | SSH connection successful |
| Data Integrity (MAC): HMAC- with SHA-1/ SHA2-256 | Data Integrity (MAC): HMAC- with SHA-1/ SHA2-256 | CO User | derived SSH session key (HMAC) | HMAC | E | SSH connection successful |
| Close SSH Session | Close SSH Session | CO User | SSH EC Diffie-Hellman public key; SSH EC Diffie- Hellman private key; SSH shared secret; derived SSH session key | N/A | Z | None |
| Establish TLS Session | TLS Certificate Authentication | CO User | TLS RSA public key; TLS RSA private key; TLS ECDSA public key; TLS ECDSA private key | ECDSA / RSA | W | Service Indicator: Approved |
| Key Exchange | Key Exchange | CO User | TLS Diffie-Hellman public key; TLS Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS EC Diffie-Hellman private key | ECDSA KeyGen, Safe Primes Key Generation and Verification, CTR_DRBG | G | Service Indicator: Approved |
| DRBG Seed | DRBG Seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| KAS-ECC-SSC, KAS-FFC-SSC | TLS Diffie-Hellman public key (remote peer); TLS EC Diffie-Hellman public key (remote peer) | KAS-ECC-SSC, KAS-FFC-SSC | W | |||
| TLS Diffie-Hellman private key; TLS EC Diffie- Hellman private key | TLS Diffie-Hellman private key; TLS EC Diffie- Hellman private key | E | ||||
| TLS pre-primary secret | TLS pre-primary secret | G | ||||
| [SP 800-135] TLS KDF | TLS pre-primary secret | [SP 800-135] TLS KDF | E | |||
| TLS primary secret | TLS primary secret | G, E | ||||
| TLS derived session keys (AES and HMAC or authentication cypher) | TLS derived session keys (AES and HMAC or authentication cypher) | G | ||||
| Maintain TLS Session | Data Encryption, Data Authentication | CO User | TLS derived session keys (AES and HMAC or authentication cypher) | AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCM, AES-CCM | E | Service Indicator: Approved |
| Close TLS session | Close TLS session | CO User | TLS Diffie-Hellman public key; TLS Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS EC Diffie-Hellman private key; TLS pre-primary secret; TLS primary secret; TLS derived session keys | N/A | Z | None |
| Show version | Return the module name and versioning information | CO User | N/A | N/A | N/A | None |
| Show license | Return license information | CO User | N/A | N/A | N/A | None |
| Show status | Return the module status | CO User | N/A | N/A | N/A | None |
| Self- test | Execute integrity test; Execute the CASTs | CO User | N/A (key for self-tests are not SSPs) | All the algorithms listed in table section 10 | N/A | None |
| Establish TLS session | Signature generation and verification | User/ CO | Algorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signature | No indicator | ||
| Key Exchange | Key Exchange | User/ CO | - TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512 - Diffie-Hellman with other curves than ffdhe2048, ffdhe3072, ffdhe4096 - RSA key wrapping with all keys - EC Diffie-Hellman ephemeral unified using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDh | No indicator | ||
| Maintain TLS session | Data encryption | User/ CO | Triple-DES | No indicator | ||
| Data authentication | Data authentication | User/ CO | HMAC SHA-1 | No indicator |
Device Cryptographic Module N/A N/A N/A W N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A W W N/A N/A E G W, E N/A N/A N/A E Z N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module N/A N/A N/A N/A W R G N/A N/A E W, E Z N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
N/A N/A N/A N/A N/A N/A W N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Z N/A Z W W G W, E N/A N/A N/A E © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module W E G E E E Z W G N/A G E W, E W G E E G, E G © 2024 F5, Inc. / atsec information security.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Maintain TLS Session | Data Encryption, Data Authentication | CO User | TLS derived session keys (AES and HMAC or authentication cypher) | AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCM, AES-CCM | E | Service Indicator: Approved |
| Close TLS session | Close TLS session | CO User | TLS Diffie-Hellman public key; TLS Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS EC Diffie-Hellman private key; TLS pre-primary secret; TLS primary secret; TLS derived session keys | N/A | Z | None |
| Show version | Return the module name and versioning information | CO User | N/A | N/A | N/A | None |
| Show license | Return license information | CO User | N/A | N/A | N/A | None |
| Show status | Return the module status | CO User | N/A | N/A | N/A | None |
| Self- test | Execute integrity test; Execute the CASTs | CO User | N/A (key for self-tests are not SSPs) | All the algorithms listed in table section 10 | N/A | None |
| Establish TLS session | Signature generation and verification | User/ CO | Algorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signature | No indicator | ||
| Key Exchange | Key Exchange | User/ CO | - TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512 - Diffie-Hellman with other curves than ffdhe2048, ffdhe3072, ffdhe4096 - RSA key wrapping with all keys - EC Diffie-Hellman ephemeral unified using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDh | No indicator | ||
| Maintain TLS session | Data encryption | User/ CO | Triple-DES | No indicator | ||
| Data authentication | Data authentication | User/ CO | HMAC SHA-1 | No indicator | ||
| IPsec /IKEv2 | configuration and usage | User/ CO | - Authentication: SHA2-256, SHA2-512. AES-GCM - Encryption: AES-192, AES-256, AES- GCM-128, triple-DES - Key Exchange: MODP1024, MODP2048, EC Diffie-Hellman with P-384 | No indicator | ||
| iControl REST access | Access to the system through REST | User/ CO | None | No indicator | ||
| SSLO Configuration and usage | Management of the module protected by iApplx authentication | User/ CO | TLS used in SSL Orchestrator (SSLO) | No indicator | ||
| Configuration using SNMP | Management of the module | User/ CO | SHA-1, AES-ECB, RSA- signature verification | No indicator | ||
| Physical Security | Physical Security | Recommended Frequency | Inspection/Test Guidance Details | |||
| Mechanism | Mechanism | of Inspection / Test | ||||
| Production grade enclosure (SL1) | N/A | N/A | ||||
| Opaque enclosure (SL2) | N/A | N/A | ||||
| Tamper Evident Labels (SL2) | Once per month | Check the quality of the tamper evident labels for any sign of removal, replacement, tearing, etc. If any label is found to be damaged or missing, contact the system administrator immediately |
Device Cryptographic Module N/A E Z N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module Table 9 - Non-Approved Services © 2024 F5, Inc. / atsec information security.
The integrity of the module using the approved integrity technique HMAC-SHA2-384 is listed in the section 10.1.1 below. Integrity tests are performed as part of the Pre-Operational Self-Tests.
The on demand pre-operational self-tests, including the integrity test on demand, are performed by powering the module off and powering it on again.
The executable code is defined by the firmware version 16.1.3.1. All code belonging to this firmware version is the executable code of the module. © 2024 F5, Inc. / atsec information security.
The module operates in a non-modifiable operational environment provided by F5 called TMOS 16.1.3.1. The module is a hardware validated at a Security Level 2 in Physical Security. Once the module is operational, it does not allow the loading of any additional firmware. There are no further requirements for this security area. © 2024 F5, Inc. / atsec information security.
The module tested in the platforms listed in Table 2 is enclosed in a hard-metallic production grade enclosure that provides opacity and prevents visual inspection of internal components. Each test platform is fitted with tamper evident labels to provide physical evidence of attempts to gain access inside the enclosure. The tamper evident labels shall be installed for the module to operate in approved mode of operation. The Crypto Officer is responsible for inspecting the quality of the tamper labels on a regular basis to confirm that the module has not been tampered with. In the event that the tamper evident labels require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-ADD-BIG-FIPS140). The Crypto Officer shall be responsible for the N/A N/A N/A N/A Table 10 - Physical Security Inspection Guidelines The pictures below show the location of all tamper evident labels for each hardware appliance. Label application instructions are provided in Section 11.2.1 of the Crypto-Officer guidance below. © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module VIPRION B4450 Figure 4: per evof ident holographic labels w it h ize
5cm Table 11Fiv– e t am Number Tamper Evident Labels per hardware appliance Figures below show t he placem ent of t he t am per evident labels on each of t he t est plat form s. Tam perare Labels are boxed red. circles in the pictures below. The tamper labels delineated withinorange i4000 series front zzzzzz z La b e l 1 La b e l 8 La b e l 2 La be l 6 La b e l 3 La b e l 4 La b e l 5 i4000 series back Figure 5
Device Cryptographic Module i5000 series front Label 1 Front Label 7 Label 2 Label 2 Label 6 Label 1 Label 3 Label 3 Label 2 Label 5 i5000 series back Label 4 Figure i5000labels series on (BIG-IP i5 600, BIG-IP i5 800 BIG-IP i5
est plat form s) w it h per labels show n. Figure6
tamper labels) i7000 series front Label 1 Label 8 Label 2 Label 3 Label 4 Label 7 i7000 series back Label 5 Label 6 Label 3 Label 2 i11000 i11000 Figure 7
i7000 series back Device Cryptographic Module Label 5 Label 6 Label position is as Figure 11
i1 se ries fr ont a d i11000
i1 b ck se ries a plat form s -label 1-. On t he opposit e lat eral sides of t he plat form -labels 2,3 ,7 ,8. On t he v ent ilat ion fan t ray t hat allow s access t
CON FI D EN TI AL © 2024 at sec inform at ion securit y corporat ion © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module i15000 series front Label 2 Label 1 Label 1 Label 2 i15000 series Label
Label 3 Label 7 Label 3 i15000 series back Label 6 i15000 series back Label 6 Label 4 Label 5 Label
4 i1 5800, BIG-IP i1 5820 -DF t est plat form s). 1 label on t he front , 4 labels
Figure 9 - Top v iew i15000series (BIG-IP i1 5600, BIG-IP Figure 13per
show n circled orange t o m ark w it h ev idence t he unaut of t he 1 fan t ray and PSUs (replaceable s) t h at giv replaceable st orage drives.circled in orange to mark with evidence the front, 4 it em labels on thee access sides, t o2 tamper labels Label
unauthorized removal of the fan tray and PSUs (replaceable items) that give access to Figure 9 - Top view i15000series (BIG-IP i1 5600, BIG-IP i1 5800, BIG-IP i1 5820-DF t est plat form s). 1 label on t he front , 4 labels replaceable storage drives. on t he sides, 2 t am per labels show n circled in orange t o m ark w it h evidence t he unaut horized rem oval of t he fan t ray and PSUs (replaceable it em s) t hat give access t o replaceable st orage drives. Figure 10
VIPRION B2250 t est plat form (delineat ed box) m ount ed in chassis w it h 1 of 1 t amaper label show n Figure
Tamper labels on chassis withby a red VIPRION B2250 blade (delineated by red box) and three blanks (1 of 1 tamper label shown) CON FI D EN TI AL © 2024 F5, Inc. / atsec information security. © 2024 at sec inform at ion securit y corporat ion
CON FI D EN TI AL © 2024 at sec inform at ion securit y corporat ion
Device Cryptographic Module Figur e 11 -15
The t est lab used various m et hods t o m odify t he adhesion label propert ies by t est ing a range of t em perat ures around t he am bient (20C)
Below is phot ographic evidence from t he t est ing perform ed on all of t he t est plat form s list ed in sect ion 1.1.
Ap ply ing high t em perat ure by heat gun on t he labels placed at t he enclosure t op-bot t om connect ion. The label is delam inat ed due t o t he heat . Under t his t reat m ent , t he m et alic layer of t h e label could be disolved. CON FI D EN TI AL © 2024 F5, Inc. / atsec information security. © 2024 at sec inform at ion securit y corporat ion
This section is N/A until non-invasive security is defined. © 2024 F5, Inc. / atsec information security.
| Name | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Use | Import Export | |
|---|---|---|---|---|---|---|---|---|---|
| TLS RSA publi c key | 112- bits to 150- bits | RSA A2594 A2671 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | HDD or SSD | Zeroized by Secure Erase service at boot. | Use: Key Generation, Digital signature verification used in the TLS protocol Related SSPs: TLS RSA private key, DRBG internal state (V and key values) | Can be imported/ exported from the module; AD / EE | TLS RSA publi c key |
| TLS RSA privat e key | 112- bits to 150- bits | RSA A2594 A2671 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | HDD or SSD | Zeroized by Secure Erase service at boot. | Use: Key Generation, Digital signature generation used in the TLS protocol Related SSPs: TLS RSA public key, DRBG internal state (V and key values) | No import No export | TLS RSA privat e key |
| TLS ECDS A publi c key | 128- bits and 192- bits | ECDSA A2594 A2671 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] ECDSA Key Generation method; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | HDD or SSD | Zeroized by Secure Erase service at boot. | Use: Key Generation, Digital signature verification used in the TLS protocol Related SSPs: TLS ECDSA private key, DRBG internal state (V and key values) | Can be imported/ exported from the module; AD / EE | TLS ECDS A publi c key |
| TLS ECDS A privat e key | 128- bits and 192- bits | ECDSA A2594 A2671 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] ECDSA Key Generation | N/A | HDD or SSD | Zeroized by Secure Erase service at boot. | Use: Key Generation, Digital signature generation used in the TLS protocol Related SSPs: TLS ECDSA | No import No export | TLS ECDS A privat e key |
| method; random values are obtained using [SP 800- 90ARev1] DRBG | method; random values are obtained using [SP 800- 90ARev1] DRBG | public key, DRBG internal state (V and key values) | |||||||
| TLS EC Diffie - Hellm an publi c key | 128- bits and 192- bits | KAS- ECC- SSC A2594 A2671 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | RAM | Zeroized by closing TLS session or by Reboot System service | Use: Key Generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman private key, DRBG internal state (V and key values), TLS pre-primary Secret | Can be imported/ exported from the module; AD / EE | TLS EC Diffie - Hellm an publi c key |
| TLS EC Diffie - Hellm an privat e key | 128- bits and 192- bits | KAS- ECC- SSC A2594 A2671 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | RAM | Zeroized by closing TLS session or by Reboot System service | Use: Key Generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman public key, DRBG internal state (V and key values), TLS pre-primary Secret | No import No export | TLS EC Diffie - Hellm an privat e key |
| TLS Diffie - Hellm an publi c key | 112, 128, and 150- bits | KAS- FFC- SSC A2594 A2671 | Generated using Safe primes key generation method specified in SP800- 56Arev3; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | RAM | Zeroized by closing TLS session or by Reboot System service | Use: Key Generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman private key, DRBG internal state (V and key values), TLS pre-primary Secret | Can be imported/ exported from the module; AD / EE | TLS Diffie - Hellm an publi c key |
| TLS Diffie - Hellm an privat e key | 112, 128, and 150- bits | KAS- FFC- SSC A2594 A2671 | Generated using Safe primes key generation method specified in SP800- 56Arev3; random values are obtained using [SP 800- | N/A | RAM | Zeroized by closing TLS session or by Reboot System service | Use: Key Generation, TLS protocol key exchange Related SSPs: TLS Diffie- Hellman public key, DRBG internal state (V and key values), | No import No export | TLS Diffie - Hellm an privat e key |
| 90ARev1] DRBG | 90ARev1] DRBG | TLS pre-primary Secret | |||||||
| TLS pre- prima ry Secre t | Diffie- Hellm an: 112, 128, 150- bits EC Diffie- Hellm an: 128- bits and 192- bits | KAS- ECC- SSC or KAS- FFC- SSC A2594 A2671 | N/A | Establish ed via SP800- 56ARev3 during key agreeme nt for Diffie- Hellman or EC Diffie- Hellman cipher suites | RAM | Zeroized by closing TLS session or by Reboot System service | Use: TLS protocol Related SSPs: TLS EC Diffie- Hellman public/private key or TLS Diffie-Hellman public/private key, TLS primary secret | No import No export | TLS pre- prima ry Secre t |
| TLS prima ry Secre t | 256- bits | TLS KDF A2671 A2594 | Derived from T LS pre-primary Secret using SP 800-135 TLS KDF | N/A | RAM | Zeroized by closing TLS session or by Reboot System service | Use: TLS protocol Related SSPs: TLS pre-primary secret, TLS derived session key | No import No export | TLS prima ry Secre t |
| TLS Deriv ed sessi on key (AES, HMA C) | 128 and 256- bits (AES) 112 and 256- bits (HMAC ) | TLS KDF A2671 A2594 | Derived from T LS Derived session key using SP 800- 135 TLS KDF | N/A | RAM | Zeroized by closing TLS session or by Reboot System service | Use: TLS protocol Related SSPs: TLS pre-primary secret, TLS primary secret | No import No export | TLS Deriv ed sessi on key (AES, HMA C) |
| SSH ECDS A publi c key | 128 and 192- bits | ECDSA A2594 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] ECDSA Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | HDD or SSD | Zeroized using delete ssh- keyswap utility or by Secure Erase service at boot | Use: Key Generation; SSH key-based authentication Related SSPs: SSH ECDSA private key, DRBG internal state (V and key values) | Can be imported/ exported from the module; AD / EE | SSH ECDS A publi c key |
| SSH ECDS A privat e key | 128 and 192- bits | ECDSA A2594 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] | N/A | HDD or SSD | Zeroized using delete ssh- keyswap utility or by Secure | Use: Key Generation, SSH key-based authentication Related SSPs: SSH ECDSA | No import No export | SSH ECDS A privat e key |
| ECDSA Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | ECDSA Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | Erase service at boot. | public key, DRBG internal state (V and key values) | ||||||
| SSH EC Diffie - Hellm an publi c key | 128 and 192- bits | KAS- ECC- SSC A2594 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | RAM | Zeroized by closing SSH session or terminating the SSH application or Reboot System service | Use: SSH handshake Related SSPs: SSH EC Diffie- Hellman private key, SSH shared secret, DRBG internal state (V and key values) | Can be imported/ exported from the module; AD / EE | SSH EC Diffie - Hellm an publi c key |
| SSH EC Diffie - Hellm an privat e key | 128 and 192- bits | KAS- ECC- SSC A2594 | Generated conformant to SP800- 133Rev2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90ARev1] DRBG | N/A | RAM | Zeroized by closing SSH session or terminating the SSH application or Reboot System service | Use: SSH handshake Related SSPs: SSH EC Diffie- Hellman public key, SSH shared secret, DRBG internal state (V and key values) | No import No export | SSH EC Diffie - Hellm an privat e key |
| SSH Share d Secre t | 128 and 192- bits | KAS- ECC- SSC A2594 | N/A | Establish ed via SP800- 56ARev3 KAS-ECC- SSC | RAM | Zeroized by closing SSH session or terminating the SSH application or Reboot System service | Use: Key derivation, SSH shared secret; Related SSPs: SSH EC Diffie- Hellman public/private key, SSH derived key | No import No export | SSH Share d Secre t |
| SSH Deriv ed sessi on key (AES, HMA C) | 128 and 256- bits (AES) 112 and 256- bits (HMAC ) | SSH KDF A2594 | Derived from SSH Shared Secret using SP 800-135 SSH KDF | N/A | RAM | Zeroized by closing SSH session or terminating the SSH application or Reboot System service | Use: Used in data encryption / decryption and MAC calculations in SSH protocol Related SSPs: SSH shared secret | No import No export | SSH Deriv ed sessi on key (AES, HMA C) |
| Pass word | 1/676, 000,0 00 (see Table 7) | N/A | N/A | N/A | HDD or SSD as a hash ed valu e | Zeroized by Secure Erase service at boot | Use: SSH authentication, WebUI login Related SSPs: N/A | Input by the User or CO invoking "create additional user" or "Update own password " or "Update others password " services No export; AD / EE | Pass word |
| Entro py input | 256- bits with DF and 384- bits withou t DF | Entropy Source ESV Cert. #E16 | Obtained from non-physical Entropy source | N/A | RAM | Zeroized by Reboot System service | Use: random number generation Related SSPs: DRBG seed | No import No export | Entro py input |
| DRBG seed | 256 bits | CTR_DR BG A2594 A2671 | Derived from the entropy string as defined by [SP 800-90ARev1] | N/A | RAM | Zeroized by Reboot System service | Use: random number generation Related SSPs: Entropy input, DRBG internal state (V and key values) | No import No export | DRBG seed |
| DRBG inter nal state (V and key value s) | 256 bits | CTR_DR BG A2594 A2671 | Derived from the seed as defined by [SP 800-90ARev1] | N/A | RAM | Zeroized by Reboot System service | Use: random number generation Related SSPs: Entropy input, DRBG seed, TLS RSA public key, TLS RSA private key, TLS ECDSA public key, TLS ECDSA private key, TLS EC Diffie-Hellman public key, TLS EC Diffie- Hellman private key, TLS Diffie- Hellman public key, TLS Diffie- Hellman private key, SSH ECDSA | No import No export | DRBG inter nal state (V and key value s) |
112bits to 150bits N/A 112bits to 150bits N/A A 128bits 192bits N/A A 128bits 192bits SP800133Rev2 SP800133Rev2 SP800133Rev2 SP800133Rev2 N/A
4 The " Import/Export" column also defines the distribution and entry options from IG 9.5.A e.g.
Automated Distribution / Electronic Entry = AD/EE © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module 128bits 192bits KASECCSSC 128bits 192bits KASECCSSC 150bits KASFFCSSC 150bits KASFFCSSC SP800133Rev2 SP800133Rev2 SP80056Arev3; SP80056Arev3; N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module preprima t t C) A A DiffieHellm 150bits DiffieHellm 128bits 192bits 256bits KASECCSSC or KASFFCSSC N/A SP80056ARev3 DiffieHellman DiffieHellman N/A 256bits 256bits ) 192bits N/A N/A delete sshkeyswap 192bits SP800133Rev2 SP800133Rev2 N/A delete sshkeyswap © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module 192bits KASECCSSC 192bits KASECCSSC d t 192bits KASECCSSC C) 256bits 256bits ) SP800133Rev2 SP800133Rev2 N/A N/A N/A SP80056ARev3 KAS-ECCSSC N/A © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module 7) N/A N/A 256bits 384bits (V s) N/A e N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
| Name | Key Size | ||
|---|---|---|---|
| Details | Entropy Source | Minimum number of | |
| The CPU Jitter RNG version 3.4.0 entropy source uses jitter variations caused by executing instructions and memory accessed. The entropy source has been shown to provide full 256-bits of entropy at the output of the SHA3-256 vetted conditioning function (Cert. #A2621). | 256-bits | ESV #E16 (non- physical noise source) |
Device Cryptographic Module Table 12 - SSPs The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90ARev1] for the generation of random value used in asymmetric keys. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The module uses the SP800-90B compliant Entropy source specified in Table 13 to seed the DRBG with full entropy. In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. No non-DRBG functions or instances are able to access the DRBG internal state. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The F5 ES is tested in the OEs listed in Table 2. Table 13 - Non-Deterministic Random Number Generation Specification generation services compliant with [FIPS186-4], using a [SP800-90ARev1] DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per [SP800-133r2] (vendor affirmed). The RSA and ECDSA key pairs used for Digital Signature Schemes are generated in accordance with section 5.1 of [SP800-133r2] and maps specifically to [FIPS 186-4]. The ECDH and DH key pairs used for Key Establishment are generated in accordance with section
5.2 of [SP800-133r2] i.e. key generation method specified in [SP 800-56Ar3]. For this module
applicable method from [SP800-56Ar3] is 5.6.1.2 ECC Key Pair Generation which actually maps to [FIPS 186-4]. and 5.6.1.1 FFC Key Pair Generation. © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133r2] section 6.2.1 Symmetric keys generated using Key Agreement Scheme.
The module provides the following key establishment services:
For TLS with EC Diffie-Hellman / Diffie-Hellman key exchange, the TLS pre-primary secret is established during key agreement and is not output from the module. Once the TLS session is established, any key or data transfer performed thereafter is protected by authenticated encryption mode using AES-GCM/ AES-CCM or AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 TLS KDF. For SSH with EC Diffie-Hellman key exchange, the SSH shared secret is established during key agreement and is not output from the module. SSH ECDSA public keys can be imported into the module by the CO and User role using the "Configure SSH user configuration" service. Once the SSH session is established, any key or data transfer performed thereafter is protected by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 SSH KDF. There are no encrypted SSPs that are directly entered. © 2024 F5, Inc. / atsec information security.
As shown in Table 12 the keys are stored in the volatile memory (RAM) in plaintext form and are destroyed when released by the appropriate zeroization calls or when the system is rebooted. The SSPs stored in plaintext in the module's non-volatile memory (SSD/ HDD) are static and will remain on the system across power cycle. SSPs are only accessible to the authenticated operator, to which the SSPs are associated.
The zeroization methods listed in Table 12, overwrites the memory occupied by keys with “zeros” or pre-defined values. The zeroization of temporary values are performed at the closing of the TLS/SSH connection. The zeroization can be enforced by the Crypto Officer and Resource Manager role with the following services:
| Algorithm | Test |
|---|---|
| Control Plane (A2594 Cert.) | |
| non-physical entropy source | SP800-90B health test (APT and RCT) classified as CAST: • at start-up: performed on 1,024 consecutive samples. • during runtime. |
| CTR_DRBG | CAST KAT with AES 256 bits with and without derivation function SP800-90ARev1 section 11.3 health tests |
| AES | CAST KAT of AES encryption / decryption separately with AES-GCM mode and 256-bit key |
The pre-operational self-test are performed automatically whenever the module is powered on. At initialization the module performed the pre-operational self-tests (the integrity test) and the conditional cryptographic algorithm tests (CASTs). Both the pre-operational tests and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module. Services are not available during the pre-operational self-test and the data output interface is inhibited. On successful completion of the pre-operational self-tests, the module enters operational mode and cryptographic services are available. If the module fails any of the tests, it will return an error code and enter into the error state to prohibit any further cryptographic operations.
The integrity of the module is verified by comparing the HMAC-SHA2-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match the system enters the error state and the device will not be accessible. Data output and cryptographic operations are inhibited while the module is in the error state. In order to recover from this state, the module needs to be reinstalled. The HMAC-SHA384 algorithm is selftested prior to the integrity test being run.
The following sub-sections describe the conditional self-tests supported by the module. The conditional self-tests are specified in Table 14. If one of the conditional self-tests fails, the module transitions to the error state and a corresponding error indication is given. The module becomes inoperable, and no services are available. Data output and cryptographic operations are inhibited while the module is in the error State. runtime. If the entropy source health tests fail, then the module moves into the error state.
The module performs cryptographic algorithm self-tests (CASTs) on all Approved cryptographic algorithms. The module performs the CASTs shown in Table 14 during the power-up. The CASTs consist of Known Answer Tests for all the approved cryptographic algorithms, SP800-90B Health © 2024 F5, Inc. / atsec information security.
| Name | Mode Method |
|---|---|
| RSA | CAST KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA2-256 CAST KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA2-256 |
| ECDSA | CAST KAT of ECDSA signature generation using P-256 and SHA2-256 CAST KAT of ECDSA signature verification using P-256 and SHA2-256 |
| KAS-ECC-SSC | CAST KAT of shared secret computation with P-256 curve |
| KAS-FFC-SSC | CAST KAT of shared secret computation with 2048 modulus |
| HMAC-SHA-1, HMAC-SHA2- 256, HMAC-SHA2-384, HMAC-SHA2-512 | CAST KAT of HMAC-SHA-1, CAST KAT of HMAC-SHA2-256 CAST KAT of HMAC-SHA2-384 (prior integrity tests during pre-operational self-tests) CAST KAT of HMAC-SHA2-512 |
| SHA-1, SHA2-256, SHA2-384, SHA2-512 | CAST KATs for all SHA sizes are covered by the respective HMAC KATs (allowed per IG 10.3.B) |
| [SP800-135] KDF | SSH CAST KAT TLS1.2 CAST KAT |
| Data Plane (A2671 Cert.) | |
| AES | CAST KAT of AES encryption with GCM mode and 128-bit key CAST KAT of AES encryption /decryption performed separately with CBC mode and 128-bit key |
| RSA | CAST KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA2-256 CAST KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA2-256 |
| ECDSA | CAST KATs of ECDSA signature generation and verification with P-256 curve, SHA2-256 |
| KAS-ECC-SSC | CAST KAT of shared secret computation with P-256 curve |
| KAS-FFC-SSC | CAST KAT of shared secret computation with 2048 modulus |
| CTR_DRBG | Covered by Control Plane Self-Tests. (Data Plane makes use of the same DRBG implementation provided by Control Plane) |
| [SP800-135] KDF | TLS1.2 CAST KAT |
| HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 | CAST KAT of HMAC-SHA-1 CAST KAT of HMAC-SHA2-256 CAST KAT of HMAC-SHA2-384 CAST KAT of HMAC-SHA2-512 |
| SHA-1, SHA2-256, SHA2-384, SHA2-512 | CAST KATs for all SHA sizes are covered by respective HMAC KATs (allowed per IG 10.3.B) |
Device Cryptographic Module Table 14
| Error State | Cause of Error | Status Indicator |
|---|---|---|
| Halt Error | HMAC-SHA2-384 KAT failure or HMAC-SHA2- 384 integrity test failure | Module will not load |
| Failure of any of the Control Plane CAST KATs, and SP800-90rev1 Health tests and Data Plane CAST KATs | Module will not load | |
| Failure of any of the PCTs | Module will reboot | |
| Failure of the APT, RCT at restart/power-on (CAST for entropy source health test at restart) | Module will not load | |
| Health Test Error | Failure of the APT, RCT at runtime (CAST for entropy source health test at runtime) | The module reboot in a loop |
A pairwise consistency test is run whenever asymmetric keys (RSA, Diffie-Hellman, EC DiffieHellman or ECDSA) are generated. PCT for ECDSA (Control and Data planes) and RSA (Control Plane) Key Pair Generation used for digital signatures is tested by the calculation and verification of a digital signature. PCT for Diffie-Hellman (Control and Data planes) Key Pair Generation is performed following the SP 800-56Arev3 requirements. PCT for EC Diffie-Hellman (Control Plane) Key Pair Generation is covered by ECDSA PCT (IG 10.3.A). PCTs for EC Diffie-Hellman (Data Plane) Key Pair Generation is performed following the SP 800-56Arev3 section 5.6.2.1.4 requirements.
On demand and periodic self-tests are performed by powering off the module and powering it on again. This service performs the same cryptographic algorithm tests executed during preoperational self-tests and CASTs. During the execution of the periodic and on-demand self-tests, crypto services are not available and no data output or input is possible.
Table 15 - Error States In any of the error states, any data output or cryptographic operations are prohibited. The module must reboot to re-loaded with a fresh image to clear the error condition. All data output and cryptographic operations are inhibited when the module is in an error state. © 2024 F5, Inc. / atsec information security.
The module is distributed as a part of a BIG-IP product which includes the hardware and an installed copy of firmware with version 16.1.3.1. The hardware devices are shipped directly from the hardware manufacturer/authorized subcontractor via trusted carrier and tracked by that carrier. The hardware is shipped in a sealed box that includes a packing slip with a list of components inside, and with labels outside printed with the product nomenclature, sales order number, and product serial number. Upon receipt of the hardware, the customer is required to perform the following verifications:
The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the approved validated configuration. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/16
Before the device is installed in the production environment, tamper-evident labels must be installed in the location identified for each module in Section 7.2. The following steps should be taken when installing or replacing the tamper evident labels on the module. The instructions are also included in F5 Platforms: FIPS Kit Installation provided with each module.
Follow the instructions in the "BIG-IP System: Initial Configuration" guide for the initial setup and configuration of the module.
Device Cryptographic Module
The Crypto Officer should call the show version service (with command "tmsh show sys version" and "tmsh show sys hardware"), then confirm that the provided firmware and hardware versions matches the validated versions shown in Table 2. Any firmware loaded into the module other than version 16.1.3.1 is out of the scope of this validation and will mean that the module is not operating as a FIPS validated module.
The FIPS validated module activation requires installation of the license referred as ‘FIPS license’. The Crypto Officer should call the show license service (with command "tmsh show sys license"), then verify that the list of license flags includes "FIPS 140-3”.
The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the FIPS validated configuration.
Device Cryptographic Module
The module supports two modes of operation, Approved mode and non-Approved mode. The following two tables define which services are available in each mode: Table 8 - Approved Services and Table 9 - Non-Approved Services. Using the non-approved algorithms found in Table 4 - NonApproved Algorithms Not Allowed in the Approved Mode of Operation, means that the module operates in non- Approved mode for the particular session of a particular service.
The User shall consider the following requirements and restrictions when using the module. AESGCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario 1. The implementation of the nonce_explicit management logic inside the module ensures that when the IV exhausts the maximum number of possible values for a given session key, the module triggers a new handshake request to establish a new key. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed. The AES GCM IV generation follows [RFC 5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-3_IG] IG C.H scenario 1; thus, the module is compliant with [SP800-52 Rev2] section 3.3.1.
All the modulus sizes supported by the module have been ACVP tested (per IG C.F). © 2024 F5, Inc. / atsec information security.
The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module Appendix A. Glossary and Abbreviations AES AES-NI Advanced Encryption Standard Advanced Encryption Standard New Instructions CAVP CBC CCM CFB Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback CMAC CMVP CSP Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter CTR DES DSA Counter Mode Data Encryption Standard Digital Signature Algorithm DRBG ECB ECC ESV Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Entropy Source Validation FFC FIPS GCM Finite Field Cryptography Federal Information Processing Standards Publication Galois Counter Mode HMAC KAS KAT Hash Message Authentication Code Key Agreement Schema Known Answer Test KW KWP MAC AES Key Wrap AES Key Wrap with Padding Message Authentication Code NDF NIST OFB PR No Derivation Function National Institute of Science and Technology Output Feedback Prediction Resistance PSS RNG RSA Probabilistic Signature Scheme Random Number Generator Rivest, Shamir, Addleman SHA SHS SSH Secure Hash Algorithm Secure Hash Standard Secure Shell TDES XTS Triple-DES XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 © 2024 F5, Inc. / atsec information security.
Device Cryptographic Module SP800-90A NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-133 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.