| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim Validation, No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Corsec Security, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3356 |
| AES-CCM | A3356 |
| AES-CFB1 | A3356 |
| AES-CFB128 | A3356 |
| AES-CFB8 | A3356 |
| AES-CMAC | A3356 |
| AES-CTR | A3356 |
| AES-ECB | A3356 |
| AES-GCM | A3356 |
| AES-OFB | A3356 |
| AES-XTS Testing Revision 2.0 | A3356 |
| Counter DRBG | A3356 |
| DSA KeyGen (FIPS186-4) | A3356 |
| DSA PQGGen (FIPS186-4) | A3356 |
| DSA PQGVer (FIPS186-4) | A3356 |
| DSA SigGen (FIPS186-4) | A3356 |
| DSA SigVer (FIPS186-4) | A3356 |
| ECDSA KeyGen (FIPS186-4) | A3356 |
| ECDSA KeyVer (FIPS186-4) | A3356 |
| ECDSA SigGen (FIPS186-4) | A3356 |
| ECDSA SigVer (FIPS186-4) | A3356 |
| Hash DRBG | A3356 |
| HMAC DRBG | A3356 |
| HMAC-SHA-1 | A3356 |
| HMAC-SHA2-224 | A3356 |
| HMAC-SHA2-256 | A3356 |
| HMAC-SHA2-384 | A3356 |
| HMAC-SHA2-512 | A3356 |
| KAS-ECC-SSC Sp800-56Ar3 | A3356 |
| KTS-IFC | A3356 |
| RSA KeyGen (FIPS186-4) | A3356 |
| RSA SigGen (FIPS186-4) | A3356 |
| RSA SigVer (FIPS186-4) | A3356 |
| SHA-1 | A3356 |
| SHA2-224 | A3356 |
| SHA2-256 | A3356 |
| SHA2-384 | A3356 |
| SHA2-512 | A3356 |
flowchart LR
%% Deterministic review-risk graph for CorSSL FIPS Object Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>library named: openssl<br/>library named: nss</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for CorSSL FIPS Object Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>library named: openssl<br/>library named: nss</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Corsec Security, Inc. CorSSL™ FIPS Object Module Software Version: 2.0.16.001 FIPS Security Level: 1 Document Version: 0.2 Prepared by: Corsec Security, Inc.
Suite 210 Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 www.corsec.com
Abstract This is a non-proprietary Cryptographic Module Security Policy for the CorSSL™ FIPS Object Module (version 2.0.16.001) from Corsec Security, Inc. (Corsec). This Security Policy describes how the CorSSL™ FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in its Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The CorSSL™ FIPS Object Module is referred to in this document as CorSSL FOM or the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1 – Security Levels | 5 |
| Table 2 – Tested Operational Environments | 7 |
| Table 3 – Approved Algorithms | 8 |
| Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation | 11 |
| Table 5 – Ports and Interfaces | 14 |
| Table 6 – Roles, Service Commands, Input and Output | 15 |
| Table 7 – Approved Services | 16 |
| Table 8 – SSPs | 23 |
| Table 9 – Acronyms and Abbreviations | 33 |
| Figure 1 – GPC Block Diagram | 12 |
| Figure 2 – Module Block Diagram (with Cryptographic Boundary) | 13 |
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 1
DoDIN
CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
ISO/IEC 24759 Section 6. FIPS 140-3 Section Title Security Level [Number Below]
10 Self-Tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A
The module has an overall security level of 1. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
2. Cryptographic Module Specification The CorSSL™ FIPS Object Module is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment.
The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in Table 2. Table 2
1 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R With
2 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R Without
The module is designed to utilize the AES-NI4 extended instruction set when available by the host platform’s CPU for processor algorithm acceleration (PAA) of its AES implementation. There are no vendor-affirmed operational environments claimed. The cryptographic module maintains validation compliance when operating on any general-purpose computer (GPC) provided that the GPC uses any operating system/mode specified on the validation certificate, or another compatible operating system. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment not listed on the validation certificate.
The module implements the Approved algorithms listed in Table 3.
CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
Table 3
5 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.
CBC
ECB
GCM
CKG
CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate5 Standard Key Strengths - 2048/224, 2048/256, Digital signature generation 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) - 1024/160, 2048/224, Digital signature verification 2048/256, 3072/256 (SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512) A3356 ECDSA21 Testing candidates B-233, B-283, B-409, B-571, Key pair generation FIPS PUB 186-4 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - B-163, B-233, B-283, B-409, Public key validation B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 - B-233, B-283, B-409, B-571, Digital signature generation K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2384, SHA2-512) - B-163, B-233, B-283, B-409, Digital signature verification B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512) A3356 HMAC SHA-1, SHA2-224, 112 (minimum) Message authentication FIPS PUB 198-1 SHA2-256, SHA2-384, SHA2-512 A3356 KAS-ECC-SSC22 ephemeralUnified B-233, B-283, B-409, B-571, Shared secret computation NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Key agreement method complies with FIPS 140-3 Implementation Guidance D.F. A3356 KTS23 AES-CCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38C encryption)24 SSP establishment methodology provides between 128 and 256 bits of encryption strength A3356 KTS AES-GCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38D encryption)25 SSP establishment methodology provides between 128 and 256 bits of encryption strength
22 KAS-ECC-SSC
KTS
24 Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is an Approved key transport technique.
25 Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is an Approved key transport technique.
CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate5 Standard Key Strengths A3356 KTS AES with CMAC 128, 192, 256 Key wrap/unwrap (encryption FIPS PUB 197 with message authentication)26 NIST SP 800-38B SSP establishment methodology provides between 128 and 256 bits of encryption strength A3356 KTS AES with HMAC 128, 192, 256 Key wrap/unwrap (encryption FIPS PUB 197 with message authentication)27 FIPS PUB 198-1 SSP establishment methodology provides between 128 and 256 bits of encryption strength A3356 KTS-IFC28 KTS-OAEP-basic rsakpg1-basic Key encapsulation/unNIST SP 800-56Brev2 encapsulation 2048, 3072, 4096, 6144,
SHA2-384, SHA2-512) provides between 112 and 201 bits of encryption strength A3356 RSA29 Key generation mode: 2048, 3072, 4096 Key pair generation FIPS PUB 186-4 B.3.3 ANSI X9.31 2048, 3072, 4096 (SHA2-256, Digital signature generation SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-256, SHA2384, SHA2-512) PKCS#1 v1.5 2048, 3072, 4096 (SHA2-224, Digital signature generation SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS30 2048, 3072, 4096 (SHA2-224, Digital signature generation SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A3356 SHS31 SHA-1, SHA2-224, - Message digest FIPS PUB 180-4 SHA2-256, SHA2-384, SHA2-512 The vendor affirms the following cryptographic security methods:
26 Per FIPS 140-3 Implementation Guidance D.G, AES with CMAC is an Approved key transport technique.
27 Per FIPS 140-3 Implementation Guidance D.G, AES with HMAC is an Approved key transport technique.
RSA
CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 below illustrates a block diagram of a typical GPC and the module’s physical perimeter.
32 Per FIPS 140-3 Implementation Guidance D.G, AES in any Approved mode is an Approved key transport technique (for unwrapping only).
CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: BIOS
Calling Application fipscanister KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Status Output CPU Memory Storage Ports System Calls Host Device Figure 2
Once all pre-operational self-tests have completed successfully, the module supports only an Approved mode of operation. Table 3, Table 4, and above list the algorithms available in the Approved mode; Table 7 provides descriptions of the Approved services. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.
The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs cryptographic initialization or management functions and general security services. The module also supports the following role(s):
Role Service Input Output User Calculate key agreement API call parameter Status, key pairs primitive User Perform key wrapping API call parameter, encryption key, Status, encrypted key key User Perform key unwrapping API call parameters, decryption Status, decrypted key key, encrypted key User Perform key encapsulation API call parameter, encryption key, Status, encrypted key key User Perform key un-encapsulation API call parameters, decryption Status, decrypted key key, encrypted key User Generate signature API call parameters, key, message Status, signature User Verify signature API call parameters, key, signature, Status message
The module does not support authentication methods; operators implicitly assume an authorized role based on the service selected.
Descriptions of the services available are provided in Table 7 below. The keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:
Service Description Approved Security Keys and/or SSPs Roles Access Rights to Keys and/or Indicator Function(s) SSPs Perform Encrypt plaintext AES (Cert. A3356) AES key User AES key
The module does not provide any non-Approved services. Thus, as allowed per section 2.4.C of FIPS 140-3 Implementation Guidance, the module provides indicators for the use of Approved services through a combination of an explicit indication (via a global Approved mode indicator) and an implicit indication (via the API return indicating the successful completion of the service). CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
5. Software/Firmware Security The module's integrity is verified via a pre-operational self-test that uses an Approved integrity technique implemented within the cryptographic module itself. The entirety of the software cryptographic module is verified using a single embedded HMAC SHA-1 digest value. The module computes an HMAC SHA-1 digest at runtime and compares it to the embedded digest value; failure of the integrity test will cause the module to enter a critical error state. The module’s integrity test is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. This integrity test can also be performed on demand by the module operator by issuing the FIPS_selftest() API command. The CorSSL™ FIPS Object Module is not a standalone application; it is a cryptographic toolkit intended for use in a with a vendor’s solution. The module will be linked to a host application, and the host application will be preinstalled onto a target platform by the vendor or installed onto target platforms by the end-user. The module itself requires no configuration steps to be performed by application developers or end-users, and no action is required from developers or end-users to initialize the module for operation. The module is designed with a default entry point (DEP) that ensures that the pre-operational tests and conditional CASTS are initiated automatically when the module is loaded. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
6. Operational Environment The CorSSL™ FIPS Object Module comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environment provides the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
7. Physical Security The cryptographic module is implemented completely in software, such that the physical security is provided solely by the host device. Therefore, per ISO/IEC 19790:2012 7.7.1, this section is not applicable. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques references in ISO/IEC 19790:2021 Annex F. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
9. Sensitive Security Parameter Management
The module supports the keys and other SSPs listed Table 8 below. Table 8
Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Name/Type and Cert. Number Related Keys DSA private 128 or 256 bits DSA Generated IMPORT: - Not Unload Digital key (Cert. A3356) internally via Imported in persistently module; API signature (CSP) Approved plaintext via API stored by the call; Remove generation DRBG parameter module power EXPORT: Exported in plaintext via API parameter DSA public key 80 or 256 bits DSA Generated IMPORT: - Not Unload Digital (PSP) (Cert. A3356) internally via Imported in persistently module; API signature Approved plaintext via API stored by the call; Remove verification DRBG parameter module power EXPORT: Exported in plaintext via API parameter ECDSA private Between 80 ECDSA Generated IMPORT: - Not Unload Digital key and 256 bits (Cert. A3356) internally via Imported in persistently module; API signature (CSP) Approved plaintext via API stored by the call; Remove generation DRBG parameter module power EXPORT: Exported in plaintext via API parameter ECDSA public Between 80 ECDSA Generated IMPORT: - Not Unload Digital key (PSP) and 256 bits (Cert. A3356) internally via Imported in persistently module; API signature Approved plaintext via API stored by the call; Remove verification DRBG parameter module power EXPORT: Exported in plaintext via API parameter ECDH private Between 128 KAS-SSC Generated IMPORT: - Not Unload Computation key and 256 bits (Cert. A3356) internally via Imported in persistently module; API of ECDH (CSP) Approved plaintext via API stored by the call; Remove shared secret DRBG parameter module power EXPORT: Exported in plaintext via API parameter ECDH public Between 128 KAS-SSC Generated IMPORT: - Not Unload Computation key and 256 bits (Cert. A3356) internally via Imported in persistently module; API of ECDH (PSP) Approved plaintext via API stored by the call; Remove shared secret DRBG parameter module power EXPORT: Exported in plaintext via API parameter Other SSPs AES GCM IV - AES (GCM mode) - - Constructed at Not Unload Initialization (PSP) (Cert. A3356) its entirety persistently module; API vector for AES internally stored by the call; Remove GCM deterministically module power DRBG Entropy - DRBG - IMPORT: - Plaintext in Unload Used in Input (Cert. A3356) Imported in volatile module; API random bit (CSP) plaintext via API memory call; Remove generation parameter power (Counter, Hash, HMAC) EXPORT: Never exported DRBG Seed - DRBG Generated - - Not Unload Used in (CSP) (Cert. A3356) internally persistently module; API random bit stored by the call; Remove generation module power DRBG ‘C’ Value - DRBG Generated - - Plaintext in Unload Used in (CSP) (Cert. A3356) internally volatile module; API random bit memory call; Remove generation power (Hash) CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Name/Type and Cert. Number Related Keys DRBG ‘V’ - DRBG Generated - - Plaintext in Unload Used in Value (Cert. A3356) internally volatile module; API random bit (CSP) memory call; Remove generation power (Counter, Hash, HMAC) DRBG ‘Key’ - DRBG Generated - - Plaintext in Unload Used in Value (Cert. A3356) internally volatile module; API random bit (CSP) memory call; Remove generation power (Counter, HMAC)
The module implements the following Approved DRBG(s):
There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.
Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For temporarily stored SSPs, zeroization of sensitive data is performed automatically by API function calls. The module will first overwrite existing values with “0”s and then free the memory. Additionally, module operators can unload the module from memory or reboot/power-cycle the host device.
The cryptographic module’s entropy scheme follows the scenario given in FIPS 140-3 Implementation Guidance 9.3.A, section 2(b). The module invokes a GET command to obtain entropy for random number generation (the module requests 256 bits of entropy from the calling application per request), and then passively receives entropy from the calling CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
application while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the physical perimeter of the module’s operational environment but outside its cryptographic boundary. Thus, there is no assurance of the minimum strength of the generated SSPs. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.
The module performs the following pre-operational self-test(s):
Conditional self-tests are performed by the module during module operation when certain conditions exist. The module performs the following conditional self-tests:
To ensure all CASTs are performed prior to the first operational use of the associated algorithm, all CASTs are performed during the module’s initial power-up sequence. The SHA and HMAC KATs are performed prior to the pre-operational software integrity test; all other CASTs are executed after the successful completion of the software integrity test.
Upon failure of any of the module’s pre-operational or conditional self-tests, the module will enter a critical error state. An internal global error flag FIPS_selftest_fail will be set and subsequently tested to prevent the execution of any cryptographic services while the error state persists. For any subsequent request for cryptographic services, the module will return an error result consistent with the API’s function declaration for every invocation. To recover, the module must be re-instantiated, or the host device must be rebooted/power-cycled. If these recovery methods do not result in the successful completion of all pre-operational self-tests and conditional CASTs, then the module will not be able to resume normal operations, and the CO should contact Corsec Security, Inc. for assistance. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:
The module is distributed third-party vendors as a package containing the binary and HMAC digest file that the Crypto Officer is to install onto a target platform specified in section 2.1 above or one where portability is maintained.
This module is designed to support third-party vendor applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required to initialize the module. The pre-operational integrity test and cryptographic algorithm self-tests are performed automatically via a DEP when the module is loaded for execution by the calling application, without any specific action from the calling application or the end-user. The DEP invokes self-test code by calling the FIPS_mode_set() API command with a non-zero parameter. If successful, this action sets an internal Approved mode flag to ‘TRUE’, placing the module in its Approved mode. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.
No startup steps are required to be performed by end-users.
There are no specific management activities required of the CO role to ensure that the module runs securely. If any irregular activity is observed, or if the module is consistently reporting errors, then Corsec Customer Support should be contacted. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
The following list provides additional guidance for the CO:
The following list provides additional policies for module operators acting in a non-administrative role:
12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
Appendix A. Acronyms and Abbreviations Table 9 provides definitions for the acronyms and abbreviations used in this document. Table 9
Term Definition OS Operating System PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, and Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard SP Special Publication CorSSL™ FIPS Object Module 2.0.16.001 ©2024 Corsec Security, Inc.
Prepared by: Corsec Security, Inc.
Fairfax, Virginia 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com