| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys) and random strings. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs |
| Vendor | SafeLogic Inc. |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for CryptoComply 140-3 FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>FIPS_STATE_ERROR<br/>entered an error</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CO<br/>Self-Test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for CryptoComply 140-3 FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>FIPS_STATE_ERROR<br/>entered an error</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>CO<br/>Self-Test<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;SafeLogic Inc. CryptoComply 140-3 FIPS Provider Software Versions 3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3 Document Version 1.1a June 27, 2024 SafeLogic Inc.
Palo Alto, CA 94301 www.safelogic.com Document Version 1.1a © SafeLogic Inc.
| # | Section | Page |
|---|---|---|
| 1 | General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 6 |
| 2 | Cryptographic Module Specification | 7 |
| 2.1 | Description | 7 |
| 2.2 | Version Information | 8 |
| 2.3 | Operating Environments | 8 |
| 2.4 | Excluded Components | 11 |
| 2.5 | Modes of Operation | 11 |
| 2.6 | Algorithms | 13 |
| 2.7 | Module Block Diagram | 42 |
| 2.8 | Security Function Implementations | 43 |
| 2.9 | Algorithm Specific Information | 43 |
| 2.10 | RNG and Entropy | 46 |
| 2.11 | Key Generation | 46 |
| 2.12 | Key Establishment | 47 |
| 2.13 | Industry Protocols | 47 |
| 2.14 | Design and Rules | 47 |
| 2.15 | Initialisation | 48 |
| 3 | Cryptographic Module Interfaces | 49 |
| 3.1 | Ports and Interfaces | 49 |
| 3.2 | Additional Information | 49 |
| 4 | Roles, Services, and Authentication | 50 |
| 4.1 | Roles | 50 |
| 4.2 | Authentication Methods | 52 |
| 4.3 | Approved Services | 52 |
| 4.4 | Non-Approved Services | 63 |
| 4.5 | External Software/Firmware Loaded | 63 |
| 5 | Software/Firmware Security | 64 |
| 5.1 | Integrity Techniques | 64 |
| 5.2 | Initiate on Demand | 64 |
| 6 | Operational Environment | 65 |
| 6.1 | Operational Environment Type and Requirements | 65 |
| 6.2 | Configuration Settings and Restrictions | 65 |
| 7 | Physical Security | 66 |
| 8 | Non-Invasive Security | 67 |
| 9 | Sensitive Security Parameter Management | 68 |
| 9.1 | Storage Areas | 68 |
| 9.2 | SSP Input-Output Methods | 68 |
| 9.3 | SSP Zeroisation Methods | 69 |
| 9.4 | SSPs | 70 |
| 9.5 | Transitions | 85 |
| 10 | Self-Tests | 87 |
| 10.1 | Pre-Operational Self-Tests | 87 |
| 10.2 | Conditional Self-Tests | 87 |
| 10.3 | Periodic Self-Tests | 96 |
| 10.4 | Error States | 96 |
| 10.5 | Operator Initiation | 97 |
| 11 | Life-Cycle Assurance | 98 |
| 11.1 | Startup Procedures | 98 |
| 11.2 | Administrator Guidance | 99 |
| 11.3 | Non-Administrator Guidance | 99 |
| 11.4 | End of Life | 99 |
| 12 | Mitigation of Other Attacks | 100 |
| 12.1 | Attack List | 100 |
| 12.2 | Mitigation Effectiveness | 100 |
| 12.3 | Guidance and Constraints | 100 |
9.3 9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 12.1 12.2 12.3 Document Version 1.1a © SafeLogic Inc.
| Item | Page |
|---|---|
| Table 1 - Security Levels | 6 |
| Table 2 - Version Information | 8 |
| Table 3 – Tested Operational Environments | 8 |
| Table 4 - Executable Code Sets | 10 |
| Table 5 - Vendor Affirmed Operational Environments | 10 |
| Table 6 - Modes of Operation | 11 |
| Table 7 - Approved Algorithms | 13 |
| Table 8 - Non-Approved Algorithms Allowed in the Approved Mode of Operation | 41 |
| Table 9 - Security Function Implementations | 43 |
| Table 10 - Ports and Interfaces | 49 |
| Table 11 - Roles | 50 |
| Table 12 – Roles, Service Commands, Input and Output | 50 |
| Table 13 – Roles and Authentication | 52 |
| Table 14 - Approved Services | 53 |
| Table 15 – Storage Areas | 68 |
| Table 16 – SSP Input-Output Methods | 68 |
| Table 17 – SSP Zeroisation Methods | 69 |
| Table 18 – SSPs | 70 |
| Table 19 – SSPs, Additional Details | 82 |
| Table 20 – Pre-Operational Self-Tests | 87 |
| Table 21 - Conditional Self-Tests | 88 |
| Table 22 - Periodic Information | 96 |
| Table 23 - Error States | 96 |
| Figure 1 - Module Block Diagram and Cryptographic Boundary | 42 |
This document provides a non-proprietary FIPS 140-3 Security Policy for CryptoComply 140-3 FIPS Provider. SafeLogic Inc.'s CryptoComply 140-3 FIPS Provider is designed to provide FIPS 140-3 validated cryptographic functionality and is available for licensing. For more information, visit www.safelogic.com/cryptocomply.
Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules, (FIPS 140-3) specifies the latest requirements for cryptographic modules utilized to protect sensitive but unclassified information. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) collaborate to run the Cryptographic Module Validation Program (CMVP), which assesses conformance to FIPS 140. NIST (through NVLAP) accredits independent testing labs to perform FIPS 140 testing. The CMVP reviews and validates modules tested against FIPS
140 criteria. Validated is the term given to a module that has successfully gone through this FIPS 140
validation process. Validated modules receive a validation certificate that is posted on the CMVP’s website. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program.
This non-proprietary cryptographic module Security Policy for CryptoComply 140-3 FIPS Provider from SafeLogic Inc. (SafeLogic) provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-3. This document includes details on the module’s cryptographic capabilities, services, sensitive security parameters, and self-tests. This Security Policy also includes guidance on operating the module while maintaining compliance with FIPS 140-3. CryptoComply 140-3 FIPS Provider may also be referred to as the “module” in this document.
The SafeLogic website (www.safelogic.com) contains information on SafeLogic services and products. The CMVP website maintains all FIPS 140 certificates for SafeLogic’s FIPS 140 validations. These certificates also include SafeLogic contact information. Document Version 1.1a © SafeLogic Inc.
| Name | ISO Section | Requirement | Level | General | 1 | |
|---|---|---|---|---|---|---|
| 2 | Cryptographic Module Specification | 1 | 2 | |||
| 3 | 3 | Cryptographic Module Interfaces | 1 | |||
| 4 | Roles, Services, and Authentication | 1 | 4 | |||
| 5 | 5 | Software/Firmware Security | 1 | |||
| 6 | Operational Environment | 1 | 6 | |||
| 7 | 7 | Physical Security | N/A | |||
| 8 | Non-Invasive Security | N/A | 8 | |||
| 9 | 9 | Sensitive Security Parameter Management | 1 | |||
| 10 | Self-Tests | 1 | 10 | |||
| 11 | 11 | Life-Cycle Assurance | 1 | |||
| 12 | Mitigation of Other Attacks | 1 | 12 | |||
| Overall Level | Overall Level | 1 |
This document may be freely reproduced and distributed, but only in its entirety and without modification.
The following table lists the module’s level of validation for each area in FIPS 140-3. Table 1 - Security Levels [Number Below] Document Version 1.1a © SafeLogic Inc. N/A N/A
CryptoComply 140-3 FIPS Provider is a standards-based “Drop-in Compliance™” cryptographic engine. The module delivers core cryptographic functions to applications such as servers, personal computers, mobile devices, and appliances. The module features robust algorithm support, including CNSA algorithms. The module delivers cryptographic services to host applications through a C language Application Programming Interface (API).
The module's cryptographic boundary is delimited by the module’s components, as well as the instantiation of the cryptographic module saved in memory and executed by the processor. The executable files that constitute the cryptographic module are listed in Table 4 - Executable Code Sets. Additionally, the module’s integrity value is included inside the boundary. Refer to the block diagram in Figure 1 (Security Policy Section 2.7 - Module Block Diagram) for additional detail. 2.1.5.1 Tested Operational Environment’s Physical Perimeter (TOEPP) As a software cryptographic module, the module operates within the Tested Operational Environment’s Physical Perimeter (TOEPP). The TOEPP consists of the Operating System (OS) and the physical perimeter of the General Purpose Computer (GPC). This TOEPPe comprises the Operational Environment (OE) that the module operates in, the module itself, and all other applications that operate within the OE, including the host application for the module. Document Version 1.1a © SafeLogic Inc.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # | Operating System | Hardware Platform | Processor | PAA/Acceleration | ||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Software | Software | 3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3 | |||||||||
| 1. | AlmaLinux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 1. | 1. | AlmaLinux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | |
| 2. | AlmaLinux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 2. | ||||||
| 3. | Android 13 | Google Pixel 7 | Google Tensor G2 | No | 3. | ||||||
| 4. | Debian 11 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 4. | ||||||
| 5. | Debian 11 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 5. | ||||||
| 6. | FreeBSD 13 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 6. |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # | Operating System | Hardware Platform | Processor | PAA/Acceleration | ||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Software | Software | 3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3 | |||||||||
| 1. | AlmaLinux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 1. | 1. | AlmaLinux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | |
| 2. | AlmaLinux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 2. | ||||||
| 3. | Android 13 | Google Pixel 7 | Google Tensor G2 | No | 3. | ||||||
| 4. | Debian 11 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 4. | ||||||
| 5. | Debian 11 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 5. | ||||||
| 6. | FreeBSD 13 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 6. | ||||||
| 7. | FreeBSD 13 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 7. | 7. | FreeBSD 13 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | |
| 8. | iOS 16 | iPhone 13 Mini | Apple A15 Bionic | No | 8. | ||||||
| 9. | iPadOS 16 | iPad Air (2022) | Apple M1 | No | 9. | ||||||
| 10. | macOS 13 (Ventura) | Mac Mini M2 | Apple M2 | No | 10. | ||||||
| 11. | Oracle Solaris 11.4 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 11. | ||||||
| 12. | Oracle Solaris 11.4 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 12. | ||||||
| 13. | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 13. | Red Hat Enterprise | ||||||
| 14. | Red Hat Enterprise Linux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 14. | ||||||
| 15. | Rocky Linux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 15. | ||||||
| 16. | Rocky Linux 9 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 16. | ||||||
| 17. | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 17. | SUSE Linux | ||||||
| 18. | SUSE Linux Enterprise Server 15 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 18. | ||||||
| 19. | Ubuntu 22.04 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 19. | ||||||
| 20. | Ubuntu 22.04 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 20. | ||||||
| 21. | Windows 10 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 21. | ||||||
| 22. | Windows 10 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 22. | ||||||
| 23. | Windows 11 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 23. | ||||||
| 24. | Windows 11 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 24. | ||||||
| 25. | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 25. | Windows Server | ||||||
| 26. | Windows Server 2019 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 26. | ||||||
| 27. | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | AES_NI | 27. | Windows Server | ||||||
| 28. | Windows Server 2022 | Dell PowerEdge R830 | Intel Xeon E5-4667v4 | No | 28. |
Refer to the block diagram in Figure 1 (Security Policy Section 2.7 - Module Block Diagram) for additional detail.
Table 2 - Version Information Note: versions 3.0.0-FIPS 140-3 and 3.0.1-FIPS 140-3 have identical functionality and APIs, however an internal modification permits the module to be built as a dynamic or static build.
The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module operates on a general purpose computer (GPC) running a general purpose operating system (GPOS). The module was tested in the following operating environments specified in the table below. Testing on iOS 16 and iPadOS 16 was performed with module version 3.0.1-FIPS 140-3 and testing on all other OEs was performed with module version 3.0.0-FIPS 140-3. Table 3
# 7. 8. 9. Document Version 1.1a © SafeLogic Inc.
| Name | Operating System | Hardware Platform | # | Operating System | Hardware Platform | ||||
|---|---|---|---|---|---|---|---|---|---|
| fips.a | fips.a | 3.0.1-FIPS 140-3 | Compiled as a static library, tested on iOS and iPadOS | HMAC-SHA-256 | |||||
| 1. | AlmaLinux 9 | Any general-purpose platform that supports this OS | 1. | 1. | AlmaLinux 9 | Any general-purpose platform that supports this OS | |||
| 2. | Android 13 | Any general-purpose mobile platform that supports this OS | 2. | ||||||
| 3. | Debian 11 | Any general-purpose platform that supports this OS | 3. | ||||||
| 4. | FreeBSD 13 | Any general-purpose platform that supports this OS | 4. | ||||||
| 5. | iOS 16 | Any general-purpose mobile platform that supports this OS | 5. | ||||||
| 6. | iPadOS 16 | Any general-purpose mobile platform that supports this OS | 6. | ||||||
| 7. | macOS 13 (Ventura) | Any general-purpose platform that supports this OS | 7. | ||||||
| 8. | Oracle Solaris 11.4 | Any general-purpose platform that supports this OS | 8. |
| Name | Operating System | Hardware Platform | # | Operating System | Hardware Platform | ||||
|---|---|---|---|---|---|---|---|---|---|
| fips.a | fips.a | 3.0.1-FIPS 140-3 | Compiled as a static library, tested on iOS and iPadOS | HMAC-SHA-256 | |||||
| 1. | AlmaLinux 9 | Any general-purpose platform that supports this OS | 1. | 1. | AlmaLinux 9 | Any general-purpose platform that supports this OS | |||
| 2. | Android 13 | Any general-purpose mobile platform that supports this OS | 2. | ||||||
| 3. | Debian 11 | Any general-purpose platform that supports this OS | 3. | ||||||
| 4. | FreeBSD 13 | Any general-purpose platform that supports this OS | 4. | ||||||
| 5. | iOS 16 | Any general-purpose mobile platform that supports this OS | 5. | ||||||
| 6. | iPadOS 16 | Any general-purpose mobile platform that supports this OS | 6. | ||||||
| 7. | macOS 13 (Ventura) | Any general-purpose platform that supports this OS | 7. | ||||||
| 8. | Oracle Solaris 11.4 | Any general-purpose platform that supports this OS | 8. | ||||||
| 9. | Red Hat Enterprise Linux 9 | Any general-purpose platform that supports this OS | 9. | 9. | Any general-purpose platform that supports this OS | ||||
| 10. | Rocky Linux 9 | Any general-purpose platform that supports this OS | 10. | ||||||
| 11. | SUSE Linux Enterprise Server 15 | Any general-purpose platform that supports this OS | 11. | ||||||
| 12. | Ubuntu 22.04 | Any general-purpose platform that supports this OS | 12. | ||||||
| 13. | Windows 10 | Any general-purpose platform that supports this OS | 13. | ||||||
| 14. | Windows 11 | Any general-purpose platform that supports this OS | 14. | ||||||
| 15. | Windows Server 2019 | Any general-purpose platform that supports this OS | 15. | ||||||
| 16. | Windows Server 2022 | Any general-purpose platform that supports this OS | 16. |
Table 4 - Executable Code Sets
Porting guidance is defined in the FIPS 140-3 CMVP Management Manual Section 7.9. FIPS 140-3 validation compliance can be maintained when the following requirements are met:
| Name | Description | Indicator |
|---|---|---|
| approved mode is | approved mode is | provides a global indicator that services are approved. |
| implemented in the | implemented in the | Additionally, the module provides a status code |
| module. | module. | indicating the completion of each service, as indicated |
Table 6 - Modes of Operation
mode of operation and will operate in this mode once the module is powered on.
Not applicable. Document Version 1.1a © SafeLogic Inc.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |||||
|---|---|---|---|---|---|---|---|---|---|
| AES-CBC | A4593, A5173 | AES-CBC | Strength: 128, 192, 256 bits | Encryption, Decryption | A4593, A5173 | AES-CBC SP 800-38A | AES-CBC | Encryption, Decryption | |
| A4593, A5173 | A4593, A5173 | AES-CBC-CS1 SP 800-38A-Add | AES-CBC-CS1 | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: decrypt, encrypt Key Length: 128, 192, 256 Payload Length: 128-65536 Increment 8 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-CBC-CS2 SP 800-38A-Add | AES-CBC-CS2 | Encryption, Decryption | ||||
| A4593, A5173 | A4593, A5173 | AES-CBC-CS3 SP 800-38A-Add | AES-CBC-CS3 | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: decrypt, encrypt Key Length: 128, 192, 256 Payload Length: 128-65536 Increment 8 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-CCM SP 800-38C | AES-CCM | Encryption, Decryption | ||||
| A4593, A5173 | A4593, A5173 | AES-CFB1 SP 800-38A | AES-CFB1 | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-CFB8 SP 800-38A | AES-CFB8 | Encryption, Decryption | ||||
| A4593, A5173 | A4593, A5173 | AES-CFB128 SP 800-38A | AES-CFB128 | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-CMAC SP 800-38B | AES-CMAC | Generation, Verification | ||||
| A4593, A5173 | A4593, A5173 | AES-CTR SP 800-38A | AES-CTR | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256 Payload Length: 8-128 Increment 8 Incremental Counter Counter Tests Performed | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-ECB SP 800-38A | AES-ECB | Encryption, Decryption | ||||
| A4593, A5173 | A4593, A5173 | AES-GCM SP 800-38D | AES-GCM | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt IV Generation: Internal IV Generation Mode: 8.2.1 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96-1024 Increment 8 Payload Length: 0-65536 Increment 8 AAD Length: 0-65536 Increment 8 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-GCM SP 800-38D | AES-GCM | Encryption, Decryption | ||||
| A4593, A5173 | A4593, A5173 | AES-GMAC SP 800-38D | AES-GMAC | Encryption, Decryption, Generation, Verification | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt IV Generation: Internal IV Generation Mode: 8.2.1 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96-1024 Increment 8 AAD Length: 0-65536 Increment 8 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-GMAC SP 800-38D | AES-GMAC | Encryption, Decryption, Generation, Verification | ||||
| A4593, A5173 | A4593, A5173 | AES-KW SP 800-38F | AES-KW | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt Cipher: Cipher, Inverse Key Length: 128, 192, 256 Payload Length: 128-524288 Increment 128 | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | AES-KWP SP 800-38F | AES-KWP | Encryption, Decryption | ||||
| A4593, A5173 | A4593, A5173 | AES-OFB SP 800-38A | AES-OFB | Encryption, Decryption | Strength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256 | ||||
| A4593, A5173 | Strength: 128, 256 bits | A4593, A5173 | AES-XTS Testing Revision 2.0 SP 800-38E | AES-XTS Testing Revision 2.0 | Encryption, Decryption | ||||
| Vendor affirmed | Vendor affirmed | CKG (SP 800-133Rev2) | CKG (SP 800-133Rev2) | Cryptographic Key Generation; SP 800-133 and IG D.H. | The module uses the direct output of its approved DRBGs for key generation Key Generation per SP 800-133r2: • Section 4: Using the Output of a Random Bit Generator. The module uses the direct output of its approved DRBGs. o As per Section 5, this method is used to supply random values used in the Generation of Key Pairs for Asymmetric-Key Algorithms. • Section 6.2: Derivation of Symmetric Keys. The module also supports key derivation via KDF and SSP agreement. | ||||
| A4593, A5173 | Strength: 128, 192, 256 bits | A4593, A5173 | Counter DRBG SP 800-90A | Counter DRBG | Random Number Generation | ||||
| A4593, A5173 | A4593, A5173 | DSA KeyGen FIPS 186-4 | DSA KeyGen | Key Generation for Key Agreement | Strength: 112 bits Capabilities: L: 2048 N: 224 Capabilities: L: 2048 N: 256 | ||||
| A4593, A5173 | Strength: 112 bits | A4593, A5173 | DSA PQGGen FIPS 186-4 | DSA PQGGen | Key Generation for Key Agreement | ||||
| A4593, A5173 | A4593, A5173 | DSA PQGVer FIPS 186-4 | DSA PQGVer | Legacy Key Verification | Strength: 80, 112 bits Capabilities: P/Q Generation Methods: Probable G Generation Methods: Canonical, Unverifiable L: 1024 N: 160 Hash Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256 Capabilities: P/Q Generation Methods: Probable G Generation Methods: Canonical, Unverifiable L: 2048 N: 224 Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Capabilities: P/Q Generation Methods: Probable G Generation Methods: Canonical, Unverifiable L: 2048 N: 256 Hash Algorithm: SHA2-256, SHA2-384, SHA2-512, SHA2-512/256 | ||||
| DSA SigVer | A4593, A5173 | DSA SigVer | Strength: 80, 112, 128 bits | Legacy Signature Verification | A4593, A5173 | DSA SigVer FIPS 186-4 | DSA SigVer | Legacy Signature Verification | |
| A4593, A5173 | A4593, A5173 | ECDSA KeyGen FIPS 186-4 | ECDSA KeyGen | Key Generation | Strength: 112-256 bits Curve: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode: Testing Candidates | ||||
| A4593, A5173 | Strength: 80 bits (Legacy), 112-256 bits | A4593, A5173 | ECDSA KeyVer FIPS 186-4 | ECDSA KeyVer | Key Verification | ||||
| A4593, A5173 | A4593, A5173 | ECDSA SigGen FIPS 186-4 | ECDSA SigGen | Signature Generation | Strength: 112-256 bits Curve: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | ||||
| A4593, A5173 | Strength: 80 bits (Legacy), 112-256 bits | A4593, A5173 | ECDSA SigVer FIPS 186-4 | ECDSA SigVer | Signature Verification | ||||
| A4593, A5173 | A4593, A5173 | EDDSA keygen FIPS 186-5 | EDDSA keygen | Key Generation | Strength: 128, 224 bits Curve: ED-25519, ED-448 | ||||
| A4593, A5173 | Strength: 128, 224 bits | A4593, A5173 | EDDSA keyVer FIPS 186-5 | EDDSA keyVer | Key Verification | ||||
| A4593, A5173 | A4593, A5173 | EDDSA SigGen FIPS 186-5 | EDDSA SigGen | Signature Generation | Strength: 128, 224 bits Curve: ED-25519, ED-448 | ||||
| A4593, A5173 | Strength: 128, 224 bits | A4593, A5173 | EDDSA SigVer FIPS 186-5 | EDDSA SigVer | Signature Verification | ||||
| A4593, A5173 | A4593, A5173 | Hash DRBG SP 800-90A | Hash DRBG | Random Number Generation | Strength: 128 bits for SHA-1, 256 bits for SHA-256 and SHA-512 Prediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA-1 Entropy Input: 128-256 Increment 64 Nonce: 96-128 Increment 32 Personalization String Length: 0-256 Increment 128 Additional Input: 0-256 Increment 128 Returned Bits: 160 Capabilities: Mode: SHA2-256 Entropy Input: 256-320 Increment 64 Nonce: 128-160 Increment 32 Personalization String Length: 0-256 Increment 128 Additional Input: 0-256 Increment 128 Returned Bits: 256 Capabilities: Mode: SHA2-512 Entropy Input: 256-320 Increment 64 Nonce: 128-160 Increment 32 Personalization String Length: 0-256 Increment 128 Additional Input: 0-256 Increment 128 Returned Bits: 512 | ||||
| HMAC DRBG | A4593, A5173 | HMAC DRBG | Strength: 128 bits for SHA-1, 256 bits for SHA-256 and SHA-512 | Random Number Generation | A4593, A5173 | HMAC DRBG SP 800-90A | HMAC DRBG | Random Number Generation | |
| A4593, A5173 | A4593, A5173 | HMAC-SHA-1 FIPS 198-1 | HMAC-SHA-1 | Message Authentication | Strength: 128 bits MAC: 32-160 Increment 8 Key Length: 8-524288 Increment 8 | ||||
| A4593, A5173 | Strength: 192 bits | A4593, A5173 | HMAC-SHA2-224 FIPS 198-1 | HMAC-SHA2-224 | Message Authentication | ||||
| A4593, A5173 | A4593, A5173 | HMAC-SHA2-256 FIPS 198-1 | HMAC-SHA2-256 | Message Authentication | Strength: 256 bits MAC: 32-256 Increment 8 Key Length: 8-524288 Increment 8 | ||||
| A4593, A5173 | Strength: 256 bits | A4593, A5173 | HMAC-SHA2-384 FIPS 198-1 | HMAC-SHA2-384 | Message Authentication | ||||
| A4593, A5173 | A4593, A5173 | HMAC-SHA2-512 FIPS 198-1 | HMAC-SHA2-512 | Message Authentication | Strength: 256 bits MAC: 32-512 Increment 8 Key Length: 8-524288 Increment 8 | ||||
| A4593, A5173 | Strength: 192 bits | A4593, A5173 | HMAC-SHA2-512/224 FIPS 198-1 | HMAC-SHA2-512/224 | Message Authentication | ||||
| A4593, A5173 | A4593, A5173 | HMAC-SHA2-512/256 FIPS 198-1 | HMAC-SHA2-512/256 | Message Authentication | Strength: 256 bits MAC: 32-256 Increment 8 Key Length: 8-524288 Increment 8 | ||||
| A4593, A5173 | Strength: 192 bits | A4593, A5173 | HMAC-SHA3-224 FIPS 198-1 | HMAC-SHA3-224 | Message Authentication | ||||
| A4593, A5173 | A4593, A5173 | HMAC-SHA3-256 FIPS 198-1 | HMAC-SHA3-256 | Message Authentication | Strength: 256 bits MAC: 32-256 Increment 8 Key Length: 8-524288 Increment 8 | ||||
| A4593, A5173 | Strength: 256 bits | A4593, A5173 | HMAC-SHA3-384 FIPS 198-1 | HMAC-SHA3-384 | Message Authentication | ||||
| A4593, A5173 | A4593, A5173 | HMAC-SHA3-512 FIPS 198-1 | HMAC-SHA3-512 | Message Authentication | Strength: 256 bits MAC: 32-512 Increment 8 Key Length: 8-524288 Increment 8 | ||||
| A4593, A5173 | Strength: 112-256 bits | A4593, A5173 | KAS-ECC-SSC SP 800-56Ar3 | KAS-ECC-SSC | Key Agreement | ||||
| A4593, A5173 | A4593, A5173 | KAS-FFC-SSC SP 800-56Ar3 | KAS-FFC-SSC | Key Agreement | Strength: 112 bits (FB, FC), 112-200 bits (Safe Primes) Domain Parameter Generation Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme: dhEphem: KAS Role: initiator, responder | ||||
| KAS-IFC-SSC | A4593, A5173 | KAS-IFC-SSC | Strength: 112-256 bits | Key Agreement | A4593, A5173 | KAS-IFC-SSC SP 800-56Br2 | KAS-IFC-SSC | Key Agreement | |
| A4593, A5173 | A4593, A5173 | KDA HKDF SP 800-56Cr2 | KDA HKDF | Key Derivation | Strength: 128, 192, 256 bits Fixed Info Pattern: algorithmId||l||uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation Derived Key Length: 2048 Shared Secret Length: 224-8192 Increment 8 HMAC Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 |
The module implements the following approved algorithms that have been tested by the Cryptographic Algorithm Validation Program (CAVP). Table 7 - Approved Algorithms Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
| Name | Key Size | Use Function | ||
|---|---|---|---|---|
| KDA OneStep SP 800-56Cr2 | Strength: 128, 192, 256 bits | Key Derivation | A4593, A5173 | KDA OneStep |
Document Version 1.1a © SafeLogic Inc.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |||||
|---|---|---|---|---|---|---|---|---|---|
| A4593, A5173 | A4593, A5173 | KDA TwoStep SP 800-56Cr2 | KDA TwoStep | Strength: 128, 192, 256 bits Fixed Info Pattern: algorithmId||l||uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation KDF Mode: feedback MAC Modes: HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2- 384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC- SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 Fixed Data Order: after fixed data Counter Lengths: 8 The KDF supports an empty IV The KDF requires an empty IV Supported Lengths: 2048 Derived Key Length: 2048 Shared Secret Length: 224-8192 Increment 8 | Key Derivation | ||||
| KDF ANS 9.42 | A4593, A5173 | KDF ANS 9.42 | Strength: 128, 192, 256 bits | Key Derivation | A4593, A5173 | KDF ANS 9.42 SP 800-135r1 CVL | KDF ANS 9.42 | Key Derivation | |
| CVL | KDF Type: DER | ||||||||
| A4593, A5173 | A4593, A5173 | KDF ANS 9.63 SP 800-135r1 CVL | KDF ANS 9.63 | Strength: 192, 256 bits Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512 Field Size: 224, 571 Shared Info Length: 0, 1024 Key Data Length: 128, 4096 | Key Derivation | ||||
| A4593, A5173 | Strength: 128, 256 bits | A4593, A5173 | KDF KMAC SP 800-108r1 | KBKDF KMAC | Key Derivation | ||||
| A4593, A5173 | A4593, A5173 | KDF SP 800-108r1 | KBKDF | Strength: 128, 192, 256 bits Capabilities: KDF Mode: Counter MAC Mode: CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3- 256, HMAC-SHA3-384, HMAC-SHA3-512 Supported Lengths: 8, 72, 128, 776, 3456, 4096 Fixed Data Order: Before Fixed Data Counter Length: 32 Custom Key In Length: 0 Capabilities: KDF Mode: Feedback MAC Mode: CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3- 256, HMAC-SHA3-384, HMAC-SHA3-512 Supported Lengths: 8, 72, 128, 776, 3456, 4096 Fixed Data Order: Before Fixed Data Counter Length: 32 Custom Key In Length: 0 | Key Derivation | ||||
| KDF SSH | A4593, A5173 | KDF SSH | Strength: 128, 192, 256 bits | Key Derivation | A4593, A5173 | KDF SSH SP 800-135r1 CVL | KDF SSH | Key Derivation | |
| CVL | Cipher: AES-128, AES-192, AES-256 | ||||||||
| A4593, A5173 | A4593, A5173 | KMAC-128 SP 800-185 | KMAC-128 | Strength: 128 bits Message Length: 0-65536 Increment 8 MAC Length: 32-65536 Increment 8 Key Data Length: 128-1024 Increment 8 Supports eXtendable-Output Functions: Yes, No | Key Derivation | ||||
| A4593, A5173 | Strength: 256 bits | A4593, A5173 | KMAC-256 SP 800-185 | KMAC-256 | Key Derivation | ||||
| A4593, A5173 | A4593, A5173 | KTS (AES) SP 800-38F | KTS (AES) | Strength: 128, 192, 256 bits AES-KW, AES-KWP Key Length: 128, 192, 256 Additional detail provided in Table 9 - Security Function Implementations in the entry for the KeyWrapping function | Key Transport | ||||
| A4593, A5173 | Strength: 112-200 bits | A4593, A5173 | KTS-IFC SP 800-56Br2 | KTS-IFC | Key Transport | ||||
| A4593, A5173 | A4593, A5173 | PBKDF SP 800-132 | PBKDF | Strength: 128, 192, 256 bits Iteration Count: 1-10000 Increment 1 HMAC Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length: 8-128 Increment 8 Salt Length: 128-4096 Increment 8 Key Data Length: 112-4096 Increment 8 | Key Derivation | ||||
| A4593, A5173 | Strength: 112, 128, 150 bits | A4593, A5173 | RSA KeyGen FIPS 186-4 | RSA KeyGen | Key Generation |
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
| A4593, A5173 | RSA SigGen FIPS 186-4 | RSA SigGen | Strength: 112, 128, 150 bits Capabilities: Signature Type: PKCS 1.5 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: | Signature Generation |
|---|
Document Version 1.1a © SafeLogic Inc.
Hash Algorithm: SHA2-512/256 Capabilities: Signature Type: PKCSPSS Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 4096 Hash Pair: Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
| Name | Key Size | Use Function | ||
|---|---|---|---|---|
| RSA SigVer | Strength: 80 bits (Legacy), 112, 128, 150 bits | Signature Verification | A4593, A5173 | RSA SigVer FIPS 186-4 |
Document Version 1.1a © SafeLogic Inc.
Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Capabilities: Signature Type: ANSI X9.31 Properties: Modulo: 1024 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 3072 Hash Pair: Document Version 1.1a © SafeLogic Inc.
Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Capabilities: Signature Type: PKCSPSS Properties: Modulo: 1024 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 62 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA-1 Document Version 1.1a © SafeLogic Inc.
Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Document Version 1.1a © SafeLogic Inc.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |||||
|---|---|---|---|---|---|---|---|---|---|
| A4593, A5173 | A4593, A5173 | Safe Primes Key Generation SP 800-56Ar3 | Safe Primes Key Generation | Strength: 112-200 bits Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | Key Generation | ||||
| A4593, A5173 | Strength: 112-200 bits | A4593, A5173 | Safe Primes Key Verification SP 800-56Ar3 | Safe Primes Key Verification | Key Verification | ||||
| A4593 | A4593 | SHA-1 FIPS 180-4 | SHA-1 | Strength: 80 bits (Legacy) Collision Resistance 128 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA-1 FIPS 180-4 | SHA-1 | Hashing | ||||
| A4593 | A4593 | SHA2-224 FIPS 180-4 | SHA2-224 | Strength: 112 bits Collision Resistance 192 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| SHA2-224 | A5173 | SHA2-224 | Strength: | Hashing | A5173 | SHA2-224 FIPS 180-4 | SHA2-224 | Hashing | |
| FIPS 180-4 | 112 bits Collision Resistance | ||||||||
| A4593 | A4593 | SHA2-256 FIPS 180-4 | SHA2-256 | Strength: 128 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA2-256 FIPS 180-4 | SHA2-256 | Hashing | ||||
| A4593 | A4593 | SHA2-384 FIPS 180-4 | SHA2-384 | Strength: 192 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA2-384 FIPS 180-4 | SHA2-384 | Hashing | ||||
| A4593 | A4593 | SHA2-512 FIPS 180-4 | SHA2-512 | Strength: 256 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA2-512 FIPS 180-4 | SHA2-512 | Hashing | ||||
| A4593 | A4593 | SHA2-512/224 FIPS 180-4 | SHA2-512/224 | Strength: 112 bits Collision Resistance 192 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA2-512/224 FIPS 180-4 | SHA2-512/224 | Hashing | ||||
| A4593 | A4593 | SHA2-512/256 FIPS 180-4 | SHA2-512/256 | Strength: 128 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA2-512/256 FIPS 180-4 | SHA2-512/256 | Hashing | ||||
| A4593 | A4593 | SHA3-224 FIPS 202 | SHA3-224 | Strength: 112 bits Collision Resistance 192 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA3-224 FIPS 202 | SHA3-224 | Hashing | ||||
| A4593 | A4593 | SHA3-256 FIPS 202 | SHA3-256 | Strength: 128 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| SHA3-256 | A5173 | SHA3-256 | Strength: | Hashing | A5173 | SHA3-256 FIPS 202 | SHA3-256 | Hashing | |
| FIPS 202 | 128 bits Collision Resistance | ||||||||
| A4593 | A4593 | SHA3-384 FIPS 202 | SHA3-384 | Strength: 192 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA3-384 FIPS 202 | SHA3-384 | Hashing | ||||
| A4593 | A4593 | SHA3-512 FIPS 202 | SHA3-512 | Strength: 256 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytes | Hashing | ||||
| A5173 | Strength: | A5173 | SHA3-512 FIPS 202 | SHA3-512 | Hashing | ||||
| A4593, A5173 | A4593, A5173 | SHAKE-128 FIPS 202 | SHAKE-128 | Strength: 128 bits Supports Empty Message Output Length: 16-65536 Increment 8 | Hashing | ||||
| A4593, A5173 | Strength: 256 bits | A4593, A5173 | SHAKE-256 FIPS 202 | SHAKE-256 | Hashing | ||||
| A4593, A5173 | A4593, A5173 | TDES-CBC SP 800-67r2 | TDES-CBC | Strength: 112 bits Direction: Decrypt Keying Option: 1 | Legacy Decryption | ||||
| A4593, A5173 | Strength: 112 bits | A4593, A5173 | TDES-ECB SP 800-67r2 | TDES-ECB | Legacy Decryption | ||||
| A4593, A5173 | A4593, A5173 | TLS v1.2 KDF RFC7627 SP 800-135r1 CVL | TLS v1.2 KDF RFC7627 | Strength: 256 bits Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 Key Block Length: 1024 | Key Derivation | ||||
| A4593, A5173 | Strength: 256 bits | A4593, A5173 | TLS v1.3 KDF RFC 8446 CVL | TLS v1.3 KDF | Key Derivation |
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
Document Version 1.1a © SafeLogic Inc.
| Name | Use Function | Use / Function | |||
|---|---|---|---|---|---|
| EC Diffie-Hellman with | Provides 112, 128, 160, | EC Diffie-Hellman with non-NIST recommended curves | Provides 112, 128, 160, 192, or 256 bits of encryption strength. Per IGs D.F and C.A. | Shared secret computation using non-NIST | |
| non-NIST | 192, or 256 bits of | curves: | |||
| recommended curves | encryption strength. | brainpoolP224r1, brainpoolP256r1, | |||
| Per IGs D.F and C.A. | Per IGs D.F and C.A. | brainpoolP320r1, brainpoolP384r1, | |||
| ECDSA with non-NIST recommended curves | ECDSA with non-NIST recommended curves | Provides 112, 128, 160, 192, or 256 bits of encryption strength. Per IG C.A. | Key pair generation, digital signature generation, digital signature verification using non-NIST curves: brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1, with strengths 112 bits, 128 bits, 160 bits, 192 bits, and 256 bits |
The module implements the vendor affirmed algorithms that are approved for use in Approved mode. Specifically, the module implements CKG per SP 800-133r2 for generation of symmetric keys and asymmetric keys. Refer to the CKG entries in Table 7 for additional details.
The module implements the following algorithms that are allowed for use in Approved mode. These are the brainpool curves as listed in SP 800-186 Appendix H.1. Table 8 - Non-Approved Algorithms Allowed in the Approved Mode of Operation
Not applicable. The module does not implement any non-approved algorithms with no security claimed.
Not applicable. The module does not implement any non-approved, not allowed algorithms. Document Version 1.1a © SafeLogic Inc.
Figure 1 - Module Block Diagram and Cryptographic Boundary The module’s block diagram depicts the cryptographic boundary, TOEPP, and the components of each. Additionally, it depicts the data flow between these components. The module’s logical interfaces are defined by its API. These interfaces are used by the host application to interact with the module. All input to the module occurs through the data input interface or control input interface. All output from the module occurs through the data output interface or status output interface. Refer also to Security Policy Section 3 - Cryptographic Module Interfaces and Section 9.2 - SSP Input-Output Methods. The module executes within the operating environments specified in Security Policy Section 2.3 Operating Environments. Document Version 1.1a © SafeLogic Inc.
| Name | Description | Approved Functions | Type | Properties | |||
|---|---|---|---|---|---|---|---|
| KeyTransport | KTS-IFC | KTS | SP 800-56Brev2. KTS-IFC (key | 2048 to 16384-bit modulus | KTS-IFC A4593, A5173 | ||
| encapsulation and un- | A4593, A5173 | encapsulation and un- | providing 112 to 256 bits of | ||||
| encapsulation) per IG D.G. | encapsulation) per IG D.G. | encryption strength | |||||
| KeyWrapping | SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G. | KTS | 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strength | AES-KW, AES- KWP A4593, A5173 |
Security function implementations (SFIs) are defined by the table below. The module is a software library, therefore the SFIs map directly to the module’s services. Refer also to Security Policy Section 4.3 - Approved Services for a description of the module’s services and SSP access. The SFIs below are used to encrypt or decrypt a key value on behalf of the calling application. SSPs are passed in by the calling application. Established SSPs are passed out to the calling application. Table 9 - Security Function Implementations
The module is compatible with TLS 1.2 and supports AES-GCM IV construction in alignment with IG C.H scenario
Per SP 800-38E, AES-XTS should only be used for storage applications.
DSA KeyGen (FIPS186-4) and DSA PQGGen (FIPS 186-4) are only implemented for use as a part of an approved SP 800-56Ar3 FFC scheme. In accordance with this, only the FIPS 186-type parameter sets FB (2048, 224) and FC (2048, 256) from SP 800-56Arev3 are supported by the module. For DSA signatures, only DSA PQGVer (FIPS186-4) and DSA SigVer (FIPS186-4) are only implemented. Refer to Security Policy Section 9.5 - Transitions for additional context.
Per FIPS 186-5, Edwards curves are only used for digital signatures using EdDSA. Per FIPS 186-5, only SHA-512 is supported with curve Edwards25519 and only SHAKE256 is supported with curve Edwards448.
The PBKDF aligns with Option 1a in Section 5.4 of SP 800-132. Keys derived from passwords using the PBKDF may only be used in storage applications. The PBKDF function can be called using the Key Derivation service, but it does not establish keys into the module. The PBKDF function supports passwords from 8 to 128 bytes and iteration counts from 1 to 10,000. SP 800-132 Section 5.2 recommends a minimum iteration count of 1,000. Operators should select an appropriate password length and iteration count for their use case, bearing in mind that both should be as large as is feasible for the application.
RSA SigVer (FIPS186-4) ANSI X9.31 functionality is only implemented for legacy support. Refer to Security Policy Section 9.5 - Transitions for additional context. The module supports the following even RSA modulus sizes that are not testable by the CAVP:
For the RSA KTS (KTS-IFC) algorithm, the module supports the KTS-OAEP-basic scheme. As indicated in Security Policy Section 2.9.6, the module supports even RSA modulus sizes that are not testable by the CAVP. The module supports moduli 2048-16384 for RSA KTS. This is conformant to IG C.F.
As indicated under CAVP certificates A4593 and A5173, the module supports TLS 1.2 KDF per RFC 7627, i.e. using the extended master secret.
TDES-CBC and TDES-ECB Decryption functionality is only implemented for legacy support. Refer to Security Policy Section 9.5 - Transitions for additional context. Document Version 1.1a © SafeLogic Inc.
Not applicable The module does not include an entropy source. The module aligns with IG 9.3.A, scenario 2b, therefore the module’s certificate includes the caveat “No assurance of the minimum strength of generated SSPs (e.g., keys).”
The module accepts input from entropy sources external to the cryptographic boundary for use as seed material for the module’s approved DRBG implementations. Entropy is supplied to the module by means of callback functions. Those functions return an error if the minimum entropy strength is not met. Entropy strength requirements are per NIST Special Publication 800-90A Table 2 (Hash_DRBG, HMAC_DRBG) and Table 3 (CTR_DRBG). At a minimum, the entropy source shall provide at least 128 bits of entropy to the DRBG. All random values used by the module for approved algorithms are provided by the module’s approved DRBGs.
The module does not include an entropy source. The module includes Counter DRBG, Hash DRBG, and HMAC DRBG, all of which are approved RBGs. The output of these approved RBGs is used to generate random data, symmetric keys, and asymmetric keys, as indicated in Security Policy Section 2.6.2 - Vendor Affirmed Algorithms.
Any generated SSPs are passed out to the calling application and are not stored in the module. Additional detail is provided in Security Policy Section 4.3 - Approved Services. Random values for key generation are provided by the module’s approved DRBGs. The output of the module’s approved DRBGs may be used to generate symmetric keys per SP 800-133r2 using the Random Number Generation service, as indicated in Security Policy Section 2.6.2 - Vendor Affirmed Algorithms. The output of the module’s approved DRBGs may be used to generate asymmetric keys per FIPS 186-4 and per FIPS 186-5 (for EdDSA only) using the Asymmetric Key Generation service. Document Version 1.1a © SafeLogic Inc.
SSPs used for services are passed in by the calling application. Established SSPs are passed out to the calling application and are not stored in the module. Additional detail is provided in Security Policy Section 4.3 - Approved Services. The module provides ECC and FFC shared secret computation that is conformant to SP 800-56Ar3 in alignment with IG D.F scenario 2 (path 1) via the Key Agreement service. For ECC, the module supports the (Cofactor) Ephemeral Unified Model, C(2e, 0s, ECC CDH) Scheme described in SP 800-56Ar3 Section 6.1.2.2. For FFC, the module supports the dhEphem, C(2e, 0s, FFC DH) Scheme described in SP 80056Ar3 Section 6.1.2.1. The module also provides ECC key agreement using the allowed curves specified in Table 8 - Non-Approved Algorithms Allowed in the Approved Mode of Operation in alignment with IG D.F scenario 3 via the Key Agreement service. The appropriate public key validation assurances are implemented. For ECC, full public key validation is implemented (SP 800-56Ar3 Section 5.6.2.3.3). For FFC, both full public key validation (per SP 800-56Ar3 Section 5.6.2.3.1) and partial public key validation (per SP 800-56Ar3 Section 5.6.2.3.2) are implemented. The module provides RSA shared secret computation that is conformant to SP 800-56Br2 in alignment with IG D.F scenario 1 (path 1) via the Key Agreement service. The module supports the KAS1 basic and KAS2 basic schemes. The module supports various key derivation functions separately via the Key Derivation service. Supported KDFs are conformant to SP 800-108r1 (KBKDF), SP 800-132 (PBKDF), SP 800-56Cr2 (HKDF, KDA OneStep KDA, TwoStep KDA), SP 800-135r1 (ANSI 9.42 KDF, ANSI 9.63 KDF, SSH KDF, TLS 1.2 KDF), and RFC 8446 (TLS 1.3 KDF). The module provides RSA key encapsulation that is conformant to SP 800-56Br2 via the Key Transport service (this is the KeyTransport SFI). The module provides AES key wrapping (AES KW, AES KWP) that is conformant to SP 800-38F via the Key Wrapping service (this is the KeyWrapping SFI).
The module implements KDFs from SP 800-135r1 (Recommendation for Existing Application-Specific Key Derivation Functions) and the TLS 1.3 KDF. These KDFs have been validated by the CAVP and received CVL certificates (A4593, A5173 ). No parts of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.
The module is designed to meet the applicable requirements of FIPS 140-3. The module initializes when powered on, then performs the pre-operational self-tests and CASTs as specified in Security Policy Document Version 1.1a © SafeLogic Inc.
Section 10 - Self-Tests. After successfully passing these self-tests, the module automatically transitions to the operational state and awaits service requests.
The Module Initialization service is executed when the module is powered on. Document Version 1.1a © SafeLogic Inc.
| Name | Physical Port | Logical Interface | Data That Passes | |||
|---|---|---|---|---|---|---|
| N/A | N/A | Data Output | API output parameters for data | |||
| N/A | N/A | Control Input | API function calls | |||
| N/A | N/A | Status Output | API status outputs (return codes, error messages) |
As a software cryptographic module, the module supports logical interfaces only and not physical ports. All access to the module is through the module’s API. The API provides and defines the module’s logical interfaces. The API provides functions that may be called by a host application (refer to Security Policy Section 4.3 - Approved Services). Table 10 - Ports and Interfaces N/A N/A N/A N/A The following interfaces are omitted from the table above because they are not applicable to the module: Control Output (not implemented), Power Input (N/A for software modules).
All interfaces are logically separated by the module’s API. The data output path is inhibited during pre-operational self-tests, zeroisation, and when the module is in an error state. Document Version 1.1a © SafeLogic Inc.
| Name | Roles | Role Access | Type | Input | Output | ||||
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | |||||||
| Module | CO | External dispatch | Internal dispatch (function pointer) table | CO | Internal dispatch (function pointer) table | ||||
| Initialization | (function pointer) table | ||||||||
| CO | CO | Module State (queried via Show Status) changes to Running (FIPS_STATE_RUNNING) | Self-Test | None | |||||
| CO | Module State (queried via Show Status) changes | CO | Integrity Test | Expected HMAC | |||||
| CO | CO | Module Status: Running (FIPS_STATE_RUNNING), or Error (FIPS_STATE_ERROR) | Show Status | None | |||||
| CO | name: | CO | Output ID/ Version Information | None | |||||
| CO | CO | Random data | Random Number Generation | Desired security strength in bits, entropy input | |||||
| Symmetric | AES EDK, AES XTS key, | CO | Ciphertext data or plaintext data | ||||||
| Encryption/ | TDES DK, IV, ciphertext | ||||||||
| Decryption | data, plaintext data |
| Name | Roles | Role Access | Type | Input | Output | ||||
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | |||||||
| Module | CO | External dispatch | Internal dispatch (function pointer) table | CO | Internal dispatch (function pointer) table | ||||
| Initialization | (function pointer) table | ||||||||
| CO | CO | Module State (queried via Show Status) changes to Running (FIPS_STATE_RUNNING) | Self-Test | None | |||||
| CO | Module State (queried via Show Status) changes | CO | Integrity Test | Expected HMAC | |||||
| CO | CO | Module Status: Running (FIPS_STATE_RUNNING), or Error (FIPS_STATE_ERROR) | Show Status | None | |||||
| CO | name: | CO | Output ID/ Version Information | None | |||||
| CO | CO | Random data | Random Number Generation | Desired security strength in bits, entropy input | |||||
| Symmetric | AES EDK, AES XTS key, | CO | Ciphertext data or plaintext data | ||||||
| Encryption/ | TDES DK, IV, ciphertext | ||||||||
| Decryption | data, plaintext data | ||||||||
| CO | CO | Ciphertext data or plaintext data | Authenticated Symmetric Encryption/ Decryption | AES CMAC/CCM key, AES GMAC/GCM key, ciphertext data, plaintext data | |||||
| CO | Digest or message, AES | CO | Digest or verification result | Symmetric Digest | |||||
| CO | CO | ECDSA SGK, ECDSA SVK, RSA SGK, RSA SVK, EdDSA SGK, EdDSA SVK, DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public, RSA KDK Private, RSA KEK Public | Asymmetric Key Generation | Desired security strength in bits, entropy input, prediction resistance, parameters and values for FFC, ECC, RSA key generation | |||||
| CO | DSA SVK, ECDSA SGK, | CO | Digital signature or verification result | Digital Signatures | |||||
| CO | CO | Keyed hash or verification result | Keyed Hash | HMAC key, KMAC key | |||||
| Message Digest | CO | Message data | Digest | ||||||
| CO | CO | DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public, KDF secret | Key Agreement | DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public | |||||
| CO | KDF secret, salt, | CO | Generic Secret | Key Derivation | |||||
| CO | CO | Encapsulated key (Generic Secret), or unencapsulated key (Generic Secret) | Key Transport | RSA KEK Public and key to be encapsulated (Generic Secret), or RSA KDK Private and encapsulated key (Generic Secret) | |||||
| CO | AES key wrapping key, | CO | Wrapped key or unwrapped key (Generic Secret) | Key Wrapping | |||||
| CO | CO | The completion of a zeroisation routine indicates that the zeroisation procedure succeeded. Zeroisation can be confirmed via EVP_RAND_verify_zeroization: 1 for success (i.e. the DRBG CSPs have been zeroised), 0 for failure. | Zeroise | Memory to be cleansed (pointer and length) | |||||
| Utility | CO | None | None |
Table 11 - Roles Crypto Officer is the only role supported by the module. The module does not support a User role or a Maintenance role. The Crypto Officer role is implicitly selected by calling the module’s services. Table 12 below describes the service inputs and outputs for the CO role and should be reviewed in conjunction with the service descriptions in Table 14. Table 12
Document Version 1.1a © SafeLogic Inc.
| Role | Authentication Methods | Authentication Strength |
|---|---|---|
| Crypto Officer | N/A | N/A |
Table 13
The following table describes the services the module provides and the access to SSPs by each service. Additional details on each service are available in the module’s user guidance documentation. SSP Access is divided into the following access types:
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | ||||
|---|---|---|---|---|---|---|---|---|---|---|
| Module Initialization | CO | N/A | None | N/A | API return value from OSSL_provider_init: 1 for success, 0 for failure | Initialize the FIPS | None | N/A | ||
| Self-Test | Performs pre- operational self- tests and CASTs on demand. | CO | N/A | API return value code from SELF_TEST_post(): 1 for success, 0 for failure | None | N/A | ||||
| Integrity Test | CO | N/A | Performs the | HMAC-SHA-256 | N/A | API return value from | ||||
| integrity test on | integrity test on | verify_integrity(): 1 for | ||||||||
| demand. | demand. | verified, 0 for failure | ||||||||
| Show Status | Provides status information by querying the “status” parameter. | CO | N/A | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for query operation completed successfully, 0 for failure to query the parameter | None | N/A |
Table 14 - Approved Services N/A N/A N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Description | ||
|---|---|---|---|---|---|---|---|---|---|
| Output ID/ Version Information | Displays FIPS | CO | N/A | None | N/A | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for query operation completed successfully, 0 for failure to query the parameter | None | N/A | |
| Random Number Generation | CO | DRBG Entropy Input CTR_DRBG Seed, CTR_DRBG V, CTR_DRBG Key, Hash_DRBG Seed, Hash_DRBG V, Hash_DRBG C, HMAC_DRBG Seed, HMAC_DRBG V, HMAC_DRBG Key | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | Counter DRBG Hash DRBG HMAC DRBG | Write, Execute, Zeroise (W, E, Z) Generate, Execute, Zeroise (G, E, Z) | Used to seed/reseed a DRBG instance (including determining the security strength) or obtain random data that is passed out to the calling application. |
Document Version 1.1a © SafeLogic Inc. N/A N/A Z) Z)
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | ||
|---|---|---|---|---|---|---|---|---|
| Symmetric Encryption/ Decryption | Used to encrypt or decrypt data. SSPs are passed in by the calling application. | CO | AES EDK, AES XTS key, TDES DK | AES-CBC | Write, | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | Write, Execute, Zeroise (W, E, Z) | |
| AES-CBC-CS1 | AES-CBC-CS1 | Execute, | ||||||
| AES-CBC-CS2 | AES-CBC-CS2 | Zeroise (W, E, | ||||||
| AES-CBC-CS3 | AES-CBC-CS3 | Z) | ||||||
| Authenticated Symmetric Encryption/ Decryption | Used to encrypt or decrypt data or keys. SSPs are passed in by the calling application. Any established SSPs are passed out to the calling application. | CO | AES CMAC/CCM key, AES GMAC/GCM key AES GMAC/GCM IV | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | Write, Execute, Zeroise (W, E, Z) Generate, Execute, Zeroise (G, E, Z) | AES-CCM AES-GCM |
Z) Z) © SafeLogic Inc. Document Version 1.1a Z)
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | |
|---|---|---|---|---|---|---|---|
| Symmetric Digest | Used to generate or verify data integrity with CMAC or GMAC. SSPs are passed in by the calling application. | CO | AES CMAC/CCM key, AES GMAC/GCM key AES GMAC/GCM IV | AES-CMAC | Write, | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | AES-CMAC AES-GMAC |
| AES-GMAC | AES-GMAC | Execute, |
Document Version 1.1a Z) Z) © SafeLogic Inc.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Approved Security Functions | Access Rights to Keys and/or SSPs |
|---|---|---|---|---|---|---|---|---|
| Asymmetric Key Generation | Used to generate asymmetric keys using the DRBG. Established SSPs are passed out to the calling application. | CO | DRBG Entropy Input CTR_DRBG Seed, CTR_DRBG V, CTR_DRBG Key, Hash_DRBG Seed, Hash_DRBG V, Hash_DRBG C, HMAC_DRBG Seed, HMAC_DRBG V, HMAC_DRBG Key ECDSA SGK, ECDSA SVK, RSA SGK, RSA SVK, EdDSA SGK, EdDSA SVK, DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public, RSA KDK Private, RSA KEK Public | Prerequisites: Counter DRBG Hash DRBG HMAC DRBG CKG With DSA KeyGen DSA PQGGen DSA PQGVer ECDSA KeyGen ECDSA KeyVer ECDSA with non- NIST recommended curves EDDSA keyGen EDDSA keyVer RSA KeyGen Safe Primes Key Generation Safe Primes Key Verification | Write, Execute, Zeroise (W, E, Z) Generate, Execute, Zeroise (G, E, Z) Generate, Read, Zeroise (G, R, Z) | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | ||
| Digital Signatures | Used to generate or verify digital signatures. SSPs are passed in by the calling application. | CO | DSA SVK, ECDSA SGK, ECDSA SVK, RSA SGK, RSA SVK, EdDSA SGK, EdDSA SVK | Write, Execute, Zeroise (W, E, Z) | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | DSA SigVer | Write, | |
| ECDSA SigGen | ECDSA SigGen | Execute, | ||||||
| ECDSA SigVer | ECDSA SigVer | Zeroise (W, E, | ||||||
| ECDSA with non- | ECDSA with non- | Z) | ||||||
| Keyed Hash | Used to generate or verify data integrity. SSPs are passed in by the calling application. | CO | HMAC key, KMAC key | HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 KMAC-128 KMAC-256 | Write, Execute, Zeroise (W, E, Z) | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | ||
| Message Digest | Used to generate a SHA-1, SHA-2, SHA- 3, or SHAKE message digest. | CO | N/A | N/A | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | SHA-1 | N/A | |
| Key Agreement | Used to perform key agreement primitives on behalf of the calling application (does not establish keys into the module). SSPs are passed in by the calling application. Established SSPs are passed out to the calling application. | CO | DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public KDF secret | KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves KAS-FFC-SSC KAS-IFC-SSC | Write, Read, Execute, Zeroise (W, R, E, Z) Generate, Read, Zeroise (G, R, Z) | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure |
Document Version 1.1a © SafeLogic Inc. Z) Z) (G, R, Z)
Document Version 1.1a © SafeLogic Inc. Z) Z)
N/A © SafeLogic Inc. Document Version 1.1a N/A E, Z) (G, R, Z)
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Description | ||
|---|---|---|---|---|---|---|---|---|---|
| Key Derivation | Used to derive keys | CO | KDF Secret Generic Secret | KDA HKDF SP800- | Write, | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | KDA HKDF SP800- 56Cr2 KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF ANS 9.42 KDF ANS 9.63 KDF KMAC Sp800- 108r1 KDF SP800-108 KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDF | Write, Execute, Zeroise (W, E, Z) Generate, Read, Zeroise (G, R, Z) | |
| using KBKDF, | using KBKDF, | 56Cr2 | Execute, | ||||||
| PBKDF, HKDF, SP | PBKDF, HKDF, SP | KDA OneStep | Zeroise (W, E, | ||||||
| 800-56Cr2 One- | 800-56Cr2 One- | SP800-56Cr2 | Z) | ||||||
| Step KDF (KDA), SP | Step KDF (KDA), SP | KDA TwoStep | |||||||
| 800-56Cr2 Two- | 800-56Cr2 Two- | SP800-56Cr2 | Generate, | ||||||
| Step KDF (KDA), | Step KDF (KDA), | KDF ANS 9.42 | Read, Zeroise | ||||||
| ANSI X9.42-2001 | ANSI X9.42-2001 | KDF ANS 9.63 | (G, R, Z) | ||||||
| KDF, ANSI X9.63- | KDF, ANSI X9.63- | KDF KMAC Sp800- | |||||||
| 2001 KDF, SSHv2 | 2001 KDF, SSHv2 | 108r1 | |||||||
| KDF, TLS 1.2 KDF, | KDF, TLS 1.2 KDF, | KDF SP800-108 | |||||||
| TLS 1.3 KDF (does | TLS 1.3 KDF (does | KDF SSH | |||||||
| not establish keys | not establish keys | PBKDF | |||||||
| into the module). | into the module). | TLS v1.2 KDF | |||||||
| SSPs are passed in | SSPs are passed in | TLS v1.3 KDF | |||||||
| Key Transport | CO | RSA KDK Private, RSA KEK Public Generic Secret | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | KTS-IFC KeyTransport SFI | Write, Execute, Zeroise (W, E, Z) Write, Read, Zeroise (W, R, Z) | Used to encrypt or decrypt a key value on behalf of the calling application (does not establish keys into the module). SSPs are passed in by the calling application. Established SSPs are passed out to the calling application. | |||
| Key Wrapping | Used to encrypt or | CO | AES key wrapping key Generic Secret | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | AES-KW AES-KWP KeyWrapping SFI | Write, Execute, Zeroise (W, E, Z) Write, Read, Zeroise (W, R, Z) | |||
| Zeroise | None | Zeroise (Z) | CO | DRBG Entropy Input, CTR_DRBG Seed, CTR_DRBG V, CTR_DRBG Key, Hash_DRBG Seed, Hash_DRBG V, Hash_DRBG C, HMAC_DRBG Seed, HMAC_DRBG V, HMAC_DRBG Key | Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure | All services automatically overwrite SSPs stored in allocated memory. The module does not store any SSP persistently (beyond the lifetime of an API call), except for DRBG state values (stored for the lifetime of the DRBG instance). Stack cleanup is the responsibility of the calling application. | |||
| Utility | None | N/A | CO | N/A | Implied if | Miscellaneous helper functions. |
Document Version 1.1a © SafeLogic Inc. Z) (G, R, Z)
Z) Z) Z) Document Version 1.1a Z) © SafeLogic Inc.
N/A N/A Document Version 1.1a © SafeLogic Inc.
Not applicable. The module does not implement any non-approved, not allowed algorithms; therefore, it also does not provide any non-approved services.
Not applicable. The module does not support this functionality. Document Version 1.1a © SafeLogic Inc.
As specified in Security Policy Section 2.3.3 - Executable Code Sets, the module implements integrity techniques for all executable code sets. The integrity technique used by the module is HMAC-SHA-256. The integrity technique has received CAVP certificates A4593 and A5173. The integrity technique is implemented by the module itself.
The Integrity Test can be performed on demand via the “Integrity Test” service. Document Version 1.1a © SafeLogic Inc.
Refer to Security Policy Section 2.3.4 for vendor affirmed operating environment porting guidance.
Supported operational environments are indicated in Security Policy Section 2.3 - Operating Environments. The operating environments ensure that every application using the module operates in its own private and isolated environment (memory, I/O, etc.) and that user processes are segregated into separate process spaces. The module does not spawn any processes.
The module must be installed, and the correct installation confirmed, as described in Security Policy Section 11.1
The requirements of this section are not applicable to the module. The module is a software module and does not implement any physical security mechanisms. Document Version 1.1a © SafeLogic Inc.
Non-Invasive Security The requirements of this section are not applicable to the module. Document Version 1.1a © SafeLogic Inc.
| Name | Type | Description | ||
|---|---|---|---|---|
| RAM / DRAM | Dynamic | Memory that only holds data during power on of the | RAM / DRAM | Dynamic |
Table 16
| Method | Description | Rationale | Operator | ||
|---|---|---|---|---|---|
| Initiation | |||||
| Capability | |||||
| Zeroise service | Calls OPENSSL_cleanse to zeroise the DRBG CSPs | DRBG CSPs are the only SSPs stored | Function provided via API | Function | |
| by the module beyond the lifetime | provided | ||||
| of an API call. | via API | ||||
| The Zeroise service zeroises SSPs by | |||||
| overwriting zeroes to the memory | |||||
| location occupied by the SSP and | |||||
| further deallocating that area. | |||||
| Call a service that creates or uses the SSP | Services include appropriate APIs (OPENSSL_free or OPENSSL_cleanse) to automatically zeroise the SSPs created or used by the services. This zeroises the context structures that contain the SSP. | SSPs are zeroised by overwriting zeroes to the memory location occupied by the SSP and further deallocating that area. | Function provided via API |
Table 17
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation | ||
|---|---|---|---|---|---|---|---|---|---|---|
| Generic Secret | 112 – 256 bits | N/A | Key Derivation | Key Transport Service (A4593 and A5173): KTS-IFC Key Wrapping Service (A4593 and A5173): AES-KW AES-KWP | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Note: Used only as an input or output Related SSPs: May be derived from KDF Secret May be wrapped or unwrapped by RSA KDK Private, RSA KEK Public, or AES key wrapping key | Key Derivation Service: plaintext export Key Transport Service (A4593 and A5173): import or export, plaintext or encrypted with KTS-IFC Key Wrapping Service (A4593 and A5173), import or export, plaintext or encrypted with AES-KW or AES- KWP | Generic Secret Type: Key or other SSP | N/A | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) |
| Type: Key or | Service (A4593 | |||||||||
| other SSP | and A5173): |
The following two tables define the module’s Sensitive Security Parameters (SSPs). Access to SSPs is defined under Security Policy Section 4.3 Approved Services. N/A Document Version 1.1a © SafeLogic Inc.
| Name | Strength | Generation | Establishment | Storage | Use | Import Export | Zeroisation | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AES EDK Type: Symmetric Key | 128, 192, 256 bits | External | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Symmetric Encryption/ Decryption | Symmetric Encryption/ Decryption service: plaintext import | AES EDK Type: Symmetric Key | A4593 and A5173: AES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CFB1 AES-CFB8 AES-CFB128 AES-CTR AES-ECB AES-OFB | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | |||
| AES CMAC/CCM key Type: Symmetric Key | 128, 192, 256 bits | External | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Authenticated Symmetric Encryption/ Decryption, Symmetric Digest | AES CMAC/CCM key Type: Symmetric Key | A4593 and A5173: AES-CCM AES-CMAC | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | Authenticated | |||
| AES GMAC/GCM key Type: Symmetric Key | 128, 192, 256 bits | External | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Authenticated Symmetric Encryption/ Decryption, Symmetric Digest Related SSPs: AES GMAC/GCM IV: Used with | Authenticated Symmetric Encryption/ Decryption service: plaintext import Symmetric Digest service: plaintext import | AES GMAC/GCM key Type: Symmetric Key | A4593 and A5173: AES-GCM AES-GMAC | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | |||
| AES GMAC/GCM IV Type: IV | 96-1024 bits | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | N/A | AES GMAC/GCM IV Type: IV | A4593 and A5173: AES-GCM AES-GMAC | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | Random | Use: | |||
| service (A4593 | service (A4593 | Symmetric Digest | ||||||||||
| Counter DRBG | Counter DRBG | Related SSPs: | ||||||||||
| Hash DRBG | Hash DRBG | AES GMAC/GCM key: Used | ||||||||||
| HMAC DRBG | HMAC DRBG | with |
Document Version 1.1a N/A N/A N/A N/A © SafeLogic Inc. N/A
| Name | Strength | Generation | Establishment | Storage | Use | Import Export | Zeroisation | Use & related keys | |||
|---|---|---|---|---|---|---|---|---|---|---|---|
| AES XTS key Type: Symmetric Key | 128, 256 bits | External | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Symmetric Encryption/ Decryption service: plaintext import | AES XTS key Type: Symmetric Key | A4593 and A5173: AES-XTS | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | Use: Symmetric Encryption/ Decryption | ||
| AES key wrapping key Type: Symmetric Key | 128, 192, 256 bits | External | N/A | Use: | Key Wrapping service: plaintext import | AES key wrapping key Type: Symmetric Key | A4593 and A5173: AES-KW AES-KWP (KeyWrapping SFI) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM | ||
| All SSPs are | Key Wrapping (using | All SSPs are | |||||||||
| temporarily stored | KeyWrapping SFI) | temporarily stored | |||||||||
| duration is for the | Related SSPs: | duration is for the | |||||||||
| lifetime of the API | Wraps or unwraps Generic | lifetime of the API | |||||||||
| call. | Secret | call. | |||||||||
| TDES DK Type: Symmetric Key | 112 bits | External | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Symmetric Encryption/ Decryption service: plaintext import | TDES DK Type: Symmetric Key | A4593 and A5173: TDES-CBC TDES-ECB | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | Use: Symmetric Encryption/ Decryption | ||
| DRBG Entropy Input Type: RBG | 128-256 bits | External | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: | Random Number Generation service: plaintext import Asymmetric Key Generation service: plaintext import | DRBG Entropy Input Type: RBG | A4593 and A5173: Counter DRBG Hash DRBG HMAC DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) |
N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Generation | Zeroisation | ||
|---|---|---|---|---|---|---|---|---|---|---|---|
| CTR_DRBG Seed Type: RBG | 128-256 bits | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, CTR_DRBG V, CTR_DRBG Key: Used with | N/A | CTR_DRBG Seed Type: RBG | A4593 and A5173: Counter DRBG | Random Number Generation service (A4593 and A5173): Counter DRBG Asymmetric Key Generation service (A4593 and A5173): Counter DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| CTR_DRBG V Type: RBG | 128 bits | Random | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, CTR_DRBG Seed, CTR_DRBG Key: Used with | N/A | CTR_DRBG V Type: RBG | A4593 and A5173: Counter DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| CTR_DRBG Key Type: RBG | 128, 192, 256 bits | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, CTR_DRBG Seed, CTR_DRBG V: Used with | N/A | CTR_DRBG Key Type: RBG | A4593 and A5173: Counter DRBG | Random Number Generation service (A4593 and A5173): Counter DRBG Asymmetric Key Generation service (A4593 and A5173): Counter DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| Hash_DRBG | 128-256 bits | A4593 and A5173: | Random | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, Hash_DRBG V, Hash_DRBG C: Used with | N/A | Hash_DRBG Seed Type: RBG | A4593 and A5173: Hash DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | |
| Seed | Hash DRBG | Number | |||||||||
| Type: RBG | Generation | ||||||||||
| Hash_DRBG V Type: RBG | 128, 256 bits | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, Hash_DRBG Seed, Hash_DRBG C: Used with | N/A | Hash_DRBG V Type: RBG | A4593 and A5173: Hash DRBG | Random Number Generation service (A4593 and A5173): Hash DRBG Asymmetric Key Generation service (A4593 and A5173): Hash DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| Hash_DRBG C Type: RBG | 128, 256 bits | Random | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, Hash_DRBG Seed, Hash_DRBG V: Used with | N/A | Hash_DRBG C Type: RBG | A4593 and A5173: Hash DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| HMAC_DRBG Seed Type: RBG | 128-256 bits | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, HMAC_DRBG V, HMAC_DRBG Key: Used with | N/A | HMAC_DRBG Seed Type: RBG | A4593 and A5173: HMAC DRBG | Random Number Generation service (A4593 and A5173): HMAC DRBG Asymmetric Key Generation service (A4593 and A5173): HMAC DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| HMAC_DRBG V Type: RBG | 160, 256, 512 bits | Random | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, HMAC_DRBG Seed, HMAC_DRBG Key: Used with | N/A | HMAC_DRBG V Type: RBG | A4593 and A5173: HMAC DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| HMAC_DRBG Key Type: RBG | 160, 256, 512 bits | N/A | RAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance. | Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, HMAC_DRBG Seed, HMAC_DRBG Key: Used with | N/A | HMAC_DRBG Key Type: RBG | A4593 and A5173: HMAC DRBG | Random Number Generation service (A4593 and A5173): HMAC DRBG Asymmetric Key Generation service (A4593 and A5173): HMAC DRBG | Zeroise service (Refer to Table 17 – SSP Zeroisation Methods) | ||
| ECDSA SGK | 112 – 256 bits | A4593 and A5173: | Asymmetric | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Digital Signatures Related SSPs: May be paired with ECDSA SVK | Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext export | ECDSA SGK Type: Signature | A4593 and A5173: ECDSA SigGen ECDSA with non- NIST recommended curves (allowed) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | |
| Type: Signature | ECDSA SigGen | Key Generation | |||||||||
| ECDSA with non- | ECDSA with non- | and A5173): | |||||||||
| NIST | NIST | Counter DRBG | |||||||||
| recommended | recommended | Hash DRBG | |||||||||
| curves (allowed) | curves (allowed) | HMAC DRBG | |||||||||
| RSA SGK Type: Signature | 112 – 256 bits | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Digital Signatures Related SSPs: May be paired with RSA SVK | Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext export | RSA SGK Type: Signature | A4593 and A5173: RSA SigGen | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) RSA KeyGen or External | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| EdDSA SGK Type: Signature | 128, 224 bits | Asymmetric | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Digital Signatures Related SSPs: May be paired with EdDSA SVK | Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext export | EdDSA SGK Type: Signature | A4593 and A5173: EDDSA SigGen | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| DH Private Type: Key Agreement | 112 bits 112-200 bits | Key Agreement service (A4593 and A5173): KAS-FFC-SSC | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Key Agreement Related SSPs: May be paired with DH Public Used to establish KDF Secret | Key Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext export | DH Private Type: Key Agreement | A4593 and A5173: KAS-FFC-SSC | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) DSA KeyGen DSA PQGGen DSA PQGVer Safe Primes Key Generation Safe Primes Key Verification or External | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| EC DH Private Type: Key Agreement | 112 – 256 bits | Asymmetric | Key Agreement service (A4593 and A5173): KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Key Agreement Related SSPs: May be paired with EC DH Public Used to establish KDF Secret | Key Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext export | EC DH Private Type: Key Agreement | A4593 and A5173: KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| RSA KAK Private Type: Key Agreement | 112 – 256 bits | Key Agreement service (A4593 and A5173): KAS-IFC-SSC | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Key Agreement Related SSPs: May be paired with RSA KAK Public Used to establish KDF Secret | Key Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext export | RSA KAK Private Type: Key Agreement | A4593 and A5173: KAS-IFC-SSC | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) RSA KeyGen or External | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) |
N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
© SafeLogic Inc. Document Version 1.1a
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation | Generation | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RSA KDK Private | 112 – 256 bits | A4593 and A5173: | Asymmetric | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Key Transport (using KeyTransport SFI) Related SSPs: May be paired with RSA KEK Public Unwraps Generic Secret | Key Transport service: plaintext import Asymmetric Key Generation service: plaintext export | RSA KDK Private Type: Key Transport | A4593 and A5173: KTS-IFC (KeyTransport SFI) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| Transport | (KeyTransport SFI) | service (A4593 | ||||||||||
| HMAC Key Type: Authentication | 128, 192 256 bits | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Keyed Hash | Keyed Hash service: plaintext import | HMAC Key Type: Authentication | A4593 and A5173: HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | External | |||
| KMAC Key Type: Authentication | 128, 256 bits | N/A | Use: Keyed Hash | Keyed Hash service: plaintext import | KMAC Key Type: Authentication | A4593 and A5173: KMAC-128 KMAC-256 | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | External | RAM / DRAM |
Document Version 1.1a N/A N/A N/A © SafeLogic Inc.
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation | |||
|---|---|---|---|---|---|---|---|---|---|---|---|
| KDF Secret Type: Key Derivation Function | 112 – 512 bits | N/A | Key Agreement Service (A4593 and A5173): KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed) KAS-FFC-SSC KAS-IFC-SSC or External | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Key Derivation Related SSPs: May be derived from DH Private, DH Public, or EC DH Private, EC DH Public, or RSA KAK Private, RSA KAK Public May be used to derive Generic Secret | Key Derivation service: plaintext import Key Agreement service: plaintext export | KDF Secret Type: Key Derivation Function | A4593 and A5173: KDA HKDF SP800- 56Cr2 KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF ANS 9.42 KDF ANS 9.63 KDF KMAC Sp800- 108r1 KDF SP800-108 KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDF | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| DSA SVK Type: Signature | 80 – 128 | External | N/A | Use: Digital Signatures | Digital Signatures service: plaintext import | DSA SVK Type: Signature | A4593 and A5173: DSA SigVer | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM | ||
| ECDSA SVK Type: Signature | 80 – 256 bits | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) ECDSA KeyGen ECDSA KeyVer or External | N/A | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | Use: Digital Signatures Related SSPs: May be paired with ECDSA SGK | Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext export | ECDSA SVK Type: Signature | A4593 and A5173: ECDSA SigVer ECDSA with non- NIST recommended curves (allowed) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | ||
| RSA SVK | 80 – 256 bits | A4593 and A5173: | Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext export | N/A | Use: Digital Signatures Related SSPs: May be paired with RSA SGK | Asymmetric | RSA SVK Type: Signature | A4593 and A5173: RSA SigVer | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | |
| Type: Signature | RSA SigVer | Key Generation | |||||||||
| EdDSA SVK Type: Signature | 128, 224 bits | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) EDDSA keyGen EDDSA keyVer or External | Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext export | N/A | Use: Digital Signatures Related SSPs: May be paired with EdDSA SGK | EdDSA SVK Type: Signature | A4593 and A5173: EDDSA SigVer | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | ||
| DH Public Type: Key Agreement | 112 bits 112-200 bits | Key Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext export | Key Agreement service (A4593 and A5173): KAS-FFC-SSC | Use: Key Agreement Related SSPs: May be paired with DH Private Used to establish KDF Secret | Asymmetric | DH Public Type: Key Agreement | A4593 and A5173: KAS-FFC-SSC | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | ||
| EC DH Public Type: Key Agreement | 112 – 256 bits | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) ECDSA KeyGen ECDSA KeyVer or External | Key Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext export | Key Agreement service (A4593 and A5173): KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed) | Use: Key Agreement Related SSPs: May be paired with EC DH Private Used to establish KDF Secret | EC DH Public Type: Key Agreement | A4593 and A5173: KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | ||
| RSA KAK Public Type: Key Agreement | 112 – 256 bits | Key Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext export | Key Agreement service (A4593 and A5173): KAS-IFC-SSC | Use: Key Agreement Related SSPs: May be paired with RSA KAK Private Used to establish KDF Secret | Asymmetric | RSA KAK Public Type: Key Agreement | A4593 and A5173: KAS-IFC-SSC | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. | ||
| RSA KEK Public Type: Key Transport | 112 – 256 bits | Asymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) RSA KeyGen or External | Key Transport service: plaintext import Asymmetric Key Generation service: plaintext export | N/A | Use: Key Transport (using KeyTransport SFI) Related SSPs: May be paired with RSA KDK Private Wraps Generic Secret | RSA KEK Public Type: Key Transport | A4593 and A5173: KTS-IFC (KeyTransport SFI) | Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods) | RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call. |
N/A N/A N/A Document Version 1.1a © SafeLogic Inc.
N/A N/A © SafeLogic Inc. Document Version 1.1a
The table below provides additional detail for the SSPs listed in Table 18
| Name | Description | Strength | Category | ||
|---|---|---|---|---|---|
| Generic Secret | 112 – 512 bits | Generic Secret Type: Key or other SSP | SSPs generated by key derivation and directly output by | CSP | |
| Type: Key or other | the module, or generic keys that are wrapped or | ||||
| AES EDK Type: Symmetric Key | AES encrypt/ decrypt key | 128, 192, 256 bits | AES EDK Type: Symmetric Key | CSP | |
| AES CMAC/CCM | AES CMAC/CCM key for encrypt/ decrypt or generate/ verify | 128, 192, 256 bits | CSP | ||
| AES GMAC/GCM key Type: Symmetric Key | AES GMAC/GCM key for encrypt/ decrypt or generate/ verify | 128, 192, 256 bits | AES GMAC/GCM key Type: Symmetric Key | CSP | |
| AES GMAC/GCM IV | 96-1024 bits | AES GMAC/GCM IV for encrypt/ decrypt or generate/ | CSP | ||
| Type: IV | verify | ||||
| AES XTS key Type: Symmetric Key | AES XTS encrypt/ decrypt key | 128, 256 bits | AES XTS key Type: Symmetric Key | CSP | |
| AES key wrapping | AES KW, KWP key | 128, 192, 256 bits | CSP | ||
| TDES DK Type: Symmetric Key | 3-key Triple-DES decrypt key | 192 bits | TDES DK Type: Symmetric Key | CSP |
Table 19
| Name | Input | |
|---|---|---|
| Type: RBG | Type: RBG | other inputs per SP 800-90A Sections 7.2, 8.6 |
| Type: Signature | Type: Signature | brainpool) |
Document Version 1.1a © SafeLogic Inc.
| Name | Description | Strength | Category | ||
|---|---|---|---|---|---|
| DH Private Type: Key Agreement | Diffie-Hellman private key agreement key (186-4-type and safe primes) | For 186-4 type key generation: 224, 256 bits For safe primes key generation: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- 4096, MODP-6144, MODP-8192 | DH Private Type: Key Agreement | CSP | |
| EC DH Private | Elliptic Curve Diffie-Hellman private key agreement key (P, B, K curves and brainpool) | 224 – 512 bits | CSP | ||
| RSA KAK Private Type: Key Agreement | RSA private key agreement key | 2048 – 16384 bits | RSA KAK Private Type: Key Agreement | CSP | |
| RSA KDK Private | RSA private key decryption key | 2048 – 16384 bits | CSP | ||
| HMAC Key Type: Authentication | Keyed hash key for HMAC | 160, 224, 256, 384, 512 bits | HMAC Key Type: Authentication | CSP | |
| KMAC Key | Keyed hash key for KMAC | 128-1024 bits | CSP | ||
| KDF Secret Type: Key Derivation Function | Secret value used by KDFs | 112 – 512 bits | KDF Secret Type: Key Derivation Function | CSP | |
| DSA SVK Type: Signature | DSA signature verification key (legacy only) | DSA SVK Type: Signature | PSP | DSA (L, N) = | |
| ECDSA SVK Type: Signature | ECDSA signature verification key (P, B, K curves and brainpool) | 160 – 512 bits | ECDSA SVK Type: Signature | PSP | |
| RSA SVK | RSA signature verification key | 1024 – 16384 bits | PSP | ||
| EdDSA SVK Type: Signature | Ed25519 or Ed448 signature verification key | 256, 456 bits | EdDSA SVK Type: Signature | PSP | |
| DH Public Type: Key Agreement | Diffie-Hellman public key agreement key (186-4-type and safe primes) | DH Public Type: Key Agreement | PSP | For 186-4 type key generation: 2048 bits | |
| EC DH Public Type: Key Agreement | Elliptic Curve Diffie-Hellman public key agreement key (P, B, K curves and brainpool) | 224 – 512 bits | EC DH Public Type: Key Agreement | PSP | |
| RSA KAK Public | RSA public key agreement key | 2048 – 16384 bits | PSP | ||
| RSA KEK Public Type: Key Transport | RSA public key encryption key | 2048 – 16384 bits | RSA KEK Public Type: Key Transport | PSP |
Document Version 1.1a © SafeLogic Inc.
All algorithms implemented by the module are approved for FIPS 140-3 and will not be impacted by the transitions specified below. The information below provides context for the algorithms not supported by the module due to algorithm transitions. Refer also to Security Policy Section 2.9
| Name | Algorithm Or Test | Test Method | Test Type | Details | Implementation | Test Properties | Indicator | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| HMAC-SHA2-256 | HMAC-SHA2-256 | Compare to pre- | SW/FW | Verify | HMAC-SHA2-256 | CryptoComply | HMAC-SHA-2561 | HMAC-SHA-2561 | Compare to pre- computed HMAC | SW/FW Integrity | The Module State (queried via Show Status) changes to Running (FIPS_STATE_RUNNING) | The Module State (queried via | Verify |
| 140-3 FIPS | computed | Integrity | 140-3 FIPS | Show Status) changes to | |||||||||
| Provider (CAVP | HMAC | Provider (CAVP | Running | ||||||||||
| Cert. #A4593 and | Cert. #A4593 and | (FIPS_STATE_RUNNING) |
Table 20
The module mainly performs two types of conditional self-tests, which are Cryptographic Algorithm Self-Tests (CASTs) and Pairwise Consistency Tests (PCTs). The module also performs one critical function test for AES-XTS, per IG C.I. The module does not implement any other conditional Please refer also to the HMAC-SHA-256 CAST, which is performed before the pre-operational SW integrity test Document Version 1.1a © SafeLogic Inc.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Condition | Implementation | Indicator | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AES-GCM | AES-GCM | KAT | CAST | CryptoComply 140- | 256-bit AES | KAT | The Module State (queried | Authenticated | Initialisation | |||
| 3 FIPS Provider | 3 FIPS Provider | via Show Status) changes to | Encrypt | |||||||||
| (CAVP Cert. #A4593 | (CAVP Cert. #A4593 | Running | (forward | |||||||||
| and Cert. #A5173) | and Cert. #A5173) | (FIPS_STATE_RUNNING) | cipher) | |||||||||
| AES-GCM | AES-GCM | CAST | Decrypt (forward cipher) | 256-bit AES | KAT | Initialisation | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | The Module State changes to Running | ||||
| AES-ECB | AES-ECB | CAST | Decrypt (inverse cipher) | CryptoComply 140- | 256-bit AES | KAT | Initialisation | The Module State changes to Running | ||||
| Counter DRBG | Counter DRBG | CAST | Instantiate, Reseed, Generate (per IG 10.3.A, 7) | 128-bit AES with df | KAT | Initialisation | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | The Module State changes to Running | ||||
| Hash DRBG | Hash DRBG | CAST | CryptoComply 140- | SHA-256 | KAT | Instantiate, | Initialisation | The Module State changes to Running | ||||
| 3 FIPS Provider | 3 FIPS Provider | Reseed, | ||||||||||
| (CAVP Cert. #A4593 | (CAVP Cert. #A4593 | Generate (per | ||||||||||
| and Cert. #A5173) | and Cert. #A5173) | IG 10.3.A, 7) |
self-tests, including conditional self-tests for software/firmware loading, manual entry, or bypass, because the module does not implement corresponding functions. The CAST tests below are executed automatically by the Module Initialization service when the module is powered on. Automatic execution of the CASTs relies on use of the default entry point (DEP); no operator intervention is required. The CASTs execute before the module transitions to the operational state. If the CASTs are successful, the Module State (queried via Show Status) is updated to indicate that the module is in the Running state (FIPS_STATE_RUNNING). All other conditional self-tests are executed when the relevant condition occurs, as specified in the table below. Table 21 - Conditional Self-Tests Document Version 1.1a © SafeLogic Inc.
| Name | Algorithm Or Test | Test Type | Details | Implementation | Test Properties | Indicator | Condition | ||
|---|---|---|---|---|---|---|---|---|---|
| HMAC DRBG | HMAC DRBG | CAST | Instantiate, Reseed, Generate (per IG 10.3.A, 7) | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | HMAC-SHA-1 | KAT | The Module State changes to Running | Initialisation | |
| KDF ANS 9.42 | KDF ANS 9.42 | CAST | Derive | SHA-1 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- | |
| KDF ANS 9.63 | KDF ANS 9.63 | CAST | Derive | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | SHA-256 | KAT | The Module State changes to Running | Initialisation | |
| KDF SSH | KDF SSH | CAST | Derive | SHA-1 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- | |
| TLS v1.2 KDF RFC7627 | TLS v1.2 KDF RFC7627 | CAST | Derive | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | HMAC-SHA-256 | KAT | The Module State changes to Running | Initialisation | |
| TLS v1.3 KDF | TLS v1.3 KDF | CAST | Derive | SHA-256 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- | |
| DSA SigVer (FIPS186-4) | DSA SigVer (FIPS186-4) | CAST | Verify | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | 2048, SHA-256 | KAT | The Module State changes to Running | Initialisation | |
| ECDSA SigGen (FIPS186-4) | ECDSA SigGen (FIPS186-4) | CAST | Sign | P-224, SHA-512 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- |
CryptoComply 140SigGen Document Version 1.1a © SafeLogic Inc.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Implementation | Test Properties | Indicator | Condition | |||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ECDSA SigGen (FIPS186-4) | ECDSA SigGen (FIPS186-4) | CAST | Sign | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | K-233, SHA-512 | KAT | The Module State changes to Running | Initialisation | |||
| Brainpool | CAST | Sign | brainpoolP224r1, SHA-512 | KAT | The Module State changes to Running | Initialisation | Brainpool | CryptoComply 140- | |||
| curves for | curves for | 3 FIPS Provider | |||||||||
| ECDSA | ECDSA | (CAVP Cert. #A4593 | |||||||||
| signatures | signatures | and Cert. #A5173) | |||||||||
| ECDSA SigVer (FIPS186-4) | ECDSA SigVer (FIPS186-4) | CAST | Verify | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | P-224, SHA-512 | KAT | The Module State changes to Running | Initialisation | |||
| ECDSA SigVer (FIPS186-4) | ECDSA SigVer (FIPS186-4) | CAST | Verify | K-233, SHA-512 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- | |||
| Brainpool curves for ECDSA signatures | Brainpool curves for ECDSA signatures | CAST | Verify | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | brainpoolP224r1, SHA-512 | KAT | The Module State changes to Running | Initialisation | |||
| EDDSA sigGen | EDDSA sigGen | CAST | Sign | Ed25519 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- | |||
| EDDSA sigGen | EDDSA sigGen | CAST | Sign | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | Ed448 | KAT | The Module State changes to Running | Initialisation | |||
| EDDSA sigVer | EDDSA sigVer | CAST | Verify | Ed25519 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- | |||
| EDDSA sigVer | EDDSA sigVer | The Module State changes to Running | Verify | Initialisation | Ed448 | CAST | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | KAT | |||
| HMAC- SHA2-256 | HMAC- SHA2-256 | The Module State changes to Running | Verify | HMAC-SHA-2562 | CAST | Initialisation, | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | KAT | |||
| KAS-ECC- SSC Sp800- 56Ar3 | KAS-ECC- SSC Sp800- 56Ar3 | The Module State changes to Running | Verify computation of shared secret Z in Ephemeral Unified scheme3 | Initialisation | P-256 | CAST | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | KAT | |||
| KAS-FFC-SSC Sp800- 56Ar3 | KAS-FFC-SSC Sp800- 56Ar3 | The Module State changes to Running | Initialisation | FB (2048, 224) | CAST | Verify | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | KAT | |||
| KAS-IFC-SSC | KAS-IFC-SSC | The Module State changes to Running | RSA Primitive Computation5 | Initialisation | 2048-bit key | CAST | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | KAT |
Document Version 1.1a © SafeLogic Inc.
Sp80056Ar3 before preoperational KAS-ECCSSC Sp80056Ar3 HMACSHA2-256 Also serves as a self-test for SHA-256 and covers the self-test requirement for SHA-224 Per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3. Also covers the self-test requirement for EC Diffie-Hellman with non-NIST recommended curves. Per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3 Per Scenario 1 of IG D.F and Section 8.2.2 in SP 800-56Br2 Document Version 1.1a © SafeLogic Inc.
SP80056Cr2 SP80056Cr26 KDF SP800108 KTS-OAEPBasic7 KTS-OAEPBasic8 Per IG D.G and SP 800-56Br2 Per IG D.G and SP 800-56Br2 Per IG D.G and SP 800-56Br2 Document Version 1.1a © SafeLogic Inc.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Condition | Implementation | ||
|---|---|---|---|---|---|---|---|---|---|---|
| PBKDF | PBKDF | KAT | CAST | Derivation of the Master Key (MK)10 | CryptoComply 140- | HMAC-SHA-1 | KAT | The Module State changes to Running | Initialisation | |
| RSA SigGen (FIPS186-4) | RSA SigGen (FIPS186-4) | CAST | Sign | 2048-bit key, SHA- 256, PKCS#1 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | ||
| RSA SigVer (FIPS186-4) | RSA SigVer (FIPS186-4) | CAST | Verify | CryptoComply 140- | 2048-bit key, SHA- 256, PKCS#1 | KAT | The Module State changes to Running | Initialisation | ||
| SHA3-256 | SHA3-256 | CAST | Hash | SHA3-25611 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | ||
| SHA-1 | SHA-1 | CAST | Hash | CryptoComply 140- | SHA-1 | KAT | The Module State changes to Running | Initialisation | ||
| SHA2-512 | SHA2-512 | CAST | Hash | SHA-51212 | KAT | The Module State changes to Running | Initialisation | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | ||
| TDES-CBC | TDES-CBC | CAST | Decrypt | CryptoComply 140- | CBC mode, 3-key | KAT | The Module State changes to Running | Initialisation |
Per Section 5.3 of SP 800-132 Also serves as a self-test for KMAC and SHAKE since it utilizes the same Keccak-p permutation Also covers the self-test requirements for SHA-384, SHA-512/224, and SHA-512/256. SHA-256 is tested by the HMAC-SHA-256 self-test. Document Version 1.1a © SafeLogic Inc.
| Name | Algorithm Or Test | Test Type | Details | Implementation | Test Properties | Indicator | Condition | |||
|---|---|---|---|---|---|---|---|---|---|---|
| DSA KeyGen (FIPS186-4), Safe Primes Key Generation, Safe Primes Key Verification | DSA KeyGen (FIPS186-4), Safe Primes Key Generation, Safe Primes Key Verification | PCT | Sign/Verify for Key Agreement13 | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | All supported parameters for KAS-FFC | PCT | Return value for the relevant API call (i.e. for key pair generation or key pair import): 1 for success, 0 for failure | Key Pair Generation, Key Pair Import | ||
| ECDSA KeyGen (FIPS186-4) | ECDSA KeyGen (FIPS186-4) | PCT | Sign/Verify for Digital Signatures14 | All supported curves | PCT | Key Pair Generation | CryptoComply 140- | Return value for the | ||
| 3 FIPS Provider | 3 FIPS Provider | relevant API call (i.e. for | ||||||||
| (CAVP Cert. #A4593 | (CAVP Cert. #A4593 | key pair generation): 1 for | ||||||||
| and Cert. #A5173) | and Cert. #A5173) | success, 0 for failure | ||||||||
| ECDSA KeyGen (FIPS186-4) | ECDSA KeyGen (FIPS186-4) | PCT | Sign/Verify for Key Agreement15 | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | All supported curves | PCT | Return value for the relevant API call (i.e. for key pair import): 1 for success, 0 for failure | Key Pair Import | ||
| EDDSA keyGen | EDDSA keyGen | PCT | Sign/Verify for Digital Signatures16 | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | All supported curves (Ed25519, Ed448) | PCT | Key Pair Generation, Key Pair Import | Return value for the |
Per VE10.35.03 Per VE10.35.02. At the time of key pair generation, the keys’ intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. Per VE10.35.03. At the time of key pair import, the keys’ intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. Per VE10.35.02. EdDSA keys can only be used for digital signatures. Document Version 1.1a © SafeLogic Inc.
| Name | Algorithm Or Test | Test Type | Details | Implementation | Test Properties | Indicator | Condition | ||
|---|---|---|---|---|---|---|---|---|---|
| RSA KeyGen (FIPS186-4) | RSA KeyGen (FIPS186-4) | PCT | Sign/Verify for Key Agreement17 | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | All supported moduli | PCT | Return value for the relevant API call (i.e. for key pair generation or key pair import): 1 for success, 0 for failure | Key Pair Generation, Key Pair Import | |
| AES-XTS | AES-XTS | Critical Function | Test that Key_1 ≠ Key_2 18 | CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173) | All supported sizes (128-bit, 256-bit) | Other | Symmetric Encryption/ Decryption | Return value for the |
Per VE10.35.03. At the time of key pair generation or import, the keys’ intended usage is not known (key pairs may be used for key transport, digital signatures, or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. Per IG C.I Document Version 1.1a © SafeLogic Inc.
| Name | Description | Role Access | Indicator | Recovery Method | Description | Conditions | |
|---|---|---|---|---|---|---|---|
| FIPS_STATE_ERROR | The module has | The error state is | Module State (queried via Show Status) changes to Error (FIPS_STATE_ERROR) | Restart the module | Restart the | ||
| entered an error | entered an error | triggered if any | module | ||||
| state. All | state. All | pre-operational or | |||||
| cryptographic | cryptographic | CAST self-tests fail | |||||
| APIs will return | APIs will return | to pass (either on | |||||
| an error when | an error when | power on or when | |||||
| called. | called. | called by operator) | |||||
| Temporary Error | The return value for the relevant API call (i.e. for key pair generation, key pair import, or symmetric encryption/ decryption with AES- XTS) returns 0 for failure | The module will reject the tested key or key pair and then return automatically to the Running state (FIPS_STATE_ RUNNING). | The module enters a temporary error state when a PCT test fails or when the AES- XTS critical function test fails. Keys that fail the tests are disabled and the module returns to the Running state. | The error state is triggered if a conditional PCT test or conditional AES-XTS critical function test fails to pass. |
| Period | Periodic Method | |
|---|---|---|
| On demand. It is recommended to run the periodic tests at least annually. | On demand. | Pre-Operational Periodic tests are called by power cycling the |
| It is recommended to run the | module, calling the Integrity Test service, or calling the Self-Test | |
| periodic tests at least | service (which calls the module’s integrity test and all CASTs). | |
| annually. | ||
| Conditional Periodic tests are called by power cycling the module or | ||
| calling the Self-Test service (which calls the module’s integrity test | ||
| and all CASTs). |
Table 23 - Error States Document Version 1.1a © SafeLogic Inc.
The module supports two error states, both triggered by failures of the module’s self-tests. The module must be restarted to recover from a failure of the pre-operational or CAST self-test, but it recovers automatically from a failure in the other conditional self-tests.
Self-tests can be called on demand using the Self-Test service. This service calls the module’s integrity test and all CASTs (i.e. KATs). PCTs are not called by this service; PCTs are only called under the conditions specified in Section 10.2 - Conditional Self-Tests. The integrity test is automatically called as part of the Pre-Operational Self-Tests and can also be manually called by the Integrity Test service (or the Self-Test service). Document Version 1.1a © SafeLogic Inc.
Failure to follow initialization instructions for the module (provided below) will result in the module being in a non-compliant state. The module is only provided to the end user in the form of a compiled binary file. Its source code is not provided. The module is provided to the end user by the vendor as a binary archive and an associated hash value. The end user should validate the integrity of the binary archive against the SHA-256 hash value provided with the binary archive. If the integrity value for the archive is correct, the archive should be extracted, and the binaries should be installed. The module is a FIPS-validated cryptographic provider for use by OpenSSL 3.x. OpenSSL 3.x should be installed per its documentation prior to module installation. The FIPS module may be installed using the following procedure:
//Execute commands for the FIPS module if (fips_provider != NULL) OSSL_PROVIDER_unload(fips_provider); return 0; } After the module starts up, the operator should confirm that the module outputs the Approved mode status indicator (refer to Security Policy Section 2.5 - Modes of Operation) and verify the module’s version using the “Output ID/ Version Information” service (refer to Security Policy Section 4.3 Approved Services).
Additional administrator guidance is provided separately in other operator documentation, including the User Manual.
If the module power is lost and restored, the operator shall establish a new key for use with AES-GCM encryption/decryption. Refer also to Security Policy Section 2.9.1 - AES-GCM (IG C.H conformance). Additional guidance is provided separately in other operator documentation, including the User Manual.
The vendor documentation (User Guide) specifies the procedures for the removal of the FIPS module and secure sanitization of the device that the module was installed on. Document Version 1.1a © SafeLogic Inc.
The module implements two types of mitigations of other attacks, which are constant-time implementations and numeric blinding. Constant-time implementations protect cryptographic implementations in the module against timing analysis. With this mitigation, variations in execution time cannot be traced back to an SSP, key, or secret data. Numeric Blinding protects RSA, DSA, and ECDSA from timing attacks, where attackers measure the time of signature operations or RSA decryption. To mitigate this attack, the module generates a random blinding factor that is provided as an input to the decryption/signature operation and is discarded once the operation has completed. With this mitigation, the execution time cannot be correlated to the RSA, DSA, or ECDSA key via a timing attack because the attacker does not know the blinding factor.
These mitigations should make the timing of the encryption, decryption, and signing operations independent of the key material or the input data. This should prevent an attacker from recovering information by measuring the timing of these operations.
While the module implements countermeasures to prevent timing analysis and timing attacks, other side-channel attacks may be possible. As a Level 1, software-based module, the module is limited in its ability to prevent access at the hardware level; power analysis attacks may be possible for an attacker with physical access. Users of software-based modules should be aware of these limitations and incorporate this information into their threat model. Document Version 1.1a © SafeLogic Inc.