All modules
CMVP Validated Module · FIPS 140-3 Security Policy

CryptoComply 140-3 FIPS Provider

Certificate#4781StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorSafeLogic Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys) and random strings. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorSafeLogic Inc.

Approved Algorithms (164)

AlgorithmACVP Cert
AES-CBCA4593
AES-CBCA5173
AES-CBC-CS1A4593
AES-CBC-CS1A5173
AES-CBC-CS2A4593
AES-CBC-CS2A5173
AES-CBC-CS3A4593
AES-CBC-CS3A5173
AES-CCMA4593
AES-CCMA5173
AES-CFB1A4593
AES-CFB1A5173
AES-CFB128A4593
AES-CFB128A5173
AES-CFB8A4593
AES-CFB8A5173
AES-CMACA4593
AES-CMACA5173
AES-CTRA4593
AES-CTRA5173
AES-ECBA4593
AES-ECBA5173
AES-GCMA4593
AES-GCMA4593
AES-GCMA5173
AES-GCMA5173
AES-GMACA4593
AES-GMACA4593
AES-GMACA5173
AES-GMACA5173
AES-KWA4593
AES-KWA5173
AES-KWPA4593
AES-KWPA5173
AES-OFBA4593
AES-OFBA5173
AES-XTS Testing Revision 2.0A4593
AES-XTS Testing Revision 2.0A5173
Counter DRBGA4593
Counter DRBGA5173
DSA KeyGen (FIPS186-4)A4593
DSA KeyGen (FIPS186-4)A5173
DSA PQGGen (FIPS186-4)A4593
DSA PQGGen (FIPS186-4)A5173
DSA PQGVer (FIPS186-4)A4593
DSA PQGVer (FIPS186-4)A5173
DSA SigVer (FIPS186-4)A4593
DSA SigVer (FIPS186-4)A5173
ECDSA KeyGen (FIPS186-4)A4593
ECDSA KeyGen (FIPS186-4)A5173
ECDSA KeyVer (FIPS186-4)A4593
ECDSA KeyVer (FIPS186-4)A5173
ECDSA SigGen (FIPS186-4)A4593
ECDSA SigVer (FIPS186-4)A4593
ECDSA SigVer (FIPS186-4)A5173
ECDSA SigVer (FIPS186-4)A5173
EDDSA KeyGenA4593
EDDSA KeyGenA5173
EDDSA KeyVerA4593
EDDSA KeyVerA5173
EDDSA SigGenA4593
EDDSA SigGenA5173
EDDSA SigGenA5173
EDDSA SigVerA4593
Hash DRBGA4593
Hash DRBGA5173
HMAC DRBGA4593
HMAC DRBGA5173
HMAC-SHA-1A4593
HMAC-SHA-1A5173
HMAC-SHA2-224A4593
HMAC-SHA2-224A5173
HMAC-SHA2-256A4593
HMAC-SHA2-256A5173
HMAC-SHA2-384A4593
HMAC-SHA2-384A5173
HMAC-SHA2-512A4593
HMAC-SHA2-512A5173
HMAC-SHA2-512/224A4593
HMAC-SHA2-512/224A5173
HMAC-SHA2-512/256A4593
HMAC-SHA2-512/256A5173
HMAC-SHA3-224A4593
HMAC-SHA3-224A5173
HMAC-SHA3-256A4593
HMAC-SHA3-256A5173
HMAC-SHA3-384A4593
HMAC-SHA3-384A5173
HMAC-SHA3-512A4593
HMAC-SHA3-512A5173
KAS-ECC-SSC Sp800-56Ar3A4593
KAS-ECC-SSC Sp800-56Ar3A5173
KAS-FFC-SSC Sp800-56Ar3A4593
KAS-FFC-SSC Sp800-56Ar3A5173
KAS-IFC-SSCA4593
KAS-IFC-SSCA5173
KDA HKDF SP800-56Cr2A4593
KDA HKDF SP800-56Cr2A5173
KDA OneStep SP800-56Cr2A4593
KDA OneStep SP800-56Cr2A5173
KDA TwoStep SP800-56Cr2A4593
KDA TwoStep SP800-56Cr2A5173
KDF ANS 9.42A4593
KDF ANS 9.42A5173
KDF ANS 9.63A4593
KDF ANS 9.63A5173
KDF KMAC Sp800-108r1A4593
KDF KMAC Sp800-108r1A5173
KDF SP800-108A4593
KDF SP800-108A5173
KDF SSHA4593
KDF SSHA5173
KMAC-128A4593
KMAC-128A5173
KMAC-256A4593
KMAC-256A5173
KTS-IFCA4593
KTS-IFCA5173
PBKDFA4593
PBKDFA5173
RSA KeyGen (FIPS186-4)A4593
RSA KeyGen (FIPS186-4)A5173
RSA SigGen (FIPS186-4)A4593
RSA SigGen (FIPS186-4)A5173
RSA SigVer (FIPS186-4)A4593
RSA SigVer (FIPS186-4)A5173
Safe Primes Key GenerationA4593
Safe Primes Key GenerationA5173
Safe Primes Key VerificationA4593
Safe Primes Key VerificationA5173
SHA-1A4593
SHA-1A5173
SHA2-224A4593
SHA2-224A5173
SHA2-256A4593
SHA2-256A5173
SHA2-384A4593
SHA2-384A5173
SHA2-512A4593
SHA2-512A5173
SHA2-512/224A4593
SHA2-512/224A5173
SHA2-512/256A4593
SHA2-512/256A5173
SHA3-224A4593
SHA3-224A5173
SHA3-256A4593
SHA3-256A5173
SHA3-384A4593
SHA3-384A5173
SHA3-512A4593
SHA3-512A5173
SHAKE-128A4593
SHAKE-128A5173
SHAKE-256A4593
SHAKE-256A5173
TDES-CBCA4593
TDES-CBCA5173
TDES-ECBA4593
TDES-ECBA5173
TLS v1.2 KDF RFC7627A4593
TLS v1.2 KDF RFC7627A5173
TLS v1.3 KDFA4593
TLS v1.3 KDFA5173

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for CryptoComply 140-3 FIPS Provider
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>FIPS_STATE_ERROR<br/>entered an error</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CO<br/>Self-Test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for CryptoComply 140-3 FIPS Provider
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>FIPS_STATE_ERROR<br/>entered an error</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>CO<br/>Self-Test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

SafeLogic Inc. CryptoComply 140-3 FIPS Provider Software Versions 3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3 Document Version 1.1a June 27, 2024 SafeLogic Inc.

530 Lytton Ave, Suite 200

Palo Alto, CA 94301 www.safelogic.com Document Version 1.1a © SafeLogic Inc.

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels6
2Cryptographic Module Specification7
2.1Description7
2.2Version Information8
2.3Operating Environments8
2.4Excluded Components11
2.5Modes of Operation11
2.6Algorithms13
2.7Module Block Diagram42
2.8Security Function Implementations43
2.9Algorithm Specific Information43
2.10RNG and Entropy46
2.11Key Generation46
2.12Key Establishment47
2.13Industry Protocols47
2.14Design and Rules47
2.15Initialisation48
3Cryptographic Module Interfaces49
3.1Ports and Interfaces49
3.2Additional Information49
4Roles, Services, and Authentication50
4.1Roles50
4.2Authentication Methods52
4.3Approved Services52
4.4Non-Approved Services63
4.5External Software/Firmware Loaded63
5Software/Firmware Security64
5.1Integrity Techniques64
5.2Initiate on Demand64
6Operational Environment65
6.1Operational Environment Type and Requirements65
6.2Configuration Settings and Restrictions65
7Physical Security66
8Non-Invasive Security67
9Sensitive Security Parameter Management68
9.1Storage Areas68
9.2SSP Input-Output Methods68
9.3SSP Zeroisation Methods69
9.4SSPs70
9.5Transitions85
10Self-Tests87
10.1Pre-Operational Self-Tests87
10.2Conditional Self-Tests87
10.3Periodic Self-Tests96
10.4Error States96
10.5Operator Initiation97
11Life-Cycle Assurance98
11.1Startup Procedures98
11.2Administrator Guidance99
11.3Non-Administrator Guidance99
11.4End of Life99
12Mitigation of Other Attacks100
12.1Attack List100
12.2Mitigation Effectiveness100
12.3Guidance and Constraints100
Page 3

9.3 9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 12.1 12.2 12.3 Document Version 1.1a © SafeLogic Inc.

Page 4
List of Tables
ItemPage
Table 1 - Security Levels6
Table 2 - Version Information8
Table 3 – Tested Operational Environments8
Table 4 - Executable Code Sets10
Table 5 - Vendor Affirmed Operational Environments10
Table 6 - Modes of Operation11
Table 7 - Approved Algorithms13
Table 8 - Non-Approved Algorithms Allowed in the Approved Mode of Operation41
Table 9 - Security Function Implementations43
Table 10 - Ports and Interfaces49
Table 11 - Roles50
Table 12 – Roles, Service Commands, Input and Output50
Table 13 – Roles and Authentication52
Table 14 - Approved Services53
Table 15 – Storage Areas68
Table 16 – SSP Input-Output Methods68
Table 17 – SSP Zeroisation Methods69
Table 18 – SSPs70
Table 19 – SSPs, Additional Details82
Table 20 – Pre-Operational Self-Tests87
Table 21 - Conditional Self-Tests88
Table 22 - Periodic Information96
Table 23 - Error States96
Figure 1 - Module Block Diagram and Cryptographic Boundary42
Page 5
1 General
1.1 Overview

This document provides a non-proprietary FIPS 140-3 Security Policy for CryptoComply 140-3 FIPS Provider. SafeLogic Inc.'s CryptoComply 140-3 FIPS Provider is designed to provide FIPS 140-3 validated cryptographic functionality and is available for licensing. For more information, visit www.safelogic.com/cryptocomply.

1.1.1 About FIPS 140

Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules, (FIPS 140-3) specifies the latest requirements for cryptographic modules utilized to protect sensitive but unclassified information. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) collaborate to run the Cryptographic Module Validation Program (CMVP), which assesses conformance to FIPS 140. NIST (through NVLAP) accredits independent testing labs to perform FIPS 140 testing. The CMVP reviews and validates modules tested against FIPS

140 criteria. Validated is the term given to a module that has successfully gone through this FIPS 140

validation process. Validated modules receive a validation certificate that is posted on the CMVP’s website. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program.

1.1.2 About this Document

This non-proprietary cryptographic module Security Policy for CryptoComply 140-3 FIPS Provider from SafeLogic Inc. (SafeLogic) provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-3. This document includes details on the module’s cryptographic capabilities, services, sensitive security parameters, and self-tests. This Security Policy also includes guidance on operating the module while maintaining compliance with FIPS 140-3. CryptoComply 140-3 FIPS Provider may also be referred to as the “module” in this document.

1.1.3 External Resources

The SafeLogic website (www.safelogic.com) contains information on SafeLogic services and products. The CMVP website maintains all FIPS 140 certificates for SafeLogic’s FIPS 140 validations. These certificates also include SafeLogic contact information. Document Version 1.1a © SafeLogic Inc.

Page 6
Security level
NameISO SectionRequirementLevelGeneral1
2Cryptographic Module Specification12
33Cryptographic Module Interfaces1
4Roles, Services, and Authentication14
55Software/Firmware Security1
6Operational Environment16
77Physical SecurityN/A
8Non-Invasive SecurityN/A8
99Sensitive Security Parameter Management1
10Self-Tests110
1111Life-Cycle Assurance1
12Mitigation of Other Attacks112
Overall LevelOverall Level1
1.1.4 Notices

This document may be freely reproduced and distributed, but only in its entirety and without modification.

1.2 Security Levels

The following table lists the module’s level of validation for each area in FIPS 140-3. Table 1 - Security Levels [Number Below] Document Version 1.1a © SafeLogic Inc. N/A N/A

Page 7
2 Cryptographic Module Specification
2.1 Description
2.1.1 Purpose and Use

CryptoComply 140-3 FIPS Provider is a standards-based “Drop-in Compliance™” cryptographic engine. The module delivers core cryptographic functions to applications such as servers, personal computers, mobile devices, and appliances. The module features robust algorithm support, including CNSA algorithms. The module delivers cryptographic services to host applications through a C language Application Programming Interface (API).

2.1.2 Module Type
2.1.3 Module Embodiment
2.1.4 Module Characteristics
2.1.5 Cryptographic Boundary

The module's cryptographic boundary is delimited by the module’s components, as well as the instantiation of the cryptographic module saved in memory and executed by the processor. The executable files that constitute the cryptographic module are listed in Table 4 - Executable Code Sets. Additionally, the module’s integrity value is included inside the boundary. Refer to the block diagram in Figure 1 (Security Policy Section 2.7 - Module Block Diagram) for additional detail. 2.1.5.1 Tested Operational Environment’s Physical Perimeter (TOEPP) As a software cryptographic module, the module operates within the Tested Operational Environment’s Physical Perimeter (TOEPP). The TOEPP consists of the Operating System (OS) and the physical perimeter of the General Purpose Computer (GPC). This TOEPPe comprises the Operational Environment (OE) that the module operates in, the module itself, and all other applications that operate within the OE, including the host application for the module. Document Version 1.1a © SafeLogic Inc.

Page 8
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#Operating SystemHardware PlatformProcessorPAA/Acceleration
SoftwareSoftware3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3
1.AlmaLinux 9Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI1.1.AlmaLinux 9Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI
2.AlmaLinux 9Dell PowerEdge R830Intel Xeon E5-4667v4No2.
3.Android 13Google Pixel 7Google Tensor G2No3.
4.Debian 11Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI4.
5.Debian 11Dell PowerEdge R830Intel Xeon E5-4667v4No5.
6.FreeBSD 13Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI6.
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#Operating SystemHardware PlatformProcessorPAA/Acceleration
SoftwareSoftware3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3
1.AlmaLinux 9Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI1.1.AlmaLinux 9Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI
2.AlmaLinux 9Dell PowerEdge R830Intel Xeon E5-4667v4No2.
3.Android 13Google Pixel 7Google Tensor G2No3.
4.Debian 11Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI4.
5.Debian 11Dell PowerEdge R830Intel Xeon E5-4667v4No5.
6.FreeBSD 13Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI6.
7.FreeBSD 13Dell PowerEdge R830Intel Xeon E5-4667v4No7.7.FreeBSD 13Dell PowerEdge R830Intel Xeon E5-4667v4No
8.iOS 16iPhone 13 MiniApple A15 BionicNo8.
9.iPadOS 16iPad Air (2022)Apple M1No9.
10.macOS 13 (Ventura)Mac Mini M2Apple M2No10.
11.Oracle Solaris 11.4Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI11.
12.Oracle Solaris 11.4Dell PowerEdge R830Intel Xeon E5-4667v4No12.
13.Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI13.Red Hat Enterprise
14.Red Hat Enterprise Linux 9Dell PowerEdge R830Intel Xeon E5-4667v4No14.
15.Rocky Linux 9Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI15.
16.Rocky Linux 9Dell PowerEdge R830Intel Xeon E5-4667v4No16.
17.Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI17.SUSE Linux
18.SUSE Linux Enterprise Server 15Dell PowerEdge R830Intel Xeon E5-4667v4No18.
19.Ubuntu 22.04Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI19.
20.Ubuntu 22.04Dell PowerEdge R830Intel Xeon E5-4667v4No20.
21.Windows 10Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI21.
22.Windows 10Dell PowerEdge R830Intel Xeon E5-4667v4No22.
23.Windows 11Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI23.
24.Windows 11Dell PowerEdge R830Intel Xeon E5-4667v4No24.
25.Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI25.Windows Server
26.Windows Server 2019Dell PowerEdge R830Intel Xeon E5-4667v4No26.
27.Dell PowerEdge R830Intel Xeon E5-4667v4AES_NI27.Windows Server
28.Windows Server 2022Dell PowerEdge R830Intel Xeon E5-4667v4No28.

Refer to the block diagram in Figure 1 (Security Policy Section 2.7 - Module Block Diagram) for additional detail.

2.2 Version Information

Table 2 - Version Information Note: versions 3.0.0-FIPS 140-3 and 3.0.1-FIPS 140-3 have identical functionality and APIs, however an internal modification permits the module to be built as a dynamic or static build.

2.3 Operating Environments
2.3.2 Software, Firmware, Hybrid Tested Operating Environments

The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module operates on a general purpose computer (GPC) running a general purpose operating system (GPOS). The module was tested in the following operating environments specified in the table below. Testing on iOS 16 and iPadOS 16 was performed with module version 3.0.1-FIPS 140-3 and testing on all other OEs was performed with module version 3.0.0-FIPS 140-3. Table 3

Page 9

# 7. 8. 9. Document Version 1.1a © SafeLogic Inc.

Page 10
Module configuration
NameOperating SystemHardware Platform#Operating SystemHardware Platform
fips.afips.a3.0.1-FIPS 140-3Compiled as a static library, tested on iOS and iPadOSHMAC-SHA-256
1.AlmaLinux 9Any general-purpose platform that supports this OS1.1.AlmaLinux 9Any general-purpose platform that supports this OS
2.Android 13Any general-purpose mobile platform that supports this OS2.
3.Debian 11Any general-purpose platform that supports this OS3.
4.FreeBSD 13Any general-purpose platform that supports this OS4.
5.iOS 16Any general-purpose mobile platform that supports this OS5.
6.iPadOS 16Any general-purpose mobile platform that supports this OS6.
7.macOS 13 (Ventura)Any general-purpose platform that supports this OS7.
8.Oracle Solaris 11.4Any general-purpose platform that supports this OS8.
Module configuration
NameOperating SystemHardware Platform#Operating SystemHardware Platform
fips.afips.a3.0.1-FIPS 140-3Compiled as a static library, tested on iOS and iPadOSHMAC-SHA-256
1.AlmaLinux 9Any general-purpose platform that supports this OS1.1.AlmaLinux 9Any general-purpose platform that supports this OS
2.Android 13Any general-purpose mobile platform that supports this OS2.
3.Debian 11Any general-purpose platform that supports this OS3.
4.FreeBSD 13Any general-purpose platform that supports this OS4.
5.iOS 16Any general-purpose mobile platform that supports this OS5.
6.iPadOS 16Any general-purpose mobile platform that supports this OS6.
7.macOS 13 (Ventura)Any general-purpose platform that supports this OS7.
8.Oracle Solaris 11.4Any general-purpose platform that supports this OS8.
9.Red Hat Enterprise Linux 9Any general-purpose platform that supports this OS9.9.Any general-purpose platform that supports this OS
10.Rocky Linux 9Any general-purpose platform that supports this OS10.
11.SUSE Linux Enterprise Server 15Any general-purpose platform that supports this OS11.
12.Ubuntu 22.04Any general-purpose platform that supports this OS12.
13.Windows 10Any general-purpose platform that supports this OS13.
14.Windows 11Any general-purpose platform that supports this OS14.
15.Windows Server 2019Any general-purpose platform that supports this OS15.
16.Windows Server 2022Any general-purpose platform that supports this OS16.
2.3.3 Executable Code Sets

Table 4 - Executable Code Sets

2.3.4 Vendor Affirmed Operating Environments

Porting guidance is defined in the FIPS 140-3 CMVP Management Manual Section 7.9. FIPS 140-3 validation compliance can be maintained when the following requirements are met:

Page 11
Service
NameDescriptionIndicator
approved mode isapproved mode isprovides a global indicator that services are approved.
implemented in theimplemented in theAdditionally, the module provides a status code
module.module.indicating the completion of each service, as indicated
2.4 Excluded Components
2.5.1 Modes List and Description

Table 6 - Modes of Operation

2.5.2 Mode change instructions and status indicators

mode of operation and will operate in this mode once the module is powered on.

Page 12
2.5.3 Degraded Mode Description

Not applicable. Document Version 1.1a © SafeLogic Inc.

Page 13
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES-CBCA4593, A5173AES-CBCStrength: 128, 192, 256 bitsEncryption, DecryptionA4593, A5173AES-CBC SP 800-38AAES-CBCEncryption, Decryption
A4593, A5173A4593, A5173AES-CBC-CS1 SP 800-38A-AddAES-CBC-CS1Encryption, DecryptionStrength: 128, 192, 256 bits Direction: decrypt, encrypt Key Length: 128, 192, 256 Payload Length: 128-65536 Increment 8
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-CBC-CS2 SP 800-38A-AddAES-CBC-CS2Encryption, Decryption
A4593, A5173A4593, A5173AES-CBC-CS3 SP 800-38A-AddAES-CBC-CS3Encryption, DecryptionStrength: 128, 192, 256 bits Direction: decrypt, encrypt Key Length: 128, 192, 256 Payload Length: 128-65536 Increment 8
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-CCM SP 800-38CAES-CCMEncryption, Decryption
A4593, A5173A4593, A5173AES-CFB1 SP 800-38AAES-CFB1Encryption, DecryptionStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-CFB8 SP 800-38AAES-CFB8Encryption, Decryption
A4593, A5173A4593, A5173AES-CFB128 SP 800-38AAES-CFB128Encryption, DecryptionStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-CMAC SP 800-38BAES-CMACGeneration, Verification
A4593, A5173A4593, A5173AES-CTR SP 800-38AAES-CTREncryption, DecryptionStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256 Payload Length: 8-128 Increment 8 Incremental Counter Counter Tests Performed
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-ECB SP 800-38AAES-ECBEncryption, Decryption
A4593, A5173A4593, A5173AES-GCM SP 800-38DAES-GCMEncryption, DecryptionStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt IV Generation: Internal IV Generation Mode: 8.2.1 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96-1024 Increment 8 Payload Length: 0-65536 Increment 8 AAD Length: 0-65536 Increment 8
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-GCM SP 800-38DAES-GCMEncryption, Decryption
A4593, A5173A4593, A5173AES-GMAC SP 800-38DAES-GMACEncryption, Decryption, Generation, VerificationStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt IV Generation: Internal IV Generation Mode: 8.2.1 Key Length: 128, 192, 256 Tag Length: 32, 64, 96, 104, 112, 120, 128 IV Length: 96-1024 Increment 8 AAD Length: 0-65536 Increment 8
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-GMAC SP 800-38DAES-GMACEncryption, Decryption, Generation, Verification
A4593, A5173A4593, A5173AES-KW SP 800-38FAES-KWEncryption, DecryptionStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt Cipher: Cipher, Inverse Key Length: 128, 192, 256 Payload Length: 128-524288 Increment 128
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173AES-KWP SP 800-38FAES-KWPEncryption, Decryption
A4593, A5173A4593, A5173AES-OFB SP 800-38AAES-OFBEncryption, DecryptionStrength: 128, 192, 256 bits Direction: Decrypt, Encrypt Key Length: 128, 192, 256
A4593, A5173Strength: 128, 256 bitsA4593, A5173AES-XTS Testing Revision 2.0 SP 800-38EAES-XTS Testing Revision 2.0Encryption, Decryption
Vendor affirmedVendor affirmedCKG (SP 800-133Rev2)CKG (SP 800-133Rev2)Cryptographic Key Generation; SP 800-133 and IG D.H.The module uses the direct output of its approved DRBGs for key generation Key Generation per SP 800-133r2: • Section 4: Using the Output of a Random Bit Generator. The module uses the direct output of its approved DRBGs. o As per Section 5, this method is used to supply random values used in the Generation of Key Pairs for Asymmetric-Key Algorithms. • Section 6.2: Derivation of Symmetric Keys. The module also supports key derivation via KDF and SSP agreement.
A4593, A5173Strength: 128, 192, 256 bitsA4593, A5173Counter DRBG SP 800-90ACounter DRBGRandom Number Generation
A4593, A5173A4593, A5173DSA KeyGen FIPS 186-4DSA KeyGenKey Generation for Key AgreementStrength: 112 bits Capabilities: L: 2048 N: 224 Capabilities: L: 2048 N: 256
A4593, A5173Strength: 112 bitsA4593, A5173DSA PQGGen FIPS 186-4DSA PQGGenKey Generation for Key Agreement
A4593, A5173A4593, A5173DSA PQGVer FIPS 186-4DSA PQGVerLegacy Key VerificationStrength: 80, 112 bits Capabilities: P/Q Generation Methods: Probable G Generation Methods: Canonical, Unverifiable L: 1024 N: 160 Hash Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256 Capabilities: P/Q Generation Methods: Probable G Generation Methods: Canonical, Unverifiable L: 2048 N: 224 Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Capabilities: P/Q Generation Methods: Probable G Generation Methods: Canonical, Unverifiable L: 2048 N: 256 Hash Algorithm: SHA2-256, SHA2-384, SHA2-512, SHA2-512/256
DSA SigVerA4593, A5173DSA SigVerStrength: 80, 112, 128 bitsLegacy Signature VerificationA4593, A5173DSA SigVer FIPS 186-4DSA SigVerLegacy Signature Verification
A4593, A5173A4593, A5173ECDSA KeyGen FIPS 186-4ECDSA KeyGenKey GenerationStrength: 112-256 bits Curve: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode: Testing Candidates
A4593, A5173Strength: 80 bits (Legacy), 112-256 bitsA4593, A5173ECDSA KeyVer FIPS 186-4ECDSA KeyVerKey Verification
A4593, A5173A4593, A5173ECDSA SigGen FIPS 186-4ECDSA SigGenSignature GenerationStrength: 112-256 bits Curve: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
A4593, A5173Strength: 80 bits (Legacy), 112-256 bitsA4593, A5173ECDSA SigVer FIPS 186-4ECDSA SigVerSignature Verification
A4593, A5173A4593, A5173EDDSA keygen FIPS 186-5EDDSA keygenKey GenerationStrength: 128, 224 bits Curve: ED-25519, ED-448
A4593, A5173Strength: 128, 224 bitsA4593, A5173EDDSA keyVer FIPS 186-5EDDSA keyVerKey Verification
A4593, A5173A4593, A5173EDDSA SigGen FIPS 186-5EDDSA SigGenSignature GenerationStrength: 128, 224 bits Curve: ED-25519, ED-448
A4593, A5173Strength: 128, 224 bitsA4593, A5173EDDSA SigVer FIPS 186-5EDDSA SigVerSignature Verification
A4593, A5173A4593, A5173Hash DRBG SP 800-90AHash DRBGRandom Number GenerationStrength: 128 bits for SHA-1, 256 bits for SHA-256 and SHA-512 Prediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA-1 Entropy Input: 128-256 Increment 64 Nonce: 96-128 Increment 32 Personalization String Length: 0-256 Increment 128 Additional Input: 0-256 Increment 128 Returned Bits: 160 Capabilities: Mode: SHA2-256 Entropy Input: 256-320 Increment 64 Nonce: 128-160 Increment 32 Personalization String Length: 0-256 Increment 128 Additional Input: 0-256 Increment 128 Returned Bits: 256 Capabilities: Mode: SHA2-512 Entropy Input: 256-320 Increment 64 Nonce: 128-160 Increment 32 Personalization String Length: 0-256 Increment 128 Additional Input: 0-256 Increment 128 Returned Bits: 512
HMAC DRBGA4593, A5173HMAC DRBGStrength: 128 bits for SHA-1, 256 bits for SHA-256 and SHA-512Random Number GenerationA4593, A5173HMAC DRBG SP 800-90AHMAC DRBGRandom Number Generation
A4593, A5173A4593, A5173HMAC-SHA-1 FIPS 198-1HMAC-SHA-1Message AuthenticationStrength: 128 bits MAC: 32-160 Increment 8 Key Length: 8-524288 Increment 8
A4593, A5173Strength: 192 bitsA4593, A5173HMAC-SHA2-224 FIPS 198-1HMAC-SHA2-224Message Authentication
A4593, A5173A4593, A5173HMAC-SHA2-256 FIPS 198-1HMAC-SHA2-256Message AuthenticationStrength: 256 bits MAC: 32-256 Increment 8 Key Length: 8-524288 Increment 8
A4593, A5173Strength: 256 bitsA4593, A5173HMAC-SHA2-384 FIPS 198-1HMAC-SHA2-384Message Authentication
A4593, A5173A4593, A5173HMAC-SHA2-512 FIPS 198-1HMAC-SHA2-512Message AuthenticationStrength: 256 bits MAC: 32-512 Increment 8 Key Length: 8-524288 Increment 8
A4593, A5173Strength: 192 bitsA4593, A5173HMAC-SHA2-512/224 FIPS 198-1HMAC-SHA2-512/224Message Authentication
A4593, A5173A4593, A5173HMAC-SHA2-512/256 FIPS 198-1HMAC-SHA2-512/256Message AuthenticationStrength: 256 bits MAC: 32-256 Increment 8 Key Length: 8-524288 Increment 8
A4593, A5173Strength: 192 bitsA4593, A5173HMAC-SHA3-224 FIPS 198-1HMAC-SHA3-224Message Authentication
A4593, A5173A4593, A5173HMAC-SHA3-256 FIPS 198-1HMAC-SHA3-256Message AuthenticationStrength: 256 bits MAC: 32-256 Increment 8 Key Length: 8-524288 Increment 8
A4593, A5173Strength: 256 bitsA4593, A5173HMAC-SHA3-384 FIPS 198-1HMAC-SHA3-384Message Authentication
A4593, A5173A4593, A5173HMAC-SHA3-512 FIPS 198-1HMAC-SHA3-512Message AuthenticationStrength: 256 bits MAC: 32-512 Increment 8 Key Length: 8-524288 Increment 8
A4593, A5173Strength: 112-256 bitsA4593, A5173KAS-ECC-SSC SP 800-56Ar3KAS-ECC-SSCKey Agreement
A4593, A5173A4593, A5173KAS-FFC-SSC SP 800-56Ar3KAS-FFC-SSCKey AgreementStrength: 112 bits (FB, FC), 112-200 bits (Safe Primes) Domain Parameter Generation Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme: dhEphem: KAS Role: initiator, responder
KAS-IFC-SSCA4593, A5173KAS-IFC-SSCStrength: 112-256 bitsKey AgreementA4593, A5173KAS-IFC-SSC SP 800-56Br2KAS-IFC-SSCKey Agreement
A4593, A5173A4593, A5173KDA HKDF SP 800-56Cr2KDA HKDFKey DerivationStrength: 128, 192, 256 bits Fixed Info Pattern: algorithmId||l||uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation Derived Key Length: 2048 Shared Secret Length: 224-8192 Increment 8 HMAC Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
2.6 Algorithms
2.6.1 Approved Algorithms

The module implements the following approved algorithms that have been tested by the Cryptographic Algorithm Validation Program (CAVP). Table 7 - Approved Algorithms Document Version 1.1a © SafeLogic Inc.

Page 14

Document Version 1.1a © SafeLogic Inc.

Page 15
2.0 Document Version 1.1a 2.0 © SafeLogic Inc.
Page 16
Page 17

Document Version 1.1a © SafeLogic Inc.

Page 18

Document Version 1.1a © SafeLogic Inc.

Page 19

Document Version 1.1a © SafeLogic Inc.

Page 20

Document Version 1.1a © SafeLogic Inc.

Page 21

Document Version 1.1a © SafeLogic Inc.

Page 22

Document Version 1.1a © SafeLogic Inc.

Page 23

Document Version 1.1a © SafeLogic Inc.

Page 24
Approved algorithm
NameKey SizeUse Function
KDA OneStep SP 800-56Cr2Strength: 128, 192, 256 bitsKey DerivationA4593, A5173KDA OneStep

Document Version 1.1a © SafeLogic Inc.

Page 25
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
A4593, A5173A4593, A5173KDA TwoStep SP 800-56Cr2KDA TwoStepStrength: 128, 192, 256 bits Fixed Info Pattern: algorithmId||l||uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation KDF Mode: feedback MAC Modes: HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2- 384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC- SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 Fixed Data Order: after fixed data Counter Lengths: 8 The KDF supports an empty IV The KDF requires an empty IV Supported Lengths: 2048 Derived Key Length: 2048 Shared Secret Length: 224-8192 Increment 8Key Derivation
KDF ANS 9.42A4593, A5173KDF ANS 9.42Strength: 128, 192, 256 bitsKey DerivationA4593, A5173KDF ANS 9.42 SP 800-135r1 CVLKDF ANS 9.42Key Derivation
CVLKDF Type: DER
A4593, A5173A4593, A5173KDF ANS 9.63 SP 800-135r1 CVLKDF ANS 9.63Strength: 192, 256 bits Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512 Field Size: 224, 571 Shared Info Length: 0, 1024 Key Data Length: 128, 4096Key Derivation
A4593, A5173Strength: 128, 256 bitsA4593, A5173KDF KMAC SP 800-108r1KBKDF KMACKey Derivation
A4593, A5173A4593, A5173KDF SP 800-108r1KBKDFStrength: 128, 192, 256 bits Capabilities: KDF Mode: Counter MAC Mode: CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3- 256, HMAC-SHA3-384, HMAC-SHA3-512 Supported Lengths: 8, 72, 128, 776, 3456, 4096 Fixed Data Order: Before Fixed Data Counter Length: 32 Custom Key In Length: 0 Capabilities: KDF Mode: Feedback MAC Mode: CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3- 256, HMAC-SHA3-384, HMAC-SHA3-512 Supported Lengths: 8, 72, 128, 776, 3456, 4096 Fixed Data Order: Before Fixed Data Counter Length: 32 Custom Key In Length: 0Key Derivation
KDF SSHA4593, A5173KDF SSHStrength: 128, 192, 256 bitsKey DerivationA4593, A5173KDF SSH SP 800-135r1 CVLKDF SSHKey Derivation
CVLCipher: AES-128, AES-192, AES-256
A4593, A5173A4593, A5173KMAC-128 SP 800-185KMAC-128Strength: 128 bits Message Length: 0-65536 Increment 8 MAC Length: 32-65536 Increment 8 Key Data Length: 128-1024 Increment 8 Supports eXtendable-Output Functions: Yes, NoKey Derivation
A4593, A5173Strength: 256 bitsA4593, A5173KMAC-256 SP 800-185KMAC-256Key Derivation
A4593, A5173A4593, A5173KTS (AES) SP 800-38FKTS (AES)Strength: 128, 192, 256 bits AES-KW, AES-KWP Key Length: 128, 192, 256 Additional detail provided in Table 9 - Security Function Implementations in the entry for the KeyWrapping functionKey Transport
A4593, A5173Strength: 112-200 bitsA4593, A5173KTS-IFC SP 800-56Br2KTS-IFCKey Transport
A4593, A5173A4593, A5173PBKDF SP 800-132PBKDFStrength: 128, 192, 256 bits Iteration Count: 1-10000 Increment 1 HMAC Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length: 8-128 Increment 8 Salt Length: 128-4096 Increment 8 Key Data Length: 112-4096 Increment 8Key Derivation
A4593, A5173Strength: 112, 128, 150 bitsA4593, A5173RSA KeyGen FIPS 186-4RSA KeyGenKey Generation

Document Version 1.1a © SafeLogic Inc.

Page 26

Document Version 1.1a © SafeLogic Inc.

Page 27

Document Version 1.1a © SafeLogic Inc.

Page 28

Document Version 1.1a © SafeLogic Inc.

Page 29
A4593, A5173RSA SigGen FIPS 186-4RSA SigGenStrength: 112, 128, 150 bits Capabilities: Signature Type: PKCS 1.5 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair:Signature Generation

Document Version 1.1a © SafeLogic Inc.

Page 30

Hash Algorithm: SHA2-512/256 Capabilities: Signature Type: PKCSPSS Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 4096 Hash Pair: Document Version 1.1a © SafeLogic Inc.

Page 31

Document Version 1.1a © SafeLogic Inc.

Page 32
Approved algorithm
NameKey SizeUse Function
RSA SigVerStrength: 80 bits (Legacy), 112, 128, 150 bitsSignature VerificationA4593, A5173RSA SigVer FIPS 186-4

Document Version 1.1a © SafeLogic Inc.

Page 33

Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Capabilities: Signature Type: ANSI X9.31 Properties: Modulo: 1024 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 3072 Hash Pair: Document Version 1.1a © SafeLogic Inc.

Page 34

Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Capabilities: Signature Type: PKCSPSS Properties: Modulo: 1024 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 62 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA-1 Document Version 1.1a © SafeLogic Inc.

Page 35

Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 28 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo: 4096 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Document Version 1.1a © SafeLogic Inc.

Page 36
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
A4593, A5173A4593, A5173Safe Primes Key Generation SP 800-56Ar3Safe Primes Key GenerationStrength: 112-200 bits Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192Key Generation
A4593, A5173Strength: 112-200 bitsA4593, A5173Safe Primes Key Verification SP 800-56Ar3Safe Primes Key VerificationKey Verification
A4593A4593SHA-1 FIPS 180-4SHA-1Strength: 80 bits (Legacy) Collision Resistance 128 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA-1 FIPS 180-4SHA-1Hashing
A4593A4593SHA2-224 FIPS 180-4SHA2-224Strength: 112 bits Collision Resistance 192 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
SHA2-224A5173SHA2-224Strength:HashingA5173SHA2-224 FIPS 180-4SHA2-224Hashing
FIPS 180-4112 bits Collision Resistance
A4593A4593SHA2-256 FIPS 180-4SHA2-256Strength: 128 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA2-256 FIPS 180-4SHA2-256Hashing
A4593A4593SHA2-384 FIPS 180-4SHA2-384Strength: 192 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA2-384 FIPS 180-4SHA2-384Hashing
A4593A4593SHA2-512 FIPS 180-4SHA2-512Strength: 256 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA2-512 FIPS 180-4SHA2-512Hashing
A4593A4593SHA2-512/224 FIPS 180-4SHA2-512/224Strength: 112 bits Collision Resistance 192 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA2-512/224 FIPS 180-4SHA2-512/224Hashing
A4593A4593SHA2-512/256 FIPS 180-4SHA2-512/256Strength: 128 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA2-512/256 FIPS 180-4SHA2-512/256Hashing
A4593A4593SHA3-224 FIPS 202SHA3-224Strength: 112 bits Collision Resistance 192 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA3-224 FIPS 202SHA3-224Hashing
A4593A4593SHA3-256 FIPS 202SHA3-256Strength: 128 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
SHA3-256A5173SHA3-256Strength:HashingA5173SHA3-256 FIPS 202SHA3-256Hashing
FIPS 202128 bits Collision Resistance
A4593A4593SHA3-384 FIPS 202SHA3-384Strength: 192 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA3-384 FIPS 202SHA3-384Hashing
A4593A4593SHA3-512 FIPS 202SHA3-512Strength: 256 bits Collision Resistance 256 bits Pre-Image Resistance Message Length: 0-65536 Increment 8 Large Message Sizes: 1, 2, 4, 8gigabytesHashing
A5173Strength:A5173SHA3-512 FIPS 202SHA3-512Hashing
A4593, A5173A4593, A5173SHAKE-128 FIPS 202SHAKE-128Strength: 128 bits Supports Empty Message Output Length: 16-65536 Increment 8Hashing
A4593, A5173Strength: 256 bitsA4593, A5173SHAKE-256 FIPS 202SHAKE-256Hashing
A4593, A5173A4593, A5173TDES-CBC SP 800-67r2TDES-CBCStrength: 112 bits Direction: Decrypt Keying Option: 1Legacy Decryption
A4593, A5173Strength: 112 bitsA4593, A5173TDES-ECB SP 800-67r2TDES-ECBLegacy Decryption
A4593, A5173A4593, A5173TLS v1.2 KDF RFC7627 SP 800-135r1 CVLTLS v1.2 KDF RFC7627Strength: 256 bits Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 Key Block Length: 1024Key Derivation
A4593, A5173Strength: 256 bitsA4593, A5173TLS v1.3 KDF RFC 8446 CVLTLS v1.3 KDFKey Derivation

Document Version 1.1a © SafeLogic Inc.

Page 37

Document Version 1.1a © SafeLogic Inc.

Page 38

Document Version 1.1a © SafeLogic Inc.

Page 39

Document Version 1.1a © SafeLogic Inc.

Page 40

Document Version 1.1a © SafeLogic Inc.

Page 41
Approved algorithm
NameUse FunctionUse / Function
EC Diffie-Hellman withProvides 112, 128, 160,EC Diffie-Hellman with non-NIST recommended curvesProvides 112, 128, 160, 192, or 256 bits of encryption strength. Per IGs D.F and C.A.Shared secret computation using non-NIST
non-NIST192, or 256 bits ofcurves:
recommended curvesencryption strength.brainpoolP224r1, brainpoolP256r1,
Per IGs D.F and C.A.Per IGs D.F and C.A.brainpoolP320r1, brainpoolP384r1,
ECDSA with non-NIST recommended curvesECDSA with non-NIST recommended curvesProvides 112, 128, 160, 192, or 256 bits of encryption strength. Per IG C.A.Key pair generation, digital signature generation, digital signature verification using non-NIST curves: brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1, with strengths 112 bits, 128 bits, 160 bits, 192 bits, and 256 bits
2.6.2 Vendor Affirmed Algorithms

The module implements the vendor affirmed algorithms that are approved for use in Approved mode. Specifically, the module implements CKG per SP 800-133r2 for generation of symmetric keys and asymmetric keys. Refer to the CKG entries in Table 7 for additional details.

2.6.3 Non-Approved, Allowed Algorithms

The module implements the following algorithms that are allowed for use in Approved mode. These are the brainpool curves as listed in SP 800-186 Appendix H.1. Table 8 - Non-Approved Algorithms Allowed in the Approved Mode of Operation

2.6.4 Non-Approved, Allowed Algorithms with No Security Claimed

Not applicable. The module does not implement any non-approved algorithms with no security claimed.

2.6.5 Non-Approved, Not Allowed Algorithms

Not applicable. The module does not implement any non-approved, not allowed algorithms. Document Version 1.1a © SafeLogic Inc.

Page 42
2.7 Module Block Diagram

Figure 1 - Module Block Diagram and Cryptographic Boundary The module’s block diagram depicts the cryptographic boundary, TOEPP, and the components of each. Additionally, it depicts the data flow between these components. The module’s logical interfaces are defined by its API. These interfaces are used by the host application to interact with the module. All input to the module occurs through the data input interface or control input interface. All output from the module occurs through the data output interface or status output interface. Refer also to Security Policy Section 3 - Cryptographic Module Interfaces and Section 9.2 - SSP Input-Output Methods. The module executes within the operating environments specified in Security Policy Section 2.3 Operating Environments. Document Version 1.1a © SafeLogic Inc.

Page 43
Service
NameDescriptionApproved FunctionsTypeProperties
KeyTransportKTS-IFCKTSSP 800-56Brev2. KTS-IFC (key2048 to 16384-bit modulusKTS-IFC A4593, A5173
encapsulation and un-A4593, A5173encapsulation and un-providing 112 to 256 bits of
encapsulation) per IG D.G.encapsulation) per IG D.G.encryption strength
KeyWrappingSP 800-38F. KTS (key wrapping and unwrapping) per IG D.G.KTS128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strengthAES-KW, AES- KWP A4593, A5173
2.8 Security Function Implementations

Security function implementations (SFIs) are defined by the table below. The module is a software library, therefore the SFIs map directly to the module’s services. Refer also to Security Policy Section 4.3 - Approved Services for a description of the module’s services and SSP access. The SFIs below are used to encrypt or decrypt a key value on behalf of the calling application. SSPs are passed in by the calling application. Established SSPs are passed out to the calling application. Table 9 - Security Function Implementations

2.9 Algorithm Specific Information
2.9.1 AES-GCM (IG C.H conformance)

The module is compatible with TLS 1.2 and supports AES-GCM IV construction in alignment with IG C.H scenario

  1. The module does not implement the TLS 1.2 protocol itself, however, it provides the cryptographic functions required for implementing the protocol, including for AES-GCM cipher suites specified in Section 3.3.1 of SP 800-52r2. AES GCM encryption is used in the context of the TLS 1.2 protocol and the mechanism for IV generation is compliant with RFC 5288. The counter portion of the AES GCM IV is set by the module within its cryptographic boundary. The counter portion of the IV is strictly increasing. When the IV exhausts the maximum number of possible values for a given session key, encryption will fail. A handshake to establish a new encryption key is required. It is the responsibility of the user of the module (i.e., the first party to encounter this condition, either the client or the server) to trigger this handshake in accordance with RFC 5246. The module supports internal IV generation by the module’s approved DRBGs, in alignment with IG C.H scenario
  2. The IV is at least 96 bits in length per NIST SP 800-38D, Section 8.2.2. The module is compatible with TLS 1.3 and supports AES-GCM IV construction in alignment with IG C.H scenario
  3. The module does not implement the TLS 1.3 protocol itself, however, it provides the cryptographic functions required for implementing the protocol. AES GCM encryption is used in the context of the TLS 1.3 protocol. When used in the context of TLS 1.3, the GCM IV is constructed in accordance with RFC 8446. Document Version 1.1a © SafeLogic Inc.
Page 44
2.9.2 AES-XTS

Per SP 800-38E, AES-XTS should only be used for storage applications.

2.9.3 DSA

DSA KeyGen (FIPS186-4) and DSA PQGGen (FIPS 186-4) are only implemented for use as a part of an approved SP 800-56Ar3 FFC scheme. In accordance with this, only the FIPS 186-type parameter sets FB (2048, 224) and FC (2048, 256) from SP 800-56Arev3 are supported by the module. For DSA signatures, only DSA PQGVer (FIPS186-4) and DSA SigVer (FIPS186-4) are only implemented. Refer to Security Policy Section 9.5 - Transitions for additional context.

2.9.4 Edwards Curves

Per FIPS 186-5, Edwards curves are only used for digital signatures using EdDSA. Per FIPS 186-5, only SHA-512 is supported with curve Edwards25519 and only SHAKE256 is supported with curve Edwards448.

2.9.5 PBKDF (IG D.N Conformance)

The PBKDF aligns with Option 1a in Section 5.4 of SP 800-132. Keys derived from passwords using the PBKDF may only be used in storage applications. The PBKDF function can be called using the Key Derivation service, but it does not establish keys into the module. The PBKDF function supports passwords from 8 to 128 bytes and iteration counts from 1 to 10,000. SP 800-132 Section 5.2 recommends a minimum iteration count of 1,000. Operators should select an appropriate password length and iteration count for their use case, bearing in mind that both should be as large as is feasible for the application.

2.9.6 RSA

RSA SigVer (FIPS186-4) ANSI X9.31 functionality is only implemented for legacy support. Refer to Security Policy Section 9.5 - Transitions for additional context. The module supports the following even RSA modulus sizes that are not testable by the CAVP:

Page 45
2.9.7 RSA KTS (IG D.G conformance)

For the RSA KTS (KTS-IFC) algorithm, the module supports the KTS-OAEP-basic scheme. As indicated in Security Policy Section 2.9.6, the module supports even RSA modulus sizes that are not testable by the CAVP. The module supports moduli 2048-16384 for RSA KTS. This is conformant to IG C.F.

2.9.8 TLS 1.2 KDF (IG D.Q conformance)

As indicated under CAVP certificates A4593 and A5173, the module supports TLS 1.2 KDF per RFC 7627, i.e. using the extended master secret.

2.9.9 Triple-DES

TDES-CBC and TDES-ECB Decryption functionality is only implemented for legacy support. Refer to Security Policy Section 9.5 - Transitions for additional context. Document Version 1.1a © SafeLogic Inc.

Page 46
2.10 RNG and Entropy

Not applicable The module does not include an entropy source. The module aligns with IG 9.3.A, scenario 2b, therefore the module’s certificate includes the caveat “No assurance of the minimum strength of generated SSPs (e.g., keys).”

2.10.1 Entropy Information

The module accepts input from entropy sources external to the cryptographic boundary for use as seed material for the module’s approved DRBG implementations. Entropy is supplied to the module by means of callback functions. Those functions return an error if the minimum entropy strength is not met. Entropy strength requirements are per NIST Special Publication 800-90A Table 2 (Hash_DRBG, HMAC_DRBG) and Table 3 (CTR_DRBG). At a minimum, the entropy source shall provide at least 128 bits of entropy to the DRBG. All random values used by the module for approved algorithms are provided by the module’s approved DRBGs.

2.10.2 RNG Information

The module does not include an entropy source. The module includes Counter DRBG, Hash DRBG, and HMAC DRBG, all of which are approved RBGs. The output of these approved RBGs is used to generate random data, symmetric keys, and asymmetric keys, as indicated in Security Policy Section 2.6.2 - Vendor Affirmed Algorithms.

2.11 Key Generation

Any generated SSPs are passed out to the calling application and are not stored in the module. Additional detail is provided in Security Policy Section 4.3 - Approved Services. Random values for key generation are provided by the module’s approved DRBGs. The output of the module’s approved DRBGs may be used to generate symmetric keys per SP 800-133r2 using the Random Number Generation service, as indicated in Security Policy Section 2.6.2 - Vendor Affirmed Algorithms. The output of the module’s approved DRBGs may be used to generate asymmetric keys per FIPS 186-4 and per FIPS 186-5 (for EdDSA only) using the Asymmetric Key Generation service. Document Version 1.1a © SafeLogic Inc.

Page 47
2.12 Key Establishment

SSPs used for services are passed in by the calling application. Established SSPs are passed out to the calling application and are not stored in the module. Additional detail is provided in Security Policy Section 4.3 - Approved Services. The module provides ECC and FFC shared secret computation that is conformant to SP 800-56Ar3 in alignment with IG D.F scenario 2 (path 1) via the Key Agreement service. For ECC, the module supports the (Cofactor) Ephemeral Unified Model, C(2e, 0s, ECC CDH) Scheme described in SP 800-56Ar3 Section 6.1.2.2. For FFC, the module supports the dhEphem, C(2e, 0s, FFC DH) Scheme described in SP 80056Ar3 Section 6.1.2.1. The module also provides ECC key agreement using the allowed curves specified in Table 8 - Non-Approved Algorithms Allowed in the Approved Mode of Operation in alignment with IG D.F scenario 3 via the Key Agreement service. The appropriate public key validation assurances are implemented. For ECC, full public key validation is implemented (SP 800-56Ar3 Section 5.6.2.3.3). For FFC, both full public key validation (per SP 800-56Ar3 Section 5.6.2.3.1) and partial public key validation (per SP 800-56Ar3 Section 5.6.2.3.2) are implemented. The module provides RSA shared secret computation that is conformant to SP 800-56Br2 in alignment with IG D.F scenario 1 (path 1) via the Key Agreement service. The module supports the KAS1 basic and KAS2 basic schemes. The module supports various key derivation functions separately via the Key Derivation service. Supported KDFs are conformant to SP 800-108r1 (KBKDF), SP 800-132 (PBKDF), SP 800-56Cr2 (HKDF, KDA OneStep KDA, TwoStep KDA), SP 800-135r1 (ANSI 9.42 KDF, ANSI 9.63 KDF, SSH KDF, TLS 1.2 KDF), and RFC 8446 (TLS 1.3 KDF). The module provides RSA key encapsulation that is conformant to SP 800-56Br2 via the Key Transport service (this is the KeyTransport SFI). The module provides AES key wrapping (AES KW, AES KWP) that is conformant to SP 800-38F via the Key Wrapping service (this is the KeyWrapping SFI).

2.13 Industry Protocols

The module implements KDFs from SP 800-135r1 (Recommendation for Existing Application-Specific Key Derivation Functions) and the TLS 1.3 KDF. These KDFs have been validated by the CAVP and received CVL certificates (A4593, A5173 ). No parts of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

2.14 Design and Rules

The module is designed to meet the applicable requirements of FIPS 140-3. The module initializes when powered on, then performs the pre-operational self-tests and CASTs as specified in Security Policy Document Version 1.1a © SafeLogic Inc.

Page 48

Section 10 - Self-Tests. After successfully passing these self-tests, the module automatically transitions to the operational state and awaits service requests.

2.15 Initialisation

The Module Initialization service is executed when the module is powered on. Document Version 1.1a © SafeLogic Inc.

Page 49
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData OutputAPI output parameters for data
N/AN/AControl InputAPI function calls
N/AN/AStatus OutputAPI status outputs (return codes, error messages)
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

As a software cryptographic module, the module supports logical interfaces only and not physical ports. All access to the module is through the module’s API. The API provides and defines the module’s logical interfaces. The API provides functions that may be called by a host application (refer to Security Policy Section 4.3 - Approved Services). Table 10 - Ports and Interfaces N/A N/A N/A N/A The following interfaces are omitted from the table above because they are not applicable to the module: Control Output (not implemented), Power Input (N/A for software modules).

3.2 Additional Information

All interfaces are logically separated by the module’s API. The data output path is inhibited during pre-operational self-tests, zeroisation, and when the module is in an error state. Document Version 1.1a © SafeLogic Inc.

Page 50
Service
NameRolesRole AccessTypeInputOutput
Crypto OfficerCORole
ModuleCOExternal dispatchInternal dispatch (function pointer) tableCOInternal dispatch (function pointer) table
Initialization(function pointer) table
COCOModule State (queried via Show Status) changes to Running (FIPS_STATE_RUNNING)Self-TestNone
COModule State (queried via Show Status) changesCOIntegrity TestExpected HMAC
COCOModule Status: Running (FIPS_STATE_RUNNING), or Error (FIPS_STATE_ERROR)Show StatusNone
COname:COOutput ID/ Version InformationNone
COCORandom dataRandom Number GenerationDesired security strength in bits, entropy input
SymmetricAES EDK, AES XTS key,COCiphertext data or plaintext data
Encryption/TDES DK, IV, ciphertext
Decryptiondata, plaintext data
Service
NameRolesRole AccessTypeInputOutput
Crypto OfficerCORole
ModuleCOExternal dispatchInternal dispatch (function pointer) tableCOInternal dispatch (function pointer) table
Initialization(function pointer) table
COCOModule State (queried via Show Status) changes to Running (FIPS_STATE_RUNNING)Self-TestNone
COModule State (queried via Show Status) changesCOIntegrity TestExpected HMAC
COCOModule Status: Running (FIPS_STATE_RUNNING), or Error (FIPS_STATE_ERROR)Show StatusNone
COname:COOutput ID/ Version InformationNone
COCORandom dataRandom Number GenerationDesired security strength in bits, entropy input
SymmetricAES EDK, AES XTS key,COCiphertext data or plaintext data
Encryption/TDES DK, IV, ciphertext
Decryptiondata, plaintext data
COCOCiphertext data or plaintext dataAuthenticated Symmetric Encryption/ DecryptionAES CMAC/CCM key, AES GMAC/GCM key, ciphertext data, plaintext data
CODigest or message, AESCODigest or verification resultSymmetric Digest
COCOECDSA SGK, ECDSA SVK, RSA SGK, RSA SVK, EdDSA SGK, EdDSA SVK, DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public, RSA KDK Private, RSA KEK PublicAsymmetric Key GenerationDesired security strength in bits, entropy input, prediction resistance, parameters and values for FFC, ECC, RSA key generation
CODSA SVK, ECDSA SGK,CODigital signature or verification resultDigital Signatures
COCOKeyed hash or verification resultKeyed HashHMAC key, KMAC key
Message DigestCOMessage dataDigest
COCODH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public, KDF secretKey AgreementDH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public
COKDF secret, salt,COGeneric SecretKey Derivation
COCOEncapsulated key (Generic Secret), or unencapsulated key (Generic Secret)Key TransportRSA KEK Public and key to be encapsulated (Generic Secret), or RSA KDK Private and encapsulated key (Generic Secret)
COAES key wrapping key,COWrapped key or unwrapped key (Generic Secret)Key Wrapping
COCOThe completion of a zeroisation routine indicates that the zeroisation procedure succeeded. Zeroisation can be confirmed via EVP_RAND_verify_zeroization: 1 for success (i.e. the DRBG CSPs have been zeroised), 0 for failure.ZeroiseMemory to be cleansed (pointer and length)
UtilityCONoneNone
4 Roles, Services, and Authentication
4.1 Roles

Table 11 - Roles Crypto Officer is the only role supported by the module. The module does not support a User role or a Maintenance role. The Crypto Officer role is implicitly selected by calling the module’s services. Table 12 below describes the service inputs and outputs for the CO role and should be reviewed in conjunction with the service descriptions in Table 14. Table 12

Page 51

Document Version 1.1a © SafeLogic Inc.

Page 52
RoleAuthentication MethodsAuthentication Strength
Crypto OfficerN/AN/A

Table 13

4.3 Approved Services

The following table describes the services the module provides and the access to SSPs by each service. Additional details on each service are available in the module’s user guidance documentation. SSP Access is divided into the following access types:

Page 53
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Module InitializationCON/ANoneN/AAPI return value from OSSL_provider_init: 1 for success, 0 for failureInitialize the FIPSNoneN/A
Self-TestPerforms pre- operational self- tests and CASTs on demand.CON/AAPI return value code from SELF_TEST_post(): 1 for success, 0 for failureNoneN/A
Integrity TestCON/APerforms theHMAC-SHA-256N/AAPI return value from
integrity test onintegrity test onverify_integrity(): 1 for
demand.demand.verified, 0 for failure
Show StatusProvides status information by querying the “status” parameter.CON/AImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for query operation completed successfully, 0 for failure to query the parameterNoneN/A

Table 14 - Approved Services N/A N/A N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 54
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorDescription
Output ID/ Version InformationDisplays FIPSCON/ANoneN/AImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for query operation completed successfully, 0 for failure to query the parameterNoneN/A
Random Number GenerationCODRBG Entropy Input CTR_DRBG Seed, CTR_DRBG V, CTR_DRBG Key, Hash_DRBG Seed, Hash_DRBG V, Hash_DRBG C, HMAC_DRBG Seed, HMAC_DRBG V, HMAC_DRBG KeyImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureCounter DRBG Hash DRBG HMAC DRBGWrite, Execute, Zeroise (W, E, Z) Generate, Execute, Zeroise (G, E, Z)Used to seed/reseed a DRBG instance (including determining the security strength) or obtain random data that is passed out to the calling application.

Document Version 1.1a © SafeLogic Inc. N/A N/A Z) Z)

Page 55
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Symmetric Encryption/ DecryptionUsed to encrypt or decrypt data. SSPs are passed in by the calling application.COAES EDK, AES XTS key, TDES DKAES-CBCWrite,Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureWrite, Execute, Zeroise (W, E, Z)
AES-CBC-CS1AES-CBC-CS1Execute,
AES-CBC-CS2AES-CBC-CS2Zeroise (W, E,
AES-CBC-CS3AES-CBC-CS3Z)
Authenticated Symmetric Encryption/ DecryptionUsed to encrypt or decrypt data or keys. SSPs are passed in by the calling application. Any established SSPs are passed out to the calling application.COAES CMAC/CCM key, AES GMAC/GCM key AES GMAC/GCM IVImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureWrite, Execute, Zeroise (W, E, Z) Generate, Execute, Zeroise (G, E, Z)AES-CCM AES-GCM

Z) Z) © SafeLogic Inc. Document Version 1.1a Z)

Page 56
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Symmetric DigestUsed to generate or verify data integrity with CMAC or GMAC. SSPs are passed in by the calling application.COAES CMAC/CCM key, AES GMAC/GCM key AES GMAC/GCM IVAES-CMACWrite,Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureAES-CMAC AES-GMAC
AES-GMACAES-GMACExecute,

Document Version 1.1a Z) Z) © SafeLogic Inc.

Page 57
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorApproved Security FunctionsAccess Rights to Keys and/or SSPs
Asymmetric Key GenerationUsed to generate asymmetric keys using the DRBG. Established SSPs are passed out to the calling application.CODRBG Entropy Input CTR_DRBG Seed, CTR_DRBG V, CTR_DRBG Key, Hash_DRBG Seed, Hash_DRBG V, Hash_DRBG C, HMAC_DRBG Seed, HMAC_DRBG V, HMAC_DRBG Key ECDSA SGK, ECDSA SVK, RSA SGK, RSA SVK, EdDSA SGK, EdDSA SVK, DH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public, RSA KDK Private, RSA KEK PublicPrerequisites: Counter DRBG Hash DRBG HMAC DRBG CKG With DSA KeyGen DSA PQGGen DSA PQGVer ECDSA KeyGen ECDSA KeyVer ECDSA with non- NIST recommended curves EDDSA keyGen EDDSA keyVer RSA KeyGen Safe Primes Key Generation Safe Primes Key VerificationWrite, Execute, Zeroise (W, E, Z) Generate, Execute, Zeroise (G, E, Z) Generate, Read, Zeroise (G, R, Z)Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure
Digital SignaturesUsed to generate or verify digital signatures. SSPs are passed in by the calling application.CODSA SVK, ECDSA SGK, ECDSA SVK, RSA SGK, RSA SVK, EdDSA SGK, EdDSA SVKWrite, Execute, Zeroise (W, E, Z)Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureDSA SigVerWrite,
ECDSA SigGenECDSA SigGenExecute,
ECDSA SigVerECDSA SigVerZeroise (W, E,
ECDSA with non-ECDSA with non-Z)
Keyed HashUsed to generate or verify data integrity. SSPs are passed in by the calling application.COHMAC key, KMAC keyHMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 KMAC-128 KMAC-256Write, Execute, Zeroise (W, E, Z)Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure
Message DigestUsed to generate a SHA-1, SHA-2, SHA- 3, or SHAKE message digest.CON/AN/AImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureSHA-1N/A
Key AgreementUsed to perform key agreement primitives on behalf of the calling application (does not establish keys into the module). SSPs are passed in by the calling application. Established SSPs are passed out to the calling application.CODH Private, DH Public, ECDH Private, ECDH Public, RSA KAK Private, RSA KAK Public KDF secretKAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves KAS-FFC-SSC KAS-IFC-SSCWrite, Read, Execute, Zeroise (W, R, E, Z) Generate, Read, Zeroise (G, R, Z)Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failure

Document Version 1.1a © SafeLogic Inc. Z) Z) (G, R, Z)

Page 58

Document Version 1.1a © SafeLogic Inc. Z) Z)

Page 59

N/A © SafeLogic Inc. Document Version 1.1a N/A E, Z) (G, R, Z)

Page 60
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorDescription
Key DerivationUsed to derive keysCOKDF Secret Generic SecretKDA HKDF SP800-Write,Implied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureKDA HKDF SP800- 56Cr2 KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF ANS 9.42 KDF ANS 9.63 KDF KMAC Sp800- 108r1 KDF SP800-108 KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDFWrite, Execute, Zeroise (W, E, Z) Generate, Read, Zeroise (G, R, Z)
using KBKDF,using KBKDF,56Cr2Execute,
PBKDF, HKDF, SPPBKDF, HKDF, SPKDA OneStepZeroise (W, E,
800-56Cr2 One-800-56Cr2 One-SP800-56Cr2Z)
Step KDF (KDA), SPStep KDF (KDA), SPKDA TwoStep
800-56Cr2 Two-800-56Cr2 Two-SP800-56Cr2Generate,
Step KDF (KDA),Step KDF (KDA),KDF ANS 9.42Read, Zeroise
ANSI X9.42-2001ANSI X9.42-2001KDF ANS 9.63(G, R, Z)
KDF, ANSI X9.63-KDF, ANSI X9.63-KDF KMAC Sp800-
2001 KDF, SSHv22001 KDF, SSHv2108r1
KDF, TLS 1.2 KDF,KDF, TLS 1.2 KDF,KDF SP800-108
TLS 1.3 KDF (doesTLS 1.3 KDF (doesKDF SSH
not establish keysnot establish keysPBKDF
into the module).into the module).TLS v1.2 KDF
SSPs are passed inSSPs are passed inTLS v1.3 KDF
Key TransportCORSA KDK Private, RSA KEK Public Generic SecretImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureKTS-IFC KeyTransport SFIWrite, Execute, Zeroise (W, E, Z) Write, Read, Zeroise (W, R, Z)Used to encrypt or decrypt a key value on behalf of the calling application (does not establish keys into the module). SSPs are passed in by the calling application. Established SSPs are passed out to the calling application.
Key WrappingUsed to encrypt orCOAES key wrapping key Generic SecretImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureAES-KW AES-KWP KeyWrapping SFIWrite, Execute, Zeroise (W, E, Z) Write, Read, Zeroise (W, R, Z)
ZeroiseNoneZeroise (Z)CODRBG Entropy Input, CTR_DRBG Seed, CTR_DRBG V, CTR_DRBG Key, Hash_DRBG Seed, Hash_DRBG V, Hash_DRBG C, HMAC_DRBG Seed, HMAC_DRBG V, HMAC_DRBG KeyImplied if EVP_default_properties _is_fips_enabled() returns true API return value: 1 for operation completed successfully, 0 for failureAll services automatically overwrite SSPs stored in allocated memory. The module does not store any SSP persistently (beyond the lifetime of an API call), except for DRBG state values (stored for the lifetime of the DRBG instance). Stack cleanup is the responsibility of the calling application.
UtilityNoneN/ACON/AImplied ifMiscellaneous helper functions.

Document Version 1.1a © SafeLogic Inc. Z) (G, R, Z)

Page 61

Z) Z) Z) Document Version 1.1a Z) © SafeLogic Inc.

Page 62

N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 63
4.4 Non-Approved Services

Not applicable. The module does not implement any non-approved, not allowed algorithms; therefore, it also does not provide any non-approved services.

4.5 External Software/Firmware Loaded

Not applicable. The module does not support this functionality. Document Version 1.1a © SafeLogic Inc.

Page 64
5 Software/Firmware Security
5.1 Integrity Techniques

As specified in Security Policy Section 2.3.3 - Executable Code Sets, the module implements integrity techniques for all executable code sets. The integrity technique used by the module is HMAC-SHA-256. The integrity technique has received CAVP certificates A4593 and A5173. The integrity technique is implemented by the module itself.

5.2 Initiate on Demand

The Integrity Test can be performed on demand via the “Integrity Test” service. Document Version 1.1a © SafeLogic Inc.

Page 65
6 Operational Environment
6.1 Operational Environment Type and Requirements

Refer to Security Policy Section 2.3.4 for vendor affirmed operating environment porting guidance.

6.1.1 Type of Operating Environment
6.1.2 How Requirements are Satisfied

Supported operational environments are indicated in Security Policy Section 2.3 - Operating Environments. The operating environments ensure that every application using the module operates in its own private and isolated environment (memory, I/O, etc.) and that user processes are segregated into separate process spaces. The module does not spawn any processes.

6.2 Configuration Settings and Restrictions

The module must be installed, and the correct installation confirmed, as described in Security Policy Section 11.1

Page 66
7 Physical Security

The requirements of this section are not applicable to the module. The module is a software module and does not implement any physical security mechanisms. Document Version 1.1a © SafeLogic Inc.

Page 67

Non-Invasive Security The requirements of this section are not applicable to the module. Document Version 1.1a © SafeLogic Inc.

Page 68
Sensitive security parameter
NameTypeDescription
RAM / DRAMDynamicMemory that only holds data during power on of theRAM / DRAMDynamic
9 Sensitive Security Parameter Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

Table 16

Page 69
MethodDescriptionRationaleOperator
Initiation
Capability
Zeroise serviceCalls OPENSSL_cleanse to zeroise the DRBG CSPsDRBG CSPs are the only SSPs storedFunction provided via APIFunction
by the module beyond the lifetimeprovided
of an API call.via API
The Zeroise service zeroises SSPs by
overwriting zeroes to the memory
location occupied by the SSP and
further deallocating that area.
Call a service that creates or uses the SSPServices include appropriate APIs (OPENSSL_free or OPENSSL_cleanse) to automatically zeroise the SSPs created or used by the services. This zeroises the context structures that contain the SSP.SSPs are zeroised by overwriting zeroes to the memory location occupied by the SSP and further deallocating that area.Function provided via API
9.3 SSP Zeroisation Methods

Table 17

Page 70
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
Generic Secret112 – 256 bitsN/AKey DerivationKey Transport Service (A4593 and A5173): KTS-IFC Key Wrapping Service (A4593 and A5173): AES-KW AES-KWPRAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Note: Used only as an input or output Related SSPs: May be derived from KDF Secret May be wrapped or unwrapped by RSA KDK Private, RSA KEK Public, or AES key wrapping keyKey Derivation Service: plaintext export Key Transport Service (A4593 and A5173): import or export, plaintext or encrypted with KTS-IFC Key Wrapping Service (A4593 and A5173), import or export, plaintext or encrypted with AES-KW or AES- KWPGeneric Secret Type: Key or other SSPN/ACall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
Type: Key orService (A4593
other SSPand A5173):

The following two tables define the module’s Sensitive Security Parameters (SSPs). Access to SSPs is defined under Security Policy Section 4.3 Approved Services. N/A Document Version 1.1a © SafeLogic Inc.

Page 71
Sensitive security parameter
NameStrengthGenerationEstablishmentStorageUseImport ExportZeroisation
AES EDK Type: Symmetric Key128, 192, 256 bitsExternalN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Symmetric Encryption/ DecryptionSymmetric Encryption/ Decryption service: plaintext importAES EDK Type: Symmetric KeyA4593 and A5173: AES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CFB1 AES-CFB8 AES-CFB128 AES-CTR AES-ECB AES-OFBCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
AES CMAC/CCM key Type: Symmetric Key128, 192, 256 bitsExternalN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Authenticated Symmetric Encryption/ Decryption, Symmetric DigestAES CMAC/CCM key Type: Symmetric KeyA4593 and A5173: AES-CCM AES-CMACCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)Authenticated
AES GMAC/GCM key Type: Symmetric Key128, 192, 256 bitsExternalN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Authenticated Symmetric Encryption/ Decryption, Symmetric Digest Related SSPs: AES GMAC/GCM IV: Used withAuthenticated Symmetric Encryption/ Decryption service: plaintext import Symmetric Digest service: plaintext importAES GMAC/GCM key Type: Symmetric KeyA4593 and A5173: AES-GCM AES-GMACCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
AES GMAC/GCM IV Type: IV96-1024 bitsN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.N/AAES GMAC/GCM IV Type: IVA4593 and A5173: AES-GCM AES-GMACCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RandomUse:
service (A4593service (A4593Symmetric Digest
Counter DRBGCounter DRBGRelated SSPs:
Hash DRBGHash DRBGAES GMAC/GCM key: Used
HMAC DRBGHMAC DRBGwith

Document Version 1.1a N/A N/A N/A N/A © SafeLogic Inc. N/A

Page 72
Sensitive security parameter
NameStrengthGenerationEstablishmentStorageUseImport ExportZeroisationUse & related keys
AES XTS key Type: Symmetric Key128, 256 bitsExternalN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Symmetric Encryption/ Decryption service: plaintext importAES XTS key Type: Symmetric KeyA4593 and A5173: AES-XTSCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)Use: Symmetric Encryption/ Decryption
AES key wrapping key Type: Symmetric Key128, 192, 256 bitsExternalN/AUse:Key Wrapping service: plaintext importAES key wrapping key Type: Symmetric KeyA4593 and A5173: AES-KW AES-KWP (KeyWrapping SFI)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM
All SSPs areKey Wrapping (usingAll SSPs are
temporarily storedKeyWrapping SFI)temporarily stored
duration is for theRelated SSPs:duration is for the
lifetime of the APIWraps or unwraps Genericlifetime of the API
call.Secretcall.
TDES DK Type: Symmetric Key112 bitsExternalN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Symmetric Encryption/ Decryption service: plaintext importTDES DK Type: Symmetric KeyA4593 and A5173: TDES-CBC TDES-ECBCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)Use: Symmetric Encryption/ Decryption
DRBG Entropy Input Type: RBG128-256 bitsExternalN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use:Random Number Generation service: plaintext import Asymmetric Key Generation service: plaintext importDRBG Entropy Input Type: RBGA4593 and A5173: Counter DRBG Hash DRBG HMAC DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)

N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 73
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportGenerationZeroisation
CTR_DRBG Seed Type: RBG128-256 bitsN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, CTR_DRBG V, CTR_DRBG Key: Used withN/ACTR_DRBG Seed Type: RBGA4593 and A5173: Counter DRBGRandom Number Generation service (A4593 and A5173): Counter DRBG Asymmetric Key Generation service (A4593 and A5173): Counter DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
CTR_DRBG V Type: RBG128 bitsRandomN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, CTR_DRBG Seed, CTR_DRBG Key: Used withN/ACTR_DRBG V Type: RBGA4593 and A5173: Counter DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
CTR_DRBG Key Type: RBG128, 192, 256 bitsN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, CTR_DRBG Seed, CTR_DRBG V: Used withN/ACTR_DRBG Key Type: RBGA4593 and A5173: Counter DRBGRandom Number Generation service (A4593 and A5173): Counter DRBG Asymmetric Key Generation service (A4593 and A5173): Counter DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
Hash_DRBG128-256 bitsA4593 and A5173:RandomN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, Hash_DRBG V, Hash_DRBG C: Used withN/AHash_DRBG Seed Type: RBGA4593 and A5173: Hash DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
SeedHash DRBGNumber
Type: RBGGeneration
Hash_DRBG V Type: RBG128, 256 bitsN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, Hash_DRBG Seed, Hash_DRBG C: Used withN/AHash_DRBG V Type: RBGA4593 and A5173: Hash DRBGRandom Number Generation service (A4593 and A5173): Hash DRBG Asymmetric Key Generation service (A4593 and A5173): Hash DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
Hash_DRBG C Type: RBG128, 256 bitsRandomN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, Hash_DRBG Seed, Hash_DRBG V: Used withN/AHash_DRBG C Type: RBGA4593 and A5173: Hash DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
HMAC_DRBG Seed Type: RBG128-256 bitsN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, HMAC_DRBG V, HMAC_DRBG Key: Used withN/AHMAC_DRBG Seed Type: RBGA4593 and A5173: HMAC DRBGRandom Number Generation service (A4593 and A5173): HMAC DRBG Asymmetric Key Generation service (A4593 and A5173): HMAC DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
HMAC_DRBG V Type: RBG160, 256, 512 bitsRandomN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, HMAC_DRBG Seed, HMAC_DRBG Key: Used withN/AHMAC_DRBG V Type: RBGA4593 and A5173: HMAC DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
HMAC_DRBG Key Type: RBG160, 256, 512 bitsN/ARAM / DRAM All DRBG SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the DRBG instance.Use: Random Number Generation, Asymmetric Key Generation Related SSPs: DRBG Entropy Input, HMAC_DRBG Seed, HMAC_DRBG Key: Used withN/AHMAC_DRBG Key Type: RBGA4593 and A5173: HMAC DRBGRandom Number Generation service (A4593 and A5173): HMAC DRBG Asymmetric Key Generation service (A4593 and A5173): HMAC DRBGZeroise service (Refer to Table 17 – SSP Zeroisation Methods)
ECDSA SGK112 – 256 bitsA4593 and A5173:AsymmetricN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Digital Signatures Related SSPs: May be paired with ECDSA SVKDigital Signatures service: plaintext import Asymmetric Key Generation service: plaintext exportECDSA SGK Type: SignatureA4593 and A5173: ECDSA SigGen ECDSA with non- NIST recommended curves (allowed)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
Type: SignatureECDSA SigGenKey Generation
ECDSA with non-ECDSA with non-and A5173):
NISTNISTCounter DRBG
recommendedrecommendedHash DRBG
curves (allowed)curves (allowed)HMAC DRBG
RSA SGK Type: Signature112 – 256 bitsN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Digital Signatures Related SSPs: May be paired with RSA SVKDigital Signatures service: plaintext import Asymmetric Key Generation service: plaintext exportRSA SGK Type: SignatureA4593 and A5173: RSA SigGenAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) RSA KeyGen or ExternalCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
EdDSA SGK Type: Signature128, 224 bitsAsymmetricN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Digital Signatures Related SSPs: May be paired with EdDSA SVKDigital Signatures service: plaintext import Asymmetric Key Generation service: plaintext exportEdDSA SGK Type: SignatureA4593 and A5173: EDDSA SigGenCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
DH Private Type: Key Agreement112 bits 112-200 bitsKey Agreement service (A4593 and A5173): KAS-FFC-SSCRAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Key Agreement Related SSPs: May be paired with DH Public Used to establish KDF SecretKey Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext exportDH Private Type: Key AgreementA4593 and A5173: KAS-FFC-SSCAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) DSA KeyGen DSA PQGGen DSA PQGVer Safe Primes Key Generation Safe Primes Key Verification or ExternalCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
EC DH Private Type: Key Agreement112 – 256 bitsAsymmetricKey Agreement service (A4593 and A5173): KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Key Agreement Related SSPs: May be paired with EC DH Public Used to establish KDF SecretKey Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext exportEC DH Private Type: Key AgreementA4593 and A5173: KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
RSA KAK Private Type: Key Agreement112 – 256 bitsKey Agreement service (A4593 and A5173): KAS-IFC-SSCRAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Key Agreement Related SSPs: May be paired with RSA KAK Public Used to establish KDF SecretKey Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext exportRSA KAK Private Type: Key AgreementA4593 and A5173: KAS-IFC-SSCAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) RSA KeyGen or ExternalCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)

N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 74

N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 75

N/A N/A N/A N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 76

N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 77

© SafeLogic Inc. Document Version 1.1a

Page 78
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisationGeneration
RSA KDK Private112 – 256 bitsA4593 and A5173:AsymmetricN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Key Transport (using KeyTransport SFI) Related SSPs: May be paired with RSA KEK Public Unwraps Generic SecretKey Transport service: plaintext import Asymmetric Key Generation service: plaintext exportRSA KDK Private Type: Key TransportA4593 and A5173: KTS-IFC (KeyTransport SFI)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
Transport(KeyTransport SFI)service (A4593
HMAC Key Type: Authentication128, 192 256 bitsN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Keyed HashKeyed Hash service: plaintext importHMAC Key Type: AuthenticationA4593 and A5173: HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)External
KMAC Key Type: Authentication128, 256 bitsN/AUse: Keyed HashKeyed Hash service: plaintext importKMAC Key Type: AuthenticationA4593 and A5173: KMAC-128 KMAC-256Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)ExternalRAM / DRAM

Document Version 1.1a N/A N/A N/A © SafeLogic Inc.

Page 79
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
KDF Secret Type: Key Derivation Function112 – 512 bitsN/AKey Agreement Service (A4593 and A5173): KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed) KAS-FFC-SSC KAS-IFC-SSC or ExternalRAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Key Derivation Related SSPs: May be derived from DH Private, DH Public, or EC DH Private, EC DH Public, or RSA KAK Private, RSA KAK Public May be used to derive Generic SecretKey Derivation service: plaintext import Key Agreement service: plaintext exportKDF Secret Type: Key Derivation FunctionA4593 and A5173: KDA HKDF SP800- 56Cr2 KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF ANS 9.42 KDF ANS 9.63 KDF KMAC Sp800- 108r1 KDF SP800-108 KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDFCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
DSA SVK Type: Signature80 – 128ExternalN/AUse: Digital SignaturesDigital Signatures service: plaintext importDSA SVK Type: SignatureA4593 and A5173: DSA SigVerCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM
ECDSA SVK Type: Signature80 – 256 bitsAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) ECDSA KeyGen ECDSA KeyVer or ExternalN/ARAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.Use: Digital Signatures Related SSPs: May be paired with ECDSA SGKDigital Signatures service: plaintext import Asymmetric Key Generation service: plaintext exportECDSA SVK Type: SignatureA4593 and A5173: ECDSA SigVer ECDSA with non- NIST recommended curves (allowed)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)
RSA SVK80 – 256 bitsA4593 and A5173:Digital Signatures service: plaintext import Asymmetric Key Generation service: plaintext exportN/AUse: Digital Signatures Related SSPs: May be paired with RSA SGKAsymmetricRSA SVK Type: SignatureA4593 and A5173: RSA SigVerCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.
Type: SignatureRSA SigVerKey Generation
EdDSA SVK Type: Signature128, 224 bitsAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) EDDSA keyGen EDDSA keyVer or ExternalDigital Signatures service: plaintext import Asymmetric Key Generation service: plaintext exportN/AUse: Digital Signatures Related SSPs: May be paired with EdDSA SGKEdDSA SVK Type: SignatureA4593 and A5173: EDDSA SigVerCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.
DH Public Type: Key Agreement112 bits 112-200 bitsKey Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext exportKey Agreement service (A4593 and A5173): KAS-FFC-SSCUse: Key Agreement Related SSPs: May be paired with DH Private Used to establish KDF SecretAsymmetricDH Public Type: Key AgreementA4593 and A5173: KAS-FFC-SSCCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.
EC DH Public Type: Key Agreement112 – 256 bitsAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) ECDSA KeyGen ECDSA KeyVer or ExternalKey Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext exportKey Agreement service (A4593 and A5173): KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed)Use: Key Agreement Related SSPs: May be paired with EC DH Private Used to establish KDF SecretEC DH Public Type: Key AgreementA4593 and A5173: KAS-ECC-SSC EC Diffie-Hellman with non-NIST recommended curves (allowed)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.
RSA KAK Public Type: Key Agreement112 – 256 bitsKey Agreement service: plaintext import/export Asymmetric Key Generation service: plaintext exportKey Agreement service (A4593 and A5173): KAS-IFC-SSCUse: Key Agreement Related SSPs: May be paired with RSA KAK Private Used to establish KDF SecretAsymmetricRSA KAK Public Type: Key AgreementA4593 and A5173: KAS-IFC-SSCCall a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.
RSA KEK Public Type: Key Transport112 – 256 bitsAsymmetric Key Generation service (A4593 and A5173): Counter DRBG Hash DRBG HMAC DRBG CKG (Vendor affirmed) RSA KeyGen or ExternalKey Transport service: plaintext import Asymmetric Key Generation service: plaintext exportN/AUse: Key Transport (using KeyTransport SFI) Related SSPs: May be paired with RSA KDK Private Wraps Generic SecretRSA KEK Public Type: Key TransportA4593 and A5173: KTS-IFC (KeyTransport SFI)Call a service that creates or uses the SSP (Refer to Table 17 – SSP Zeroisation Methods)RAM / DRAM All SSPs are temporarily stored in plaintext. Storage duration is for the lifetime of the API call.

N/A N/A N/A Document Version 1.1a © SafeLogic Inc.

Page 80

N/A N/A © SafeLogic Inc. Document Version 1.1a

Page 81
9.4.1 SSPs, Additional Details

The table below provides additional detail for the SSPs listed in Table 18

Page 82
Sensitive security parameter
NameDescriptionStrengthCategory
Generic Secret112 – 512 bitsGeneric Secret Type: Key or other SSPSSPs generated by key derivation and directly output byCSP
Type: Key or otherthe module, or generic keys that are wrapped or
AES EDK Type: Symmetric KeyAES encrypt/ decrypt key128, 192, 256 bitsAES EDK Type: Symmetric KeyCSP
AES CMAC/CCMAES CMAC/CCM key for encrypt/ decrypt or generate/ verify128, 192, 256 bitsCSP
AES GMAC/GCM key Type: Symmetric KeyAES GMAC/GCM key for encrypt/ decrypt or generate/ verify128, 192, 256 bitsAES GMAC/GCM key Type: Symmetric KeyCSP
AES GMAC/GCM IV96-1024 bitsAES GMAC/GCM IV for encrypt/ decrypt or generate/CSP
Type: IVverify
AES XTS key Type: Symmetric KeyAES XTS encrypt/ decrypt key128, 256 bitsAES XTS key Type: Symmetric KeyCSP
AES key wrappingAES KW, KWP key128, 192, 256 bitsCSP
TDES DK Type: Symmetric Key3-key Triple-DES decrypt key192 bitsTDES DK Type: Symmetric KeyCSP

Table 19

Page 83
Sensitive security parameter
NameInput
Type: RBGType: RBGother inputs per SP 800-90A Sections 7.2, 8.6
Type: SignatureType: Signaturebrainpool)

Document Version 1.1a © SafeLogic Inc.

Page 84
Sensitive security parameter
NameDescriptionStrengthCategory
DH Private Type: Key AgreementDiffie-Hellman private key agreement key (186-4-type and safe primes)For 186-4 type key generation: 224, 256 bits For safe primes key generation: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP- 4096, MODP-6144, MODP-8192DH Private Type: Key AgreementCSP
EC DH PrivateElliptic Curve Diffie-Hellman private key agreement key (P, B, K curves and brainpool)224 – 512 bitsCSP
RSA KAK Private Type: Key AgreementRSA private key agreement key2048 – 16384 bitsRSA KAK Private Type: Key AgreementCSP
RSA KDK PrivateRSA private key decryption key2048 – 16384 bitsCSP
HMAC Key Type: AuthenticationKeyed hash key for HMAC160, 224, 256, 384, 512 bitsHMAC Key Type: AuthenticationCSP
KMAC KeyKeyed hash key for KMAC128-1024 bitsCSP
KDF Secret Type: Key Derivation FunctionSecret value used by KDFs112 – 512 bitsKDF Secret Type: Key Derivation FunctionCSP
DSA SVK Type: SignatureDSA signature verification key (legacy only)DSA SVK Type: SignaturePSPDSA (L, N) =
ECDSA SVK Type: SignatureECDSA signature verification key (P, B, K curves and brainpool)160 – 512 bitsECDSA SVK Type: SignaturePSP
RSA SVKRSA signature verification key1024 – 16384 bitsPSP
EdDSA SVK Type: SignatureEd25519 or Ed448 signature verification key256, 456 bitsEdDSA SVK Type: SignaturePSP
DH Public Type: Key AgreementDiffie-Hellman public key agreement key (186-4-type and safe primes)DH Public Type: Key AgreementPSPFor 186-4 type key generation: 2048 bits
EC DH Public Type: Key AgreementElliptic Curve Diffie-Hellman public key agreement key (P, B, K curves and brainpool)224 – 512 bitsEC DH Public Type: Key AgreementPSP
RSA KAK PublicRSA public key agreement key2048 – 16384 bitsPSP
RSA KEK Public Type: Key TransportRSA public key encryption key2048 – 16384 bitsRSA KEK Public Type: Key TransportPSP

Document Version 1.1a © SafeLogic Inc.

Page 85
9.5 Transitions

All algorithms implemented by the module are approved for FIPS 140-3 and will not be impacted by the transitions specified below. The information below provides context for the algorithms not supported by the module due to algorithm transitions. Refer also to Security Policy Section 2.9

Page 86
Page 87
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTest PropertiesIndicator
HMAC-SHA2-256HMAC-SHA2-256Compare to pre-SW/FWVerifyHMAC-SHA2-256CryptoComplyHMAC-SHA-2561HMAC-SHA-2561Compare to pre- computed HMACSW/FW IntegrityThe Module State (queried via Show Status) changes to Running (FIPS_STATE_RUNNING)The Module State (queried viaVerify
140-3 FIPScomputedIntegrity140-3 FIPSShow Status) changes to
Provider (CAVPHMACProvider (CAVPRunning
Cert. #A4593 andCert. #A4593 and(FIPS_STATE_RUNNING)
10 Self-Tests
10.1 Pre-Operational Self-Tests

Table 20

10.2 Conditional Self-Tests

The module mainly performs two types of conditional self-tests, which are Cryptographic Algorithm Self-Tests (CASTs) and Pairwise Consistency Tests (PCTs). The module also performs one critical function test for AES-XTS, per IG C.I. The module does not implement any other conditional Please refer also to the HMAC-SHA-256 CAST, which is performed before the pre-operational SW integrity test Document Version 1.1a © SafeLogic Inc.

Page 88
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesConditionImplementationIndicator
AES-GCMAES-GCMKATCASTCryptoComply 140-256-bit AESKATThe Module State (queriedAuthenticatedInitialisation
3 FIPS Provider3 FIPS Providervia Show Status) changes toEncrypt
(CAVP Cert. #A4593(CAVP Cert. #A4593Running(forward
and Cert. #A5173)and Cert. #A5173)(FIPS_STATE_RUNNING)cipher)
AES-GCMAES-GCMCASTDecrypt (forward cipher)256-bit AESKATInitialisationCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)The Module State changes to Running
AES-ECBAES-ECBCASTDecrypt (inverse cipher)CryptoComply 140-256-bit AESKATInitialisationThe Module State changes to Running
Counter DRBGCounter DRBGCASTInstantiate, Reseed, Generate (per IG 10.3.A, 7)128-bit AES with dfKATInitialisationCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)The Module State changes to Running
Hash DRBGHash DRBGCASTCryptoComply 140-SHA-256KATInstantiate,InitialisationThe Module State changes to Running
3 FIPS Provider3 FIPS ProviderReseed,
(CAVP Cert. #A4593(CAVP Cert. #A4593Generate (per
and Cert. #A5173)and Cert. #A5173)IG 10.3.A, 7)

self-tests, including conditional self-tests for software/firmware loading, manual entry, or bypass, because the module does not implement corresponding functions. The CAST tests below are executed automatically by the Module Initialization service when the module is powered on. Automatic execution of the CASTs relies on use of the default entry point (DEP); no operator intervention is required. The CASTs execute before the module transitions to the operational state. If the CASTs are successful, the Module State (queried via Show Status) is updated to indicate that the module is in the Running state (FIPS_STATE_RUNNING). All other conditional self-tests are executed when the relevant condition occurs, as specified in the table below. Table 21 - Conditional Self-Tests Document Version 1.1a © SafeLogic Inc.

Page 89
Self test
NameAlgorithm Or TestTest TypeDetailsImplementationTest PropertiesIndicatorCondition
HMAC DRBGHMAC DRBGCASTInstantiate, Reseed, Generate (per IG 10.3.A, 7)CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)HMAC-SHA-1KATThe Module State changes to RunningInitialisation
KDF ANS 9.42KDF ANS 9.42CASTDeriveSHA-1KATThe Module State changes to RunningInitialisationCryptoComply 140-
KDF ANS 9.63KDF ANS 9.63CASTDeriveCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)SHA-256KATThe Module State changes to RunningInitialisation
KDF SSHKDF SSHCASTDeriveSHA-1KATThe Module State changes to RunningInitialisationCryptoComply 140-
TLS v1.2 KDF RFC7627TLS v1.2 KDF RFC7627CASTDeriveCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)HMAC-SHA-256KATThe Module State changes to RunningInitialisation
TLS v1.3 KDFTLS v1.3 KDFCASTDeriveSHA-256KATThe Module State changes to RunningInitialisationCryptoComply 140-
DSA SigVer (FIPS186-4)DSA SigVer (FIPS186-4)CASTVerifyCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)2048, SHA-256KATThe Module State changes to RunningInitialisation
ECDSA SigGen (FIPS186-4)ECDSA SigGen (FIPS186-4)CASTSignP-224, SHA-512KATThe Module State changes to RunningInitialisationCryptoComply 140-

CryptoComply 140SigGen Document Version 1.1a © SafeLogic Inc.

Page 90
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTest PropertiesIndicatorCondition
ECDSA SigGen (FIPS186-4)ECDSA SigGen (FIPS186-4)CASTSignCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)K-233, SHA-512KATThe Module State changes to RunningInitialisation
BrainpoolCASTSignbrainpoolP224r1, SHA-512KATThe Module State changes to RunningInitialisationBrainpoolCryptoComply 140-
curves forcurves for3 FIPS Provider
ECDSAECDSA(CAVP Cert. #A4593
signaturessignaturesand Cert. #A5173)
ECDSA SigVer (FIPS186-4)ECDSA SigVer (FIPS186-4)CASTVerifyCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)P-224, SHA-512KATThe Module State changes to RunningInitialisation
ECDSA SigVer (FIPS186-4)ECDSA SigVer (FIPS186-4)CASTVerifyK-233, SHA-512KATThe Module State changes to RunningInitialisationCryptoComply 140-
Brainpool curves for ECDSA signaturesBrainpool curves for ECDSA signaturesCASTVerifyCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)brainpoolP224r1, SHA-512KATThe Module State changes to RunningInitialisation
EDDSA sigGenEDDSA sigGenCASTSignEd25519KATThe Module State changes to RunningInitialisationCryptoComply 140-
EDDSA sigGenEDDSA sigGenCASTSignCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)Ed448KATThe Module State changes to RunningInitialisation
EDDSA sigVerEDDSA sigVerCASTVerifyEd25519KATThe Module State changes to RunningInitialisationCryptoComply 140-
EDDSA sigVerEDDSA sigVerThe Module State changes to RunningVerifyInitialisationEd448CASTCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)KAT
HMAC- SHA2-256HMAC- SHA2-256The Module State changes to RunningVerifyHMAC-SHA-2562CASTInitialisation,CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)KAT
KAS-ECC- SSC Sp800- 56Ar3KAS-ECC- SSC Sp800- 56Ar3The Module State changes to RunningVerify computation of shared secret Z in Ephemeral Unified scheme3InitialisationP-256CASTCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)KAT
KAS-FFC-SSC Sp800- 56Ar3KAS-FFC-SSC Sp800- 56Ar3The Module State changes to RunningInitialisationFB (2048, 224)CASTVerifyCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)KAT
KAS-IFC-SSCKAS-IFC-SSCThe Module State changes to RunningRSA Primitive Computation5Initialisation2048-bit keyCASTCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)KAT

Document Version 1.1a © SafeLogic Inc.

Page 91

Sp80056Ar3 before preoperational KAS-ECCSSC Sp80056Ar3 HMACSHA2-256 Also serves as a self-test for SHA-256 and covers the self-test requirement for SHA-224 Per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3. Also covers the self-test requirement for EC Diffie-Hellman with non-NIST recommended curves. Per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3 Per Scenario 1 of IG D.F and Section 8.2.2 in SP 800-56Br2 Document Version 1.1a © SafeLogic Inc.

Page 92

SP80056Cr2 SP80056Cr26 KDF SP800108 KTS-OAEPBasic7 KTS-OAEPBasic8 Per IG D.G and SP 800-56Br2 Per IG D.G and SP 800-56Br2 Per IG D.G and SP 800-56Br2 Document Version 1.1a © SafeLogic Inc.

Page 93
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditionImplementation
PBKDFPBKDFKATCASTDerivation of the Master Key (MK)10CryptoComply 140-HMAC-SHA-1KATThe Module State changes to RunningInitialisation
RSA SigGen (FIPS186-4)RSA SigGen (FIPS186-4)CASTSign2048-bit key, SHA- 256, PKCS#1KATThe Module State changes to RunningInitialisationCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)
RSA SigVer (FIPS186-4)RSA SigVer (FIPS186-4)CASTVerifyCryptoComply 140-2048-bit key, SHA- 256, PKCS#1KATThe Module State changes to RunningInitialisation
SHA3-256SHA3-256CASTHashSHA3-25611KATThe Module State changes to RunningInitialisationCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)
SHA-1SHA-1CASTHashCryptoComply 140-SHA-1KATThe Module State changes to RunningInitialisation
SHA2-512SHA2-512CASTHashSHA-51212KATThe Module State changes to RunningInitialisationCryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)
TDES-CBCTDES-CBCCASTDecryptCryptoComply 140-CBC mode, 3-keyKATThe Module State changes to RunningInitialisation

Per Section 5.3 of SP 800-132 Also serves as a self-test for KMAC and SHAKE since it utilizes the same Keccak-p permutation Also covers the self-test requirements for SHA-384, SHA-512/224, and SHA-512/256. SHA-256 is tested by the HMAC-SHA-256 self-test. Document Version 1.1a © SafeLogic Inc.

Page 94
Self test
NameAlgorithm Or TestTest TypeDetailsImplementationTest PropertiesIndicatorCondition
DSA KeyGen (FIPS186-4), Safe Primes Key Generation, Safe Primes Key VerificationDSA KeyGen (FIPS186-4), Safe Primes Key Generation, Safe Primes Key VerificationPCTSign/Verify for Key Agreement13CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)All supported parameters for KAS-FFCPCTReturn value for the relevant API call (i.e. for key pair generation or key pair import): 1 for success, 0 for failureKey Pair Generation, Key Pair Import
ECDSA KeyGen (FIPS186-4)ECDSA KeyGen (FIPS186-4)PCTSign/Verify for Digital Signatures14All supported curvesPCTKey Pair GenerationCryptoComply 140-Return value for the
3 FIPS Provider3 FIPS Providerrelevant API call (i.e. for
(CAVP Cert. #A4593(CAVP Cert. #A4593key pair generation): 1 for
and Cert. #A5173)and Cert. #A5173)success, 0 for failure
ECDSA KeyGen (FIPS186-4)ECDSA KeyGen (FIPS186-4)PCTSign/Verify for Key Agreement15CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)All supported curvesPCTReturn value for the relevant API call (i.e. for key pair import): 1 for success, 0 for failureKey Pair Import
EDDSA keyGenEDDSA keyGenPCTSign/Verify for Digital Signatures16CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)All supported curves (Ed25519, Ed448)PCTKey Pair Generation, Key Pair ImportReturn value for the

Per VE10.35.03 Per VE10.35.02. At the time of key pair generation, the keys’ intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. Per VE10.35.03. At the time of key pair import, the keys’ intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. Per VE10.35.02. EdDSA keys can only be used for digital signatures. Document Version 1.1a © SafeLogic Inc.

Page 95
Self test
NameAlgorithm Or TestTest TypeDetailsImplementationTest PropertiesIndicatorCondition
RSA KeyGen (FIPS186-4)RSA KeyGen (FIPS186-4)PCTSign/Verify for Key Agreement17CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)All supported moduliPCTReturn value for the relevant API call (i.e. for key pair generation or key pair import): 1 for success, 0 for failureKey Pair Generation, Key Pair Import
AES-XTSAES-XTSCritical FunctionTest that Key_1 ≠ Key_2 18CryptoComply 140- 3 FIPS Provider (CAVP Cert. #A4593 and Cert. #A5173)All supported sizes (128-bit, 256-bit)OtherSymmetric Encryption/ DecryptionReturn value for the

Per VE10.35.03. At the time of key pair generation or import, the keys’ intended usage is not known (key pairs may be used for key transport, digital signatures, or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. Per IG C.I Document Version 1.1a © SafeLogic Inc.

Page 96
Service
NameDescriptionRole AccessIndicatorRecovery MethodDescriptionConditions
FIPS_STATE_ERRORThe module hasThe error state isModule State (queried via Show Status) changes to Error (FIPS_STATE_ERROR)Restart the moduleRestart the
entered an errorentered an errortriggered if anymodule
state. Allstate. Allpre-operational or
cryptographiccryptographicCAST self-tests fail
APIs will returnAPIs will returnto pass (either on
an error whenan error whenpower on or when
called.called.called by operator)
Temporary ErrorThe return value for the relevant API call (i.e. for key pair generation, key pair import, or symmetric encryption/ decryption with AES- XTS) returns 0 for failureThe module will reject the tested key or key pair and then return automatically to the Running state (FIPS_STATE_ RUNNING).The module enters a temporary error state when a PCT test fails or when the AES- XTS critical function test fails. Keys that fail the tests are disabled and the module returns to the Running state.The error state is triggered if a conditional PCT test or conditional AES-XTS critical function test fails to pass.
PeriodPeriodic Method
On demand. It is recommended to run the periodic tests at least annually.On demand.Pre-Operational Periodic tests are called by power cycling the
It is recommended to run themodule, calling the Integrity Test service, or calling the Self-Test
periodic tests at leastservice (which calls the module’s integrity test and all CASTs).
annually.
Conditional Periodic tests are called by power cycling the module or
calling the Self-Test service (which calls the module’s integrity test
and all CASTs).
10.4 Error States

Table 23 - Error States Document Version 1.1a © SafeLogic Inc.

Page 97

The module supports two error states, both triggered by failures of the module’s self-tests. The module must be restarted to recover from a failure of the pre-operational or CAST self-test, but it recovers automatically from a failure in the other conditional self-tests.

10.5 Operator Initiation

Self-tests can be called on demand using the Self-Test service. This service calls the module’s integrity test and all CASTs (i.e. KATs). PCTs are not called by this service; PCTs are only called under the conditions specified in Section 10.2 - Conditional Self-Tests. The integrity test is automatically called as part of the Pre-Operational Self-Tests and can also be manually called by the Integrity Test service (or the Self-Test service). Document Version 1.1a © SafeLogic Inc.

Page 98
11 Life-Cycle Assurance
11.1 Startup Procedures

Failure to follow initialization instructions for the module (provided below) will result in the module being in a non-compliant state. The module is only provided to the end user in the form of a compiled binary file. Its source code is not provided. The module is provided to the end user by the vendor as a binary archive and an associated hash value. The end user should validate the integrity of the binary archive against the SHA-256 hash value provided with the binary archive. If the integrity value for the archive is correct, the archive should be extracted, and the binaries should be installed. The module is a FIPS-validated cryptographic provider for use by OpenSSL 3.x. OpenSSL 3.x should be installed per its documentation prior to module installation. The FIPS module may be installed using the following procedure:

  1. If the module is provided as a dynamic library: a. Copy the module binary and configuration files to the OpenSSL Provider Directory, e.g. [OPENSSL_INSTALL_LOCATION]/lib/ossl-modules/
  2. If the module is provided as a static library: a. Copy the module library archive and configuration file to the OpenSSL directory, e.g. [OPENSSL_INSTALL_LOCATION]/lib/ and [OPENSSL_INSTALL_LOCATION]/conf/
  3. If the module is provided as part of an XCFramework bundle: a. Integrate the module framework into an XCode application and install the application on an iOS device. b. Note, when provided as a XCFramework bundle (fips.xcframework), the OpenSSL framework (openssl.xcframework) should also be integrated into the application project. The OpenSSL framework is a general implementation of the OpenSSL 3.x API (common and crypto).
  4. To initialize and start up the module, use the OSSL_PROVIDER_load API call from OpenSSL. An example is specified below: int main(int argc, char **argv) { OSSL_PROVIDER *fips_provider; fips_provider = OSSL_PROVIDER_load(NULL, "fips"); if (fips_provider == NULL) { printf("Could not load FIPS provider\n"); return 1; } printf("Provider %s loaded \n", OSSL_PROVIDER_get0_name(fips_provider)); Document Version 1.1a © SafeLogic Inc.
Page 99

//Execute commands for the FIPS module if (fips_provider != NULL) OSSL_PROVIDER_unload(fips_provider); return 0; } After the module starts up, the operator should confirm that the module outputs the Approved mode status indicator (refer to Security Policy Section 2.5 - Modes of Operation) and verify the module’s version using the “Output ID/ Version Information” service (refer to Security Policy Section 4.3 Approved Services).

11.2 Administrator Guidance

Additional administrator guidance is provided separately in other operator documentation, including the User Manual.

11.3 Non-Administrator Guidance

If the module power is lost and restored, the operator shall establish a new key for use with AES-GCM encryption/decryption. Refer also to Security Policy Section 2.9.1 - AES-GCM (IG C.H conformance). Additional guidance is provided separately in other operator documentation, including the User Manual.

11.4 End of Life

The vendor documentation (User Guide) specifies the procedures for the removal of the FIPS module and secure sanitization of the device that the module was installed on. Document Version 1.1a © SafeLogic Inc.

Page 100
12 Mitigation of Other Attacks
12.1 Attack List

The module implements two types of mitigations of other attacks, which are constant-time implementations and numeric blinding. Constant-time implementations protect cryptographic implementations in the module against timing analysis. With this mitigation, variations in execution time cannot be traced back to an SSP, key, or secret data. Numeric Blinding protects RSA, DSA, and ECDSA from timing attacks, where attackers measure the time of signature operations or RSA decryption. To mitigate this attack, the module generates a random blinding factor that is provided as an input to the decryption/signature operation and is discarded once the operation has completed. With this mitigation, the execution time cannot be correlated to the RSA, DSA, or ECDSA key via a timing attack because the attacker does not know the blinding factor.

12.2 Mitigation Effectiveness

These mitigations should make the timing of the encryption, decryption, and signing operations independent of the key material or the input data. This should prevent an attacker from recovering information by measuring the timing of these operations.

12.3 Guidance and Constraints

While the module implements countermeasures to prevent timing analysis and timing attacks, other side-channel attacks may be possible. As a Level 1, software-based module, the module is limited in its ability to prevent access at the hardware level; power analysis attacks may be possible for an attacker with physical access. Users of software-based modules should be aware of these limitations and incorporate this information into their threat model. Document Version 1.1a © SafeLogic Inc.

Referenced URLs