All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Samsung CryptoCore Cryptographic Module

Certificate#4787StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSamsung Electronics Co., Ltd.
Medium review priority  ·  no TCB surface named  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/2/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys) and random strings.
VendorSamsung Electronics Co., Ltd.

Approved Algorithms (23)

AlgorithmACVP Cert
AES-CBCA4968
AES-CFB128A4968
AES-CMACA4968
AES-CTRA4968
AES-ECBA4968
AES-OFBA4968
ECDSA KeyGen (FIPS186-4)A4968
ECDSA KeyVer (FIPS186-4)A4968
ECDSA SigGen (FIPS186-4)A4968
ECDSA SigVer (FIPS186-4)A4968
HMAC DRBGA4968
HMAC-SHA2-224A4968
HMAC-SHA2-256A4968
HMAC-SHA2-384A4968
HMAC-SHA2-512A4968
KAS-ECC CDH-Component SP800-56Ar3 (CVL)A4968
RSA SigGen (FIPS186-4)A4968
RSA SigVer (FIPS186-4)A4968
SHA2-224A4968
SHA2-256A4968
SHA2-384A4968
SHA2-512A4968
RSA KeyGen (FIPS186-4)A4968

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Samsung CryptoCore Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES encryption<br/>AES decryption<br/>Cryptographic algorithm self- test and integrity…</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Samsung CryptoCore Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES encryption<br/>AES decryption<br/>Cryptographic algorithm self- test and integrity…</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Samsung Electronics Co., Ltd. Samsung CryptoCore Cryptographic Module Document Version 0.1.17 Last Update: 17-07-2024 ©2024 Samsung Electronics Co., Ltd.

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels5
2Cryptographic Module Specification5
2.1Description5
2.2Tested and Vendor Affirmed Module Version and Identification6
2.3Excluded Components7
2.4Modes of Operation7
2.5Algorithms7
2.6Security Function Implementations9
2.7Algorithm Specific Information10
2.8RBG and Entropy11
2.9Key Generation11
2.10Key Establishment11
2.11Industry Protocols11
3Cryptographic Module Interfaces12
3.1Ports and Interfaces12
4Roles, Services, and Authentication12
4.1Authentication Methods12
4.2Roles12
4.3Approved Services13
4.4Non-Approved Services19
4.5External Software/Firmware Loaded19
5Software/Firmware Security19
5.1Integrity Techniques19
5.2Initiate on Demand19
6Operational Environment19
6.1Operational Environment Type and Requirements19
7Physical Security19
8Non-Invasive Security20
9Sensitive Security Parameters Management20
9.1Storage Areas20
9.2SSP Input-Output Methods20
9.3SSP Zeroization Methods20
9.4SSPs22
9.5Transitions26
10Self-Tests26
10.1Pre-Operational Self-Tests26
10.2Conditional Self-Tests26
10.3Periodic Self-Test Information31
10.4Error States32
11Life-Cycle Assurance32
11.1Installation, Initialization, and Startup Procedures32
11.2Administrator Guidance33
11.3Non-Administrator Guidance33
11.4Design and Rules33
12Mitigation of Other Attacks33
Page 3

©2024 Samsung Electronics Co., Ltd.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)6
Table 3: Tested Operational Environments - Software, Firmware, Hybrid7
Table 4: Modes List and Description7
Table 5: Approved Algorithms8
Table 6: Vendor-Affirmed Algorithms9
Table 7: Security Function Implementations10
Table 8: Ports and Interfaces12
Table 9: Roles12
Table 10: Approved Services18
Table 11: Storage Areas20
Table 12: SSP Input-Output Methods20
Table 13: SSP Zeroization Methods21
Table 14: SSP Table 123
Table 15: SSP Table 225
Table 16: Pre-Operational Self-Tests26
Table 17: Conditional Self-Tests30
Table 18: Pre-Operational Periodic Information31
Table 19: Conditional Periodic Information32
Table 20: Error States32
Figure 1: Block Diagram6
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the Samsung CryptoCore Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module.

1.2 Security Levels
2.1 Description

Purpose and Use: The module provides cryptographic services to applications through an application program interface (API). The module also interacts with the operating system via system calls. Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is a single object file named cryptocore.0.2.9.FIPS.1.o, which is statically linked into the position-independent code ©2024 Samsung Electronics Co., Ltd.

Page 6
Module configuration
NameFirmware VersionPackageIntegrity Test
cryptocore.0.2.9.FIPS.1.o0.2.9.FIPS.1cryptocore.0.2.9.FIPS.1.oHMAC-SHA2-256

libcryptocore.so.0.1.0 shared library. There are no excluded components inside the cryptographic boundary. The module is intended only for single-threaded execution per process. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is a Samsung Smart TV Q70B with Tizen 7.0. The module is located in the volatile memory controlled by OS Tizen 7.0 installed on hardware platform Samsung Smart TV Q70B. Physical Perimeter Operating System Tizen libc API invocation libcryptocore.so.0.1.0 Cryptographic boundary Cryptographic Functions API invocation Self-Test Application Figure 1: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 7
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa Pai
Tizen 7.0Tizen 7.0Samsung Smart TV Q70B0.2.9.FIPS.1Pontus-MNo
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4968Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A4968Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA4968Direction - Generation, Verification Key Length - 128SP 800-38B
AES-CTRA4968Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4968Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-OFBA4968Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
ECDSA KeyGen (FIPS186-4)A4968Curve - P-224, P-256, P-384, P- 521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A4968Curve - P-192, P-224, P-256, P- 384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A4968Curve - P-224, P-256, P-384, P- 521FIPS 186-4
ECDSA SigVer (FIPS186-4)A4968Curve - P-192, P-224, P-256, P- 384, P-521FIPS 186-4
HMAC DRBGA4968Prediction Resistance - No Mode - SHA2-256, SHA2-512SP 800-90A Rev. 1
HMAC-SHA2-224A4968Key Length - Key Length: 112, 504, 512, 520, 2048FIPS 198-1
HMAC-SHA2-256A4968Key Length - Key Length: 112, 504, 512, 520, 2048FIPS 198-1
HMAC-SHA2-384A4968Key Length - Key Length: 112, 504, 1024, 1032, 2048FIPS 198-1
HMAC-SHA2-512A4968Key Length - Key Length: 112, 504, 1024, 1032, 2048FIPS 198-1
KAS-ECC CDH-Component SP800-56Ar3 (CVL)A4968SP 800-56A Rev. 3
RSA SigGen (FIPS186-4)A4968Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-4)A4968Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096FIPS 186-4
SHA2-224A4968FIPS 180-4
SHA2-256A4968FIPS 180-4
SHA2-384A4968FIPS 180-4
SHA2-512A4968FIPS 180-4
RSA KeyGen (FIPS186-4)A4968Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4

Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components excluded from the security requirements. Modes List and Description: Table 4: Modes List and Description

2.5 Algorithms

Approved Algorithms: ©2024 Samsung Electronics Co., Ltd.

Page 8
Service
NameProperties
CKG: RSAType:Asymmetric RSA Modulo:2048, 3072, 4096Samsung CryptoCore Cryptographic ModuleSection B.3.3 of FIPS 186-4 and Sections 4 / 5.1 of SP 800-133r2 (V is all zeroes)
CKG: ECCType:Asymmetric ECC / ECDSASamsung CryptoCore Cryptographic ModuleSection B.4.2 of FIPS 186-4 respectively Section 5.6.1.2.2 of SP

Table 5: Approved Algorithms Vendor-Affirmed Algorithms: ©2024 Samsung Electronics Co., Ltd.

Page 9
Service
NameDescriptionApproved FunctionsType
Curve:P-224, P-256, P-384, P-521800-56Ar3 and Sections 4, 5.1, and 5.2 of SP 800-133r2 (V is all zeroes)
AES encryptionAES encryptionAES-CBC AES-CFB128 AES-CTR AES-ECB AES-OFBBC-UnAuth
AES decryptionAES decryptionAES-CBC AES-CFB128 AES-CTR AES-ECB AES-OFBBC-UnAuth
HMAC generationHMAC generationHMAC-SHA2- 224 SHA2-224 HMAC-SHA2- 256 SHA2-256 HMAC-SHA2- 384 SHA2-384 HMAC-SHA2- 512 SHA2-512MACTruncation:Not supported
CMAC generationCMAC generationAES-CMAC AES-ECBMACTruncation:Not supported
Hash generationHash generationSHA2-224 SHA2-256 SHA2-384 SHA2-512SHA
Service
NameDescriptionApproved FunctionsType
Curve:P-224, P-256, P-384, P-521800-56Ar3 and Sections 4, 5.1, and 5.2 of SP 800-133r2 (V is all zeroes)
AES encryptionAES encryptionAES-CBC AES-CFB128 AES-CTR AES-ECB AES-OFBBC-UnAuth
AES decryptionAES decryptionAES-CBC AES-CFB128 AES-CTR AES-ECB AES-OFBBC-UnAuth
HMAC generationHMAC generationHMAC-SHA2- 224 SHA2-224 HMAC-SHA2- 256 SHA2-256 HMAC-SHA2- 384 SHA2-384 HMAC-SHA2- 512 SHA2-512MACTruncation:Not supported
CMAC generationCMAC generationAES-CMAC AES-ECBMACTruncation:Not supported
Hash generationHash generationSHA2-224 SHA2-256 SHA2-384 SHA2-512SHA
RSA key pair generationRSA key pair generationRSA KeyGen (FIPS186-4) CKG: RSAAsymKeyPair- KeyGen
RSA signature generationRSA signature generationRSA SigGen (FIPS186-4) SHA2-224 SHA2-256 SHA2-384 SHA2-512DigSig-SigGen
RSA signature verificationRSA signature verificationRSA SigVer (FIPS186-4) SHA2-224 SHA2-256 SHA2-384 SHA2-512DigSig-SigVer
ECC key generationECDSA and ECC key generationECDSA KeyGen (FIPS186-4) CKG: RSAAsymKeyPair- KeyGen
ECDSA signature generationECDSA signature generationECDSA SigGen (FIPS186-4) SHA2-224 SHA2-256 SHA2-384 SHA2-512DigSig-SigGen
ECDSA signature verificationECDSA signature verificationECDSA SigVer (FIPS186-4) SHA2-224 SHA2-256 SHA2-384 SHA2-512DigSig-SigVer
ECDSA public key validationECDSA public key validationECDSA KeyVer (FIPS186-4)AsymKeyPair- PubKeyVal
DRBGRandom number generationHMAC DRBG HMAC-SHA2- 256 SHA2-256 HMAC-SHA2- 512 SHA2-512DRBG
Shared secret computationECC CDH primitiveKAS-ECC CDH- Component SP800-56Ar3KAS-SSCEncryption strength:Between 112 and 256 bits

Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.

2.6 Security Function Implementations

HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 ©2024 Samsung Electronics Co., Ltd.

Page 10

AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairPubKeyVal HMAC-SHA2256 HMAC-SHA2512 Table 7: Security Function Implementations

2.7 Algorithm Specific Information

©2024 Samsung Electronics Co., Ltd.

Page 11

AES CTR: the externally loaded counters of AES CTR shall have the property defined in [SP800-38A], 6.5 The Counter Mode.

2.8 RBG and Entropy

N/A for this module. N/A for this module. The module passively receives the entropy for seeding/reseeding DRBG while exercising no control over the amount or the quality of the obtained entropy. The random string for seeding/reseeding must supply at least 112 bits of entropy to provide the minimum acceptable security strength that is 112 bits according to [SP800-57pt1r5]. The module employs a SP800-90Ar1 HMAC_DRBG as Random Number Generation service. For DRBG Instantiation to create a seed the module requires a random string of 48 bytes (384 bits) size: 32 bytes (256 bits) for "entropy input" and 16 bytes (128 bits) for "nonce". For periodic DRBG Reseeding to create a reseed the module requires a random string of 64 bytes (512 bits) size: 32 bytes (256 bits) for "entropy input" and 32 bytes (256 bits) for "additional input". For explicit DRBG Reseeding to create a reseed the module requires a random string of 32 bytes (256 bits) size: 32 bytes (256 bits) for "entropy input". The output of the module implemented DRBG is used to generate random bits for

2.9 Key Generation

For generating RSA, ECC key pairs, the module implements Asymmetric Key Generation services compliant with FIPS 186-4. The random value used in asymmetric key generation is obtained using Random Number Generation service of the module. In accordance with FIPS 140-3 IG D.H, the module performs Cryptographic Key Generation (CKG) for asymmetric keys as per sections 5.1, 5.2 SP800-133r2 (vendor affirmed) by obtaining a random bit string as per section 4 SP800-133r2 directly from a DRBG without any V, as described in Additional Comments 2 in FIPS 140-3 IG D.H.

2.10 Key Establishment
2.11 Industry Protocols

N/A ©2024 Samsung Electronics Co., Ltd.

Page 12
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI input parameters
N/AN/AData OutputAPI output parameters
N/AN/AControl InputAPI function calls
N/AN/AStatus OutputAPI return codes, log messages
Service
NameRole AccessType
Crypto OfficerCORoleNone
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 8: Ports and Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The logical interfaces are the application program interface (API) through which applications request services. The control output interface is omitted on purpose because the module does not implement it.

4 Roles, Services, and Authentication

N/A for this module. The module does not support user authentication.

4.2 Roles

Table 9: Roles The Crypto Officer role is implicitly assumed by the entity accessing the module services. ©2024 Samsung Electronics Co., Ltd.

Page 13
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Symmetric encryptionEncrypt a plaintextCrypto Officer - AES keys: R,EAES encryptionThe successful completion of a service is an implicit indicator for the use of an approved serviceKey, plain text, mode, padding method, initialization vectorCipher text
Symmetric decryptionDecrypt a cipher textCrypto Officer - AES keys: R,EAES decryptionThe successful completion of a service is an implicit indicator for the use of an approved serviceKey, cipher text, mode, padding, initialization vectorPlain text
Asymmetric key generationGenerate asymmetric RSA and ECC key pairCrypto Officer - RSA private key: G,R,W - RSA public key: G,W - ECDSA private key: G,W - ECDSA public key: G,W - ECC CDH private key: G,W - ECC CDH public key: G,W - Intermediate key generationRSA key pair generation ECC key generationThe successful completion of a service is an implicit indicator for the use of an approved serviceRSA: padding method, modulus length, optionally fixed private key, entropy input string; ECDSA: curve, entropy input stringKey pair
Digital signature generationGenerate digital signatureCrypto Officer - RSA private key: R,E - ECDSA private key: R,ERSA signature generation ECDSA signature generationThe successful completion of a service is an implicit indicator for the use of an approved serviceRSA: private key, message, modulus, padding method; ECDSA: public key, message, curveSignature
Digital signature verificationVerify digital signatureCrypto Officer - RSA public key: R,E - ECDSA public key: R,ERSA signature generation ECDSA signature verification ECDSA public key validationThe successful completion of a service is an implicit indicator for the use of an approved serviceRSA: public key, message, signature, modulus, padding method; ECDSA: public key, message, signature, curveVerification result
Message digest generationGenerate message digestCrypto OfficerHash generationThe successful completion of a service is an implicit indicator for the use of an approved serviceMessage, algorithmMessage digest
MAC generationGenerate messageCrypto Officer - CMAC keys: R,EHMAC generationThe successful completion of a service is anMessage, algorithm, keyMAC
4.3 Approved Services

R,E G,W G,W G,W G,W ©2024 Samsung Electronics Co., Ltd. R,E

Page 14

©2024 Samsung Electronics Co., Ltd. G,E G,E R,E R,E R,E

Page 15
Sensitive security parameter
NameDescriptionGenerationUseInputOutputAccess
Random number generationGenerate random numberDRBGThe successful completion of a service is an implicit indicator for the use of an approved serviceEntropy input string, Personalization string, additional inputRandom bitsCrypto Officer - Entropy input string: R - DRBG V: G,E - DRBG Key: G,E - Entropy buffer: E
Shared secret computationCompute shared secretShared secret computationThe successful completion of a service is an implicit indicator for the use of an approved serviceReceived public key, private keyShared secretCrypto Officer - ECC CDH received public key: R,E - ECC CDH private key: R,E - Shared secret: G,W
Show statusShow status of the moduleNoneN/ANoneStatus informationCrypto Officer
Show module's versioning informationShow the versioning information of the moduleNoneN/ANoneModule name and versionCrypto Officer

R,E N/A N/A G,E G,E R,E R,E N/A Z ©2024 Samsung Electronics Co., Ltd.

Page 16
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Cryptographic algorithm self- test and integrity testInitiate cryptographic algorithm self-test and integrity testCrypto Officer - Entropy input string: R - DRBG V: G,E - DRBG Key: G,E - Entropy buffer: EAES decryption HMAC generation CMAC generation Hash generation RSA signature generation RSA signature verification ECDSAThe successful completion of a service is an implicit indicator for the use of an approved serviceEntropy input stringStatus information

©2024 Samsung Electronics Co., Ltd. Z Z G,E G,E

Page 17
Service
NameDescriptionRole AccessCsps AccessedIndicatorInputOutput
Module start-upRun cryptographic algorithm self-test and integrity test at the module start-upAES decryption HMAC generation CMAC generation Hash generation RSA signature generation RSA signature verification ECDSA signature generation ECDSA signature verification ECDSACrypto Officer - Entropy input string: R - DRBG V: G,E - DRBG Key: G,E - Entropy buffer: EThe successful completion of a service is an implicit indicator for the use of an approved serviceEntropy input stringStatus information

©2024 Samsung Electronics Co., Ltd. G,E G,E

Page 18

Table 10: Approved Services The approved security service indicator of the module is compliant to the example scenario 2) of [IG] 2.4.C. ©2024 Samsung Electronics Co., Ltd.

Page 19
4.4 Non-Approved Services
4.5 External Software/Firmware Loaded

The module does not support Software/Firmware loading.

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing MAC calculated on the module at runtime and the value stored in the module, which was calculated at build-time. An approved integrity technique used in the integrity test is HMAC-SHA256 algorithm implemented in the module itself. The integrity test uses a 256-bit key, which resides within the module code and is not considered a SSP. Before executing the integrity test, the module performs CAST of SHA-256 and HMAC-SHA512 algorithms.

5.2 Initiate on Demand

The integrity test can be initiated on demand by the operator by calling fips_post() API.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module runs on a commercially available general-purpose operating system. The operating system is restricted to a single operator (concurrent operators are explicitly excluded). The operational environment is non-configurable for operator, thus the module operates securely by default. The application that requests cryptographic services is the single user of the module, even when the application is serving multiple clients. The operating system provides the capability to separate the module during operation from other functions in the operational environment. Those functions do not obtain information from the module related to the CSPs and do not modify CSPs, PSPs, or the execution flow of the module other than via the interfaces provided by the module itself. The module does not spawn any processes.

7 Physical Security

The module is comprised of software only and thus does not claim any physical security. ©2024 Samsung Electronics Co., Ltd.

Page 20
Sensitive security parameter
NameTypeDescription
Volatile memoryDynamicThe OE's volatile memory (RAM) shared with the linked application, but under the module's control
Service
NameTypeFromTo
API inputPlaintextLinked application in the TOEPPVolatile memoryManualElectronic
API outputPlaintextVolatile memoryLinked application in the TOEPPManualElectronic
8 Non-Invasive Security

The module does not implement non-invasive attack mitigation techniques to protect the module’s unprotected SSPs from non-invasive attacks referenced in Annex F of FIPS 140-3.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 11: Storage Areas The module does not provide persistent storage for keys or SSPs. The module stores SP80090Ar1 DRBG state values and the Entropy buffer for at most the runtime of the module. The module uses pointers to plaintext keys/SSPs that are passed in by the calling application. The module does not store SSP beyond the lifetime of an API call or beyond the runtime of the module. Allocated memory in RAM for SSP is managed by the module.

9.2 SSP Input-Output Methods

Table 12: SSP Input-Output Methods SSPs enter the module's cryptographic boundary as cryptographic algorithm API parameters in plaintext. They are associated with memory locations and do not persist across power cycles. The module does not output intermediate key generation values. The module provides the resulting keys as output parameters of key generation service API to the calling application, but they do not cross the physical perimeter. Import and export operations of SSP are plaintext manual electronic entry for the module and user application inside OE physical perimeter (TOEPP) in terms of IG 140-3 9.5.A.

9.3 SSP Zeroization Methods

©2024 Samsung Electronics Co., Ltd.

Page 21
ZeroizationDescriptionRationaleOperator Initiation
Method
DestructorCryptoCoreContainer destructor zeroises all SSPs stored in its context structSSPs are actively overwritten with zeroes and thus not recoverableUsing destroy_CryptoCoreContainer()
IntermediateIntermediate and temporary SSPs are automatically zeroized by the module before a function returnsSSPs are actively overwritten with zeroes and thus not recoverableNo, done automatically by the module
Entropy buffer zeroizationThe module's entropy buffer SSP storing the user-provided entropy is zeroizedSSPs are actively overwritten with zeroes and thus not recoverableUsing fips_cleanup_entropy_buffer() or by unloading the module

Table 13: SSP Zeroization Methods Zeroisation of sensitive data is performed by calling destruction API function destroy_CryptoCoreContainer() by the operator. This functions overwrites the memory occupied by SSPs with “zeros” and deallocates the memory. The application that uses the module is responsible for calling the destruction function destroy_CryptoCoreContainer(). The calling application is responsible for parameters passed in and out of the module. The return of the destroy_CryptoCoreContainer() function indicates the successful completion of the zeroisation procedure. Zeroisation of entropy buffer is performed by calling the fips_cleanup_entropy_buffer() API or successful completion of the module indicates the successful completion of the zeroisation procedure, accordingly. ©2024 Samsung Electronics Co., Ltd.

Page 22
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
AES keysSymmetric AES key - CSPKeys used for AES encryption / decryption128, 192, 256 bits - 128 to 256 bitsAES encryption AES decryption
CMAC keysSymmetric AES key - CSPKeys used for CMAC generation128 bits - 128 bitsCMAC generation
HMAC keysSymmetric HMAC key - CSPKeys used for HMAC computation112 bits or longer - 112 bits or greaterHMAC generation
RSA private keyAsymmetric RSA private key - CSPRSA private key for digital signature computationsUp to 4096 bits - 112 bits or greaterRSA key pair generationRSA signature generation RSA signature verification
RSA public keyAsymmetric RSA public key - PSPRSA public key for digital signature computationsUp to 4096 bits - Less than 112 bits for module size 1024 bits, greater than 112 bits for modulus sizes of 2048 bits or longerRSA key pair generationRSA signature generation RSA signature verification
ECDSA private keyAsymmetric ECDSA private key - CSPECDSA private key for digital signature computationsUp to 521 bits - 112 bits or greaterECC key generationECDSA signature generation ECDSA signature verification
ECDSA public keyAsymmetric ECDSA public key - PSPECDSA public key for digital signature computationsUp to 521 bits - 112 bits or greaterECC key generationECDSA signature generation ECDSA
9.4 SSPs

©2024 Samsung Electronics Co., Ltd.

Page 23
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
ECC CDH received public keyAsymmetric ECC public key - PSPECC public key from other party for shared secret computationUp to 521 bits - 112 to 256 bitsShared secret computation
ECC CDH private keyAsymmetric ECC private key - CSPOwn ECC private key for shared secret computationUp to 521 bits - 112 bits or greaterECC key generationShared secret computation
ECC CDH public keyAsymmetric ECC public key - PSPOwn ECC public key for shared secret computationUp to 521 bits - 112 bits or greaterECC key generationShared secret computation
Shared secretShared secret - CSPResult of the shared secret computationUp to 521 bits - 112 bits or greaterShared secret computation
Entropy input stringEntropy input - CSPUser-provided entropy inputUp to 2048 bits - 112 bits or greater
Entropy bufferEntropy buffer - CSPModule-internal entropy buffer and its inputsUp to 2048 bits - 112 bits or greaterDRBG
DRBG VValue V of HMAC DRBG - CSPValue V of the HMAC DRBG's state256 or 512 bits - 112 bits or greaterDRBGDRBG
DRBG KeyKey of HMAC DRBG - CSPKey of the HMAC DRBG256 or 512 bits - 112 bits or greaterDRBGDRBG
Intermediate key generation valuesIntermediate key generation values - CSPIntermediate RSA and ECC key generation valuesUp to 4096 bits - 112 bits or greaterRSA key pair generation ECC key generation

Table 14: SSP Table 1 ©2024 Samsung Electronics Co., Ltd.

Page 24
Sensitive security parameter
NameStorageZeroizationInputStorage DurationRelated SSPs
AES keysVolatile memory:PlaintextDestructorAPI inputFor the lifetime of the API call
CMAC keysVolatile memory:PlaintextDestructorAPI inputFor the lifetime of the API call
HMAC keysVolatile memory:PlaintextDestructorAPI inputFor the lifetime of the API call
RSA private keyVolatile memory:PlaintextDestructorAPI input API outputFor the lifetime of the API callRSA public key:Paired With
RSA public keyVolatile memory:PlaintextDestructorAPI input API outputFor the lifetime of the API callRSA private key:Paired With
ECDSA private keyVolatile memory:PlaintextDestructorAPI input API outputFor the lifetime of the API callECDSA public key:Paired With
ECDSA public keyVolatile memory:PlaintextDestructorAPI input API outputFor the lifetime of the API callECDSA private key:Paired With
ECC CDH received public keyVolatile memory:PlaintextIntermediateAPI inputFor the lifetime of the API callECC CDH private key:Used With Shared secret:Used To Derive
ECC CDH private keyVolatile memory:PlaintextDestructorAPI input API outputFor the lifetime of the API callECC CDH received public key:Used With ECC CDH public key:Paired With Shared secret:Used To Derive
ECC CDH public keyVolatile memory:PlaintextDestructorAPI input API outputFor the lifetime of the API callECC CDH private key:Paired With
Shared secretVolatile memory:PlaintextIntermediateAPI outputFor the lifetime of the API callECC CDH received public key:Derived From ECC CDH private key:Derived From
Entropy input stringVolatile memory:PlaintextIntermediateAPI inputFor the lifetime of the API callEntropy buffer:Stored In
Entropy bufferVolatile memory:PlaintextEntropy buffer zeroizationFor the runtime of the module or until zeroizationEntropy input string:Used To Store
DRBG VVolatile memory:PlaintextDestructor IntermediateFor the runtime of the module or until zeroizationEntropy buffer:Seeded From DRBG Key:Paired With
DRBG KeyVolatile memory:PlaintextDestructor IntermediateFor the runtime of the module or until zeroizationEntropy buffer:Seeded From DRBG V:Paired With
Intermediate key generation valuesVolatile memory:PlaintextIntermediateFor the lifetime of the API callRSA private key:Used to Generate RSA public key:Used to Generate ECDSA private key:Used to Generate ECDSA public key:Used to Generate ECC CDH private key:Used to Generate ECC CDH public key:Used to Generate

©2024 Samsung Electronics Co., Ltd.

Page 25

Table 15: SSP Table 2 ©2024 Samsung Electronics Co., Ltd.

Page 26
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditions
HMAC- SHA2-256 (A4968)HMAC- SHA2-256 (A4968)See (*) below the table.SW/FW IntegrityThis test is performed after the CASTs for SHA2- 256 and HMAC- SHA2-512Key length: 256 bitsWhen the test passes, get_fips_status() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_FAIL and get_fips_status_reason() returns FIPS_STATUS_INTEGRITY_FAIL
AES-ECB (A4968)AES-ECB (A4968)KATCASTAES decryptionWhen the test passes, get_fips_status_reason() returnsKey length: 256 bitsDuring module start- up or on-
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditions
HMAC- SHA2-256 (A4968)HMAC- SHA2-256 (A4968)See (*) below the table.SW/FW IntegrityThis test is performed after the CASTs for SHA2- 256 and HMAC- SHA2-512Key length: 256 bitsWhen the test passes, get_fips_status() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_FAIL and get_fips_status_reason() returns FIPS_STATUS_INTEGRITY_FAIL
AES-ECB (A4968)AES-ECB (A4968)KATCASTAES decryptionWhen the test passes, get_fips_status_reason() returnsKey length: 256 bitsDuring module start- up or on-
FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILFIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILdemand using fips_post()
AES-CMAC (A4968)AES-CMAC (A4968)KATCASTCMAC generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILKey length: 128 bitsDuring module start- up or on- demand using fips_post()
SHA2-224 (A4968)SHA2-224 (A4968)KATCASTHash generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILN/ADuring module start- up or on- demand using fips_post()
SHA2-256 (A4968)SHA2-256 (A4968)KATCASTHash generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILN/ADuring module start- up or on- demand using fips_post()
SHA2-384 (A4968)SHA2-384 (A4968)KATCASTHash generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILN/ADuring module start- up or on- demand using fips_post()
SHA2-512 (A4968)SHA2-512 (A4968)KATCASTHash generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILN/ADuring module start- up or on- demand using fips_post()
HMAC- SHA2-512 (A4968)HMAC- SHA2-512 (A4968)KATCASTHMAC generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILKey length: 1024 bitsDuring module start- up or on- demand using fips_post()
RSA SigGen (FIPS186-4) (A4968)RSA SigGen (FIPS186-4) (A4968)KATCASTRSA digital signature generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILKey length: 2048 bits, Padding: PKCS-v1.5During module start- up or on- demand using fips_post()
RSA SigVer (FIPS186-4) (A4968)RSA SigVer (FIPS186-4) (A4968)KATCASTRSA digital signature verificationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILKey length: 2048 bits, Padding: PKCS-v1.5During module start- up or on- demand using fips_post()
ECDSA SigGen (FIPS186-4) (A4968)ECDSA SigGen (FIPS186-4) (A4968)KATCASTECDSA digital signature generationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILCurve: P- 224, Hash function: SHA2-512During module start- up or on- demand using fips_post()
ECDSA SigVer (FIPS186-4) (A4968)ECDSA SigVer (FIPS186-4) (A4968)KATCASTECDSA digital signature verificationWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILCurve: P- 224, Hash function: SHA2-512During module start- up or on- demand using fips_post()
KAS-ECC CDH- ComponentKAS-ECC CDH- ComponentKATCASTShared secret computationWhen the test passes, get_fips_status_reason() returnsCurve: P- 224During module start- up or on-
SP800- 56Ar3 (A4968)SP800- 56Ar3 (A4968)FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILdemand using fips_post()
HMAC DRBG (A4968)HMAC DRBG (A4968)KATCASTKAT of instantiation, reseeding, generate, and generate calls in one sweep according to SP 800-90Ar1, Sec. 11.3 and 7. of IG 10.3.AWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_SELFTEST_FAILMAC: HMAC- SHA2-256During module start- up or on- demand using fips_post()
HMAC DRBG (A4968)HMAC DRBG (A4968)KATCASTSame as test above, but the tested MAC variant is chosen based on the one used by the current HMAC instance. The instance state is untouchedWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_DRBG_HEALTH_FAILMAC: HMAC- SHA2-256 or HMAC- SHA2-512Every 400 generate calls of an DRBG instance
RSA (FIPS186-4) (A4968)RSA (FIPS186-4) (A4968)PCTPCTRSA signature generation and verification of a fixed 32-byte messageWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_RSA_PCT_FAILPadding: noneAfter each RSA key pair generation and key pair import
ECDSA (FIPS186-4) (A4968)ECDSA (FIPS186-4) (A4968)PCTPCTECDSA signature generation and verification of a fixed 32-byte messageWhen the test passes, get_fips_status_reason() returns FIPS_STATUS_SUCCESS, otherwise it returns FIPS_STATUS_ECDSA_PCT_FAILN/AAfter each ECDSA key pair generation
9.5 Transitions

Transition from FIPS 186-4 to FIPS 186-5 and SP 800-186 as specified in FIPS 140-3 IG C.K.

10 Self-Tests
10.1 Pre-Operational Self-Tests

HMACSHA2-256 Table 16: Pre-Operational Self-Tests (*) A MAC is calculated over the module FIPS-relevant APIs at runtime and compared to the value stored in the module, which was calculated at build-time. This MAC is calculated between designated memory addresses of the .text and .rodata sections of the object file, excluding relocatable address parts. These sections have read-only and executable attributes in terms of the ELF file. The content of these sections is formed at the module build stage. While the module is performing the Pre-Operational Self-Test, no other functions are available and all output is inhibited. Once PreOperational Self-Test is completed successfully, the module enters the Approved Mode of Operation and cryptographic services are available.

10.2 Conditional Self-Tests

©2024 Samsung Electronics Co., Ltd.

Page 27

N/A N/A N/A N/A ©2024 Samsung Electronics Co., Ltd. module startup or ondemand module startup or ondemand module startup or ondemand module startup or ondemand module startup or ondemand

Page 28

HMACSHA2-512 CDHComponent Curve: P224 module startup or ondemand module startup or ondemand module startup or ondemand module startup or ondemand module startup or ondemand ©2024 Samsung Electronics Co., Ltd.

Page 29

SP80056Ar3 HMACSHA2-256 HMACSHA2-256 N/A ©2024 Samsung Electronics Co., Ltd. module startup or ondemand

Page 30
AlgorithmTestTestTestIndicatorDetailsConditions
or TestPropertiesMethodType
and key pair import

Table 17: Conditional Self-Tests None of the keys used for the KAT are considered as SSP. ©2024 Samsung Electronics Co., Ltd.

Page 31
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2- 256 (A4968)HMAC-SHA2- 256 (A4968)See (*) below the table.SW/FW IntegrityOn DemandReloading the module or using fips_post()
AES-ECB (A4968)AES-ECB (A4968)KATCASTOn demandReloading the module or using fips_post()
AES-CMAC (A4968)AES-CMAC (A4968)KATCASTOn demandReloading the module or using fips_post()
SHA2-224 (A4968)SHA2-224 (A4968)KATCASTOn demandReloading the module or using fips_post()
SHA2-256 (A4968)SHA2-256 (A4968)KATCASTOn demandReloading the module or using the fips_post() API
SHA2-384 (A4968)SHA2-384 (A4968)KATCASTOn demandReloading the module or using fips_post()
SHA2-512 (A4968)SHA2-512 (A4968)KATCASTOn demandReloading the module or using fips_post()
HMAC-SHA2- 512 (A4968)HMAC-SHA2- 512 (A4968)KATCASTOn demandReloading the module or using fips_post()
RSA SigGen (FIPS186-4) (A4968)RSA SigGen (FIPS186-4) (A4968)KATCASTOn demandReloading the module or using fips_post()
RSA SigVer (FIPS186-4) (A4968)RSA SigVer (FIPS186-4) (A4968)KATCASTOn demandReloading the module or using fips_post()
ECDSA SigGen (FIPS186-4) (A4968)ECDSA SigGen (FIPS186-4) (A4968)KATCASTOn demandReloading the module or using fips_post()
ECDSA SigVer (FIPS186-4) (A4968)ECDSA SigVer (FIPS186-4) (A4968)KATCASTOn demandReloading the module or using fips_post()
KAS-ECC CDH- Component SP800-56Ar3 (A4968)KAS-ECC CDH- Component SP800-56Ar3 (A4968)KATCASTOn demandReloading the module or using fips_post()
HMAC DRBG (A4968)HMAC DRBG (A4968)KATCASTOn demandReloading the module or using fips_post()
HMAC DRBG (A4968)HMAC DRBG (A4968)KATCASTOn demandRepeated calls of the DRBG generate function
RSA (FIPS186- 4) (A4968)RSA (FIPS186- 4) (A4968)PCTPCTOn demandAfter RSA key pair generation and key pair import
ECDSA (FIPS186-4) (A4968)ECDSA (FIPS186-4) (A4968)PCTPCTOn demandAfter ECDSA key pair generation and key pair import
10.3 Periodic Self-Test Information

Table 18: Pre-Operational Periodic Information (*) A MAC is calculated over the module FIPS-relevant APIs at runtime and compared to the value stored in the module, which was calculated at build-time. This MAC is calculated between designated memory addresses of the .text and .rodata sections of the object file, excluding relocatable address parts. These sections have read-only and executable attributes in terms of the ELF file. The content of these sections is formed at the module build stage. ©2024 Samsung Electronics Co., Ltd.

Page 32
Service
NameDescriptionRole AccessIndicator
ErrorThe module's only error stateAny failure in context of the execution of the implemented self-tests during module start-up or the self-test serviceget_fips_status() returns FIPS_STATUS_FAILReloading the module or using fips_post()

Table 19: Conditional Periodic Information

10.4 Error States
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is built into the operational environment and delivered with a device. There is no standalone delivery of the module as a software library. The module is initialized during the loading of the module before any cryptographic functionality is available. The Tizen operating system is responsible for the initialization and loading processes of the module. The module is designed with constructor (default entry point of the ©2024 Samsung Electronics Co., Ltd.

Page 33

module) which ensures that CAST and POST are initiated automatically when the module is loaded.

11.2 Administrator Guidance

The guidance is provided in the document “Samsung CryptoCore Cryptographic Module, Software Version: 0.2.9.FIPS.1, Functional Design, Document Version 0.1.23, Last Update: 1207-2024”.

11.3 Non-Administrator Guidance

The guidance is provided in the document “Samsung CryptoCore Cryptographic Module, Software Version: 0.2.9.FIPS.1, Functional Design, Document Version 0.1.23, Last Update: 1207-2024”.

11.4 Design and Rules

The usual sequence of secure operations:

12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. ©2024 Samsung Electronics Co., Ltd.