| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/3/2026 |
| Caveat | Interim validation. When operating in the approved mode. No assurance of the minimum strength of generated SSPs |
| Vendor | Masimo Corporation |
flowchart LR
%% Deterministic review-risk graph for Masimo Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Masimo Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;Masimo Corporation Masimo Cryptographic Module Software Version: 1.0 FIPS Security Level: 1 Document Version: 0.2 Prepared for: Prepared by: Masimo Corporation Corsec Security, Inc.
Irvine, CA 92618 Fairfax, VA 22033 United States of America United States of America Phone: +1 800 326 4890 Phone: +1 703 267 6050 www.masimo.com www.corsec.com
Abstract This is a non-proprietary Cryptographic Module Security Policy for the Masimo Cryptographic Module (software version: 1.0) from Masimo Corporation (Masimo). This Security Policy describes how the Masimo Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). This document also describes how to run the module in an Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The Masimo Cryptographic Module is referred to in this document as Masimo Crypto Module or the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1 – Security Levels | 5 |
| Table 2 – Tested Operational Environments | 6 |
| Table 3 – Vendor-Affirmed Operational Environments | 6 |
| Table 4 – Approved Algorithms | 7 |
| Table 5 – Non-Approved Algorithms Allowed in the Approved Mode of Operation | 11 |
| Table 6 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation | 12 |
| Table 7 – Ports and Interfaces | 16 |
| Table 8 – Roles, Service Commands, Input and Output | 17 |
| Table 9 – Approved Services | 19 |
| Table 10 – Non-Approved Services | 20 |
| Table 11 – SSPs | 26 |
| Table 12 – Acronyms and Abbreviations | 39 |
| Figure 1 – Hardware Block Diagram (Root) | 13 |
| Figure 2 – Hardware Block Diagram (Radical-7) | 14 |
| Figure 3 – Module Block Diagram (with Cryptographic Boundary) | 15 |
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A
The module has an overall security level of 1. API
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
2. Cryptographic Module Specification The Masimo Cryptographic Module v1.0 is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment.
The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in Table 2. Table 2
1 Custom Linux OS with Linux Masimo Radical-7 ARM Cortex-A8 (ARMv7-A) Without PAA
2 Custom Linux OS with Linux Masimo Root ARM Cortex-A8 (ARMv7-A) Without PAA
kernel 4.9.43 The vendor affirms the module’s continued validation compliance when operating on the environments listed in Table 3. Table 3
1 Red Hat Enterprise Linux 8 Masimo Patient SafetyNet
3 Windows 10 Pro on VMware Workstation 15.x Masimo Patient SafetyNet View Station
8 Custom Linux OS using Yocto standard Masimo iSirona Connectivity Hub
9 Android 6.0.1 Masimo Uniview Media Hub
10 Android 7.0 Masimo Uniview 60 Tablet
11 Android 12.0 Masimo Zebra TC51-HC Phone
12 Custom Linux OS with Linux kernel 4.14.78 Masimo Radical-7 w/ ARM Cortex-A9 (ARMv7-A)
13 Custom Linux OS with Linux kernel 4.14.78 Masimo Root w/ ARM Cortex-A9 (ARMv7-A)
The cryptographic module maintains compliance when operating on a general-purpose computer (GPC) with any of the following supported bare metal and virtual environments: Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Validation certificates for each Approved security function are listed in Table 4. Note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any Approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in Table 4 are used by an Approved service of the module. Table 4
CMAC
XEX
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths A3595 AES KW16, KWP17 128, 192, 256 Encryption/decryption NIST SP 800-38F A3595 CVL18 TLS v1.2 KDF RCF7627 - Key derivation RFC19 7627 No part of the TLS v1.2 protocol, other than the KDF, has been tested by the CAVP and CMVP. A3596 CVL TLS v1.3 KDF - Key derivation RFC 8446 No part of the TLS v1.3 protocol, other than the KDF, has been tested by the CAVP and CMVP. A3595 DRBG20 Counter-based AES-128, AES-192, AES-256 Deterministic random bit NIST SP 800-90Arev1 generation A3595 DSA21 - 2048/224, 2048/256, Domain parameter generation FIPS PUB 186-4 3072/256 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) - 1024/160, 2048/224, Domain parameter verification 2048/256, 3072/256 (SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) - 2048/224, 2048/256, Key pair generation 3072/256 - 2048/224, 2048/256, Digital signature generation 3072/256 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) - 1024/160, 2048/224, Digital signature verification 2048/256, 3072/256 (SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3595 ECDSA22 Secrets generation mode: B-233, B-283, B-409, B-571, Key pair generation FIPS PUB 186-4 Testing candidates K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - B-163, B-233, B-283, B-409, Public key validation B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 KW
DSA
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths - B-233, B-283, B-409, B-571, Digital signature generation K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) - B-163, B-233, B-283, B-409, Digital signature verification B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3595 HMAC SHA-1, SHA2-224, SHA2- - Message authentication FIPS PUB 198-1 256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 A3595 KAS23 KAS-ECC-SSC with KDFs B-233, B-283, B-409, B-571, Key agreement A3596 NIST SP 800-56Arev3 (TLS 1.2 RFC7627, TLS 1.3) K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 SSP establishment methodology provides between 112 and 256 bits of encryption strength. KAS-FFC-SSC with KDFs FB, FC Key agreement (TLS 1.2 RFC7627, TLS 1.3) SSP establishment methodology provides
A3595 KAS-ECC-SSC24 ephemeralUnified B-233, B-283, B-409, B-571, Shared secret computation25 NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 A3595 KAS-FFC-SSC26 dhEphem FB, FC Shared secret computation27 NIST SP 800-56Arev3 A3595 KTS AES-CCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38C encryption)28 SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES-GCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38D encryption)29 SSP establishment methodology provides between 128 and 256 bits of encryption strength KAS
24 KAS-ECC-SSC
25 Key agreement method complies with FIPS 140-3 Implementation Guidance D.F, scenario 2(1).
26 KAS-FFC-SSC
27 Key agreement method complies with FIPS 140-3 Implementation Guidance D.F, scenario 2(1).
Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is an Approved key transport technique.
29 Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is an Approved key transport technique.
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths A3595 KTS30 AES key wrap 128, 192, 256 Key wrap/unwrap NIST SP 800-38F SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES with CMAC 128, 192, 256 Key wrap/unwrap (encryption with FIPS PUB 197 message authentication)31 NIST SP 800-38B SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES with GMAC 128, 192, 256 Key wrap/unwrap (encryption with FIPS PUB 197 message authentication)32 NIST SP 800-38D SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES-CBC with HMAC 128, 192, 256 Key wrap/unwrap (encryption with FIPS PUB 197 message authentication)33 FIPS PUB 198-1 SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS Triple-DES with CMAC 112 (KO2), 168 (KO1) Key unwrap (encryption with NIST SP 800-67rev2 message authentication)34 NIST SP 800-38B A3595 KTS Triple-DES with HMAC 112 (KO2), 168 (KO1) Key unwrap (encryption with NIST SP 800-67rev2 message authentication)35 FIPS PUB 198-1 SSP establishment methodology provides
A3595 PBKDF236 Section 5.4, option 1a SHA-1, SHA2-224, SHA2- Password-based key derivation NIST SP 800-132 256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 A3595 RSA Key generation mode: 2048, 3072, 4096 Key pair generation FIPS PUB 186-4 B.3.3 ANSI37 X9.31 2048, 3072, 4096 (SHA2- Digital signature generation 256, SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-256, SHA2384, SHA2-512)
Per FIPS 140-3 Implementation Guidance D.G, AES with CMAC is an Approved key transport technique.
32 Per FIPS 140-3 Implementation Guidance D.G, AES with GMAC is an Approved key transport technique.
33 Per FIPS 140-3 Implementation Guidance D.G, AES with HMAC is an Approved key transport technique.
34 Per FIPS 140-3 Implementation Guidance D.G, Triple-DES with CMAC is an Approved key transport technique.
35 Per FIPS 140-3 Implementation Guidance D.G, Triple-DES with HMAC is an Approved key transport technique.
PBKDF2
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths PKCS#1 v1.5 2048, 3072, 4096 (SHA2- Digital signature generation 224, SHA2-256, SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS38 2048, 3072, 4096 (SHA2- Digital signature generation 224, SHA2-256, SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A3595 SHA-3 SHA3-224, SHA3-256, - Message digest FIPS PUB 202 SHA3-384, SHA3-512 A3595 SHAKE39 SHAKE-128, SHAKE-256 - Message digest FIPS PUB 202 A3595 SHS40 SHA-1, SHA2-224, SHA2- - Message digest FIPS PUB 180-4 256, SHA2-384, SHA2-512 A3595 Triple-DES CBC, CFB1, CFB8, CFB64, 168 (KO1) Decryption NIST SP 800-67rev2 ECB, OFB NIST SP 800-38A A3595 Triple-DES CMAC 112 (KO2), 168 (KO1) MAC verification NIST SP 800-67rev2 NIST SP 800-38B The module implements the non-Approved but allowed algorithms shown in Table 5 below. Table 5
SHAKE
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Table 6
EdDSA
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Algorithm / Function Use / Function SHA-1 (non-compliant) Signature generation for TLS 1.0/1.1 SM2, SM3, SM3 Message digest SM4 Encryption/decryption Triple-DES (non-compliant) Encryption; MAC generation; key wrapping Whirlpool Message digest
As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 and Figure 2 below provide hardware block diagrams of the host devices used for testing and illustrate the module’s physical perimeter. Radio RAM Board Ethernet Serial Instrument Audio SoC w/ ARM Board I/O Processing Core USB SD Card Touch Controller Board Module Interface Touch LCD (Radical-7 Power Screen Panel Board) Interface External Power Supply KEY: BIOS
RAM Radio Board Serial SoC w/ ARM Processing Core Instrument Board I/O Audio Touch Controller SD Card Board Touch LCD Power Screen Panel Interface External Power Supply KEY: BIOS
libssl libssl.hmac Calling Application libcrypto libcrypto.hmac KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output CPU Memory Storage Ports Status Output System Calls Host Device Figure 3
The module supports two modes of operation: Approved and non-Approved. The module will be in its Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked. Table 4 and Table 5 list the Approved and allowed algorithms; Table 9 provides descriptions of the Approved services. The module alternates on a service-by-service basis between Approved and non-Approved modes of operation. The module will switch to the non-Approved mode upon execution of a non-Approved service. The module will switch back to the Approved mode upon execution of an Approved service. Table 6 lists the non-Approved algorithms implemented by the module; Table 10 below lists the services that constitute the non-Approved mode. When following the guidance in this document, CSPs are not shared between Approved and non-Approved services and modes of operation. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.
The module supports two roles that authorized operators can assume:
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Role Service Input Output User Verify digital signature API call parameters, key, Status signature, message User Perform key wrap API call parameters, encryption Status, encrypted key key, key User Perform key un-encapsulation API call parameters, decryption Status, decrypted key key, key User Compute shared secret API call parameters Status, shared secret User Derive keys via TLS KDF API call parameters, TLS pre- Status, TLS keys master secret User Perform key agreement functions API call parameters Status, symmetric key User Derive key via PBKDF2 API call parameters, passphrase Status, symmetric key
The module does not support authentication methods; operators implicitly assume an authorized role based on the service selected.
Descriptions of the approved services available to the authorized roles are provided in Table 9 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided by the module are considered the module’s security services. Indicators for Approved services (in the case of this module, those security functions with algorithm validation certificates and all required self-tests) are provided via API return value. When invoking a security function, the calling application provides inputs via an internal structure, or “context”. Upon each service invocation, the module will determine if the invoked security function is an Approved service. To access the resulting value, the calling application must pass the finalized context to the indicator API associated with that security function (note the indicator check must be performed prior to any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix A below. The keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:
Table 9
Service Description Approved Security Function(s) Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Perform key Perform key AES (Cert. A3595) AES key User AES key
Service Description Algorithm(s) Accessed Role Indicator Perform data encryption Perform symmetric data ARIA, Blake2, Blowfish, User API return value (non-compliant) encryption Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4, TripleDES (non-compliant) Perform data decryption Perform symmetric data ARIA, Blake2, Blowfish, User API return value (non-compliant) decryption Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4 Perform MAC operations Perform message Poly1305, Triple-DES/CMAC User API return value (non-compliant) authentication operations (non-compliant for MAC generation) Perform hash operation (non- Perform hash operation MD2, MD4, MD5, RIPEMD, User API return value compliant) RMD160, SM2, SM3, SM4, Whirlpool Perform digital signature Perform digital signature DSA (non-compliant), ECDSA User API return value functions (non-compliant) functions (non-compliant), RSA (noncompliant) Perform key agreement Perform key agreement DH (non-compliant), ECDH User API return value functions (non-compliant) functions (non-compliant) Perform key wrap (non- Perform key wrap functions Triple-DES/CMAC (non- User API return value compliant) compliant) Perform key encapsulation Perform key encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key un-encapsulation Perform key un-encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key derivation Perform key derivation HKDF (non-compliant), KBKDF User API return value functions (non-compliant) functions (non-compliant), TLS v1.0/1.1 KDF (non-compliant) Perform authenticated Perform authenticated AES-OCB User API return value encryption/decryption (non- encryption/decryption compliant) Perform random number Perform random number ANSI X9.31 RNG (with 128-bit User API return value generation (non-compliant) generation AES core), Hash_DRBG (noncompliant), HMAC_DRBG (non-compliant) Perform key pair generation Perform key pair generation DSA (non-compliant), ECDSA User API return value (non-compliant) (non-compliant), EdDSA, RSA (non-compliant) Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
5. Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file; failure of the integrity test for either library file will cause the module to enter a critical error state. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. The Masimo Cryptographic Module is not delivered to end-users as a standalone offering. Rather, it is a pre-built component integrated into Masimo’s application software. Masimo does not provide end-users with any mechanisms to directly access the module, its source code, its APIs, or any information sent to/from the module. Thus, end-users have no ability to independently load the module onto target platforms. No configuration steps are required to be performed by end-users, and no end-user action is required to initialize the module for operation. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
6. Operational Environment The Masimo Cryptographic Module comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environment provides the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
7. Physical Security This section is not applicable. Per section 7.7.1 of ISO/IEC 19790:2021, the requirements of this section are “applicable to hardware and firmware modules, and hardware and firmware components of hybrid modules”. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
9. Sensitive Security Parameter Management
The module supports the keys and other SSPs listed Table 11. Note that all SSP import and export is electronic and is performed within the Tested OE’s Physical Perimeter (TOEPP). Table 11
Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys DSA private 112 or 128 bits DSA Generated Imported in - Not Reboot or power- Digital key (Cert. A3595) internally via plaintext via API persistently cycle the host signature (CSP) approved parameter stored by the device generation DRBG module Exported in plaintext via API parameter DSA public key 112 or 128 bits DSA Generated Imported in - Not Reboot or power- Digital (PSP) (Cert. A3595) internally via plaintext via API persistently cycle the host signature approved parameter stored by the device verification DRBG module Exported in plaintext via API parameter ECDSA private Between 112 ECDSA Generated Imported in - Not Reboot or power- Digital key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature (CSP) approved parameter stored by the device generation DRBG module Exported in plaintext via API parameter ECDSA public Between 112 ECDSA Generated Imported in - Not Reboot or power- Digital key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature (PSP) approved parameter stored by the device verification DRBG module Exported in plaintext via API parameter RSA private Between 112 RSA Generated Imported in - Not Reboot or power- Digital key and 150 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature (CSP) approved parameter stored by the device generation KTS DRBG module (Cert. A3595) Exported in plaintext via API parameter RSA public key Between 80 RSA Generated Imported in - Not Reboot or power- Digital (PSP) and 150 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature approved parameter stored by the device verification KTS DRBG module (Cert. A3595) Exported in plaintext via API parameter DH private key 112 bits KAS-SSC-FFC Generated Imported in - Not Reboot or power- DH shared (CSP) (Cert. A3595) internally via plaintext via API persistently cycle the host secret approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter DH public key 112 bits KAS-SSC-FFC Generated Imported in - Not Reboot or power- DH shared (PSP) (Cert. _A3595) internally via plaintext via API persistently cycle the host secret approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter ECDH private Between 112 KAS-SSC-ECC Generated Imported in - Not Reboot or power- ECDH shared key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host secret (CSP) approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter ECDH public Between 112 KAS-SSC-ECC Generated Imported in - Not Reboot or power- ECDH shared key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host secret (PSP) approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter Other SSPs Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys Passphrase - PBKDF - Imported in - Not Reboot or power- Input to PBKDF (PSP) (Cert. A3595) plaintext via API persistently cycle the host for key parameter stored by the device derivation module Never exported AES GCM IV - AES (GCM mode) Generated - - Not Reboot or power- Initialization (CSP) (Cert. A3595) internally in persistently cycle the host vector for AES compliance stored by the device GCM with the module provisions of a peer-to-peer industry standard protocols TLS 1.2 pre- - KDF (TLS 1.2 - Imported in - Not Reboot or power- Input to TLS master secret RFC7627) plaintext via API persistently cycle the host 1.2 KDF for (CSP) (Cert. A3595) parameter stored by the device derivation of module secrets and Never exported keys TLS 1.2 master - KDF (TLS 1.2 - - Derived Not Reboot or power- Derivation of secret RFC7627) internally via persistently cycle the host keys used for (CSP) (Cert. A3595) TLS 1.2 KDF stored by the device securing TLS with EMS45 module 1.2 session extension traffic TLS 1.3 - KDF (TLS 1.3) - Imported in - Not Reboot or power- Input to TLS handshake (Cert. A3596) plaintext via API persistently cycle the host 1.3 KDF for secret parameter stored by the device derivation of (CSP) module secrets and Never exported keys TLS 1.3 - KDF (TLS 1.3) - - Derived Not Reboot or power- Derivation of handshake (Cert. A3596) internally via persistently cycle the host keys used for traffic secrets TLS 1.3 KDF stored by the device securing TLS (CSP) module 1.3 handshake traffic TLS 1.3 master - KDF (TLS 1.3) - - Derived Not Reboot or power- Derivation of secret (Cert. A3596) internally via persistently cycle the host TLS 1.3 (CSP) TLS 1.3 KDF stored by the device application module traffic secrets TLS 1.3 - KDF (TLS 1.3) - - Derived Not Reboot or power- Derivation of application (Cert. A3596) internally via persistently cycle the host keys used for traffic secrets TLS 1.3 KDF stored by the device securing TLS (CSP) module 1.3 session traffic DRBG entropy - DRBG - Imported in - Not Reboot or power- Entropy input (Cert. A3595) plaintext via API persistently cycle the host material for (CSP) parameter46 stored by the device DRBG module Never exported DRBG seed - DRBG Generated - - Not Reboot or power- Seeding (CSP) (Cert. A3595) internally persistently cycle the host material for using nonce stored by the device DRBG along with module DRBG entropy input DRBG ‘V’ value - DRBG Generated - - Not Reboot or power- State values (CSP) (Cert. A3595) internally persistently cycle the host for DRBG stored by the device module DRBG ‘Key’ - DRBG Generated - - Not Reboot or power- State values value (Cert. A3595) internally persistently cycle the host for DRBG (CSP) stored by the device module
The module obtains entropy input from the calling application (which is outside of the cryptographic boundary) but exercises no control over the amount or the quality of the obtained entropy. As such, there is no assurance of the minimum strength of generated keys. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
The module implements the following Approved DRBG:
There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.
Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can reboot/power-cycle the host device.
The cryptographic module’s entropy scheme follows the scenario given in FIPS 140-3 Implementation Guidance 9.3.A, section 2(b). The module invokes a GET command to obtain entropy for random number generation (the module requests 256 bits of entropy from the calling application per request), and then passively receives entropy from the calling application while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the physical perimeter of the module’s operational environment but outside its cryptographic boundary. Thus, there is no assurance of the minimum strength of the generated SSPs. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.
The module performs the following pre-operational self-test(s):
The module performs the following conditional self-tests:
Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
The module reaches the critical error state when any self-test fails. Upon test failure, the module immediately terminates the calling application’s API call with a returned error code and sets an internal flag, signaling the error condition. For any subsequent request made by the calling application for cryptographic services, the module will return a failure indicator, thereby disabling all access to its cryptographic functions, sensitive security parameters (SSPs), and data output services while the error condition persists. To recover, the module must be re-instantiated by the calling application. If the pre-operational self-tests complete successfully, then the module can resume normal operations. If the module continues to experience self-test failures after reinitializing, then the module will not be able to resume normal operations, and the CO should contact Masimo Corporation for assistance. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:
The module is an integrated component of Masimo’s product application software, module operators have no ability to independently load the module onto the target platform. The module and its calling application are to be installed on a platform specified in section 2.1 or one where portability is maintained. Masimo does not provide any mechanisms to directly access the module, its source code, its APIs, or any information sent between it and other Masimo applications.
This module is designed to support Masimo applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required for module initialization. The pre-operational integrity test and conditional CASTs are performed automatically via a default entry point (DEP) when the module is loaded for execution, without any specific action from the calling application or the end-user. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.
No startup steps are required to be performed by end-users.
There are no specific management activities required of the CO role to ensure that the module runs securely. If any irregular activity is observed, or if the module is consistently reporting errors, then Masimo Customer Support should be contacted. The following list provides additional guidance for the CO: Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
The following list provides additional policies for non-Administrators:
probability requirement, as the mechanism for IV generation is compliant with RFC 8446. The implementations of AES GCM, TLS 1.3 KDF, and all underlying algorithms, have been successfully tested for compliance with their respective specifications (see CAVP Certs. A3595 and A3596).The generated IV is only used in the context of the AES GCM encryption executing the provisions of the TLS 1.3 protocol. The module also supports internal IV generation using the module’s Approved DRBG. The IV is at least 96 bits in length per section 8.2.2 of NIST SP 800-38D. Per NIST SP 800-38D and scenario 2 of FIPS 140-3 IG C.H, the DRBG generates outputs such that the (key/IV) pair collision probability is less than 2-32. In the event that power to the module is lost and subsequently restored, the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.
12. Mitigation of Other Attacks The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. Therefore, per ISO/IEC 19790:2021 section 7.12, requirements for this section are not applicable. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Appendix A. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved service indicator value based on the parameter(s) passed to them.
//Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Appendix B. Acronyms and Abbreviations Table 12 provides definitions for the acronyms and abbreviations used in this document. Table 12
Term Definition GPC General-Purpose Computer HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OE Operational Environment OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication TLS Transport Layer Security TOEPP Tested OE’s Physical Perimeter XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Prepared by: Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com