All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Masimo Cryptographic Module

Certificate#4788StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorMasimo Corporation
Medium review priority  ·  no TCB surface named  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/3/2026
CaveatInterim validation. When operating in the approved mode. No assurance of the minimum strength of generated SSPs
VendorMasimo Corporation

Approved Algorithms (63)

AlgorithmACVP Cert
AES-CBCA3595
AES-CCMA3595
AES-CFB1A3595
AES-CFB128A3595
AES-CFB8A3595
AES-CMACA3595
AES-CTRA3595
AES-ECBA3595
AES-GCMA3595
AES-GMACA3595
AES-KWA3595
AES-KWPA3595
AES-OFBA3595
AES-XTS Testing Revision 2.0A3595
Counter DRBGA3595
DSA KeyGen (FIPS186-4)A3595
DSA PQGGen (FIPS186-4)A3595
DSA PQGVer (FIPS186-4)A3595
DSA SigGen (FIPS186-4)A3595
DSA SigVer (FIPS186-4)A3595
ECDSA KeyGen (FIPS186-4)A3595
ECDSA KeyVer (FIPS186-4)A3595
ECDSA SigGen (FIPS186-4)A3595
ECDSA SigVer (FIPS186-4)A3595
HMAC-SHA-1A3595
HMAC-SHA2-224A3595
HMAC-SHA2-256A3595
HMAC-SHA2-384A3595
HMAC-SHA2-512A3595
HMAC-SHA3-224A3595
HMAC-SHA3-256A3595
HMAC-SHA3-384A3595
HMAC-SHA3-512A3595
KAS-ECC-SSC Sp800-56Ar3A3595
KAS-FFC-SSC Sp800-56Ar3A3595
PBKDFA3595
RSA KeyGen (FIPS186-4)A3595
RSA SigGen (FIPS186-4)A3595
RSA SigGen (FIPS186-4)A3595
RSA SigGen (FIPS186-4)A3595
RSA SigVer (FIPS186-4)A3595
RSA SigVer (FIPS186-4)A3595
RSA SigVer (FIPS186-4)A3595
SHA-1A3595
SHA2-224A3595
SHA2-256A3595
SHA2-384A3595
SHA2-512A3595
SHA3-224A3595
SHA3-256A3595
SHA3-384A3595
SHA3-512A3595
SHAKE-128A3595
SHAKE-256A3595
TDES-CBCA3595
TDES-CFB1A3595
TDES-CFB64A3595
TDES-CFB8A3595
TDES-CMACA3595
TDES-ECBA3595
TDES-OFBA3595
TLS v1.2 KDF RFC7627A3595
TLS v1.3 KDFA3595

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Masimo Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Masimo Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Masimo Corporation Masimo Cryptographic Module Software Version: 1.0 FIPS Security Level: 1 Document Version: 0.2 Prepared for: Prepared by: Masimo Corporation Corsec Security, Inc.

52 Discovery 12600 Fair Lakes Circle, Suite 210

Irvine, CA 92618 Fairfax, VA 22033 United States of America United States of America Phone: +1 800 326 4890 Phone: +1 703 267 6050 www.masimo.com www.corsec.com

Page 2

Abstract This is a non-proprietary Cryptographic Module Security Policy for the Masimo Cryptographic Module (software version: 1.0) from Masimo Corporation (Masimo). This Security Policy describes how the Masimo Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). This document also describes how to run the module in an Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The Masimo Cryptographic Module is referred to in this document as Masimo Crypto Module or the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:

Page 3
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1 – Security Levels5
Table 2 – Tested Operational Environments6
Table 3 – Vendor-Affirmed Operational Environments6
Table 4 – Approved Algorithms7
Table 5 – Non-Approved Algorithms Allowed in the Approved Mode of Operation11
Table 6 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation12
Table 7 – Ports and Interfaces16
Table 8 – Roles, Service Commands, Input and Output17
Table 9 – Approved Services19
Table 10 – Non-Approved Services20
Table 11 – SSPs26
Table 12 – Acronyms and Abbreviations39
Figure 1 – Hardware Block Diagram (Root)13
Figure 2 – Hardware Block Diagram (Radical-7)14
Figure 3 – Module Block Diagram (with Cryptographic Boundary)15
Page 5
  1. General Masimo Corporation is a global medical technology company that develops and produces a wide array of industryleading monitoring technologies, including innovative measurements, sensors, patient monitors, and automation and connectivity solutions. Our mission is to improve patient outcomes and reduce the cost of care. Masimo’s Root® Patient Monitoring and Connectivity Platform was built from the ground up to be as flexible and expandable as possible to facilitate the addition of other Masimo and third-party monitoring technologies. When connected to Masimo’s Radical-7 Pulse CO-Oximeter®, Root provides continuous monitoring using industryleading Masimo SET® Measure-through Motion and Low Perfusion™ pulse oximetry. In addition, the platform can be upgraded to provide Masimo rainbow SET® technology, allowing clinicians to non-invasively monitor multiple additional physiologic parameters. The Masimo Cryptographic Module v1.0 is a software library providing a C language API 1 for use by Masimo products requiring cryptographic functionality. The Masimo Cryptographic Module v1.0 includes symmetric encryption/decryption, digital signature generation/verification, hashing, cryptographic key generation, random number generation, message authentication, and SSP establishment functions to secure data-at-rest/data-inflight and offers cryptographic support for secure communications protocols (including TLS2 1.2/1.3). The Masimo Cryptographic Module is validated at the FIPS 140-3 section levels shown in Table
  2. Table 1 – Security Levels ISO/IEC 24579 Section
  3. FIPS 140-3 Section Title Security Level [Number Below]

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security N/A

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 1

10 Self-tests 1

11 Life-Cycle Assurance 1

12 Mitigation of Other Attacks N/A

The module has an overall security level of 1. API

2 TLS – Transport Layer Security

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 6

2. Cryptographic Module Specification The Masimo Cryptographic Module v1.0 is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment.

2.1 Operational Environments

The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in Table 2. Table 2

1 Custom Linux OS with Linux Masimo Radical-7 ARM Cortex-A8 (ARMv7-A) Without PAA

2 Custom Linux OS with Linux Masimo Root ARM Cortex-A8 (ARMv7-A) Without PAA

kernel 4.9.43 The vendor affirms the module’s continued validation compliance when operating on the environments listed in Table 3. Table 3

1 Red Hat Enterprise Linux 8 Masimo Patient SafetyNet

2 Red Hat Enterprise Linux 8 Masimo Iris Gateway

3 Windows 10 Pro on VMware Workstation 15.x Masimo Patient SafetyNet View Station

4 Custom Linux OS with Linux 4.14.78 Masimo Rad-97
5 Custom Linux OS with Linux 4.14.78 Masimo Rad-67
6 Custom Linux OS with Linux 4.14.78 Masimo Radius VSM
7 Custom Linux OS with Linux 4.16.7 Masimo Radius-7

8 Custom Linux OS using Yocto standard Masimo iSirona Connectivity Hub

9 Android 6.0.1 Masimo Uniview Media Hub

10 Android 7.0 Masimo Uniview 60 Tablet

11 Android 12.0 Masimo Zebra TC51-HC Phone

12 Custom Linux OS with Linux kernel 4.14.78 Masimo Radical-7 w/ ARM Cortex-A9 (ARMv7-A)

13 Custom Linux OS with Linux kernel 4.14.78 Masimo Root w/ ARM Cortex-A9 (ARMv7-A)

The cryptographic module maintains compliance when operating on a general-purpose computer (GPC) with any of the following supported bare metal and virtual environments: Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 7
2.2 Algorithm Implementations

Validation certificates for each Approved security function are listed in Table 4. Note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any Approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in Table 4 are used by an Approved service of the module. Table 4

3 PUB – Publication
4 CBC – Cipher Block Chaining
6 CTR – Counter
7 ECB – Electronic Code Book
8 OFB – Output Feedback

CMAC

10 CCM – Counter with Cipher Block Chaining - Message Authentication Code
11 GCM – Galois Counter Mode
12 GMAC – Galois Message Authentication Code
13 XOR – Exclusive OR

XEX

15 XTS – XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 8

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths A3595 AES KW16, KWP17 128, 192, 256 Encryption/decryption NIST SP 800-38F A3595 CVL18 TLS v1.2 KDF RCF7627 - Key derivation RFC19 7627 No part of the TLS v1.2 protocol, other than the KDF, has been tested by the CAVP and CMVP. A3596 CVL TLS v1.3 KDF - Key derivation RFC 8446 No part of the TLS v1.3 protocol, other than the KDF, has been tested by the CAVP and CMVP. A3595 DRBG20 Counter-based AES-128, AES-192, AES-256 Deterministic random bit NIST SP 800-90Arev1 generation A3595 DSA21 - 2048/224, 2048/256, Domain parameter generation FIPS PUB 186-4 3072/256 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) - 1024/160, 2048/224, Domain parameter verification 2048/256, 3072/256 (SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) - 2048/224, 2048/256, Key pair generation 3072/256 - 2048/224, 2048/256, Digital signature generation 3072/256 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) - 1024/160, 2048/224, Digital signature verification 2048/256, 3072/256 (SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3595 ECDSA22 Secrets generation mode: B-233, B-283, B-409, B-571, Key pair generation FIPS PUB 186-4 Testing candidates K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - B-163, B-233, B-283, B-409, Public key validation B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 KW

17 KWP – Key Wrap with Padding
18 CVL – Component Validation List
19 RFC – Request for Comments
20 DRBG – Deterministic Random Bit Generator

DSA

22 ECDSA – Elliptic Curve Digital Signature Algorithm

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 9

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths - B-233, B-283, B-409, B-571, Digital signature generation K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) - B-163, B-233, B-283, B-409, Digital signature verification B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3595 HMAC SHA-1, SHA2-224, SHA2- - Message authentication FIPS PUB 198-1 256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 A3595 KAS23 KAS-ECC-SSC with KDFs B-233, B-283, B-409, B-571, Key agreement A3596 NIST SP 800-56Arev3 (TLS 1.2 RFC7627, TLS 1.3) K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 SSP establishment methodology provides between 112 and 256 bits of encryption strength. KAS-FFC-SSC with KDFs FB, FC Key agreement (TLS 1.2 RFC7627, TLS 1.3) SSP establishment methodology provides

112 bits of encryption strength.

A3595 KAS-ECC-SSC24 ephemeralUnified B-233, B-283, B-409, B-571, Shared secret computation25 NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 A3595 KAS-FFC-SSC26 dhEphem FB, FC Shared secret computation27 NIST SP 800-56Arev3 A3595 KTS AES-CCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38C encryption)28 SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES-GCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38D encryption)29 SSP establishment methodology provides between 128 and 256 bits of encryption strength KAS

24 KAS-ECC-SSC

25 Key agreement method complies with FIPS 140-3 Implementation Guidance D.F, scenario 2(1).

26 KAS-FFC-SSC

27 Key agreement method complies with FIPS 140-3 Implementation Guidance D.F, scenario 2(1).

Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is an Approved key transport technique.

29 Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is an Approved key transport technique.

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 10

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths A3595 KTS30 AES key wrap 128, 192, 256 Key wrap/unwrap NIST SP 800-38F SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES with CMAC 128, 192, 256 Key wrap/unwrap (encryption with FIPS PUB 197 message authentication)31 NIST SP 800-38B SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES with GMAC 128, 192, 256 Key wrap/unwrap (encryption with FIPS PUB 197 message authentication)32 NIST SP 800-38D SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS AES-CBC with HMAC 128, 192, 256 Key wrap/unwrap (encryption with FIPS PUB 197 message authentication)33 FIPS PUB 198-1 SSP establishment methodology provides between 128 and 256 bits of encryption strength A3595 KTS Triple-DES with CMAC 112 (KO2), 168 (KO1) Key unwrap (encryption with NIST SP 800-67rev2 message authentication)34 NIST SP 800-38B A3595 KTS Triple-DES with HMAC 112 (KO2), 168 (KO1) Key unwrap (encryption with NIST SP 800-67rev2 message authentication)35 FIPS PUB 198-1 SSP establishment methodology provides

112 or 168 bits of encryption strength

A3595 PBKDF236 Section 5.4, option 1a SHA-1, SHA2-224, SHA2- Password-based key derivation NIST SP 800-132 256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 A3595 RSA Key generation mode: 2048, 3072, 4096 Key pair generation FIPS PUB 186-4 B.3.3 ANSI37 X9.31 2048, 3072, 4096 (SHA2- Digital signature generation 256, SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-256, SHA2384, SHA2-512)

30 KTS – Key Transport Scheme

Per FIPS 140-3 Implementation Guidance D.G, AES with CMAC is an Approved key transport technique.

32 Per FIPS 140-3 Implementation Guidance D.G, AES with GMAC is an Approved key transport technique.

33 Per FIPS 140-3 Implementation Guidance D.G, AES with HMAC is an Approved key transport technique.

34 Per FIPS 140-3 Implementation Guidance D.G, Triple-DES with CMAC is an Approved key transport technique.

35 Per FIPS 140-3 Implementation Guidance D.G, Triple-DES with HMAC is an Approved key transport technique.

PBKDF2

37 ANSI – American National Standards Institute

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 11

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate Standard Key Strengths PKCS#1 v1.5 2048, 3072, 4096 (SHA2- Digital signature generation 224, SHA2-256, SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS38 2048, 3072, 4096 (SHA2- Digital signature generation 224, SHA2-256, SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A3595 SHA-3 SHA3-224, SHA3-256, - Message digest FIPS PUB 202 SHA3-384, SHA3-512 A3595 SHAKE39 SHAKE-128, SHAKE-256 - Message digest FIPS PUB 202 A3595 SHS40 SHA-1, SHA2-224, SHA2- - Message digest FIPS PUB 180-4 256, SHA2-384, SHA2-512 A3595 Triple-DES CBC, CFB1, CFB8, CFB64, 168 (KO1) Decryption NIST SP 800-67rev2 ECB, OFB NIST SP 800-38A A3595 Triple-DES CMAC 112 (KO2), 168 (KO1) MAC verification NIST SP 800-67rev2 NIST SP 800-38B The module implements the non-Approved but allowed algorithms shown in Table 5 below. Table 5

38 PSS – Probabilistic Signature Scheme

SHAKE

40 SHS – Secure Hash Standard

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 12

Table 6

41 OCB – Offset Codebook

EdDSA

43 RC – Rivest Cipher

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 13

Algorithm / Function Use / Function SHA-1 (non-compliant) Signature generation for TLS 1.0/1.1 SM2, SM3, SM3 Message digest SM4 Encryption/decryption Triple-DES (non-compliant) Encryption; MAC generation; key wrapping Whirlpool Message digest

2.3 Cryptographic Boundary

As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 and Figure 2 below provide hardware block diagrams of the host devices used for testing and illustrate the module’s physical perimeter. Radio RAM Board Ethernet Serial Instrument Audio SoC w/ ARM Board I/O Processing Core USB SD Card Touch Controller Board Module Interface Touch LCD (Radical-7 Power Screen Panel Board) Interface External Power Supply KEY: BIOS

Page 14

RAM Radio Board Serial SoC w/ ARM Processing Core Instrument Board I/O Audio Touch Controller SD Card Board Touch LCD Power Screen Panel Interface External Power Supply KEY: BIOS

Page 15

libssl libssl.hmac Calling Application libcrypto libcrypto.hmac KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output CPU Memory Storage Ports Status Output System Calls Host Device Figure 3

2.4 Modes of Operation

The module supports two modes of operation: Approved and non-Approved. The module will be in its Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked. Table 4 and Table 5 list the Approved and allowed algorithms; Table 9 provides descriptions of the Approved services. The module alternates on a service-by-service basis between Approved and non-Approved modes of operation. The module will switch to the non-Approved mode upon execution of a non-Approved service. The module will switch back to the Approved mode upon execution of an Approved service. Table 6 lists the non-Approved algorithms implemented by the module; Table 10 below lists the services that constitute the non-Approved mode. When following the guidance in this document, CSPs are not shared between Approved and non-Approved services and modes of operation. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 16
  1. Cryptographic Module Interfaces FIPS 140-3 defines the following logical interfaces for cryptographic modules: • Data Input • Data Output • Control Input • Control Output • Status Output As a software library, the cryptographic module has no direct access to any of the host platform’s physical ports, as it communicates only to the calling application via its well-defined API. A mapping of the FIPS-defined interfaces and the module’s ports and interfaces can be found in Table
  2. Note that the module does not output control information, and thus has no specified control output interface. Table 7 – Ports and Interfaces Physical Port Logical Interface Data That Passes Over Port/Interface Physical data input port(s) of Data Input • Data to be encrypted, decrypted, signed, the tested platforms • API input arguments that provide verified, or hashed input data for processing • Keys to be used in cryptographic services • Random seed material for the module’s DRBG • Keying material to be used as input to SSP establishment services Physical data output port(s) of Data Output • Data that has been encrypted, the tested platforms • API output arguments that return decrypted, or verified generated or processed data back • Digital signatures to the caller • Hashes • Random values generated by the module’s DRBG • Keys established using module’s SSP establishment methods Physical control input port(s) of Control Input • API commands invoking cryptographic the tested platforms • API input arguments that are services used to initialize and control the • Modes, key sizes, etc. used with operation of the module cryptographic services Physical status output port(s) Status Output • Status information regarding the module of the tested platforms • API call return values • Status information regarding the invoked service/operation Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation
Page 17

4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.

4.1 Authorized Roles

The module supports two roles that authorized operators can assume:

44 MAC – Message Authentication Code

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 18

Role Service Input Output User Verify digital signature API call parameters, key, Status signature, message User Perform key wrap API call parameters, encryption Status, encrypted key key, key User Perform key un-encapsulation API call parameters, decryption Status, decrypted key key, key User Compute shared secret API call parameters Status, shared secret User Derive keys via TLS KDF API call parameters, TLS pre- Status, TLS keys master secret User Perform key agreement functions API call parameters Status, symmetric key User Derive key via PBKDF2 API call parameters, passphrase Status, symmetric key

4.2 Authentication Methods

The module does not support authentication methods; operators implicitly assume an authorized role based on the service selected.

4.3 Services

Descriptions of the approved services available to the authorized roles are provided in Table 9 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided by the module are considered the module’s security services. Indicators for Approved services (in the case of this module, those security functions with algorithm validation certificates and all required self-tests) are provided via API return value. When invoking a security function, the calling application provides inputs via an internal structure, or “context”. Upon each service invocation, the module will determine if the invoked security function is an Approved service. To access the resulting value, the calling application must pass the finalized context to the indicator API associated with that security function (note the indicator check must be performed prior to any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix A below. The keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:

Page 19

Table 9

Page 20

Service Description Approved Security Function(s) Keys and/or SSPs Roles Access Rights to Keys and/or SSPs Indicator Perform key Perform key AES (Cert. A3595) AES key User AES key

Page 21

Service Description Algorithm(s) Accessed Role Indicator Perform data encryption Perform symmetric data ARIA, Blake2, Blowfish, User API return value (non-compliant) encryption Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4, TripleDES (non-compliant) Perform data decryption Perform symmetric data ARIA, Blake2, Blowfish, User API return value (non-compliant) decryption Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4 Perform MAC operations Perform message Poly1305, Triple-DES/CMAC User API return value (non-compliant) authentication operations (non-compliant for MAC generation) Perform hash operation (non- Perform hash operation MD2, MD4, MD5, RIPEMD, User API return value compliant) RMD160, SM2, SM3, SM4, Whirlpool Perform digital signature Perform digital signature DSA (non-compliant), ECDSA User API return value functions (non-compliant) functions (non-compliant), RSA (noncompliant) Perform key agreement Perform key agreement DH (non-compliant), ECDH User API return value functions (non-compliant) functions (non-compliant) Perform key wrap (non- Perform key wrap functions Triple-DES/CMAC (non- User API return value compliant) compliant) Perform key encapsulation Perform key encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key un-encapsulation Perform key un-encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key derivation Perform key derivation HKDF (non-compliant), KBKDF User API return value functions (non-compliant) functions (non-compliant), TLS v1.0/1.1 KDF (non-compliant) Perform authenticated Perform authenticated AES-OCB User API return value encryption/decryption (non- encryption/decryption compliant) Perform random number Perform random number ANSI X9.31 RNG (with 128-bit User API return value generation (non-compliant) generation AES core), Hash_DRBG (noncompliant), HMAC_DRBG (non-compliant) Perform key pair generation Perform key pair generation DSA (non-compliant), ECDSA User API return value (non-compliant) (non-compliant), EdDSA, RSA (non-compliant) Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 22

5. Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file; failure of the integrity test for either library file will cause the module to enter a critical error state. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. The Masimo Cryptographic Module is not delivered to end-users as a standalone offering. Rather, it is a pre-built component integrated into Masimo’s application software. Masimo does not provide end-users with any mechanisms to directly access the module, its source code, its APIs, or any information sent to/from the module. Thus, end-users have no ability to independently load the module onto target platforms. No configuration steps are required to be performed by end-users, and no end-user action is required to initialize the module for operation. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 23

6. Operational Environment The Masimo Cryptographic Module comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environment provides the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 24

7. Physical Security This section is not applicable. Per section 7.7.1 of ISO/IEC 19790:2021, the requirements of this section are “applicable to hardware and firmware modules, and hardware and firmware components of hybrid modules”. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 25

8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 26

9. Sensitive Security Parameter Management

9.1 Keys and SSPs

The module supports the keys and other SSPs listed Table 11. Note that all SSP import and export is electronic and is performed within the Tested OE’s Physical Perimeter (TOEPP). Table 11

Page 27

Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys DSA private 112 or 128 bits DSA Generated Imported in - Not Reboot or power- Digital key (Cert. A3595) internally via plaintext via API persistently cycle the host signature (CSP) approved parameter stored by the device generation DRBG module Exported in plaintext via API parameter DSA public key 112 or 128 bits DSA Generated Imported in - Not Reboot or power- Digital (PSP) (Cert. A3595) internally via plaintext via API persistently cycle the host signature approved parameter stored by the device verification DRBG module Exported in plaintext via API parameter ECDSA private Between 112 ECDSA Generated Imported in - Not Reboot or power- Digital key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature (CSP) approved parameter stored by the device generation DRBG module Exported in plaintext via API parameter ECDSA public Between 112 ECDSA Generated Imported in - Not Reboot or power- Digital key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature (PSP) approved parameter stored by the device verification DRBG module Exported in plaintext via API parameter RSA private Between 112 RSA Generated Imported in - Not Reboot or power- Digital key and 150 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature (CSP) approved parameter stored by the device generation KTS DRBG module (Cert. A3595) Exported in plaintext via API parameter RSA public key Between 80 RSA Generated Imported in - Not Reboot or power- Digital (PSP) and 150 bits (Cert. A3595) internally via plaintext via API persistently cycle the host signature approved parameter stored by the device verification KTS DRBG module (Cert. A3595) Exported in plaintext via API parameter DH private key 112 bits KAS-SSC-FFC Generated Imported in - Not Reboot or power- DH shared (CSP) (Cert. A3595) internally via plaintext via API persistently cycle the host secret approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter DH public key 112 bits KAS-SSC-FFC Generated Imported in - Not Reboot or power- DH shared (PSP) (Cert. _A3595) internally via plaintext via API persistently cycle the host secret approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter ECDH private Between 112 KAS-SSC-ECC Generated Imported in - Not Reboot or power- ECDH shared key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host secret (CSP) approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter ECDH public Between 112 KAS-SSC-ECC Generated Imported in - Not Reboot or power- ECDH shared key and 256 bits (Cert. A3595) internally via plaintext via API persistently cycle the host secret (PSP) approved parameter stored by the device computation DRBG module Exported in plaintext via API parameter Other SSPs Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 28

Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys Passphrase - PBKDF - Imported in - Not Reboot or power- Input to PBKDF (PSP) (Cert. A3595) plaintext via API persistently cycle the host for key parameter stored by the device derivation module Never exported AES GCM IV - AES (GCM mode) Generated - - Not Reboot or power- Initialization (CSP) (Cert. A3595) internally in persistently cycle the host vector for AES compliance stored by the device GCM with the module provisions of a peer-to-peer industry standard protocols TLS 1.2 pre- - KDF (TLS 1.2 - Imported in - Not Reboot or power- Input to TLS master secret RFC7627) plaintext via API persistently cycle the host 1.2 KDF for (CSP) (Cert. A3595) parameter stored by the device derivation of module secrets and Never exported keys TLS 1.2 master - KDF (TLS 1.2 - - Derived Not Reboot or power- Derivation of secret RFC7627) internally via persistently cycle the host keys used for (CSP) (Cert. A3595) TLS 1.2 KDF stored by the device securing TLS with EMS45 module 1.2 session extension traffic TLS 1.3 - KDF (TLS 1.3) - Imported in - Not Reboot or power- Input to TLS handshake (Cert. A3596) plaintext via API persistently cycle the host 1.3 KDF for secret parameter stored by the device derivation of (CSP) module secrets and Never exported keys TLS 1.3 - KDF (TLS 1.3) - - Derived Not Reboot or power- Derivation of handshake (Cert. A3596) internally via persistently cycle the host keys used for traffic secrets TLS 1.3 KDF stored by the device securing TLS (CSP) module 1.3 handshake traffic TLS 1.3 master - KDF (TLS 1.3) - - Derived Not Reboot or power- Derivation of secret (Cert. A3596) internally via persistently cycle the host TLS 1.3 (CSP) TLS 1.3 KDF stored by the device application module traffic secrets TLS 1.3 - KDF (TLS 1.3) - - Derived Not Reboot or power- Derivation of application (Cert. A3596) internally via persistently cycle the host keys used for traffic secrets TLS 1.3 KDF stored by the device securing TLS (CSP) module 1.3 session traffic DRBG entropy - DRBG - Imported in - Not Reboot or power- Entropy input (Cert. A3595) plaintext via API persistently cycle the host material for (CSP) parameter46 stored by the device DRBG module Never exported DRBG seed - DRBG Generated - - Not Reboot or power- Seeding (CSP) (Cert. A3595) internally persistently cycle the host material for using nonce stored by the device DRBG along with module DRBG entropy input DRBG ‘V’ value - DRBG Generated - - Not Reboot or power- State values (CSP) (Cert. A3595) internally persistently cycle the host for DRBG stored by the device module DRBG ‘Key’ - DRBG Generated - - Not Reboot or power- State values value (Cert. A3595) internally persistently cycle the host for DRBG (CSP) stored by the device module

45 EMS – Extended Master Secret

The module obtains entropy input from the calling application (which is outside of the cryptographic boundary) but exercises no control over the amount or the quality of the obtained entropy. As such, there is no assurance of the minimum strength of generated keys. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 29
9.2 DRBGs

The module implements the following Approved DRBG:

9.3 SSP Storage Techniques

There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.

9.4 SSP Zeroization Methods

Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can reboot/power-cycle the host device.

9.5 RBG Entropy Sources

The cryptographic module’s entropy scheme follows the scenario given in FIPS 140-3 Implementation Guidance 9.3.A, section 2(b). The module invokes a GET command to obtain entropy for random number generation (the module requests 256 bits of entropy from the calling application per request), and then passively receives entropy from the calling application while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the physical perimeter of the module’s operational environment but outside its cryptographic boundary. Thus, there is no assurance of the minimum strength of the generated SSPs. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 30

10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.

10.1 Pre-Operational Self-Tests

The module performs the following pre-operational self-test(s):

10.2 Conditional Self-Tests

The module performs the following conditional self-tests:

47 KAT – Known Answer Test

Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 31
10.3 Self-Test Failure Handling

The module reaches the critical error state when any self-test fails. Upon test failure, the module immediately terminates the calling application’s API call with a returned error code and sets an internal flag, signaling the error condition. For any subsequent request made by the calling application for cryptographic services, the module will return a failure indicator, thereby disabling all access to its cryptographic functions, sensitive security parameters (SSPs), and data output services while the error condition persists. To recover, the module must be re-instantiated by the calling application. If the pre-operational self-tests complete successfully, then the module can resume normal operations. If the module continues to experience self-test failures after reinitializing, then the module will not be able to resume normal operations, and the CO should contact Masimo Corporation for assistance. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 32

11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:

11.1 Secure Installation

The module is an integrated component of Masimo’s product application software, module operators have no ability to independently load the module onto the target platform. The module and its calling application are to be installed on a platform specified in section 2.1 or one where portability is maintained. Masimo does not provide any mechanisms to directly access the module, its source code, its APIs, or any information sent between it and other Masimo applications.

11.2 Initialization

This module is designed to support Masimo applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required for module initialization. The pre-operational integrity test and conditional CASTs are performed automatically via a default entry point (DEP) when the module is loaded for execution, without any specific action from the calling application or the end-user. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.

11.3 Startup

No startup steps are required to be performed by end-users.

11.4 Administrator Guidance

There are no specific management activities required of the CO role to ensure that the module runs securely. If any irregular activity is observed, or if the module is consistently reporting errors, then Masimo Customer Support should be contacted. The following list provides additional guidance for the CO: Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 33
11.5 Non-Administrator Guidance

The following list provides additional policies for non-Administrators:

Page 34

probability requirement, as the mechanism for IV generation is compliant with RFC 8446. The implementations of AES GCM, TLS 1.3 KDF, and all underlying algorithms, have been successfully tested for compliance with their respective specifications (see CAVP Certs. A3595 and A3596).The generated IV is only used in the context of the AES GCM encryption executing the provisions of the TLS 1.3 protocol. The module also supports internal IV generation using the module’s Approved DRBG. The IV is at least 96 bits in length per section 8.2.2 of NIST SP 800-38D. Per NIST SP 800-38D and scenario 2 of FIPS 140-3 IG C.H, the DRBG generates outputs such that the (key/IV) pair collision probability is less than 2-32. In the event that power to the module is lost and subsequently restored, the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.

Page 35

12. Mitigation of Other Attacks The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. Therefore, per ISO/IEC 19790:2021 section 7.12, requirements for this section are not applicable. Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 36

Appendix A. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved service indicator value based on the parameter(s) passed to them.

Page 37
Page 38

//Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 39

Appendix B. Acronyms and Abbreviations Table 12 provides definitions for the acronyms and abbreviations used in this document. Table 12

Page 40

Term Definition GPC General-Purpose Computer HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OE Operational Environment OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication TLS Transport Layer Security TOEPP Tested OE’s Physical Perimeter XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing Masimo Cryptographic Module 1.0 ©2024 Masimo Corporation

Page 41

Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com