All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Arista Crypto Module v3.0 [Software, Software IPsec]

Certificate#4790StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorArista Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/5/2029
CaveatInterim validation. When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorArista Networks, Inc.

Approved Algorithms (39)

AlgorithmACVP Cert
AES-CBCA3592
AES-CCMA3592
AES-CFB1A3592
AES-CFB128A3592
AES-CFB8A3592
AES-CMACA3592
AES-CTRA3592
AES-ECBA3592
AES-GCMA3592
AES-XTS Testing Revision 2.0A3592
Counter DRBGA3592
ECDSA KeyGen (FIPS186-4)A3592
ECDSA KeyVer (FIPS186-4)A3592
ECDSA SigGen (FIPS186-4)A3592
ECDSA SigVer (FIPS186-4)A3592
Hash DRBGA3592
HMAC DRBGA3592
HMAC-SHA-1A3592
HMAC-SHA2-224A3592
HMAC-SHA2-256A3592
HMAC-SHA2-384A3592
HMAC-SHA2-512A3592
KAS-ECC-SSC Sp800-56Ar3A3592
KAS-FFC-SSC Sp800-56Ar3A3592
KDF IKEv1A3592
KDF IKEv2A3592
KDF SP800-108A3592
KDF SSHA3592
KDF TLSA3592
KTS-IFCA3592
RSA KeyGen (FIPS186-4)A3592
RSA SigGen (FIPS186-4)A3592
RSA SigVer (FIPS186-4)A3592
SHA-1A3592
SHA2-224A3592
SHA2-256A3592
SHA2-384A3592
SHA2-512A3592
TLS v1.2 KDF RFC7627A3592

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification4
Cryptographic Module Interfaces1
Self-Tests2

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Arista Crypto Module v3.0 [Software, Software IPsec]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>upgrade</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>On-Demand self-test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Arista Crypto Module v3.0 [Software, Software IPsec]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>upgrade</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>On-Demand self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Arista Networks Inc. Arista Crypto Module v3.0 [Software, Software IPsec] Version: 3.0 Non-Proprietary FIPS 140-3 Security Policy Document Version: v1.4 Date: July 6, 2024 Document Version 1.4 Arista Networks Inc. Public Material

Page 2

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table of Contents

1.0 - General Information
1.1 Overview
1.2 Security Levels
2.0 Cryptographic Module Specification
2.1 Description
2.2 Version Information
2.3 Operating Environments
2.4 Excluded Components
2.5 Modes of Operation
2.6 Approved Algorithms
2.7 Algorithm Specific Information
2.8 RBG and Entropy
2.9 Key Generation
2.10 Key Establishment
2.11 Industry Protocols
2.12 Design and Rules
2.13 Initialization
3.0 - Cryptographic Module Interfaces
3.1 Ports and Interfaces
4.0 - Roles, Services and Authentication
4.1 Authentication Methods
4.2 Roles
4.3 Approved Services
4.4 Non-Approved Services
4.5 External Software/Firmware Loaded – N/A
5.0 - Software/Firmware security
5.1 Integrity Techniques
5.2 Initiate on Demand
6.0 Operational environment
6.1 Operational Environment Type and Requirements
6.2 Configuration Settings and Restrictions
7.0 - Physical security – N/A
8.0 - Non-invasive security – N/A
9.0 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods
9.3 SSP Zeroisation Methods
9.4 SSPs

10. Self‐tests Document Version 1.4 Arista Networks Inc. Public Material

Page 3

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec]

10.1 Pre-Operational Self-Tests
10.2 Conditional Self-Tests
10.3 Periodic Self-Tests
10.4 Error States
11.1 Startup Procedures
11.2 Administrator Guidance
11.3 Non-Administrator Guidance
11.4 Maintenance Requirements – N/A
11.5 End of Life
12.0 Mitigation of other attacks – N/A
13.0 References and Definitions

Document Version 1.4 Arista Networks Inc. Public Material

Page 4
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication2
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec]

1.0 - General Information
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0 of the Arista Networks Inc. Arista Crypto Module v3.0 [Software, Software IPsec]. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module.

1.2 Security Levels
2.1 Description

Purpose and Use: The Arista Crypto Module v3.0 [Software, Software IPsec] (hereafter referred to as “the module”) is a Software Multichip standalone cryptographic module. The module provides cryptographic services to applications running in the user space of the underlying operating system through a C language Application Program Interface (API). Document Version 1.4 Arista Networks Inc. Public Material

Page 5
TypeVersions
SoftwareName: Arista Crypto Module v3.0 [Software, Software IPsec] Version: 3.0

Module Embodiment: Multi-chip Standalone Module Characteristics: None Cryptographic Boundary: The block diagram in Figure 1 shows the cryptographic boundary of the module, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows) Figure 1

2.2 Version Information

Table A

Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1CloudEOS version 4.29 running on QEMU version 2.0.0 running on Linux 3.10.0-1160.el7.x86_64Supermicro SYS- 1029U-TR-CTOIntel Xeon Gold 6240RYes1
2CloudEOS version 4.29 running on QEMU version 2.0.0 running on Linux 3.10.0-1160.el7.x86_64Supermicro SYS- 1029U-TR-CTOIntel Xeon Gold 6240RNo2
1CloudEOSAny general-purpose computer (GPC)1
2Any compatible OSAny general-purpose computer (GPC)2
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1CloudEOS version 4.29 running on QEMU version 2.0.0 running on Linux 3.10.0-1160.el7.x86_64Supermicro SYS- 1029U-TR-CTOIntel Xeon Gold 6240RYes1
2CloudEOS version 4.29 running on QEMU version 2.0.0 running on Linux 3.10.0-1160.el7.x86_64Supermicro SYS- 1029U-TR-CTOIntel Xeon Gold 6240RNo2
1CloudEOSAny general-purpose computer (GPC)1
2Any compatible OSAny general-purpose computer (GPC)2

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] The module does not contain any hardware or firmware.

2.3 Operating Environments

The module operates in a modifiable operational environment. The module runs on a commercially available virtual machine, based on a general-purpose operating system. The module executes on the hardware specified in Section 2. The module does not support concurrent operators. Software, Firmware, Hybrid Testing Operating Environments: The module has been tested on the platforms indicated in the following table, with the corresponding module variants and configuration options with and without PAA. # Table 2

Page 7
Service
NameDescriptionApproved FunctionsApproved Mode Yes
Non-Approved ModeSelected by default in CloudEOSThe status indicator is a return value 0 from the FIPS_mode() function.No
Approved algorithm
NameCAVP CertKey Size
and StandardCertKey Strength(s)

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Per the FIPS 140-3 Cryptographic Module Validation Program Management Manual, Section 7.9, Arista affirms that the module remains compliant with the FIPS 140-3 validation when operating on any general-purpose computer (GPC) provided that the GPC uses the specified operating system/mode specified on the validation certificate, or another compatible operating system (including Linux distros such as CentOS 6.x,7.x,8.x). The CMVP allows vendor porting and re-compilation of a validated cryptographic module from the operational environment specified on the validation certificate to an operational environment which was not included as part of the validation testing as long as the porting rules are followed. Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.4 Excluded Components

There are no excluded components for the module.

2.5 Modes of Operation

Modes List and Description: Table B - Modes of Operation When the module starts up successfully, after passing all the pre-operational self-tests, the module is set to use Approved Mode by calling FIPS_mode_set with an argument of 1. Section

4.3 provides details on the service indicator implemented by the module.

Mode change instructions and status indicators: To change to Approved mode, call FIPS_mode_set(1). To validate that the Approved Mode is active, call FIPS_mode() and verify the return value is equal to “1”.

2.6 Approved Algorithms

The table below lists the approved security functions (or cryptographic algorithms) of the module, including specific key lengths employed for approved services, and implemented modes or methods of operation of the algorithms. Document Version 1.4 Arista Networks Inc. Public Material

Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionDescription / Key Size(s) / Key Strength(s)
AES-CBCA3592AES128, 192, 256Encrypt, Decrypt
AES-CCMA3592AES128, 192, 256Encrypt, Decrypt
AES-CFB1A3592AES128, 192, 256Encrypt, Decrypt
AES-CFB128A3592AES128, 192, 256Encrypt, Decrypt
AES-CFB8A3592AES128, 192, 256Encrypt, Decrypt
AES-CMACA3592AES128, 192, 256Message Authentication128, 192, 256
AES-CTRA3592AES128, 192, 256Encrypt, Decrypt
AES-ECBA3592AES128, 192, 256Encrypt, Decrypt
AES-GCMA3592AES128, 192, 256Authenticated Encrypt, Authenticated Decrypt, Message Authentication
AES-XTS Testing Revision 2.0A3592AES128, 256Confidentiality on storage devices only [XTS-AES is compliant to IG C.I by checking for Key_1 ≠ Key_2.]
Counter DRBGA3592Counter DRBG128, 192, 256Deterministic Random Bit Generation [Module defaults to Counter DRBG with 256- bit security strength]
ECDSA KeyGen (FIPS186-4)A3592Secret Generation Mode: Testing CandidatesP-256, P-384, P-521KeyGen
ECDSA KeyVer (FIPS186-4)A3592ECDSA KeyVerP-256, P-384, P-521KeyVer
ECDSA SigGen (FIPS186-4)A3592ECDSA SigGenCurve: P-256, P-384, P-521; Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512SigGen
ECDSA SigVer (FIPS186-4)A3592ECDSA SigVerCurve: P-256, P-384, P-521; Hash Algorithm: SHA-1, SHA2- 224, SHA2-256, SHA2-384, SHA2-512SigVer
HMAC DRBGA3592HMAC DRBGSHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512Deterministic Random Bit Generation
HMAC-SHA-1A3592HMACKey: 256-2048 Increment 8; MAC: 80-160 Increment 8Message Authentication, password obfuscation
HMAC-SHA2-224A3592HMACKey: 256-2048 Increment 8; MAC: 112-224 Increment 16Message Authentication
HMAC-SHA2-256A3592HMACKey: 256-2048 Increment 8; MAC: 128-256 Increment 64Message Authentication, KDF primitive, integrity test
HMAC-SHA2-384A3592HMACKey: 256-2048 Increment 8; MAC: 192-384 Increment 64Message Authentication, KDF primitive
HMAC-SHA2-512A3592HMACKey: 256-2048 Increment 8; MAC: 256-512 Increment 64Message Authentication, KDF primitive
Hash DRBGA3592Hash DRBGSHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512Deterministic Random Bit Generation
KAS-ECC-SSC Sp800-56Ar3A3592KASephemeralUnified: P-256, P-384, P-521Key Agreement [Relies on calling application to feed shared secret into KDF
KAS-FFC-SSC Sp800-56Ar3A3592KASdhEphem: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, MODP- 2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192Key Agreement [Relies on calling application to feed shared secret into KDF]
CVL KDF IKEv1A3592KDF IKEv1Hash Algorithm: SHA-1, SHA2- 256, SHA2-384, SHA2-512Key Derivation for IKEv1
CVL KDF IKEv2A3592KDF IKEv2Hash Algorithm: SHA-1, SHA2- 256, SHA2-384, SHA2-512Key Derivation for IKEv2
KDF SP800-108A3592KDF SP800-108KDF Mode: Counter; MAC Mode: CMAC-AES128, CMAC-AES256Key Derivation
CVL KDF SSHA3592KDF SSHHash Algorithm: SHA-1, SHA2- 224, SHA2-256, SHA2-384, SHA2-512Key Derivation for SSHv2
CVL KDF TLSA3592KDF TLSTLS Version: v1.0/1.1Key Derivation for TLS
KTS-IFCA3592KTSModulo: 2048, 3072, 4096; KTS- OAEP-basicKey Transport
RSA KeyGen (FIPS186-4)A3592RSA KeyGenKey Generation Mode: B.3.3; Modulo: 2048, 3072, 4096KeyGen
RSA SigGen (FIPS186-4)A3592RSA SigGenModulo 2048, 3072, 4096; ANSI X9.31 (SHA2-256, SHA2-384, SHA2-512), PKCS 1.5 (SHA2- 224, SHA2-256, SHA2-384, SHA2-512), PKCSPSS (SHA2- 224, SHA2-256, SHA2-384, SHA2-512)SigGen
RSA SigVer (FIPS186-4)A3592RSA SigVerModulo 1024, 2048, 3072, 4096; ANSI X9.31 (SHA-1 SHA2-256, SHA2-384, SHA2-512), PKCS 1.5 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512), PKCSPSS (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2- 512)SigVer
SHA-1A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
SHA2-224A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
SHA2-256A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
SHA2-384A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
SHA2-512A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
CVL TLS v1.2 KDF RFC7627A3592TLS v1.2 KDF RFC7627Hash Algorithm: SHA2-256, SHA2-384, SHA2-512Key Derivation for TLS
CKG [IG D.H]Cryptographic key generation per SP 800-133rev2 and IG D.I * Generation of asymmetric keys for signature generation per [133] section 5.1. * Generation of asymmetric keys for key establishment per [133] section 5.2. * Symmetric key derivation for industry standard protocols from a key agreement shared secret per [133] section 6.2.1. * Symmetric key derivation from existing key per [133] section 6.2.2.

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Document Version 1.4 Arista Networks Inc. Public Material

Page 9

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Document Version 1.4 Arista Networks Inc. Public Material

Page 10
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHA2-256A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
SHA2-384A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
SHA2-512A3592SHSMessage Length: 0-65536 Increment 8Message Digest Generation
CVL TLS v1.2 KDF RFC7627A3592TLS v1.2 KDF RFC7627Hash Algorithm: SHA2-256, SHA2-384, SHA2-512Key Derivation for TLS
CKG [IG D.H]Cryptographic key generation per SP 800-133rev2 and IG D.I * Generation of asymmetric keys for signature generation per [133] section 5.1. * Generation of asymmetric keys for key establishment per [133] section 5.2. * Symmetric key derivation for industry standard protocols from a key agreement shared secret per [133] section 6.2.1. * Symmetric key derivation from existing key per [133] section 6.2.2.

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table 5 - Approved Algorithms Note: IG D.R states for modules submitted after May 16, 2023 it is non-approved to use of SHA2-224 or SHA2-384 within Hash DRBG or HMAC DRBG. Vendor Affirmed Approved Algorithms The table below lists the vendor affirmed algorithms that are allowed in the approved mode of operation. Table 6

Page 11
Service
NameDescriptionApproved FunctionsTypeProperties
KAS- ECCSP 800-56Arev3. KAS_ECC_SSC per IG D.F Scenario 2, path (2). No key confirmation, key derivation per IG 2.4.B. SP 800-135. KDFs (TLS 1.0/1.1, 1.2, SSHv2, IKE v1, IKE v2)KAS-ECC-SSCKASP-256, P-384, P-521 curves providing 128, 192, or 256 bits of encryption strengthKAS-ECC-SSC Sp800-56Ar3/A3592 KDF IKEv1/A3592 KDF IKEv2/A3592 KDF SSH/A3592 KDF TLS/A3592 TLS v1.2 KDF RFC7627/A3592
KAS- FFCSP 800-56Arev3. KAS_FFC_SSC per IG D.F Scenario 2, path (2). No key confirmation, key derivation per IG 2.4.B. SP 800-135. KDFs (TLS 1.0/1.1, 1.2, SSHv2, IKE v1, IKE v2)KAS-FFC-SSCKAS2048, 3072, 4096, 6144, and 8192-bit moduli providing 112, 128, 152, 176, or 200 bits of encryption strengthKAS-FFC-SSC Sp800-56Ar3/A3592 KDF IKEv1/A3592 KDF IKEv2/A3592 KDF SSH/A3592 KDF TLS/A3592 TLS v1.2 KDF RFC7627/A3592
KTS-IFCSP 800-56Brev2. KTS-IFC (key encapsulation and un-encapsulation) per IG D.G.KTS-IFC KTS-OAEP-KTS2048, 3072, and 4096-bit moduli providing 112, 128, or 152 bits of encryption strengthKTS-IFC KTS-OAEP- basic/A3592
TLS- KTSSP 800-38D and SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G, Additional Comment 8.AES-GCM/A3592KTS128 and 256-bit keys providing 128 or 256 bits of encryption strengthAES-GCM/A3592 AES-CCM/A3592 AES-CBC/A3592 HMAC/A3592
SSHv2- KTSSP 800-38D and SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G, Additional Comment 8.AES-GCM/A3592KTS128, 192, 256-bit keys providing 128, 192, or 256 bits of encryption strengthAES-GCM/A3592 AES-CBC/A3592 AES-CTR/A3492 HMAC/A3592
IPsec- KTSSP 800-38D and SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G, Additional Comment 8.AES-GCM/A3592KTS128, 192, 256-bit keys providing 128, 192, or 256 bits of encryption strengthAES-GCM/A3592 AES-CCM/A3592 AES-CBC/A3592 HMAC/A3592
MD5Allowed per IG 2.4.AMessage digest used in TLS 1.0/1.1 KDF only

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table 8

Page 12
Approved algorithm
NameUse FunctionAlgorithm/FunctionUse/Function
DSA (disallowed)Digital Signature and Asymmetric Key Generation; PQG Gen, Key Pair Gen, Sig Gen
RSA (disallowed)Key Encryption, Decryption using PKCS#1 v1.5
Hash DRBG w/ SHA2-224 or SHA2- 384 (disallowed)Random Bit Generation
HMAC DRBG w/ SHA2-224 or SHA2- 384 (disallowed)Random Bit Generation
AES/Triple‐DES KW (non‐compliant)Key wrapping [algorithm disabled by module in approved mode]
BlowfishEncryption and Decryption [algorithm disabled by module in approved mode]
Camellia 128/192/256Encryption and Decryption [algorithm disabled by module in approved mode]
CAST5Encryption and Decryption [algorithm disabled by module in approved mode]
DESEncryption and Decryption [algorithm disabled by module in approved mode]
DES‐XEncryption and Decryption [algorithm disabled by module in approved mode]
IDEAEncryption and Decryption [algorithm disabled by module in approved mode]
RC2Encryption and Decryption [algorithm disabled by module in approved mode]
RC5Encryption and Decryption [algorithm disabled by module in approved mode]
SEEDEncryption and Decryption [algorithm disabled by module in approved mode]
Triple-DESEncryption and Decryption [algorithm disabled by module in approved mode]
MD4Message Digest [algorithm disabled by module in approved mode]
MD5Message Digest [algorithm disabled by module in approved mode]
RIPEMD‐160Message Digest [algorithm disabled by module in approved mode]
WhirlpoolMessage Digest [algorithm disabled by module in approved mode]
Triple‐DES MACMessage Digest [algorithm disabled by module in approved mode]
HMAC‐MD5Keyed Hash [algorithm disabled by module in approved mode]
ProtocolProtocolReference
SSHv2[IG D.F and SP 800‐135]

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table 11 - Non-Approved Algorithms Not Allowed In the approved Mode of Operation

2.7 Algorithm Specific Information

AES-GCM IV Generation The module offers three AES GCM implementations. The GCM IV generation for these implementations complies respectively with IG C.H under Scenario 1 and Scenario 2. The GCM shall only be used in the context of the AES-GCM encryption executing under each scenario, and using the referenced APIs explained next. Scenario 1, TLS 1.2 For TLS 1.2, the module offers the GCM implementation via the functions aes_gcm_tls_cipher, which calls CRYPTO_gcm128_encrypt_ctr32, and uses the context of Scenario 1 of IG C.H. The module is compliant with SP800-52rev2 and the mechanism Document Version 1.4 Arista Networks Inc. Public Material

Page 13

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] for IV generation is compliant with RFC5288. The module supports acceptable AESGCM ciphersuites from Section 3.3.1 of SP800-52rev2. The module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. If this exhaustion condition is observed, the module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Scenario 1, SSHv2 For SSH, the module offers the GCM implementation via the functions CRYPTO_gcm128_encrypt_ctr32, and uses the context of Scenario 1 of IG C.H. The module is compliant with RFCs 4252, 4253, and 5647. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Scenario 1, IPsec-v3 For IPsec, the module offers the GCM implementation via the functions CRYPTO_gcm128_encrypt_ctr32, and uses the context of Scenario 1 of IG C.H. The module is compliant with RFCs 4106 and 5282. The module uses RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES-GCM encryption keys are derived. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. This application negotiates the protocol session’s keys and the value in the first 32 bits of the nonce. The construction of the last

64 bits of the nonce is deterministic and uses a counter.

The module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. If this exhaustion condition is observed, the module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. Scenario 2, Random IV In this implementation, the module offers the interfaces RAND_bytes for compliance with Scenario 2 of IG C.H and SP800-38D Section 8.2.2. The AES-GCM IV is generated randomly internal to the module using the module's approved DRBG. The DRBG seeds itself from the entropy source. The GCM IV is 96 bits in length. Per Section 9, this 96-bit IV contains 96 bits of entropy. Document Version 1.4 Arista Networks Inc. Public Material

Page 14

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] XTS-AES Key Generation The module checks for Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm in compliance with IG C.I.

2.8 RBG and Entropy

The module provides an SP800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) using CTR_DRBG mechanism with AES-256 for creation of key components of asymmetric keys, and random number generation. Operators may instantiate and use the other Approved DRBGs offered by the module. The module receives entropy passively and uses 384 bits of entropy to seed the DRBG.

2.9 Key Generation

For generating RSA, ECDSA and EC Diffie-Hellman keys, the module implements asymmetric key generation services compliant with FIPS186-4 and using a DRBG compliant with SP80090Arev1. The random value used in asymmetric key generation is obtained from the DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5.1 of SP800-133rev2 (vendor affirmed) by obtaining a random bit string directly from an approved DRBG and that can support the required security strength requested by the caller (without any V, as described in Additional Comments 2 of IG D.H). The module does not provide a dedicated service for generating symmetric keys. However, symmetric keys can be derived using SP800-135rev1 for TLS KDF, IKE v1/2 KDF, and SSHv2 KDF algorithms, as well as SP800-108 counter KBKDF. This generation method maps to section

6.2 of SP800-133rev2.
2.10 Key Establishment

The module provides EC Diffie-Hellman and FFC Diffie-Hellman shared secret computation compliant with SP800-56Arev3, in accordance with scenario 2 (1) of IG D.F. It also provides RSA OAEP key transport as KTS-IFC compliant with SP 800-56Br2 in accordance with IG D.G. and applications may transport keys as TLS, SSHv2, or IPsec protocol payload compliant to SP 800-38F in accordance with IG D.G. Additionally, the module also supports key derivation using TLS 1.0/1.1, TLS 1.2, IKE v1, IKE v2, SSHv2 KDF compliant to SP800-135rev1 and counter KBKDF compliant to SP800-108.

2.11 Industry Protocols

The module does not implement any industry protocols. However it provides the building blocks to support the following protocols. Note: no parts of the TLS v1.0/1.1, v1.2, SSHv2, or IPsec-v3 protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Document Version 1.4 Arista Networks Inc. Public Material

Page 15
Approved algorithm
NameMode Method
ProtocolCipherProtocolProtocolKey ExchangeKey ExchangeServer/ Host AuthServer/ HostCipherIntegrityIntegrity
DTLS [IG D.G]DTLS [IG D.G]See TLS entry in this table.
SSHv2 [IG D.F and SP 800‐135]AES-GCM-128 AES-GCM-256 AES-CBC-128 AES-CBC-192 AES-CBC-256 AES-CTR-128 AES-CTR-192 AES-CTR-256SSHv2 [IG D.F and SP 800‐135]ECDH‐SHA2‐NIST P521, ECDH‐SHA2‐NIST P384, ECDH‐SHA2‐NIST P256, DIFFIE‐HELLMAN GROUP14‐SHA1, DIFFIE‐HELLMAN GROUP14‐SHA256, DIFFIE‐HELLMAN GROUP16‐SHA512ECDSA P‐521, ECDSA P‐384, ECDSA P‐256, RSAHMAC SHA-1 HMAC SHA2‐256 HMAC SHA2‐512 AES-GCM-128 AES-GCM-256
TLS [IG D.G and SP 800‐135]TLS [IG D.G and SP 800‐135]TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS v1.0, v1.1, v1.2
ECDHEAES‐GCM-128ECDHERSAAES‐GCM-128
AES-GCM-256AES-GCM-256ECDHERSA
ECDHEAES‐GCM‐128ECDHEECDSAAES‐GCM‐128
ECDHEAES‐GCM‐256ECDHEECDSAAES‐GCM‐256
ECDHEAES-CCM-256ECDHEECDSAAES-CCM-256
TLS v1.0/v1.1/v1.2[IG D.F, IG D.G and SP 800‐135]
IPsec-v3[RFC 4106, 5282, 7296]

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table C- Security Relevant Protocols Used in Approved Mode Document Version 1.4 Arista Networks Inc. Public Material

Page 16
Approved algorithm
NameMode Method
Key ExchangeCipherProtocolProtocolKey ExchangeServer/ Host AuthServer/ HostCipherIntegrityIntegrity
ECDHEAES-CCM-256ECDSAAES-CCM-256
ECDHEAES-CCM-128ECDSAAES-CCM-128
ECDHEAES-CCM-128ECDSAAES-CCM-128
ECDHEAES-CBC-256ECDSAHMAC SHA2-384
ECDHEAES-CBC-128ECDSAHMAC SHA2-256
ECDHEAES-CBC-256ECDSAHMAC SHA-1
ECDHEAES-CBC-128ECDSAHMAC SHA-1
ECDHEAES-CBC-128RSAHMAC SHA2-256
ECDHEAES-CBC-256RSAHMAC SHA2-256
ECDHEAES-CBC-256RSAHMAC SHA-1
ECDHEAES-CBC-128RSAHMAC SHA-1
Key ExchangeCipherProtocolProtocolKey ExchangeServer/ Host AuthServer/ HostCipherIntegrityIntegrity
DHEAES-CCM-256RSAAES-CCM-256
DHEAES-CCM-256RSAAES-CCM-256
DHEAES-CCM-128RSAAES-CCM-128
DHEAES-CCM-128RSAAES-CCM-128
DHEAES-CBC-256RSAHMAC SHA2-256
DHEAES-CBC-128RSAHMAC SHA2-256
DHEAES-CBC-256RSAHMAC SHA-1
DHEAES-CBC-128RSAHMAC SHA-1
diffie-hellman MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 ec diffie-hellman secp256r1, secp384r1, secp521r1AES-GCM-128 AES-GCM-192 AES-GCM-256 AES-CBC-128 AES-CBC-192 AES-CBC-256 AES-CTR-128 AES-CTR-192 AES-CTR-256 AES-CCM-128 AES-CCM-192 AES-CCM-256IPsec-v3AES-GCM-128 AES-GCM-192 AES-GCM-256 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CCM-128 AES-CCM-192 AES-CCM-256

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Document Version 1.4 Arista Networks Inc. Public Material

Page 17

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table D - Security Relevant Protocols Used in Approved Mode Document Version 1.4 Arista Networks Inc. Public Material

Page 18
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI input parameters for data
N/AN/AData OutputAPI output parameters for data
N/AN/AControl InputAPI function calls
N/AN/AStatus OutputAPI return codes, error messages, logging messages

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec]

2.12 Design and Rules

The module initializes upon power-on. After the pre-operational self-tests (POST) are successfully concluded, the module automatically transitions to the operational state. In this state, the module awaits service requests from the operator. The operator must then manually set the module to approved mode, via the interface described in Section “2.5 Modes of Operation”.

2.13 Initialization

Upon initializing the module by installing the module and setting the password, the operator must then manually set the module to approved mode, via the interface described in Section “2.5 Modes of Operation”:

3.0 - Cryptographic Module Interfaces
3.1 Ports and Interfaces

As a Software module, the module interfaces are defined as Software or Firmware Module Interfaces (SFMI), and there are no physical ports. The interfaces are mapped to the API provided by the module, through which the operator can interact. The interfaces are listed in the table below. All data output via data output interface is inhibited under the following circumstances:

4.0 - Roles, Services and Authentication
4.1 Authentication Methods

The module supports Role-based authentication using passwords as the SP 800-140E memorized secret. The module has a strength of authentication objective of at least 1/95^8, and to achieve that over a one minute period the module enforces a minimum password length of 16 Document Version 1.4 Arista Networks Inc. Public Material

Page 19
Service
NameRolesInputOutput
Authenticated DecryptionCOCiphertext, authentication tag, key, IVPlaintext
Authenticated EncryptionCOPlaintext, key, IVCiphertext, authentication tag
DecryptionCOCiphertext, keyPlaintext
EncryptionCOPlaintext, keyCiphertext
Key Derivation (TLS)COPRF algorithm, TLS master secretDerived Keys
Key Derivation (SSH)COPRF algorithm, SSH shared secretDerived Keys
Key Derivation (IKE)COPRF algorithm, IKE shared secretDerived Keys
Key Derivation (SP 800-108r1)COShared secret, key sizeDerived Keys
Key EncapsulationCORSA keypair, keying material to encapsulateEncapsulated key
Key Un-encapsulationCORSA keypair, keying material to un- encapsulateUn-encapsulated key
Key VerificationCOKey to verifyReturn codes and log messages
InitializeCOCrypto Officer PasswordNone
Message Authentication GenerationCOMessage, Algorithm, keyMessage Authentication code
Message DigestCOMessageDigest of the message
On-Demand Integrity TestCONoneResult of test (pass/fail)
On-Demand self-testCONoneResult of self-test (pass/fail)
Random number generationCOSizeRandom bytes
Shared secret computationCOEC Curve or DH parameters, V's public keyShared secret
Show StatusCONoneReturn code of 1 indicates approved mode enabled, 0 is disabled
Show VersionCONoneString indicating the module version and name
Signature GenerationCOMessage, hash algorithm, private keySignature
Signature VerificationCOMessage, Signature, hash algorithm, public keyVerification result
ZeroiseCOContext containing SSPsNone

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] characters. The password can be set by the calling application through the “FIPS_set_password” API. The module has procedural controls and enforces that an operator must set a password prior to use of the module. The module is installed according to section 11.1 and the module authentication mechanism is included within the module software and so automatically included during that installation process. Since the module enforces a minimum 16 character password length and there are 95 possible ASCII characters (upper and lower case, digits, special characters), it has an authentication strength of 95^16. Thus the false acceptance rate is 1/95^16. Assuming a very high-performing CPU that runs at 4 GHz with 24 cores which means it can perform 4 billion * 24 instructions per second, the probability of a successful random access within a minute is still extremely unlikely at 1/95^16 * 4 billion * 24 cores * 60 seconds/min. It would take about 150 billion years to have a 1% chance of cracking the password in this scenario: 1/95^16 * 4 billion * 24 cores * 60 sec / min * 60 min / hr * 24 hr / day * 365 days / year *

150 billion = 0.0103
4.2 Roles

The module supports the Crypto Officer role only, whose authentication is performed by the module using passwords. This sole role is implicitly assumed by the operator of the module when performing a service after authentication. Table 13 provides a mapping of services to the roles that can utilize them, in this case the sole role of the module, and the service inputs and outputs. Document Version 1.4 Arista Networks Inc. Public Material

Page 20

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table 13

Page 21
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Authenticated DecryptionAuthenticated DecryptionCOAES keyAES-GCM, AES-CCMW, EReturn code 1, log message indicating approval
Authenticated EncryptionAuthenticated EncryptionCOAES keyAES-GCM, AES-CCMW, EReturn code 1, log message indicating approval
DecryptionDecryptionCOAES keyAES CBC, CTR, ECB, CFB1, CFB128, CFB8, XTSW, EReturn code 1, log message indicating approval
EncryptionEncryptionCOAES keyAES CBC, CTR, ECB, CFB1, CFB128, CFB8, XTSW, EReturn code 1, log message indicating approval
Key Derivation (TLS)Deriving TLS keysCOTLS pre_master_secret; TLS master secret; TLS derived keysKDF TLS 1.0/1/1/1.2TLS pre_master_secret - W, E; TLS master secret - G, E; TLS derived keys G, RReturn code 1, log message indicating approval
Key Derivation (SSH)Deriving SSH keysCOSSH shared secret; SSH derived keysKDF SSH v2SSH shared secret - W, E; SSH derived key - G, RReturn code 1, log message indicating approval
Key Derivation (IKE)Deriving IKE keysCOIKE shared secret; IKE derived keyKDF IKE v1, v2IKE shared secret - W, E; IKE derived key - G, RReturn code 1, log message indicating approval
Key Derivation (SP 800- 108r1)Deriving keysCOShared secret; 800- 108 derived keyKDF SP800-108Shared secret - W, E; 800-108 derived key - G, RReturn code 1, log message indicating approval
Key EncapsulationKey EncapsulationCORSA key pair, keying materialKTS-IFCRSA key pair - W, E; keying materialReturn code 1, log message indicating
per SP 800- 56Br2per SP 800- 56Br2- W, Rapproval
Key Un- encapsulationKey Un- encapsulation per SP 800- 56Br2CORSA key pair, keying materialKTS-IFCRSA key pair - W, E; keying material - W, RReturn code 1, log message indicating approval
Key VerificationVerifying the public keyCOECDSA public keyECDSAW, EReturn code 1, log message indicating approval
InitializeInitialize FIPS password using FIPS_set_pass wordCOCrypto Officer Password, Hashed PasswordHMAC SHA-1Crypto Officer Password - W, E; Hashed Password - EReturn code 1
Message Authentication GenerationMAC computationCOAES key; HMAC keyAES CMAC, HMACW, EReturn code 1, log message indicating approval
Message DigestGenerating message digestCON/ASHSN/AReturn code 1, log message indicating approval
On-Demand Integrity TestInitiate integrity test on-demand through FIPS_check_inc ore_fingerprintCON/A (keys for self- tests are not SSPs)HMAC SHA2- 256N/AReturn code 1
On-Demand self-testInitiate pre- operational and conditional CAST self-tests through FIPS_selftestCON/A (keys for self- tests are not SSPs)AES, CMAC, DRBG, ECDSA, HMAC, KAS- ECC-SSC, KAS-FFC-SSC, KDF, KTS, IKE KDF, RSA, SHS, TLS KDF, SSH KDFN/AReturn code 1
Random number generationGenerating random numbersCODRBG Entropy Input; DRBG Seed, V, C, KeyDRBGDRBG Entropy Input - W, E; DRBG Seed, V, C, Key - G, EReturn code 1, log message indicating approval
Shared secret computationCalculating Shared secretCODH key pair; ECDH key pair; DRBGKAS-ECC-SSC, KAS-FFC-SSC,DH key pair - G, E, Z; ECDH keyReturn code 1, log message indicating
DRBGSeed, V Key; Shared secretDRBGpair G, E, Z; DRBG Seed, V, C, Key - W, E; Shared secret - G, Rapproval
Show StatusShow status of the module state using FIPS_modeCON/AN/AN/AN/A
Show VersionShow the version of the module using FIPS_module_v ersion_textCON/AN/AN/AN/A
Signature GenerationGenerating signatureCOECDSA key pair; RSA key pairECDSA, RSA, SHSW, EReturn code 1, log message indicating approval
Signature VerificationVerifying signatureCOECDSA key pair; RSA key pairECDSA, RSA, SHSW, EReturn code 1, log message indicating approval
ZeroiseZeroise SSP in volatile memoryCOContext containing SSPsN/ASSPs – ZN/A

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] length); chance of guessing in one minute 1 in 9.03*10^18 Table 14

4.3 Approved Services

The module provides services to operators who assume the available role. All services are described in detail in the developer documentation. For the role, CO indicates “Crypto Officer”. The following table lists the approved services that utilize approved and allowed security W, E W, E W, E W, E 1.0/1/1/1.2 (SP 800108r1) Document Version 1.4 Arista Networks Inc. Public Material

Page 22

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] - W, R Key Unencapsulation Key Unencapsulation - W, R W, E -E W, E N/A N/A HMAC SHA2256 N/A N/A Document Version 1.4 Arista Networks Inc. Public Material

Page 23

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] R N/A N/A N/A N/A N/A N/A N/A N/A W, E W, E N/A N/A Table 15

Page 24
Service
NameDescriptionRolesApproved FunctionsIndicator
DecryptionDecryptionCOBlowfish, Camillia, CAST5, DES, DES-X, IDEA, RC2, RC5, SEED, Triple-DES listed in Table 11Return code 0, absence of approved log message
EncryptionEncryptionCOBlowfish, Camillia, CAST5, DES, DES-X, IDEA, RC2, RC5, SEED, Triple-DES listed in Table 11Return code 0, absence of approved log message
Key WrappingEncrypting/Decry pting keyCOAES/Triple-DES KW, RSA PKCS #1 v1.5 listed in Table 11Return code 0, absence of approved log message
Message DigestHash computationCOMD4, MD5 outside TLS 1.0 usage, RIPEMD- 160, Whirlpool, Triple-DES MAC, HMAC- MD5 listed in Table 11Return code 0, absence of approved log message

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec]

4.4 Non-Approved Services

The following table lists the non-approved services that utilize non-approved security functions. Table E - Non-approved services

4.5 External Software/Firmware Loaded – N/A
5.0 - Software/Firmware security
5.1 Integrity Techniques

The integrity of the module is validated by comparing the module with a HMAC-SHA2-256 value generated after the build of fipscanister.o, which is the FIPS Object Module. This generated value is embedded into fipscanister.o before fipscanister.o is statically linked to libcrypto.so. During runtime the FIPS_mode_set() function calculates the digest over fipscanister.o, excluding the embedded hash value, and checks to see if the embedded value matches the calculated Document Version 1.4 Arista Networks Inc. Public Material

Page 25
Sensitive security parameter
NameTypeDescription
RAMDynamicSystem Memory

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec]

5.2 Initiate on Demand

The module provides on-demand integrity test. The integrity test is performed by the OnDemand Integrity Test service, which calls the FIPS_check_incore_fingerprint function. The integrity test is also performed as part of the Pre-Operational Self-Tests. One can also initiate the On Demand Integrity Test service by calling “openssl --fips” on the command line, which is a calling application that runs the module’s self-test API function. A successful test will show “FIPS mode is enabled”.

6.0 Operational environment
6.1 Operational Environment Type and Requirements

Type of Operating Environment: Modifiable

6.2 Configuration Settings and Restrictions

The module should be installed as stated in section 11.

7.0 - Physical security – N/A
8.0 - Non-invasive security – N/A
9.0 Sensitive Security Parameters Management
9.1 Storage Areas

Table F

9.2 SSP Input-Output Methods

The module does not support manual SSP entry or intermediate key generation output. The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment. Except for services designed to wrap or unwrap an SSP the SSPs are provided to the module via API input parameters in the plaintext form and output via API output parameters in the plaintext form to and from the calling application running on the same operational environment. SSPs provided for unwrapping are input encrypted using KTS-IFC’s RSA-OAEP_basic, and SSPs the module wrapped are output encrypted using KTS-IFC’s RSAOAEP_basic. The output of plaintext CSPs requires two independent internal actions. Specifically, the first action is creation of the cipher context to request the service and to hold the CSPs to be output from the module. The second action is to process the ‘Key Generation’ service request using the Document Version 1.4 Arista Networks Inc. Public Material

Page 26
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey/SSP/Name/ TypeZeroisation
Derived for output to calling application. Used with Shared Secret128, 192, 256A3592SP 800-108 KDFN/AEphemeral in RAMN/A / Plaintext800-108 derived keyOPENSSL_cleanse
Authenticated Encryption, Authenticated Decryption, Encryption, Decryption, Message Authentication Generation. Used with Shared Secret128, 192, 256A3592External or KDFKAS-ECC or KAS-FFCEphemeral in RAMPlaintext / PlaintextAES KeyOPENSSL_cleanse
Crypto Officer authentication. Used with Hashed PasswordN/AN/AN/AN/AEphemeral in RAMPlaintext / N/ACrypto Officer PasswordAutomatic at end of service call
Crypto Officer authentication. Used with Crypto Officer PasswordN/AA3592HMAC SHA-1 of Crypto Officer PasswordN/AEphemeral in RAMN/AHashed PasswordRestart module
Key agreement. Used with: DRBG Seed, V, C, and Key, Shared Secret112 – 200A3592Internal per SP 800- 56Arev3N/AEphemeral in RAMN/A / Public key in plaintextDH key pairDH_free
Random number generation. Used with DRBG Seed, V, C, and Key384A3592ExternalN/AEphemeral in RAMPlaintext / N/ADRBG Entropy InputFIPS_DRBG_free
Random number generation. Used with DRBG Entropy Input and generated keys256A3592From DRBG entropy input; within SP 800- 90A Hash_DRBG, HMAC_DRBG, and CTR_DRBG DRBGsN/AEphemeral in RAMN/A / N/ADRBG SeedFIPS_DRBG_free
Random number generation. Used with DRBG Entropy Input and generated keys256A3592From DRBG entropy input; within SP 800- 90A Hash_DRBG, HMAC_DRBG, and CTR_DRBG DRBGsN/AEphemeral in RAMN/A / N/ADRBG VFIPS_DRBG_free
Random number generation. Used with DRBG Entropy Input and generated keys256A3592From DRBG entropy input; within SP 800- 90A Hash_DRBGN/AEphemeral in RAMN/A / N/ADRBG CFIPS_DRBG_free
Random number generation. Used with DRBG Entropy Input and generated keys256A3592From DRBG entropy input; within SP 800- 90A HMAC_DRB, and CTR_DRBG DRBGsN/AEphemeral in RAMN/A / N/ADRBG KeyFIPS_DRBG_free
Key agreement. Used with: DRBG Seed, V, C, and Key, Shared Secret128-256A3592Internal per SP 800- 56Arev3N/AEphemeral in RAMN/A / Public key in plaintextECDH key pairEC_GROUP_free, EC_POINT_free, EC_KEY_free
Signature generation and verification. Used with DRBG Seed, V, C, and Key128, 192, 256A3592External or per FIPS 186-4N/AEphemeral in RAMPlaintext / PlaintextECDSA key pairEC_GROUP_free, EC_POINT_free, EC_KEY_free
Message Authentication. Used with Shared secret112 or greaterA3592External or KDFKAS-ECC or KAS-FFCEphemeral in RAMPlaintext / PlaintextHMAC keyHMAC_CTX_cleanup
KE key agreement. Used with IKE derived key, DH key pair, ECDH key pair112 -256A3592N/AKAS-ECC-SSC or KAS-FFC- SSCEphemeral in RAMPlaintext / PlaintextIKE shared secretOpenSSL_cleanse
IKE key agreement Used with IKE shared secret112 or greaterA3592KDF IKEN/AEphemeral in RAMN/A / PlaintextIKE Derived key/AES &OpenSSL_cleanse
KTS-IFC keying material to be encapsulated or un-encapsulated by RSA-OAEP_basic. Used with RSA key pair112 or greaterA3592ExternalKTS-IFCEphemeral in RAMPlaintext or Encrypted / Encrypted or PlaintextKeying materialOpenSSL_cleanse
Signature generation and verification or KTS-IFC. Used with DRBG Seed, V, C, and Key; and keying material to encapsulate/un-encapsulate112, 128, 152A3592External or per FIPS 186-4N/AEphemeral in RAMPlaintext / PlaintextRSA key pairRSA_free
For key agreement. Used with DH key pair, ECDH key pair112 or greaterA3592N/AKAS-ECC-SSC or KAS-FFC- SSCEphemeral in RAMPlaintext / PlaintextShared secretOpenSSL_cleanse
SSH key agreement. Used with SSH Derived key, DH key pair, ECDH key pair112 or greaterA3592N/AKAS-ECC-SSC or KAS-FFC- SSCEphemeral in RAMPlaintext / PlaintextSSH shared secretOpenSSL_cleanse
SSH key agreement Used with SSH shared secret112 or greaterA3592KDF SSHN/AEphemeral in RAMN/A / PlaintextSSH Derived key/AES & HMACOpenSSL_cleanse
TLS key agreement Used with TLD master secret, TLS pre- master secret112 or greaterA3592KDF TLS 1.0/1.1, 1.2 RFC7627N/AEphemeral in RAMN/A / PlaintextTLS Derived key/AES & HMACOpenSSL_cleanse
TLS key agreement Used with TLS pre-master secret, TLS Derived key112-256A3592From TLS pre-master secretKAS-ECC-SSC or KAS-FFC- SSCEphemeral in RAMPlaintext / PlaintextTLS master secretOpenSSL_cleanse
TLS key agreement Used with TLS master secret, TLS Derived key112 - 256A3592N/AKAS-ECC-SSC or KAS-FFC- SSCEphemeral in RAMPlaintext / PlaintextTLS pre-master secretOpenSSL_cleanse

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] context created. Only after successful completion of this request, the generated CSP is output via the API output parameter. The zeroisation is performed by the module overwriting zeroes or predefined values to the memory location occupied by the SSP and further deallocating that area. The calling application, interacting with the module, is responsible for calling the appropriate destruction functions using the zeroisation APIs listed in the above table to zeroise the calling application’s copies of the SSP. The completion of a zeroisation routine will indicate that a zeroisation procedure succeeded.

9.4 SSPs

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A / N/A N/A N/A / N/A N/A N/A / N/A N/A N/A / N/A N/A N/A N/A N/A N/A Document Version 1.4 Arista Networks Inc. Public Material

Page 27

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] N/A N/A N/A N/A N/A N/A Table 20

10.1 Pre-Operational Self-Tests

The module performs pre-operational tests automatically when the module is powered on. The pre-operational self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The module transitions to the operational state only after the preoperational self-tests (and the cryptographic algorithm self-tests, which in this module are executed automatically after the pre-operational self-tests) are passed successfully. The types of pre-operational self-tests are described in the next sub-section. Pre-Operational Software Integrity Test The HMAC-SHA2-256 Conditional CAST is performed before checking the module integrity. Then the integrity of the software component of the module is verified according to Section 5, using HMAC-SHA2-256. If the comparison verification fails, the module transitions to the error state (Section 10.4). Pre-Operational Bypass and Critical Functions Tests The module does not implement pre-operational bypass or critical functions tests. We note that the entropy source is not within the cryptographic boundary of the module, instead passively receiving entropy from the external entropy source. Thus, its critical functions tests are not included in the module. Document Version 1.4 Arista Networks Inc. Public Material

Page 28
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC- SHA2-256HMAC- SHA2-256Compare Hash ResultsSW IntegritySingle encompassing message authentication code128-bit hardcoded keyStdout, log message
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-ECB128Power-up
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-GCM256Power-up
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-CCM192Power-up
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-XTS128, 256Power-up
CMACCMACKATCASTGenerate/ VerifyStdout, log messageCMAC-AES128, 192, 256Power-up
DRBGDRBGKATCASTSP 800-90A section 11.3 health testsStdout, log messageCounter DRBGChained instantiate, reseed, generatePower-up
DRBGDRBGKATCASTSP 800-90A section 11.3 health testsStdout, log messageHash DRBGChained instantiate, reseed, generatePower-up
DRBGDRBGKATCASTSP 800-90A section 11.3 health testsStdout, log messageHMAC DRBGChained instantiate, reseed, generatePower-up
ECDSAECDSAKATCASTSign/ VerifyStdout, logP-224, P- 384Power-up
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC- SHA2-256HMAC- SHA2-256Compare Hash ResultsSW IntegritySingle encompassing message authentication code128-bit hardcoded keyStdout, log message
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-ECB128Power-up
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-GCM256Power-up
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-CCM192Power-up
AESAESKATCASTEncrypt/ DecryptStdout, log messageAES-XTS128, 256Power-up
CMACCMACKATCASTGenerate/ VerifyStdout, log messageCMAC-AES128, 192, 256Power-up
DRBGDRBGKATCASTSP 800-90A section 11.3 health testsStdout, log messageCounter DRBGChained instantiate, reseed, generatePower-up
DRBGDRBGKATCASTSP 800-90A section 11.3 health testsStdout, log messageHash DRBGChained instantiate, reseed, generatePower-up
DRBGDRBGKATCASTSP 800-90A section 11.3 health testsStdout, log messageHMAC DRBGChained instantiate, reseed, generatePower-up
ECDSAECDSAKATCASTSign/ VerifyStdout, logP-224, P- 384Power-up
HMACHMACKATCASTGenerateStdout, log messageHMAC SHA2-224Power-up
HMACHMACKATCASTGenerateStdout, log messageHMAC SHA2-256Power-up
HMACHMACKATCASTGenerateStdout, log messageHMAC SHA2-512Power-up
IKE KDFIKE KDFKATCASTDeriveStdout, log messagePower-up
KAS-ECC- SSCKAS-ECC- SSCKATCASTShared secret “z” computationStdout, log messageP-224, P256Power-up
KAS-FFC- SSCKAS-FFC- SSCKATCASTShared secret “z” computationStdout, log message2048Power-up
KBKDFKBKDFKATCASTDeriveStdout, log messageCounter modePower-up
RSARSAKATCASTSign/ VerifyStdout, log message2048; PKCS 1.5 & PSS; SHA2-224, SHA2-256, SHA2-384, SHA2-512Power-up
RSARSAKATCASTEncrypt/ DecryptStdout, log messageKTS-IFC2048Power-up
SHSSHSKATCASTGenerateStdout, log messageSHA-1Power-up
SHSSHSKATCASTGenerateStdout, log messageSHA2-224Power-up
SHSSHSKATCASTGenerateStdout, log messageSHA2-256Power-up

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] HMACSHA2-256 Table G

10.2 Conditional Self-Tests

P-224, P384 Document Version 1.4 Arista Networks Inc. Public Material

Page 29

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] KAS-ECCSSC KAS-FFCSSC Document Version 1.4 Arista Networks Inc. Public Material

Page 30
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
SHSSHSKATCASTGenerateSHA2-384Stdout, log messagePower-up
SHSSHSKATCASTGenerateSHA2-512Stdout, log messagePower-up
SSH KDFSSH KDFKATCASTDeriveStdout, log messagePower-up
TLS KDFTLS KDFKATCASTDeriveStdout, log messagePower-up
ECDSAECDSAPCTCPCTSign/ VerifyN/AGenerate Key Pair
KAS-ECC- SSCKAS-ECC- SSCPCTCPCTSP 800- 56Arev3 assurance checksN/AGenerate Key Pair
KAS-FFC- SSCKAS-FFC- SSCPCTCPCTSP 800- 56Arev3 assurance checksN/AGenerate Key Pair
RSARSAPCTCPCTSign/ VerifyN/AGenerate Key Pair

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] N/A KAS-ECCSSC N/A SP 80056Arev3 KAS-FFCSSC N/A SP 80056Arev3 N/A Table H

Page 31
Service
NameRole AccessIndicator
Conditional ErrorConditional test failureError message is placed into the error queue and an error is returned from the API.The module generates a new key and tests the key via a PCT. If the test fails, an error is returned.
PreOp ErrorPre-operational test failureError message is output on stderr.The module is aborted – restart module

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] The module implements RSA and ECDSA key generation service and performs the respective pairwise consistency test using sign and verify functions when the keys are generated (Table H). In addition, SP 800-56a Rev3 conditional tests are run when ephemeral keypairs are created for key agreement.

10.3 Periodic Self-Tests

On demand self-tests can be invoked by powering-off and reloading the module. This service performs the same pre-operational test that includes integrity test and cryptographic algorithm tests executed during power-up. The integrity test can also be performed on demand by calling the FIPS_check_incore_fingerprint function. During the execution of the on-demand self-tests, cryptographic services are not available, and no data output or input is possible.

10.4 Error States

Table I - Error States If the module fails any of the self-tests, the module enters the error state. In the error state, the module outputs the error through the status output interface and the abort function is called that raises the SIGABRT signal, causing the program termination such that the module is no longer operational. In the error state, as the module is no longer operational the data output interface is inhibited. In order to recover from the Error state, the module needs to be rebooted. 11. Life-cycle Assurance

11.1 Startup Procedures

The cryptographic module is the fipscanister.o file, though Arista does not distribute this file on its own. Instead it is embedded into the shared library libcrypto.so which is part of OpenSSL, which in turn is distributed as part of the CloudEOS product, in the CloudEOS image accessible through the Arista software downloads website. The CloudEOS product includes the CloudEOS operating system, virtual machine, applications, OpenSSL, libcrypto.so, and fipscanister.o. While there is no need for the fipscanister.o library to be built by the user at any point in time, the file can be verified as the correct one by comparing the SHA256 hash sum. The SHA256 hash should be 8b92b97d92571963b66649d0bb3ca62fba77100a316757e9487ad2091eddcc18. In the Arista build process for building OpenSSL, this fipscanister.o file is linked into OpenSSL’s libcrypto.so shared library file and OpenSSL is configured to use it. Document Version 1.4 Arista Networks Inc. Public Material

Page 32
Acronyms
NameTermDefinitionAbbreviationFull Specification Name
[NIST][NIST]National Institute of Standards and Technology
[FIPS140‐3][FIPS140‐3]Security Requirements for Cryptographic Modules, March 22, 2019
[IG][IG]Implementation Guidance for FIPS PUB 140‐3 and the Cryptographic Module Validation Program
[ISO19790][ISO19790]Information technology – Security techniques – Security requirements for cryptographic modules, 2012(2014)
[38A][38A]NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation, December 2001
[38B][38B]NIST Special Publication 800‐38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005
[38C][38C]NIST Special Publication 800‐38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, May 2004
[38D][38D]NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007
[38E][38E]NIST Special Publication 800‐38E, Recommendation for Block Cipher Modes of Operation: The XTS‐AES Mode for Confidentiality on Storage Devices, January 2010
[38F][38F]NIST Special Publication 800‐38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012
[56Ar3][56Ar3]NIST Special Publication 800‐56A Revision 3, Recommendation for Pair‐Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018
[56Ar2][56Ar2]NIST Special Publication 800‐56A Revision 2, Recommendation for Pair‐Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, May 2013
[56Br2][56Br2]NIST Special Publication 800‐56B Revision 2, Recommendation for Pair‐Wise Key Establishment Schemes Using Integer Factorization Cryptography, March 2019
[67][67]NIST Special Publication 800‐67 Revision 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, November 2017
[90A][90A]NIST Special Publication 800‐90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2015.
[90B][90B]NIST Special Publication 800‐90B, Recommendation for the Entropy Sources Used for Random Bit Generation, January 2018
[90C][90C](Second Draft) NIST Special Publication 800‐90C, Recommendation for Random Bit Generator (RBG) Constructions, April 2016
[108][108]NIST Special Publication 800‐108, Recommendation for Key Derivation Using Pseudorandom Functions (Revised), October 2009
[131A][131A]NIST Special Publication 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019
[132][132]NIST Special Publication 800‐132, Recommendation for Password‐Based Key Derivation, Part 1: Storage Applications, December 2010
[133][133]NIST Special Publication 800‐133 Revision 2, Recommendation for Cryptographic Key Generation, June 2020
[135][135]NIST Special Publication 800‐135 Revision 1, Recommendation for Existing Application‐Specific Key Derivation Functions, December 2011
[180][180]Federal Information Processing Standards Publication 180-4, Secure Hash Standard (SHS), August 2015
[186][186]Federal Information Processing Standards Publication 186‐4, Digital Signature Standard (DSS), July1 2013
[186‐2][186‐2]Federal Information Processing Standards Publication 186-2, Digital Signature Standard (DSS), January 2000
[197][197]Federal Information Processing Standards Publication 197, Advanced Encryption Standard (AES), November 26, 2001
[198][198]Federal Information Processing Standards Publication 198‐1, The Keyed‐Hash Message Authentication Code (HMAC), July 2008
[202][202]Federal Information Processing Standards Publication 202, SHA‐3 Standard: Permutation‐Based Hash and Extendable‐Output Functions, August 2015
[RFC 4581][RFC 4581]IETF, The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP‐FAST), May 2007
AcronymAcronymDefinitionAcronymDefinition
COCOCryptographic Officer role
CloudEOSCloudEOSName of the Arista operating system
VAVAVendor Affirmed cryptographic algorithms are Approved algorithms for which no CAVP tests are available yet. The vendor performs their own testing as the basis for their affirmation.

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] When downloading the CloudEOS image, the SHA-256 hash of the image is also made available. When an authorized operator downloads the CloudEOS image, they can also download the hash file and compare the SHA-256 hash of the CloudEOS image to the one listed in the file to make sure that the downloaded image is correct. Then they can install the CloudEOS image onto the virtual machine. Upon completion of installation, the user can confirm that the correct module has been installed by running the “show version” service should display the module base name and version number, “Crypto Module: Arista Crypto Module v3.0“. Correct operation of the module can be verified by running the on-demand self-test service as specified in Section 5 by calling “openssl --fips” from bash.

11.2 Administrator Guidance
11.3 Non-Administrator Guidance
11.4 Maintenance Requirements – N/A
11.5 End of Life

To cease using the module, power off the module. The module does not possess persistent storage of SSPs. The SSP value only exists in volatile memory and that value vanishes when the module is powered off. So as a first step for the secure sanitization, the module needs to be powered off. Then for actual deprecation, the module will be upgraded to a newer version that is approved. This upgrade process will uninstall/remove the old/terminated and provide a new replacement.

12.0 Mitigation of other attacks – N/A
13.0 References and Definitions

The following standards are referred to in this Security Policy. Document Version 1.4 Arista Networks Inc. Public Material

Page 33

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Document Version 1.4 Arista Networks Inc. Public Material

Page 34

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table J - References Document Version 1.4 Arista Networks Inc. Public Material

Page 35

Arista Networks Inc. ‐ Arista Crypto Module v3.0 [Software, Software IPsec] Table K - Acronyms and Definitions Document Version 1.4 Arista Networks Inc. Public Material