All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]

Certificate#4817StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorApple Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/30/2026
CaveatInterim validation. When operated in approved mode
VendorApple Inc.

Approved Algorithms (164)

AlgorithmACVP Cert
AES-CBCA2783
AES-CBCA2784
AES-CBCA2785
AES-CBCA2786
AES-CBCA2802
AES-CBCA2803
AES-CBCA2804
AES-CBCA2805
AES-CCMA2784
AES-CCMA2786
AES-CCMA2787
AES-CCMA2803
AES-CCMA2805
AES-CCMA2806
AES-CFB128A2783
AES-CFB128A2784
AES-CFB128A2786
AES-CFB128A2802
AES-CFB128A2803
AES-CFB128A2805
AES-CFB8A2784
AES-CFB8A2786
AES-CFB8A2803
AES-CFB8A2805
AES-CMACA2786
AES-CMACA2805
AES-CTRA2784
AES-CTRA2786
AES-CTRA2787
AES-CTRA2803
AES-CTRA2805
AES-CTRA2806
AES-ECBA2783
AES-ECBA2784
AES-ECBA2786
AES-ECBA2787
AES-ECBA2802
AES-ECBA2803
AES-ECBA2805
AES-ECBA2806
AES-GCMA2784
AES-GCMA2786
AES-GCMA2787
AES-GCMA2803
AES-GCMA2805
AES-GCMA2806
AES-KWA2784
AES-KWA2786
AES-KWA2803
AES-KWA2805
AES-OFBA2783
AES-OFBA2784
AES-OFBA2786
AES-OFBA2802
AES-OFBA2803
AES-OFBA2805
AES-XTS Testing Revision 2.0A2783
AES-XTS Testing Revision 2.0A2784
AES-XTS Testing Revision 2.0A2786
AES-XTS Testing Revision 2.0A2802
AES-XTS Testing Revision 2.0A2803
AES-XTS Testing Revision 2.0A2805
Counter DRBGA2784
Counter DRBGA2786
Counter DRBGA2787
Counter DRBGA2803
Counter DRBGA2805
Counter DRBGA2806
ECDSA KeyGen (FIPS186-4)A2786
ECDSA KeyGen (FIPS186-4)A2788
ECDSA KeyGen (FIPS186-4)A2805
ECDSA KeyGen (FIPS186-4)A2807
ECDSA KeyVer (FIPS186-4)A2786
ECDSA KeyVer (FIPS186-4)A2788
ECDSA KeyVer (FIPS186-4)A2805
ECDSA KeyVer (FIPS186-4)A2807
ECDSA SigGen (FIPS186-4)A2786
ECDSA SigGen (FIPS186-4)A2788
ECDSA SigGen (FIPS186-4)A2805
ECDSA SigGen (FIPS186-4)A2807
ECDSA SigVer (FIPS186-4)A2786
ECDSA SigVer (FIPS186-4)A2788
ECDSA SigVer (FIPS186-4)A2805
ECDSA SigVer (FIPS186-4)A2807
HMAC-SHA-1A2786
HMAC-SHA-1A2788
HMAC-SHA-1A2805
HMAC-SHA-1A2807
HMAC-SHA2-224A2786
HMAC-SHA2-224A2788
HMAC-SHA2-224A2805
HMAC-SHA2-224A2807
HMAC-SHA2-256A2786
HMAC-SHA2-256A2788
HMAC-SHA2-256A2789
HMAC-SHA2-256A2805
HMAC-SHA2-256A2807
HMAC-SHA2-256A2808
HMAC-SHA2-384A2786
HMAC-SHA2-384A2788
HMAC-SHA2-384A2805
HMAC-SHA2-384A2807
HMAC-SHA2-512A2786
HMAC-SHA2-512A2788
HMAC-SHA2-512A2805
HMAC-SHA2-512A2807
HMAC-SHA2-512/256A2786
HMAC-SHA2-512/256A2788
HMAC-SHA2-512/256A2805
HMAC-SHA2-512/256A2807
KAS-ECC-SSC Sp800-56Ar3A2786
KAS-ECC-SSC Sp800-56Ar3A2805
KAS-FFC-SSC Sp800-56Ar3A2786
KAS-FFC-SSC Sp800-56Ar3A2805
KDF SP800-108A2786
KDF SP800-108A2786
KDF SP800-108A2788
KDF SP800-108A2805
KDF SP800-108A2805
KDF SP800-108A2807
PBKDFA2786
PBKDFA2788
PBKDFA2805
PBKDFA2807
RSA KeyGen (FIPS186-4)A2786
RSA KeyGen (FIPS186-4)A2788
RSA KeyGen (FIPS186-4)A2805
RSA KeyGen (FIPS186-4)A2807
RSA SigGen (FIPS186-4)A2786
RSA SigGen (FIPS186-4)A2788
RSA SigGen (FIPS186-4)A2805
RSA SigGen (FIPS186-4)A2807
RSA SigVer (FIPS186-4)A2786
RSA SigVer (FIPS186-4)A2788
RSA SigVer (FIPS186-4)A2805
RSA SigVer (FIPS186-4)A2807
Safe Primes Key GenerationA2786
Safe Primes Key GenerationA2805
SHA-1A2786
SHA-1A2788
SHA-1A2805
SHA-1A2807
SHA2-224A2786
SHA2-224A2788
SHA2-224A2805
SHA2-224A2807
SHA2-256A2786
SHA2-256A2788
SHA2-256A2789
SHA2-256A2805
SHA2-256A2807
SHA2-256A2808
SHA2-384A2786
SHA2-384A2788
SHA2-384A2805
SHA2-384A2807
SHA2-512A2786
SHA2-512A2788
SHA2-512A2805
SHA2-512A2807
SHA2-512/256A2786
SHA2-512/256A2788
SHA2-512/256A2805
SHA2-512/256A2807

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Sensitive Security Parameter Management1
Self-Tests1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Apple Inc. Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] September 2024 Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectualproperty/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.

2 of 40
Page 3

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table of Contents 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 4.1 4.2 4.3 9.1 9.2 9.3 9.4 9.5 9.6 5.1 5.2 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed... 14 10.1 10.2 10.2.1 10.2.2 10.3 11.1 11.2 11.3 11.4 11.5 This document may be reproduced and distributed only in its original entirely without revision.

3 of 40
Page 4

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] List of Tables This document may be reproduced and distributed only in its original entirely without revision.

4 of 40
Page 5
Security level
NameISO SectionRequirementLevelISO/IEC 24759 Section 6.
11General11
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityNot Applicable
88Non-invasive SecurityNot Applicable
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other AttacksNot Applicable

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. The column names of the tables follow the template tables provided in NIST SP 800-140B. Table 1 describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. [Number Below] Table 1 - Security Levels This document may be reproduced and distributed only in its original entirely without revision.

5 of 40
Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1iPadOS 15iPad (5th generation)Apple A Series A9With and without PAA1
2iPadOS 15iPad Pro 9.7-inchApple A Series A9XWith and without PAA2
3iPadOS 15iPad (7th generation)Apple A Series A10 FusionWith and without PAA3
4iPadOS 15iPad Pro 10.5-inchApple A Series A10X FusionWith and without PAA4
5iPadOS 15iPad mini (5th generation)Apple A Series A12 BionicWith and without PAA5
6iPadOS 15iPad Pro 11-inch (1st generation)Apple A Series A12X BionicWith and without PAA6
7iPadOS 15iPad Pro 11-inch (2nd generation)Apple A Series A12Z BionicWith and without PAA7
8iPadOS 15iPad (9th generation)Apple A Series A13 BionicWith and without PAA8
9iPadOS 15iPad Air (4th generation)Apple A Series A14 BionicWith and without PAA9
10iPadOS 15iPad mini (6th generation)Apple A Series A15 BionicWith and without PAA10
11iPadOS 15iPad Pro 11-inch (3rd generation)Apple M Series M1With and without PAA11
12iOS 15iPhone 6SApple A Series A9With and without PAA12
13iOS 15iPhone 7 PlusApple A Series A10 FusionWith and without PAA13
14iOS 15iPhone XApple A Series A11 BionicWith and without PAA14
15iOS 15iPhone XS MaxApple A Series A12 BionicWith and without PAA15
16iOS 15iPhone 11 ProApple A Series A13 BionicWith and without PAA16
17iOS 15iPhone 12Apple A Series A14 BionicWith and without PAA17
18iOS 15iPhone 13 Pro MaxApple A Series A15 BionicWith and without PAA18
19watchOS 8Apple Watch Series S3Apple S Series S3With and without PAA19
20watchOS 8Apple Watch Series S4Apple S Series S4With and without PAA20
21watchOS 8Apple Watch Series S5Apple S Series S5With and without PAA21
22watchOS 8Apple Watch Series S6Apple S Series S6With and without PAA22
23watch OS 8Apple Watch Series S7Apple S Series S7With and without PAA23
24tvOS 15Apple TV 4KApple A Series A10X FusionWith and without PAA24
25tvOS 15Apple TV 4K (2nd generation)Apple A Series A12 BionicWith and without PAA25
26T2OS 12Apple Security Chip T2Apple T Series T2With and without PAA26
27macOS 12 MontereyMacBook Pro (13-inch, M1, 2020)Apple M Series M1With and without PAA27
28macOS 12 MontereyMacBook Pro 14-inchApple M Series M1 ProWith and without PAA28
29macOS 12 MontereyMacBook Pro 16-inchApple M Series M1 MaxWith and without PAA29
1iPadOS 15iPad Pro 12.9-inch1
2iPadOS 15iPad (6th generation)2
3iPadOS 15iPad Pro 12.9-inch (2nd generation)3
4iPadOS 15iPad Air (3rd generation)4
5iPadOS 15iPad (8th generation)5
6iPadOS 15iPad Pro 12.9-inch (3rd generation)6
7iPadOS 15iPad Pro 12.9-inch (4th generation)7
8iPadOS 15iPad Pro 12.9-inch (5th generation)8
9iOS 15iPhone SE9
10iOS 15iPhone 6S Plus10
11iOS 15iPhone 711
12iOS 15iPhone 812
13iOS 15iPhone 8 Plus13
14iOS 15iPhone XS14
15iOS 15iPhone XR15
16iOS 15iPhone 1116
17iOS 15iPhone 11 Pro Max17
18iOS 15iPhone SE (2nd generation)18
19iOS 15iPhone 12 mini19

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Cryptographic Module Specification The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] cryptographic module (hereafter referred to as “the module”) is a Software module running on a multi-chip standalone general-purpose computing platform. The version of module is 12.0. The module provides implementations of low-level cryptographic primitives to the Device OS’s (iOS 15, iPadOS 15, watchOS 8, tvOS 15, T2OS 12 and macOS 12 Monterey) Security Framework and Common Crypto. 2.1 Tested Operational Environments # This document may be reproduced and distributed only in its original entirely without revision.

6 of 40
Page 7
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
21watchOS 8Apple Watch Series S5Apple S Series S5With and without PAA21
22watchOS 8Apple Watch Series S6Apple S Series S6With and without PAA22
23watch OS 8Apple Watch Series S7Apple S Series S7With and without PAA23
24tvOS 15Apple TV 4KApple A Series A10X FusionWith and without PAA24
25tvOS 15Apple TV 4K (2nd generation)Apple A Series A12 BionicWith and without PAA25
26T2OS 12Apple Security Chip T2Apple T Series T2With and without PAA26
27macOS 12 MontereyMacBook Pro (13-inch, M1, 2020)Apple M Series M1With and without PAA27
28macOS 12 MontereyMacBook Pro 14-inchApple M Series M1 ProWith and without PAA28
29macOS 12 MontereyMacBook Pro 16-inchApple M Series M1 MaxWith and without PAA29
1iPadOS 15iPad Pro 12.9-inch1
2iPadOS 15iPad (6th generation)2
3iPadOS 15iPad Pro 12.9-inch (2nd generation)3
4iPadOS 15iPad Air (3rd generation)4
5iPadOS 15iPad (8th generation)5
6iPadOS 15iPad Pro 12.9-inch (3rd generation)6
7iPadOS 15iPad Pro 12.9-inch (4th generation)7
8iPadOS 15iPad Pro 12.9-inch (5th generation)8
9iOS 15iPhone SE9
10iOS 15iPhone 6S Plus10
11iOS 15iPhone 711
12iOS 15iPhone 812
13iOS 15iPhone 8 Plus13
14iOS 15iPhone XS14
15iOS 15iPhone XR15
16iOS 15iPhone 1116
17iOS 15iPhone 11 Pro Max17
18iOS 15iPhone SE (2nd generation)18
19iOS 15iPhone 12 mini19
20iOS 15iPhone 12 Pro20
21iOS 15iPhone 12 Pro Max21
22iOS 15iPhone 13 mini22
23iOS 15iPhone 1323
24iOS 15iPhone 13 Pro24
25watchOS 8Apple Watch SE25
26macOS 12 MontereyMacBook Air26
27macOS 12 MontereyMac mini27
28macOS 12 MontereyiMac (24-inch)28

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] # Table 2 - Tested Operational Environments 2.2 Vendor-affirmed Operational Environments # This document may be reproduced and distributed only in its original entirely without revision.

7 of 40
Page 8
Service
NameDescriptionIndicatorType
Non- Approved modeNon-Approved mode of operation is entered when the module utilizes non- approved security functions in Table 8.return a '0' from fips_allowed_mode() for block cipher functions and fips_allowed() for all other services to indicate the executed cryptographic algorithm was non-approvedNon-Approved
Approved algorithm
NameUse Function
CKG [SP800-133rev2] (asymmetric)vendor affirmedCryptographic key Generation for asymmetric (RSA/EC and DH) key pair; FIPS 140-3 IG D.H and SP800-133rev2 section 4 example 1

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. 2.3 the service utilized. by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 14 - Non-Approved Services. If the device starts up successfully, then the module has NonApproved 2.4 This document may be reproduced and distributed only in its original entirely without revision.

8 of 40
Page 9
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197; SPA2783, A2802CBCKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](asm_arm)and Decryption
AES [FIPS 197; SPA2786, A2805CBCKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_ltc)and Decryption
AES [FIPS 197; SPA2785, A2804CBCKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_glad)and Decryption
AES [FIPS 197; SPA2784, A2803CBCKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_asm)and Decryption
AES [FIPS 197; SPA2787, A2806CCMKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38C](vng_asm)and Decryption
AES [FIPS 197; SPA2786, A2805CCMKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38C](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803CCMKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38C](c_asm)and Decryption
AES [FIPS 197; SPA2783, A2802CFB128Key Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](asm_arm)and Decryption
AES [FIPS 197; SPA2786, A2805CFB128Key Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803CFB128Key Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_asm)and Decryption
AES [FIPS 197; SPA2786, A2805CFB8Key Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803CFB8Key Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_asm)and Decryption
AES [FIPS 197; SPA2786, A2805CMACKey Size / Key Strength: 128, 192, 256 bitsMessage
800-38B](c_ltc)authentication (MAC)
AES [FIPS 197; SPA2787, A2806CTRKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](vng_asm)and Decryption
AES [FIPS 197; SPA2786, A2805CTRKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803CTRKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_asm)and Decryption
AES [FIPS 197; SPA2783, A2802ECBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](asm_arm)and Decryption
AES [FIPS 197; SPA2787, A2806ECBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](vng_asm)and Decryption
AES [FIPS 197; SPA2786, A2805ECBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803ECBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_asm)and Decryption
AES [FIPS 197; SPA2787, A2806GCMKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38D](vng_asm)and Decryption
AES [FIPS 197; SPA2786, A2805GCMKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38D](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803GCMKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38D](c_asm)and Decryption
AES [FIPS 197; SPA2783, A2802OFBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](asm_arm)and Decryption
AES [FIPS 197; SPA2786, A2805OFBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803OFBKey Size / Key Strength: 128, 192, 256 bitsSymmetric Encryption
800-38A](c_asm)and Decryption
AES [FIPS 197; SPA2783, A2802XTSKey Size / Key Strength: 128, 256 bitsSymmetric Encryption
800-38E](asm_arm)and Decryption
AES [FIPS 197; SPA2786, A2805XTSKey Size / Key Strength: 128, 256 bitsSymmetric Encryption
800-38E](c_ltc)and Decryption
AES [FIPS 197; SPA2784, A2803XTSKey Size / Key Strength: 128, 256 bitsSymmetric Encryption
800-38E](c_asm)and Decryption
DRBG [SP800-A2787, A2806CTR_DRBG: AES-128,Key Size / Key Strength: 128, 256 bitsRandom Number
90Arev1](vng_asm)AES-256Derivation Function Enabled, No PredictionGeneration
DRBG [SP800-A2786, A2805CTR_DRBG: AES-128,Key Size / Key Strength: 128, 256 bitsRandom Number
90Arev1](c_ltc)AES-256Derivation Function Enabled, No PredictionGeneration
DRBG [SP800-A2784, A2803CTR_DRBG: AES-128,Key Size / Key Strength: 128, 256 bitsRandom Number
90Arev1](c_asm)AES-256Derivation Function Enabled, No PredictionGeneration
ECDSAA2788, A2807Key Pair GenerationCurve: P-224, P-256, P-384, P-521Asymmetric Key
ANSI X9.62(vng_ltc)(CKG using method inKey Strength: from 112 - 256 bitsGeneration
[FIPS 186-4]Section 4 [SP 800-
ECDSAA2786, A2805Key Pair GenerationCurve: P-224, P-256, P-384, P-521Asymmetric Key
ANSI X9.62(c_ltc)(CKG using method inKey Strength: from 112 - 256 bitsGeneration
[FIPS 186-4]Section 4 [SP 800-
ECDSAA2788, A2807N/ACurve: P-224, P-256, P-384, P-521Key Validation
ANSI X9.62(vng_ltc)Key Strength: from 112 - 256 bits
ECDSAA2786, A2805N/ACurve: P-224, P-256, P-384, P-521Key Validation
ANSI X9.62(c_ltc)Key Strength: from 112 - 256 bits
ECDSAA2788, A2807SHA2-224, SHA2-256,Curve: P-224, P-256, P-384, P-521Digital Signature
ANSI X9.62(vng_ltc)SHA2-384, SHA2-512Key Strength: from 112 - 256 bitsGeneration
ECDSAA2786, A2805SHA2-224, SHA2-256,Curve: P-224, P-256, P-384, P-521Digital Signature
ANSI X9.62(c_ltc)SHA2-384, SHA2-512Key Strength: from 112 - 256 bitsGeneration
ECDSAA2788, A2807SHA-1 (legacy), SHA2-Curve: P-224, P-256, P-384, P-521Digital Signature
ANSI X9.62(vng_ltc)224, SHA2-256, SHA2-Key Strength: from 112 - 256 bitsVerification
[FIPS 186-4]384, SHA2-512
ECDSAA2786, A2805SHA-1(legacy), SHA2-: P-224, P-256, P-384, P-521Digital Signature
ANSI X9.62(c_ltc)224, SHA2-256, SHA2-Key Strength: from 112 - 256 bitsVerification
[FIPS 186-4]384, SHA2-512
HMAC [FIPS 198]A2788, A2807SHA-1Key Size: 128 - 262144 bitsMessage
(vng_ltc)(vng_ltc)Key Strength: 128 bitsauthentication (MAC)
HMAC [FIPS 198]A2786, A2805SHA-1Key Size: 128 - 262144 bitsMessage
(c_ltc)(c_ltc)Key Strength: 128 bitsauthentication (MAC)
HMAC [FIPS 198]A2788, A2807SHA-224Key Size: 224 - 262144 bitsMessage
(vng_ltc)(vng_ltc)Key Strength: 224 bitsauthentication (MAC)
HMAC [FIPS 198]A2786, A2805SHA-224Key Size: 224 - 262144 bitsMessage
(c_ltc)(c_ltc)Key Strength: 224 bitsauthentication (MAC)
HMAC [FIPS 198]A2788, A2807SHA-256Key Size: 224 - 262144 bitsMessage
(vng_ltc)(vng_ltc)Key Strength: 256 bitsauthentication (MAC)
HMAC [FIPS 198]A2786, A2805SHA-256Key Size: 256 - 262144 bitsMessage
(c_ltc)(c_ltc)Key Strength: 256 bitsauthentication (MAC)
HMAC [FIPS 198]A2789, A2808SHA-256 (for all CPUs inKey Size: 256 - 262144 bitsMessage
(vng_neon)(vng_neon)Table 2 except S3)Key Strength: 256 bitsauthentication (MAC)
HMAC [FIPS 198]A2788, A2807SHA-384Key Size: 384 - 262144 bitsMessage
(vng_ltc)(vng_ltc)Key Strength: 384 bitsauthentication (MAC)
HMAC [FIPS 198]A2786, A2805SHA-384Key Size: 384 - 262144 bitsMessage
(c_ltc)(c_ltc)Key Strength: 384 bitsauthentication (MAC)
HMAC [FIPS 198]A2788, A2807SHA-512Key Size: 512 - 262144 bitsMessage
(vng_ltc)(vng_ltc)Key Strength: 512 bitsauthentication (MAC)
HMAC [FIPS 198]A2786, A2805SHA-512Key Size: 512 - 262144 bitsMessage
(c_ltc)(c_ltc)Key Strength: 512 bitsauthentication (MAC)
HMAC [FIPS 198]A2788, A2807SHA-512/256Key Size: 512 - 262144 bitsMessage
(vng_ltc)(vng_ltc)Key Strength: 256 bitsauthentication (MAC)
HMAC [FIPS 198]A2786, A2805SHA-512/256Key Size: 512 - 262144 bitsMessage
(c_ltc)(c_ltc)Key Strength: 256 bitsauthentication (MAC)
KAS-ECC-SSCA2786, A2805Scheme: ephemeralCurve: P-224, P-256, P-384, P-521Shared Secret
[SP800-56Arev 3](c_ltc)UnifiedKey Strength: from 112 - 256 bitsComputation
KAS-FFC-SSCA2786, A2805Scheme: dh Ephem withKey Size: MODP-2048, MODP-3072, MODP-4096,Shared Secret
[SP800-56Arev3](c_ltc)safe prime groupsMODP-6144, MODP-8192.Computation
KAS Role: initiator,KAS Role: initiator,Key Strength: from 112 - 200 bits
KBKDFA2788, A2807KDF Mode: Counter andKey Size / Key Strength: 128 -256 bitsKey Derivation
[SP800-108rev1](vng_ltc)FeedbackSupported [output] Lengths: 8-4096 Increment 8
A2786, A2805A2786, A2805MAC Mode: HMAC-SHA-Fixed Data Order: Before Fixed Data
(c_ltc)(c_ltc)1, HMAC-SHA2-224,Counter Length: 32
KBKDFA2786, A2805KDF Mode: CounterKey Size / Key Strength: 128 - 256 bitsKey Derivation
[SP800-108rev1](c_ltc)MAC Mode: CMAC-Supported [output] Lengths: 8-4096 Increment 8
AES128, CMAC-AES192,AES128, CMAC-AES192,Fixed Data Order: Before Fixed Data
CMAC-AES256CMAC-AES256Counter Length: 8, 16, 24, 32
KTS (AES) [FIPSA2786, A2805AES-KWKey Size / Key Strength: 128, 192, 256 bitsKey Wrapping
197; SP 800-38 F](c_ltc)
KTS (AES) [FIPSA2784, A2803AES-KWKey Size / Key Strength: 128, 192, 256 bitsKey Wrapping
197; SP 800-38 F](c_asm)
PBKDF [SP800-A2788, A2807HMAC with: SHA-1,Key Size / Key Strength: 128 - 256 bitsKey Derivation
132](vng_ltc)SHA-224, SHA-256, SHA-Password length: 8- 128 bytes Increment 1
384, SHA-512384, SHA-512Salt Length: 128-4096 Increment 8
PBKDF [SP800-A2786, A2805HMAC with: SHA-1,Key Size / Key Strength: 128 - 256 bitsKey Derivation
132](c_ltc)SHA-224, SHA-256, SHA-Password length: 8- 128 bytes
384, SHA-512384, SHA-512Increment 1
RSA [FIPS 186-4]A2788, A2807ANSI X9.31; CKG usingKey Size: 2048, 3072, 4096 bitsAsymmetric Key
(vng_ltc)(vng_ltc)method in Section 4Key Strength: from 112 - 150 bitsGeneration
RSA [FIPS 186-4]A2786, A2805ANSI X9.31; CKG usingKey Size: 2048, 3072, 4096 bitsAsymmetric Key
(c_ltc)(c_ltc)method in Section 4Key Strength: from 112 - 150 bitsGeneration
RSA [FIPS 186-4]A2788, A2807PKCS#1 v1.5: and PKCSKey Size: 2048, 3072, 4096 bitsDigital Signature
(vng_ltc)(vng_ltc)PSSKey Strength: from 112 - 150 bitsGeneration
RSA [FIPS 186-4]A2786, A2805PKCS#1 v1.5 and PKCSKey Size: 2048, 3072, 4096 bitsDigital Signature
(c_ltc)(c_ltc)PSSKey Strength: from 112 - 150 bitsGeneration
RSA [FIPS 186-4]A2788, A2807PKCS#1 v1.5 and PKCSKey Size: 1024 (legacy), 2048, 3072, 4096 bitsDigital Signature
(vng_ltc)(vng_ltc)PSSKey Strength: from 80 - 150 bitsVerification
RSA [FIPS 186-4]A2786, A2805PKCS#1 v1.5 and PKCSKey Size: 1024 (legacy), 2048, 3072, 4096 bitsDigital Signature
(c_ltc)(c_ltc)PSSKey Strength: from 80 - 150 bitsVerification
Safe Primes KeyA2786, A2805CKG using method inSafe Prime Groups: MODP-2048, MODP-3072,Key Generation
800-133Rev2)800-133Rev2)Key Strength: from 112 - 200 bits
SHS [FIPS 180-4]A2788, A2807SHA-1N/AMessage Digest
SHS [FIPS 180-4]A2786, A2805SHA-1N/AMessage Digest
SHS [FIPS 180-4]A2788, A2807SHA-224N/AMessage Digest
SHS [FIPS 180-4]A2786, A2805SHA-224N/AMessage Digest
SHS [FIPS 180-4]A2788, A2807SHA-256N/AMessage Digest
SHS [FIPS 180-4]A2786, A2805SHA-256N/AMessage Digest
SHS [FIPS 180-4]A2789, A2808SHA-256 (for all CPUs inN/AMessage Digest
(vng_neon)(vng_neon)Table 2 except S3)
SHS [FIPS 180-4]A2788, A2807SHA-384N/AMessage Digest
SHS [FIPS 180-4]A2786, A2805SHA-384N/AMessage Digest
SHS [FIPS 180-4]A2788, A2807SHA-512N/AMessage Digest
SHS [FIPS 180-4]A2786, A2805SHA-512N/AMessage Digest
SHS [FIPS 180-4]A2788, A2807SHA-512/256N/AMessage Digest
SHS [FIPS 180-4]A2786, A2805SHA-512/256N/AMessage Digest

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] 2.5 Approved Algorithms The table below lists all Approved security functions of the module, including specific key size(s) -in bits otherwise noted- employed for approved services. Not all algorithms tested with CAVP are used by the module. This document may be reproduced and distributed only in its original entirely without revision.

9 of 40
Page 10

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] DRBG [SP80090Arev1] DRBG [SP80090Arev1] DRBG [SP80090Arev1] This document may be reproduced and distributed only in its original entirely without revision.

10 of 40
Page 11

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

11 of 40
Page 12

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] PBKDF [SP800132] PBKDF [SP800132] This document may be reproduced and distributed only in its original entirely without revision.

12 of 40
Page 13

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Table 6 - Approved Algorithms 2.6 Non-Approved Algorithms Allowed in the Approved Mode of Operation There are no non-Approved but “Allowed functions” with security claimed algorithms in approved mode. This document may be reproduced and distributed only in its original entirely without revision.

13 of 40
Page 14
Approved algorithm
NameUse FunctionUse/Function
MD5Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bitMessage Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only)
RSA Key Pair GenerationANSI X9.31 Key Pair Generation Key Size < 2048
RSA Signature GenerationPKCS#1 v1.5 and PSS Signature Generation Key Size < 2048
RSA Signature VerificationPKCS#1 v1.5 and PSS Signature Verification Key Size < 1024
RSA Key WrappingOAEP, PKCS#1 v1.5 and PSS schemes
Diffie-HellmanShared Secret Computation using key size < 2048
EC Diffie-HellmanShared Secret Computation using curves < P-224
EdDSAKey Generation with Ed25519 Signature Generation with Ed25519 Signature Verification with Ed25519 Key Agreement with X25519
ANSI X9.63 KDFHash based Key Derivation Function
RFC6637Key Derivation Function
HKDF [SP800-56Crev2]Key Derivation Function
DESEncryption / Decryption Key Size 56-bits
CAST5Encryption / Decryption Key Sizes 40 to 128-bits in 8-bit increments
AES-GCM using external IVAuthenticated Encryption / Decryption
RC4Encryption / Decryption Key Sizes 8 to 4096-bits
RC2Encryption / Decryption Key Sizes 8 to 1024-bits
MD2Message Digest Digest size 128-bit
MD4Message Digest Digest size 128-bit
RIPEMDMessage Digest Digest size 160-bits
ECDSAPKG: Curve P-192 with security strength of 96 bits PKV: Curve P-192 Signature Generation: Curve P-192 Signature Verification: Curve P-192
ECDSAKey Pair Generation for compact point representation of points
Approved algorithm
NameUse FunctionUse/Function
MD5Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bitMessage Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only)
RSA Key Pair GenerationANSI X9.31 Key Pair Generation Key Size < 2048
RSA Signature GenerationPKCS#1 v1.5 and PSS Signature Generation Key Size < 2048
RSA Signature VerificationPKCS#1 v1.5 and PSS Signature Verification Key Size < 1024
RSA Key WrappingOAEP, PKCS#1 v1.5 and PSS schemes
Diffie-HellmanShared Secret Computation using key size < 2048
EC Diffie-HellmanShared Secret Computation using curves < P-224
EdDSAKey Generation with Ed25519 Signature Generation with Ed25519 Signature Verification with Ed25519 Key Agreement with X25519
ANSI X9.63 KDFHash based Key Derivation Function
RFC6637Key Derivation Function
HKDF [SP800-56Crev2]Key Derivation Function
DESEncryption / Decryption Key Size 56-bits
CAST5Encryption / Decryption Key Sizes 40 to 128-bits in 8-bit increments
AES-GCM using external IVAuthenticated Encryption / Decryption
RC4Encryption / Decryption Key Sizes 8 to 4096-bits
RC2Encryption / Decryption Key Sizes 8 to 1024-bits
MD2Message Digest Digest size 128-bit
MD4Message Digest Digest size 128-bit
RIPEMDMessage Digest Digest size 160-bits
ECDSAPKG: Curve P-192 with security strength of 96 bits PKV: Curve P-192 Signature Generation: Curve P-192 Signature Verification: Curve P-192
ECDSAKey Pair Generation for compact point representation of points
Integrated Encryption Scheme on elliptic curves (ECIES)Hybrid Encryption scheme
BlowfishEncryption / Decryption
OMAC (One-Key CBC MAC)MAC generation / verification
Triple-DES [SP 800-67]Encryption/Decryption with modes CBC, CTR, CFB64, ECB, CFB8, OFB

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] 2.7 2.8 This document may be reproduced and distributed only in its original entirely without revision.

Page 15
Module configuration
NameSoftware VersionPackageIntegrity Test
corecrypto-1217.40.1112.0corecrypto-1217.40.11HMAC-SHA-256

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table 8 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation 2.9 Module components Table 9 - Executable Code Sets The module cryptographic boundary is delineated by the dotted green rectangle in the Figure

  1. The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] executes within the user space of the computing platforms and operating systems listed in Table
  2. The tested operational environment’s physical perimeter (TOEPP) is represented by the most exterior black line in the block diagram Figure
  3. Figure 1 - Block diagram This document may be reproduced and distributed only in its original entirely without revision.
15 of 40
Page 16
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runsAs a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runsData InputData inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers
Data OutputData OutputData outputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers
Control InputControl InputControl inputs which control the mode of the module are provided through dedicated parameters.
Status OutputStatus OutputStatus output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation.

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Cryptographic Module Interfaces detail these interfaces are described in (Table 10): Table 10 - Ports and Interfaces The module is optimized for library use within the Device OS user space and does not contain any terminating assertions or exceptions. It is implemented as a Device OS dynamically loadable library. After the dynamically loadable library is loaded, its cryptographic functions are made available to the Device OS application. Any internal error detected by the module is returned to the caller with an appropriate return code. The calling Device OS application must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus Caller-induced or internal errors do not reveal any sensitive material to callers. This document may be reproduced and distributed only in its original entirely without revision.

16 of 40
Page 17
Service
NameDescriptionRolesRole AccessCsps AccessedApproved FunctionsIndicatorTypePropertiesInputOutput
Crypto OfficerCORoleImplicit
KAS-ECCKAS-ECC-SSC SP800-Curves P-224, P-256, P-384, P-521Curves P-224, P-256, P-384, P-521 providing from 112 to 256 bits of encryption strengthKAS-ECCKASEC Diffie-Hellman Shared Secret computation SP 800- 56ARev3. KAS-ECC per IG D.F Scenario 2 path (1)KAS-ECC-SSC SP800- 56ARev3 / A2786, A2805
providing from 112 to 256 bits o56ARev3 / A2786, A280providing from 112 to 256 bits o
KAS-FFCSafe Prime Groups MODP-2048, MODP-KAS-FFCKASDiffie-Hellman Shared Secret Computation KAS-FFC per IG D.F Scenario 2 path (1).KAS-FFC-SSC SP800- 56ARev3/ A2786, A2805
KTS128, 192, and 256-bit AES keys providingKTSKTSSP 800-38F, IG D.G. AES key wrapping and unwrappingAES-KW/ A2786, A2805 AES-KW/ A2784, A2803
Symmetric EncryptionExecute AES-mode encrypt operationCOW,EAES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM1AES key, plaintext dataciphertext data
Symmetric DecryptionExecute AES-mode decrypt operationCOW,EAES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM1AES key, ciphertext dataplaintext data
Service
NameDescriptionRolesRole AccessCsps AccessedApproved FunctionsIndicatorTypePropertiesInputOutput
Crypto OfficerCORoleImplicit
KAS-ECCKAS-ECC-SSC SP800-Curves P-224, P-256, P-384, P-521Curves P-224, P-256, P-384, P-521 providing from 112 to 256 bits of encryption strengthKAS-ECCKASEC Diffie-Hellman Shared Secret computation SP 800- 56ARev3. KAS-ECC per IG D.F Scenario 2 path (1)KAS-ECC-SSC SP800- 56ARev3 / A2786, A2805
providing from 112 to 256 bits o56ARev3 / A2786, A280providing from 112 to 256 bits o
KAS-FFCSafe Prime Groups MODP-2048, MODP-KAS-FFCKASDiffie-Hellman Shared Secret Computation KAS-FFC per IG D.F Scenario 2 path (1).KAS-FFC-SSC SP800- 56ARev3/ A2786, A2805
KTS128, 192, and 256-bit AES keys providingKTSKTSSP 800-38F, IG D.G. AES key wrapping and unwrappingAES-KW/ A2786, A2805 AES-KW/ A2784, A2803
Symmetric EncryptionExecute AES-mode encrypt operationCOW,EAES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM1AES key, plaintext dataciphertext data
Symmetric DecryptionExecute AES-mode decrypt operationCOW,EAES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM1AES key, ciphertext dataplaintext data
Service
NameDescriptionRolesRole AccessCsps AccessedApproved FunctionsIndicatorTypePropertiesInputOutput
Crypto OfficerCORoleImplicit
KAS-ECCKAS-ECC-SSC SP800-Curves P-224, P-256, P-384, P-521Curves P-224, P-256, P-384, P-521 providing from 112 to 256 bits of encryption strengthKAS-ECCKASEC Diffie-Hellman Shared Secret computation SP 800- 56ARev3. KAS-ECC per IG D.F Scenario 2 path (1)KAS-ECC-SSC SP800- 56ARev3 / A2786, A2805
providing from 112 to 256 bits o56ARev3 / A2786, A280providing from 112 to 256 bits o
KAS-FFCSafe Prime Groups MODP-2048, MODP-KAS-FFCKASDiffie-Hellman Shared Secret Computation KAS-FFC per IG D.F Scenario 2 path (1).KAS-FFC-SSC SP800- 56ARev3/ A2786, A2805
KTS128, 192, and 256-bit AES keys providingKTSKTSSP 800-38F, IG D.G. AES key wrapping and unwrappingAES-KW/ A2786, A2805 AES-KW/ A2784, A2803
Symmetric EncryptionExecute AES-mode encrypt operationCOW,EAES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM1AES key, plaintext dataciphertext data
Symmetric DecryptionExecute AES-mode decrypt operationCOW,EAES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM1AES key, ciphertext dataplaintext data
SP 800
56ARev3. KAS-ECC per IG
D.F Scenario 2 path (1)

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] 4.1 The module supports a single instance of one authorized role: the Crypto Officer. No support is provided for multiple concurrent operators. Table 11 - Roles 4.2 FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not support an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see - Approved Services and - Non-Approved Services below). 4.3 Services The module implements a dedicated API function (section "Modes of Operation" above) to indicate if a requested service utilizes an approved security function. For services listed in Table Approved Services, the W,E W,E This document may be reproduced and distributed only in its original entirely without revision.

17 of 40
Page 18
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorInputOutput
Key WrappingExecute AES-key wrapping operationCOW, EAES-KW1AES key-wrappinwrapped keyg key
key, unkey, unwrapped
Key UnwrappingExecute AES-key unwrapping operationCOW, EAES-KW1AES key- wrappinunwrapped key
Message Digest GenerationGenerate a digest for the requested algorithmCON/ASHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA- 512/256, MD521Messagemessage digest
Message Authentication Code (CMAC/HMAC) GenerationGenerate a Message Authentication CodeCOW, EHMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA-512/256, AES-CMAC1HMAC key or AES key, MAC algorithm, messageMAC
Message Authentication Code (CMAC) VerificationVerify a Message Authentication CodeCOW, EAES-CMAC1MAC, message, Apass/fail
Signature generation (RSA)Sign a message with a specified RSA private key.COW, ERSA SigGen1RSA private key,computed signature
Signature verification (RSA)Verify the signature of a message with a specified RSA public key.COW, ERSA SigVer1RSA public key,pass/fail result
digital signature,digital signature,of digital
Signature generation (ECDSA)Sign a message with a specified ECDSA private keyCOW, EECDSA SigGen1ECDSA private kecomputed signature
Signature verification (ECDSA)Verify the signature of a message with a specified ECDSA public keyCOW, EECDSA SigVer1ECDSA public kepass/fail result
digital signature,digital signature,of digital
Random number generationGenerate Random numberCOE/ G, W, E / G, W, ECTR_DRBG1Entropy Input, DRBG seed, Internal, state V value, and keyrandom bit- string
Key Derivation (PBKDF)Derive key from passwordCOW, E / G, RPBKDF1PBKDF passwordPBKDF derived key
Key Derivation (KBKDF)Derive key from key derivation keyCOW, E / G, RKBKDF1KBKDF key derivation keyKBKDF derived key
Key pair generation (RSA)Generate a keypair for a requested modulusCOG, RRSA KeyGen, CKG1key sizeRSA Key Pair
Key pair generation (ECDSA)Generate a keypair for a requested elliptic curveCOG, RECDSA KeyGen, CKG1key sizeECDSA Key Pair
Public key validation (ECDSA)Verify a public key for a requested elliptic curveCOE, WECDSA KeyVer1ECDSA public keypass/fail result

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] message, hash message, hash message, hash message, hash W, E W, E N/A W, E W, E W, E random bitstring W, E E/ G, W, E / G, W, E W, E / G, R W, E / G, R G, R W, E W, E G, R E, W

2 non-approved but allowed for TLS 1.0/1.1. Used in the context of TLS in conjunction with the approved algorithm SHA-1. No security claimed.

This document may be reproduced and distributed only in its original entirely without revision.

18 of 40
Page 19
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorInputOutput
Safe primes key generationGenerate a keypair for a requested 'safe' domain parameterCOG, RSafe primes key generation1domain parameterDH Key Pair
Diffie-Hellman Shared Secret ComputationGenerate a shared secretCOW, E/ W, E/ G, RKAS-FFC-SSC1received DH publicDH shared secret
EC Diffie-Hellman Shared Secret ComputationGenerate a shared secretCOW, E/ W, E/ G, RKAS-ECC-SSC1received ECDH publicECDH shared secret
Release all resources of hash contextRelease all resources of hash contextCOZN/A1HMAC keyN/A
Release of all resources of Diffie- Hellman context for Diffie-Hellman and EC Diffie-HellmanRelease of all resources of Diffie- Hellman context for Diffie-Hellman and EC Diffie-HellmanCOZN/A1Asymmetric keys (ECDH/DH) and shared secretN/A
Release of all resources of asymmetric crypto function contextRelease of all resources of asymmetric crypto function contextCOZN/A1RSA/ ECDSA key pairN/A
Release of all resources of key derivation function contextRelease of all resources of key derivation function contextCOZN/A1KBKDF key derivation key, PBKDF password, KBKDF and PBKDF derived keyN/A
Self-testExecute the CASTsCON/AAlgorithms listed in table Table 191Nonepass/fail results
Show StatusReturn the module statusCON/AN/ANoneNonestatus output
Show Module InfoReturn Module Base Name and Module Version NumberCON/AN/ANoneNonename and version information
Sensitive security parameter
NameDescriptionRoleAccess
Triple-DES encryption / decryptionModes CBC, CTR, CFB64, ECB, CFB8, OFBCOTriple-DES
RSA Key EncapsulationThe CAST does not perform the full KTS, only the raw RSA encrypt/ decrypt.CORSA encrypt/ decrypt
RSA Key-pair GenerationANSI X9.31 Key-pair Generation Key Size < 2048CORSA KeyGen
RSA Signature GenerationPKCS#1 v1.5 and PSS Signature Generation Key Size < 2048CORSA Signature Generation
RSA Signature VerificationPKCS#1 v1.5 and PSS Signature Verification Key Size < 1024CORSA Signature Verification
Diffie Hellman Shared Secret Computationfor key sizes < 2048CODiffie Hellman Shared Secret Computation
EC Diffie Hellman Shared Secret Computationfor curve sizes < P-224COEC Diffie Hellman Shared Secret Computation
ECDSA Key-pair Generation (PKG) and ECDSA Key Validation (PKV)ECDSA PKG and PKV using curve P-192COECDSA Key Generation, ECDSA Key Validation
ECDSA Signature GenerationECDSA Signature Generation using curve P-192COECDSA Signature Generation
ECDSA Signature VerificationECDSA Signature Verification using curve P-192COECDSA Signature Verification
ECDSA Key Pair Generation for compact point representation of pointsKey Pair Generation for compact point representation of pointsCOECDSA Key Generation
EdDSA Key GenerationKey Generation with Ed25519COEdDSA Key Generation
EdDSA Signature GenerationSignature Generation with Ed25519COEdDSA Signature Generation
EdDSA Signature VerificationSignature Verification with Ed25519COEdDSA Signature Verification
EdDSA Key AgreementKey Agreement with X25519COEdDSA Key Agreement
ECIESElliptic Curve encryptCOECIES Encrypt
ANSI X9.63 Key DerivationSHA-1 hash-basedCOSHA-1
SP800-56Crev2 Key Derivation (HKDF)SHA-256 hash-basedCOSHA-256
RFC6637 Key DerivationSHA hash basedCOSHA-256, SHA-512, AES-128, AES-256
OMAC Message Authentication Code Generation and VerificationOne-Key CBC-MAC using 128-bit keyCOOMAC
Message digest generationMessage digest generation using non-approved algorithmsCOMD2, MD4 RIPEMD
Authenticated Encryption / decryptionEncrypt a plaintext / Decrypt a ciphertextCOAES-GCM using external IV
(other) symmetric encryption / decryptionsymmetric encryption / decryption using non-approved algorithmsCOBlowfish, CAST5, DES, RC2, RC4

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] G, R W, E/ W, E/ G, R W, E/ W, E/ G, R N/A N/A Z N/A N/A Z N/A N/A Z N/A N/A Z N/A Z N/A N/A N/A N/A N/A Table 13 - Approved Services The abbreviations of the access rights to SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. N/A = The service does not access any SSP during its operation. This document may be reproduced and distributed only in its original entirely without revision.

Page 20

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table 14 - Non-Approved Services This document may be reproduced and distributed only in its original entirely without revision.

20 of 40
Page 21

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Software/Firmware security 5.1 Integrity Techniques The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] which is made up of a single component, is provided in the form of binary executable code. A software integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e., the module is not operational. 5.2 On-Demand Integrity Test The module’s integrity test can be performed on demand by power-cycling the computing platform. Integrity test on demand is performed as part of the Pre-Operational Self-Tests, automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.

21 of 40
Page 22

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Operational Environment The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module is supplied as part of Device OS, a commercially available general-purpose operating system executing on the computing platforms specified in section 2. This document may be reproduced and distributed only in its original entirely without revision.

22 of 40
Page 23

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Physical Security The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.

23 of 40
Page 24

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Non-invasive Security Currently, the ISO/IEC 19790:2012 non-invasive security area is not required by FIPS 140-3 (see NIST SP 800140F). The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.

24 of 40
Page 25
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey /SSP Name/ TypeZeroisation
Use: Symmetric Encryption and Decryption; message authentication code (CMAC) Related keys: N/A128 - 256 bitsAES-CBC (A2783, A2784, A2785, A2786, A2802, A2803, A2804, A2805) AES-CCM (A2784, A2786, A2787, A2803, A2805, A2806) AES-CFB8, (A2784, A2786, A2803, A2805) AES-CFB128 (A2783, A2784, A2786, A2802, A2803, A2805) AES-CMAC (A2786, A2805) AES-CTR (A2784, A2786, A2787, A2803, A2805, A2806) AES-ECB (A2783, A2784, A2786. A2787, A2802, A2803, A2805, A2806) AES-GCM (A2784, A2786, A2787, A2803, A2805, A2806) AES- OFB (A2783, A2784, A2786, A2802, A2805, A2803) AES-XTS (A2783, A2784, A2786, A2802, A2803, A2805)N/AN/ARAMImport from calling applicati on No ExportAES Key / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: Key Wrapping Related keys: N/A128 - 256 bitsAES-KW (A2784, A2803, A2786, A2805)N/AN/ARAMImport from calling applicati on No ExportAES key- wrapping Key / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: Message authentication code generation (HMAC) Related keys: N/A128- 256 bitsHMAC-SHA-1, HMAC- SHA-224, HMAC-SHA- 256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA-512/256 (A2788, A2807, A2786, A2805, A2789, A2808)N/AN/ARAMImport from calling applicati on No ExportHMAC Key / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: Digital Signature verification Related keys: DRBG internal state, ECDSA private key112 - 256 bitsECDSA KeyGen (A2788, A2807, A2786, A2805)The key pairs are generated conformant to SP800- 133rev2 (CKG) using FIPS186-4 Key Generation method, and the random value used in the key generation is generated using SP800- 90Arev1 DRBGN/ARAMImport and Export to calling applicati on for key pair only. Intermed iate keygen values are not output.ECDSA public key (including intermediate keygen values) / PSPAutomatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the module returns from the key generation function.
Use: Digital Signature generation Related keys: DRBG internal state, ECDSA public keyECDSA private key (including intermediate keygen values) / CSP
Use: Digital Signature verification Related keys: DRBG internal state, RSA private key112 - 150 bitsRSA KeyGen (A2788, A2807, A2786, A2805)The key pairs are generated conformant to SP800- 133rev2 (CKG) using FIPS186-4 Key Generation method, and the random value used in the key generation is generated using SP800- 90Arev1 DRBGN/ARAMImport and Export to calling applicati on for key pair only. Intermed iate keygen values are not output.RSA public key (including intermediate keygen values) / PSPAutomatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the module returns from the key generation function.
Use: Digital Signature generation Related keys: DRBG internal state, RSA public keyN/ARSA private key (including intermediate keygen values) / CSP
Use Random Number Generation Related keys: DRBG seed256 bitsRandom Number Generation E14, E15 (see PUD referenced in section 11.2)Obtained from two entropy sourcesN/ARAMN/ADRBG Entropy Input / CSP (IG D.L)When the system is powered down
Use: Random Number Generation Related keys: DRBG entropy input, DRBG internal state256 bitsCTR_DRBG (A2787, A2806, A2786, A2805, A2784, A2803)Derived from entropy input as defined by SP800- 90Arev1N/ARAMN/ADRBG Seed / CSP (IG D.L)When the system is powered down
Use: Random Number Generation Related keys: DRBG seed256 bitsCTR_DRBG (A2787, A2806, A2786, A2805, A2784, A2803)Derived from seed as defined by SP800- 90Arev1N/ARAMN/ADRBG Internal State V value, and Key / CSP (IG D.L)When the system is powered down
Use: PBKDF Key Derivation Related keys: PBKDF password128 - 256 bitsPBKDF (A2788 , A2807, A2786, A2805)Internally generated via SP800- 132 PBKDFN/ARAMNo Import Export to calling applicati onPBKDF Derived Keys / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: PBKDF Key Derivation Related keys: PBKDF derived keyN/APBKDF (A2788 , A2807, A2786, A2805)N/AN/ARAMimported from calling applicati on No ExportPBKDF Password / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: KBKDF Key Derivation Related keys: KBKDF derived key128 - 256 bitsKBKDF (A2788 , A2807, A2786, A2805)N/AN/ARAMimported from calling applicati on No ExportKBKDF Key Derivation Key / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: KBKDF Key Derivation Related keys: KBKDF Key Derivation Key128 - 256 bitsKBKDF (A2788 , A2807, A2786, A2805)Generated via SP800- 108rev1 KBKDFN/ARAMNo Import Export to calling applicati onKBKDF Derived Key / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: Diffie- Hellman shared secret computation Related keys: DRBG internal state, Diffie- Hellman Shared Secret112 - 200 bitsKAS-FFC-SSC (A2786, A2805)The key pairs are generated conformant to SP800- 133rev2 (CKG) using Safe-prime groups MODP groups belonging to (RFC 3526)N/ARAMImport from calling applicati on Export to calling applicati onDH public, private keys (including intermediate keygen values) / PSP- CSPAutomatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the
Use: None Related keys:, DH private and public keys112 - 200 bitsKAS-FFC-SSC (A2786, A2805)N/AEstablishe d using SP800- 56Arev3 KAS-FFC- SSCRAMNo Import Export to calling applicati onDH Shared Secret / CSPAutomatic zeroisation when structure is deallocated or when the system is powered down
Use: ECDH Shared secret computation Related keys: EC Diffie- Hellman Shared Secret112 - 256 bitsKAS-ECC-SSC (A2786, A2805)The key pairs are generated conformant to SP800- 133rev2 (CKG) using FIPS 186-4 Key Generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBGN/ARAMImport from and Export to calling applicati on for key pair only. Intermed iate keygen values are not output.ECDH public, private keys (including intermediate keygen values) / PSP- CSPAutomatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the module returns from the key generation function.
Use: None Related keys: ECDH private and public keys112 - 256 bitsKAS-ECC-SSC (A2786, A2805)N/AEstablishe d using SP800- 56Arev3 KAS-ECC- SSCRAMNo Import Export to calling applicati onECDH Shared SecretAutomatic zeroisation when structure is deallocated or when the system is powered down

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Sensitive Security Parameter Management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module: N/A N/A N/A N/A N/A N/A N/A N/A 128256 N/A This document may be reproduced and distributed only in its original entirely without revision.

25 of 40
Page 26

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A N/A to SP800133rev2 using SP80090Arev1 to SP800133rev2 using SP80090Arev1 N/A N/A N/A SP80090Arev1 N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

26 of 40
Page 27

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] SP80090Arev1 N/A N/A N/A N/A N/A N/A N/A N/A via SP800108rev1 N/A values) / PSPCSP to SP800133rev2 N/A state, DiffieHellman This document may be reproduced and distributed only in its original entirely without revision.

27 of 40
Page 28

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A SP80056Arev3 KAS-FFCSSC values) / PSPCSP N/A to SP800133rev2 using SP80090Arev1 N/A SP80056Arev3 KAS-ECCSSC EC DiffieHellman Table 15 - SSPs 9.1 The NIST SP 800-90Arev1 approved deterministic random bit generator is a CTR_DRBG based on block cipher. The CTR_DRBG is using AES-256 with derivation function and without prediction resistance. The module performs DRBG health tests according to section 11.3 of [SP800-90Arev1]. The deterministic random bit generators are seeded by /dev/random. The /dev/random is the User Space interface. No non-DRBG functions or instances are able to access the DRBG internal state This document may be reproduced and distributed only in its original entirely without revision.

28 of 40
Page 29
Approved algorithm
NameKey Size
DetailsEntropy SourcesMinimum number of
The entropy source consists of twenty-four Free Ring Oscillator (FROs) with a vetted conditioning function SHA-256 (ACVP cert. # C1223)256 bitsESV #E14 (Apple corecrypto physical entropy source)
The non-physical entropy source is based upon interrupt timings with a vetted conditioning function SHA-256 (ACVP certs. # A2797, A2869)256 bitsESV #E15 (Apple corecrypto non-physical entropy source)

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Two entropy sources (one non-physical entropy source and one physical entropy source) residing within the TOEPP provide the random bits. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The output of entropy pool provides 256-bits of entropy to seed and reseed SP800-90Arev1 DRBG during initialization (seed) and reseeding (reseed). Table 16

1 (vendor affirmed), compliant with [FIPS186-4], and using DRBG compliant with [SP800-90A]. A seed (i.e., the

random value) used in asymmetric key generation is obtained from [SP800-90A] DRBG. The key generation service for RSA, ECDSA, Diffie-Hellman and EC Diffie-Hellman as well as the [SP 800-90A] DRBG have been ACVT tested with algorithm certificates found in Table 6. The key derivation functions are as follows:

29 of 40
Page 30
Sensitive security parameter
NameTypeDescription
RAMdynamicThe module stores ephemeral keys/SSPs in RAM provided by the operational environment. They are received for use or generated by the module only at the command of the calling application. The operating system protects all keys/SSPs through the memory separation and protection mechanisms. No process other than the module itself can access the keys/SSPs in its process’ memory.

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] The module implements a Key Transport Scheme (KTS) using AES-KW compliant to [SP800-38F], IG D.G. The SSP establishment methodology provides between 128 and 256 bits of encryption strength.

30 of 40
Page 31
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIIndicatorCondition
HMAC-SHA-256HMAC-SHA-256Message AuthenticationSoftware Integrity112-bit keyModule successful execution
AES-GCM AES-CCMAES-GCM AES-CCMKATCASTAuthenticated decryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB AES-CBC AES-XTS (Testing Revision 2.0)AES-ECB AES-CBC AES-XTS (Testing Revision 2.0)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB AES-CBCAES-ECB AES-CBCKATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CCM AES-CMACAES-CCM AES-CMACKATCASTAuthenticated encryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
CTR_DRBGCTR_DRBGKATCASTKAT and Health test per SP800-90Arev1 section 11.3AES 128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
HMAC-SHA-256HMAC-SHA-256KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at Power-on before the integrity test
HMAC-SHA-1HMAC-SHA-1KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at Power-on before the integrity test
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIIndicatorCondition
HMAC-SHA-256HMAC-SHA-256Message AuthenticationSoftware Integrity112-bit keyModule successful execution
AES-GCM AES-CCMAES-GCM AES-CCMKATCASTAuthenticated decryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB AES-CBC AES-XTS (Testing Revision 2.0)AES-ECB AES-CBC AES-XTS (Testing Revision 2.0)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB AES-CBCAES-ECB AES-CBCKATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CCM AES-CMACAES-CCM AES-CMACKATCASTAuthenticated encryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
CTR_DRBGCTR_DRBGKATCASTKAT and Health test per SP800-90Arev1 section 11.3AES 128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
HMAC-SHA-256HMAC-SHA-256KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at Power-on before the integrity test
HMAC-SHA-1HMAC-SHA-1KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at Power-on before the integrity test
HMAC-SHA-512HMAC-SHA-512KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at Power-on before the integrity test
SHA-1 SHA-256 SHA-512SHA-1 SHA-256 SHA-512KATCASTMessage digestCAST is covered by higher level HMAC KAT per IG 10.3.BModule becomes operationalTest runs at Power-on before the integrity test
RSA Signature GenerationRSA Signature GenerationKATCASTSignature Generation or Key Generation service request2048-bit modulus with SHA-256Module becomes operationalTest runs at Power-on before the integrity test
RSA Signature VerificationRSA Signature VerificationKATCASTSignature Verification or Signature Verification or Key Generation service request2048-bit modulus with SHA-256Module becomes operationalTest runs at Power-on before the integrity test
ECDSA Signature GenerationECDSA Signature GenerationKATCASTSignature Generation or Key Generation service requestP-224 curve with SHA-224Module becomes operationalTest runs at Power-on before the integrity test
ECDSA Signature VerificationECDSA Signature VerificationKATCASTSignature Verification or Key Generation service requestP-224 curve with SHA-224Module becomes operationalTest runs at Power-on before the integrity test
Diffie-Hellman shared secret computationDiffie-Hellman shared secret computationKATCASTShared secret computationMODP-2048Module becomes operationalTest runs at Power-on before the integrity test
EC Diffie-Hellman shared secret computationEC Diffie-Hellman shared secret computationKATCASTShared secret computationP-224 curveModule becomes operationalTest runs at Power-on before the integrity test
PBKDFPBKDFKATCASTKey DerivationSHA-1, SHA-256, SHA-512Module becomes operationalTest runs at Power-on before the integrity test
KBKDFKBKDFKATCASTKey DerivationCounter mode using SHA-1, SHA- 256, SHA-512Module becomes operationalTest runs at Power-on before the integrity test

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]

10 Self-tests

While the module is executing the self-tests, services are not available, and input and output are inhibited. If the test fails either pre-operational and conditional self-tests, the module reports an error message indicating the cause of the failure and enters the Error State (See section 10.3). The module permits operators to initiate the pre-operational or conditional self-tests for on demand and periodic testing by rebooting the system (i.e., power-cycling). 10.1 The module performs a pre-operational software integrity test automatically when the module is loaded into performed on the runtime image of the Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] with HMAC-SHA256 which is an approved integrity technique. The HMAC value of the runtime image is recalculated and compared with the stored HMAC value precomputed at compilation time Table 18 - Preoperational Self-Tests

10.2 Conditional Self-Tests
10.2.1 Conditional Cryptographic Algorithm Self-Tests

This document may be reproduced and distributed only in its original entirely without revision.

31 of 40
Page 32

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table 19

10.2.2 Conditional Pairwise Consistency Test

The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] generates RSA, Diffie-Hellman, EC DiffieHellman and ECDSA asymmetric keys and performs a pair-wise consistency tests on the newly generated key pairs. Error States If any of the above-mentioned self-tests described in Sections 10.1, 10.2.1 or 10.2.2 fail, the module reports the cause of the error and enters an error state. In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to power cycle the device which results in the module being reloaded into memory and reperforming the pre-operational self-test and the conditional This document may be reproduced and distributed only in its original entirely without revision.

32 of 40
Page 33
Service
NameDescriptionRole AccessIndicator
Error StateThe HMAC-SHA-256 value computed over the module did not match the pre-computed valuePre-operational Software Integrity Test failureError message “FAILED: fipspost_post_integrity” is sent to the callermodule reset
Error StateThe computed value in the invoked Conditional CAST did not match the known valueConditional CAST failureError message “FAILED:<event>” sent to the caller (<event> refers to any of the cryptographic functions listed in Table 19.)module reset
Error StateThe signature failed to verify successfully in the Conditional PCT.Conditional PCT failureError message “CCEC_GENERATE_KEY_CONSISTENCY” returned for EC Error message “CCRSA_GENERATE_KEY_CONSISTENCY” returned for RSA Error message “CCDH_GENERATE_KEY_CONSISTENCY” returned for DHmodule reset

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] algorithm self-tests. The module will only enter into the operational state after successfully passing the preoperational self-test and the conditional self-tests. Table 20- Error states This document may be reproduced and distributed only in its original entirely without revision.

33 of 40
Page 34

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]

11 Life-cycle assurance

11.1 Installation, Initialization, and Startup Procedures Startup Procedures: The module is built into Device OS defined in section 2 and delivered with the respective Device OS. There is no standalone delivery of the module as a software library. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self-tests. 11.2 Crypto Officer Guidance The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 14 - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E14_PublicUse.pdf The ESV Public Use Document (PUD) reference for non-physical entropy source is: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/15 Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation. 11.3 Non-Administrator Guidance Not Applicable 11.4 Design and Rules The Crypto Officer shall consider the following requirements and restrictions when using the module.

34 of 40
Page 35

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] The GCM IV generation follows RFC 4106 and shall only be used for the IPsec-v3 protocol version 3. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the IPsec protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the IPsec protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. In both protocols in case the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the module; however, it is met implicitly. The module does not retain any state when power is lost. As indicated in Table 11, column Storage, the module exclusively uses volatile storage. This means that AES-GCM key/IVs are not persistently stored during power off: therefore, there is no re-connection possible when the power is back on with re-generation of the key used for GCM. After restoration of the power, the user of the module (e.g., TLS, IKE) along with User application that implements the protocol, must perform a complete new key establishment operation using new random numbers (Entropy input string, DRBG seed, DRBG internal state V and Key, shared secret values that are not retained during power cycle, see table 11) with subsequent KDF operations to establish a new GCM key/IV pair on either side of the network communication channel. These protocols have not been reviewed or tested by the CAVP and CMVP.

35 of 40
Page 36

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]

12 Mitigation of other attacks

The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.

36 of 40
Page 37

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Appendix A. AES CAVP CAST CAST5 CBC CCM CFB CMAC CMVP CSP CTR DRBG ECB ESVP FFC FIPS GCM HMAC KAS KAT KBKDF KDF KW MAC NIST OAEP OFB PAA PBKDF PKG PKV PRF PSS PUD RSA SHA SHS SSC TOEPP XTS Glossary and Abbreviations Advanced Encryption Standard Cryptographic Algorithm Validation Program Cryptographic Algorithm Self-Test A symmetric-key 64-bit block cipher with 128-bit key Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Mode Deterministic Random Bit Generator Electronic Code Book Entropy Source Validation Program Finite Field Cryptography Federal Information Processing Standards Publication Galois Counter Mode Hash Message Authentication Code Key Agreement Schema Known Answer Test Key Based Key Derivation Function Key Derivation Function AES Key Wrap Message Authentication Code National Institute of Science and Technology Optimal Asymmetric Encryption Padding Output Feedback Processor Algorithm Acceleration Password Based Key Derivation Function Key-Pair Generation Public Key Validation Pseudo-Random Function Probabilistic Signature Scheme Public Use Document Rivest, Shamir, Adleman Secure Hash Algorithm Secure Hash Standard Shared Secret Computation Tested Operational Environment Physical Perimeter XEX-based Tweaked-codebook mode with cipher text Stealing This document may be reproduced and distributed only in its original entirely without revision.

37 of 40
Page 38

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program August 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%201403/Draft%20FIPS-140-3-CMVP%20Management%20Manual%2009-18-2020.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140B CMVP Security Policy Requirements https://csrc.nist.gov/publications/detail/sp/800-140b/final SP 800-140C CMVP Approved Security Functions https://csrc.nist.gov/publications/detail/sp/800-140c/final SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140d/final SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt This document may be reproduced and distributed only in its original entirely without revision.

38 of 40
Page 39

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019, https://doi.org/10.6028/NIST.SP.800-52r2 SP800-56Arev3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography April, 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Brev2 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf SP800-56Crev2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf This document may be reproduced and distributed only in its original entirely without revision.

39 of 40
Page 40

Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800-90Arev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108r1 NIST Special Publication 800-108r1-upd1 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP800-131Arev2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133rev2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf platform certifications Apple Security Certifications and Compliance Center https://support.apple.com/en-gw/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.

40 of 40

Referenced URLs