| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/30/2026 |
| Caveat | Interim validation. When operated in approved mode |
| Vendor | Apple Inc. |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
flowchart LR
%% Deterministic review-risk graph for Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Apple Inc. Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] September 2024 Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectualproperty/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table of Contents 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 4.1 4.2 4.3 9.1 9.2 9.3 9.4 9.5 9.6 5.1 5.2 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed... 14 10.1 10.2 10.2.1 10.2.2 10.3 11.1 11.2 11.3 11.4 11.5 This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] List of Tables This document may be reproduced and distributed only in its original entirely without revision.
| Name | ISO Section | Requirement | Level | ISO/IEC 24759 Section 6. |
|---|---|---|---|---|
| 1 | 1 | General | 1 | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 | |
| 3 | 3 | Cryptographic Module Interfaces | 1 | |
| 4 | 4 | Roles, Services, and Authentication | 1 | |
| 5 | 5 | Software/Firmware Security | 1 | |
| 6 | 6 | Operational Environment | 1 | |
| 7 | 7 | Physical Security | Not Applicable | |
| 8 | 8 | Non-invasive Security | Not Applicable | |
| 9 | 9 | Sensitive Security Parameter Management | 1 | |
| 10 | 10 | Self-tests | 1 | |
| 11 | 11 | Life-cycle Assurance | 1 | |
| 12 | 12 | Mitigation of Other Attacks | Not Applicable |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. The column names of the tables follow the template tables provided in NIST SP 800-140B. Table 1 describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. [Number Below] Table 1 - Security Levels This document may be reproduced and distributed only in its original entirely without revision.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | iPadOS 15 | iPad (5th generation) | Apple A Series A9 | With and without PAA | 1 |
| 2 | iPadOS 15 | iPad Pro 9.7-inch | Apple A Series A9X | With and without PAA | 2 |
| 3 | iPadOS 15 | iPad (7th generation) | Apple A Series A10 Fusion | With and without PAA | 3 |
| 4 | iPadOS 15 | iPad Pro 10.5-inch | Apple A Series A10X Fusion | With and without PAA | 4 |
| 5 | iPadOS 15 | iPad mini (5th generation) | Apple A Series A12 Bionic | With and without PAA | 5 |
| 6 | iPadOS 15 | iPad Pro 11-inch (1st generation) | Apple A Series A12X Bionic | With and without PAA | 6 |
| 7 | iPadOS 15 | iPad Pro 11-inch (2nd generation) | Apple A Series A12Z Bionic | With and without PAA | 7 |
| 8 | iPadOS 15 | iPad (9th generation) | Apple A Series A13 Bionic | With and without PAA | 8 |
| 9 | iPadOS 15 | iPad Air (4th generation) | Apple A Series A14 Bionic | With and without PAA | 9 |
| 10 | iPadOS 15 | iPad mini (6th generation) | Apple A Series A15 Bionic | With and without PAA | 10 |
| 11 | iPadOS 15 | iPad Pro 11-inch (3rd generation) | Apple M Series M1 | With and without PAA | 11 |
| 12 | iOS 15 | iPhone 6S | Apple A Series A9 | With and without PAA | 12 |
| 13 | iOS 15 | iPhone 7 Plus | Apple A Series A10 Fusion | With and without PAA | 13 |
| 14 | iOS 15 | iPhone X | Apple A Series A11 Bionic | With and without PAA | 14 |
| 15 | iOS 15 | iPhone XS Max | Apple A Series A12 Bionic | With and without PAA | 15 |
| 16 | iOS 15 | iPhone 11 Pro | Apple A Series A13 Bionic | With and without PAA | 16 |
| 17 | iOS 15 | iPhone 12 | Apple A Series A14 Bionic | With and without PAA | 17 |
| 18 | iOS 15 | iPhone 13 Pro Max | Apple A Series A15 Bionic | With and without PAA | 18 |
| 19 | watchOS 8 | Apple Watch Series S3 | Apple S Series S3 | With and without PAA | 19 |
| 20 | watchOS 8 | Apple Watch Series S4 | Apple S Series S4 | With and without PAA | 20 |
| 21 | watchOS 8 | Apple Watch Series S5 | Apple S Series S5 | With and without PAA | 21 |
| 22 | watchOS 8 | Apple Watch Series S6 | Apple S Series S6 | With and without PAA | 22 |
| 23 | watch OS 8 | Apple Watch Series S7 | Apple S Series S7 | With and without PAA | 23 |
| 24 | tvOS 15 | Apple TV 4K | Apple A Series A10X Fusion | With and without PAA | 24 |
| 25 | tvOS 15 | Apple TV 4K (2nd generation) | Apple A Series A12 Bionic | With and without PAA | 25 |
| 26 | T2OS 12 | Apple Security Chip T2 | Apple T Series T2 | With and without PAA | 26 |
| 27 | macOS 12 Monterey | MacBook Pro (13-inch, M1, 2020) | Apple M Series M1 | With and without PAA | 27 |
| 28 | macOS 12 Monterey | MacBook Pro 14-inch | Apple M Series M1 Pro | With and without PAA | 28 |
| 29 | macOS 12 Monterey | MacBook Pro 16-inch | Apple M Series M1 Max | With and without PAA | 29 |
| 1 | iPadOS 15 | iPad Pro 12.9-inch | 1 | ||
| 2 | iPadOS 15 | iPad (6th generation) | 2 | ||
| 3 | iPadOS 15 | iPad Pro 12.9-inch (2nd generation) | 3 | ||
| 4 | iPadOS 15 | iPad Air (3rd generation) | 4 | ||
| 5 | iPadOS 15 | iPad (8th generation) | 5 | ||
| 6 | iPadOS 15 | iPad Pro 12.9-inch (3rd generation) | 6 | ||
| 7 | iPadOS 15 | iPad Pro 12.9-inch (4th generation) | 7 | ||
| 8 | iPadOS 15 | iPad Pro 12.9-inch (5th generation) | 8 | ||
| 9 | iOS 15 | iPhone SE | 9 | ||
| 10 | iOS 15 | iPhone 6S Plus | 10 | ||
| 11 | iOS 15 | iPhone 7 | 11 | ||
| 12 | iOS 15 | iPhone 8 | 12 | ||
| 13 | iOS 15 | iPhone 8 Plus | 13 | ||
| 14 | iOS 15 | iPhone XS | 14 | ||
| 15 | iOS 15 | iPhone XR | 15 | ||
| 16 | iOS 15 | iPhone 11 | 16 | ||
| 17 | iOS 15 | iPhone 11 Pro Max | 17 | ||
| 18 | iOS 15 | iPhone SE (2nd generation) | 18 | ||
| 19 | iOS 15 | iPhone 12 mini | 19 |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Cryptographic Module Specification The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] cryptographic module (hereafter referred to as “the module”) is a Software module running on a multi-chip standalone general-purpose computing platform. The version of module is 12.0. The module provides implementations of low-level cryptographic primitives to the Device OS’s (iOS 15, iPadOS 15, watchOS 8, tvOS 15, T2OS 12 and macOS 12 Monterey) Security Framework and Common Crypto. 2.1 Tested Operational Environments # This document may be reproduced and distributed only in its original entirely without revision.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 21 | watchOS 8 | Apple Watch Series S5 | Apple S Series S5 | With and without PAA | 21 |
| 22 | watchOS 8 | Apple Watch Series S6 | Apple S Series S6 | With and without PAA | 22 |
| 23 | watch OS 8 | Apple Watch Series S7 | Apple S Series S7 | With and without PAA | 23 |
| 24 | tvOS 15 | Apple TV 4K | Apple A Series A10X Fusion | With and without PAA | 24 |
| 25 | tvOS 15 | Apple TV 4K (2nd generation) | Apple A Series A12 Bionic | With and without PAA | 25 |
| 26 | T2OS 12 | Apple Security Chip T2 | Apple T Series T2 | With and without PAA | 26 |
| 27 | macOS 12 Monterey | MacBook Pro (13-inch, M1, 2020) | Apple M Series M1 | With and without PAA | 27 |
| 28 | macOS 12 Monterey | MacBook Pro 14-inch | Apple M Series M1 Pro | With and without PAA | 28 |
| 29 | macOS 12 Monterey | MacBook Pro 16-inch | Apple M Series M1 Max | With and without PAA | 29 |
| 1 | iPadOS 15 | iPad Pro 12.9-inch | 1 | ||
| 2 | iPadOS 15 | iPad (6th generation) | 2 | ||
| 3 | iPadOS 15 | iPad Pro 12.9-inch (2nd generation) | 3 | ||
| 4 | iPadOS 15 | iPad Air (3rd generation) | 4 | ||
| 5 | iPadOS 15 | iPad (8th generation) | 5 | ||
| 6 | iPadOS 15 | iPad Pro 12.9-inch (3rd generation) | 6 | ||
| 7 | iPadOS 15 | iPad Pro 12.9-inch (4th generation) | 7 | ||
| 8 | iPadOS 15 | iPad Pro 12.9-inch (5th generation) | 8 | ||
| 9 | iOS 15 | iPhone SE | 9 | ||
| 10 | iOS 15 | iPhone 6S Plus | 10 | ||
| 11 | iOS 15 | iPhone 7 | 11 | ||
| 12 | iOS 15 | iPhone 8 | 12 | ||
| 13 | iOS 15 | iPhone 8 Plus | 13 | ||
| 14 | iOS 15 | iPhone XS | 14 | ||
| 15 | iOS 15 | iPhone XR | 15 | ||
| 16 | iOS 15 | iPhone 11 | 16 | ||
| 17 | iOS 15 | iPhone 11 Pro Max | 17 | ||
| 18 | iOS 15 | iPhone SE (2nd generation) | 18 | ||
| 19 | iOS 15 | iPhone 12 mini | 19 | ||
| 20 | iOS 15 | iPhone 12 Pro | 20 | ||
| 21 | iOS 15 | iPhone 12 Pro Max | 21 | ||
| 22 | iOS 15 | iPhone 13 mini | 22 | ||
| 23 | iOS 15 | iPhone 13 | 23 | ||
| 24 | iOS 15 | iPhone 13 Pro | 24 | ||
| 25 | watchOS 8 | Apple Watch SE | 25 | ||
| 26 | macOS 12 Monterey | MacBook Air | 26 | ||
| 27 | macOS 12 Monterey | Mac mini | 27 | ||
| 28 | macOS 12 Monterey | iMac (24-inch) | 28 |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] # Table 2 - Tested Operational Environments 2.2 Vendor-affirmed Operational Environments # This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved mode | Non-Approved mode of operation is entered when the module utilizes non- approved security functions in Table 8. | return a '0' from fips_allowed_mode() for block cipher functions and fips_allowed() for all other services to indicate the executed cryptographic algorithm was non-approved | Non-Approved |
| Name | Use Function | |
|---|---|---|
| CKG [SP800-133rev2] (asymmetric) | vendor affirmed | Cryptographic key Generation for asymmetric (RSA/EC and DH) key pair; FIPS 140-3 IG D.H and SP800-133rev2 section 4 example 1 |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. 2.3 the service utilized. by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 14 - Non-Approved Services. If the device starts up successfully, then the module has NonApproved 2.4 This document may be reproduced and distributed only in its original entirely without revision.
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES [FIPS 197; SP | A2783, A2802 | CBC | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (asm_arm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | CBC | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2785, A2804 | CBC | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_glad) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | CBC | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2787, A2806 | CCM | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38C] | (vng_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | CCM | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38C] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | CCM | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38C] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2783, A2802 | CFB128 | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (asm_arm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | CFB128 | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | CFB128 | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | CFB8 | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | CFB8 | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | CMAC | Key Size / Key Strength: 128, 192, 256 bits | Message |
| 800-38B] | (c_ltc) | authentication (MAC) | ||
| AES [FIPS 197; SP | A2787, A2806 | CTR | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (vng_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | CTR | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | CTR | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2783, A2802 | ECB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (asm_arm) | and Decryption | ||
| AES [FIPS 197; SP | A2787, A2806 | ECB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (vng_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | ECB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | ECB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2787, A2806 | GCM | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38D] | (vng_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | GCM | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38D] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | GCM | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38D] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2783, A2802 | OFB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (asm_arm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | OFB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | OFB | Key Size / Key Strength: 128, 192, 256 bits | Symmetric Encryption |
| 800-38A] | (c_asm) | and Decryption | ||
| AES [FIPS 197; SP | A2783, A2802 | XTS | Key Size / Key Strength: 128, 256 bits | Symmetric Encryption |
| 800-38E] | (asm_arm) | and Decryption | ||
| AES [FIPS 197; SP | A2786, A2805 | XTS | Key Size / Key Strength: 128, 256 bits | Symmetric Encryption |
| 800-38E] | (c_ltc) | and Decryption | ||
| AES [FIPS 197; SP | A2784, A2803 | XTS | Key Size / Key Strength: 128, 256 bits | Symmetric Encryption |
| 800-38E] | (c_asm) | and Decryption | ||
| DRBG [SP800- | A2787, A2806 | CTR_DRBG: AES-128, | Key Size / Key Strength: 128, 256 bits | Random Number |
| 90Arev1] | (vng_asm) | AES-256 | Derivation Function Enabled, No Prediction | Generation |
| DRBG [SP800- | A2786, A2805 | CTR_DRBG: AES-128, | Key Size / Key Strength: 128, 256 bits | Random Number |
| 90Arev1] | (c_ltc) | AES-256 | Derivation Function Enabled, No Prediction | Generation |
| DRBG [SP800- | A2784, A2803 | CTR_DRBG: AES-128, | Key Size / Key Strength: 128, 256 bits | Random Number |
| 90Arev1] | (c_asm) | AES-256 | Derivation Function Enabled, No Prediction | Generation |
| ECDSA | A2788, A2807 | Key Pair Generation | Curve: P-224, P-256, P-384, P-521 | Asymmetric Key |
| ANSI X9.62 | (vng_ltc) | (CKG using method in | Key Strength: from 112 - 256 bits | Generation |
| [FIPS 186-4] | Section 4 [SP 800- | |||
| ECDSA | A2786, A2805 | Key Pair Generation | Curve: P-224, P-256, P-384, P-521 | Asymmetric Key |
| ANSI X9.62 | (c_ltc) | (CKG using method in | Key Strength: from 112 - 256 bits | Generation |
| [FIPS 186-4] | Section 4 [SP 800- | |||
| ECDSA | A2788, A2807 | N/A | Curve: P-224, P-256, P-384, P-521 | Key Validation |
| ANSI X9.62 | (vng_ltc) | Key Strength: from 112 - 256 bits | ||
| ECDSA | A2786, A2805 | N/A | Curve: P-224, P-256, P-384, P-521 | Key Validation |
| ANSI X9.62 | (c_ltc) | Key Strength: from 112 - 256 bits | ||
| ECDSA | A2788, A2807 | SHA2-224, SHA2-256, | Curve: P-224, P-256, P-384, P-521 | Digital Signature |
| ANSI X9.62 | (vng_ltc) | SHA2-384, SHA2-512 | Key Strength: from 112 - 256 bits | Generation |
| ECDSA | A2786, A2805 | SHA2-224, SHA2-256, | Curve: P-224, P-256, P-384, P-521 | Digital Signature |
| ANSI X9.62 | (c_ltc) | SHA2-384, SHA2-512 | Key Strength: from 112 - 256 bits | Generation |
| ECDSA | A2788, A2807 | SHA-1 (legacy), SHA2- | Curve: P-224, P-256, P-384, P-521 | Digital Signature |
| ANSI X9.62 | (vng_ltc) | 224, SHA2-256, SHA2- | Key Strength: from 112 - 256 bits | Verification |
| [FIPS 186-4] | 384, SHA2-512 | |||
| ECDSA | A2786, A2805 | SHA-1(legacy), SHA2- | : P-224, P-256, P-384, P-521 | Digital Signature |
| ANSI X9.62 | (c_ltc) | 224, SHA2-256, SHA2- | Key Strength: from 112 - 256 bits | Verification |
| [FIPS 186-4] | 384, SHA2-512 | |||
| HMAC [FIPS 198] | A2788, A2807 | SHA-1 | Key Size: 128 - 262144 bits | Message |
| (vng_ltc) | (vng_ltc) | Key Strength: 128 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2786, A2805 | SHA-1 | Key Size: 128 - 262144 bits | Message |
| (c_ltc) | (c_ltc) | Key Strength: 128 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2788, A2807 | SHA-224 | Key Size: 224 - 262144 bits | Message |
| (vng_ltc) | (vng_ltc) | Key Strength: 224 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2786, A2805 | SHA-224 | Key Size: 224 - 262144 bits | Message |
| (c_ltc) | (c_ltc) | Key Strength: 224 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2788, A2807 | SHA-256 | Key Size: 224 - 262144 bits | Message |
| (vng_ltc) | (vng_ltc) | Key Strength: 256 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2786, A2805 | SHA-256 | Key Size: 256 - 262144 bits | Message |
| (c_ltc) | (c_ltc) | Key Strength: 256 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2789, A2808 | SHA-256 (for all CPUs in | Key Size: 256 - 262144 bits | Message |
| (vng_neon) | (vng_neon) | Table 2 except S3) | Key Strength: 256 bits | authentication (MAC) |
| HMAC [FIPS 198] | A2788, A2807 | SHA-384 | Key Size: 384 - 262144 bits | Message |
| (vng_ltc) | (vng_ltc) | Key Strength: 384 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2786, A2805 | SHA-384 | Key Size: 384 - 262144 bits | Message |
| (c_ltc) | (c_ltc) | Key Strength: 384 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2788, A2807 | SHA-512 | Key Size: 512 - 262144 bits | Message |
| (vng_ltc) | (vng_ltc) | Key Strength: 512 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2786, A2805 | SHA-512 | Key Size: 512 - 262144 bits | Message |
| (c_ltc) | (c_ltc) | Key Strength: 512 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2788, A2807 | SHA-512/256 | Key Size: 512 - 262144 bits | Message |
| (vng_ltc) | (vng_ltc) | Key Strength: 256 bits | authentication (MAC) | |
| HMAC [FIPS 198] | A2786, A2805 | SHA-512/256 | Key Size: 512 - 262144 bits | Message |
| (c_ltc) | (c_ltc) | Key Strength: 256 bits | authentication (MAC) | |
| KAS-ECC-SSC | A2786, A2805 | Scheme: ephemeral | Curve: P-224, P-256, P-384, P-521 | Shared Secret |
| [SP800-56Arev 3] | (c_ltc) | Unified | Key Strength: from 112 - 256 bits | Computation |
| KAS-FFC-SSC | A2786, A2805 | Scheme: dh Ephem with | Key Size: MODP-2048, MODP-3072, MODP-4096, | Shared Secret |
| [SP800-56Arev3] | (c_ltc) | safe prime groups | MODP-6144, MODP-8192. | Computation |
| KAS Role: initiator, | KAS Role: initiator, | Key Strength: from 112 - 200 bits | ||
| KBKDF | A2788, A2807 | KDF Mode: Counter and | Key Size / Key Strength: 128 -256 bits | Key Derivation |
| [SP800-108rev1] | (vng_ltc) | Feedback | Supported [output] Lengths: 8-4096 Increment 8 | |
| A2786, A2805 | A2786, A2805 | MAC Mode: HMAC-SHA- | Fixed Data Order: Before Fixed Data | |
| (c_ltc) | (c_ltc) | 1, HMAC-SHA2-224, | Counter Length: 32 | |
| KBKDF | A2786, A2805 | KDF Mode: Counter | Key Size / Key Strength: 128 - 256 bits | Key Derivation |
| [SP800-108rev1] | (c_ltc) | MAC Mode: CMAC- | Supported [output] Lengths: 8-4096 Increment 8 | |
| AES128, CMAC-AES192, | AES128, CMAC-AES192, | Fixed Data Order: Before Fixed Data | ||
| CMAC-AES256 | CMAC-AES256 | Counter Length: 8, 16, 24, 32 | ||
| KTS (AES) [FIPS | A2786, A2805 | AES-KW | Key Size / Key Strength: 128, 192, 256 bits | Key Wrapping |
| 197; SP 800-38 F] | (c_ltc) | |||
| KTS (AES) [FIPS | A2784, A2803 | AES-KW | Key Size / Key Strength: 128, 192, 256 bits | Key Wrapping |
| 197; SP 800-38 F] | (c_asm) | |||
| PBKDF [SP800- | A2788, A2807 | HMAC with: SHA-1, | Key Size / Key Strength: 128 - 256 bits | Key Derivation |
| 132] | (vng_ltc) | SHA-224, SHA-256, SHA- | Password length: 8- 128 bytes Increment 1 | |
| 384, SHA-512 | 384, SHA-512 | Salt Length: 128-4096 Increment 8 | ||
| PBKDF [SP800- | A2786, A2805 | HMAC with: SHA-1, | Key Size / Key Strength: 128 - 256 bits | Key Derivation |
| 132] | (c_ltc) | SHA-224, SHA-256, SHA- | Password length: 8- 128 bytes | |
| 384, SHA-512 | 384, SHA-512 | Increment 1 | ||
| RSA [FIPS 186-4] | A2788, A2807 | ANSI X9.31; CKG using | Key Size: 2048, 3072, 4096 bits | Asymmetric Key |
| (vng_ltc) | (vng_ltc) | method in Section 4 | Key Strength: from 112 - 150 bits | Generation |
| RSA [FIPS 186-4] | A2786, A2805 | ANSI X9.31; CKG using | Key Size: 2048, 3072, 4096 bits | Asymmetric Key |
| (c_ltc) | (c_ltc) | method in Section 4 | Key Strength: from 112 - 150 bits | Generation |
| RSA [FIPS 186-4] | A2788, A2807 | PKCS#1 v1.5: and PKCS | Key Size: 2048, 3072, 4096 bits | Digital Signature |
| (vng_ltc) | (vng_ltc) | PSS | Key Strength: from 112 - 150 bits | Generation |
| RSA [FIPS 186-4] | A2786, A2805 | PKCS#1 v1.5 and PKCS | Key Size: 2048, 3072, 4096 bits | Digital Signature |
| (c_ltc) | (c_ltc) | PSS | Key Strength: from 112 - 150 bits | Generation |
| RSA [FIPS 186-4] | A2788, A2807 | PKCS#1 v1.5 and PKCS | Key Size: 1024 (legacy), 2048, 3072, 4096 bits | Digital Signature |
| (vng_ltc) | (vng_ltc) | PSS | Key Strength: from 80 - 150 bits | Verification |
| RSA [FIPS 186-4] | A2786, A2805 | PKCS#1 v1.5 and PKCS | Key Size: 1024 (legacy), 2048, 3072, 4096 bits | Digital Signature |
| (c_ltc) | (c_ltc) | PSS | Key Strength: from 80 - 150 bits | Verification |
| Safe Primes Key | A2786, A2805 | CKG using method in | Safe Prime Groups: MODP-2048, MODP-3072, | Key Generation |
| 800-133Rev2) | 800-133Rev2) | Key Strength: from 112 - 200 bits | ||
| SHS [FIPS 180-4] | A2788, A2807 | SHA-1 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2786, A2805 | SHA-1 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2788, A2807 | SHA-224 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2786, A2805 | SHA-224 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2788, A2807 | SHA-256 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2786, A2805 | SHA-256 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2789, A2808 | SHA-256 (for all CPUs in | N/A | Message Digest |
| (vng_neon) | (vng_neon) | Table 2 except S3) | ||
| SHS [FIPS 180-4] | A2788, A2807 | SHA-384 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2786, A2805 | SHA-384 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2788, A2807 | SHA-512 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2786, A2805 | SHA-512 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2788, A2807 | SHA-512/256 | N/A | Message Digest |
| SHS [FIPS 180-4] | A2786, A2805 | SHA-512/256 | N/A | Message Digest |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] 2.5 Approved Algorithms The table below lists all Approved security functions of the module, including specific key size(s) -in bits otherwise noted- employed for approved services. Not all algorithms tested with CAVP are used by the module. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] DRBG [SP80090Arev1] DRBG [SP80090Arev1] DRBG [SP80090Arev1] This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A N/A This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] PBKDF [SP800132] PBKDF [SP800132] This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Table 6 - Approved Algorithms 2.6 Non-Approved Algorithms Allowed in the Approved Mode of Operation There are no non-Approved but “Allowed functions” with security claimed algorithms in approved mode. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Use Function | Use/Function |
|---|---|---|
| MD5 | Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit | Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only) |
| RSA Key Pair Generation | ANSI X9.31 Key Pair Generation Key Size < 2048 | |
| RSA Signature Generation | PKCS#1 v1.5 and PSS Signature Generation Key Size < 2048 | |
| RSA Signature Verification | PKCS#1 v1.5 and PSS Signature Verification Key Size < 1024 | |
| RSA Key Wrapping | OAEP, PKCS#1 v1.5 and PSS schemes | |
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | |
| EC Diffie-Hellman | Shared Secret Computation using curves < P-224 | |
| EdDSA | Key Generation with Ed25519 Signature Generation with Ed25519 Signature Verification with Ed25519 Key Agreement with X25519 | |
| ANSI X9.63 KDF | Hash based Key Derivation Function | |
| RFC6637 | Key Derivation Function | |
| HKDF [SP800-56Crev2] | Key Derivation Function | |
| DES | Encryption / Decryption Key Size 56-bits | |
| CAST5 | Encryption / Decryption Key Sizes 40 to 128-bits in 8-bit increments | |
| AES-GCM using external IV | Authenticated Encryption / Decryption | |
| RC4 | Encryption / Decryption Key Sizes 8 to 4096-bits | |
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits | |
| MD2 | Message Digest Digest size 128-bit | |
| MD4 | Message Digest Digest size 128-bit | |
| RIPEMD | Message Digest Digest size 160-bits | |
| ECDSA | PKG: Curve P-192 with security strength of 96 bits PKV: Curve P-192 Signature Generation: Curve P-192 Signature Verification: Curve P-192 | |
| ECDSA | Key Pair Generation for compact point representation of points |
| Name | Use Function | Use/Function |
|---|---|---|
| MD5 | Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit | Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only) |
| RSA Key Pair Generation | ANSI X9.31 Key Pair Generation Key Size < 2048 | |
| RSA Signature Generation | PKCS#1 v1.5 and PSS Signature Generation Key Size < 2048 | |
| RSA Signature Verification | PKCS#1 v1.5 and PSS Signature Verification Key Size < 1024 | |
| RSA Key Wrapping | OAEP, PKCS#1 v1.5 and PSS schemes | |
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | |
| EC Diffie-Hellman | Shared Secret Computation using curves < P-224 | |
| EdDSA | Key Generation with Ed25519 Signature Generation with Ed25519 Signature Verification with Ed25519 Key Agreement with X25519 | |
| ANSI X9.63 KDF | Hash based Key Derivation Function | |
| RFC6637 | Key Derivation Function | |
| HKDF [SP800-56Crev2] | Key Derivation Function | |
| DES | Encryption / Decryption Key Size 56-bits | |
| CAST5 | Encryption / Decryption Key Sizes 40 to 128-bits in 8-bit increments | |
| AES-GCM using external IV | Authenticated Encryption / Decryption | |
| RC4 | Encryption / Decryption Key Sizes 8 to 4096-bits | |
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits | |
| MD2 | Message Digest Digest size 128-bit | |
| MD4 | Message Digest Digest size 128-bit | |
| RIPEMD | Message Digest Digest size 160-bits | |
| ECDSA | PKG: Curve P-192 with security strength of 96 bits PKV: Curve P-192 Signature Generation: Curve P-192 Signature Verification: Curve P-192 | |
| ECDSA | Key Pair Generation for compact point representation of points | |
| Integrated Encryption Scheme on elliptic curves (ECIES) | Hybrid Encryption scheme | |
| Blowfish | Encryption / Decryption | |
| OMAC (One-Key CBC MAC) | MAC generation / verification | |
| Triple-DES [SP 800-67] | Encryption/Decryption with modes CBC, CTR, CFB64, ECB, CFB8, OFB |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] 2.7 2.8 This document may be reproduced and distributed only in its original entirely without revision.
| Name | Software Version | Package | Integrity Test |
|---|---|---|---|
| corecrypto-1217.40.11 | 12.0 | corecrypto-1217.40.11 | HMAC-SHA-256 |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table 8 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation 2.9 Module components Table 9 - Executable Code Sets The module cryptographic boundary is delineated by the dotted green rectangle in the Figure
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs | As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs | Data Input | Data inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers |
| Data Output | Data Output | Data outputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers | |
| Control Input | Control Input | Control inputs which control the mode of the module are provided through dedicated parameters. | |
| Status Output | Status Output | Status output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation. |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Cryptographic Module Interfaces detail these interfaces are described in (Table 10): Table 10 - Ports and Interfaces The module is optimized for library use within the Device OS user space and does not contain any terminating assertions or exceptions. It is implemented as a Device OS dynamically loadable library. After the dynamically loadable library is loaded, its cryptographic functions are made available to the Device OS application. Any internal error detected by the module is returned to the caller with an appropriate return code. The calling Device OS application must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus Caller-induced or internal errors do not reveal any sensitive material to callers. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Roles | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Properties | Input | Output | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | Implicit | ||||||||||||
| KAS-ECC | KAS-ECC-SSC SP800- | Curves P-224, P-256, P-384, P-521 | Curves P-224, P-256, P-384, P-521 providing from 112 to 256 bits of encryption strength | KAS-ECC | KAS | EC Diffie-Hellman Shared Secret computation SP 800- 56ARev3. KAS-ECC per IG D.F Scenario 2 path (1) | KAS-ECC-SSC SP800- 56ARev3 / A2786, A2805 | ||||||||
| providing from 112 to 256 bits o | 56ARev3 / A2786, A280 | providing from 112 to 256 bits o | |||||||||||||
| KAS-FFC | Safe Prime Groups MODP-2048, MODP- | KAS-FFC | KAS | Diffie-Hellman Shared Secret Computation KAS-FFC per IG D.F Scenario 2 path (1). | KAS-FFC-SSC SP800- 56ARev3/ A2786, A2805 | ||||||||||
| KTS | 128, 192, and 256-bit AES keys providing | KTS | KTS | SP 800-38F, IG D.G. AES key wrapping and unwrapping | AES-KW/ A2786, A2805 AES-KW/ A2784, A2803 | ||||||||||
| Symmetric Encryption | Execute AES-mode encrypt operation | CO | W,E | AES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM | 1 | AES key, plaintext data | ciphertext data | ||||||||
| Symmetric Decryption | Execute AES-mode decrypt operation | CO | W,E | AES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM | 1 | AES key, ciphertext data | plaintext data |
| Name | Description | Roles | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Properties | Input | Output | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | Implicit | ||||||||||||
| KAS-ECC | KAS-ECC-SSC SP800- | Curves P-224, P-256, P-384, P-521 | Curves P-224, P-256, P-384, P-521 providing from 112 to 256 bits of encryption strength | KAS-ECC | KAS | EC Diffie-Hellman Shared Secret computation SP 800- 56ARev3. KAS-ECC per IG D.F Scenario 2 path (1) | KAS-ECC-SSC SP800- 56ARev3 / A2786, A2805 | ||||||||
| providing from 112 to 256 bits o | 56ARev3 / A2786, A280 | providing from 112 to 256 bits o | |||||||||||||
| KAS-FFC | Safe Prime Groups MODP-2048, MODP- | KAS-FFC | KAS | Diffie-Hellman Shared Secret Computation KAS-FFC per IG D.F Scenario 2 path (1). | KAS-FFC-SSC SP800- 56ARev3/ A2786, A2805 | ||||||||||
| KTS | 128, 192, and 256-bit AES keys providing | KTS | KTS | SP 800-38F, IG D.G. AES key wrapping and unwrapping | AES-KW/ A2786, A2805 AES-KW/ A2784, A2803 | ||||||||||
| Symmetric Encryption | Execute AES-mode encrypt operation | CO | W,E | AES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM | 1 | AES key, plaintext data | ciphertext data | ||||||||
| Symmetric Decryption | Execute AES-mode decrypt operation | CO | W,E | AES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM | 1 | AES key, ciphertext data | plaintext data |
| Name | Description | Roles | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Properties | Input | Output | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | Implicit | ||||||||||||
| KAS-ECC | KAS-ECC-SSC SP800- | Curves P-224, P-256, P-384, P-521 | Curves P-224, P-256, P-384, P-521 providing from 112 to 256 bits of encryption strength | KAS-ECC | KAS | EC Diffie-Hellman Shared Secret computation SP 800- 56ARev3. KAS-ECC per IG D.F Scenario 2 path (1) | KAS-ECC-SSC SP800- 56ARev3 / A2786, A2805 | ||||||||
| providing from 112 to 256 bits o | 56ARev3 / A2786, A280 | providing from 112 to 256 bits o | |||||||||||||
| KAS-FFC | Safe Prime Groups MODP-2048, MODP- | KAS-FFC | KAS | Diffie-Hellman Shared Secret Computation KAS-FFC per IG D.F Scenario 2 path (1). | KAS-FFC-SSC SP800- 56ARev3/ A2786, A2805 | ||||||||||
| KTS | 128, 192, and 256-bit AES keys providing | KTS | KTS | SP 800-38F, IG D.G. AES key wrapping and unwrapping | AES-KW/ A2786, A2805 AES-KW/ A2784, A2803 | ||||||||||
| Symmetric Encryption | Execute AES-mode encrypt operation | CO | W,E | AES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM | 1 | AES key, plaintext data | ciphertext data | ||||||||
| Symmetric Decryption | Execute AES-mode decrypt operation | CO | W,E | AES-CBC, AES-ECB, AES-CFB128, AES- CFB8, AES-OFB, AES- CTR, AES-XTS, AES- GCM, AES-CCM | 1 | AES key, ciphertext data | plaintext data |
| SP 800 | |
|---|---|
| 56ARev3. KAS-ECC per IG | |
| D.F Scenario 2 path (1) |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] 4.1 The module supports a single instance of one authorized role: the Crypto Officer. No support is provided for multiple concurrent operators. Table 11 - Roles 4.2 FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not support an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see - Approved Services and - Non-Approved Services below). 4.3 Services The module implements a dedicated API function (section "Modes of Operation" above) to indicate if a requested service utilizes an approved security function. For services listed in Table Approved Services, the W,E W,E This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Roles | Csps Accessed | Approved Functions | Indicator | Input | Output | ||
|---|---|---|---|---|---|---|---|---|---|
| Key Wrapping | Execute AES-key wrapping operation | CO | W, E | AES-KW | 1 | AES key-wrappin | wrapped key | g key | |
| key, un | key, un | wrapped | |||||||
| Key Unwrapping | Execute AES-key unwrapping operation | CO | W, E | AES-KW | 1 | AES key- wrappin | unwrapped key | ||
| Message Digest Generation | Generate a digest for the requested algorithm | CO | N/A | SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA- 512/256, MD52 | 1 | Message | message digest | ||
| Message Authentication Code (CMAC/HMAC) Generation | Generate a Message Authentication Code | CO | W, E | HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA-512/256, AES-CMAC | 1 | HMAC key or AES key, MAC algorithm, message | MAC | ||
| Message Authentication Code (CMAC) Verification | Verify a Message Authentication Code | CO | W, E | AES-CMAC | 1 | MAC, message, A | pass/fail | ||
| Signature generation (RSA) | Sign a message with a specified RSA private key. | CO | W, E | RSA SigGen | 1 | RSA private key, | computed signature | ||
| Signature verification (RSA) | Verify the signature of a message with a specified RSA public key. | CO | W, E | RSA SigVer | 1 | RSA public key, | pass/fail result | ||
| digital signature, | digital signature, | of digital | |||||||
| Signature generation (ECDSA) | Sign a message with a specified ECDSA private key | CO | W, E | ECDSA SigGen | 1 | ECDSA private ke | computed signature | ||
| Signature verification (ECDSA) | Verify the signature of a message with a specified ECDSA public key | CO | W, E | ECDSA SigVer | 1 | ECDSA public ke | pass/fail result | ||
| digital signature, | digital signature, | of digital | |||||||
| Random number generation | Generate Random number | CO | E/ G, W, E / G, W, E | CTR_DRBG | 1 | Entropy Input, DRBG seed, Internal, state V value, and key | random bit- string | ||
| Key Derivation (PBKDF) | Derive key from password | CO | W, E / G, R | PBKDF | 1 | PBKDF password | PBKDF derived key | ||
| Key Derivation (KBKDF) | Derive key from key derivation key | CO | W, E / G, R | KBKDF | 1 | KBKDF key derivation key | KBKDF derived key | ||
| Key pair generation (RSA) | Generate a keypair for a requested modulus | CO | G, R | RSA KeyGen, CKG | 1 | key size | RSA Key Pair | ||
| Key pair generation (ECDSA) | Generate a keypair for a requested elliptic curve | CO | G, R | ECDSA KeyGen, CKG | 1 | key size | ECDSA Key Pair | ||
| Public key validation (ECDSA) | Verify a public key for a requested elliptic curve | CO | E, W | ECDSA KeyVer | 1 | ECDSA public key | pass/fail result |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] message, hash message, hash message, hash message, hash W, E W, E N/A W, E W, E W, E random bitstring W, E E/ G, W, E / G, W, E W, E / G, R W, E / G, R G, R W, E W, E G, R E, W
2 non-approved but allowed for TLS 1.0/1.1. Used in the context of TLS in conjunction with the approved algorithm SHA-1. No security claimed.
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Roles | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|
| Safe primes key generation | Generate a keypair for a requested 'safe' domain parameter | CO | G, R | Safe primes key generation | 1 | domain parameter | DH Key Pair |
| Diffie-Hellman Shared Secret Computation | Generate a shared secret | CO | W, E/ W, E/ G, R | KAS-FFC-SSC | 1 | received DH public | DH shared secret |
| EC Diffie-Hellman Shared Secret Computation | Generate a shared secret | CO | W, E/ W, E/ G, R | KAS-ECC-SSC | 1 | received ECDH public | ECDH shared secret |
| Release all resources of hash context | Release all resources of hash context | CO | Z | N/A | 1 | HMAC key | N/A |
| Release of all resources of Diffie- Hellman context for Diffie-Hellman and EC Diffie-Hellman | Release of all resources of Diffie- Hellman context for Diffie-Hellman and EC Diffie-Hellman | CO | Z | N/A | 1 | Asymmetric keys (ECDH/DH) and shared secret | N/A |
| Release of all resources of asymmetric crypto function context | Release of all resources of asymmetric crypto function context | CO | Z | N/A | 1 | RSA/ ECDSA key pair | N/A |
| Release of all resources of key derivation function context | Release of all resources of key derivation function context | CO | Z | N/A | 1 | KBKDF key derivation key, PBKDF password, KBKDF and PBKDF derived key | N/A |
| Self-test | Execute the CASTs | CO | N/A | Algorithms listed in table Table 19 | 1 | None | pass/fail results |
| Show Status | Return the module status | CO | N/A | N/A | None | None | status output |
| Show Module Info | Return Module Base Name and Module Version Number | CO | N/A | N/A | None | None | name and version information |
| Name | Description | Role | Access |
|---|---|---|---|
| Triple-DES encryption / decryption | Modes CBC, CTR, CFB64, ECB, CFB8, OFB | CO | Triple-DES |
| RSA Key Encapsulation | The CAST does not perform the full KTS, only the raw RSA encrypt/ decrypt. | CO | RSA encrypt/ decrypt |
| RSA Key-pair Generation | ANSI X9.31 Key-pair Generation Key Size < 2048 | CO | RSA KeyGen |
| RSA Signature Generation | PKCS#1 v1.5 and PSS Signature Generation Key Size < 2048 | CO | RSA Signature Generation |
| RSA Signature Verification | PKCS#1 v1.5 and PSS Signature Verification Key Size < 1024 | CO | RSA Signature Verification |
| Diffie Hellman Shared Secret Computation | for key sizes < 2048 | CO | Diffie Hellman Shared Secret Computation |
| EC Diffie Hellman Shared Secret Computation | for curve sizes < P-224 | CO | EC Diffie Hellman Shared Secret Computation |
| ECDSA Key-pair Generation (PKG) and ECDSA Key Validation (PKV) | ECDSA PKG and PKV using curve P-192 | CO | ECDSA Key Generation, ECDSA Key Validation |
| ECDSA Signature Generation | ECDSA Signature Generation using curve P-192 | CO | ECDSA Signature Generation |
| ECDSA Signature Verification | ECDSA Signature Verification using curve P-192 | CO | ECDSA Signature Verification |
| ECDSA Key Pair Generation for compact point representation of points | Key Pair Generation for compact point representation of points | CO | ECDSA Key Generation |
| EdDSA Key Generation | Key Generation with Ed25519 | CO | EdDSA Key Generation |
| EdDSA Signature Generation | Signature Generation with Ed25519 | CO | EdDSA Signature Generation |
| EdDSA Signature Verification | Signature Verification with Ed25519 | CO | EdDSA Signature Verification |
| EdDSA Key Agreement | Key Agreement with X25519 | CO | EdDSA Key Agreement |
| ECIES | Elliptic Curve encrypt | CO | ECIES Encrypt |
| ANSI X9.63 Key Derivation | SHA-1 hash-based | CO | SHA-1 |
| SP800-56Crev2 Key Derivation (HKDF) | SHA-256 hash-based | CO | SHA-256 |
| RFC6637 Key Derivation | SHA hash based | CO | SHA-256, SHA-512, AES-128, AES-256 |
| OMAC Message Authentication Code Generation and Verification | One-Key CBC-MAC using 128-bit key | CO | OMAC |
| Message digest generation | Message digest generation using non-approved algorithms | CO | MD2, MD4 RIPEMD |
| Authenticated Encryption / decryption | Encrypt a plaintext / Decrypt a ciphertext | CO | AES-GCM using external IV |
| (other) symmetric encryption / decryption | symmetric encryption / decryption using non-approved algorithms | CO | Blowfish, CAST5, DES, RC2, RC4 |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] G, R W, E/ W, E/ G, R W, E/ W, E/ G, R N/A N/A Z N/A N/A Z N/A N/A Z N/A N/A Z N/A Z N/A N/A N/A N/A N/A Table 13 - Approved Services The abbreviations of the access rights to SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. N/A = The service does not access any SSP during its operation. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table 14 - Non-Approved Services This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Software/Firmware security 5.1 Integrity Techniques The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] which is made up of a single component, is provided in the form of binary executable code. A software integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e., the module is not operational. 5.2 On-Demand Integrity Test The module’s integrity test can be performed on demand by power-cycling the computing platform. Integrity test on demand is performed as part of the Pre-Operational Self-Tests, automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Operational Environment The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module is supplied as part of Device OS, a commercially available general-purpose operating system executing on the computing platforms specified in section 2. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Physical Security The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Non-invasive Security Currently, the ISO/IEC 19790:2012 non-invasive security area is not required by FIPS 140-3 (see NIST SP 800140F). The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Strength | Security Function | Generation | Establishment | Storage | Import Export | Key /SSP Name/ Type | Zeroisation |
|---|---|---|---|---|---|---|---|---|
| Use: Symmetric Encryption and Decryption; message authentication code (CMAC) Related keys: N/A | 128 - 256 bits | AES-CBC (A2783, A2784, A2785, A2786, A2802, A2803, A2804, A2805) AES-CCM (A2784, A2786, A2787, A2803, A2805, A2806) AES-CFB8, (A2784, A2786, A2803, A2805) AES-CFB128 (A2783, A2784, A2786, A2802, A2803, A2805) AES-CMAC (A2786, A2805) AES-CTR (A2784, A2786, A2787, A2803, A2805, A2806) AES-ECB (A2783, A2784, A2786. A2787, A2802, A2803, A2805, A2806) AES-GCM (A2784, A2786, A2787, A2803, A2805, A2806) AES- OFB (A2783, A2784, A2786, A2802, A2805, A2803) AES-XTS (A2783, A2784, A2786, A2802, A2803, A2805) | N/A | N/A | RAM | Import from calling applicati on No Export | AES Key / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: Key Wrapping Related keys: N/A | 128 - 256 bits | AES-KW (A2784, A2803, A2786, A2805) | N/A | N/A | RAM | Import from calling applicati on No Export | AES key- wrapping Key / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: Message authentication code generation (HMAC) Related keys: N/A | 128- 256 bits | HMAC-SHA-1, HMAC- SHA-224, HMAC-SHA- 256, HMAC-SHA-384, HMAC-SHA-512, HMAC-SHA-512/256 (A2788, A2807, A2786, A2805, A2789, A2808) | N/A | N/A | RAM | Import from calling applicati on No Export | HMAC Key / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: Digital Signature verification Related keys: DRBG internal state, ECDSA private key | 112 - 256 bits | ECDSA KeyGen (A2788, A2807, A2786, A2805) | The key pairs are generated conformant to SP800- 133rev2 (CKG) using FIPS186-4 Key Generation method, and the random value used in the key generation is generated using SP800- 90Arev1 DRBG | N/A | RAM | Import and Export to calling applicati on for key pair only. Intermed iate keygen values are not output. | ECDSA public key (including intermediate keygen values) / PSP | Automatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the module returns from the key generation function. |
| Use: Digital Signature generation Related keys: DRBG internal state, ECDSA public key | ECDSA private key (including intermediate keygen values) / CSP | |||||||
| Use: Digital Signature verification Related keys: DRBG internal state, RSA private key | 112 - 150 bits | RSA KeyGen (A2788, A2807, A2786, A2805) | The key pairs are generated conformant to SP800- 133rev2 (CKG) using FIPS186-4 Key Generation method, and the random value used in the key generation is generated using SP800- 90Arev1 DRBG | N/A | RAM | Import and Export to calling applicati on for key pair only. Intermed iate keygen values are not output. | RSA public key (including intermediate keygen values) / PSP | Automatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the module returns from the key generation function. |
| Use: Digital Signature generation Related keys: DRBG internal state, RSA public key | N/A | RSA private key (including intermediate keygen values) / CSP | ||||||
| Use Random Number Generation Related keys: DRBG seed | 256 bits | Random Number Generation E14, E15 (see PUD referenced in section 11.2) | Obtained from two entropy sources | N/A | RAM | N/A | DRBG Entropy Input / CSP (IG D.L) | When the system is powered down |
| Use: Random Number Generation Related keys: DRBG entropy input, DRBG internal state | 256 bits | CTR_DRBG (A2787, A2806, A2786, A2805, A2784, A2803) | Derived from entropy input as defined by SP800- 90Arev1 | N/A | RAM | N/A | DRBG Seed / CSP (IG D.L) | When the system is powered down |
| Use: Random Number Generation Related keys: DRBG seed | 256 bits | CTR_DRBG (A2787, A2806, A2786, A2805, A2784, A2803) | Derived from seed as defined by SP800- 90Arev1 | N/A | RAM | N/A | DRBG Internal State V value, and Key / CSP (IG D.L) | When the system is powered down |
| Use: PBKDF Key Derivation Related keys: PBKDF password | 128 - 256 bits | PBKDF (A2788 , A2807, A2786, A2805) | Internally generated via SP800- 132 PBKDF | N/A | RAM | No Import Export to calling applicati on | PBKDF Derived Keys / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: PBKDF Key Derivation Related keys: PBKDF derived key | N/A | PBKDF (A2788 , A2807, A2786, A2805) | N/A | N/A | RAM | imported from calling applicati on No Export | PBKDF Password / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: KBKDF Key Derivation Related keys: KBKDF derived key | 128 - 256 bits | KBKDF (A2788 , A2807, A2786, A2805) | N/A | N/A | RAM | imported from calling applicati on No Export | KBKDF Key Derivation Key / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: KBKDF Key Derivation Related keys: KBKDF Key Derivation Key | 128 - 256 bits | KBKDF (A2788 , A2807, A2786, A2805) | Generated via SP800- 108rev1 KBKDF | N/A | RAM | No Import Export to calling applicati on | KBKDF Derived Key / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: Diffie- Hellman shared secret computation Related keys: DRBG internal state, Diffie- Hellman Shared Secret | 112 - 200 bits | KAS-FFC-SSC (A2786, A2805) | The key pairs are generated conformant to SP800- 133rev2 (CKG) using Safe-prime groups MODP groups belonging to (RFC 3526) | N/A | RAM | Import from calling applicati on Export to calling applicati on | DH public, private keys (including intermediate keygen values) / PSP- CSP | Automatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the |
| Use: None Related keys:, DH private and public keys | 112 - 200 bits | KAS-FFC-SSC (A2786, A2805) | N/A | Establishe d using SP800- 56Arev3 KAS-FFC- SSC | RAM | No Import Export to calling applicati on | DH Shared Secret / CSP | Automatic zeroisation when structure is deallocated or when the system is powered down |
| Use: ECDH Shared secret computation Related keys: EC Diffie- Hellman Shared Secret | 112 - 256 bits | KAS-ECC-SSC (A2786, A2805) | The key pairs are generated conformant to SP800- 133rev2 (CKG) using FIPS 186-4 Key Generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG | N/A | RAM | Import from and Export to calling applicati on for key pair only. Intermed iate keygen values are not output. | ECDH public, private keys (including intermediate keygen values) / PSP- CSP | Automatic zeroisation when structure is deallocated or when the system is powered down. Intermediate keygen values are zeroized before the module returns from the key generation function. |
| Use: None Related keys: ECDH private and public keys | 112 - 256 bits | KAS-ECC-SSC (A2786, A2805) | N/A | Establishe d using SP800- 56Arev3 KAS-ECC- SSC | RAM | No Import Export to calling applicati on | ECDH Shared Secret | Automatic zeroisation when structure is deallocated or when the system is powered down |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Sensitive Security Parameter Management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module: N/A N/A N/A N/A N/A N/A N/A N/A 128256 N/A This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A N/A to SP800133rev2 using SP80090Arev1 to SP800133rev2 using SP80090Arev1 N/A N/A N/A SP80090Arev1 N/A N/A This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] SP80090Arev1 N/A N/A N/A N/A N/A N/A N/A N/A via SP800108rev1 N/A values) / PSPCSP to SP800133rev2 N/A state, DiffieHellman This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] N/A SP80056Arev3 KAS-FFCSSC values) / PSPCSP N/A to SP800133rev2 using SP80090Arev1 N/A SP80056Arev3 KAS-ECCSSC EC DiffieHellman Table 15 - SSPs 9.1 The NIST SP 800-90Arev1 approved deterministic random bit generator is a CTR_DRBG based on block cipher. The CTR_DRBG is using AES-256 with derivation function and without prediction resistance. The module performs DRBG health tests according to section 11.3 of [SP800-90Arev1]. The deterministic random bit generators are seeded by /dev/random. The /dev/random is the User Space interface. No non-DRBG functions or instances are able to access the DRBG internal state This document may be reproduced and distributed only in its original entirely without revision.
| Name | Key Size | ||
|---|---|---|---|
| Details | Entropy Sources | Minimum number of | |
| The entropy source consists of twenty-four Free Ring Oscillator (FROs) with a vetted conditioning function SHA-256 (ACVP cert. # C1223) | 256 bits | ESV #E14 (Apple corecrypto physical entropy source) | |
| The non-physical entropy source is based upon interrupt timings with a vetted conditioning function SHA-256 (ACVP certs. # A2797, A2869) | 256 bits | ESV #E15 (Apple corecrypto non-physical entropy source) |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Two entropy sources (one non-physical entropy source and one physical entropy source) residing within the TOEPP provide the random bits. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The output of entropy pool provides 256-bits of entropy to seed and reseed SP800-90Arev1 DRBG during initialization (seed) and reseeding (reseed). Table 16
1 (vendor affirmed), compliant with [FIPS186-4], and using DRBG compliant with [SP800-90A]. A seed (i.e., the
random value) used in asymmetric key generation is obtained from [SP800-90A] DRBG. The key generation service for RSA, ECDSA, Diffie-Hellman and EC Diffie-Hellman as well as the [SP 800-90A] DRBG have been ACVT tested with algorithm certificates found in Table 6. The key derivation functions are as follows:
| Name | Type | Description |
|---|---|---|
| RAM | dynamic | The module stores ephemeral keys/SSPs in RAM provided by the operational environment. They are received for use or generated by the module only at the command of the calling application. The operating system protects all keys/SSPs through the memory separation and protection mechanisms. No process other than the module itself can access the keys/SSPs in its process’ memory. |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] The module implements a Key Transport Scheme (KTS) using AES-KW compliant to [SP800-38F], IG D.G. The SSP establishment methodology provides between 128 and 256 bits of encryption strength.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | I | Indicator | Condition |
|---|---|---|---|---|---|---|---|---|
| HMAC-SHA-256 | HMAC-SHA-256 | Message Authentication | Software Integrity | 112-bit key | Module successful execution | |||
| AES-GCM AES-CCM | AES-GCM AES-CCM | KAT | CAST | Authenticated decryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| AES-ECB AES-CBC AES-XTS (Testing Revision 2.0) | AES-ECB AES-CBC AES-XTS (Testing Revision 2.0) | KAT | CAST | Encryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| AES-ECB AES-CBC | AES-ECB AES-CBC | KAT | CAST | Decryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| AES-CCM AES-CMAC | AES-CCM AES-CMAC | KAT | CAST | Authenticated encryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| CTR_DRBG | CTR_DRBG | KAT | CAST | KAT and Health test per SP800-90Arev1 section 11.3 | AES 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| HMAC-SHA-256 | HMAC-SHA-256 | KAT | CAST | Message authentication | SHA2-256 | Module becomes operational | Test runs at Power-on before the integrity test | |
| HMAC-SHA-1 | HMAC-SHA-1 | KAT | CAST | Message authentication | SHA-1 | Module becomes operational | Test runs at Power-on before the integrity test |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | I | Indicator | Condition |
|---|---|---|---|---|---|---|---|---|
| HMAC-SHA-256 | HMAC-SHA-256 | Message Authentication | Software Integrity | 112-bit key | Module successful execution | |||
| AES-GCM AES-CCM | AES-GCM AES-CCM | KAT | CAST | Authenticated decryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| AES-ECB AES-CBC AES-XTS (Testing Revision 2.0) | AES-ECB AES-CBC AES-XTS (Testing Revision 2.0) | KAT | CAST | Encryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| AES-ECB AES-CBC | AES-ECB AES-CBC | KAT | CAST | Decryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| AES-CCM AES-CMAC | AES-CCM AES-CMAC | KAT | CAST | Authenticated encryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| CTR_DRBG | CTR_DRBG | KAT | CAST | KAT and Health test per SP800-90Arev1 section 11.3 | AES 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test | |
| HMAC-SHA-256 | HMAC-SHA-256 | KAT | CAST | Message authentication | SHA2-256 | Module becomes operational | Test runs at Power-on before the integrity test | |
| HMAC-SHA-1 | HMAC-SHA-1 | KAT | CAST | Message authentication | SHA-1 | Module becomes operational | Test runs at Power-on before the integrity test | |
| HMAC-SHA-512 | HMAC-SHA-512 | KAT | CAST | Message authentication | SHA2-512 | Module becomes operational | Test runs at Power-on before the integrity test | |
| SHA-1 SHA-256 SHA-512 | SHA-1 SHA-256 SHA-512 | KAT | CAST | Message digest | CAST is covered by higher level HMAC KAT per IG 10.3.B | Module becomes operational | Test runs at Power-on before the integrity test | |
| RSA Signature Generation | RSA Signature Generation | KAT | CAST | Signature Generation or Key Generation service request | 2048-bit modulus with SHA-256 | Module becomes operational | Test runs at Power-on before the integrity test | |
| RSA Signature Verification | RSA Signature Verification | KAT | CAST | Signature Verification or Signature Verification or Key Generation service request | 2048-bit modulus with SHA-256 | Module becomes operational | Test runs at Power-on before the integrity test | |
| ECDSA Signature Generation | ECDSA Signature Generation | KAT | CAST | Signature Generation or Key Generation service request | P-224 curve with SHA-224 | Module becomes operational | Test runs at Power-on before the integrity test | |
| ECDSA Signature Verification | ECDSA Signature Verification | KAT | CAST | Signature Verification or Key Generation service request | P-224 curve with SHA-224 | Module becomes operational | Test runs at Power-on before the integrity test | |
| Diffie-Hellman shared secret computation | Diffie-Hellman shared secret computation | KAT | CAST | Shared secret computation | MODP-2048 | Module becomes operational | Test runs at Power-on before the integrity test | |
| EC Diffie-Hellman shared secret computation | EC Diffie-Hellman shared secret computation | KAT | CAST | Shared secret computation | P-224 curve | Module becomes operational | Test runs at Power-on before the integrity test | |
| PBKDF | PBKDF | KAT | CAST | Key Derivation | SHA-1, SHA-256, SHA-512 | Module becomes operational | Test runs at Power-on before the integrity test | |
| KBKDF | KBKDF | KAT | CAST | Key Derivation | Counter mode using SHA-1, SHA- 256, SHA-512 | Module becomes operational | Test runs at Power-on before the integrity test |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
While the module is executing the self-tests, services are not available, and input and output are inhibited. If the test fails either pre-operational and conditional self-tests, the module reports an error message indicating the cause of the failure and enters the Error State (See section 10.3). The module permits operators to initiate the pre-operational or conditional self-tests for on demand and periodic testing by rebooting the system (i.e., power-cycling). 10.1 The module performs a pre-operational software integrity test automatically when the module is loaded into performed on the runtime image of the Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] with HMAC-SHA256 which is an approved integrity technique. The HMAC value of the runtime image is recalculated and compared with the stored HMAC value precomputed at compilation time Table 18 - Preoperational Self-Tests
This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Table 19
The Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] generates RSA, Diffie-Hellman, EC DiffieHellman and ECDSA asymmetric keys and performs a pair-wise consistency tests on the newly generated key pairs. Error States If any of the above-mentioned self-tests described in Sections 10.1, 10.2.1 or 10.2.2 fail, the module reports the cause of the error and enters an error state. In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to power cycle the device which results in the module being reloaded into memory and reperforming the pre-operational self-test and the conditional This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Error State | The HMAC-SHA-256 value computed over the module did not match the pre-computed value | Pre-operational Software Integrity Test failure | Error message “FAILED: fipspost_post_integrity” is sent to the caller | module reset |
| Error State | The computed value in the invoked Conditional CAST did not match the known value | Conditional CAST failure | Error message “FAILED:<event>” sent to the caller (<event> refers to any of the cryptographic functions listed in Table 19.) | module reset |
| Error State | The signature failed to verify successfully in the Conditional PCT. | Conditional PCT failure | Error message “CCEC_GENERATE_KEY_CONSISTENCY” returned for EC Error message “CCRSA_GENERATE_KEY_CONSISTENCY” returned for RSA Error message “CCDH_GENERATE_KEY_CONSISTENCY” returned for DH | module reset |
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] algorithm self-tests. The module will only enter into the operational state after successfully passing the preoperational self-test and the conditional self-tests. Table 20- Error states This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
11.1 Installation, Initialization, and Startup Procedures Startup Procedures: The module is built into Device OS defined in section 2 and delivered with the respective Device OS. There is no standalone delivery of the module as a software library. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self-tests. 11.2 Crypto Officer Guidance The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 14 - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E14_PublicUse.pdf The ESV Public Use Document (PUD) reference for non-physical entropy source is: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/15 Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation. 11.3 Non-Administrator Guidance Not Applicable 11.4 Design and Rules The Crypto Officer shall consider the following requirements and restrictions when using the module.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] The GCM IV generation follows RFC 4106 and shall only be used for the IPsec-v3 protocol version 3. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the IPsec protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the IPsec protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. In both protocols in case the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the module; however, it is met implicitly. The module does not retain any state when power is lost. As indicated in Table 11, column Storage, the module exclusively uses volatile storage. This means that AES-GCM key/IVs are not persistently stored during power off: therefore, there is no re-connection possible when the power is back on with re-generation of the key used for GCM. After restoration of the power, the user of the module (e.g., TLS, IKE) along with User application that implements the protocol, must perform a complete new key establishment operation using new random numbers (Entropy input string, DRBG seed, DRBG internal state V and Key, shared secret values that are not retained during power cycle, see table 11) with subsequent KDF operations to establish a new GCM key/IV pair on either side of the network communication channel. These protocols have not been reviewed or tested by the CAVP and CMVP.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1]
The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Appendix A. AES CAVP CAST CAST5 CBC CCM CFB CMAC CMVP CSP CTR DRBG ECB ESVP FFC FIPS GCM HMAC KAS KAT KBKDF KDF KW MAC NIST OAEP OFB PAA PBKDF PKG PKV PRF PSS PUD RSA SHA SHS SSC TOEPP XTS Glossary and Abbreviations Advanced Encryption Standard Cryptographic Algorithm Validation Program Cryptographic Algorithm Self-Test A symmetric-key 64-bit block cipher with 128-bit key Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Mode Deterministic Random Bit Generator Electronic Code Book Entropy Source Validation Program Finite Field Cryptography Federal Information Processing Standards Publication Galois Counter Mode Hash Message Authentication Code Key Agreement Schema Known Answer Test Key Based Key Derivation Function Key Derivation Function AES Key Wrap Message Authentication Code National Institute of Science and Technology Optimal Asymmetric Encryption Padding Output Feedback Processor Algorithm Acceleration Password Based Key Derivation Function Key-Pair Generation Public Key Validation Pseudo-Random Function Probabilistic Signature Scheme Public Use Document Rivest, Shamir, Adleman Secure Hash Algorithm Secure Hash Standard Shared Secret Computation Tested Operational Environment Physical Perimeter XEX-based Tweaked-codebook mode with cipher text Stealing This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program August 2023 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%201403/Draft%20FIPS-140-3-CMVP%20Management%20Manual%2009-18-2020.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140B CMVP Security Policy Requirements https://csrc.nist.gov/publications/detail/sp/800-140b/final SP 800-140C CMVP Approved Security Functions https://csrc.nist.gov/publications/detail/sp/800-140c/final SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140d/final SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019, https://doi.org/10.6028/NIST.SP.800-52r2 SP800-56Arev3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography April, 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Brev2 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf SP800-56Crev2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800-90Arev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108r1 NIST Special Publication 800-108r1-upd1 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP800-131Arev2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133rev2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf platform certifications Apple Security Certifications and Compliance Center https://support.apple.com/en-gw/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.