All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility

Certificate#4847StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorKeysight Technologies
Low review priority  ·  exposes network crypto parser/protocol  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/28/2029
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorKeysight Technologies

Approved Algorithms (83)

AlgorithmACVP Cert
AES-CBCA7176
AES-CBC-CS1A7176
AES-CBC-CS2A7176
AES-CBC-CS3A7176
AES-CCMA7176
AES-CFB128A7176
AES-CFB8A7176
AES-CMACA7176
AES-CTRA7176
AES-ECBA7176
AES-FF1A7176
AES-GCMA7176
AES-GMACA7176
AES-KWA7176
AES-KWPA7176
AES-OFBA7176
Counter DRBGA7176
cSHAKE-128A7176
cSHAKE-256A7176
DSA KeyGen (FIPS186-4)A7176
DSA PQGGen (FIPS186-4)A7176
DSA PQGVer (FIPS186-4)A7176
DSA SigGen (FIPS186-4)A7176
DSA SigVer (FIPS186-4)A7176
ECDSA KeyGen (FIPS186-4)A7176
ECDSA KeyVer (FIPS186-4)A7176
ECDSA SigGen (FIPS186-4)A7176
ECDSA SigVer (FIPS186-4)A7176
Hash DRBGA7176
HMAC DRBGA7176
HMAC-SHA-1A7176
HMAC-SHA2-224A7176
HMAC-SHA2-256A7176
HMAC-SHA2-384A7176
HMAC-SHA2-512A7176
HMAC-SHA2-512/224A7176
HMAC-SHA2-512/256A7176
HMAC-SHA3-224A7176
HMAC-SHA3-256A7176
HMAC-SHA3-384A7176
HMAC-SHA3-512A7176
KAS-ECC Sp800-56Ar3A7176
KAS-FFC Sp800-56Ar3A7176
KAS-IFCA7176
KDA HKDF SP800-56Cr2A7176
KDA OneStep SP800-56Cr2A7176
KDA TwoStep SP800-56Cr2A7176
KDF ANS 9.63A7176
KDF IKEv2A7176
KDF SNMPA7176
KDF SP800-108A7176
KDF SRTPA7176
KDF SSHA7176
KDF TLSA7176
KMAC-128A7176
KMAC-256A7176
KTS-IFCA7176
ParallelHash-128A7176
ParallelHash-256A7176
PBKDFA7176
RSA Decryption PrimitiveA7176
RSA KeyGen (FIPS186-4)A7176
RSA SigGen (FIPS186-4)A7176
RSA Signature PrimitiveA7176
RSA SigVer (FIPS186-2)A7176
RSA SigVer (FIPS186-4)A7176
Safe Primes Key GenerationA7176
Safe Primes Key VerificationA7176
SHA-1A7176
SHA2-224A7176
SHA2-256A7176
SHA2-384A7176
SHA2-512A7176
SHA2-512/224A7176
SHA2-512/256A7176
SHA3-224A7176
SHA3-256A7176
SHA3-384A7176
SHA3-512A7176
SHAKE-128A7176
SHAKE-256A7176
TupleHash-128A7176
TupleHash-256A7176

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Document Version 1.2 July 30, 2025 Prepared for: Prepared by: Keysight Technologies

8310 N. Capital of Texas Hwy

Bldg. 2, Suite 300 Austin, TX 78731 keysight.com KeyPair Consulting Inc.

987 Osos Street

San Luis Obispo, CA 93401 +1 805.316.5024 keypair.us

Page 2

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table of Contents

Page 3

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility List of Tables List of Figures

Page 4
Security level
NameISO SectionRequirementLevelGeneral
2Cryptographic Module Specification21
331Cryptographic Module Interfaces
4Roles, Services, and Authentication41
551Software/Firmware Security
6Operational Environment61
77N/APhysical Security
8Non-Invasive Security8N/A
991Sensitive Security Parameter Management
10Self-Tests101
11111Life-Cycle Assurance
12Mitigation of Other Attacks121

Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Introduction This document defines the Security Policy for the Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility, hereafter denoted the module. The module is a cryptographic library and has a Multi-Chip Stand Alone embodiment. The module meets FIPS 140-3 overall Level 1 requirements. The SW version is 2.0.0. The FIPS 140-3 security levels for the module are given in Table 1 as follows: Table 1. Security Levels 1.1 N/A N/A Confirming the Module Checksum, Functionality, and Versioning The module checksum, functionality, and versioning can be confirmed by executing the command: java ‐cp bc‐fips‐2.0.0.jar org.bouncycastle.util.DumpInfo which should display: Version Info: BouncyCastle Security Provider (FIPS edition) v2.0.0 FIPS Ready Status: READY Module SHA‐256 HMAC: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e Indicating the jar represents the software release 2.0.0, that it has successfully passed all its startup tests, and that the software release is confirmed to have a HMAC of: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e

Page 5

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Cryptographic Module Specification The module is intended for use by US Federal agencies and other markets that require a FIPS 140-3 validated Cryptographic Library. The module is of type software and the module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips2.0.0.jar. This module is the only software component within the Cryptographic Boundary and the only software component that carries out cryptographic functions covered by FIPS 140-3. Figure 1 shows the logical relationship of the cryptographic module to the other software and hardware components of the computer. The BC classes are executed on the Java Virtual Machine (JVM) using the classes of the Java Runtime Environment (JRE). The JVM is the interface to the computer’s Operating System (OS) that is the interface to the various physical components of the computer. Figure 1. Cryptographic Boundary

Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1NVOS 6.7 with Java SE Runtime Environment v8 (1.8)Vision ONEIntel i7 3555LE (Ivy Bridge)Without PAA1
1Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE RuntimeVision Edge 40 Network Packet Broker (NPB) with Intel x8611
Environment v8 (1.8)Environment v8 (1.8)Atom® (Rangely) C2538 processor
22Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision 7712 NPB with Intel x86 Atom® (Rangely) C2538 processor
3Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime3Vision 5812 NPB with Intel x86 Atom® (Rangely) C2538 processor
44Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision Edge 100 NPB with Intel Xeon D-1518 (Broadwell) processor
5Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime5Vision Edge 50 NPB with Intel Xeon D-1518 (Broadwell) processor
66Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision 7816 NPB with Intel Xeon D-1518 (Broadwell) processor
7Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime7Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor
88AppStack release 4.16.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v17 (1.17) container on MakoOS v2.1.1 and laterVision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor, including Visibility Application Module with Intel Xeon E5-2695 (Broadwell)
9Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor,9SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later
1010Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1NVOS 6.7 with Java SE Runtime Environment v8 (1.8)Vision ONEIntel i7 3555LE (Ivy Bridge)Without PAA1
1Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE RuntimeVision Edge 40 Network Packet Broker (NPB) with Intel x8611
Environment v8 (1.8)Environment v8 (1.8)Atom® (Rangely) C2538 processor
22Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision 7712 NPB with Intel x86 Atom® (Rangely) C2538 processor
3Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime3Vision 5812 NPB with Intel x86 Atom® (Rangely) C2538 processor
44Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision Edge 100 NPB with Intel Xeon D-1518 (Broadwell) processor
5Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime5Vision Edge 50 NPB with Intel Xeon D-1518 (Broadwell) processor
66Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision 7816 NPB with Intel Xeon D-1518 (Broadwell) processor
7Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime7Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor
88AppStack release 4.16.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v17 (1.17) container on MakoOS v2.1.1 and laterVision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor, including Visibility Application Module with Intel Xeon E5-2695 (Broadwell)
9Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor,9SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later
1010Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor
11AppStack release 4.18.0 (requires NPB release 6.9.0) and later running Debian version 12.5 withVision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor,1111AppStack release 4.18.0 (requires NPB release 6.9.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later
Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and laterJava SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and laterincluding MVX-AM4PC module with Intel Xeon-D 2718NT
1212SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and laterVision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor, including MVX-AM4PC module with Intel Xeon-D 2718NT (Skylake-D)
13Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime13TradeVision NPB with Intel i7 3555LE (Ivy Bridge) processor
1414Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8)Vision Edge 10S NPB with Intel Celeron 3965U (Kaby Lake) processor
15Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SEVision 9516 NPB with Intel Pentium D-1517 (Broadwell)15
Runtime Environment v8 (1.8)Runtime Environment v8 (1.8)processor
1616Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE Runtime Environment v8 (1.8)Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor
17AppStack release 4.18.0 (requires NPB release 6.9.0) and later running on Debian 12.5 with Java17Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor
1818SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running on Debian 12.5 with Java SE Runtime Environment v11 (1.11) containerVision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor
19Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SEVision Edge 400S NPB with Intel Xeon D-1714) (Icelake-D)19
Runtime Environment v8 (1.8)Runtime Environment v8 (1.8)processor
2020Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE Runtime Environment v8 (1.8)Vision Edge 400P NPB with Intel Xeon D-1627 (Hewitt Lake) processor
21Vision NPB release 6.9.0 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SEVision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D)21
Runtime Environment v8 (1.8)Runtime Environment v8 (1.8)processor
2222AppStack release 4.18.0 (requires NPB release 6.9.0) and later running on Debian 12.5 with Java SE Runtime Environment v17 (1.17) containerVision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) processor
23SecureStack release 2.14.0 (requires NPB release 6.9.0) and later running on Debian 12.5 withVision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D)23
Java SE Runtime Environment v11 (1.11) containerJava SE Runtime Environment v11 (1.11) containerprocessor

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The cryptographic module was tested on the following operational environments on the general-purpose computer (GPC) platforms detailed in Table 2, which is also the TOEPP (Tested Operational Environment’s Physical Perimeter) of the module. Table

  1. Tested Operational Environments # The cryptographic module will remain compliant with the FIPS 140-3 validation when operating on any general-purpose computer (GPC) provided that:
  2. No source code has been modified.
  3. The GPC uses the specified single-user platform, or another compatible single-user platform such as one of the Java SE Runtime Environments listed on any of the following: Table
  4. Vendor Affirmed Operational Environments #
Page 7

FIPS 140-3 Security Policy # Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility For the avoidance of doubt, it is hereby stated that the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. The module implements the Approved and Non-Approved but Allowed cryptographic functions with no security claimed listed in Table 4 and Table 5 below. There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. The module supports both Approved and Non-Approved mode of operation. Please see Section 6.3 for configuration of the module in Approved mode of operation. Please see Section 11 for initialization steps.

Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionUse / Function
AESA7176ECB, CBC, OFB, CFB8,Key sizes: 128, 192, 256 bitsEncryption, DecryptionA7176ECB, CBC, OFB, CFB8, CFB128, CTR, FF1Key sizes: 128, 192, 256 bitsEncryption, Decryption
[FIPS 197, SP 800-38A], AESFF1CFB128, CTR, FF1
A7176A7176CBC-CS1, CBC-CS2, CBC-CS3Key sizes: 128, 192, 256 bitsEncryption, DecryptionAES-CBC Ciphertext Stealing (CS) [Addendum to SP 800-38A, Oct 2010]
CCMA7176N/AKey sizes: 128, 192, 256 bitsGeneration, Authentication
A7176A7176AESKey sizes: AES with 128, 192, 256 bitsGeneration, AuthenticationCMAC [SP 800-38B]
GCM/GMAC1A7176N/AKey sizes: 128, 192, 256 bitsGeneration, Authentication
A7176A7176N/AAES-128, AES-192, AES-256AES-CTR DRBGCounter DRBG [SP 800-90Ar1]
Hash DRBGSHA sizes: SHA-1, SHA2-224,A7176N/AHash DRBG
[SP 800-90Ar1]SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256
A7176A7176N/ASHA sizes: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256HMAC DRBGHMAC DRBG [SP 800-90Ar1]
A7176PQG Generation, PQGA7176N/AKey sizes: 1024, 2048, 3072 bits (1024 only for SigVer)DSA2 [FIPS 186-4]
A7176A7176N/ACurves/Key sizes: P-192*, P-224, P-256, P-384, P-521, K163*, K-233, K-283, K-409, K-571, B-163*, B-233, B283, B-409, B-571 * Curves only used for Signature Verification and Public Key ValidationPublic Key Generation, Signature Generation, Signature Verification, Public Key ValidationECDSA [FIPS 186-4]
A7176PRFs: HMAC SHA-1, HMAC SHA-224, HMAC SHA-256,A7176N/AKey DerivationKDA-HKDF [SP 800-56C-rev2]
A7176A7176N/ASHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512Generation, AuthenticationHMAC [FIPS 198-1]
A7176Domain Parameter GenerationA7176N/AKey AgreementKAS-FFC3 [SP 800-56A-rev3]
A7176A7176N/ADomain Parameter Generation Methods/Scheme: P-224, P-256, P-384, P-521,K-233, K283, K-409, K-571, B-233, B-283, B-409, B-571 ephemeralUnified, fullMqv, fullUnified, onePassDh, onePassMqv, onePassUnified, staticUnified Curves specified above providing between 112 and 256 bits of encryption strengthKey AgreementKAS-ECC3 [SP 800-56A-rev3]
A7176PRFs: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,A7176N/AKey DerivationKDA, One Step [SP 800-56C-rev2]
A7176A7176N/APRFs: HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512, HMAC SHA-512/224, HMAC SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3-512, KMAC-128, KMAC-256Key DerivationKDA, Two Step [SP 800-56C-rev2]
KDF, Existing Application-Specific4CVLTLS v1.0/1.1 KDFN/AKey Derivation
[SP 800-135-rev1]A7176SHA sizes: SHA2-256, SHA2-384, SHA2-512
CVL A7176CVL A7176N/ATLS 1.2 KDF SHA sizes: SHA2-256, SHA2-384, SHA2-512Key DerivationKDF, Existing Application-Specific4 [SP 800-135-rev1]
KDF, Existing Application-Specific4CVLSNMP KDFN/AKey Derivation
[SP 800-135-rev1]A7176Password Length: 64, 8192
CVL A7176CVL A7176N/ASSH KDF SHA sizes: SHA2-224Key DerivationKDF, Existing Application-Specific4 [SP 800-135-rev1]
CVL A7176Key DerivationCVL A7176N/AX9.63 KDF SHA sizes: SHA2-224, SHA2-256, SHA2-384, SHA2-512KDF, Existing Application-Specific4 [SP 800-135-rev1]
CVL A7176CVL A7176N/AIKEv2 KDF SHA sizes:SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512Key DerivationKDF, Existing Application-Specific4 [SP 800-135-rev1]
KDF, Existing Application-Specific4CVLN/ASRTP KDFKey Derivation
[SP 800-135-rev1]A7176
A7176A7176N/AOptions: PBKDF with Option 1a Types: HMAC-based KDF using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512Key DerivationKDF, Password-Based [SP 800-132]
A7176Counter Mode,A7176Types: CMAC-based KBKDF with AES, HMAC-based KBKDF with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512Key DerivationKDF, using Pseudorandom Functions5 [SP 800-108-rev1]
A7176A7176AES KW, KWPKey sizes: 128, 192, 256 bits (Key establishment methodology providing 128, 192 or 256 bits of encryption strength)Key WrappingKey Wrapping Using Block Ciphers6 [SP 800-38F]
RSAA7176N/AKey sizes: 2048, 3072, 4096Key Pair Generation
A7176A7176N/AKey sizes: 2048, 3072, 4096Signature GenerationRSA [FIPS 186-4, ANSI X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]
RSAA7176N/AKey sizes: 1024, 2048, 3072, 4096Signature Verification
A7176A7176N/AKey sizes: 1024, 1536, 2048, 3072, 4096Signature VerificationRSA [FIPS 186-2, ANSI X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]
CVLCVLN/A2048Component TestRSA Decryption Primitive
CVL A7176CVL A7176N/A2048Component TestRSA Signature Primitive
A7176RSA-OAEP with, and without, key confirmation.A7176N/AKey TransportKTS-IFC [SP 800-56B-rev2, Section 7.2.2]
A7176A7176N/ARSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strengthKey AgreementKAS-IFC [SP 800-56B-rev2, Section 7.2.1]
A7176Parameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144,A7176N/AKey Generation, Key VerificationSafe Primes [SP 800-56A-rev3]
A7176A7176N/ASHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256Digital Signature Generation, Digital Signature Verification, non-Digital Signature ApplicationsSHS [FIPS 180-4]
A7176Digital Signature Generation,A7176N/ASHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256SHA-3, SHAKE [FIPS 202]
A7176A7176N/ATypes: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash- 128, cSHAKE256, KMAC-256, TupleHash-256, ParallelHash-256Digital Signature Generation, Digital Signature Verification, non-Digital Signature ApplicationsSHA-3 Derived Functions [SP 800-185]
VendorVendorN/ASection 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG)Key GenerationCKG using output from DRBG7 [SP 800-133-rev2]
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table 4. Approved Algorithms N/A N/A N/A N/A N/A N/A N/A N/A

1 GCM encryption with an internally generated IV, see section 2.2 concerning external IVs. IV generation is compliant with IG C.H.

Page 9

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A

3 Keys are not established directly into the module using the key agreement algorithms.

4 No parts of the protocols (TLS, SSHv2, X9.63, IKEv2, SRTP, SNMPv3), other than the approved cryptographic algorithms and the KDFs, have been reviewed or tested by the CAVP and CMVP.

Page 10

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A

5 Note: CAVP testing is not provided for use of the PRFs SHA-512/224 and SHA-512/256. These must not be used in approved mode.

6 Keys are not established directly into the module using key unwrapping.
Page 11
Approved algorithm
NameCAVP CertKey SizeUse FunctionUse / Function
CVL A7176CVL A7176RSA Signature PrimitiveN/A2048Component Test
A7176RSA-OAEP with, and without, key confirmation.A7176KTS-IFC [SP 800-56B-rev2, Section 7.2.2]N/AKey Transport
A7176A7176KAS-IFC [SP 800-56B-rev2, Section 7.2.1]N/ARSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strengthKey Agreement
A7176Parameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144,A7176Safe Primes [SP 800-56A-rev3]N/AKey Generation, Key Verification
A7176A7176SHS [FIPS 180-4]N/ASHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
A7176Digital Signature Generation,A7176SHA-3, SHAKE [FIPS 202]N/ASHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
A7176A7176SHA-3 Derived Functions [SP 800-185]N/ATypes: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash- 128, cSHAKE256, KMAC-256, TupleHash-256, ParallelHash-256Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
VendorVendorCKG using output from DRBG7 [SP 800-133-rev2]N/ASection 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG)Key Generation
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A D.H N/A Table 5. Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed

7 The resulting key or a generated seed is an unmodified output from a DRBG.
Page 12
Approved algorithm
NameMode Method
ARC4 (RC4)ARC4 (RC4)ARC4/RC4 stream cipher
BlowfishBlowfish block cipher
CamelliaCamelliaCamellia block cipher
CAST5CAST5 block cipher
ChaCha20ChaCha20ChaCha20 stream cipher
ChaCha20-Poly1305AEAD ChaCha20 using Poly1305 as the MAC
DESDESDES block cipher
Diffie-Hellman KAS (non-compliant9)Non-compliant key agreement methods
DSA (non-compliant10)DSA (non-compliant10)Non-approved digest signatures using DSA
DSTU4145DSTU4145 EC algorithm
ECDSA (non-compliant10)ECDSA (non-compliant10)Non-approved digest signatures using ECDSA
EdDSAEd25519 and Ed448 signature algorithms
ElGamalElGamalElGamal key transport algorithm
FF3-1Format Preserving Encryption – AES FF3-1
GOST28147GOST28147GOST-28147 block cipher
GOST3410-1994GOST-3410-1994 algorithm
GOST3410-2001GOST3410-2001GOST-3410-2001 EC algorithm
GOST3410-2012GOST-3410-2012 EC algorithm
GOST3411GOST3411GOST-3411-1994 message digest
GOST3411-2012-256GOST-3411-2012 256-bit message digest
GOST3411-2012-512GOST3411-2012-512GOST-3411-2012 512-bit message digest
HMAC-GOST3411GOST-3411 HMAC
HMAC-MD5HMAC-MD5MD5 HMAC
HMAC-RIPEMD128RIPEMD128 HMAC
HMAC-RIPEMD160HMAC-RIPEMD160RIPEMD160 HMAC
HMAC-RIPEMD256RIPEMD256HMAC
HMAC-RIPEMD320HMAC-RIPEMD320RIPEMD320 HMAC
HMAC-TIGERTIGER HMAC
HMAC-WHIRLPOOLHMAC-WHIRLPOOLWHIRLPOOL HMAC
HSSHSS signature scheme (RFC 8708)
IDEAIDEAIDEA block cipher
KAS11 using SHA-512/224 or SHA-512/256Key Agreement using SHA-512/224 and SHA-512/256 based KDFs
KBKDF using SHA-512/224 or SHA-512/256 (non-compliant)KBKDF using SHA-512/224 or SHA-512/256 (non-compliant)PBKDF2 using the PRFs SHA-512/224 and SHA-512/256
LMSLMS signature scheme (RFC 8708)
MD5MD5MD5 message digest
OpenSSL PBKDF (non-compliant)OpenSSL PBE key derivation scheme
PKCS#12 PBKDF (non-compliant)PKCS#12 PBKDF (non-compliant)PKCS#12 PBE key derivation scheme
PKCS#5 Scheme 1 PBKDF (non-compliant)PKCS#5 PBE key derivation scheme
Poly1305Poly1305Poly1305 message MAC
PRNG X9.31X9.31 PRNG
RC2RC2RC2 block cipher
RIPEMD128RIPEMD128 message digest
RIPEMD160RIPEMD160RIPEMD160 message digest
RIPEMD256RIPEMD256 message digest
RIPEMD320RIPEMD320RIPEMD320 message digest
RSA (non-compliant12)Non-compliant RSA signature schemes
RSA KTS (non-compliant13)RSA KTS (non-compliant13)Non-compliant RSA key transport schemes
SCrypt (non-compliant)Scrypt using non-compliant PBKDF2
SEEDSEEDSEED block cipher
SerpentSerpent block cipher
SipHashSipHashSipHash MAC
SHACAL-2SHACAL2 block cipher
TIGERTIGERTIGER message digest
Triple-DESTriple-DES cipher
TwofishTwofishTwofish block cipher
WHIRLPOOLWHIRLPOOL message digest
XDHXDHX25519 and X448 key agreement algorithms

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table 6. Non-Approved Algorithms Not Allowed in the Approved Mode of Operation

8 Support for additional modes of operation.

9 Support for additional key sizes and the establishment of keys of less than 112 bits of security strength.

10 Deterministic signature calculation, support for additional digests, and key sizes.

Page 13

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility

11 Keys are not directly established into the module using key agreement or transport techniques.

12 Support for additional digests and signature formats, PKCS#1 1.5 key wrapping, support for additional key sizes.

13 Support for additional key sizes and the establishment of keys of less than 112 bits of security strength.

Page 14

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility 2.1 Basic Enforcement The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module: 1. 2. 3. 4.

  1. The module shall provide two distinct operator roles: User and Cryptographic Officer. The module does not provide authentication. The operator shall be capable of commanding the module to perform the power up self-tests by cycling power or resetting the module. Power up self-tests do not require any operator action. Data output shall be inhibited during self-tests, zeroization, and error states. Output related to keys and their use is inhibited until the key concerned has been fully generated.
  2. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  3. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  4. The module does not support concurrent operators.
  5. The module does not have any external input/output devices used for entry/output of data.
  6. The module does not enter or output plaintext CSPs from the module’s physical perimeter.
  7. The module does not output intermediate key values. HMAC algorithms specified in the Approved Algorithms table produce truncated versions of the HMAC in question. The right most bits are truncated as per the NIST SP 800-107 rev1. When the module is used within the context of Java Security Manager or the system/security property org.bouncycastle.fips.approved_only is set to true, the module will start in approved mode and non-approved services are not accessible in this mode. When the module is not used within the context of Java Security Manager, the module will start in a non-approved mode by default. From non-approved mode to approved mode: It is a combination of granted permission (a) and request to change mode (b): a. org.bouncycastle.crypto.CryptoServicesPermission “changeToApprovedModeEnabled” b. CryptoServicesRegistrar.setApprovedMode(true) The CSPs made available in non-approved mode will not be accessible, once the thread transitions into approved mode. The CSPs generated using the nonapproved mode cannot be passed or shared with algorithms operating in approved mode, and vice-versa. This is done by indicating within the class (object), instantiating the key, as being created in an approved mode or non-approved mode.
Page 15

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Any attempt by a thread within the execution of the module to use the key in an opposite mode will result in an exception being generated by the module. For example, if an RSA private key has been created in either approved or non-approved mode, then any request to access that key will first need to see if the thread making the request is in the same mode. From approved mode to non-approved mode: The module cannot transition from approved mode to non-approved mode. To initiate the module in nonapproved mode, either it should not be used in the context of Java Security Manager, or the module should have the permission “org.bouncycastle.crypto.CryptoServicesPermissionunapprovedModeEnabled” granted by the Java Security Manager. 2.2 Enforcement and Guidance for GCM IVs IVs for GCM can be generated randomly, or via a FipsNonceGenerator. Where an IV is not generated within the module the module supports the importing of GCM IVs. In approved mode, when a GCM IV is generated randomly, the module enforces the use of an approved DRBG in line with Section 8.2.2 of SP 800-38D. In approved mode, when a GCM IV is generated using the FipsNonceGenerator a counter is used as the basis for the nonce and the IV is generated in accordance with TLS protocol. Rollover of the counter in the FipsNonceGenerator will result in an IllegalStateException indicating the FipsNonceGenerator is exhausted and, as per IG C.H, where used for TLS 1.2, rollover will terminate any TLS session in process using the current key and the exception can only be recovered from by using a new handshake and creating a new FipsNonceGenerator. In approved mode, importing a GCM IV for encryption that originates from outside the module is non-conformant. A service indicator for IV usage is provided in the module through Java logging. Setting the logging level to Level.FINE for the named logger “org.bouncycastle.jcajce.provider.BaseCipher” will produce a log message when an IV which may have been produced outside the module and/or not from a compliant source is detected. The log message will be of the standard form including the detail: FINE: Passed in GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Setting the logging level to Level.FINER will produce an additional log message for any GCM IV which is used if the previous Level.FINE message is not activated. Log messages in this case will show the detail as: FINER: GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Per IG C.H, in the event module power is lost and restored the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The AES-GCM Mode falls under:

3.3.1 of the SP800-52rev2.
Page 16

FIPS 140-3 Security Policy 2.3 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Enforcement and Guidance for use of the Approved PBKDF In line with the requirements for SP 800-132, keys generated using the approved PBKDF must only be used for storage applications. Any other use of the approved PBKDF is non-conformant. In approved mode the module enforces that any password used must encode to at least 14 bytes (112 bits) and that the salt is at least 16 bytes (128 bits) long. The iteration count associated with the PBKDF should be as large as practical. As the module is a general-purpose software module, it is not possible to anticipate all the levels of use for the PBKDF, however a user of the module should also note that a password should at least contain enough entropy to be unguessable and also contain enough entropy to reflect the security strength required for the key being generated. In the event a password encoding is simply based on ASCII a 14 byte password is unlikely to contain sufficient entropy for most purposes as the standard set of printable characters only allows for as much as 6 bits of entropy per byte, giving a password which for the case of 14 bytes, yields a key that has been generated using 14 * 6 bits, giving only 84 bits of security, well below what is required for a key with the same level of hardness as a 112 bit one. Users are referred to Appendix A, “Security Considerations” of SP 800-132 for further information on password, salt, and iteration count selection. The iteration count value is provided by the user

Page 17
Ports and interfaces
NamePhysical PortLogical Interface
Data OutputData OutputAPI output parameters and return values – plaintext and/or ciphertext data.
Control InputAPI method calls – method calls, or input parameters, that specify commands and/or control data used to control the operation of the module.Control Input
Status OutputStatus OutputAPI output parameters and return/error codes that provide status information used to indicate the state of the module.

FIPS 140-3 Security Policy 2.5 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Guidance for the use of Format-Preserving Encryption The module supports both FF1 and, in non-approved mode, FF3-1 format preserving encryption. Below shows the parameter constraints applicable to the module’s implementation. SP800-38G Format-Preserving Encryption Constraints: radix radixminlen minlen maxlen maxTlen in range of 2..216 >= 1000000 >= 2 octets < 232 octets >= 0 octets in range of 2..216 >= 1000000

2 octets
2 * floor(logradix(296)) octets
8 octets (fixed)

An attempt to use the FF1 or FF3-1 without meeting the radixminlen constraint or by exceeding maxlen will result in an IllegalArgumentException. Note: only FF1 should be used in approved mode. 2.6 Cryptographic Key Generation The module performs Cryptographic Key Generation in conformance to FIPS 140-3 IG D.H. The CKG for symmetric keys and seeds used for generating asymmetric keys is performed as per Section 4 of the SP800-133r2 and compliant with FIPS 186-4 and SP800-90Arev1 for DRBG. The seed used in asymmetric key generation is the direct output of SP800-90Arev1 DRBG. Cryptographic Module Interfaces The module is a software module, and, therefore, control of the physical ports is outside of the module’s scope. The module does provide a set of logical interfaces which are mapped to the following FIPS 140-3 defined logical interfaces: data input, data output, control input, status output, and power. When the module performs self-tests, is in an error state, is generating keys, or performing zeroization, the module prevents all output on the logical data output interface as only the thread performing the operation has access to the data. The module is single-threaded, and in an error state, the module does not return any output data, only an error value. The module does not implement control output interface. The mapping of the FIPS 140-3 logical interfaces to the module is described in Table

  1. Table
  2. Ports and Interfaces
Page 18
Service
NameRolesInputOutput
Data EncryptionCO/UserKey, PlaintextCiphertext
CO/UserCO/UserData DecryptionKey, CiphertextPlaintext
MAC CalculationCO/UserKey, MessageMAC
CO/UserCO/UserSignature AuthenticationKey, MessageSignature
Signature VerificationCO/UserKey, Message, SignatureBoolean
Message HashingCO/UserMessageHash
CO/UserCO/UserKeyed Message HashingKey, MessageHash
TLS Key Derivation FunctionCO/UserTLS ParametersData
CO/UserCO/UserSP 800-108-rev1 KDFKDF ParametersData
SSH Derivation FunctionCO/UserSSH ParametersData
CO/UserCO/UserX9.63 Derivation FunctionX9.63 ParametersData
SP 800-56C-rev2 OneStep/TwoStep Key Derivation Function (KDM)CO/UserKDM ParametersData
CO/UserCO/UserIKEv2 Derivation FunctionIKEv2 ParametersData
SRTP Derivation FunctionCO/UserSRTP ParametersData
CO/UserCO/UserPBKDFPassword, PBKDF ParametersData
Key Agreement SchemesCO/UserKey Agreement keys, parametersData
CO/UserCO/UserKey WrappingWrapping key, KeyWrapped key
Key UnwrappingCO/UserUnwrapping Key, Wrapped keyKey
CO/UserCO/UserKey GenerationKey Generation ParametersKey Pair
Key VerificationCO/UserKey PairBoolean
CO/UserCO/UserSSP Export OperationSSPData

FIPS 140-3 Security Policy Roles, Services, and Authentication 4.1 Basic Guidance Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The jar file representing the module needs to be installed in a JVM’s class path in a manner appropriate to its use in applications running on the JVM. Functionality in the module is provided in two ways. At the lowest level there are distinct classes that provide access to the approved and non-approved services provided by the module. A more abstract level of access can also be gained using strings providing operation names passed into the module’s Java cryptography provider through the APIs described in the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). When the module is being used in approved mode, classes providing implementations of algorithms which are not approved, or allowed, are explicitly disabled. SSPs such as private and secret keys implement the Destroyable interface. Where appropriate these SSPs can be zeroized on demand by invoking the destroy() method. The return of the destroy() method indicates that the zeroization is complete. Roles, with corresponding service with input and output is specified in Table 8 below: Table 8. Roles, Service Commands, Input and Output N/A N/A N/A N/A N/A

Page 19

FIPS 140-3 Security Policy 4.2 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A Assumption of Roles The module supports two distinct operator roles, User and Cryptographic Officer (CO). The cryptographic module implicitly maps the two roles to the services. A user is considered the owner of the thread that instantiates the module and, therefore, only one concurrent user is allowed. Table 9 lists all operator roles supported by the module. The module does not support a maintenance role and/or bypass capability. The module does not support authentication. Table 9. Roles and Authentication 4.3 N/A N/A Services Table 10 lists the services and a description of each service with the usage and roles. Services in the module are accessed via the public APIs of the jar file. The ability of a thread to invoke non-approved services depends on whether it has been registered with the module as approved mode only. In approved only mode no non-approved services are accessible. In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific permissions to be configured in the JVM configuration by the Cryptographic Officer or User. In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.

Page 20

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The modes of access shown in the table are defined as:

14 Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved mode, false otherwise.

Page 21
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Data DecryptionUsed to decrypt data.CO/UserAES Decryption KeyAES-ECB, AES-CBC, AES-OFB, AES-CFB8, AES-CFB128, AES-CTR, AES-CBC-CS, CCM, GCM, FF1EFlag
MAC CalculationUsed to calculate data integrity codes with CMAC.CO/UserCMAC, GMACEFlagAES Authentication Key,
Signature AuthenticationUsed to generate signatures (DSA, ECDSA, RSA).CO/UserDSA Signing Key, EC Signing Key, RSA Signing KeyDSA, ECDSA, RSAEFlag
Signature VerificationUsed to verify digital signatures.CO/UserDSA, ECDSA, RSAEFlagDSA Verification Key,
DRBG (SP800-90Arev1) outputUsed for random number, IV and key generation.CO/UserAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DRBG Seed, Internal State V and C value, and DRBG Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public KeyCounter DRBG, Hash DRBG, HMAC DRBGGFlag
DRBG Seed, Internal State V and C value, and DRBG KeyCO/UserDRBG Seed, Internal State V and C value, and DRBG KeyE

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility E E E E G E

Page 22
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorAccess rights to Keys and/or SSPs
Message HashingUsed to generate message digest, SHAKE output.CO/UserN/AN/AFlagSHS, SHA-3, SHAKE, SHA-3N/A
Keyed Message HashingUsed to calculate data integrity codes with HMAC and KMAC.CO/UserHMAC Authentication Key, KMAC Authentication KeyHMAC, SHA-3 Derived Functions (KMAC)EFlag
TLS Key DerivationCO/UserTLS KDF Secret ValueEFlagHKDF, KDF, Existing Application-TLS Key DerivationUsed to calculate a value suitable to
SP 800-108-rev1 KDFUsed to calculate a value suitable to be used for a secret key.CO/UserSP800-108-rev1 KDF Secret ValueKBKDF, using Pseudorandom FunctionsEFlag
SSH DerivationCO/UserSSH KDF Secret ValueEFlagExisting Application-SpecificSSH DerivationUsed to calculate a value suitable to
X9.63 Derivation FunctionUsed to calculate a value suitable to be used for a secret key.CO/UserDH Agreement Private Key, EC Agreement Private Key, RSA Signing KeyExisting Application-Specific (X9.63 KDF)GFlag
X9.63 KDF Secret ValueCO/UserX9.63 KDF Secret ValueE
SP 800-56C-rev2Used to calculate a value suitable to be used for a secret key.CO/UserHKDF, KDF One Step, KDF Two StepGFlagSP 800-56C-rev2DH Agreement Private Key,
OneStep/TwoStepOneStep/TwoStepEC Agreement Private Key,
Key DerivationKey DerivationRSA Signing Key
Function (KDM)EFunction (KDM)SP800-56C-rev2 KDF Secret ValueCO/User
IKEv2 Derivation FunctionUsed to calculate a value suitable to be used for a secret key.CO/UserIKEv2 KDF Secret ValueExisting Application-Specific (IKEv2)EFlag
SRTP DerivationCO/UserSRTP KDF Secret ValueEFlagExisting Application-SpecificSRTP DerivationUsed to calculate a value suitable to
PBKDFUsed to generate a key using an encoding of a password and message hash.CO/UserHMAC Authentication Key, KMAC Authentication KeyKDF, Password-BasedGFlag
HMAC Authentication Key, KMAC Authentication Key, PBDKF SecretCO/UserHMAC Authentication Key, KMAC Authentication Key, PBDKF SecretE

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A E E E E G E G E E E G E N/A

Page 23
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorKeys and/or SSPs
Key Agreement SchemesUsed to calculate key agreement values (SP800-56A-rev3, Diffie- Hellman).CO/UserAES Encryption Key,KAS-FFC, KAS-ECC, KAS-IFC, SafePrimesGFlagG
DH Agreement Private Key,CO/UserDH Agreement Private Key,E
Key WrappingUsed to encrypt a key value (RSA, AES).CO/UserAES KW, AES KWP, KTS-IFCFlagEAES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key, RSA Key Transport Private Key
Key UnwrappingUsed to decrypt a key value (RSA, AES)CO/UserAES Wrapping Key,AES KW, AES KWP, KTS-IFCFlagE
Key VerificationUsed to verify key pair.CO/UserEC Signing Key,ECDSA KeyVerFlagE
Entropy CallbackGathers entropy in a passive manner from a user-provided function.CO/UserDRBG, CKGFlagGDRBG Seed, Internal State V and C value, and DRBG Key
DRBG Health-TestsCO/UserDRBGFlagN/AN/AUsed to perform checks of incoming

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A G E E E E E G N/A

Page 24
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
SSP Export OperationReturns a CSP as data that can be used for later output.CO/UserAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public KeyN/ARFlag
UtilityCO/UserN/AN/AN/AFlagMiscellaneous utility functions, does
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
SSP Export OperationReturns a CSP as data that can be used for later output.CO/UserAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public KeyN/ARFlag
UtilityCO/UserN/AN/AN/AFlagMiscellaneous utility functions, does

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility R N/A N/A N/A N/A Table 11. Non-Approved Services

15 Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved mode, false otherwise.

Page 25

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Software/Firmware Security The module type is software. The module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips2.0.0.jar. Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Self–tests are available on demand by power cycling the module. The integrity is verified using HMAC-SHA2-256. The HMAC of the module JAR file excluding directories and metadata is calculated and compared to the expected value embedded within the module’s properties. If the calculated value does not match the expected value, the module raises an error and fails to load. The integrity test can be performed on demand by power cycling the host platform. CASTs are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target. Operational Environment The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module runs on a GPC running one of the operating systems specified in the approved operational environment list in Table 2. Each approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module within the process space of the Java Virtual Machine. The module optionally uses the Java Security Manager and starts in approved mode by default when used with the Java Security Manager. 6.1 Use of External RNG The module makes use of the JVM's configured SecureRandom entropy source to provide entropy when required. The module will request entropy as appropriate to the security strength and seeding configuration for the DRBG that is using it and for the default DRBG will request a minimum of 256 bits of entropy. In approved mode the minimum amount of entropy that can be requested by a DRBG is 112 bits. The module will wait until the SecureRandom.generateSeed() returns the requested amount of entropy, blocking if necessary. The JVMs entropy source can be configured through setting the security property: securerandom.strongAlgorithms in the JVM's java.security file. 6.2 Additional Enforcement with a Java SecurityManager In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific policy permissions to be configured in the JVM configuration by the Cryptographic Officer or User. The SecurityManager can also be used to restrict the ability of particular code bases to examine CSPs. See Section 6.3 for further advice. In the absence of a Java SecurityManager, specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.

Page 26
PermissionSettingsReqUsage

FIPS 140-3 Security Policy 6.3 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Approved Mode Configuration In default operation the module will start with all algorithms and services enabled. If the module detects that the system property org.bouncycastle.fips.approved_only is set to true the module will start in approved mode and non-approved mode functionality will not be available. If the underlying JVM is running with a Java Security Manager installed the module will be running in approved mode with secret and private key export disabled. When the module is not used within the context of the Java Security Manager, it will start by default in the non-approved mode. Use of the module with a Java Security manager requires the setting of some basic permissions to allow the module HMAC-SHA-256 software integrity test to take place as well as to allow the module itself to examine secret and private keys. The basic permissions required for the module to operate correctly with a Java Security manager are indicated by a Y: Available Java Permissions RuntimePermission RuntimePermission PropertyPermission SecurityPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission “getProtectionDomain” “accessDeclaredMembers” “java.runtime.name”, “read” "putProviderProperty.BCFIPS" “unapprovedModeEnabled” “changeToApprovedModeEnabled” “exportSecretKey” “exportPrivateKey” “exportKeys” “tlsNullDigestEnabled” “tlsPKCS15KeyWrapEnabled” “tlsAlgorithmsEnabled” “defaultRandomConfig” “threadLocalConfig” “globalConfig” Y Y N N N N N N Y N N N N N N Allows checksum to be carried out on jar. Allows use of reflection API within the provider. Only if configuration properties are used. Only if provider installed during execution. Only if non-approved mode algorithms required. Only if threads allowed to change modes. To allow export of secret keys only. To allow export of private keys only. Required to be applied for the module itself. Optional for any other codebase. Only required for TLS digest calculations. Only required if TLS is used with RSA encryption. Enables both NullDigest and PKCS15KeyWrap. Allows setting of default SecureRandom. Required to set a thread local property in the CryptoServicesRegistrar. Required to set a global property in the CryptoServicesRegistrar. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2) by default. These values can also be configured by the Cryptographic Officer using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H.

Page 27

FIPS 140-3 Security Policy 6.4 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Guidance for the use of DRBGs and Configuring the JVM's Entropy Source A user can instantiate the default Approved DRBG for the module explicitly by using SecureRandom.getInstance("DEFAULT", "BCFIPS"), or by using a BouncyCastleFipsProvider object instead of the provider name as appropriate. This will seed the Approved DRBG from the live entropy source of the JVM with a number of bits of entropy appropriate to the security strength of the default Approved DRBG configured for the module. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2). These values can also be configured by the user using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H. For the default the property would be set as: org.bouncycastle.entropy.factors: 4, 13, 8.0 in the java.security property file. An additional option is available using the Approved Hash_DRBG and the process outlined in SP800 90A, Section 8.6.5. This can be turned on by following the instructions in Section 2.3 of the User Guide. The two DRBGs are instantiated in a chain as a "Source DRBG" to seed the "Target DRBG" in accordance with Section 7 of Draft NIST SP 800-90C, where the Target DRBG is the default Approved DRBG used by the module. The initial seed and the subsequent reseeds for the DRBG chain come from the live entropy source configured for the JVM. The DRBG chain will reseed automatically by pausing for 20 requests (which will usually equate to 5120 bytes). An entropy gathering thread reseeds the DRBG chain when it has gathered sufficient entropy (currently 256 bits) from the live entropy source. Once reseeded, the request counter is reset and the reseed process begins again. The “Source DRBG” in the chain is internal to the module and inaccessible to the user to ensure it is only used for generating seeds for the default Approved DRBG of the module. The user shall ensure that the entropy source is configured per Section 6.1 of this Security Policy and will block, or fail, if it is unable to provide the amount of entropy requested. Physical Security This section is not applicable as the module is a software module. Non-Invasive Security This section is not applicable to this module. Sensitive Security Parameter Management All Sensitive Security Parameters (SSPs) used by the module are described in this section in Table 12. All usage of these SSPs by the module (including all SSP lifecycle states) is described in the services detailed in Section 4.3. Please note that the module does not perform automatic SSP establishment, it only provides the components to the calling application which can be used in SSP establishment.

Page 28
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
AES Encryption Key128, 192, 256 bitsAES ECB, CBC, OFB,DRBG16N/AN/A, the module does not provide persistent storageAES encryption19Import17,AES Encryption KeyImport17, Export18destroy() service call or host platform power cycle
CFB8, CFB128, CTR,CFB8, CFB128, CTR,Export18
AES Decryption Key128, 192, 256 bitsDRBG16N/AN/A, the module does not provide persistent storageAES decryptionAES Decryption KeyImport17, Export18destroy() service call or host platform power cycleAES ECB, CBC, OFB, CFB8, CFB128, CTR, FF1, CBCCS1, CBCCS2, CBCCS3, GCM, CKG A7176
AES Authentication Key128, 192, 256 bitsDRBG16N/AAES CMAC/GMACAES Authentication KeyImport17, Export18AES CMAC, GMAC, CKG A7176N/A, the moduledestroy()
does not providedoes not provideservice call or
persistentpersistenthost platform
AES Wrapping Key128, 192, 256 bitsDRBG16N/AN/A, the module does not provide persistent storageAES (128/192/256) key wrapping key for KTSAES Wrapping KeyImport17, Export18destroy() service call or host platform power cycleAES KW, KWP, CKG A7176
DH Agreement Private Key112, 128, 152, 176, 200 bitsDRBG16N/ADiffie-Hellman key agreementDH Agreement Private KeyImport17, Export18KAS-FFC, CKG A7176N/A, the moduledestroy()
does not providedoes not provideservice call or
persistentpersistenthost platform
DH Agreement Public Key112, 128, 152, 176, 200 bitsDRBG16N/AN/A, the module does not provide persistent storageDiffie-Hellman key agreementDH Agreement Public KeyImport17, Export18Not zeroized, public key value known outside of moduleKAS-FFC, CKG A7176

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table 12. SSPs N/A N/A N/A N/A N/A N/A

16 Key generator used in conjunction with an approved DRBG.
17 Import done via key constructor and/or factory (Electronic Entry).

18 Export done via key recovery using getEncoded() method and followed by separate step to export key details as either plaintext or encrypted (Electronic Entry).

19 The AES-GCM key and IV is generated randomly per IG C.H, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application

must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed.

Page 29
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
DSA Signing Key112, 128 bitsDSA SignatureDRBG16N/ADSA signature generationImport17,DSA Signing KeyDSA Signature Generation, CKG A7176Import17, Export18N/A, the moduledestroy()
Generation, CKGGeneration, CKGExport18does not provideservice call or
A7176A7176persistenthost platform
DSA Verification Key80, 112, 128 bitsDRBG16N/AN/A, the module does not provide persistent storageDSA signature verificationDSA Verification KeyDSA Signature Verification, CKG A7176Import17, Export18Not zeroized, public key value known outside of module
EC Agreement Private Key112, 128, 192, 256 bitsDRBG16N/AN/A, the module does not provide persistent storageEC Agreement Private KeyKAS-ECC, CKG A7176Import17, Export18destroy() service call or host platform power cycleEC (P-224, P-256, P-384,
EC Agreement Public Key112, 128, 192, 256 bitsDRBG16N/AN/A, the module does not provide persistent storageEC (P-224, P-256, P-384, P-521, K-233, K-283, K-409, K571, B-233, B-283, B-409 and B-571) key agreementEC Agreement Public KeyKAS-ECC, CKG A7176Import17, Export18Not zeroized, public key value known outside of module
EC Signing Key112, 128, 192, 256 bitsDRBG16N/AN/A, the module does not provide persistent storageEC Signing KeyECDSA Signature Generation, CKG A7176Import17, Export18destroy() service call or host platform power cycleECDSA (P-224, P-256,
EC Verification Key80, 112, 128, 192, 256 bitsDRBG16N/AN/A, the module does not provide persistent storageECDSA (P-192, P-224, P-256, P-384, P-521, K-163, K-233, K-283, K-409, K-571, B-163, B-233, B-283, B-409 and B-571) signature verificationEC Verification KeyECDSA Signature Verification, CKG A7176Import17, Export18Not zeroized, public key value known outside of module
HMAC/KMAC Authentication Key112-256 bitsDRBG16N/AKeyed-Hash calculation (SHA-1, SHA2, SHA-3, KMAC)HMAC/KMAC Authentication KeySHA-1, SHA2, SHA3, KMAC, CKG A7176Import17, Export18N/A, the moduledestroy()
does not providedoes not provideservice call or
persistentpersistenthost platform
RSA Signing Key112, 128, 152 bitsDRBG16N/AImport17, Export18RSA Signing KeyRSA Signature Generation, CKG A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleRSA signature generation
RSA Verification Key80, 112, 128, 152 bitsDRBG16N/ANot zeroized,Import17, Export18RSA Verification KeyRSA Signature Verification, CKG A7176N/A, the moduleRSA signature verification
does not providepublic key valuedoes not provide
persistentknown outsidepersistent
RSA Key Transport Private Key20112, 128, 152 bitsDRBG16N/AImport17, Export18RSA Key Transport Private Key20KTS-IFC, CKG A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleRSA key transport and decryption
RSA Key Transport Public Key20112, 128, 152 bitsDRBG16N/ANot zeroized,Import17, Export18RSA Key Transport Public Key20KTS-IFC, CKG A7176N/A, the moduleRSA key transport
does not providepublic key valuedoes not provide
persistentknown outsidepersistent
IKEv2 KDF Secret Value112, 128, 192, 256 bitsGenerated as output of an IKEv2 agreement schemeN/AN/AIKEv2 KDF Secret ValueKDF IKEv2 A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleKey Derivation
PBKDF Secret Value112-256 bitsN/Adestroy()N/APBKDF Secret ValuePBKDF A7176Generated asN/A, the moduleKey Derivation
output of aservice call oroutput of adoes not provide
PBE key and ahost platformPBE key and apersistent
PRFpower cyclePRFstorage
SP 800-56C-rev2 OneStep/TwoStep KDF Secret Value112, 128, 192, 256 bitsGenerated as output of an agreement schemeN/AN/ASP 800-56C-rev2 OneStep/TwoStep KDF Secret ValueKDA OneStep SP800- 56Cr2, KDA TwoStep SP800-56Cr2 A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleKey Derivation
SP 800-108-rev1 KDF Secret Value112, 128, 192, 256 bitsN/Adestroy()N/ASP 800-108-rev1 KDF Secret ValueKDF SP800-108 A7176Generated asN/A, the moduleKey Derivation
output of anservice call oroutput of andoes not provide
agreementhost platformagreementpersistent
schemepower cycleschemestorage
SRTP KDF Secret Value128, 192, 256 bitsGenerated as output of an SRTP agreement schemeN/AN/ASRTP KDF Secret ValueKDF SRTP A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleKey Derivation
SSH KDF Secret Value80, 112, 128, 192, 256 bitsN/AN/ASSH KDF Secret ValueKDF SSH A7176Generated asN/A, the module does not provide persistent storagedestroy() service call or host platform power cycleKey Derivation
TLS Premaster Secret Value384 bitsProtocol version (2 bytes) and 46 bytes from a DRBG16N/AImport17, Export18TLS Premaster Secret ValueKDF TLS A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleUsed to derive keys using TLS KDF
TLS KDF Secret Value112, 128, 192, 256 bitsN/Adestroy()N/ATLS KDF Secret ValueKDF TLS A7176Generated asN/A, the moduleKey Derivation
output of TLSservice call oroutput of TLSdoes not provide
agreementhost platformagreementpersistent
schemepower cycleschemestorage
X9.63 KDF Secret Value112, 128, 192, 256 bitsGenerated as output of an agreement schemeN/AN/AX9.63 KDF Secret ValueKDF ANS 9.63 A7176N/A, the module does not provide persistent storagedestroy() service call or host platform power cycleKey Derivation
Entropy Input String>128 bitsN/AObtainedN/Adestroy()Entropy Input StringN/AN/A, the moduleRandom Number Generation
from thefrom theservice call ordoes not provide
entropyentropyhost platformpersistent
sourcesourcepower cyclestorage
CTR DRBG Seed128, 192, 256 bitsN/AN/AObtained from the entropy sourceCTR DRBG SeedN/AN/A, the module does not provide persistent storageImmediately after use or host platform power cycleInternal use
CTR DRBG V Value128 bitsFrom seed valueN/Areseed() serviceN/ACTR DRBG V ValueN/AN/A, the moduleInternal use
does not providecall or hostdoes not provide
persistentplatform powerpersistent
CTR DRBG Key128, 192, 256 bitsFrom DRBG V valueN/AN/A, the module does not provide persistent storageInternal useCTR DRBG KeyN/AN/Areseed() service call or host platform power cycle
Hash DRBG Seed112, 128, 192, 256 bitsN/AN/AInternal useHash DRBG SeedN/AFrom external entropy sourceN/A, the moduleImmediately
does not providedoes not provideafter use or
persistentpersistenthost platform
Hash DRBG V Value112, 128, 192, 256 bitsFrom seed valueN/AN/A, the module does not provide persistent storageInternal useHash DRBG V ValueN/AN/Areseed() service call or host platform power cycle
Hash DRBG C Value112, 128, 192, 256 bitsFrom DRBG V valueN/AInternal useHash DRBG C ValueN/AN/AN/A, the modulereseed() service
does not providedoes not providecall or host
persistentpersistentplatform power
HMAC DRBG Seed112, 128, 192, 256 bitsN/AN/AN/A, the module does not provide persistent storageInternal useHMAC DRBG SeedN/AFrom external entropy sourceImmediately after use or host platform power cycle
HMAC DRBG V Value112, 128, 192, 256 bitsFrom seed valueN/AInternal useHMAC DRBG V ValueN/AN/AN/A, the modulereseed() service
does not providedoes not providecall or host
persistentpersistentplatform power
HMAC DRBG Key112, 128, 192, 256 bitsFrom DRBG V valueN/AN/A, the module does not provide persistent storageInternal useHMAC DRBG KeyN/AN/Areseed() service call or host platform power cycle
DRBG Output128, 192, 256 bitsDRBGN/AN/A, the module does not provide persistent storageDRBG OutputN/AN/Adestroy() service call or host platform power cycleUsed as seed for

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A

Page 30

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A

20 RSA key transport using PKCS#1 1.5 padding is deprecated through 2023 and disallowed after 2023.

Page 31

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Page 32

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Page 33
Entropy sourcesMinimum number of bits of entropyDetails
Passive Entropy128As per FIPS 140-3 IG 9.3.A Section 2b, a minimum of 16 bytes is required from the source configured for seed
generation for the JVM. The entropy reader will block until the seed generator has provided the minimum number of
bytes.

FIPS 140-3 Security Policy 9.1 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The module’s use of Non-Deterministic Random Number Generators is determined by the settings described in Section 6.1. Table 13. Non-Deterministic Random Number Generation Specification

10 Self-tests

CASTs are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target.

10.1 Pre-Operational Self-Tests

Each time the module is powered up, it performs the pre-operational self-tests to confirm that sensitive data have not been damaged. The pre-operational tests include the Software Integrity test, which verifies the module using HMAC-SHA2-256, and the HMAC and SHS Conditional Cryptographic Algorithm SelfTests (CAST) which are run prior to the Software Integrity test to ensure the correctness of the HMAC used. Pre-operational self–tests are available on demand by power cycling the module.

10.2 Conditional Self-Tests

The module performs conditional self-tests when the conditions specified for cryptographic algorithm self-test and pair-wise consistency tests occur. Below are the self-tests implemented: Conditional Cryptographic Algorithm Self-Tests:

Page 34

FIPS 140-3 Security Policy

Page 35

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Conditional Pair-wise Consistency Tests:

10.3 Error Handling

If any of the above-mentioned self-tests fail, the module enters an error state called “Hard Error” state. Upon entering the error state, the module outputs status by way of an exception. An example exception for AES Encryption failure is mentioned below: “Failed self-test on encryption: AES” The module can be recovered by power cycling the module which results in execution of preoperational self-tests and conditional cryptographic algorithm self-tests. If the tests pass, then the module will be available for use.

11 Life-Cycle Assurance

Vulnerabilities found in the module will be reported on the National Vulnerability Database, located at https://nvd.nist.gov/. Researchers and users are encouraged to report any security related concerns to feedbackcrypto@bouncycastle.org. A PGP public key can be provided if confidentiality is required around the report. Please find the procedures for secure installation, initialization, startup and operation of the module: The module exists as part of the running JVM as such:

Page 36

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility

12 Mitigation of Other Attacks Policy

The module implements basic protections to mitigate against timing-based attacks against its internal implementations. There are two countermeasures used. The first is Constant Time Comparisons, which protect the digest and integrity algorithms by strictly avoiding “fast fail” comparison of MACs, signatures, and digests so the time taken to compare a MAC, signature, or digest is constant regardless of whether the comparison passes or fails. The second is made up of Numeric Blinding and decryption/signing verification which both protect the RSA algorithm. Numeric Blinding prevents timing attacks against RSA decryption and signing by providing a random input into the operation which is subsequently eliminated when the result is produced. The random input makes it impossible for a third party observing the private key operation to attempt a timing attack on the operation as they do not have knowledge of the random input and consequently the time taken for the operation tells them nothing about the private value of the RSA key. Decryption/signing verification is carried out by calculating a primitive encryption or signature verification operation after a corresponding decryption or signing operation before the result of the decryption or signing operation is returned. The purpose of this is to protect against Lenstra's CRT attack by verifying the correctness of the private key calculations involved. Lenstra's CRT attack takes advantage of undetected errors in the use of RSA private keys with CRT values and, if exploitable, can be used to discover the private value of the RSA key.

Page 37

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Appendix: References and Definitions The following standards are referred to in this Security Policy: ANSI X9.31 FIPS 140-3 FIPS 180-4 FIPS 186-3 FIPS 186-4 FIPS 197 FIPS 198-1 FIPS 202 IG PKCS#1 v2.1 PKCS#5 PKCS#12 SP 800-38A SP 800-38B SP 800-38C SP 800-38D SP 800-38F SP 800-38G SP 800-56A-rev3 SP 800-56B-rev2 SP 800-56C-rev2 SP 800-67-rev2 SP 800-89 SP 800-90A SP 800-90B SP 800-108-rev1 SP 800-132 SP 800-133-rev2 SP 800-135-rev1 X9.31-1998, Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), September 9, 1998 Security Requirements for Cryptographic modules, March 22, 2019 Secure Hash Standard (SHS) Digital Signature Standard (DSS) Digital Signature Standard (DSS) Advanced Encryption Standard The Keyed-Hash Message Authentication Code (HMAC) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program RSA Cryptography Standard Password-Based Cryptography Standard Personal Information Exchange Syntax Standard Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography Recommendation for Key Derivation through Extraction-then-Expansion Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher Recommendation for Obtaining Assurances for Digital Signature Applications Recommendation for Random Number Generation Using Deterministic Random Bit Generators Recommendation for the Entropy Sources Used for Random Bit Generation Recommendation for Key Derivation Using Pseudorandom Functions Recommendation for Password-Based Key Derivation Recommendation for Cryptographic Key Generation Recommendation for Existing Application

Page 38

FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The following are acronyms used in this Security Policy: AES API BC BC-FJA CBC CCM CDH CFB CMAC CMVP CO CPU CS CSP CTR CVL DES DH DRAM DRBG DSA DSTU4145 EC ECB ECC ECDSA EdDSA EMC EMI FIPS GCM GMAC GOST Advanced Encryption Standard Application Programming Interface Bouncy Castle Bouncy Castle FIPS Java API Cipher-Block Chaining Counter with CBC-MAC Computational Diffie-Hellman Cipher Feedback Mode Cipher-based Message Authentication Code Crypto Module Validation Program Cryptographic Officer Central Processing Unit Ciphertext Stealing Critical Security Parameter Counter-mode Component Validation List Data Encryption Standard Diffie-Hellman Dynamic Random Access Memory Deterministic Random Bit Generator Digital Signature Authority Ukrainian DSTU-4145-2002 Elliptic Curve Scheme Elliptic Curve Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Authority Edwards Curve DSA using Ed25519, Ed448 Electromagnetic Compatibility Electromagnetic Interference Federal Information Processing Standards Galois/Counter Mode Galois Message Authentication Code Gosudarstvennyi Standard Soyuza SSR/Government Standard of the Union of Soviet Socialist Republics

Page 39

FIPS 140-3 Security Policy GPC HMAC IG JAR JCA JCE JDK JRE JVM IV KAS KAT KDF KW KWP KMAC MAC MD5 N/A OCB OFB OS PBKDF PKCS PQG RC RIPEMD RSA SHA SSP TCBC TCFB TDEA TDES Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility General Purpose Computer key-Hashed Message Authentication Code See References Java ARchive Java Cryptography Architecture Java Cryptography Extension Java Development Kit Java Runtime Environment Java Virtual Machine Initialization Vector Key Agreement Scheme Known Answer Test Key Derivation Function Key Wrap Key Wrap with Padding KECCAK Message Authentication Code Message Authentication Code Message Digest algorithm MD5 Non Applicable Offset Codebook Mode Output Feedback Operating System Password-Based Key Derivation Function Public Key Cryptography Standards Diffie-Hellman Parameters P, Q and G Rivest Cipher, Ron’s Code RACE Integrity Primitives Evaluation Message Digest Rivest Shamir Adleman Secure Hash Algorithm Sensitive Security Parameter TDEA Cipher-Block Chaining TDEA Cipher Feedback Mode Triple Data Encryption Algorithm Triple Data Encryption Standard

Page 40

FIPS 140-3 Security Policy TECB TOFB TLS USB XDH XOF Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility TDEA Electronic Codebook TDEA Output Feedback Transport Layer Security Universal Serial Bus Edwards Curve Diffie-Hellman using X25519, X448 Extendable-Output Function

Referenced URLs