| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/28/2029 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Keysight Technologies |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Document Version 1.2 July 30, 2025 Prepared for: Prepared by: Keysight Technologies
Bldg. 2, Suite 300 Austin, TX 78731 keysight.com KeyPair Consulting Inc.
San Luis Obispo, CA 93401 +1 805.316.5024 keypair.us
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table of Contents
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility List of Tables List of Figures
| Name | ISO Section | Requirement | Level | General | ||
|---|---|---|---|---|---|---|
| 2 | Cryptographic Module Specification | 2 | 1 | |||
| 3 | 3 | 1 | Cryptographic Module Interfaces | |||
| 4 | Roles, Services, and Authentication | 4 | 1 | |||
| 5 | 5 | 1 | Software/Firmware Security | |||
| 6 | Operational Environment | 6 | 1 | |||
| 7 | 7 | N/A | Physical Security | |||
| 8 | Non-Invasive Security | 8 | N/A | |||
| 9 | 9 | 1 | Sensitive Security Parameter Management | |||
| 10 | Self-Tests | 10 | 1 | |||
| 11 | 11 | 1 | Life-Cycle Assurance | |||
| 12 | Mitigation of Other Attacks | 12 | 1 |
Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Introduction This document defines the Security Policy for the Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility, hereafter denoted the module. The module is a cryptographic library and has a Multi-Chip Stand Alone embodiment. The module meets FIPS 140-3 overall Level 1 requirements. The SW version is 2.0.0. The FIPS 140-3 security levels for the module are given in Table 1 as follows: Table 1. Security Levels 1.1 N/A N/A Confirming the Module Checksum, Functionality, and Versioning The module checksum, functionality, and versioning can be confirmed by executing the command: java ‐cp bc‐fips‐2.0.0.jar org.bouncycastle.util.DumpInfo which should display: Version Info: BouncyCastle Security Provider (FIPS edition) v2.0.0 FIPS Ready Status: READY Module SHA‐256 HMAC: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e Indicating the jar represents the software release 2.0.0, that it has successfully passed all its startup tests, and that the software release is confirmed to have a HMAC of: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Cryptographic Module Specification The module is intended for use by US Federal agencies and other markets that require a FIPS 140-3 validated Cryptographic Library. The module is of type software and the module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips2.0.0.jar. This module is the only software component within the Cryptographic Boundary and the only software component that carries out cryptographic functions covered by FIPS 140-3. Figure 1 shows the logical relationship of the cryptographic module to the other software and hardware components of the computer. The BC classes are executed on the Java Virtual Machine (JVM) using the classes of the Java Runtime Environment (JRE). The JVM is the interface to the computer’s Operating System (OS) that is the interface to the various physical components of the computer. Figure 1. Cryptographic Boundary
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # | |||
|---|---|---|---|---|---|---|---|---|
| 1 | NVOS 6.7 with Java SE Runtime Environment v8 (1.8) | Vision ONE | Intel i7 3555LE (Ivy Bridge) | Without PAA | 1 | |||
| 1 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | Vision Edge 40 Network Packet Broker (NPB) with Intel x86 | 1 | 1 | ||||
| Environment v8 (1.8) | Environment v8 (1.8) | Atom® (Rangely) C2538 processor | ||||||
| 2 | 2 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision 7712 NPB with Intel x86 Atom® (Rangely) C2538 processor | |||||
| 3 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 3 | Vision 5812 NPB with Intel x86 Atom® (Rangely) C2538 processor | |||||
| 4 | 4 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision Edge 100 NPB with Intel Xeon D-1518 (Broadwell) processor | |||||
| 5 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 5 | Vision Edge 50 NPB with Intel Xeon D-1518 (Broadwell) processor | |||||
| 6 | 6 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision 7816 NPB with Intel Xeon D-1518 (Broadwell) processor | |||||
| 7 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 7 | Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor | |||||
| 8 | 8 | AppStack release 4.16.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v17 (1.17) container on MakoOS v2.1.1 and later | Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor, including Visibility Application Module with Intel Xeon E5-2695 (Broadwell) | |||||
| 9 | Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor, | 9 | SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later | |||||
| 10 | 10 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # | |||
|---|---|---|---|---|---|---|---|---|
| 1 | NVOS 6.7 with Java SE Runtime Environment v8 (1.8) | Vision ONE | Intel i7 3555LE (Ivy Bridge) | Without PAA | 1 | |||
| 1 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | Vision Edge 40 Network Packet Broker (NPB) with Intel x86 | 1 | 1 | ||||
| Environment v8 (1.8) | Environment v8 (1.8) | Atom® (Rangely) C2538 processor | ||||||
| 2 | 2 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision 7712 NPB with Intel x86 Atom® (Rangely) C2538 processor | |||||
| 3 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 3 | Vision 5812 NPB with Intel x86 Atom® (Rangely) C2538 processor | |||||
| 4 | 4 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision Edge 100 NPB with Intel Xeon D-1518 (Broadwell) processor | |||||
| 5 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 5 | Vision Edge 50 NPB with Intel Xeon D-1518 (Broadwell) processor | |||||
| 6 | 6 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision 7816 NPB with Intel Xeon D-1518 (Broadwell) processor | |||||
| 7 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 7 | Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor | |||||
| 8 | 8 | AppStack release 4.16.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v17 (1.17) container on MakoOS v2.1.1 and later | Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor, including Visibility Application Module with Intel Xeon E5-2695 (Broadwell) | |||||
| 9 | Vision ONE NPB with Intel i7 3555LE (Ivy Bridge) processor, | 9 | SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later | |||||
| 10 | 10 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor | |||||
| 11 | AppStack release 4.18.0 (requires NPB release 6.9.0) and later running Debian version 12.5 with | Vision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor, | 11 | 11 | AppStack release 4.18.0 (requires NPB release 6.9.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later | |||
| Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later | Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later | including MVX-AM4PC module with Intel Xeon-D 2718NT | ||||||
| 12 | 12 | SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running Debian version 12.5 with Java SE Runtime Environment v11 (1.11) container on MakoOS v2.1.1 and later | Vision X NPB with Intel Xeon D-1527 (Broadwell-DE) processor, including MVX-AM4PC module with Intel Xeon-D 2718NT (Skylake-D) | |||||
| 13 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime | 13 | TradeVision NPB with Intel i7 3555LE (Ivy Bridge) processor | |||||
| 14 | 14 | Vision NPB release 6.7.0 and later on Yocto poky-scarthgap (v5.0.x) with Java SE Runtime Environment v8 (1.8) | Vision Edge 10S NPB with Intel Celeron 3965U (Kaby Lake) processor | |||||
| 15 | Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE | Vision 9516 NPB with Intel Pentium D-1517 (Broadwell) | 15 | |||||
| Runtime Environment v8 (1.8) | Runtime Environment v8 (1.8) | processor | ||||||
| 16 | 16 | Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE Runtime Environment v8 (1.8) | Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor | |||||
| 17 | AppStack release 4.18.0 (requires NPB release 6.9.0) and later running on Debian 12.5 with Java | 17 | Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor | |||||
| 18 | 18 | SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running on Debian 12.5 with Java SE Runtime Environment v11 (1.11) container | Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor | |||||
| 19 | Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE | Vision Edge 400S NPB with Intel Xeon D-1714) (Icelake-D) | 19 | |||||
| Runtime Environment v8 (1.8) | Runtime Environment v8 (1.8) | processor | ||||||
| 20 | 20 | Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE Runtime Environment v8 (1.8) | Vision Edge 400P NPB with Intel Xeon D-1627 (Hewitt Lake) processor | |||||
| 21 | Vision NPB release 6.9.0 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) with Java SE | Vision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) | 21 | |||||
| Runtime Environment v8 (1.8) | Runtime Environment v8 (1.8) | processor | ||||||
| 22 | 22 | AppStack release 4.18.0 (requires NPB release 6.9.0) and later running on Debian 12.5 with Java SE Runtime Environment v17 (1.17) container | Vision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) processor | |||||
| 23 | SecureStack release 2.14.0 (requires NPB release 6.9.0) and later running on Debian 12.5 with | Vision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) | 23 | |||||
| Java SE Runtime Environment v11 (1.11) container | Java SE Runtime Environment v11 (1.11) container | processor |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The cryptographic module was tested on the following operational environments on the general-purpose computer (GPC) platforms detailed in Table 2, which is also the TOEPP (Tested Operational Environment’s Physical Perimeter) of the module. Table
FIPS 140-3 Security Policy # Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility For the avoidance of doubt, it is hereby stated that the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. The module implements the Approved and Non-Approved but Allowed cryptographic functions with no security claimed listed in Table 4 and Table 5 below. There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. The module supports both Approved and Non-Approved mode of operation. Please see Section 6.3 for configuration of the module in Approved mode of operation. Please see Section 11 for initialization steps.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | Use / Function | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| AES | A7176 | ECB, CBC, OFB, CFB8, | Key sizes: 128, 192, 256 bits | Encryption, Decryption | A7176 | ECB, CBC, OFB, CFB8, CFB128, CTR, FF1 | Key sizes: 128, 192, 256 bits | Encryption, Decryption | ||
| [FIPS 197, SP 800-38A], AESFF1 | CFB128, CTR, FF1 | |||||||||
| A7176 | A7176 | CBC-CS1, CBC-CS2, CBC-CS3 | Key sizes: 128, 192, 256 bits | Encryption, Decryption | AES-CBC Ciphertext Stealing (CS) [Addendum to SP 800-38A, Oct 2010] | |||||
| CCM | A7176 | N/A | Key sizes: 128, 192, 256 bits | Generation, Authentication | ||||||
| A7176 | A7176 | AES | Key sizes: AES with 128, 192, 256 bits | Generation, Authentication | CMAC [SP 800-38B] | |||||
| GCM/GMAC1 | A7176 | N/A | Key sizes: 128, 192, 256 bits | Generation, Authentication | ||||||
| A7176 | A7176 | N/A | AES-128, AES-192, AES-256 | AES-CTR DRBG | Counter DRBG [SP 800-90Ar1] | |||||
| Hash DRBG | SHA sizes: SHA-1, SHA2-224, | A7176 | N/A | Hash DRBG | ||||||
| [SP 800-90Ar1] | SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | |||||||||
| A7176 | A7176 | N/A | SHA sizes: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | HMAC DRBG | HMAC DRBG [SP 800-90Ar1] | |||||
| A7176 | PQG Generation, PQG | A7176 | N/A | Key sizes: 1024, 2048, 3072 bits (1024 only for SigVer) | DSA2 [FIPS 186-4] | |||||
| A7176 | A7176 | N/A | Curves/Key sizes: P-192*, P-224, P-256, P-384, P-521, K163*, K-233, K-283, K-409, K-571, B-163*, B-233, B283, B-409, B-571 * Curves only used for Signature Verification and Public Key Validation | Public Key Generation, Signature Generation, Signature Verification, Public Key Validation | ECDSA [FIPS 186-4] | |||||
| A7176 | PRFs: HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, | A7176 | N/A | Key Derivation | KDA-HKDF [SP 800-56C-rev2] | |||||
| A7176 | A7176 | N/A | SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | Generation, Authentication | HMAC [FIPS 198-1] | |||||
| A7176 | Domain Parameter Generation | A7176 | N/A | Key Agreement | KAS-FFC3 [SP 800-56A-rev3] | |||||
| A7176 | A7176 | N/A | Domain Parameter Generation Methods/Scheme: P-224, P-256, P-384, P-521,K-233, K283, K-409, K-571, B-233, B-283, B-409, B-571 ephemeralUnified, fullMqv, fullUnified, onePassDh, onePassMqv, onePassUnified, staticUnified Curves specified above providing between 112 and 256 bits of encryption strength | Key Agreement | KAS-ECC3 [SP 800-56A-rev3] | |||||
| A7176 | PRFs: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, | A7176 | N/A | Key Derivation | KDA, One Step [SP 800-56C-rev2] | |||||
| A7176 | A7176 | N/A | PRFs: HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512, HMAC SHA-512/224, HMAC SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3-512, KMAC-128, KMAC-256 | Key Derivation | KDA, Two Step [SP 800-56C-rev2] | |||||
| KDF, Existing Application-Specific4 | CVL | TLS v1.0/1.1 KDF | N/A | Key Derivation | ||||||
| [SP 800-135-rev1] | A7176 | SHA sizes: SHA2-256, SHA2-384, SHA2-512 | ||||||||
| CVL A7176 | CVL A7176 | N/A | TLS 1.2 KDF SHA sizes: SHA2-256, SHA2-384, SHA2-512 | Key Derivation | KDF, Existing Application-Specific4 [SP 800-135-rev1] | |||||
| KDF, Existing Application-Specific4 | CVL | SNMP KDF | N/A | Key Derivation | ||||||
| [SP 800-135-rev1] | A7176 | Password Length: 64, 8192 | ||||||||
| CVL A7176 | CVL A7176 | N/A | SSH KDF SHA sizes: SHA2-224 | Key Derivation | KDF, Existing Application-Specific4 [SP 800-135-rev1] | |||||
| CVL A7176 | Key Derivation | CVL A7176 | N/A | X9.63 KDF SHA sizes: SHA2-224, SHA2-256, SHA2-384, SHA2-512 | KDF, Existing Application-Specific4 [SP 800-135-rev1] | |||||
| CVL A7176 | CVL A7176 | N/A | IKEv2 KDF SHA sizes:SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 | Key Derivation | KDF, Existing Application-Specific4 [SP 800-135-rev1] | |||||
| KDF, Existing Application-Specific4 | CVL | N/A | SRTP KDF | Key Derivation | ||||||
| [SP 800-135-rev1] | A7176 | |||||||||
| A7176 | A7176 | N/A | Options: PBKDF with Option 1a Types: HMAC-based KDF using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | Key Derivation | KDF, Password-Based [SP 800-132] | |||||
| A7176 | Counter Mode, | A7176 | Types: CMAC-based KBKDF with AES, HMAC-based KBKDF with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | Key Derivation | KDF, using Pseudorandom Functions5 [SP 800-108-rev1] | |||||
| A7176 | A7176 | AES KW, KWP | Key sizes: 128, 192, 256 bits (Key establishment methodology providing 128, 192 or 256 bits of encryption strength) | Key Wrapping | Key Wrapping Using Block Ciphers6 [SP 800-38F] | |||||
| RSA | A7176 | N/A | Key sizes: 2048, 3072, 4096 | Key Pair Generation | ||||||
| A7176 | A7176 | N/A | Key sizes: 2048, 3072, 4096 | Signature Generation | RSA [FIPS 186-4, ANSI X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)] | |||||
| RSA | A7176 | N/A | Key sizes: 1024, 2048, 3072, 4096 | Signature Verification | ||||||
| A7176 | A7176 | N/A | Key sizes: 1024, 1536, 2048, 3072, 4096 | Signature Verification | RSA [FIPS 186-2, ANSI X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)] | |||||
| CVL | CVL | N/A | 2048 | Component Test | RSA Decryption Primitive | |||||
| CVL A7176 | CVL A7176 | N/A | 2048 | Component Test | RSA Signature Primitive | |||||
| A7176 | RSA-OAEP with, and without, key confirmation. | A7176 | N/A | Key Transport | KTS-IFC [SP 800-56B-rev2, Section 7.2.2] | |||||
| A7176 | A7176 | N/A | RSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength | Key Agreement | KAS-IFC [SP 800-56B-rev2, Section 7.2.1] | |||||
| A7176 | Parameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, | A7176 | N/A | Key Generation, Key Verification | Safe Primes [SP 800-56A-rev3] | |||||
| A7176 | A7176 | N/A | SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications | SHS [FIPS 180-4] | |||||
| A7176 | Digital Signature Generation, | A7176 | N/A | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 | SHA-3, SHAKE [FIPS 202] | |||||
| A7176 | A7176 | N/A | Types: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash- 128, cSHAKE256, KMAC-256, TupleHash-256, ParallelHash-256 | Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications | SHA-3 Derived Functions [SP 800-185] | |||||
| Vendor | Vendor | N/A | Section 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG) | Key Generation | CKG using output from DRBG7 [SP 800-133-rev2] | |||||
| MD5 within TLS | Allowed per IG 2.4.A, no security claimed | MD5 used within a TLS handshake |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table 4. Approved Algorithms N/A N/A N/A N/A N/A N/A N/A N/A
1 GCM encryption with an internally generated IV, see section 2.2 concerning external IVs. IV generation is compliant with IG C.H.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A
3 Keys are not established directly into the module using the key agreement algorithms.
4 No parts of the protocols (TLS, SSHv2, X9.63, IKEv2, SRTP, SNMPv3), other than the approved cryptographic algorithms and the KDFs, have been reviewed or tested by the CAVP and CMVP.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A
5 Note: CAVP testing is not provided for use of the PRFs SHA-512/224 and SHA-512/256. These must not be used in approved mode.
| Name | CAVP Cert | Key Size | Use Function | Use / Function | |||||
|---|---|---|---|---|---|---|---|---|---|
| CVL A7176 | CVL A7176 | RSA Signature Primitive | N/A | 2048 | Component Test | ||||
| A7176 | RSA-OAEP with, and without, key confirmation. | A7176 | KTS-IFC [SP 800-56B-rev2, Section 7.2.2] | N/A | Key Transport | ||||
| A7176 | A7176 | KAS-IFC [SP 800-56B-rev2, Section 7.2.1] | N/A | RSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength | Key Agreement | ||||
| A7176 | Parameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, | A7176 | Safe Primes [SP 800-56A-rev3] | N/A | Key Generation, Key Verification | ||||
| A7176 | A7176 | SHS [FIPS 180-4] | N/A | SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications | ||||
| A7176 | Digital Signature Generation, | A7176 | SHA-3, SHAKE [FIPS 202] | N/A | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 | ||||
| A7176 | A7176 | SHA-3 Derived Functions [SP 800-185] | N/A | Types: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash- 128, cSHAKE256, KMAC-256, TupleHash-256, ParallelHash-256 | Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications | ||||
| Vendor | Vendor | CKG using output from DRBG7 [SP 800-133-rev2] | N/A | Section 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG) | Key Generation | ||||
| MD5 within TLS | Allowed per IG 2.4.A, no security claimed | MD5 used within a TLS handshake |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A D.H N/A Table 5. Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed
| Name | Mode Method | ||
|---|---|---|---|
| ARC4 (RC4) | ARC4 (RC4) | ARC4/RC4 stream cipher | |
| Blowfish | Blowfish block cipher | ||
| Camellia | Camellia | Camellia block cipher | |
| CAST5 | CAST5 block cipher | ||
| ChaCha20 | ChaCha20 | ChaCha20 stream cipher | |
| ChaCha20-Poly1305 | AEAD ChaCha20 using Poly1305 as the MAC | ||
| DES | DES | DES block cipher | |
| Diffie-Hellman KAS (non-compliant9) | Non-compliant key agreement methods | ||
| DSA (non-compliant10) | DSA (non-compliant10) | Non-approved digest signatures using DSA | |
| DSTU4145 | DSTU4145 EC algorithm | ||
| ECDSA (non-compliant10) | ECDSA (non-compliant10) | Non-approved digest signatures using ECDSA | |
| EdDSA | Ed25519 and Ed448 signature algorithms | ||
| ElGamal | ElGamal | ElGamal key transport algorithm | |
| FF3-1 | Format Preserving Encryption – AES FF3-1 | ||
| GOST28147 | GOST28147 | GOST-28147 block cipher | |
| GOST3410-1994 | GOST-3410-1994 algorithm | ||
| GOST3410-2001 | GOST3410-2001 | GOST-3410-2001 EC algorithm | |
| GOST3410-2012 | GOST-3410-2012 EC algorithm | ||
| GOST3411 | GOST3411 | GOST-3411-1994 message digest | |
| GOST3411-2012-256 | GOST-3411-2012 256-bit message digest | ||
| GOST3411-2012-512 | GOST3411-2012-512 | GOST-3411-2012 512-bit message digest | |
| HMAC-GOST3411 | GOST-3411 HMAC | ||
| HMAC-MD5 | HMAC-MD5 | MD5 HMAC | |
| HMAC-RIPEMD128 | RIPEMD128 HMAC | ||
| HMAC-RIPEMD160 | HMAC-RIPEMD160 | RIPEMD160 HMAC | |
| HMAC-RIPEMD256 | RIPEMD256HMAC | ||
| HMAC-RIPEMD320 | HMAC-RIPEMD320 | RIPEMD320 HMAC | |
| HMAC-TIGER | TIGER HMAC | ||
| HMAC-WHIRLPOOL | HMAC-WHIRLPOOL | WHIRLPOOL HMAC | |
| HSS | HSS signature scheme (RFC 8708) | ||
| IDEA | IDEA | IDEA block cipher | |
| KAS11 using SHA-512/224 or SHA-512/256 | Key Agreement using SHA-512/224 and SHA-512/256 based KDFs | ||
| KBKDF using SHA-512/224 or SHA-512/256 (non-compliant) | KBKDF using SHA-512/224 or SHA-512/256 (non-compliant) | PBKDF2 using the PRFs SHA-512/224 and SHA-512/256 | |
| LMS | LMS signature scheme (RFC 8708) | ||
| MD5 | MD5 | MD5 message digest | |
| OpenSSL PBKDF (non-compliant) | OpenSSL PBE key derivation scheme | ||
| PKCS#12 PBKDF (non-compliant) | PKCS#12 PBKDF (non-compliant) | PKCS#12 PBE key derivation scheme | |
| PKCS#5 Scheme 1 PBKDF (non-compliant) | PKCS#5 PBE key derivation scheme | ||
| Poly1305 | Poly1305 | Poly1305 message MAC | |
| PRNG X9.31 | X9.31 PRNG | ||
| RC2 | RC2 | RC2 block cipher | |
| RIPEMD128 | RIPEMD128 message digest | ||
| RIPEMD160 | RIPEMD160 | RIPEMD160 message digest | |
| RIPEMD256 | RIPEMD256 message digest | ||
| RIPEMD320 | RIPEMD320 | RIPEMD320 message digest | |
| RSA (non-compliant12) | Non-compliant RSA signature schemes | ||
| RSA KTS (non-compliant13) | RSA KTS (non-compliant13) | Non-compliant RSA key transport schemes | |
| SCrypt (non-compliant) | Scrypt using non-compliant PBKDF2 | ||
| SEED | SEED | SEED block cipher | |
| Serpent | Serpent block cipher | ||
| SipHash | SipHash | SipHash MAC | |
| SHACAL-2 | SHACAL2 block cipher | ||
| TIGER | TIGER | TIGER message digest | |
| Triple-DES | Triple-DES cipher | ||
| Twofish | Twofish | Twofish block cipher | |
| WHIRLPOOL | WHIRLPOOL message digest | ||
| XDH | XDH | X25519 and X448 key agreement algorithms |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table 6. Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
9 Support for additional key sizes and the establishment of keys of less than 112 bits of security strength.
10 Deterministic signature calculation, support for additional digests, and key sizes.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility
11 Keys are not directly established into the module using key agreement or transport techniques.
12 Support for additional digests and signature formats, PKCS#1 1.5 key wrapping, support for additional key sizes.
13 Support for additional key sizes and the establishment of keys of less than 112 bits of security strength.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility 2.1 Basic Enforcement The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module: 1. 2. 3. 4.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Any attempt by a thread within the execution of the module to use the key in an opposite mode will result in an exception being generated by the module. For example, if an RSA private key has been created in either approved or non-approved mode, then any request to access that key will first need to see if the thread making the request is in the same mode. From approved mode to non-approved mode: The module cannot transition from approved mode to non-approved mode. To initiate the module in nonapproved mode, either it should not be used in the context of Java Security Manager, or the module should have the permission “org.bouncycastle.crypto.CryptoServicesPermissionunapprovedModeEnabled” granted by the Java Security Manager. 2.2 Enforcement and Guidance for GCM IVs IVs for GCM can be generated randomly, or via a FipsNonceGenerator. Where an IV is not generated within the module the module supports the importing of GCM IVs. In approved mode, when a GCM IV is generated randomly, the module enforces the use of an approved DRBG in line with Section 8.2.2 of SP 800-38D. In approved mode, when a GCM IV is generated using the FipsNonceGenerator a counter is used as the basis for the nonce and the IV is generated in accordance with TLS protocol. Rollover of the counter in the FipsNonceGenerator will result in an IllegalStateException indicating the FipsNonceGenerator is exhausted and, as per IG C.H, where used for TLS 1.2, rollover will terminate any TLS session in process using the current key and the exception can only be recovered from by using a new handshake and creating a new FipsNonceGenerator. In approved mode, importing a GCM IV for encryption that originates from outside the module is non-conformant. A service indicator for IV usage is provided in the module through Java logging. Setting the logging level to Level.FINE for the named logger “org.bouncycastle.jcajce.provider.BaseCipher” will produce a log message when an IV which may have been produced outside the module and/or not from a compliant source is detected. The log message will be of the standard form including the detail: FINE: Passed in GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Setting the logging level to Level.FINER will produce an additional log message for any GCM IV which is used if the previous Level.FINE message is not activated. Log messages in this case will show the detail as: FINER: GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Per IG C.H, in the event module power is lost and restored the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The AES-GCM Mode falls under:
FIPS 140-3 Security Policy 2.3 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Enforcement and Guidance for use of the Approved PBKDF In line with the requirements for SP 800-132, keys generated using the approved PBKDF must only be used for storage applications. Any other use of the approved PBKDF is non-conformant. In approved mode the module enforces that any password used must encode to at least 14 bytes (112 bits) and that the salt is at least 16 bytes (128 bits) long. The iteration count associated with the PBKDF should be as large as practical. As the module is a general-purpose software module, it is not possible to anticipate all the levels of use for the PBKDF, however a user of the module should also note that a password should at least contain enough entropy to be unguessable and also contain enough entropy to reflect the security strength required for the key being generated. In the event a password encoding is simply based on ASCII a 14 byte password is unlikely to contain sufficient entropy for most purposes as the standard set of printable characters only allows for as much as 6 bits of entropy per byte, giving a password which for the case of 14 bytes, yields a key that has been generated using 14 * 6 bits, giving only 84 bits of security, well below what is required for a key with the same level of hardness as a 112 bit one. Users are referred to Appendix A, “Security Considerations” of SP 800-132 for further information on password, salt, and iteration count selection. The iteration count value is provided by the user
| Name | Physical Port | Logical Interface | ||
|---|---|---|---|---|
| Data Output | Data Output | API output parameters and return values – plaintext and/or ciphertext data. | ||
| Control Input | API method calls – method calls, or input parameters, that specify commands and/or control data used to control the operation of the module. | Control Input | ||
| Status Output | Status Output | API output parameters and return/error codes that provide status information used to indicate the state of the module. |
FIPS 140-3 Security Policy 2.5 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Guidance for the use of Format-Preserving Encryption The module supports both FF1 and, in non-approved mode, FF3-1 format preserving encryption. Below shows the parameter constraints applicable to the module’s implementation. SP800-38G Format-Preserving Encryption Constraints: radix radixminlen minlen maxlen maxTlen in range of 2..216 >= 1000000 >= 2 octets < 232 octets >= 0 octets in range of 2..216 >= 1000000
An attempt to use the FF1 or FF3-1 without meeting the radixminlen constraint or by exceeding maxlen will result in an IllegalArgumentException. Note: only FF1 should be used in approved mode. 2.6 Cryptographic Key Generation The module performs Cryptographic Key Generation in conformance to FIPS 140-3 IG D.H. The CKG for symmetric keys and seeds used for generating asymmetric keys is performed as per Section 4 of the SP800-133r2 and compliant with FIPS 186-4 and SP800-90Arev1 for DRBG. The seed used in asymmetric key generation is the direct output of SP800-90Arev1 DRBG. Cryptographic Module Interfaces The module is a software module, and, therefore, control of the physical ports is outside of the module’s scope. The module does provide a set of logical interfaces which are mapped to the following FIPS 140-3 defined logical interfaces: data input, data output, control input, status output, and power. When the module performs self-tests, is in an error state, is generating keys, or performing zeroization, the module prevents all output on the logical data output interface as only the thread performing the operation has access to the data. The module is single-threaded, and in an error state, the module does not return any output data, only an error value. The module does not implement control output interface. The mapping of the FIPS 140-3 logical interfaces to the module is described in Table
| Name | Roles | Input | Output | ||||
|---|---|---|---|---|---|---|---|
| Data Encryption | CO/User | Key, Plaintext | Ciphertext | ||||
| CO/User | CO/User | Data Decryption | Key, Ciphertext | Plaintext | |||
| MAC Calculation | CO/User | Key, Message | MAC | ||||
| CO/User | CO/User | Signature Authentication | Key, Message | Signature | |||
| Signature Verification | CO/User | Key, Message, Signature | Boolean | ||||
| Message Hashing | CO/User | Message | Hash | ||||
| CO/User | CO/User | Keyed Message Hashing | Key, Message | Hash | |||
| TLS Key Derivation Function | CO/User | TLS Parameters | Data | ||||
| CO/User | CO/User | SP 800-108-rev1 KDF | KDF Parameters | Data | |||
| SSH Derivation Function | CO/User | SSH Parameters | Data | ||||
| CO/User | CO/User | X9.63 Derivation Function | X9.63 Parameters | Data | |||
| SP 800-56C-rev2 OneStep/TwoStep Key Derivation Function (KDM) | CO/User | KDM Parameters | Data | ||||
| CO/User | CO/User | IKEv2 Derivation Function | IKEv2 Parameters | Data | |||
| SRTP Derivation Function | CO/User | SRTP Parameters | Data | ||||
| CO/User | CO/User | PBKDF | Password, PBKDF Parameters | Data | |||
| Key Agreement Schemes | CO/User | Key Agreement keys, parameters | Data | ||||
| CO/User | CO/User | Key Wrapping | Wrapping key, Key | Wrapped key | |||
| Key Unwrapping | CO/User | Unwrapping Key, Wrapped key | Key | ||||
| CO/User | CO/User | Key Generation | Key Generation Parameters | Key Pair | |||
| Key Verification | CO/User | Key Pair | Boolean | ||||
| CO/User | CO/User | SSP Export Operation | SSP | Data |
FIPS 140-3 Security Policy Roles, Services, and Authentication 4.1 Basic Guidance Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The jar file representing the module needs to be installed in a JVM’s class path in a manner appropriate to its use in applications running on the JVM. Functionality in the module is provided in two ways. At the lowest level there are distinct classes that provide access to the approved and non-approved services provided by the module. A more abstract level of access can also be gained using strings providing operation names passed into the module’s Java cryptography provider through the APIs described in the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). When the module is being used in approved mode, classes providing implementations of algorithms which are not approved, or allowed, are explicitly disabled. SSPs such as private and secret keys implement the Destroyable interface. Where appropriate these SSPs can be zeroized on demand by invoking the destroy() method. The return of the destroy() method indicates that the zeroization is complete. Roles, with corresponding service with input and output is specified in Table 8 below: Table 8. Roles, Service Commands, Input and Output N/A N/A N/A N/A N/A
FIPS 140-3 Security Policy 4.2 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A Assumption of Roles The module supports two distinct operator roles, User and Cryptographic Officer (CO). The cryptographic module implicitly maps the two roles to the services. A user is considered the owner of the thread that instantiates the module and, therefore, only one concurrent user is allowed. Table 9 lists all operator roles supported by the module. The module does not support a maintenance role and/or bypass capability. The module does not support authentication. Table 9. Roles and Authentication 4.3 N/A N/A Services Table 10 lists the services and a description of each service with the usage and roles. Services in the module are accessed via the public APIs of the jar file. The ability of a thread to invoke non-approved services depends on whether it has been registered with the module as approved mode only. In approved only mode no non-approved services are accessible. In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific permissions to be configured in the JVM configuration by the Cryptographic Officer or User. In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The modes of access shown in the table are defined as:
14 Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved mode, false otherwise.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | |
|---|---|---|---|---|---|---|---|
| Data Decryption | Used to decrypt data. | CO/User | AES Decryption Key | AES-ECB, AES-CBC, AES-OFB, AES-CFB8, AES-CFB128, AES-CTR, AES-CBC-CS, CCM, GCM, FF1 | E | Flag | |
| MAC Calculation | Used to calculate data integrity codes with CMAC. | CO/User | CMAC, GMAC | E | Flag | AES Authentication Key, | |
| Signature Authentication | Used to generate signatures (DSA, ECDSA, RSA). | CO/User | DSA Signing Key, EC Signing Key, RSA Signing Key | DSA, ECDSA, RSA | E | Flag | |
| Signature Verification | Used to verify digital signatures. | CO/User | DSA, ECDSA, RSA | E | Flag | DSA Verification Key, | |
| DRBG (SP800-90Arev1) output | Used for random number, IV and key generation. | CO/User | AES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DRBG Seed, Internal State V and C value, and DRBG Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public Key | Counter DRBG, Hash DRBG, HMAC DRBG | G | Flag | |
| DRBG Seed, Internal State V and C value, and DRBG Key | CO/User | DRBG Seed, Internal State V and C value, and DRBG Key | E |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility E E E E G E
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Access rights to Keys and/or SSPs | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Message Hashing | Used to generate message digest, SHAKE output. | CO/User | N/A | N/A | Flag | SHS, SHA-3, SHAKE, SHA-3 | N/A | |||||
| Keyed Message Hashing | Used to calculate data integrity codes with HMAC and KMAC. | CO/User | HMAC Authentication Key, KMAC Authentication Key | HMAC, SHA-3 Derived Functions (KMAC) | E | Flag | ||||||
| TLS Key Derivation | CO/User | TLS KDF Secret Value | E | Flag | HKDF, KDF, Existing Application- | TLS Key Derivation | Used to calculate a value suitable to | |||||
| SP 800-108-rev1 KDF | Used to calculate a value suitable to be used for a secret key. | CO/User | SP800-108-rev1 KDF Secret Value | KBKDF, using Pseudorandom Functions | E | Flag | ||||||
| SSH Derivation | CO/User | SSH KDF Secret Value | E | Flag | Existing Application-Specific | SSH Derivation | Used to calculate a value suitable to | |||||
| X9.63 Derivation Function | Used to calculate a value suitable to be used for a secret key. | CO/User | DH Agreement Private Key, EC Agreement Private Key, RSA Signing Key | Existing Application-Specific (X9.63 KDF) | G | Flag | ||||||
| X9.63 KDF Secret Value | CO/User | X9.63 KDF Secret Value | E | |||||||||
| SP 800-56C-rev2 | Used to calculate a value suitable to be used for a secret key. | CO/User | HKDF, KDF One Step, KDF Two Step | G | Flag | SP 800-56C-rev2 | DH Agreement Private Key, | |||||
| OneStep/TwoStep | OneStep/TwoStep | EC Agreement Private Key, | ||||||||||
| Key Derivation | Key Derivation | RSA Signing Key | ||||||||||
| Function (KDM) | E | Function (KDM) | SP800-56C-rev2 KDF Secret Value | CO/User | ||||||||
| IKEv2 Derivation Function | Used to calculate a value suitable to be used for a secret key. | CO/User | IKEv2 KDF Secret Value | Existing Application-Specific (IKEv2) | E | Flag | ||||||
| SRTP Derivation | CO/User | SRTP KDF Secret Value | E | Flag | Existing Application-Specific | SRTP Derivation | Used to calculate a value suitable to | |||||
| PBKDF | Used to generate a key using an encoding of a password and message hash. | CO/User | HMAC Authentication Key, KMAC Authentication Key | KDF, Password-Based | G | Flag | ||||||
| HMAC Authentication Key, KMAC Authentication Key, PBDKF Secret | CO/User | HMAC Authentication Key, KMAC Authentication Key, PBDKF Secret | E |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A E E E E G E G E E E G E N/A
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Keys and/or SSPs | ||
|---|---|---|---|---|---|---|---|---|---|
| Key Agreement Schemes | Used to calculate key agreement values (SP800-56A-rev3, Diffie- Hellman). | CO/User | AES Encryption Key, | KAS-FFC, KAS-ECC, KAS-IFC, SafePrimes | G | Flag | G | ||
| DH Agreement Private Key, | CO/User | DH Agreement Private Key, | E | ||||||
| Key Wrapping | Used to encrypt a key value (RSA, AES). | CO/User | AES KW, AES KWP, KTS-IFC | Flag | E | AES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key, RSA Key Transport Private Key | |||
| Key Unwrapping | Used to decrypt a key value (RSA, AES) | CO/User | AES Wrapping Key, | AES KW, AES KWP, KTS-IFC | Flag | E | |||
| Key Verification | Used to verify key pair. | CO/User | EC Signing Key, | ECDSA KeyVer | Flag | E | |||
| Entropy Callback | Gathers entropy in a passive manner from a user-provided function. | CO/User | DRBG, CKG | Flag | G | DRBG Seed, Internal State V and C value, and DRBG Key | |||
| DRBG Health-Tests | CO/User | DRBG | Flag | N/A | N/A | Used to perform checks of incoming |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A G E E E E E G N/A
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | |
|---|---|---|---|---|---|---|---|
| SSP Export Operation | Returns a CSP as data that can be used for later output. | CO/User | AES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public Key | N/A | R | Flag | |
| Utility | CO/User | N/A | N/A | N/A | Flag | Miscellaneous utility functions, does |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | |
|---|---|---|---|---|---|---|---|
| SSP Export Operation | Returns a CSP as data that can be used for later output. | CO/User | AES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public Key | N/A | R | Flag | |
| Utility | CO/User | N/A | N/A | N/A | Flag | Miscellaneous utility functions, does |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility R N/A N/A N/A N/A Table 11. Non-Approved Services
15 Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved mode, false otherwise.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Software/Firmware Security The module type is software. The module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips2.0.0.jar. Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Self–tests are available on demand by power cycling the module. The integrity is verified using HMAC-SHA2-256. The HMAC of the module JAR file excluding directories and metadata is calculated and compared to the expected value embedded within the module’s properties. If the calculated value does not match the expected value, the module raises an error and fails to load. The integrity test can be performed on demand by power cycling the host platform. CASTs are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target. Operational Environment The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module runs on a GPC running one of the operating systems specified in the approved operational environment list in Table 2. Each approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module within the process space of the Java Virtual Machine. The module optionally uses the Java Security Manager and starts in approved mode by default when used with the Java Security Manager. 6.1 Use of External RNG The module makes use of the JVM's configured SecureRandom entropy source to provide entropy when required. The module will request entropy as appropriate to the security strength and seeding configuration for the DRBG that is using it and for the default DRBG will request a minimum of 256 bits of entropy. In approved mode the minimum amount of entropy that can be requested by a DRBG is 112 bits. The module will wait until the SecureRandom.generateSeed() returns the requested amount of entropy, blocking if necessary. The JVMs entropy source can be configured through setting the security property: securerandom.strongAlgorithms in the JVM's java.security file. 6.2 Additional Enforcement with a Java SecurityManager In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific policy permissions to be configured in the JVM configuration by the Cryptographic Officer or User. The SecurityManager can also be used to restrict the ability of particular code bases to examine CSPs. See Section 6.3 for further advice. In the absence of a Java SecurityManager, specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.
| Permission | Settings | Req | Usage |
|---|
FIPS 140-3 Security Policy 6.3 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Approved Mode Configuration In default operation the module will start with all algorithms and services enabled. If the module detects that the system property org.bouncycastle.fips.approved_only is set to true the module will start in approved mode and non-approved mode functionality will not be available. If the underlying JVM is running with a Java Security Manager installed the module will be running in approved mode with secret and private key export disabled. When the module is not used within the context of the Java Security Manager, it will start by default in the non-approved mode. Use of the module with a Java Security manager requires the setting of some basic permissions to allow the module HMAC-SHA-256 software integrity test to take place as well as to allow the module itself to examine secret and private keys. The basic permissions required for the module to operate correctly with a Java Security manager are indicated by a Y: Available Java Permissions RuntimePermission RuntimePermission PropertyPermission SecurityPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission CryptoServicesPermission “getProtectionDomain” “accessDeclaredMembers” “java.runtime.name”, “read” "putProviderProperty.BCFIPS" “unapprovedModeEnabled” “changeToApprovedModeEnabled” “exportSecretKey” “exportPrivateKey” “exportKeys” “tlsNullDigestEnabled” “tlsPKCS15KeyWrapEnabled” “tlsAlgorithmsEnabled” “defaultRandomConfig” “threadLocalConfig” “globalConfig” Y Y N N N N N N Y N N N N N N Allows checksum to be carried out on jar. Allows use of reflection API within the provider. Only if configuration properties are used. Only if provider installed during execution. Only if non-approved mode algorithms required. Only if threads allowed to change modes. To allow export of secret keys only. To allow export of private keys only. Required to be applied for the module itself. Optional for any other codebase. Only required for TLS digest calculations. Only required if TLS is used with RSA encryption. Enables both NullDigest and PKCS15KeyWrap. Allows setting of default SecureRandom. Required to set a thread local property in the CryptoServicesRegistrar. Required to set a global property in the CryptoServicesRegistrar. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2) by default. These values can also be configured by the Cryptographic Officer using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H.
FIPS 140-3 Security Policy 6.4 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Guidance for the use of DRBGs and Configuring the JVM's Entropy Source A user can instantiate the default Approved DRBG for the module explicitly by using SecureRandom.getInstance("DEFAULT", "BCFIPS"), or by using a BouncyCastleFipsProvider object instead of the provider name as appropriate. This will seed the Approved DRBG from the live entropy source of the JVM with a number of bits of entropy appropriate to the security strength of the default Approved DRBG configured for the module. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2). These values can also be configured by the user using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H. For the default the property would be set as: org.bouncycastle.entropy.factors: 4, 13, 8.0 in the java.security property file. An additional option is available using the Approved Hash_DRBG and the process outlined in SP800 90A, Section 8.6.5. This can be turned on by following the instructions in Section 2.3 of the User Guide. The two DRBGs are instantiated in a chain as a "Source DRBG" to seed the "Target DRBG" in accordance with Section 7 of Draft NIST SP 800-90C, where the Target DRBG is the default Approved DRBG used by the module. The initial seed and the subsequent reseeds for the DRBG chain come from the live entropy source configured for the JVM. The DRBG chain will reseed automatically by pausing for 20 requests (which will usually equate to 5120 bytes). An entropy gathering thread reseeds the DRBG chain when it has gathered sufficient entropy (currently 256 bits) from the live entropy source. Once reseeded, the request counter is reset and the reseed process begins again. The “Source DRBG” in the chain is internal to the module and inaccessible to the user to ensure it is only used for generating seeds for the default Approved DRBG of the module. The user shall ensure that the entropy source is configured per Section 6.1 of this Security Policy and will block, or fail, if it is unable to provide the amount of entropy requested. Physical Security This section is not applicable as the module is a software module. Non-Invasive Security This section is not applicable to this module. Sensitive Security Parameter Management All Sensitive Security Parameters (SSPs) used by the module are described in this section in Table 12. All usage of these SSPs by the module (including all SSP lifecycle states) is described in the services detailed in Section 4.3. Please note that the module does not perform automatic SSP establishment, it only provides the components to the calling application which can be used in SSP establishment.
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AES Encryption Key | 128, 192, 256 bits | AES ECB, CBC, OFB, | DRBG16 | N/A | N/A, the module does not provide persistent storage | AES encryption19 | Import17, | AES Encryption Key | Import17, Export18 | destroy() service call or host platform power cycle | |||
| CFB8, CFB128, CTR, | CFB8, CFB128, CTR, | Export18 | |||||||||||
| AES Decryption Key | 128, 192, 256 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | AES decryption | AES Decryption Key | Import17, Export18 | destroy() service call or host platform power cycle | AES ECB, CBC, OFB, CFB8, CFB128, CTR, FF1, CBCCS1, CBCCS2, CBCCS3, GCM, CKG A7176 | ||||
| AES Authentication Key | 128, 192, 256 bits | DRBG16 | N/A | AES CMAC/GMAC | AES Authentication Key | Import17, Export18 | AES CMAC, GMAC, CKG A7176 | N/A, the module | destroy() | ||||
| does not provide | does not provide | service call or | |||||||||||
| persistent | persistent | host platform | |||||||||||
| AES Wrapping Key | 128, 192, 256 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | AES (128/192/256) key wrapping key for KTS | AES Wrapping Key | Import17, Export18 | destroy() service call or host platform power cycle | AES KW, KWP, CKG A7176 | ||||
| DH Agreement Private Key | 112, 128, 152, 176, 200 bits | DRBG16 | N/A | Diffie-Hellman key agreement | DH Agreement Private Key | Import17, Export18 | KAS-FFC, CKG A7176 | N/A, the module | destroy() | ||||
| does not provide | does not provide | service call or | |||||||||||
| persistent | persistent | host platform | |||||||||||
| DH Agreement Public Key | 112, 128, 152, 176, 200 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | Diffie-Hellman key agreement | DH Agreement Public Key | Import17, Export18 | Not zeroized, public key value known outside of module | KAS-FFC, CKG A7176 |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Table 12. SSPs N/A N/A N/A N/A N/A N/A
18 Export done via key recovery using getEncoded() method and followed by separate step to export key details as either plaintext or encrypted (Electronic Entry).
19 The AES-GCM key and IV is generated randomly per IG C.H, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application
must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed.
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DSA Signing Key | 112, 128 bits | DSA Signature | DRBG16 | N/A | DSA signature generation | Import17, | DSA Signing Key | DSA Signature Generation, CKG A7176 | Import17, Export18 | N/A, the module | destroy() | |||
| Generation, CKG | Generation, CKG | Export18 | does not provide | service call or | ||||||||||
| A7176 | A7176 | persistent | host platform | |||||||||||
| DSA Verification Key | 80, 112, 128 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | DSA signature verification | DSA Verification Key | DSA Signature Verification, CKG A7176 | Import17, Export18 | Not zeroized, public key value known outside of module | |||||
| EC Agreement Private Key | 112, 128, 192, 256 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | EC Agreement Private Key | KAS-ECC, CKG A7176 | Import17, Export18 | destroy() service call or host platform power cycle | EC (P-224, P-256, P-384, | |||||
| EC Agreement Public Key | 112, 128, 192, 256 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | EC (P-224, P-256, P-384, P-521, K-233, K-283, K-409, K571, B-233, B-283, B-409 and B-571) key agreement | EC Agreement Public Key | KAS-ECC, CKG A7176 | Import17, Export18 | Not zeroized, public key value known outside of module | |||||
| EC Signing Key | 112, 128, 192, 256 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | EC Signing Key | ECDSA Signature Generation, CKG A7176 | Import17, Export18 | destroy() service call or host platform power cycle | ECDSA (P-224, P-256, | |||||
| EC Verification Key | 80, 112, 128, 192, 256 bits | DRBG16 | N/A | N/A, the module does not provide persistent storage | ECDSA (P-192, P-224, P-256, P-384, P-521, K-163, K-233, K-283, K-409, K-571, B-163, B-233, B-283, B-409 and B-571) signature verification | EC Verification Key | ECDSA Signature Verification, CKG A7176 | Import17, Export18 | Not zeroized, public key value known outside of module | |||||
| HMAC/KMAC Authentication Key | 112-256 bits | DRBG16 | N/A | Keyed-Hash calculation (SHA-1, SHA2, SHA-3, KMAC) | HMAC/KMAC Authentication Key | SHA-1, SHA2, SHA3, KMAC, CKG A7176 | Import17, Export18 | N/A, the module | destroy() | |||||
| does not provide | does not provide | service call or | ||||||||||||
| persistent | persistent | host platform | ||||||||||||
| RSA Signing Key | 112, 128, 152 bits | DRBG16 | N/A | Import17, Export18 | RSA Signing Key | RSA Signature Generation, CKG A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | RSA signature generation | |||||
| RSA Verification Key | 80, 112, 128, 152 bits | DRBG16 | N/A | Not zeroized, | Import17, Export18 | RSA Verification Key | RSA Signature Verification, CKG A7176 | N/A, the module | RSA signature verification | |||||
| does not provide | public key value | does not provide | ||||||||||||
| persistent | known outside | persistent | ||||||||||||
| RSA Key Transport Private Key20 | 112, 128, 152 bits | DRBG16 | N/A | Import17, Export18 | RSA Key Transport Private Key20 | KTS-IFC, CKG A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | RSA key transport and decryption | |||||
| RSA Key Transport Public Key20 | 112, 128, 152 bits | DRBG16 | N/A | Not zeroized, | Import17, Export18 | RSA Key Transport Public Key20 | KTS-IFC, CKG A7176 | N/A, the module | RSA key transport | |||||
| does not provide | public key value | does not provide | ||||||||||||
| persistent | known outside | persistent | ||||||||||||
| IKEv2 KDF Secret Value | 112, 128, 192, 256 bits | Generated as output of an IKEv2 agreement scheme | N/A | N/A | IKEv2 KDF Secret Value | KDF IKEv2 A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | Key Derivation | |||||
| PBKDF Secret Value | 112-256 bits | N/A | destroy() | N/A | PBKDF Secret Value | PBKDF A7176 | Generated as | N/A, the module | Key Derivation | |||||
| output of a | service call or | output of a | does not provide | |||||||||||
| PBE key and a | host platform | PBE key and a | persistent | |||||||||||
| PRF | power cycle | PRF | storage | |||||||||||
| SP 800-56C-rev2 OneStep/TwoStep KDF Secret Value | 112, 128, 192, 256 bits | Generated as output of an agreement scheme | N/A | N/A | SP 800-56C-rev2 OneStep/TwoStep KDF Secret Value | KDA OneStep SP800- 56Cr2, KDA TwoStep SP800-56Cr2 A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | Key Derivation | |||||
| SP 800-108-rev1 KDF Secret Value | 112, 128, 192, 256 bits | N/A | destroy() | N/A | SP 800-108-rev1 KDF Secret Value | KDF SP800-108 A7176 | Generated as | N/A, the module | Key Derivation | |||||
| output of an | service call or | output of an | does not provide | |||||||||||
| agreement | host platform | agreement | persistent | |||||||||||
| scheme | power cycle | scheme | storage | |||||||||||
| SRTP KDF Secret Value | 128, 192, 256 bits | Generated as output of an SRTP agreement scheme | N/A | N/A | SRTP KDF Secret Value | KDF SRTP A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | Key Derivation | |||||
| SSH KDF Secret Value | 80, 112, 128, 192, 256 bits | N/A | N/A | SSH KDF Secret Value | KDF SSH A7176 | Generated as | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | Key Derivation | |||||
| TLS Premaster Secret Value | 384 bits | Protocol version (2 bytes) and 46 bytes from a DRBG16 | N/A | Import17, Export18 | TLS Premaster Secret Value | KDF TLS A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | Used to derive keys using TLS KDF | |||||
| TLS KDF Secret Value | 112, 128, 192, 256 bits | N/A | destroy() | N/A | TLS KDF Secret Value | KDF TLS A7176 | Generated as | N/A, the module | Key Derivation | |||||
| output of TLS | service call or | output of TLS | does not provide | |||||||||||
| agreement | host platform | agreement | persistent | |||||||||||
| scheme | power cycle | scheme | storage | |||||||||||
| X9.63 KDF Secret Value | 112, 128, 192, 256 bits | Generated as output of an agreement scheme | N/A | N/A | X9.63 KDF Secret Value | KDF ANS 9.63 A7176 | N/A, the module does not provide persistent storage | destroy() service call or host platform power cycle | Key Derivation | |||||
| Entropy Input String | >128 bits | N/A | Obtained | N/A | destroy() | Entropy Input String | N/A | N/A, the module | Random Number Generation | |||||
| from the | from the | service call or | does not provide | |||||||||||
| entropy | entropy | host platform | persistent | |||||||||||
| source | source | power cycle | storage | |||||||||||
| CTR DRBG Seed | 128, 192, 256 bits | N/A | N/A | Obtained from the entropy source | CTR DRBG Seed | N/A | N/A, the module does not provide persistent storage | Immediately after use or host platform power cycle | Internal use | |||||
| CTR DRBG V Value | 128 bits | From seed value | N/A | reseed() service | N/A | CTR DRBG V Value | N/A | N/A, the module | Internal use | |||||
| does not provide | call or host | does not provide | ||||||||||||
| persistent | platform power | persistent | ||||||||||||
| CTR DRBG Key | 128, 192, 256 bits | From DRBG V value | N/A | N/A, the module does not provide persistent storage | Internal use | CTR DRBG Key | N/A | N/A | reseed() service call or host platform power cycle | |||||
| Hash DRBG Seed | 112, 128, 192, 256 bits | N/A | N/A | Internal use | Hash DRBG Seed | N/A | From external entropy source | N/A, the module | Immediately | |||||
| does not provide | does not provide | after use or | ||||||||||||
| persistent | persistent | host platform | ||||||||||||
| Hash DRBG V Value | 112, 128, 192, 256 bits | From seed value | N/A | N/A, the module does not provide persistent storage | Internal use | Hash DRBG V Value | N/A | N/A | reseed() service call or host platform power cycle | |||||
| Hash DRBG C Value | 112, 128, 192, 256 bits | From DRBG V value | N/A | Internal use | Hash DRBG C Value | N/A | N/A | N/A, the module | reseed() service | |||||
| does not provide | does not provide | call or host | ||||||||||||
| persistent | persistent | platform power | ||||||||||||
| HMAC DRBG Seed | 112, 128, 192, 256 bits | N/A | N/A | N/A, the module does not provide persistent storage | Internal use | HMAC DRBG Seed | N/A | From external entropy source | Immediately after use or host platform power cycle | |||||
| HMAC DRBG V Value | 112, 128, 192, 256 bits | From seed value | N/A | Internal use | HMAC DRBG V Value | N/A | N/A | N/A, the module | reseed() service | |||||
| does not provide | does not provide | call or host | ||||||||||||
| persistent | persistent | platform power | ||||||||||||
| HMAC DRBG Key | 112, 128, 192, 256 bits | From DRBG V value | N/A | N/A, the module does not provide persistent storage | Internal use | HMAC DRBG Key | N/A | N/A | reseed() service call or host platform power cycle | |||||
| DRBG Output | 128, 192, 256 bits | DRBG | N/A | N/A, the module does not provide persistent storage | DRBG Output | N/A | N/A | destroy() service call or host platform power cycle | Used as seed for |
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A
20 RSA key transport using PKCS#1 1.5 padding is deprecated through 2023 and disallowed after 2023.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
| Entropy sources | Minimum number of bits of entropy | Details | |
|---|---|---|---|
| Passive Entropy | 128 | As per FIPS 140-3 IG 9.3.A Section 2b, a minimum of 16 bytes is required from the source configured for seed | |
| generation for the JVM. The entropy reader will block until the seed generator has provided the minimum number of | |||
| bytes. |
FIPS 140-3 Security Policy 9.1 Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The module’s use of Non-Deterministic Random Number Generators is determined by the settings described in Section 6.1. Table 13. Non-Deterministic Random Number Generation Specification
CASTs are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target.
Each time the module is powered up, it performs the pre-operational self-tests to confirm that sensitive data have not been damaged. The pre-operational tests include the Software Integrity test, which verifies the module using HMAC-SHA2-256, and the HMAC and SHS Conditional Cryptographic Algorithm SelfTests (CAST) which are run prior to the Software Integrity test to ensure the correctness of the HMAC used. Pre-operational self–tests are available on demand by power cycling the module.
The module performs conditional self-tests when the conditions specified for cryptographic algorithm self-test and pair-wise consistency tests occur. Below are the self-tests implemented: Conditional Cryptographic Algorithm Self-Tests:
FIPS 140-3 Security Policy
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Conditional Pair-wise Consistency Tests:
If any of the above-mentioned self-tests fail, the module enters an error state called “Hard Error” state. Upon entering the error state, the module outputs status by way of an exception. An example exception for AES Encryption failure is mentioned below: “Failed self-test on encryption: AES” The module can be recovered by power cycling the module which results in execution of preoperational self-tests and conditional cryptographic algorithm self-tests. If the tests pass, then the module will be available for use.
Vulnerabilities found in the module will be reported on the National Vulnerability Database, located at https://nvd.nist.gov/. Researchers and users are encouraged to report any security related concerns to feedbackcrypto@bouncycastle.org. A PGP public key can be provided if confidentiality is required around the report. Please find the procedures for secure installation, initialization, startup and operation of the module: The module exists as part of the running JVM as such:
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility
The module implements basic protections to mitigate against timing-based attacks against its internal implementations. There are two countermeasures used. The first is Constant Time Comparisons, which protect the digest and integrity algorithms by strictly avoiding “fast fail” comparison of MACs, signatures, and digests so the time taken to compare a MAC, signature, or digest is constant regardless of whether the comparison passes or fails. The second is made up of Numeric Blinding and decryption/signing verification which both protect the RSA algorithm. Numeric Blinding prevents timing attacks against RSA decryption and signing by providing a random input into the operation which is subsequently eliminated when the result is produced. The random input makes it impossible for a third party observing the private key operation to attempt a timing attack on the operation as they do not have knowledge of the random input and consequently the time taken for the operation tells them nothing about the private value of the RSA key. Decryption/signing verification is carried out by calculating a primitive encryption or signature verification operation after a corresponding decryption or signing operation before the result of the decryption or signing operation is returned. The purpose of this is to protect against Lenstra's CRT attack by verifying the correctness of the private key calculations involved. Lenstra's CRT attack takes advantage of undetected errors in the use of RSA private keys with CRT values and, if exploitable, can be used to discover the private value of the RSA key.
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility Appendix: References and Definitions The following standards are referred to in this Security Policy: ANSI X9.31 FIPS 140-3 FIPS 180-4 FIPS 186-3 FIPS 186-4 FIPS 197 FIPS 198-1 FIPS 202 IG PKCS#1 v2.1 PKCS#5 PKCS#12 SP 800-38A SP 800-38B SP 800-38C SP 800-38D SP 800-38F SP 800-38G SP 800-56A-rev3 SP 800-56B-rev2 SP 800-56C-rev2 SP 800-67-rev2 SP 800-89 SP 800-90A SP 800-90B SP 800-108-rev1 SP 800-132 SP 800-133-rev2 SP 800-135-rev1 X9.31-1998, Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), September 9, 1998 Security Requirements for Cryptographic modules, March 22, 2019 Secure Hash Standard (SHS) Digital Signature Standard (DSS) Digital Signature Standard (DSS) Advanced Encryption Standard The Keyed-Hash Message Authentication Code (HMAC) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program RSA Cryptography Standard Password-Based Cryptography Standard Personal Information Exchange Syntax Standard Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography Recommendation for Key Derivation through Extraction-then-Expansion Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher Recommendation for Obtaining Assurances for Digital Signature Applications Recommendation for Random Number Generation Using Deterministic Random Bit Generators Recommendation for the Entropy Sources Used for Random Bit Generation Recommendation for Key Derivation Using Pseudorandom Functions Recommendation for Password-Based Key Derivation Recommendation for Cryptographic Key Generation Recommendation for Existing Application
FIPS 140-3 Security Policy Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility The following are acronyms used in this Security Policy: AES API BC BC-FJA CBC CCM CDH CFB CMAC CMVP CO CPU CS CSP CTR CVL DES DH DRAM DRBG DSA DSTU4145 EC ECB ECC ECDSA EdDSA EMC EMI FIPS GCM GMAC GOST Advanced Encryption Standard Application Programming Interface Bouncy Castle Bouncy Castle FIPS Java API Cipher-Block Chaining Counter with CBC-MAC Computational Diffie-Hellman Cipher Feedback Mode Cipher-based Message Authentication Code Crypto Module Validation Program Cryptographic Officer Central Processing Unit Ciphertext Stealing Critical Security Parameter Counter-mode Component Validation List Data Encryption Standard Diffie-Hellman Dynamic Random Access Memory Deterministic Random Bit Generator Digital Signature Authority Ukrainian DSTU-4145-2002 Elliptic Curve Scheme Elliptic Curve Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Authority Edwards Curve DSA using Ed25519, Ed448 Electromagnetic Compatibility Electromagnetic Interference Federal Information Processing Standards Galois/Counter Mode Galois Message Authentication Code Gosudarstvennyi Standard Soyuza SSR/Government Standard of the Union of Soviet Socialist Republics
FIPS 140-3 Security Policy GPC HMAC IG JAR JCA JCE JDK JRE JVM IV KAS KAT KDF KW KWP KMAC MAC MD5 N/A OCB OFB OS PBKDF PKCS PQG RC RIPEMD RSA SHA SSP TCBC TCFB TDEA TDES Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility General Purpose Computer key-Hashed Message Authentication Code See References Java ARchive Java Cryptography Architecture Java Cryptography Extension Java Development Kit Java Runtime Environment Java Virtual Machine Initialization Vector Key Agreement Scheme Known Answer Test Key Derivation Function Key Wrap Key Wrap with Padding KECCAK Message Authentication Code Message Authentication Code Message Digest algorithm MD5 Non Applicable Offset Codebook Mode Output Feedback Operating System Password-Based Key Derivation Function Public Key Cryptography Standards Diffie-Hellman Parameters P, Q and G Rivest Cipher, Ron’s Code RACE Integrity Primitives Evaluation Message Digest Rivest Shamir Adleman Secure Hash Algorithm Sensitive Security Parameter TDEA Cipher-Block Chaining TDEA Cipher Feedback Mode Triple Data Encryption Algorithm Triple Data Encryption Standard
FIPS 140-3 Security Policy TECB TOFB TLS USB XDH XOF Keysight BC-FJA (Bouncy Castle FIPS Java API) for Network Visibility TDEA Electronic Codebook TDEA Output Feedback Transport Layer Security Universal Serial Bus Edwards Curve Diffie-Hellman using X25519, X448 Extendable-Output Function