All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Quantum Xchange Phio TX

Certificate#4850StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorQuantum Xchange
Medium review priority  ·  exposes network crypto parser/protocol, debug/recovery interface  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date10/22/2029
EntropyENT (NP)
CaveatWhen installed, initialized and configured as specified in Section 11 of the Security Policy.
VendorQuantum Xchange
Hardware versionsPhioTX, PhioTX-Q

Vendor resources (verify with the vendor)

Product pagehttps://quantumxc.com/phio-tx/
Support pagehttps://quantumxc.com/product-information/ partial support
Documentationhttps://quantumxc.com/product-information/
https://quantumxc.com/resource-hub/
AssessmentPublic product-information page with datasheets, a product guide, and white papers; deployment/admin documentation and demos are gated behind a request form.

Approved Algorithms (19)

AlgorithmACVP Cert
AES-CBCA2983
AES-ECBA2983
AES-GCMA2983
Counter DRBGA2983
DSA KeyGen (FIPS186-4)A2983
ECDSA KeyGen (FIPS186-4)A2983
ECDSA SigGen (FIPS186-4)A2983
ECDSA SigVer (FIPS186-4)A2983
HMAC-SHA-1A2983
HMAC-SHA2-256A2983
HMAC-SHA2-384A2983
KAS-ECC-SSC Sp800-56Ar3A2983
KAS-FFC-SSC Sp800-56Ar3A2983
KDF SSHA2983
RSA SigGen (FIPS186-4)A2983
RSA SigVer (FIPS186-4)A2983
SHA-1A2983
SHA2-256A2983
TLS v1.2 KDF RFC7627A2983

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces2
Roles, Services, and Authentication2
Software/Firmware Security2
Operational EnvironmentN/A
Physical Security2
Non-Invasive SecurityN/A
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Quantum Xchange Phio TX
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>3.2.3</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>CLI: User management.</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CLI: Run CASTs.</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial console (qty. 1): RJ-45 connector.<br/>USB (qty. 2): USB 3.0 ports.</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C4,C5,C6 clue;
  class I1,I2,I3,I4,I5,I6 infer;
  class R1,R2,R3,R4,R5,R6 risk;
  class E1,E2,E3,E4,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Quantum Xchange Phio TX
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>3.2.3</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>CLI: User management.</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>CLI: Run CASTs.</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial console (qty. 1): RJ-45 connector.<br/>USB (qty. 2): USB 3.0 ports.</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3,C4 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Phio TX Document Version 1.7 October 16, 2024 Prepared for: Prepared by: Quantum Xchange

7700 Old Georgetown Road, Suite 850

Bethesda, MD 20814 info@quantumxc.com KeyPair Consulting Inc.

987 Osos Street

San Luis Obispo, CA 93401 keypair.us +1 805.316.5024

Page 2

Quantum Xchange Phio TX FIPS 140-3 Security Policy Table of Contents List of Tables List of Figures

Page 3
Security level
NameISO SectionRequirementLevelGeneral2
33Cryptographic Module Interfaces2
4Roles, Services, and Authentication24
55Software/Firmware Security2
6Operational EnvironmentN/A6
77Physical Security2
8Non-Invasive SecurityN/A8
99Sensitive Security Parameters Management2
10Self-tests210
1111Life-cycle Assurance2
12Mitigation of Other AttacksN/A12
Module configuration
NameModelHardware VersionFirmware VersionFeatures
Phio TX-QPhio TX-QF109158-Q3.2.3With QRNG hardware option.

Quantum Xchange This document defines the Security Policy for the Quantum Xchange Phio TX, hereafter denoted the Module. The Module is a of type hardware, with a multi-chip standalone embodiment and is validated to FIPS 140-3 overall Level

2 requirements with security levels as follows:

Table 1: Security Levels [Number Below] N/A N/A N/A The Phio TX has a multi-chip standalone embodiment in [FIPS140-3] terminology. The Phio TX provides network and secure communications functionality to facilitate propagation of keys between Phio TX nodes and endpoint clients in a Phio Hive (a dynamic peer network). The tested configurations are specified in Table 2 below. Table 2: Cryptographic Module Tested Configuration [Part Number and Version] 3.2.3 3.2.3 The optional QRNG is a quantum entropy source, with output used as additional entropy input that is not credited in the DRBG seeding strength rationale. As the QRNG is an optional feature, the Phio TX does not rely on it for assurance of key generation security strength in the [FIPS140-3] process. See the SSP section below for additional information.

Page 4

Quantum Xchange 2.1 Phio TX FIPS 140-3 Security Policy Cryptographic Boundary The physical form of the Module is depicted below. The cryptographic boundary is the metal chassis shown in Figure 1 and Figure 2; as such the Phio TX is validated as a hardware module in [FIPS140-3] terms. The figures represent both hardware versions listed in Table 2. Figure 1: Module Cryptographic Boundary

Figure 1: Module Cryptographic Boundary – Top/Front/Left Side View
Figure 1: Module Cryptographic Boundary – Top/Front/Left Side View
Page 5

Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module logical functionality (outlined in red) is shown below. All Module firmware is contained within the boundary. Figure 5: Module High Level Block Diagram The following hardware/firmware components are excluded from the cryptographic boundary and thus the FIPS 140-3 requirements: - TPM (use is optional): used to measure and track Module configuration. - Whole disk encryption (use is optional): not security relevant, similar to [FIPS 140-3_IG] 2.4.A Scenario 2. - PQC (use is optional): used for redundant communications channel obfuscation. - QRNG (hardware option): used for redundant entropy input. - Password hash: not security relevant, similar to [FIPS 140-3_IG] 2.4.A Scenario

  1. None of the excluded components listed above are necessary to meet FIPS 140-3 requirements. 2.2 Modes of Operation, Security Rules and Guidance Configuration of the Module for conformance to this Security Policy requires installation of a valid Phio TX License with locked Approved mode enforcement, prior to doing so the Module is in a non-complaint state. Once configured for Approved operation, the Module does not require operator actions to operate in the approved mode and provides only Approved services and enforces the security rules listed next. The Module does not support a non-Approved or a degraded mode of operation.
  2. No additional interface or service is implemented by the Module which would provide access to CSPs.
  3. Data output is inhibited during key generation, self-tests, zeroisation, and error states.
  4. All CSPs are zeroised by the zeroisation service (tx_reset command) with the exception of the FWIK, which can be destroyed if required by the secure sanitization process.
  5. The Module does not support manual key entry.
Figure 5: Module High Level Block Diagram
Figure 5: Module High Level Block Diagram
Page 6

Quantum Xchange 5. 6. 7. 8. 9. Phio TX FIPS 140-3 Security Policy The Module does not output plaintext CSPs or intermediate key values. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module. The Module can use only algorithms that have passed self-tests. The Module prohibits changing to the Crypto Officer state from any other role other than the Crypto Officer. The Module does not support multiple concurrent operators (over the serial console), a maintenance role, or a bypass capability. The Module design corresponds to the Module security rules. Initialization and installation requirements of the Module have been specified in Section 11 of this document. AES GCM is used to support TLS and SSH secure communications and adheres to the [FIPS140-3_IG] C.H Resolution 1a TLS

1.2 and 1d SSH protocol IV generation requirements.

AES-GCM IVs shall be used in compliance with [FIPS140-3_IG] C.H scenario 1a (TLS/DTLS 1.2, per [RFC5288]) and 1d (SSHv2, per [RFC5647]). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The Module’s implementation of AES-GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; Per [FIPS1403_IG] D.C, no parts of these protocols, other than the approved cryptographic algorithms and KDF, have been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power-cycles: AES-GCM key/IVs are not stored in non-volatile persistent memory (i.e., disk), hence no re-connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. Connections are monitored, with a maximum lifetime of two hours or a maximum transaction count that is established to be less than the number of transactions prior to IV “rollover”.

Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionCAVP Cert.1
AES-CBCA2983AES-CBC.AES-128 (s = 128),A2983Encryption and decryption.
[FIPS197],AES-192 (s = 192),CBC: TLS, SSH ciphers.
[SP800-38A]AES-256 (s = 256).
A2983A2983AES-ECB.AES primitive used by CBC and CTR_DRBG.AES-ECB [FIPS197], [SP800-38A]AES-128 (s = 128), AES-192 (s = 192), AES-256 (s = 256).
AES-GCMA2983AES-GCM.AES-128 (s = 128),Authenticated encryption and decryption.
[SP800-38D]AES-256 (s = 256).TLS, SSH cipher options.
Vendor AffirmedVendor Affirmed§4, §5.2, §6.2.1: Unmodified DRBG output.Asymmetric, symmetric key generation per [FIPS140-3_IG] D.H.CKG [SP800-133r2]N/A.
A2983A2983Random numbers used in key, IV and nonce generation.Counter DRBG [SP800-90Ar1]AES-256 (s = 256).AES CTR_DRBG:
A2983A2983FFC key generation.TLS DH/DHE key exchange.DSA KeyGen [FIPS186-4]L=2048, N=256 (s = 112); L=3072, N=256 (s = 128). See Note 4 and Note 6.
A2983A2983ECC key generation.P-256 (s ~= 128),TLS, SSH key exchange and authentication.ECDSA KeyGen [FIPS186-4]
A2983A2983ECDSA signature generation (tested with SHA2-256, SHA2-384).TLS, SSH authentication. Certificate signing.ECDSA SigGen [FIPS186-4]P-256 (s ~= 128), P-384 (s ~= 192). See Note 2.
A2983A2983ECDSA signature verification (tested with SHA2-256, SHA2-384).P-256 (s ~= 128),TLS, SSH authentication. Certificate verification.ECDSA SigVer [FIPS186-4]
N/AN/AEntropy source.Used only to seed the approved DRBG.ENT (NP) [SP800-90B]256 bits.
HMAC-SHA-1A2983TLS message integrity.SHA-1 (s = 160).HMAC generation, verification with
[FIPS198-1]SHA-1.
A2983A2983HMAC generation, verification with the listed SHA2 modes.SSH, TLS message integrity. Firmware integrity.HMAC-SHA2 [FIPS198-1]SHA2-256 (s = 256), SHA2-384 (s = 384).
A2983A2983Scheme: Ephemeral Unified. Role: Initiator, Responder.P-256 (s ~= 128),TLS ECDH/ECDHE key exchange. SSH key exchange.KAS-ECC-SSC [SP800-56Ar3]
A2983A2983Scheme: dhEphem. Role: Initiator, Responder. [FIPS140-3_IG] D.F Scenario 2, path 2) with TLS v1.2 KDF [RFC7627] and KDF SSH, per [FIPS140-3_IG] 2.4.B.TLS DH/DHE key exchange.KAS-FFC-SSC [SP800-56Ar3]FB (s = 112), ffdhe2048 (s = 112), ffdhe3072 (112 ≤ s ≤ 128). See Note 5.

Quantum Xchange 2.3 Phio TX FIPS 140-3 Security Policy Approved and Allowed Cryptographic Functionality The Module implements the Approved cryptographic functions listed in Table 3. Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources (refer to the notes below Table 3). This table is referenced by Table 9 (SSPs). All references to the algorithm standards cited throughout this document can be found in the References section. Table 3: Approved Algorithms N/A. §4, §5.2, §6.2.1: N/A

1 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the

algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module.

Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
TLS v1.2 KDFCVLSHA2-256 (s = 256),TLS key derivation.CVL A2983TLS v1.2 KDF [RFC7627]TLS [RFC7627] key derivation withSHA2-256 (s = 256), SHA2-384 (s = 384).
[RFC7627]A2983SHA2-384 (s = 384).Extended Master Secret (EMS)
CVL A2983SSH v2 KDF using the listed hash algorithms.SSH key derivation.CVL A2983KDF SSH [SP800-135r1]SHA2-256 (s = 256), SHA2-384 (s = 384).
A2983SSH, TLS authentication. Certificate signing.A2983RSA SigGen [FIPS186-4]PSS signature generation (testedk=2048 (s ~= 112), k=3072 (s ~= 128). See Note 4 and Note 7.
A2983PSS signature verification (tested with the listed moduli and the following hash algorithms: SHA2-256, SHA2-384).SSH, TLS authentication. Certificate verification.A2983RSA SigVer [FIPS186-4]K=2048 (s ~= 112), k=3072 (s ~= 128). See Note 4 and Note 7.
SHA-1N/A.Primitive used by HMAC.A2983SHA-1 (s = 160).
A2983SHA2 modes listed at right.Message digest generation. Primitive used by HMAC, ECDSA, RSA and KDFs.A2983SHA2 [FIPS180-4]SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) See Note 1.
A2983AES-CBC, AES-GCM, HMAC-SHA2, HMAC-SHA-1.SP 800-38D and SP 800-TLS key establishment.A2983KTS-1
A2983AES-CBC, AES-GCM, HMAC-SHA2.SSH key establishment.A2983KTS-2SP 800-38D and SP 800- 38F. KTS (key wrapping) per IG D.G. 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strength.
A2983Schemes: Ephemeral Unified. Roles: Initiator, Responder. KAS-ECC-SSC curves: P-256, P-384. TLS v1.2 KDF [RFC7627].SP 800-56Arev3. KAS-ECCTLS key agreement.A2983KAS-1
A2983Schemes: Ephemeral Unified. Roles: Initiator, Responder. KAS-ECC-SSC curves: P-256, P-384. KDF SSH.SSH key agreement.A2983KAS-2SP 800-56Arev3. KAS-ECC per IG D.F Scenario 2 path (2) option 2. P-256 and P-384 curves providing 128 or 192 bits of encryption strength.
A2983TLS key agreement.A2983KAS-3Schemes: dhEphem.SP 800-56Arev3. KAS-FFC per IG D.F Scenario 2 path (2) option 2.

Quantum Xchange Phio TX FIPS 140-3 Security Policy N/A.

Page 9

Quantum Xchange Phio TX FIPS 140-3 Security Policy Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table

  1. Note 2: Elliptic curve strengths are annotated as approximate (i.e., s ~=) since [SP800-186] Table 1 provides approximate security strengths. Note 3: Approved elliptic curves for ECC key agreement are given in [SP800-56Ar3] Table
  2. Note 4: In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Note 5: Approved key types for FFC key agreement are given in [SP800-56Ar3] Tables 25,
  3. The group notation of Table 26 is used for consistency with CAVP algorithm listings and ACVP capability registration. Note 6: Security strength for L=2048/N=256 is determined in accordance with [FIPS140-3_IG] D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112. Note 7: Estimated security strengths of common RSA moduli are given in [SP800-56Br2] Table
  4. IFC key types approved for Digital Signature Generation and Verification are given in [SP800-57P1r5] Table
  5. Equivalent strengths are annotated as approximate (i.e., s ~=) since [SP800-56Br2] Table 4 provides approximate security strengths. Reference sources for the strengths provided in Table 3 are as follows: • • • • • AES (AES-128, AES-192, AES-256): [SP800-57P1r5] Table
  6. ECC (P-256, P-384): [SP800-186] Table
  7. FFC (L=2048/N=256, L=3072/N=256): [SP800-57P1r5] Table
  8. FFC (FB, ffdhe2048, ffdhe3072): [SP800-56Ar3] Tables 1 and
  9. IFC (k=2048, k=3072): [SP800-56Br2] Table
  10. The Module does not implement the following: • • • Non-Approved Algorithms Allowed in the Approved Mode of Operation. Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved Algorithms Not Allowed in the Approved Mode of Operation. The Module supports the following ciphersuites for use with Module TLS v1.2 primitives2: • • TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] (Hex Enum: 0x00,0x69) o KEx: DHE o Signature: RSA o PRF: HMAC-SHA2-256 o Cipher: AES-256 o Authentication: HMAC TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] (Hex Enum: 0x00,0x6B) o KEx: DHE o Signature: RSA o PRF: HMAC-SHA2-256 o Cipher: AES-256 o Authentication: HMAC
2 Specified according to IETF cipher suite enumeration conventions.
Page 10

Quantum Xchange Phio TX FIPS 140-3 Security Policy

Page 11

Quantum Xchange Phio TX FIPS 140-3 Security Policy

Page 12

Quantum Xchange

Page 13
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
LED (qty. 1): “PWR”.LED (qty. 1): “PWR”.SO.Phio TX power status (green=on).
LCD screen (qty. 1): Basic information display.Status output, two lines of 20 characters.LCD screen (qty. 1): Basic information display.SO.
Control button (qty. 4): Pushbuttons.Control button (qty. 4): Pushbuttons.CI.Unused.
LED (qty. 4): Indicators (details at right).Activity LEDs (green = OK; red = not OK).LED (qty. 4): Indicators (details at right).SO.
Reset button (qty. 1): Recessed paper clip reset button.Reset button (qty. 1): Recessed paper clip reset button.CI.Push button reset.
Serial console (qty. 1): RJ-45 connector.Serial console (qty. 1): RJ-45 connector.DI, DO, CI, SO.System console, local administration TTY.
USB (qty. 2): USB 3.0 ports.USB (qty. 2): USB 3.0 ports.DI, DO, CI, SO.System update.
Ethernet (qty. 6): RJ-45 connectors (numbered 1 - 6).Ethernet (qty. 6): RJ-45 connectors (numbered 1 - 6).DI, DO, CI, SO.Phio Hive and client endpoint traffic.
Ethernet activity LED (qty. 12): Activity/rate indicators on each RJ-45.Ethernet activity LED (qty. 12): Activity/rate indicators on each RJ-45.SO.Left LED: activity. Right LED: connection rate.
SFP1 (qty. 1): Fiber optic networking connector.SFP1 (qty. 1): Fiber optic networking connector.DI, DO, CI, SO.Phio Hive and client endpoint traffic.
SFP2 (qty. 1): Fiber optic networking connector.SFP2 (qty. 1): Fiber optic networking connector.DI, DO, CI, SO.Phio Hive and client endpoint traffic.
Ground (qty. 1): Banana plug for ESD wrist strap.Ground (qty. 1): Banana plug for ESD wrist strap.N/A.N/A – power.
Ground (qty. 1): Chassis ground screw.Ground (qty. 1): Chassis ground screw.N/A.N/A – power (Note: left of AC power switch).
Power switch (qty. 1): AC power rocker switch.Power switch (qty. 1): AC power rocker switch.CI.N/A – power.
Alarm reset (qty. 1): Power supply alarm reset.Unused. Present only for supplies with audibleAlarm reset (qty. 1): Power supply alarm reset.SO.
LED (qty. 2): Power indicators (on power supplies).LED (qty. 2): Power indicators (on power supplies).SO.Individual power supply indicators.
Power (qty. 2): Power supply (2x) NEMA connectors.Power (qty. 2): Power supply (2x) NEMA connectors.N/A.N/A – power.

Quantum Xchange Phio TX FIPS 140-3 Security Policy Cryptographic Module Interfaces The Module supports the physical ports shown in Error! Reference source not found. and Error! Reference source not fo und. in Section 2 of this document. The ports and corresponding logical interfaces are described in Table 4. Table 4: Ports and Interfaces N/A. N/A. N/A. interfaces, and as such are marked as N/A in the logical interface and data columns.

Page 14
Service
NameRolesIndicatorInput
CO, ACO, ACLI: SSH connect.Username, password. SSH handshake input.Status; CLI shell prompt on success. SSH handshake output.
CLI: Miscellaneous.CO, AStatus; CLI shell prompt on success.Phio TX CLI command and arguments.
CO, ACO, ACLI: Certificate management.Phio TX CLI command and arguments.Status; CLI shell prompt on success.
CLI: User management.CO, AStatus; CLI shell prompt on success.Phio TX CLI command and arguments.
CO, ACO, ACLI: Tests.Phio TX CLI command and arguments.Status; CLI shell prompt on success.
CLI: Status.CO, AStatus; module identifier & version; prompt.tx_status command line.
CO, ACO, ACLI: Run CASTs.txfips command line.Status; CAST results; prompt.
CLI: Run FW integrity tests.CO, AStatus; prompt.txscan command line.
CO, ACO, ACLI: Zeroise.tx_reset command.Status; prompt.
CO, Ahttps / TLS handshake output.https / TLS handshake input.CO, AWeb Monitor.
Mouse and keyboard events.Status; Web monitor page display.Mouse and keyboard events.
UserUserETSI REST Services.JSON GET/POST/PUT messages.Status; JSON response messages.
SKIP REST Services.UserStatus; JSON response messages.JSON GET/POST/PUT messages.
UserUserPhio Hive REST Services.JSON GET/POST/PUT messages.Status; JSON response messages.
Authentication MethodRoleWithin 1 minuteOne time
CO, ACO, ADebian login (memorized secret).6.6E+151.1E+08
OpenSSL client authentication (based on ECDSA P-384 SHA2-384 signatureCO, A6.3E+571.0E+50
UserUserJSON Web Token authentication (based on RSA 2048).5.2E+338.7E+25

Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module supports three roles using role-based authentication: the Cryptographic Officer (CO) role, a limited privilege Admin role (abbreviated as ‘A’ in tables below) and the User role. Each role is implicitly identified by the service requested, with authentication as shown in Table 6. The Status service may be used to determine the current status of the Module, as well as provide the CMVP listing information for the Module (identifiers and version). Table 5: Roles, Service Commands, Input and Output Commands corresponding to [FIPS140-3] required services are italicized: tx_status (output module identifier and version, Table 6: Roles and Authentication For an operator in the CO or Admin role, connected via the console or SSH (Debian login (memorized secret)):

112 bits of security or 2112 = 5.2E+33.
Page 15
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
CLI: Console connect.COCO-IPW CO-RPWN/A.WEZLCD-R SH-LOGINConsole login, passwordWEZ E
(memorized secret)E(memorized secret)
CLI: SSH connect.SSH login, password (memorized secret) authentication. SSH†.CO, ACO-IPW CO-RPW SSH†SSH†.LCD-R SH-LOGINWEZ E SSH†
CLI: Miscellaneous. No security function or CSP usage.CO, AN/AN/A.LCD-R SH-LOGINCO administrative commands,N/A
CLI: Certificate management.Commands to generate, install, set or remove certificates and keys.CO, ASSH-HSK-Pri SSH-HSK-Pub SSH-KEX-Pri SSH-KEX-Pub TLS-HSK-Pri TLS-HSK-Pub TLS-KEX-Pri TLS-KEX-PubDSA KeyGen, ECDSA KeyGen, ECDSA SigGen, ECDSA SigVer, RSA SigGen, RSA SigVer, CKG.LCD-R SH-CMDGWEZ GWEZ GWEZ GWEZ GWEZ GWEZ GWEZ GWEZ
CLI: User management.Add, remove or update users.N/A.WLCD-RCO-IPWCO,
CO-RPWWCO-RPWA
CLI: Tests.Check: - a Phio Hive connection. - e-mail problem notification setup. SSH† (command invocation). TLS‡ (peer interaction).CO, ASSH† TLS‡SSH† TLS‡.LCD-RSSH† TLS†
CLI: Status.N/A.N/ALCD-R SH-STATReport Phio TX identifier,N/AN/ACO, A
CLI: Run CASTs.Run CASTs on demand (all conditional self-tests in Section 10, for self-test only).SSH†.LCD-R > LCD-CF SH-CASTSSH†SSH†A
CLI: Run FW integrity tests.Run firmware integrity test on demand.SSH†.LCD-R > LCD-CF SH-FWITN/A SSH†N/A SSH†CO, A
CLI: Zeroise.Factory reset zeroises Phio TX SSPs.N/A.LCD-R > LCD-NR SH-RSTZ Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z ZJWT-Pub CO-IPW CO-RPW SSH-HSK-Pri SSH-HSK-Pub SSH-KEX-Pri SSH-KEX-Pub SSH-EDK SSH-MK SSH-SS TLS-EDK TLS-HSK-Pri TLS-HSK-Pub TLS-KEX-Pri TLS-KEX-Pub TLS-MK TLS-MS TLS-SSCO, A
Web Monitor.TLS‡TLS‡.TLS†LCD-RVisual display of Phio HiveCO, A
connections.CO-IPWWconnections.
TLS‡ (web server interaction).CO-RPWETLS‡ (web server interaction).
ETSI REST Services.Connect to an endpoint using ETSI. Respond to ETSI REST API functions. TLS‡ (REST interaction).TLS‡.LCD-RTLS†TLS‡User
SKIP REST Services.TLS‡.LCD-RConnect to an endpoint usingTLS†TLS‡User
Phio Hive REST Services.Connect to a Phio TX peer. Respond to Phio TX REST API functions. TLS‡ (REST interaction).TLS‡.LCD-RTLS†TLS‡User
SSH† = SSH Usage.This entry indicates all security functions and SSPs associated with SSH usage. SSH is used for Admin shell functions.SSH-HSK-PriAES-CBC, AES-GCM, ECDSA KeyGen, ECDSA SigGen, ECDSA SigVer, HMAC-SHA2-256, HMAC-SHA2-384, KAS-ECC-SSC, RSA SigGen, RSA SigVer, KDF SSH, CKG.LCD-R SH-LOGINGEZCO, A

Quantum Xchange

Page 16

Quantum Xchange Phio TX FIPS 140-3 Security Policy N/A. N/A A N/A A N/A A N/A N/A. A Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z Z A W E A

Page 17
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
TLS‡ = TLS usage.This entry indicates all security functions and SSPs associated with TLS usage. TLS is used for Web Monitor (CO) and ETSI, SKIP and PHIO REST services (User).CO, A, UserTLS-HSK-Pri TLS-HSK-Pub TLS-KEX-Pri TLS-KEX-Pub TLS-SS TLS-MS TLS-EDK TLS-MKAES-CBC, AES-GCM, DSA KeyGen, ECDSA KeyGen, ECDSA SigGen, ECDSA SigVer, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA-1, KAS-ECC-SSC, KAS-FFC-SSC, RSA SigGen, RSA SigVer, TLS v1.2 KDF [RFC7627], CKG.E ER E ER GEZ GEZ GEZ GEZLCD-R

Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module supports self-initiated cryptographic output capability in the context of the TLS v1.2 protocol. The following two actions are performed prior to activation of the self-initiated cryptographic output capability: Action 1: installation of credentials (PKIs), using tx_generate_tx_csr followed by tx_install_tx_crt. Action 2: registration of the peer in the config file, specifying name (matching the peer CN) and optionally IP address. For self-initiated cryptography to function, both actions are required on each peer (both sides of the connection). The Module supports a partial firmware load from an external source and this functionality is limited to the Crypto Officer role thus ensuring that unauthorised access to and use of the Module is not feasible. The firmware load test using HMAC-SHA2-384 performed prior to installation of the loaded firmware ensures an isolation of code. Software/Firmware Security The Module uses HMAC-SHA2-384 performed over all Module firmware as the integrity technique. The operator can initiate the integrity test on demand via the txscan command.The Phio TX application is delivered in a single executable binary, as a self-extracting installation package which can be installed on any system on which the base OS has been installed. The Module supports firmware loading (partial update). HMAC-SHA2-384 with (256-bit HMAC key) is performed on updated components. Operational Environment The Module is classified in [FIPS140-3] terms as a limited operational environment. Physical Security The Phio TX is a hardware Module (multichip standalone embodiment) packaged in a metal chassis as shown in Figure 1 and Figure 2. The enclosure is protected by four (4) tamper-evident seals as shown in Figure 6, is production grade and opaque in the visible spectrum. The Crypto Officer role is responsible for securing and having control at all times of any unused seals, and the direct control and observation of any changes to the Module such as reconfigurations where the

Page 18
Physical Security MechanismRecommended Frequency of Inspection/TestInspection/Test Guidance Details
Tamper-evident seals (qty. 4) over chassis screws.Seals should be inspected during physical maintenanceInspect seals for evidence of lifted edges or excessive wear.Inspect seals for evidence of lifted edges
operations and when circumstances dictate (e.g., ifor excessive wear.
tampering is suspected).
Establishment (equated to Key Agreement [FIPS140-3_IG] D.F)
E1: Calculated using KAS-ECC-SSC or KAS-FFC-SSC.
E2: Calculated using approved TLS KDF.
E3: Calculated using approved SSH KDF.
Zeroisation
Z1: Overwritten by zeros after use (Module initiated), shutdown or loss of power (operator initiated).
Z2: Overwritten by zeros by Zeroisation service (operator initiated).

Quantum Xchange Phio TX FIPS 140-3 Security Policy tamper evident seals or security appliances are removed or installed to ensure the security of the Module is maintained during such changes and the Module is returned to the Approved state. Rear right tamper seal Rear left tamper seal Left front tamper seal Right front tamper seal Figure 6: Module Seal Application Locations Non-Invasive Security The Module does not implement non-invasive security measures. Sensitive Security Parameters Management Table 9 summarizes the SSPs implemented by the Module. System keys handled by the Phio TX are not classified as SSPs as they are not used by the Phio TX. All such data crosses the boundary via TLS connections, such that system secrets are TLS protected. Generation, inclusive of derivation (Key-entity association) G1: Generated by on-chip [SP800-90B] ENT (NP) (memory map). G2: Derived using [SP800-90Ar1] with Block_cipher_df (memory map). G3: FFC (DSA) or ECC (ECDSA) or RSA (memory map). Storage (associated to entity by memory mapping) S1: Stored in plaintext in RAM, dynamic storage. S2: Stored in PEM format in hard drive media, static storage. IE1: Provided in plaintext to the Module (message parameter). IE2: Imported and exported in ciphertext (positional parameter). IE3: Established in Quantum Xchange manufacturing facility.

Figure 6: Module Seal Application Locations
Figure 6: Module Seal Application Locations
Page 19
Sensitive security parameter
NameStrengthSecurity FunctionUseG1S1Z1Key/SSP Name/Type DRBG-EI (CSP)N o it a r e n e G G1
SSH-HSK-Pri (CSP)128 or 192ECDSA (P-256, P-384) or RSA (2048, 3072) private key - signature generation.ECDSA SigGen #A2983.G3S2Z2
SSH-HSK-Pub (PSP)128 or 192ECDSA SigVer #A2983. RSA SigVer #A2983. CKG.ECDSA (P-256, P-384) or RSA (2048, 3072) public key - signature verification.G3S2Z2
SSH-KEX-Pri (CSP)128 or 192ECDSA (P-256, P-384) private key for SSH key exchange.KAS-ECC-SSC #A2983.G3S1 S2Z1 Z2
TLS-HSK-PriECDSA SigGen #A2983.S2Z2TLS-HSK-Pri128 or 192G3ECDSA (P-256, P-384) or RSA (2048, 3072) private key

Quantum Xchange Phio TX FIPS 140-3 Security Policy Import/Export Establishment Storage Zeroisation Table 9: SSPs ---------------------------

3 Strength is provided in bits. Please refer to Table 3 and the notes below it for the strength provenance (traceability to applicable standards and

Page 20
Approved algorithm
NameKey SizeUse Function
ECDSA SigVer #A2983. RSA SigVer #A2983. CKG.ECDSA (P-256, P-384) or RSA (2048, 3072) public key for digital signature verification.TLS-HSK-Pub (PSP)128 or 192 112 or 128G3IE3S2Z2
TLS-KEX-Pri (CSP)ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) private key for TLS KAS SSC.TLS-KEX-Pri (CSP)112 or 128 128 or 192G3IE3S1 S2Z1 Z2KAS-FFC-SSC #A2983.
KAS-FFC-SSC #A2983. KAS-ECC-SSC #A2983.ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) public key for TLS KAS SSC.TLS-KEX-Pub (PSP)112 or 128 128 or 192IE1 AD /EES1 S2Z1 Z2
TLS-MK (CSP)TLS Session MAC Key (for non-AEAD suites).TLS-MK (CSP)256 or 384E2S1Z1HMAC-SHA2-256
TLS v1.2 KDF [RFC7627] #A2983. CKG.TLS Master Secret: derive key block; finalize.TLS-MS (CSP)256 or 384E2S1Z1
TLS-SS (CSP)TLS Shared Secret: derive TLS Master Secret.TLS-SS (CSP)128 or 192 112 or 128E1S1Z1KAS-ECC-SSC #A2983.
EntropyMinimum numberEntropyDetails
sourcesof bits of entropysources
[SP800-90Ar1] min_length: 256 bits. [SP800-90Ar1] seedlen: 384 bits.[SP800-90Ar1] min_length:JentJent[FIPS140-3_IG] 9.3.A: The Module generates ENT within the Module boundary: option 1(a)
256 bits.256 bits.using a [SP800-90B] compliant ENT (NP).
[SP800-90Ar1] seedlen:[SP800-90Ar1] seedlen:Per [SP800-90Ar1] Table 2, the AES CTR_DRBG requires 384 bits of entropy in the
384 bits.384 bits.DRBG_Seed value.
Approved algorithm
NameKey SizeUse Function
ECDSA SigVer #A2983. RSA SigVer #A2983. CKG.ECDSA (P-256, P-384) or RSA (2048, 3072) public key for digital signature verification.TLS-HSK-Pub (PSP)128 or 192 112 or 128G3IE3S2Z2
TLS-KEX-Pri (CSP)ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) private key for TLS KAS SSC.TLS-KEX-Pri (CSP)112 or 128 128 or 192G3IE3S1 S2Z1 Z2KAS-FFC-SSC #A2983.
KAS-FFC-SSC #A2983. KAS-ECC-SSC #A2983.ECDSA (P-256, P-384) or FFC (L=2048, N=224, 256; L=3072, N=256) public key for TLS KAS SSC.TLS-KEX-Pub (PSP)112 or 128 128 or 192IE1 AD /EES1 S2Z1 Z2
TLS-MK (CSP)TLS Session MAC Key (for non-AEAD suites).TLS-MK (CSP)256 or 384E2S1Z1HMAC-SHA2-256
TLS v1.2 KDF [RFC7627] #A2983. CKG.TLS Master Secret: derive key block; finalize.TLS-MS (CSP)256 or 384E2S1Z1
TLS-SS (CSP)TLS Shared Secret: derive TLS Master Secret.TLS-SS (CSP)128 or 192 112 or 128E1S1Z1KAS-ECC-SSC #A2983.
EntropyMinimum numberEntropyDetails
sourcesof bits of entropysources
[SP800-90Ar1] min_length: 256 bits. [SP800-90Ar1] seedlen: 384 bits.[SP800-90Ar1] min_length:JentJent[FIPS140-3_IG] 9.3.A: The Module generates ENT within the Module boundary: option 1(a)
256 bits.256 bits.using a [SP800-90B] compliant ENT (NP).
[SP800-90Ar1] seedlen:[SP800-90Ar1] seedlen:Per [SP800-90Ar1] Table 2, the AES CTR_DRBG requires 384 bits of entropy in the
384 bits.384 bits.DRBG_Seed value.

Quantum Xchange Phio TX FIPS 140-3 Security Policy ------------ = not applicable. The firmware integrity key (FWIK, formally not a SSP) is a 256-bit HMAC key used with HMAC-SHA2-384. Table 10: Non-Deterministic Random Number Generation Specification

Page 21

Quantum Xchange Phio TX FIPS 140-3 Security Policy

10 Self-tests

The Module automatically invokes all tests listed below on each power-on or reset. The FW integrity test is run periodically as a scheduled system service (nominally every eight hours) and may also be run on demand by running txscan on an SSH or Console connection. The complete set of ACVP tests used to achieve the CAVP listings are run at power-on (as listed under Conditional Selftests below), are also run periodically as a scheduled system service (nominally every eight hours) and may also be run on demand by running txfips on an SSH or Console connection. All cryptographic algorithm self-tests (CASTs) must complete successfully prior to any other use of cryptography by the Module. If the firmware integrity test fails, the Module enters the ERR_TXSCAN state (indicated by LCD-IF, see Table 7). If one of the CASTs fails, the Module enters the ERR_TXFIPS state (indicated by LCD-CF, see Table 7). The ERR_TXFIPS and ERR_TXSCAN error states are persistent, cleared by successful completion of txfips or txscan, respectively. When in an error state, only self-test and status services are available. All attempts to use the Module’s services result in the return of the error state indicator (Failed TXFIPS or Failed TXSCAN). Pre-operational Self-tests

Page 22

Quantum Xchange Phio TX FIPS 140-3 Security Policy

11 Life-cycle Assurance

Installation, initialization, configuration, and provisioning are managed using Quantum Xchange provided scripts as well as the administrative tools of the Phio TX shell available via SSH or the console. This involves installation of a valid Phio TX License with locked Approved mode enforcement. Once configured, the Approved mode of operation persists. Quantum Xchange recommends the use of the tx_reset command to reset the Phio TX to factory defaults.

Page 23

Quantum Xchange Phio TX FIPS 140-3 Security Policy The Module Guidance Documentation [GD] provides detailed procedures for secure installation, initialization, configuration, provisioning, decommissioning, and sanitization of the Module. No maintenance requirements are defined for the Phio TX. The Phio TX application is delivered as a single executable binary. The binary must be run with the root account to install the upgrade. The firmware load test and integrity tests implemented ensure protection of the firmware during delivery.

12 Mitigation of Other Attacks

The Module does not implement mitigations of other attacks outside the scope of [FIPS140-3].

Page 24

Quantum Xchange Phio TX FIPS 140-3 Security Policy References

Page 25

Quantum Xchange Phio TX FIPS 140-3 Security Policy

Page 26

Quantum Xchange