All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Forcepoint Next Generation Firewall

Certificate#4867StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorForcepoint
High review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/5/2029
CaveatWhen installed, initialized and configured as specified in Section 11.1 of the Security Policy. The tamper evident seals ACFIPS3 Forcepoint NGFW FIPS Kit installed as indicated in the Security Policy
VendorForcepoint

Approved Algorithms (46)

AlgorithmACVP Cert
AES-CBCA2155
AES-CBCA2166
AES-CFB128A2209
AES-ECBA2155
AES-ECBA2209
AES-GCMA2155
AES-GCMA2166
AES-KWPA2155
Counter DRBGA2155
ECDSA KeyGen (FIPS186-4)A2155
ECDSA KeyVer (FIPS186-4)A2155
ECDSA SigGen (FIPS186-4)A2155
ECDSA SigVer (FIPS186-4)A2155
HMAC-SHA-1A2155
HMAC-SHA-1A2166
HMAC-SHA2-224A2155
HMAC-SHA2-224A2166
HMAC-SHA2-256A2155
HMAC-SHA2-256A2166
HMAC-SHA2-384A2155
HMAC-SHA2-384A2166
HMAC-SHA2-512A2155
HMAC-SHA2-512A2166
KAS-ECC-SSC Sp800-56Ar3A2155
KAS-FFC-SSC Sp800-56Ar3A2155
KDF IKEv1A2155
KDF IKEv2A2155
KDF SP800-108A2209
PBKDFA2209
RSA KeyGen (FIPS186-4)A2155
RSA SigGen (FIPS186-4)A2155
RSA SigVer (FIPS186-4)A2155
Safe Primes Key GenerationA2155
Safe Primes Key VerificationA2155
SHA-1A2155
SHA-1A2166
SHA2-224A2155
SHA2-224A2166
SHA2-256A2155
SHA2-256A2166
SHA2-384A2155
SHA2-384A2166
SHA2-512A2155
SHA2-512A2166
SHA3-256A2167
TLS v1.2 KDF RFC7627A2155

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Forcepoint Next Generation Firewall
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>upgrade<br/>firmware load<br/>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Forcepoint Next Generation Firewall
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>upgrade<br/>firmware load<br/>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Forcepoint Next Generation Firewall 10900-A Stonelake Blvd. Austin, TX 78759, USA www.forcepoint.com

Page 2

Revision History Revision Date Reason A March 9, 2022 Initial release. B February 22, 2024 CMVP Comment Responses © 2024 Forcepoint. This document may be freely reproduced and distributed whole and intact including this Preface This is a non-proprietary Cryptographic Module Security Policy for the Next Generation Firewall (Hardware Version: 2201, 2205, 2210, 3401 and 3410; firmware Version: 6.10.3.26158) from Forcepoint. This Security Policy describes how the Next Generation Firewall appliances (referred as NGFW appliances, modules, firewalls) meet the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program This document also describes how to run the modules in a secure Approved mode of operation. This policy was prepared as part of the Level 2 FIPS 140-3 validation of the module. The Next Generation Firewall appliances are referred to in this document as the NGFW appliances, crypto modules, or modules.

Page 3
Table of Contents
#SectionPage
Page 5
List of Figures
ItemPage
FIGURE 1: 2201 FRONT PANEL7
FIGURE 2: 2201/2205 REAR PANEL7
FIGURE 3: 2205/2210 FRONT PANEL7
FIGURE 4: 2210 REAR PANEL7
FIGURE 5: 3400 SERIES FRONT PANEL8
FIGURE 6: 3400 SERIES REAR PANEL8
FIGURE 7: SELF-INITIATED CRYPTOGRAPHIC OUTPUT CAPABILITY STATUS ON SMC WEB GUI41
FIGURE 8: 2205/2210 FRONT TEL PLACEMENTS43
FIGURE 9: 2210 REAR TEL PLACEMENTS43
FIGURE 10: 2201 FRONT TEL PLACEMENT44
FIGURE 11: 2201/2205 REAR TEL PLACEMENT44
FIGURE 12: 3400 SERIES FRONT TEL PLACEMENTS45
FIGURE 13: 3400 SERIES RIGHT SIDE TEL PLACEMENT45
FIGURE 14: 3400 SERIES REAR TEL PLACEMENTS46
FIGURE 15: 3400 SERIES LEFT SIDE TEL PLACEMENT46
FIGURE 16: DEPICTION OF VENT PROTECTED BY INTERNAL BAFFLE47
FIGURE 17: DEPICTION OF THE MODULE VERSION DISPLAYED IN THE SMC GUI75
TABLE 1: SECURITY LEVELS6
TABLE 2: CRYPTOGRAPHIC MODULE TESTED CONFIGURATION9
TABLE 3: APPROVED ALGORITHMS12
.18
TABLE 5: PORTS AND INTERFACES18
TABLE 6: ROLES, SERVICES, INPUT AND OUTPUT20
TABLE 7: ROLES AND REQUIRED IDENTIFICATION AND AUTHENTICATION22
TABLE 8: MODULE SERVICES25
TABLE 9: PHYSICAL SECURITY INSPECTION GUIDELINES48
TABLE 10: SUMMARY OF SSPS50
TABLE 11: NON-DETERMINISTIC RANDOM NUMBER GENERATION SPECIFICATION66
TABLE 12: PRE-OPERATIONAL SELF-TESTS67
TABLE 13: CONDITIONAL CRYPTOGRAPHIC ALGORITHM SELF-TESTS67
TABLE 14: CONDITIONAL PAIR-WISE CONSISTENCY TESTS69
Page 6
1.1 Security Level

The Forcepoint Next Generation Firewall meets all level 2 security requirements for FIPS 140-3 as summarized in the table below: TABLE 1: SECURITY LEVELS ISO/IEC 24759 Section 6 FIPS 140-3 Section Title Security Level [Number Below]

1 General 2

2 Cryptographic Module Specification 2

3 Cryptographic Module Interfaces 2

4 Roles, Services, and Authentication 2

5 Software/Firmware Security 2

6 Operational Environment N/A

7 Physical Security 2

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 2

10 Self-Tests 2

11 Life-Cycle Assurance 2

12 Mitigation of Other Attacks N/A

2.1 Module Overview

The NGFW appliances are high-performance network security appliances that add a broad range of built-in security features, including VPN, IPS, anti-evasion, TLS inspection, SD-WAN, and mission-critical application proxies, to a traditional firewall and provides end-to-end protection across the entire enterprise network. All appliances can be

Page 7

Cryptographic Module Specification deployed as either a Layer 2 or Layer 3 firewall or a next generation IPS. However, in the FIPS 140-3 approved mode, the appliances are deployed in Firewall/VPN mode of operation, which provides access control and VPN connectivity. Each of the appliances run NGFW firmware version 6.10.3.26158 based on the NGFW OS 10 operating system with Linux kernel version 4.19.

2.2 Module Description

The cryptographic module is a hardware module of type multi-chip standalone. The cryptographic boundary of the module is shown in the figures below. The cryptographic boundary is defined as the outer edge of the chassis. The NGFW 2201, 2205, and 2210 appliances are a 1U rack-mounted design featuring modular connectivity. All the units are equipped with 9x GE RJ45 and 4x (2201) or 8x (2205, 2210) 10 Gbps SFP+ fixed Ethernet ports, and include an interface module slot, allowing for additional connectivity. The appliances contain an integrated, dual redundant (on the 2210), power supply that supports a wide range of voltages: 100

Page 8

Cryptographic Module Specification The NGFW 3401 and 3410 are a 2U rack-mounted design featuring modular connectivity. The NGFW 3400 series is equipped with 1x GE RJ45 and 2x 10 Gbps SFP+ fixed Ethernet ports, and includes eight Network I/O slots, allowing for additional connectivity. The appliance contains an integrated, dual redundant, power supply that supports a wide range of voltages: 100

Page 9
2.3 Test Configuration

The following tested configurations are covered in this security policy: TABLE 2: CRYPTOGRAPHIC MODULE TESTED CONFIGURATION Model Hardware Firmware Version Distinguishing Features [Part Number and Version] NGFW 2201 2201 Firmware: 6.10.3.26158 1U

Page 10

Cryptographic Module Specification Model Hardware Firmware Version Distinguishing Features [Part Number and Version] NGFW 3401 3401 Firmware: 6.10.3.26158 2U

Page 11
2.4 Cryptographic Algorithms

The following cryptographic library and associated CAVP certificates are used by the cryptographic module:  Forcepoint NGFW FIPS Cryptographic Module (Cert. #A2155)  Forcepoint NGFW FIPS Library (Cert. #A2209)  Forcepoint NGFW Cryptographic Kernel Module (Cert. #A2166)  Forcepoint NGFW Entropy Library (Cert. #A2167) The approved algorithms implemented by the module alongside their mapping to the certificates above alongside algorithms use by services are listed in the table below. Note that the referenced algorithm certificates may contain more tested options than are utilized by the module, and that only those listed in the table below are implemented and used.

Page 12

Cryptographic Module Specification TABLE 3: APPROVED ALGORITHMS CAVP Algorithm Mode / Method Description / Key Use / Function Cert and Size(s) / Key Standard Strength(s) Forcepoint NGFW FIPS Cryptographic Module #A2155 AES AES-CBC, AES-ECB, AES- Direction: Encrypt, Used for confidentiality of GCM, AES-KWP Decrypt configuration files, logs, and FIPS 197, SP monitoring data, management 800-38A, SP Key Length: 128, 192, connections and services, peer 800-38D, SP 256 connections, VPN, HTTPS, and TLS 800-38F connections Vendor CKG RSA, EC, and FFC key RSA 2048, 3072 bits Key generation for all module Affirmed pairs per FIPS 186-4 services that utilize internal SP 800- EC P-224, P-256, Pand SP 800-56Arev3 generation 133rev21 384, P-521 curves using the unmodified output of the DRBG for FFC 2048-8192 bits seeds. Symmetric keys using the unmodified output of the DRBG #A2155 CVL IKEv1 KDF, IKEv2 KDF, IKE with SHA-1, SHA2- TLS and IPsec connections TLS 1.2 KDF2 256, SHA2-384, SHA2SP 800135rev1 TLS with SHA2-256, SHA2-384, SHA2-512

1 The module complies with Section 6.1, 5, and Section 4 (Bullet 1) of SP 800-133rev2.

2 No parts of the IKEv1, IKEv2, or TLS protocol, other than the approved cryptographic algorithms and the KDFs, have

been tested by the CAVP and CMVP

Page 13

Cryptographic Module Specification CAVP Algorithm Mode / Method Description / Key Use / Function Cert and Size(s) / Key Standard Strength(s) #A2155 DRBG AES-256-CTR Prediction Resistance: All random number generation and No key generation within the module SP 800-90A Supports Reseed Capabilities: Derivation Function Enabled: Yes Additional Input: 0-256 bits Entropy Input: 512-

1024 bits

Nonce: 256 bits Personalization String Length: 0-256 bits #A2155 ECDSA Key Pair Generation, P-224, P-256, P-384 Used in TLS and VPN connections Signature Generation, and P-521 curves for digital signatures FIPS 186-4 Signature Verification, SHA2-224, SHA2-256, Public Key Validation SHA2-384, SHA2-512 #A2155 HMAC SHA-1, SHA2-224, > 256 bit keys Used for authentication of SHA2-256, SHA2-384, configuration files, logs, and FIPS 198-1 SHA2-512 monitoring data, management connections and services, peer connections, VPN, HTTPS, TLS connections and SNMP monitoring.

Page 14

Cryptographic Module Specification CAVP Algorithm Mode / Method Description / Key Use / Function Cert and Size(s) / Key Standard Strength(s) #A2155 KAS KAS-ECC-SSC with CVL See KAS-ECC-SSC and Establishing session keys for VPN (IKEv1 KDF)3 CVL entries connections SP 80056Arev3 KAS-ECC-SSC with CVL See KAS-ECC-SSC and Establishing session keys for VPN (IKEv2 KDF)3 CVL entries connections KAS-FFC-SSC with CVL See KAS-FFC-SSC and Establishing session keys for VPN (IKEv1 KDF)4 CVL entries connections KAS-FFC-SSC with CVL See KAS-FFC-SSC and Establishing session keys for VPN (IKEv2 KDF)4 CVL entries connections #A2155 KAS KAS-ECC-SSC with CVL See KAS-ECC-SSC and Establishing session keys for TLS (TLS 1.2 KDF)3 CVL entries connections SP 80056Arev3 KAS-FFC-SSC with CVL See KAS-FFC-SSC and Establishing session keys for TLS (TLS 1.2 KDF)3 CVL entries connections #A2155 KAS-ECC- ephemeralUnified Domain Parameter Establishing shared secrets for TLS SSC Generation Methods: and VPN connections KAS Role: initiator, P-224, P-256, P-384, PSP 800- responder 56Arev3

3 Key establishment methodology provides between 112 and 256 bits of encryption strength.

4 Key establishment methodology provides between 112 and 202 bits of encryption strength.

Page 15

Cryptographic Module Specification CAVP Algorithm Mode / Method Description / Key Use / Function Cert and Size(s) / Key Standard Strength(s) #A2155 KAS-FFC-SSC dhEphem Domain Parameter Establishing shared secrets for TLS Generation Methods: and VPN connections SP 800- KAS Role: initiator, ffdhe2048, ffdhe3072, 56Arev3 responder ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP6144, MODP-8192 #A2155 KTS5 AES-CBC AES-128, AES-256 TLS and IPsec connections SP 800-38F HMAC HMAC-SHA-1 with 160-bit keys HMAC-SHA2-256 with 256-bit keys HMAC-SHA2-384 with 384-bit keys #A2155 KTS5 AES-GCM AES-128, AES-256 TLS and IPsec connections SP 800-38F #A2155 KTS6 AES-KWP AES-256 Used in VPN connections SP 800-38F

5 Key establishment methodology provides 128 and 256 bits of encryption strength.

6 Key establishment methodology provides 256 bits of encryption strength.
Page 16

Cryptographic Module Specification CAVP Algorithm Mode / Method Description / Key Use / Function Cert and Size(s) / Key Standard Strength(s) #A2155 RSA Key Pair Generation, 1024 (verification Used in TLS and VPN connections Signature Generation, only), 2048, 3072, for digital signatures FIPS 186-4 Signature Verification 4096 bits PKCS #1 v1.5 and PSS SHA2-224, SHA2-256, SHA2-384, SHA2-512 #A2155 Safe Primes FFC key pairs per SP Safe Prime Groups: Key generation for all module Key 800-56Arev3 using the ffdhe2048, ffdhe3072, services that utilize KAS-FFC-SSC Generation unmodified output of ffdhe4096, ffdhe6144, the DRBG for seeds ffdhe8192, MODPSafe Primes 2048, MODP-3072, Key MODP-4096, MODPVerification 6144, MODP-8192 SP 80056Arev3 #A2155 SHS SHA-1, SHA2-224, BYTE only Used in HTTPS user authentication SHA2-256, SHA2-384, and as a prerequisite for higherFIPS 180-4 SHA2-512 level algorithms Forcepoint NGFW FIPS Library #A2209 AES AES-ECB, AES-CFB128 Direction: Encrypt, Used in peer connections, SNMP Decrypt monitoring FIPS 197, SP 800-38A, SP Key Length: 128, 192, 800-38C 256 #A2209 KBKDF SHA2-256 > 112 bit keys Key Derivation SP 800-108 Counter and Feedback Mode

Page 17

Cryptographic Module Specification CAVP Algorithm Mode / Method Description / Key Use / Function Cert and Size(s) / Key Standard Strength(s) #A2209 PBKDF SHA-1, SHA2-256 128, 256-bit keys Key Encryption, Key Derivation SP 800-132 Forcepoint NGFW Cryptographic Kernel Module #A2166 AES AES-CBC, AES-GCM Direction: Encrypt, Used in VPN connections Decrypt FIPS 197, SP 800-38A, SP Key Length: 128, 192, 800-38D 256 #A2166 HMAC SHA-1, SHA2-224, > 112 bit keys Used in VPN connections SHA2-256, SHA2-384, FIPS 198-1 SHA2-512 #A2166 SHS SHA-1, SHA2-224, BYTE only Used as a prerequisite for higherSHA2-256, SHA2-384, level algorithms (HMAC) FIPS 180-4 SHA2-512 Forcepoint NGFW Entropy Library N/A ENT (NP) Non-physical RNG Entropy source Used to seed the module’s DRBG based on CPU timing expected to provide SP 800-90B jitter full entropy in its outputs due to the vetted conditioning component. Raw noise expected to provide at least 1/3 bits of min-entropy per 64-bit sample. #A2167 SHA-3 SHA3-256 BYTE only Conditioning within the entropy source FIPS 202

Page 18

Cryptographic Module Interfaces TABLE 4: NON-APPROVED ALGORITHMS ALLOWED IN THE APPROVED MODE OF OPERATION WITH NO SECURITY CLAIMED Algorithm Caveat Use / Function Triple-DES-CBC Use of a non-approved Used to obfuscate/de-obfuscate private keys stored on cryptographic algorithm to disk “obfuscate” a CSP allowed as per IG 2.4.A Scenario

  1. SHA-1 Use of a non-approved Used to derive the key pair obfuscation and integrity cryptographic algorithm to protection keys “obfuscate” a CSP allowed as per IG 2.4.A Scenario 1.
  2. Cryptographic Module Interfaces
3.1 Ports and Interface Overview

The figures in section Module Description identify the physical interfaces to the cryptographic module. The following table maps the physical interface to logical interfaces and supported data: TABLE 5: PORTS AND INTERFACES Physical port Logical interfaces Data that passes over port/interface VGA port Status output Used for external connections to monitors, which can be used for status monitoring SSD port (x2) N/A None SSD port LEDs (x4) Status output Used to indicate whether an SSD is in the bay and SSD activity (reads and writes) Interface module slot (x1 Data input, Data output, Control input, Control output, Network traffic on 2200 series, x8 on Status output

3400 series)
Page 19

Cryptographic Module Interfaces Physical port Logical interfaces Data that passes over port/interface Interface module slot Status output Used to indicate link status and LEDs network activity Power button Control input Used to turn on and turn off the module Power LEDs (x3) Status output Used to indicate whether the module is running, in a standby state, or powered down IPMI port Disabled in the validated configuration None IPMI port LEDs (x2) Status output Used to indicate link status and network activity Fixed Gb ethernet port (x9 Data input, Data output, Control input, Control output, Network traffic on 2200 series, x1 on Status output

3400 series)

Fixed ethernet port LEDs Status output Used to indicate link status and (x18 on 2200 series, x2 on network activity

3400 series)

Fixed SFP+ ports (x2 on Data input, Data output, Control input, Control output, Network traffic

3400 series, x4 on 2201, Status output

x8 on 2205, 2210) Fixed SFP+ port LEDs (x4 Status output Used to indicate link status and on 3400 series, x8 on network activity 2201, x16 on 2205, 2210) Console port Status output Used for external connections to console monitors, which can be used for status monitoring Console port LEDs (x2) Status output Used to indicate link status and console activity

Page 20

Roles, Services, and Authentication Physical port Logical interfaces Data that passes over port/interface USB ports (x2) Control input, disabled after initialization Can be used to input initial configuration from SMC Power input (x1 on 2201, Power input Used to input power to the 2205, x2 on 2210, 3400 module series) Power input LEDs (x2) Status output Used to indicate power input status Fan LEDs (x3) Status output Used to indicate fan status 4. Roles, Services, and Authentication

4.1 Roles

The mapping of the cryptographic module’s roles services is in the table below: TABLE 6: ROLES, SERVICES, INPUT AND OUTPUT Role Service Input Output Crypto officer Initialize module NA NA Crypto officer Shut down the module NA NA Crypto officer Zeroize keys NA NA Crypto officer Display versioning NA Module version information information Crypto officer Show status NA Module status Crypto officer Perform self-tests NA NA Crypto officer Management Connection Configuration Configuration status Service commands

Page 21

Roles, Services, and Authentication Role Service Input Output Crypto officer Peer Connection Service NA Heartbeat, state synchronization data, and data synchronization data Crypto officer Key pair management Key pair request NA service Crypto officer User management service Password hashes NA Crypto officer Modify and apply Configuration Configuration status configuration commands User IPsec VPN Service IKE key negotiation IKE key negotiation IPsec traffic IPsec traffic User Mobile VPN Service IKE key negotiation IKE key negotiation IPsec traffic IPsec traffic User HTTPS User TLS data TLS data Authentication Service User TLS Inspection Service TLS data TLS data User HTTPS Proxy Service TLS data TLS data Crypto officer Export Logs and NA Logs and monitoring Monitoring Data Service data User SNMP Monitoring Service SNMP requests SNMP responses

4.2 Roles and Authentication

The module supports role-based authentication within the module, where all roles must authenticate to the module by providing their authentication data. The module does not implement a limit on consecutive authentication attempts, as described in section 5.2.2 of SP 80063B. However, this is mitigated by the two-second delay for failed user password attempts and by a conservative argument about network session rate for the other authenticators. The success probability for random attempts during a one-minute period, as shown in the third column of the below table, shows that the module is well protected against password guessing attacks for all authenticators.

Page 22

Roles, Services, and Authentication Note: The strength of HMAC SHA-1 is estimated at 80 bits of strength in the analysis, below. NIST SP 800-107 states that the strength is somewhat less than 80 bits but does not specify a value. For simplicity, 80 bits are used in the analysis below. This does not change the conclusion if the actual strength is somewhat less than 80 bits. TABLE 7: ROLES AND REQUIRED IDENTIFICATION AND AUTHENTICATION Role Authentication Method Authentication Strength Crypto Officer (SMC, Peer NGFW, Single factor cryptographic software The public key used for Log Server) (ECDSA Digital Signature, HMAC- authentication is ECDSA, yielding at SHA-1) least 112 bits of strength, assuming the smallest curve size P-224. The chance of a random authentication attempt falsely succeeding is 1 / (2112). Assuming 1 attempt per microsecond, there can be 60,000,000 attempts in a oneminute period. This means that at worst case an attacker has the probability of breaking the authentication in one minute as 60,000,000 / (2112). User (SNMP) Single factor cryptographic software The SNMP key is the output of the (HMAC-SHA-1) SNMP KDF as described in NIST SP 800-135. The key is a 160-bit SHA-1 hash value. The chance of a random attempt falsely succeeding is 1 / (280). Assuming 1 attempt per microsecond, there can be 60,000,000 attempts in a oneminute period. This means that in the worst case, an attacker has the probability of guessing the key in one minute as 60,000,000/ (280). User (HTTPS, Mobile VPN) Memorized secret (SHA2-512) Once properly configured, the

Page 23

Roles, Services, and Authentication Role Authentication Method Authentication Strength minimum length of the password is

10 characters, with 94 different

case-sensitive alphanumeric characters and symbols possible for usage. Assuming a minimum password length of 10 characters, the chance of a random attempt falsely succeeding is 1 / (9410). The module adds a two-second delay between each login attempt. Therefore, the maximum number of login attempts is limited to 30 per minute. This means that in the worst case, an attacker has the probability of guessing the password in one minute as 30 / (9410). User (IPsec VPN) Single factor cryptographic software PSK: The minimum PSK length is 14 (RSA or ECDSA Digital Signature) characters. Therefore, assuming a minimum length password of 14 Memorized secret (HMAC-SHA-1) characters, the probability to guess every character successfully is 1 / (9414). Assuming 1 attempt per microsecond, there can be 60,000,000 attempts in a oneminute period. This means that in the worst case, an attacker has the probability of guessing the key in one minute as 60,000,000 / (9414). Digital Signature: The public key used for authentication can be either ECDSA or RSA, yielding at least 112 bits of strength, assuming

Page 24

Roles, Services, and Authentication Role Authentication Method Authentication Strength the smallest curve size P-224 or modulus size 2048 bit. The chance of a random authentication attempt falsely succeeding is 1 / (2112). Assuming 1 attempt per microsecond, there can be 60,000,000 attempts in a oneminute period. This means that at worst case an attacker has the probability of breaking the authentication in one minute as 60,000,000 / (2112).

4.3 Services

All services listed in the table below can be accessed in approved mode and when in this mode exclusively use the security functions listed in Cryptographic Algorithms. Notes on the content of Table 8: Module Services:  In the ‘Access Rights to Keys and/or SSPs’ column:

Page 25

Roles, Services, and Authentication TABLE 8: MODULE SERVICES Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Initialize module Set up the module Configuration File Crypto officer G, R,W,E Log field DRBG using NGFW Initial Protection Key Started in FIPS 140 Configuration Configuration File operating mode. Wizard. The setup Protection process includes Passphrase mandatory firmware upgrade, applying initial configuration and enabling the Approved Mode of operation.

Page 26

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Shut down the Terminate module None Ephemeral SSPs7 Crypto officer Z Power LED module operations in A shut down preparation for module is indicated powering off. by an unlit power LED.

7 The designation of ‘Ephemeral SSPs’ encompasses any keys noted to be stored solely in the module’s SDRAM in Table 10: Summary of SSPs

Page 27

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Zeroize keys The module will All CSPs Crypto officer E,Z Console output DRBG overwrite all CSPs. System zeroization Zeroization of keys complete following can be invoked by reboot. performing a factory reset Factory default exercising settings restored. commands. The zeroization occurs while the module is still in the Approved mode, and the module is restored to a factory state. Display versioning Display the module None Crypto officer N/A Console output: None information name and version Forcepoint NGFW information. version <version> SMC monitoring interface: version displayed in SMC monitoring window.

Page 28

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Show status Report the status of None Crypto officer N/A SMC monitoring None the module. interface SMC: Approved mode displayed in SMC monitoring window Perform self-tests Perform all power- Firmware Integrity Crypto officer R,E Console output: See section Selfon self-tests. Check Public Key FIPS power-up tests Tests succeeded. Log field: Cryptographic selftests succeeded

Page 29

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Management SMC establishes AES, DRBG, ECDSA, TLS SSPs8 Crypto officer G,R,W,E Log field Connection Service secure HMAC, KAS-ECCDRBG SSPs9 Management; TLS: management SSC, SHA, TLS KDF Connection connections to the established module over TLS. After initializing the module and initial contact with SMC, all post-installation configuration and modification of initial configuration is secured using TLS connections from SMC.

8 The designation of ‘TLS SSPs’ encompasses the TLS Encryption Key, TLS Authentication Key, TLS Pre-Master Secret, TLS Master Secret, TLS ECDSA Private Key, TLS

ECDSA Public Key, TLS ECDH Private Key, TLS ECDH Public Key, TLS Trusted Certificates

9 The designation of ‘DRBG SSPs’ encompasses the 256-bit DRBG Entropy Input, 256-bit DRBG Seed, 128-bit DRBG ‘V’ Value, and 256-bit DRBG ‘Key’ Value

Page 30

Roles, Services, and Authentication Peer Connection Peer NGFW AES, DRBG, ECDSA, Cluster Protocol Crypto officer G,R,W,E Log field Service modules establish HMAC, KAS-ECC- Key, State dsd: FIPS: starting secure network SSC, KAS-FFC-SSC, Synchronization in FIPS compliant connection within a RSA, SHA, TLS KDF Key, HTTPS RSA mode cluster. Private Key, HTTPS RSA Public Key, IKE ssd: FIPS: starting in Encryption Key, IKE FIPS compliant Authentication Key, mode SKEYID, SKEYID_d, SKEYSEED, SK_d, sendlogd: FIPS: SK_pi, SK_pr, IPsec starting in FIPS Encryption Key, compliant mode IPsec Authentication Key, VPN RSA Private Key, VPN RSA Public Key, VPN ECDSA Private Key, VPN ECDSA Public Key, VPN DH Public Key, VPN ECDH Public Key TLS SSPs8 DRBG SSPs9

Page 31

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Key pair SMC using the AES, DRBG, ECDSA, VPN RSA Private Crypto officer G,R,W,E Log field management management HMAC, KAS-ECC- Key, VPN RSA Private key service communication SSC, KBKDF, RSA, Public Key, VPN <filename> has protocol requests SHA, TLS KDF ECDSA Private Key, been created engine to generate VPN ECDSA Public key pair and Key, HTTPS RSA certificate signing Private Key, HTTPS request. RSA Public Key, Configuration File Encryption Key, Configuration File Authentication Key TLS SSPs8 DRBG SSPs9 User management SMC enters the AES, DRBG, ECDSA, User Password Crypto officer G,R,W,E Log field service user password HMAC, KAS-ECCTLS SSPs8 slapd: FIPS: running hashes using SSC, SHA, TLS KDF in FIPS compliant LDAPS. DRBG SSPs9 mode

Page 32

Roles, Services, and Authentication Modify and apply Verify and apply Configuration file Crypto officer G,R,W,E Log field AES, HMAC, KBKDF, configuration the configuration encryption key, PBKDF Inspection: System changes to the Configuration file Policy-Loaded modules securely authentication key, including Key Encryption Inspection: System configuration of Passphrase, Key Policy-Applied client protection Encryption Key, and server VPN Pre-Shared protection Key, Client certificate authority Protection CA RSA and TLS credentials. Private Key, Client Protection IM CA RSA Private Key, Client Protection IM CA ECDSA Private Key, Client Protection RSA Private Key, Client Protection ECDSA Private Key, SNMP Encryption Key, SNMP Authentication Key, Cluster Protocol Key

Page 33

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs IPsec VPN Service VPN tunneling AES, DRBG, ECDSA, User Password, IKE User G,R,W,E Log field clients establish HMAC, IKE KDF, Encryption Key, IKE IPsec VPN: IPsec SA secure IPsec VPN KAS-ECC-SSC, KAS- Authentication Key, initiator done connections to the FFC-SSC, RSA, SHA SKEYID, SKEYID_d, module. SKEYSEED,SK_d,SK_ IPsec VPN: IPsec SA pi,SK_pr, IPsec responder done Encryption Key, IPsec Authentication Key, VPN Trusted Certificates VPN SSPs10 DRBG SSPs9

10 The designation of ‘VPN SSPs’ encompasses the VPN RSA Private Key, VPN ECDSA Private Key, VPN Pre-Shared Key, VPN DH Private Key, VPN DH Shared Secret,

VPN ECDH Private Key, VPN ECDH Shared Secret, VPN Key Wrapping Key, VPN RSA Public Key, VPN ECDSA Public Key, VPN DH Public Key, VPN ECDH Public Key

Page 34

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs Mobile VPN Service VPN tunneling AES, DRBG, ECDSA, User Password, IKE User G,R,W,E Log field clients establish HMAC, IKE KDF, Encryption Key, IKE IPsec VPN: Mobile secure IPsec VPN KAS-ECC-SSC, KAS- Authentication Key, session created connections to the FFC-SSC, RSA, SHA, SKEYID, SKEYID_d, module. TLS KDF SKEYSEED,SK_d,SK_ IPsec VPN: Mobile pi,SK_pr, IPsec session closed Encryption Key, IPsec Authentication Key, VPN Trusted Certificates TLS SSPs8 VPN SSPs10 DRBG SSPs9

Page 35

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs HTTPS User End user’s AES, DRBG, ECDSA, User Password User G,R,W,E Log field Authentication authentication to HMAC, KAS-ECCHTTPS SSPs11 New user has been Service the module via web SSC, KAS-FFC-SSC, authorized browser. RSA, SHA, TLS KDF DRBG SSPs9 User has been reauthorized

11 The designation of ‘HTTPS SSPs’ encompasses the HTTPS Encryption Key, HTTPS Authentication Key, HTTPS Pre-Master Secret, HTTPS Master Secret, HTTPS RSA

Private Key, HTTPS DH Private Key, HTTPS ECDH Private Key, HTTPS RSA Public Key, HTTPS DH Public Key, HTTPS ECDH Public Key

Page 36

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs TLS Inspection Perform TLS AES, DRBG, ECDSA, Trusted Internet User G,R,W,E Log field Service inspection on HMAC, KAS-ECC- Certificates Inspection; TLS HTTPS network SSC, KAS-FFC-SSC, Inspection SSPs Decrypted=true traffic. RSA, SHA, TLS KDF Client Protection SSPs13 Server Protection SSPs14 DRBG SSPs9

12 The designation of ‘Inspection SSPs’ encompasses the Inspection DH Private Key, Inspection ECDH Private Key, Inspection Encryption Key, Inspection

Authentication Key, Inspection Pre-Master Secret, Inspection Master Secret, Inspection DH Public Key, Inspection ECDH Public Key

13 The designation of ‘Client Protection SSPs’ encompasses the Client Protection CA RSA Private Key, Client Protection IM CA RSA Private Key, Client Protection IM

CA ECDSA Private Key, Client Protection RSA Private Key, Client Protection ECDSA Private Key, Client Protection CA RSA Public Key, Client Protection IM CA RSA Public Key, Client Protection IM CA ECDSA Public Key, Client Protection ECDSA Public Key, and Client Protection ECDSA Public Key, Client Protection RSA Public Key

14 The designation of ‘Server Protection SSPs’ encompasses the Server Protection RSA Private Key, Server Protection ECDSA Private Key, Server Protection RSA Public

Key, and Server Protection ECDSA Public Key

Page 37

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs HTTPS Proxy Sidewinder proxy AES, DRBG, ECDSA, Key Encryption Key, User G,R,W,E Log field Service used for outbound HMAC, KAS-ECC- Trusted Internet SSM Proxy; TLS traffic. SSC, KAS-FFC-SSC, Certificates Decrypted=true PBKDF, RSA, SHA. SSM SSPs15 TLS KDF DRBG SSPs9 Export Logs and Traffic logs and AES, DRBG, ECDSA, TLS SSPs8 Crypto officer G,R,W,E Log field entries are Monitoring Data monitoring data are HMAC, KAS-ECC- received by the log DRBG SSPs9 Service exported to Log SSC, KAS-FFC-SSC, server. Server securely. RSA, SHA, TLS KDF SMC Monitoring data shown in the SMC monitoring window

15 The designation ‘SSM SSPs’ encompasses the SSM HTTPS DH Private Key, SSM HTTPS DH Public Key, SSM HTTPS ECDH Private Key, SSM HTTPS ECDH Public Key,

SSM HTTPS Encryption Key, SSM HTTPS Authentication Key, SSM HTTPS Pre-Master Secret, SSM HTTPS Master Secret, SSM Client Protection RSA Private Key, SSM Client Protection ECDSA Private Key, SSM Client Protection RSA Public Key, and SSM Client Protection ECDSA Public Key

Page 38

Roles, Services, and Authentication Approved Security Key and/or Access Rights to Service Description Roles Indicator Functions SSPs Keys and/or SSPs SNMP Monitoring SNMP manager SNMP Encryption User R,E Log field AES, HMAC Service receives network Key, SNMP smonitd: FIPS management Authentication Key starting in FIPS information and compliant mode traps.

Page 39

Roles, Services, and Authentication

4.4 Alternating Bypass Feature

The module operates in an alternating bypass mode according to the policies set. The enabling and disabling of the bypass capability is performed via ‘Modify and apply configuration’ service allocated to the CO role. The module implements the following forms of alternating bypass: VPN network traffic: For policy-based VPN traffic, the module operates with bypass deactivated if the module action is set to IPsec VPN, where the module is operating to provide VPN service for the specified source/destination addresses. The module will encrypt/decrypt network traffic according to the policy. The module operates with bypass activated if the module action is set to allow in Access rules for network traffic, where the module is accepting/sending plaintext data for the specified source/destination addresses. For route-based VPN traffic, the module operates with bypass deactivated when network traffic is routed to module interfaces that are designated as endpoints for a VPN tunnel and is sent into the VPN tunnel. If Access rules allow the traffic, traffic is automatically sent through the tunnel to the endpoint. The module operates with bypass activated when network traffic is routed to module interfaces that accept plaintext data. Based on the Access rule (allow/discard), the traffic is either forwarded to the endpoint or dropped. In both cases, to activate the bypass feature, two independent actions must be taken by a CO. The CO must create the firewall policy allowing the bypass feature and apply the policy to the module to enable it. Firewall network traffic: The default action for network traffic in firewall Access rules is discard. For firewall traffic, the module operates with bypass deactivated if the traffic from the endpoint is sent/received using HTTPS, and the module action is set to allow. If traffic from the endpoint is passed directly to the module using HTTP, and the module action is set to allow, then the module is operating with bypass activated. For incoming traffic, if the HTTPS option is selected, the module connections with the endpoint are encrypted using TLS (bypass deactivated). If the HTTP option is selected, the module accepts connections in plaintext (bypass activated). For Outgoing traffic, If HTTPS is selected, web traffic will be re-encrypted using TLS (bypass deactivated). If HTTP is configured, web traffic is sent in plaintext (bypass activated). Two independent actions must be taken by a CO. The CO must create the firewall policy allowing bypass and apply to the module to enable it. The rules in the policy that is currently applied to the module specify whether the module allows the encrypted or plaintext traffic. The status information for the bypass activation and deactivation can be viewed via established management connection from SMC as indicated below: Bypass

Page 40

Roles, Services, and Authentication TLS inspection

4.5 Self-Initiated Cryptographic Output Capability

The Export Logs and Monitoring Data Service and the Peer Connection Service are self-initiated cryptographic output capabilities supported by the module. In both cases, these services are triggered by the module itself without a specific request to perform the service. The Export Logs and Monitoring Data Service is enabled on the first policy push from the SMC where the Log Server address is specified. This is configured through two independent steps: adding the Log Server and activating the policy. The Peer Connection Service is enabled when the module is joined to a cluster. While the module is in a cluster, this communication happens, and it stops when module is removed from the cluster. This is also configured through two independent steps:

Page 41

Software/Firmware Security FIGURE 7: SELF-INITIATED CRYPTOGRAPHIC OUTPUT CAPABILITY STATUS ON SMC WEB GUI 5. Software/Firmware Security

5.1 Firmware Integrity

The Forcepoint Next Generation Firewall’s firmware integrity is checked on startup as described in section Self-Tests. The module runs the self-test functions to check the firmware integrity as well as the cryptographic algorithms used. Any failures during these tests will result in a module halt in which an error message is output, the module reboots and data output is inhibited. The images are stored as signed binaries using the “Firmware Integrity Check Public Key” which uses ECDSA with P-521 and SHA2-512. The operator can trigger an on-demand check of the module firmware by rebooting the module. 6. Operational Environment Per Section 7.5 of the FIPS 140-3 Management Manual, this section is not-applicable. The module supports a non-modifiable operating environment as defined by ISO/IEC 19790:2012 and meets the Level 2 Physical Security requirements.

Page 42

Physical Security 7. Physical Security

7.1 Module Construction

The module is enclosed in a strong metal (steel) enclosure that provides tamper-evidence. Any tampering that might compromise a module’s security is detectable by visual inspection of the physical integrity of a module. The Crypto Officer should perform a visual inspection of the module at regular intervals. The module’s enclosure is opaque to resist visual inspection of the device design, physical probing of the device and attempts to access sensitive data on individual components of the device.

7.2 Tamper-Evident Labels

The following table depicts the number of tamper evident labels required for each hardware module: Hardware Module Number of Tamper Evident Labels Required NGFW 2201 2 NGFW 2205 3 NGFW 2210 4 NGFW 3400 14 Each shipment of the Forcepoint NGFW FIPS Kit includes 25 tamper labels. Additional tamper labels can be purchased in single boxes of 25 (SKU: ACFIPS3) from Forcepoint. In addition to the strong metal enclosure, the module employs uniquely numbered tamper-evident labels. The following images depict the tested, Approved TEL configurations for the modules:

Page 43

Physical Security FIGURE 8: 2205/2210 FRONT TEL PLACEMENTS FIGURE 9: 2210 REAR TEL PLACEMENTS

Page 44

Physical Security FIGURE 10: 2201 FRONT TEL PLACEMENT FIGURE 11: 2201/2205 REAR TEL PLACEMENT

Page 45

Physical Security FIGURE 12: 3400 SERIES FRONT TEL PLACEMENTS FIGURE 13: 3400 SERIES RIGHT SIDE TEL PLACEMENT

Page 46

Physical Security FIGURE 14: 3400 SERIES REAR TEL PLACEMENTS FIGURE 15: 3400 SERIES LEFT SIDE TEL PLACEMENT

7.3 Internal Baffles

The module also employs internal baffles to deter visual observation of the internal components of the modules through vents. The following image depicts a vent that is protected by a baffle:

Page 47

Physical Security FIGURE 16: DEPICTION OF VENT PROTECTED BY INTERNAL BAFFLE

Page 48
7.4 Module Inspection

The following routine inspections are recommended. TABLE 9: PHYSICAL SECURITY INSPECTION GUIDELINES Physical Security Recommended Frequency of Inspection/Test Inspection/Test Mechanism Guidance Details Physical inspection of On receipt of module following transport. <see below>. enclosure surfaces and At any point following any un-authorized access to the tamper-evident seals for environment hosting the module. signs of tamper. Following any extended periods of unattended storage for the module. Any attempts to remove the covers will result in tamper evidence. Example (but not exhaustive) pictures of potential attempts to tamper a module are shown below:

Page 49

Non-Invasive Security If any evidence of tampering is observed on the module enclosures or tamper-evident seals, the modules shall be considered in a non-compliant state. Upon such discovery, the CO shall immediately take the module out of operation and contact Forcepoint Customer Support.

  1. Non-Invasive Security N/A: Section 8, Non-Invasive Security is Not-Applicable as there are currently no requirements in SP 800-140F.
  2. SSP Management
9.1 Sensitive Security Parameter

The following table lists Sensitive Security Parameters (SSP) used to perform approved security functions supported by the cryptographic module. The following notes should be observed when reading the table:

Page 50

SSP Management

Page 51

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number TLS ECDH Private 112-256 KAS-ECC- SP 800- N/A Generated Plaintext in Automatically at Private ephemeral key Key bits SSC Cert. 56Ar3, SDRAM the expiration of agreement key used in TLS. #A2155 Testing the session or Related SSPs: TLS Pre-Master Candidates Power off Secret, TLS ECDH Public Key IKE Encryption 128, 256 AES Cert. N/A Input and Derived using IKEv1 or Plaintext in Automatically at Data encryption key used in IKE Key bits #A2155 Output IKEv2 KDF SDRAM the expiration of negotiations. Encrypted via the session or Related SSPs: SKEYID, SKEYID_d, TLS (KTS) Power off SKEYSEED, SK_d, SK_pi, SK_pr IKE 128-256 HMAC N/A Input and Derived using IKEv1 or Plaintext in Automatically at Authentication key used in IKE Authentication bits Cert Output IKEv2 KDF SDRAM the expiration of negotiations. Key #A2155 Encrypted via the session or Related SSPs: SKEYID, SKEYID_d, TLS (KTS) Power off SKEYSEED, SK_d, SK_pi, SK_pr SKEYID, SKEYID_d 112-256 KDF IKE N/A Input and Derived using IKEv1 Plaintext in Automatically at Values calculated during IKE v1 bits Cert. Output KDF SDRAM the expiration of negotiation. #A2155 Encrypted via the session or Related SSPs: VPN DH Shared TLS (KTS) Power off Secret, VPN ECDH Shared Secret, VPN Pre-Shared Key, IKE Encryption Key, IKE Authentication Key, IPsec Encryption Key, IPsec Authentication Key

Page 52

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number SKEYSEED, SK_d, 112-256 KDF IKE N/A Input and Derived using IKEv2 Plaintext in Automatically at Values calculated during IKEv2 SK_pi, SK_pr bits Cert. Output KDF SDRAM the expiration of negotiation. #A2155 Encrypted via the session or Related SSPs: VPN DH Shared TLS (KTS) Power off Secret, VPN ECDH Shared Secret, VPN Pre-Shared Key, IKE Encryption Key, IKE Authentication Key, IPsec Encryption Key, IPsec Authentication Key IPsec Encryption 128, 256 AES Cert. N/A Input and Derived using IKEv1 or Plaintext in Automatically at Data encryption key used in Key bits #A2166 Output IKEv2 KDF SDRAM the expiration of IPsec negotiations. Encrypted via the session or Related SSPs: SKEYID, SKEYID_d, TLS (KTS) Power off SKEYSEED, SK_d, SK_pi, SK_pr IPsec 128-256 HMAC N/A Input and Derived using IKEv1 or Plaintext in Automatically at Authentication key used in IPsec Authentication bits Cert Output IKEv2 KDF SDRAM the expiration of negotiations. Key #A2166 Encrypted via the session or Related SSPs: SKEYID, SKEYID_d, TLS (KTS) Power off SKEYSEED, SK_d, SK_pi, SK_pr VPN RSA Private 112-150 RSA Cert. FIPS 186-4, Input and Generated Encrypted on Disk erasure Private authentication key used Key bits #A2155 B.3.6 Output disk in IKE. Encrypted via Related SSPs: VPN RSA Public TLS (KTS) Key VPN ECDSA 112-256 ECDSA FIPS 186-4, Input and Generated Encrypted on Disk erasure Private authentication key used Private Key bits Cert. Testing Output disk in IKE. #A2155 Candidates Encrypted via Related SSPs: VPN ECDSA Public TLS (KTS) Key VPN Pre-Shared 112-256 KDF IKE N/A Input Input Plaintext or Disk erasure Shared secret used in IKE. Key bits Cert. Encrypted via encrypted on Related SSPs: SKEYID, SKEYID_d, #A2155 TLS (KTS) disk SKEYSEED, SK_d, SK_pi, SK_pr

Page 53

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number VPN DH Private 112-202 KAS-FFC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used in IKE. #A2155 Testing Power off Related SSPs: VPN DH Public Candidates Key, VPN DH Shared Secret VPN DH Shared 112-202 KDF IKE N/A N/A Established via KAS- Plaintext in Automatically Diffie-Hellman shared secret in Secret bits Cert. FFC-SSC Key SDRAM after use or IKE #A2155 Agreement Power off Related SSPs: VPN DH Private Key, VPN DH Public Key VPN ECDH Private 112-256 KAS-ECC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used in IKE. #A2155 Testing Power off Related SSPs: VPN ECDH Public Candidates Key, VPN ECDH Shared Secret VPN ECDH Shared 112-256 KDF IKE N/A N/A Established via KAS- Plaintext in Automatically Elliptical curve Diffie-Hellman Secret bits Cert. ECC-SSC Key SDRAM after use or shared secret in IKE #A2155 Agreement Power off Related SSPs: VPN ECDH Private Key, VPN ECDH Public Key VPN Key 256 bits AES Cert. N/A N/A Derived via KBKDF Plaintext in Power off IKE and IPsec key and key Wrapping Key #A2155 SDRAM wrapping material Related SSPs: Cluster Protocol Key HTTPS Encryption 128, 256 AES Cert. N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Data encryption key used in TLS. Key bits #A2155 KDF SDRAM the expiration of Related SSPs: HTTPS Master the session or Secret Power off HTTPS 256 bits HMAC N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Authentication key used in TLS. Authentication Cert. KDF SDRAM the expiration of Related SSPs: HTTPS Master Key #A2155 the session or Secret Power off

Page 54

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number HTTPS Pre-Master 112-256 KDF TLS N/A N/A Established through Plaintext in Automatically at Shared secret generated or Secret bits Cert. Diffie-Hellman SDRAM the expiration of established for a TLS session. #A2155 agreement or Elliptical the session or Related SSPs: HTTPS DH Private Curve Diffie-Hellman Power off Key, HTTPS DH Public Key, agreement using NIST HTTPS ECDH Private Key, HTTPS SP 800-56Arev3 ECDH Public Key, HTTPS Master Secret HTTPS Master 112-256 KDF TLS N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Value calculated during TLS Secret bits Cert. KDF SDRAM the expiration of handshake. #A2155 the session Related SSPs: HTTPS Pre-master or Power off Secret, HTTPS Encryption Key, HTTPS Authentication Key HTTPS RSA 112-150 RSA Cert. FIPS 186-4, Input and Generated Obfuscated Disk erasure Private authentication key used Private Key bits #A2155 B.3.6 Output (equivalent to in HTTPS user authentication. Encrypted via Plaintext) on Related SSPs: HTTPS RSA Public TLS (KTS) disk Key HTTPS DH Private 112-202 KAS-FFC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used in TLS. #A2155 Testing Power off Related SSPs: HTTPS DH Public Candidates Key, HTTPS Pre-master Secret HTTPS ECDH 112-256 KAS-ECC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Private Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used in TLS. #A2155 Testing Power off Related SSPs: HTTPS ECDH Candidates Public Key, HTTPS Pre-master Secret

Page 55

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number Client Protection 112-150 RSA Cert. N/A Input Input Encrypted on Disk erasure Private signature key used in TLS CA RSA Private bits #A2155 Encrypted via disk inspection CA. Key TLS (KTS) Related SSPs: Client Protection CA RSA Public Key Client Protection 112-150 RSA Cert. FIPS 186-4, N/A Generated Plaintext in Power off Private authentication key used IM CA RSA Private bits #A2155 B.3.6 SDRAM in TLS inspection. Key Related SSPs: Client Protection IM CA RSA Public Key Client Protection 112-256 ECDSA FIPS 186-4, N/A Generated Plaintext in Power off Private authentication key used IM CA ECDSA bits Cert. Testing SDRAM in TLS inspection. Private Key #A2155 Candidates Related SSPs: Client Protection IM CA ECDSA Public Key Client Protection 112-150 RSA Cert. FIPS 186-4, N/A Generated Plaintext in Power off Private authentication key used RSA Private Key bits #A2155 B.3.6 SDRAM in TLS inspection. Related SSPs: Client Protection RSA Public Key Server Protection 112-150 RSA Cert. N/A Input Input Encrypted on Disk erasure Private authentication key used RSA Private Key bits #A2155 Encrypted via disk in TLS inspection. TLS (KTS) Related SSPs: Server Protection RSA Public Key Client Protection 112-256 ECDSA FIPS 186-4, N/A Generated Plaintext in Power off Private authentication key used ECDSA Private bits Cert. Testing SDRAM in TLS inspection. Key #A2155 Candidates Related SSPs: Client Protection ECDSA Public Key Server Protection 112-256 ECDSA N/A Input Input Encrypted on Disk erasure Private authentication key used ECDSA Private bits Cert. Encrypted via disk in TLS inspection. Key #A2155 TLS (KTS) Related SSPs: Server Protection ECDSA Public Key

Page 56

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number Inspection DH 112-202 KAS-FFC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Private Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used in TLS #A2155 Testing Power off inspection. Candidates Related SSPs: Inspection DH Public Key, Inspection PreMaster Secret Inspection ECDH 112-256 KAS-ECC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Private Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used in TLS #A2155 Testing Power off inspection. Candidates Related SSPs: Inspection ECDH Public Key, Inspection PreMaster Secret Inspection 128, 256 AES Cert. N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Data encryption key used in TLS Encryption Key bits #A2155 KDF SDRAM the expiration of inspection. the session Related SSPs: Inspection Master or Power off Secret Inspection 256 bits HMAC N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Authentication key used in TLS Authentication Cert. KDF SDRAM the expiration of inspection. Key #A2155 the session Related SSPs: Inspection Master or Power off Secret Inspection Pre- 112-256 KDF TLS N/A N/A Established through Plaintext in Automatically at Shared secret generated or Master Secret bits Cert. Diffie-Hellman SDRAM the expiration of established for TLS inspection. #A2155 agreement or Elliptical the session Related SSPs: Inspection ECDH Curve Diffie-Hellman or Power off Private Key, Inspection ECDH agreement using NIST Public Key, Inspection DH SP 800-56Arev3 Private Key, Inspection DH Public Key, Inspection Master Secret

Page 57

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number Inspection Master 112-256 KDF TLS N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Value calculated during TLS Secret bits Cert. KDF SDRAM the expiration of inspection. #A2155 the session Related SSPs: Inspection Preor Power off Master Secret, Inspection Encryption Key, Inspection Authentication Key SSM HTTPS DH 112-202 KAS-FFC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Private Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used #A2155 Testing Power off in HTTPS inspection. Candidates Related SSPs: SSM HTTPS DH Public Key, SSM HTTPS PreMaster Secret SSM HTTPS ECDH 112-256 KAS-ECC- SP 800- N/A Generated Plaintext in Automatically Private ephemeral key Private Key bits SSC Cert. 56Ar3, SDRAM after use or agreement key used #A2155 Testing Power off in HTTPS inspection. Candidates Related SSPs: SSM HTTPS ECDH Public Key, SSM HTTPS PreMaster Secret SSM HTTPS 128, 256 AES Cert. N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Data encryption key used in Encryption Key bits #A2155 KDF SDRAM the expiration of HTTPS inspection. the session Related SSPs: SSM HTTPS Master or Power off Secret SSM HTTPS 256 bits HMAC N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Authentication key used in Authentication Cert. KDF SDRAM the expiration of HTTPS inspection. Key #A2155 the session Related SSPs: SSM HTTPS Master or Power off Secret

Page 58

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number SSM HTTPS Pre- 112-256 KDF TLS N/A N/A Established through Plaintext in Automatically at Shared secret generated or Master Secret bits Cert. Diffie-Hellman SDRAM the expiration of established for #A2155 agreement or Elliptical the session HTTPS inspection. Curve Diffie-Hellman or Power off Related SSPs: SSM HTTPS DH agreement using NIST Private Key, SSM HTTPS DH SP 800-56Arev3 Public Key, SSM HTTPS ECDH Private Key, SSM HTTPS ECDH Public Key, SSM HTTPS Master Secret SSM HTTPS 112-256 KDF TLS N/A N/A Derived using TLS 1.2 Plaintext in Automatically at Value calculated during Master Secret bits Cert. KDF SDRAM the expiration of HTTPS inspection. #A2155 the session Related SSPs: SSM HTTPS Preor Power off Master Secret, SSM HTTPS Encryption Key, SSM HTTPS Authentication Key SSM Client 112-150 RSA Cert. FIPS 186-4, N/A Generated Plaintext in Power off Used to identify the module in Protection RSA bits #A2155 B.3.6 SDRAM the SSM Proxy Service Private Key Related SSPs: SSM Client Protection RSA Public Key SSM Client 112-256 ECDSA FIPS 186-4, N/A Generated Plaintext in Power off Used to identify the module in Protection ECDSA bits Cert. Testing SDRAM the SSM Proxy Service Private Key #A2155 Candidates Related SSPs: SSM Client Protection ECDSA Public Key SSM Client 112-150 RSA Cert. FIPS 186-4, Output in Generated Plaintext in Power off Used to identify the module in Protection RSA bits #A2155 B.3.6 Plaintext as SDRAM the SSM Proxy Service Public Key part of TLS Related SSPs: SSM Client protocol Protection RSA Private Key

Page 59

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number SSM Client 112-256 ECDSA FIPS 186-4, Output in Generated Plaintext in Power off Used to identify the module in Protection ECDSA bits Cert. Testing Plaintext as SDRAM the SSM Proxy Service Public Key #A2155 Candidates part of TLS Related SSPs: SSM Client protocol Protection ECDSA Private Key SNMP Encryption 128, 256 AES Cert. N/A Input Input Plaintext or Disk erasure Data encryption key used in Key bits #A2155 Encrypted via encrypted on SNMPv3. TLS (KTS) disk Related SSPs: None SNMP 256 bits HMAC N/A Input Input Plaintext or Disk erasure Authentication key used in Authentication Cert. Encrypted via encrypted on SNMPv3. Key #A2155 TLS (KTS) disk Related SSPs: None TLS ECDSA Public 112-256 ECDSA FIPS 186-4, Output in Generated Plaintext on Disk erasure Public key used in TLS signature. Key bits Cert. Testing Plaintext as disk Related SSPs: TLS ECDSA Private #A2155 Candidates part of TLS Key protocol TLS ECDH Public 112-256 KAS-ECC- SP 800- Input and Generated, Input Plaintext in Automatically at Public ephemeral key Key bits SSC Cert. 56Ar3, Output in SDRAM the expiration of agreement key used in TLS. #A2155 Testing Plaintext as the session Related SSPs: TLS ECDH Private Candidates part of TLS or Power off Key, TLS Pre-Master Secret protocol VPN RSA Public 112-150 RSA Cert. FIPS 186-4, Input and Generated, Input Encrypted on Disk erasure Public authentication key used Key bits #A2155 B.3.6 Output in disk in IKE. Plaintext as Related SSPs: VPN RSA Private part of Key TLS/IKE protocols

Page 60

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number VPN ECDSA Public 112-256 ECDSA FIPS 186-4, Input and Generated, Input Encrypted on Disk erasure Public authentication key used Key bits Cert. Testing Output in disk in IKE. #A2155 Candidates Plaintext as part of Related SSPs: VPN ECDSA TLS/IKE Private Key protocols VPN DH Public 112-202 KAS-FFC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used in IKE. #A2155 Testing Plaintext as Power off Related SSPs: VPN DH Private Candidates part of IKE Key, VPN DH Shared Secret protocol VPN ECDH Public 112-256 KAS-ECC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used in IKE. #A2155 Testing Plaintext as Power off Related SSPs: VPN ECDH Private Candidates part of IKE Key, VPN ECDH Shared Secret protocol HTTPS RSA Public 112-150 RSA Cert. FIPS 186-4, Input and Generated, Input Plaintext on Disk erasure Public authentication key used Key bits #A2155 B.3.6 Output in disk in HTTPS user authentication. Plaintext as Related SSPs: HTTPS RSA Private part of TLS Key protocols HTTPS DH Public 112-202 KAS-FFC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used in TLS. #A2155 Testing Plaintext as Power off Related SSPs: HTTPS DH Private Candidates part of TLS Key, HTTPS Pre-master Secret protocol

Page 61

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number HTTPS ECDH 112-256 KAS-ECC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Public Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used in TLS. #A2155 Testing Plaintext as Power off Related SSPs: HTTPS ECDH Candidates part of TLS Private Key, HTTPS Pre-master protocol Secret Client Protection 112-150 RSA Cert. N/A Input Input Encrypted on Disk erasure Public signature key used in TLS CA RSA Public Key bits #A2155 Encrypted via disk inspection CA. TLS (KTS) Related SSPs: Client Protection CA RSA Private Key Client Protection 112-150 RSA Cert. FIPS 186-4, N/A Generated Plaintext in Power off Public authentication key used IM CA RSA Public bits #A2155 B.3.6 SDRAM in TLS inspection. Key Related SSPs: Client Protection IM CA RSA Private Key Client Protection 112-256 ECDSA FIPS 186-4, N/A Generated Plaintext in Power off Public authentication key used IM CA ECDSA bits Cert. Testing SDRAM in TLS inspection. Public Key #A2155 Candidates Related SSPs: Client Protection IM CA ECDSA Private Key Client Protection 112-150 RSA Cert. FIPS 186-4, Output in Generated Plaintext in Power off Public authentication key used RSA Public Key bits #A2155 B.3.6 Plaintext as SDRAM in TLS inspection. part of TLS Related SSPs: Client Protection protocol RSA Private Key Server Protection 112-150 RSA Cert. N/A Input Input Encrypted on Disk erasure Public authentication key used RSA Public Key bits #A2155 Encrypted via disk in TLS inspection. TLS (KTS) Related SSPs: Server Protection RSA Private Key Client Protection 112-256 ECDSA FIPS 186-4, Output in Generated Plaintext in Power off Public authentication key used ECDSA Public Key bits Cert. Testing Plaintext as SDRAM in TLS inspection. #A2155 Candidates part of TLS Related SSPs: Client Protection protocol ECDSA Private Key

Page 62

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number Server Protection 112-256 ECDSA N/A Input Input Encrypted on Disk erasure Public authentication key used ECDSA Public Key bits Cert. Encrypted via disk in TLS inspection. #A2155 TLS (KTS) Inspection DH 112-202 KAS-FFC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Public Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used in TLS #A2155 Testing Plaintext as Power off inspection. Candidates part of TLS Related SSPs: Inspection DH protocol Private Key, Inspection PreMaster Secret Inspection ECDH 112-256 KAS-ECC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Public Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used in TLS #A2155 Testing Plaintext as Power off inspection. Candidates part of TLS Related SSPs: Inspection ECDH protocol Private Key, Inspection PreMaster Secret SSM HTTPS DH 112-202 KAS-FFC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Public Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used #A2155 Testing Plaintext as Power off in HTTPS inspection. Candidates part of TLS Related SSPs: SSM HTTPS DH protocol Private Key, SSM HTTPS PreMaster Secret SSM HTTPS ECDH 112-256 KAS-ECC- SP 800- Input and Generated, Input Plaintext in Automatically Public ephemeral key Public Key bits SSC Cert. 56Ar3, Output in SDRAM after use or agreement key used #A2155 Testing Plaintext as Power off in HTTPS inspection. Candidates part of TLS Related SSPs: SSM HTTPS ECDH protocol Private Key, SSM HTTPS PreMaster Secret

Page 63

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number TLS Trusted 112-256 RSA Cert. N/A Input Input Plaintext in Disk erasure Trusted certificates for use in Certificates bits #A2155 Encrypted via SDRAM TLS ECDSA TLS (KTS) Related SSPs: None Cert. #A2155 Trusted Internet 112-256 RSA Cert. N/A Input Input Plaintext in Disk erasure Trusted certificates for Certificates bits #A2155 Encrypted via SDRAM authenticating internet servers ECDSA TLS (KTS) Related SSPs: None Cert. #A2155 VPN Trusted 112-256 RSA Cert. N/A Input Input Plaintext on Disk erasure Trusted certificates for use in Certificates bits #A2155 Encrypted via disk VPNs ECDSA TLS (KTS) Related SSPs: None Cert. #A2155 256-bit DRBG 256 DRBG ENT (NP) N/A Generated Plaintext in Automatically Entropy input for 256-bit DRBG Entropy Input Cert. SDRAM after use Related SSPs: 128-bit DRBG ‘V’ #A2155 or Power off Value, 256-bit DRBG ‘Key’ Value, 256-bit DRBG Seed 128-bit DRBG ‘V’ 128 DRBG SP 800-90A N/A Derived via SP 800- Plaintext in Automatically V (128 bits) for 256-bit DRBG Value Cert. 90A mechanisms SDRAM after use Related SSPs: 256-bit DRBG #A2155 based on entropy or Power off Entropy Input, 256-bit DRBG input Seed 256-bit DRBG 256 DRBG SP 800-90A N/A Derived via SP 800- Plaintext in Automatically Key (256 bits) for 256-bit DRBG ‘Key’ Value Cert. 90A mechanisms SDRAM after use Related SSPs: 256-bit DRBG #A2155 based on entropy or Power off Entropy Input, 256-bit DRBG input Seed

Page 64

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number 256-bit DRBG 256 DRBG SP 800-90A N/A Derived via SP 800- Plaintext in Automatically Seeding material for the DRBG Seed Cert. 90A mechanisms SDRAM after use Related SSPs: 256-bit DRBG #A2155 based on entropy or Power off Entropy Input, 128-bit DRBG ‘V’ input Value, 256-bit DRBG ‘Key’ Value Cluster Protocol 256 HMAC N/A Input Input Plaintext or Disk erasure Used for authentication within Key Cert. Encrypted via encrypted on the cluster protocol. #A2155 TLS (KTS) disk Related SSPs: None State 128 AES Cert. CKG using Input and Generated, Input Plaintext in Power off Used for encryption and Synchronization #A2155 unmodified Output SDRAM authentication in the state Key HMAC DRBG output Encrypted via synchronization protocol. Cert. TLS (KTS) Related SSPs: None #A2155 Configuration File 256 KBKDF CKG using N/A Generated Plaintext on Disk erasure Used to derive the configuration Protection Key Cert. unmodified disk file encryption and #A2209 DRBG output authentication keys. Related SSPs: Configuration File Encryption Key, Configuration File Authentication Key Configuration File 256 PBKDF CKG using N/A Generated Plaintext on Disk erasure Used to derive the key pair Protection Cert. unmodified disk obfuscation and integrity Passphrase #A2209 DRBG output protection keys. Related SSPs: None Configuration File 256 AES Cert. N/A N/A Derived via KBKDF Plaintext in Automatically Used to encrypt configuration Encryption Key #A2155 SDRAM after use files on disk. or Power off Related SSPs: Configuration file protection Key

Page 65

SSP Management Key / SSP Name / Strength Security Generation Import/ Establishment Storage Zeroisation Use and Related Keys Type Function Export and Cert Number Configuration File 256 HMAC N/A N/A Derived via KBKDF Plaintext in Automatically Used to authenticate Authentication Cert. SDRAM after use configuration files on disk. Key #A2155 or Power off Related SSPs: Configuration file protection Key User Password >65 bits N/A N/A Input hashed Input SHA2-512 Disk erasure Identify users in HTTPS (SHA2-512) digest on disk authentication and Mobile VPN. and salted Related SSPs: None Key Encryption 256 PBKDF N/A Input Input Plaintext on Disk erasure Derive the key encryption key Passphrase Cert. Encrypted via disk used to protect private keys #A2209 TLS (KTS) stored on disk. Related SSPs: Key Encryption Key Key Encryption 128 AES Cert. N/A N/A Derived via PBKDF Plaintext in Automatically Used to encrypt/decrypt private Key #A2155 SDRAM after use keys stored on disk. or Power off Related SSPs: Key Encryption Passphrase Firmware 256 ECDSA N/A N/A Pre-loaded by the Plaintext on Disk erasure Used for firmware integrity Integrity Check Cert. manufacturer disk check. Public Key 16 #A2155 Related SSPs: None

16 The key “Firmware Integrity Check Public Key” is not considered to be an SSP, but otherwise included for completeness.

Page 66
9.2 Non-Deterministic Random Number Generation Specification

The module includes a non-deterministic Random Number Generator (RNG) within the module boundary. The non-deterministic RNG is used exclusively to feed an approved SHA-3 conditioning function where in-turn the output of the conditioning function is used to seed the DRBG. The Non-Deterministic RNG complies with SP 800-90B and has been certified using FIPS 140-3 IG D.J with guidance set out in FIPS 140-3 IG D.K. TABLE 11: NON-DETERMINISTIC RANDOM NUMBER GENERATION SPECIFICATION Entropy sources Minimum number of Details bits of entropy CPU timing jitter Full-entropy output SP 800-90B compliant Non-Deterministic RNG using a softwarebased noise source internal to the module boundary. Output from the noise source is fed through an approved conditioning function based on SHA3-256. Raw noise is generated based on non-deterministic jitter inherent in CPUs from factors such as CPU instruction pipelines, CPU clock cycles being different from memory bus clock speeds, CPU frequency scaling, CPU power management, instruction and data cache states, CPU topology, different CPU cache technologies, CPU branch prediction, hardware interrupts, etc. The module achieves full entropy from the output of the conditioning function where every 512-bits used to seed the DRBG includes 512-bits of entropy. All outputs from the noise source are subjected to health testing ahead of being fed to the conditioning function. 10. Self-Tests

10.1 Pre-Operational Tests

The module performs the pre-operational self-tests upon power-up to confirm the firmware integrity, and to check the continued correct operation of the random number generator and each of the implemented cryptographic algorithms used in support of the integrity checks. While the module is running these self-tests, all data output interfaces are disabled until the successful completion of the self-tests. If one of the pre-operational self-tests fails or a conditional self-test fails, the module enters an error state. An error message is output on the status output interface specifying the library within the module that failed the self-test. In this state, all data output via the module’s data output interfaces is inhibited. The module proceeds to reboot and reruns all self-tests. Successful completion of the self-tests will clear the error state, and the module will return to the Approved mode of operation. For any consecutive failure of the self-tests during restart, the appliance continues to restart. If the problem persists, CO intervention is required to either perform a restore to factory defaults settings and reinstall, or power-off and contact Forcepoint Customer Support.

Page 67

Self-Tests TABLE 12: PRE-OPERATIONAL SELF-TESTS Test Operations Performed Indicator Root Filesystem Integrity Test (ECDSA with P-521 Verify Error output and module and SHA2-512) reboot. Pre-operational Bypass Test Bypass Error output and module reboot.

10.2 Conditional Self-Tests

The module automatically performs conditional self-tests based on the module operation. These self-tests do not require operator input to initiate. Implemented conditional tests are in one of the following forms:

Page 68

Self-Tests Cryptographic Mechanism When Operations Test Location Indicator Tested Performed Performed KAT for EC KAS-ECC-SSC w/ P-224 Cert. Upon Library Shared Secret Error output and Diffie-Hellman #A2155 Load Computation module reboot. (KAS-ECC-SSC) KAT for ECDSA ECDSA P-224 w/ SHA2-224 Cert. Upon Library Verify Error output and verification #A2155 Load module reboot. KAT for ECDSA ECDSA P-224 w/ SHA2-224 Cert. Upon Library Sign Error output and signing #A2155 Load module reboot. KAT for HMAC HMAC-SHA2-256 Cert. Upon Library MAC Generation, Error output and #A2155 Load Verification module reboot. Configuration HMAC Cert. New Policy MAC Verification Error output and Bypass Test #A2155 Files Received module reboot. KAT for RSA RSA 2048 w/ SHA2-256 Cert. Upon Library Verify Error output and verification PKCS#1v1.5 #A2155 Load module reboot. KAT for RSA RSA 2048 w/ SHA2-256 Cert. Upon Library Sign Error output and signing PKCS#1v1.5 #A2155 Load module reboot. KAT test for SHA-1, SHA2-512 Cert. Upon Library Hashing Error output and SHA #A2155 Load module reboot. KAT for IKEv1 IKEv1 and IKEv2 KDFs Cert. Upon Library Key Derivation Error output and and IKEv2 KDF #A2155 Load module reboot. KAT for TLSv1.2 KDF Cert. Upon Library Key Derivation Error output and TLSv1.2 KDF #A2155 Load module reboot. Forcepoint NGFW FIPS Library KAT test for AES-CCM-192 Cert. Upon Library Encryption, Error output and AES encryption #A2209 Load Decryption module reboot. and decryption AES-CCM can only be used for self-testing purposes. KAT test for AES-ECB-128 Cert. Upon Library Encryption, Error output and AES encryption #A2209 Load Decryption module reboot. end decryption KAT test for PBKDF w/ SHA2-256 Cert. Upon Library Key Derivation Error output and PBKDF2 #A2209 Load module reboot. KAT test for KBKDF w/ HMAC-SHA2-256 Cert. Upon Library Key Derivation Error output and KBKDF #A2209 Load module reboot. Forcepoint NGFW Cryptographic Kernel Module KAT test for AES-CBC, CFB, ECB, OFB Cert. Upon Library Encryption, Error output and AES encryption 128, 192, 256 #A2166 Load Decryption module reboot. and decryption

Page 69

Self-Tests Cryptographic Mechanism When Operations Test Location Indicator Tested Performed Performed KAT test for AES-GCM-128 Cert. Upon Library Encryption, Error output and AES-GCM #A2166 Load Decryption module reboot. authenticated encryption and decryption KAT test for SHA-1, SHA2-256, SHA2-512 Cert. Upon Library Hashing Error output and SHA #A2166 Load module reboot. KAT test for HMAC-SHA-1, SHA2-256, Cert. Upon Library MAC Generation, Error output and HMAC SHA2-512 #A2166 Load Verification module reboot. Forcepoint NGFW Entropy Library KAT for SHA3- SHA3-256 Cert. Upon Library Hashing Error output and

256 #A2167 Load module reboot.

Repetition ENT (NP) N/A At Startup and Comparison of Error output and Count Test Upon Entropy Subsequent Entropy module reboot. Generation Samples Adaptive ENT (NP) N/A At Startup and Comparison of Error output and Proportion Upon Entropy Samples within module reboot. Test Generation Window TABLE 14: CONDITIONAL PAIR-WISE CONSISTENCY TESTS Cryptographic When Operations Test Location Indicator Mechanism Tested Performed Performed PCT for RSA key pairs RSA w/ PKCS#1v1.5 Cert. Upon RSA Key Sign, Verify Error output created for digital #A2155 Generation and module signature purposes reboot. PCT for ECDSA key pairs ECDSA Cert. Upon ECDSA Key Sign, Verify Error output created for digital #A2155 Generation and module signature purposes reboot. PCT for DH key pairs KAS-FFC-SSC Cert. Upon DH Key Public Key Error output created for key agreement #A2155 Generation Recalculation and module purposes reboot. PCT for ECDH key pairs KAS-ECC-FFC Cert. Upon ECDH Key Public Key Error output created for key agreement #A2155 Generation Recalculation and module purposes reboot.

Page 70

Life-Cycle Assurance 11. Life-Cycle Assurance Operating the module without following the guidance below will result in non-compliant behavior and is outside the scope of this Security Policy.

11.1 Performing Secure Initialization of the Module
11.1.1 Hardware Setup

Upon receiving the NGFW hardware, the CO shall check that the appliance is not damaged and that all required parts and instructions are included. If the Network Components are not installed in the appliance, the CO must insert them by performing the following: Note: Read all safety instructions before installing the Network Components. Do not install any Network Components while the appliance is on. Fasten a grounding strip from the wrist to the appliance.

  1. Locate the Network Component slots on the front of the appliance.
  2. If the appliance was shipped with the Network Component slot(s) covered by a plate, remove the thumbscrew and plate from the appliance. Store the thumbscrew and plate in case the Network Component is eventually removed.
  3. Push the Network Component into the slot. The Network Component is properly installed when the front of the Network Component is flush with the front of the appliance. The NGFW uses tamper-evident seals to protect against unauthorized access to the internal components of the chassis through removable covers. The CO shall apply labels to the module as depicted in section Tamper-Evident Labels.
11.1.2 Creating a Configuration for the Approved Mode of Operation

The administration of the NGFW modules is done through the SMC, which provides centralized administrative functionalities for all the managed NGFW modules. The SMC can be shipped preinstalled on its own Forcepoint hardware appliance, installed as a virtual machine on a virtualization platform, or installed on a third-party Windows or Linux platform. The SMC can be accessed by an administrator via a Java-based Management Client running on the administrator’s workstation. Using the Management Client, create a configuration for the NGFW Engine in the Approved Mode of Operation. 1. To use HTTPS User Authentication and TLS Inspection for Client Protection or Server Protection, create a TLS Cryptography Suite Set element. Select only the Approved and Allowed algorithms and TLS cipher suites. The Management Connection Service, Peer Connection Service, Key Pair Management Service, and User Management Service utilize the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite. Refer to Table 3: Approved Algorithms above for a list of algorithms implemented. For more information, see the “Create TLS Cryptographic Suite Set elements” topic of the Forcepoint NGFW Product Guide.

Page 71

Life-Cycle Assurance o TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 o TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 o TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  1. To use certificates signed by a Certificate Authority (CA) that is not one of the default Trusted Certificate Authority elements, create a Trusted Certificate Authority element. Import only a certificate signed using a Approved signature algorithm. For more information, see the “Create Trusted Certificate Authority elements” topic of the Forcepoint NGFW Product Guide.
  2. To use HTTPS User Authentication, create a TLS Profile element. Select the TLS Cryptography Suite Set element, the Trusted Certificate Authority, and the minimum TLS version. For more information, see the “Create TLS Profile elements” topic of the Forcepoint NGFW Product Guide.
  3. Create the NGFW Engine Element by defining the properties in the Engine Editor. • Browse to Advanced Settings, then select FIPS-Compatible Operating Mode. • Select “FIPS-Disable Remote Engine Upgrades” for the NGFW to prevent firmware load attempts from the SMC. • To use HTTPS User Authentication, browse to Add-Ons | User Authentication, then enable HTTPS and select the TLS Profile element. Use 2048 or greater as the Key Length when creating a certificate signing request in HTTPS Settings. For more information, see the “Enable browser-based user authentication” topic of the Forcepoint NGFW Product Guide. • To use TLS Inspection for Client Protection, create a Client Protection Certificate Authority element and import the private key and the certificate used to issue certificates in TLS Inspection. Use only the Approved algorithms and key size for the key pair and certificate. In the Engine Editor, browse to Add-Ons | TLS Inspection, then select the Cryptography Suite Set. For more information, see the “Configure TLS inspection for client protection” and “Activating TLS inspection” topics in the “Setting up TLS Inspection” chapter of the Forcepoint NGFW Product Guide. • To use TLS Inspection for Server Protection, browse to Add-Ons | TLS Inspection, then select the Cryptography Suite Set. For more information, see the “Activating TLS inspection” topic in the “Setting up TLS Inspection” chapter of the Forcepoint NGFW Product Guide. • When using TLS Inspection or Sidewinder HTTPS proxy, create a Firewall Policy that has an Access rule that allows the TLS connection and create an Inspection Policy that has an Inspection rule that terminates connections that match the TLS_Certificate-Verify-Failed Situation. On the Inspection tab of the Firewall Policy, you must select the Inspection Policy that you created. • To use Sidewinder HTTP and HTTPS proxies, browse to Add-Ons | Sidewinder Proxy, click Advanced, then set the value of the tls_cipher_override property to TLSv1.2+ECDHE+AES!AESCCM:TLSv1.2+DHE+AES!AESCCM!DSS on the HTTP tab. For more information, see the “Advanced settings for Sidewinder Proxies” topic in the “Sidewinder Proxies” chapter of the Forcepoint NGFW Product Guide.
Page 72

Life-Cycle Assurance • When using IPsec, disable Automated RSA Certificate Management. Browse to VPN | Certificates, then deselect Automated RSA Certificate Management. • To use IPsec, right-click the Gateway element, then select Tools | Generate Certificate to create a certificate signing request. Select RSA with 2048 or greater key size, or ECDSA as the Public Key Algorithm. For more information, see the “Create a VPN certificate or certificate request for a VPN Gateway element” topic in the “Managing VPN certificates” chapter of the Forcepoint NGFW Product Guide.

  1. To use an IPsec VPN, create a VPN Profile element. Use only the Approved and Allowed algorithms and key sizes in the profile. Refer to Table 3: Approved Algorithms above for a list of algorithms implemented. Additionally, in the profile element, the IPsec Tunnel Lifetime should be set to less than 232 bytes. Select the VPN Profile element. For more information, see the “Create VPN Profile elements” topic in the “VPNs in Forcepoint NGFW” chapter of the Forcepoint NGFW Product Guide.
  2. Create Access Rules to configure the Alternating Bypass Feature.
  3. Save the initial configuration for the NGFW Engine. Make a note of the one-time password, which is required for initial contact with the SMC. See section “Setting up the Approved Configuration” for setting up the device configurations.
11.1.3 Downloading and Upgrading to an Approved Firmware Version

The NGFW appliances are delivered in an operational state with the most recent firmware preinstalled. The NGFW firmware must be upgraded to the FIPS 140-3 validated NGFW firmware version to be placed in the Approved mode of operation. Note: The upgrade to the FIPS 140-3 validated NGFW firmware version is necessary even if the same version was installed previously. This is required because the file system checksum is stored during the upgrade process. A method to update the firmware image with a SHA2-512 checksum signed with ECDSA P-521 is provided. Prior to installing the new image, its associated checksum is checked. If the signature check fails, the new firmware is ignored, and the current firmware remains loaded. If the signature check passes, the new image will be installed and executed after the appliance is restarted. Any firmware loaded into the module other than version 6.10.3.26158 is out of the scope of this validation and will mean that the module is not operating in the approved mode of operation. A FIPS 140-3 Validated NGFW firmware version is downloaded as follows:

  1. Login to the Forcepoint Support https://support.forcepoint.com/Login
  2. Proceed to the Forcepoint NGFW downloads section.
  3. Download the firmware version 6.10.3.26158 installation file (sg_engine_6.10.3.26158_x86-64-small.zip).
  4. Verify the SHA checksum. Note: The correct checksums are shown on the download page and can also be found in the release notes After downloading the firmware, the operator can upgrade to a FIPS 140-3 validated firmware version:
  5. Save the FIPS 140-3 validated NGFW firmware version upgrade .zip file to the root directory of a USB drive. Note – The firmware upgrade zip file must be in the root directory of the media.
  6. Connect to the appliance using a monitor and keyboard.
  7. Power on the appliance and start the NGFW Configuration Wizard.
Page 73

Life-Cycle Assurance

  1. Select the Firewall/VPN option.
  2. Select Upgrade. The Select Source Media dialog opens.
  3. Select the appropriate media type and select OK. The firmware update signature is verified.
  4. Select OK. The upgrade starts.
  5. Select “Set kernel in FIPS mode” after restart. Select OK.
  6. The NGFW appliance restarts and displays the upgraded version.
  7. Verify the NGFW firmware version to ensure that the FIPS validated NGFW firmware version is loaded.
11.1.4 Setting up the Approved Configuration

To configure the NGFW Engine:

  1. Start the NGFW Configuration Wizard as instructed in the Configuring the Engine in the Engine Configuration Wizard section of the NGFW Installation Guide.
  2. Configure the network interfaces according to your environment as instructed in the Configuring the Network Interfaces section of the NGFW Installation Guide. a. Configure the operating system settings according to the "Configuring the Operating System Settings" section of the NGFW Installation Guide. b. Select both: - "Restricted FIPS-compatible operating mode" (This automatically disables the SSH daemon and root password options in the Engine Configuration Wizard). - "FIPS 140-3 compatible mode" (This setting ensures the module uses only FIPS 140-3 approved algorithms and security functions).
  3. Contact the Management Server as instructed in the Contacting the Management Server section of the NGFW Installation Guide. Enter node IP address manually is selected by default and other IP address options are disabled when the “Restricted FIPS-compatible operating mode” setting is enabled. The engine restarts.
  4. To verify the “FIPS 140-3 compatible operating mode” setting is activated: a. Verify that the following messages are displayed on the console when the engine restarts: - FIPS: rootfs integrity check OK (Displayed after the root file system integrity test has been executed successfully) - FIPS power-up tests succeeded (Displayed after the FIPS 140 power-up tests have been executed successfully) b. Continue as instructed in the “After Successful Management Server Contact” section of the NGFW Installation Guide. Note: If the engine does not enter the “Restricted FIPS-compatible operating mode” even though it is configured to do so, or if the power-up tests fail (a power-up test error message is displayed or the success message is not displayed), the appliance must be reset to factory settings and reinstalled. Note: The “FIPS 140-3 compatible operating mode” and “Restricted FIPS-compatible operating mode” settings must be enabled during the initial configuration of the appliance.
Page 74
11.1.5 Resetting the Module to Factory Settings (Sanitization)

Resetting the appliance to factory settings is not part of the normal installation procedure. There is no need to reset the appliance to factory settings before starting to use it for the first time. These instructions can be used to reset the appliance to factory settings when necessary, such as when initial configuration has been completed without enabling the “Restricted FIPS-compatible operating mode”, during use, or when the appliance is being removed from use. To reset the appliance to factory settings:

  1. Reboot the appliance and select System restore options from the boot menu. NGFW System Restore starts.
  2. Enter 2 for Advanced data removal options.
  3. Enter one of the following options: • 1 for 1 pass overwrite • 8 for a Custom number of overwrite passes If you selected Custom, enter the number of overwrite passes. A larger number of overwrites is more secure, but it may take a considerable amount of time depending on the appliance storage capacity
Page 75

Mitigation of Other Attacks

  1. Mitigation of Other Attacks This section is not applicable. The modules do not claim to mitigate any attacks beyond the FIPS 140-3 Level 2 requirements for this validation.
  2. Guidance
13.1 Identifying the Module Version
  1. At the Home screen of the SMC that is being used to manage the module, click on the firewall.
  2. On the right-hand column, under “Info”, the firewall version (and update package) will be in the “General” tab FIGURE 17: DEPICTION OF THE MODULE VERSION DISPLAYED IN THE SMC GUI
13.2 Non-Approved Mode of Operation

When configured according to the guidance in this Security Policy, the modules do not support a Non-Approved mode of operation.

13.3 Additional Guidance and Usage Policies

The notes below provide additional guidance and policies that must be followed by module operators:

3.3.1 and shall only be used for the TLS protocol version 1.2. The GCM IV generation in the IPsec context

follows RFC 4106 and RFC 7296 and shall only be used with IPsec and IKEv2 to be compliant with IG C.H. The implementation of the 64-bit nonce_explicit part of the IV is deterministic and management logic is inside the module. By the design of the module and by virtue of the data size limit (see above section Creating a Configuration for the Approved Mode of Operation) set, the maximum number possible value of 2^64 for nonce_explicit part of the IV is never reached. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed.

Page 76

1000 and 10000 to allow the recommended minimum in SP 800-132 while keeping performance the

impact small, and the passphrase must be at least 14 characters. • Use of insecure protocols – The following insecure protocols are disabled by default: SSH, Console Access, and WIFI Interfaces. The root password option is automatically disabled. To maintain compliance with FIPS requirements, these protocols and services shall not be enabled. • Network Component replacement – As noted earlier, the NGFW appliances are modular by design. The Network Components are field-replaceable. Operators in the field can order the desired Network Components directly from Forcepoint Customer Support using the appropriate part numbers. The CO must install the Network Components as described in section Hardware Setup above. Because these Network Components play a role in maintaining the module’s physical security, they are secured in place using tamper-evident labels. Thus, replacing a Network Component necessitates the replacement of any tamper-evident label affixed to the Network Component as well. When a CO orders Network Components, they must also order a Forcepoint NGFW FIPS kit with the Stock Keeping Unit ACFIPS3. The FIPS kit is delivered with the number of tamper-evident labels required for proper installation (see details per NGFW appliance in section Tamper-Evident Labels). Module operators must follow the guidance below to ensure continued compliance with FIPS requirements:

  1. Zeroize all keys and CSPs on the module.
  2. Remove power from the module.
  3. Remove the Network Component to be replaced.
  4. Remove any remaining bits of the now-broken tamper-evident label from the module chassis.
  5. Install the replacement Network Component in the open slot.
  6. Using a 99% isopropyl alcohol solution, clean the chassis surface in the area where the replacement tamper-evident label will be placed.
  7. Affix the replacement tamper-evident label to the chassis (refer to section Tamper-Evident Labels for placements). Allow 24 hours for the seal to fully cure.
  8. Apply power to the module
13.4 External Guidance Documents

Forcepoint NGFW Installation Guide: https://help.forcepoint.com/docs/ngfw/v610/install/ngfw_6100_ig_a_en-us.pdf Forcepoint NGFW Product Guide: https://help.forcepoint.com/docs/ngfw/v610/mgmt/ngfw_6100_pg_a_en-us.pdf

Page 77

Appendix A. Acronyms and Abbreviations Appendix A. Acronyms and Abbreviations Term Definition AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface CBC Cipher Block Chaining CKG Cryptographic Key Generation CFB Cipher Feedback CMVP Cryptographic Module Validation Program CO Crypto Officer CSP Critical Security Parameter CTR Counter CVL Component Validation List DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptography FIPS Federal Information Processing Standard GCM Galois Counter Mode HMAC Keyed-Hash Message Authentication Code IG Implementation Guidance

Page 78

Appendix A. Acronyms and Abbreviations Term Definition ISO/IEC International Organization for Standardization / International Electrotechnical Commission I/O Input/Output IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-Based Key Derivation Function KDF Key Derivation Function KTS Key Transport Scheme LED Light Emitting Diode MAC Message Authentication Code Mbps Megabits per second NIST National Institute of Science and Technology N/A Not Applicable OFB Output Feedback PBKDF Password Based Key Derivation Function PCT Pair-Wise Consistency Test PKCS Public-Key Cryptography Standards POST Power-on Self-Test RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SSC Shared Secret Computation SSP Sensitive Security Parameter

Page 79

Appendix A. Acronyms and Abbreviations Term Definition USB Universal Serial Bus