| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Firmware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/17/2026 |
| Caveat | Interim Validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals with F5-ADD-BIG-FIPS140 kit installed as indicated in the Security Policy. |
| Vendor | F5, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3896 |
| AES-CBC | A5260 |
| AES-CTR | A3896 |
| AES-CTR | A5260 |
| AES-ECB | A3896 |
| AES-ECB | A5260 |
| AES-GCM | A3896 |
| AES-GCM | A5260 |
| AES-GMAC | A3896 |
| AES-GMAC | A5260 |
| Counter DRBG | A3896 |
| Counter DRBG | A5260 |
| ECDSA KeyGen (FIPS186-4) | A3896 |
| ECDSA KeyGen (FIPS186-4) | A5260 |
| ECDSA KeyVer (FIPS186-4) | A3896 |
| ECDSA KeyVer (FIPS186-4) | A5260 |
| ECDSA SigGen (FIPS186-4) | A3896 |
| ECDSA SigGen (FIPS186-4) | A5260 |
| ECDSA SigVer (FIPS186-4) | A3896 |
| ECDSA SigVer (FIPS186-4) | A5260 |
| HMAC-SHA-1 | A3896 |
| HMAC-SHA-1 | A5260 |
| HMAC-SHA2-256 | A3896 |
| HMAC-SHA2-256 | A5260 |
| HMAC-SHA2-384 | A3896 |
| HMAC-SHA2-384 | A5260 |
| KAS-ECC-SSC Sp800-56Ar3 | A3896 |
| KAS-ECC-SSC Sp800-56Ar3 | A5260 |
| KDF SSH | A3896 |
| KDF SSH | A5260 |
| RSA KeyGen (FIPS186-4) | A3896 |
| RSA KeyGen (FIPS186-4) | A5260 |
| RSA SigGen (FIPS186-4) | A3896 |
| RSA SigGen (FIPS186-4) | A5260 |
| RSA SigVer (FIPS186-4) | A3896 |
| RSA SigVer (FIPS186-4) | A5260 |
| SHA-1 | A3896 |
| SHA-1 | A5260 |
| SHA2-256 | A3896 |
| SHA2-256 | A5260 |
| SHA2-384 | A3896 |
| SHA2-384 | A5260 |
| TLS v1.2 KDF RFC7627 | A3896 |
| TLS v1.2 KDF RFC7627 | A5260 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 2 |
| Roles, Services, and Authentication | 2 |
| Software/Firmware Security | 2 |
| Operational Environment | N/A |
| Physical Security | 2 |
| Sensitive Security Parameter Management | 2 |
| Self-Tests | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for F5OS-A Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>1.5.1</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C5,C6 clue;
class I1,I2,I3,I5,I6 infer;
class R1,R2,R3,R5,R6 risk;
class E1,E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for F5OS-A Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>1.5.1</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3 clueHigh;
class C5,C6 clueLow;F5, Inc. F5OS-A Cryptographic Module Module Version: 1.5.1 FIPS Security Level 2 Document Version 1.2 Last update: November 2024 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
F5OS-A Cryptographic Module Table of Contents 2.1 2.2 2.3 2.4 2.5 4.1 4.2 4.3 5.1 5.2 5.3 6.1 7.1 9.1 9.2 9.3 9.4 9.5 9.6 10.1.1 10.2.1 10.2.2 10.2.3 11.2.1 11.2.2 11.2.3 © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module 11.3.1 11.3.2 11.3.3 © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module F5®, BIG-IP® are registered trademarks of F5, Inc. Intel®, Atom® and Xeon® are registered trademarks of Intel Corporation. © 2024 F5, Inc. / atsec information security.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 2 |
| 2 | 2 | Cryptographic Module Specification | 2 |
| 3 | 3 | Cryptographic Module Interfaces | 2 |
| 4 | 4 | Roles, Services, and Authentication | 2 |
| 5 | 5 | Software/Firmware Security | 2 |
| 6 | 6 | Operational Environment | N/A |
| 7 | 7 | Physical Security | 2 |
| 8 | 8 | Non-invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 2 |
| 10 | 10 | Self-tests | 2 |
| 11 | 11 | Life-cycle Assurance | 2 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
This document is the non-proprietary FIPS 140-3 Security Policy for the F5OS-A Cryptographic Module with firmware version 1.5.1. The document contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. N/A N/A N/A Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.
| Name | Operating System | Hardware Platform | Processor | Paa Pai |
|---|---|---|---|---|
| F5OS-A 1.5.1 | F5OS-A 1.5.1 | r4800 | Intel® Atom® P5342 Snow Ridge NS | with and without PAA |
| F5OS-A 1.5.1 | F5OS-A 1.5.1 | r5900 | Intel® Xeon® Silver 4314 Ice Lake-SP | with and without PAA |
| F5OS-A 1.5.1 | F5OS-A 1.5.1 | r5920-DF | Intel® Xeon® Silver 4314 Ice Lake-SP | with and without PAA |
| F5OS-A 1.5.1 | F5OS-A 1.5.1 | r10900 | Intel® Xeon® Gold 6312U Ice Lake-SP | with and without PAA |
| F5OS-A 1.5.1 | F5OS-A 1.5.1 | r10920-DF | Intel® Xeon® Gold 6312U Ice Lake-SP | with and without PAA |
Purpose and Use: The F5OS-A Cryptographic Module (hereafter referred to as “the module”) is a microservices-based, proprietary platform layer that provides an interface between the BIG-IP ADC and the rSeries hardware. Module Type: Firmware Module Embodiment: Multi Chip Standalone
Table 2 - Tested Operational Environments
The module supports two modes of operation:
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES | A3896, | ECB, CBC, GCM, CTR | 128 / 192 / 256-bit keys | Encryption and |
| [FIPS 197, SP800- | A5260 | with key strengths from | Decryption | |
| 38A, | 128 to 256 bits | |||
| KTS (AES) | A3896, | GCM | 128 / 256-bit AES keys | Key Wrapping / |
| [FIPS 197, SP800- | A5260 | with key strengths 128 or | Unwrapping | |
| 38D, SP800- 38F] | 256 bits | |||
| A3896, | A3896, | AES-CBC key and | 128 / 256-bit AES and | |
| A5260 | A5260 | HMAC-SHA-1, HMAC- | HMAC keys with key | |
| SHA2-256, or HMAC- | SHA2-256, or HMAC- | strengths 128 or 256 bits | ||
| A3896, | A3896, | AES-CBC/ AES-CTR keys | 128 / 256-bit AES and | |
| A5260 | A5260 | and HMAC-SHA-1, | HMAC keys with key | |
| HMAC-SHA2-256 | HMAC-SHA2-256 | strengths from 128 or 256 | ||
| AES | A3896, | GMAC | 128 / 192 / 256-bit AES | MAC Generation and |
| [FIPS 197, SP800- | A5260 | keys with key strengths | Verification | |
| 38B, SP800 38D] | from 128 and 256 bits | |||
| CTR_DRBG [SP800- | A3896, | AES 256 in CTR mode, | Entropy input string | Random Number |
| 90Ar1] | A5260 | with / without | (256-bits), V (128-bits) and | Generation |
| derivation function, | derivation function, | key (256-bits) values | ||
| RSA | A3896, | B.3.3 Random Probable | 2048, 3072 and 4096-bit | RSA key generation |
| [FIPS 186-4] | A5260 | Primes | keys with key strengths | |
| PKCS#1v1.5: SHA2- | PKCS#1v1.5: SHA2- | 2048, 3072 and 4096-bit | RSA signature | |
| 256, SHA2-384 | 256, SHA2-384 | keys with key strengths | generation | |
| PKCS#1v1.5: SHA2- | PKCS#1v1.5: SHA2- | 2048, 3072 and 4096-bit | RSA signature | |
| 256, SHA2-384 | 256, SHA2-384 | keys with key strengths | verification | |
| ECDSA | A3896, | B.4.2 Testing | P-256 and P-384 with key | ECDSA key pair |
| [FIPS 186-4] | A5260 | Candidates | strengths 128 and 192-bits | generation / |
| SHA2-256, SHA2-384 | SHA2-256, SHA2-384 | P-256 and P-384 with key | ECDSA signature | |
| strengths 128 and 192-bits | strengths 128 and 192-bits | generation and | ||
| SHS | A3896, | SHA-1 | N/A | Message digest |
| [FIPS180-4] | A5260 | SHA2-256 | ||
| HMAC | A3896, | HMAC-SHA-1 | 112 bits to 1024-bits with | Message |
| [FIPS 198-1] | A5260 | HMAC-SHA2-256 | key strengths 112 to 256- | authentication |
| HMAC-SHA2-384 | HMAC-SHA2-384 | bits | ||
| KAS-ECC-SSC | A3896, | Ephemeral Unified: | P-256, P-384 with key | Shared Secret |
| [SP800-56Ar3] | A5260 | KAS Role: initiator, | strengths 128 and 192-bits | Computation used in |
| responder | responder | Key Agreement | ||
| SSH KDF1 (CVL) | A3896, | AES-128, AES-256 with | 256-bit keys with 256-bits | Key derivation |
| [SP800-135] | A5260 | SHA2-256, SHA2-384 | key strength | |
| TLS KDF1 (CVL) | A3896, | TLS v1.2 | 256-bits | Key derivation |
| [SP800-135, RFC | A5260 | |||
| CKG | (vendor | DRBG produces the | RSA Sizes: 2048, 3072 and | Key generation |
| [SP800-133r2] | affirmed) | random numbers for | 4096-bits key with 112 and | |
| CTR_DRBG [SP800- | key generation of RSA, | 150-bits key strength | ||
| 90Ar1] | ECDSA and EC Diffie- | ECDSA and EC Diffie- | ||
| KAS-ECC-SSC | Hellman | Hellman: P-256 and P-384 | ||
| [SP800-56Ar3] | with 128 and 192-bits key | |||
| RSA, ECDSA [FIPS | strength | |||
| AES modes: CCM, CFB, OFB, XTS and KW modes; DES; RC4; Triple-DES; SM2, SM4 | Symmetric Encryption and Decryption | |||
| RSA | Asymmetric Encryption and Decryption | |||
| RSA Key generation | with modulus size other than 2048, 3072 and 4096-bits; | |||
| DSA | domain parameter generation, domain parameter verification, Key pair generation | |||
| DSA digital signature | Signature generation and verification using any key size |
F5OS-A Cryptographic Module N/A © 2024 F5, Inc. / atsec information security.
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| KAS-ECC-SSC | A3896, | Ephemeral Unified: | P-256, P-384 with key | Shared Secret |
| [SP800-56Ar3] | A5260 | KAS Role: initiator, | strengths 128 and 192-bits | Computation used in |
| responder | responder | Key Agreement | ||
| SSH KDF1 (CVL) | A3896, | AES-128, AES-256 with | 256-bit keys with 256-bits | Key derivation |
| [SP800-135] | A5260 | SHA2-256, SHA2-384 | key strength | |
| TLS KDF1 (CVL) | A3896, | TLS v1.2 | 256-bits | Key derivation |
| [SP800-135, RFC | A5260 | |||
| CKG | (vendor | DRBG produces the | RSA Sizes: 2048, 3072 and | Key generation |
| [SP800-133r2] | affirmed) | random numbers for | 4096-bits key with 112 and | |
| CTR_DRBG [SP800- | key generation of RSA, | 150-bits key strength | ||
| 90Ar1] | ECDSA and EC Diffie- | ECDSA and EC Diffie- | ||
| KAS-ECC-SSC | Hellman | Hellman: P-256 and P-384 | ||
| [SP800-56Ar3] | with 128 and 192-bits key | |||
| RSA, ECDSA [FIPS | strength | |||
| AES modes: CCM, CFB, OFB, XTS and KW modes; DES; RC4; Triple-DES; SM2, SM4 | Symmetric Encryption and Decryption | |||
| RSA | Asymmetric Encryption and Decryption | |||
| RSA Key generation | with modulus size other than 2048, 3072 and 4096-bits; | |||
| DSA | domain parameter generation, domain parameter verification, Key pair generation | |||
| DSA digital signature | Signature generation and verification using any key size | |||
| EdDSA digital signature | Signature generation and verification using Ed25519 | |||
| ECDSA Key generation/ verification | With curves other than P-256 and P-384 | |||
| Safe Primes Key generation/verificatio n | Key generation for Diffie-Hellman using any safe prime groups | |||
| RSA digital signature | - Signature Generation: PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Verification PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Generation and Verification using PKCS #1 v1.5 scheme with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes - Signature Generation PSS using 2048, 3072 or 4096-bits modulus - Signature Verification PSS using 2048, 3072 or 4096-bits modulus - Signature Generation and Verification using Probabilistic Signature Scheme (PSS) specified in ANSI X9.31 standard - modulus sizes other than 2048, 3072 and 4096-bits | |||
| ECDSA digital signature | - Digital Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes - Digital Signature Generation using curves P-256 and P-384 with SHA-1, SHA2- 224, SHA2-512, SHA3 - Digital Signature Verification using curves P-256 and P-384 with SHA2-224, SHA2-512, SHA3 | |||
| SHA2-224 SHA2-512 SM3 MD5 | Message Digest | |||
| HMAC-SHA2-224 HMAC-SHA2-512 AES-CMAC Triple-DES | Message Authentication | |||
| Diffie-Hellman EC Diffie-Hellman | Key Agreement Scheme: - All Diffie-Hellman Groups - EC Diffie-Hellman using curves other than P-256 and P-384 - EC Diffie-Hellman using curves P-256 and P-384 Static Unified and OnePassDh schemes | |||
| TLS KDF SNMP KDF, IKEv1, IKEv2 KDF | Key Derivation function in the context of: - TLS using MD5 / SHA-1 / SHA2-224 / SHA2-512 / SHA3 - SNMP using any SHA variant - IKE using any SHA variant |
F5OS-A Cryptographic Module Table 3 - Approved Algorithms The module does not implement any non-approved algorithms allowed in the approved mode of operation with or without security claimed. The following table lists the non-approved algorithms not allowed in approved mode along with their usage.
1 No parts of the TLS / SSH protocols except the KDF has been reviewed or tested by the CAVP and
CMVP © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module n Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
Figures below show the various platforms on which the module was tested. © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Figure 1 - r4800 isometric view Figure 2 - r5900 front view Figure 3 - r5920-DF front view © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Figure 4
The module cryptographic boundary is defined by the red dotted line in Figure
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | TLS/SSH protocol input messages Configuration commands for interface management |
| N/A | N/A | Data Output | TLS/SSH protocol output messages Status log |
| N/A | N/A | Control Input | API which control system state (e.g. reset system, power-off system). |
| N/A | N/A | Status Output | API which provides system status information. |
| Power interface | Power interface | Power Input | Power |
The logical interfaces are the commands through which users of the module request services. There are no external input or output devices to the module can be used for For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. N/A N/A N/A N/A Table 5 - Ports and Interfaces
© 2024 F5, Inc. / atsec information security.
| Name | Roles | Input | Output | Module Role |
|---|---|---|---|---|
| List users | CO User | None | List of user accounts | Administrator Resource Admin Operator |
| Create additional User | CO | Username / password | Confirmation of account creation | Administrator |
| Modify existing Users | CO | Username / modification (new username, role, password expiry date/tally count) | Confirmation of account modification | Administrator |
| Delete User | CO | Username | Confirmation of deletion | Administrator |
| Unlock User | CO | Username | Confirmation of unlock | Administrator |
| Update own password | CO User | Own password | Confirmation of update of password | Administrator Resource Admin Operator |
| Update others password | CO | Username / password | Confirmation of update | Administrator |
| Configure password policy | CO | New password policy | Confirmation of configuration change | Administrator |
| Create TLS certificate | CO User | Certificate identification information | Confirmation of certificate creation | Administrator Resource Admin |
| Create TLS Key | CO User | Key identification information | Confirmation of key creation | Administrator Resource Admin |
| Delete TLS Certificate/Key | CO User | Key identification information | Confirmation of key deletion | Administrator Resource Admin |
| List Certificate | CO User | List of certificates to display | Certificate expiration information | Administrator Resource Admin |
| List private keys | CO User | List of private keys to display | List of private keys | Administrator Resource Admin |
| View System Audit Log | CO User | N/A | Display of system audit logs | Administrator Resource Admin |
| Configure SSH access options | CO User | SSH access / IP address list | Confirmation of configuration of SSH access options | Administrator Resource Admin |
| Configure SSH user configuration | CO | SSH ECDSA key pair (public) | Confirmation of configuration of SSH user configuration | Administrator |
| Create a tenant | CO User | password / tenant console role | Confirmation of the tenant- console role | Administrator Resource Admin |
| Connecting to tenant-console via SSH | User | F5 rSeries platform management address / tenant- console / password | Confirmation of Access to the tenant-console remotely over SSH | Tenant-console |
| Closing the tenant-console SSH session | User | N/A | Confirmation of tenant-console SSH session closure | Tenant-console |
| Reboot System | CO | N/A | Confirmation of system reboot | Administrator |
| Secure Erase | CO | Selection option | Confirmation of full system zeroization | Administrator |
| SSH session service | CO User | User / address / password / algorithms / key sizes/ primary secret | Confirmation of SSH session establishment | Administrator Resource Admin Operator |
| Closing SSH Session | CO User | N/A | Confirmation of SSH session closure | Administrator Resource Admin Operator |
| TLS session service | CO User | Address / algorithms/ keys | Confirmation of establishment of TLS session | Administrator Resource Admin Operator |
| Closing TLS session | CO User | N/A | Confirmation of TLS session closure | Administrator Resource Admin Operator |
| Show version | CO User | None | Version information, and module name | Administrator Resource Admin Operator |
| Show license | CO User | None | FIPS license information | Administrator Resource Admin Operator |
| Show status | CO User | None | Status of the specific service passed in the show status command | Administrator Resource Admin Operator |
| Self- test | CO User | None | Pass/ fail results of self-tests | Administrator Resource Admin Operator |
| Show tenant | CO User | None | Lists tenant information | Administrator Resource Admin Operator |
The module supports one CO role and one User role. Maintenance role is not supported. The FIPS 140-3 roles are defined below and corresponding service with input and output are described in Table 6.
F5OS-A Cryptographic Module N/A N/A N/A N/A Table 6 - Roles, Service Commands, Input and Output
The module supports role-based authentication. The module supports concurrent operators belonging to different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces are used to access the module: © 2024 F5, Inc. / atsec information security.
| Name | Key Size | |
|---|---|---|
| role-based authentication with Password (CLI or WebUI) | The password must consist of a minimum of 8 characters with at least one from each of the three-character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z) Assuming a worst-case scenario where the password contains six numerical digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000. | Crypto Officer User |
| role-based authentication with SSH ECDSA key-pair (CLI only) | The ECDSA using P-256 or P-384 curves for key based authentication yields a minimum security-strength of 128 bits. The chance of a random authentication attempt falsely succeeding is at most 1/(2128) that is less than 1/1,000,000. The maximum number of login attempts is limited to 1 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000. | Crypto Officer User |
F5OS-A Cryptographic Module
Table 8 lists the Approved services, the service name, description, the Approved security function being used by the service, the keys and SSPs accessed by the service, the roles used by the service, access rights to keys and SSPs and the FIPS 140-3 service indicator returned by the service. The environment variable SECURITY_FIPS140_CIPHER_STRICT is exported with the cipher restriction status. If the cipher_restricted status is enabled, the status output from the © 2024 F5, Inc. / atsec information security.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| List users | Display list of all user accounts | CO User | N/A | N/A | N/A | None |
| Create additional User | Create additional user | CO | password | N/A | W | None |
| Modify existing Users | Modify existing users | CO | N/A | N/A | N/A | None |
| Delete User | Delete existing user | CO | N/A | N/A | N/A | None |
| Unlock User | Remove lock from user who has exceeded login attempts | CO | N/A | N/A | N/A | None |
| Update own password | Update own password | CO User | password | N/A | W | None |
| Update others password | Update others password | CO | password | N/A | W | None |
| Configure Password Policy | Set password policy features | CO | N/A | N/A | N/A | None |
| Create TLS Certificate | Self-signed certificate creation | CO User | TLS RSA Public / Private keys RLS ECDSA Public / Private keys | RSA / ECDSA SigGen | E | Service Indicator: Approved |
| Create TLS Key | Used for the SSL Certificate key file | CO User | TLS RSA Public / Private keys TLS ECDSA Public / Private keys | RSA / ECDSA KeyGen CTR_DRBG CKG | G | Service Indicator: Approved |
| DRBG seed | DRBG seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| Delete TLS Certificate /Key | Self-signed certificate / key deletion | CO User | TLS RSA Public / Private keys TLS ECDSA Public / Private keys | N/A | N/A | None |
| List Certificate | Display / log expiration data of installed certificates | CO User | N/A | N/A | N/A | None |
| List private keys | List private keys | CO User | N/A | N/A | N/A | None |
| View System Audit Log | Display logs/files of configuration changes | CO User | N/A | N/A | N/A | None |
| Export Analytics Logs System | Export analytics logs system | CO | N/A | N/A | N/A | None |
| Create Tenant | Create tenant deployment | CO User | N/A | N/A | N/A | None |
| Tenant SSH establish connection | Connecting to tenant-console via SSH | User | N/A | N/A | N/A | None |
| Tenant SSH close connection | Closing the tenant- console SSH session | User | N/A | N/A | N/A | None |
| Configure SSH access options | Enable / Disable SSH access, configure IP address allow list | CO User | N/A | N/A | N/A | None |
| Configure SSH user configurati on | Update ssh/ authorized_keys file for user authentication | CO | SSH ECDSA public key SSH ECDSA private key | N/A | W | None |
| Reboot System | Restart cryptographic module | CO | SSPs listed in Table 12 | N/A | Z | Module reboots |
| Secure Erase | Full system zeroization | CO | SSPs listed in Table 12 | N/A | Z | Module end of life |
| Establish SSH session | Key authentication | CO User | SSH ECDSA public key SSH ECDSA private key | ECDSA with SHA2-256 / SHA2-384 curves P-256 / P-384 | W | SSH connection successful |
| Password authentication | Password authentication | CO User | Password | N/A | W | SSH connection successful |
| Key exchange | Key exchange | CO User | SSH EC Diffie-Hellman public key SSH EC Diffie-Hellman private key | ECDSA KeyGen, CTR_DRBG | G | SSH connection successful |
| DRBG Seed | DRBG Seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| KAS-ECC-SSC | CO User | SSH EC Diffie-Hellman public key | KAS-ECC-SSC | W | SSH connection successful | |
| SSH EC Diffie-Hellman private key | SSH EC Diffie-Hellman private key | E | ||||
| SSH shared secret | SSH shared secret | G | ||||
| Key derivation | Key derivation | CO User | SSH shared secret | [SP 800-135] SSH KDF | E | SSH connection successful |
| derived SSH session key (AES, HMAC) | derived SSH session key (AES, HMAC) | G | ||||
| Maintain SSH Session | Data encryption and decryption | CO User | derived SSH Session key (AES) | AES-CBC AES-CTR | E | SSH connection successful |
| Data integrity (MAC): HMAC-with SHA-1/ SHA2-256 | Data integrity (MAC): HMAC-with SHA-1/ SHA2-256 | CO User | derived SSH session key (HMAC) | HMAC | E | SSH connection successful |
| Close SSH Session | Close SSH session | CO User | SSH EC Diffie-Hellman key- pair; SSH shared secret; derived SSH session key | N/A | Z | SSH connection closed |
| Establish TLS Session | SigGen / SigVer | CO User | TLS RSA Public / Private keys TLS ECDSA Public / Private keys | ECDSA / RSA | W | Service Indicator: Approved |
| Key exchange | Key exchange | CO User | TLS EC Diffie-Hellman public key TLS EC Diffie-Hellman private key | ECDSA KeyGen, CTR_DRBG | G | Service Indicator: Approved |
| DRBG Seed | DRBG Seed | E | ||||
| DRBG internal state (V and key values) | DRBG internal state (V and key values) | W, E | ||||
| KAS-ECC-SSC | TLS EC Diffie-Hellman public key | KAS-ECC-SSC | W | |||
| TLS EC Diffie-Hellman private key | TLS EC Diffie-Hellman private key | E | ||||
| TLS pre-primary secret | TLS pre-primary secret | G | ||||
| Key derivation | Key derivation | CO User | TLS pre-primary secret | [SP 800-135] TLS KDF | E | Service Indicator: Approved |
| TLS primary secret | TLS primary secret | G, E | ||||
| TLS derived session keys (AES and HMAC or authentication cypher) | TLS derived session keys (AES and HMAC or authentication cypher) | G | ||||
| Maintain TLS Session | Data encryption, data authentication | CO User | Derived TLS session keys (AES and HMAC or authentication cypher) | AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCM | E | Service Indicator: Approved |
| Close TLS session | Close TLS session | CO User | TLS EC Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS pre-primary secret; TLS primary secret; TLS derived session keys | N/A | Z | TLS connection closed |
| Show version | Return the module name and version | CO User | N/A | N/A | N/A | None |
| Show license | Return license indication | CO User | N/A | N/A | N/A | None |
| Show status | Return the module status | CO User | N/A | N/A | N/A | None |
| Self- test | Execute integrity test; Execute the CASTs | CO User | N/A (key for self-tests are not SSPs) | All the algorithms listed in table section 10 | N/A | None |
| Show tenant | Lists tenant information | CO User | N/A | N/A | N/A | None |
| Establish TLS session | Signature generation and verification | User/ CO | algorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signature | No indicator | ||
| Key exchange | Key exchange | User/ CO | - TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512, SHA3 - Diffie-Hellman - RSA Key wrapping with all keys - EC Diffie-Hellman using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDh | No indicator | ||
| Maintain TLS session | Data encryption | User/ CO | AES-CCM, AES-CFB, AES-OFB, AES-XTS, AES-KW, DES, RC4, Triple-DES, SM2, SM4 | No indicator | ||
| Data authentication | Data authentication | User/ CO | HMAC-SHA2-224, HMAC-SHA2-512, AES-CMAC, Triple-DES | No indicator | ||
| Create TLS key | Key generation | User/ CO | RSA Key Generation with modulus sizes other than 2048, 3072 and 4096-bits ECDSA Key Generation and Verification with curves other than P-256 and P-384 Safe Primes Key Generation and Verification for Diffie-Hellman | No indicator |
F5OS-A Cryptographic Module service indicator is returned in the /var/log/audit.log file. Using an approved service will provide an indicator which shows which approved algorithms were used. If the cipher_restricted status is disabled, there is no service indicator output. For SSH service the service indicator is implicit: when the SSH connection is established the service with the cipher selected is approved.
N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A W Z Z W W N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module G E W, E E W E G G E E N/A Z W G E W, E W E G E G, E G © 2024 F5, Inc. / atsec information security.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Maintain TLS Session | Data encryption, data authentication | CO User | Derived TLS session keys (AES and HMAC or authentication cypher) | AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCM | E | Service Indicator: Approved |
| Close TLS session | Close TLS session | CO User | TLS EC Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS pre-primary secret; TLS primary secret; TLS derived session keys | N/A | Z | TLS connection closed |
| Show version | Return the module name and version | CO User | N/A | N/A | N/A | None |
| Show license | Return license indication | CO User | N/A | N/A | N/A | None |
| Show status | Return the module status | CO User | N/A | N/A | N/A | None |
| Self- test | Execute integrity test; Execute the CASTs | CO User | N/A (key for self-tests are not SSPs) | All the algorithms listed in table section 10 | N/A | None |
| Show tenant | Lists tenant information | CO User | N/A | N/A | N/A | None |
| Establish TLS session | Signature generation and verification | User/ CO | algorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signature | No indicator | ||
| Key exchange | Key exchange | User/ CO | - TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512, SHA3 - Diffie-Hellman - RSA Key wrapping with all keys - EC Diffie-Hellman using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDh | No indicator | ||
| Maintain TLS session | Data encryption | User/ CO | AES-CCM, AES-CFB, AES-OFB, AES-XTS, AES-KW, DES, RC4, Triple-DES, SM2, SM4 | No indicator | ||
| Data authentication | Data authentication | User/ CO | HMAC-SHA2-224, HMAC-SHA2-512, AES-CMAC, Triple-DES | No indicator | ||
| Create TLS key | Key generation | User/ CO | RSA Key Generation with modulus sizes other than 2048, 3072 and 4096-bits ECDSA Key Generation and Verification with curves other than P-256 and P-384 Safe Primes Key Generation and Verification for Diffie-Hellman | No indicator | ||
| Key derivation | Key derivation | User/ CO | SNMP KDF IKEv1 KDF IKEv2 KDF | No indicator | ||
| Message digest | Message digest | User/ CO | SHA2-224 SHA2-512 SM3 MD5 | No indicator |
F5OS-A Cryptographic Module N/A E Z N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Table 9 - Non-Approved Services © 2024 F5, Inc. / atsec information security.
The integrity of the module is verified using the approved integrity technique HMAC-SHA384, as listed in the section 10.1.1 by comparing the HMAC-SHA-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match, the module enters the Error state. Integrity tests are performed as part of the Pre-Operational Self-Tests.
The on demand pre-operational self-tests, including the integrity test on demand, are performed by rebooting the module.
The executable code is defined by the firmware version 1.5.1. All code belonging to this firmware version is the executable code of the module. © 2024 F5, Inc. / atsec information security.
The module operates in a non-modifiable operational environment provided by F5 with firmware version 1.5.1. Once the module is operational, it does not allow the loading of any additional firmware. The module is a firmware validated at a Security Level 2 in Physical Security then the security area is N/A. © 2024 F5, Inc. / atsec information security.
| Physical Security Mechanism | Recommended | Inspection/Test Guidance Details | |
|---|---|---|---|
| Frequency of | |||
| Inspection / Test | |||
| Production grade enclosure (SL1) | N/A | N/A | |
| Opaque enclosure (SL2) | N/A | N/A | |
| Tamper Evident Labels (SL2) | Once per month | The CO checks the quality of the tamper evident labels for any sign of removal, replacement, tearing. In the event that the tamper evident labels require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-ADD-BIG- FIPS140). The Crypto Officer shall be responsible for the storage of the label kits. |
| Hardware Platform | # of Tamper Labels |
|---|---|
| r4800 | 5 |
| r5900 | 4 |
| r5920-DF | 5 |
| r10900 r10920-DF | 5 |
F5OS-A Cryptographic Module The module tested in the platforms listed in Table 2 is enclosed in a hard-metallic production grade enclosure that provides opacity and prevents visual inspection of the internals. Each test platform is fitted with tamper evident labels to provide physical evidence of attempts to gain access inside the enclosure. The tamper evident labels shall be installed on the module's platform to operate in approved mode of operation N/A N/A N/A N/A Table 10 - Physical Security Inspection Guidelines The pictures below show the location of all tamper-evident labels for each platform. Label application instructions are provided in Section 11.2.1 of the Crypto-Officer guidance below. The tamper label placements are delineated with red circles. © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Figure 6 - Tamper labels on r4800 (5 of 5 tamper labels) Figure 7
F5OS-A Cryptographic Module Figure 8 - Tamper labels on r5920-DF (5 of 5 tamper labels). Labels are located on the lateral sides of the platform -labels 1,2,3 and
This section is N/A until non-invasive security is defined. © 2024 F5, Inc. / atsec information security.
| Name | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Import Export | Key/ SSP Name/ Type |
|---|---|---|---|---|---|---|---|---|
| Use: Key generation, Digital signature verification used in the TLS protocol Related SSPs: TLS RSA private key, DRBG internal state (V and key values) | 112- bits and 150- bits | RSA A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90Ar1] DRBG | N/A | SSD | Secure Erase | Public key input during protocol handshake Public key output during protocol handshake | TLS RSA public key / asymm etric |
| Use: Key generation, Digital signature generation used in the TLS protocol Related SSPs: TLS RSA private key, DRBG internal state (V and key values) | 112- bits and 150- bits | RSA A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90Ar1] DRBG | N/A | SSD | Secure Erase | N/A | TLS RSA private key / asymm etric |
| Use: Key generation, Digital signature verification used in the TLS protocol Related SSPs: TLS ECDSA private key, DRBG internal state (V and key values) | 128- bits and 192- bits | ECDSA A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] ECDSA Key Generation method; random values are obtained using [SP 800- 90Ar1] DRBG | N/A | SSD | Secure Erase | Public key input during protocol handshake Public key output during protocol handshake | TLS ECDSA public key / asymm etric |
| Use: Key generation, Digital signature | 128- bits and | ECDSA A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using | N/A | SSD | Secure Erase | N/A | TLS ECDSA private key / |
| generation used in the TLS protocol Related SSPs: TLS ECDSA public key, DRBG internal state (V and key values) | 192- bits | [FIPS 186-4] ECDSA Key Generation method; random values are obtained using [SP 800- 90Ar1] DRBG | asymm etric | |||||
| Use: Key generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman private key, TLS pre- primary secret, DRBG internal state (V and key values) | 128- bits and 192- bits | EC Diffie- Hellma n A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90Ar1] DRBG | N/A | RAM | Secure Erase; Closing TLS session; Reboot System | Public key input during protocol handshake Public key output during protocol handshake | TLS EC Diffie- Hellma n public key / asymm etric |
| Use: Key generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman public key DRBG, TLS pre-primary secret, DRBG internal state (V and key values) | 128- bits and 192- bits | EC Diffie- Hellma n A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90Ar1] DRBG | N/A | RAM | Secure Erase; Closing TLS session; Reboot System | N/A | TLS EC Diffie- Hellma n private key / asymm etric |
| Use: TLS protocol Related SSPs: TLS EC Diffie-Hellman public key; TLS EC Diffie- Hellman private key; TLS primary secret | EC Diffie- Hellm an: 128- bits and 192- bits | TLS KDF A3896, A5260 | N/A | Establi shed via SP800- 56Ar3 during key agree ment for EC Diffie- Hellma n | RAM | Secure Erase; Closing TLS session; Reboot System | N/A | TLS pre- primar y secret |
| Use: TLS protocol Related SSPs: TLS pre-primary secret; TLS derived key | 256- bits | TLS KDF A3896, A5260 | Derived from SP 800-135 TLS KDF | N/A | RAM | Secure Erase; Closing TLS session; Reboot System | N/A | TLS primar y secret |
| Use: TLS protocol Related SSPs: TLS pre-primary secret, TLS primary secret | 128 and 256- bits (AES) 112 to 256- bits (HMAC ) | AES HMAC A3896, A5260 | Derived from SP 800-135 TLS KDF | N/A | RAM | Secure Erase; Closing TLS session; Reboot System | N/A | TLS derive d session key |
| Use: SSH key- based authentication Related SSPs: SSH ECDSA private key | 128 and 192- bits | ECDSA A3896, A5260 | N/A | N/A | SSD | Secure Erase | SSPs input during TLS/SSH sessions | SSH ECDSA public key / asymm etric |
| Use: SSH key- based authentication Related SSPs: SSH ECDSA public key | 128 and 192- bits | ECDSA A3896, A5260 | N/A | N/A | SSD | Secure Erase | N/A | SSH ECDSA private key / asymm etric |
| Use: SSH handshake Related SSPs: SSH EC Diffie-Hellman private key, SSH shared secret, DRBG internal state | 128 and 192- bits | KAS- ECC- SSC A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FPIS 186-4] Key generation method; random values are obtained using [SP 800- 90Ar1] DRBG | N/A | RAM | Secure Erase; Closing SSH session or terminatin g the SSH applicatio n; Reboot System | Public key output during protocol handshake Public key input during protocol handshake | SSH EC Diffie- Hellma n public key / asymm etric |
| Use: SSH handshake Related SSPs: SSH EC Diffie-Hellman public key, SSH shared | 128 and 192- bits | KAS- ECC- SSC A3896, A5260 | Generated conformant to SP800-133r2 (CKG) using [FPIS 186-4] Key generation method; random values are obtained | N/A | RAM | Secure Erase; Closing SSH session or terminatin g the SSH applicatio | N/A | SSH EC Diffie- Hellma n private key / asymm etric |
| secret, DRBG internal state | using [SP 800- 90Ar1] DRBG | n; Reboot System | ||||||
| Use: Key derivation; SSH shared secret; Related SSPs: SSH EC Diffie-Hellman public key, SSH EC Diffie- Hellman private key, SSH derived session key | 128 and 256- bits | SSH KDF A3896, A5260 | N/A | Establi shed via SP800- 56Ar3 KAS- ECC- SSC | RAM | Secure Erase; Closing SSH session or terminatin g the SSH applicatio n; Reboot System | N/A | SSH shared secret |
| Use: Used in data encryption / decryption and MAC calculations in SSH protocol Related SSPs: SSH shared secret | 128 and 256- bits AES) 112 and 256- bits (HMAC ) | AES HMAC A3896, A5260 | Derived from SP 800-135 SSH KDF | N/A | RAM | Secure Erase; Closing SSH session or terminatin g the SSH applicatio n; Reboot System | N/A | SSH derive d session key |
| Use: SSH authentication ; WebUI login Related SSPs: N/A | 1/676, 000,0 00 (see Table 7) | N/A | N/A | N/A | SSD as has ed for mat | Secure Erase | SSPs input during TLS/SSH sessions | Passwo rd |
| Use: random number generation Related SSPs: DRBG seed | 256 bits | ESV Cert. #E85 | Obtained from non-physical entropy source | N/A | RAM | Secure Erase; Reboot System | N/A | Entrop y input string |
| Use: random number generation Related SSPs: Entropy input, DRBG internal state (V and key values) | 256 bits | CTR_DR BG A3896, A5260 | Derived from the entropy string as defined by [SP 800-90Ar1] | N/A | RAM | Secure Erase; Reboot System | N/A | DRBG seed |
| Use: random number generation Related SSPs: Entropy | 256 bits | CTR_DR BG A3896, A5260 | Derived from the seed as defined by [SP 800-90Ar1] | N/A | RAM | Secure Erase; Reboot System | N/A | DRBG interna l state (V and |
112bits 150bits 112bits 150bits 128bits 192bits 128bits n N/A N/A N/A N/A N/A N/A
3 "CST Establishment" column defines the distribution and entry options from IG 9.5.A e.g.
Automated Distribution / Electronic Entry = AD/EE © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module 192bits DiffieHellma n 128bits 192bits DiffieHellma n N/A EC DiffieHellman TLS preprimary DiffieHellma n 128bits 192bits DiffieHellma n N/A N/A EC DiffieHellman preprimar y DiffieHellm 128bits 192bits N/A N/A SP80056Ar3 DiffieHellma n n © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module n y 256bits N/A N/A d 256bits 256bits ) 192bits N/A N/A N/A N/A 192bits N/A N/A N/A DiffieHellma n 192bits KASECCSSC N/A DiffieHellma n 192bits KASECCSSC N/A N/A © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module n 256bits N/A N/A SP80056Ar3 KASECCSSC d 256bits 256bits ) 7) N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
| Name | Strength |
|---|---|
| input, DRBG seed | key values) |
| Name | Key Size | ||
|---|---|---|---|
| Details | Entropy Source | Minimum number of bits | |
| The CPU Jitter RNG version 3.4.1 entropy source uses jitter variations caused by executing instructions and memory accessed. The entropy source has been shown to provide full 256-bits of entropy at the output of the SHA3-256 vetted conditioning function (#A3769). | 256-bits | ESV #E85 (non- physical noise source) |
F5OS-A Cryptographic Module n Table 12 - SSPs The module employs a Deterministic Random Bit Generator (DRBG) based on [SP80090Ar1] for the generation of random value used in asymmetric keys. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The module uses the SP800-90B compliant entropy source specified in Table 13 to seed the DRBG. In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. No non-DRBG functions or instances are able to access the DRBG internal state. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The F5 ES is tested in the OEs listed in Table 2. Table 13 - Non-Deterministic Random Number Generation Specification The module implements RSA, ECDSA and EC Diffie-Hellman asymmetric key generation services compliant with [FIPS186-4], and using an [SP800-90Ar1] DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 4 example 1 [SP800-133r2] (vendor affirmed). The RSA and ECDSA key pairs used for Digital Signature Schemes are generated in accordance with section 5.1 of [SP800-133r2] and maps specifically to [FIPS 186-4]. The ECDH key pair used for Key Establishment are generated in accordance with section
5.2 of [SP800-133r2] i.e. key generation method specified in [SP 800-56Ar3]. For this
module applicable method from [SP800-56Ar3] is 5.6.1.2 ECC Key Pair Generation which maps to [FIPS 186-4]. The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133r2] section 6.2.1 Symmetric keys generated using Key Agreement Scheme.
The module provides the following key establishment services:
During the TLS handshake, the keys that are entered or output to the module over the network includes RSA/ECDSA public keys. For TLS with EC Diffie-Hellman key exchange, the TLS pre-primary secret is established during key agreement and is not output from the module. Once the TLS session is established, any key or data transfer performed thereafter is protected by authenticated encryption mode using AES-GCM or by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 TLS KDF. For SSH with EC Diffie-Hellman key exchange, the SSH shared secret is established during key agreement and is not output from the module. SSH ECDSA public keys can be imported into the module by the CO using the "Configure SSH user configuration" service. Once the SSH session is established, any key or data transfer performed thereafter is protected by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 SSH KDF. There are no encrypted SSPs that are directly entered.
As shown in Table 12 the keys are stored in the volatile memory (RAM) in plaintext form and are destroyed when released by the appropriate zeroization calls or when the system is rebooted. The static SSPs are persistently stored in plaintext in the module's non-volatile memory solid-state drive (SSD). The static SSPs remain on the system across power cycle. SSPs are only accessible to the authenticated operator, to which the SSPs are associated. © 2024 F5, Inc. / atsec information security.
The zeroization methods listed in Table 12, overwrites the memory occupied by keys with “zeros” or pre-defined values. The zeroization of temporary values are performed when they are no longer needed. The zeroization can be enforced by the crypto officer with the following services:
| Algorithm | Test |
|---|---|
| non-physical entropy source | SP800-90B health test (APT and RCT) classified as CAST: • at start-up: performed on 1,024 consecutive samples. • during runtime. |
| CTR_DRBG | CAST KAT with AES 256 bits with and without derivation function SP800-90Ar1 section 11.3 health tests |
| AES | CAST KAT of AES encryption / decryption separately with AES-GCM mode and 256-bit key CAST KAT of AES encryption / decryption separately with ECB mode and 128 bit-key |
| RSA | CAST KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA2-256 CAST KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA2-256 |
| ECDSA | CAST KAT of ECDSA signature generation using P-256 and SHA2-256 |
The pre-operational self-test are performed automatically when the module is powered on. At initialization the module performed pre-operational self-test (integrity test) and the conditional cryptographic algorithm tests (CASTs). Services are not available during the pre-operational self-test and the data output interface is inhibited. On successful completion of the pre-operational self-tests and CASTs, the module enters the approved mode and cryptographic services are available. If the module fails any of the tests, the module returns an error code, and transitions to an the error state where any cryptographic operations are prohibited. Both the pre-operational tests and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module. 10.1.1 Pre-operational Software/Firmware Integrity Test The integrity of the module is verified by comparing the HMAC-SHA-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match the module enters the error state (see Table 15). The HMAC-SHA-384 algorithm is self-tested prior to the integrity test being run.
10.2.1 Conditional Cryptographic Algorithm Tests The module performs cryptographic algorithm self-tests (CASTs) on all Approved cryptographic algorithms. The module performs the CASTs shown in Table 14 during power-up. The CASTs consist of Known Answer Tests for all the approved cryptographic © 2024 F5, Inc. / atsec information security.
| Name | Key Size |
|---|---|
| CAST KAT of ECDSA signature verification using P-256 and SHA2-256 | CAST KAT of ECDSA signature verification using P-256 and SHA2-256 |
| KAS-ECC-SSC | CAST KAT of shared secret computation with P-256 curve |
| HMAC-SHA-1, HMAC-SHA2- 256, HMAC-SHA2-384 | CAST KAT of HMAC-SHA-1, CAST KAT of HMAC-SHA2-256 CAST KAT of HMAC-SHA2-384 (prior integrity tests during pre-operational self-tests) |
| SHA-1, SHA2-256, SHA2-384 | CAST KATs for all SHA sizes are covered by the respective HMAC KATs (allowed per IG 10.3.B) |
| [SP800-135] KDF | SSH CAST KAT TLS1.2 CAST KAT |
| Error State | Cause of Error | Status Indicator |
|---|---|---|
| Error State | HMAC-SHA2-384 integrity test failure | Module will not load |
| Failure of any of the CAST | Module will not load | |
| Failure of any of the PCTs | Module will reboot | |
| Failure of the APT, RCT at runtime | Module will reboot | |
| Failure of the APT, RCT at restart (power on) | Module will not load |
F5OS-A Cryptographic Module Table 14
The hardware platforms are shipped directly from the hardware manufacturer/authorized subcontractor via trusted carrier and tracked by that carrier. The hardware is shipped in a sealed box that includes a packing slip with a list of components inside, and with labels outside printed with the product nomenclature, sales order number, and product serial number. Upon receipt of the hardware, the customer is required to perform the following verifications:
The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the approved mode validated configuration. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/85. 11.2.1 Installing Tamper Evident Labels Before the hardware platform is installed in the production environment, tamper-evident labels must be installed in the location identified for each module in Section 7.1. The following steps should be taken when installing or replacing the tamper evident labels on the test platforms on which the module runs. The instructions are also included in F5 Platforms: FIPS Kit Installation provided with each hardware platform.
F5OS-A Cryptographic Module
The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3. The Approved and non-Approved modes of operation are specified in section 2.3. The algorithm-specific information is listed in sub-section below. 11.3.1 AES GCM IV AES-GCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario 1a. The implementation of the nonce_explicit management logic inside the module ensures that when the IV exhausts the maximum number of possible values for a © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module given session key, the module triggers a new handshake request to establish a new key. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed. The AES GCM IV generation follows [RFC 5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-3_IG] IG C.H scenario 1a; thus, the module is compliant with [SP800-52r2] section 3.3.1. 11.3.2 RSA SigGen/SigVer All the modulus sizes supported by the module have been ACVP tested (per IG C.F). 11.3.3 Legacy Algorithms The use of SHA-1 within Digital Signature Verification is allowed for legacy use per SP800131Ar2 section 9. This may only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. © 2024 F5, Inc. / atsec information security.
The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Appendix A. Glossary and Abbreviations ADC AES API ACVP CAVP CBC CCM CFB CKG CLI CMAC CMVP CSP CTR DES DSA DRBG ECB ECC ECDSA ESV FIPS GCM GMAC HMAC IKE KAS KAT KDF KTS KW MAC NIST OFB PAA PUD PSS RNG RSA SHA SHS SNMP SSC SSD SSH SSP Application Delivery Controller Advanced Encryption Standard Application Programming Interface Automated Cryptographic Validation Protocol Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cryptographic Key Generation Command Line Interface Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Mode Data Encryption Standard Digital Signature Algorithm Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Algorithm Entropy Source Validation Federal Information Processing Standards Publication Galois Counter Mode Galois Message Authentication Code Hash Message Authentication Code Internet Key Exchange Key Agreement Schema Known Answer Test Key Derivation Function Key Transport Scheme AES Key Wrap Message Authentication Code National Institute of Science and Technology Output Feedback Processor Algorithm Accelerators Public Use Document Probabilistic Signature Scheme Random Number Generator Rivest, Shamir, Adleman Secure Hash Algorithm Secure Hash Standard Simple Network Mail Protocol Shared-Secret Computation Solid State Drive Secure Shell Sensitive Security Parameter © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module TLS Triple-DES XTS Transport Layer Security Triple Data Encryption Standard XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf RFC 2313 PKCS #1: RSA Encryption Version 1.5 March 1998 https://datatracker.ietf.org/doc/html/rfc2313 RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7627 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension September 2015 https://www.ietf.org/rfc/rfc7627.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-133r2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.