All modules
CMVP Validated Module · FIPS 140-3 Security Policy

F5OS-A Cryptographic Module

Certificate#4883StandardFIPS 140-3Level2TypeFirmwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorF5, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeFirmware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/17/2026
CaveatInterim Validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals with F5-ADD-BIG-FIPS140 kit installed as indicated in the Security Policy.
VendorF5, Inc.

Approved Algorithms (44)

AlgorithmACVP Cert
AES-CBCA3896
AES-CBCA5260
AES-CTRA3896
AES-CTRA5260
AES-ECBA3896
AES-ECBA5260
AES-GCMA3896
AES-GCMA5260
AES-GMACA3896
AES-GMACA5260
Counter DRBGA3896
Counter DRBGA5260
ECDSA KeyGen (FIPS186-4)A3896
ECDSA KeyGen (FIPS186-4)A5260
ECDSA KeyVer (FIPS186-4)A3896
ECDSA KeyVer (FIPS186-4)A5260
ECDSA SigGen (FIPS186-4)A3896
ECDSA SigGen (FIPS186-4)A5260
ECDSA SigVer (FIPS186-4)A3896
ECDSA SigVer (FIPS186-4)A5260
HMAC-SHA-1A3896
HMAC-SHA-1A5260
HMAC-SHA2-256A3896
HMAC-SHA2-256A5260
HMAC-SHA2-384A3896
HMAC-SHA2-384A5260
KAS-ECC-SSC Sp800-56Ar3A3896
KAS-ECC-SSC Sp800-56Ar3A5260
KDF SSHA3896
KDF SSHA5260
RSA KeyGen (FIPS186-4)A3896
RSA KeyGen (FIPS186-4)A5260
RSA SigGen (FIPS186-4)A3896
RSA SigGen (FIPS186-4)A5260
RSA SigVer (FIPS186-4)A3896
RSA SigVer (FIPS186-4)A5260
SHA-1A3896
SHA-1A5260
SHA2-256A3896
SHA2-256A5260
SHA2-384A3896
SHA2-384A5260
TLS v1.2 KDF RFC7627A3896
TLS v1.2 KDF RFC7627A5260

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces2
Roles, Services, and Authentication2
Software/Firmware Security2
Operational EnvironmentN/A
Physical Security2
Sensitive Security Parameter Management2
Self-Tests1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for F5OS-A Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>1.5.1</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C5,C6 clue;
  class I1,I2,I3,I5,I6 infer;
  class R1,R2,R3,R5,R6 risk;
  class E1,E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for F5OS-A Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>1.5.1</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configurati on</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

F5, Inc. F5OS-A Cryptographic Module Module Version: 1.5.1 FIPS Security Level 2 Document Version 1.2 Last update: November 2024 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

F5OS-A Cryptographic Module Table of Contents 2.1 2.2 2.3 2.4 2.5 4.1 4.2 4.3 5.1 5.2 5.3 6.1 7.1 9.1 9.2 9.3 9.4 9.5 9.6 10.1.1 10.2.1 10.2.2 10.2.3 11.2.1 11.2.2 11.2.3 © 2024 F5, Inc. / atsec information security.

2 of 43
Page 3

F5OS-A Cryptographic Module 11.3.1 11.3.2 11.3.3 © 2024 F5, Inc. / atsec information security.

3 of 43
Page 4

F5OS-A Cryptographic Module F5®, BIG-IP® are registered trademarks of F5, Inc. Intel®, Atom® and Xeon® are registered trademarks of Intel Corporation. © 2024 F5, Inc. / atsec information security.

4 of 43
Page 5
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic Module Specification2
33Cryptographic Module Interfaces2
44Roles, Services, and Authentication2
55Software/Firmware Security2
66Operational EnvironmentN/A
77Physical Security2
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management2
1010Self-tests2
1111Life-cycle Assurance2
1212Mitigation of Other AttacksN/A

This document is the non-proprietary FIPS 140-3 Security Policy for the F5OS-A Cryptographic Module with firmware version 1.5.1. The document contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. N/A N/A N/A Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.

5 of 43
Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai
F5OS-A 1.5.1F5OS-A 1.5.1r4800Intel® Atom® P5342 Snow Ridge NSwith and without PAA
F5OS-A 1.5.1F5OS-A 1.5.1r5900Intel® Xeon® Silver 4314 Ice Lake-SPwith and without PAA
F5OS-A 1.5.1F5OS-A 1.5.1r5920-DFIntel® Xeon® Silver 4314 Ice Lake-SPwith and without PAA
F5OS-A 1.5.1F5OS-A 1.5.1r10900Intel® Xeon® Gold 6312U Ice Lake-SPwith and without PAA
F5OS-A 1.5.1F5OS-A 1.5.1r10920-DFIntel® Xeon® Gold 6312U Ice Lake-SPwith and without PAA
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The F5OS-A Cryptographic Module (hereafter referred to as “the module”) is a microservices-based, proprietary platform layer that provides an interface between the BIG-IP ADC and the rSeries hardware. Module Type: Firmware Module Embodiment: Multi Chip Standalone

2.2 Operating Environments

Table 2 - Tested Operational Environments

2.3 Modes of Operation

The module supports two modes of operation:

6 of 43
Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AESA3896,ECB, CBC, GCM, CTR128 / 192 / 256-bit keysEncryption and
[FIPS 197, SP800-A5260with key strengths fromDecryption
38A,128 to 256 bits
KTS (AES)A3896,GCM128 / 256-bit AES keysKey Wrapping /
[FIPS 197, SP800-A5260with key strengths 128 orUnwrapping
38D, SP800- 38F]256 bits
A3896,A3896,AES-CBC key and128 / 256-bit AES and
A5260A5260HMAC-SHA-1, HMAC-HMAC keys with key
SHA2-256, or HMAC-SHA2-256, or HMAC-strengths 128 or 256 bits
A3896,A3896,AES-CBC/ AES-CTR keys128 / 256-bit AES and
A5260A5260and HMAC-SHA-1,HMAC keys with key
HMAC-SHA2-256HMAC-SHA2-256strengths from 128 or 256
AESA3896,GMAC128 / 192 / 256-bit AESMAC Generation and
[FIPS 197, SP800-A5260keys with key strengthsVerification
38B, SP800 38D]from 128 and 256 bits
CTR_DRBG [SP800-A3896,AES 256 in CTR mode,Entropy input stringRandom Number
90Ar1]A5260with / without(256-bits), V (128-bits) andGeneration
derivation function,derivation function,key (256-bits) values
RSAA3896,B.3.3 Random Probable2048, 3072 and 4096-bitRSA key generation
[FIPS 186-4]A5260Primeskeys with key strengths
PKCS#1v1.5: SHA2-PKCS#1v1.5: SHA2-2048, 3072 and 4096-bitRSA signature
256, SHA2-384256, SHA2-384keys with key strengthsgeneration
PKCS#1v1.5: SHA2-PKCS#1v1.5: SHA2-2048, 3072 and 4096-bitRSA signature
256, SHA2-384256, SHA2-384keys with key strengthsverification
ECDSAA3896,B.4.2 TestingP-256 and P-384 with keyECDSA key pair
[FIPS 186-4]A5260Candidatesstrengths 128 and 192-bitsgeneration /
SHA2-256, SHA2-384SHA2-256, SHA2-384P-256 and P-384 with keyECDSA signature
strengths 128 and 192-bitsstrengths 128 and 192-bitsgeneration and
SHSA3896,SHA-1N/AMessage digest
[FIPS180-4]A5260SHA2-256
HMACA3896,HMAC-SHA-1112 bits to 1024-bits withMessage
[FIPS 198-1]A5260HMAC-SHA2-256key strengths 112 to 256-authentication
HMAC-SHA2-384HMAC-SHA2-384bits
KAS-ECC-SSCA3896,Ephemeral Unified:P-256, P-384 with keyShared Secret
[SP800-56Ar3]A5260KAS Role: initiator,strengths 128 and 192-bitsComputation used in
responderresponderKey Agreement
SSH KDF1 (CVL)A3896,AES-128, AES-256 with256-bit keys with 256-bitsKey derivation
[SP800-135]A5260SHA2-256, SHA2-384key strength
TLS KDF1 (CVL)A3896,TLS v1.2256-bitsKey derivation
[SP800-135, RFCA5260
CKG(vendorDRBG produces theRSA Sizes: 2048, 3072 andKey generation
[SP800-133r2]affirmed)random numbers for4096-bits key with 112 and
CTR_DRBG [SP800-key generation of RSA,150-bits key strength
90Ar1]ECDSA and EC Diffie-ECDSA and EC Diffie-
KAS-ECC-SSCHellmanHellman: P-256 and P-384
[SP800-56Ar3]with 128 and 192-bits key
RSA, ECDSA [FIPSstrength
AES modes: CCM, CFB, OFB, XTS and KW modes; DES; RC4; Triple-DES; SM2, SM4Symmetric Encryption and Decryption
RSAAsymmetric Encryption and Decryption
RSA Key generationwith modulus size other than 2048, 3072 and 4096-bits;
DSAdomain parameter generation, domain parameter verification, Key pair generation
DSA digital signatureSignature generation and verification using any key size

F5OS-A Cryptographic Module N/A © 2024 F5, Inc. / atsec information security.

7 of 43
Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
KAS-ECC-SSCA3896,Ephemeral Unified:P-256, P-384 with keyShared Secret
[SP800-56Ar3]A5260KAS Role: initiator,strengths 128 and 192-bitsComputation used in
responderresponderKey Agreement
SSH KDF1 (CVL)A3896,AES-128, AES-256 with256-bit keys with 256-bitsKey derivation
[SP800-135]A5260SHA2-256, SHA2-384key strength
TLS KDF1 (CVL)A3896,TLS v1.2256-bitsKey derivation
[SP800-135, RFCA5260
CKG(vendorDRBG produces theRSA Sizes: 2048, 3072 andKey generation
[SP800-133r2]affirmed)random numbers for4096-bits key with 112 and
CTR_DRBG [SP800-key generation of RSA,150-bits key strength
90Ar1]ECDSA and EC Diffie-ECDSA and EC Diffie-
KAS-ECC-SSCHellmanHellman: P-256 and P-384
[SP800-56Ar3]with 128 and 192-bits key
RSA, ECDSA [FIPSstrength
AES modes: CCM, CFB, OFB, XTS and KW modes; DES; RC4; Triple-DES; SM2, SM4Symmetric Encryption and Decryption
RSAAsymmetric Encryption and Decryption
RSA Key generationwith modulus size other than 2048, 3072 and 4096-bits;
DSAdomain parameter generation, domain parameter verification, Key pair generation
DSA digital signatureSignature generation and verification using any key size
EdDSA digital signatureSignature generation and verification using Ed25519
ECDSA Key generation/ verificationWith curves other than P-256 and P-384
Safe Primes Key generation/verificatio nKey generation for Diffie-Hellman using any safe prime groups
RSA digital signature- Signature Generation: PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Verification PKCS#1 v1.5 using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 - Signature Generation and Verification using PKCS #1 v1.5 scheme with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes - Signature Generation PSS using 2048, 3072 or 4096-bits modulus - Signature Verification PSS using 2048, 3072 or 4096-bits modulus - Signature Generation and Verification using Probabilistic Signature Scheme (PSS) specified in ANSI X9.31 standard - modulus sizes other than 2048, 3072 and 4096-bits
ECDSA digital signature- Digital Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes - Digital Signature Generation using curves P-256 and P-384 with SHA-1, SHA2- 224, SHA2-512, SHA3 - Digital Signature Verification using curves P-256 and P-384 with SHA2-224, SHA2-512, SHA3
SHA2-224 SHA2-512 SM3 MD5Message Digest
HMAC-SHA2-224 HMAC-SHA2-512 AES-CMAC Triple-DESMessage Authentication
Diffie-Hellman EC Diffie-HellmanKey Agreement Scheme: - All Diffie-Hellman Groups - EC Diffie-Hellman using curves other than P-256 and P-384 - EC Diffie-Hellman using curves P-256 and P-384 Static Unified and OnePassDh schemes
TLS KDF SNMP KDF, IKEv1, IKEv2 KDFKey Derivation function in the context of: - TLS using MD5 / SHA-1 / SHA2-224 / SHA2-512 / SHA3 - SNMP using any SHA variant - IKE using any SHA variant

F5OS-A Cryptographic Module Table 3 - Approved Algorithms The module does not implement any non-approved algorithms allowed in the approved mode of operation with or without security claimed. The following table lists the non-approved algorithms not allowed in approved mode along with their usage.

1 No parts of the TLS / SSH protocols except the KDF has been reviewed or tested by the CAVP and

CMVP © 2024 F5, Inc. / atsec information security.

8 of 43
Page 9

F5OS-A Cryptographic Module n Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation

2.4 Hardware Platform Photographs

Figures below show the various platforms on which the module was tested. © 2024 F5, Inc. / atsec information security.

9 of 43
Page 10

F5OS-A Cryptographic Module Figure 1 - r4800 isometric view Figure 2 - r5900 front view Figure 3 - r5920-DF front view © 2024 F5, Inc. / atsec information security.

10 of 43
Page 11

F5OS-A Cryptographic Module Figure 4

2.5 Block Diagram and Cryptographic Boundary Descriptions

The module cryptographic boundary is defined by the red dotted line in Figure

  1. The TOEPP is defined by the tested platforms listed in Table 2 and delineated by the black rectangle in Figure
  2. Figure 5 also depicts the flow of status output (SO), control input (CI), data input (DI) and data output (DO) interfaces. Figure 5 - Block Diagram © 2024 F5, Inc. / atsec information security.
11 of 43
Page 12
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputTLS/SSH protocol input messages Configuration commands for interface management
N/AN/AData OutputTLS/SSH protocol output messages Status log
N/AN/AControl InputAPI which control system state (e.g. reset system, power-off system).
N/AN/AStatus OutputAPI which provides system status information.
Power interfacePower interfacePower InputPower
3 Cryptographic Module Interfaces

The logical interfaces are the commands through which users of the module request services. There are no external input or output devices to the module can be used for For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. N/A N/A N/A N/A Table 5 - Ports and Interfaces

2 The module does not implement Control Output interface.

© 2024 F5, Inc. / atsec information security.

12 of 43
Page 13
Service
NameRolesInputOutputModule Role
List usersCO UserNoneList of user accountsAdministrator Resource Admin Operator
Create additional UserCOUsername / passwordConfirmation of account creationAdministrator
Modify existing UsersCOUsername / modification (new username, role, password expiry date/tally count)Confirmation of account modificationAdministrator
Delete UserCOUsernameConfirmation of deletionAdministrator
Unlock UserCOUsernameConfirmation of unlockAdministrator
Update own passwordCO UserOwn passwordConfirmation of update of passwordAdministrator Resource Admin Operator
Update others passwordCOUsername / passwordConfirmation of updateAdministrator
Configure password policyCONew password policyConfirmation of configuration changeAdministrator
Create TLS certificateCO UserCertificate identification informationConfirmation of certificate creationAdministrator Resource Admin
Create TLS KeyCO UserKey identification informationConfirmation of key creationAdministrator Resource Admin
Delete TLS Certificate/KeyCO UserKey identification informationConfirmation of key deletionAdministrator Resource Admin
List CertificateCO UserList of certificates to displayCertificate expiration informationAdministrator Resource Admin
List private keysCO UserList of private keys to displayList of private keysAdministrator Resource Admin
View System Audit LogCO UserN/ADisplay of system audit logsAdministrator Resource Admin
Configure SSH access optionsCO UserSSH access / IP address listConfirmation of configuration of SSH access optionsAdministrator Resource Admin
Configure SSH user configurationCOSSH ECDSA key pair (public)Confirmation of configuration of SSH user configurationAdministrator
Create a tenantCO Userpassword / tenant console roleConfirmation of the tenant- console roleAdministrator Resource Admin
Connecting to tenant-console via SSHUserF5 rSeries platform management address / tenant- console / passwordConfirmation of Access to the tenant-console remotely over SSHTenant-console
Closing the tenant-console SSH sessionUserN/AConfirmation of tenant-console SSH session closureTenant-console
Reboot SystemCON/AConfirmation of system rebootAdministrator
Secure EraseCOSelection optionConfirmation of full system zeroizationAdministrator
SSH session serviceCO UserUser / address / password / algorithms / key sizes/ primary secretConfirmation of SSH session establishmentAdministrator Resource Admin Operator
Closing SSH SessionCO UserN/AConfirmation of SSH session closureAdministrator Resource Admin Operator
TLS session serviceCO UserAddress / algorithms/ keysConfirmation of establishment of TLS sessionAdministrator Resource Admin Operator
Closing TLS sessionCO UserN/AConfirmation of TLS session closureAdministrator Resource Admin Operator
Show versionCO UserNoneVersion information, and module nameAdministrator Resource Admin Operator
Show licenseCO UserNoneFIPS license informationAdministrator Resource Admin Operator
Show statusCO UserNoneStatus of the specific service passed in the show status commandAdministrator Resource Admin Operator
Self- testCO UserNonePass/ fail results of self-testsAdministrator Resource Admin Operator
Show tenantCO UserNoneLists tenant informationAdministrator Resource Admin Operator
4 Roles, Services, and Authentication
4.1 Roles

The module supports one CO role and one User role. Maintenance role is not supported. The FIPS 140-3 roles are defined below and corresponding service with input and output are described in Table 6.

13 of 43
Page 14

F5OS-A Cryptographic Module N/A N/A N/A N/A Table 6 - Roles, Service Commands, Input and Output

4.2 Authentication

The module supports role-based authentication. The module supports concurrent operators belonging to different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces are used to access the module: © 2024 F5, Inc. / atsec information security.

14 of 43
Page 15
Approved algorithm
NameKey Size
role-based authentication with Password (CLI or WebUI)The password must consist of a minimum of 8 characters with at least one from each of the three-character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z) Assuming a worst-case scenario where the password contains six numerical digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000.Crypto Officer User
role-based authentication with SSH ECDSA key-pair (CLI only)The ECDSA using P-256 or P-384 curves for key based authentication yields a minimum security-strength of 128 bits. The chance of a random authentication attempt falsely succeeding is at most 1/(2128) that is less than 1/1,000,000. The maximum number of login attempts is limited to 1 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000.Crypto Officer User

F5OS-A Cryptographic Module

4.3 Services

Table 8 lists the Approved services, the service name, description, the Approved security function being used by the service, the keys and SSPs accessed by the service, the roles used by the service, access rights to keys and SSPs and the FIPS 140-3 service indicator returned by the service. The environment variable SECURITY_FIPS140_CIPHER_STRICT is exported with the cipher restriction status. If the cipher_restricted status is enabled, the status output from the © 2024 F5, Inc. / atsec information security.

15 of 43
Page 16
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
List usersDisplay list of all user accountsCO UserN/AN/AN/ANone
Create additional UserCreate additional userCOpasswordN/AWNone
Modify existing UsersModify existing usersCON/AN/AN/ANone
Delete UserDelete existing userCON/AN/AN/ANone
Unlock UserRemove lock from user who has exceeded login attemptsCON/AN/AN/ANone
Update own passwordUpdate own passwordCO UserpasswordN/AWNone
Update others passwordUpdate others passwordCOpasswordN/AWNone
Configure Password PolicySet password policy featuresCON/AN/AN/ANone
Create TLS CertificateSelf-signed certificate creationCO UserTLS RSA Public / Private keys RLS ECDSA Public / Private keysRSA / ECDSA SigGenEService Indicator: Approved
Create TLS KeyUsed for the SSL Certificate key fileCO UserTLS RSA Public / Private keys TLS ECDSA Public / Private keysRSA / ECDSA KeyGen CTR_DRBG CKGGService Indicator: Approved
DRBG seedDRBG seedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
Delete TLS Certificate /KeySelf-signed certificate / key deletionCO UserTLS RSA Public / Private keys TLS ECDSA Public / Private keysN/AN/ANone
List CertificateDisplay / log expiration data of installed certificatesCO UserN/AN/AN/ANone
List private keysList private keysCO UserN/AN/AN/ANone
View System Audit LogDisplay logs/files of configuration changesCO UserN/AN/AN/ANone
Export Analytics Logs SystemExport analytics logs systemCON/AN/AN/ANone
Create TenantCreate tenant deploymentCO UserN/AN/AN/ANone
Tenant SSH establish connectionConnecting to tenant-console via SSHUserN/AN/AN/ANone
Tenant SSH close connectionClosing the tenant- console SSH sessionUserN/AN/AN/ANone
Configure SSH access optionsEnable / Disable SSH access, configure IP address allow listCO UserN/AN/AN/ANone
Configure SSH user configurati onUpdate ssh/ authorized_keys file for user authenticationCOSSH ECDSA public key SSH ECDSA private keyN/AWNone
Reboot SystemRestart cryptographic moduleCOSSPs listed in Table 12N/AZModule reboots
Secure EraseFull system zeroizationCOSSPs listed in Table 12N/AZModule end of life
Establish SSH sessionKey authenticationCO UserSSH ECDSA public key SSH ECDSA private keyECDSA with SHA2-256 / SHA2-384 curves P-256 / P-384WSSH connection successful
Password authenticationPassword authenticationCO UserPasswordN/AWSSH connection successful
Key exchangeKey exchangeCO UserSSH EC Diffie-Hellman public key SSH EC Diffie-Hellman private keyECDSA KeyGen, CTR_DRBGGSSH connection successful
DRBG SeedDRBG SeedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
KAS-ECC-SSCCO UserSSH EC Diffie-Hellman public keyKAS-ECC-SSCWSSH connection successful
SSH EC Diffie-Hellman private keySSH EC Diffie-Hellman private keyE
SSH shared secretSSH shared secretG
Key derivationKey derivationCO UserSSH shared secret[SP 800-135] SSH KDFESSH connection successful
derived SSH session key (AES, HMAC)derived SSH session key (AES, HMAC)G
Maintain SSH SessionData encryption and decryptionCO Userderived SSH Session key (AES)AES-CBC AES-CTRESSH connection successful
Data integrity (MAC): HMAC-with SHA-1/ SHA2-256Data integrity (MAC): HMAC-with SHA-1/ SHA2-256CO Userderived SSH session key (HMAC)HMACESSH connection successful
Close SSH SessionClose SSH sessionCO UserSSH EC Diffie-Hellman key- pair; SSH shared secret; derived SSH session keyN/AZSSH connection closed
Establish TLS SessionSigGen / SigVerCO UserTLS RSA Public / Private keys TLS ECDSA Public / Private keysECDSA / RSAWService Indicator: Approved
Key exchangeKey exchangeCO UserTLS EC Diffie-Hellman public key TLS EC Diffie-Hellman private keyECDSA KeyGen, CTR_DRBGGService Indicator: Approved
DRBG SeedDRBG SeedE
DRBG internal state (V and key values)DRBG internal state (V and key values)W, E
KAS-ECC-SSCTLS EC Diffie-Hellman public keyKAS-ECC-SSCW
TLS EC Diffie-Hellman private keyTLS EC Diffie-Hellman private keyE
TLS pre-primary secretTLS pre-primary secretG
Key derivationKey derivationCO UserTLS pre-primary secret[SP 800-135] TLS KDFEService Indicator: Approved
TLS primary secretTLS primary secretG, E
TLS derived session keys (AES and HMAC or authentication cypher)TLS derived session keys (AES and HMAC or authentication cypher)G
Maintain TLS SessionData encryption, data authenticationCO UserDerived TLS session keys (AES and HMAC or authentication cypher)AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCMEService Indicator: Approved
Close TLS sessionClose TLS sessionCO UserTLS EC Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS pre-primary secret; TLS primary secret; TLS derived session keysN/AZTLS connection closed
Show versionReturn the module name and versionCO UserN/AN/AN/ANone
Show licenseReturn license indicationCO UserN/AN/AN/ANone
Show statusReturn the module statusCO UserN/AN/AN/ANone
Self- testExecute integrity test; Execute the CASTsCO UserN/A (key for self-tests are not SSPs)All the algorithms listed in table section 10N/ANone
Show tenantLists tenant informationCO UserN/AN/AN/ANone
Establish TLS sessionSignature generation and verificationUser/ COalgorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signatureNo indicator
Key exchangeKey exchangeUser/ CO- TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512, SHA3 - Diffie-Hellman - RSA Key wrapping with all keys - EC Diffie-Hellman using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDhNo indicator
Maintain TLS sessionData encryptionUser/ COAES-CCM, AES-CFB, AES-OFB, AES-XTS, AES-KW, DES, RC4, Triple-DES, SM2, SM4No indicator
Data authenticationData authenticationUser/ COHMAC-SHA2-224, HMAC-SHA2-512, AES-CMAC, Triple-DESNo indicator
Create TLS keyKey generationUser/ CORSA Key Generation with modulus sizes other than 2048, 3072 and 4096-bits ECDSA Key Generation and Verification with curves other than P-256 and P-384 Safe Primes Key Generation and Verification for Diffie-HellmanNo indicator

F5OS-A Cryptographic Module service indicator is returned in the /var/log/audit.log file. Using an approved service will provide an indicator which shows which approved algorithms were used. If the cipher_restricted status is disabled, there is no service indicator output. For SSH service the service indicator is implicit: when the SSH connection is established the service with the cipher selected is approved.

16 of 43
Page 17

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A W Z Z W W N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

17 of 43
Page 18

F5OS-A Cryptographic Module G E W, E E W E G G E E N/A Z W G E W, E W E G E G, E G © 2024 F5, Inc. / atsec information security.

18 of 43
Page 19
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Maintain TLS SessionData encryption, data authenticationCO UserDerived TLS session keys (AES and HMAC or authentication cypher)AES-CBC with HMAC-SHA2-256 / SHA2-384 or AES-GCMEService Indicator: Approved
Close TLS sessionClose TLS sessionCO UserTLS EC Diffie-Hellman private key; TLS EC Diffie- Hellman public key; TLS pre-primary secret; TLS primary secret; TLS derived session keysN/AZTLS connection closed
Show versionReturn the module name and versionCO UserN/AN/AN/ANone
Show licenseReturn license indicationCO UserN/AN/AN/ANone
Show statusReturn the module statusCO UserN/AN/AN/ANone
Self- testExecute integrity test; Execute the CASTsCO UserN/A (key for self-tests are not SSPs)All the algorithms listed in table section 10N/ANone
Show tenantLists tenant informationCO UserN/AN/AN/ANone
Establish TLS sessionSignature generation and verificationUser/ COalgorithms listed in Table 4 rows DSA, RSA, ECDSA, EdDSA digital signatureNo indicator
Key exchangeKey exchangeUser/ CO- TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512, SHA3 - Diffie-Hellman - RSA Key wrapping with all keys - EC Diffie-Hellman using curves other than P-256 and P-384 - EC Diffie-Hellman using P-256 and P-384 with Static Unified and OnePassDhNo indicator
Maintain TLS sessionData encryptionUser/ COAES-CCM, AES-CFB, AES-OFB, AES-XTS, AES-KW, DES, RC4, Triple-DES, SM2, SM4No indicator
Data authenticationData authenticationUser/ COHMAC-SHA2-224, HMAC-SHA2-512, AES-CMAC, Triple-DESNo indicator
Create TLS keyKey generationUser/ CORSA Key Generation with modulus sizes other than 2048, 3072 and 4096-bits ECDSA Key Generation and Verification with curves other than P-256 and P-384 Safe Primes Key Generation and Verification for Diffie-HellmanNo indicator
Key derivationKey derivationUser/ COSNMP KDF IKEv1 KDF IKEv2 KDFNo indicator
Message digestMessage digestUser/ COSHA2-224 SHA2-512 SM3 MD5No indicator

F5OS-A Cryptographic Module N/A E Z N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

19 of 43
Page 20

F5OS-A Cryptographic Module Table 9 - Non-Approved Services © 2024 F5, Inc. / atsec information security.

20 of 43
Page 21
5 Software/Firmware security
5.1 Integrity Techniques

The integrity of the module is verified using the approved integrity technique HMAC-SHA384, as listed in the section 10.1.1 by comparing the HMAC-SHA-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match, the module enters the Error state. Integrity tests are performed as part of the Pre-Operational Self-Tests.

5.2 On-Demand Integrity Test

The on demand pre-operational self-tests, including the integrity test on demand, are performed by rebooting the module.

5.3 Executable Code

The executable code is defined by the firmware version 1.5.1. All code belonging to this firmware version is the executable code of the module. © 2024 F5, Inc. / atsec information security.

21 of 43
Page 22
6 Operational Environment
6.1 Applicability

The module operates in a non-modifiable operational environment provided by F5 with firmware version 1.5.1. Once the module is operational, it does not allow the loading of any additional firmware. The module is a firmware validated at a Security Level 2 in Physical Security then the security area is N/A. © 2024 F5, Inc. / atsec information security.

22 of 43
Page 23
Physical Security MechanismRecommendedInspection/Test Guidance Details
Frequency of
Inspection / Test
Production grade enclosure (SL1)N/AN/A
Opaque enclosure (SL2)N/AN/A
Tamper Evident Labels (SL2)Once per monthThe CO checks the quality of the tamper evident labels for any sign of removal, replacement, tearing. In the event that the tamper evident labels require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-ADD-BIG- FIPS140). The Crypto Officer shall be responsible for the storage of the label kits.
Hardware Platform# of Tamper Labels
r48005
r59004
r5920-DF5
r10900 r10920-DF5

F5OS-A Cryptographic Module The module tested in the platforms listed in Table 2 is enclosed in a hard-metallic production grade enclosure that provides opacity and prevents visual inspection of the internals. Each test platform is fitted with tamper evident labels to provide physical evidence of attempts to gain access inside the enclosure. The tamper evident labels shall be installed on the module's platform to operate in approved mode of operation N/A N/A N/A N/A Table 10 - Physical Security Inspection Guidelines The pictures below show the location of all tamper-evident labels for each platform. Label application instructions are provided in Section 11.2.1 of the Crypto-Officer guidance below. The tamper label placements are delineated with red circles. © 2024 F5, Inc. / atsec information security.

23 of 43
Page 24

F5OS-A Cryptographic Module Figure 6 - Tamper labels on r4800 (5 of 5 tamper labels) Figure 7

24 of 43
Page 25

F5OS-A Cryptographic Module Figure 8 - Tamper labels on r5920-DF (5 of 5 tamper labels). Labels are located on the lateral sides of the platform -labels 1,2,3 and

  1. The tamper label 5 on the chassis lid is covering the ventilation fan tray that allows access to SSD. Figure 9 – Tamper labels on r10900, r10920-DF (4 +1 tamper labels shown). Labels are located on the lateral sides of the platform -labels 1,2,3 and
  2. The tamper label 5 on the chassis lid is covering the ventilation fan tray that allows access to SSD. © 2024 F5, Inc. / atsec information security.
25 of 43
Page 26
8 Non-invasive Security

This section is N/A until non-invasive security is defined. © 2024 F5, Inc. / atsec information security.

26 of 43
Page 27
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationImport ExportKey/ SSP Name/ Type
Use: Key generation, Digital signature verification used in the TLS protocol Related SSPs: TLS RSA private key, DRBG internal state (V and key values)112- bits and 150- bitsRSA A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90Ar1] DRBGN/ASSDSecure ErasePublic key input during protocol handshake Public key output during protocol handshakeTLS RSA public key / asymm etric
Use: Key generation, Digital signature generation used in the TLS protocol Related SSPs: TLS RSA private key, DRBG internal state (V and key values)112- bits and 150- bitsRSA A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method; random values are obtained using [SP 800- 90Ar1] DRBGN/ASSDSecure EraseN/ATLS RSA private key / asymm etric
Use: Key generation, Digital signature verification used in the TLS protocol Related SSPs: TLS ECDSA private key, DRBG internal state (V and key values)128- bits and 192- bitsECDSA A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] ECDSA Key Generation method; random values are obtained using [SP 800- 90Ar1] DRBGN/ASSDSecure ErasePublic key input during protocol handshake Public key output during protocol handshakeTLS ECDSA public key / asymm etric
Use: Key generation, Digital signature128- bits andECDSA A3896, A5260Generated conformant to SP800-133r2 (CKG) usingN/ASSDSecure EraseN/ATLS ECDSA private key /
generation used in the TLS protocol Related SSPs: TLS ECDSA public key, DRBG internal state (V and key values)192- bits[FIPS 186-4] ECDSA Key Generation method; random values are obtained using [SP 800- 90Ar1] DRBGasymm etric
Use: Key generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman private key, TLS pre- primary secret, DRBG internal state (V and key values)128- bits and 192- bitsEC Diffie- Hellma n A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90Ar1] DRBGN/ARAMSecure Erase; Closing TLS session; Reboot SystemPublic key input during protocol handshake Public key output during protocol handshakeTLS EC Diffie- Hellma n public key / asymm etric
Use: Key generation, TLS protocol key exchange Related SSPs: TLS EC Diffie- Hellman public key DRBG, TLS pre-primary secret, DRBG internal state (V and key values)128- bits and 192- bitsEC Diffie- Hellma n A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key Generation; random values are obtained using [SP 800- 90Ar1] DRBGN/ARAMSecure Erase; Closing TLS session; Reboot SystemN/ATLS EC Diffie- Hellma n private key / asymm etric
Use: TLS protocol Related SSPs: TLS EC Diffie-Hellman public key; TLS EC Diffie- Hellman private key; TLS primary secretEC Diffie- Hellm an: 128- bits and 192- bitsTLS KDF A3896, A5260N/AEstabli shed via SP800- 56Ar3 during key agree ment for EC Diffie- Hellma nRAMSecure Erase; Closing TLS session; Reboot SystemN/ATLS pre- primar y secret
Use: TLS protocol Related SSPs: TLS pre-primary secret; TLS derived key256- bitsTLS KDF A3896, A5260Derived from SP 800-135 TLS KDFN/ARAMSecure Erase; Closing TLS session; Reboot SystemN/ATLS primar y secret
Use: TLS protocol Related SSPs: TLS pre-primary secret, TLS primary secret128 and 256- bits (AES) 112 to 256- bits (HMAC )AES HMAC A3896, A5260Derived from SP 800-135 TLS KDFN/ARAMSecure Erase; Closing TLS session; Reboot SystemN/ATLS derive d session key
Use: SSH key- based authentication Related SSPs: SSH ECDSA private key128 and 192- bitsECDSA A3896, A5260N/AN/ASSDSecure EraseSSPs input during TLS/SSH sessionsSSH ECDSA public key / asymm etric
Use: SSH key- based authentication Related SSPs: SSH ECDSA public key128 and 192- bitsECDSA A3896, A5260N/AN/ASSDSecure EraseN/ASSH ECDSA private key / asymm etric
Use: SSH handshake Related SSPs: SSH EC Diffie-Hellman private key, SSH shared secret, DRBG internal state128 and 192- bitsKAS- ECC- SSC A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FPIS 186-4] Key generation method; random values are obtained using [SP 800- 90Ar1] DRBGN/ARAMSecure Erase; Closing SSH session or terminatin g the SSH applicatio n; Reboot SystemPublic key output during protocol handshake Public key input during protocol handshakeSSH EC Diffie- Hellma n public key / asymm etric
Use: SSH handshake Related SSPs: SSH EC Diffie-Hellman public key, SSH shared128 and 192- bitsKAS- ECC- SSC A3896, A5260Generated conformant to SP800-133r2 (CKG) using [FPIS 186-4] Key generation method; random values are obtainedN/ARAMSecure Erase; Closing SSH session or terminatin g the SSH applicatioN/ASSH EC Diffie- Hellma n private key / asymm etric
secret, DRBG internal stateusing [SP 800- 90Ar1] DRBGn; Reboot System
Use: Key derivation; SSH shared secret; Related SSPs: SSH EC Diffie-Hellman public key, SSH EC Diffie- Hellman private key, SSH derived session key128 and 256- bitsSSH KDF A3896, A5260N/AEstabli shed via SP800- 56Ar3 KAS- ECC- SSCRAMSecure Erase; Closing SSH session or terminatin g the SSH applicatio n; Reboot SystemN/ASSH shared secret
Use: Used in data encryption / decryption and MAC calculations in SSH protocol Related SSPs: SSH shared secret128 and 256- bits AES) 112 and 256- bits (HMAC )AES HMAC A3896, A5260Derived from SP 800-135 SSH KDFN/ARAMSecure Erase; Closing SSH session or terminatin g the SSH applicatio n; Reboot SystemN/ASSH derive d session key
Use: SSH authentication ; WebUI login Related SSPs: N/A1/676, 000,0 00 (see Table 7)N/AN/AN/ASSD as has ed for matSecure EraseSSPs input during TLS/SSH sessionsPasswo rd
Use: random number generation Related SSPs: DRBG seed256 bitsESV Cert. #E85Obtained from non-physical entropy sourceN/ARAMSecure Erase; Reboot SystemN/AEntrop y input string
Use: random number generation Related SSPs: Entropy input, DRBG internal state (V and key values)256 bitsCTR_DR BG A3896, A5260Derived from the entropy string as defined by [SP 800-90Ar1]N/ARAMSecure Erase; Reboot SystemN/ADRBG seed
Use: random number generation Related SSPs: Entropy256 bitsCTR_DR BG A3896, A5260Derived from the seed as defined by [SP 800-90Ar1]N/ARAMSecure Erase; Reboot SystemN/ADRBG interna l state (V and
9 Sensitive Security Parameter Management

112bits 150bits 112bits 150bits 128bits 192bits 128bits n N/A N/A N/A N/A N/A N/A

3 "CST Establishment" column defines the distribution and entry options from IG 9.5.A e.g.

Automated Distribution / Electronic Entry = AD/EE © 2024 F5, Inc. / atsec information security.

27 of 43
Page 28

F5OS-A Cryptographic Module 192bits DiffieHellma n 128bits 192bits DiffieHellma n N/A EC DiffieHellman TLS preprimary DiffieHellma n 128bits 192bits DiffieHellma n N/A N/A EC DiffieHellman preprimar y DiffieHellm 128bits 192bits N/A N/A SP80056Ar3 DiffieHellma n n © 2024 F5, Inc. / atsec information security.

28 of 43
Page 29

F5OS-A Cryptographic Module n y 256bits N/A N/A d 256bits 256bits ) 192bits N/A N/A N/A N/A 192bits N/A N/A N/A DiffieHellma n 192bits KASECCSSC N/A DiffieHellma n 192bits KASECCSSC N/A N/A © 2024 F5, Inc. / atsec information security.

29 of 43
Page 30

F5OS-A Cryptographic Module n 256bits N/A N/A SP80056Ar3 KASECCSSC d 256bits 256bits ) 7) N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

30 of 43
Page 31
Sensitive security parameter
NameStrength
input, DRBG seedkey values)
Approved algorithm
NameKey Size
DetailsEntropy SourceMinimum number of bits
The CPU Jitter RNG version 3.4.1 entropy source uses jitter variations caused by executing instructions and memory accessed. The entropy source has been shown to provide full 256-bits of entropy at the output of the SHA3-256 vetted conditioning function (#A3769).256-bitsESV #E85 (non- physical noise source)

F5OS-A Cryptographic Module n Table 12 - SSPs The module employs a Deterministic Random Bit Generator (DRBG) based on [SP80090Ar1] for the generation of random value used in asymmetric keys. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The module uses the SP800-90B compliant entropy source specified in Table 13 to seed the DRBG. In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. No non-DRBG functions or instances are able to access the DRBG internal state. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The F5 ES is tested in the OEs listed in Table 2. Table 13 - Non-Deterministic Random Number Generation Specification The module implements RSA, ECDSA and EC Diffie-Hellman asymmetric key generation services compliant with [FIPS186-4], and using an [SP800-90Ar1] DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 4 example 1 [SP800-133r2] (vendor affirmed). The RSA and ECDSA key pairs used for Digital Signature Schemes are generated in accordance with section 5.1 of [SP800-133r2] and maps specifically to [FIPS 186-4]. The ECDH key pair used for Key Establishment are generated in accordance with section

5.2 of [SP800-133r2] i.e. key generation method specified in [SP 800-56Ar3]. For this

module applicable method from [SP800-56Ar3] is 5.6.1.2 ECC Key Pair Generation which maps to [FIPS 186-4]. The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] © 2024 F5, Inc. / atsec information security.

31 of 43
Page 32

F5OS-A Cryptographic Module as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133r2] section 6.2.1 Symmetric keys generated using Key Agreement Scheme.

9.3 SSP Establishment

The module provides the following key establishment services:

128 or 256 bits of encryption strength (AES and HMAC Certs. #A3896, #A5260).
9.4 SSP Entry / Output

During the TLS handshake, the keys that are entered or output to the module over the network includes RSA/ECDSA public keys. For TLS with EC Diffie-Hellman key exchange, the TLS pre-primary secret is established during key agreement and is not output from the module. Once the TLS session is established, any key or data transfer performed thereafter is protected by authenticated encryption mode using AES-GCM or by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 TLS KDF. For SSH with EC Diffie-Hellman key exchange, the SSH shared secret is established during key agreement and is not output from the module. SSH ECDSA public keys can be imported into the module by the CO using the "Configure SSH user configuration" service. Once the SSH session is established, any key or data transfer performed thereafter is protected by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying SP 800-135 SSH KDF. There are no encrypted SSPs that are directly entered.

9.5 SSP Storage

As shown in Table 12 the keys are stored in the volatile memory (RAM) in plaintext form and are destroyed when released by the appropriate zeroization calls or when the system is rebooted. The static SSPs are persistently stored in plaintext in the module's non-volatile memory solid-state drive (SSD). The static SSPs remain on the system across power cycle. SSPs are only accessible to the authenticated operator, to which the SSPs are associated. © 2024 F5, Inc. / atsec information security.

32 of 43
Page 33
9.6 SSP Zeroization

The zeroization methods listed in Table 12, overwrites the memory occupied by keys with “zeros” or pre-defined values. The zeroization of temporary values are performed when they are no longer needed. The zeroization can be enforced by the crypto officer with the following services:

33 of 43
Page 34
AlgorithmTest
non-physical entropy sourceSP800-90B health test (APT and RCT) classified as CAST: • at start-up: performed on 1,024 consecutive samples. • during runtime.
CTR_DRBGCAST KAT with AES 256 bits with and without derivation function SP800-90Ar1 section 11.3 health tests
AESCAST KAT of AES encryption / decryption separately with AES-GCM mode and 256-bit key CAST KAT of AES encryption / decryption separately with ECB mode and 128 bit-key
RSACAST KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA2-256 CAST KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA2-256
ECDSACAST KAT of ECDSA signature generation using P-256 and SHA2-256
10 Self-tests
10.1 Pre-Operational Self-Tests

The pre-operational self-test are performed automatically when the module is powered on. At initialization the module performed pre-operational self-test (integrity test) and the conditional cryptographic algorithm tests (CASTs). Services are not available during the pre-operational self-test and the data output interface is inhibited. On successful completion of the pre-operational self-tests and CASTs, the module enters the approved mode and cryptographic services are available. If the module fails any of the tests, the module returns an error code, and transitions to an the error state where any cryptographic operations are prohibited. Both the pre-operational tests and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module. 10.1.1 Pre-operational Software/Firmware Integrity Test The integrity of the module is verified by comparing the HMAC-SHA-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match the module enters the error state (see Table 15). The HMAC-SHA-384 algorithm is self-tested prior to the integrity test being run.

10.2 Conditional Self-Tests

10.2.1 Conditional Cryptographic Algorithm Tests The module performs cryptographic algorithm self-tests (CASTs) on all Approved cryptographic algorithms. The module performs the CASTs shown in Table 14 during power-up. The CASTs consist of Known Answer Tests for all the approved cryptographic © 2024 F5, Inc. / atsec information security.

34 of 43
Page 35
Approved algorithm
NameKey Size
CAST KAT of ECDSA signature verification using P-256 and SHA2-256CAST KAT of ECDSA signature verification using P-256 and SHA2-256
KAS-ECC-SSCCAST KAT of shared secret computation with P-256 curve
HMAC-SHA-1, HMAC-SHA2- 256, HMAC-SHA2-384CAST KAT of HMAC-SHA-1, CAST KAT of HMAC-SHA2-256 CAST KAT of HMAC-SHA2-384 (prior integrity tests during pre-operational self-tests)
SHA-1, SHA2-256, SHA2-384CAST KATs for all SHA sizes are covered by the respective HMAC KATs (allowed per IG 10.3.B)
[SP800-135] KDFSSH CAST KAT TLS1.2 CAST KAT
Error StateCause of ErrorStatus Indicator
Error StateHMAC-SHA2-384 integrity test failureModule will not load
Failure of any of the CASTModule will not load
Failure of any of the PCTsModule will reboot
Failure of the APT, RCT at runtimeModule will reboot
Failure of the APT, RCT at restart (power on)Module will not load

F5OS-A Cryptographic Module Table 14

35 of 43
Page 36
11 Life-cycle assurance
11.1 Delivery and Operation

The hardware platforms are shipped directly from the hardware manufacturer/authorized subcontractor via trusted carrier and tracked by that carrier. The hardware is shipped in a sealed box that includes a packing slip with a list of components inside, and with labels outside printed with the product nomenclature, sales order number, and product serial number. Upon receipt of the hardware, the customer is required to perform the following verifications:

11.2 Crypto Officer Guidance

The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the approved mode validated configuration. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/85. 11.2.1 Installing Tamper Evident Labels Before the hardware platform is installed in the production environment, tamper-evident labels must be installed in the location identified for each module in Section 7.1. The following steps should be taken when installing or replacing the tamper evident labels on the test platforms on which the module runs. The instructions are also included in F5 Platforms: FIPS Kit Installation provided with each hardware platform.

36 of 43
Page 37

F5OS-A Cryptographic Module

11.3 User Guidance

The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3. The Approved and non-Approved modes of operation are specified in section 2.3. The algorithm-specific information is listed in sub-section below. 11.3.1 AES GCM IV AES-GCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario 1a. The implementation of the nonce_explicit management logic inside the module ensures that when the IV exhausts the maximum number of possible values for a © 2024 F5, Inc. / atsec information security.

37 of 43
Page 38

F5OS-A Cryptographic Module given session key, the module triggers a new handshake request to establish a new key. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed. The AES GCM IV generation follows [RFC 5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-3_IG] IG C.H scenario 1a; thus, the module is compliant with [SP800-52r2] section 3.3.1. 11.3.2 RSA SigGen/SigVer All the modulus sizes supported by the module have been ACVP tested (per IG C.F). 11.3.3 Legacy Algorithms The use of SHA-1 within Digital Signature Verification is allowed for legacy use per SP800131Ar2 section 9. This may only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. © 2024 F5, Inc. / atsec information security.

38 of 43
Page 39
12 Mitigation of other attacks

The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.

39 of 43
Page 40

F5OS-A Cryptographic Module Appendix A. Glossary and Abbreviations ADC AES API ACVP CAVP CBC CCM CFB CKG CLI CMAC CMVP CSP CTR DES DSA DRBG ECB ECC ECDSA ESV FIPS GCM GMAC HMAC IKE KAS KAT KDF KTS KW MAC NIST OFB PAA PUD PSS RNG RSA SHA SHS SNMP SSC SSD SSH SSP Application Delivery Controller Advanced Encryption Standard Application Programming Interface Automated Cryptographic Validation Protocol Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cryptographic Key Generation Command Line Interface Cipher-based Message Authentication Code Cryptographic Module Validation Program Critical Security Parameter Counter Mode Data Encryption Standard Digital Signature Algorithm Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Algorithm Entropy Source Validation Federal Information Processing Standards Publication Galois Counter Mode Galois Message Authentication Code Hash Message Authentication Code Internet Key Exchange Key Agreement Schema Known Answer Test Key Derivation Function Key Transport Scheme AES Key Wrap Message Authentication Code National Institute of Science and Technology Output Feedback Processor Algorithm Accelerators Public Use Document Probabilistic Signature Scheme Random Number Generator Rivest, Shamir, Adleman Secure Hash Algorithm Secure Hash Standard Simple Network Mail Protocol Shared-Secret Computation Solid State Drive Secure Shell Sensitive Security Parameter © 2024 F5, Inc. / atsec information security.

40 of 43
Page 41

F5OS-A Cryptographic Module TLS Triple-DES XTS Transport Layer Security Triple Data Encryption Standard XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.

41 of 43
Page 42

F5OS-A Cryptographic Module Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf RFC 2313 PKCS #1: RSA Encryption Version 1.5 March 1998 https://datatracker.ietf.org/doc/html/rfc2313 RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7627 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension September 2015 https://www.ietf.org/rfc/rfc7627.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2024 F5, Inc. / atsec information security.

42 of 43
Page 43

F5OS-A Cryptographic Module SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP800-133r2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.

43 of 43

Referenced URLs