| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/10/2029 |
| Caveat | No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Gallagher Group Ltd |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Gallagher FIPS Provider for OpenSSL 3
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Self-test<br/>failure</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Cipher (Unauth)<br/>HMAC, KMAC)<br/>Cipher</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Gallagher FIPS Provider for OpenSSL 3
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Self-test<br/>failure</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Cipher (Unauth)<br/>HMAC, KMAC)<br/>Cipher</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;Gallagher Group Ltd Gallagher FIPS Provider for OpenSSL 3 Document Version 1.1 April 15, 2026 Prepared for: Prepared by: Gallagher Group Ltd
Hamilton 3206 New Zealand gallagher.com +64 7 838 9800 KeyPair Consulting Inc.
San Luis Obispo, CA 93401 USA keypair.us +1 805.316.5024
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table of Contents 1.1 1.2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 6.1 5.1 5.2 5.3 4.1 4.2 4.3 4.4 4.5 3.1 9.1
FIPS 140-3 Security Policy 9.2 9.3 9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 12.1 12.2 12.3 Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 List of Tables List of Figures
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 3 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
(Gallagher), hereafter denoted the Module. The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as shown in Section 1.2. In accordance with AS02.05, ISO/IEC 19790:2012 §7.7 Physical Security is optional and does not apply to the Module.
Purpose and Use: The Module is a cryptographic software library, intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Embodiment: Multi-Chip Standalone
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The General Purpose Computer is the TOEPP. Figure 1: Block Diagram
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | N/A | fips.so | HMAC-SHA2-256 #A4481 over the | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with KP_1.2 | NXP i.MX 8X (Cortex-A35) | Yes | ||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with KP_1.2 | NXP i.MX 8X (Cortex-A35) | No | ||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 6000 | 3.0.10 with KP_1.2 | Atmel AT91SAM9 | No | ||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 7000 with NXP i.MX 8X (Cortex-A35) |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | N/A | fips.so | HMAC-SHA2-256 #A4481 over the | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with KP_1.2 | NXP i.MX 8X (Cortex-A35) | Yes | ||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with KP_1.2 | NXP i.MX 8X (Cortex-A35) | No | ||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 6000 | 3.0.10 with KP_1.2 | Atmel AT91SAM9 | No | ||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 7000 with NXP i.MX 8X (Cortex-A35) |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | N/A | fips.so | HMAC-SHA2-256 #A4481 over the | |||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with KP_1.2 | NXP i.MX 8X (Cortex-A35) | Yes | ||||
| Linux 5.4 | Linux 5.4 | Gallagher Controller 7000 | 3.0.10 with KP_1.2 | NXP i.MX 8X (Cortex-A35) | No | ||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 6000 | 3.0.10 with KP_1.2 | Atmel AT91SAM9 | No | ||||
| Linux 6.1 | Linux 6.1 | Gallagher Controller 7000 with NXP i.MX 8X (Cortex-A35) |
| Name | Description | Type |
|---|---|---|
| Nominal | Approved mode of operation | Approved |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
Tested Module Identification
N/A for this Module. Modes List and Description: Table 5: Modes List and Description
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CBC-CS1 | A4481 | Direction - decrypt, encrypt | SP 800-38A |
| AES-CBC-CS2 | A4481 | Direction - decrypt, encrypt | SP 800-38A |
| AES-CBC-CS3 | A4481 | Direction - decrypt, encrypt | SP 800-38A |
| AES-CCM | A4481 | Key Length - 128, 192, 256 | SP 800-38C |
| AES-CFB1 | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CFB128 | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CFB8 | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-CTR | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-ECB | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-GCM | A4481 | Direction - Decrypt, Encrypt | SP 800-38D |
| AES-KW | A4481 | Direction - Decrypt, Encrypt | SP 800-38F |
| AES-KWP | A4481 | Direction - Decrypt, Encrypt | SP 800-38F |
| AES-OFB | A4481 | Direction - Decrypt, Encrypt | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A4481 | Direction - Decrypt, Encrypt | SP 800-38E |
| KAS-ECC CDH-Component | A4481 | Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | SP 800-56A |
| SP800-56Ar3 (CVL) | Rev. 3 | ||
| KAS-ECC-SSC Sp800-56Ar3 | A4481 | Domain Parameter Generation Methods - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A |
| KAS-FFC-SSC Sp800-56Ar3 | A4481 | Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, modp-4096, modp-6144, modp-8192 Scheme - dhEphem - KAS Role - initiator, responder | SP 800-56A |
| KAS-IFC-SSC | A4481 | Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responder KAS2 - KAS Role - initiator, responder Fixed Public Exponent - 010001 | SP 800-56A |
| KDA HKDF SP800- | A4481 | Fixed Info Pattern - algorithmId||l||uPartyInfo||vPartyInfo | SP 800-56C Rev. 2 |
| 56Cr2 | Fixed Info Encoding - concatenation | ||
| KDA OneStep | A4481 | Auxiliary Function Methods - | SP 800-56C Rev. 2 |
| SP800-56Cr2 | Auxiliary Function Name - SHA2-512 | ||
| KDA TwoStep | A4481 | MAC Salting Methods - default, random | SP 800-56C Rev. 2 |
| SP800-56Cr2 | Fixed Info Pattern - algorithmId||l||uPartyInfo||vPartyInfo | ||
| KDF ANS 9.42 | A4481 | KDF Type - DER | SP 800-135 Rev. 1 |
| (CVL) | Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- | ||
| KDF ANS 9.63 | A4481 | Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| (CVL) | Field Size - 224, 571 | ||
| KDF SP800-108 | A4481 | KDF Mode - Counter, Feedback | SP 800-108 Rev. 1 |
| KDF SSH (CVL) | A4481 | Cipher - AES-128, AES-192, AES-256 | SP 800-135 Rev. 1 |
| PBKDF | A4481 | Iteration Count - Iteration Count: 1-10000 Increment 1 | SP 800-132 |
| TLS v1.2 KDF | A4481 | Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| RFC7627 (CVL) | Key Block Length - Key Block Length: 1024 | ||
| TLS v1.3 KDF | A4481 | HMAC Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
| (CVL) | KDF Running Modes - DHE, PSK, PSK-DHE | ||
| DSA KeyGen (FIPS186- | A4481 | L - 2048, 3072 | FIPS 186-4 |
| 4) | N - 224, 256 | ||
| DSA PQGGen (FIPS186- | A4481 | P/Q Generation Methods - Probable | FIPS 186-4 |
| 4) | G Generation Methods - Canonical, Unverifiable | ||
| DSA PQGVer (FIPS186- | A4481 | P/Q Generation Methods - Probable | FIPS 186-4 |
| 4) | G Generation Methods - Canonical, Unverifiable | ||
| ECDSA KeyGen | A4481 | Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | FIPS 186-4 |
| (FIPS186-4) | Secret Generation Mode - Testing Candidates | ||
| ECDSA KeyVer | A4481 | Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P- | FIPS 186-4 |
| (FIPS186-4) | 521 | ||
| EDDSA KeyGen | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA KeyVer | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| Safe Primes Key | A4481 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, | SP 800-56A Rev. 3 |
| Safe Primes Key | A4481 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, | SP 800-56A Rev. 3 |
| Verification | modp-4096, modp-6144, modp-8192 | ||
| RSA KeyGen (FIPS186- | A4481 | Key Generation Mode - B.3.3 | FIPS 186-4 |
| 4) | Modulo - 2048, 3072, 4096 | ||
| KTS-IFC | A4481 | Function - keyPairGen, partialVal IUT ID - CAFEFACE Modulo - 2048, 3072, 4096, 6144 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime- factor Fixed Public Exponent - 010001 Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Hash Algorithms - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Supports Null Associated Data - Yes Associated Data Encoding - concatenation Key Length - 1024 | SP 800-56B Rev. |
| AES-CMAC | A4481 | Direction - Generation, Verification | SP 800-38B |
| AES-GMAC | A4481 | Direction - Decrypt, Encrypt | SP 800-38D |
| HMAC-SHA-1 | A4481 | MAC - MAC: 32-160 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-224 | A4481 | MAC - MAC: 32-224 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-256 | A4481 | MAC - MAC: 32-256 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-384 | A4481 | MAC - MAC: 32-384 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512 | A4481 | MAC - MAC: 32-512 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512/224 | A4481 | MAC - MAC: 32-224 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512/256 | A4481 | MAC - MAC: 32-256 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-224 | A4481 | MAC - MAC: 32-224 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-256 | A4481 | MAC - MAC: 32-256 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-384 | A4481 | MAC - MAC: 32-384 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-512 | A4481 | MAC - MAC: 32-512 Increment 8 | FIPS 198-1 |
| KMAC-128 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | SP 800-185 |
| KMAC-256 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | SP 800-185 |
| SHA-1 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-224 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-384 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-512 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-512/224 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA2-512/256 | A4481 | Message Length - Message Length: 0-65528 Increment 8 | FIPS 180-4 |
| SHA3-224 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-256 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-384 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-512 | A4481 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHAKE-128 | A4481 | Supports Bit-Oriented Messages - No | FIPS 202 |
| SHAKE-256 | A4481 | Supports Bit-Oriented Messages - No | FIPS 202 |
| Counter A DRBG | 4481 | Prediction Resistance - Yes | SP 800-90A Rev. 1 |
| Hash DRBG | A4481 | Prediction Resistance - Yes | SP 800-90A Rev. 1 |
| HMAC | A4481 | Prediction Resistance - Yes | SP 800-90A Rev. 1 |
| DRBG | Supports Reseed - Yes | ||
| ECDSA SigGen (FIPS186-4) | A4481 | Component - No, Yes Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A4481 | Component - No Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P- 384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| DSA SigGen (FIPS186-4) | A4481 | L - 2048, 3072 | FIPS 186-4 |
| DSA SigVer (FIPS186-4) | A4481 | L - 1024, 2048, 3072 | FIPS 186-4 |
| EDDSA SigGen | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA SigVer | A4481 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| RSA SigGen (FIPS186-4) | A4481 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS | FIPS 186-4 |
| RSA SigGen (FIPS186-5) | A4481 | Hash Pair - | FIPS 186-5 |
| RSA Signature Primitive | A4481 | Private Key Format - crt | FIPS 186-4 |
| (CVL) | Public Exponent Mode - fixed | ||
| RSA SigVer (FIPS186-4) | A4481 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS | FIPS 186-4 |
| RSA SigVer (FIPS186-5) | A4481 | Hash Pair - | FIPS 186-5 |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 The Module only supports an Approved mode of operation. The conditions for using the Module in the Approved mode of operation are:
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 6: Approved Algorithms - Cipher
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Key agreement Table 7: Approved Algorithms - Key agreement Key derivation
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 8: Approved Algorithms - Key derivation Key management 4) 4)
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Message authentication
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 11: Approved Algorithms - Message authentication
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Message digest Table 12: Approved Algorithms - Message digest Random
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 13: Approved Algorithms - Random Signature
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 14: Approved Algorithms - Signature
| Name | Description | Approved Functions | Type | Properties | Reference |
|---|---|---|---|---|---|
| CKG Section 4 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 | |||
| CKG Section 5 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 | |||
| CKG Section 6.2 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 | |||
| Hash DRBG with SHA3-256, SHA3-512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-90A Rev. 1 | |||
| HMAC DRBG with SHA3-256, SHA3-512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-90A Rev. 1 | |||
| Cipher (Unauth) | AES ciphers | AES-CBC: (A4481) | BC-UnAuth | ||
| Cipher (Auth) | Authenticated ciphers | AES-CCM: (A4481) | BC-Auth | ||
| CKG Section 4 | Using the Output of a Random | CKG Section 4: () | CKG |
| Name | Description | Approved Functions | Type | Properties | Reference |
|---|---|---|---|---|---|
| CKG Section 4 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 | |||
| CKG Section 5 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 | |||
| CKG Section 6.2 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-133 Rev. 2 | |||
| Hash DRBG with SHA3-256, SHA3-512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-90A Rev. 1 | |||
| HMAC DRBG with SHA3-256, SHA3-512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800-90A Rev. 1 | |||
| Cipher (Unauth) | AES ciphers | AES-CBC: (A4481) | BC-UnAuth | ||
| Cipher (Auth) | Authenticated ciphers | AES-CCM: (A4481) | BC-Auth | ||
| CKG Section 4 | Using the Output of a Random | CKG Section 4: () | CKG | ||
| CKG Section 5 | Generation of Key Pairs for Asymmetric-Key Algorithms | CKG Section 5: () | CKG | ||
| CKG Section 6.2 | Derivation of Symmetric Keys | CKG Section 6.2: () | CKG | ||
| Key agreement | Key agreement | KAS-ECC CDH-Component | KAS-SSC | KAS:KAS-ECC-SSC provides between 112 and 256 bits of encryption strength; KAS-FFC- SSC provides between 112 and 200 bits of encryption strength; KAS-IFC-SSC provides between 112 and 200 bits of encryption strength | |
| Key derivation | KAS-KDF HKDF SP800-56Cr2: | KAS-135KDF | |||
| KAS-56CKDF | (A4481) | KAS-56CKDF | |||
| KBKDF | KAS-KDF OneStep SP800-56Cr2: | KBKDF | |||
| PBKDF | (A4481) | PBKDF | |||
| Key management ECC | ECDSA KeyGen (FIPS186-4): | AsymKeyPair-KeyGen | |||
| AsymKeyPair-KeyVer | (A4481) | AsymKeyPair-KeyVer | |||
| Key management Edwards | EDDSA KeyGen: (A4481) | AsymKeyPair-KeyGen | |||
| AsymKeyPair-KeyVer | EDDSA KeyVer: (A4481) | AsymKeyPair-KeyVer | |||
| Key management FFC | DSA KeyGen (FIPS186-4): | AsymKeyPair-KeyGen | |||
| Key management IFC | RSA KeyGen (FIPS186-4): | AsymKeyPair-KeyGen | |||
| Key transport | KTS-IFC: (A4481) | KTS-Encap | KTS:2048, 3072, 4096 or 6144- bit keys provide between 112 and 176 bits of encryption strength | ||
| KTS (Cipher w/ CMAC, GMAC, | SP 800-38F Section 3.1 Provisions | AES-CBC: (A4481) | BC-Auth | KTS:128, 192 or 256-bit keys provide between 128 and 256 bits of encryption strength | |
| HMAC, KMAC) | AES-CBC-CS1: (A4481) | BC-UnAuth | |||
| MAC | AES-CBC-CS2: (A4481) | MAC | |||
| KTS (AES KW, KWP) | AES-KW: (A4481) | BC-Auth | KTS:128, 192 or 256-bit keys provide between 128 and 256 bits of encryption strength | ||
| MAC AES (CMAC, GMAC) | AES-GMAC: (A4481) | MAC | |||
| MAC HMAC | HMAC-SHA-1: (A4481) | MAC | |||
| MAC KMAC (XOF) | KMAC-128: (A4481) | XOF | |||
| Message Digest | SHA-1: (A4481) | SHA | |||
| Message Digest (XOF SHAKE) | SHAKE-128: (A4481) | XOF | |||
| Random | Counter DRBG: (A4481) | DRBG | |||
| Signature DSA | DSA SigGen (FIPS186-4): | DigSig-SigGen | |||
| DigSig-SigVer | (A4481) | DigSig-SigVer | |||
| Signature ECDSA | ECDSA SigGen (FIPS186-4): | DigSig-SigGen | |||
| DigSig-SigVer | (A4481) | DigSig-SigVer | |||
| Signature EDDSA | EDDSA SigGen: (A4481) | DigSig-SigGen | |||
| DigSig-SigVer | EDDSA SigVer: (A4481) | DigSig-SigVer | |||
| Signature RSA | RSA SigGen (FIPS186-4): | DigSig-SigGen | |||
| DigSig-SigVer | (A4481) | DigSig-SigVer |
FIPS 140-3 Security Policy Vendor-Affirmed Algorithms: Table 15: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this Module. Non-Approved, Not Allowed Algorithms: N/A for this Module.
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 16: Security Function Implementations
AES-GCM: The Module supports internal IV generation using the Approved DRBG. The IV is at least 96 bits in length per SP 800-38D Section 8.2.2, and the Approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2-32 per SP 800-38D Section 8. AES-GCM IVs shall be used in compliance with FIPS 140-3 IG C.H scenario 1a (TLS/DTLS 1.2, per RFC 5288), 1d (SSHv2, per RFC 5647) and 5 (TLS 1.3, per RFC 8446). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from SP 800-52 Rev. 1 Section 3.3.1. The Module’s implementation of AES-GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; these protocols have not been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power-cycles: AES-GCM key/IVs are not stored in non-volatile persistent memory (i.e., disk), hence no re-connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. If this exhaustion condition is observed, the Module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. XTS-AES: In accordance with SP 800-38E, the XTS-AES algorithm is to be used for confidentiality on storage devices. The Module complies with FIPS 140-3 IG C.I by:
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Key Agreement: The Module implements the following Approved key agreement methods which have been CAVP tested and validated:
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. The Module enforces the following SP 800-132 compliance checks:
N/A for this Module. The calling application is responsible for use of a SP 800-90B compliant entropy source outside the Module boundary providing at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The following caveat applies per FIPS 140-3 IG 9.3.A: No assurance of the minimum strength of generated SSPs (e.g., keys).
The Module:
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A (API - input) | N/A (API - input) | Control Input | API input: stack frame including non-sensitive parameters. |
| Data Input | Data Input | ||
| N/A (API - output) | N/A (API - output) | Data Output | API output: output parameters and return value resulting from call execution. |
| Status Output | Status Output |
| Name | Role Access | Type |
|---|---|---|
| CO | CO | Role |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
The Module implements key agreement methods compliant with FIPS 140-3 IG D.F and key transport methods compliant with FIPS 140-3 IG D.G. Strengths are provided in Section 2.6.
The Module conforms to FIPS 140-3 IG D.C References to the Support of Industry Protocols: while it provides SP 800-56A Rev. 3 conformant schemes and API entry points oriented to TLS usage, the Module does not contain the full implementation of TLS. The following caveat is required: No parts of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.
Table 17: Ports and Interfaces The Module does not interact with physical ports. The Control Output interface is not applicable, as the Module does not control other components.
Table 18: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified), and does not support a maintenance role or a bypass capability. The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document and in associated Guidance Documentation.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Cipher | Encrypt or decrypt data, | CO | Cipher (Unauth) Cipher (Auth) | FIPS_OK | Encryption or decryption key; plaintext or ciphertext data; flags. | Status return. Plaintext or ciphertext data. |
| including AEAD modes (CCM, | including AEAD modes (CCM, | - SC_EDK_AES: W,E | ||||
| GCM). | GCM). | - SC_EDK_XTS: W,E | ||||
| Get capabilities | Reports information on the | FIPS_OK | Provider context, capability, callback pointer and arguments. | Description of capabilities. | ||
| Initialize | Module initialization, | CO | Random MAC HMAC | FIPS_OK | Core handle, dispatch in and out, provider context. | Initialization status (1 = pass, 0 = fail). |
| including instantiation of the | including instantiation of the | - DRBG_EI: W,E,Z | ||||
| opaque (managed within the | opaque (managed within the | - DRBG_Seed: G,E,Z | ||||
| module) Counter DRBG | module) Counter DRBG | - DRBG_Key: G,W,E | ||||
| instance. | instance. | - DRBG_V: G,W,E | ||||
| Key agreement | Perform key agreement | CO | CKG Section 5 Key agreement | FIPS_OK | Key structs (key agreement keys); flags. | Status return; key agreement shared secret. |
| primitives on behalf of the | primitives on behalf of the | - KAS_Private_ECC: | ||||
| calling process (does not | calling process (does not | W,E | ||||
| establish keys into the | establish keys into the | - KAS_Public_ECC: W,E | ||||
| module). | module). | - KAS_Private_FFC: W,E | ||||
| Key derivation | Derive keying material from a | CO | Key derivation CKG Section 6.2 | FIPS_OK | Key agreement shared secret; flags. | Status return; derived keying material. |
| shared secret. | shared secret. | - KD_DKM_KDF: G,R | ||||
| Key management | Generate asymmetric key | CO | Key management ECC Key management Edwards Key management FFC Key management IFC CKG Section 4 | FIPS_OK | ECDSA, EdDSA: curve identifier. DSA, RSA: domain parameter targets. | Status return; general digital signature private and public keys. |
| pairs. | pairs. | - DRBG_C: G,W,E | ||||
| Key transport | Encapsulate or decapsulate | CO | CKG Section 5 Key transport KTS (Cipher w/ CMAC, GMAC, HMAC, KMAC) KTS (AES KW, KWP) | FIPS_OK | Key encapsulation/decapsulation key or Key wrap/unwrap key. | Status return; key transport shared secret. |
| key material on behalf of the | key material on behalf of the | - KTS_KDK_IFC: W,E | ||||
| calling process. | calling process. | - KTS_KEK_IFC: W,E | ||||
| Message authentication | Generate or verify data | CO | MAC AES (CMAC, GMAC) MAC HMAC MAC KMAC (XOF) | FIPS_OK | Keyed hash key. | Status return; MAC output value. |
| integrity. | integrity. | - KH_Key_AES-CMAC: | ||||
| Message digest | Generate a message digest. | Message Digest Message Digest (XOF SHAKE) | FIPS_OK | Message; flags. | Status return; Hash output value. | |
| Query | Report available crypto | FIPS_OK | Provider context, operation ID. | Array of available operations. | ||
| Random | Generate random bits using | CO | Random CKG Section 4 | FIPS_OK | DRBG struct (RBG State); DRBG_Seed. | Status return; Random value. |
| the DRBG. | the DRBG. | - DRBG_C: W,E | ||||
| Self-test | Perform the self-test | FIPS_OK | Provider context. | Status (1 = pass, 0 = fail). | ||
| Show module name and versioning information | Return module name and | FIPS_OK | Provider context, parameter types (array). | Parameter types (array) with: Name, Version. | ||
| Show status | OpenSSL core metadata | FIPS_OK | Provider context, parameter types (array). | Parameter types with: BuildInfo, Status, SecurityChecks; Status return. | ||
| Signature | Generate or verify digital | CO | CKG Section 5 Signature DSA Signature ECDSA Signature EDDSA Signature RSA | FIPS_OK | Sign: signing key; message. Verify: signature value; flags; sizes. | Status return; Signature value. |
| signatures. (SSPs are passed in | signatures. (SSPs are passed in | - DS_SGK_ECC: W,E | ||||
| by the calling process.) | by the calling process.) | - DS_SVK_ECC: W,E | ||||
| Teardown | Uninstantiate the module; | CO | FIPS_OK | Provider context. | None. | |
| zeroizes internal CTR DRBG | zeroizes internal CTR DRBG | - DRBG_Key: Z | ||||
| state (DRBG_Key, DRBG_V). | state (DRBG_Key, DRBG_V). | - DRBG_V: Z | ||||
| Zeroize | Zeroization of allocated key | CO | FIPS_OK | Memory pointer. | Void. | |
| structures using | structures using | - DRBG_C: Z | ||||
| openssl_cleanse. | openssl_cleanse. | - DRBG_EI: Z |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 G,R W,E W,E
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Z Table 19: Approved Services All services implemented by the Module correspond to the functionality described by the fips_query function, which returns available services based on an operation_id input. The fips_get_params function provides access to the current status of the Module as well as the name and version; this information correlates to the validation listing. A 1 value returned in status indicates the Module is running without error (FIPS_OK); a 0 return indicates an error (with additional error details indicated as described in the release specific API documentation). Services are only operational in the running state. Any attempts to access services in any other state will result in an error being returned. If the integrity test or any CAST fails then any attempt to access any service will result in an error being returned. The OpenSSL toolkit OSSL_PROVIDER_get_params function is used to invoke fips_get_params, when called with the Module’s global handle and a pointer to a parameter structure (initialized using provider_gettable_params or the equivalent).
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Regarding the Indicator of approved security services, the Module conforms to FIPS 140-3 IG 2.4.C Approved Security Service Indicator, similar to example 2. Each service provides context sensitive status responses as described in the OpenSSL 3 API manual pages; generally, functions of return type int return the value 1 for success with other error codes as appropriate for the call (described in API documentation). The Module’s name and version parameters (as cited in Section 2) along with the Module’s internal indicators of the security-check and conditional-errors settings are used to confirm the Module is the validated Module operating in the approved mode with only approved security services. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module.
The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fips.so.mac contains the integrity reference value. The Module is provided in an executable form (as fips.so shared object for use in Linux environments).
The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.
In accordance with ISO/IEC 19790:2012 Annex B, as the Module is open source, the tools used to build the Module as tested are:
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
Type of Operational Environment: Modifiable No operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2.4. The Module conforms to FIPS 140-3 IG 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by FIPS 140-3 IG 2.3.C as a known PAA.
| Name | Approved Functions | Type | From | To | Distribution Type |
|---|---|---|---|---|---|
| I | Electronic | Plaintext | Calling process | Call stack (API) input parameters | Manual |
| O | Electronic | Plaintext | Call stack (API) output parameters | Calling process | Manual |
| Name | Type | Description | Strength | Generation | Establishment | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|---|---|
| DRBG_C | Hash_DRBG_C - CSP | Element of Hash DRBG state. | Size: 440-888 - | Random | Random | ||||||
| DRBG_EI | Other - CSP | Entropy input from an external source used for DRBG seeding. | Size: 128-2^35 - | Random | |||||||
| DRBG_Key | CTR_DRBG_Key, HMAC_DRBG_Key - CSP | Element of CTR DRBG or HMAC DRBG state. | Size: 128-256, 128-256 - | Random | Random | ||||||
| DRBG_Seed | Other - CSP | Seed used for DRBG Instantiation and Reseed. | Size: 128-256 - | Random | Random | ||||||
| DRBG_V | CTR_DRBG_Key, Hash_DRBG_Key, HMAC_DRBG_Key - CSP | Element of CTR, Hash or HMAC DRBG state. | Size: 128-256, 128-256, 128-256 | Random | Random | ||||||
| DS_SGK_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - CSP | SigGen (private) key. | Size: 233, 283, 409, 571, 233, | Signature | |||||||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | ECDSA | |||||||||
| DS_SGK_Edwards | Edwards25519, Edwards448 - CSP | SigGen (private) key. | Size: 255, 448 - | Signature | |||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | EDDSA | |||||||||
| DS_SGK_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 - CSP | SigGen (private) key. | Size: 2048, 2048, 3072 - | Signature DSA | |||||||
| DS_SGK_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - CSP | SigGen (private) key. | Size: 2048, 3072, 4096, 6144, | Signature RSA | |||||||
| DS_SVK_ECC | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 - PSP | SigVer (public) key. | Size: 163, 233, 283, 409, 571, | Signature | |||||||
| 163, 233, 283, 409, 571, 192, | 163, 233, 283, 409, 571, 192, | ECDSA | |||||||||
| DS_SVK_Edwards | Edwards25519, Edwards448 - PSP | SigVer (public) key. | Size: 255, 448 - | Signature | |||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | EDDSA | |||||||||
| DS_SVK_FFC | L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256 - PSP | SigVer (public) key. | Size: 1024, 2048, 2048, 3072 - | Signature DSA | |||||||
| DS_SVK_IFC | k=1024, k=2048, k=3072, k=4096, k=6144, k=8192 - PSP | SigVer (public) key. | Size: 1024, 2048, 3072, 4096, | Signature RSA | |||||||
| GKP_Private_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - CSP | General ECDSA (private) key. | Size: 233, 283, 409, 571, 233, | Key | Key | ||||||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | management | management | ||||||||
| 521 - | 521 - | ECC | ECC | ||||||||
| GKP_Private_Edwards | Edwards25519, Edwards448 - CSP | General EdDSA (private) key. | Size: 255, 448 - | Key | Key | ||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | management | management | ||||||||
| Edwards | Edwards | Edwards | |||||||||
| GKP_Private_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 - CSP | General FFC (private) key. | Size: 2048, 2048, 3072 - | Key | Key | ||||||
| Strength: s = 112, s = 112, s = | Strength: s = 112, s = 112, s = | management | management | ||||||||
| 128 | 128 | FFC | FFC | ||||||||
| GKP_Private_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - CSP | General RSA (private) key. | Size: 2048, 3072, 4096, 6144, | Key | Key | ||||||
| 8192 - | 8192 - | management | management | ||||||||
| Strength: s = 112, s = 128, s = | Strength: s = 112, s = 128, s = | IFC | IFC | ||||||||
| GKP_Public_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - PSP | General ECDSA (public) key. | Size: 233, 283, 409, 571, 233, | Key | Key | ||||||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | management | management | ||||||||
| 521 - | 521 - | ECC | ECC | ||||||||
| GKP_Public_Edwards | Edwards25519, Edwards448 - PSP | General EdDSA (public) key. | Size: 255, 448 - | Key | Key | ||||||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | management | management | ||||||||
| Edwards | Edwards | Edwards | |||||||||
| GKP_Public_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 - PSP | General FFC (public) key. | Size: 2048, 2048, 3072 - | Key | Key | ||||||
| Strength: s = 112, s = 112, s = | Strength: s = 112, s = 112, s = | management | management | ||||||||
| 128 | 128 | FFC | FFC | ||||||||
| GKP_Public_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - PSP | General RSA (public) key. | Size: 2048, 3072, 4096, 6144, | Key management IFC | Key | ||||||
| 8192 - | 8192 - | management | |||||||||
| Strength: s = 112, s = 128, s = | Strength: s = 112, s = 128, s = | IFC | |||||||||
| KAS_Private_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - CSP | Key pair component used for shared secret generation. | Size: 233, 283, 409, 571, 233, | Key agreement | |||||||
| KAS_Private_FFC | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - CSP | Key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_Private_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - CSP | Key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_Public_ECC | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 - PSP | Peer key pair component used for shared secret generation. | Size: 233, 283, 409, 571, 233, | Key agreement | |||||||
| KAS_Public_FFC | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 - PSP | Peer key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_Public_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 - PSP | Peer key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | |||||||
| KAS_SS_ECC | Other - CSP | Shared secret calculation z output value (for KDF). | Size: 112 - 256 - | Key | Key agreement | ||||||
| Strength: 112 - 256 | Strength: 112 - 256 | agreement | |||||||||
| KAS_SS_FFC | Other - CSP | Shared secret calculation z output value (for KDF). | Size: 112 - 256 - | Key | Key agreement | ||||||
| Strength: 112 - 200 | Strength: 112 - 200 | agreement | |||||||||
| KAS_SS_IFC | Other - CSP | Shared secret calculation z output value (for KDF). | Size: 112 - 256 - | Key | Key agreement | ||||||
| Strength: 112 - 200 | Strength: 112 - 200 | agreement | |||||||||
| KD_DKM_KDF | Other - CSP | Key derivation derived keying material. | Size: 128 - 256 - | Key derivation | Key derivation | ||||||
| KD_DKM_PBKDF | Other - CSP | PBKDF derived key material | Size: 128 - | Key derivation | Key derivation | ||||||
| KD_PW_PBKDF | Other - CSP | PBKDF password input. | Size: 128 - | Key derivation | Key derivation | ||||||
| KD_SK | Other - CSP | Key derivation source key material. | Size: 128 - 256 - | Key derivation | |||||||
| KH_Key_AES-CMAC | AES-128, AES-192, AES-256 - CSP | Keyed Hash key. | Size: 128, 192, 256 - | MAC AES | |||||||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (CMAC, GMAC) | |||||||||
| KH_Key_AES-GMAC | AES-128, AES-192, AES-256 - CSP | Keyed Hash key. | Size: 128, 192, 256 - | MAC AES | |||||||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (CMAC, GMAC) | |||||||||
| KH_Key_HMAC | Other - CSP | Keyed Hash key. | Size: 112 - 2048 - | MAC HMAC | |||||||
| KH_Key_KMAC | KMAC128, KMAC256 - CSP | Keyed Hash key. | Size: 128, 256 - | MAC KMAC | |||||||
| Strength: 112 = s = 128, 112 = s = | Strength: 112 = s = 128, 112 = s = | (XOF) | |||||||||
| KTS_KDK_IFC | Other - CSP | RSA key de- encapsulation Key (key transport). | Size: 2048, 3072, 4096, 6144 - | Key transport | |||||||
| KTS_KEK_IFC | Other - PSP | RSA key encapsulation Key (key transport). | Size: 2048, 3072, 4096, 6144 - | Key transport | |||||||
| KTS_SS_IFC | Other - CSP | RSA key transport shared secret. | Size: 112 - 256 - | Key | Key transport | ||||||
| Strength: s = 112 - s = 176 | Strength: s = 112 - s = 176 | transport | |||||||||
| SC_EDK_AES | AES-128, AES-192, AES-256 - CSP | Symmetric encryption | Size: 128, 192, 256 - Strength: s = 128, s = 192, s = 256 | Cipher | |||||||
| and decryption. | and decryption. | (Unauth) | |||||||||
| SC_EDK_XTS | XTS-128, XTS-256 - CSP | Symmetric encryption | Size: 256, 512 - Strength: s = 128, s = 256 | Cipher | |||||||
| and decryption. | and decryption. | (Unauth) | |||||||||
| DRBG_C | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Derived From | ||||||
| O | O | DRBG_V:Used with | |||||||||
| DRBG_EI | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Constituent | ||||||
| DRBG_Key | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | ||||||
| O | O | DRBG_V:Used with | |||||||||
| DRBG_Seed | RAM:Plaintext | C | Call lifetime | DRBG_C:Derives | |||||||
| DRBG_V | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | ||||||
| O | O | DRBG_Key:Used with | |||||||||
| DS_SGK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_ECC:Paired With | ||||||
| DS_SGK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SVK_Edwards:Paired With | ||||||
| DS_SGK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_FFC:Paired With | ||||||
| DS_SGK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_IFC:Paired With | ||||||
| DS_SVK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_ECC:Paired With | ||||||
| DS_SVK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SGK_Edwards:Paired With | ||||||
| DS_SVK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_FFC:Paired With | ||||||
| DS_SVK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_IFC:Paired With | ||||||
| GKP_Private_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_ECC:Paired With | ||||||
| GKP_Private_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Public_Edwards:Paired With | ||||||
| GKP_Private_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_FFC:Paired With | ||||||
| GKP_Private_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_IFC:Paired With | ||||||
| GKP_Public_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_ECC:Paired With | ||||||
| GKP_Public_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Private_Edwards:Paired With | ||||||
| GKP_Public_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_FFC:Paired With | ||||||
| GKP_Public_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_IFC:Paired With |
| Storage | Description | Persistenc |
|---|---|---|
| Area | Type | |
| Name | ||
| RAM | R: Random access memory | Dynamic |
| Zeroization | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Method | |||
| C | C (Cleanse): Caller invocation of openssl_cleanse. | Overwrites with zeros | Caller invocation of openssl_cleanse |
| T | T (Teardown): Module unload - invokes cleanse internally. | Overwrites with zeros | Occurs when module is unloaded |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
Persistence Table 20: Storage Areas
I O Table 21: SSP Input-Output Methods
C T Table 22: SSP Zeroization Methods All SSPs are zeroized (overwritten with 0s) when they are no longer needed:
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|---|---|---|---|
| SC_EDK_AES | AES-128, AES-192, AES-256 - CSP | Symmetric encryption | Size: 128, 192, 256 - Strength: s = 128, s = 192, s = 256 | Cipher | |||||
| and decryption. | and decryption. | (Unauth) | |||||||
| SC_EDK_XTS | XTS-128, XTS-256 - CSP | Symmetric encryption | Size: 256, 512 - Strength: s = 128, s = 256 | Cipher | |||||
| and decryption. | and decryption. | (Unauth) | |||||||
| DRBG_C | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Derived From | ||||
| O | O | DRBG_V:Used with | |||||||
| DRBG_EI | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Constituent | ||||
| DRBG_Key | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | ||||
| O | O | DRBG_V:Used with | |||||||
| DRBG_Seed | RAM:Plaintext | C | Call lifetime | DRBG_C:Derives | |||||
| DRBG_V | RAM:Plaintext | C T | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From | ||||
| O | O | DRBG_Key:Used with | |||||||
| DS_SGK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_ECC:Paired With | ||||
| DS_SGK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SVK_Edwards:Paired With | ||||
| DS_SGK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_FFC:Paired With | ||||
| DS_SGK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_IFC:Paired With | ||||
| DS_SVK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_ECC:Paired With | ||||
| DS_SVK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SGK_Edwards:Paired With | ||||
| DS_SVK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_FFC:Paired With | ||||
| DS_SVK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_IFC:Paired With | ||||
| GKP_Private_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_ECC:Paired With | ||||
| GKP_Private_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Public_Edwards:Paired With | ||||
| GKP_Private_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_FFC:Paired With | ||||
| GKP_Private_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_IFC:Paired With | ||||
| GKP_Public_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_ECC:Paired With | ||||
| GKP_Public_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Private_Edwards:Paired With | ||||
| GKP_Public_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_FFC:Paired With | ||||
| GKP_Public_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_IFC:Paired With | ||||
| KAS_Private_ECC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_ECC:Paired With | ||||
| KAS_Private_FFC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_FFC:Paired With | ||||
| KAS_Private_IFC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_IFC:Paired With | ||||
| KAS_Public_ECC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_ECC:Paired With | ||||
| KAS_Public_FFC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_FFC:Paired With | ||||
| KAS_Public_IFC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_IFC:Paired With | ||||
| KAS_SS_ECC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_ECC:Calculated From | ||||
| KAS_SS_FFC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_FFC:Calculated From | ||||
| KAS_SS_IFC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_IFC:Calculated From | ||||
| KD_DKM_KDF | RAM:Plaintext | C | O | Call lifetime | KD_SK:Derived From | ||||
| KD_DKM_PBKDF | RAM:Plaintext | C | O | Call lifetime | KD_PW_PBKDF:Derived From | ||||
| KD_PW_PBKDF | RAM:Plaintext | C | I | Call lifetime | KD_DKM_PBKDF:Derives | ||||
| KD_SK | RAM:Plaintext | C | I | Call lifetime | KD_DKM_KDF:Derives | ||||
| KH_Key_AES-CMAC | RAM:Plaintext | C | I | Call lifetime | |||||
| KH_Key_AES-GMAC | RAM:Plaintext | C | I | Call lifetime | |||||
| KH_Key_HMAC | RAM:Plaintext | C | I | Call lifetime | |||||
| KH_Key_KMAC | RAM:Plaintext | C | I | Call lifetime | |||||
| KTS_KDK_IFC | RAM:Plaintext | C | I | Call lifetime | KTS_SS_IFC:Unwraps | ||||
| KTS_KEK_IFC | RAM:Plaintext | C | I | Call lifetime | KTS_SS_IFC:Wraps | ||||
| KTS_SS_IFC | RAM:Plaintext | C | O | Call lifetime | KTS_KDK_IFC:Unwrapped By | ||||
| SC_EDK_AES | RAM:Plaintext | C | I | Call lifetime | |||||
| SC_EDK_XTS | RAM:Plaintext | C | I | Call lifetime |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 23: SSP Table 1 I C O I C I O T C I O T I C I C I C I C I C I C I C I C O C C O C O C O C C O C O C
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 I I I I I I O O C O C O O I I I I I I I I O C C C C C C C C C C C Table 24: SSP Table 2 I I C C C C C C C C C Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. The Module maintains only the Counter DRBG state used for key generation as a persistent CSP; this DRBG instance is used exclusively for approved services.
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
Key/Algorithm Type Equivalent Strengths: Reference sources for the strengths provided in SSP Table 1 are specified below. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). Block Cipher (and related functions): • AES (AES-128, AES-192, AES-256): SP 800-57 Part 1 Rev. 5 Table
| Name | Algorithm Or Test | Test Method | Test Type | Test Properties | Indicator |
|---|---|---|---|---|---|
| SW Integrity | SW Integrity | HMAC over the complete module file image | SW/FW Integrity | HMAC-SHA2-256 #A4481 | FIPS_OK or PROV_R_FIPS_MODULE_IN_ERROR_STATE |
| Name | Properties | Test | Indicator | Details | Conditions |
|---|---|---|---|---|---|
| Test | Type | ||||
| AES-ECB | 128-bit | CAST | FIPS_OK | Encrypt | Performed on module load. |
| AES-ECB | 128-bit | CAST | FIPS_OK | Decrypt | Performed on module load. |
| AES-GCM | 256-bit | CAST | FIPS_OK | Encrypt | Performed on module load. |
| AES-GCM | 256-bit | CAST | FIPS_OK | Decrypt | Performed on module load. |
| Counter DRBG | AES-128 with derivation function | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| DSA SigGen | 2048-bit with SHA2-384 | CAST | FIPS_OK | Sign | Performed on module load. |
| DSA SigVer | 2048-bit with SHA2-384 | CAST | FIPS_OK | Verify | Performed on module load. |
| ECDSA SigGen | P-224 with SHA2-512 | CAST | FIPS_OK | Sign | Performed on module load. |
| ECDSA SigVer | P-224 with SHA2-512 | CAST | FIPS_OK | Verify | Performed on module load. |
| EDDSA ED448 | Edwards448 SigGen with SHA2- 256 | CAST | FIPS_OK | Sign | Performed on module load. |
| EDDSA ED448 | Edwards448 SigVer with SHA2- 256 | CAST | FIPS_OK | Verify | Performed on module load. |
| EDDSA ED25519 | Edwards25519 SigGen with SHA2-512 | CAST | FIPS_OK | Sign | Performed on module load. |
| EDDSA ED25519 | Edwards25519 SigVer with SHA2-512 | CAST | FIPS_OK | Verify | Performed on module load. |
| Hash DRBG | SHA2-256 | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| HMAC DRBG | SHA-1 | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| HMAC-SHA2-256 | SHA2-256 with a 256-bit key | CAST | FIPS_OK | Generate | Performed on module load. |
| Test | Type | ||||
| KAS-ECC-SSC | P-256 | CAST | FIPS_OK | Ephemeral Unified Shared Secret | Performed on module load. |
| Sp800-56Ar3 | (Z) Computation | ||||
| KAS-FFC-SSC | L=2048/N=256 | CAST | FIPS_OK | dhEphem Shared Secret (Z) | Performed on module load. |
| Sp800-56Ar3 | Computation | ||||
| KAS-IFC-SSC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Section 8.2.2 RSA | Performed on module load. |
| KAS-KDF | SHA2-224 | CAST | FIPS_OK | SP 800-56C Rev. 2 Section 4 | Performed on module load. |
| OneStep SP800- | OneStep KDF (AKA OpenSSL single- | ||||
| 56Cr2 | step or SS-KDF) | ||||
| KAS-KDF | SHA2-256 | CAST | FIPS_OK | SP 800-56C Rev. 2 Section 5 | Performed on module load. |
| TwoStep SP800- | TwoStep KDF (HKDF variant) | ||||
| KDF ANS 9.42 | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 5.1 ANSI | Performed on module load. |
| KDF ANS 9.63 | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 5.1 | Performed on module load. |
| KDF SP800-108 | HMAC-SHA2-256 | CAST | FIPS_OK | SP 800-108 Rev. 1 Section 4.1 KAT | Performed on module load. |
| KDF SSH | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 5.2 | Performed on module load. |
| KTS-IFC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Decrypt for CRT | Performed on module load. |
| KTS-IFC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Encrypt for Basic | Performed on module load. |
| KTS-IFC | k=2048 | CAST | FIPS_OK | SP 800-56B Rev. 2 Decrypt for Basic | Performed on module load. |
| PBKDF | SHA2-256, 24-byte password, 36-byte salt, iteration count of 4096 | CAST | FIPS_OK | SP 800-132 Section 5.3 KAT of | Performed on module load. |
| RSA SigGen | k=2048 with SHA2-256 | CAST | FIPS_OK | Sign | Performed on module load. |
| RSA SigVer | k=2048 with SHA2-256 | CAST | FIPS_OK | Verify | Performed on module load. |
| SHA-1 | SHA-1 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| SHA2-512 | SHA2-512 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| SHA3-256 | SHA3-256 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| TLS v1.2 KDF | Fixed input KAT | CAST | FIPS_OK | SP 800-135 Rev. 1 Section 4.2.2 TLS | Performed on module load. |
| RFC7627 | 1.2 KAT |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
Table 25: Pre-Operational Self-Tests
FIPS 140-3 Security Policy OneStep SP80056Cr2 TwoStep SP80056Cr2
| Name | Mode Method | Properties | Tes | T Indicator e | Details | Conditions |
|---|---|---|---|---|---|---|
| Test | Typ | |||||
| TLS v1.3 KDF | KAT | Fixed input KAT | CAS | T FIPS_OK | RFC8446 Section 7.1 TLS v1.3 KDF KAT | Performed on module load. |
| DSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on FFC (DSA, KAS-FFC-SSC) key pair |
| (FIPS186-4) | generated key pair | generation, prior to returning the key pair on | ||||
| ECDSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on ECC (ECDSA) key pair generation, |
| (FIPS186-4) | generated key pair | prior to returning the key pair on conclusion of | ||||
| EDDSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on Edwards (EdDSA) key pair |
| generated key pair | generated key pair | generation, prior to returning the key pair on | ||||
| RSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on IFC (RSA, KAS-IFC-SSC, KTS-IFC) key |
| (FIPS186-4) | generated key pair | pair generation, prior to returning the key pair on |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| SW Integrity | SW Integrity | HMAC over the complete module file image | SW/FW Integrity | On demand | Module load |
| AES-ECB | AES-ECB | KAT C | AST | On demand | On power on or reset |
| AES-ECB | AES-ECB | KAT C | AST | On demand | On power on or reset |
| AES-GCM | AES-GCM | KAT C | AST | On demand | On power on or reset |
| AES-GCM | AES-GCM | KAT C | AST | On demand | On power on or reset |
| Counter DRBG | Counter DRBG | KAT C | AST | On demand | On power on or reset |
| DSA SigGen (FIPS186-4) | DSA SigGen (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| DSA SigVer (FIPS186-4) | DSA SigVer (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| ECDSA SigGen (FIPS186-4) | ECDSA SigGen (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| ECDSA SigVer (FIPS186-4) | ECDSA SigVer (FIPS186-4) | KAT C | AST | On demand | On power on or reset |
| EDDSA ED448 SigGen | EDDSA ED448 SigGen | KAT C | AST | On demand | On power on or reset |
| EDDSA ED448 SigVer | EDDSA ED448 SigVer | KAT | CAST | On demand | On power on or reset |
| EDDSA ED25519 SigGen | EDDSA ED25519 SigGen | KAT | CAST | On demand | On power on or reset |
| EDDSA ED25519 SigVer | EDDSA ED25519 SigVer | KAT | CAST | On demand | On power on or reset |
| Hash DRBG | Hash DRBG | KAT | CAST | On demand | On power on or reset |
| HMAC DRBG | HMAC DRBG | KAT | CAST | On demand | On power on or reset |
| HMAC-SHA2-256 | HMAC-SHA2-256 | KAT | CAST | On demand | On power on or reset |
| KAS-ECC-SSC Sp800-56Ar3 | KAS-ECC-SSC Sp800-56Ar3 | KAT | CAST | On demand | On power on or reset |
| KAS-FFC-SSC Sp800-56Ar3 | KAS-FFC-SSC Sp800-56Ar3 | KAT | CAST | On demand | On power on or reset |
| KAS-IFC-SSC | KAS-IFC-SSC | KAT | CAST | On demand | On power on or reset |
| KAS-KDF OneStep SP800-56Cr2 | KAS-KDF OneStep SP800-56Cr2 | KAT | CAST | On demand | On power on or reset |
| KAS-KDF TwoStep SP800-56Cr2 | KAS-KDF TwoStep SP800-56Cr2 | KAT | CAST | On demand | On power on or reset |
| KDF ANS 9.42 | KDF ANS 9.42 | KAT | CAST | On demand | On power on or reset |
| KDF ANS 9.63 | KDF ANS 9.63 | KAT | CAST | On demand | On power on or reset |
| KDF SP800-108 | KDF SP800-108 | KAT | CAST | On demand | On power on or reset |
| KDF SSH | KDF SSH | KAT | CAST | On demand | On power on or reset |
| KTS-IFC | KTS-IFC | KAT | CAST | On demand | On power on or reset |
| KTS-IFC | KTS-IFC | KAT | CAST | On demand | On power on or reset |
| KTS-IFC | KTS-IFC | KAT | CAST | On demand | On power on or reset |
| PBKDF | PBKDF | KAT | CAST | On demand | On power on or reset |
| RSA SigGen (FIPS186-4) | RSA SigGen (FIPS186-4) | KAT | CAST | On demand | On power on or reset |
| RSA SigVer (FIPS186-4) | RSA SigVer (FIPS186-4) | KAT | CAST | On demand | On power on or reset |
| SHA-1 | SHA-1 | KAT | CAST | On demand | On power on or reset |
| SHA2-512 | SHA2-512 | KAT | CAST | On demand | On power on or reset |
| SHA3-256 | SHA3-256 | KAT | CAST | On demand | On power on or reset |
| TLS v1.2 KDF RFC7627 | TLS v1.2 KDF RFC7627 | KAT | CAST | On demand | On power on or reset |
| TLS v1.3 KDF | TLS v1.3 KDF | KAT | CAST | On demand | On power on or reset |
| DSA KeyGen (FIPS186-4) | DSA KeyGen (FIPS186-4) | PCT | PCT | On demand | On power on or reset |
| ECDSA KeyGen (FIPS186-4) | ECDSA KeyGen (FIPS186-4) | PCT | PCT | On demand | On power on or reset |
| EDDSA KeyGen | EDDSA KeyGen | PCT | PCT | On demand | On power on or reset |
| RSA KeyGen (FIPS186-4) | RSA KeyGen (FIPS186-4) | PCT | PCT | On demand | On power on or reset |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3 Table 26: Conditional Self-Tests The intended usage of asymmetric key pairs generated by the Module is not known at the time when the key pair is generated and the pairwise consistency test (PCT) is performed. In all cases, a sign and verify PCT is performed.
Table 27: Pre-Operational Periodic Information CAST CAST CAST CAST CAST CAST CAST CAST CAST CAST
FIPS 140-3 Security Policy Table 28: Conditional Periodic Information Gallagher FIPS Provider for OpenSSL 3
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Self-test | The self-test failure error | If one of the KATs fails or integrity test | PROV_R_FIPS_MODULE_IN_ERROR_STATE | Reload the Module into |
| failure | state | fails | memory |
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. The pre-operational self-tests are available on demand by reloading the Module. On instantiation, the Module performs the pre-operational self-test and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. The fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11.
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
During the manufacturing process, Gallagher Group Ltd executes the build and installation instructions for the Module. The Module is pre-installed and configured in supported Gallagher Group Ltd solutions. The approved mode is enabled by default. There are no additional installation, configuration, or usage instructions for operators intending to use the Module.
Guidance Documentation is inclusive of all information required per ISO/IEC 19790:2012 Section 7.11.9.
The inherent properties of the Module are:
FIPS 140-3 Security Policy Gallagher FIPS Provider for OpenSSL 3
The Module implements mitigations for constant-time implementations and blinding attacks.
Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.
The mitigation mechanisms described in Section 12.2 are inherent within the validated algorithms. No other guidance or constraints are specified.