All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Keysight OpenSSL 3 FIPS Provider for Network Visibility

Certificate#4888StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorKeysight Technologies
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 39 CVEs since this module's initial validation  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/10/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys).
VendorKeysight Technologies

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Keysight OpenSSL 3 FIPS Provider for Network Visibility
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Unauth<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Keysight OpenSSL 3 FIPS Provider for Network Visibility
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Unauth<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Keysight Technologies Keysight OpenSSL 3 FIPS Provider for Network Visibility Document Version 1.2 June 6, 2025 Prepared for: Prepared by: Keysight Technologies KeyPair Consulting Inc.

8310 N. Capital of Texas Hwy 987 Osos Street

Bldg. 2, Suite 300 San Luis Obispo, CA 93401 Austin, TX 78731 +1 805.316.5024 keysight.com keypair.us

Page 2

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Table of Contents

Page 3

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

Page 4

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility List of Tables List of Figures

Page 5

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

1 General
1.1 Overview

Technologies, hereafter denoted the Module. The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as shown in Section 1.2. In accordance with AS02.05, ISO/IEC 19790:2012 §7.7 Physical Security is optional and does not apply to the Module.

1.2 Security Levels

Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 3
12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Module is a cryptographic software library, intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Type: Software Module Embodiment: MultiChipStand

Page 6

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The General Purpose Computer is the TOEPP. Figure 1: Block Diagram

Page 7

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Operating System Hardware Platform Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) Vision 9516 NPB with Intel Pentium D-1517 (Broadwell) processor Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor AppStack release 4.18.0 (requires NPB release 6.9.0) and later running on Debian 12.5 Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor SecureStack release 2.13.0 (requires NPB release 6.8.0) and later running on Debian 12.5 Vision 400 NPB with Intel Xeon Silver 4314 (Icelake-SP) processor Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) Vision Edge 400S NPB with Intel Xeon D-1714) (Icelake-D) processor Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) Vision Edge 400P NPB with Intel Xeon D-1627 (Hewitt Lake) processor Vision NPB release 6.7.1 and later on Ubuntu version 22.04 LTS (Jammy Jellyfish) Vision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) processor AppStack release 4.18.0 (requires NPB release 6.9.0) and later running on Debian 12.5 Vision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) processor SecureStack release 2.14.0 (requires NPB release 6.9.0) and later running on Debian 12.5 Vision 400XT NPB with Intel Xeon Gold 6338N (Icelake-D) processor iBypass DUO release 1.5.1 and later on Yocto poky-kirkstone (v4.0) and later iBypass DUO with Intel E3805 (Atom® E Series) processor CloudLens vTAP release 6.10.0 and later on Ubuntu Version 20.04 LTS (Focal Fossa) Hardware platform with Intel x86_64 processor CloudLens vTAP release 6.10.0 and later on Ubuntu Version 20.04 LTS (Focal Fossa) Hardware platform with amd64 processor Keysight Vision Orchestrator (KVO) release 2.10.0 and later on Ubuntu version 20.04 LTS Hardware platform with Intel x86_64 processor (Focal Fossa) Keysight Vision Orchestrator (KVO) release 2.10.0 and later on Ubuntu version 20.04 LTS Hardware platform with amd64 processor (Focal Fossa) Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the Module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components
Page 9

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Nominal Approved mode of operation Approved Table 5: Modes List and Description The Module only supports an Approved mode of operation. The conditions for using the Module in the Approved mode of operation are:

  1. Installation of the Module as described in Section 11.1 results in the settings described below, which are required for operation in the Approved mode: a. security-checks = 1 Enforce minimum key strengths and approved curve names. b. allow-plaintext-csp-output = 1 Enforce the AS09.16 and AS09.17 requirement for a second independent action to output CSPs as a result of calls that produce CSPs, such as key generation, key unwrap (or decapsulate) and shared secret calculation. c. conditional-errors = 1 Enforce the Module entering the error state on conditional test errors such as PCT failure.
  2. The Module is a cryptographic library used by a calling application. The calling application is responsible for: a. Use of the primitives in the correct sequence. b. Use of keys in accordance with SP 800-140D Rev. 2 (as the keys used by the Module for cryptographic purposes are provided over the call stack by the calling application). c. Use of a SP 800-90B compliant entropy source outside the Module boundary with at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met.
2.5 Algorithms

Approved Algorithms: Cipher Algorithm CAVP Cert Properties Reference AES-CBC A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A6771 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A6771 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A6771 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256

Page 10

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm CAVP Cert Properties Reference AES-CCM A6771 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A6771 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A6771 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A6771 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A6771 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing Revision 2.0 A6771 Direction - Decrypt, Encrypt SP 800-38E Key Length - 128, 256 Table 6: Approved Algorithms - Cipher Key agreement Algorithm CAVP Cert Properties Reference KAS-ECC CDH-Component A6771 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 SP 800-56A SP800-56Ar3 (CVL) Rev. 3 KAS-ECC-SSC Sp800-56Ar3 A6771 Domain Parameter Generation Methods - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, SP 800-56A P-256, P-384, P-521 Rev. 3 Scheme - ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC Sp800-56Ar3 A6771 Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, SP 800-56A modp-2048, modp-3072, modp-4096, modp-6144, modp-8192 Rev. 3 Scheme - dhEphem KAS Role - initiator, responder

Page 11

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm CAVP CertProperties Reference KAS-IFC-SSC A6771 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, Rev. 3 rsakpg2-prime-factor Scheme - KAS1 KAS Role - initiator, responder Scheme - KAS2 KAS Role - initiator, responder Table 7: Approved Algorithms - Key agreement Key derivation Algorithm CAVP Cert Properties Reference KDA HKDF SP800-56Cr2 A6771 Derived Key Length - 2048 SP 800-56C Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 Rev. 2 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 KDA OneStep SP800-56Cr2 A6771 Derived Key Length - 2048 SP 800-56C Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 Rev. 2 KDA TwoStep SP800-56Cr2 A6771 MAC Salting Methods - default, random SP 800-56C KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 (CVL) A6771 KDF Type - DER SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3- Rev. 1 224, SHA3-256, SHA3-384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 (CVL) A6771 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 SP 800-135 Key Data Length - Key Data Length: 128, 4096 Rev. 1 KDF SP800-108 A6771 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096 Rev. 1 KDF SSH (CVL) A6771 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 Rev. 1 PBKDF A6771 Iteration Count - Iteration Count: 1-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 8 TLS v1.2 KDF RFC7627 (CVL) A6771 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 Rev. 1 TLS v1.3 KDF (CVL) A6771 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 8: Approved Algorithms - Key derivation

Page 12

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Key management Algorithm CAVP Cert Properties Reference DSA KeyGen (FIPS186-4) A6771 L - 2048, 3072 FIPS 186-4 N - 224, 256 DSA PQGGen (FIPS186-4) A6771 L - 2048, 3072 FIPS 186-4 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA PQGVer (FIPS186-4) A6771 L - 1024, 2048, 3072 FIPS 186-4 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA KeyGen (FIPS186-4) A6771 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 FIPS 186-4 Secret Generation Mode - Testing Candidates ECDSA KeyVer (FIPS186-4) A6771 Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, FIPS 186-4 P-521 EDDSA KeyGen A6771 Curve - ED-25519, ED-448 FIPS 186-5 EDDSA KeyVer A6771 Curve - ED-25519, ED-448 FIPS 186-5 Safe Primes Key Generation A6771 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, SP 800-56A modp-4096, modp-6144, modp-8192 Rev. 3 Safe Primes Key Verification A6771 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, SP 800-56A modp-4096, modp-6144, modp-8192 Rev. 3 RSA KeyGen (FIPS186-4) A6771 Key Generation Mode - B.3.3 FIPS 186-4 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard Table 9: Approved Algorithms - Key management Key transport Algorithm CAVP Cert Properties Reference KTS-IFC A6771 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, Rev. 2 rsakpg2-prime-factor Scheme -KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 Table 10: Approved Algorithms - Key transport

Page 13

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Message authentication Algorithm CAVP CertProperties Reference AES-CMAC A6771 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-GMAC A6771 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 HMAC-SHA-1 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA2-224 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA2-256 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA2-384 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA2-512 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA2-512/224 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA2-512/256 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA3-224 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA3-256 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA3-384 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 HMAC-SHA3-512 A6771 Key Length - Key Length: 112-2048 Increment 8 FIPS 198-1 KMAC-128 A6771 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A6771 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 Table 11: Approved Algorithms - Message authentication Message digest Algorithm CAVP Cert Properties Reference SHA-1 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8

Page 14

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm CAVP Cert Properties Reference SHA2-512/224 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A6771 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A6771 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A6771 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A6771 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A6771 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A6771 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A6771 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 Table 12: Approved Algorithms - Message digest Random Algorithm CAVP Cert Properties Reference Counter DRBG A6771 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes Hash DRBG A6771 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Rev. 1 HMAC DRBG A6771 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Rev. 1 Table 13: Approved Algorithms - Random Signature Algorithm CAVP Cert Properties Reference ECDSA SigGen (FIPS186-4) A6771 Component - No FIPS 186-4 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA SigVer (FIPS186-4) A6771 Component - No FIPS 186-4 Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256

Page 15

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm CAVP Cert Properties Reference DSA SigGen (FIPS186-4) A6771 L - 2048, 3072 FIPS 186-4 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigVer (FIPS186-4) A6771 L - 1024, 2048, 3072 FIPS 186-4 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 EDDSA SigGen A6771 Curve - ED-25519, ED-448 FIPS 186-5 EDDSA SigVer A6771 Curve - ED-25519, ED-448 FIPS 186-5 RSA SigGen (FIPS186-4) A6771 Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS FIPS 186-4 Modulo - 2048, 3072, 4096 RSA SigGen (FIPS186-5) A6771 Modulo - 2048, 3072, 4096 FIPS 186-5 Signature Type - pkcs1v1.5, pss RSA Signature Primitive (CVL) A6771 Private Key Format - crt FIPS 186-4 RSA SigVer (FIPS186-4) A6771 Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS FIPS 186-4 Modulo - 1024, 2048, 3072, 4096 RSA SigVer (FIPS186-5) A6771 Modulo - 2048, 3072, 4096 FIPS 186-5 Signature Type - pkcs1v1.5, pss Table 14: Approved Algorithms - Signature Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Section 4 Keysight OpenSSL 3 FIPS Provider for Network Visibility NIST, SP 800-133 Rev. 2 CKG Section 5 Keysight OpenSSL 3 FIPS Provider for Network Visibility NIST, SP 800-133 Rev. 2 CKG Section 6.2 Keysight OpenSSL 3 FIPS Provider for Network Visibility NIST, SP 800-133 Rev. 2 Hash DRBG with SHA3-256, SHA3-512 Keysight OpenSSL 3 FIPS Provider for Network Visibility NIST, SP 800-90A Rev. 1 HMAC DRBG with SHA3-256, SHA3-512 Keysight OpenSSL 3 FIPS Provider for Network Visibility NIST, SP 800-90A Rev. 1 Table 15: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this Module. Non-Approved, Not Allowed Algorithms: N/A for this Module.

Page 16

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

2.6 Security Function Implementations

Name Type Description Properties Algorithms Cipher (Unauth) BC-UnAuth AES ciphers AES-CBC: (A6771) AES-CBC-CS1: (A6771) AES-CBC-CS2: (A6771) AES-CBC-CS3: (A6771) AES-CFB1: (A6771) AES-CFB128: (A6771) AES-CFB8: (A6771) AES-CTR: (A6771) AES-ECB: (A6771) AES-OFB: (A6771) AES-XTS Testing Revision 2.0: (A6771) Cipher (Auth) BC-Auth Authenticated ciphers AES-CCM: (A6771) AES-GCM: (A6771) AES-KW: (A6771) AES-KWP: (A6771) CKG Section 4 CKG Using the Output of a Random CKG Section 4: () Bit Generator CKG Section 5 CKG Generation of Key Pairs for CKG Section 5: () Asymmetric-Key Algorithms CKG Section 6.2 CKG Derivation of Symmetric Keys CKG Section 6.2: () Key agreement KAS-SSC Key agreement KAS:KAS-ECC-SSC provides between 112 KAS-ECC CDH-Component SP800-56Ar3: and 256 bits of encryption strength; KAS- (A6771) FFC-SSC provides between 112 and 200 KAS-ECC-SSC Sp800-56Ar3: (A6771) bits of encryption strength; KAS-IFC-SSC KAS-FFC-SSC Sp800-56Ar3: (A6771) provides between 112 and 200 bits of KAS-IFC-SSC: (A6771) encryption strength Key derivation KAS-135KDF KAS-KDF HKDF SP800-56Cr2: (A6771) KAS-56CKDF KAS-KDF OneStep SP800-56Cr2: (A6771) KBKDF KAS-KDF TwoStep SP800-56Cr2: (A6771) PBKDF KDF ANS 9.42: (A6771) KDF ANS 9.63: (A6771) KDF SP800-108: (A6771) KDF SSH: (A6771) PBKDF: (A6771) TLS v1.2 KDF RFC7627: (A6771) TLS v1.3 KDF: (A6771)

Page 17

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Type Description Properties Algorithms Key management ECC AsymKeyPair-KeyGen ECDSA KeyGen (FIPS186-4): (A6771) AsymKeyPair-KeyVer ECDSA KeyVer (FIPS186-4): (A6771) Key management AsymKeyPair-KeyGen EDDSA KeyGen: (A6771) Edwards AsymKeyPair-KeyVer EDDSA KeyVer: (A6771) Key management FFC AsymKeyPair-KeyGen DSA KeyGen (FIPS186-4): (A6771) DSA PQGGen (FIPS186-4): (A6771) DSA PQGVer (FIPS186-4): (A6771) Safe Primes Key Generation: (A6771) Safe Primes Key Verification: (A6771) Key management IFC AsymKeyPair-KeyGen RSA KeyGen (FIPS186-4): (A6771) Key transport KTS-Encap KTS:2048, 3072, 4096 or 6144-bit keys KTS-IFC: (A6771) provide between 112 and 176 bits of encryption strength KTS (Cipher w/ CMAC, BC-Auth SP 800-38F Section 3.1 KTS:128, 192 or 256-bit keys provide AES-CBC: (A6771) GMAC, HMAC, KMAC) BC-UnAuth Provisions between 128 and 256 bits of encryption AES-CBC-CS1: (A6771) MAC strength AES-CBC-CS2: (A6771) AES-CBC-CS3: (A6771) AES-CFB1: (A6771) AES-CFB128: (A6771) AES-CFB8: (A6771) AES-CTR: (A6771) AES-ECB: (A6771) AES-OFB: (A6771) AES-CCM: (A6771) AES-GCM: (A6771) AES-GMAC: (A6771) AES-CMAC: (A6771) HMAC-SHA-1: (A6771) HMAC-SHA2-224: (A6771) HMAC-SHA2-256: (A6771) HMAC-SHA2-384: (A6771) HMAC-SHA2-512: (A6771) HMAC-SHA2-512/224: (A6771) HMAC-SHA2-512/256: (A6771) HMAC-SHA3-224: (A6771) HMAC-SHA3-256: (A6771) HMAC-SHA3-384: (A6771) HMAC-SHA3-512: (A6771)

Page 18

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Type Description Properties Algorithms KMAC-128: (A6771) KMAC-256: (A6771) KTS (AES KW, KWP) BC-Auth KTS:128, 192 or 256-bit keys provide AES-KW: (A6771) between 128 and 256 bits of encryption AES-KWP: (A6771) strength MAC AES (CMAC, GMAC) MAC AES-GMAC: (A6771) AES-CMAC: (A6771) MAC HMAC MAC HMAC-SHA-1: (A6771) HMAC-SHA2-224: (A6771) HMAC-SHA2-256: (A6771) HMAC-SHA2-384: (A6771) HMAC-SHA2-512: (A6771) HMAC-SHA2-512/224: (A6771) HMAC-SHA2-512/256: (A6771) HMAC-SHA3-224: (A6771) HMAC-SHA3-256: (A6771) HMAC-SHA3-384: (A6771) HMAC-SHA3-512: (A6771) MAC KMAC (XOF) XOF KMAC-128: (A6771) KMAC-256: (A6771) Message Digest SHA SHA-1: (A6771) SHA2-224: (A6771) SHA2-256: (A6771) SHA2-384: (A6771) SHA2-512: (A6771) SHA2-512/224: (A6771) SHA2-512/256: (A6771) SHA3-224: (A6771) SHA3-256: (A6771) SHA3-384: (A6771) SHA3-512: (A6771) Message Digest (XOF XOF SHAKE-128: (A6771) SHAKE) SHAKE-256: (A6771) Random DRBG Counter DRBG: (A6771) Hash DRBG: (A6771) HMAC DRBG: (A6771) Signature DSA DigSig-SigGen DSA SigGen (FIPS186-4): (A6771) DigSig-SigVer DSA SigVer (FIPS186-4): (A6771)

Page 19

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Type Description Properties Algorithms Signature ECDSA DigSig-SigGen ECDSA SigGen (FIPS186-4): (A6771) DigSig-SigVer ECDSA SigVer (FIPS186-4): (A6771) Signature EDDSA DigSig-SigGen EDDSA SigGen: (A6771) DigSig-SigVer EDDSA SigVer: (A6771) Signature RSA DigSig-SigGen RSA SigGen (FIPS186-4): (A6771) DigSig-SigVer RSA SigGen (FIPS186-5): (A6771) RSA Signature Primitive: (A6771) RSA SigVer (FIPS186-4): (A6771) RSA SigVer (FIPS186-5): (A6771) Table 16: Security Function Implementations

2.7 Algorithm Specific Information

AES-GCM: The Module supports internal IV generation using the Approved DRBG. The IV is at least 96 bits in length per SP 800-38D Section 8.2.2, and the Approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2-32 per SP 800-38D Section 8. AES-GCM IVs shall be used in compliance with FIPS 140-3 IG C.H scenario 1a (TLS/DTLS 1.2, per RFC 5288), 1d (SSHv2, per RFC 5647) and 5 (TLS 1.3, per RFC 8446). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from SP 800-52 Rev. 1 Section 3.3.1. The Module’s implementation of AES-GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; these protocols have not been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power-cycles: AES-GCM key/IVs are not stored in non-volatile persistent memory (i.e., disk), hence no re-connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264-1 for a given session key. If this exhaustion condition is observed, the Module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. XTS-AES: In accordance with SP 800-38E, the XTS-AES algorithm is to be used for confidentiality on storage devices. The Module complies with FIPS 140-3 IG C.I by:  Generating Key_1 and Key_2 independently according to the rules for component symmetric keys from SP 800-133 Rev. 2, Section 6.3.  Explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them.

Page 20

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Key Agreement: The Module implements the following Approved key agreement methods which have been CAVP tested and validated:  KAS-ECC-SSC per SP 800-56A Rev. 3 (FIPS 140-3 IG D.F Scenario 2, path 1).  KAS-FFC-SSC per SP 800-56A Rev. 3 (FIPS 140-3 IG D.F Scenario 2, path 1).  KAS-IFC-SSC per SP 800-56B Rev. 2 (FIPS 140-3 IG D.F Scenario 1, path 1). The Module obtains the FIPS 140-3 IG D.F required key agreement assurances:  SP 800-56A Rev. 3 in accordance with Section 5.6.2.  SP 800-56B Rev. 2 in accordance with Section 6.4. PBKDF: The implemented PBKDF uses Option 1a specified in SP 800-132 Section 5.4. FIPS 140-3 IG D.N SP 800-132 Password-Based Key Derivation for Storage Applications notes that: The strength of the Data Protection Key is based on the strength of the Password and/or Passphrase used in key derivation. SP 800-132 does not impose any strictly defined requirements on the strength of a password. It says that “passwords should be strong enough so that it is infeasible for attackers to get access by guessing a password.” The choice to use the PBKDF with a password or passphrase is entirely outside the scope of the Module, managed by the calling application

Page 21

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. The Module enforces the following SP 800-132 compliance checks:  The iteration count is at least 1000.  The salt length is at least 128 bits.  The derived key length is at least 112 bits. RSA: The Module complies with FIPS 140-3 IG C.F as follows:  RSA Key Generation, Signature Generation and Signature Verification have been tested and validated with all implemented modulus lengths for which CAVP testing is available: k = 1024 (legacy Signature Verification only), k = 2048, k = 3072, and k = 4096.  The Module also supports RSA Key Generation, Signature Generation and Signature Verification with modulus lengths for which CAVP testing is not available: k > 4096. SHA-3 and SHAKE: The Module complies with FIPS 140-3 IG C.C as follows:  All implemented SHA-3 and SHAKE functions have been tested and validated on all of the Module’s operating environments.  Vendor affirmation is claimed for use of the SHA3-256 and SHA3-512 hash functions as part of the Hash DRBG and HMAC DRBG, for which CAVP testing with SHA-3 is not available.

2.8 RBG and Entropy

N/A for this Module. The calling application is responsible for use of a SP 800-90B compliant entropy source outside the Module boundary providing at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The following caveat applies per FIPS 140-3 IG 9.3.A: No assurance of the minimum strength of generated SSPs (e.g., keys).

2.9 Key Generation

The Module:  Produces random values in accordance with SP 800-133 Rev. 2 Section 4, in that the DRBG output is provided directly as the random output.  Does not provide any service beyond random value generation for symmetric key generation. SSPs used with symmetric key algorithms are provided by the calling application.  Produces asymmetric keys in accordance with SP 800-133 Rev. 2 Section 5, in that all asymmetric keys generated by the Module (the Key management service) provide the output of the approved key generation algorithm with no post-processing or manipulation of the generated key pairs. As noted in the previous item, random values used in the asymmetric key generation algorithms are direct outputs of the DRBG. Keys produced by the Module use an internal Counter DRBG for which the minimum key size and equivalent security strength is 128 bits.  Supports symmetric key derivation in accordance with SP 800-133 Rev. 2 Section 6.2, using the approved and CAVP listed KDF algorithms.

Page 22

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

2.10 Key Establishment

The Module implements key agreement methods compliant with FIPS 140-3 IG D.F and key transport methods compliant with FIPS 140-3 IG D.G. Strengths are provided in Section 2.6.

2.11 Industry Protocols

The Module conforms to FIPS 140-3 IG D.C References to the Support of Industry Protocols: while it provides SP 800-56A Rev. 3 conformant schemes and API entry points oriented to TLS usage, the Module does not contain the full implementation of TLS. The following caveat is required: No parts of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Port Logical Interface(s) Data That Passes N/A (API - input) Control Input API input: stack frame including non-sensitive parameters. Data Input N/A (API - output) Data Output API output: output parameters and return value resulting from call execution. Status Output Table 17: Ports and Interfaces The Module does not interact with physical ports. The Control Output interface is not applicable, as the Module does not control other components.

4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods CO Role CO Table 18: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified), and does not support a maintenance role or a bypass capability. The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document and in associated Guidance Documentation.

Page 23

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

4.3 Approved Services

Name Description Indicator Inputs Outputs Security Functions SSP Access Cipher Encrypt or decrypt data, FIPS_OK Encryption or decryption Status return. Plaintext Cipher (Unauth) CO including AEAD modes key; plaintext or or ciphertext data. Cipher (Auth) - SC_EDK_AES: W,E (CCM, GCM). ciphertext data; flags. - SC_EDK_XTS: W,E Get capabilities Reports information on the FIPS_OK Provider context, Description of requested capabilities. capability, callback capabilities. pointer and arguments. Initialize Module initialization, FIPS_OK Core handle, dispatch in Initialization status (1 = Random CO including instantiation of and out, provider pass, 0 = fail). MAC HMAC - DRBG_EI: W,E,Z the opaque (managed context. - DRBG_Seed: G,E,Z within the module) Counter - DRBG_Key: G,W,E DRBG instance. - DRBG_V: G,W,E Key agreement Perform key agreement FIPS_OK Key structs (key Status return; key CKG Section 5 CO primitives on behalf of the agreement keys); flags. agreement shared Key agreement - KAS_Private_ECC: W,E calling process (does not secret. - KAS_Public_ECC: W,E establish keys into the - KAS_Private_FFC: W,E module). - KAS_Public_FFC: W,E - KAS_Private_IFC: W,E - KAS_Public_IFC: W,E - KAS_SS_ECC: G,R - KAS_SS_FFC: G,R - KAS_SS_IFC: G,R Key derivation Derive keying material from FIPS_OK Key agreement shared Status return; derived Key derivation CO a shared secret. secret; flags. keying material. CKG Section 6.2 - KD_DKM_KDF: G,R - KD_PW_PBKDF: W,E - KD_DKM_PBKDF: G,R - KD_SK: W,E Key management Generate asymmetric key FIPS_OK ECDSA, EdDSA: curve Status return; general Key management ECC CO pairs. identifier. DSA, RSA: digital signature private Key management - DRBG_C: G,W,E domain parameter and public keys. Edwards - DRBG_Key: W,G,E targets. Key management FFC - DRBG_V: W,G,E Key management IFC - GKP_Private_ECC: G,R CKG Section 4 - GKP_Public_ECC: G,R - GKP_Private_Edwards: G,R - GKP_Public_Edwards: G,R - GKP_Private_FFC: G,R - GKP_Public_FFC: G,R

Page 24

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Indicator Inputs Outputs Security Functions SSP Access - GKP_Private_IFC: G,R - GKP_Public_IFC: G,R Key transport Encapsulate or decapsulate FIPS_OK Key encapsulation/ Status return; key CKG Section 5 CO key material on behalf of decapsulation key or Key transport shared secret. Key transport - KTS_KDK_IFC: W,E the calling process. wrap/unwrap key. KTS (Cipher w/ CMAC, - KTS_KEK_IFC: W,E GMAC, HMAC, KMAC) - KTS_SS_IFC: G,R KTS (AES KW, KWP) Message Generate or verify data FIPS_OK Keyed hash key. Status return; MAC MAC AES (CMAC, CO authentication integrity. output value. GMAC) - KH_Key_AES-CMAC: W,E MAC HMAC - KH_Key_AES-GMAC: W,E MAC KMAC (XOF) - KH_Key_HMAC: W,E - KH_Key_KMAC: W,E Message digest Generate a message digest. FIPS_OK Message; flags. Status return; Hash Message Digest output value. Message Digest (XOF SHAKE) Query Report available crypto FIPS_OK Provider context, Array of available operations. operation ID. operations. Random Generate random bits using FIPS_OK DRBG struct (RBG State); Status return; Random Random CO the DRBG. DRBG_Seed. value. CKG Section 4 - DRBG_C: W,E - DRBG_EI: W,E,Z - DRBG_Seed: G,E,Z - DRBG_Key: W,E - DRBG_V: W,E Self-test Perform the self-test FIPS_OK Provider context. Status (1 = pass, 0 = fail). sequence. Show module Return module name and FIPS_OK Provider context, Parameter types (array) name and versioning information. parameter types (array). with: Name, Version. versioning information Show status OpenSSL core metadata FIPS_OK Provider context, Parameter types with: (Gettable parameters; Get parameter types (array). BuildInfo, Status, parameters). SecurityChecks; Status return. Signature Generate or verify digital FIPS_OK Sign: signing key; Status return; Signature CKG Section 5 CO signatures. (SSPs are passed message. Verify: value. Signature DSA - DS_SGK_ECC: W,E in by the calling process.) signature value; flags; Signature ECDSA - DS_SVK_ECC: W,E sizes. Signature EDDSA - DS_SGK_Edwards: W,E Signature RSA - DS_SVK_Edwards: W,E

Page 25

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Indicator Inputs Outputs Security Functions SSP Access - DS_SGK_FFC: W,E - DS_SVK_FFC: W,E - DS_SGK_IFC: W,E - DS_SVK_IFC: W,E Teardown Uninstantiate the module; FIPS_OK Provider context. None. CO zeroizes internal CTR DRBG - DRBG_Key: Z state (DRBG_Key, DRBG_V). - DRBG_V: Z Zeroize Zeroization of allocated key FIPS_OK Memory pointer. Void. CO structures using - DRBG_C: Z openssl_cleanse. - DRBG_EI: Z - DRBG_Key: Z - DRBG_Seed: Z - DRBG_V: Z - DS_SGK_ECC: Z - DS_SGK_Edwards: Z - DS_SGK_FFC: Z - DS_SGK_IFC: Z - DS_SVK_ECC: Z - DS_SVK_Edwards: Z - DS_SVK_FFC: Z - DS_SVK_IFC: Z - GKP_Private_ECC: Z - GKP_Private_Edwards: Z - GKP_Private_FFC: Z - GKP_Private_IFC: Z - GKP_Public_ECC: Z - GKP_Public_Edwards: Z - GKP_Public_FFC: Z - GKP_Public_IFC: Z - KAS_Private_ECC: Z - KAS_Private_FFC: Z - GKP_Private_ECC: Z - KAS_Private_IFC: Z - KAS_Public_ECC: Z - KAS_Public_FFC: Z - KAS_Public_IFC: Z - KAS_SS_ECC: Z - KD_DKM_KDF: Z - KD_DKM_PBKDF: Z

Page 26

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Indicator Inputs Outputs Security Functions SSP Access - KD_SK: Z - KH_Key_AES-CMAC: Z - KH_Key_AES-GMAC: Z - KH_Key_HMAC: Z - KH_Key_KMAC: Z - KTS_KDK_IFC: Z - KTS_KEK_IFC: Z - KTS_SS_IFC: Z - KAS_SS_ECC: Z - SC_EDK_AES: Z - SC_EDK_XTS: Z Table 19: Approved Services All services implemented by the Module correspond to the functionality described by the fips_query function, which returns available services based on an operation_id input. The fips_get_params function provides access to the current status of the Module as well as the name and version; this information correlates to the validation listing. A 1 value returned in status indicates the Module is running without error (FIPS_OK); a 0 return indicates an error (with additional error details indicated as described in the release specific API documentation). Services are only operational in the running state. Any attempts to access services in any other state will result in an error being returned. If the integrity test or any CAST fails then any attempt to access any service will result in an error being returned. The OpenSSL toolkit OSSL_PROVIDER_get_params function is used to invoke fips_get_params, when called with the Module’s global handle and a pointer to a parameter structure (initialized using provider_gettable_params or the equivalent). Regarding the Indicator of approved security services, the Module conforms to FIPS 140-3 IG 2.4.C Approved Security Service Indicator, similar to example 2. Each service provides context sensitive status responses as described in the OpenSSL 3 API manual pages; generally, functions of return type int return the value 1 for success with other error codes as appropriate for the call (described in API documentation). The Module’s name and version parameters (as cited in Section 2) along with the Module’s internal indicators of the security-check and conditional-errors settings are used to confirm the Module is the validated Module operating in the approved mode with only approved security services. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module.

4.4 Non-Approved Services
4.5 External Software/Firmware Loaded
Page 27

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fips.so.mac contains the integrity reference value. The Module is provided in an executable form (as fips.so shared object for use in Linux environments).

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.

5.3 Open-Source Parameters

In accordance with ISO/IEC 19790:2012 Annex B, as the Module is open source, the tools used to build the Module as tested are:  gcc version 9.3.0  perl v5.30.0  gnu make v4.2.1

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable No operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2.4. The Module conforms to FIPS 140-3 IG 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by FIPS 140-3 IG 2.3.C as a known PAA.

7 Physical Security
8 Non-Invasive Security
Page 28

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Name Description Persistence Type RAM R: Random access memory Dynamic Table 20: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Type Distribution Type Entry Type SFI or Algorithm I Calling process Call stack (API) input parameters Plaintext Manual Electronic O Call stack (API) output parameters Calling process Plaintext Manual Electronic Table 21: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Method Description Rationale Operator Initiation C C (Cleanse): Caller invocation of openssl_cleanse. Overwrites with zeros Caller invocation of openssl_cleanse T T (Teardown): Module unload - invokes cleanse internally. Overwrites with zeros Occurs when module is unloaded Table 22: SSP Zeroization Methods All SSPs are zeroized (overwritten with 0s) when they are no longer needed:

9.4 SSPs

Name Description Size - Strength Type - Category Generated By Established By Used By DRBG_C Element of Hash DRBG Size: 440-888 - Hash_DRBG_C - CSP Random Random state. Strength: 160 ≤ s ≤ 256 DRBG_EI Entropy input from an Size: 128-2^35 - Other - CSP Random external source used Strength: 128 ≤ s ≤ 256 for DRBG seeding. DRBG_Key Element of CTR DRBG Size: 128-256, 128-256 - CTR_DRBG_Key, Random Random or HMAC DRBG state. Strength: 128 ≤ s ≤ 256, HMAC_DRBG_Key - CSP

160 ≤ s ≤ 256
Page 29

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Size - Strength Type - Category Generated By Established By Used By DRBG_Seed Seed used for DRBG Size: 128-256 - Other - CSP Random Random Instantiation and Strength: 128 ≤ s ≤ 256 Reseed. DRBG_V Element of CTR, Hash Size: 128-256, 128-256, 128-256 - CTR_DRBG_Key, Hash_DRBG_Key, Random Random or HMAC DRBG state. Strength: 128 ≤ s ≤ 256, HMAC_DRBG_Key - CSP

128 ≤ s ≤ 256, 128 ≤ s ≤ 256

DS_SGK_ECC SigGen (private) key. Size: 233, 283, 409, 571, 233, 283, B-233, B-283, B-409, B-571, K-233, Signature 409, 571, 224, 256, 384, 521 - K-283, K-409, K-571, P-224, P-256, ECDSA Strength: s = 112, s = 128, s = 192, P-384, P-521 - CSP s = 256, s = 112, s = 128, s = 192, s = 256, s = 112, s = 128, s = 192, s = 256 DS_SGK_Edwards SigGen (private) key. Size: 255, 448 - Edwards25519, Edwards448 - CSP Signature Strength: s = 128, s = 224 EDDSA DS_SGK_FFC SigGen (private) key. Size: 2048, 2048, 3072 - L=2048/N=224, L=2048/N=256, Signature DSA Strength: s = 112, s = 112, s = 128 L=3072/N=256 - CSP DS_SGK_IFC SigGen (private) key. Size: 2048, 3072, 4096, 6144, k=2048, k=3072, k=4096, k=6144, Signature RSA

8192 - k=8192 - CSP

Strength: s = 112, s = 128, s = 152, s = 176, s = 200 DS_SVK_ECC SigVer (public) key. Size: 163, 233, 283, 409, 571, 163, B-163, B-233, B-283, B-409, B-571, Signature 233, 283, 409, 571, 192, 224, 256, K-163, K-233, K-283, K-409, K-571, ECDSA 384, 521 - P-192, P-224, P-256, P-384, P-521 Strength: s < 112, s = 112, s = 128, PSP s = 192, s = 256, s < 112, s = 112, s = 128, s = 192, s = 256, s < 112, s = 112, s = 128, s = 192, s = 256 DS_SVK_Edwards SigVer (public) key. Size: 255, 448 - Edwards25519, Edwards448 - PSP Signature Strength: s = 128, s = 224 EDDSA DS_SVK_FFC SigVer (public) key. Size: 1024, 2048, 2048, 3072 - L=1024/N=160, L=2048/N=224, Signature DSA Strength: s < 112, s = 112, s = 112, L=2048/N=256, L=3072/N=256 s = 128 PSP DS_SVK_IFC SigVer (public) key. Size: 1024, 2048, 3072, 4096, k=1024, k=2048, k=3072, k=4096, Signature RSA 6144, 8192 - k=6144, k=8192 - PSP Strength: s ≤ 112, s = 112, s = 128, s = 152, s = 176, s = 200

Page 30

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Size - Strength Type - Category Generated By Established By Used By GKP_Private_ECC General ECDSA Size: 233, 283, 409, 571, 233, 283, B-233, B-283, B-409, B-571, K-233, Key Key (private) key. 409, 571, 224, 256, 384, 521 - K-283, K-409, K-571, P-224, P-256, management management Strength: s = 112, s = 128, s = 192, P-384, P-521 - CSP ECC ECC s = 256, s = 112, s = 128, s = 192, s = 256, s = 112, s = 128, s = 192, s = 256 GKP_Private_Edwards General EdDSA Size: 255, 448 - Edwards25519, Edwards448 - CSP Key Key (private) key. Strength: s = 128, s = 224 management management Edwards Edwards GKP_Private_FFC General FFC (private) Size: 2048, 2048, 3072 - L=2048/N=224, L=2048/N=256, Key Key key. Strength: s = 112, s = 112, s = 128 L=3072/N=256 - CSP management management FFC FFC GKP_Private_IFC General RSA (private) Size: 2048, 3072, 4096, 6144, k=2048, k=3072, k=4096, k=6144, Key Key key. 8192 - k=8192 - CSP management management Strength: s = 112, s = 128, s = 152, IFC IFC s = 176, s = 200 GKP_Public_ECC General ECDSA (public) Size: 233, 283, 409, 571, 233, 283, B-233, B-283, B-409, B-571, K-233, Key Key key. 409, 571, 224, 256, 384, 521 - K-283, K-409, K-571, P-224, P-256, management management Strength: s = 112, s = 128, s = 192, P-384, P-521 - PSP ECC ECC s = 256, s = 112, s = 128, s = 192, s = 256, s = 112, s = 128, s = 192, s = 256 GKP_Public_Edwards General EdDSA (public) Size: 255, 448 - Edwards25519, Edwards448 - PSP Key Key key. Strength: s = 128, s = 224 management management Edwards Edwards GKP_Public_FFC General FFC (public) Size: 2048, 2048, 3072 - L=2048/N=224, L=2048/N=256, Key Key key. Strength: s = 112, s = 112, s = 128 L=3072/N=256 - PSP management management FFC FFC GKP_Public_IFC General RSA (public) Size: 2048, 3072, 4096, 6144, k=2048, k=3072, k=4096, k=6144, Key Key key. 8192 - k=8192 - PSP management management Strength: s = 112, s = 128, s = 152, IFC IFC s = 176, s = 200 KAS_Private_ECC Key pair component Size: 233, 283, 409, 571, 233, 283, B-233, B-283, B-409, B-571, K-233, Key used for shared secret 409, 571, 224, 256, 384, 521 - K-283, K-409, K-571, P-224, P-256, agreement generation. Strength: s = 112, s = 128, s = 192, P-384, P-521 - CSP s = 256, s = 112, s = 128, s = 192, s = 256, s = 112, s = 128, s = 192, s = 256

Page 31

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Size - Strength Type - Category Generated By Established By Used By KAS_Private_FFC Key pair component Size: 2048, 3072, 4096, 6144, ffdhe2048, ffdhe3072, ffdhe4096, Key used for shared secret 8192 - ffdhe6144, ffdhe8192 - CSP agreement generation. Strength: s = 112, 112 ≤ s ≤ 128,

112 ≤ s ≤ 152, 112 ≤ s ≤ 176,
112 ≤ s ≤ 200

KAS_Private_IFC Key pair component Size: 2048, 3072, 4096, 6144, k=2048, k=3072, k=4096, k=6144, Key used for shared secret 8192 - k=8192 - CSP agreement generation. Strength: s = 112, s = 128, s = 152, s = 176, s = 200 KAS_Public_ECC Peer key pair Size: 233, 283, 409, 571, 233, 283, B-233, B-283, B-409, B-571, K-233, Key component used for 409, 571, 224, 256, 384, 521 - K-283, K-409, K-571, P-224, P-256, agreement shared secret Strength: s = 112, s = 128, s = 192, P-384, P-521 - PSP generation. s = 256, s = 112, s = 128, s = 192, s = 256, s = 112, s = 128, s = 192, s = 256 KAS_Public_FFC Peer key pair Size: 2048, 3072, 4096, 6144, ffdhe2048, ffdhe3072, ffdhe4096, Key component used for 8192 - ffdhe6144, ffdhe8192 - PSP agreement shared secret Strength: s = 112, 112 ≤ s ≤ 128, generation. 112 ≤ s ≤ 152, 112 ≤ s ≤ 176,

112 ≤ s ≤ 200

KAS_Public_IFC Peer key pair Size: 2048, 3072, 4096, 6144, k=2048, k=3072, k=4096, k=6144, Key component used for 8192 - k=8192 - PSP agreement shared secret Strength: s = 112, s = 128, s = 152, generation. s = 176, s = 200 KAS_SS_ECC Shared secret Size: 112 - 256 - Other - CSP Key Key calculation z output Strength: 112 - 256 agreement agreement value (for KDF). KAS_SS_FFC Shared secret Size: 112 - 256 - Other - CSP Key Key calculation z output Strength: 112 - 200 agreement agreement value (for KDF). KAS_SS_IFC Shared secret Size: 112 - 256 - Other - CSP Key Key calculation z output Strength: 112 - 200 agreement agreement value (for KDF). KD_DKM_KDF Key derivation derived Size: 128 - 256 - Other - CSP Key derivation Key derivation keying material. Strength: 128 - 256 KD_DKM_PBKDF PBKDF derived key Size: 128 - Other - CSP Key derivation Key derivation material Strength: 128

Page 32

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Description Size - Strength Type - Category Generated By Established By Used By KD_PW_PBKDF PBKDF password input. Size: 128 - Other - CSP Key derivation Key derivation Strength: 128 KD_SK Key derivation source Size: 128 - 256 - Other - CSP Key derivation key material. Strength: 128 - 256 KH_Key_AES-CMAC Keyed Hash key. Size: 128, 192, 256 - AES-128, AES-192, AES-256 - CSP MAC AES Strength: s = 128, s = 192, s = 256 (CMAC, GMAC) KH_Key_AES-GMAC Keyed Hash key. Size: 128, 192, 256 - AES-128, AES-192, AES-256 - CSP MAC AES Strength: s = 128, s = 192, s = 256 (CMAC, GMAC) KH_Key_HMAC Keyed Hash key. Size: 112 - 2048 - Other - CSP MAC HMAC Strength: 112 - 256 KH_Key_KMAC Keyed Hash key. Size: 128, 256 - KMAC128, KMAC256 - CSP MAC KMAC Strength: 112 ≤ s ≤ 128, (XOF)

112 ≤ s ≤ 256

KTS_KDK_IFC RSA key de- Size: 2048, 3072, 4096, 6144 - Other - CSP Key transport encapsulation Key (key Strength: s = 112, s = 128, s = 152, transport). s = 176 KTS_KEK_IFC RSA key encapsulation Size: 2048, 3072, 4096, 6144 - Other - PSP Key transport Key (key transport). Strength: s = 112, s = 128, s = 152, s = 176 KTS_SS_IFC RSA key transport Size: 112 - 256 - Other - CSP Key transport Key transport shared secret. Strength: s = 112 - s = 176 SC_EDK_AES Symmetric encryption Size: 128, 192, 256 - AES-128, AES-192, AES-256 - CSP Cipher and decryption. Strength: s = 128, s = 192, s = 256 (Unauth) Cipher (Auth) SC_EDK_XTS Symmetric encryption Size: 256, 512 - XTS-128, XTS-256 - CSP Cipher and decryption. Strength: s = 128, s = 256 (Unauth) Table 23: SSP Table 1 Name Input - Output Storage Storage Duration Zeroization Related SSPs DRBG_C I RAM:Plaintext Call lifetime C DRBG_Seed:Derived From O DRBG_V:Used with DRBG_EI I RAM:Plaintext Call lifetime C DRBG_Seed:Constituent DRBG_Key I RAM:Plaintext Call lifetime (module up time for internal DRBG) C DRBG_Seed:Derived From O T DRBG_V:Used with

Page 33

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Input - Output Storage Storage Duration Zeroization Related SSPs DRBG_Seed RAM:Plaintext Call lifetime C DRBG_C:Derives DRBG_Key:Derives DRBG_V:Derives DRBG_EI:Incorporates DRBG_V I RAM:Plaintext Call lifetime (module up time for internal DRBG) C DRBG_Seed:Derived From O T DRBG_Key:Used with DS_SGK_ECC I RAM:Plaintext Call lifetime C DS_SVK_ECC:Paired With DS_SGK_Edwards I RAM:Plaintext Call lifetime C DS_SVK_Edwards:Paired With DS_SGK_FFC I RAM:Plaintext Call lifetime C DS_SVK_FFC:Paired With DS_SGK_IFC I RAM:Plaintext Call lifetime C DS_SVK_IFC:Paired With DS_SVK_ECC I RAM:Plaintext Call lifetime C DS_SGK_ECC:Paired With DS_SVK_Edwards I RAM:Plaintext Call lifetime C DS_SGK_Edwards:Paired With DS_SVK_FFC I RAM:Plaintext Call lifetime C DS_SGK_FFC:Paired With DS_SVK_IFC I RAM:Plaintext Call lifetime C DS_SGK_IFC:Paired With GKP_Private_ECC O RAM:Plaintext Call lifetime C GKP_Public_ECC:Paired With GKP_Private_Edwards O RAM:Plaintext Call lifetime C GKP_Public_Edwards:Paired With GKP_Private_FFC O RAM:Plaintext Call lifetime C GKP_Public_FFC:Paired With GKP_Private_IFC O RAM:Plaintext Call lifetime C GKP_Public_IFC:Paired With GKP_Public_ECC O RAM:Plaintext Call lifetime C GKP_Private_ECC:Paired With GKP_Public_Edwards O RAM:Plaintext Call lifetime C GKP_Private_Edwards:Paired With GKP_Public_FFC O RAM:Plaintext Call lifetime C GKP_Private_FFC:Paired With GKP_Public_IFC O RAM:Plaintext Call lifetime C GKP_Private_IFC:Paired With KAS_Private_ECC I RAM:Plaintext Call lifetime C KAS_Public_ECC:Paired With KAS_Private_FFC I RAM:Plaintext Call lifetime C KAS_Public_FFC:Paired With KAS_Private_IFC I RAM:Plaintext Call lifetime C KAS_Public_IFC:Paired With KAS_Public_ECC I RAM:Plaintext Call lifetime C KAS_Private_ECC:Paired With KAS_Public_FFC I RAM:Plaintext Call lifetime C KAS_Private_FFC:Paired With KAS_Public_IFC I RAM:Plaintext Call lifetime C KAS_Private_IFC:Paired With KAS_SS_ECC O RAM:Plaintext Call lifetime C KAS_Private_ECC:Calculated From KAS_Public_ECC:Calculated From KAS_SS_FFC O RAM:Plaintext Call lifetime C KAS_Private_FFC:Calculated From KAS_Public_FFC:Calculated From KAS_SS_IFC O RAM:Plaintext Call lifetime C KAS_Private_IFC:Calculated From KAS_Public_IFC:Calculated From KD_DKM_KDF O RAM:Plaintext Call lifetime C KD_SK:Derived From KD_DKM_PBKDF O RAM:Plaintext Call lifetime C KD_PW_PBKDF:Derived From

Page 34

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Name Input - Output Storage Storage Duration Zeroization Related SSPs KD_PW_PBKDF I RAM:Plaintext Call lifetime C KD_DKM_PBKDF:Derives KD_SK I RAM:Plaintext Call lifetime C KD_DKM_KDF:Derives KH_Key_AES-CMAC I RAM:Plaintext Call lifetime C KH_Key_AES-GMAC I RAM:Plaintext Call lifetime C KH_Key_HMAC I RAM:Plaintext Call lifetime C KH_Key_KMAC I RAM:Plaintext Call lifetime C KTS_KDK_IFC I RAM:Plaintext Call lifetime C KTS_SS_IFC:Unwraps KTS_KEK_IFC I RAM:Plaintext Call lifetime C KTS_SS_IFC:Wraps KTS_SS_IFC O RAM:Plaintext Call lifetime C KTS_KDK_IFC:Unwrapped By KTS_KEK_IFC:Wrapped By SC_EDK_AES I RAM:Plaintext Call lifetime C SC_EDK_XTS I RAM:Plaintext Call lifetime C Table 24: SSP Table 2 Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. The Module maintains only the Counter DRBG state used for key generation as a persistent CSP; this DRBG instance is used exclusively for approved services.

Page 35

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

9.5 Additional Information

Key/Algorithm Type Equivalent Strengths: Reference sources for the strengths provided in SSP Table 1 are specified below. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). Block Cipher (and related functions):  AES (AES-128, AES-192, AES-256): SP 800-57 Part 1 Rev. 5 Table

  1. Digital Signature:  ECC (B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521): SP 800-186 Table 1 (provides approximate elliptic curve security strengths). SP 800-186 and FIPS 140-3 IG C.K indicate that the Binary (B-) and Koblitz (K-) curves are deprecated.  EdDSA (ED-25519, ED-448): SP 800-186 Table 1.  FFC (DSA: L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256): SP 800-57 Part 1 Rev. 5 Table
  2. Security strength for L=2048/N=256 is determined in accordance with FIPS 140-3 IG D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112.  IFC (RSA: k=1024, k=2048, k=3072, k=4096): SP 800-57 Part 1 Rev. 5 Table
  3. In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Secure Hash (and related functions):  SHA-1, SHA2 (SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256): SP 800-107 Rev. 1 Table 1.  SHA3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512): SP 800-57 Part 1 Rev. 5 Table 3.  SHAKE (SHAKE128, SHAKE256): SP 800-185 Section 8.1. Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in SP 800-57 Part 1 Rev. 5 Table
  4. Message Authentication:  KMAC (KMAC128, KMAC256): SP 800-56C Rev. 2 Table
  5. Key Agreement:  KAS-ECC-SSC (B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521): SP 800-56A Rev. 3 Table 24.  KAS-FFC-SSC (FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp-2048, modp-3072, modp-4096, modp-6144, modp-8192): SP 800-56A Rev. 3 Tables 25 and 26.  KAS-IFC-SSC (k=2048, k=3072, k=4096, k=6144, k=8192): SP 800-56B Rev. 2 Table 4 (provides approximate security strengths). Key Agreement Key Derivation:  KDA OneStep: SP 800-56C Rev. 2 Table 1 (hash), Table 2 (HMAC) and Table 3 (KMAC).
Page 36

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Properties Test Method Test Type Indicator Details Test SW Integrity HMAC-SHA2-256 #A6771 HMAC over the complete SW/FW Integrity FIPS_OK or module file image PROV_R_FIPS_MODULE_IN_ERROR_STATE Table 25: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Algorithm or Test Properties Test Test Type Indicator Details Conditions Test Method AES-ECB 128-bit KAT CAST FIPS_OK Encrypt Performed on module load. AES-ECB 128-bit KAT CAST FIPS_OK Decrypt Performed on module load. AES-GCM 256-bit KAT CAST FIPS_OK Encrypt Performed on module load. AES-GCM 256-bit KAT CAST FIPS_OK Decrypt Performed on module load. Counter DRBG AES-128 with derivation KAT CAST FIPS_OK Instantiate, Generate, Reseed Performed on module load. function DSA SigGen 2048-bit with SHA2-384 KAT CAST FIPS_OK Sign Performed on module load. (FIPS186-4) DSA SigVer 2048-bit with SHA2-384 KAT CAST FIPS_OK Verify Performed on module load. (FIPS186-4) ECDSA SigGen P-224 with SHA2-512 KAT CAST FIPS_OK Sign Performed on module load. (FIPS186-4) ECDSA SigVer P-224 with SHA2-512 KAT CAST FIPS_OK Verify Performed on module load. (FIPS186-4) EDDSA ED448 Edwards448 SigGen with KAT CAST FIPS_OK Sign Performed on module load. SigGen SHA2-256 EDDSA ED448 Edwards448 SigVer with KAT CAST FIPS_OK Verify Performed on module load. SigVer SHA2-256 EDDSA ED25519 Edwards25519 SigGen with KAT CAST FIPS_OK Sign Performed on module load. SigGen SHA2-512 EDDSA ED25519 Edwards25519 SigVer with KAT CAST FIPS_OK Verify Performed on module load. SigVer SHA2-512 Hash DRBG SHA2-256 KAT CAST FIPS_OK Instantiate, Generate, Reseed Performed on module load. HMAC DRBG SHA-1 KAT CAST FIPS_OK Instantiate, Generate, Reseed Performed on module load. HMAC-SHA2-256 SHA2-256 with a 256-bit key KAT CAST FIPS_OK Generate Performed on module load.

Page 37

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm or Test Properties Test Test Type Indicator Details Conditions Test Method KAS-ECC-SSC P-256 KAT CAST FIPS_OK Ephemeral Unified Shared Secret Performed on module load. Sp800-56Ar3 (Z) Computation KAS-FFC-SSC L=2048/N=256 KAT CAST FIPS_OK dhEphem Shared Secret (Z) Performed on module load. Sp800-56Ar3 Computation KAS-IFC-SSC k=2048 KAT CAST FIPS_OK SP 800-56B Rev. 2 Section 8.2.2 Performed on module load. RSA Primitive Computation KAS-KDF SHA2-224 KAT CAST FIPS_OK SP 800-56C Rev. 2 Section 4 Performed on module load. OneStep SP800- OneStep KDF (AKA OpenSSL 56Cr2 single-step or SS-KDF) KAS-KDF SHA2-256 KAT CAST FIPS_OK SP 800-56C Rev. 2 Section 5 Performed on module load. TwoStep SP800- TwoStep KDF (HKDF variant) 56Cr2 KDF ANS 9.42 Fixed input KAT KAT CAST FIPS_OK SP 800-135 Rev. 1 Section 5.1 Performed on module load. ANSI X9.42-2001 KDF KAT KDF ANS 9.63 Fixed input KAT KAT CAST FIPS_OK SP 800-135 Rev. 1 Section 5.1 Performed on module load. X9.63-2001 KDF KAT KDF SP800-108 HMAC-SHA2-256 KAT CAST FIPS_OK SP 800-108 Rev. 1 Section 4.1 KAT Performed on module load. for a Counter Mode KDF KDF SSH Fixed input KAT KAT CAST FIPS_OK SP 800-135 Rev. 1 Section 5.2 Performed on module load. SSHv2 KDF KAT KTS-IFC k=2048 KAT CAST FIPS_OK SP 800-56B Rev. 2 Decrypt for CRT Performed on module load. KTS-IFC k=2048 KAT CAST FIPS_OK SP 800-56B Rev. 2 Encrypt for Performed on module load. Basic KTS-IFC k=2048 KAT CAST FIPS_OK SP 800-56B Rev. 2 Decrypt for Performed on module load. Basic PBKDF SHA2-256, 24-byte password, KAT CAST FIPS_OK SP 800-132 Section 5.3 KAT of Performed on module load. 36-byte salt, iteration count Master Key derivation of 4096 RSA SigGen k=2048 with SHA2-256 KAT CAST FIPS_OK Sign Performed on module load. (FIPS186-4) RSA SigVer k=2048 with SHA2-256 KAT CAST FIPS_OK Verify Performed on module load. (FIPS186-4) SHA-1 SHA-1 KAT CAST FIPS_OK Simple SHA KAT Performed on module load. SHA2-512 SHA2-512 KAT CAST FIPS_OK Simple SHA KAT Performed on module load. SHA3-256 SHA3-256 KAT CAST FIPS_OK Simple SHA KAT Performed on module load.

Page 38

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm or Test Properties Test Test Type Indicator Details Conditions Test Method TLS v1.2 KDF Fixed input KAT KAT CAST FIPS_OK SP 800-135 Rev. 1 Section 4.2.2 Performed on module load. RFC7627 TLS 1.2 KAT TLS v1.3 KDF Fixed input KAT KAT CAST FIPS_OK RFC8446 Section 7.1 TLS v1.3 KDF Performed on module load. KAT DSA KeyGen PCT performed using the PCT PCT FIPS_OK Sign, Verify Performed on FFC (DSA, KAS-FFC-SSC) key pair (FIPS186-4) generated key pair generation, prior to returning the key pair on conclusion of the call. ECDSA KeyGen PCT performed using the PCT PCT FIPS_OK Sign, Verify Performed on ECC (ECDSA) key pair (FIPS186-4) generated key pair generation, prior to returning the key pair on conclusion of the call. EDDSA KeyGen PCT performed using the PCT PCT FIPS_OK Sign, Verify Performed on Edwards (EdDSA) key pair generated key pair generation, prior to returning the key pair on conclusion of the call. RSA KeyGen PCT performed using the PCT PCT FIPS_OK Sign, Verify Performed on IFC (RSA, KAS-IFC-SSC, KTS-IFC) (FIPS186-4) generated key pair key pair generation, prior to returning the key pair on conclusion of the call. Table 26: Conditional Self-Tests The intended usage of asymmetric key pairs generated by the Module is not known at the time when the key pair is generated and the pairwise consistency test (PCT) is performed. In all cases, a sign and verify PCT is performed.

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method SW Integrity HMAC over the complete SW/FW Integrity On demand Module load module file image Table 27: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB KAT CAST On demand On power on or reset AES-ECB KAT CAST On demand On power on or reset AES-GCM KAT CAST On demand On power on or reset AES-GCM KAT CAST On demand On power on or reset Counter DRBG KAT CAST On demand On power on or reset DSA SigGen (FIPS186-4) KAT CAST On demand On power on or reset DSA SigVer (FIPS186-4) KAT CAST On demand On power on or reset ECDSA SigGen (FIPS186-4) KAT CAST On demand On power on or reset

Page 39

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility Algorithm or Test Test Method Test Type Period Periodic Method ECDSA SigVer (FIPS186-4) KAT CAST On demand On power on or reset EDDSA ED448 SigGen KAT CAST On demand On power on or reset EDDSA ED448 SigVer KAT CAST On demand On power on or reset EDDSA ED25519 SigGen KAT CAST On demand On power on or reset EDDSA ED25519 SigVer KAT CAST On demand On power on or reset Hash DRBG KAT CAST On demand On power on or reset HMAC DRBG KAT CAST On demand On power on or reset HMAC-SHA2-256 KAT CAST On demand On power on or reset KAS-ECC-SSC Sp800-56Ar3 KAT CAST On demand On power on or reset KAS-FFC-SSC Sp800-56Ar3 KAT CAST On demand On power on or reset KAS-IFC-SSC KAT CAST On demand On power on or reset KAS-KDF OneStep SP800-56Cr2 KAT CAST On demand On power on or reset KAS-KDF TwoStep SP800-56Cr2 KAT CAST On demand On power on or reset KDF ANS 9.42 KAT CAST On demand On power on or reset KDF ANS 9.63 KAT CAST On demand On power on or reset KDF SP800-108 KAT CAST On demand On power on or reset KDF SSH KAT CAST On demand On power on or reset KTS-IFC KAT CAST On demand On power on or reset KTS-IFC KAT CAST On demand On power on or reset KTS-IFC KAT CAST On demand On power on or reset PBKDF KAT CAST On demand On power on or reset RSA SigGen (FIPS186-4) KAT CAST On demand On power on or reset RSA SigVer (FIPS186-4) KAT CAST On demand On power on or reset SHA-1 KAT CAST On demand On power on or reset SHA2-512 KAT CAST On demand On power on or reset SHA3-256 KAT CAST On demand On power on or reset TLS v1.2 KDF RFC7627 KAT CAST On demand On power on or reset TLS v1.3 KDF KAT CAST On demand On power on or reset DSA KeyGen (FIPS186-4) PCT PCT On demand On power on or reset ECDSA KeyGen (FIPS186-4) PCT PCT On demand On power on or reset EDDSA KeyGen PCT PCT On demand On power on or reset RSA KeyGen (FIPS186-4) PCT PCT On demand On power on or reset Table 28: Conditional Periodic Information

Page 40

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

10.4 Error States

Name Description Conditions Recovery Method Indicator Self-test failure The self-test failure error state If one of the KATs fails or Reload the Module into memory PROV_R_FIPS_MODULE_IN_ERROR_STATE integrity test fails Table 29: Error States

10.5 Operator Initiation of Self-Tests

Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. The pre-operational self-tests are available on demand by reloading the Module. On instantiation, the Module performs the pre-operational self-test and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. The fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

During the manufacturing process, Keysight Technologies executes the build and installation instructions for the Module. The Module is pre-installed and configured in supported Keysight Technologies solutions. The approved mode is enabled by default. There are no additional installation, configuration, or usage instructions for operators intending to use the Module.

11.2 Administrator Guidance

Guidance Documentation is inclusive of all information required per ISO/IEC 19790:2012 Section 7.11.9.

11.3 Non-Administrator Guidance
11.4 Design and Rules

The inherent properties of the Module are:

  1. Manual key entry is not supported.
  2. Data output is inhibited during self-tests, zeroization, SSP generation, and error states.
  3. The Module does not perform any cryptographic function if any self-test has failed.
Page 41

FIPS 140-3 Security Policy Keysight OpenSSL 3 FIPS Provider for Network Visibility

12 Mitigation of Other Attacks
12.1 Attack List

The Module implements mitigations for constant-time implementations and blinding attacks.

12.2 Mitigation Effectiveness

Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.

12.3 Guidance and Constraints

The mitigation mechanisms described in Section 12.2 are inherent within the validated algorithms. No other guidance or constraints are specified.