| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Firmware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/17/2029 |
| Caveat | Interim validation. When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Cisco Systems, Inc |
flowchart LR
%% Deterministic review-risk graph for CiscoSSL FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for CiscoSSL FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Cisco Systems, Inc CiscoSSL FIPS Provider Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 7 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 7 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 7 |
| Table 5: Modes List and Description | 8 |
| Table 6: Approved Algorithms - PAA | 14 |
| Table 7: Approved Algorithms - Non-PAA | 19 |
| Table 8: Vendor-Affirmed Algorithms | 20 |
| Table 9: Non-Approved, Not Allowed Algorithms | 20 |
| Table 10: Security Function Implementations | 27 |
| Table 11: Entropy Sources | 29 |
| Table 12: Ports and Interfaces | 30 |
| Table 13: Roles | 31 |
| Table 14: Approved Services | 36 |
| Table 15: Non-Approved Services | 37 |
| Table 16: Storage Areas | 38 |
| Table 17: SSP Input-Output Methods | 38 |
| Table 18: SSP Zeroization Methods | 39 |
| Table 19: SSP Table 1 | 43 |
| Table 20: SSP Table 2 | 47 |
| Table 21: Pre-Operational Self-Tests | 48 |
| Table 22: Conditional Self-Tests | 58 |
| Table 23: Pre-Operational Periodic Information | 58 |
| Table 24: Conditional Periodic Information | 64 |
| Table 25: Error States | 64 |
| Figure 1: Block Diagram | 6 |
FIPS Provider, firmware version 8.0. This Security Policy is provided in accordance with ISO/IEC 19790 Annex B, FIPS 140-3, and SP 800-140B. This Security Policy was prepared as part of the Level 1 FIPS 140-3 validation of the CiscoSSL FIPS provider, and the module meets the overall Level 1 requirements. The following table lists the level of validation for each area in the FIPS PUB 140-3.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security 1
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks 1
Overall Level 1 Table 1: Security Levels
Purpose and Use: The CiscoSSL FIPS Provider is a firmware library that provides cryptographic services to a vast array of Cisco's networking and collaboration products. The cryptographic module provides the cipher operations and Key Derivation functions to support the following protocols: IKEv2/IPSec, sRTP, SSH, TLS, SNMPv3, ANS X9.42, and ANS X.9.63. Full implementations of these protocols are not supported by the module. No parts of the protocols, other than the KDF, have been tested by the CAVP or CMVP. The tested module version is 8.0. The overall security level is 1. The object code in the object module file is incorporated into the runtime executable application at the time the binary executable is generated. The module is provided in an executable form
(as fips.so shared object). The module performs no communications other than with the consuming host application (the process that invokes the module services via the module’s API), which can be considered as the host for the module. Module Type: Firmware Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is the CiscoSSL FIPS Provider, a dynamically loadable library. The module is comprised of a single object module file called fips.so. The module performs no communication other than with the calling application via APIs that invoke the module. Tested Operational Environment’s Physical Perimeter (TOEPP): The module’s TOEPP is the physical perimeter of the tested platforms listed in Table “Tested Operational Environments - Software, Firmware, Hybrid” below. The components of the TOEPP include: Hardware components [Cisco UCS, Storage, RAM, Network Interface Cards]. The module’s block diagram is shown in Figure 1 below. The dashed orange border in the figure denotes the cryptographic boundary of the module. The green border denotes the TOEPP of the module. TOEPP Figure 1: Block Diagram
Tested Module Identification
(UCS) Cisco IOS-XE Cisco Unified Intel Xeon No ESXi 7.0 8.0
(UCS) Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating Hardware System Platform N/A N/A Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
There are no components excluded from the module.
Modes List and Description: Mode Name Description Type Status Indicator Approved Provides services Approved Returns 1 when approved services Mode approved by FIPS 140-3 are run successfully Non- Provides services not Non- Returns 3, ED25519, ED448, Approved approved for use in FIPS Approved X25519, X448 when non-approved Mode 140-3 services are run successfully Table 5: Modes List and Description The module supports both approved and non-approved modes of operation. The module will only enter the approved mode if the module is reloaded and the call to SELF_TEST_post() succeeds, and only approved services are invoked. The module enters non-approved mode when a non-approved service is invoked. Mode Change Instructions and Status: When a non-approved service is invoked while in approved mode of operation, the module implicitly transitions to a non-approved mode. Similarly, when a call to an approved service is made while in non-approved mode of operation, the module transitions to approved mode of operation. The mode can be identified by the indicator, as listed in the table “Modes List and Description” above.
Approved Algorithms: PAA Algorithm CAVP Properties Reference Cert AES-CBC A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3032 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3032 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3032 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3032 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256
Algorithm CAVP Properties Reference Cert AES-CFB128 A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3032 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3032 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3032 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A3032 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3032 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3032 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3032 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A3032 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes DSA KeyGen A3032 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA PQGGen A3032 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256 DSA PQGVer A3032 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigGen A3032 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256
Algorithm CAVP Properties Reference Cert DSA SigVer A3032 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA KeyGen A3032 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3032 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3032 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256 ECDSA SigVer A3032 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Hash DRBG A3032 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256 HMAC DRBG A3032 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256 HMAC-SHA-1 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-224 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-256 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-384 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-512 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2- A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/224 8 HMAC-SHA2- A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/256 8 HMAC-SHA3-224 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-256 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1
Algorithm CAVP Properties Reference Cert HMAC-SHA3-384 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-512 A3032 Key Length - Key Length: 8-524288 Increment FIPS 198-1 KAS-ECC CDH- A3032 Curve - P-256, P-384, P-521 SP 800-56A Component Rev. 3 SP800-56Ar3 (CVL) KAS-ECC-SSC A3032 Domain Parameter Generation Methods - P- SP 800-56A Sp800-56Ar3 256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3032 Domain Parameter Generation Methods - FB, SP 800-56A Sp800-56Ar3 FC, ffdhe2048, ffdhe3072, ffdhe4096, modp- Rev. 3 2048, modp-3072, modp-4096 Scheme dhEphem KAS Role - initiator, responder KAS-IFC-SSC A3032 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, Rev. 3 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KDA HKDF SP800- A3032 Derived Key Length - 2048 SP 800-56C 56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA OneStep A3032 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 KDA TwoStep A3032 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 A3032 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512, SHA2-512/224,
Algorithm CAVP Properties Reference Cert SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 A3032 Hash Algorithm - SHA2-224, SHA2-256, SP 800-135 (CVL) SHA2-384, SHA2-512 Rev. 1 Key Data Length - Key Data Length: 128, 4096 KDF IKEv2 (CVL) A3032 Diffie-Hellman Shared Secret Length - Diffie- SP 800-135 Hellman Shared Secret Length: 2048 Rev. 1 Derived Keying Material Length - Derived Keying Material Length: 3072 Hash Algorithm - SHA-1 KDF SNMP (CVL) A3032 Password Length - Password Length: 256, 64 SP 800-135 Rev. 1 KDF SP800-108 A3032 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, Rev. 1 72, 128, 776, 3456, 4096 KDF SRTP (CVL) A3032 AES Key Length - 128, 192, 256 SP 800-135 Rev. 1 KDF SSH (CVL) A3032 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 KMAC-128 A3032 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3032 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KTS-IFC A3032 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, Rev. 2 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 PBKDF A3032 Iteration Count - Iteration Count: 1-10000 SP 800-132 Increment 1 Password Length - Password Length: 8-128 Increment 8 RSA KeyGen A3032 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096
Algorithm CAVP Properties Reference Cert Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3032 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 2048, 3072, 4096 RSA Signature A3032 Private Key Format - crt FIPS 186-4 Primitive (CVL) RSA SigVer A3032 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 1024, 2048, 3072, 4096 Safe Primes Key A3032 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Generation ffdhe4096, modp-2048, modp-3072, modp- Rev. 3 4096 Safe Primes Key A3032 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Verification ffdhe4096, modp-2048, modp-3072, modp- Rev. 3 4096 SHA-1 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-224 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-256 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-384 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512/224 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512/256 A3032 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA3-224 A3032 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-256 A3032 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-384 A3032 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-512 A3032 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHAKE-128 A3032 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 SHAKE-256 A3032 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 TLS v1.2 KDF A3032 Hash Algorithm - SHA2-256, SHA2-384, SP 800-135 RFC7627 (CVL) SHA2-512 Rev. 1
Algorithm CAVP Properties Reference Cert TLS v1.3 KDF A3032 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 TDES-CBC A3032 Direction - Decrypt SP 800-67 Rev. 2 TDES-CMAC A3032 Direction - Verification SP 800-67 Rev. 2 TDES-ECB A3032 Direction - Decrypt SP 800-67 Rev. 2 Table 6: Approved Algorithms - PAA Non-PAA Algorithm CAVP Properties Reference Cert AES-CBC A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3252 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3252 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3252 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3252 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3252 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3252 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3252 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A3252 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3252 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256
Algorithm CAVP Properties Reference Cert AES-OFB A3252 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3252 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A3252 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes DSA KeyGen A3252 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA PQGGen A3252 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256 DSA PQGVer A3252 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigGen A3252 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256 DSA SigVer A3252 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA KeyGen A3252 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3252 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3252 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256 ECDSA SigVer A3252 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Hash DRBG A3252 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1
Algorithm CAVP Properties Reference Cert 384, SHA2-512, SHA2-512/224, SHA2512/256 HMAC DRBG A3252 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256 HMAC-SHA-1 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-224 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-256 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-384 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-512 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2- A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/224 8 HMAC-SHA2- A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/256 8 HMAC-SHA3-224 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-256 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-384 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-512 A3252 Key Length - Key Length: 8-524288 Increment FIPS 198-1 KAS-ECC CDH- A3252 Curve - P-256, P-384, P-521 SP 800-56A Component Rev. 3 SP800-56Ar3 (CVL) KAS-ECC-SSC A3252 Domain Parameter Generation Methods - P- SP 800-56A Sp800-56Ar3 256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3252 Domain Parameter Generation Methods - FB, SP 800-56A Sp800-56Ar3 FC, ffdhe2048, ffdhe3072, ffdhe4096, modp- Rev. 3 2048, modp-3072, modp-4096 Scheme dhEphem KAS Role - initiator, responder KAS-IFC-SSC A3252 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, Rev. 3
Algorithm CAVP Properties Reference Cert rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KDA HKDF SP800- A3252 Derived Key Length - 2048 SP 800-56C 56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA OneStep A3252 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 KDA TwoStep A3252 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 A3252 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 A3252 Hash Algorithm - SHA2-224, SHA2-256, SP 800-135 (CVL) SHA2-384, SHA2-512 Rev. 1 Key Data Length - Key Data Length: 128, 4096 KDF IKEv2 (CVL) A3252 Diffie-Hellman Shared Secret Length - Diffie- SP 800-135 Hellman Shared Secret Length: 2048 Rev. 1 Derived Keying Material Length - Derived Keying Material Length: 3072 Hash Algorithm - SHA-1 KDF SNMP (CVL) A3252 Password Length - Password Length: 256, 64 SP 800-135 Rev. 1 KDF SP800-108 A3252 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, Rev. 1 72, 128, 776, 3456, 4096 KDF SRTP (CVL) A3252 AES Key Length - 128, 192, 256 SP 800-135 Rev. 1
Algorithm CAVP Properties Reference Cert KDF SSH (CVL) A3252 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 KMAC-128 A3252 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3252 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KTS-IFC A3252 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, Rev. 2 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 PBKDF A3252 Iteration Count - Iteration Count: 1-10000 SP 800-132 Increment 1 Password Length - Password Length: 8-128 Increment 8 RSA KeyGen A3252 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3252 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 2048, 3072, 4096 RSA Signature A3252 Private Key Format - crt FIPS 186-4 Primitive (CVL) RSA SigVer A3252 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 1024, 2048, 3072, 4096 Safe Primes Key A3252 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Generation ffdhe4096, modp-2048, modp-3072, modp- Rev. 3 4096 Safe Primes Key A3252 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Verification ffdhe4096, modp-2048, modp-3072, modp- Rev. 3 4096 SHA-1 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-224 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8
Algorithm CAVP Properties Reference Cert SHA2-256 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-384 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512/224 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512/256 A3252 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA3-224 A3252 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-256 A3252 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-384 A3252 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-512 A3252 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHAKE-128 A3252 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 SHAKE-256 A3252 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 TLS v1.2 KDF A3252 Hash Algorithm - SHA2-256, SHA2-384, SP 800-135 RFC7627 (CVL) SHA2-512 Rev. 1 TLS v1.3 KDF A3252 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 TDES-CBC A3252 Direction - Decrypt SP 800-67 Rev. 2 TDES-CMAC A3252 Direction - Verification SP 800-67 Rev. 2 TDES-ECB A3252 Direction - Decrypt SP 800-67 Rev. 2 Table 7: Approved Algorithms - Non-PAA The module implements the cryptographic algorithms listed in the above tables. The module also supports RSA KeyGen, SigGen and SigVer with modulus size greater than 4096, where CAVP testing is not available. Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG CiscoSSL FIPS Provider Cryptographic Section 4 of NIST SP Section 4 Implementation 800-133 rev2 CKG CiscoSSL FIPS Provider Cryptographic Section 4 of NIST SP Section 4 Implementation Non-PAA 800-133 rev2
Name Properties Implementation Reference CKG CiscoSSL FIPS Provider Cryptographic Section 5 of NIST SP Section 5 Implementation 800-133 rev2 CKG CiscoSSL FIPS Provider Cryptographic Section 5 of NIST SP Section 5 Implementation Non-PAA 800-133 rev2 CKG CiscoSSL FIPS Provider Cryptographic Section 6 of NIST SP Section 6.2 Implementation 800-133 rev2 CKG CiscoSSL FIPS Provider Cryptographic Section 6 of NIST SP Section 6.2 Implementation Non-PAA 800-133 rev2 CKG CiscoSSL FIPS Provider Cryptographic Section 6 of NIST SP Section 6.1 Implementation 800-133 rev2 CKG CiscoSSL FIPS Provider Cryptographic Section 6 of NIST SP Section 6.1 Implementation Non-PAA 800-133 rev2 Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. There are no non-approved and allowed algorithms, hence the table is excluded. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. There are no algorithms that are non-approved but allowed with no security claimed, hence the table is excluded. Non-Approved, Not Allowed Algorithms: Name Use and Function EdDSA KeyGen Asymmetric Key Generation (Ed25519, Ed448, X25519, and X448) EdDSA SigGen Signature generation using Edwards curves (ED25519, ED448) EdDSA SigVer Signature verification using Edwards curves (ED25519, ED448) RSA Primitives RSA Signature generation, verification, encrypt and decrypt primitives Table 9: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Random Number DRBG Used for Counter DRBG Generation random Hash DRBG number and HMAC DRBG Counter DRBG
Name Type Description Properties Algorithms symmetric key Hash DRBG generation HMAC DRBG Asymmetric Key AsymKeyPair- Used to DSA KeyGen Generation KeyGen generate DSA, (FIPS186-4) ECDSA, RSA, ECDSA DH, ECDH, KeyGen keys (FIPS186-4) RSA KeyGen (FIPS186-4) DSA PQGGen (FIPS186-4) Safe Primes Key Generation DSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) DSA PQGGen (FIPS186-4) Safe Primes Key Generation Key Derivation KAS-135KDF Used to derive KDA HKDF Function (KDF) KAS-56CKDF keys using SP800-56Cr2 KBKDF KBKDF, KDF ANS 9.42 PBKDF PBKDF2, KDF ANS 9.63 HKDF, SP KDF IKEv2 800-56C rev2, KDF SNMP One-Step KDF KDF SP800(KDA), Two- 108 Step KDF KDF SRTP (KDA), SP KDF SSH 800-135 rev1 PBKDF TLS 1.2, TLS v1.2 KDF SSHv2, RFC7627 SNMPv3, TLS v1.3 KDF SRTP, IKEv2, KDA HKDF ANSI X9.63- SP800-56Cr2 2001, ANSI KDF ANS 9.42 X9.42-2001 KDF ANS 9.63 KDFs and TLS KDF IKEv2
Name Type Description Properties Algorithms KDF SRTP KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDF KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 Symmetric BC-Auth Used to AES-CBC Encrypt/Decrypt BC-UnAuth encrypt or AES-CBC-CS1 decrypt data. AES-CBC-CS2 TDES: decrypt AES-CBC-CS3 only. Executes AES-CCM using AES AES-CFB1 EDK/TDES DK AES-CFB128 (passed in by AES-CFB8 the calling AES-CTR application) AES-ECB AES-GCM AES-GMAC AES-OFB AES-XTS Testing Revision 2.0 AES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB1 AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-GCM AES-GMAC AES-OFB AES-XTS Testing Revision 2.0
Name Type Description Properties Algorithms TDES-CBC TDES-ECB TDES-CBC TDES-ECB Message Digest SHA Used to SHA-1 (SHS) generate a SHA2-224 SHA-1, SHA-2, SHA2-256 or SHA-3 SHA2-384 message SHA2-512 digest SHA2-512/224 SHA2-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-128 SHAKE-256 SHAKE-128 SHAKE-256 Keyed Hash MAC Used to HMAC-SHA-1 (HMAC/KMAC/CMAC) generate or HMAC-SHA2verify data 224 integrity with HMAC-SHA2HMAC, KMAC 256 or CMAC. HMAC-SHA2TDES: verify 384 only. Executes HMAC-SHA2using HMAC , 512 KMAC, AES or HMAC-SHA2TDES Key 512/224 (passed in by HMAC-SHA2the calling 512/256 application) HMAC-SHA3HMAC-SHA3-
Name Type Description Properties Algorithms HMAC-SHA3HMAC-SHA3HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2512/224 HMAC-SHA2512/256 HMAC-SHA3HMAC-SHA3HMAC-SHA3HMAC-SHA3KMAC-128 KMAC-256 KMAC-128 KMAC-256 AES-CMAC AES-CMAC TDES-CMAC TDES-CMAC Key Wrapping (KW) BC-UnAuth Used to AES-KW encrypt a key AES-KWP value on behalf AES-KW of the calling AES-KWP application. Executes using AES Key Wrapping Key (passed in by the calling application). Key sizes 128,
Name Type Description Properties Algorithms
bits of encryption strength. AESKW, AES-KWP is CAVP tested per FIPS 140-3 IG D.G. Key KAS-SSC Used to KAS-ECC Agreement/Agreement perform key CDHComponent (SP 800- agreement Component 56A rev3, SP 800-56B primitives on SP800-56Ar3 rev2) behalf of the KAS-ECC-SSC calling Sp800-56Ar3 application KAS-FFC-SSC (does not Sp800-56Ar3 establish keys KAS-IFC-SSC into the KAS-ECC module). CDHExecutes using Component DH Private, DH SP800-56Ar3 Public, EC DH KAS-ECC-SSC Private, EC DH Sp800-56Ar3 Public, RSA KAS-FFC-SSC SGK, RSA Sp800-56Ar3 SVK (passed KAS-IFC-SSC in by the calling application). For ECC: Curves P-256, P-384 and P-
of encryption strength. For FFC: 2048,
bit keys providing 112 to 152 bits of security strength. For IFC: 2048, 3072, 4096, 6144, 8192 bit modulus
Name Type Description Properties Algorithms providing 112 to 200 bits of encryption strength. The module follows SP 800-56A rev3 KASECC-SSC (FIPS 140-3 IG D.F Scenario 2 path 1), SP 800-56A rev3 KAS-FFC-SSC (FIPS 140-3 IG D.F Scenario 2 path 1) and SP 800-56B rev2 KAS-IFC-SSC (FIPS 140-3 IG D.F Scenario 1 path 1) Digital Signature DigSig-SigGen Used to DSA SigGen DigSig-SigVer generate or (FIPS186-4) verify RSA, DSA SigVer DSA, ECDSA, (FIPS186-4) digital ECDSA signatures. SigGen Executes using (FIPS186-4) RSA SGK, ECDSA SigVer RSA SVK; (FIPS186-4) DSA SGK, RSA SigGen DSA SVK; (FIPS186-4) ECDSA SGK, DSA SigGen ECDSA SVK, (FIPS186-4) (passed in by DSA SigVer the calling (FIPS186-4) application) ECDSA SigGen (FIPS186-4) ECDSA SigVer (FIPS186-4) RSA SigGen (FIPS186-4) DSA PQGVer (FIPS186-4) DSA PQGVer (FIPS186-4)
Name Type Description Properties Algorithms RSA Signature Primitive RSA SigVer (FIPS186-4) RSA Signature Primitive RSA SigVer (FIPS186-4) Asymmetric Key AsymKeyPair- Used to verify ECDSA Verification KeyVer ECDSA public KeyVer key and (FIPS186-4) SafePrime Safe Primes keys Key Verification ECDSA KeyVer (FIPS186-4) Safe Primes Key Verification Key Transport KTS-Encap Used for key KTS-IFC transport, KTS-IFC supports KTSOAEP. 2048, 3072, 4096 and 6144 bit modulus providing 112 to 176 bits of encryption strength. The module follows SP 800-56B rev2 KTS-IFC (FIPS 140-3 IG D.G). Table 10: Security Function Implementations
AES GCM IV Generation In the case of AES-GCM, the IV generation method is user-selectable, and the value can be computed in more than one manner as follows:
In line with the requirements of SP 800-38E and FIPS 140-3 IG C.I, the keys are generated independently according to Section 6.3 of SP 800-133 rev2 and verification of the keys (key1 ≠ key2) is performed before using them in the AES-XTS algorithm. Key Agreement The module implements the following CAVP tested key agreement methods: SP 800-56A rev3 KAS-ECC-SSC (FIPS 140-3 IG D.F Scenario 2 path
N/A for this module. Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample N/A Non-Physical N/A N/A N/A Table 11: Entropy Sources N/A for this module. The module passively receives entropy from outside the boundary. The caveat “No assurance of the minimum strength of generated SSPs (e.g., keys)” applies to this module. Applications shall use entropy sources that meet the security strength required for the random number generation mechanism as shown in [SP 800-90A rev1] Table 2 (Hash_DRBG, HMAC_DRBG, CTR_DRBG). A minimum of 112-bits of entropy must be supplied. This entropy
is supplied by means of callback functions. Those functions must return an error if the minimum entropy strength cannot be met.
The module generates symmetric and asymmetric keys following the sections of SP 800-133 rev2 as specified in Table “Vendor-Affirmed Algorithms” above. Private and secret keys as well as seeds and entropy input are provided to the module by the calling application and are destroyed when released by the appropriate API function calls. Keys residing in internally allocated data structures (during the lifetime of an API call) can only be accessed using the module defined API. The operating system protects application space from unauthorized access. Only the calling application that creates or imports keys can use or export such keys. All API functions (Module Services) are executed by the calling application invoking an API. Each API either succeeds or fails and is logically non-interruptible from the point of view of the calling application. The module supports generation of ECDSA, RSA, DSA, EC Diffie-Hellman and Diffie-Hellman key pairs per Section 5 in SP 800-133 rev2. The output of SP 800-90A rev1 random bit generator is used for generating the seed used in asymmetric key generation. The module also complies with Sections 6.1 and 6.2 of SP 800-133 rev2.
The module implements key agreement methods per FIPS 140-3 IG D.F and key transport methods per FIPS 140-3 IG D.G (SP 800-38F AES-KW and AES-KWP, SP 800-56B rev2 KTSIFC). Detailed information is provided in Table “Security Function Implementations” Section above.
In reference to FIPS 140-3 IG D.C, the module implements the KDFs of SSH, TLS, IKE, SRTP, SNMP, ANS X9.42 and ANS X9.63 but no parts of the protocols other than the approved cryptographic algorithms and the KDFs have been tested by the CAVP and CMVP.
Physical Logical Data That Passes Port Interface(s) N/A Data Input API entry point data input stack parameters N/A Data Output API output parameters resulting from call execution N/A Control Input API entry point and corresponding stack parameters N/A Status Output API return value resulting from call execution Table 12: Ports and Interfaces
The logical interface is a C-language application program interface (API). The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the actual API functions. The Status Output interface includes the return values of the API functions.
Please note that the module does not support a control output interface and is not applicable for this module.
N/A for this module. The module does not implement authentication mechanisms and does not allow concurrent operators.
Name Type Operator Type Authentication Methods Crypto-Officer Role Crypto-Officer None User Role User None Table 13: Roles The module meets all FIPS 140-3 level 1 requirements for Roles. The Module implements both a User Role (User) as well as the Crypto Officer (CO) role. The User and Crypto Officer roles are implicitly assumed by the application accessing services implemented by the Module.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access Random Used for 1 DRBG Status Random Number CryptoNumber random struct return; Generation Officer Generation number (RBG Random and State); value DRBG_C: symmetri DRBG_S W,E c key eed - Entropy generatio Input: n W,E,Z
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access DRBG_Ke y: W,E DRBG_Se ed: G,E,Z DRBG_V: W,E Asymmetric Generate 1 ECDSA: Status Asymmetric Key CryptoKey asymmet curve return; Generation Officer Generation ric key identifier. general - RSA pairs DSA, digital SGK: G,R RSA: signature - ECDSA domain private and SGK: G,R paramete public keys - DSA r targets SGK: G,R - RSA SVK: G,R - ECDSA SVK: G,R - DSA SVK: G,R - RSA KDK: G,R - RSA KEK: G,R Key Used to 1 Key Status Key Derivation CryptoDerivation derive agreemen return; Function (KDF) Officer Function keys t shared derived - KDF (KDF) using secret; keying Derived KBKDF, flags material Key: G,R PBKDF2, HKDF, SP 80056C rev2 One-Step KDF (KDA), SP 80056C rev2 Two-Step KDF (KDA), SP 800-
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access TLS 1.2, SSHv2, SNMPv3, SRTP, IKEv2, ANSI X9.62001, ANSI X9.422001 KDFs and TLS
Symmetric Used to 1 Encryptio Status Symmetric CryptoEncrypt/Dec encrypt n or return. Encrypt/Decrypt Officer rypt or decryptio Plaintext or - AES decrypt n key; ciphertext EDK: W,E data. plaintext data - AES Executes or GCM: using ciphertext W,E AES data; - AES EDK flags XTS: W,E (passed - AES Key in by the Wrapping: calling W,E applicatio - TDES n) DK: W,E Message Used to 1 Data to Status Message Digest CryptoDigest generate be return. (SHS) Officer (SHS) a SHA-1, hashed Hashed SHA-2, data or SHA-3 message digest Keyed Hash Used to 1 Data to Status Keyed Hash Cryptogenerate be return; (HMAC/KMAC/C Officer or verify hashed MAC output MAC) - HMAC data and value. Key: W,E integrity keying - KMAC with material Key: W,E HMAC, - AES KMAC or CMAC: CMAC. W,E Executes - TDES using
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access HMAC, CMAC: KMAC or W,E AES Key (passed in by the calling applicatio n) Key Used to 1 Keying Encrypted Key Wrapping CryptoWrapping encrypt a material key (KW) Officer (KW) key value - AES Key on behalf Wrapping: of the W,E calling applicatio n. Executes using AES Key Wrapping Key (passed in by the calling applicatio n). AESKW, AESKWP is CAVP tested per FIPS 140-3 IG D.G. Key Used to 1 Key Status Key CryptoAgreement/ perform structs return; key Agreement/Agree Officer Agreement key (key agreement ment Component - DH Component agreeme agreemen shared (SP 800-56A Private: (SP 800- nt t keys); secret rev3, SP 800- W,E 56A rev3) primitives flags 56B rev2) - EC DH on behalf Private: of the W,E calling - RSA applicatio SGK: W,E n (does - DH not Public:
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access establish W,E keys into - EC DH the Public: module). W,E Executes - RSA using DH SVK: W,E Private, DH Public, EC DH Private, EC DH Public, RSA SGK, RSA SVK (passed in by the calling applicatio n) Digital Used to 1 Sign: Status Digital Signature CryptoSignature generate signing return; Officer or verify key; Signature - RSA RSA, message. value SGK: W,E DSA, Verify: - RSA ECDSA, signature SVK: W,E digital value; - DSA signature flags; SGK: W,E s. sizes - DSA Executes SVK: W,E using - ECDSA RSA SGK: W,E SGK, - ECDSA RSA SVK: W,E SVK; DSA SGK, DSA SVK; ECDSA SGK, ECDSA SVK, (passed
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access in by the calling applicatio n) Asymmetric Used to 1 Public Status Asymmetric Key CryptoKey verify Key return Verification Officer Verification ECDSA - ECDSA keys SVK: W,E Module The 1 N/A N/A None Cryptoinitialization module is Officer initialized when the provider is loaded Perform Perform 1 N/A Success/fai None CryptoSelf-Test self-tests lure Officer on message demand Key Used for 1 Key to be Encrypted Key Transport CryptoTransport Key transporte key Officer Transport d - RSA KDK: W,E - RSA KEK: W,E Show Used to N/A N/A name: None CryptoModule output CiscoSSL Officer Name and module FIPS Version name Provider and version: 8.0 version Show Used to N/A N/A status: None CryptoStatus output active Officer module status Table 14: Approved Services The module meets all FIPS 140-3 level 1 requirements for Services. The initialization process is described in the Secure Distribution, Operation, and User Guidance section of this document. CO services with associated input and output are listed in the above table. All the services provided by the module can be accessed by both the User and the Crypto Officer roles. The User Role (User) can load the module and call any of the API functions. The Crypto Officer Role (CO) is responsible for installation of the module on the host computer system and calling of any API functions.
Name Description Algorithms Role Edwards curves Key Key pair generation using Edwards EdDSA CO, Generation curves (ED25519, ED448, X25519, KeyGen User X448) Edwards curves Digital Signature generation using Edwards EdDSA CO, Signature Generation curves (ED25519, ED448) SigGen User Edwards curves Digital Signature verification using Edwards EdDSA CO, Signature Verification curves (ED25519, ED448) SigVer User RSA Primitives RSA Sign, verify, encrypt, decrypt without RSA CO, hashing/padding Primitives User Table 15: Non-Approved Services The module implements non-approved services mentioned in the above table. For these specific services, the service indicators ‘3, ED25519, ED448, X25519, X448’ indicates that the service is non-approved.
Not Applicable for this module.
The module runs a HMAC SHA2-256 integrity verification on the shared object file (fips.so) during initialization by the host application. The module also runs the self-test for HMAC SHA2-
The operator can initiate on-demand integrity test by calling SELF_TEST_post() or rebooting the host platform.
The public verification key used for firmware integrity test is not an SSP.
Type of Operational Environment: Non-Modifiable
How Requirements are Satisfied: The module was tested on the platforms listed in Table 2 for the purposes of this FIPS 140-3 validation. The module is expected to execute correctly on any production grade CPU with commonly used operating system. No operational environment restrictions are required for operation in the approved mode. CiscoSSL FIPS Provider is a Firmware module and classified as a non-modifiable OE. The requirements under ISO/IEC 19790, section 7.6 “Operational environment”, are met by the module for Level 1 firmware requirements.
Not Applicable for this module.
Not Applicable for this module.
Storage Description Persistence Area Type Name RAM Volatile Memory Dynamic Table 16: Storage Areas The module stores DRBG state values for the lifetime of the DRBG instance. The module uses CSPs passed in by the calling application on the stack. The module does not store any CSP persistently (beyond the lifetime of an API call), except for DRBG state values used for the module’s default key generation service. The module implements SP 800-90A rev1 compliant DRBG services for creation of symmetric keys, and for generation of DSA, elliptic curve, and RSA keys as shown in Table 4. The calling application is responsible for storage of generated keys returned by the module.
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API Calling API input Plaintext Manual Electronic Input process parameters API API output Calling Plaintext Manual Electronic Output parameters process Table 17: SSP Input-Output Methods
All CSPs enter the module’s boundary in plaintext as API parameters, associated by memory location. However, none crosses the physical parameter. The module does not output CSPs, other than as explicit results of key generation services or keys passed into the module by the calling application.
Zeroization Method Description Rationale Operator Initiation OPENSSL_cleanse() API call clears the Zeroized SSPs will no longer Allowed temporarily stored CSPs be accessible through API calls Power Cycle Power Cycle zeroizes all Operating System zeroizes all Allowed stored SSPs the stored SSPs Table 18: SSP Zeroization Methods Zeroization of sensitive data is performed automatically by API function calls for temporarily stored CSPs. The calling application is responsible for parameters passed in and out of the module. Successful completion of the zeroization service is determined by clean execution of OPENSSL_cleanse() without any errors being returned or a successful reboot of the host platform.
Name Descripti Size - Type - Generat Establis Used By on Strength Category ed By hed By RSA Used to 2048, Signature Asymme Digital Signature SGK generate 3072, Generation tric Key Digital 4096 bits Key - CSP Generati Signature - 112, on s 128, 152 bits RSA Used in 2048, Key Transport Asymme Key Transport KDK Asymmetr 3072 Key - CSP tric Key ic Key 4096 bits Generati Operation - 112, on to to 128, 152 decrypt bits keys DSA Used to 2048, Signature Asymme Digital Signature SGK generate 3072 bits Generation tric Key Digital - 112, Key - CSP Generati Signature 128 bits on s
Name Descripti Size - Type - Generat Establis Used By on Strength Category ed By hed By ECDSA Used to 256, 384, Signature Asymme Digital Signature SGK generate 521 bits - Generation tric Key Digital 128, 192, Key - CSP Generati Signature 256 bits on s DH Used for 2048, Key Asymme Key Private Key 3072 bits Agreement tric Key Agreement/Agre Agreeme - 112, Key - CSP Generati ement nt 128 bits on Component (SP 800-56A rev3, SP 800-56B rev2) EC DH Used for 256, 384, Key Asymme Key Private Key 521 bits - Agreement tric Key Agreement/Agre Agreeme 128, 192, Key - CSP Generati ement nt 256 bits on Component (SP 800-56A rev3, SP 800-56B rev2) AES EDK Used for 128, 192, Symmetric Random Symmetric Symmetri 256 bits - Key - CSP Number Encrypt/Decrypt c encrypt 128, 192, Generati and 256 bits on decrypt operation s AES Used for 128, 192, Symmetric Random Keyed Hash CMAC MAC 256 bits - Key - CSP Number (HMAC/KMAC/C calculatio 128, 192, Generati MAC) n and 256 bits on verificatio n AES Used for 128, 192, Symmetric Random Symmetric GCM authentic 256 bits - Key - CSP Number Encrypt/Decrypt ated 128, 192, Generati cipher 256 bits on operation s AES XTS Used for 128, 256 Symmetric Random Symmetric cipher bits - Key - CSP Number Encrypt/Decrypt operation 128, 256 Generati bits on AES Key Used for 128, 192, Symmetric Random Key Wrapping Wrapping key 256 bits - Key - CSP Number (KW) wrapping 128, 192, Generati
Name Descripti Size - Type - Generat Establis Used By on Strength Category ed By hed By HMAC Used for 128 to Keyed Hash - Random Keyed Hash Key MAC 524288 CSP Number (HMAC/KMAC/C generatio bits - Generati MAC) n and greater on verificatio than 128 n bits KMAC Used for 256, 512 Keyed Hash - Keyed Hash Key MAC bits - CSP (HMAC/KMAC/C generatio 128, 256 MAC) n bits DRBG_C Element 440-888 DRBG State - Random Random of Hash bits - CSP Number Number DRBG 160-256 Generati Generation state, bits on defined per FIPS 140-3 IG D.L Entropy Entropy 128-2^35 Entropy Input Random Input input from - 128 - - CSP Number an 256 Generation external source used for DRBG seeding, defined per FIPS 140-3 IG D.L DRBG_K Element CTR_DR CTR_DRBG_ Random Random ey of CTR BG: 128- Key, Number Number DRBG or 256, HMAC_DRBG Generati Generation HMAC HMAC _Key - CSP on DRBG DRBG: state, 128-256 defined CTR_DR per FIPS BG: 128 140-3 IG 256, D.L HMAC DRBG:
DRBG_S Seed 128-256 - DRBG Seed - Random Random eed used for 128 - 256 CSP Number Number DRBG Generati Generation Instantiati on
Name Descripti Size - Type - Generat Establis Used By on Strength Category ed By hed By on and Reseed, defined per FIPS 140-3 IG D.L DRBG_V Element CTR_DR DRBG State - Random Random of CTR, BG: 128- CSP Number Number Hash or 256, Generati Generation HMAC Hash on DRBG DRBG: state, 128-256, defined HMAC per FIPS DRBG: 140-3 IG 128-256 D.L CTR_DR BG: 128 256, Hash DRBG:
RSA SVK RSA 1024, Verification Asymme Digital Signature signature 2048, Key - PSP tric Key verificatio 3072, Generati n public 4096 bits on key - 80, 112, 128, 152 bits RSA KEK RSA key 2048, Encryption Asymme Key Transport encryptio 3072, Key - PSP tric Key n (public 4096 bits Generati key - 112, on transport) 128, 152 key bits DSA SVK DSA 1024, Verification Asymme Digital Signature signature 2048, Key - PSP tric Key verificatio 3072 bits Generati n key - 80, 112, on
ECDSA ECDSA 233, 283, Verification Asymme Digital Signature SVK signature 409, 571, Key - PSP tric Key 233, 283,
Name Descripti Size - Type - Generat Establis Used By on Strength Category ed By hed By verificatio 409, 571, Generati n key 224, 256, on 384, 521 - 112, 128, 192,
DH DH public 2048, Public Key Asymme Key Public key 3072 bits Agreement tric Key Agreement/Agre agreemen - 112, Key - PSP Generati ement t key 128 bits on Component (SP 800-56A rev3, SP 800-56B rev2) EC DH EC DH 256, 384, Public Key Asymme Key Public public key 521 bits - Agreement tric Key Agreement/Agre agreemen 128, 192, Key - PSP Generati ement t key 256 bits on Component (SP 800-56A rev3, SP 800-56B rev2) KDF Key 128, 256 Derived Key - Key Key Derivation Derived derived bits - CSP Derivati Function (KDF) Key from 128, 256 on KDFs bits Function (KDF) TDES DK TDES 168 bits - Symmetric Random Symmetric Decryptio 112 bits Key - CSP Number Encrypt/Decrypt n key Generati on TDES Used for 168 bits - Verification Random Keyed Hash CMAC MAC 112 bits Key - PSP Number (HMAC/KMAC/C verificatio Generati MAC) n on Table 19: SSP Table 1 Name Input Storage Storage Zeroization Related SSPs - Duratio Outpu n t RSA SGK API RAM:Plainte Until OPENSSL_cleans RSA SVK:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call
Name Input Storage Storage Zeroization Related SSPs - Duratio Outpu n t RSA KDK API RAM:Plainte Until OPENSSL_cleans RSA KEK:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call DSA SGK API RAM:Plainte Until OPENSSL_cleans DSA SVK:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call ECDSA API RAM:Plainte Until OPENSSL_cleans ECDSA SVK:Paired SGK Input xt zeroize e() With API d by Power Cycle Outpu reboot t or API call DH Private API RAM:Plainte Until OPENSSL_cleans DH Public:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call EC DH API RAM:Plainte Until OPENSSL_cleans EC DH Public:Paired Private Input xt zeroize e() With API d by Power Cycle Outpu reboot t or API call AES EDK API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call AES CMAC API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call
Name Input Storage Storage Zeroization Related SSPs - Duratio Outpu n t AES GCM API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call AES XTS API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call AES Key API RAM:Plainte Until OPENSSL_cleans Wrapping Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call HMAC Key API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call KMAC Key API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call DRBG_C API RAM:Plainte Until OPENSSL_cleans DRBG_Seed:Derived Input xt zeroize e() From API d by Power Cycle DRBG_V:Used With Outpu reboot t or API call Entropy API RAM:Plainte Until OPENSSL_cleans DRBG_Seed:Constitu Input Input xt zeroize e() ent d by Power Cycle reboot or API call
Name Input Storage Storage Zeroization Related SSPs - Duratio Outpu n t DRBG_Key API RAM:Plainte Until OPENSSL_cleans DRBG_Seed:Derived Input xt zeroize e() From API d by Power Cycle DRBG_V:Used With Outpu reboot t or API call DRBG_See RAM:Plainte Until OPENSSL_cleans DRBG_C:Derives d xt zeroize e() DRBG_Key:Derives d by Power Cycle DRBG_V:Derives reboot Entropy or API Input:Incorporates call DRBG_V API RAM:Plainte Until OPENSSL_cleans DRBG_Seed:Derived Input xt zeroize e() From API d by Power Cycle DRBG_Key:Used With Outpu reboot t or API call RSA SVK API RAM:Plainte Until OPENSSL_cleans RSA SGK:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call RSA KEK API RAM:Plainte Until OPENSSL_cleans RSA KDK:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call DSA SVK API RAM:Plainte Until OPENSSL_cleans DSA SGK:Paired With Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call ECDSA API RAM:Plainte Until OPENSSL_cleans ECDSA SGK:Paired SVK Input xt zeroize e() With API d by Power Cycle Outpu reboot t or API call
Name Input Storage Storage Zeroization Related SSPs - Duratio Outpu n t DH Public API RAM:Plainte Until OPENSSL_cleans DH Private:Paired Input xt zeroize e() With API d by Power Cycle Outpu reboot t or API call EC DH API RAM:Plainte Until OPENSSL_cleans EC DH Private:Paired Public Input xt zeroize e() With API d by Power Cycle Outpu reboot t or API call KDF API Until OPENSSL_cleans Derived Outpu zeroize e() Key t d by Power Cycle reboot or API call TDES DK API RAM:Plainte Until OPENSSL_cleans Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call TDES API RAM:Plainte Until OPENSSL_cleans CMAC Input xt zeroize e() API d by Power Cycle Outpu reboot t or API call Table 20: SSP Table 2
Algorithm Test Test Test Indicator Details or Test Properties Method Type HMAC- 256 bits Firmware SW/FW Returns 1 The SELF_TEST_post() SHA2-256 Integrity Integrity when function performs all power-up (A3032) Test power up self-tests listed above with no
Algorithm Test Test Test Indicator Details or Test Properties Method Type self tests operator intervention required succeed when the module loads, returning a “1” if all power-up self-tests succeed, and a “0” otherwise. The power-up selftests may also be performed on-demand by calling this function and interpretation of the return code is the responsibility of the calling application HMAC- 256 bits Firmware SW/FW Returns 1 The SELF_TEST_post() SHA2-256 Integrity Integrity when function performs all power-up (A3252) Test power up self-tests listed above with no self tests operator intervention required succeed when the module loads, returning a “1” if all power-up self-tests succeed, and a “0” otherwise. The power-up selftests may also be performed on-demand by calling this function and interpretation of the return code is the responsibility of the calling application Table 21: Pre-Operational Self-Tests The module performs firmware integrity test and conditional Cryptographic Algorithm Self-Tests (CASTs) before it is operational. The module is single threaded and will not return to the calling application until the CASTs are complete. If the self-tests fail, the module goes to an error state and subsequent calls to the module will fail and thus no further cryptographic operations are possible. The CO can clear the error state by restarting the host platform.
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d AES-ECB 128 bits KAT CAS Returns 1 Encrypt Upon power-up (A3032) T on KAT and call of successful SELF_TEST_post( completio ) function n AES-ECB 128 bits KAT CAS Returns 1 Encrypt Upon power-up (A3252) T on KAT and call of
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d successful SELF_TEST_post( completio ) function n AES- 256 bits KAT CAS Returns 1 Encrypt Upon power-up GCM T on KAT and call of (A3032) successful SELF_TEST_post( completio ) function n AES- 256 bits KAT CAS Returns 1 Encrypt Upon power-up GCM T on KAT and call of (A3252) successful SELF_TEST_post( completio ) function n AES- 128, 192, 256 KAT CAS Returns 1 Generate Upon power-up CMAC bits T on KAT and call of (A3032) successful SELF_TEST_post( completio ) function n AES- 128, 192, 256 KAT CAS Returns 1 Generate Upon power-up CMAC bits T on KAT and call of (A3252) successful SELF_TEST_post( completio ) function n Counter AES-128 with KAT CAS Returns 1 Instantiate, Upon power-up DRBG derivation T on Generate, and call of (A3032) function successful Reseed SELF_TEST_post( completio ) function n Counter AES-128 with KAT CAS Returns 1 Instantiate, Upon power-up DRBG derivation T on Generate, and call of (A3252) function successful Reseed SELF_TEST_post( completio ) function n Hash SHA2-256 KAT CAS Returns 1 Instantiate, Upon power-up DRBG T on Generate, and call of (A3032) successful Reseed SELF_TEST_post( completio ) function n Hash SHA2-256 KAT CAS Returns 1 Instantiate, Upon power-up DRBG T on Generate, and call of (A3252) successful Reseed SELF_TEST_post( completio ) function n
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d HMAC SHA-1 KAT CAS Returns 1 Instantiate, Upon power-up DRBG T on Generate, and call of (A3032) successful Reseed SELF_TEST_post( completio ) function n HMAC SHA-1 KAT CAS Returns 1 Instantiate, Upon power-up DRBG T on Generate, and call of (A3252) successful Reseed SELF_TEST_post( completio ) function n DSA 2048-bit with KAT CAS Returns 1 Sign Upon power-up SigGen SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3032) n DSA 2048-bit with KAT CAS Returns 1 Sign Upon power-up SigGen SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3252) n DSA 2048-bit with KAT CAS Returns 1 Verify Upon power-up SigVer SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3032) n DSA 2048-bit with KAT CAS Returns 1 Verify Upon power-up SigVer SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3252) n ECDSA P-256 with KAT CAS Returns 1 Sign Upon power-up SigGen SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3032) n ECDSA P-256 with KAT CAS Returns 1 Sign Upon power-up SigGen SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3252) n ECDSA P-256 with KAT CAS Returns 1 Verify Upon power-up SigVer SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3032) n
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d ECDSA P-256 with KAT CAS Returns 1 Verify Upon power-up SigVer SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3252) n RSA k=2048 with KAT CAS Returns 1 Sign Upon power-up SigGen SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3032) n RSA k=2048 with KAT CAS Returns 1 Sign Upon power-up SigGen SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3252) n RSA k=2048 with KAT CAS Returns 1 Verify Upon power-up SigVer SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3032) n RSA k=2048 with KAT CAS Returns 1 Verify Upon power-up SigVer SHA2-256 T on and call of (FIPS186- successful SELF_TEST_post( 4) completio ) function (A3252) n KAS- L=2048/N=25 KAT CAS Returns 1 dhEphem Upon power-up FFC-SSC 6 T on Shared and call of Sp800- successful Secret (Z) SELF_TEST_post( 56Ar3 completio Computatio ) function (A3032) n n KAS- L=2048/N=25 KAT CAS Returns 1 dhEphem Upon power-up FFC-SSC 6 T on Shared and call of Sp800- successful Secret (Z) SELF_TEST_post( 56Ar3 completio Computatio ) function (A3252) n n KAS- P-256 KAT CAS Returns 1 Ephemeral Upon power-up ECC-SSC T on Unified and call of Sp800- successful Shared SELF_TEST_post( 56Ar3 completio Secret (Z) ) function (A3032) n Computatio n KAS- P-256 KAT CAS Returns 1 Ephemeral Upon power-up ECC-SSC T on Unified and call of Sp800- successful Shared SELF_TEST_post( Secret (Z) ) function
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d 56Ar3 completio Computatio (A3252) n n KAS-IFC- k=2048 KAT CAS Returns 1 [SP 800- Upon power-up SSC T on 56B rev2] and call of (A3032) successful Section SELF_TEST_post( completio 8.2.2 RSA ) function n Primitive Computatio n KAS-IFC- k=2048 KAT CAS Returns 1 [SP 800- Upon power-up SSC T on 56B rev2] and call of (A3252) successful Section SELF_TEST_post( completio 8.2.2 RSA ) function n Primitive Computatio n SHA-1 SHA-1 KAT CAS Returns 1 Simple SHA Upon power-up (A3032) T on KAT and call of successful SELF_TEST_post( completio ) function n SHA-1 SHA-1 KAT CAS Returns 1 Simple SHA Upon power-up (A3252) T on KAT and call of successful SELF_TEST_post( completio ) function n SHA2- SHA2-512 KAT CAS Returns 1 Simple SHA Upon power-up
512 T on KAT and call of
(A3032) successful SELF_TEST_post( completio ) function n SHA2- SHA2-512 KAT CAS Returns 1 Simple SHA Upon power-up
512 T on KAT and call of
(A3252) successful SELF_TEST_post( completio ) function n SHA3- SHA3-256 KAT CAS Returns 1 Simple SHA Upon power-up
256 T on KAT and call of
(A3032) successful SELF_TEST_post( completio ) function n SHA3- SHA3-256 KAT CAS Returns 1 Simple SHA Upon power-up
256 T on KAT and call of
(A3252) successful SELF_TEST_post( ) function
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d completio n HMAC- SHA2-256 KAT CAS Returns 1 Generate Upon power-up SHA2- with a 256-bit T on and call of
256 key successful SELF_TEST_post(
(A3032) completio ) function n HMAC- SHA2-256 KAT CAS Returns 1 Generate Upon power-up SHA2- with a 256-bit T on and call of
256 key successful SELF_TEST_post(
(A3252) completio ) function n KDF HMAC-SHA2- KAT CAS Returns 1 [S P800- Upon power-up SP800- 256 T on 108 rev1] and call of
108 successful Section 4.1 SELF_TEST_post(
(A3032) completio KAT for a ) function n Counter Mode KDF KDF HMAC-SHA2- KAT CAS Returns 1 [SP 800- Upon power-up SP800- 256 T on 108 rev1] and call of
108 successful Section 4.1 SELF_TEST_post(
(A3252) completio KAT for a ) function n Counter Mode KDF KDA SHA2-224 KAT CAS Returns 1 [SP 800- Upon power-up OneStep T on 56C rev2] and call of SP800- successful Section 4 SELF_TEST_post( 56Cr2 completio OneStep ) function (A3032) n KDF (AKA OpenSSL single-step or SS-KDF) KDA SHA2-224 KAT CAS Returns 1 [SP 800- Upon power-up OneStep T on 56C rev2] and call of SP800- successful Section 4 SELF_TEST_post( 56Cr2 completio OneStep ) function (A3252) n KDF (AKA OpenSSL single-step or SS-KDF) KDA SHA2-256 KAT CAS Returns 1 [SP 800- Upon power-up TwoStep T on 56C rev2] and call of SP800- successful Section 5 SELF_TEST_post( 56Cr2 completio TwoStep ) function (A3032) n
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d KDF (HKDF variant) KDA SHA2-256 KAT CAS Returns 1 [SP 800- Upon power-up TwoStep T on 56C rev2] and call of SP800- successful Section 5 SELF_TEST_post( 56Cr2 completio TwoStep ) function (A3252) n KDF (HKDF variant) PBKDF SHA2-256, KAT CAS Returns 1 [SP 800- Upon power-up (A3032) 24-byte T on 132] and call of password, 36- successful Section 5.3 SELF_TEST_post( byte salt, completio KAT of ) function iteration count n Master Key of 4096 derivation PBKDF SHA2-256, KAT CAS Returns 1 [SP 800- Upon power-up (A3252) 24-byte T on 132] and call of password, 36- successful Section 5.3 SELF_TEST_post( byte salt, completio KAT of ) function iteration count n Master Key of 4096 derivation TLS v1.3 Fixed input KAT CAS Returns 1 [RFC8446] Upon power-up KDF KAT T on Section 7.1 and call of (A3032) successful TLS v1.3 SELF_TEST_post( completio KDF KAT ) function n TLS v1.3 Fixed input KAT CAS Returns 1 [RFC8446] Upon power-up KDF KAT T on Section 7.1 and call of (A3252) successful TLS v1.3 SELF_TEST_post( completio KDF KAT ) function n TLS v1.2 Fixed input KAT CAS Returns 1 [SP 800- Upon power-up KDF KAT T on 135 rev1] and call of RFC7627 successful Section SELF_TEST_post( (A3032) completio 4.2.2 TLS ) function n 1.2 KAT TLS v1.2 Fixed input KAT CAS Returns 1 [SP 800- Upon power-up KDF KAT T on 135 rev1] and call of RFC7627 successful Section SELF_TEST_post( (A3252) completio 4.2.2 TLS ) function n 1.2 KAT DSA PCT PCT PCT Returns 1 Sign, Verify Performed on FFC KeyGen performed on (DSA, KAS-FFC(FIPS186- using the successful SSC) key pair 4) generated key completio generation, prior to (A3032) pair n returning the key
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d pair on conclusion of the call DSA PCT PCT PCT Returns 1 Sign, Verify Performed on FFC KeyGen performed on (DSA, KAS-FFC(FIPS186- using the successful SSC) key pair 4) generated key completio generation, prior to (A3252) pair n returning the key pair on conclusion of the call ECDSA PCT PCT PCT Returns 1 Sign, Verify Performed on ECC KeyGen performed on (ECDSA, KAS(FIPS186- using the successful ECC CDH4) generated key completio Component, KAS(A3032) pair n ECC-SSC) key pair generation, prior to returning the key pair on conclusion of the call ECDSA PCT PCT PCT Returns 1 Sign, Verify Performed on ECC KeyGen performed on (ECDSA, KAS(FIPS186- using the successful ECC CDH4) generated key completio Component, KAS(A3252) pair n ECC-SSC) key pair generation, prior to returning the key pair on conclusion of the call RSA PCT PCT PCT Returns 1 Sign, Verify Performed on IFC KeyGen performed on (RSA, KAS-IFC(FIPS186- using the successful SSC, KTS-IFC) 4) generated key completio key pair (A3032) pair n generation, prior to returning the key pair on conclusion of the call RSA PCT PCT PCT Returns 1 Sign, Verify Performed on IFC KeyGen performed on (RSA, KAS-IFC(FIPS186- using the successful SSC, KTS-IFC) 4) generated key completio key pair (A3252) pair n generation, prior to returning the key pair on conclusion of the call
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d KDF ANS Fixed input KAT CAS Returns 1 [SP 800- Upon power-up
9.42 KAT T on 135 rev1] and call of
(A3032) successful Section 5.1 SELF_TEST_post( completio ANSI ) function n X9.42-2001 KDF KAT KDF ANS Fixed input KAT CAS Returns 1 [SP 800- Upon power-up
9.63 KAT T on 135 rev1] and call of
(A3032) successful Section 5.1 SELF_TEST_post( completio X9.63-2001 ) function n KDF KAT KDF Fixed input KAT CAS Returns 1 [SP 800- Upon power-up IKEv2 KAT T on 135 rev1] and call of (A3032) successful Section SELF_TEST_post( completio 4.1.2 IKEv2 ) function n KDF KAT KDF Fixed input KAT CAS Returns 1 [SP 800- Upon power-up SNMP KAT T on 135 rev1] and call of (A3032) successful Section 5.4 SELF_TEST_post( completio SNMPv3 ) function n KDF KAT KDF Fixed input KAT CAS Returns 1 [SP 800- Upon power-up SRTP KAT T on 135 rev1] and call of (A3032) successful Section 5.3 SELF_TEST_post( completio SRTP KDF ) function n KAT KDF SSH SHA1 KAT CAS Returns 1 [SP 800- Upon power-up (A3032) T on 135 rev1] and call of successful Section 5.2 SELF_TEST_post( completio SSHv2 KDF ) function n KAT KDF ANS Fixed input KAT CAS Returns 1 [SP 800- Upon power-up
9.42 KAT T on 135 rev1] and call of
(A3252) successful Section 5.1 SELF_TEST_post( completio ANSI ) function n X9.42-2001 KDF KAT KDF ANS Fixed input KAT CAS Returns 1 [SP 800- Upon power-up
9.63 KAT T on 135 rev1] and call of
(A3252) successful Section 5.1 SELF_TEST_post( completio X9.63-2001 ) function n KDF KAT KDF Fixed input KAT CAS Returns 1 [SP 800- Upon power-up IKEv2 KAT T on 135 rev1] and call of (A3252) successful Section
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d completio 4.1.2 IKEv2 SELF_TEST_post( n KDF KAT ) function KDF Fixed input KAT CAS Returns 1 [SP 800- Upon power-up SNMP KAT T on 135 rev1] and call of (A3252) successful Section 5.4 SELF_TEST_post( completio SNMPv3 ) function n KDF KAT KDF Fixed input KAT CAS Returns 1 [SP 800- Upon power-up SRTP KAT T on 135 rev1] and call of (A3252) successful Section 5.3 SELF_TEST_post( completio SRTP KDF ) function n KAT KDF SSH SHA1 KAT CAS Returns 1 [SP 800- Upon power-up (A3252) T on 135 rev1] and call of successful Section 5.2 SELF_TEST_post( completio SSHv2 KDF ) function n KAT TDES- Keying KAT CAS Returns 1 Decrypt Upon power-up CBC Option: 1 T on KAT and call of (A3032) successful SELF_TEST_post( completio ) function n TDES- Keying KAT CAS Returns 1 Verify KAT Upon power-up CMAC Option: 1 T on and call of (A3032) successful SELF_TEST_post( completio ) function n TDES- Keying KAT CAS Returns 1 Decrypt Upon power-up CBC Option: 1 T on KAT and call of (A3252) successful SELF_TEST_post( completio ) function n TDES- Keying KAT CAS Returns 1 Verify KAT Upon power-up CMAC Option: 1 T on and call of (A3252) successful SELF_TEST_post( completio ) function n AES-ECB 128 bits KAT CAS Returns 1 Decrypt Upon power-up (A3032) T on KAT and call of successful SELF_TEST_post( completio ) function n AES-ECB 128 bits KAT CAS Returns 1 Decrypt Upon power-up (A3252) T on KAT and call of successful
Algorith Test Test Test Indicator Details Conditions m or Test Properties Metho Type d completio SELF_TEST_post( n ) function AES- 256 bits KAT CAS Returns 1 Decrypt Upon power-up GCM T on KAT and call of (A3032) successful SELF_TEST_post( completio ) function n AES- 256 bits KAT CAS Returns 1 Decrypt Upon power-up GCM T on KAT and call of (A3252) successful SELF_TEST_post( completio ) function n AES- 128, 192, 256 KAT CAS Returns 1 Verify KAT Upon power-up CMAC bits T on and call of (A3032) successful SELF_TEST_post( completio ) function n AES- 128, 192, 256 KAT CAS Returns 1 Verify KAT Upon power-up CMAC bits T on and call of (A3252) successful SELF_TEST_post( completio ) function n Table 22: Conditional Self-Tests The SELF_TEST_post() function performs all self-tests listed above with no operator intervention required when the module loads. The module returns a “1” if all self-tests succeed, and a “0” otherwise. The pre-operational and conditional self-tests may also be performed ondemand by calling this function and interpretation of the return code is the responsibility of the calling application.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Firmware SW/FW On reboot or Manual or
256 (A3032) Integrity Test Integrity SELF_TEST_post() reboot
function call HMAC-SHA2- Firmware SW/FW On reboot or Manual or
256 (A3252) Integrity Test Integrity SELF_TEST_post() reboot
function call Table 23: Pre-Operational Periodic Information
Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call AES-ECB KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call AES-GCM KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call AES-GCM KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call AES-CMAC KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call AES-CMAC KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call Counter DRBG KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call Counter DRBG KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call Hash DRBG KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call Hash DRBG KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call HMAC DRBG KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call HMAC DRBG KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call DSA SigGen KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call DSA SigGen KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call DSA SigVer KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call
Algorithm or Test Method Test Type Period Periodic Test Method DSA SigVer KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call ECDSA SigGen KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call ECDSA SigGen KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call ECDSA SigVer KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call ECDSA SigVer KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call RSA SigGen KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call RSA SigGen KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call RSA SigVer KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call RSA SigVer KAT CAST On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call KAS-FFC-SSC KAT CAST On reboot or Manual or Sp800-56Ar3 SELF_TEST_post() reboot (A3032) function call KAS-FFC-SSC KAT CAST On reboot or Manual or Sp800-56Ar3 SELF_TEST_post() reboot (A3252) function call KAS-ECC-SSC KAT CAST On reboot or Manual or Sp800-56Ar3 SELF_TEST_post() reboot (A3032) function call KAS-ECC-SSC KAT CAST On reboot or Manual or Sp800-56Ar3 SELF_TEST_post() reboot (A3252) function call KAS-IFC-SSC KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call KAS-IFC-SSC KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call
Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A3032) KAT CAST On reboot or Manual or SELF_TEST_post() reboot function call SHA-1 (A3252) KAT CAST On reboot or Manual or SELF_TEST_post() reboot function call SHA2-512 KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call SHA2-512 KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call SHA3-256 KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call SHA3-256 KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call HMAC-SHA2- KAT CAST On reboot or Manual or
256 (A3032) SELF_TEST_post() reboot
function call HMAC-SHA2- KAT CAST On reboot or Manual or
256 (A3252) SELF_TEST_post() reboot
function call KDF SP800- KAT CAST On reboot or Manual or
108 (A3032) SELF_TEST_post() reboot
function call KDF SP800- KAT CAST On reboot or Manual or
108 (A3252) SELF_TEST_post() reboot
function call KDA OneStep KAT CAST On reboot or Manual or SP800-56Cr2 SELF_TEST_post() reboot (A3032) function call KDA OneStep KAT CAST On reboot or Manual or SP800-56Cr2 SELF_TEST_post() reboot (A3252) function call KDA TwoStep KAT CAST On reboot or Manual or SP800-56Cr2 SELF_TEST_post() reboot (A3032) function call KDA TwoStep KAT CAST On reboot or Manual or SP800-56Cr2 SELF_TEST_post() reboot (A3252) function call PBKDF (A3032) KAT CAST On reboot or Manual or SELF_TEST_post() reboot function call
Algorithm or Test Method Test Type Period Periodic Test Method PBKDF (A3252) KAT CAST On reboot or Manual or SELF_TEST_post() reboot function call TLS v1.3 KDF KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call TLS v1.3 KDF KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call TLS v1.2 KDF KAT CAST On reboot or Manual or RFC7627 SELF_TEST_post() reboot (A3032) function call TLS v1.2 KDF KAT CAST On reboot or Manual or RFC7627 SELF_TEST_post() reboot (A3252) function call DSA KeyGen PCT PCT On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call DSA KeyGen PCT PCT On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call ECDSA PCT PCT On reboot or Manual or KeyGen SELF_TEST_post() reboot (FIPS186-4) function call (A3032) ECDSA PCT PCT On reboot or Manual or KeyGen SELF_TEST_post() reboot (FIPS186-4) function call (A3252) RSA KeyGen PCT PCT On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3032) function call RSA KeyGen PCT PCT On reboot or Manual or (FIPS186-4) SELF_TEST_post() reboot (A3252) function call KDF ANS 9.42 KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call KDF ANS 9.63 KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call KDF IKEv2 KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call
Algorithm or Test Method Test Type Period Periodic Test Method KDF SNMP KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call KDF SRTP KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call KDF SSH KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call KDF ANS 9.42 KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call KDF ANS 9.63 KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call KDF IKEv2 KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call KDF SNMP KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call KDF SRTP KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call KDF SSH KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call TDES-CBC KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call TDES-CMAC KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call TDES-CBC KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call TDES-CMAC KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call AES-ECB KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call AES-ECB KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call
Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call AES-GCM KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call AES-CMAC KAT CAST On reboot or Manual or (A3032) SELF_TEST_post() reboot function call AES-CMAC KAT CAST On reboot or Manual or (A3252) SELF_TEST_post() reboot function call Table 24: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Error Error State is entered when Failure of self Restarting the 0 State self tests fail tests module Table 25: Error States If any self-test fails, an internal flag is set to prevent subsequent invocation of any cryptographic function calls. The module will only enter the Approved mode if the module is reloaded and the call to SELF_TEST_post() succeeds. The CAST used to perform the approved integrity technique is passed before the execution of the pre-operational firmware integrity test (HMACSHA2-256).
The operator can initiate the self-tests by calling SELF_TEST_post() or rebooting the host platform.
Per FIPS 140-3 classification, this is a multi-chip standalone cryptographic module. CiscoSSL FIPS Provider 8.0 is a C language-based firmware module that runs on production grade chassis. A complete revision history of the source code is collaborated by Bitbucket, and version controlled by Git. Code changes are tracked by commits tied to a username. All User
documents are tracked in Cisco Document Central which requires username/password and access permission. Coverity runs static analysis on the source code before committing to the secure repository. Secure Distribution The module is distributed only for use by Cisco personnel and as such is accessible only from the secure Cisco internal repository. Only authorized Cisco personnel have access to the module. The SHA512 fingerprint of the validated distribution tarball file can be obtained by contacting Cisco. Secure Initialization The module is ready to use after extracting it from the distribution tarball. The operating system loads the module into its user space. The initialization sequence starts with a check of the integrity of the runtime executable using a HMAC-SHA2-256 digest computed at build time. If the computed HMAC-SHA2-256 digest matches the stored known digest, then the cryptographic algorithm self-tests are performed. If any self-test fails, an internal global error flag is set to prevent subsequent invocation of any cryptographic function calls. Any such failure is a hard error that can only be recovered by reloading the module. Upon encountering a failure, the module will return an integer of 0. The module will only enter the Approved mode if the module is reloaded and the call to SELF_TEST_post() succeeds. The function call “. /openssl list providers” returns the name and the version of the module. Secure Operation The tested operating systems segregate user processes into separate process spaces. Each process space is an independent virtual memory area that is logically separated from all other processes by the operating system firmware and hardware. The module functions entirely within the process space of the process that invokes it. Additional information on switching between approved and non-approved mode is provided under “Mode Change Instructions and Status” in Section 2.4 of this SP.
An additional guidance document, if required, can be obtained by contacting Cisco Systems, Inc. using the information posted on the validation certificate.
Not Applicable for this module.
If CTR_DRBG is used, then the caller shall ensure that the derivation function is enabled.
The module implements two mitigations against timing-based side-channel attacks, namely Constant time Implementations and Blinding.
Constant-time Implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric Blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.