| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/18/2029 |
| Caveat | Interim Validation. When operated in approved mode. No assurance of the minimum strength of generated SSPs |
| Vendor | Dell Inc., BSAFE Product Team |
flowchart LR
%% Deterministic review-risk graph for Dell™ BSAFE™ Crypto Module for Java 7.0
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>DTLS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Dell™ BSAFE™ Crypto Module for Java 7.0
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>DTLS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;ISO/IEC 19790 and FIPS 140-3 Non-Proprietary Security Policy for Dell™ BSAFE™ Crypto Module for Java 7.0 Software Version: 7.0 Last Updated: November 14, 2024, Version 1.2
Table of Content List of Figures List of Tables
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security1 | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | 1 |
for Java 7.0 (hereinafter referred to as the Module or JCM) with software version 7.0. The following details how this Module meets the security requirements of FIPS 140-3, SP800-140, and ISO/IEC 19790 The security requirements cover areas related to the design and implementation of a cryptographic module. attacks. Table 1 below indicates the actual security levels for each area of the cryptographic Module. N/A N/A Table 1 Security Levels 1The module relies on the physical security provided by the host on which it runs. The Module has an overall security level of 1. The Module is a multi-chip standalone software module intended to be used as part of a software system, providing cryptographic services to that system. The module’s operational environment is non-modifiable. The module is provided as a Java Archive (jar) file. It is intended to be distributed with, and used by, a Java application. The module consists of a jar file, jcmFIPS-7.0.jar. The name and version of the module can be accessed from the API ModuleConfig.getVersionInfo(). The FIPS 140-3 validation certificate can be located on the NIST Cryptographic Module Validation Program (CMVP) page using the module name and version reported. The Module has been tested on the following Operational Environments:
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | ® SUSE Linux Enterprise Server 15 SP3 (64-bit) with OpenJDK 11 | Dell PowerEdge™ R6525 | AMD EPYC™ 7513 | N/A | 1 |
| 2 | ® SUSE Linux Enterprise Server 15 SP3 (64-bit) with OpenJDK 8 | Dell PowerEdge™ R6525 | AMD EPYC™ 7513 | N/A | 2 |
| 3 | ® Windows Server 2019 (64-bit) with Oracle® JRE 8 | Dell PowerEdge™ R6525 | AMD EPYC™ 7513 | N/A | 3 |
| 4 | Windows Server® 2016 (64-bit) with ® Oracle JRE 8 | Dell PowerEdge™ T130 | ® ® Intel Xeon CPU E3-1230 | N/A | 4 |
| 1 | ® ® Apple MacOS 10.15 (x86_64) with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 1 | ||
| 2 | Apple MacOS 10.15 (x86_64) with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 2 | ||
| 3 | ® ® Canonical Ubuntu 16.04 (x86) with OpenJDK 8 (32-bit) | Generic Hardware Platform with Intel x86 (32-bit) | 3 | ||
| 4 | Canonical Ubuntu 16.04 (x86) with OpenJDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 4 | ||
| 5 | CentOS™ 7.9 (x86_64) with OpenJDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 5 | ||
| 6 | Dell PowerProtect™ Data Domain™ OS (x86_64) with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 6 | ||
| 7 | Dell PowerStoreOS™ 4.0 (x86_64) with OpenJDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 7 | ||
| 8 | ® FreeBSD Foundation 12 (x86_64) with OpenJDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) | 8 |
# N/A N/A N/A N/A Table 2 Tested Operational Environment In addition to the platforms listed in Table 2, Dell has also tested the module on the following platforms and claims vendor affirmation on them: #
| 9 | Hewlett Packard Enterprise HP-UX 11.31 with HP JDK 8 (64-bit) | Generic Hardware Platform with ® Itanium 2 |
|---|---|---|
| 10 | ® IBM AIX 7.2 with IBM JDK 8 (64-bit) | Generic Hardware Platform with ® PowerPC (64-bit) |
| 11 | ® Microsoft Windows10 Enterprise (x86_64) with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 12 | Microsoft Windows 10 Enterprise (x86_64) with Oracle JDK 8 (64- bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 13 | Microsoft Windows 10 Enterprise (x86_64) with Oracle JDK 7 (32- bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 14 | Microsoft Windows Server 2019 (x86_64) with Oracle JDK 11 (64- bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 15 | Microsoft Windows Server 2016 (x86_64) with Oracle JDK 11 (64- bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 16 | ® Oracle Solaris 11.4 with Oracle JDK 11 (64-bit) | Generic Hardware Platform with ® SPARC v9 |
| 17 | Oracle Solaris 11.4 with Oracle JDK 8 (64-bit) | Generic Hardware Platform with SPARC v9 |
| 18 | Oracle Linux 7 64-bit on Oracle X Series Servers with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 19 | Oracle Linux 7 64-bit on Oracle X Series Servers with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 20 | Oracle Linux 7 64-bit on Oracle E Series Servers with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 21 | Oracle Linux 7 64-bit on Oracle E Series Servers with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 22 | Oracle Linux 7 64-bit on Oracle A Series Servers with Oracle JDK 8 (64-bit) | Generic Hardware Platform with ARMv8 (64-bit) |
| 23 | Oracle Linux 7 64-bit on Oracle A Series Servers with Oracle JDK 11 (64-bit) | Generic Hardware Platform with ARMv8 (64-bit) |
| 24 | Oracle Linux 8 64-bit on Oracle X Series Servers with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 25 | Oracle Linux 8 64-bit on Oracle X Series Servers with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 26 | Oracle Linux 8 64-bit on Oracle E Series Servers with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
|---|---|---|
| 27 | Oracle Linux 8 64-bit on Oracle E Series Servers with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 28 | Oracle Linux 8 64-bit on Oracle A Series Servers with Oracle JDK 8 (64-bit) | Generic Hardware Platform with ARMv8 (64-bit) |
| 29 | Oracle Linux 8 64-bit on Oracle A Series Servers with Oracle JDK 11 (64-bit) | Generic Hardware Platform with ARMv8 (64-bit) |
| 30 | ® Red Hat Enterprise Linux 8.6 (x86_64) with Oracle JDK 11 (64- bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 31 | Red Hat Enterprise Linux 8.6 (x86_64) with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 32 | Red Hat Enterprise Linux 7.9 (x86_64) with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 33 | Red Hat Enterprise Linux 7.9 (x86_64) with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 34 | SUSE Linux Enterprise Server 15 SP4 (x86_64) with OpenJDK 17 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 35 | SUSE Linux Enterprise Server 15 SP4 (x86_64) with OpenJDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 36 | SUSE Linux Enterprise Server 15 SP4 (x86_64) with OpenJDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 37 | SUSE Linux Enterprise Server 15 SP2 (x86_64) with OpenJDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 38 | SUSE Linux Enterprise Server 15 SP2 (x86_64) with OpenJDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 39 | SUSE Linux Enterprise Server 12 SP5 (x86_64) with IBM JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 40 | SUSE Linux Enterprise Server 12 SP5 (x86_64) with IBM JDK 7 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 41 | SUSE Linux Enterprise Server 12 SP5 (x86_64) with OpenJDK 7 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| 42 | SUSE Linux Enterprise Server 12 SP5 (x86_64) with Oracle JDK 11 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES [FIPS 197; | A2314 | CBC | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38A, addendum] | A2314 | CBC-CS1 | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38A, addendum] | A2314 | CBC-CS2 | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38A, addendum] | A2314 | CBC-CS3 | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38C] | A2314 | CCM | Key Length: 128, 192, and 256 bits | Authenticated encryption and decryption |
| AES [FIPS 197; SP800-38A, addendum] | A2314 | CFB128 | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38B] | A2314 | CMAC | Key Length: 128, 192, and 256 bits | Message authentication |
| AES [FIPS 197; SP800-38A] | A2314 | CTR | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38A] | A2314 | ECB | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38D] | A2314 | GCM | Key Length: 128, 192, and 256 bits | Authenticated encryption and decryption |
| AES [FIPS 197; SP800-38F] | A2314 | KW, KWP | Key Length: 128, 192, and 256 bits Key establishment methodology provides between 128 and 256 bits of encryption strength | Key wrapping and unwrapping |
| AES [FIPS 197; SP800-38A] | A2314 | OFB | Key Length: 128, 192, and 256 bits | Symmetric encryption and decryption |
| AES [FIPS 197; SP800-38E] | A2314 | XTS | Key Length: 128 and 256 bits | Symmetric encryption and decryption |
| CTR_DRBG [SP800-90Arev1] | A2314 | AES-128 AES-196 AES-256 Derivation Function Enabled; Prediction Resistance: Yes, No | N/A | Random bit generation |
| DSA [FIPS 186-4] | A2314 | DSA KeyGen: -N: 224/256 -2048/3072 Modulus | L: 2048/3072 bits | DSA keypair generation |
| DSA [FIPS 186-4] | A2314 | DSA PQGGen: -P/Q Generation Methods: Probable -G Generation Methods: Unverifiable -N: 224/256 -2048/3072 Modulus with | L: 2048/3072 bits | DSA PQG generation |
| DSA [FIPS 186-4] | A2314 | DSA PQGVer: -P/Q Generation Methods: Probable -G Generation Methods: Unverifiable -N: 160/224/256 -1024/2048/3072 Modulus with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | L: 1024/2048/3072 bits | DSA PQG verification |
| DSA [FIPS 186-4] | A2314 | DSA SigGen: -N: 224/256 -2048/3072 Modulus with SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2- 512/224, SHA2-512/256 | L: 2048/3072 bits | DSA signature generation |
| DSA [FIPS 186-4] | A2314 | DSA SigVer: -N: 160/224/256 -1024/2048/3072 Modulus with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256 | L: 1024/2048/3072 bits | DSA signature verification Please note that DSA 1024 bits are only used for signature verification |
| ECDSA [FIPS 186-4] | A2314 | ECDSA KeyGen | Curves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | ECDSA keypair generation |
| ECDSA [FIPS 186-4] | A2314 | ECDSA KeyVer | Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 | ECDSA keypair verification |
| ECDSA [FIPS 186-4] | A2314 | ECDSA SigGen | Curves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | ECDSA signature generation |
| ECDSA [FIPS 186-4] | A2314 | ECDSA SigVer | Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 | ECDSA signature verification |
| HASH_DRBG [SP800-90Arev1] | A2314 | SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 Prediction Resistance: Yes No | N/A | Random bit generation |
| HMAC_DRBG [SP800-90Arev1] | A2314 | HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2-512/224 HMAC-SHA2-512/256 Prediction Resistance: Yes, No | N/A | Random bit generation |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA-1 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA2-224 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA2-256 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA2-384 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA2-512 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA2-512/224 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA2-512/256 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA3-224 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA3-256 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA3-384 | Key Length: 112 bits or greater | Message authentication |
| HMAC [FIPS 198-1] | A2314 | HMAC-SHA3-512 | Key Length: 112 bits or greater | Message authentication |
| KAS-ECC CDH Component (CVL) [SP800-56Arev3] | A2314 | KAS-ECC CDH-Component: Function: Full Public Key Validation, Key Pair Generation, Partial Public Key Validation | Curves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Key establishment methodology provides between 128 and 256 bits of encryption strength | Key agreement primitive |
| KAS-ECC-SSC (CVL) [SP800-56Arev3] | A2314 | KAS-ECC-SSC: Scheme: ephemeralUnified: KAS Role: initiator, responder staticUnified: KAS Role: initiator, responder | Curves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Key establishment methodology provides between 128 and 256 bits of encryption strength | Key agreement primitive |
| KAS-FFC-SSC (CVL) [SP800-56Arev3] | A2314 | KAS-FFC-SSC: Scheme: dhEphem: KAS Role: initiator, responder dhOneFlow: KAS Role: initiator, responder dhStatic: KAS Role: initiator, responder | Domain Parameter Generation Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Key establishment methodology provides between 112 and 200 bits of encryption strength | Key agreement primitive |
| KAS-IFC-SSC (CVL) [SP800-56Brev2] | A2314 | KAS-IFC-SSC Scheme: KAS1: KAS Role: initiator, responder | Modulus: 2048, 3072, 4096, 6144, 8192 | Key agreement primitive |
| KAS KC (CVL) [SP800-56] | A2314 | Key Confirmation Directions: Bilateral, Unilateral KAS Role: Initiator, Responder | N/A | Key agreement primitive |
| KDA [SP800-56Crev1] | A2314 | OneStep: SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 | N/A | Key agreement primitive |
| KDF [SP800-108] | A2314 | KDF Mode: Feedback MAC Mode: HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2-512/224 HMAC-SHA2-512/256 | N/A | Key derivation |
| PBKDF 1 [SP800-132] | A2314 | N/A | Key derivation | |
| RSA Decryption Primitive (CVL) [SP800-56Crev2] | A2314 | decryptionPrimitive | 2048 bit key size | Key transport primitive |
| RSA [FIPS 186-4] | A2314 | RSA KeyGen: -Mode: B.3.6 - 2048/3072/4096 Modulus | Modulus: 2048/3072/4096 bits | RSA keypair generation |
| RSA [FIPS 186-4] | A2314 | RSA SigGen: -Mode: ANSI X9.31 -2048/3072/4096 Modulus with SHA2-224/ SHA2-256/ SHA2- 384/ SHA2-512/ SHA2-512- 224/ SHA2-512-256; -Mode: PKCS 1.5 -2048/3072/4096 Modulus with SHA2-224/ SHA2-256/ SHA2- 384/ SHA2-512/ SHA2-512- 224/ SHA2-512-256; -Mode: PKCSPSS -2048/3072/4096 Modulus with SHA2-224/ SHA2-256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512- | Modulus: 2048/3072/4096 bits | RSA signature generation |
| RSA [FIPS 186-4] | A2314 | RSA SigVer: -Mode: ANSI X9.31 -2048/3072/4096 Modulus with SHA-1, SHA2-224/ SHA2- 256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512- 256; -Mode: PKCS 1.5 -2048/3072/4096 Modulus with SHA-1, SHA2-224/ SHA2- 256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512- 256; -Mode: PKCSPSS -2048/3072/4096 Modulus with SHA-1, SHA2-224/ SHA2-256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512-256; | Modulus: 1024/2048/3072/4096 bits | RSA signature verification |
| Safe Primes Key Generation [SP800-56Arev3] | A2314 | KeyGen for KAS-FFC-SSC | Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | KAS-FFC Keypair domain parameters generation |
| Safe Primes Key Verification [SP800-56Arev3] | A2314 | KeyVer for KAS-FFC-SSC | Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | KAS-FFC Keypair domain parameters verification |
| SHS [FIPS 180-4] | A2314 | SHA-1 | N/A | Message digest Note: SHA-1 is not used for digital signature generation |
| SHS [FIPS 180-4] | A2314 | SHA2-224 | N/A | Message digest |
| SHS [FIPS 180-4] | A2314 | SHA2-256 | N/A | Message digest |
| SHS [FIPS 180-4] | A2314 | SHA2-384 | N/A | Message digest |
| SHS [FIPS 180-4] | A2314 | SHA2-512 | N/A | Message digest |
| SHS [FIPS 180-4] | A2314 | SHA2-512/224 | N/A | Message digest |
| SHS [FIPS 180-4] | A2314 | SHA2-512/256 | N/A | Message digest |
| SHA3 [FIPS 202] | A2314 | SHA3-224 | N/A | Message digest |
| SHA3 [FIPS 202] | A2314 | SHA3-256 | N/A | Message digest |
| SHA3 [FIPS 202] | A2314 | SHA3-384 | N/A | Message digest |
| SHA3 [FIPS 202] | A2314 | SHA3-512 | N/A | Message digest |
| SHAKE [FIPS 202] | A2314 | SHAKE-128 | N/A | Message digest |
| SHAKE [FIPS 202] | A2314 | SHAKE-256 | N/A | Message digest |
| TLS v1.2 KDF RFC7627 [RFC7627] (CVL) | A2314 | TLS v1.2 KDF RFC7627 | N/A | Key derivation |
| TLS v1.3 KDF [RFC8446] (CVL) | A2314 | TLS v1.3 KDF | N/A | Key derivation |
| Cryptographic Key Generation (CKG)2 [SP800-133rev2] | Vendor Affirmed | N/A | N/A | Cryptographic Key Generation; SP800-133rev2 and IG D.H Note: The cryptographic module performs Cryptographic Key Generation (CKG) for symmetric and asymmetric keys as per sections 5 and 6 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800- 90Arev1 DRBG |
| AES in BPS mode for FPE | Symmetric encryption / decryption | |||
| ChaCha20 | Symmetric encryption / decryption | |||
| ChaCha20/Poly1305 | Symmetric encryption / decryption | |||
| DES | Symmetric encryption / decryption | |||
| DESX | Symmetric encryption / decryption | |||
| Deterministic DSA | Digital signatures | |||
| Deterministic ECDSA (FIPS 186-5) | Digital signatures | |||
| ECIES | Asymmetric encryption / decryption | |||
| FIPS 186-2 PRNG (Change Notice General) | Random bit generation | |||
| HMAC-MD5 | Message authentication | |||
| KDFTLS10 | Key Derivation (For use with TLS versions 1.0 and 1.1) | |||
| MD2 | Secure hashing | |||
| MD5 | Secure hashing | |||
| PBE (PKCS #12, PKCS #5, SSLCPBE) | Symmetric encryption / decryption | |||
| PBHMAC (PKCS #12, PKIX) | Message authentication | |||
| Poly1305 | Message authentication | |||
| RC2 | Symmetric encryption / decryption | |||
| RC4 | Symmetric encryption / decryption | |||
| RC5 | Symmetric encryption / decryption | |||
| RIPEMD160 | Secure hashing | |||
| RSA-KEM-KWS | Asymmetric encryption / decryption | |||
| scrypt | Key Derivation | |||
| Shamir Secret Sharing | Key Generation |
| 43 | SUSE Linux Enterprise Server 12 SP5 (x86_64) with Oracle JDK 8 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
|---|---|---|
| 44 | SUSE Linux Enterprise Server 12 SP5 (x86_64) with Oracle JDK 7 (64-bit) | Generic Hardware Platform with Intel x86_64 (64-bit) |
Table 3 Vendor Affirmed Operational Environments The CMVP makes no statement about the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate. Mode of operation The Module supports both approved and non-approved modes of operation. It can operate in an approved mode after initial operations are performed, and all pre-operational self-tests have been completed successfully. The non-approved mode is entered when a non-approved algorithm or service is invoked. The Approved mode of operation can only be transitioned into the Non-Approved mode by calling one of the Non-Approved services. The Module does not claim implementation of a degraded mode of operation. If any self-test fails, the cryptographic services of the module are disabled for both Approved and NonApproved modes of operation. Section 4 provides details on the service indicator implemented by the Module. Table 4 below lists all the approved or vendor-affirmed security functions of the Module, including specific key size(s)
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| SHAKE [FIPS 202] | A2314 | SHAKE-256 | N/A | Message digest |
| TLS v1.2 KDF RFC7627 [RFC7627] (CVL) | A2314 | TLS v1.2 KDF RFC7627 | N/A | Key derivation |
| TLS v1.3 KDF [RFC8446] (CVL) | A2314 | TLS v1.3 KDF | N/A | Key derivation |
| Cryptographic Key Generation (CKG)2 [SP800-133rev2] | Vendor Affirmed | N/A | N/A | Cryptographic Key Generation; SP800-133rev2 and IG D.H Note: The cryptographic module performs Cryptographic Key Generation (CKG) for symmetric and asymmetric keys as per sections 5 and 6 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800- 90Arev1 DRBG |
| AES in BPS mode for FPE | Symmetric encryption / decryption | |||
| ChaCha20 | Symmetric encryption / decryption | |||
| ChaCha20/Poly1305 | Symmetric encryption / decryption | |||
| DES | Symmetric encryption / decryption | |||
| DESX | Symmetric encryption / decryption | |||
| Deterministic DSA | Digital signatures | |||
| Deterministic ECDSA (FIPS 186-5) | Digital signatures | |||
| ECIES | Asymmetric encryption / decryption | |||
| FIPS 186-2 PRNG (Change Notice General) | Random bit generation | |||
| HMAC-MD5 | Message authentication | |||
| KDFTLS10 | Key Derivation (For use with TLS versions 1.0 and 1.1) | |||
| MD2 | Secure hashing | |||
| MD5 | Secure hashing | |||
| PBE (PKCS #12, PKCS #5, SSLCPBE) | Symmetric encryption / decryption | |||
| PBHMAC (PKCS #12, PKIX) | Message authentication | |||
| Poly1305 | Message authentication | |||
| RC2 | Symmetric encryption / decryption | |||
| RC4 | Symmetric encryption / decryption | |||
| RC5 | Symmetric encryption / decryption | |||
| RIPEMD160 | Secure hashing | |||
| RSA-KEM-KWS | Asymmetric encryption / decryption | |||
| scrypt | Key Derivation | |||
| Shamir Secret Sharing | Key Generation | |||
| TDES in CBC, CFB64, ECB, OFB modes and CBC_CS1, CBC_CS2 or CBC_CS3 mode for CTS | Symmetric encryption / decryption |
N/A N/A N/A N/A N/A Table 4 - Approved Algorithms 1Password-based key derivation function 2 (PBKDF2). As defined in NIST Special Publication 800-132, PBKDF2 can be used in Approved mode when used with Approved symmetric key and message digest algorithms. For more information, see Crypto Officer Guidance 2The module supports cryptographic key generation as described in section 4 of SP800-133rev2 where V is a constant string of binary zeroes. The module also
Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation As there are no non-Approved algorithms allowed in the approved mode of operation, the tables defined in SP800-140B for the following categories are missing from this document:
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | Plaintext, Ciphertext, Message Digest, Signature, MAC, Secret, Key text, Wrapped key text, Message, Secret |
| N/A | N/A | Data Output | Status, Ciphertext, Plaintext, Verify status, Validation status, Wrapped key text, Message digest, MAC, Random bytes |
| N/A | N/A | Control Input | Configuration parameters for the API interface ModuleConfig which sets the mode of operation |
| N/A | N/A | Status Output | Mode of operation indicator from the API CryptoModule.isFIPS140Approved(). The state of the module from the API CryptoModule.getState() |
| N/A | N/A | Control Output | N/A |
Figure 1 Module’s Block Diagram Cryptographic module interfaces The Module’s physical perimeter encompasses the case of the tested platform mentioned in Table 2 Tested Operational Environment. The Module provides its logical interfaces via API calls. The logical interfaces provided by the Module are mapped onto the FIPS 140-3 logical interfaces (Data Input, Data Output, Control Input, Control Output, and Status Output) as follows: N/A N/A N/A N/A N/A N/A Table 6 Ports and Interfaces
| Name | Roles | Input | Output |
|---|---|---|---|
| Asymmetric Encryption | Crypto Officer | Plaintext | Ciphertext, Status |
| Asymmetric Decryption | Crypto Officer | Ciphertext | Plaintext, Status |
| Digital Signature Generation | Crypto Officer | Message Digest | Signature, Status |
| Digital Signature Verification | Crypto Officer | Message Digest, Signature | Verify Status, Status |
| Key Assurance | Crypto Officer | Validation Status, Status | |
| Key Confirmation | Crypto Officer | MAC | Verify status |
| Key Deletion | Crypto Officer | ||
| Key Derivation | Crypto Officer | Secret | Key text, Status |
| Key Parameter Generation | Crypto Officer | Status | |
| Key Wrap | Crypto Officer | Wrapped Key text, Status | |
| Key Unwrap | Crypto Officer | Wrapped key text | Status |
| Message Digest | Crypto Officer | Message | Message Digest, Status |
| MAC Generation | Crypto Officer | Secret, Message | MAC, Status |
| MAC Verification | Crypto Officer | Secret, Message, MAC | Verify Status, Status |
| Random Number Generation | Crypto Officer | Random bytes, Status | |
| Self-test | Crypto Officer | Status | |
| Symmetric Encryption | Crypto Officer | Plaintext | Ciphertext, Status |
| Symmetric Decryption | Crypto Officer | Ciphertext | Plaintext, Status |
Roles, services, and authentication The Module meets all FIPS 140-3 Security Level 1 requirements for Roles, Services; and Authentication, implementing a Crypto Officer Role. As allowed by FIPS 140-3, the module does not support identification or authentication for this role. The Crypto Officer Role is implicitly assumed once the Module is loaded, and the role is cleared on Module unload. There is no maintenance role, cryptographic bypass capability, or self-initiated cryptographic output. The module does not allow concurrent operators. Table 7 Roles, Service Commands, Input, and Output The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module. W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. N/A = Not applicable: The service does not access any SSP during its operation.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Asymmetric Encryption | Perform asymmetric encryption operation | CO | RSA Public Key | RSA Encryption Primitive | E | API call |
| Asymmetric Decryption | Perform asymmetric decryption operation | CO | RSA Private Key | RSA Decryption Primitive | E | API call |
| Digital Signature Generation | Perform digital signature generation | CO | DSA Private Key ECDSA Private Key RSA Private Key | DSA PQGGen DSA SigGen ECDSA SigGen RSA SigGen | E | API call |
| Digital Signature Verification | Perform digital signature verification | CO | DSA Public Key ECDSA Public Key RSA Public Key | DSA PQGVer DSA SigVer ECDSA SigVer RSA SigVer | E | API call |
| Key Assurance | Perform key assurance operation | CO | DSA Public Key DSA Private Key ECDSA Public Key ECDSA Private Key EC Diffie- Hellman Private Key EC Diffie- Hellman Public Key Diffie-Hellman Public Key Diffie-Hellman Private Key RSA Public Key RSA Private Key | N/A | R | API call |
| Key Confirmation | Perform key confirmation operation | CO | HMAC Key | KAS KC | E | API call |
| Key Deletion | Perform key deletion operation | CO | AES Key DSA Public Key DSA Private Key ECDSA Public Key ECDSA Private Key CMAC Key HMAC Key RSA Public Key | N/A | Z | API call |
| Key Derivation | Perform key derivation operation | CO | KBKDF Key Derivation Key KBKDF Derived Key OneStep KDF Key Derivation Key OneStep KDF Derived Key PBKDF Password PBKDF Derived Key TLS Master Secret TLS Session Key TLS Session Integrity Key | KDA OneStep PBKDF TLS v1.2 KDF RFC 7627 TLS v1.3 KDF | G, R | API call |
| Key Parameter Generation | Perform key parameter generation operation | CO | DSA Public Key DSA Private Key Diffie-Hellman Public Key Diffie-Hellman Private Key Diffie-Hellman Shared Secret | KAS-FFC-SCC | G | API call |
| Key Unwrap | Perform key unwrap operation | CO | AES Key | AES-KW AES-KWP | API call | |
| Key wrap | Perform key wrap operation | CO | AES Key AES Key Wrap Key | AES-KW AES-KWP | E | API call |
| Message Digest | Perform message digest operation | CO | SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-128 SHAKE-256 | API call | ||
| MAC Generation | Perform MAC generation operation | CO | CMAC Key HMAC Key | CMAC-AES HMAC-SHA-1 | R | API call |
| MAC Verification | Perform MAC verification operation | CO | CMAC Key HMAC Key | CMAC-AES HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 | R | API call |
| Random Number Generation | Perform random number generation | CO | DRBG Entropy Input DRBG Seed DRBG Internal State V value DRBG Key | CTR_DRBG HASH_DRBG HMAC_DRBG | API call | |
| Symmetric Encryption | Perform symmetric encryption operation | CO | AES Key AES GCM IV | AES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB AES-CTR AES-ECB AES-GCM AES-OFB AES-XTS | E | API call |
| Symmetric Decryption | Perform symmetric decryption operation | CO | AES Key AES GCM IV | AES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB AES-CTR AES-ECB AES-GCM AES-OFB AES-XTS | E | API call |
Table 8 below lists all approved services that can be used in the approved mode of operation. E E E E N/A R EC DiffieHellman E Z N/A
N/A EC DiffieHellman EC DiffieHellman G, R R G
| Name | Description | Roles | Approved Functions | Indicator |
|---|---|---|---|---|
| Asymmetric Encryption | Perform asymmetric encryption operation | N/A | ECIES RSA-KEM-KWS | API call |
| Asymmetric Decryption | Perform asymmetric decryption operation | N/A | ECIES RSA-KEM-KWS | API call |
| Digital Signature Generation | Perform digital signature generation | N/A | Deterministic DSA Deterministic ECDSA | API call |
| Digital Signature Verification | Perform digital signature verification | N/A | Deterministic DSA Deterministic ECDSA | API call |
| Key Derivation | Perform key derivation operation | N/A | KDFTLS10 (For use with TLS versions 1.0 and 1.1) PKCS #5 KDF PKCS #12 KDF scrypt | API call |
| Message Digest | Perform message digest operation | N/A | MD2 MD5 RIPEMD160 | API call |
| MAC Generation | Perform MAC generation operation | N/A | HMAC-MD5 PBHMAC (PKCS #12, PKIX) Poly1305 | API call |
| MAC Verification | Perform MAC verification operation | N/A | HMAC-MD5 PBHMAC (PKCS #12, PKIX) Poly1305 | API call |
| Random Number Generation | Perform random number generation | N/A | FIPS 186-2 PRNG (Change Notice General) | API call |
| Symmetric Encryption | Perform symmetric encryption operation | N/A | AES in BPS mode for FPE ChaCha20 ChaCha20/Poly1305 DES DESX RC2 RC4 RC5 PBE (PKCS #12, PKCS #5, SSLCPBE) TDES in CBC, CFB64, ECB, OFB modes and CBC_CS1, CBC_CS2 or CBC_CS3 mode for CTS | API call |
| Symmetric Decryption | Perform symmetric decryption operation | N/A | AES in BPS mode for FPE ChaCha20 ChaCha20/Poly1305 DES DESX RC2 RC4 RC5 PBE (PKCS #12, PKCS #5, SSLCPBE) TDES in CBC, CFB64, ECB, OFB modes and CBC_CS1, CBC_CS2 or CBC_CS3 mode for CTS | API call |
Table 9 Non-Approved Services N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
The Module doesn’t support self-initiated cryptographic output capability and cryptographic Bypass capability services. Software/Firmware security Integrity techniques Module integrity check is implemented by first calculating a MAC over each of the files listed in module.files, using HMAC-SHA-1 with a fixed key. Another MAC is then calculated over all file MACs in the order that they are listed, using the same algorithm and key as for the file MACs. This two-step process is intended to allow the jar file to be processed sequentially without having to load the entire jar file into memory even after the order of the jar file entries has been changed. The expected integrity check MAC is stored in the jar file manifest. During the Integrity Test when the module is loaded, a MAC is again calculated and compared with the pre-computed MAC value contained in the jar file manifest. If these values are equal, then the software integrity check has passed and power-up of the Module can continue. Otherwise, the test has failed, and the Module is disabled. Integrity test on-demand The integrity test is performed as part of the pre-operational self-tests. It is automatically executed at power-on. The module provides the ModuleConfig.runSelfTests() API to allow the operator to perform on-demand integrity testing. The operator can also power-cycle or reboot the tested platform to initiate the software integrity test on-demand. Operational environment The Module is a software module, which is operated in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module is provided for operating systems running on a general-purpose computer platform based on an Intel CPU. The Module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values, and other SSPs by external processes during module execution. The Module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the Module are owned by the Module and are not owned by external processes or operators. Physical security The FIPS 140-3 physical security requirements do not apply to the Module since it is a software module. Non-invasive security Currently, non-invasive security is not required by FIPS 140-3 (see NIST SP800-140F). The requirements of this area are not applicable to the Module.
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zero- isatio |
|---|---|---|---|---|---|---|---|---|
| DRBG entropy input (CSP) | 256 bits | CTR_DRBG HASH_DRBG HMAC_DRBG #A2314 | Obtained from the Entropy Source within TOEPP (GPS INT Pathways). | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Random Number Generation | Import to the module via Module’s API Export: No | Automatic zeroization when the tested platform is powered down |
| DRBG Seed (CSP) | 256 bits | CTR_DRBG HASH_DRBG HMAC_DRBG #A2314 | Internally Derived from entropy input string as defined by SP800- 90Arev1. | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Random Number Generation | Import: No Export: No | Automatic zeroization when the tested platform is powered down |
| DRBG Internal State V value (CSP) | 256 bits | CTR_DRBG HASH_DRBG HMAC_DRBG #A2314 | Internally Derived from entropy input string as defined by SP800- 90Arev1. | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Random Number Generation | Import: No Export: No | Automatic zeroization when the tested platform is powered down |
| DRBG Key (CSP) | 256 bits | CTR_DRBG HASH_DRBG HMAC_DRBG #A2314 | Internally Derived from entropy input string as defined by SP800- 90Arev1. | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Random Number Generation | Import: No Export: No | Automatic zeroization when the tested platform is powered down. |
| Diffie-Hellman Private Key (CSP) | MODP- 2048 | CKG CTR_DRBG HASH_DRBG HMAC_DRBG KAS-FFC-SSC Safe Primes Key Generation #A2314 | Internally generated conformant to SP800- 133rev2 (CKG) using SP800-56A rev3 Diffie- Hellman key generation method, and the random value used in key generation is generated using SP800- 90ARev1 DRBG. | N/A | N/A: The module does not provide persistent keys/ SSPs storage. | Used to derive Diffie- Hellman Shared Secret | Import: No Export: No | Automatic zeroization when the tested platform is powered down |
| Diffie-Hellman Public Key (PSP) | MODP- 2048 | KAS-FFC-SSC Safe Primes Key Generation #A2314 | Internally derived per the Diffie- Hellman key agreement (SP800- 56Arev3). | N/A | N/A: The module does not provide persistent keys/ SSPs storage. | Used to derive Diffie- Hellman Shared Secret | Import: No Export: Yes | Automatic zeroization when the tested platform is powered down |
| Peer Diffie- Hellman Public Key (PSP) | MODP- 2048 | N/A | N/A | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Used to derive Diffie- Hellman Shared Secret | Import: Yes Export: No | Automatic zeroization when the tested platform is powered down |
| Diffie-Hellman Shared Secret (CSP) | MODP- 2048 | KAS-FFC-SSC #A2314 | Internally generated using SP800- 56Arev3 DH shared secret computation. | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Used to derive TLS session related keys | Import: No Export: No | Automatic zeroization when the tested platform is powered down |
| EC Diffie- Hellman Private Key (CSP) | P-256/P- 384/P-521 | CKG CTR_DRBG HASH_DRBG HMAC_DRBG KAS-ECC-SSC #A2314 | Internally generated conformant to SP800- 133rev2 (CKG) using SP800-56A rev3 EC Diffie- Hellman key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG | N/A | N/A: The module does not provide persistent keys/ SSPs storage. | Used to derive EC Diffie- Hellman Shared Secret | Import: No Export: No | Automatic zeroization when the tested platform is powered down |
| EC Diffie- Hellman Public Key (PSP) | P-256/P- 384/P-521 | KAS-ECC-SSC #A2314 | Internally derived per the EC Diffie- Hellman key agreement (SP800- 56Arev3). | N/A | N/A: The module does not provide persistent keys/ SSPs storage. | Used to derive EC Diffie- Hellman Shared Secret | Import: No Export: Yes | Automatic zeroization when the tested platform is powered down |
| Peer EC Diffie-Hellman Public Key (PSP) | P-256/P- 384/P-521 | N/A | N/A | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Used to derive EC Diffie- Hellman Shared Secret | Import: Yes Export: No | Automatic zeroization when the tested platform is powered down |
| EC Diffie- Hellman Shared Secret (CSP) | P-256/P- 384/P-521 | KAS-ECC-SSC #A2314 | Internally derived using SP800- 56Arev3 ECDH shared secret computation. | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Used to derive TLS session related keys | Import: No Export: No | Automatic zeroization when the tested platform is powered down |
| DSA Private Key (CSP) | 2048/3072 bits #A2314 | CKG CTR_DRBG HASH_DRBG HMAC_DRBG DSA PQGGen DSA SigGen DSA KeyGen #A2314 | Internally generated conformant to SP800-133r2 (CKG) using FIPS 186-4 DSA key generation method, and the random | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Signature generation and Verification used in TLS | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| DSA Public Key (PSP) | 1024/2048 /3072 bits #A2314 | DSA PQGVer DSA SigVer DSA KeyGen #A2314 | Internally derived per the FIPS 186- 4 DSA key generation method Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Signature generation and Verification used in TLS | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| ECDSA Private Key (CSP) | P-256/P- 384/P-521 | CKG CTR_DRBG HASH_DRBG HMAC_DRBG ECDSA KeyGen ECDSA KeyVer ECDSA SigGen #A2314 | Internally generated conformant to SP800- 133rev2 (CKG) using FIPS 186-4 ECDSA key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG. Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Signature generation and verification used in TLS | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| ECDSA Public Key (PSP) | P-256/P- 384/P-521 | ECDSA KeyGen ECDSA KeyVer ECDSA SigVer #A2314 | Internally derived per the FIPS 186- 4 ECDSA key generation method. Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Signature generation and verification used in TLS | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| RSA Private Key (CSP) | 2048/3072 /4096 bits | CKG CTR_DRBG HASH_DRBG HMAC_DRBG RSA KeyGen RSA SigGen #A2314 | Internally generated conformant to SP800- 133rev2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in the key generation is generated using SP800- 90Arev1 | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Signature generation and verification used in TLS | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| RSA Public Key (PSP) | 1024/2048 /3072/409 6 bits | RSA KeyGen RSA SigVer #A2314 | Internally derived per the FIPS 186- 4 RSA key generation method. Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Signature generation and verification used in TLS | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| TLS Master Secret (CSP) | 48 Bytes | Keying Material | Internally Derived per the key derivation function defined in SP800-135 KDF (KDF- TLS v1.2 RFC7627) | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Keying material used to derive other TLS keys | Import: No Export: No | Automatic zeroization when TLS session is terminated or when the tested platform is powered down |
| TLS Session Key (CSP) | 128/256 bits | AES-CBC AES-GCM TLS v1.2 KDF RFC7627 TLS v1.3 KDF #A2314 | Internally Derived per the key derivation function defined in SP800-135 KDF (KDF- TLS v1.2 RFC7627). | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Used for TLS session confidentialit y protection | Import: No Export: No | Automatic zeroization when TLS session is terminated or when the tested platform is powered down |
| TLS Session Integrity Key (CSP) | 256-384 bits | TLS v1.2 KDF RFC7627 TLS v1.3 KDF HMAC-SHA2- 256 HMAC-SHA2- 384 #A2314 | Internally Derived per the key derivation function defined in SP800-135 KDF (KDF- TLS v1.2 RFC7627). | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Used for TLS session integrity protection | Import: No Export: No | Automatic zeroization when TLS session is terminated or when the tested platform is powered down |
| AES Key (CSP) | 128/192/2 56 bits | AES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB AES-CTR AES-ECB AES-GCM AES-OFB AES-XTS #A2314 | Internally generated per the key generation function defined in SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Symmetric encryption and decryption | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| AES GCM IV (CSP) | N/A | AES-GCM #A2314 | Internally Derived per the key derivation function defined in: | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Authenticated symmetric encryption and decryption | Import: No Export: No | Automatic zeroization when the tested platform is |
| SP800-38D using random value generated using SP800- 90A DRBG | SP800-38D using random value generated using SP800- 90A DRBG | powered down | ||||||
| CMAC Key (CSP) | 128/192/2 56 bits | CMAC-AES #A2314 | Internally Derived per the key derivation function defined in: SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Message authentication | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| HMAC Key (CSP) | 112-256 bits | HMAC-SHA-1 HMAC-SHA2- 224 HMAC-SHA2- 256 HMAC-SHA2- 384 HMAC-SHA2- 512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3- 224 HMAC-SHA3- 256 HMAC-SHA3- 384 HMAC-SHA3- 512 #A2314 | Internally Derived per the key derivation function defined in: SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Message authentication | Import: Yes Export: Yes | Automatic zeroization when the tested platform is powered down |
| KBKDF Key Derivation Key (CSP) | N/A | KDF SP800-108 #A2314 | N/A | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Key derivation | Import: Yes Export: No | Automatic zeroization when the tested platform is powered down |
| KBKDF Derived Key (CSP) | N/A | KDF SP800-108 #A2314 | N/A | SP800-108 | N/A: The module does not provide persistent keys/SSPs storage. | Derived from key derivation key | Import: No Export: Yes | Automatic zeroization when the tested platform is powered down |
| OneStep KDF Key Derivation Key (CSP) | N/A | KDA OneStep #A2314 | N/A | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Key derivation | Import: Yes Export: No | Automatic zeroization when the tested platform is powered down |
| OneStep KDF Derived Key (CSP) | N/A | KDA OneStep #A2314 | N/A | SP800-56C Rev.1 | N/A: The module does not provide persistent keys/SSPs storage. | Derived from key derivation key | Import: No Export: Yes | Automatic zeroization when the tested platform is powered down |
| PBKDF Password (CSP) | N/A | PBKDF #A2314 | N/A | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Key derivation | Import: Yes Export: No | Automatic zeroization when the tested platform is powered down |
| PBKDF Derived Key (CSP) | N/A | PBKDF #A2314 | N/A | SP800-132 | N/A: The module does not provide persistent keys/SSPs storage. | Derived from key derivation key | Import: No Export: Yes | Automatic zeroization when the tested platform is powered down |
| AES Key Wrap Key (CSP) | 128/192/2 56 bits | AES-KW AES-KWP #A2314 | Internally generated per the key generation function defined in: SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generated | N/A | N/A: The module does not provide persistent keys/SSPs storage. | Key wrapping and unwrapping | Import: Yes Export: No | Automatic zeroization when the tested platform is powered down |
Sensitive security parameters management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the Module: shment SP80090Arev1. SP80090Arev1. SP80090Arev1. using SP80090ARev1 (SP80056Arev3). Zeroisatio n derive DiffieHellman derive DiffieHellman
N/A EC DiffieHellman N/A SP800133rev2 DiffieHellman key using SP80090Arev1 (SP80056Arev3). N/A SP800Export: No derive DiffieHellman DiffieHellman DiffieHellman DiffieHellman
using SP80090Arev1 using SP80090Arev1 SP800133rev2 using SP80090Arev1
N/A SP800133rev2 using SP800133rev2 using HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 N/A
| Name | Key Size | |||
|---|---|---|---|---|
| Entropy | Entropy | Minimum number | Details | |
| sources | sources | of bits of entropy | ||
| Entropy within the TOEPP was passively loaded into the Module to seed the 800- 90Arev1 DRBG by the Operating System. | At least 112 bits | While operating in the approved mode, the entropy and seeding material for the SP800-90Arev1 DRBG are provided by the external calling application (and not by the Module) which is outside the Module’s cryptographic boundary but contained within the Module’s Tested Operational Environment’s Physical Perimeter (TOEPP) boundary. The module receives a LOAD command with entropy obtained from the entropy source (Intel CPU processor with instructions RDRand) inside the TOEPP. The minimum effective strength of the SP800-90Arev1 DRBG seed is required to be at least 112 bits when used in an approved mode of operation, therefore the minimum number of bits of entropy requested when the Module makes a call to the SP800-90Arev1 DRBG is at least 112 bits. Per the IG 9.3.A Entropy Caveats, the following caveat applies: No assurance of the minimum strength of generated SSPs (e.g., keys) |
N/A N/A N/A N/A N/A SP800down Table 10 SSPs Table 11 Non-Deterministic Random Number Generation Specification The Module is passively receiving the entropy while exercising no control over the amount or the quality
| Name | Type | Strength | Required DRBG Security Strength |
|---|---|---|---|
| 128, 192, 256 | AES Key | 128, 192, 256 | 128, 192, 256 |
| 2048, 3072, 4096 | RSA Key Pair | 112, 128, 152 | 112, 128, 152 |
| 2048, 3072 | DSA Key Pair | 112, 128 | 112, 128 |
| 224, 256, 384, 521 | EC Key Pair | 112, 128, 192, 256 | 112, 128, 192, 256 |
| DRBG | DRBG | • When an approved algorithm requires a DRBG to perform an operation, an approved DRBG algorithm must be used. For example, when initializing an approved signature algorithm, an approved DRBG such as HMAC DRBG must be used. |
provide the required security strength, and to ensure the security strength of a DRBG is equal to or greater than the security strength of any SSPs generated using that DRBG. Entropy can be supplied to the Module using the following APIs:
When the Module is loaded or instantiated after being power-cycled or rebooted, the Module runs preoperational self-tests. The operating system is responsible for the initialization process and loading the Module. The Module is designed with a default entry point (DEP) that ensures automatic initiation of the self-tests when the Module is loaded. Before the Module provides any data output via the data output interface, the Module performs the pre-operational self-tests, ensuring all pass. A software integrity test is performed on the runtime image of the Module with an HMAC-SHA-1 algorithm. Prior to the firmware integrity test, the Module conducts an HMAC-SHA-1 Cryptographic Algorithm Self-test (CAST). If the CAST on the HMAC-SHA-1 is successful, the HMAC value of the runtime image is recalculated and compared with the stored HMAC value pre-computed at compilation time. During power-up, and following the successful pre-operational self-tests, the Module executes the Conditional CASTs for all approved cryptographic algorithms implemented by the Module. The self-test success or failure messages, for example, Error: Signature RSA test failure or ECDH P-256 test failure, are logged and function as the self-test status indicator. If any one of the self-tests fails, the Module transitions into a FIPS140State.FAILED error state and outputs the error message via the Module’s status output interface, SecurityException. While the Module is in the error state, all data through the data output interface and all cryptographic operations are disabled. The only method to recover from the error state is to power cycle the device. This results in the Module being reloaded into memory and reperforming the pre-operational software integrity test and the
Conditional CASTs. The module will only enter the operational state after successfully passing the preoperational software integrity test and the Conditional CASTs. Pre-operational self-tests Pre-operational self-tests are executed automatically when the Module is loaded into memory. They can be re-run manually after the module has loaded, by calling the ModuleConfig.runSelfTests() API. The pre-operational self-tests include the Software Integrity Test. The Software Integrity Test is comprised of an HMAC-SHA-1 verification of the files listed in fips140/module.files. The cryptographic services of the Module are disabled when the self-tests are running. When the self-tests are running, the following stands true:
o o o o o o o o o o o o o o o
Installation, Initialization, Startup, Operation and Maintenance The module is installed by adding jcmFIPS-7.0.jar to the application's classpath. The module is started by starting the application that references it. The module uses JDK services to perform the module startup when the application loads it. When loading the module, the com.rsa.crypto.jcm.ModuleLoader.load() method extracts arguments from the com.rsa.cryptoj.jcm.JavaModuleProperties class, which is created using the com.rsa.cryptoj.jcm.CryptoJModulePropertiesFactory class. The following arguments are extracted:
| Name | Mode Method |
|---|---|
| • When using an approved DRBG, the number of bytes of seed key input must be equivalent to or greater than the security strength of the keys the caller wishes to generate. For example, a 256-bit or higher seed key input when generating 256-bit AES keys. • Since the Module does not modify the output of an Approved DRBG, any generated symmetric keys or seed values are created directly from the output of the Approved DRBG. | |
| • When using GCM feedback mode for symmetric encryption, the authentication tag length and authenticated data length may be specified as input parameters, but the IV must not be specified. It must be generated internally. • Where the Module is powered down, a new key must be used for AES GCM encryption/decryption. • GCM with a partial IV supplied to the Module is approved only when used within a TLS v 1.2 or 1.3 protocol implementation. • The AES-GCM cipher, when used for symmetric encryption purposes other than TLS, must use an IV in one of the two possible ways, to comply with SP800-38D: – Allow the Module to generate the IV deterministically by not supplying any IV parameters during cipher initialization. The generated 96-bit (12-byte) IV consists of a 32-bit fixed field followed by a 64-bit invocation field where: – The fixed field bytes are derived from the Module name, version information, and memory address of a Java class within the Module. – The invocation field is a 64-bit counter that is initialized, on Module startup, to a value consisting of the 42 bits of current time, as milliseconds since Epoch, followed by 22 bits of zero. This counter value is incremented by one each time a new IV is requested. By using the current time to prefix the counter start value, in the event of Module restart, the counter will be ahead of any previous Module states, ensuring that IV values cannot be reused. The Module user must ensure the system time is valid to prevent repetition of IVs. – Generate at least 12 bytes of IV using an Approved DRBG, and input the IV to the cipher at initialization time using the RAW_IV parameter. • The AES-GCM cipher used for the TLS protocol as the cipher implementation complies with SP800-52 and is compatible with RFC 5288 with the following conditions: – The IV is configured as follows: – The four-byte salt derived from the TLS handshake process is input using the parameter PARTIAL_IV during cipher initialization. This is used as the first four bytes of IV. This 32-bit part of the IV is also referred to as the nonce value in FIPS 140-3 IG C.H and is positioned in the name field of the IV as required in FIPS 140-3 IG C.H, TLS/DTLS 1.2 protocol IV generation. – The remaining eight bytes of IV, referred to as nonce_explicit in RFC 5288, are generated deterministically by the module using the 64-bit counter used for the invocation field described above. – When the 64-bit counter exhausts the maximum number of | GCM Mode Ciphers |
| possible values for a given session key, the Module will throw a SecurityException. – Whichever party, the client or the server, that encounters this condition must trigger a handshake to establish a new encryption key. – The TLS session is aborted if the keys for the client and server negotiated in the handshake process, client_write_key and server_write_key, are identical. | |
| • The key length for an HMAC generation or verification must be between 112 and 4096 bits, inclusive. • For HMAC verification, a key length greater than or equal to 80 and less than 112 is allowed for legacy-use. | HMAC |
| • An approved HMAC must be used for extract and expand operations. • A particular key-derivation key must only be used for a single key- expansion step. For more information, see SP800-56C Rev. 1. • The derived key must be used only as a secret key. • The derived key shall not be used as a key stream for a stream cipher. • When selecting an HMAC hash, the output block size must be equal to or greater than the desired security strength of the derived key. • The pseudo-random key input to the expansion and the keying material output from the expansion must have lengths that are equal to or greater than the desired security strength of the derived key. | HMAC-Based Extract-and- Expand Key Derivation Function |
| • An approved hash function must be used to derive key materials. • When selecting a hash algorithm, the output block size must be equal to or greater than the desired security strength of the derived key. • The derived key must be used only as a secret key. • The derived key shall not be used as a key stream for a stream cipher. • The secret data input into this KDF must have a length equal to or greater than the desired security strength of the derived key. | One-Step Key Derivation Function |
| • TLS v1.2 PRF KDF is allowed only when the following conditions are satisfied: – The KDF is performed in the context of the TLS protocol. – HMAC is as specified in FIPS 198-1. – P_HASH uses either SHA-256, SHA-384, or SHA-512. For more information, see SP800-135 Rev. 1. • The TLS protocols have not been tested by the CAVP and CMVP. | TLS PRF Key Derivation Function |
| • When using an Approved DRBG to generate DH or DSA parameters, the requested DRBG must have a security strength at least as great as the security strength of the parameters being generated. That means that an Approved DRBG with an appropriate strength must be used. For more information on requesting the DRBG security strength, see the relevant API Javadoc. | Parameter Generation |
| Obtain domain parameters and assurance of the domain parameter validity: • For schemes using FFC, use one of the FFC safe-prime groups as defined in SP800-56A rev. 3 Appendix D. • For schemes using ECC, use one of the approved curves as defined in SP800-56A rev. 3 Appendix D. Obtain a key pair from domain parameters: • For all schemes: | Key Agreement |
| – All key material must be generated before any of the keys are used. – If key generation fails then the party must destroy all calculated values. – The shared secret, and any key material, is destroyed. • For schemes that use key confirmation: – Both parties must use a common, approved MAC to generate confirmation values. – The MAC key will be generated as one of the key material elements. – The input values for MAC tag generation must be formatted as per SP800-56A Rev. 3. – The MAC key and tag lengths must satisfy the requirements of SP800-56A Rev. 3. – The MAC key must be destroyed after use. – If confirmation fails then destroy all calculated values. All key material is destroyed before it is used for any other purpose. – Approved key confirmation technique(s) as specified in SP800-56A Rev. 3. | |
| • When using an approved DRBG to generate keys, the security strength of the DRBG must be at least as great as the security strength of the key being generated. For details about the comparable security strengths of symmetric block ciphers and asymmetric key algorithms refer to Table 2 of NIST SP800-57 Part 1 Rev. 5. • When generating key pairs using the KeyPairGenerator object, the generate(boolean pairwiseConsistency) method must not be invoked with an argument of false. Use of the no-argument generate() method is recommended. | Key Generation |
| • Keys used for digital signature generation and verification shall not be used for any other purpose. The module generates keys with a particular purpose that is either signing or encryption. The same purpose must always be used for a given key when exported and loaded into the module again. • The length of an RSA key pair for digital signature generation must be greater than or equal to 2048 bits. For digital signature verification, the length must be greater than or equal to 2048 bits. However, 1024 bits is allowed for legacy-use only. RSA keys shall have a public exponent of an odd number, equal to or greater than 65537. • The SHA-1 digest is disallowed for the generation of digital signatures. • For RSASSA-PSS: If nLen is 1024 bits, and the output length of the approved hash function output block is 512 bits, then the length of the salt (sLen) shall be 0<=sLen<=hLen – 2. Otherwise, the length of the salt shall be 0 <=sLen<=hLen, where hLen is the length of the hash function output block (in bytes or octets). | Digital Signatures |
| • Keys generated using PBKDF2 shall only be used in data storage applications. • Minimum Password Length: The minimum length (L) of a password generated using a cryptographically secure random password generator to provide a search space of S entries depends on the size (N) of the character set: L= ⸢log S/log N⸣ 2 2 | Password-based Key Derivation |
| The following provides examples for a password used by PBKDF2 where S = 4.32 x 1020: Character Set N L Case sensitive (a-z, A-Z) 52 13 Case sensitive alpha numeric 62 12 All ASCII printable characters except space 94 11 • A password of the strength S can be guessed at random with the probability of 1 in 2S. • The minimum length of the randomly-generated portion of the salt is 16 bytes. • The iteration count is as large as possible, with a minimum of 10,000 iterations recommended. • The maximum key length is(232 - 1)*b, where b is the digest size of the message digest function in bytes. • Derived keys can be used as specified in NIST SP800-132, Section 5.4, options 1 and 2. | |
| • AES in XTS mode is approved only for hardware storage applications. • The two keys used for XTS must be checked to ensure they are different. This check is performed automatically by the module. | XTS Mode Ciphers |
N L
RSA, EC, and DSA key operations implement blinding by default, a reversible way of modifying the input data, to make the operation immune to timing attacks. Blinding has no effect on the algorithm other than to mitigate attacks on the algorithm. For more information, see Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. RSA, EC, and DSA blinding is implemented through blinding modes, for which the following options are available: