All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Dell™ BSAFE™ Crypto Module for Java 7.0

Certificate#4892StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorDell Inc., BSAFE Product Team
Medium review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/18/2029
CaveatInterim Validation. When operated in approved mode. No assurance of the minimum strength of generated SSPs
VendorDell Inc., BSAFE Product Team

Approved Algorithms (66)

AlgorithmACVP Cert
AES-CBCA2314
AES-CBC-CS1A2314
AES-CBC-CS2A2314
AES-CBC-CS3A2314
AES-CCMA2314
AES-CFB128A2314
AES-CMACA2314
AES-CTRA2314
AES-ECBA2314
AES-GCMA2314
AES-KWA2314
AES-KWPA2314
AES-OFBA2314
AES-XTS Testing Revision 2.0A2314
Counter DRBGA2314
DSA KeyGen (FIPS186-4)A2314
DSA PQGGen (FIPS186-4)A2314
DSA PQGVer (FIPS186-4)A2314
DSA SigGen (FIPS186-4)A2314
DSA SigVer (FIPS186-4)A2314
ECDSA KeyGen (FIPS186-4)A2314
ECDSA KeyVer (FIPS186-4)A2314
ECDSA SigGen (FIPS186-4)A2314
ECDSA SigVer (FIPS186-4)A2314
Hash DRBGA2314
HMAC DRBGA2314
HMAC-SHA-1A2314
HMAC-SHA2-224A2314
HMAC-SHA2-256A2314
HMAC-SHA2-384A2314
HMAC-SHA2-512A2314
HMAC-SHA2-512/224A2314
HMAC-SHA2-512/256A2314
HMAC-SHA3-224A2314
HMAC-SHA3-256A2314
HMAC-SHA3-384A2314
HMAC-SHA3-512A2314
KAS-ECC CDH-ComponentA2314
KAS-ECC-SSC Sp800-56Ar3A2314
KAS-FFC-SSC Sp800-56Ar3A2314
KAS-IFC-SSCA2314
KAS-KC SP800-56A2314
KDA OneStep Sp800-56Cr1A2314
KDF SP800-108A2314
PBKDFA2314
RSA Decryption PrimitiveA2314
RSA KeyGen (FIPS186-4)A2314
RSA SigGen (FIPS186-4)A2314
RSA SigVer (FIPS186-4)A2314
Safe Primes Key GenerationA2314
Safe Primes Key VerificationA2314
SHA-1A2314
SHA2-224A2314
SHA2-256A2314
SHA2-384A2314
SHA2-512A2314
SHA2-512/224A2314
SHA2-512/256A2314
SHA3-224A2314
SHA3-256A2314
SHA3-384A2314
SHA3-512A2314
SHAKE-128A2314
SHAKE-256A2314
TLS v1.2 KDF RFC7627A2314
TLS v1.3 KDFA2314

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Dell™ BSAFE™ Crypto Module for Java 7.0
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>DTLS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Dell™ BSAFE™ Crypto Module for Java 7.0
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>DTLS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

ISO/IEC 19790 and FIPS 140-3 Non-Proprietary Security Policy for Dell™ BSAFE™ Crypto Module for Java 7.0 Software Version: 7.0 Last Updated: November 14, 2024, Version 1.2

Page 2

Table of Content List of Figures List of Tables

Page 3
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical security1N/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacks1

for Java 7.0 (hereinafter referred to as the Module or JCM) with software version 7.0. The following details how this Module meets the security requirements of FIPS 140-3, SP800-140, and ISO/IEC 19790 The security requirements cover areas related to the design and implementation of a cryptographic module. attacks. Table 1 below indicates the actual security levels for each area of the cryptographic Module. N/A N/A Table 1 Security Levels 1The module relies on the physical security provided by the host on which it runs. The Module has an overall security level of 1. The Module is a multi-chip standalone software module intended to be used as part of a software system, providing cryptographic services to that system. The module’s operational environment is non-modifiable. The module is provided as a Java Archive (jar) file. It is intended to be distributed with, and used by, a Java application. The module consists of a jar file, jcmFIPS-7.0.jar. The name and version of the module can be accessed from the API ModuleConfig.getVersionInfo(). The FIPS 140-3 validation certificate can be located on the NIST Cryptographic Module Validation Program (CMVP) page using the module name and version reported. The Module has been tested on the following Operational Environments:

Page 4
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1® SUSE Linux Enterprise Server 15 SP3 (64-bit) with OpenJDK 11Dell PowerEdge™ R6525AMD EPYC™ 7513N/A1
2® SUSE Linux Enterprise Server 15 SP3 (64-bit) with OpenJDK 8Dell PowerEdge™ R6525AMD EPYC™ 7513N/A2
3® Windows Server 2019 (64-bit) with Oracle® JRE 8Dell PowerEdge™ R6525AMD EPYC™ 7513N/A3
4Windows Server® 2016 (64-bit) with ® Oracle JRE 8Dell PowerEdge™ T130® ® Intel Xeon CPU E3-1230N/A4
1® ® Apple MacOS 10.15 (x86_64) with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)1
2Apple MacOS 10.15 (x86_64) with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)2
3® ® Canonical Ubuntu 16.04 (x86) with OpenJDK 8 (32-bit)Generic Hardware Platform with Intel x86 (32-bit)3
4Canonical Ubuntu 16.04 (x86) with OpenJDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)4
5CentOS™ 7.9 (x86_64) with OpenJDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)5
6Dell PowerProtect™ Data Domain™ OS (x86_64) with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)6
7Dell PowerStoreOS™ 4.0 (x86_64) with OpenJDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)7
8® FreeBSD Foundation 12 (x86_64) with OpenJDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)8

# N/A N/A N/A N/A Table 2 Tested Operational Environment In addition to the platforms listed in Table 2, Dell has also tested the module on the following platforms and claims vendor affirmation on them: #

Page 5
9Hewlett Packard Enterprise HP-UX 11.31 with HP JDK 8 (64-bit)Generic Hardware Platform with ® Itanium 2
10® IBM AIX 7.2 with IBM JDK 8 (64-bit)Generic Hardware Platform with ® PowerPC (64-bit)
11® Microsoft Windows10 Enterprise (x86_64) with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
12Microsoft Windows 10 Enterprise (x86_64) with Oracle JDK 8 (64- bit)Generic Hardware Platform with Intel x86_64 (64-bit)
13Microsoft Windows 10 Enterprise (x86_64) with Oracle JDK 7 (32- bit)Generic Hardware Platform with Intel x86_64 (64-bit)
14Microsoft Windows Server 2019 (x86_64) with Oracle JDK 11 (64- bit)Generic Hardware Platform with Intel x86_64 (64-bit)
15Microsoft Windows Server 2016 (x86_64) with Oracle JDK 11 (64- bit)Generic Hardware Platform with Intel x86_64 (64-bit)
16® Oracle Solaris 11.4 with Oracle JDK 11 (64-bit)Generic Hardware Platform with ® SPARC v9
17Oracle Solaris 11.4 with Oracle JDK 8 (64-bit)Generic Hardware Platform with SPARC v9
18Oracle Linux 7 64-bit on Oracle X Series Servers with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
19Oracle Linux 7 64-bit on Oracle X Series Servers with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
20Oracle Linux 7 64-bit on Oracle E Series Servers with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
21Oracle Linux 7 64-bit on Oracle E Series Servers with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
22Oracle Linux 7 64-bit on Oracle A Series Servers with Oracle JDK 8 (64-bit)Generic Hardware Platform with ARMv8 (64-bit)
23Oracle Linux 7 64-bit on Oracle A Series Servers with Oracle JDK 11 (64-bit)Generic Hardware Platform with ARMv8 (64-bit)
24Oracle Linux 8 64-bit on Oracle X Series Servers with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
25Oracle Linux 8 64-bit on Oracle X Series Servers with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
Page 6
26Oracle Linux 8 64-bit on Oracle E Series Servers with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
27Oracle Linux 8 64-bit on Oracle E Series Servers with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
28Oracle Linux 8 64-bit on Oracle A Series Servers with Oracle JDK 8 (64-bit)Generic Hardware Platform with ARMv8 (64-bit)
29Oracle Linux 8 64-bit on Oracle A Series Servers with Oracle JDK 11 (64-bit)Generic Hardware Platform with ARMv8 (64-bit)
30® Red Hat Enterprise Linux 8.6 (x86_64) with Oracle JDK 11 (64- bit)Generic Hardware Platform with Intel x86_64 (64-bit)
31Red Hat Enterprise Linux 8.6 (x86_64) with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
32Red Hat Enterprise Linux 7.9 (x86_64) with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
33Red Hat Enterprise Linux 7.9 (x86_64) with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
34SUSE Linux Enterprise Server 15 SP4 (x86_64) with OpenJDK 17 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
35SUSE Linux Enterprise Server 15 SP4 (x86_64) with OpenJDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
36SUSE Linux Enterprise Server 15 SP4 (x86_64) with OpenJDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
37SUSE Linux Enterprise Server 15 SP2 (x86_64) with OpenJDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
38SUSE Linux Enterprise Server 15 SP2 (x86_64) with OpenJDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
39SUSE Linux Enterprise Server 12 SP5 (x86_64) with IBM JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
40SUSE Linux Enterprise Server 12 SP5 (x86_64) with IBM JDK 7 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
41SUSE Linux Enterprise Server 12 SP5 (x86_64) with OpenJDK 7 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
42SUSE Linux Enterprise Server 12 SP5 (x86_64) with Oracle JDK 11 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197;A2314CBCKey Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38A, addendum]A2314CBC-CS1Key Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38A, addendum]A2314CBC-CS2Key Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38A, addendum]A2314CBC-CS3Key Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38C]A2314CCMKey Length: 128, 192, and 256 bitsAuthenticated encryption and decryption
AES [FIPS 197; SP800-38A, addendum]A2314CFB128Key Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38B]A2314CMACKey Length: 128, 192, and 256 bitsMessage authentication
AES [FIPS 197; SP800-38A]A2314CTRKey Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38A]A2314ECBKey Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38D]A2314GCMKey Length: 128, 192, and 256 bitsAuthenticated encryption and decryption
AES [FIPS 197; SP800-38F]A2314KW, KWPKey Length: 128, 192, and 256 bits Key establishment methodology provides between 128 and 256 bits of encryption strengthKey wrapping and unwrapping
AES [FIPS 197; SP800-38A]A2314OFBKey Length: 128, 192, and 256 bitsSymmetric encryption and decryption
AES [FIPS 197; SP800-38E]A2314XTSKey Length: 128 and 256 bitsSymmetric encryption and decryption
CTR_DRBG [SP800-90Arev1]A2314AES-128 AES-196 AES-256 Derivation Function Enabled; Prediction Resistance: Yes, NoN/ARandom bit generation
DSA [FIPS 186-4]A2314DSA KeyGen: -N: 224/256 -2048/3072 ModulusL: 2048/3072 bitsDSA keypair generation
DSA [FIPS 186-4]A2314DSA PQGGen: -P/Q Generation Methods: Probable -G Generation Methods: Unverifiable -N: 224/256 -2048/3072 Modulus withL: 2048/3072 bitsDSA PQG generation
DSA [FIPS 186-4]A2314DSA PQGVer: -P/Q Generation Methods: Probable -G Generation Methods: Unverifiable -N: 160/224/256 -1024/2048/3072 Modulus with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256L: 1024/2048/3072 bitsDSA PQG verification
DSA [FIPS 186-4]A2314DSA SigGen: -N: 224/256 -2048/3072 Modulus with SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2- 512/224, SHA2-512/256L: 2048/3072 bitsDSA signature generation
DSA [FIPS 186-4]A2314DSA SigVer: -N: 160/224/256 -1024/2048/3072 Modulus with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2-512/256L: 1024/2048/3072 bitsDSA signature verification Please note that DSA 1024 bits are only used for signature verification
ECDSA [FIPS 186-4]A2314ECDSA KeyGenCurves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521ECDSA keypair generation
ECDSA [FIPS 186-4]A2314ECDSA KeyVerCurves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521ECDSA keypair verification
ECDSA [FIPS 186-4]A2314ECDSA SigGenCurves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521ECDSA signature generation
ECDSA [FIPS 186-4]A2314ECDSA SigVerCurves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521ECDSA signature verification
HASH_DRBG [SP800-90Arev1]A2314SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 Prediction Resistance: Yes NoN/ARandom bit generation
HMAC_DRBG [SP800-90Arev1]A2314HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2-512/224 HMAC-SHA2-512/256 Prediction Resistance: Yes, NoN/ARandom bit generation
HMAC [FIPS 198-1]A2314HMAC-SHA-1Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA2-224Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA2-256Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA2-384Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA2-512Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA2-512/224Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA2-512/256Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA3-224Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA3-256Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA3-384Key Length: 112 bits or greaterMessage authentication
HMAC [FIPS 198-1]A2314HMAC-SHA3-512Key Length: 112 bits or greaterMessage authentication
KAS-ECC CDH Component (CVL) [SP800-56Arev3]A2314KAS-ECC CDH-Component: Function: Full Public Key Validation, Key Pair Generation, Partial Public Key ValidationCurves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Key establishment methodology provides between 128 and 256 bits of encryption strengthKey agreement primitive
KAS-ECC-SSC (CVL) [SP800-56Arev3]A2314KAS-ECC-SSC: Scheme: ephemeralUnified: KAS Role: initiator, responder staticUnified: KAS Role: initiator, responderCurves: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Key establishment methodology provides between 128 and 256 bits of encryption strengthKey agreement primitive
KAS-FFC-SSC (CVL) [SP800-56Arev3]A2314KAS-FFC-SSC: Scheme: dhEphem: KAS Role: initiator, responder dhOneFlow: KAS Role: initiator, responder dhStatic: KAS Role: initiator, responderDomain Parameter Generation Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Key establishment methodology provides between 112 and 200 bits of encryption strengthKey agreement primitive
KAS-IFC-SSC (CVL) [SP800-56Brev2]A2314KAS-IFC-SSC Scheme: KAS1: KAS Role: initiator, responderModulus: 2048, 3072, 4096, 6144, 8192Key agreement primitive
KAS KC (CVL) [SP800-56]A2314Key Confirmation Directions: Bilateral, Unilateral KAS Role: Initiator, ResponderN/AKey agreement primitive
KDA [SP800-56Crev1]A2314OneStep: SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512N/AKey agreement primitive
KDF [SP800-108]A2314KDF Mode: Feedback MAC Mode: HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2-512/224 HMAC-SHA2-512/256N/AKey derivation
PBKDF 1 [SP800-132]A2314N/AKey derivation
RSA Decryption Primitive (CVL) [SP800-56Crev2]A2314decryptionPrimitive2048 bit key sizeKey transport primitive
RSA [FIPS 186-4]A2314RSA KeyGen: -Mode: B.3.6 - 2048/3072/4096 ModulusModulus: 2048/3072/4096 bitsRSA keypair generation
RSA [FIPS 186-4]A2314RSA SigGen: -Mode: ANSI X9.31 -2048/3072/4096 Modulus with SHA2-224/ SHA2-256/ SHA2- 384/ SHA2-512/ SHA2-512- 224/ SHA2-512-256; -Mode: PKCS 1.5 -2048/3072/4096 Modulus with SHA2-224/ SHA2-256/ SHA2- 384/ SHA2-512/ SHA2-512- 224/ SHA2-512-256; -Mode: PKCSPSS -2048/3072/4096 Modulus with SHA2-224/ SHA2-256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512-Modulus: 2048/3072/4096 bitsRSA signature generation
RSA [FIPS 186-4]A2314RSA SigVer: -Mode: ANSI X9.31 -2048/3072/4096 Modulus with SHA-1, SHA2-224/ SHA2- 256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512- 256; -Mode: PKCS 1.5 -2048/3072/4096 Modulus with SHA-1, SHA2-224/ SHA2- 256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512- 256; -Mode: PKCSPSS -2048/3072/4096 Modulus with SHA-1, SHA2-224/ SHA2-256/ SHA2-384/ SHA2-512/ SHA2-512-224/ SHA2-512-256;Modulus: 1024/2048/3072/4096 bitsRSA signature verification
Safe Primes Key Generation [SP800-56Arev3]A2314KeyGen for KAS-FFC-SSCSafe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192KAS-FFC Keypair domain parameters generation
Safe Primes Key Verification [SP800-56Arev3]A2314KeyVer for KAS-FFC-SSCSafe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192KAS-FFC Keypair domain parameters verification
SHS [FIPS 180-4]A2314SHA-1N/AMessage digest Note: SHA-1 is not used for digital signature generation
SHS [FIPS 180-4]A2314SHA2-224N/AMessage digest
SHS [FIPS 180-4]A2314SHA2-256N/AMessage digest
SHS [FIPS 180-4]A2314SHA2-384N/AMessage digest
SHS [FIPS 180-4]A2314SHA2-512N/AMessage digest
SHS [FIPS 180-4]A2314SHA2-512/224N/AMessage digest
SHS [FIPS 180-4]A2314SHA2-512/256N/AMessage digest
SHA3 [FIPS 202]A2314SHA3-224N/AMessage digest
SHA3 [FIPS 202]A2314SHA3-256N/AMessage digest
SHA3 [FIPS 202]A2314SHA3-384N/AMessage digest
SHA3 [FIPS 202]A2314SHA3-512N/AMessage digest
SHAKE [FIPS 202]A2314SHAKE-128N/AMessage digest
SHAKE [FIPS 202]A2314SHAKE-256N/AMessage digest
TLS v1.2 KDF RFC7627 [RFC7627] (CVL)A2314TLS v1.2 KDF RFC7627N/AKey derivation
TLS v1.3 KDF [RFC8446] (CVL)A2314TLS v1.3 KDFN/AKey derivation
Cryptographic Key Generation (CKG)2 [SP800-133rev2]Vendor AffirmedN/AN/ACryptographic Key Generation; SP800-133rev2 and IG D.H Note: The cryptographic module performs Cryptographic Key Generation (CKG) for symmetric and asymmetric keys as per sections 5 and 6 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800- 90Arev1 DRBG
AES in BPS mode for FPESymmetric encryption / decryption
ChaCha20Symmetric encryption / decryption
ChaCha20/Poly1305Symmetric encryption / decryption
DESSymmetric encryption / decryption
DESXSymmetric encryption / decryption
Deterministic DSADigital signatures
Deterministic ECDSA (FIPS 186-5)Digital signatures
ECIESAsymmetric encryption / decryption
FIPS 186-2 PRNG (Change Notice General)Random bit generation
HMAC-MD5Message authentication
KDFTLS10Key Derivation (For use with TLS versions 1.0 and 1.1)
MD2Secure hashing
MD5Secure hashing
PBE (PKCS #12, PKCS #5, SSLCPBE)Symmetric encryption / decryption
PBHMAC (PKCS #12, PKIX)Message authentication
Poly1305Message authentication
RC2Symmetric encryption / decryption
RC4Symmetric encryption / decryption
RC5Symmetric encryption / decryption
RIPEMD160Secure hashing
RSA-KEM-KWSAsymmetric encryption / decryption
scryptKey Derivation
Shamir Secret SharingKey Generation
43SUSE Linux Enterprise Server 12 SP5 (x86_64) with Oracle JDK 8 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)
44SUSE Linux Enterprise Server 12 SP5 (x86_64) with Oracle JDK 7 (64-bit)Generic Hardware Platform with Intel x86_64 (64-bit)

Table 3 Vendor Affirmed Operational Environments The CMVP makes no statement about the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate. Mode of operation The Module supports both approved and non-approved modes of operation. It can operate in an approved mode after initial operations are performed, and all pre-operational self-tests have been completed successfully. The non-approved mode is entered when a non-approved algorithm or service is invoked. The Approved mode of operation can only be transitioned into the Non-Approved mode by calling one of the Non-Approved services. The Module does not claim implementation of a degraded mode of operation. If any self-test fails, the cryptographic services of the module are disabled for both Approved and NonApproved modes of operation. Section 4 provides details on the service indicator implemented by the Module. Table 4 below lists all the approved or vendor-affirmed security functions of the Module, including specific key size(s)

Page 13
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHAKE [FIPS 202]A2314SHAKE-256N/AMessage digest
TLS v1.2 KDF RFC7627 [RFC7627] (CVL)A2314TLS v1.2 KDF RFC7627N/AKey derivation
TLS v1.3 KDF [RFC8446] (CVL)A2314TLS v1.3 KDFN/AKey derivation
Cryptographic Key Generation (CKG)2 [SP800-133rev2]Vendor AffirmedN/AN/ACryptographic Key Generation; SP800-133rev2 and IG D.H Note: The cryptographic module performs Cryptographic Key Generation (CKG) for symmetric and asymmetric keys as per sections 5 and 6 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800- 90Arev1 DRBG
AES in BPS mode for FPESymmetric encryption / decryption
ChaCha20Symmetric encryption / decryption
ChaCha20/Poly1305Symmetric encryption / decryption
DESSymmetric encryption / decryption
DESXSymmetric encryption / decryption
Deterministic DSADigital signatures
Deterministic ECDSA (FIPS 186-5)Digital signatures
ECIESAsymmetric encryption / decryption
FIPS 186-2 PRNG (Change Notice General)Random bit generation
HMAC-MD5Message authentication
KDFTLS10Key Derivation (For use with TLS versions 1.0 and 1.1)
MD2Secure hashing
MD5Secure hashing
PBE (PKCS #12, PKCS #5, SSLCPBE)Symmetric encryption / decryption
PBHMAC (PKCS #12, PKIX)Message authentication
Poly1305Message authentication
RC2Symmetric encryption / decryption
RC4Symmetric encryption / decryption
RC5Symmetric encryption / decryption
RIPEMD160Secure hashing
RSA-KEM-KWSAsymmetric encryption / decryption
scryptKey Derivation
Shamir Secret SharingKey Generation
TDES in CBC, CFB64, ECB, OFB modes and CBC_CS1, CBC_CS2 or CBC_CS3 mode for CTSSymmetric encryption / decryption

N/A N/A N/A N/A N/A Table 4 - Approved Algorithms 1Password-based key derivation function 2 (PBKDF2). As defined in NIST Special Publication 800-132, PBKDF2 can be used in Approved mode when used with Approved symmetric key and message digest algorithms. For more information, see Crypto Officer Guidance 2The module supports cryptographic key generation as described in section 4 of SP800-133rev2 where V is a constant string of binary zeroes. The module also

Page 14

Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation As there are no non-Approved algorithms allowed in the approved mode of operation, the tables defined in SP800-140B for the following categories are missing from this document:

Page 15
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputPlaintext, Ciphertext, Message Digest, Signature, MAC, Secret, Key text, Wrapped key text, Message, Secret
N/AN/AData OutputStatus, Ciphertext, Plaintext, Verify status, Validation status, Wrapped key text, Message digest, MAC, Random bytes
N/AN/AControl InputConfiguration parameters for the API interface ModuleConfig which sets the mode of operation
N/AN/AStatus OutputMode of operation indicator from the API CryptoModule.isFIPS140Approved(). The state of the module from the API CryptoModule.getState()
N/AN/AControl OutputN/A

Figure 1 Module’s Block Diagram Cryptographic module interfaces The Module’s physical perimeter encompasses the case of the tested platform mentioned in Table 2 Tested Operational Environment. The Module provides its logical interfaces via API calls. The logical interfaces provided by the Module are mapped onto the FIPS 140-3 logical interfaces (Data Input, Data Output, Control Input, Control Output, and Status Output) as follows: N/A N/A N/A N/A N/A N/A Table 6 Ports and Interfaces

Page 16
Service
NameRolesInputOutput
Asymmetric EncryptionCrypto OfficerPlaintextCiphertext, Status
Asymmetric DecryptionCrypto OfficerCiphertextPlaintext, Status
Digital Signature GenerationCrypto OfficerMessage DigestSignature, Status
Digital Signature VerificationCrypto OfficerMessage Digest, SignatureVerify Status, Status
Key AssuranceCrypto OfficerValidation Status, Status
Key ConfirmationCrypto OfficerMACVerify status
Key DeletionCrypto Officer
Key DerivationCrypto OfficerSecretKey text, Status
Key Parameter GenerationCrypto OfficerStatus
Key WrapCrypto OfficerWrapped Key text, Status
Key UnwrapCrypto OfficerWrapped key textStatus
Message DigestCrypto OfficerMessageMessage Digest, Status
MAC GenerationCrypto OfficerSecret, MessageMAC, Status
MAC VerificationCrypto OfficerSecret, Message, MACVerify Status, Status
Random Number GenerationCrypto OfficerRandom bytes, Status
Self-testCrypto OfficerStatus
Symmetric EncryptionCrypto OfficerPlaintextCiphertext, Status
Symmetric DecryptionCrypto OfficerCiphertextPlaintext, Status

Roles, services, and authentication The Module meets all FIPS 140-3 Security Level 1 requirements for Roles, Services; and Authentication, implementing a Crypto Officer Role. As allowed by FIPS 140-3, the module does not support identification or authentication for this role. The Crypto Officer Role is implicitly assumed once the Module is loaded, and the role is cleared on Module unload. There is no maintenance role, cryptographic bypass capability, or self-initiated cryptographic output. The module does not allow concurrent operators. Table 7 Roles, Service Commands, Input, and Output The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module. W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. N/A = Not applicable: The service does not access any SSP during its operation.

Page 17
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Asymmetric EncryptionPerform asymmetric encryption operationCORSA Public KeyRSA Encryption PrimitiveEAPI call
Asymmetric DecryptionPerform asymmetric decryption operationCORSA Private KeyRSA Decryption PrimitiveEAPI call
Digital Signature GenerationPerform digital signature generationCODSA Private Key ECDSA Private Key RSA Private KeyDSA PQGGen DSA SigGen ECDSA SigGen RSA SigGenEAPI call
Digital Signature VerificationPerform digital signature verificationCODSA Public Key ECDSA Public Key RSA Public KeyDSA PQGVer DSA SigVer ECDSA SigVer RSA SigVerEAPI call
Key AssurancePerform key assurance operationCODSA Public Key DSA Private Key ECDSA Public Key ECDSA Private Key EC Diffie- Hellman Private Key EC Diffie- Hellman Public Key Diffie-Hellman Public Key Diffie-Hellman Private Key RSA Public Key RSA Private KeyN/ARAPI call
Key ConfirmationPerform key confirmation operationCOHMAC KeyKAS KCEAPI call
Key DeletionPerform key deletion operationCOAES Key DSA Public Key DSA Private Key ECDSA Public Key ECDSA Private Key CMAC Key HMAC Key RSA Public KeyN/AZAPI call
Key DerivationPerform key derivation operationCOKBKDF Key Derivation Key KBKDF Derived Key OneStep KDF Key Derivation Key OneStep KDF Derived Key PBKDF Password PBKDF Derived Key TLS Master Secret TLS Session Key TLS Session Integrity KeyKDA OneStep PBKDF TLS v1.2 KDF RFC 7627 TLS v1.3 KDFG, RAPI call
Key Parameter GenerationPerform key parameter generation operationCODSA Public Key DSA Private Key Diffie-Hellman Public Key Diffie-Hellman Private Key Diffie-Hellman Shared SecretKAS-FFC-SCCGAPI call
Key UnwrapPerform key unwrap operationCOAES KeyAES-KW AES-KWPAPI call
Key wrapPerform key wrap operationCOAES Key AES Key Wrap KeyAES-KW AES-KWPEAPI call
Message DigestPerform message digest operationCOSHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA2-512/256 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-128 SHAKE-256API call
MAC GenerationPerform MAC generation operationCOCMAC Key HMAC KeyCMAC-AES HMAC-SHA-1RAPI call
MAC VerificationPerform MAC verification operationCOCMAC Key HMAC KeyCMAC-AES HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512RAPI call
Random Number GenerationPerform random number generationCODRBG Entropy Input DRBG Seed DRBG Internal State V value DRBG KeyCTR_DRBG HASH_DRBG HMAC_DRBGAPI call
Symmetric EncryptionPerform symmetric encryption operationCOAES Key AES GCM IVAES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB AES-CTR AES-ECB AES-GCM AES-OFB AES-XTSEAPI call
Symmetric DecryptionPerform symmetric decryption operationCOAES Key AES GCM IVAES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB AES-CTR AES-ECB AES-GCM AES-OFB AES-XTSEAPI call

Table 8 below lists all approved services that can be used in the approved mode of operation. E E E E N/A R EC DiffieHellman E Z N/A

Page 18

N/A EC DiffieHellman EC DiffieHellman G, R R G

Page 21
Service
NameDescriptionRolesApproved FunctionsIndicator
Asymmetric EncryptionPerform asymmetric encryption operationN/AECIES RSA-KEM-KWSAPI call
Asymmetric DecryptionPerform asymmetric decryption operationN/AECIES RSA-KEM-KWSAPI call
Digital Signature GenerationPerform digital signature generationN/ADeterministic DSA Deterministic ECDSAAPI call
Digital Signature VerificationPerform digital signature verificationN/ADeterministic DSA Deterministic ECDSAAPI call
Key DerivationPerform key derivation operationN/AKDFTLS10 (For use with TLS versions 1.0 and 1.1) PKCS #5 KDF PKCS #12 KDF scryptAPI call
Message DigestPerform message digest operationN/AMD2 MD5 RIPEMD160API call
MAC GenerationPerform MAC generation operationN/AHMAC-MD5 PBHMAC (PKCS #12, PKIX) Poly1305API call
MAC VerificationPerform MAC verification operationN/AHMAC-MD5 PBHMAC (PKCS #12, PKIX) Poly1305API call
Random Number GenerationPerform random number generationN/AFIPS 186-2 PRNG (Change Notice General)API call
Symmetric EncryptionPerform symmetric encryption operationN/AAES in BPS mode for FPE ChaCha20 ChaCha20/Poly1305 DES DESX RC2 RC4 RC5 PBE (PKCS #12, PKCS #5, SSLCPBE) TDES in CBC, CFB64, ECB, OFB modes and CBC_CS1, CBC_CS2 or CBC_CS3 mode for CTSAPI call
Symmetric DecryptionPerform symmetric decryption operationN/AAES in BPS mode for FPE ChaCha20 ChaCha20/Poly1305 DES DESX RC2 RC4 RC5 PBE (PKCS #12, PKCS #5, SSLCPBE) TDES in CBC, CFB64, ECB, OFB modes and CBC_CS1, CBC_CS2 or CBC_CS3 mode for CTSAPI call

Table 9 Non-Approved Services N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Page 22

The Module doesn’t support self-initiated cryptographic output capability and cryptographic Bypass capability services. Software/Firmware security Integrity techniques Module integrity check is implemented by first calculating a MAC over each of the files listed in module.files, using HMAC-SHA-1 with a fixed key. Another MAC is then calculated over all file MACs in the order that they are listed, using the same algorithm and key as for the file MACs. This two-step process is intended to allow the jar file to be processed sequentially without having to load the entire jar file into memory even after the order of the jar file entries has been changed. The expected integrity check MAC is stored in the jar file manifest. During the Integrity Test when the module is loaded, a MAC is again calculated and compared with the pre-computed MAC value contained in the jar file manifest. If these values are equal, then the software integrity check has passed and power-up of the Module can continue. Otherwise, the test has failed, and the Module is disabled. Integrity test on-demand The integrity test is performed as part of the pre-operational self-tests. It is automatically executed at power-on. The module provides the ModuleConfig.runSelfTests() API to allow the operator to perform on-demand integrity testing. The operator can also power-cycle or reboot the tested platform to initiate the software integrity test on-demand. Operational environment The Module is a software module, which is operated in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module is provided for operating systems running on a general-purpose computer platform based on an Intel CPU. The Module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values, and other SSPs by external processes during module execution. The Module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the Module are owned by the Module and are not owned by external processes or operators. Physical security The FIPS 140-3 physical security requirements do not apply to the Module since it is a software module. Non-invasive security Currently, non-invasive security is not required by FIPS 140-3 (see NIST SP800-140F). The requirements of this area are not applicable to the Module.

Page 23
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZero- isatio
DRBG entropy input (CSP)256 bitsCTR_DRBG HASH_DRBG HMAC_DRBG #A2314Obtained from the Entropy Source within TOEPP (GPS INT Pathways).N/AN/A: The module does not provide persistent keys/SSPs storage.Random Number GenerationImport to the module via Module’s API Export: NoAutomatic zeroization when the tested platform is powered down
DRBG Seed (CSP)256 bitsCTR_DRBG HASH_DRBG HMAC_DRBG #A2314Internally Derived from entropy input string as defined by SP800- 90Arev1.N/AN/A: The module does not provide persistent keys/SSPs storage.Random Number GenerationImport: No Export: NoAutomatic zeroization when the tested platform is powered down
DRBG Internal State V value (CSP)256 bitsCTR_DRBG HASH_DRBG HMAC_DRBG #A2314Internally Derived from entropy input string as defined by SP800- 90Arev1.N/AN/A: The module does not provide persistent keys/SSPs storage.Random Number GenerationImport: No Export: NoAutomatic zeroization when the tested platform is powered down
DRBG Key (CSP)256 bitsCTR_DRBG HASH_DRBG HMAC_DRBG #A2314Internally Derived from entropy input string as defined by SP800- 90Arev1.N/AN/A: The module does not provide persistent keys/SSPs storage.Random Number GenerationImport: No Export: NoAutomatic zeroization when the tested platform is powered down.
Diffie-Hellman Private Key (CSP)MODP- 2048CKG CTR_DRBG HASH_DRBG HMAC_DRBG KAS-FFC-SSC Safe Primes Key Generation #A2314Internally generated conformant to SP800- 133rev2 (CKG) using SP800-56A rev3 Diffie- Hellman key generation method, and the random value used in key generation is generated using SP800- 90ARev1 DRBG.N/AN/A: The module does not provide persistent keys/ SSPs storage.Used to derive Diffie- Hellman Shared SecretImport: No Export: NoAutomatic zeroization when the tested platform is powered down
Diffie-Hellman Public Key (PSP)MODP- 2048KAS-FFC-SSC Safe Primes Key Generation #A2314Internally derived per the Diffie- Hellman key agreement (SP800- 56Arev3).N/AN/A: The module does not provide persistent keys/ SSPs storage.Used to derive Diffie- Hellman Shared SecretImport: No Export: YesAutomatic zeroization when the tested platform is powered down
Peer Diffie- Hellman Public Key (PSP)MODP- 2048N/AN/AN/AN/A: The module does not provide persistent keys/SSPs storage.Used to derive Diffie- Hellman Shared SecretImport: Yes Export: NoAutomatic zeroization when the tested platform is powered down
Diffie-Hellman Shared Secret (CSP)MODP- 2048KAS-FFC-SSC #A2314Internally generated using SP800- 56Arev3 DH shared secret computation.N/AN/A: The module does not provide persistent keys/SSPs storage.Used to derive TLS session related keysImport: No Export: NoAutomatic zeroization when the tested platform is powered down
EC Diffie- Hellman Private Key (CSP)P-256/P- 384/P-521CKG CTR_DRBG HASH_DRBG HMAC_DRBG KAS-ECC-SSC #A2314Internally generated conformant to SP800- 133rev2 (CKG) using SP800-56A rev3 EC Diffie- Hellman key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBGN/AN/A: The module does not provide persistent keys/ SSPs storage.Used to derive EC Diffie- Hellman Shared SecretImport: No Export: NoAutomatic zeroization when the tested platform is powered down
EC Diffie- Hellman Public Key (PSP)P-256/P- 384/P-521KAS-ECC-SSC #A2314Internally derived per the EC Diffie- Hellman key agreement (SP800- 56Arev3).N/AN/A: The module does not provide persistent keys/ SSPs storage.Used to derive EC Diffie- Hellman Shared SecretImport: No Export: YesAutomatic zeroization when the tested platform is powered down
Peer EC Diffie-Hellman Public Key (PSP)P-256/P- 384/P-521N/AN/AN/AN/A: The module does not provide persistent keys/SSPs storage.Used to derive EC Diffie- Hellman Shared SecretImport: Yes Export: NoAutomatic zeroization when the tested platform is powered down
EC Diffie- Hellman Shared Secret (CSP)P-256/P- 384/P-521KAS-ECC-SSC #A2314Internally derived using SP800- 56Arev3 ECDH shared secret computation.N/AN/A: The module does not provide persistent keys/SSPs storage.Used to derive TLS session related keysImport: No Export: NoAutomatic zeroization when the tested platform is powered down
DSA Private Key (CSP)2048/3072 bits #A2314CKG CTR_DRBG HASH_DRBG HMAC_DRBG DSA PQGGen DSA SigGen DSA KeyGen #A2314Internally generated conformant to SP800-133r2 (CKG) using FIPS 186-4 DSA key generation method, and the randomN/AN/A: The module does not provide persistent keys/SSPs storage.Signature generation and Verification used in TLSImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
DSA Public Key (PSP)1024/2048 /3072 bits #A2314DSA PQGVer DSA SigVer DSA KeyGen #A2314Internally derived per the FIPS 186- 4 DSA key generation method Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Signature generation and Verification used in TLSImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
ECDSA Private Key (CSP)P-256/P- 384/P-521CKG CTR_DRBG HASH_DRBG HMAC_DRBG ECDSA KeyGen ECDSA KeyVer ECDSA SigGen #A2314Internally generated conformant to SP800- 133rev2 (CKG) using FIPS 186-4 ECDSA key generation method, and the random value used in key generation is generated using SP800- 90Arev1 DRBG. Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Signature generation and verification used in TLSImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
ECDSA Public Key (PSP)P-256/P- 384/P-521ECDSA KeyGen ECDSA KeyVer ECDSA SigVer #A2314Internally derived per the FIPS 186- 4 ECDSA key generation method. Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Signature generation and verification used in TLSImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
RSA Private Key (CSP)2048/3072 /4096 bitsCKG CTR_DRBG HASH_DRBG HMAC_DRBG RSA KeyGen RSA SigGen #A2314Internally generated conformant to SP800- 133rev2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in the key generation is generated using SP800- 90Arev1N/AN/A: The module does not provide persistent keys/SSPs storage.Signature generation and verification used in TLSImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
RSA Public Key (PSP)1024/2048 /3072/409 6 bitsRSA KeyGen RSA SigVer #A2314Internally derived per the FIPS 186- 4 RSA key generation method. Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Signature generation and verification used in TLSImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
TLS Master Secret (CSP)48 BytesKeying MaterialInternally Derived per the key derivation function defined in SP800-135 KDF (KDF- TLS v1.2 RFC7627)N/AN/A: The module does not provide persistent keys/SSPs storage.Keying material used to derive other TLS keysImport: No Export: NoAutomatic zeroization when TLS session is terminated or when the tested platform is powered down
TLS Session Key (CSP)128/256 bitsAES-CBC AES-GCM TLS v1.2 KDF RFC7627 TLS v1.3 KDF #A2314Internally Derived per the key derivation function defined in SP800-135 KDF (KDF- TLS v1.2 RFC7627).N/AN/A: The module does not provide persistent keys/SSPs storage.Used for TLS session confidentialit y protectionImport: No Export: NoAutomatic zeroization when TLS session is terminated or when the tested platform is powered down
TLS Session Integrity Key (CSP)256-384 bitsTLS v1.2 KDF RFC7627 TLS v1.3 KDF HMAC-SHA2- 256 HMAC-SHA2- 384 #A2314Internally Derived per the key derivation function defined in SP800-135 KDF (KDF- TLS v1.2 RFC7627).N/AN/A: The module does not provide persistent keys/SSPs storage.Used for TLS session integrity protectionImport: No Export: NoAutomatic zeroization when TLS session is terminated or when the tested platform is powered down
AES Key (CSP)128/192/2 56 bitsAES-CBC AES-CBC-CS1 AES-CBC-CS2 AES-CBC-CS3 AES-CCM AES-CFB AES-CTR AES-ECB AES-GCM AES-OFB AES-XTS #A2314Internally generated per the key generation function defined in SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Symmetric encryption and decryptionImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
AES GCM IV (CSP)N/AAES-GCM #A2314Internally Derived per the key derivation function defined in:N/AN/A: The module does not provide persistent keys/SSPs storage.Authenticated symmetric encryption and decryptionImport: No Export: NoAutomatic zeroization when the tested platform is
SP800-38D using random value generated using SP800- 90A DRBGSP800-38D using random value generated using SP800- 90A DRBGpowered down
CMAC Key (CSP)128/192/2 56 bitsCMAC-AES #A2314Internally Derived per the key derivation function defined in: SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Message authenticationImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
HMAC Key (CSP)112-256 bitsHMAC-SHA-1 HMAC-SHA2- 224 HMAC-SHA2- 256 HMAC-SHA2- 384 HMAC-SHA2- 512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3- 224 HMAC-SHA3- 256 HMAC-SHA3- 384 HMAC-SHA3- 512 #A2314Internally Derived per the key derivation function defined in: SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Message authenticationImport: Yes Export: YesAutomatic zeroization when the tested platform is powered down
KBKDF Key Derivation Key (CSP)N/AKDF SP800-108 #A2314N/AN/AN/A: The module does not provide persistent keys/SSPs storage.Key derivationImport: Yes Export: NoAutomatic zeroization when the tested platform is powered down
KBKDF Derived Key (CSP)N/AKDF SP800-108 #A2314N/ASP800-108N/A: The module does not provide persistent keys/SSPs storage.Derived from key derivation keyImport: No Export: YesAutomatic zeroization when the tested platform is powered down
OneStep KDF Key Derivation Key (CSP)N/AKDA OneStep #A2314N/AN/AN/A: The module does not provide persistent keys/SSPs storage.Key derivationImport: Yes Export: NoAutomatic zeroization when the tested platform is powered down
OneStep KDF Derived Key (CSP)N/AKDA OneStep #A2314N/ASP800-56C Rev.1N/A: The module does not provide persistent keys/SSPs storage.Derived from key derivation keyImport: No Export: YesAutomatic zeroization when the tested platform is powered down
PBKDF Password (CSP)N/APBKDF #A2314N/AN/AN/A: The module does not provide persistent keys/SSPs storage.Key derivationImport: Yes Export: NoAutomatic zeroization when the tested platform is powered down
PBKDF Derived Key (CSP)N/APBKDF #A2314N/ASP800-132N/A: The module does not provide persistent keys/SSPs storage.Derived from key derivation keyImport: No Export: YesAutomatic zeroization when the tested platform is powered down
AES Key Wrap Key (CSP)128/192/2 56 bitsAES-KW AES-KWP #A2314Internally generated per the key generation function defined in: SP800- 133rev2 using random value generated using SP800- 90A DRBG Or externally generatedN/AN/A: The module does not provide persistent keys/SSPs storage.Key wrapping and unwrappingImport: Yes Export: NoAutomatic zeroization when the tested platform is powered down

Sensitive security parameters management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the Module: shment SP80090Arev1. SP80090Arev1. SP80090Arev1. using SP80090ARev1 (SP80056Arev3). Zeroisatio n derive DiffieHellman derive DiffieHellman

Page 24

N/A EC DiffieHellman N/A SP800133rev2 DiffieHellman key using SP80090Arev1 (SP80056Arev3). N/A SP800Export: No derive DiffieHellman DiffieHellman DiffieHellman DiffieHellman

Page 25

using SP80090Arev1 using SP80090Arev1 SP800133rev2 using SP80090Arev1

Page 27

N/A SP800133rev2 using SP800133rev2 using HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 N/A

Page 28
Approved algorithm
NameKey Size
EntropyEntropyMinimum numberDetails
sourcessourcesof bits of entropy
Entropy within the TOEPP was passively loaded into the Module to seed the 800- 90Arev1 DRBG by the Operating System.At least 112 bitsWhile operating in the approved mode, the entropy and seeding material for the SP800-90Arev1 DRBG are provided by the external calling application (and not by the Module) which is outside the Module’s cryptographic boundary but contained within the Module’s Tested Operational Environment’s Physical Perimeter (TOEPP) boundary. The module receives a LOAD command with entropy obtained from the entropy source (Intel CPU processor with instructions RDRand) inside the TOEPP. The minimum effective strength of the SP800-90Arev1 DRBG seed is required to be at least 112 bits when used in an approved mode of operation, therefore the minimum number of bits of entropy requested when the Module makes a call to the SP800-90Arev1 DRBG is at least 112 bits. Per the IG 9.3.A Entropy Caveats, the following caveat applies: No assurance of the minimum strength of generated SSPs (e.g., keys)

N/A N/A N/A N/A N/A SP800down Table 10 SSPs Table 11 Non-Deterministic Random Number Generation Specification The Module is passively receiving the entropy while exercising no control over the amount or the quality

Page 29
Sensitive security parameter
NameTypeStrengthRequired DRBG Security Strength
128, 192, 256AES Key128, 192, 256128, 192, 256
2048, 3072, 4096RSA Key Pair112, 128, 152112, 128, 152
2048, 3072DSA Key Pair112, 128112, 128
224, 256, 384, 521EC Key Pair112, 128, 192, 256112, 128, 192, 256
DRBGDRBG• When an approved algorithm requires a DRBG to perform an operation, an approved DRBG algorithm must be used. For example, when initializing an approved signature algorithm, an approved DRBG such as HMAC DRBG must be used.

provide the required security strength, and to ensure the security strength of a DRBG is equal to or greater than the security strength of any SSPs generated using that DRBG. Entropy can be supplied to the Module using the following APIs:

10 Self-tests

When the Module is loaded or instantiated after being power-cycled or rebooted, the Module runs preoperational self-tests. The operating system is responsible for the initialization process and loading the Module. The Module is designed with a default entry point (DEP) that ensures automatic initiation of the self-tests when the Module is loaded. Before the Module provides any data output via the data output interface, the Module performs the pre-operational self-tests, ensuring all pass. A software integrity test is performed on the runtime image of the Module with an HMAC-SHA-1 algorithm. Prior to the firmware integrity test, the Module conducts an HMAC-SHA-1 Cryptographic Algorithm Self-test (CAST). If the CAST on the HMAC-SHA-1 is successful, the HMAC value of the runtime image is recalculated and compared with the stored HMAC value pre-computed at compilation time. During power-up, and following the successful pre-operational self-tests, the Module executes the Conditional CASTs for all approved cryptographic algorithms implemented by the Module. The self-test success or failure messages, for example, Error: Signature RSA test failure or ECDH P-256 test failure, are logged and function as the self-test status indicator. If any one of the self-tests fails, the Module transitions into a FIPS140State.FAILED error state and outputs the error message via the Module’s status output interface, SecurityException. While the Module is in the error state, all data through the data output interface and all cryptographic operations are disabled. The only method to recover from the error state is to power cycle the device. This results in the Module being reloaded into memory and reperforming the pre-operational software integrity test and the

Page 30

Conditional CASTs. The module will only enter the operational state after successfully passing the preoperational software integrity test and the Conditional CASTs. Pre-operational self-tests Pre-operational self-tests are executed automatically when the Module is loaded into memory. They can be re-run manually after the module has loaded, by calling the ModuleConfig.runSelfTests() API. The pre-operational self-tests include the Software Integrity Test. The Software Integrity Test is comprised of an HMAC-SHA-1 verification of the files listed in fips140/module.files. The cryptographic services of the Module are disabled when the self-tests are running. When the self-tests are running, the following stands true:

Page 31

o o o o o o o o o o o o o o o

Page 32
11 Life-cycle assurance

Installation, Initialization, Startup, Operation and Maintenance The module is installed by adding jcmFIPS-7.0.jar to the application's classpath. The module is started by starting the application that references it. The module uses JDK services to perform the module startup when the application loads it. When loading the module, the com.rsa.crypto.jcm.ModuleLoader.load() method extracts arguments from the com.rsa.cryptoj.jcm.JavaModuleProperties class, which is created using the com.rsa.cryptoj.jcm.CryptoJModulePropertiesFactory class. The following arguments are extracted:

Page 33
Approved algorithm
NameMode Method
• When using an approved DRBG, the number of bytes of seed key input must be equivalent to or greater than the security strength of the keys the caller wishes to generate. For example, a 256-bit or higher seed key input when generating 256-bit AES keys. • Since the Module does not modify the output of an Approved DRBG, any generated symmetric keys or seed values are created directly from the output of the Approved DRBG.
• When using GCM feedback mode for symmetric encryption, the authentication tag length and authenticated data length may be specified as input parameters, but the IV must not be specified. It must be generated internally. • Where the Module is powered down, a new key must be used for AES GCM encryption/decryption. • GCM with a partial IV supplied to the Module is approved only when used within a TLS v 1.2 or 1.3 protocol implementation. • The AES-GCM cipher, when used for symmetric encryption purposes other than TLS, must use an IV in one of the two possible ways, to comply with SP800-38D: – Allow the Module to generate the IV deterministically by not supplying any IV parameters during cipher initialization. The generated 96-bit (12-byte) IV consists of a 32-bit fixed field followed by a 64-bit invocation field where: – The fixed field bytes are derived from the Module name, version information, and memory address of a Java class within the Module. – The invocation field is a 64-bit counter that is initialized, on Module startup, to a value consisting of the 42 bits of current time, as milliseconds since Epoch, followed by 22 bits of zero. This counter value is incremented by one each time a new IV is requested. By using the current time to prefix the counter start value, in the event of Module restart, the counter will be ahead of any previous Module states, ensuring that IV values cannot be reused. The Module user must ensure the system time is valid to prevent repetition of IVs. – Generate at least 12 bytes of IV using an Approved DRBG, and input the IV to the cipher at initialization time using the RAW_IV parameter. • The AES-GCM cipher used for the TLS protocol as the cipher implementation complies with SP800-52 and is compatible with RFC 5288 with the following conditions: – The IV is configured as follows: – The four-byte salt derived from the TLS handshake process is input using the parameter PARTIAL_IV during cipher initialization. This is used as the first four bytes of IV. This 32-bit part of the IV is also referred to as the nonce value in FIPS 140-3 IG C.H and is positioned in the name field of the IV as required in FIPS 140-3 IG C.H, TLS/DTLS 1.2 protocol IV generation. – The remaining eight bytes of IV, referred to as nonce_explicit in RFC 5288, are generated deterministically by the module using the 64-bit counter used for the invocation field described above. – When the 64-bit counter exhausts the maximum number ofGCM Mode Ciphers
possible values for a given session key, the Module will throw a SecurityException. – Whichever party, the client or the server, that encounters this condition must trigger a handshake to establish a new encryption key. – The TLS session is aborted if the keys for the client and server negotiated in the handshake process, client_write_key and server_write_key, are identical.
• The key length for an HMAC generation or verification must be between 112 and 4096 bits, inclusive. • For HMAC verification, a key length greater than or equal to 80 and less than 112 is allowed for legacy-use.HMAC
• An approved HMAC must be used for extract and expand operations. • A particular key-derivation key must only be used for a single key- expansion step. For more information, see SP800-56C Rev. 1. • The derived key must be used only as a secret key. • The derived key shall not be used as a key stream for a stream cipher. • When selecting an HMAC hash, the output block size must be equal to or greater than the desired security strength of the derived key. • The pseudo-random key input to the expansion and the keying material output from the expansion must have lengths that are equal to or greater than the desired security strength of the derived key.HMAC-Based Extract-and- Expand Key Derivation Function
• An approved hash function must be used to derive key materials. • When selecting a hash algorithm, the output block size must be equal to or greater than the desired security strength of the derived key. • The derived key must be used only as a secret key. • The derived key shall not be used as a key stream for a stream cipher. • The secret data input into this KDF must have a length equal to or greater than the desired security strength of the derived key.One-Step Key Derivation Function
• TLS v1.2 PRF KDF is allowed only when the following conditions are satisfied: – The KDF is performed in the context of the TLS protocol. – HMAC is as specified in FIPS 198-1. – P_HASH uses either SHA-256, SHA-384, or SHA-512. For more information, see SP800-135 Rev. 1. • The TLS protocols have not been tested by the CAVP and CMVP.TLS PRF Key Derivation Function
• When using an Approved DRBG to generate DH or DSA parameters, the requested DRBG must have a security strength at least as great as the security strength of the parameters being generated. That means that an Approved DRBG with an appropriate strength must be used. For more information on requesting the DRBG security strength, see the relevant API Javadoc.Parameter Generation
Obtain domain parameters and assurance of the domain parameter validity: • For schemes using FFC, use one of the FFC safe-prime groups as defined in SP800-56A rev. 3 Appendix D. • For schemes using ECC, use one of the approved curves as defined in SP800-56A rev. 3 Appendix D. Obtain a key pair from domain parameters: • For all schemes:Key Agreement
– All key material must be generated before any of the keys are used. – If key generation fails then the party must destroy all calculated values. – The shared secret, and any key material, is destroyed. • For schemes that use key confirmation: – Both parties must use a common, approved MAC to generate confirmation values. – The MAC key will be generated as one of the key material elements. – The input values for MAC tag generation must be formatted as per SP800-56A Rev. 3. – The MAC key and tag lengths must satisfy the requirements of SP800-56A Rev. 3. – The MAC key must be destroyed after use. – If confirmation fails then destroy all calculated values. All key material is destroyed before it is used for any other purpose. – Approved key confirmation technique(s) as specified in SP800-56A Rev. 3.
• When using an approved DRBG to generate keys, the security strength of the DRBG must be at least as great as the security strength of the key being generated. For details about the comparable security strengths of symmetric block ciphers and asymmetric key algorithms refer to Table 2 of NIST SP800-57 Part 1 Rev. 5. • When generating key pairs using the KeyPairGenerator object, the generate(boolean pairwiseConsistency) method must not be invoked with an argument of false. Use of the no-argument generate() method is recommended.Key Generation
• Keys used for digital signature generation and verification shall not be used for any other purpose. The module generates keys with a particular purpose that is either signing or encryption. The same purpose must always be used for a given key when exported and loaded into the module again. • The length of an RSA key pair for digital signature generation must be greater than or equal to 2048 bits. For digital signature verification, the length must be greater than or equal to 2048 bits. However, 1024 bits is allowed for legacy-use only. RSA keys shall have a public exponent of an odd number, equal to or greater than 65537. • The SHA-1 digest is disallowed for the generation of digital signatures. • For RSASSA-PSS: If nLen is 1024 bits, and the output length of the approved hash function output block is 512 bits, then the length of the salt (sLen) shall be 0<=sLen<=hLen – 2. Otherwise, the length of the salt shall be 0 <=sLen<=hLen, where hLen is the length of the hash function output block (in bytes or octets).Digital Signatures
• Keys generated using PBKDF2 shall only be used in data storage applications. • Minimum Password Length: The minimum length (L) of a password generated using a cryptographically secure random password generator to provide a search space of S entries depends on the size (N) of the character set: L= ⸢log S/log N⸣ 2 2Password-based Key Derivation
The following provides examples for a password used by PBKDF2 where S = 4.32 x 1020: Character Set N L Case sensitive (a-z, A-Z) 52 13 Case sensitive alpha numeric 62 12 All ASCII printable characters except space 94 11 • A password of the strength S can be guessed at random with the probability of 1 in 2S. • The minimum length of the randomly-generated portion of the salt is 16 bytes. • The iteration count is as large as possible, with a minimum of 10,000 iterations recommended. • The maximum key length is(232 - 1)*b, where b is the digest size of the message digest function in bytes. • Derived keys can be used as specified in NIST SP800-132, Section 5.4, options 1 and 2.
• AES in XTS mode is approved only for hardware storage applications. • The two keys used for XTS must be checked to ensure they are different. This check is performed automatically by the module.XTS Mode Ciphers
Page 35
Page 37

N L

Page 38
12 Mitigation of other attacks

RSA, EC, and DSA key operations implement blinding by default, a reversible way of modifying the input data, to make the operation immune to timing attacks. Blinding has no effect on the algorithm other than to mitigate attacks on the algorithm. For more information, see Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. RSA, EC, and DSA blinding is implemented through blinding modes, for which the following options are available: