All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Cryptographic Module for BIG-IP

Certificate#4895StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorF5, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/20/2029
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy.
VendorF5, Inc.
Hardware versionsN/A

Approved Algorithms (33)

AlgorithmACVP Cert
AES-CBCA3947
AES-CBCA3948
AES-CTRA3947
AES-ECBA3947
AES-ECBA3948
AES-GCMA3947
AES-GCMA3947
AES-GCMA3948
AES-GMACA3947
AES-GMACA3948
Counter DRBGA3947
Counter DRBGA3948
ECDSA KeyGen (FIPS186-4)A3947
ECDSA KeyVer (FIPS186-4)A3947
ECDSA SigGen (FIPS186-4)A3947
ECDSA SigVer (FIPS186-4)A3947
HMAC-SHA-1A3947
HMAC-SHA-1A3948
HMAC-SHA2-256A3947
HMAC-SHA2-384A3947
KAS-ECC-SSC Sp800-56Ar3A3947
KAS-FFC-SSC Sp800-56Ar3A3947
KDF SSHA3947
KDF TLSA3947
RSA KeyGen (FIPS186-4)A3947
RSA SigGen (FIPS186-4)A3947
RSA SigVer (FIPS186-4)A3947
Safe Primes Key GenerationA3947
SHA-1A3947
SHA-1A3948
SHA2-256A3947
SHA2-384A3947
TLS v1.2 KDF RFC7627A3947

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Sensitive Security Parameter Management1
Self-TestsN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Cryptographic Module for BIG-IP
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Halt Error<br/>The data output is inhibited.</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Cryptographic Module for BIG-IP
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Halt Error<br/>The data output is inhibited.</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

F5, Inc. Cryptographic Module for BIG-IP version 1.0.2za-fips Last update: November 2024 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

Cryptographic Module for BIG-IP Table of Contents 1.1 1.2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 3.1 4.1 4.2 4.3 4.4 5.1 5.2 6.1 9.1 9.2 9.3 9.4 © 2024 F5, Inc. / atsec information security.

2 of 36
Page 3

Cryptographic Module for BIG-IP © 2024 F5, Inc. / atsec information security.

3 of 36
Page 4

Cryptographic Module for BIG-IP F5® and BIG-IP® are registered trademarks of F5, Inc. VMware ESXi™ is a registered trademark of VMware®, Inc. Intel® Xeon® is a registered trademark of Intel® Corporation. Dell is a registered trademark of Dell, Inc. Azure and Hyper-V are registered trademarks of Microsoft AWS is a trademark of Amazon.com, Inc. © 2024 F5, Inc. / atsec information security.

4 of 36
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityNot Applicable
88Non-invasive SecurityNot Applicable
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other AttacksNot Applicable
Overall LevelOverall Level1

Cryptographic Module for BIG-IP

1.1 Description

This document is the non-proprietary FIPS 140-3 Security Policy that contains the security rules under which the Cryptographic Module for BIG-IP must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards

1.2 Security Levels

Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.

5 of 36
Page 6

Cryptographic Module for BIG-IP

2 Cryptographic Module Specification
2.1 Description

Purpose of Use: The Cryptographic Module for BIG-IP (hereafter referred to as “the module”) is a cryptographic library offering various cryptographic mechanisms to be used by OpenSSL application running on BIG-IP Virtual Edition. The module provides cryptographic services to applications through an Application Program Interface (API). The module also interacts with the underlying operating system via system calls. Module Type: software Module Embodiment: multiple-chip standalone Cryptographic boundary: The block diagram in Figure 1 shows the module, its interfaces with the operational environment and the delimitation of its cryptographic boundary with red lines. Figure 1 Block Diagram The cryptographic module boundary consists of two components:

6 of 36
Page 7
Module configuration
NameOperating SystemHardware PlatformProcessorPaa PaiHypervisor#
1BIG-IP 17.1.0.1Dell PowerEdge R650Intel® Xeon® Gold Ice Lake 6330NWith and without PAAVMware ESXi™ 8.0.0.10100 (Build: 20920323)1
2BIG-IP 17.1.0.1Dell PowerEdge R450Intel® Xeon® Silver Ice Lake 4309YWith and without PAAHyper-V version 10.0.20348.1 Windows Server 2022 Standard2
3BIG-IP 17.1.0.1Dell PowerEdge R450Intel® Xeon® Silver Ice Lake 4309YWith and without PAAKVM Ubuntu 22.04.1 LTS3
1BIG-IP 17.1.0.1Microsoft Corporation Hyper-V Virtual Machine running on Azure CLI 2.48.1 with Intel Xeon Platinum 8272CL1
Module configuration
NameOperating SystemHardware PlatformProcessorPaa PaiHypervisor#
1BIG-IP 17.1.0.1Dell PowerEdge R650Intel® Xeon® Gold Ice Lake 6330NWith and without PAAVMware ESXi™ 8.0.0.10100 (Build: 20920323)1
2BIG-IP 17.1.0.1Dell PowerEdge R450Intel® Xeon® Silver Ice Lake 4309YWith and without PAAHyper-V version 10.0.20348.1 Windows Server 2022 Standard2
3BIG-IP 17.1.0.1Dell PowerEdge R450Intel® Xeon® Silver Ice Lake 4309YWith and without PAAKVM Ubuntu 22.04.1 LTS3
1BIG-IP 17.1.0.1Microsoft Corporation Hyper-V Virtual Machine running on Azure CLI 2.48.1 with Intel Xeon Platinum 8272CL1

Cryptographic Module for BIG-IP Figure 2

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

7 of 36
Page 8
Service
NameDescriptionIndicatorType
Non-ApprovedAutomatically entered whenever a non-approved service is requestedEquivalent to the indicator of the requested serviceNon-Approved
Approved algorithm
NameCAVP CertMode MethodUse FunctionDescriptionUse / Function
AES [FIPS 197,A3947,ECB, CBC, GCMSymmetric encryption and decryption128 / 192 / 256-bit AES
SP800-38A, SP800-A3948key / strength from
38D]128 to 256-bits
AES [FIPS 197,A3947CTRSymmetric encryption and decryption128 / 192 / 256-bit AES
SP800-38A]key / strength from
AES [FIPS 197,A3947,GMACMAC generation / verification128 / 192 / 256-bit AES
SP800-38D]A3948key / strength from
KTS (AES) [FIPS 197,A3947,GCMKey wrapping128 / 256-bit AES key /
SP800-38F, SP800-A3948strength from 128 and
38D]256-bits.
CTR_DRBG [SP800-A3947AES-256 in CTR mode,Random number generationEntropy input, seed, V
90Ar1]with / withoutand key values /
derivation function,derivation function,strength is 256-bits
CTR_DRBG [SP800-A3948AES 256 in CTR mode,Random number generationEntropy input, seed, V
90Ar1]with derivationand key values /
function, predictionfunction, predictionstrength is 256-bits
RSA KeyGen [FIPSA3947Appendix B.3.3RSA key generation2048 / 3072/ 4096-bit
186-4]Probable primes withmodulus size / strength
standard key formatstandard key formatfrom 112 to 150-bits
RSA SigGen [FIPSA3947PKCS 1.5 with SHA-RSA signature generation2048 / 3072/ 4096-bit
186-4]256, SHA-384modulus / strength
RSA SigVer [FIPSA3947PKCS 1.5 with SHA2-RSA signature verification2048 / 3072/ 4096-bit
186-4]256, SHA2-384modulus / strength
ECDSA KeyGen [FIPSA3947Appendix B.4.2:ECDSA/ ECDH key pair generationECDSA / ECDH key pair
186-4]Testing candidatesP-256 and P-384
ECDSA KeyVer [FIPSA3947N/AECDSA/ ECDH public key verificationECDSA / ECDH key pair
186-4]with P-256 and P-384
ECDSA SigGen [FIPSA3947SHA2-256, SHA2-384ECDSA signature generationECDSA P-256, P- 384
186-4]curves / strength 128
ECDSA SigVer [FIPSA3947SHA2-256, SHA2-384ECDSA signature verificationECDSA P-256, P- 384
186-4]curves / strength 128
SHA [FIPS180-4]A3947,SHA-1Message digestN/A
SHA [FIPS180-4]A3947SHA2-256, SHA2-384Message digestN/A
HMAC [FIPS 198]A3947,HMAC-SHA-1MAC generation/ verification112 to 1024-bits with
A3948A3948key strengths 112-bits
HMAC [FIPS 198]A3947HMAC-SHA2-256,MAC generation/ verification112 to 1024-bits with
HMAC-SHA2-384HMAC-SHA2-384key strengths 112 to
KAS-ECC-SSCA3947Ephemeral Unified:EC Diffie-Hellman sharedP-256, P-384 / strength
[SP800-56Ar3]KAS Role: initiator,secret computation used in128 and 192-bits
responderresponderKey Agreement Scheme (KAS)
Safe primes keyA3947Safe primeSafe primes key generationSafe Prime Groups:
generation [SP800 –ffdhe2048, ffdhe3072,
56Ar3]ffdhe4096 / strength
KAS-FFC-SSCA3947dhEphemeral:Diffie-Hellman shared secretffdhe2048, ffdhe3072,
[SP800-56Ar3]KAS Role: initiator,computation used in KAS IGffdhe4096 / strength
responderresponderD.F scenario 2 (path 1)from 112 to 150-bits
SSH KDFA3947AES-128, AES-256 withKey derivation256-bit keys with 256-
[SP800-135r1](CVL)SHA2-256, SHA2-384bit key strength
TLS KDFA3947TLS version 1.0 / 1.1Key derivation256-bits
[SP800-135r1](CVL)
TLS KDFA3947TLS v1.2Key derivation256-bits
[SP800-135r1](CVL)
MD5Allowed per IG 2.4.AMessage digest used in TLS 1.0 / 1.1 KDF only
2BIG-IP 17.1.0.1Xen 4.2.amazon running on AWS CLI 2.11.19 with Intel Xeon Scalable Processor Cascade Lake 8259CL

Cryptographic Module for BIG-IP Table 3 - Vendor Affirmed Operational Environments Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Table 4 - Modes of Operation The module becomes operational and enters the approved mode after pre-operational self-tests and conditional algorithm self-tests succeed. No operator intervention is required to reach this point. Once the module is operational, the mode of operation is implicitly assumed depending on the security function invoked and the security strength of the cryptographic keys. Using any nonapproved algorithms from Table 8 will put the module in non-approved mode implicitly.

2.5 Algorithms

1 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service

of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an © 2024 F5, Inc. / atsec information security.

8 of 36
Page 9

Cryptographic Module for BIG-IP N/A N/A © 2024 F5, Inc. / atsec information security.

9 of 36
Page 10
Service
NamePropertiesImplementationReference
CKGKey Type: AsymmetricCryptographic Module forSP800-133r2, Section 4, example 1 and
BIG-IPBIG-IPIG D.I.
Approved algorithm
NameCAVP CertMode MethodUse FunctionDescriptionUse / Function
KAS-ECC-SSCA3947Ephemeral Unified:EC Diffie-Hellman sharedP-256, P-384 / strength
[SP800-56Ar3]KAS Role: initiator,secret computation used in128 and 192-bits
responderresponderKey Agreement Scheme (KAS)
Safe primes keyA3947Safe primeSafe primes key generationSafe Prime Groups:
generation [SP800 –ffdhe2048, ffdhe3072,
56Ar3]ffdhe4096 / strength
KAS-FFC-SSCA3947dhEphemeral:Diffie-Hellman shared secretffdhe2048, ffdhe3072,
[SP800-56Ar3]KAS Role: initiator,computation used in KAS IGffdhe4096 / strength
responderresponderD.F scenario 2 (path 1)from 112 to 150-bits
SSH KDFA3947AES-128, AES-256 withKey derivation256-bit keys with 256-
[SP800-135r1](CVL)SHA2-256, SHA2-384bit key strength
TLS KDFA3947TLS version 1.0 / 1.1Key derivation256-bits
[SP800-135r1](CVL)
TLS KDFA3947TLS v1.2Key derivation256-bits
[SP800-135r1](CVL)
MD5Allowed per IG 2.4.AMessage digest used in TLS 1.0 / 1.1 KDF only

Table 5 - Approved Algorithms Vendor Affirmed Algorithms: Table 6 - Vendor Affirmed Algorithms Non-Approved, Allowed Algorithms: The module does not implement any Non-Approved Allowed algorithms in the Approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: Table 7 - Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms © 2024 F5, Inc. / atsec information security.

10 of 36
Page 11
Approved algorithm
NameUse Function
AES with OFB, CCM, CFB, XTS, KW modes, Blowfish, Camellia, CAST5, DES, IDEA, RC2, RC4, SEED, SM2, SM4, Triple-DESSymmetric encryption and decryption
SHA2-224, SHA2-512, SM3, MD4, MDC2, RIPEMD, WhirlpoolMessage digest
HMAC-SHA2-224, HMAC-SHA2-512, AES CMAC, Triple-DES CMACMAC generation/ verification
RSA key generationRSA with 1024 and greater than 4096 up to 16384 modulus
RSA signature generation and verificationPKCS #1 v1.5 scheme with 1024 and greater than 4096 up to 16384 modulus, for all SHA sizes
ECDSAKey pair generation using P-224, P-521 curves
RSA encrypt / decryptRSA with modulus sizes up to 16384-bits
Safe primes key verificationPublic key verification using safe prime groups
DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verificationDSA with all key and SHA sizes
HMAC_DRBG and Hash_DRBG using all SHA sizes, CTR_DRBG with AES-128, AES-192, ANSI X9.31 RNGRandom number generation
Diffie-HellmanShared secret computation with groups other than ffdhe2048, ffdhe3072, ffdhe4096
EC Diffie-HellmanShared secret computation: - Ephemeral Unified with curves other than P-256, P-384 without KDF. - one PassDh and StaticUnified without KDF.
TLS KDF SSH KDFKey Derivation function in the context of: - TLS using SHA2-224 / SHA2-512 - SSH using SHA-1 / SHA2-224 / SHA2-512

Cryptographic Module for BIG-IP Table 8 - Non-Approved, Not Allowed Algorithms © 2024 F5, Inc. / atsec information security.

11 of 36
Page 12
Service
NameDescriptionApproved FunctionsTypeProperties
Diffie-Hellman shared secret computation[SP800-56Ar3] shared secret computation used in KAS IG D.F scenario 2 (path 1)KAS-FFC-SSC/ A3947KASffdhe2048, ffdhe3072, ffdhe4096 providing from 112 to 150-bits of encryption strength
EC Diffie-Hellman shared secret computation[SP800-56Ar3] shared secret computation used in KAS IG D.F scenario 2 (path 1)KAS-ECC-SSC/ A3947KASP-256, P-384 providing 128 and 192-bits of encryption strength
AES key wrapping[FIPS 197, SP800-38F], IG D.G comment 8, key wrapping and unwrapping, in the context of the TLS protocol, are provided by the TLS record layer using AES-GCM as the approved authenticated encryption mode.AES GCM/ A3947, A3948KTS128 / 256-bit AES-GCM keys providing 128 and 256-bits of encryption strength

Cryptographic Module for BIG-IP

2.6 Security Function Implementations

Table 9 - Security Function Implementations

2.7 Algorithm Specific Information

AES-GCM IV: The Crypto Officer shall consider the following requirements and restrictions when using the module. The IV for AES-GCM is constructed in compliance with IG C.H scenario 1a (TLS 1.2). The module is compliant with SP800-52r2 section 3.3.1 and the mechanism for IV generation is compliant with RFC5288. The module does not implement the TLS protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. generation services specified in section 9.2. For KAS-FFC-SSC the module generates keys using Safe Primes Key Generation with Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096. For KASECC-SSC, the module generates keys using ECDSA KeyGen, with curves P-384 and P-256. The module performs full public key validation on the generated public keys. Additionally, the module performs full public key validation on the received public keys. RSA modulus size (IG C.F): The module implements FIPS 186-4 RSA KeyGen, SigVer and RSA SigGen with modulus lengths of 2048, 3072, 4096 bits. All these modulus lengths have been CAVP tested.

2.8 RNG and Entropy

The module entropy source specified in Table 10 uses jitter variations caused by executing instructions and memory accessed (see details in Public Use Document referenced in section 11.2). The CPU Jitter 3.4.0 entropy source with SHA-3 vetted conditioning component is located within the physical perimeter of the module but outside the cryptographic boundary of the module. © 2024 F5, Inc. / atsec information security.

12 of 36
Page 13
Sensitive security parameter
NameTypeStrength
CPU Jitter Entropy Source for F5 cryptographic module (SHA_3) #E74Non- Physical256 bitsOEs listed in Table 2.256 bitsSHA3-256 (A2621)

NonPhysical The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90Ar1] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The approved DRBG provided by the module is the counter DRBG with AES256. The output of entropy sources provides 256-bits of entropy to seed and reseed SP800-90Ar1 DRBG during initialization (seed) and reseeding (reseed).

2.9 Key Generation

The module implements RSA, ECDSA, ECDH and DH asymmetric key generation services with the following methods:

2.10 Key Establishment

See Table 9, "KAS" row.

2.11 Industry Protocol

The TLS v1.0 / 1.1 / 1.2 protocol has not been reviewed or tested by the CAVP or CMVP. See section 2.7 for details. © 2024 F5, Inc. / atsec information security.

13 of 36
Page 14
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs.As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs.Data InputData inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers
Data OutputData OutputData outputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers
Control InputControl InputControl inputs which control the mode of the module are provided through dedicated parameters.
Status OutputStatus OutputStatus output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation.

Cryptographic Module for BIG-IP

3 Cryptographic Module Interfaces

The logical interfaces are the API through which the applications request services. The following table summarizes the logical interfaces. Table 11 - Ports and Interfaces © 2024 F5, Inc. / atsec information security.

14 of 36
Page 15
Service
NameRole AccessTypeInputOutput
Crypto OfficerCORoleN/A
Encryption and decryptionPlaintext and key / ciphertext and keyCiphertext / plaintextCrypto Officer
Key wrappingWrapping key, key to be wrapped / Unwrapping key, key and key to be unwrappedWrapped key / unwrapped key
Random number generationNumber of bitsRandom numbers
RSA key pair generationKey sizePublic key, private key
ECDSA/ ECDH key pair generationElliptic curvePrivate key, public key
ECDSA/ ECDH Public key verificationPublic keyPass / fail result of public key verification
RSA/ ECDSA / DSA/ signature generationPrivate key, message, hashing algorithmComputed signature
RSA/ ECDSA / DSA signature verificationPublic key, digital signature, message, hashing algorithmPass / fail result of digital signature verification
RSA encryption and decryptionMessage, keyCiphertext / plaintext
DSA key pair generationDomain parametersPublic key, private key
DSA domain parameter generationPrime length and seed lengthDomain parameters
DSA domain parameter verificationDomain parametersReturn codes / log messages
Safe primes key generation/ verificationGroupPrivate key, public key
EC Diffie-Hellman / Diffie-Hellman shared secret computationPublic key, private keyShared secret
Service
NameRole AccessTypeInputOutput
Crypto OfficerCORoleN/A
Encryption and decryptionPlaintext and key / ciphertext and keyCiphertext / plaintextCrypto Officer
Key wrappingWrapping key, key to be wrapped / Unwrapping key, key and key to be unwrappedWrapped key / unwrapped key
Random number generationNumber of bitsRandom numbers
RSA key pair generationKey sizePublic key, private key
ECDSA/ ECDH key pair generationElliptic curvePrivate key, public key
ECDSA/ ECDH Public key verificationPublic keyPass / fail result of public key verification
RSA/ ECDSA / DSA/ signature generationPrivate key, message, hashing algorithmComputed signature
RSA/ ECDSA / DSA signature verificationPublic key, digital signature, message, hashing algorithmPass / fail result of digital signature verification
RSA encryption and decryptionMessage, keyCiphertext / plaintext
DSA key pair generationDomain parametersPublic key, private key
DSA domain parameter generationPrime length and seed lengthDomain parameters
DSA domain parameter verificationDomain parametersReturn codes / log messages
Safe primes key generation/ verificationGroupPrivate key, public key
EC Diffie-Hellman / Diffie-Hellman shared secret computationPublic key, private keyShared secret

Cryptographic Module for BIG-IP

4 Roles, Services, and Authentication
4.1 Authentication Methods

FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not implement an authentication mechanism for Crypto Officer. The Crypto Officer role is implicitly assumed when accessing all services provided by the module (see Table Approved Services and Table - Non-Approved Services below).

4.2 Roles

The module supports the Crypto Officer role only. No support is provided for multiple concurrent operators. N/A Table 12 - Roles Table below describes the authorized role in which the service can be performed with specification © 2024 F5, Inc. / atsec information security.

15 of 36
Page 16
Service
NameDescriptionRolesApproved FunctionsIndicatorInputOutputRoles
Message digestMessage, Hashing algorithmHashed message
MAC generationMessage, HMAC key or GMAC key, MAC algorithm, MAC lengthAuthenticated message
MAC verificationAuthenticated message, HMAC key or GMAC key, MAC algorithmPass/fail result of MAC verification
Key derivationPRF algorithm, TLS pre-primary secret, TLS primary secret, SSH shared secret, SSH derived keyDerived key
Show versionN/AName and Version information
Show StatusN/AStatus output
Self-TestsN/APass / fail results of self-tests
Encryption and decryptionExecutes AES- mode encrypt or decrypt operation128 / 192 / 256-bit AES key: W, E:AES-ECB, AES-CBC, AES-CTRAES-ECB, AES-CBC, AES-CTRCrypto Officer
Key wrappingExecutes AES-GCM key wrapping or unwrapping operation, per IG D.G128 / 256-bit AES key: W, EAES-GCM encrypt / decryptAES-GCMCrypto Officer
Random number generationGenerate random numberEntropy input: ECounter DRBGCTR-DRBG-AES-256Crypto Officer
RSA key pair generationGenerate RSA key pairRSA private key, RSA public key (2048 / 3072 / 4096- bits): G, RC KG [SP800-133r2] RSA KeyGen [FIPS 186-4] Counter DRBGRSA-KEY-GEN-2048, RSA-KEY-GEN-3072 RSA-KEY-GEN- 4096Crypto Officer
RSA signature generationSign a message with a specified RSA private key.RSA private key (2048 / 3072 / 4096- bits): W, ERSA SigGen [FIPS 186-4] with SHA2- 256, SHA2-384RSA-SIGCrypto Officer
RSA signature verificationVerify the signature of a message with a specified RSA public key.RSA public key (2048 / 3072 / 4096- bits): W, ERSA SigVer [FIPS 186-4] with SHA2- 256, SHA2-384RSA-VERCrypto Officer
Service
NameDescriptionRolesApproved FunctionsIndicatorInputOutputRoles
Message digestMessage, Hashing algorithmHashed message
MAC generationMessage, HMAC key or GMAC key, MAC algorithm, MAC lengthAuthenticated message
MAC verificationAuthenticated message, HMAC key or GMAC key, MAC algorithmPass/fail result of MAC verification
Key derivationPRF algorithm, TLS pre-primary secret, TLS primary secret, SSH shared secret, SSH derived keyDerived key
Show versionN/AName and Version information
Show StatusN/AStatus output
Self-TestsN/APass / fail results of self-tests
Encryption and decryptionExecutes AES- mode encrypt or decrypt operation128 / 192 / 256-bit AES key: W, E:AES-ECB, AES-CBC, AES-CTRAES-ECB, AES-CBC, AES-CTRCrypto Officer
Key wrappingExecutes AES-GCM key wrapping or unwrapping operation, per IG D.G128 / 256-bit AES key: W, EAES-GCM encrypt / decryptAES-GCMCrypto Officer
Random number generationGenerate random numberEntropy input: ECounter DRBGCTR-DRBG-AES-256Crypto Officer
RSA key pair generationGenerate RSA key pairRSA private key, RSA public key (2048 / 3072 / 4096- bits): G, RC KG [SP800-133r2] RSA KeyGen [FIPS 186-4] Counter DRBGRSA-KEY-GEN-2048, RSA-KEY-GEN-3072 RSA-KEY-GEN- 4096Crypto Officer
RSA signature generationSign a message with a specified RSA private key.RSA private key (2048 / 3072 / 4096- bits): W, ERSA SigGen [FIPS 186-4] with SHA2- 256, SHA2-384RSA-SIGCrypto Officer
RSA signature verificationVerify the signature of a message with a specified RSA public key.RSA public key (2048 / 3072 / 4096- bits): W, ERSA SigVer [FIPS 186-4] with SHA2- 256, SHA2-384RSA-VERCrypto Officer
ECDSA / EC Diffie- Hellman key pair generationGenerate a key pair for a requested elliptic curveECDSA / EC Diffie- Hellman private key, ECDSA / EC Diffie-Hellman public key (P-256 and P-384 curves, key pair): G, RCKG [SP800-133r2] ECDSA KeyGen [FIPS 186-4] Counter DRBGEC-KEYGEN-P-256, EC- KEYGEN-P-384Crypto Officer
ECDSA / EC Diffie- Hellman public key verificationPublic key verificationECDSA / EC Diffie- Hellman public key (P-256 and P-384 curves): E, WECDSA KeyVer [FIPS 186-4]EC-KEY-VERIFY-P-256, EC-KEY-VERIFY-P-384Crypto Officer
ECDSA signature generationSign a message with a specified ECDSA private key.ECDSA private key (P-256 and P-384 curves): W, EECDSA SigGen [FIPS 186-4] (SHA2-256, SHA2-384)ECDSA-SIGN-P-256, ECDSA-SIGN-P-384Crypto Officer
ECDSA signature verificationVerify the signature of a message with a specified ECDSA public key.E CDSA public key (P-256 and P-384 curves): W, EECDSA ECDSA SigVer [FIPS 186-4] (SHA2- 256, SHA2-384)ECDSA-VERIFY-P-256, ECDSA-VERIFY-P-384Crypto Officer
EC Diffie- Hellman shared secret computation IG D.F scenario 2, path 1Calculate a shared secret via the EC Diffie-Hellman algorithm.EC Diffie-Hellman private key (P-256 and P-384 curves): W, EKAS-ECC-SSC SP800- 56Ar3ECDH-COMPUTE-KEY-P- 256, ECDH-COMPUTE-KEY-P- 384Crypto Officer
Safe primes key generationGenerate a key pairDiffie-Hellman public key ( ffdhe2048, ffdhe3072, ffdhe4096): G, R Diffie-Hellman private key (ffdhe2048, ffdhe3072, ffdhe4096): G, RSafe primes key generationFFDHE2048-KEYGEN, FFDHE3072-KEYGEN, FFDHE4096-KEYGENCrypto Officer
Diffie- Hellman shared secret computation IG D.F scenario 2, path 1Calculate a shared secret via the Diffie- Hellman algorithm.Diffie-Hellman private key (ffdhe2048, ffdhe3072, ffdhe4096): W, EKAS-FFC-SSC SP800- 56Ar3FFDHE2048-COMPUTE, FFDHE3072- COMPUTE, FFDHE4096- COMPUTECrypto Officer
Message digestGenerate a digest for the requested algorithmN/ASHA-1, SHA2-256, SHA2-384MESSAGE-DIGEST-SHA- 1 MESSAGE-DIGEST-- SHA-256 MESSAGE-DIGEST-- SHA-384Crypto Officer
MAC generation / verificationGenerate / verify an HMAC or GMAC digest using the requested SHA algorithm or AES algorithm as appropriateHMAC key, AES- key: W, EHMAC-SHA-1, HMAC- SHA2-256, HMAC- SHA2-384, AES-GMACMSG-AUTH-HMAC-SHA- 1, MSG-AUTH-HMAC-SHA- 256 MSG-AUTH-HMAC-SHA- 384 AES-GMACCrypto Officer
Key derivationDeriving TLS keysTLS pre-primary secret: W, E TLS primary secret: W, E, G TLS derived key: GTLS KDF v1.0 / 1.1 / 1.2TLS-P-HASH- DERIVATION-SHA-1 TLS-P-HASH- DERIVATION-SHA-256 TLS-P-HASH- DERIVATION SHA-384Crypto Officer
Key derivationDeriving SSH keysSSH shared secret: W, E SSH derived key: GSSHv2 KDFSSH-KEY-HASH- DERIVATION-SHA-256 SSH-KEY-HASH- DERIVATION SHA-384Crypto Officer
Show versionReturn the SW version and the module's nameN/AN/ANoneCrypto Officer
Show StatusReturn the module statusN/AN/ANoneCrypto Officer
Self-testsExecute integrity test. Execute the CASTsN/A (key for self- tests are not SSPs)Integrity test, CASTs from Table 19NoneCrypto Officer
Symmetric encryption and decryptionEncryption / decryptionCrypto OfficerAES with OFB, CFB, CCM, XTS, KW modes; Triple-DES; Blowfish; Camellia; CAST5; DES; IDEA; RC2; RC4; SEED; SM2; SM4None
Message digestGenerating message digestSHA2-224, SHA2-512, SM3, MD4, MDC2, RIPEMD, Whirlpool

Cryptographic Module for BIG-IP N/A N/A N/A

4.3 Approved Services

The status output from the FIPS_set_indicator_status service indicator's call is provided in Indicator column in Table 14. To read this indicator, the calling application must register a callback function using 'FIPS_register_indicator_callback'. The callback function shall take the input of the form "char *" which is the form of the indicator being output by the module. © 2024 F5, Inc. / atsec information security.

16 of 36
Page 17

Cryptographic Module for BIG-IP W, E DiffieCalculate a shared © 2024 F5, Inc. / atsec information security.

17 of 36
Page 18
Service
NameDescriptionRolesApproved FunctionsIndicatorRoles
Message digestGenerate a digest for the requested algorithmN/ASHA-1, SHA2-256, SHA2-384MESSAGE-DIGEST-SHA- 1 MESSAGE-DIGEST-- SHA-256 MESSAGE-DIGEST-- SHA-384Crypto Officer
MAC generation / verificationGenerate / verify an HMAC or GMAC digest using the requested SHA algorithm or AES algorithm as appropriateHMAC key, AES- key: W, EHMAC-SHA-1, HMAC- SHA2-256, HMAC- SHA2-384, AES-GMACMSG-AUTH-HMAC-SHA- 1, MSG-AUTH-HMAC-SHA- 256 MSG-AUTH-HMAC-SHA- 384 AES-GMACCrypto Officer
Key derivationDeriving TLS keysTLS pre-primary secret: W, E TLS primary secret: W, E, G TLS derived key: GTLS KDF v1.0 / 1.1 / 1.2TLS-P-HASH- DERIVATION-SHA-1 TLS-P-HASH- DERIVATION-SHA-256 TLS-P-HASH- DERIVATION SHA-384Crypto Officer
Key derivationDeriving SSH keysSSH shared secret: W, E SSH derived key: GSSHv2 KDFSSH-KEY-HASH- DERIVATION-SHA-256 SSH-KEY-HASH- DERIVATION SHA-384Crypto Officer
Show versionReturn the SW version and the module's nameN/AN/ANoneCrypto Officer
Show StatusReturn the module statusN/AN/ANoneCrypto Officer
Self-testsExecute integrity test. Execute the CASTsN/A (key for self- tests are not SSPs)Integrity test, CASTs from Table 19NoneCrypto Officer
Symmetric encryption and decryptionEncryption / decryptionCrypto OfficerAES with OFB, CFB, CCM, XTS, KW modes; Triple-DES; Blowfish; Camellia; CAST5; DES; IDEA; RC2; RC4; SEED; SM2; SM4None
Message digestGenerating message digestSHA2-224, SHA2-512, SM3, MD4, MDC2, RIPEMD, Whirlpool
Message authentication code generation and verificationMAC computationHMAC-SHA2-224, HMAC-SHA2-512 AES CMAC, Triple-DES CMAC
RSA key pair generationGenerating key pairRSA KeyGen with 1024, greater than 4096 and up to 16384 modulus
RSA signature generation and verificationGenerating signature, Verifying signatureRSA SigGen / SigVer PKCS #1 v1.5 with key other than the one listed in Table 5
ECDSA key pair generationGenerating key pairECDSA KeyGen using P-224, P-521 curves
ECDSA public key verificationVerifying public keyECDSA KeyVer using P-224, P-521 curves
ECDSA signature generation & verificationGenerating signature, Verifying signatureECDSA SigGen and ECDSA SigVer using P-256, P-384 curves with SHA-1, SHA2-224 and SHA2-512
RSA encryption / decryptionEncryption / decryptionRSA with modulus size up to 16384- bits
Safe primes key verificationPublic key verificationPublic key verification using safe prime groups
DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verificationGenerating domain parameter, Verifying domain parameters, Generating key pair, Generating signature, Verifying signatureDSA with all key and SHA sizes
Random number generationGenerating deterministic random numberUsing HMAC_DRBG and Hash_DRBG for all SHA sizes
Shared secret computationCalculating shared secretDiffie-Hellman key agreement without KDF with groups other than ffdhe2048, ffdhe3072, ffdhe4096 EC Diffie-Hellman Ephemeral Unified with P-224, P-521 curves without KDF EC Diffie-Hellman one Pass and Static without KDF
Key derivation (TLS)Deriving TLS keyKey Derivation using SHA2-224 / SHA2-512
Key derivation (SSH)Deriving SSH keyKey Derivation function using SHA-1 / SHA2-224 / SHA2-512

Cryptographic Module for BIG-IP 1.2 TLS-P-HASHW, E, G W, E N/A N/A N/A N/A Table 14 - Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP.

4.4 Non-Approved Services

© 2024 F5, Inc. / atsec information security.

18 of 36
Page 19

Cryptographic Module for BIG-IP Table 15 - Non-Approved Services © 2024 F5, Inc. / atsec information security.

19 of 36
Page 20

Cryptographic Module for BIG-IP

5 Software / Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing a HMAC value calculated at run time on the libcrypto.so.1.0.2za file, using HMAC key embedded in the same file, with the HMAC-SHA2-256 value stored in the module file .libcrypto.so.1.0.2za.hmac that was computed at build time. Integrity tests are performed as part of the Pre-Operational Self-Tests.

5.2 Initiate on Demand

The on-demand integrity test is performed by power-cycling or reloading the module. © 2024 F5, Inc. / atsec information security.

20 of 36
Page 21

Cryptographic Module for BIG-IP

6 Operational Environment
6.1 Operational Environment Type and Requirements

Operational Environment Type: The module operates in a modifiable operational environment. BIG-IP consists of a Linux based operating system customized for performance that runs directly on the hardware or in virtual environment. Operational Environment Requirements: The module runs on a BIG-IP 17.1.0.1 operating system executing on the hardware and hypervisor specified in Table

  1. Configuration Settings and Restrictions: The module should be installed as stated in section
  2. The operator should confirm that the module is installed correctly by section following guidance in section 11.1 and section 11.2. © 2024 F5, Inc. / atsec information security.
21 of 36
Page 22

Cryptographic Module for BIG-IP

7 Physical Security

The module is a software and therefore this section is Not Applicable (N/A). © 2024 F5, Inc. / atsec information security.

22 of 36
Page 23

Cryptographic Module for BIG-IP

8 Non-invasive Security

Per IG 12.A: Until requirements of SP800-140F are defined, non-invasive mechanisms fall under ISO / IEC 19790:2012 Section 7.12 Mitigation of other attacks. © 2024 F5, Inc. / atsec information security.

23 of 36
Page 24
Sensitive security parameter
NameTypeDescriptionStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationImport ExportSSP Name / Type
RAMDynamicThe memory occupied by SSPs is allocated by regular memory allocation operating system calls. SSPs are stored in plaintext
Use: Encryption / decryption Related keys: N/A128 to 256-bitsECB, CBC, CTR, GCM A3947 ECB, CBC, GCM A3948N/AN/ARAMEVP_C IPHER _CTX_ clean upInput as an API parameter; No exportAES key / CSP / symme tric
Use: MAC generation and verification Related keys: N/A128 to 256-bitsGMAC, A3947 A3948N/AN/ARAMEVP_C IPHER _CTX_ clean upInput as an API parameter; No exportAES key / CSP / symme tric
Use: Key wrapping Related keys: N/A128 and 256-bitsAES GCM key wrapping A3947 A3948N/AN/ARAMFIPS_c ipher_ ctx_cl eanup ()Input as an API parameter; No exportAES key / CSP / symme tric
Use: MAC generation/ verification112 to 192-bitsHMAC- SHA-1, HMAC-N/AN/ARAMHMAC _CTX_Input as an API parameter; No exportHMAC key / CSP /
Sensitive security parameter
NameTypeDescriptionStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationImport ExportSSP Name / Type
RAMDynamicThe memory occupied by SSPs is allocated by regular memory allocation operating system calls. SSPs are stored in plaintext
Use: Encryption / decryption Related keys: N/A128 to 256-bitsECB, CBC, CTR, GCM A3947 ECB, CBC, GCM A3948N/AN/ARAMEVP_C IPHER _CTX_ clean upInput as an API parameter; No exportAES key / CSP / symme tric
Use: MAC generation and verification Related keys: N/A128 to 256-bitsGMAC, A3947 A3948N/AN/ARAMEVP_C IPHER _CTX_ clean upInput as an API parameter; No exportAES key / CSP / symme tric
Use: Key wrapping Related keys: N/A128 and 256-bitsAES GCM key wrapping A3947 A3948N/AN/ARAMFIPS_c ipher_ ctx_cl eanup ()Input as an API parameter; No exportAES key / CSP / symme tric
Use: MAC generation/ verification112 to 192-bitsHMAC- SHA-1, HMAC-N/AN/ARAMHMAC _CTX_Input as an API parameter; No exportHMAC key / CSP /
Related keys: N/ASHA-256, HMAC- SHA-384: A3947 HMAC- SHA-1 A3948clean up()symme tric
Use: Digital signature generation Related keys: RSA public key, DRBG internal state112 to 150-bitsRSA SigGen: A3947Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 (CKG)N/ARAMFIPS_r sa_fre e()Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format.RSA private key / CSP / asymm etric
Use: Digital signature verification Related keys: RSA private key, DRBG internal stateRSA SigVer: A3947RSA public key / PSP/ asymm etric
Use: Digital signature generation Related keys: ECDSA public key, DRBG internal state128 and 192-bitsECDSA SigGen: A3947Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 (CKG)N/ARAMEC_KE Y_free ()Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format.ECDSA private key / CSP / asymm etric
Use: Digital signature verification Related keys: ECDSA private key, DRBG internal stateECDSA SigVer: A3947ECDSA public key / PSP / asymm etric
Use: EC Diffie- Hellman shared secret computation Related keys: EC Diffie-Hellman public key, DRBG internal state, EC Diffie-Hellman shared secret128 and 192-bitsKAS-ECC- SSC Sp800- 56Ar3 A3947Generat ed conform ant to SP800- 133r2 section 4 exampl e 1N/ARAMEC_KE Y_free (); EC_PO INT_fr ee()Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format.EC Diffie- Hellma n private key / CSP / asymm etric
Use: EC Diffie- Hellman shared secret computation Related keys: EC Diffie-Hellman private key, DRBG internal state, EC Diffie-Hellman shared secretEC Diffie- Hellma n public key / PSP / asymm etric
Use: EC Diffie- Hellman shared secret computation Related keys: EC Diffie-Hellman private key, EC128 and 192-bitsKAS-ECC- SSC Sp800- 56Ar3: A3947N/ASP800 - 56Ar3 KAS in Table 9RAMEC_KE Y_free () EC_PO INT_fr ee()No import; Export: CM to TOEPP Path. Passed from the module via API parametersEC Diffie- Hellma n shared secret /
Diffie-Hellman public keyin plaintext format.CSP / asymm etric
Use: DH shared secret computation Related keys: Diffie- Hellman public key, DRBG internal state112 to 150-bitsKAS-FFC- SSC Sp800- 56Ar3: A3947Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 (CKG) Table 6N/ARAMDH_fr eeImport / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format.Diffie- Hellma n private key / CSP / asymm etric
Use: DH shared secret computation Related keys: Diffie- Hellman private key, DRBG internal stateDiffie- Hellma n public key / PSP / asymm etric
Use: DH shared secret computation Related keys: Diffie- Hellman private key, Diffie-Hellman public key112 to 150-bitsKAS-FFC- SSC Sp800- 56Ar3: A3947N/ASP800 - 56Ar3 KAS in Table 9RAMDH_fr eeNo import; Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext format.Diffie- Hellma n shared secret / CSP / asymm etric
Use: TLS KDF Related SSPs: EC Diffie-Hellman private and public keys and Diffie- Hellman private and public keys; TLS primary secretDH ffdhe204 8, ffdhe307 2, ffdhe409 6 / 112, 128, 150-bits ECDH: P- 256, P- 384/ 128 and 192- bitsTLS KDF A3947N/ASP800 - 56Ar3 KAS in Table 9RAMOPEN SSL_cl eanseImport; as an API parameter No exportTLS pre- primar y secret
Use: TLS KDF Related SSPs: TLS pre-primary secret; TLS derived key256-bitsTLS KDF A3947SP800- 135r1 TLS KDFN/ARAMOPEN SSL_cl eanseNo import; No exportTLS primar y secret
Use: TLS protocol Related SSPs: TLS pre-primary secret, TLS primary secret128 and 256-bits (AES) 112 and 256-bits (HMAC)AES HMAC A3947SP800- 135r1 TLS KDFN/ARAMOPEN SSL_fr eeNo import; Export: Passed from the module via API parameters in plaintext formatTLS derive d key (AES HMAC)
Use: Key derivation; Related SSPs: EC Diffie-HellmanECDH: P- 256, P- 384 / 128SSH KDF A3947N/ASP800 - 56Ar3RAMOPEN SSL_fr eeImport; as an API parameter No exportSSH shared secret
private and public keys; SSH derived keyand 192- bitsKAS in Table 9
Use: data encryption / decryption and MAC calculations in SSH protocol Related SSPs: SSH shared secret128 and 256-bits (AES) 112 and 256-bits (HMAC)AES HMAC A3947SP800- 135r1 SSH KDFN/ARAMOPEN SSL_fr eeNo import; Export: Passed from the module via API parameters in plaintext formatSSH derive d key (AES, HMAC)
Use: Random number generation Related keys: DRBG seed256-bitsESV E74Obtaine d from ESV E74 (referen ce in section 11.2)N/ARAMWhen the syste m is power ed downImport from the OS within the TOEPP; No ExportEntrop y input / CSP (IG D.L)
Use: Random number generation. Related keys: Entropy input, DRBG, Internal state256-bitsCounter DRBG A3947 A3948Derived from the entropy string as defined by [SP800- 90Ar1]N/ARAMFIPS_d rbg_u ninsta ntiateNo import: it remains within the cryptographic boundary; No ExportDRBG seed / CSP (IG D.L)
Use: Random Number Generation. Related keys: Entropy input, DRBG seed256-bitsCounter DRBG A3947 A3948Derived from the DRBG seed as defined by [SP800- 90Ar1]N/ARAMFIPS_d rbg_u ninsta ntiateNo import: it remains within the cryptographic boundary; No ExportDRBG interna l state (V and Key values) / CSP (IG D.L)

Cryptographic Module for BIG-IP

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

The module does not support manual SSP entry or intermediate key generation output. The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment (TOEPP). The SSPs can be provided to the module in plaintext form via API parameters, to and from the calling application running on the same operational environment. This is allowed by [FIPS 140-3_IG] IG 9.5.A Table 1, according to the “CM Software to/from App via TOEPP Path” entry which refers to keys communicated within the physical perimeter of the GPC.

9.3 SSP Zeroization Methods

The application is responsible for calling the appropriate destruction functions provided in the module's API. The destruction functions (listed in Table 17) overwrite the memory occupied by system call. N/A N/A N/A N/A N/A N/A HMACSHA-1, () N/A N/A © 2024 F5, Inc. / atsec information security.

24 of 36
Page 25

Cryptographic Module for BIG-IP DiffieHellma n HMACSHA-384: HMACSHA-1 SP800133r2 e1 N/A e() SP800133r2 e1 N/A () KAS-ECCSSC Sp80056Ar3 SP800133r2 e1 N/A (); KAS-ECCSSC Sp80056Ar3: N/A () DiffieHellma n DiffieHellma n © 2024 F5, Inc. / atsec information security.

25 of 36
Page 26

Cryptographic Module for BIG-IP DiffieHellma n DiffieHellma n DiffieHellma n preprimar y y KAS-FFCSSC Sp80056Ar3: SP800133r2 e1 N/A KAS-FFCSSC Sp80056Ar3: N/A 8, 2, ECDH: P256, P384/ 128 and 192bits N/A SP800135r1 N/A SP800135r1 N/A ECDH: P256, P384 / 128 N/A © 2024 F5, Inc. / atsec information security.

26 of 36
Page 27

Cryptographic Module for BIG-IP and 192bits SP800135r1 D.L) D.L) D.L) [SP80090Ar1] [SP80090Ar1] N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.

27 of 36
Page 28
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorCondition
HMAC-SHA- 256HMAC-SHA- 256Message AuthenticationIntegrity b oIntegrity of the module is verified by comparing the HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value stored in the module that was computed at build time112-bit keyModule ecomes perational
CTR_DRBGCTR_DRBGKATCASTSP800-90Ar1 section 11.3 health testsAES 256-bits with derivation functionModule becomes operationalTest runs at Power-on before the integrity test
AES-GCM; AES-CBCAES-GCM; AES-CBCKATCASTEncryption / decryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
RSA PKCS#1 v1.5RSA PKCS#1 v1.5KATCASTSignature generation / signature verification2048-bit key and SHA2-256Module becomes operationalTest runs at Power-on before the integrity test
RSARSAPCTPCTCalculation and verification of a digital signature2048-bit key and SHA2-256Asymmetric algorithm is performedTest runs at first algorithm use
ECDSAECDSAKATCASTSignature generation / signature verificationP-256 and SHA2- 256Module becomes operationalTest runs at Power-on before the integrity test
ECDSAECDSAPCTPCTCalculation and verification of a digital signatureP-256 and SHA2- 256Asymmetric algorithm is performedTest runs at first algorithm use
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorCondition
HMAC-SHA- 256HMAC-SHA- 256Message AuthenticationIntegrity b oIntegrity of the module is verified by comparing the HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value stored in the module that was computed at build time112-bit keyModule ecomes perational
CTR_DRBGCTR_DRBGKATCASTSP800-90Ar1 section 11.3 health testsAES 256-bits with derivation functionModule becomes operationalTest runs at Power-on before the integrity test
AES-GCM; AES-CBCAES-GCM; AES-CBCKATCASTEncryption / decryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
RSA PKCS#1 v1.5RSA PKCS#1 v1.5KATCASTSignature generation / signature verification2048-bit key and SHA2-256Module becomes operationalTest runs at Power-on before the integrity test
RSARSAPCTPCTCalculation and verification of a digital signature2048-bit key and SHA2-256Asymmetric algorithm is performedTest runs at first algorithm use
ECDSAECDSAKATCASTSignature generation / signature verificationP-256 and SHA2- 256Module becomes operationalTest runs at Power-on before the integrity test
ECDSAECDSAPCTPCTCalculation and verification of a digital signatureP-256 and SHA2- 256Asymmetric algorithm is performedTest runs at first algorithm use
KAS-ECC- SSCKAS-ECC- SSCKATCASTShared secret computationP-256Module becomes operationalTest runs at Power-on before the integrity test
Diffie HellmanDiffie HellmanPCTPCTSection 5.6.2.1.4 of SP800-56Ar3ffdhe2048Asymmetric algorithm is performedTest runs at first algorithm use
KAS-FFC- SSCKAS-FFC- SSCKATCASTShared secret computationffdhe2048Module becomes operationalTest runs at Power-on before the integrity test
EC Diffie HellmanEC Diffie HellmanPCTPCTCovered by ECDSA PCT (IG 10.3.A)P-256Asymmetric algorithm is performedTest runs at first algorithm use
HMAC-SHAHMAC-SHAKATCASTMACHMAC-SHA-1, HMAC-SHA2-256 HMAC-SHA2-384Module becomes operationalTest runs at Power-on before the integrity test
SHASHAKATCASTCovered by respective HMAC KATs (allowed per IG 10.3.B)SHA-1, SHA2-256, SHA2-384Module becomes operationalTest runs at Power-on before the integrity test
[SP800- 135r1] KDF[SP800- 135r1] KDFKATCASTKey derivation used in the TLS v 1.0 / 1.1 / 1.2 protocolsTLSModule becomes operationalTest runs at Power-on before the integrity test
[SP800- 135r1] KDF[SP800- 135r1] KDFKATCASTKey derivation used in the SSHv2 protocolSSHModule becomes operationalTest runs at Power-on before the integrity test

Cryptographic Module for BIG-IP

10 Self-tests

While the module is executing the pre-operational self-test, CASTs and PCTs, services are not available, and data/control input and data output are inhibited. The module does not return control to the calling application until the self-tests are completed. On successful completion of the CASTs cryptographic services are available. If the module fails any of the tests, it will return an error code and enter into the Error state to prohibit any further cryptographic operations.

10.1 Pre-Operational Self-Tests

Pre-operational self-tests are performed automatically when the module is loaded into memory; the pre-operational self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. HMAC-SHA256 Table 18 - Pre-Operational Self-Tests

10.2 Conditional Self-Tests

© 2024 F5, Inc. / atsec information security.

28 of 36
Page 29
Service
NameDescriptionRole AccessIndicatorRecovery Method
Halt ErrorThe data output is inhibited.HMAC-SHA2-256 integrity test failureModule will not loadThe module must be re-loaded
The data output is inhibited.The data output is inhibited.Failure of any of the CASTsError message related to the crypto function listed in Table 19 and the flag 'fips_selftest_fail' is set.The module must be re-loaded
The data output is inhibited.The data output is inhibited.Failure of any of the PCTsError message a PCT failure for RSA, DH, ECDH or ECDSA pairwise consistency test and the flag 'fips_selftest_fail' is set.The module must be re-loaded

Cryptographic Module for BIG-IP KAS-ECCSSC KAS-FFCSSC [SP800TLS [SP800SSH Table 19 - Conditional Self-Tests The entropy source performs its required self-tests; those are not listed in Table 19, as the entropy source is not part of the cryptographic boundary of the module.

10.3 Periodic Self-Test Information

The periodic self-tests can be invoked by powering-off and reloading the module. This service performs Conditional Cryptographic Algorithm Self-Tests (CASTs) and integrity test. During the execution of the periodic self-tests, crypto services are not available and no data output or input is possible. © 2024 F5, Inc. / atsec information security.

29 of 36
Page 30

Cryptographic Module for BIG-IP Table 20 - Error States The module must be re-loaded in order to clear the error condition.

10.5 Operator Initiation of Self-Tests

The on demand self-tests is performed by powering-off and reloading the module. During the execution of the on demand self-tests, Conditional Cryptographic Algorithm Self-Tests (CASTs) and integrity test are performed. The crypto services are not available and no data output or input is possible. © 2024 F5, Inc. / atsec information security.

30 of 36
Page 31

Cryptographic Module for BIG-IP

11 Life-cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Startup Procedures: Before the Crypto Officer can configure and use the BIG-IP system, the Crypto Officer must activate a valid license on the system. The Crypto Officer chooses the license to buy by selecting the hypervisor from Table 2, and the throughput needed. The following procedures described in "K77552 Licensing the BIG-IP system" on my.F5.com (https://my.f5.com/manage/s/article/K7752#reg) are performed:

11.2 Administrator Guidance

The Crypto Officer should verify the validity of the BIG-IP software license by running the command: ‘tmsh show sys license' which should output 'FIPS 140, BIG-IP VE-1G to 10G,’ under the ‘Active Modules’ list. On the BIG-IP product the Crypto Officer should call the dedicated Show version API, fips_get_f5fips_module_version, to ensure that the module identifier and version are shown as: Cryptographic Module for BIG-IP OpenSSL 1.0.2za-fips. If the module has passed all self-tests then it is operating in the Approved mode. The Approved mode of operation can only transition into the non-Approved mode by calling one of the nonApproved services listed in Table - Non-Approved Services. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/74

11.3 Design and Rules

The Crypto Officer shall consider the following requirements and restrictions when using the module.

31 of 36
Page 32

Cryptographic Module for BIG-IP

12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.

32 of 36
Page 33

Cryptographic Module for BIG-IP Appendix A. AES AES-NI CAST CAVP CBC CCM CFB CKG CMAC CMVP CPU CSP CTR DES DSA DRBG ECB ECC ECDSA ESV FFC FIPS GCM GMAC HMAC IV KAS KAT KDF KTS KW MAC NIST OFB PAA PCT PSP PSS RAM RNG RSA SHA SSH TDES TLS XTS Glossary and Abbreviations Advanced Encryption Standard Advanced Encryption Standard New Instructions Cryptographic Algorithm Self-Test Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cryptographic Key Generation Cipher-based Message Authentication Code Cryptographic Module Validation Program Central Processing Unit Critical Security Parameter Counter Mode Data Encryption Standard Digital Signature Algorithm Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Algorithm Entropy Source Validation Finite Field Cryptography Federal Information Processing Standards Publication Galois Counter Mode Galois Message Authentication Code Hash Message Authentication Code Initialization Vector Key Agreement Schema Known Answer Test Key Derivation Function Key Transport Scheme AES Key Wrap Message Authentication Code National Institute of Science and Technology Output Feedback Processor Algorithm Acceleration Pairwise Consistency Test Public Security Parameter Probabilistic Signature Scheme Random-Access Memory Random Number Generator Rivest, Shamir, Adleman Secure Hash Algorithm Secure Shell Triple-DES Transport Layer Security XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.

33 of 36
Page 34

Cryptographic Module for BIG-IP Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2024 F5, Inc. / atsec information security.

34 of 36
Page 35

Cryptographic Module for BIG-IP SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://doi.org/10.6028/NIST.SP.800-52r2 SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800-56Cr2 Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 4 - Recommendation for Key Management Part 1: General January 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B (Second DRAFT) NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-131Ar2 NIST Special Publication 800-131A Revision 2- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133r2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf © 2024 F5, Inc. / atsec information security.

35 of 36
Page 36

Cryptographic Module for BIG-IP SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.

36 of 36

Referenced URLs