| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/20/2029 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. |
| Vendor | F5, Inc. |
| Hardware versions | N/A |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3947 |
| AES-CBC | A3948 |
| AES-CTR | A3947 |
| AES-ECB | A3947 |
| AES-ECB | A3948 |
| AES-GCM | A3947 |
| AES-GCM | A3947 |
| AES-GCM | A3948 |
| AES-GMAC | A3947 |
| AES-GMAC | A3948 |
| Counter DRBG | A3947 |
| Counter DRBG | A3948 |
| ECDSA KeyGen (FIPS186-4) | A3947 |
| ECDSA KeyVer (FIPS186-4) | A3947 |
| ECDSA SigGen (FIPS186-4) | A3947 |
| ECDSA SigVer (FIPS186-4) | A3947 |
| HMAC-SHA-1 | A3947 |
| HMAC-SHA-1 | A3948 |
| HMAC-SHA2-256 | A3947 |
| HMAC-SHA2-384 | A3947 |
| KAS-ECC-SSC Sp800-56Ar3 | A3947 |
| KAS-FFC-SSC Sp800-56Ar3 | A3947 |
| KDF SSH | A3947 |
| KDF TLS | A3947 |
| RSA KeyGen (FIPS186-4) | A3947 |
| RSA SigGen (FIPS186-4) | A3947 |
| RSA SigVer (FIPS186-4) | A3947 |
| Safe Primes Key Generation | A3947 |
| SHA-1 | A3947 |
| SHA-1 | A3948 |
| SHA2-256 | A3947 |
| SHA2-384 | A3947 |
| TLS v1.2 KDF RFC7627 | A3947 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | N/A |
flowchart LR
%% Deterministic review-risk graph for Cryptographic Module for BIG-IP
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Halt Error<br/>The data output is inhibited.</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Cryptographic Module for BIG-IP
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Halt Error<br/>The data output is inhibited.</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;F5, Inc. Cryptographic Module for BIG-IP version 1.0.2za-fips Last update: November 2024 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
Cryptographic Module for BIG-IP Table of Contents 1.1 1.2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 3.1 4.1 4.2 4.3 4.4 5.1 5.2 6.1 9.1 9.2 9.3 9.4 © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP F5® and BIG-IP® are registered trademarks of F5, Inc. VMware ESXi™ is a registered trademark of VMware®, Inc. Intel® Xeon® is a registered trademark of Intel® Corporation. Dell is a registered trademark of Dell, Inc. Azure and Hyper-V are registered trademarks of Microsoft AWS is a trademark of Amazon.com, Inc. © 2024 F5, Inc. / atsec information security.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services, and Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | Not Applicable |
| 8 | 8 | Non-invasive Security | Not Applicable |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | Not Applicable |
| Overall Level | Overall Level | 1 |
Cryptographic Module for BIG-IP
This document is the non-proprietary FIPS 140-3 Security Policy that contains the security rules under which the Cryptographic Module for BIG-IP must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards
Table 1 - Security Levels © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP
Purpose of Use: The Cryptographic Module for BIG-IP (hereafter referred to as “the module”) is a cryptographic library offering various cryptographic mechanisms to be used by OpenSSL application running on BIG-IP Virtual Edition. The module provides cryptographic services to applications through an Application Program Interface (API). The module also interacts with the underlying operating system via system calls. Module Type: software Module Embodiment: multiple-chip standalone Cryptographic boundary: The block diagram in Figure 1 shows the module, its interfaces with the operational environment and the delimitation of its cryptographic boundary with red lines. Figure 1 Block Diagram The cryptographic module boundary consists of two components:
| Name | Operating System | Hardware Platform | Processor | Paa Pai | Hypervisor | # | |
|---|---|---|---|---|---|---|---|
| 1 | BIG-IP 17.1.0.1 | Dell PowerEdge R650 | Intel® Xeon® Gold Ice Lake 6330N | With and without PAA | VMware ESXi™ 8.0.0.10100 (Build: 20920323) | 1 | |
| 2 | BIG-IP 17.1.0.1 | Dell PowerEdge R450 | Intel® Xeon® Silver Ice Lake 4309Y | With and without PAA | Hyper-V version 10.0.20348.1 Windows Server 2022 Standard | 2 | |
| 3 | BIG-IP 17.1.0.1 | Dell PowerEdge R450 | Intel® Xeon® Silver Ice Lake 4309Y | With and without PAA | KVM Ubuntu 22.04.1 LTS | 3 | |
| 1 | BIG-IP 17.1.0.1 | Microsoft Corporation Hyper-V Virtual Machine running on Azure CLI 2.48.1 with Intel Xeon Platinum 8272CL | 1 |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | Hypervisor | # | |
|---|---|---|---|---|---|---|---|
| 1 | BIG-IP 17.1.0.1 | Dell PowerEdge R650 | Intel® Xeon® Gold Ice Lake 6330N | With and without PAA | VMware ESXi™ 8.0.0.10100 (Build: 20920323) | 1 | |
| 2 | BIG-IP 17.1.0.1 | Dell PowerEdge R450 | Intel® Xeon® Silver Ice Lake 4309Y | With and without PAA | Hyper-V version 10.0.20348.1 Windows Server 2022 Standard | 2 | |
| 3 | BIG-IP 17.1.0.1 | Dell PowerEdge R450 | Intel® Xeon® Silver Ice Lake 4309Y | With and without PAA | KVM Ubuntu 22.04.1 LTS | 3 | |
| 1 | BIG-IP 17.1.0.1 | Microsoft Corporation Hyper-V Virtual Machine running on Azure CLI 2.48.1 with Intel Xeon Platinum 8272CL | 1 |
Cryptographic Module for BIG-IP Figure 2
Tested Module Identification
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non-Approved | Automatically entered whenever a non-approved service is requested | Equivalent to the indicator of the requested service | Non-Approved |
| Name | CAVP Cert | Mode Method | Use Function | Description | Use / Function |
|---|---|---|---|---|---|
| AES [FIPS 197, | A3947, | ECB, CBC, GCM | Symmetric encryption and decryption | 128 / 192 / 256-bit AES | |
| SP800-38A, SP800- | A3948 | key / strength from | |||
| 38D] | 128 to 256-bits | ||||
| AES [FIPS 197, | A3947 | CTR | Symmetric encryption and decryption | 128 / 192 / 256-bit AES | |
| SP800-38A] | key / strength from | ||||
| AES [FIPS 197, | A3947, | GMAC | MAC generation / verification | 128 / 192 / 256-bit AES | |
| SP800-38D] | A3948 | key / strength from | |||
| KTS (AES) [FIPS 197, | A3947, | GCM | Key wrapping | 128 / 256-bit AES key / | |
| SP800-38F, SP800- | A3948 | strength from 128 and | |||
| 38D] | 256-bits. | ||||
| CTR_DRBG [SP800- | A3947 | AES-256 in CTR mode, | Random number generation | Entropy input, seed, V | |
| 90Ar1] | with / without | and key values / | |||
| derivation function, | derivation function, | strength is 256-bits | |||
| CTR_DRBG [SP800- | A3948 | AES 256 in CTR mode, | Random number generation | Entropy input, seed, V | |
| 90Ar1] | with derivation | and key values / | |||
| function, prediction | function, prediction | strength is 256-bits | |||
| RSA KeyGen [FIPS | A3947 | Appendix B.3.3 | RSA key generation | 2048 / 3072/ 4096-bit | |
| 186-4] | Probable primes with | modulus size / strength | |||
| standard key format | standard key format | from 112 to 150-bits | |||
| RSA SigGen [FIPS | A3947 | PKCS 1.5 with SHA- | RSA signature generation | 2048 / 3072/ 4096-bit | |
| 186-4] | 256, SHA-384 | modulus / strength | |||
| RSA SigVer [FIPS | A3947 | PKCS 1.5 with SHA2- | RSA signature verification | 2048 / 3072/ 4096-bit | |
| 186-4] | 256, SHA2-384 | modulus / strength | |||
| ECDSA KeyGen [FIPS | A3947 | Appendix B.4.2: | ECDSA/ ECDH key pair generation | ECDSA / ECDH key pair | |
| 186-4] | Testing candidates | P-256 and P-384 | |||
| ECDSA KeyVer [FIPS | A3947 | N/A | ECDSA/ ECDH public key verification | ECDSA / ECDH key pair | |
| 186-4] | with P-256 and P-384 | ||||
| ECDSA SigGen [FIPS | A3947 | SHA2-256, SHA2-384 | ECDSA signature generation | ECDSA P-256, P- 384 | |
| 186-4] | curves / strength 128 | ||||
| ECDSA SigVer [FIPS | A3947 | SHA2-256, SHA2-384 | ECDSA signature verification | ECDSA P-256, P- 384 | |
| 186-4] | curves / strength 128 | ||||
| SHA [FIPS180-4] | A3947, | SHA-1 | Message digest | N/A | |
| SHA [FIPS180-4] | A3947 | SHA2-256, SHA2-384 | Message digest | N/A | |
| HMAC [FIPS 198] | A3947, | HMAC-SHA-1 | MAC generation/ verification | 112 to 1024-bits with | |
| A3948 | A3948 | key strengths 112-bits | |||
| HMAC [FIPS 198] | A3947 | HMAC-SHA2-256, | MAC generation/ verification | 112 to 1024-bits with | |
| HMAC-SHA2-384 | HMAC-SHA2-384 | key strengths 112 to | |||
| KAS-ECC-SSC | A3947 | Ephemeral Unified: | EC Diffie-Hellman shared | P-256, P-384 / strength | |
| [SP800-56Ar3] | KAS Role: initiator, | secret computation used in | 128 and 192-bits | ||
| responder | responder | Key Agreement Scheme (KAS) | |||
| Safe primes key | A3947 | Safe prime | Safe primes key generation | Safe Prime Groups: | |
| generation [SP800 – | ffdhe2048, ffdhe3072, | ||||
| 56Ar3] | ffdhe4096 / strength | ||||
| KAS-FFC-SSC | A3947 | dhEphemeral: | Diffie-Hellman shared secret | ffdhe2048, ffdhe3072, | |
| [SP800-56Ar3] | KAS Role: initiator, | computation used in KAS IG | ffdhe4096 / strength | ||
| responder | responder | D.F scenario 2 (path 1) | from 112 to 150-bits | ||
| SSH KDF | A3947 | AES-128, AES-256 with | Key derivation | 256-bit keys with 256- | |
| [SP800-135r1] | (CVL) | SHA2-256, SHA2-384 | bit key strength | ||
| TLS KDF | A3947 | TLS version 1.0 / 1.1 | Key derivation | 256-bits | |
| [SP800-135r1] | (CVL) | ||||
| TLS KDF | A3947 | TLS v1.2 | Key derivation | 256-bits | |
| [SP800-135r1] | (CVL) | ||||
| MD5 | Allowed per IG 2.4.A | Message digest used in TLS 1.0 / 1.1 KDF only |
| 2 | BIG-IP 17.1.0.1 | Xen 4.2.amazon running on AWS CLI 2.11.19 with Intel Xeon Scalable Processor Cascade Lake 8259CL |
|---|
Cryptographic Module for BIG-IP Table 3 - Vendor Affirmed Operational Environments Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Table 4 - Modes of Operation The module becomes operational and enters the approved mode after pre-operational self-tests and conditional algorithm self-tests succeed. No operator intervention is required to reach this point. Once the module is operational, the mode of operation is implicitly assumed depending on the security function invoked and the security strength of the cryptographic keys. Using any nonapproved algorithms from Table 8 will put the module in non-approved mode implicitly.
1 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service
of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP N/A N/A © 2024 F5, Inc. / atsec information security.
| Name | Properties | Implementation | Reference |
|---|---|---|---|
| CKG | Key Type: Asymmetric | Cryptographic Module for | SP800-133r2, Section 4, example 1 and |
| BIG-IP | BIG-IP | IG D.I. |
| Name | CAVP Cert | Mode Method | Use Function | Description | Use / Function |
|---|---|---|---|---|---|
| KAS-ECC-SSC | A3947 | Ephemeral Unified: | EC Diffie-Hellman shared | P-256, P-384 / strength | |
| [SP800-56Ar3] | KAS Role: initiator, | secret computation used in | 128 and 192-bits | ||
| responder | responder | Key Agreement Scheme (KAS) | |||
| Safe primes key | A3947 | Safe prime | Safe primes key generation | Safe Prime Groups: | |
| generation [SP800 – | ffdhe2048, ffdhe3072, | ||||
| 56Ar3] | ffdhe4096 / strength | ||||
| KAS-FFC-SSC | A3947 | dhEphemeral: | Diffie-Hellman shared secret | ffdhe2048, ffdhe3072, | |
| [SP800-56Ar3] | KAS Role: initiator, | computation used in KAS IG | ffdhe4096 / strength | ||
| responder | responder | D.F scenario 2 (path 1) | from 112 to 150-bits | ||
| SSH KDF | A3947 | AES-128, AES-256 with | Key derivation | 256-bit keys with 256- | |
| [SP800-135r1] | (CVL) | SHA2-256, SHA2-384 | bit key strength | ||
| TLS KDF | A3947 | TLS version 1.0 / 1.1 | Key derivation | 256-bits | |
| [SP800-135r1] | (CVL) | ||||
| TLS KDF | A3947 | TLS v1.2 | Key derivation | 256-bits | |
| [SP800-135r1] | (CVL) | ||||
| MD5 | Allowed per IG 2.4.A | Message digest used in TLS 1.0 / 1.1 KDF only |
Table 5 - Approved Algorithms Vendor Affirmed Algorithms: Table 6 - Vendor Affirmed Algorithms Non-Approved, Allowed Algorithms: The module does not implement any Non-Approved Allowed algorithms in the Approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: Table 7 - Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms © 2024 F5, Inc. / atsec information security.
| Name | Use Function |
|---|---|
| AES with OFB, CCM, CFB, XTS, KW modes, Blowfish, Camellia, CAST5, DES, IDEA, RC2, RC4, SEED, SM2, SM4, Triple-DES | Symmetric encryption and decryption |
| SHA2-224, SHA2-512, SM3, MD4, MDC2, RIPEMD, Whirlpool | Message digest |
| HMAC-SHA2-224, HMAC-SHA2-512, AES CMAC, Triple-DES CMAC | MAC generation/ verification |
| RSA key generation | RSA with 1024 and greater than 4096 up to 16384 modulus |
| RSA signature generation and verification | PKCS #1 v1.5 scheme with 1024 and greater than 4096 up to 16384 modulus, for all SHA sizes |
| ECDSA | Key pair generation using P-224, P-521 curves |
| RSA encrypt / decrypt | RSA with modulus sizes up to 16384-bits |
| Safe primes key verification | Public key verification using safe prime groups |
| DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verification | DSA with all key and SHA sizes |
| HMAC_DRBG and Hash_DRBG using all SHA sizes, CTR_DRBG with AES-128, AES-192, ANSI X9.31 RNG | Random number generation |
| Diffie-Hellman | Shared secret computation with groups other than ffdhe2048, ffdhe3072, ffdhe4096 |
| EC Diffie-Hellman | Shared secret computation: - Ephemeral Unified with curves other than P-256, P-384 without KDF. - one PassDh and StaticUnified without KDF. |
| TLS KDF SSH KDF | Key Derivation function in the context of: - TLS using SHA2-224 / SHA2-512 - SSH using SHA-1 / SHA2-224 / SHA2-512 |
Cryptographic Module for BIG-IP Table 8 - Non-Approved, Not Allowed Algorithms © 2024 F5, Inc. / atsec information security.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| Diffie-Hellman shared secret computation | [SP800-56Ar3] shared secret computation used in KAS IG D.F scenario 2 (path 1) | KAS-FFC-SSC/ A3947 | KAS | ffdhe2048, ffdhe3072, ffdhe4096 providing from 112 to 150-bits of encryption strength |
| EC Diffie-Hellman shared secret computation | [SP800-56Ar3] shared secret computation used in KAS IG D.F scenario 2 (path 1) | KAS-ECC-SSC/ A3947 | KAS | P-256, P-384 providing 128 and 192-bits of encryption strength |
| AES key wrapping | [FIPS 197, SP800-38F], IG D.G comment 8, key wrapping and unwrapping, in the context of the TLS protocol, are provided by the TLS record layer using AES-GCM as the approved authenticated encryption mode. | AES GCM/ A3947, A3948 | KTS | 128 / 256-bit AES-GCM keys providing 128 and 256-bits of encryption strength |
Cryptographic Module for BIG-IP
Table 9 - Security Function Implementations
AES-GCM IV: The Crypto Officer shall consider the following requirements and restrictions when using the module. The IV for AES-GCM is constructed in compliance with IG C.H scenario 1a (TLS 1.2). The module is compliant with SP800-52r2 section 3.3.1 and the mechanism for IV generation is compliant with RFC5288. The module does not implement the TLS protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. generation services specified in section 9.2. For KAS-FFC-SSC the module generates keys using Safe Primes Key Generation with Safe Prime Groups: ffdhe2048, ffdhe3072, ffdhe4096. For KASECC-SSC, the module generates keys using ECDSA KeyGen, with curves P-384 and P-256. The module performs full public key validation on the generated public keys. Additionally, the module performs full public key validation on the received public keys. RSA modulus size (IG C.F): The module implements FIPS 186-4 RSA KeyGen, SigVer and RSA SigGen with modulus lengths of 2048, 3072, 4096 bits. All these modulus lengths have been CAVP tested.
The module entropy source specified in Table 10 uses jitter variations caused by executing instructions and memory accessed (see details in Public Use Document referenced in section 11.2). The CPU Jitter 3.4.0 entropy source with SHA-3 vetted conditioning component is located within the physical perimeter of the module but outside the cryptographic boundary of the module. © 2024 F5, Inc. / atsec information security.
| Name | Type | Strength | |||
|---|---|---|---|---|---|
| CPU Jitter Entropy Source for F5 cryptographic module (SHA_3) #E74 | Non- Physical | 256 bits | OEs listed in Table 2. | 256 bits | SHA3-256 (A2621) |
NonPhysical The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90Ar1] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The approved DRBG provided by the module is the counter DRBG with AES256. The output of entropy sources provides 256-bits of entropy to seed and reseed SP800-90Ar1 DRBG during initialization (seed) and reseeding (reseed).
The module implements RSA, ECDSA, ECDH and DH asymmetric key generation services with the following methods:
See Table 9, "KAS" row.
The TLS v1.0 / 1.1 / 1.2 protocol has not been reviewed or tested by the CAVP or CMVP. See section 2.7 for details. © 2024 F5, Inc. / atsec information security.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs. | As a software-only module, the module does not have physical ports. Physical Ports are interpreted to be the physical ports of the hardware platform on which it runs. | Data Input | Data inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers |
| Data Output | Data Output | Data outputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers | |
| Control Input | Control Input | Control inputs which control the mode of the module are provided through dedicated parameters. | |
| Status Output | Status Output | Status output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation. |
Cryptographic Module for BIG-IP
The logical interfaces are the API through which the applications request services. The following table summarizes the logical interfaces. Table 11 - Ports and Interfaces © 2024 F5, Inc. / atsec information security.
| Name | Role Access | Type | Input | Output | ||
|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | N/A | |||
| Encryption and decryption | Plaintext and key / ciphertext and key | Ciphertext / plaintext | Crypto Officer | |||
| Key wrapping | Wrapping key, key to be wrapped / Unwrapping key, key and key to be unwrapped | Wrapped key / unwrapped key | ||||
| Random number generation | Number of bits | Random numbers | ||||
| RSA key pair generation | Key size | Public key, private key | ||||
| ECDSA/ ECDH key pair generation | Elliptic curve | Private key, public key | ||||
| ECDSA/ ECDH Public key verification | Public key | Pass / fail result of public key verification | ||||
| RSA/ ECDSA / DSA/ signature generation | Private key, message, hashing algorithm | Computed signature | ||||
| RSA/ ECDSA / DSA signature verification | Public key, digital signature, message, hashing algorithm | Pass / fail result of digital signature verification | ||||
| RSA encryption and decryption | Message, key | Ciphertext / plaintext | ||||
| DSA key pair generation | Domain parameters | Public key, private key | ||||
| DSA domain parameter generation | Prime length and seed length | Domain parameters | ||||
| DSA domain parameter verification | Domain parameters | Return codes / log messages | ||||
| Safe primes key generation/ verification | Group | Private key, public key | ||||
| EC Diffie-Hellman / Diffie-Hellman shared secret computation | Public key, private key | Shared secret |
| Name | Role Access | Type | Input | Output | ||
|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | N/A | |||
| Encryption and decryption | Plaintext and key / ciphertext and key | Ciphertext / plaintext | Crypto Officer | |||
| Key wrapping | Wrapping key, key to be wrapped / Unwrapping key, key and key to be unwrapped | Wrapped key / unwrapped key | ||||
| Random number generation | Number of bits | Random numbers | ||||
| RSA key pair generation | Key size | Public key, private key | ||||
| ECDSA/ ECDH key pair generation | Elliptic curve | Private key, public key | ||||
| ECDSA/ ECDH Public key verification | Public key | Pass / fail result of public key verification | ||||
| RSA/ ECDSA / DSA/ signature generation | Private key, message, hashing algorithm | Computed signature | ||||
| RSA/ ECDSA / DSA signature verification | Public key, digital signature, message, hashing algorithm | Pass / fail result of digital signature verification | ||||
| RSA encryption and decryption | Message, key | Ciphertext / plaintext | ||||
| DSA key pair generation | Domain parameters | Public key, private key | ||||
| DSA domain parameter generation | Prime length and seed length | Domain parameters | ||||
| DSA domain parameter verification | Domain parameters | Return codes / log messages | ||||
| Safe primes key generation/ verification | Group | Private key, public key | ||||
| EC Diffie-Hellman / Diffie-Hellman shared secret computation | Public key, private key | Shared secret |
Cryptographic Module for BIG-IP
FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not implement an authentication mechanism for Crypto Officer. The Crypto Officer role is implicitly assumed when accessing all services provided by the module (see Table Approved Services and Table - Non-Approved Services below).
The module supports the Crypto Officer role only. No support is provided for multiple concurrent operators. N/A Table 12 - Roles Table below describes the authorized role in which the service can be performed with specification © 2024 F5, Inc. / atsec information security.
| Name | Description | Roles | Approved Functions | Indicator | Input | Output | Roles |
|---|---|---|---|---|---|---|---|
| Message digest | Message, Hashing algorithm | Hashed message | |||||
| MAC generation | Message, HMAC key or GMAC key, MAC algorithm, MAC length | Authenticated message | |||||
| MAC verification | Authenticated message, HMAC key or GMAC key, MAC algorithm | Pass/fail result of MAC verification | |||||
| Key derivation | PRF algorithm, TLS pre-primary secret, TLS primary secret, SSH shared secret, SSH derived key | Derived key | |||||
| Show version | N/A | Name and Version information | |||||
| Show Status | N/A | Status output | |||||
| Self-Tests | N/A | Pass / fail results of self-tests | |||||
| Encryption and decryption | Executes AES- mode encrypt or decrypt operation | 128 / 192 / 256-bit AES key: W, E: | AES-ECB, AES-CBC, AES-CTR | AES-ECB, AES-CBC, AES-CTR | Crypto Officer | ||
| Key wrapping | Executes AES-GCM key wrapping or unwrapping operation, per IG D.G | 128 / 256-bit AES key: W, E | AES-GCM encrypt / decrypt | AES-GCM | Crypto Officer | ||
| Random number generation | Generate random number | Entropy input: E | Counter DRBG | CTR-DRBG-AES-256 | Crypto Officer | ||
| RSA key pair generation | Generate RSA key pair | RSA private key, RSA public key (2048 / 3072 / 4096- bits): G, R | C KG [SP800-133r2] RSA KeyGen [FIPS 186-4] Counter DRBG | RSA-KEY-GEN-2048, RSA-KEY-GEN-3072 RSA-KEY-GEN- 4096 | Crypto Officer | ||
| RSA signature generation | Sign a message with a specified RSA private key. | RSA private key (2048 / 3072 / 4096- bits): W, E | RSA SigGen [FIPS 186-4] with SHA2- 256, SHA2-384 | RSA-SIG | Crypto Officer | ||
| RSA signature verification | Verify the signature of a message with a specified RSA public key. | RSA public key (2048 / 3072 / 4096- bits): W, E | RSA SigVer [FIPS 186-4] with SHA2- 256, SHA2-384 | RSA-VER | Crypto Officer |
| Name | Description | Roles | Approved Functions | Indicator | Input | Output | Roles |
|---|---|---|---|---|---|---|---|
| Message digest | Message, Hashing algorithm | Hashed message | |||||
| MAC generation | Message, HMAC key or GMAC key, MAC algorithm, MAC length | Authenticated message | |||||
| MAC verification | Authenticated message, HMAC key or GMAC key, MAC algorithm | Pass/fail result of MAC verification | |||||
| Key derivation | PRF algorithm, TLS pre-primary secret, TLS primary secret, SSH shared secret, SSH derived key | Derived key | |||||
| Show version | N/A | Name and Version information | |||||
| Show Status | N/A | Status output | |||||
| Self-Tests | N/A | Pass / fail results of self-tests | |||||
| Encryption and decryption | Executes AES- mode encrypt or decrypt operation | 128 / 192 / 256-bit AES key: W, E: | AES-ECB, AES-CBC, AES-CTR | AES-ECB, AES-CBC, AES-CTR | Crypto Officer | ||
| Key wrapping | Executes AES-GCM key wrapping or unwrapping operation, per IG D.G | 128 / 256-bit AES key: W, E | AES-GCM encrypt / decrypt | AES-GCM | Crypto Officer | ||
| Random number generation | Generate random number | Entropy input: E | Counter DRBG | CTR-DRBG-AES-256 | Crypto Officer | ||
| RSA key pair generation | Generate RSA key pair | RSA private key, RSA public key (2048 / 3072 / 4096- bits): G, R | C KG [SP800-133r2] RSA KeyGen [FIPS 186-4] Counter DRBG | RSA-KEY-GEN-2048, RSA-KEY-GEN-3072 RSA-KEY-GEN- 4096 | Crypto Officer | ||
| RSA signature generation | Sign a message with a specified RSA private key. | RSA private key (2048 / 3072 / 4096- bits): W, E | RSA SigGen [FIPS 186-4] with SHA2- 256, SHA2-384 | RSA-SIG | Crypto Officer | ||
| RSA signature verification | Verify the signature of a message with a specified RSA public key. | RSA public key (2048 / 3072 / 4096- bits): W, E | RSA SigVer [FIPS 186-4] with SHA2- 256, SHA2-384 | RSA-VER | Crypto Officer | ||
| ECDSA / EC Diffie- Hellman key pair generation | Generate a key pair for a requested elliptic curve | ECDSA / EC Diffie- Hellman private key, ECDSA / EC Diffie-Hellman public key (P-256 and P-384 curves, key pair): G, R | CKG [SP800-133r2] ECDSA KeyGen [FIPS 186-4] Counter DRBG | EC-KEYGEN-P-256, EC- KEYGEN-P-384 | Crypto Officer | ||
| ECDSA / EC Diffie- Hellman public key verification | Public key verification | ECDSA / EC Diffie- Hellman public key (P-256 and P-384 curves): E, W | ECDSA KeyVer [FIPS 186-4] | EC-KEY-VERIFY-P-256, EC-KEY-VERIFY-P-384 | Crypto Officer | ||
| ECDSA signature generation | Sign a message with a specified ECDSA private key. | ECDSA private key (P-256 and P-384 curves): W, E | ECDSA SigGen [FIPS 186-4] (SHA2-256, SHA2-384) | ECDSA-SIGN-P-256, ECDSA-SIGN-P-384 | Crypto Officer | ||
| ECDSA signature verification | Verify the signature of a message with a specified ECDSA public key. | E CDSA public key (P-256 and P-384 curves): W, E | ECDSA ECDSA SigVer [FIPS 186-4] (SHA2- 256, SHA2-384) | ECDSA-VERIFY-P-256, ECDSA-VERIFY-P-384 | Crypto Officer | ||
| EC Diffie- Hellman shared secret computation IG D.F scenario 2, path 1 | Calculate a shared secret via the EC Diffie-Hellman algorithm. | EC Diffie-Hellman private key (P-256 and P-384 curves): W, E | KAS-ECC-SSC SP800- 56Ar3 | ECDH-COMPUTE-KEY-P- 256, ECDH-COMPUTE-KEY-P- 384 | Crypto Officer | ||
| Safe primes key generation | Generate a key pair | Diffie-Hellman public key ( ffdhe2048, ffdhe3072, ffdhe4096): G, R Diffie-Hellman private key (ffdhe2048, ffdhe3072, ffdhe4096): G, R | Safe primes key generation | FFDHE2048-KEYGEN, FFDHE3072-KEYGEN, FFDHE4096-KEYGEN | Crypto Officer | ||
| Diffie- Hellman shared secret computation IG D.F scenario 2, path 1 | Calculate a shared secret via the Diffie- Hellman algorithm. | Diffie-Hellman private key (ffdhe2048, ffdhe3072, ffdhe4096): W, E | KAS-FFC-SSC SP800- 56Ar3 | FFDHE2048-COMPUTE, FFDHE3072- COMPUTE, FFDHE4096- COMPUTE | Crypto Officer | ||
| Message digest | Generate a digest for the requested algorithm | N/A | SHA-1, SHA2-256, SHA2-384 | MESSAGE-DIGEST-SHA- 1 MESSAGE-DIGEST-- SHA-256 MESSAGE-DIGEST-- SHA-384 | Crypto Officer | ||
| MAC generation / verification | Generate / verify an HMAC or GMAC digest using the requested SHA algorithm or AES algorithm as appropriate | HMAC key, AES- key: W, E | HMAC-SHA-1, HMAC- SHA2-256, HMAC- SHA2-384, AES-GMAC | MSG-AUTH-HMAC-SHA- 1, MSG-AUTH-HMAC-SHA- 256 MSG-AUTH-HMAC-SHA- 384 AES-GMAC | Crypto Officer | ||
| Key derivation | Deriving TLS keys | TLS pre-primary secret: W, E TLS primary secret: W, E, G TLS derived key: G | TLS KDF v1.0 / 1.1 / 1.2 | TLS-P-HASH- DERIVATION-SHA-1 TLS-P-HASH- DERIVATION-SHA-256 TLS-P-HASH- DERIVATION SHA-384 | Crypto Officer | ||
| Key derivation | Deriving SSH keys | SSH shared secret: W, E SSH derived key: G | SSHv2 KDF | SSH-KEY-HASH- DERIVATION-SHA-256 SSH-KEY-HASH- DERIVATION SHA-384 | Crypto Officer | ||
| Show version | Return the SW version and the module's name | N/A | N/A | None | Crypto Officer | ||
| Show Status | Return the module status | N/A | N/A | None | Crypto Officer | ||
| Self-tests | Execute integrity test. Execute the CASTs | N/A (key for self- tests are not SSPs) | Integrity test, CASTs from Table 19 | None | Crypto Officer | ||
| Symmetric encryption and decryption | Encryption / decryption | Crypto Officer | AES with OFB, CFB, CCM, XTS, KW modes; Triple-DES; Blowfish; Camellia; CAST5; DES; IDEA; RC2; RC4; SEED; SM2; SM4 | None | |||
| Message digest | Generating message digest | SHA2-224, SHA2-512, SM3, MD4, MDC2, RIPEMD, Whirlpool |
Cryptographic Module for BIG-IP N/A N/A N/A
The status output from the FIPS_set_indicator_status service indicator's call is provided in Indicator column in Table 14. To read this indicator, the calling application must register a callback function using 'FIPS_register_indicator_callback'. The callback function shall take the input of the form "char *" which is the form of the indicator being output by the module. © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP W, E DiffieCalculate a shared © 2024 F5, Inc. / atsec information security.
| Name | Description | Roles | Approved Functions | Indicator | Roles |
|---|---|---|---|---|---|
| Message digest | Generate a digest for the requested algorithm | N/A | SHA-1, SHA2-256, SHA2-384 | MESSAGE-DIGEST-SHA- 1 MESSAGE-DIGEST-- SHA-256 MESSAGE-DIGEST-- SHA-384 | Crypto Officer |
| MAC generation / verification | Generate / verify an HMAC or GMAC digest using the requested SHA algorithm or AES algorithm as appropriate | HMAC key, AES- key: W, E | HMAC-SHA-1, HMAC- SHA2-256, HMAC- SHA2-384, AES-GMAC | MSG-AUTH-HMAC-SHA- 1, MSG-AUTH-HMAC-SHA- 256 MSG-AUTH-HMAC-SHA- 384 AES-GMAC | Crypto Officer |
| Key derivation | Deriving TLS keys | TLS pre-primary secret: W, E TLS primary secret: W, E, G TLS derived key: G | TLS KDF v1.0 / 1.1 / 1.2 | TLS-P-HASH- DERIVATION-SHA-1 TLS-P-HASH- DERIVATION-SHA-256 TLS-P-HASH- DERIVATION SHA-384 | Crypto Officer |
| Key derivation | Deriving SSH keys | SSH shared secret: W, E SSH derived key: G | SSHv2 KDF | SSH-KEY-HASH- DERIVATION-SHA-256 SSH-KEY-HASH- DERIVATION SHA-384 | Crypto Officer |
| Show version | Return the SW version and the module's name | N/A | N/A | None | Crypto Officer |
| Show Status | Return the module status | N/A | N/A | None | Crypto Officer |
| Self-tests | Execute integrity test. Execute the CASTs | N/A (key for self- tests are not SSPs) | Integrity test, CASTs from Table 19 | None | Crypto Officer |
| Symmetric encryption and decryption | Encryption / decryption | Crypto Officer | AES with OFB, CFB, CCM, XTS, KW modes; Triple-DES; Blowfish; Camellia; CAST5; DES; IDEA; RC2; RC4; SEED; SM2; SM4 | None | |
| Message digest | Generating message digest | SHA2-224, SHA2-512, SM3, MD4, MDC2, RIPEMD, Whirlpool | |||
| Message authentication code generation and verification | MAC computation | HMAC-SHA2-224, HMAC-SHA2-512 AES CMAC, Triple-DES CMAC | |||
| RSA key pair generation | Generating key pair | RSA KeyGen with 1024, greater than 4096 and up to 16384 modulus | |||
| RSA signature generation and verification | Generating signature, Verifying signature | RSA SigGen / SigVer PKCS #1 v1.5 with key other than the one listed in Table 5 | |||
| ECDSA key pair generation | Generating key pair | ECDSA KeyGen using P-224, P-521 curves | |||
| ECDSA public key verification | Verifying public key | ECDSA KeyVer using P-224, P-521 curves | |||
| ECDSA signature generation & verification | Generating signature, Verifying signature | ECDSA SigGen and ECDSA SigVer using P-256, P-384 curves with SHA-1, SHA2-224 and SHA2-512 | |||
| RSA encryption / decryption | Encryption / decryption | RSA with modulus size up to 16384- bits | |||
| Safe primes key verification | Public key verification | Public key verification using safe prime groups | |||
| DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verification | Generating domain parameter, Verifying domain parameters, Generating key pair, Generating signature, Verifying signature | DSA with all key and SHA sizes | |||
| Random number generation | Generating deterministic random number | Using HMAC_DRBG and Hash_DRBG for all SHA sizes | |||
| Shared secret computation | Calculating shared secret | Diffie-Hellman key agreement without KDF with groups other than ffdhe2048, ffdhe3072, ffdhe4096 EC Diffie-Hellman Ephemeral Unified with P-224, P-521 curves without KDF EC Diffie-Hellman one Pass and Static without KDF | |||
| Key derivation (TLS) | Deriving TLS key | Key Derivation using SHA2-224 / SHA2-512 | |||
| Key derivation (SSH) | Deriving SSH key | Key Derivation function using SHA-1 / SHA2-224 / SHA2-512 |
Cryptographic Module for BIG-IP 1.2 TLS-P-HASHW, E, G W, E N/A N/A N/A N/A Table 14 - Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP.
© 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP Table 15 - Non-Approved Services © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP
The integrity of the module is verified by comparing a HMAC value calculated at run time on the libcrypto.so.1.0.2za file, using HMAC key embedded in the same file, with the HMAC-SHA2-256 value stored in the module file .libcrypto.so.1.0.2za.hmac that was computed at build time. Integrity tests are performed as part of the Pre-Operational Self-Tests.
The on-demand integrity test is performed by power-cycling or reloading the module. © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP
Operational Environment Type: The module operates in a modifiable operational environment. BIG-IP consists of a Linux based operating system customized for performance that runs directly on the hardware or in virtual environment. Operational Environment Requirements: The module runs on a BIG-IP 17.1.0.1 operating system executing on the hardware and hypervisor specified in Table
Cryptographic Module for BIG-IP
The module is a software and therefore this section is Not Applicable (N/A). © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP
Per IG 12.A: Until requirements of SP800-140F are defined, non-invasive mechanisms fall under ISO / IEC 19790:2012 Section 7.12 Mitigation of other attacks. © 2024 F5, Inc. / atsec information security.
| Name | Type | Description | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Import Export | SSP Name / Type |
|---|---|---|---|---|---|---|---|---|---|---|
| RAM | Dynamic | The memory occupied by SSPs is allocated by regular memory allocation operating system calls. SSPs are stored in plaintext | ||||||||
| Use: Encryption / decryption Related keys: N/A | 128 to 256-bits | ECB, CBC, CTR, GCM A3947 ECB, CBC, GCM A3948 | N/A | N/A | RAM | EVP_C IPHER _CTX_ clean up | Input as an API parameter; No export | AES key / CSP / symme tric | ||
| Use: MAC generation and verification Related keys: N/A | 128 to 256-bits | GMAC, A3947 A3948 | N/A | N/A | RAM | EVP_C IPHER _CTX_ clean up | Input as an API parameter; No export | AES key / CSP / symme tric | ||
| Use: Key wrapping Related keys: N/A | 128 and 256-bits | AES GCM key wrapping A3947 A3948 | N/A | N/A | RAM | FIPS_c ipher_ ctx_cl eanup () | Input as an API parameter; No export | AES key / CSP / symme tric | ||
| Use: MAC generation/ verification | 112 to 192-bits | HMAC- SHA-1, HMAC- | N/A | N/A | RAM | HMAC _CTX_ | Input as an API parameter; No export | HMAC key / CSP / |
| Name | Type | Description | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Import Export | SSP Name / Type |
|---|---|---|---|---|---|---|---|---|---|---|
| RAM | Dynamic | The memory occupied by SSPs is allocated by regular memory allocation operating system calls. SSPs are stored in plaintext | ||||||||
| Use: Encryption / decryption Related keys: N/A | 128 to 256-bits | ECB, CBC, CTR, GCM A3947 ECB, CBC, GCM A3948 | N/A | N/A | RAM | EVP_C IPHER _CTX_ clean up | Input as an API parameter; No export | AES key / CSP / symme tric | ||
| Use: MAC generation and verification Related keys: N/A | 128 to 256-bits | GMAC, A3947 A3948 | N/A | N/A | RAM | EVP_C IPHER _CTX_ clean up | Input as an API parameter; No export | AES key / CSP / symme tric | ||
| Use: Key wrapping Related keys: N/A | 128 and 256-bits | AES GCM key wrapping A3947 A3948 | N/A | N/A | RAM | FIPS_c ipher_ ctx_cl eanup () | Input as an API parameter; No export | AES key / CSP / symme tric | ||
| Use: MAC generation/ verification | 112 to 192-bits | HMAC- SHA-1, HMAC- | N/A | N/A | RAM | HMAC _CTX_ | Input as an API parameter; No export | HMAC key / CSP / | ||
| Related keys: N/A | SHA-256, HMAC- SHA-384: A3947 HMAC- SHA-1 A3948 | clean up() | symme tric | |||||||
| Use: Digital signature generation Related keys: RSA public key, DRBG internal state | 112 to 150-bits | RSA SigGen: A3947 | Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 (CKG) | N/A | RAM | FIPS_r sa_fre e() | Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format. | RSA private key / CSP / asymm etric | ||
| Use: Digital signature verification Related keys: RSA private key, DRBG internal state | RSA SigVer: A3947 | RSA public key / PSP/ asymm etric | ||||||||
| Use: Digital signature generation Related keys: ECDSA public key, DRBG internal state | 128 and 192-bits | ECDSA SigGen: A3947 | Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 (CKG) | N/A | RAM | EC_KE Y_free () | Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format. | ECDSA private key / CSP / asymm etric | ||
| Use: Digital signature verification Related keys: ECDSA private key, DRBG internal state | ECDSA SigVer: A3947 | ECDSA public key / PSP / asymm etric | ||||||||
| Use: EC Diffie- Hellman shared secret computation Related keys: EC Diffie-Hellman public key, DRBG internal state, EC Diffie-Hellman shared secret | 128 and 192-bits | KAS-ECC- SSC Sp800- 56Ar3 A3947 | Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 | N/A | RAM | EC_KE Y_free (); EC_PO INT_fr ee() | Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format. | EC Diffie- Hellma n private key / CSP / asymm etric | ||
| Use: EC Diffie- Hellman shared secret computation Related keys: EC Diffie-Hellman private key, DRBG internal state, EC Diffie-Hellman shared secret | EC Diffie- Hellma n public key / PSP / asymm etric | |||||||||
| Use: EC Diffie- Hellman shared secret computation Related keys: EC Diffie-Hellman private key, EC | 128 and 192-bits | KAS-ECC- SSC Sp800- 56Ar3: A3947 | N/A | SP800 - 56Ar3 KAS in Table 9 | RAM | EC_KE Y_free () EC_PO INT_fr ee() | No import; Export: CM to TOEPP Path. Passed from the module via API parameters | EC Diffie- Hellma n shared secret / | ||
| Diffie-Hellman public key | in plaintext format. | CSP / asymm etric | ||||||||
| Use: DH shared secret computation Related keys: Diffie- Hellman public key, DRBG internal state | 112 to 150-bits | KAS-FFC- SSC Sp800- 56Ar3: A3947 | Generat ed conform ant to SP800- 133r2 section 4 exampl e 1 (CKG) Table 6 | N/A | RAM | DH_fr ee | Import / Export: CM to / from TOEPP Path. Passed to / from the module via API parameters in plaintext format. | Diffie- Hellma n private key / CSP / asymm etric | ||
| Use: DH shared secret computation Related keys: Diffie- Hellman private key, DRBG internal state | Diffie- Hellma n public key / PSP / asymm etric | |||||||||
| Use: DH shared secret computation Related keys: Diffie- Hellman private key, Diffie-Hellman public key | 112 to 150-bits | KAS-FFC- SSC Sp800- 56Ar3: A3947 | N/A | SP800 - 56Ar3 KAS in Table 9 | RAM | DH_fr ee | No import; Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext format. | Diffie- Hellma n shared secret / CSP / asymm etric | ||
| Use: TLS KDF Related SSPs: EC Diffie-Hellman private and public keys and Diffie- Hellman private and public keys; TLS primary secret | DH ffdhe204 8, ffdhe307 2, ffdhe409 6 / 112, 128, 150-bits ECDH: P- 256, P- 384/ 128 and 192- bits | TLS KDF A3947 | N/A | SP800 - 56Ar3 KAS in Table 9 | RAM | OPEN SSL_cl eanse | Import; as an API parameter No export | TLS pre- primar y secret | ||
| Use: TLS KDF Related SSPs: TLS pre-primary secret; TLS derived key | 256-bits | TLS KDF A3947 | SP800- 135r1 TLS KDF | N/A | RAM | OPEN SSL_cl eanse | No import; No export | TLS primar y secret | ||
| Use: TLS protocol Related SSPs: TLS pre-primary secret, TLS primary secret | 128 and 256-bits (AES) 112 and 256-bits (HMAC) | AES HMAC A3947 | SP800- 135r1 TLS KDF | N/A | RAM | OPEN SSL_fr ee | No import; Export: Passed from the module via API parameters in plaintext format | TLS derive d key (AES HMAC) | ||
| Use: Key derivation; Related SSPs: EC Diffie-Hellman | ECDH: P- 256, P- 384 / 128 | SSH KDF A3947 | N/A | SP800 - 56Ar3 | RAM | OPEN SSL_fr ee | Import; as an API parameter No export | SSH shared secret | ||
| private and public keys; SSH derived key | and 192- bits | KAS in Table 9 | ||||||||
| Use: data encryption / decryption and MAC calculations in SSH protocol Related SSPs: SSH shared secret | 128 and 256-bits (AES) 112 and 256-bits (HMAC) | AES HMAC A3947 | SP800- 135r1 SSH KDF | N/A | RAM | OPEN SSL_fr ee | No import; Export: Passed from the module via API parameters in plaintext format | SSH derive d key (AES, HMAC) | ||
| Use: Random number generation Related keys: DRBG seed | 256-bits | ESV E74 | Obtaine d from ESV E74 (referen ce in section 11.2) | N/A | RAM | When the syste m is power ed down | Import from the OS within the TOEPP; No Export | Entrop y input / CSP (IG D.L) | ||
| Use: Random number generation. Related keys: Entropy input, DRBG, Internal state | 256-bits | Counter DRBG A3947 A3948 | Derived from the entropy string as defined by [SP800- 90Ar1] | N/A | RAM | FIPS_d rbg_u ninsta ntiate | No import: it remains within the cryptographic boundary; No Export | DRBG seed / CSP (IG D.L) | ||
| Use: Random Number Generation. Related keys: Entropy input, DRBG seed | 256-bits | Counter DRBG A3947 A3948 | Derived from the DRBG seed as defined by [SP800- 90Ar1] | N/A | RAM | FIPS_d rbg_u ninsta ntiate | No import: it remains within the cryptographic boundary; No Export | DRBG interna l state (V and Key values) / CSP (IG D.L) |
Cryptographic Module for BIG-IP
The module does not support manual SSP entry or intermediate key generation output. The module does not support entry and output of SSPs beyond the physical perimeter of the operational environment (TOEPP). The SSPs can be provided to the module in plaintext form via API parameters, to and from the calling application running on the same operational environment. This is allowed by [FIPS 140-3_IG] IG 9.5.A Table 1, according to the “CM Software to/from App via TOEPP Path” entry which refers to keys communicated within the physical perimeter of the GPC.
The application is responsible for calling the appropriate destruction functions provided in the module's API. The destruction functions (listed in Table 17) overwrite the memory occupied by system call. N/A N/A N/A N/A N/A N/A HMACSHA-1, () N/A N/A © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP DiffieHellma n HMACSHA-384: HMACSHA-1 SP800133r2 e1 N/A e() SP800133r2 e1 N/A () KAS-ECCSSC Sp80056Ar3 SP800133r2 e1 N/A (); KAS-ECCSSC Sp80056Ar3: N/A () DiffieHellma n DiffieHellma n © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP DiffieHellma n DiffieHellma n DiffieHellma n preprimar y y KAS-FFCSSC Sp80056Ar3: SP800133r2 e1 N/A KAS-FFCSSC Sp80056Ar3: N/A 8, 2, ECDH: P256, P384/ 128 and 192bits N/A SP800135r1 N/A SP800135r1 N/A ECDH: P256, P384 / 128 N/A © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP and 192bits SP800135r1 D.L) D.L) D.L) [SP80090Ar1] [SP80090Ar1] N/A N/A N/A N/A © 2024 F5, Inc. / atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Condition |
|---|---|---|---|---|---|---|---|
| HMAC-SHA- 256 | HMAC-SHA- 256 | Message Authentication | Integrity b o | Integrity of the module is verified by comparing the HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value stored in the module that was computed at build time | 112-bit key | Module ecomes perational | |
| CTR_DRBG | CTR_DRBG | KAT | CAST | SP800-90Ar1 section 11.3 health tests | AES 256-bits with derivation function | Module becomes operational | Test runs at Power-on before the integrity test |
| AES-GCM; AES-CBC | AES-GCM; AES-CBC | KAT | CAST | Encryption / decryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test |
| RSA PKCS#1 v1.5 | RSA PKCS#1 v1.5 | KAT | CAST | Signature generation / signature verification | 2048-bit key and SHA2-256 | Module becomes operational | Test runs at Power-on before the integrity test |
| RSA | RSA | PCT | PCT | Calculation and verification of a digital signature | 2048-bit key and SHA2-256 | Asymmetric algorithm is performed | Test runs at first algorithm use |
| ECDSA | ECDSA | KAT | CAST | Signature generation / signature verification | P-256 and SHA2- 256 | Module becomes operational | Test runs at Power-on before the integrity test |
| ECDSA | ECDSA | PCT | PCT | Calculation and verification of a digital signature | P-256 and SHA2- 256 | Asymmetric algorithm is performed | Test runs at first algorithm use |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Condition |
|---|---|---|---|---|---|---|---|
| HMAC-SHA- 256 | HMAC-SHA- 256 | Message Authentication | Integrity b o | Integrity of the module is verified by comparing the HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value stored in the module that was computed at build time | 112-bit key | Module ecomes perational | |
| CTR_DRBG | CTR_DRBG | KAT | CAST | SP800-90Ar1 section 11.3 health tests | AES 256-bits with derivation function | Module becomes operational | Test runs at Power-on before the integrity test |
| AES-GCM; AES-CBC | AES-GCM; AES-CBC | KAT | CAST | Encryption / decryption | 128-bit key | Module becomes operational | Test runs at Power-on before the integrity test |
| RSA PKCS#1 v1.5 | RSA PKCS#1 v1.5 | KAT | CAST | Signature generation / signature verification | 2048-bit key and SHA2-256 | Module becomes operational | Test runs at Power-on before the integrity test |
| RSA | RSA | PCT | PCT | Calculation and verification of a digital signature | 2048-bit key and SHA2-256 | Asymmetric algorithm is performed | Test runs at first algorithm use |
| ECDSA | ECDSA | KAT | CAST | Signature generation / signature verification | P-256 and SHA2- 256 | Module becomes operational | Test runs at Power-on before the integrity test |
| ECDSA | ECDSA | PCT | PCT | Calculation and verification of a digital signature | P-256 and SHA2- 256 | Asymmetric algorithm is performed | Test runs at first algorithm use |
| KAS-ECC- SSC | KAS-ECC- SSC | KAT | CAST | Shared secret computation | P-256 | Module becomes operational | Test runs at Power-on before the integrity test |
| Diffie Hellman | Diffie Hellman | PCT | PCT | Section 5.6.2.1.4 of SP800-56Ar3 | ffdhe2048 | Asymmetric algorithm is performed | Test runs at first algorithm use |
| KAS-FFC- SSC | KAS-FFC- SSC | KAT | CAST | Shared secret computation | ffdhe2048 | Module becomes operational | Test runs at Power-on before the integrity test |
| EC Diffie Hellman | EC Diffie Hellman | PCT | PCT | Covered by ECDSA PCT (IG 10.3.A) | P-256 | Asymmetric algorithm is performed | Test runs at first algorithm use |
| HMAC-SHA | HMAC-SHA | KAT | CAST | MAC | HMAC-SHA-1, HMAC-SHA2-256 HMAC-SHA2-384 | Module becomes operational | Test runs at Power-on before the integrity test |
| SHA | SHA | KAT | CAST | Covered by respective HMAC KATs (allowed per IG 10.3.B) | SHA-1, SHA2-256, SHA2-384 | Module becomes operational | Test runs at Power-on before the integrity test |
| [SP800- 135r1] KDF | [SP800- 135r1] KDF | KAT | CAST | Key derivation used in the TLS v 1.0 / 1.1 / 1.2 protocols | TLS | Module becomes operational | Test runs at Power-on before the integrity test |
| [SP800- 135r1] KDF | [SP800- 135r1] KDF | KAT | CAST | Key derivation used in the SSHv2 protocol | SSH | Module becomes operational | Test runs at Power-on before the integrity test |
Cryptographic Module for BIG-IP
While the module is executing the pre-operational self-test, CASTs and PCTs, services are not available, and data/control input and data output are inhibited. The module does not return control to the calling application until the self-tests are completed. On successful completion of the CASTs cryptographic services are available. If the module fails any of the tests, it will return an error code and enter into the Error state to prohibit any further cryptographic operations.
Pre-operational self-tests are performed automatically when the module is loaded into memory; the pre-operational self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. HMAC-SHA256 Table 18 - Pre-Operational Self-Tests
© 2024 F5, Inc. / atsec information security.
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Halt Error | The data output is inhibited. | HMAC-SHA2-256 integrity test failure | Module will not load | The module must be re-loaded |
| The data output is inhibited. | The data output is inhibited. | Failure of any of the CASTs | Error message related to the crypto function listed in Table 19 and the flag 'fips_selftest_fail' is set. | The module must be re-loaded |
| The data output is inhibited. | The data output is inhibited. | Failure of any of the PCTs | Error message a PCT failure for RSA, DH, ECDH or ECDSA pairwise consistency test and the flag 'fips_selftest_fail' is set. | The module must be re-loaded |
Cryptographic Module for BIG-IP KAS-ECCSSC KAS-FFCSSC [SP800TLS [SP800SSH Table 19 - Conditional Self-Tests The entropy source performs its required self-tests; those are not listed in Table 19, as the entropy source is not part of the cryptographic boundary of the module.
The periodic self-tests can be invoked by powering-off and reloading the module. This service performs Conditional Cryptographic Algorithm Self-Tests (CASTs) and integrity test. During the execution of the periodic self-tests, crypto services are not available and no data output or input is possible. © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP Table 20 - Error States The module must be re-loaded in order to clear the error condition.
The on demand self-tests is performed by powering-off and reloading the module. During the execution of the on demand self-tests, Conditional Cryptographic Algorithm Self-Tests (CASTs) and integrity test are performed. The crypto services are not available and no data output or input is possible. © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP
Startup Procedures: Before the Crypto Officer can configure and use the BIG-IP system, the Crypto Officer must activate a valid license on the system. The Crypto Officer chooses the license to buy by selecting the hypervisor from Table 2, and the throughput needed. The following procedures described in "K77552 Licensing the BIG-IP system" on my.F5.com (https://my.f5.com/manage/s/article/K7752#reg) are performed:
The Crypto Officer should verify the validity of the BIG-IP software license by running the command: ‘tmsh show sys license' which should output 'FIPS 140, BIG-IP VE-1G to 10G,’ under the ‘Active Modules’ list. On the BIG-IP product the Crypto Officer should call the dedicated Show version API, fips_get_f5fips_module_version, to ensure that the module identifier and version are shown as: Cryptographic Module for BIG-IP OpenSSL 1.0.2za-fips. If the module has passed all self-tests then it is operating in the Approved mode. The Approved mode of operation can only transition into the non-Approved mode by calling one of the nonApproved services listed in Table - Non-Approved Services. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/74
The Crypto Officer shall consider the following requirements and restrictions when using the module.
Cryptographic Module for BIG-IP
The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP Appendix A. AES AES-NI CAST CAVP CBC CCM CFB CKG CMAC CMVP CPU CSP CTR DES DSA DRBG ECB ECC ECDSA ESV FFC FIPS GCM GMAC HMAC IV KAS KAT KDF KTS KW MAC NIST OFB PAA PCT PSP PSS RAM RNG RSA SHA SSH TDES TLS XTS Glossary and Abbreviations Advanced Encryption Standard Advanced Encryption Standard New Instructions Cryptographic Algorithm Self-Test Cryptographic Algorithm Validation Program Cipher Block Chaining Counter with Cipher Block Chaining-Message Authentication Code Cipher Feedback Cryptographic Key Generation Cipher-based Message Authentication Code Cryptographic Module Validation Program Central Processing Unit Critical Security Parameter Counter Mode Data Encryption Standard Digital Signature Algorithm Deterministic Random Bit Generator Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Digital Signature Algorithm Entropy Source Validation Finite Field Cryptography Federal Information Processing Standards Publication Galois Counter Mode Galois Message Authentication Code Hash Message Authentication Code Initialization Vector Key Agreement Schema Known Answer Test Key Derivation Function Key Transport Scheme AES Key Wrap Message Authentication Code National Institute of Science and Technology Output Feedback Processor Algorithm Acceleration Pairwise Consistency Test Public Security Parameter Probabilistic Signature Scheme Random-Access Memory Random Number Generator Rivest, Shamir, Adleman Secure Hash Algorithm Secure Shell Triple-DES Transport Layer Security XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52r2 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://doi.org/10.6028/NIST.SP.800-52r2 SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800-56Cr2 Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 4 - Recommendation for Key Management Part 1: General January 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B (Second DRAFT) NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-131Ar2 NIST Special Publication 800-131A Revision 2- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133r2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf © 2024 F5, Inc. / atsec information security.
Cryptographic Module for BIG-IP SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf © 2024 F5, Inc. / atsec information security.