| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/20/2026 |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Corsec Security, Inc. |
flowchart LR
%% Deterministic review-risk graph for CorSSL
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for CorSSL
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;Corsec Security, Inc. CorSSL™ Software Version: 1.1.1s.005 FIPS Security Level: 1 Document Version: 0.1 Prepared by: Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 www.corsec.com
Abstract This is a non-proprietary Cryptographic Module Security Policy for CorSSL™ (version: 1.1.1s.005) from Corsec Security, Inc. (Corsec). This Security Policy describes how CorSSL™ meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. CorSSL™ is also referred to in this document as the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1 – Security Levels | 5 |
| Table 2 – Tested Operational Environments | 7 |
| Table 3 – Approved Algorithms | 8 |
| Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation | 14 |
| Table 5 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation | 14 |
| Table 6 – Ports and Interfaces | 18 |
| Table 7 – Roles, Service Commands, Input and Output | 19 |
| Table 8 – Approved Services | 21 |
| Table 9 – Non-Approved Services | 23 |
| Table 10 – Keys | 29 |
| Table 11 – Non-Deterministic Random Number Generation Specification | 33 |
| Table 12 – CVEs | 39 |
| Table 13 – Acronyms and Abbreviations | 41 |
| Figure 1 – GPC Block Diagram | 16 |
| Figure 2 – Module Block Diagram (with Cryptographic Boundary) | 17 |
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
API
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
ISO/IEC 24579 Section 6. FIPS 140-3 Section Title Security Level [Number Below]
9 Sensitive Security Parameter Management 1
10 Self-tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A
The module has an overall security level of 1. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
2. Cryptographic Module Specification CorSSL™ v1.1.1s.005 is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment.
The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in Table 2. Table 2
1 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R With (AES-NI)
2 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R Without
The module is designed to utilize the AES-NI5 extended instruction set when available on the host platform’s CPU to accelerate the processing of its AES implementation. There are no vendor-affirmed operational environments claimed. The cryptographic module maintains validation compliance when operating on any general-purpose computer (GPC) provided that the GPC uses any single-user operating system/mode specified on the validation certificate, or another compatible single-user operating system. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment not listed on the validation certificate.
The module implements cryptographic algorithms in the following providers:
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Table 3
6 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.
KWP
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 AES-XTS19,20,21 Testing Revision XTS22,23,24 128, 256 Encryption/Decryption 2.0 NIST SP 800-38E A3254 Counter DRBG25 Counter-based 128, 192, 256-bit AES-CTR Deterministic Random Bit NIST SP 800-90Arev1 Generation A3254 DSA26 KeyGen (FIPS186-4) DSA KeyGen 2048/224, 2048/256, Key Pair Generation FIPS PUB 186-4 3072/256 A3254 DSA PQGGen (FIPS186-4) DSA PQGGen 2048/224, 2048/256, Domain Parameter FIPS PUB 186-4 3072/256 (SHA2-224, Generation SHA2-256, SHA2-384, SHA2-512) A3254 DSA PQGVer (FIPS186-4) DSA PQGVer 1024/160, 2048/224, Domain Parameter FIPS PUB 186-4 2048/256, 3072/256 (SHA- Verification 1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 DSA SigGen (FIPS186-4) DSA SigGen 2048/224, 2048/256, Digital Signature Generation FIPS PUB 186-4 3072/256 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 DSA SigVer (FIPS186-4) DSA SigVer 1024/160, 2048/224, Digital Signature Verification FIPS PUB 186-4 2048/256, 3072/256 (SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 ECDSA27 KeyGen (FIPS186-4) ECDSA KeyGen B-233, B-283, B-409, B-571, Key Pair Generation FIPS PUB 186-4 Secret generation K-233, K-283, K-409, K-571, mode: Testing P-224, P-256, P-384, P-521 candidates A3254 ECDSA KeyVer (FIPS186-4) ECDSA KeyVer B-163, B-233, B-283, B-409, Public Key Validation FIPS PUB 186-4 B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 ECDSA SigGen (FIPS186-4) ECDSA SigGen B-233, B-283, B-409, B-571, Digital Signature Generation FIPS PUB 186-4 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2-384, SHA2-512)
XTS
DSA
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 ECDSA SigVer (FIPS186-4) ECDSA SigVer B-163, B-233, B-283, B-409, Digital Signature Verification FIPS PUB 186-4 B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 HMAC SHA-1 SHA-1 MAC: 80-160 Increment 8 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 The module also supports HMAC SHA-1-80. A3254 HMAC SHA2-224 SHA2-224 MAC: 224 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA2-256 SHA2-256 MAC: 256 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA2-384 SHA2-384 MAC: 384 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA2-512 SHA2-512 MAC: 512 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-224 SHA3-224 MAC: 224 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-256 SHA3-256 MAC: 256 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-384 SHA3-384 MAC: 384 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-512 SHA3-512 MAC: 512 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 KAS-ECC-SSC28 Sp800-56Ar3 ephemeralUnified B-233, B-283, B-409, B-571, Shared Secret Computation NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 A3254 KAS-FFC-SSC29 Sp800-56Ar3 dhEphem 2048/224 (FB), 2048/256 Shared Secret Computation NIST SP 800-56Arev3 (FC) A3254 PBKDF230 Section 5.4, option SHA-1, SHA2-224, SHA2- Password-Based Key NIST SP 800-132 1a 256, SHA2-384, SHA2-512, Derivation SHA3-224, SHA3-256, SHA3-384, SHA3-512
28 KAS-ECC-SSC
KAS-FFC-SSC
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 RSA31 KeyGen (FIPS186-4) Key generation 2048, 3072, 4096 Key Pair Generation FIPS PUB 186-4 mode: B.3.3 A3254 RSA32 SigGen (FIPS186-4) X9.31 2048, 3072, 4096 (SHA2- Digital Signature Generation FIPS PUB 186-4 256, SHA2-384, SHA2-512) PKCS#1 v1.5 2048, 3072, 4096 (SHA2- Digital Signature Generation 224, SHA2-256, SHA2-384, SHA2-512) PSS33 2048, 3072, 4096 (SHA2- Digital Signature Generation 224, SHA2-256, SHA2-384, SHA2-512) A3254 RSA34 SigVer (FIPS186-4) X9.31 1024, 2048, 3072, 4096 Digital Signature Verification FIPS PUB 186-4 (SHA-1, SHA2-256, SHA2384, SHA2-512) PKCS#1 v1.5 1024, 2048, 3072, 4096 Digital Signature Verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS35 1024, 2048, 3072, 4096 Digital Signature Verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A3254 SHA-1 SHA-1 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-224 SHA2-224 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-256 SHA2-256 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-384 SHA2-384 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-512 SHA2-512 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA3-224 SHA3-224 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHA3-256 SHA3-256 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHA3-384 SHA3-384 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHA3-512 SHA3-512 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHAKE36-128 SHAKE-128 Output Length: 16-1024 Message Digest FIPS PUB 202 Increment 8
PSS
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 SHAKE-256 SHAKE-256 Output Length: 16-1024 Message Digest FIPS PUB 202 Increment 8 A3254 TDES-CBC CBC 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CFB1 CFB1 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CFB64 CFB64 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CFB8 CFB8 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CMAC CMAC 112, 168 MAC verification NIST SP 800-67rev2 NIST SP 800-38B A3254 TDES-ECB ECB 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-OFB OFB 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TLS v1.2 KDF RFC 7627 KDF (TLS37 v1.2) SHA2-256, SHA2-384, Key Derivation CVL SHA2-512 NIST SP 800-135rev1 No part of the TLS 1.2 protocol, RFC 7627 other than the KDF, has been tested by the CAVP and CMVP. CorSSL (libssl) A3253 TLS v1.3 KDF KDF (TLS v1.3) SHA2-256, SHA2-384 Key Derivation CVL NIST SP 800-135rev1 No part of the TLS 1.3 protocol, RFC 8446 other than the KDF, has been tested by the CAVP and CMVP. Security Function Implementations (SFIs) KAS-ECC-SSC KAS38 NIST SP 800- B-233, B-283, B-409, B-571, Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-ECC K-233, K-283, K-409, K-571, NIST SP 800-135rev1 per IG D.F Scenario P-224, P-256, P-384, and PTLS v1.2 KDF RFC 7627 2 path (2) 521 curves providing RFC7627 between 112 and 256 bits A3254 of encryption strength KAS-ECC-SSC KAS NIST SP 800- B-233, B-283, B-409, B-571, Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-ECC K-233, K-283, K-409, K-571, NIST SP 800-135rev1 per IG D.F Scenario P-224, P-256, P-384, and PTLS v1.3 KDF RFC 8446 2 path (2) 521 curves providing A3253 between 112 and 256 bits of encryption strength TLS
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) KAS-FFC-SSC KAS NIST SP 800- 2048-bit key providing 112 Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-FFC bits of encryption strength NIST SP 800-135rev1 per IG D.F Scenario TLS v1.2 KDF RFC 7627 2 path (2) RFC7627 A3254 KAS-FFC-SSC KAS NIST SP 800- 2048-bit key providing 112 Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-FFC bits of encryption strength NIST SP 800-135rev1 per IG D.F Scenario TLS v1.3 KDF RFC 8446 2 path (2) A3253 AES-CCM KTS39 NIST SP 800-38C 128, 192, and 256-bit keys Key Wrap/Unwrap40 A3254 NIST SP 800-38C and NIST SP 800- provide between 128 and NIST SP 800-38F 38F. KTS (key 256 bits of encryption wrapping and strength unwrapping) per IG D.G. AES-GCM KTS NIST SP 800-38D 128, 192, and 256-bit keys Key Wrap/Unwrap41 A3254 NIST SP 800-38D and NIST SP 800- provide between 128 and NIST SP 800-38F 38F. KTS (key 256 bits of encryption wrapping and strength unwrapping) per IG D.G. AES-KW KTS NIST SP 800-38F. 128, 192, and 256-bit keys Key Wrap/Unwrap A3254 NIST SP 800-38F KTS (key wrapping provide between 128 and and unwrapping) 256 bits of encryption per IG D.G. strength AES-KWP KTS NIST SP 800-38F. 128, 192, and 256-bit keys Key Wrap/Unwrap A3254 NIST SP 800-38F KTS (key wrapping provide between 128 and and unwrapping) 256 bits of encryption per IG D.G. strength Vendor Affirmed Vendor CKG42 - - Cryptographic Key Generation Affirmed NIST SP 800-133rev2 The vendor affirms the following cryptographic security methods:
40 Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is Approved for key wrap/unwrap.
Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is Approved for key wrap/unwrap.
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the operational environment inside the module’s physical perimeter but outside the cryptographic boundary. Thus, there is no assurance of the minimum strength of generated SSPs (e.g., keys) The module implements the Non-Approved but allowed algorithms shown in Table 4 below. Table 4
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Algorithm / Function Use / Function DSA (non-compliant with key sizes below the Key Pair Generation; Digital Signature Generation; Digital minimums for Approved mode) Signature Verification ECDH (non-compliant with curves P-192, K-163, B- Key Agreement 163, and non-NIST curves) ECDSA (non-compliant with curves P-192, K-163, B- Key Pair Generation; Digital Signature Generation; Digital 163, and non-NIST curves) Signature Verification EdDSA44 Key Pair Generation; Digital Signature Generation; Digital Signature Verification IDEA Encryption/Decryption KDF Key Derivation Functions for TLS 1.0/1.1; HKDF; X9.42 MD2, MD4, MD5 Message Digest Poly1305 Message Authentication Code RC245, RC4, RC5 Encryption/Decryption RIPEMD Message Digest RMD160 Message Digest RSA (non-compliant with non-approved/untested key Key Pair Generation; Digital Signature Generation; Digital sizes, and functions) Signature Verification; Key Transport SEED Encryption/Decryption SHA-1 (non-compliant) Signature Generation for TLS 1.0/1.1 SM2, SM3 Message Digest SM4 Encryption/Decryption Triple-DES (non-compliant) Encryption; MAC Generation; Key Wrapping Whirlpool Message Digest
As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 below illustrates a block diagram of a typical GPC and the module’s physical perimeter. EdDSA
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: BIOS
libssl libssl.hmac Calling Application libcrypto libcrypto.hmac KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output CPU Memory Storage Ports Status Output System Calls Host Device Figure 2
The module supports two modes of operation: Approved and Non-Approved. The module operates in the Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked. Table 3 and Table 4 list the Approved and allowed algorithms, while Table 8 provides descriptions of the Approved services. The module alternates on a service-by-service basis between Approved and Non-Approved modes of operation. The module will implicitly switch to the Non-Approved mode upon execution of a Non-Approved service. The module will implicitly switch back to the Approved mode upon execution of an Approved service. Table 5 lists the Non-Approved algorithms implemented by the module, while Table 9 below lists the services that constitute the Non-Approved mode. When following the guidance in section 11.5 of this document, CSPs are not shared between Approved and nonApproved services and modes of operation. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.
The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs cryptographic initialization or management functions and general security services. The module also supports the following role(s):
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Role Service Input Output User Verify Digital Signature API call parameters, key, Status signature, message User Perform Key Wrap API call parameters, encryption Status, encrypted key key, key User Perform Key Unwrap API call parameters, decryption Status, decrypted key key, key User Compute Shared Secret API call parameters Status, shared secret User Derive Keys via TLS KDF API call parameters, TLS pre- Status, TLS keys master secret User Perform Key Agreement Functions API call parameters Status, symmetric key User Derive Key via PBKDF2 API call parameters, password Status, key
The module does not support authentication methods; operators implicitly assume an authorized role based on the service selected.
Descriptions of the approved services available to the authorized roles are provided in Table 8 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided by the module are considered the module’s security services. Indicators for Approved services (in the case of this module, those security functions with algorithm validation certificates and all required self-tests) are provided via API return value. When invoking a security function, the calling application provides inputs via an internal structure, or “context”. Upon each service invocation, the module will determine if the invoked security function is an Approved service. To access the resulting value, the calling application must pass the finalized context to the indicator API associated with that security function (note the indicator check must be performed prior to any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing Non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix B below. The keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:
Table 8
Service Description Approved Security Functions Keys and/or SSPs Roles Access Rights to Keys Indicator and/or SSPs Perform Hash Compute a SHA-1 (Cert. A3254) None User N/A API return Operation message digest SHA2-224 (Cert. A3254) value SHA2-256 (Cert. A3254) SHA2-384 (Cert. A3254) SHA2-512 (Cert. A3254) SHA3-224 (Cert. A3254) SHA3-256 (Cert. A3254) SHA3-384 (Cert. A3254) SHA3-512 (Cert. A3254) Generate DSA Generate DSA DSA PQGGen (FIPS186-4) (Cert. A3254) None User N/A API return Domain domain value Parameters parameters Verify DSA Verify DSA DSA PQGVer (FIPS186-4) (Cert. A3254) None User N/A API return Domain domain value Parameters parameters Generate Generate a DSA KeyGen (FIPS186-4) (Cert. A3254) DSA public key User DSA public key
Service Description Algorithms Accessed Role Indicator Perform Key Pair Generation Perform key pair generation DSA (non-compliant), ECDSA User API return value (Non-Compliant) (non-compliant), EdDSA, RSA (non-compliant) CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
5. Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file; failure of the integrity test for either library file will cause the module to enter a critical error state. Details regarding the keys used for the integrity checks can be found in Table 10 below. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. CorSSL™ is not a standalone application; it is a cryptographic toolkit intended for use in a with a vendor’s solution. The module will be linked to a host application, and the host application will be pre-installed onto a target platform by the vendor or installed onto target platforms by the end-user. The module requires no configuration steps to be performed by application developers or end-users, and no action is required from developers or end-users to initialize the module for operation. The module is designed with a default entry point (DEP) that ensures that the pre-operational tests and conditional CASTs are initiated automatically when the module is loaded. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
6. Operational Environment The CorSSL™ comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environment provides the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
7. Physical Security The cryptographic module is software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2021 section 7.7.1, requirements for physical security are not applicable. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
8. Non-Invasive Security This section is not applicable. There is currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
9. Sensitive Security Parameter Management
The module supports the keys and other SSPs listed Table 10 below. Table 10
Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroisation Use & Name/Type Cert. Number Related Keys (Cert. A3254) AES GCM Key Between 128 AES-GCM - Imported in Derived via Plaintext in Unload Authenticated (CSP) and 256 bits (Cert. A3254) plaintext via API TLS KDF volatile module; Symmetric parameter memory Remove power Encryption, KTS (AES-GCM) Decryption; (Cert. A3254) Never exported Key Transport AES XTS Key 256 bits AES-XTS - Imported in - Plaintext in Unload Symmetric (CSP) (Cert. A3254) plaintext via API volatile module; Encryption, parameter memory Remove power Decryption Never exported AES CMAC Key Between 128 AES-CMAC - Imported in - Plaintext in Unload MAC (CSP) and 256 bits (Cert. A3254) plaintext via API volatile module; Generation, parameter memory Remove power Verification Never exported AES GMAC Key Between 128 AES-GMAC - Imported in - Plaintext in Unload MAC (CSP) and 256 bits (Cert. A3254) plaintext via API volatile module; Generation, parameter memory Remove power Verification Never exported Triple-DES Key 168 bits TDES-CBC - Imported in - Plaintext in Unload Symmetric (CSP) (Cert. A3254) plaintext via API volatile module; Decryption; parameter memory Remove power Key TDES-CFB1 Unwrapping (Cert. A3254) Never exported TDES-CFB64 (Cert. A3254) TDES-CFB8 (Cert. A3254) TDES-ECB (Cert. A3254) TDES-OFB (Cert. A3254) Triple-DES 168 bits TDES-CMAC - Imported in - Plaintext in Unload MAC CMAC Key (Cert. A3254) plaintext via API volatile module; Verification (CSP) parameter memory Remove power Never exported HMAC Key 112 bits HMAC SHA-1 - Imported in Derived via Plaintext in Unload Keyed Hash (CSP) (minimum) (Cert. A3254) plaintext via API TLS KDF volatile module; parameter memory Remove power HMAC SHA2-224 (Cert. A3254) Never exported HMAC SHA2-256 (Cert. A3254) HMAC SHA2-384 (Cert. A3254) HMAC SHA2-512 (Cert. A3254) HMAC SHA3-224 (Cert. A3254) HMAC SHA3-256 (Cert. A3254) HMAC SHA3-384 (Cert. A3254) HMAC SHA3-512 (Cert. A3254) DSA Private Key 112 or 128 DSA SigGen (FIPS186- Generated Imported in - Plaintext in Unload Digital (CSP) bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Generation CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroisation Use & Name/Type Cert. Number Related Keys Exported in Paired with: plaintext via API DSA Public Key parameter DSA Public Key 112 or 128 DSA SigVer (FIPS186- Generated Imported in - Plaintext in Unload Digital (PSP) bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Verification Exported in Paired with: plaintext via API DSA Private parameter Key ECDSA Private Between 112 ECDSA SigGen Generated Imported in - Plaintext in Unload Digital Key and 256 bits (FIPS186-4) internally via plaintext via API volatile module; Signature (CSP) (Cert. A3254) approved DRBG parameter memory Remove power Generation Exported in Paired with: plaintext via API ECDSA Public parameter Key ECDSA Public Between 112 ECDSA SigVer Generated Imported in - Plaintext in Unload Digital Key and 256 bits (FIPS186-4) internally via plaintext via API volatile module; Signature (PSP) (Cert. A3254) approved DRBG parameter memory Remove power Verification Exported in Paired with: plaintext via API ECDSA Private parameter Key RSA Private Key Between 112 RSA SigGen (FIPS186- Generated Imported in - Plaintext in Unload Digital (CSP) and 150 bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Generation Exported in Paired with: plaintext via API RSA Public Key parameter RSA Public Key Between 80 RSA SigVer (FIPS186- Generated Imported in - Plaintext in Unload Digital (PSP) and 150 bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Verification Exported in Paired with: plaintext via API RSA Private parameter Key DH Private Key 112 bits KAS-SSC-FFC Sp800- Generated Imported in - Plaintext in Unload DH Shared (CSP) 56Ar3 internally via plaintext via API volatile module; Secret (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API DH Public Key parameter DH Public Key 112 bits KAS-SSC-FFC Sp800- Generated Imported in - Plaintext in Unload DH Shared (PSP) 56Ar3 internally via plaintext via API volatile module; Secret (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API DH Public Key parameter ECDH Private Between 112 KAS-SSC-ECC Sp800- Generated Imported in - Plaintext in Unload ECDH Shared Key and 256 bits 56Ar3 internally via plaintext via API volatile module; Secret (CSP) (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API ECDH Public parameter Key ECDH Public Key Between 112 KAS-SSC-ECC Sp800- Generated Imported in - Plaintext in Unload ECDH Shared (PSP) and 256 bits 56Ar3 internally via plaintext via API volatile module; Secret (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API ECDH Private parameter Key Other SSPs Passphrase - PBKDF2 - Imported in - Plaintext in Unload Input to PBKDF (PSP) (Cert. A3254) plaintext via API volatile module; for key parameter memory Remove power derivation CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroisation Use & Name/Type Cert. Number Related Keys Never exported AES GCM IV - AES-GCM Generated - - Plaintext in Unload Initialization (CSP) (Cert. A3254) internally in volatile module; vector for AES compliance with memory Remove power GCM the provisions of a peer-to-peer Paired with: industry standard AES GCM Key protocol TLS pre-master - TLS v1.2 KDF - Imported in - Plaintext in Unload Derivation of secret RFC7627) plaintext via API volatile module; the TLS master (CSP) (Cert. A3254) parameter memory Remove power secret TLS v1.3 KDF Never exported (Cert. A3253) TLS master - TLS v1.2 KDF - - Derived Plaintext in Unload Derivation of secret RFC7627) internally via volatile module; the AES key, (CSP) (Cert. A3254) TLS KDF memory Remove power AES-GCM key, and HMAC key TLS v1.3 KDF used for (Cert. A3253) securing TLS connections Derived from: TLS pre-master secret DRBG entropy - Counter DRBG - Imported in - Plaintext in Unload Entropy input (Cert. A3254) plaintext via API volatile module; material for (CSP) parameter47 memory Remove power DRBG Never exported DRBG seed - Counter DRBG Generated - - Plaintext in Unload Seeding (CSP) (Cert. A3254) internally using volatile module; material for nonce along with memory Remove power DRBG DRBG entropy input DRBG ‘V’ value - Counter DRBG Generated - - Plaintext in Unload State values (CSP) (Cert. A3254) internally volatile module; for DRBG memory Remove power DRBG ‘Key’ - Counter DRBG Generated - - Plaintext in Unload State values value (Cert. A3254) internally volatile module; for DRBG (CSP) memory Remove power
The module implements the following Approved DRBG:
There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.
Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can unload the module from memory or reboot/power-cycle the host device.
Table 11 below specifies the module’s entropy sources. Table 11
10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.
The module performs the following pre-operational self-test(s):
The module performs the following conditional self-tests:
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
The CO can initiate the pre-operational self-tests and conditional CASTs on demand for periodic testing of the module by re-instantiating the module, rebooting/power-cycling the host device, or issuing the FIPS_selftest() API command.
The module reaches the critical error state when any self-test fails. Upon test failure, the module immediately terminates the calling application’s API call with a returned error code and sets an internal flag, signaling the error condition. For any subsequent request made by the calling application for cryptographic services, the module will return a failure indicator, thereby disabling all access to its cryptographic functions, sensitive security parameters (SSPs), and data output services while the error condition persists. To recover, the module must be re-instantiated by the calling application. If the pre-operational self-tests complete successfully, then the module can resume normal operations. If the module continues to experience self-test failures after reinitializing, then the module will not be able to resume normal operations, and the CO should contact Corsec Security, Inc. for assistance.
CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:
The module is distributed as a package containing the binaries and HMAC digest files that the Crypto Officer is to install onto a target platform specified in section 2.1 or one where portability is maintained.
This module is designed to support third-party vendor applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required to initialization the module. The pre-operational integrity test and conditional CASTs are performed automatically via a default entry point (DEP) when the module is loaded for execution, without any specific action from the calling application or the end-user. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.
No startup steps are required to be performed by end-users.
There are no specific management activities required of the CO role to ensure that the module runs securely. If any irregular activity is observed, or if the module is consistently reporting errors, then Corsec Customer Support should be contacted. The following list provides additional guidance for the CO:
The following list provides additional policies for the User role:
The module supports acceptable AES GCM cipher suites from section 3.3.1 of NIST SP 800-52rev2. The AES GCM IV generation is performed internally, is compliant with the RFC 5288, and shall only be used for the TLS 1.2 protocol to be compliant with scenario 1 in FIPS 140-3 IG C.H; thus, the module is compliant with NIST SP 800-52rev2.
The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. This list allows interested parties to acquire the details of vulnerabilities by referring to a unique identifier known as the CVE ID.
The following table lists the applicable CVEs impacting the module, as well as methods of mitigation. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Table 12
Post-submission, the module has been continually updated to provide mitigations for the CVEs listed above. These mitigations will be included in a future revalidation of the module. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Appendix A. Acronyms and Abbreviations Table 13 below provides definitions for the acronyms and abbreviations used in this document. Table 13
Term Definition GMAC Galois Message Authentication Code GPC General-Purpose Computer HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication TLS Transport Layer Security XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Appendix B. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved service indicator value based on the parameter(s) passed to them.
//Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Prepared by: Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com