| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/21/2029 |
| Entropy | ENT (NP) |
| Caveat | Interim Validation. When operated in approved mode |
| Vendor | Rambus Inc. |
flowchart LR
%% Deterministic review-risk graph for SafeZone FIPS SW Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for SafeZone FIPS SW Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;FIPS 140-3 Non-Proprietary Security Policy SafeZone FIPS SW Cryptographic Module Software Version v2.0 Rambus Global Inc., Finnish branch Sokerilinnantie 11 C FI-02600 Espoo Phone: +358 50 3560966 Rambus Inc. North First Street, Suite 100 San Jose, CA 95134 United States of America https://www.rambus.com/ 2024-11-8
SafeZone SW Cryptographic Module 2.0 11.3.1 11.3.2 11.3.3 11.3.4 11.3.5 11.3.6 11.3.7 11.3.8 11.3.9 FFC) NIST SP 800-56A Rev 3: Pair-Wise Key-Establishment Schemes (KAS-ECC and KAS31 Appendix A. Appendix B.
| Name | ISO Section | Requirement | Level | General | ||
|---|---|---|---|---|---|---|
| 2 | Cryptographic module specification | 2 | Level 1 | |||
| 3 | 3 | Level 1 | Cryptographic module interfaces | |||
| 4 | Roles, services, and authentication | 4 | Level 1 | |||
| 5 | 5 | Level 1 | Software/Firmware security | |||
| 6 | Operational environment | 6 | Level 1 | |||
| 7 | 7 | N/A | Physical security | |||
| 8 | Non-invasive security | 8 | N/A | |||
| 9 | 9 | Level 1 | Sensitive security parameter management | |||
| 10 | Self-tests | 10 | Level 1 | |||
| 11 | 11 | Level 1 | Life-cycle assurance | |||
| 12 | Mitigation of other attacks | 12 | N/A |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # | ||
|---|---|---|---|---|---|---|---|
| 1 | Intel® Atom™ x5-Z8350 | AES-NI, Intel | 1 | Linux Ubuntu 20.04 LTS | AAEON UP Core | ||
| (X86 32-bit) | SHA extensions | (X86 32-bit) | UPC-CHT01-A20-0464-A11 | ||||
| 2 | Linux Ubuntu 20.04 LTS (X86 32-bit) | AAEON UP Core UPC-CHT01-A20-0464-A11 | Intel® Atom™ x5-Z8350 | 2 |
SafeZone SW Cryptographic Module 2.0 This document is the non-proprietary FIPS 140-3 Security Policy for the SafeZone FIPS SW Cryptographic Module version 2.0, hereafter referred to as the module. It contains a specification of the rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 [FIPS 140-3] for a Security It has a one-to-one mapping to the NIST Special Publication 800-140B [NIST SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. N/A N/A N/A Table 1 - Security Levels cryptographic module from Rambus. The module provides a set of commonly used cryptographic primitives by exposing a custom API for a wide range of applications, typically running on a general-purpose operating system. There are 4 different binary versions of the module to suit the target environments. The identification string of the SafeZone FIPS SW Cryptographic Module can be acquired with the FLS_LibDescription function. The returned identification string is:
| Name | Operating System | Hardware Platform | # 1 | |||
|---|---|---|---|---|---|---|
| 2 | 2 | GNU/Linux Debian 10 (aarch64) | Kirin 960, 4 Cortex A73 + 4 Cortex A53 Big.Little CPU | |||
| 3 | GNU/Linux Debian 9.13 (aarch64) | Rockship ROCK64 with a Rockchip RK3328 | 3 |
| Name | AES-CBC [NIST SP 800-38 A] | Encryption and Decryption |
|---|---|---|
| [NIST SP 800-38B] | [NIST SP 800-38B] | Authentication Code |
| [NIST SP 800-38D] | [NIST SP 800-38D] | Authentication Code |
| [NIST SP 800-38F] | [NIST SP 800-38F] | Unwrapping |
| 3 | Linux Ubuntu 20.04 LTS | AAEON UP Core | Intel® Atom™ x5-Z8350 | AES-NI, Intel | ||||
|---|---|---|---|---|---|---|---|---|
| (X86 64-bit) | UPC-CHT01-A20-0464-A11 | SHA extensions | ||||||
| 4 | Linux Ubuntu 20.04 LTS (X86 64-bit) | AAEON UP Core UPC-CHT01-A20-0464-A11 | Intel® Atom™ x5-Z8350 | - | ||||
| 5 | Linux Ubuntu 20.04 LTS (ARMv8-a 64-bit) | Raspberry Pi 4 | Broadcom BCM2711 | NEON, | ||||
| Cryptography | ||||||||
| Extensions | ||||||||
| 6 | Linux Ubuntu 20.04 LTS (ARMv8-a 64-bit) | Raspberry Pi 4 | Broadcom BCM2711 | - | ||||
| 7 | Linux Ubuntu 20.04 LTS | Raspberry Pi 2 | Broadcom BCM2836 | NEON | ||||
| (ARMv7-a 32-bit) |
SafeZone SW Cryptographic Module 2.0 Table 2 - Tested Operational Environments In addition to the tested operational environments the module has been confirmed by the vendor to be operational on the following platforms. # Table 3 - Vendor Affirmed Operational Environments The Table 4 below lists the Approved Algorithms implemented by the module. The CAVP certs may list more algorithms than are actually utilized by the module. Only those listed below are used by the module.
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |
|---|---|---|---|---|---|
| AES-XTS | A2836 | AES-XTS Testing Revision 2.0 [NIST SP 800-38E] | Storage Encryption and Decryption | 2x128 bits (AES- | |
| Counter DRBG | A2836 | Counter DRBG [NIST SP 800-90A-r1] | AES-256 with df and no pr | Random Number Generation | |
| DSA KeyGen | A2836 | DSA KeyGen [FIPS 186-4] | Key Generation | (L,N) = | |
| DSA PQGGen | A2836 | DSA PQGGen [FIPS 186-4] | (L,N) = (2048, 224), (2048, 256), (3072, 256) Hash algorithms: SHA2-2241, SHA2- 256, SHA2-384, SHA2-512 | Domain Parameter Generation | |
| DSA PQGVer | A2836 | DSA PQGVer [FIPS 186-4] | Domain Parameter Verification | (L,N) = | |
| DSA SigGen | A2836 | DSA SigGen [FIPS 186-4] | (L,N) = (2048, 224), (2048, 256), (3072, 256) Hash algorithms: SHA2-224, SHA2- 256, SHA2-384, SHA2-512 | Digital Signatures | |
| DSA SigVer | A2836 | DSA SigVer [FIPS 186-4] | Digital Signatures | (L,N) = | |
| ECDSA KeyGen | A2836 | ECDSA KeyGen [FIPS 186-4] | NIST P-224, P-256, P-384, P-521 curves | Key Generation | |
| ECDSA SigGen | A2836 | ECDSA SigGen [FIPS 186-4] | Digital Signatures | NIST P-224, P-256, | |
| ECDSA SigVer | A2836 | ECDSA SigVer [FIPS 186-4] | NIST P-224, P-256, P-384, P-521 | Digital Signatures | |
| HMAC-SHA-1 | A2836 | HMAC-SHA-1 [FIPS 198-1] | Message Authentication Code | Key Length: 112- | |
| HMAC-SHA2-224 | A2836 | HMAC-SHA2-224 [FIPS 198-1] | Key Length: 112- 512 bits MAC Length: 224 bits | Message Authentication Code | |
| HMAC-SHA2-256 | A2836 | HMAC-SHA2-256 [FIPS 198-1] | Message Authentication Code | Key Length: 112- | |
| HMAC-SHA2-384 | A2836 | HMAC-SHA2-384 [FIPS 198-1] | Key Length: 112- 512 bits MAC Length: 192, 384 bits | Message Authentication Code | |
| HMAC-SHA2-512 | A2836 | HMAC-SHA2-512 [FIPS 198-1] | Message Authentication Code | Key Length: 112- | |
| KAS-ECC CDH- Component | A2836 | KAS-ECC CDH- Component (CVL) [NIST SP 800-56A-r3] | ephemeralUnified NIST P-224, P-256, P-384 and P- 521 curves | Key Agreement Primitives | |
| KAS-ECC-SSC | A2836 | KAS-ECC-SSC [NIST SP 800-56A-r3] | Key Agreement Primitives | ephemeralUnified | |
| KAS-FFC-SSC | A2836 | KAS-FFC-SSC [NIST SP 800-56A-r3] | dhEphem 2048-8192 bit modular Diffie- Hellman groups; including FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192, FIPS 186-type FFC parameter-size sets FB and FC | Key Agreement Primitives | |
| KDA HKDF | A2836 | KDA HKDF [NIST SP 800-56C-r2] | Key Derivation - Generic | HMAC Algorithm: | |
| KDA TwoStep | A2836 | KDA TwoStep [NIST SP 800-56C-r2] | Two-Step Key Derivation with SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 or | Key Derivation – Generic |
SafeZone SW Cryptographic Module 2.0 (L,N) = (L,N) = (L,N) = (L,N) = (L,N) =
SafeZone SW Cryptographic Module 2.0
| Name | CAVP Cert | Key Size | Use Function | ||||
|---|---|---|---|---|---|---|---|
| A2836 | A2836 | Hash Algorithm: | Key Derivation – Application Specific | KDF IKEv1 (CVL) [NIST SP 800-135-r1] | KDF IKEv1 | ||
| Hash Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 | A2836 | Key Derivation – Application Specific | KDF IKEv2 (CVL) [NIST SP 800-135-r1] | KDF IKEv2 | |||
| A2836 | A2836 | 112-512 bits | Key Derivation – Generic | KDF SP800-108 [NIST SP 800-108-r1] | KDF SP800-108 | ||
| AES Key Length: 128, 192, 256 | A2836 | Key Derivation – Application Specific | KDF SRTP (CVL) [NIST SP 800-135-r1] | KDF SRTP | |||
| A2836 | A2836 | KTS-OAEP-basic | Key Encapsulation and Un-encapsulation | KTS-IFC [NIST SP 800-56B-r2] | KTS-IFC | ||
| SHA-1, SHA2-256 | A2836 | Key Derivation – Application Specific | PBKDF [NIST SP 800-132] | PBKDF | |||
| A2836 | 2048, 3072, 4096 | Key Generation | RSA KeyGen | A2836 | RSA KeyGen | ||
| [FIPS 186-4] | bits | [FIPS 186-4] | |||||
| RSASSA-PKCS1- v1.5 and RSASSA- PSS with SHA2- 224, SHA2-256, SHA2-384, SHA2- 512 and 2048, 3072, 4096 bit modulus | A2836 | Digital Signatures | RSA SigGen [FIPS 186-4] | RSA SigGen | |||
| A2836 | A2836 | RSASSA-PKCS1- | Digital Signatures | RSA SigVer [FIPS 186-4] | RSA SigVer | ||
| SHA-1 | A2836 | Hash Function Not allowed for | SHA-1 [FIPS 180-4] | SHA-1 |
SafeZone SW Cryptographic Module 2.0
| Name | CAVP Cert | Mode Method | Key Size | Use Function | |||||
|---|---|---|---|---|---|---|---|---|---|
| A2836 | SHA2-224 | SHA2-224 | A2836 | SHA2-224 | Hash Function | ||||
| A2836 | A2836 | SHA2-256 [FIPS 180-4] | SHA2-256 | SHA2-256 | Hash Function | ||||
| A2836 | A2836 | SHA2-384 | SHA2-384 | SHA2-384 | Hash Function | ||||
| A2836 | A2836 | SHA2-512 [FIPS 180-4] | SHA2-512 | SHA2-512 | Hash Function | ||||
| A2836 | A2836 | SHA3-224 | SHA3-224 | SHA3-224 | Hash Function | ||||
| A2836 | A2836 | SHA3-256 [FIPS 202] | SHA3-256 | SHA3-256 | Hash Function | ||||
| A2836 | A2836 | SHA3-384 | SHA3-384 | SHA3-384 | Hash Function | ||||
| A2836 | A2836 | SHA3-512 [FIPS 202] | SHA3-512 | SHA3-512 | Hash Function | ||||
| A2836 | A2836 | 128 bits | SHAKE-128 | SHAKE-128 | Extensible Output | ||||
| [FIPS 202] | [FIPS 202] | Function | |||||||
| A2836 | A2836 | SHAKE-256 [FIPS 202] | 256 bits | SHAKE-256 | Extensible Output Function | ||||
| TDES-CBC | 192 bits | A2836 | TDES-CBC | Decryption4 | |||||
| A2836 | A2836 | TDES-ECB [NIST SP 800-67-r2] | 192 bits | TDES-ECB | Decryption4 | ||||
| A2836 | A2836 | TLS v1.2 KDF | TLS v1.2 KDF RFC7627 | Key Derivation – Application Specific | Hash Algorithm: | ||||
| (CVL) | (CVL) | SHA2-256, SHA2- | |||||||
| [NIST SP 800-135-r1] | [NIST SP 800-135-r1] | 384, SHA2-512 | |||||||
| A2890 | A2890 | SHA3-256 [FIPS 202] | N/A | SHA3-256 | Vetted conditioner | ||||
| AES-KW A2836 | AES-KW A2836 | AES-KW (KTS) [NIST SP 800-38F] | SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G. | Key Transport | 128, 192, and 256- | ||||
| AES-KWP A2836 | AES-KWP A2836 | AES-KWP (KTS) [NIST SP 800-38F] | 128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strength | SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G. | Key Transport | ||||
| KTS-IFC A2836 | KTS-IFC A2836 | KTS-IFC (KTS) [NIST SP 800-56B-r2] | SP 800-56Brev2. KTS-IFC (key encapsulation and un-encapsulation) per IG D.G. | Key Transport | 2048, 3072, and |
SafeZone SW Cryptographic Module 2.0 N/A D.G. Legacy usage only. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M
| Name | Use Function | ||||
|---|---|---|---|---|---|
| ENT (NP) [NIST SP 800-90B] | N/A | N/A | N/A | JitterEntropy | |
| CKG [NIST SP 800-133r2] | Cryptographic Key | Vendor Affirmed | Sections 5.1, 5.2 and 6.1 | Key Generation for symmetric and asymmetric keys using unmodified output from the DRBG. | |
| AES-KEY WRAP | Key Wrapping | AES-KEY WRAP | AES-128, AES-192, AES-256 key wrapping superseded | Key Wrapping | |
| Brainpool | Key Establishment | Brainpool | All services applying Brainpool standard curves (P224r1, P256r1, P384r1, P512r1) are non-approved | ||
| ChaCha20-Poly1305 | ChaCha20-Poly1305 | ChaCha20-Poly1305 is not a service in NIST | Symmetric encryption and | ||
| specifications, thus not approved | specifications, thus not approved | decryption | |||
| DSA Key Pair Generation | Digital Signatures | DSA Key Pair Generation | P=1024/N=160 is non-approved since security strength provided is less than 112 | ||
| DSA Signature | P=1024/N=160 is non-approved since security | Digital Signatures | |||
| ECC Diffie-Hellman | Key Establishment | ECC Diffie-Hellman | NIST P-192 curve is non-approved since security strength provided is less than 112 | ||
| ECDSA Key Pair Generation | ECDSA Key Pair Generation | NIST P-192 curve is non-approved since security strength provided is less than 112 | Digital Signatures/Key | ||
| ECDSA Signature Generation | Digital Signatures | ECDSA Signature Generation | NIST P-192 curve is non-approved since security strength provided is less than 112 | ||
| HMAC | Message Authentication Code | HMAC | 80-104 bit keys are non-approved since security | ||
| KDF NIST SP 800-108 | Key Derivation | KDF NIST SP 800-108 | 80-104 bit keys are non-approved since security strength provided is less than 112 | ||
| KTS (KEM NIST SP 800- | RSA-KEM-KWS-basic key wrapping scheme is non- | Key Transport | |||
| 56B) | approved since not compliant with SP 800-56Brev2 | ||||
| KTS (OAEP NIST SP 800- 56B) | Key Transport | KTS (OAEP NIST SP 800- 56B) | 1024 and 1536 bit keys are non-approved for RSA- OAEP scheme key wrapping | ||
| MD5 | Message Digest | MD5 | MD5 is non-approved except for the use in | ||
| RSA Encryption (PKCS #1 v1.5) | Key Wrapping | RSA Encryption (PKCS #1 v1.5) | Non-approved since not compliant with SP 800- 56Brev2 | ||
| RSA Key Pair | Digital Signatures | 1024 and 1536 bit keys are non-approved since | |||
| RSA Private Key Primitives (NIST SP 800- 56B) | Key Transport | RSA Private Key Primitives (NIST SP 800- 56B) | Non-approved since not compliant with SP 800- 56Brev2, including decryption primitives and signature generation primitives | ||
| RSA Public Key | Key Transport | Non-approved since not compliant with SP 800- | |||
| Primitives (NIST SP 800- | 56Brev2, including encryption primitives and | ||||
| 56B) | signature verification primitives | ||||
| RSA Signature | Digital Signatures | RSA Signature | 1024 and 1536 bit keys are non-approved since |
SafeZone SW Cryptographic Module 2.0 N/A N/A N/A Table 4
| Name | Strength | Generation | Digital Signatures | RSA Signature Validation | |
|---|---|---|---|---|---|
| TLS1.0/1.1 KDF NIST SP 800-135rev1 | Deprecated in favor of RFC7627 extended master secret computation | TLS1.0/1.1 KDF NIST SP 800-135rev1 | Key Derivation | ||
| Deprecated by the end of 2023 | Triple-DES Encryption | Symmetric encryption | |||
| X25519 Key Agreement | X25519 key agreement services are non-approved since not included in SP 800-56Arev3 | X25519 Key Agreement | Key Establishment |
SafeZone SW Cryptographic Module 2.0 Table 5 -Non-Approved Algorithms Not Allowed in the Approved Mode of Operation The Finite State Model (FSM) of the module is provided in a separate document SafeZoneFIPS-Lib-2.0-FSM distributed with this security policy. The cryptographic boundary of the module is defined in the Figure 1 below. Control Output Figure 1 - Cryptographic Boundary
By default, the module is in Approved mode once initialized and does not require any special initialization. The module will remain in approved mode of operation and the operator must avoid using any non-approved services. Any use of non-approved services (as determined by the indicator) will move module into the non-approved mode of operation. Any keys generated using non-approved mode or services must not be used in the approved mode of operation. The module needs to be re-initialized in order to move back into the approved mode of operation.
As a software-only module, SafeZone FIPS SW Cryptographic Module provides a Cprogramming language API for invocation of the FIPS 140-3 approved cryptographic functions.
| Name | Physical Port | Logical Interface | Physical port | Logical Interface | API | |
|---|---|---|---|---|---|---|
| N/A - API | N/A - API | Data Input | N/A - API | Data Input | The data read from memory area(s) provided to the invoked | |
| N/A - API | N/A - API | Control Input | The API function invoked and function parameters designated as control inputs. | |||
| N/A - API | N/A - API | Data Output | The data written to memory area(s) provided to the invoked | |||
| N/A - API | N/A - API | Status Output | The return value/data of the invoked API function. |
| Name | Roles | Input | Output | Role | |||
|---|---|---|---|---|---|---|---|
| Get module information | CO, U | FLS_StaticConfig() | Build | CO, U | Get module information | FLS_StaticConfig() FL_IntactID() | |
| FL_IntactID() | FL_IntactID() | configuration, | |||||
| CO, U | CO, U | Get/set information on current module configuration | FLS_RuntimeConfigSetProperty, FLS_RuntimeConfigGetProperty Runrime configuration value | FLR_OK (0), error or current runtime value | |||
| Get crypto module status | FLS_LibStatus() | Module status | CO, U | ||||
| CO, U | CO, U | Get crypto module version | FLS_LibVersion() | Module version | |||
| CO, U | CO, U | FLS_LibDescription() | Module | Get crypto module description | |||
| CO, U | CO, U | Get status of the asset store | FLS_AssetStoreStatus() | Asset store memory status | |||
| Perform module self-tests | CO, U | FLR_OK (0) or | FLS_LibSelfTest() | ||||
| CO | CO | Initialize the module | FLS_LibInit() | FLR_OK (0) or error |
SafeZone SW Cryptographic Module 2.0 The functions shall be called by the application which assumes the operator role during values, defines the four FIPS 140-3 logical interfaces: data input, data output, control input Table 6. Ports and Interfaces
The SafeZone FIPS SW Cryptographic Module supports the Crypto Officer (CO) and User (U) roles. The operator of the module will assume one of these two roles. Only one role may be active at a time. The Crypto Officer role is assumed implicitly upon module installation, uninstallation, initialization, zeroization, and power-up self-testing. If initialization and selftesting are successful, a transition to the User role is allowed and the User will be able to use all keys and cryptographic operations provided by the module, and to create any CSPs (except Trusted Root Key CSPs which may only be created in the Crypto Officer role). The four unique run-time services given only to the Crypto Officer role are the ability to initialize the module, to set-up key material for Trusted Root Key CSP(s), to modify the entropy source, and to switch to the User role to perform any activities allowed for the User role. The SafeZone FIPS SW Cryptographic Module does not support concurrent operators. The module does not authenticate the User or the Crypto Officer role. The roles, services, and the API are described in the table below.
| CO, U | Reset module state | FLS_LibUnInit() | FLR_OK (0) or | |||
|---|---|---|---|---|---|---|
| error | ||||||
| CO | Enter User role | FLS_LibEnterUserRole() | FLR_OK (0) or error | |||
| CO, U | Erase data from memory | FLS_Erase() | FLR_OK (0) or | |||
| Memory area to be erased | error | |||||
| CO, U | Erase asset | FLS_EraseAsset() Asset to be erased | FLR_OK (0) or error | |||
| CO | Install entropy source | FL_RbgInstall | FLR_OK (0) or error | |||
| EntropySource() FLS_RbgRequest | ||||||
| SecurityStrength() | ||||||
| Entropy source | ||||||
| CO | Create trusted root key | FLS_RootKeyAllocateAndLoadValue () Key material | FLR_OK (0) or error | |||
| CO, U | Create key asset | FLS_AssetAllocateBasic() | FLR_OK (0) or error, Created asset | |||
| FLS_AssetAllocate() | ||||||
| FLS_AssetAllocateAnd | ||||||
| AssociateKeyExtra() | ||||||
| FLS_AssetLoadValue() | ||||||
| FLS_AssetLoadMultipart() | ||||||
| FLS_AssetLoadMultipart | ||||||
| ConvertBigInt() | ||||||
| FLS_AssetPoke() | ||||||
| FL_LocalAllocate() | ||||||
| FL_LocalAllocateEx() | ||||||
| Key policy, key value | ||||||
| CO, U | Copy key asset | FLS_AssetCopyValue() Source asset | FLR_OK (0) or error, Target asset | |||
| CO, U | Delete key asset | FLS_AssetFree() | FLR_OK (0) or error | |||
| FLS_LocalFree() | ||||||
| Asset to be deleted | ||||||
| CO, U | Examine key asset policy, size | FLS_AssetShow() FLS_AssetCheck() Asset to be examined | FLR_OK (0) or error, Key policy key size | |||
| CO, U | Get key asset value | FLS_AssetPeek() | FLR_OK (0) or | |||
| Asset to peek | error, Key value | |||||
| CO, U | Generate key | FLS_AssetLoadRandom() | ||||
| CO, U | Encryption and decryption | FLS_CipherInit() | FLR_OK (0) or error, Plaintext / ciphertext | |||
| FLS_CipherContinue() | ||||||
| FLS_CipherFinish() | ||||||
| Key asset, crypto parameters, | ||||||
| plaintext/ciphertext | ||||||
| CO, U | Authenticated encryption and decryption | FLS_CryptAuthInit() FLS_CryptGcmAadContinue() FLS_CryptGcmAadFinish() FLS_CryptAuthContinue() FLS_EncryptAuthFinish() FLS_EncryptAuth PacketFinish() FLS_DecryptAuthFinish() FLS_EncryptAuth InitRandom() FLS_EncryptAuthInitDeterministi c() FLS_CryptAuthInitTls13() FLS_EncryptAuthTls13() FLS_EncryptAuthFinishTls13() FLS_DecryptAuthTls13() FLS_DecryptAuthFinishTls13() FLS_EncryptAuthSrtp() FLS_DecryptAuthSrtp() | FLR_OK (0) or error, Plaintext / ciphertext |
SafeZone SW Cryptographic Module 2.0 () c()
| FLS_EncryptAuthSrtcp() FLS_DecryptAuthSrtcp() Key asset, crypto parameters, additional authenticated data, plaintext/ciphertext | ||||||
|---|---|---|---|---|---|---|
| CO, U | MAC generation | FLS_MacGenerateInit() | FLR_OK (0) or error, MAC | |||
| FLS_MacGenerateContinue() | ||||||
| FLS_MacGenerateFinish() | ||||||
| Key asset, crypto parameters, input data | ||||||
| CO, U | MAC verification | FLS_MacVerifyInit() FLS_MacVerifyContinue() FLS_MacVerifyFinish() Key asset, crypto parameters, input data | FLR_OK (0) or error, Verification status | |||
| CO, U | Random number generation | FLS_RbgGenerateRandom() Random data generation parameters | FLR_OK (0) or | |||
| error, Random | ||||||
| data | ||||||
| CO, U | Random number generator reseeding | FLS_RbgReseed() Seed | FLR_OK (0) or error, | |||
| CO, U | Key derivation | FLS_KeyDeriveKdk() | FLR_OK (0) or | |||
| Key asset, derivation parameters | error, Derived key | |||||
| CO, U | TLS v1.2 key derivation | FLS_DeriveTlsPrf() FLS_KeyDeriveKdk() Key asset, derivation parameters | FLR_OK (0) or error, Derived key | |||
| CO, U | Key Derivation Through Extraction- then-expansion | FLS_HkdfExtract() | FLR_OK (0) or error, Derived key | |||
| FLS_HkdfExpandAsset() | ||||||
| FLS_HkdfExpand() | ||||||
| FLS_Hkdf() | ||||||
| FLS_KeyDeriveKdk() | ||||||
| Derivation parameters, input key material | ||||||
| CO, U | IKEv1 key derivation | FLS_IkePrfExtract() FLS_IKEv1ExtractSKEYID_DSA() FLS_IKEv1ExtractSKEYID_PSK() FLS_IKEv1ExtractSKEYID_PKE() FLS_IKEv1DeriveKeyingMaterial() Derivation parametes, input key material | FLR_OK (0) or error, Derived key | |||
| CO, U | IKEv2 key derivation | FLS_IkePrfExtract() | FLR_OK (0) or error, Derived key | |||
| FLS_IKEv2ExtractSKEYSEED() | ||||||
| FLS_IKEv2DeriveDKM() | ||||||
| FLS_IKEv2ExtractSKEYSEEDrekey() | ||||||
| Derivation parametes, input key material | ||||||
| CO, U | SRTP key derivation | FLS_SrtpKeyDerive() Key asset, derivation paramenters | FLR_OK (0) or error, Derived key | |||
| CO, U | AES key wrapping | FLS_AssetsWrapAes38F() | FLR_OK (0) or error, Derived key | |||
| FLS_AssetsUnwrapAes38F() | ||||||
| Key asset, derivation parameters | ||||||
| CO, U | AES data wrapping | FLS_CryptKw() Key asset, data to be wrapped | FLR_OK (0) or error, Wrapped data | |||
| CO, U | Trusted root key derivation | FLS_TrustedKdkDerive() | FLR_OK (0) or error, Derived key | |||
| FLS_TrustedKekdkDerive() | ||||||
| Key asset, derivation parameters | ||||||
| CO, U | Trusted KDK key derivation | FLS_TrustedKeyDerive() Key asset, derivation parameters | FLR_OK (0) or error, Derived key | |||
| CO, U | Trusted key wrapping | FLS_AssetWrapTrusted() | FLR_OK (0) or | |||
| FLS_AssetUnwrapTrusted() | error, Wrapped | |||||
| Key assets, wrapping parameters | key | |||||
| CO, U | PBKDF2 key derivation | FLS_KeyDerivePbkdf2() Password, key derivation parameters | FLR_OK (0) or error, Derived key | |||
| CO, U | DSA/Diffie-Hellman Domain | FLS_AssetCheck() | FLR_OK (0) or | |||
| Parameter verification | Key asset to be examined | error | ||||
| CO, U | Asymmetric key pair generation | FLS_AssetGenerateKeyPair() FLS_DH_KeyGen() | FLR_OK (0) or error, Generated |
SafeZone SW Cryptographic Module 2.0
| Name | Key Size | Use Function | ||||
|---|---|---|---|---|---|---|
| Key generation parameters | key | |||||
| CO, U | Signature generation | FLR_OK (0) or error, Signature | CO, U | FLS_HashSignFips186() | ||
| FLS_HashVerifyFips186() FLS_HashVerifyRecoverPkcs1() FLS_HashVerifyPkcs1() FLS_HashVerifyPkcs1Pss() Key asset, signature | Signature verification | FLR_OK (0) or error, verification result | CO, U | |||
| FLS_AssetsWrapRsaOaep() FLS_AssetsUnwrapRsaOaep() Key asset, input data / wrapped key | RSA-OAEP key wrapping | CO, U | FLR_OK (0) or | |||
| FLS_DeriveDh() FLS_DH_Derive() Private and public values | Diffie-Hellman key agreement | FLR_OK (0) or error, Derived key | CO, U | |||
| CO, U | Elliptic Curve Diffie-Hellman key | CO, U | FLS_DeriveDh() | FLR_OK (0) or | ||
| agreement | agreement | Private and public values | error, Derived key | |||
| FLS_HashInit() FLS_HashContinue() FLS_HashFinish() FLS_HashSingle() Input data / message | Digest computation | FLR_OK (0) or error, Hash value | CO, U | |||
| FLS_HashSingle() Input data / message | Extensible Output Function | CO, U | FLR_OK (0) or | |||
| FLS_LoadFinishedHash StateAlgo() Digest parameters | Load precomputed digest | FLR_OK (0) or error, Target asset | CO, U | |||
| CO, U | Digest computation (non-approved) | FLR_OK (0) or error, Hash value | CO, U | FLS_HashInit() | ||
| FLS_AssetGenerateKeyPair() FLS_DH_KeyGen() Key generation parameters | Asymmetric key pair generation (non- approved) | FLR_OK (0) or error, Generated key | CO, U | |||
| CO, U | Signature generation (non-approved) | FLR_OK (0) or error, Signature | CO, U | FLS_HashSignFips186() | ||
| FLS_HashVerifyFips186() FLS_HashVerifyRecoverPkcs1() FLS_HashVerifyPkcs1() FLS_HashVerifyPkcs1Pss() Key asset, signature | Signature verification (non-approved) | FLR_OK (0) or error, verification result | CO, U | |||
| CO, U | Elliptic Curve Diffie-Hellman key | CO, U | FLS_DeriveDh() | FLR_OK (0) or | ||
| agreement (non-approved) | agreement (non-approved) | Private and public values | error, Derived key | |||
| FLS_MacGenerateInit() FLS_MacGenerateContinue() FLS_MacGenerateFinish() Key asset, crypto parameters, input data | MAC generation (non-approved) | FLR_OK (0) or error, MAC | CO, U | |||
| CO, U | MAC verification (non-approved) | FLR_OK (0) or error, Verification status | CO, U | FLS_MacVerifyInit() | ||
| FLS_AssetsWrapRsaKem() FLS_AssetsUnwrapRsaKem() Key asset, input data / wrapped | RSA-KEM key wrapping (non- approved) | FLR_OK (0) or error, Wrapped key / unwrapped | CO, U | |||
| FLS_AssetsWrapRsaOaep() FLS_AssetsUnwrapRsaOaep() Key asset, input data / wrapped key | RSA-OAEP key wrapping (non- approved) | CO, U | FLR_OK (0) or | |||
| FLS_KeyDeriveKdk() Key asset, derivation parameters | KDK key derivation (non-approved) | FLR_OK (0) or error, Derived key | CO, U | |||
| CO, U | Trusted key wrapping (non-approved) | CO, U | FLS_AssetWrapTrusted() | FLR_OK (0) or | ||
| FLS_AssetUnwrapTrusted() | FLS_AssetUnwrapTrusted() | error, Wrapped | ||||
| Key assets, wrapping parameters | Key assets, wrapping parameters | key | ||||
| FLS_AssetsWrapPkcs1v15() FLS_AssetsUnwrapPkcs1v15() Key asset, input data /wrapped key | RSA-PKCS#1 v1.5 key wrapping (non- approved) | FLR_OK (0) or error, Wrapped key / unwrapped key asset | CO, U | |||
| CO, U | AES key wrapping (non-approved) | FLR_OK (0) or error, Derived key | CO, U | FLS_AssetsWrapAes38F() | ||
| FLS_CipherInit() FLS_CipherContinue() FLS_CipherFinish() Key asset, crypto parameters, plaintext/ciphertext | Encryption and decryption (non- approved) | FLR_OK (0) or error, Plaintext / ciphertext | CO, U | |||
| CO, U | X25519 (non-approved) | FLR_OK (0) or error, Derived key | CO, U | FLS_X25519_KeyGen() | ||
| FLS_DeriveTlsPrf() FLS_KeyDeriveKdk() Key asset, derivation parameters | TLS v1.0/1.1 key derivation (non- approved) | FLR_OK (0) or error, Derived key | CO, U | |||
| FLS_Pkcs1RSASP1() Key asset, data to be signed | RSA signature generation primitive | FLR_OK (0) or error, Signature | CO, U | |||
| FLS_Pkcs1RSAVP1() Key asset, signature | RSA signature verification primitive (non-approved) | FLR_OK (0) or error, verification result | CO, U | |||
| FLS_Pkcs1RSAEP() Key asset, plaintext | RSA encryption primitive (non- | FLR_OK (0) or error, Ciphertext | CO, U | |||
| FLS_Pkcs1RSADP() Key asset, ciphertext | RSA decryption primitive (non- approved) | FLR_OK (0) or error, Plaintext | CO, U |
SafeZone SW Cryptographic Module 2.0
SafeZone SW Cryptographic Module 2.0 Table 7. Roles, Service Commands, Input and Output The approved services are described in the table below. The indicator column maybe None or ARG. None is used for non-security functions, and they do not utilize the approved indicator. For services utilizing security functions the indicator is specified as ARG. In this case the user of the service or function passes a pointer as argument and the indicator value is returned to that pointer. A value of 0 means that the service is approved and any non-zero value means it is a non-approved service. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | ||||
|---|---|---|---|---|---|---|---|---|---|---|
| Get module information | CO, U | None | N/A | None | Return basic | |||||
| Get/set information on current module configuration | Return current module configuration | CO,- U | None | N/A | None | |||||
| Get crypto | None | N/A | None | Return state of the | Get crypto | CO, | ||||
| module status | module | module status | U | |||||||
| Get crypto module version | Returns version of the module | CO, U | None | N/A | None | |||||
| Get crypto | Returns description of the module | CO, U | None | N/A | None | Get crypto | ||||
| Get status of the asset store | Returns the status of the asset store | CO, U | None | N/A | None | |||||
| Perform | Execute self-tests | CO, U | None | N/A | None | Perform | ||||
| Initialize the module | Initializes the module | CO | None | N/A | None | |||||
| Reset module state | CO, U | None | N/A | None | Reset, zeroize and | |||||
| Enter User role | Enter regular user mode | CO | None | N/A | None | |||||
| Erase data from | Erase data | Any | N/A | Z | None | Erase data from | CO, | |||
| memory | memory | U | ||||||||
| Erase asset | Erase asset | CO, U | Any | N/A | Z | None | ||||
| Install entropy | CO | None | N/A | None | Install entropy | Install entropy | ||||
| source | source to be used | source | ||||||||
| Create trusted root key | Allocate and set data for new root key asset | CO | Trusted Root Key | KDF SP800-108 | G | ARG | ||||
| Create key asset | CO, U | Any keys | N/A | G, W | ARG | Setup key policy, | ||||
| Copy key asset | Copies key value | CO, U | Any keys | N/A | R, W | ARG | ||||
| Delete key asset | Any keys | N/A | Z | Deletes a key and | CO, | ARG | ||||
| zeroes the data | zeroes the data | U | ||||||||
| Examine key asset policy, size | Get key size and check | CO, U | Any keys | N/A | R | ARG | ||||
| Get key asset | Get key value | Any keys | N/A | R | Get key asset | CO, | ARG | |||
| value | value | U |
SafeZone SW Cryptographic Module 2.0 Z = Zeroize: The module zeroizes the SSP. The previous value is overwritten by zeroes and is no longer accessible. N/A U N/A N/A N/A N/A U U U N/A N/A U U N/A N/A U N/A N/A Z N/A Z N/A U U G N/A U G, W N/A R, W N/A Z N/A U U U R N/A U R module selftests
| Name | Use Function | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| CKG (Section 6.1) | Generate key | Generate random key | AES keys | CO, U | G, W | ARG | |||
| TDES-CBC CKG (Section 6.1) | G, W | Triple-DES | CO, | ARG | |||||
| CKG (Section 6.1) | Key Derivation keys | CO, U | G, W | ARG | |||||
| CKG (Section 6.1) | MAC keys | G, W | CO, | ARG | |||||
| AES-ECB, AES-CBC, AES-CTR, AES- OFB, AES-XTS | Encryption and decryption | Service for data encryption and decryption | AES keys | CO, U | E | ARG | |||
| TDES-CBC, Triple-DES ECB | E | ARG | Triple-DES | CO, | |||||
| AES-CCM, AES-GCM | Authenticated encryption and decryption | Service for data encryption and decryption with added authentication | AES keys | CO, U | E | ARG | |||
| AES-CMAC, AES-GMAC | MAC generation | Service for MAC generation | AES keys | E | ARG | CO, | |||
| HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2- 384, HMAC-SHA2-512 | MAC keys | CO, U | E | ARG | |||||
| AES-CMAC, AES-GMAC | MAC verification | Service for MAC verification | AES keys | E | ARG | CO, | |||
| HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2- 384, HMAC-SHA2-512 | MAC keys | CO, U | E | ARG | |||||
| Counter DRBG | Random number generation | Generate random numbers by DRBG | CO, U | R | None | DRBG CTR- | |||
| Counter DRBG | Random number generator reseeding | Force reseeding of random number generator | DRBG CTR- 256 entropy, DRBG CTR- 256 seed, DRBG CTR- 256 state: Key, DRBG CTR- 256 state: V | CO, U | W | None | |||
| KDF SP800-108 | Key derivation | Key derivation | CO, U | W | ARG | Key | |||
| TLS v1.2 KDF RFC7627 | TLS v1.2 key derivation | Key derivation | Key Derivation keys, KDF | CO, U | W | ARG | |||
| HKDF key derivation or key derivation with two steps | Key Derivation Through Extraction-then- expansion | KDA HKDF, KDA TwoStep | Key | W | CO, U | ARG | |||
| Key derivation for IKEv1 | IKEv1 key derivation | KDF IKEv1 | W | Key Derivation keys, KDF Derived Keys | CO, U | ARG | |||
| Key derivation for IKEv2 | IKEv2 key derivation | KDF IKEv2 | Key | W | CO, U | ARG | |||
| Key derivation for SRTP | SRTP key derivation | KDF SRTP | W | Key Derivation keys, KDF Derived Keys | CO, U | ARG | |||
| Wrap AES key 38F | AES key | AES-KW (KTS), AES-KWP (KTS) | CO, | E | AES keys | ARG | |||
| wrapping | wrapping | U | |||||||
| Wrap AES data 38F | AES data wrapping | AES-KW, AES-KWP | E | AES keys | CO, U | ARG | |||
| Derive root key | Trusted root key derivation | KDF SP800-108 | Trusted | W | CO, U | ARG | |||
| KDK key derivation | Trusted KDK key derivation | KDF SP800-108 | R, E | Key Derivation keys, KDF Derived Keys | CO, U | ARG | |||
| Wrap trusted key | Trusted key wrapping | KDF SP800-108 and AES-KW (KTS)/AES-KWP (KTS)K | Key | R, E | CO, U | ARG | |||
| PBKDF2 key derivation | PBKDF2 key derivation | PBKDF | R, E | KDF Derived Keys, PBKDF password | CO, U | ARG | |||
| DSA/Diffie-Hellman Domain Parameter verification | DSA/Diffie- | DSA PQGVer | E | DSA keys | CO, U | ARG | |||
| Generate asymmetric key pairs and DSA/Diffie-Hellman | Asymmetric key pair generation | RSA KeyGen | E | RSA keys | CO, U | ARG | |||
| DSA KeyGen, DSA PQGGen | DSA KeyGen, DSA PQGGen | CO, | E | DSA keys | ARG |
SafeZone SW Cryptographic Module 2.0 DRBG CTR256 DRBG CTR256 U U U G, W G, W G, W U U U U G, W E E E U U E E U U E E U R U W U W U W
SafeZone SW Cryptographic Module 2.0 Extraction-thenexpansion DSA/DiffieHellman U W U W U W U W U U U E E W U R, E U R, E U R, E U E U U E E
| Name | Key Size | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Domain Parameter | Domain Parameter | ECDSA KeyGen | ECDSA keys | CO, U | E | ARG | |||||
| KTS-IFC | KTS-IFC | RSA keys | E | ARG | CO, | ||||||
| KAS-FFC-SSC | KAS-FFC-SSC | DH keys | CO, U | E | ARG | ||||||
| KAS-ECC-SSC | KAS-ECC-SSC | ECDH keys | E | ARG | CO, | ||||||
| Signature generation | Signature generation | Generate signature | RSA SigGen | RSA keys | CO, U | E | ARG | ||||
| DSA SigGen | DSA SigGen | DSA keys | E | ARG | CO, | ||||||
| ECDSA SigGen | ECDSA SigGen | ECDSA keys | CO, U | E | ARG | ||||||
| Signature verification | Signature verification | Verify signature | RSA SigVer | RSA keys | E | ARG | CO, | ||||
| DSA SigVer | DSA SigVer | DSA keys | CO, U | E | ARG | ||||||
| ECDSA SigVer | ECDSA SigVer | CO, U | E | ARG | ECDSA | ||||||
| RSA-OAEP key wrapping | RSA-OAEP key wrapping | RSA-OAEP key wrap | KTS-IFC (KTS) | RSA keys | CO, U | E | ARG | ||||
| Diffie-Hellman key agreement | Diffie-Hellman key agreement | DH key agreement | KAS-FFC-SSC | CO, U | E | ARG | DH keys, | ||||
| Elliptic Curve Diffie-Hellman key agreement | Elliptic Curve Diffie-Hellman key agreement | Elliptic Curve DH agreement | KAS-ECC-SSC | ECDH keys, ECDH Shared secrets | CO, U | E | ARG | ||||
| SHA-1, SHA2-224, SHA2-256, SHA2- | Digest computation | Compute a digest | None | CO, U | ARG | ||||||
| Extensible Output Function | Extensible Output Function | Compute an extended output | SHAKE-128, SHAKE-256 | None | CO, U | ARG | |||||
| SHA-1, SHA2-224, SHA2-256, SHA2- | None | CO, U | ARG | Load | Load a | ||||||
| 384, SHA2-512, SHA3-224, SHA3- | precomputed | precomputed | |||||||||
| 256, SHA3-384, SHA3-512 | digest | digest |
| Name | Role Access | Approved Functions | |
|---|---|---|---|
| unapproved parameters (e.g., | Generation, DSA | unapproved parameters (e.g., | |
| key lengths and curves) | Signature | key lengths and curves) | |
| verification | verification | unapproved key lengths | |
| wrapping | wrapping | 800-108 | |
| wrapping | wrapping | NIST SP 800-38F | |
| encryption | encryption | Primitives (NIST | |
| primitive | primitive | SP 800-56B) |
SafeZone SW Cryptographic Module 2.0 U U U U U U U U U U E E E E E E E E E E U U E E U E U U U Table 8. Approved Services
SafeZone SW Cryptographic Module 2.0 ECC DiffieHellman, ChaCha20Poly1305, TripleDES Encryption Table 9. Non-approved Services
| Name | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisati on | |
|---|---|---|---|---|---|---|---|---|---|
| AES | 128, 192, 256 bits | AES-ECB, | KDF SP800- | N/A | Memory, plaintext | Symmetric encryption/ decryption, | Plaintext imported from TOEPP | AES keys | Asset deletion, module uninitializ ation |
| AES-CTR, | AES-CTR, | KDF IKEv1, | |||||||
| AES-OFB, | AES-OFB, | KDF IKEv2, | |||||||
| AES-XTS, | AES-XTS, | TLS v1.2 KDF | |||||||
| AES-GCM, | AES-GCM, | RFC7627, | |||||||
| AES-CCM, | AES-CCM, | KDF SRTP, | |||||||
| AES-CMAC, | AES-CMAC, | KDA HKDF, | |||||||
| AES-GMAC, | AES-GMAC, | KDA |
SafeZone SW Cryptographic Module 2.0
The SafeZone FIPS SW Cryptographic Module must be linked with an application to become executable. The software code of the module (libsafezone-sw-fips.so dynamically loadable library) is linked with an end application producing an executable application for the target platform. The application is installed in a platform-specific way, e.g., when purchased from an application store for the platform. In some cases, there is no need for installation, e.g., when a mobile equipment vendor includes the application with the equipment. The SafeZone FIPS SW Cryptographic Module is loaded by loading an application that links the library statically. The SafeZone FIPS SW Cryptographic Module is initialized automatically upon loading. On some platforms the module is implemented as a dynamically loadable module. In this case, the module is loaded as needed by the dynamic linker. The integrity check of the cryptographic module is described in section 10. The SafeZone FIPS SW Cryptographic Module does not support operator authentication and thus does not require any authentication itself.
The operational environments are defined in Table 2 - Tested Operational Environments and Table 3 - Vendor Affirmed Operational Environments. The module runs in a modifiable operating environment and uses modern operating systems, i.e., Linux. All processes spawned by the module are child processes of the module, and ownership of a process cannot be changed.
The cryptographic module is software-only and does not have any physical security mechanisms.
The cryptographic module does not have non-invasive attack mitigation mechanisms.
| Name | Key Size | Use Function | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TwoStep, CKG (SP 800- 133r2 6.1) | AES-KW, | |||||||||||
| KDF SP800- 108, PBKDF, KDF IKEv1, KDF IKEv2, TLS v1.2 KDF RFC7627, KDF SRTP, KDA HKDF, KDA TwoStep, CKG (SP 800- 133r2 6.1) | 192 bits | TDES-ECB Decryption, TDES-CBC Decryption (Cert. A2836) | Triple- DES keys | Plaintext imported from TOEPP | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Symmetric decryption | ||||
| MAC keys | 112- 512 bits | HMAC-SHA- 1, HMAC- SHA2-224, HMAC-SHA2- 256, HMAC- SHA2-384, HMAC-SHA2- 512 (Cert. A2836) | MAC keys | Plaintext imported from TOEPP | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Generating and verifying HMAC authenticati on codes | KDF SP800- | |||
| RSA KeyGen (FIPS 186-4), CKG (SP 800- 133r2 5.1, FIPS 186-4) | 1024, 2048, 3072, 4096 bits | RSA SigGen, RSA SigVer, RSA KeyGen, KTS-IFC, KTS-IFC (KTS) (Cert. A2836) | RSA keys | Plaintext imported from TOEPP/Plai ntext exported to RAM | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Digital signature, Key Transport | ||||
| DSA KeyGen (FIPS 186-4), CKG (SP 800- 133r2 5.1, FIPS 186-4) | DSA SigGen, DSA SigVer, DSA KeyGen (Cert. A2836) | DSA keys | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Digital signature | (L,N) = | Plaintext | ||||
| (2048, | (2048, | imported | ||||||||||
| 224), | 224), | from | ||||||||||
| (2048, | (2048, | TOEPP/Plai | ||||||||||
| 256), | 256), | ntext | ||||||||||
| (3072, | (3072, | exported | ||||||||||
| 256) | 256) | to RAM | ||||||||||
| ECDSA KeyGen (FIPS 186-4), CKG (SP 800- 133r2 5.1, FIPS 186-4) | NIST P- 224, P- 256, P- 384, P- 521 curves | ECDSA SigGen, ECDSA SigVer, ECDSA KeyGen (Cert. A2836) | ECDSA keys | Plaintext imported from TOEPP/Plai ntext exported to RAM | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Digital signature | ||||
| DH keys | 2048- 8192 bits | KAS-FFC-SSC (Cert. A2836) | DH keys | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Key agreement | NIST SP 800- | Plaintext | |||
| 56Ar3 key | 56Ar3 key | imported | ||||||||||
| pair | pair | from | ||||||||||
| CKG (SP 800- | CKG (SP 800- | ntext | ||||||||||
| 133r2 5.2, | 133r2 5.2, | exported |
SafeZone SW Cryptographic Module 2.0 (KTS), AESKWP (KTS) N/A TripleDES 112512 HMAC-SHA1, HMACSHA2-224, HMAC-SHA2256, HMACSHA2-384, N/A N/A (L,N) = NIST P224, P256, P384, P521 N/A (SP 800133r2 5.1, N/A 20488192 N/A
| Name | Key Size | Use Function | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NIST SP 800- | NIST SP 800- | to RAM | |||||||||||
| KAS-ECC-SSC (Cert. A2836) | NIST P- 224, P- 256, P- 384 and P- 521 curves | NIST SP 800- 56Ar3 key pair generation, CKG (SP 800- 133r2 5.2, NIST SP 800- 56Ar3) | Plaintext imported from TOEPP/Plai ntext exported to RAM | ECDH keys | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Key agreement | |||||
| KAS-FFC-SSC (Cert. A2836) | 2048- 8192 bits | N/A | Plaintext exported to RAM | DH Shared secrets | N/A | Memory, plaintext | Key agreement | Asset | |||||
| KAS-ECC-SSC (Cert. A2836) | NIST P- 224, P- 256, P- 384 and P- 521 curves | N/A | Plaintext exported to RAM | ECDH Shared secrets | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Key agreement | |||||
| Key Derivati on keys | 112- 200 bits | N/A | Plaintext imported from TOEPP | Key Derivati on keys | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Key derivation | KDF SP800- | ||||
| KDF SP800- 108, PBKDF, KDF IKEv1, KDF IKEv2, TLS v1.2 KDF RFC7627, KDF SRTP, KDA HKDF (Cert. A2836) | 112- 200 bits | KDF SP800- 108, PBKDF, KDF IKEv1, KDF IKEv2, TLS v1.2 KDF RFC7627, KDF SRTP, KDA HKDF | Plaintext exported to RAM | KDF Derived keys | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | Key derivation | |||||
| Counter DRBG (Cert. A2836) | 256- 1024 bits | ENT (NP) | N/A | DRBG CTR- 256 entropy | N/A | Memory, Plaintext | Entropy input materials | Asset | |||||
| Counter DRBG (Cert. A2836) | 256- 1024 bits | Counter DRBG | N/A | DRBG CTR- 256 seed | N/A | Memory, Plaintext | Asset deletion, module uninitializ ation | Entropy input materials | |||||
| Counter DRBG (Cert. A2836) | 256 bits | Counter DRBG | N/A | N/A | Memory, Plaintext | Asset | DRBG | Key for | |||||
| CTR- | deletion, | CTR- | DRBG used | ||||||||||
| 256 | module | 256 | for random | ||||||||||
| state: | uninitializ | state: | number and |
SafeZone SW Cryptographic Module 2.0 NIST P224, P256, P384 and P521 N/A 20488192 N/A N/A N/A N/A NIST P224, P256, P384 and P521 112200 KDF SP800108, KDF N/A N/A 112200 N/A CTR256 2561024 N/A N/A CTR256 2561024 N/A N/A CTR256 N/A N/A
| Name | Mode Method | Key Size | Use Function | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Counter DRBG (Cert. A2836) | Counter DRBG | 128 bits | V value for DRBG used for random number and key/key pair generation purposes. | DRBG CTR- 256 state: V | N/A | N/A | Memory, Plaintext | Asset deletion, module uninitializ ation | ||
| PBKDF (Cert. A2836) | N/A | varies (at least 12 charact ers) | Password or passphrase | PBKDF passwo rd | Plaintext imported from TOEPP | N/A | Memory, plaintext | Asset | ||
| KDF SP800- 108 (Cert. A2836) | N/A | 256 bits | Key used for deriving other keys as per NIST SP 800-108. Can only derive ‘Trusted KDK’ and ‘Trusted KEKDK’ keys. | Trusted Root Key | Plaintext imported from TOEPP | N/A | Memory, plaintext | Asset deletion, module uninitializ ation | ||
| ECDSA SigVer (Cert. A2836) | N/A | NIST P- 224 | Softwar e Integrit y Public Key (not SSP) | N/A | Embedded in the software, plaintext | Persisten t storage, plaintext | none | Public key |
SafeZone SW Cryptographic Module 2.0 CTR256 N/A N/A N/A N/A N/A N/A e NIST P224 N/A N/A Table 10. SSPs
The cryptographic module contains a Counter DRBG which uses AES-256 and derivation function. By default, the DRBG is seeded with CPU Time Jitter Based Non-Physical True Random Number Generator (JitterEntropy). It is also possible that the crypto officer may install another entropy source to the cryptographic module. The installed entropy source must be NIST SP 800-90B and FIPS 140-3 compliant. Enough bits of entropy must be provided according to the need of cryptographic algorithms. The RBG entropy sources are defined in the table below.
| Name | Key Size | |||
|---|---|---|---|---|
| Entropy sources | Minimum number of | Entropy sources | Details | |
| 256 bits of entropy minimum required to seed Counter DRBG AES-256 | 256 bits of entropy | JitterEntropy ENT (NP) | Implemented by Stephan Mueller. It is an |
SafeZone SW Cryptographic Module 2.0 Table 11. Non-Deterministic Random Number Generation Specification
The SafeZone FIPS SW Cryptographic Module includes the following self-tests:
SafeZone SW Cryptographic Module 2.0
SafeZone SW Cryptographic Module 2.0 The FL_LibStatus API function can be used to obtain the module status. It returns FL_STATUS_INIT when the module has not yet been initialized and FL_STATUS_ERROR when the module is in error state. As it is recommended to self-test cryptographic components (like DRBG) frequently, the module provides the capability to invoke the self-tests manually (on demand) with the FL_LibSelfTest API function. The important difference between the manually invoked self-tests and the automatically invoked self-tests when initializing the module is that the manually invoked self-tests will not cause zeroization of the key material currently loaded in the module, providing the tests execute successfully. In general, if a self-test fails, the module will transition to the error state and the return value (status) of the invoked API function will be something other than FLR_OK, depending on the current situation. Conditional self-tests for manual key entry and software/firmware load or bypass are not provided, as these are not applicable. Any error during the conditional self-tests will result in a module transition to the error state The cryptographic module uses the ECDSA NIST P-224 signature of the module binary for the integrity tests with SHA2-224 as the hash function. The public part of the key is always included with the module. The private part is stored in Rambus version control system and signing of the module is performed automatically by Rambus build system. Before running the integrity test, tests for the signature algorithms are executed. In case of failure in the integrity test the module will immediately transition to error state.
The SafeZone FIPS SW Cryptographic Module source code is maintained in a version control system (Mercurial). Changes are reviewed and automatically built and tested with continuous integration system (Jenkins).
There are no CVE’s which currently affect the module as the module is published.
Some of the FIPS Publications or NIST Special Publications require that the Cryptographic Module Security Policy mentions important configuration items for those algorithms. The user of the module shall observe these rules.
All three key derivation functions, Counter Mode, Feedback Mode and Double-Pipeline Iteration Mode are supported.
| Name | Approved Functions | Length of optional salt (in bits) | The length of optional KDK (in bits) | Security strength s supported (in bits) |
|---|---|---|---|---|
| (HMAC-)SHA- 1 | HMAC-SHA-1 | up-to 512 | 160 | 112 ≤ s ≤ 160 |
| (HMAC-)SHA- 224 | HMAC-SHA- 224 | up-to 512 | 224 | 112 ≤ s ≤ 224 |
| (HMAC-)SHA- 256 | HMAC-SHA- 256 | up-to 512 | 256 | 112 ≤ s ≤ 256 |
| (HMAC-)SHA- 384 | HMAC-SHA- 384 | up-to 1024 | 384 | 112 ≤ s ≤ 384 |
| (HMAC-)SHA- 512 | HMAC-SHA- 512 | up-to 1024 | 512 | 112 ≤ s ≤ 512 |
| AES-128- CMAC | AES-128- CMAC | 128 | 128 | 112 ≤ s ≤ 128 |
| AES-192- CMAC | AES-192- CMAC | 192 | 128 | 112 ≤ s ≤ 128 |
| AES-256- CMAC | AES-256- CMAC | 256 | 128 | 112 ≤ s ≤ 128 |
SafeZone SW Cryptographic Module 2.0
11.3.2 NIST SP 800-56C Rev 2: Key-Derivation Methods in Key-Establishment Schemes
The SafeZone FIPS SW Cryptographic module provides hash and HMAC functions that can be used for One-Step Key Derivation as introduced in NIST SP 800-56C Rev
SafeZone SW Cryptographic Module 2.0 (HMAC-)SHA256 HMAC-SHA256 (HMAC-)SHA384 HMAC-SHA384 (HMAC-)SHA512 HMAC-SHA512 AES-128CMAC AES-128CMAC AES-192CMAC AES-192CMAC AES-256CMAC AES-256CMAC
The SafeZone FIPS SW Cryptographic module provides HMAC-based Key Derivation Function from RFC 5869, known as HKDF. This function is similar to NIST SP 800-56C Rev 2 Two-Step Key Derivation, but not the same.
The key derived using NIST SP 800-132 shall only be used for storage purposes. The options 1a, 1b, 2a and 2b presented in NIST SP 800-132 for deriving the DPK (Data Protection Key) from the MK (Master Key) are supported. The SafeZone FIPS Lib does not limit the length of the password used in NIST SP 800-132 PBKDF key derivation. The upper bound for the strength of passwords usually used is between 5 or 6 bits per character, which indicates the upper bound for the probability of the password being randomly guessed is 1 / (64 ^ length_of_password). To achieve security over 64 bits, the passwords must generally be longer than 12 characters. With compliance to NIST SP 800-132 and the FIPS 140-3 Implementation Guidance D.N, these requirements and limits must be followed by user:
SafeZone SW Cryptographic Module 2.0
The FIPS 140-3 Implementation Guidance C.H applies to AES-GCM and GMAC usage with this module. Scenario/technique 1, 2 and 3 in IG C.H are supported by this module. With compliance to technique 1 in IG C.H, the module supports AES-GCM with IPSec and TLS v1.2, both must be initialized with FLS_EncryptAuthInitDeterministic function for encryption and with FLS_CryptAuthInit for decryption. The FLS_CryptAuthInit function is also used for subsequent encryption operations for operation sequences started with the FLS_EncryptAuthInitDeterministic function (In this case the input IV/Nonce must be NULL since IG C.H forbids using external IV for encryption). With compliance to technique 2 or 3 in IG C.H, the operator must use the FLS_EncryptAuthInitRandom function if random IV generation (IG C.H Technique 2) is required, or in case of deterministic IV generation (IG C.H Technique 3), the FLS_EncryptAuthInitDeterministic function. It is not possible to use random IV generated externally. The module supports AES-GCM with SRTP (RFC 7714). For SRTP, functions FLS_EncryptAuthSrtp, FLS_EncryptAuthSrtcp have been introduced. These functions provide equivalent functionality than FLS_EncryptAuthInitDeterministic, but work with SRTP protocols. SRTP IV consists of 32-bit field, SSRC (synchronization source), which acts like 32-bit Module Name of IG C.H Technique 3. SRTP uses 48-bit counter ROC || SEQ. This counter is incremented internal to the cryptographic module. The module will detect overflow of counter. It is the responsibility of the users to rekey upon counter overflow. In addition, SRTP uses 96-bit Encryption Salt that is XORed with other fields. For control purposes, SRTP has an additional protocol, SRTCP. SRTCP protocol is otherwise identical to SRTP, but it uses different keys, and IV format where ROC || SEQ is replaced by SRTCP index. SRTCP index is incremented internal to the cryptographic module. The module will allow only 2^31 packets to be produced with SRTCP prior rekeying.
SafeZone SW Cryptographic Module 2.0
The module supports XTS Mode for Confidentiality on Storage Devices. Both XTS-AES-128 (256 bit key) and XTS-AES-256 (512 bit key) are supported. The XTS-AES key is parsed as concatenation of two AES keys Key_1 and Key_2. As is explained in FIPS 140-3 Implementation Guidance C.I, it is required that Key_1 ≠ Key_2. If Key_1 = Key_2, attempt to perform XTS-AES encryption or decryption will fail. The XTS Mode is only approved for usage in storage applications.
The module allows key generation and generates keys according to the following NIST SP 800-133-r2 sections: 5.1, 5.2, 6.1. Key generation will use NIST SP 800-90A Rev1 DRBGCTR AES-256. The output of the approved DRBG is used unmodified when symmetric keys are generated. It is also used unmodified as random input for asymmetric key generation.
The module supports truncation of HMAC results for all SHA-1 and SHA-2 family hash functions. These include e.g., HMAC-SHA-1-80, HMAC-SHA-1-96, HMAC-SHA-256-128, HMAC-SHA-384-192 and HMAC-SHA-512-256. Following guidance of NIST SP 800-107 Rev 1, it is not allowed to truncate HMAC to less than 32-bits. Therefore, minimum allowed mac output length argument for the FLS_MacGenerateFinish or FLS_MacVerifyFinish is 4.
11.3.9 NIST SP 800-56A Rev 3: Pair-Wise Key-Establishment Schemes (KAS-ECC and KAS-FFC)
The module provides Discrete Logarithm Cryptographic-based key agreements compliant with NIST SP 800-56A-r3 according to scenario 2 path (1) of FIPS 140-3 Implementation Guidance D.F. The KAS-ECC-SSC schemes provide between 112 and 256 bits of security strength. The KAS-FFC-SSC schemes provide between 112 and 200 bits of security strength.
SafeZone FIPS 140-3 product is typically delivered in binary format. The product in binary format is validated for platforms mentioned in the validation certificate. There is also another product available from Rambus: source code product. This package can be recompiled by the user for their target platform. However, if changes to the module are required, they need to be processed as a revalidation for FIPS 140-3.
SafeZone SW Cryptographic Module 2.0 When ported to an operational environment which is not listed on the validation certificate, no claims can be made as to the correct operation of the module and the security strengths of any keys generated by the module.
The cryptographic module does not implement security mechanisms to mitigate other attacks.
SafeZone SW Cryptographic Module 2.0 Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CO Crypto Officer CTR Counter Mode DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSP Sensitive Security Parameter U User
SafeZone SW Cryptographic Module 2.0 Appendix B. References FIPS 140-3 FIPS PUB 140-3
SafeZone SW Cryptographic Module 2.0 NIST SP 800-38E NIST Special Publication 800-38E
SafeZone SW Cryptographic Module 2.0 NIST SP 800-140B NIST Special Publication 800-140B