All modules
CMVP Validated Module · FIPS 140-3 Security Policy

SafeZone FIPS SW Cryptographic Module

Certificate#4898StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorRambus Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/21/2029
EntropyENT (NP)
CaveatInterim Validation. When operated in approved mode
VendorRambus Inc.

Approved Algorithms (54)

AlgorithmACVP Cert
AES-CBCA2836
AES-CCMA2836
AES-CMACA2836
AES-CTRA2836
AES-ECBA2836
AES-GCMA2836
AES-GMACA2836
AES-KWA2836
AES-KWPA2836
AES-OFBA2836
AES-XTS Testing Revision 2.0A2836
Counter DRBGA2836
DSA KeyGen (FIPS186-4)A2836
DSA PQGGen (FIPS186-4)A2836
DSA PQGVer (FIPS186-4)A2836
DSA SigGen (FIPS186-4)A2836
DSA SigVer (FIPS186-4)A2836
ECDSA KeyGen (FIPS186-4)A2836
ECDSA SigGen (FIPS186-4)A2836
ECDSA SigVer (FIPS186-4)A2836
HMAC-SHA-1A2836
HMAC-SHA2-224A2836
HMAC-SHA2-256A2836
HMAC-SHA2-384A2836
HMAC-SHA2-512A2836
KAS-ECC CDH-ComponentA2836
KAS-ECC-SSC Sp800-56Ar3A2836
KAS-FFC-SSC Sp800-56Ar3A2836
KDA HKDF SP800-56Cr2A2836
KDA TwoStep SP800-56Cr2A2836
KDF IKEv1A2836
KDF IKEv2A2836
KDF SP800-108A2836
KDF SRTPA2836
KTS-IFCA2836
PBKDFA2836
RSA KeyGen (FIPS186-4)A2836
RSA SigGen (FIPS186-4)A2836
RSA SigVer (FIPS186-4)A2836
SHA-1A2836
SHA2-224A2836
SHA2-256A2836
SHA2-384A2836
SHA2-512A2836
SHA3-224A2836
SHA3-256A2836
SHA3-256A2890
SHA3-384A2836
SHA3-512A2836
SHAKE-128A2836
SHAKE-256A2836
TDES-CBCA2836
TDES-ECBA2836
TLS v1.2 KDF RFC7627A2836

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for SafeZone FIPS SW Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for SafeZone FIPS SW Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

FIPS 140-3 Non-Proprietary Security Policy SafeZone FIPS SW Cryptographic Module Software Version v2.0 Rambus Global Inc., Finnish branch Sokerilinnantie 11 C FI-02600 Espoo Phone: +358 50 3560966 Rambus Inc. North First Street, Suite 100 San Jose, CA 95134 United States of America https://www.rambus.com/ 2024-11-8

Page 2

SafeZone SW Cryptographic Module 2.0 11.3.1 11.3.2 11.3.3 11.3.4 11.3.5 11.3.6 11.3.7 11.3.8 11.3.9 FFC) NIST SP 800-56A Rev 3: Pair-Wise Key-Establishment Schemes (KAS-ECC and KAS31 Appendix A. Appendix B.

2 of 36
Page 3
Security level
NameISO SectionRequirementLevelGeneral
2Cryptographic module specification2Level 1
33Level 1Cryptographic module interfaces
4Roles, services, and authentication4Level 1
55Level 1Software/Firmware security
6Operational environment6Level 1
77N/APhysical security
8Non-invasive security8N/A
99Level 1Sensitive security parameter management
10Self-tests10Level 1
1111Level 1Life-cycle assurance
12Mitigation of other attacks12N/A
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Intel® Atom™ x5-Z8350AES-NI, Intel1Linux Ubuntu 20.04 LTSAAEON UP Core
(X86 32-bit)SHA extensions(X86 32-bit)UPC-CHT01-A20-0464-A11
2Linux Ubuntu 20.04 LTS (X86 32-bit)AAEON UP Core UPC-CHT01-A20-0464-A11Intel® Atom™ x5-Z83502

SafeZone SW Cryptographic Module 2.0 This document is the non-proprietary FIPS 140-3 Security Policy for the SafeZone FIPS SW Cryptographic Module version 2.0, hereafter referred to as the module. It contains a specification of the rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 [FIPS 140-3] for a Security It has a one-to-one mapping to the NIST Special Publication 800-140B [NIST SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. N/A N/A N/A Table 1 - Security Levels cryptographic module from Rambus. The module provides a set of commonly used cryptographic primitives by exposing a custom API for a wide range of applications, typically running on a general-purpose operating system. There are 4 different binary versions of the module to suit the target environments. The identification string of the SafeZone FIPS SW Cryptographic Module can be acquired with the FLS_LibDescription function. The returned identification string is:

3 of 36
Page 4
Module configuration
NameOperating SystemHardware Platform# 1
22GNU/Linux Debian 10 (aarch64)Kirin 960, 4 Cortex A73 + 4 Cortex A53 Big.Little CPU
3GNU/Linux Debian 9.13 (aarch64)Rockship ROCK64 with a Rockchip RK33283
Approved algorithm
NameAES-CBC [NIST SP 800-38 A]Encryption and Decryption
[NIST SP 800-38B][NIST SP 800-38B]Authentication Code
[NIST SP 800-38D][NIST SP 800-38D]Authentication Code
[NIST SP 800-38F][NIST SP 800-38F]Unwrapping
3Linux Ubuntu 20.04 LTSAAEON UP CoreIntel® Atom™ x5-Z8350AES-NI, Intel
(X86 64-bit)UPC-CHT01-A20-0464-A11SHA extensions
4Linux Ubuntu 20.04 LTS (X86 64-bit)AAEON UP Core UPC-CHT01-A20-0464-A11Intel® Atom™ x5-Z8350-
5Linux Ubuntu 20.04 LTS (ARMv8-a 64-bit)Raspberry Pi 4Broadcom BCM2711NEON,
Cryptography
Extensions
6Linux Ubuntu 20.04 LTS (ARMv8-a 64-bit)Raspberry Pi 4Broadcom BCM2711-
7Linux Ubuntu 20.04 LTSRaspberry Pi 2Broadcom BCM2836NEON
(ARMv7-a 32-bit)

SafeZone SW Cryptographic Module 2.0 Table 2 - Tested Operational Environments In addition to the tested operational environments the module has been confirmed by the vendor to be operational on the following platforms. # Table 3 - Vendor Affirmed Operational Environments The Table 4 below lists the Approved Algorithms implemented by the module. The CAVP certs may list more algorithms than are actually utilized by the module. Only those listed below are used by the module.

4 of 36
Page 5
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES-XTSA2836AES-XTS Testing Revision 2.0 [NIST SP 800-38E]Storage Encryption and Decryption2x128 bits (AES-
Counter DRBGA2836Counter DRBG [NIST SP 800-90A-r1]AES-256 with df and no prRandom Number Generation
DSA KeyGenA2836DSA KeyGen [FIPS 186-4]Key Generation(L,N) =
DSA PQGGenA2836DSA PQGGen [FIPS 186-4](L,N) = (2048, 224), (2048, 256), (3072, 256) Hash algorithms: SHA2-2241, SHA2- 256, SHA2-384, SHA2-512Domain Parameter Generation
DSA PQGVerA2836DSA PQGVer [FIPS 186-4]Domain Parameter Verification(L,N) =
DSA SigGenA2836DSA SigGen [FIPS 186-4](L,N) = (2048, 224), (2048, 256), (3072, 256) Hash algorithms: SHA2-224, SHA2- 256, SHA2-384, SHA2-512Digital Signatures
DSA SigVerA2836DSA SigVer [FIPS 186-4]Digital Signatures(L,N) =
ECDSA KeyGenA2836ECDSA KeyGen [FIPS 186-4]NIST P-224, P-256, P-384, P-521 curvesKey Generation
ECDSA SigGenA2836ECDSA SigGen [FIPS 186-4]Digital SignaturesNIST P-224, P-256,
ECDSA SigVerA2836ECDSA SigVer [FIPS 186-4]NIST P-224, P-256, P-384, P-521Digital Signatures
HMAC-SHA-1A2836HMAC-SHA-1 [FIPS 198-1]Message Authentication CodeKey Length: 112-
HMAC-SHA2-224A2836HMAC-SHA2-224 [FIPS 198-1]Key Length: 112- 512 bits MAC Length: 224 bitsMessage Authentication Code
HMAC-SHA2-256A2836HMAC-SHA2-256 [FIPS 198-1]Message Authentication CodeKey Length: 112-
HMAC-SHA2-384A2836HMAC-SHA2-384 [FIPS 198-1]Key Length: 112- 512 bits MAC Length: 192, 384 bitsMessage Authentication Code
HMAC-SHA2-512A2836HMAC-SHA2-512 [FIPS 198-1]Message Authentication CodeKey Length: 112-
KAS-ECC CDH- ComponentA2836KAS-ECC CDH- Component (CVL) [NIST SP 800-56A-r3]ephemeralUnified NIST P-224, P-256, P-384 and P- 521 curvesKey Agreement Primitives
KAS-ECC-SSCA2836KAS-ECC-SSC [NIST SP 800-56A-r3]Key Agreement PrimitivesephemeralUnified
KAS-FFC-SSCA2836KAS-FFC-SSC [NIST SP 800-56A-r3]dhEphem 2048-8192 bit modular Diffie- Hellman groups; including FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192, FIPS 186-type FFC parameter-size sets FB and FCKey Agreement Primitives
KDA HKDFA2836KDA HKDF [NIST SP 800-56C-r2]Key Derivation - GenericHMAC Algorithm:
KDA TwoStepA2836KDA TwoStep [NIST SP 800-56C-r2]Two-Step Key Derivation with SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512 orKey Derivation – Generic

SafeZone SW Cryptographic Module 2.0 (L,N) = (L,N) = (L,N) = (L,N) = (L,N) =

5 of 36
Page 6

SafeZone SW Cryptographic Module 2.0

6 of 36
Page 7
Approved algorithm
NameCAVP CertKey SizeUse Function
A2836A2836Hash Algorithm:Key Derivation – Application SpecificKDF IKEv1 (CVL) [NIST SP 800-135-r1]KDF IKEv1
Hash Algorithm: SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512A2836Key Derivation – Application SpecificKDF IKEv2 (CVL) [NIST SP 800-135-r1]KDF IKEv2
A2836A2836112-512 bitsKey Derivation – GenericKDF SP800-108 [NIST SP 800-108-r1]KDF SP800-108
AES Key Length: 128, 192, 256A2836Key Derivation – Application SpecificKDF SRTP (CVL) [NIST SP 800-135-r1]KDF SRTP
A2836A2836KTS-OAEP-basicKey Encapsulation and Un-encapsulationKTS-IFC [NIST SP 800-56B-r2]KTS-IFC
SHA-1, SHA2-256A2836Key Derivation – Application SpecificPBKDF [NIST SP 800-132]PBKDF
A28362048, 3072, 4096Key GenerationRSA KeyGenA2836RSA KeyGen
[FIPS 186-4]bits[FIPS 186-4]
RSASSA-PKCS1- v1.5 and RSASSA- PSS with SHA2- 224, SHA2-256, SHA2-384, SHA2- 512 and 2048, 3072, 4096 bit modulusA2836Digital SignaturesRSA SigGen [FIPS 186-4]RSA SigGen
A2836A2836RSASSA-PKCS1-Digital SignaturesRSA SigVer [FIPS 186-4]RSA SigVer
SHA-1A2836Hash Function Not allowed forSHA-1 [FIPS 180-4]SHA-1

SafeZone SW Cryptographic Module 2.0

7 of 36
Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
A2836SHA2-224SHA2-224A2836SHA2-224Hash Function
A2836A2836SHA2-256 [FIPS 180-4]SHA2-256SHA2-256Hash Function
A2836A2836SHA2-384SHA2-384SHA2-384Hash Function
A2836A2836SHA2-512 [FIPS 180-4]SHA2-512SHA2-512Hash Function
A2836A2836SHA3-224SHA3-224SHA3-224Hash Function
A2836A2836SHA3-256 [FIPS 202]SHA3-256SHA3-256Hash Function
A2836A2836SHA3-384SHA3-384SHA3-384Hash Function
A2836A2836SHA3-512 [FIPS 202]SHA3-512SHA3-512Hash Function
A2836A2836128 bitsSHAKE-128SHAKE-128Extensible Output
[FIPS 202][FIPS 202]Function
A2836A2836SHAKE-256 [FIPS 202]256 bitsSHAKE-256Extensible Output Function
TDES-CBC192 bitsA2836TDES-CBCDecryption4
A2836A2836TDES-ECB [NIST SP 800-67-r2]192 bitsTDES-ECBDecryption4
A2836A2836TLS v1.2 KDFTLS v1.2 KDF RFC7627Key Derivation – Application SpecificHash Algorithm:
(CVL)(CVL)SHA2-256, SHA2-
[NIST SP 800-135-r1][NIST SP 800-135-r1]384, SHA2-512
A2890A2890SHA3-256 [FIPS 202]N/ASHA3-256Vetted conditioner
AES-KW A2836AES-KW A2836AES-KW (KTS) [NIST SP 800-38F]SP 800-38F. KTS (key wrapping and unwrapping) per IG D.G.Key Transport128, 192, and 256-
AES-KWP A2836AES-KWP A2836AES-KWP (KTS) [NIST SP 800-38F]128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strengthSP 800-38F. KTS (key wrapping and unwrapping) per IG D.G.Key Transport
KTS-IFC A2836KTS-IFC A2836KTS-IFC (KTS) [NIST SP 800-56B-r2]SP 800-56Brev2. KTS-IFC (key encapsulation and un-encapsulation) per IG D.G.Key Transport2048, 3072, and

SafeZone SW Cryptographic Module 2.0 N/A D.G. Legacy usage only. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M

8 of 36
Page 9
Approved algorithm
NameUse Function
ENT (NP) [NIST SP 800-90B]N/AN/AN/AJitterEntropy
CKG [NIST SP 800-133r2]Cryptographic KeyVendor AffirmedSections 5.1, 5.2 and 6.1Key Generation for symmetric and asymmetric keys using unmodified output from the DRBG.
AES-KEY WRAPKey WrappingAES-KEY WRAPAES-128, AES-192, AES-256 key wrapping supersededKey Wrapping
BrainpoolKey EstablishmentBrainpoolAll services applying Brainpool standard curves (P224r1, P256r1, P384r1, P512r1) are non-approved
ChaCha20-Poly1305ChaCha20-Poly1305ChaCha20-Poly1305 is not a service in NISTSymmetric encryption and
specifications, thus not approvedspecifications, thus not approveddecryption
DSA Key Pair GenerationDigital SignaturesDSA Key Pair GenerationP=1024/N=160 is non-approved since security strength provided is less than 112
DSA SignatureP=1024/N=160 is non-approved since securityDigital Signatures
ECC Diffie-HellmanKey EstablishmentECC Diffie-HellmanNIST P-192 curve is non-approved since security strength provided is less than 112
ECDSA Key Pair GenerationECDSA Key Pair GenerationNIST P-192 curve is non-approved since security strength provided is less than 112Digital Signatures/Key
ECDSA Signature GenerationDigital SignaturesECDSA Signature GenerationNIST P-192 curve is non-approved since security strength provided is less than 112
HMACMessage Authentication CodeHMAC80-104 bit keys are non-approved since security
KDF NIST SP 800-108Key DerivationKDF NIST SP 800-10880-104 bit keys are non-approved since security strength provided is less than 112
KTS (KEM NIST SP 800-RSA-KEM-KWS-basic key wrapping scheme is non-Key Transport
56B)approved since not compliant with SP 800-56Brev2
KTS (OAEP NIST SP 800- 56B)Key TransportKTS (OAEP NIST SP 800- 56B)1024 and 1536 bit keys are non-approved for RSA- OAEP scheme key wrapping
MD5Message DigestMD5MD5 is non-approved except for the use in
RSA Encryption (PKCS #1 v1.5)Key WrappingRSA Encryption (PKCS #1 v1.5)Non-approved since not compliant with SP 800- 56Brev2
RSA Key PairDigital Signatures1024 and 1536 bit keys are non-approved since
RSA Private Key Primitives (NIST SP 800- 56B)Key TransportRSA Private Key Primitives (NIST SP 800- 56B)Non-approved since not compliant with SP 800- 56Brev2, including decryption primitives and signature generation primitives
RSA Public KeyKey TransportNon-approved since not compliant with SP 800-
Primitives (NIST SP 800-56Brev2, including encryption primitives and
56B)signature verification primitives
RSA SignatureDigital SignaturesRSA Signature1024 and 1536 bit keys are non-approved since

SafeZone SW Cryptographic Module 2.0 N/A N/A N/A Table 4

9 of 36
Page 10
Sensitive security parameter
NameStrengthGenerationDigital SignaturesRSA Signature Validation
TLS1.0/1.1 KDF NIST SP 800-135rev1Deprecated in favor of RFC7627 extended master secret computationTLS1.0/1.1 KDF NIST SP 800-135rev1Key Derivation
Deprecated by the end of 2023Triple-DES EncryptionSymmetric encryption
X25519 Key AgreementX25519 key agreement services are non-approved since not included in SP 800-56Arev3X25519 Key AgreementKey Establishment

SafeZone SW Cryptographic Module 2.0 Table 5 -Non-Approved Algorithms Not Allowed in the Approved Mode of Operation The Finite State Model (FSM) of the module is provided in a separate document SafeZoneFIPS-Lib-2.0-FSM distributed with this security policy. The cryptographic boundary of the module is defined in the Figure 1 below. Control Output Figure 1 - Cryptographic Boundary

2.1 Approved Mode of Operation

By default, the module is in Approved mode once initialized and does not require any special initialization. The module will remain in approved mode of operation and the operator must avoid using any non-approved services. Any use of non-approved services (as determined by the indicator) will move module into the non-approved mode of operation. Any keys generated using non-approved mode or services must not be used in the approved mode of operation. The module needs to be re-initialized in order to move back into the approved mode of operation.

3 Cryptographic module interfaces

As a software-only module, SafeZone FIPS SW Cryptographic Module provides a Cprogramming language API for invocation of the FIPS 140-3 approved cryptographic functions.

10 of 36
Page 11
Ports and interfaces
NamePhysical PortLogical InterfacePhysical portLogical InterfaceAPI
N/A - APIN/A - APIData InputN/A - APIData InputThe data read from memory area(s) provided to the invoked
N/A - APIN/A - APIControl InputThe API function invoked and function parameters designated as control inputs.
N/A - APIN/A - APIData OutputThe data written to memory area(s) provided to the invoked
N/A - APIN/A - APIStatus OutputThe return value/data of the invoked API function.
Service
NameRolesInputOutputRole
Get module informationCO, UFLS_StaticConfig()BuildCO, UGet module informationFLS_StaticConfig() FL_IntactID()
FL_IntactID()FL_IntactID()configuration,
CO, UCO, UGet/set information on current module configurationFLS_RuntimeConfigSetProperty, FLS_RuntimeConfigGetProperty Runrime configuration valueFLR_OK (0), error or current runtime value
Get crypto module statusFLS_LibStatus()Module statusCO, U
CO, UCO, UGet crypto module versionFLS_LibVersion()Module version
CO, UCO, UFLS_LibDescription()ModuleGet crypto module description
CO, UCO, UGet status of the asset storeFLS_AssetStoreStatus()Asset store memory status
Perform module self-testsCO, UFLR_OK (0) orFLS_LibSelfTest()
COCOInitialize the moduleFLS_LibInit()FLR_OK (0) or error

SafeZone SW Cryptographic Module 2.0 The functions shall be called by the application which assumes the operator role during values, defines the four FIPS 140-3 logical interfaces: data input, data output, control input Table 6. Ports and Interfaces

4 Roles, services, and authentication

The SafeZone FIPS SW Cryptographic Module supports the Crypto Officer (CO) and User (U) roles. The operator of the module will assume one of these two roles. Only one role may be active at a time. The Crypto Officer role is assumed implicitly upon module installation, uninstallation, initialization, zeroization, and power-up self-testing. If initialization and selftesting are successful, a transition to the User role is allowed and the User will be able to use all keys and cryptographic operations provided by the module, and to create any CSPs (except Trusted Root Key CSPs which may only be created in the Crypto Officer role). The four unique run-time services given only to the Crypto Officer role are the ability to initialize the module, to set-up key material for Trusted Root Key CSP(s), to modify the entropy source, and to switch to the User role to perform any activities allowed for the User role. The SafeZone FIPS SW Cryptographic Module does not support concurrent operators. The module does not authenticate the User or the Crypto Officer role. The roles, services, and the API are described in the table below.

11 of 36
Page 12
CO, UReset module stateFLS_LibUnInit()FLR_OK (0) or
error
COEnter User roleFLS_LibEnterUserRole()FLR_OK (0) or error
CO, UErase data from memoryFLS_Erase()FLR_OK (0) or
Memory area to be erasederror
CO, UErase assetFLS_EraseAsset() Asset to be erasedFLR_OK (0) or error
COInstall entropy sourceFL_RbgInstallFLR_OK (0) or error
EntropySource() FLS_RbgRequest
SecurityStrength()
Entropy source
COCreate trusted root keyFLS_RootKeyAllocateAndLoadValue () Key materialFLR_OK (0) or error
CO, UCreate key assetFLS_AssetAllocateBasic()FLR_OK (0) or error, Created asset
FLS_AssetAllocate()
FLS_AssetAllocateAnd
AssociateKeyExtra()
FLS_AssetLoadValue()
FLS_AssetLoadMultipart()
FLS_AssetLoadMultipart
ConvertBigInt()
FLS_AssetPoke()
FL_LocalAllocate()
FL_LocalAllocateEx()
Key policy, key value
CO, UCopy key assetFLS_AssetCopyValue() Source assetFLR_OK (0) or error, Target asset
CO, UDelete key assetFLS_AssetFree()FLR_OK (0) or error
FLS_LocalFree()
Asset to be deleted
CO, UExamine key asset policy, sizeFLS_AssetShow() FLS_AssetCheck() Asset to be examinedFLR_OK (0) or error, Key policy key size
CO, UGet key asset valueFLS_AssetPeek()FLR_OK (0) or
Asset to peekerror, Key value
CO, UGenerate keyFLS_AssetLoadRandom()
CO, UEncryption and decryptionFLS_CipherInit()FLR_OK (0) or error, Plaintext / ciphertext
FLS_CipherContinue()
FLS_CipherFinish()
Key asset, crypto parameters,
plaintext/ciphertext
CO, UAuthenticated encryption and decryptionFLS_CryptAuthInit() FLS_CryptGcmAadContinue() FLS_CryptGcmAadFinish() FLS_CryptAuthContinue() FLS_EncryptAuthFinish() FLS_EncryptAuth PacketFinish() FLS_DecryptAuthFinish() FLS_EncryptAuth InitRandom() FLS_EncryptAuthInitDeterministi c() FLS_CryptAuthInitTls13() FLS_EncryptAuthTls13() FLS_EncryptAuthFinishTls13() FLS_DecryptAuthTls13() FLS_DecryptAuthFinishTls13() FLS_EncryptAuthSrtp() FLS_DecryptAuthSrtp()FLR_OK (0) or error, Plaintext / ciphertext

SafeZone SW Cryptographic Module 2.0 () c()

12 of 36
Page 13
FLS_EncryptAuthSrtcp() FLS_DecryptAuthSrtcp() Key asset, crypto parameters, additional authenticated data, plaintext/ciphertext
CO, UMAC generationFLS_MacGenerateInit()FLR_OK (0) or error, MAC
FLS_MacGenerateContinue()
FLS_MacGenerateFinish()
Key asset, crypto parameters, input data
CO, UMAC verificationFLS_MacVerifyInit() FLS_MacVerifyContinue() FLS_MacVerifyFinish() Key asset, crypto parameters, input dataFLR_OK (0) or error, Verification status
CO, URandom number generationFLS_RbgGenerateRandom() Random data generation parametersFLR_OK (0) or
error, Random
data
CO, URandom number generator reseedingFLS_RbgReseed() SeedFLR_OK (0) or error,
CO, UKey derivationFLS_KeyDeriveKdk()FLR_OK (0) or
Key asset, derivation parameterserror, Derived key
CO, UTLS v1.2 key derivationFLS_DeriveTlsPrf() FLS_KeyDeriveKdk() Key asset, derivation parametersFLR_OK (0) or error, Derived key
CO, UKey Derivation Through Extraction- then-expansionFLS_HkdfExtract()FLR_OK (0) or error, Derived key
FLS_HkdfExpandAsset()
FLS_HkdfExpand()
FLS_Hkdf()
FLS_KeyDeriveKdk()
Derivation parameters, input key material
CO, UIKEv1 key derivationFLS_IkePrfExtract() FLS_IKEv1ExtractSKEYID_DSA() FLS_IKEv1ExtractSKEYID_PSK() FLS_IKEv1ExtractSKEYID_PKE() FLS_IKEv1DeriveKeyingMaterial() Derivation parametes, input key materialFLR_OK (0) or error, Derived key
CO, UIKEv2 key derivationFLS_IkePrfExtract()FLR_OK (0) or error, Derived key
FLS_IKEv2ExtractSKEYSEED()
FLS_IKEv2DeriveDKM()
FLS_IKEv2ExtractSKEYSEEDrekey()
Derivation parametes, input key material
CO, USRTP key derivationFLS_SrtpKeyDerive() Key asset, derivation paramentersFLR_OK (0) or error, Derived key
CO, UAES key wrappingFLS_AssetsWrapAes38F()FLR_OK (0) or error, Derived key
FLS_AssetsUnwrapAes38F()
Key asset, derivation parameters
CO, UAES data wrappingFLS_CryptKw() Key asset, data to be wrappedFLR_OK (0) or error, Wrapped data
CO, UTrusted root key derivationFLS_TrustedKdkDerive()FLR_OK (0) or error, Derived key
FLS_TrustedKekdkDerive()
Key asset, derivation parameters
CO, UTrusted KDK key derivationFLS_TrustedKeyDerive() Key asset, derivation parametersFLR_OK (0) or error, Derived key
CO, UTrusted key wrappingFLS_AssetWrapTrusted()FLR_OK (0) or
FLS_AssetUnwrapTrusted()error, Wrapped
Key assets, wrapping parameterskey
CO, UPBKDF2 key derivationFLS_KeyDerivePbkdf2() Password, key derivation parametersFLR_OK (0) or error, Derived key
CO, UDSA/Diffie-Hellman DomainFLS_AssetCheck()FLR_OK (0) or
Parameter verificationKey asset to be examinederror
CO, UAsymmetric key pair generationFLS_AssetGenerateKeyPair() FLS_DH_KeyGen()FLR_OK (0) or error, Generated

SafeZone SW Cryptographic Module 2.0

13 of 36
Page 14
Approved algorithm
NameKey SizeUse Function
Key generation parameterskey
CO, USignature generationFLR_OK (0) or error, SignatureCO, UFLS_HashSignFips186()
FLS_HashVerifyFips186() FLS_HashVerifyRecoverPkcs1() FLS_HashVerifyPkcs1() FLS_HashVerifyPkcs1Pss() Key asset, signatureSignature verificationFLR_OK (0) or error, verification resultCO, U
FLS_AssetsWrapRsaOaep() FLS_AssetsUnwrapRsaOaep() Key asset, input data / wrapped keyRSA-OAEP key wrappingCO, UFLR_OK (0) or
FLS_DeriveDh() FLS_DH_Derive() Private and public valuesDiffie-Hellman key agreementFLR_OK (0) or error, Derived keyCO, U
CO, UElliptic Curve Diffie-Hellman keyCO, UFLS_DeriveDh()FLR_OK (0) or
agreementagreementPrivate and public valueserror, Derived key
FLS_HashInit() FLS_HashContinue() FLS_HashFinish() FLS_HashSingle() Input data / messageDigest computationFLR_OK (0) or error, Hash valueCO, U
FLS_HashSingle() Input data / messageExtensible Output FunctionCO, UFLR_OK (0) or
FLS_LoadFinishedHash StateAlgo() Digest parametersLoad precomputed digestFLR_OK (0) or error, Target assetCO, U
CO, UDigest computation (non-approved)FLR_OK (0) or error, Hash valueCO, UFLS_HashInit()
FLS_AssetGenerateKeyPair() FLS_DH_KeyGen() Key generation parametersAsymmetric key pair generation (non- approved)FLR_OK (0) or error, Generated keyCO, U
CO, USignature generation (non-approved)FLR_OK (0) or error, SignatureCO, UFLS_HashSignFips186()
FLS_HashVerifyFips186() FLS_HashVerifyRecoverPkcs1() FLS_HashVerifyPkcs1() FLS_HashVerifyPkcs1Pss() Key asset, signatureSignature verification (non-approved)FLR_OK (0) or error, verification resultCO, U
CO, UElliptic Curve Diffie-Hellman keyCO, UFLS_DeriveDh()FLR_OK (0) or
agreement (non-approved)agreement (non-approved)Private and public valueserror, Derived key
FLS_MacGenerateInit() FLS_MacGenerateContinue() FLS_MacGenerateFinish() Key asset, crypto parameters, input dataMAC generation (non-approved)FLR_OK (0) or error, MACCO, U
CO, UMAC verification (non-approved)FLR_OK (0) or error, Verification statusCO, UFLS_MacVerifyInit()
FLS_AssetsWrapRsaKem() FLS_AssetsUnwrapRsaKem() Key asset, input data / wrappedRSA-KEM key wrapping (non- approved)FLR_OK (0) or error, Wrapped key / unwrappedCO, U
FLS_AssetsWrapRsaOaep() FLS_AssetsUnwrapRsaOaep() Key asset, input data / wrapped keyRSA-OAEP key wrapping (non- approved)CO, UFLR_OK (0) or
FLS_KeyDeriveKdk() Key asset, derivation parametersKDK key derivation (non-approved)FLR_OK (0) or error, Derived keyCO, U
CO, UTrusted key wrapping (non-approved)CO, UFLS_AssetWrapTrusted()FLR_OK (0) or
FLS_AssetUnwrapTrusted()FLS_AssetUnwrapTrusted()error, Wrapped
Key assets, wrapping parametersKey assets, wrapping parameterskey
FLS_AssetsWrapPkcs1v15() FLS_AssetsUnwrapPkcs1v15() Key asset, input data /wrapped keyRSA-PKCS#1 v1.5 key wrapping (non- approved)FLR_OK (0) or error, Wrapped key / unwrapped key assetCO, U
CO, UAES key wrapping (non-approved)FLR_OK (0) or error, Derived keyCO, UFLS_AssetsWrapAes38F()
FLS_CipherInit() FLS_CipherContinue() FLS_CipherFinish() Key asset, crypto parameters, plaintext/ciphertextEncryption and decryption (non- approved)FLR_OK (0) or error, Plaintext / ciphertextCO, U
CO, UX25519 (non-approved)FLR_OK (0) or error, Derived keyCO, UFLS_X25519_KeyGen()
FLS_DeriveTlsPrf() FLS_KeyDeriveKdk() Key asset, derivation parametersTLS v1.0/1.1 key derivation (non- approved)FLR_OK (0) or error, Derived keyCO, U
FLS_Pkcs1RSASP1() Key asset, data to be signedRSA signature generation primitiveFLR_OK (0) or error, SignatureCO, U
FLS_Pkcs1RSAVP1() Key asset, signatureRSA signature verification primitive (non-approved)FLR_OK (0) or error, verification resultCO, U
FLS_Pkcs1RSAEP() Key asset, plaintextRSA encryption primitive (non-FLR_OK (0) or error, CiphertextCO, U
FLS_Pkcs1RSADP() Key asset, ciphertextRSA decryption primitive (non- approved)FLR_OK (0) or error, PlaintextCO, U

SafeZone SW Cryptographic Module 2.0

14 of 36
Page 15

SafeZone SW Cryptographic Module 2.0 Table 7. Roles, Service Commands, Input and Output The approved services are described in the table below. The indicator column maybe None or ARG. None is used for non-security functions, and they do not utilize the approved indicator. For services utilizing security functions the indicator is specified as ARG. In this case the user of the service or function passes a pointer as argument and the indicator value is returned to that pointer. A value of 0 means that the service is approved and any non-zero value means it is a non-approved service. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation.

15 of 36
Page 16
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Get module informationCO, UNoneN/ANoneReturn basic
Get/set information on current module configurationReturn current module configurationCO,- UNoneN/ANone
Get cryptoNoneN/ANoneReturn state of theGet cryptoCO,
module statusmodulemodule statusU
Get crypto module versionReturns version of the moduleCO, UNoneN/ANone
Get cryptoReturns description of the moduleCO, UNoneN/ANoneGet crypto
Get status of the asset storeReturns the status of the asset storeCO, UNoneN/ANone
PerformExecute self-testsCO, UNoneN/ANonePerform
Initialize the moduleInitializes the moduleCONoneN/ANone
Reset module stateCO, UNoneN/ANoneReset, zeroize and
Enter User roleEnter regular user modeCONoneN/ANone
Erase data fromErase dataAnyN/AZNoneErase data fromCO,
memorymemoryU
Erase assetErase assetCO, UAnyN/AZNone
Install entropyCONoneN/ANoneInstall entropyInstall entropy
sourcesource to be usedsource
Create trusted root keyAllocate and set data for new root key assetCOTrusted Root KeyKDF SP800-108GARG
Create key assetCO, UAny keysN/AG, WARGSetup key policy,
Copy key assetCopies key valueCO, UAny keysN/AR, WARG
Delete key assetAny keysN/AZDeletes a key andCO,ARG
zeroes the datazeroes the dataU
Examine key asset policy, sizeGet key size and checkCO, UAny keysN/ARARG
Get key assetGet key valueAny keysN/ARGet key assetCO,ARG
valuevalueU

SafeZone SW Cryptographic Module 2.0 Z = Zeroize: The module zeroizes the SSP. The previous value is overwritten by zeroes and is no longer accessible. N/A U N/A N/A N/A N/A U U U N/A N/A U U N/A N/A U N/A N/A Z N/A Z N/A U U G N/A U G, W N/A R, W N/A Z N/A U U U R N/A U R module selftests

16 of 36
Page 17
Approved algorithm
NameUse Function
CKG (Section 6.1)Generate keyGenerate random keyAES keysCO, UG, WARG
TDES-CBC CKG (Section 6.1)G, WTriple-DESCO,ARG
CKG (Section 6.1)Key Derivation keysCO, UG, WARG
CKG (Section 6.1)MAC keysG, WCO,ARG
AES-ECB, AES-CBC, AES-CTR, AES- OFB, AES-XTSEncryption and decryptionService for data encryption and decryptionAES keysCO, UEARG
TDES-CBC, Triple-DES ECBEARGTriple-DESCO,
AES-CCM, AES-GCMAuthenticated encryption and decryptionService for data encryption and decryption with added authenticationAES keysCO, UEARG
AES-CMAC, AES-GMACMAC generationService for MAC generationAES keysEARGCO,
HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2- 384, HMAC-SHA2-512MAC keysCO, UEARG
AES-CMAC, AES-GMACMAC verificationService for MAC verificationAES keysEARGCO,
HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2- 384, HMAC-SHA2-512MAC keysCO, UEARG
Counter DRBGRandom number generationGenerate random numbers by DRBGCO, URNoneDRBG CTR-
Counter DRBGRandom number generator reseedingForce reseeding of random number generatorDRBG CTR- 256 entropy, DRBG CTR- 256 seed, DRBG CTR- 256 state: Key, DRBG CTR- 256 state: VCO, UWNone
KDF SP800-108Key derivationKey derivationCO, UWARGKey
TLS v1.2 KDF RFC7627TLS v1.2 key derivationKey derivationKey Derivation keys, KDFCO, UWARG
HKDF key derivation or key derivation with two stepsKey Derivation Through Extraction-then- expansionKDA HKDF, KDA TwoStepKeyWCO, UARG
Key derivation for IKEv1IKEv1 key derivationKDF IKEv1WKey Derivation keys, KDF Derived KeysCO, UARG
Key derivation for IKEv2IKEv2 key derivationKDF IKEv2KeyWCO, UARG
Key derivation for SRTPSRTP key derivationKDF SRTPWKey Derivation keys, KDF Derived KeysCO, UARG
Wrap AES key 38FAES keyAES-KW (KTS), AES-KWP (KTS)CO,EAES keysARG
wrappingwrappingU
Wrap AES data 38FAES data wrappingAES-KW, AES-KWPEAES keysCO, UARG
Derive root keyTrusted root key derivationKDF SP800-108TrustedWCO, UARG
KDK key derivationTrusted KDK key derivationKDF SP800-108R, EKey Derivation keys, KDF Derived KeysCO, UARG
Wrap trusted keyTrusted key wrappingKDF SP800-108 and AES-KW (KTS)/AES-KWP (KTS)KKeyR, ECO, UARG
PBKDF2 key derivationPBKDF2 key derivationPBKDFR, EKDF Derived Keys, PBKDF passwordCO, UARG
DSA/Diffie-Hellman Domain Parameter verificationDSA/Diffie-DSA PQGVerEDSA keysCO, UARG
Generate asymmetric key pairs and DSA/Diffie-HellmanAsymmetric key pair generationRSA KeyGenERSA keysCO, UARG
DSA KeyGen, DSA PQGGenDSA KeyGen, DSA PQGGenCO,EDSA keysARG

SafeZone SW Cryptographic Module 2.0 DRBG CTR256 DRBG CTR256 U U U G, W G, W G, W U U U U G, W E E E U U E E U U E E U R U W U W U W

17 of 36
Page 18

SafeZone SW Cryptographic Module 2.0 Extraction-thenexpansion DSA/DiffieHellman U W U W U W U W U U U E E W U R, E U R, E U R, E U E U U E E

18 of 36
Page 19
Approved algorithm
NameKey Size
Domain ParameterDomain ParameterECDSA KeyGenECDSA keysCO, UEARG
KTS-IFCKTS-IFCRSA keysEARGCO,
KAS-FFC-SSCKAS-FFC-SSCDH keysCO, UEARG
KAS-ECC-SSCKAS-ECC-SSCECDH keysEARGCO,
Signature generationSignature generationGenerate signatureRSA SigGenRSA keysCO, UEARG
DSA SigGenDSA SigGenDSA keysEARGCO,
ECDSA SigGenECDSA SigGenECDSA keysCO, UEARG
Signature verificationSignature verificationVerify signatureRSA SigVerRSA keysEARGCO,
DSA SigVerDSA SigVerDSA keysCO, UEARG
ECDSA SigVerECDSA SigVerCO, UEARGECDSA
RSA-OAEP key wrappingRSA-OAEP key wrappingRSA-OAEP key wrapKTS-IFC (KTS)RSA keysCO, UEARG
Diffie-Hellman key agreementDiffie-Hellman key agreementDH key agreementKAS-FFC-SSCCO, UEARGDH keys,
Elliptic Curve Diffie-Hellman key agreementElliptic Curve Diffie-Hellman key agreementElliptic Curve DH agreementKAS-ECC-SSCECDH keys, ECDH Shared secretsCO, UEARG
SHA-1, SHA2-224, SHA2-256, SHA2-Digest computationCompute a digestNoneCO, UARG
Extensible Output FunctionExtensible Output FunctionCompute an extended outputSHAKE-128, SHAKE-256NoneCO, UARG
SHA-1, SHA2-224, SHA2-256, SHA2-NoneCO, UARGLoadLoad a
384, SHA2-512, SHA3-224, SHA3-precomputedprecomputed
256, SHA3-384, SHA3-512digestdigest
Service
NameRole AccessApproved Functions
unapproved parameters (e.g.,Generation, DSAunapproved parameters (e.g.,
key lengths and curves)Signaturekey lengths and curves)
verificationverificationunapproved key lengths
wrappingwrapping800-108
wrappingwrappingNIST SP 800-38F
encryptionencryptionPrimitives (NIST
primitiveprimitiveSP 800-56B)

SafeZone SW Cryptographic Module 2.0 U U U U U U U U U U E E E E E E E E E E U U E E U E U U U Table 8. Approved Services

19 of 36
Page 20

SafeZone SW Cryptographic Module 2.0 ECC DiffieHellman, ChaCha20Poly1305, TripleDES Encryption Table 9. Non-approved Services

20 of 36
Page 21
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisati on
AES128, 192, 256 bitsAES-ECB,KDF SP800-N/AMemory, plaintextSymmetric encryption/ decryption,Plaintext imported from TOEPPAES keysAsset deletion, module uninitializ ation
AES-CTR,AES-CTR,KDF IKEv1,
AES-OFB,AES-OFB,KDF IKEv2,
AES-XTS,AES-XTS,TLS v1.2 KDF
AES-GCM,AES-GCM,RFC7627,
AES-CCM,AES-CCM,KDF SRTP,
AES-CMAC,AES-CMAC,KDA HKDF,
AES-GMAC,AES-GMAC,KDA

SafeZone SW Cryptographic Module 2.0

5 Software/Firmware security

The SafeZone FIPS SW Cryptographic Module must be linked with an application to become executable. The software code of the module (libsafezone-sw-fips.so dynamically loadable library) is linked with an end application producing an executable application for the target platform. The application is installed in a platform-specific way, e.g., when purchased from an application store for the platform. In some cases, there is no need for installation, e.g., when a mobile equipment vendor includes the application with the equipment. The SafeZone FIPS SW Cryptographic Module is loaded by loading an application that links the library statically. The SafeZone FIPS SW Cryptographic Module is initialized automatically upon loading. On some platforms the module is implemented as a dynamically loadable module. In this case, the module is loaded as needed by the dynamic linker. The integrity check of the cryptographic module is described in section 10. The SafeZone FIPS SW Cryptographic Module does not support operator authentication and thus does not require any authentication itself.

6 Operational environment

The operational environments are defined in Table 2 - Tested Operational Environments and Table 3 - Vendor Affirmed Operational Environments. The module runs in a modifiable operating environment and uses modern operating systems, i.e., Linux. All processes spawned by the module are child processes of the module, and ownership of a process cannot be changed.

7 Physical security

The cryptographic module is software-only and does not have any physical security mechanisms.

8 Non-invasive security

The cryptographic module does not have non-invasive attack mitigation mechanisms.

9 Sensitive security parameters management
21 of 36
Page 22
Approved algorithm
NameKey SizeUse Function
TwoStep, CKG (SP 800- 133r2 6.1)AES-KW,
KDF SP800- 108, PBKDF, KDF IKEv1, KDF IKEv2, TLS v1.2 KDF RFC7627, KDF SRTP, KDA HKDF, KDA TwoStep, CKG (SP 800- 133r2 6.1)192 bitsTDES-ECB Decryption, TDES-CBC Decryption (Cert. A2836)Triple- DES keysPlaintext imported from TOEPPN/AMemory, plaintextAsset deletion, module uninitializ ationSymmetric decryption
MAC keys112- 512 bitsHMAC-SHA- 1, HMAC- SHA2-224, HMAC-SHA2- 256, HMAC- SHA2-384, HMAC-SHA2- 512 (Cert. A2836)MAC keysPlaintext imported from TOEPPN/AMemory, plaintextAsset deletion, module uninitializ ationGenerating and verifying HMAC authenticati on codesKDF SP800-
RSA KeyGen (FIPS 186-4), CKG (SP 800- 133r2 5.1, FIPS 186-4)1024, 2048, 3072, 4096 bitsRSA SigGen, RSA SigVer, RSA KeyGen, KTS-IFC, KTS-IFC (KTS) (Cert. A2836)RSA keysPlaintext imported from TOEPP/Plai ntext exported to RAMN/AMemory, plaintextAsset deletion, module uninitializ ationDigital signature, Key Transport
DSA KeyGen (FIPS 186-4), CKG (SP 800- 133r2 5.1, FIPS 186-4)DSA SigGen, DSA SigVer, DSA KeyGen (Cert. A2836)DSA keysN/AMemory, plaintextAsset deletion, module uninitializ ationDigital signature(L,N) =Plaintext
(2048,(2048,imported
224),224),from
(2048,(2048,TOEPP/Plai
256),256),ntext
(3072,(3072,exported
256)256)to RAM
ECDSA KeyGen (FIPS 186-4), CKG (SP 800- 133r2 5.1, FIPS 186-4)NIST P- 224, P- 256, P- 384, P- 521 curvesECDSA SigGen, ECDSA SigVer, ECDSA KeyGen (Cert. A2836)ECDSA keysPlaintext imported from TOEPP/Plai ntext exported to RAMN/AMemory, plaintextAsset deletion, module uninitializ ationDigital signature
DH keys2048- 8192 bitsKAS-FFC-SSC (Cert. A2836)DH keysN/AMemory, plaintextAsset deletion, module uninitializ ationKey agreementNIST SP 800-Plaintext
56Ar3 key56Ar3 keyimported
pairpairfrom
CKG (SP 800-CKG (SP 800-ntext
133r2 5.2,133r2 5.2,exported

SafeZone SW Cryptographic Module 2.0 (KTS), AESKWP (KTS) N/A TripleDES 112512 HMAC-SHA1, HMACSHA2-224, HMAC-SHA2256, HMACSHA2-384, N/A N/A (L,N) = NIST P224, P256, P384, P521 N/A (SP 800133r2 5.1, N/A 20488192 N/A

22 of 36
Page 23
Approved algorithm
NameKey SizeUse Function
NIST SP 800-NIST SP 800-to RAM
KAS-ECC-SSC (Cert. A2836)NIST P- 224, P- 256, P- 384 and P- 521 curvesNIST SP 800- 56Ar3 key pair generation, CKG (SP 800- 133r2 5.2, NIST SP 800- 56Ar3)Plaintext imported from TOEPP/Plai ntext exported to RAMECDH keysN/AMemory, plaintextAsset deletion, module uninitializ ationKey agreement
KAS-FFC-SSC (Cert. A2836)2048- 8192 bitsN/APlaintext exported to RAMDH Shared secretsN/AMemory, plaintextKey agreementAsset
KAS-ECC-SSC (Cert. A2836)NIST P- 224, P- 256, P- 384 and P- 521 curvesN/APlaintext exported to RAMECDH Shared secretsN/AMemory, plaintextAsset deletion, module uninitializ ationKey agreement
Key Derivati on keys112- 200 bitsN/APlaintext imported from TOEPPKey Derivati on keysN/AMemory, plaintextAsset deletion, module uninitializ ationKey derivationKDF SP800-
KDF SP800- 108, PBKDF, KDF IKEv1, KDF IKEv2, TLS v1.2 KDF RFC7627, KDF SRTP, KDA HKDF (Cert. A2836)112- 200 bitsKDF SP800- 108, PBKDF, KDF IKEv1, KDF IKEv2, TLS v1.2 KDF RFC7627, KDF SRTP, KDA HKDFPlaintext exported to RAMKDF Derived keysN/AMemory, plaintextAsset deletion, module uninitializ ationKey derivation
Counter DRBG (Cert. A2836)256- 1024 bitsENT (NP)N/ADRBG CTR- 256 entropyN/AMemory, PlaintextEntropy input materialsAsset
Counter DRBG (Cert. A2836)256- 1024 bitsCounter DRBGN/ADRBG CTR- 256 seedN/AMemory, PlaintextAsset deletion, module uninitializ ationEntropy input materials
Counter DRBG (Cert. A2836)256 bitsCounter DRBGN/AN/AMemory, PlaintextAssetDRBGKey for
CTR-deletion,CTR-DRBG used
256module256for random
state:uninitializstate:number and

SafeZone SW Cryptographic Module 2.0 NIST P224, P256, P384 and P521 N/A 20488192 N/A N/A N/A N/A NIST P224, P256, P384 and P521 112200 KDF SP800108, KDF N/A N/A 112200 N/A CTR256 2561024 N/A N/A CTR256 2561024 N/A N/A CTR256 N/A N/A

23 of 36
Page 24
Approved algorithm
NameMode MethodKey SizeUse Function
Counter DRBG (Cert. A2836)Counter DRBG128 bitsV value for DRBG used for random number and key/key pair generation purposes.DRBG CTR- 256 state: VN/AN/AMemory, PlaintextAsset deletion, module uninitializ ation
PBKDF (Cert. A2836)N/Avaries (at least 12 charact ers)Password or passphrasePBKDF passwo rdPlaintext imported from TOEPPN/AMemory, plaintextAsset
KDF SP800- 108 (Cert. A2836)N/A256 bitsKey used for deriving other keys as per NIST SP 800-108. Can only derive ‘Trusted KDK’ and ‘Trusted KEKDK’ keys.Trusted Root KeyPlaintext imported from TOEPPN/AMemory, plaintextAsset deletion, module uninitializ ation
ECDSA SigVer (Cert. A2836)N/ANIST P- 224Softwar e Integrit y Public Key (not SSP)N/AEmbedded in the software, plaintextPersisten t storage, plaintextnonePublic key

SafeZone SW Cryptographic Module 2.0 CTR256 N/A N/A N/A N/A N/A N/A e NIST P224 N/A N/A Table 10. SSPs

9.1 Random bit generators

The cryptographic module contains a Counter DRBG which uses AES-256 and derivation function. By default, the DRBG is seeded with CPU Time Jitter Based Non-Physical True Random Number Generator (JitterEntropy). It is also possible that the crypto officer may install another entropy source to the cryptographic module. The installed entropy source must be NIST SP 800-90B and FIPS 140-3 compliant. Enough bits of entropy must be provided according to the need of cryptographic algorithms. The RBG entropy sources are defined in the table below.

24 of 36
Page 25
Approved algorithm
NameKey Size
Entropy sourcesMinimum number ofEntropy sourcesDetails
256 bits of entropy minimum required to seed Counter DRBG AES-256256 bits of entropyJitterEntropy ENT (NP)Implemented by Stephan Mueller. It is an

SafeZone SW Cryptographic Module 2.0 Table 11. Non-Deterministic Random Number Generation Specification

10 Self-tests

The SafeZone FIPS SW Cryptographic Module includes the following self-tests:

25 of 36
Page 26

SafeZone SW Cryptographic Module 2.0

26 of 36
Page 27

SafeZone SW Cryptographic Module 2.0 The FL_LibStatus API function can be used to obtain the module status. It returns FL_STATUS_INIT when the module has not yet been initialized and FL_STATUS_ERROR when the module is in error state. As it is recommended to self-test cryptographic components (like DRBG) frequently, the module provides the capability to invoke the self-tests manually (on demand) with the FL_LibSelfTest API function. The important difference between the manually invoked self-tests and the automatically invoked self-tests when initializing the module is that the manually invoked self-tests will not cause zeroization of the key material currently loaded in the module, providing the tests execute successfully. In general, if a self-test fails, the module will transition to the error state and the return value (status) of the invoked API function will be something other than FLR_OK, depending on the current situation. Conditional self-tests for manual key entry and software/firmware load or bypass are not provided, as these are not applicable. Any error during the conditional self-tests will result in a module transition to the error state The cryptographic module uses the ECDSA NIST P-224 signature of the module binary for the integrity tests with SHA2-224 as the hash function. The public part of the key is always included with the module. The private part is stored in Rambus version control system and signing of the module is performed automatically by Rambus build system. Before running the integrity test, tests for the signature algorithms are executed. In case of failure in the integrity test the module will immediately transition to error state.

11 Life-cycle assurance
11.1 Version control

The SafeZone FIPS SW Cryptographic Module source code is maintained in a version control system (Mercurial). Changes are reviewed and automatically built and tested with continuous integration system (Jenkins).

11.2 CVE

There are no CVE’s which currently affect the module as the module is published.

11.3 User guidance for specific services

Some of the FIPS Publications or NIST Special Publications require that the Cryptographic Module Security Policy mentions important configuration items for those algorithms. The user of the module shall observe these rules.

11.3.1 NIST SP 800-108 Rev 1: Key Derivation Functions

All three key derivation functions, Counter Mode, Feedback Mode and Double-Pipeline Iteration Mode are supported.

27 of 36
Page 28
Service
NameApproved FunctionsLength of optional salt (in bits)The length of optional KDK (in bits)Security strength s supported (in bits)
(HMAC-)SHA- 1HMAC-SHA-1up-to 512160112 ≤ s ≤ 160
(HMAC-)SHA- 224HMAC-SHA- 224up-to 512224112 ≤ s ≤ 224
(HMAC-)SHA- 256HMAC-SHA- 256up-to 512256112 ≤ s ≤ 256
(HMAC-)SHA- 384HMAC-SHA- 384up-to 1024384112 ≤ s ≤ 384
(HMAC-)SHA- 512HMAC-SHA- 512up-to 1024512112 ≤ s ≤ 512
AES-128- CMACAES-128- CMAC128128112 ≤ s ≤ 128
AES-192- CMACAES-192- CMAC192128112 ≤ s ≤ 128
AES-256- CMACAES-256- CMAC256128112 ≤ s ≤ 128

SafeZone SW Cryptographic Module 2.0

11.3.2 NIST SP 800-56C Rev 2: Key-Derivation Methods in Key-Establishment Schemes

The SafeZone FIPS SW Cryptographic module provides hash and HMAC functions that can be used for One-Step Key Derivation as introduced in NIST SP 800-56C Rev

  1. The module also offers Extraction-then-Expansion function that can be used for Two-Step Key Derivation as introduced in NIST SP 800-56C Rev
  2. The Two-Step Key Derivation function uses HMAC with SHA-1/SHA224/SHA256/SHA384 or AES-CMAC and SHA512 and NIST SP 800-108 Key Derivation Function with Feedback Mode. The construct is compatible with some uses of RFC 5869. The following rules the user of the functions for NIST SP 800-56C Rev 2 Key Derivation functions shall observe: • • • • • • • • • • • • Key derived using NIST SP 800-56C Rev 2 shall only be used as secret keying material — such as a symmetric key used for data encryption or message integrity, a secret initialization vector, or, perhaps, a key-derivation key that will be used to generate additional keying material. The derived keying material shall not be used as a key stream for a stream cipher. When using HMAC algorithm for key derivation, the algorithms require a key. This key corresponds to salt in NIST SP 800-56C Rev
  3. If salt is to be omitted, use allzero-byte key at exactly the bit length of the hash algorithm. HKDF expansion function always uses NIST SP 800-108 Feedback Mode Key Derivation Function with single byte counter. This is interoperable with RFC 5869. The two-part extraction and expansion operation always uses the same underlying hash function or AES-CMAC for both extraction and expansion. AES-CMAC can be used to generate keys up to 128 bit security. For higher security hash- or HMAC-based schemes shall be used. HMAC-SHA-1 and HMAC-SHA-2 functions can be used to generate keys with 112512 bit strength. See table below for details. If HMAC is used for key derivation, salt can be up-to one hash input block. If AES-CMAC is used, the key extraction phase may use 128 bit, 192 bit or 256 bit salt, but the key-expansion step will always use AES-128-CMAC. The module does not support NIST SP 800-56C Rev 2 Single-Step Key Derivation. If the input for NIST SP 800-56C Key Derivation Function is a shared secret, the input must be destroyed after extraction (e.g., with FLS_AssetFree). Two-Step Key Derivation will make use of both salt and KDK. The input attributes and security strength of generated keys follows this table: (HMAC-)SHA1 (HMAC-)SHA224 HMAC-SHA224
28 of 36
Page 29

SafeZone SW Cryptographic Module 2.0 (HMAC-)SHA256 HMAC-SHA256 (HMAC-)SHA384 HMAC-SHA384 (HMAC-)SHA512 HMAC-SHA512 AES-128CMAC AES-128CMAC AES-192CMAC AES-192CMAC AES-256CMAC AES-256CMAC

11.3.3 HMAC-based Extract-and-Expand Key Derivation Function (HKDF)

The SafeZone FIPS SW Cryptographic module provides HMAC-based Key Derivation Function from RFC 5869, known as HKDF. This function is similar to NIST SP 800-56C Rev 2 Two-Step Key Derivation, but not the same.

11.3.4 NIST SP 800-132: PBKDF Function

The key derived using NIST SP 800-132 shall only be used for storage purposes. The options 1a, 1b, 2a and 2b presented in NIST SP 800-132 for deriving the DPK (Data Protection Key) from the MK (Master Key) are supported. The SafeZone FIPS Lib does not limit the length of the password used in NIST SP 800-132 PBKDF key derivation. The upper bound for the strength of passwords usually used is between 5 or 6 bits per character, which indicates the upper bound for the probability of the password being randomly guessed is 1 / (64 ^ length_of_password). To achieve security over 64 bits, the passwords must generally be longer than 12 characters. With compliance to NIST SP 800-132 and the FIPS 140-3 Implementation Guidance D.N, these requirements and limits must be followed by user:

29 of 36
Page 30

SafeZone SW Cryptographic Module 2.0

11.3.5 NIST SP 800-38D: Galois/Counter Mode (GCM) and GMAC

The FIPS 140-3 Implementation Guidance C.H applies to AES-GCM and GMAC usage with this module. Scenario/technique 1, 2 and 3 in IG C.H are supported by this module. With compliance to technique 1 in IG C.H, the module supports AES-GCM with IPSec and TLS v1.2, both must be initialized with FLS_EncryptAuthInitDeterministic function for encryption and with FLS_CryptAuthInit for decryption. The FLS_CryptAuthInit function is also used for subsequent encryption operations for operation sequences started with the FLS_EncryptAuthInitDeterministic function (In this case the input IV/Nonce must be NULL since IG C.H forbids using external IV for encryption). With compliance to technique 2 or 3 in IG C.H, the operator must use the FLS_EncryptAuthInitRandom function if random IV generation (IG C.H Technique 2) is required, or in case of deterministic IV generation (IG C.H Technique 3), the FLS_EncryptAuthInitDeterministic function. It is not possible to use random IV generated externally. The module supports AES-GCM with SRTP (RFC 7714). For SRTP, functions FLS_EncryptAuthSrtp, FLS_EncryptAuthSrtcp have been introduced. These functions provide equivalent functionality than FLS_EncryptAuthInitDeterministic, but work with SRTP protocols. SRTP IV consists of 32-bit field, SSRC (synchronization source), which acts like 32-bit Module Name of IG C.H Technique 3. SRTP uses 48-bit counter ROC || SEQ. This counter is incremented internal to the cryptographic module. The module will detect overflow of counter. It is the responsibility of the users to rekey upon counter overflow. In addition, SRTP uses 96-bit Encryption Salt that is XORed with other fields. For control purposes, SRTP has an additional protocol, SRTCP. SRTCP protocol is otherwise identical to SRTP, but it uses different keys, and IV format where ROC || SEQ is replaced by SRTCP index. SRTCP index is incremented internal to the cryptographic module. The module will allow only 2^31 packets to be produced with SRTCP prior rekeying.

30 of 36
Page 31

SafeZone SW Cryptographic Module 2.0

11.3.6 NIST SP 800-38E: XTS Mode

The module supports XTS Mode for Confidentiality on Storage Devices. Both XTS-AES-128 (256 bit key) and XTS-AES-256 (512 bit key) are supported. The XTS-AES key is parsed as concatenation of two AES keys Key_1 and Key_2. As is explained in FIPS 140-3 Implementation Guidance C.I, it is required that Key_1 ≠ Key_2. If Key_1 = Key_2, attempt to perform XTS-AES encryption or decryption will fail. The XTS Mode is only approved for usage in storage applications.

11.3.7 NIST SP 800-133 Rev 2: Key Generation (CKG)

The module allows key generation and generates keys according to the following NIST SP 800-133-r2 sections: 5.1, 5.2, 6.1. Key generation will use NIST SP 800-90A Rev1 DRBGCTR AES-256. The output of the approved DRBG is used unmodified when symmetric keys are generated. It is also used unmodified as random input for asymmetric key generation.

11.3.8 NIST SP 800-107 Rev 1: Truncated HMAC

The module supports truncation of HMAC results for all SHA-1 and SHA-2 family hash functions. These include e.g., HMAC-SHA-1-80, HMAC-SHA-1-96, HMAC-SHA-256-128, HMAC-SHA-384-192 and HMAC-SHA-512-256. Following guidance of NIST SP 800-107 Rev 1, it is not allowed to truncate HMAC to less than 32-bits. Therefore, minimum allowed mac output length argument for the FLS_MacGenerateFinish or FLS_MacVerifyFinish is 4.

11.3.9 NIST SP 800-56A Rev 3: Pair-Wise Key-Establishment Schemes (KAS-ECC and KAS-FFC)

The module provides Discrete Logarithm Cryptographic-based key agreements compliant with NIST SP 800-56A-r3 according to scenario 2 path (1) of FIPS 140-3 Implementation Guidance D.F. The KAS-ECC-SSC schemes provide between 112 and 256 bits of security strength. The KAS-FFC-SSC schemes provide between 112 and 200 bits of security strength.

11.4 Porting maintaining validation

SafeZone FIPS 140-3 product is typically delivered in binary format. The product in binary format is validated for platforms mentioned in the validation certificate. There is also another product available from Rambus: source code product. This package can be recompiled by the user for their target platform. However, if changes to the module are required, they need to be processed as a revalidation for FIPS 140-3.

31 of 36
Page 32

SafeZone SW Cryptographic Module 2.0 When ported to an operational environment which is not listed on the validation certificate, no claims can be made as to the correct operation of the module and the security strengths of any keys generated by the module.

12 Mitigation of other attacks

The cryptographic module does not implement security mechanisms to mitigate other attacks.

32 of 36
Page 33

SafeZone SW Cryptographic Module 2.0 Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CO Crypto Officer CTR Counter Mode DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KW AES Key Wrap KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSP Sensitive Security Parameter U User

33 of 36
Page 34

SafeZone SW Cryptographic Module 2.0 Appendix B. References FIPS 140-3 FIPS PUB 140-3

34 of 36
Page 35

SafeZone SW Cryptographic Module 2.0 NIST SP 800-38E NIST Special Publication 800-38E

35 of 36
Page 36

SafeZone SW Cryptographic Module 2.0 NIST SP 800-140B NIST Special Publication 800-140B

36 of 36

Referenced URLs