All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Digital.ai Key & Data Protection Module

Certificate#4910StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorDigital.ai Software, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 19 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/2/2026
CaveatInterim Validation; No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorDigital.ai Software, Inc.
Hardware versionsN/A

Approved Algorithms (6)

AlgorithmACVP Cert
AES-ECBA3516
ECDSA SigVer (FIPS186-4)A3516
HMAC-SHA2-256A3516
KAS-ECC CDH-Component SP800-56Ar3A3516
SHA2-256A3516
SHA2-512A3516

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Digital.ai Key & Data Protection Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Recoverable errors from the normal</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test service is</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Digital.ai Key & Data Protection Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Recoverable errors from the normal</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test service is</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C6 clueLow;

Security Policy, page by page

Page 1

Digital.ai Key & Data Protection Module Version 1.0 This document may be freely reproduced and distributed, but only in its entirety and without modification.

Page 2
Table of Contents
#SectionPage
1General Information5
1.1Overview5
1.2Security Levels5
2Cryptographic Module Specification6
2.1Description6
2.2Version Information6
2.3Operating Environment (OE)7
2.3.1Software, Firmware, Hybrid Tested Operating Environment7
2.3.2Executable Code Sets7
2.3.3Vendor Affirmed Operating Environments7
2.4Excluded Components7
2.5Modes of Operation7
2.6Security Functions8
2.6.1Approved Algorithms8
2.6.2Vendor Affirmed Algorithms8
2.6.3Non-Approved Algorithms8
2.6.4Non-Approved, Allowed Algorithms with No Security Claimed8
2.6.5NON-APPROVED9
2.7Security Function Implementations (SFI)9
2.8Algorithm Specific Information9
2.9RNG and Entropy9
2.10Key Generation9
2.11Key Establishment9
2.12Industry Protocols9
2.13Security Design and Rules of Operation10
2.14Initialization10
3Cryptographic Module Interfaces11
3.1Ports & Interfaces11
4Roles, Services, and Authentication11
4.1Authentication Methods11
4.2Roles11
4.3Approved Services12
Non-Approved Services13
4.4External Software Loaded13
5Software/Firmware Security14
5.1Integrity Techniques14
5.2Initiate on Demand14
6Operational Environment14
6.1Operational Environment Type and Requirements14
6.2Configuration Settings and Restriction14
7Physical Security15
8Non-Invasive Security15
9Sensitive Security Parameter (SSP) Management16
9.1SSPs16
9.2Zeroization17
10Self-Tests17
10.1Pre-Operational Self-Tests17
10.2Conditional Self-Tests17
10.3Periodic Self-Tests18
10.4Error States18
11Life-Cycle Assurance18
11.1.1Startup Procedures19
11.1.2Sanitization20
11.2Administrator Guidance20
11.3Non-Administrator Guidance20
12Mitigation of Other Attacks20
13Appendix A: References21
14Appendix B: Abbreviations and Definitions22
1General1
9Sensitive Security Parameter Management1
Page 5
Security level
NameISO SectionRequirementLevel
2General12
33Cryptographic Module Specification1
4Cryptographic Module Interfaces14
55Roles, Services, and Authentication1
6Software/Firmware Security16
77Operational Environment1
8Physical SecurityN/A8
99Non-Invasive SecurityN/A
10Sensitive Security Parameter Management110
1111Self-Tests1
12Life-Cycle Assurance112
Overall Level Mitigation of Other AttacksOverall Level Mitigation of Other AttacksN/A

1. GENERAL INFORMATION 1.1 O VERVIEW 1.2 S ECURITY L EVELS This document defines the Security Policy for the Digital.ai Key & Data Protection Module software cryptographic module. The module is a sophisticated implementation of whitebox cryptography (Class A safety-critical software per IEC 62304) that ingests cryptographic keys for use in the cryptographic operations performed by methods in the module’s libraries. Whitebox cryptography is a field of study and a set of techniques aimed at protecting cryptographic algorithms and keys from being compromised in a hostile environment where an attacker has complete access to the implementation and execution of the cryptographic algorithms. The module is designed to allow a user to use both obfuscation and encryption on sensitive data and chain together to reduce or remove the possibility of a successful attack. The module meets FIPS 140-3 overall Security Level 1 requirements and is intended for use by US Federal agencies and other markets that require FIPS 140-3 validation. The cryptographic boundary of the module is the entire monolithic library file. Table 1

Page 6

2. CRYPTOGRAPHIC MODULE SPECIFICATION 2.1 D ESCRIPTION Purpose and Use: The module is a sophisticated implementation of whitebox cryptography that ingests keys for use in the cryptographic operations performed by methods in the Digital.ai Key & Data Protection Module libraries. Module Type: The module is defined as a software module (refer to ISO/IEC 19790, Section 7.2.2) Module Embodiment: The module and OE are defined as a multi-chip standalone module. Module Characteristics: The module comprises a single, dynamic library built as an object file (libtfit_fips_module.so). Cryptographic Boundary: The cryptographic boundary is defined as the Digital.ai Key & Data Protection Module. The boundary encompasses the entire monolithic library file named ‘libtfit_fips_module.so’. Figure 1

Page 7
ModuleSoftware VersionOperational Environment (OE)
8.3.1
Digital.ai Key & Data Protection(Android v12 on ARMv8.2-A Cortex-A75) Android 64 bit
Operating SystemHardware PlatformProcessor(s)PAA/Acceleration
Package/File NamesSoftware VersionIntegrity Test

Table 2

2.3.1 S OFTWARE , F IRMWARE , H YBRID T ESTED O PERATING E NVIRONMENT

The module’s operational environment (OE) is defined as modifiable and includes all the module’s components, the hardware platform, and the operating system. N/A

2.3.2 E XECUTABLE C ODE S ETS

N/A The module comprises a dynamic library in the form of an object file that can in turn be linked with an executable overarching application. Table 4

2.3.3 V ENDOR A FFIRMED O PERATING E NVIRONMENTS

The module does not support any vendor affirmed operating environments. 2.4 E XCLUDED C OMPONENTS 2.5 M ODES OF O PERATION The module does not exclude any components from the requirements of FIPS 140-3. The Digital.ai Key & Data Protection Module only has an ‘approved’ mode of operation. There are no undefined or ‘non-approved’ modes or services within the module. By default, the approved mode is entered into when powering on the module. When called successfully, each of the approved services returns a ‘0’ integer value. If any other value is returned, the module transitions to its defined error state. The module returns ‘Digital.ai Key & Data Protection Module Version: 8.3.1’ to indicate its approved mode of operation. N.B. The module does not incorporate a degraded mode of operation (refer to ISO/IEC 19790 Section 7.2.4.3).

Page 8
Approved algorithm
NameCAVP CertKey SizeUse FunctionReference
AESA3516256-bitEncryption / Decrypti onFIPS 197, NIST SP 800-38AECB
A3516A3516P-256Signature VerificationFIPS 186-4Sig VerECDSA
HMAC- SHA-256 KAS-ECCA3516 A3516256-bit P-256Software Integrity Check Calculates a Shared Secret (Z)FIPS 198-1 SP 800-56Ar3N/A ECC CDH
CDH Component SHSA3516N/Avalue Digital Signature VerificationFIPS 180-4
AlgorithmCaveatUse/Function
AlgorithmCaveatUse/Function
AlgorithmCaveatUse/Function
2.6 S ECURITY F UNCTIONS
2.6.1 A PPROVED A LGORITHMS

The module implements the following approved cryptographic functions listed in the following table: Table 5

2.6.2 V ENDOR A FFIRMED A LGORITHMS

Hash Generation There are no vendor affirmed algorithms within boundaries of the module. Table 6

2.6.3 N ON -A PPROVED A LGORITHMS

There are no non-approved allowed algorithms within boundaries of the module. Table 7

2.6.4 N ON -A PPROVED , A LLOWED A LGORITHMS WITH N O S ECURITY C LAIMED

There are no non-approved algorithms within boundaries of the module. Table 8

Page 9
Service
NameDescriptionApproved FunctionsType
KAS-ECC CDH-Shared SecretKAS-ECC CDH-Component /KAS-ECC CDH-
AlgorithmCaveatUse/Function
2.6.5 NON-APPROVED

There are no non-approved not allowed algorithms within boundaries of the module. Table 9

2.10 K EY G ENERATION

The module does not support the generation of cryptographic keys. The module does not implement random number generation.

2.11 K EY E STABLISHMENT

The module does not support key establishment methods.

2.12 I NDUSTRY P ROTOCOLS

The module does not support any industry standard protocols.

Page 10
2.13 S ECURITY D ESIGN AND R ULES OF O PERATION

The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module. − − − − − − − − − − − − − The operator shall be capable of commanding the module to perform the power up selftests by power cycling the system or by re-loading the library into the application. Power up self-tests do not require any operator action. Data output shall be inhibited by self-tests, zeroization and error states. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. The module does not support concurrent operators. The module does not support a maintenance interface or role. The module does not support manual key entry. The module does not have any external input/output devices used for entry/output of data. All CSPs are protected from unauthorized access, use, disclosure, modification, and substitution. The module does not persistently store CSPs. CSPs are provided to the module for the purpose of executing cryptographic operation. All PSPs are protected from unauthorized modification and substitution. The module does not output cryptographic keys. The operator can command the module to perform the Pre-Operational and Conditional self-tests at any time by loading the module in memory space of an application requiring its services. When the module is in an error state, the operator shall not have access to any cryptographic service.

2.14 I NITIALIZATION

The module does not require specific initialization as no CSPs are stored within its cryptographic boundary. The module is loaded into an application address space requiring its services. On load, the module immediately performs self-testing of all its cryptographic functions and output status of the tests (refer to Section 10).

Page 11
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AControl input
N/AN/AControl outputN/A
N/AN/AData outputData returned in which is the result of the API service transaction.
N/AN/AData inputData passed in which the API service will be transacted upon.
Service
NameRolesInputOutputInputService
Cryptographic Officer (CO)Cryptographic Officer (CO)Cryptographic Officer (CO)
AES EncryptPlaintext data to encryptStatus & Ciphertext Data
AES DecryptStatus & Plaintext DataCiphertext data to decrypt
ECDSA VerifyPlaintext data and digital signature to be verifiedStatus
Generate Shared SecretOther Party's Public KeyStatus & Shared Secret (Z)Generate Shared Secret
Zeroize Create HashN/A Data to be Hashed, length,Status Status, digest, & length

3.1 P ORTS & I NTERFACES Table 11

Page 12
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputService
Generate HMACData to be input intoStatus & MAC
Verify HMACHMAC algorithm Data to be input into HMAC algorithm & HMACStatus
Load AES Encryption KeyAES KeyStatus
Load AES Decryption KeyAES KeyStatus
Load ECDH Private KeyECDH Priv KeyStatus
Load ECDSA Public KeyECDSA Pub KeyStatusLoad ECDSA Public Key
Load HMAC Generate KeyHMAC KeyStatus
Load HMAC Verification KeyHMAC KeyStatus
Get StatusN/AStatus
Show VersionN/AModule name & Version number
AES EncryptE
AES encryptionAES encryptionCOAES KeyAES Key:
AES DecryptAES decryptionCOAES KeyEncrypt AES ECBE AES Key:Error Code) Integer value (0 = Success or
DecryptDecryptError Code)
ECDSA VerifyE
ECDSA digital signatureECDSA digital signatureInteger value (0 = Verified or
ECDSA Sig VerCOECDSA Pub KeyECDSA Sig VerECDSA Pub Key:
Generate Shared Secretverification Calculates a shared secretCOECDH Pub Key ECDH PrivKAS-ECC CDH- ComponentW, E, Z E, Z ECDH Pub Key: G ECDH Priv:Error Code) Integer value (0 = Success or
Shared Secret (Z)Shared Secret (Z)Shared Secret (Z):Error Code)
ZeroizeZ
Zeroizes all SSPsZeroizes all SSPsCOAll SSPsN/AAll SSPs:
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputService
Generate HMACData to be input intoStatus & MAC
Verify HMACHMAC algorithm Data to be input into HMAC algorithm & HMACStatus
Load AES Encryption KeyAES KeyStatus
Load AES Decryption KeyAES KeyStatus
Load ECDH Private KeyECDH Priv KeyStatus
Load ECDSA Public KeyECDSA Pub KeyStatusLoad ECDSA Public Key
Load HMAC Generate KeyHMAC KeyStatus
Load HMAC Verification KeyHMAC KeyStatus
Get StatusN/AStatus
Show VersionN/AModule name & Version number
AES EncryptE
AES encryptionAES encryptionCOAES KeyAES Key:
AES DecryptAES decryptionCOAES KeyEncrypt AES ECBE AES Key:Error Code) Integer value (0 = Success or
DecryptDecryptError Code)
ECDSA VerifyE
ECDSA digital signatureECDSA digital signatureInteger value (0 = Verified or
ECDSA Sig VerCOECDSA Pub KeyECDSA Sig VerECDSA Pub Key:
Generate Shared Secretverification Calculates a shared secretCOECDH Pub Key ECDH PrivKAS-ECC CDH- ComponentW, E, Z E, Z ECDH Pub Key: G ECDH Priv:Error Code) Integer value (0 = Success or
Shared Secret (Z)Shared Secret (Z)Shared Secret (Z):Error Code)
ZeroizeZ
Zeroizes all SSPsZeroizes all SSPsCOAll SSPsN/AAll SSPs:
Create HashGenerates a SHACON/ASHA-256 orN/AInteger value (0 = Success or
digestdigestSHA-512Error Code)
HMACHMAC-SHA-
Generates HMACGenerates HMACCOHMAC KeyHMAC Key:
Verify HMACVerifies HMACCOHMAC Key256 HMAC-SHA-E HMAC Key:Error Code) Integer value (0 = Verified or
Load AES256Error Code)
EncryptionW
Loads the AES KeyLoads the AES KeyCOAES KeyN/AAES Key:
Load A ES Decryption KeyLoads the AES KeyCOAES KeyN/AW AES Key:Error Code) Integer value (0 = Success or
Load ECDHW
Private KeyLoads the ECECDH Priv KeyECDH Priv Key:Integer value
private key for use in the shared secretprivate key for use in the shared secretCON/A
Load ECDSA Public Keycalculation. Loads the ECDSACOECDSA Pub KeyN/AW ECDSA Pub Key:Error Code) Integer value (0 = Success or
Pub KeyPub KeyError Code)
Generate KeyLoads the HMAC
N/ACOHMAC KeyN/AHMAC Key:
Load HMAC Verification KeyKey Loads the HMACCOHMAC KeyN/AW HMAC Key:Error Code) Integer value (0 = Success or
N/ACON/AN/AN/A
Show Versionof the module Returns the ID and version of theCON/AN/AN/AError Code) Module name &
modulemoduleversion
Self-test service isSelf-test service is<Self-Test Name> +
invoked by loading or reloading theinvoked by loading or reloading theCON/AAllN/A
RoleAuthentication MethodAuthentication Strength

Self-Test N/A N/A N/A N/A Table 13

Page 13

N/A N/A HMAC-SHA256 HMAC-SHA256 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. N ON -A PPROVED S ERVICES The module does not implement any non-Approved services. 4.4 E XTERNAL S OFTWARE L OADED The module does not implement external software loading capabilities.

Page 14
  1. SOFTWARE/FIRMWARE SECURITY The executable code is provided as a dynamic library (libtfit_fips_module.so) to a consuming application which interfaces to the library. The library’s integrity is protected using HMAC-SHA256 at the time of development. The Conditional and Pre-Operational Self-Tests run upon instantiation of the module. All cryptographic algorithm self-tests (CAST) must successfully pass its applicable self-test for the module to transition to its ‘normal’ operation. If a Self-Test fails for any reason, a message is printed to standard error (the assert logcat on Android) and forces termination of the application. 5.1 I NTEGRITY T ECHNIQUES 5.2 I NITIATE ON D EMAND As part of the pre-operational self-tests, a software integrity test comprising HMAC-SHA-256 is performed. If the software integrity test fails, the module does not load and returns an error over stderr (refer to Section 10.1). The module's consuming application can be restarted at any time to perform a periodic self-test.
  2. OPERATIONAL ENVIRONMENT The module’s operational environment supports process isolation. Each process is logically separated from all other processes by the operating system and hardware. The module functions entirely within a single process. The operational environment enforces process separation using virtual memory. The virtual memory system uses the memory management unit (MMU) hardware to prevent processes from accessing the memory image of another process. 6.1 O PERATIONAL E NVIRONMENT T YPE AND REQUIREMENTS 6.2 C ONFIGURATION S ETTINGS AND R ESTRICTION The module is designed to run on an Android v12 operational environment (OE). The OE is classified as modifiable. The tested OE and platforms are detailed in Table
  3. The module has no interaction with the OE, so all requirements for FIPS 140-3 Security Level 1 are satisfied. There are no security rules, settings, or restrictions on the configuration of the operational environment imposed by the module. The module has no interaction with the operational environment.
Page 15

The consuming application may define security rules, configuration settings, or restrictions on the OE.

  1. PHYSICAL SECURITY Physical Security requirements are not applicable, as the module is a FIPS 140-3 Security Level 1 software module.
  2. NON-INVASIVE SECURITY The module does not claim any security from non-invasive attack methods.
Page 16
Sensitive security parameter
NameStrengthGenerationEstablishmentStorageZeroizationUseImport Export
AES Key256 bitsN/AN/ARAMData Encryption / DecryptionAES-ECB (Cert. #A3516)Entry: Plaintext Output: N/A
Entry: PlaintextEntry: Plaintext‘Zeroize’ Service
ECDH Priv Key128 bitsN/AN/ARAMafter use ‘Zeroize’ Service and immediatelyGenerate Shared Secret (Z)ECC CDH Component (Cert. #A3516)Entry: Plaintext Output: N/A
ECDH Pub Key128 bitsN/AN/ARAMGenerate Shared Secret (Z)ECC CDH Component (Cert. #A3516)Entry: Plaintext Output: N/Aafter use
ECDSA Pub Key128 bitsN/AN/ARAMafter use ‘Zeroize’ Service and immediatelyECDSA Digital Signature VerificationECDSA Sig Ver (Cert. #A3516)Entry: Plaintext Output: N/A
HMAC Key256-bitsN/AN/ARAMGenerate and Verify HMACsHMAC-SHA-256 (Cert. #A3516)Entry: Plaintext Output: N/Aafter use
Shared Secret (Z)256 bitsN/AN/ARAMafter use ‘Zeroize’ Service and immediatelyNot used by the moduleECC CDH Component (Cert. #A3516)Entry: N/A Output: Plaintext
  1. SENSITIVE SECURITY PARAMETER (SSP) MANAGEMENT The module incorporates both Critical Security Parameters (CSPs) and Public Security Parameters (PSPs). 9.1 SSP S The module incorporates SSPs as defined with Table
  2. Table 15 – SSPs N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
Page 17
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTestConditionIndicator
HMAC-SHA- 256HMAC-SHA- 256KATSoftware IntegrityVerifies the HMAC- SHA-256 message authentication code for the software.Software Integrity Test256-bit
TestTestMethod
SoftwareCASTEncryptSoftwareKATModule load
AES-ECB DecryptAES-ECB DecryptCASTDecryptSoftwareKATModule loadfailed” “aes_KAT passed” or “aes_KAT
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTestConditionIndicator
HMAC-SHA- 256HMAC-SHA- 256KATSoftware IntegrityVerifies the HMAC- SHA-256 message authentication code for the software.Software Integrity Test256-bit
TestTestMethod
SoftwareCASTEncryptSoftwareKATModule load
AES-ECB DecryptAES-ECB DecryptCASTDecryptSoftwareKATModule loadfailed” “aes_KAT passed” or “aes_KAT
SoftwareCASTSoftwareKATModule load
“ecdh_KATPrimitive Shared“ecdh_KAT
passed” or “ecdh_KATSecret (‘Z’) Computationpassed” or “ecdh_KAT
ECDSA Sig VerECDSA Sig VerCASTKAT VerifySoftwareKATModule loadfailed” “ecdsa_KAT passed” or “ecdsa_KAT
HMACHMACfailed”
SoftwareCASTGenerationSoftwareKATModule load
SHASHACASTHashSoftwareKATModule loadfailed” sha_KAT passed or “sha_KAT

9.2 Z EROIZATION 10. SELF-TESTS SSPs are not persistently stored. During normal operation, the module explicitly erases copies of SSPs in volatile memory (e.g., RAM) by overwriting with zeros after their use. SSPs temporarily stored in volatile memory can be zeroized via the ‘Zeroize’ service. On instantiating the consuming application, the module performs the self-tests described in Tables

16 & 17 below. All KATs must be completed successfully prior to any use of cryptography by the

module. If one of the KATs fails, the module transitions to its appropriate error state.

10.1 P RE -O PERATIONAL S ELF -T ESTS

The module implements both preoperational and conditional self-tests. Since the pre-operational Table 16

10.2 C ONDITIONAL S ELF -T ESTS

Table 17

Page 18
Service
NameDescriptionRole AccessIndicatorRecovery Method
Soft ErrorSoft ErrorRecoverable errors from the normal operation of the moduleError conditions from the result of a service callThe module will continue to operate as normal.
Recoverable errors from the normalRecoverable errors from the normalError conditions from the result of aInteger value isThe module will continue to operate as
Hard ErrorHard ErrorA fatal error that ends the current operation of the module.Failure of pre- operational or conditional self-testsThe module aborts service, outputs error indicator, and forces a segmentation fault. The module must beapplication. Error message is output on stderr (standard error)
10.3 P ERIODIC S ELF -T ESTS

The module is designed to meet the requirements of FIPS 140-3 Security Level 1. It does not implement automated periodic self-testing. However, the module's consuming application may be restarted at any time to perform a periodic self-test.

10.4 E RROR S TATES

The module supports the following error states. Table 18

Page 19

Module code utilizes semantic versioning to each release indicating major, minor or patch releases along with release notes providing guidance in the use of each iteration of module’s code. The module has a semantic version number. The Git configuration management system assigned a message digest to each commit which uniquely identifies the version. Configuration management systems retaining module code are periodically backed up using a solution that allows both full and incremental restoration. The procedures for secure installation, initialization, startup, and operation of the module are provided in sections 11.1, 11.2, and 11.3 of this Security Policy and the module’s user guidance. A comprehensive developer guide documenting the entire API is provided. The developer guide provides all Administrator guidance. The developer guide is versioned and managed within the same secure configuration management systems. The configuration management system is protected with user authentication measures to prevent unauthorized access. All changes can be made only by authorized individuals. An automated system is in place to notify other users when any change has been made to prevent unknown changes from being made. All changes are made on development branches in Git and are reviewed by separate people before releasing to production. The only maintenance required is to install new versions of the module when they are made available to fix discrepancies or add features. The update procedure is the same as the installation procedure, with the new module file(s) replacing the existing ones. Any new version of the module is outside the scope of this validation and requires a separate FIPS 140-3 validation. The procedures for secure installation, initialization, startup, and operation of the module are provided in module’s user guidance. Additionally, a comprehensive developer guide documenting the entire API is provided. The developer guide provides all Administrator guidance. The developer guide is versioned and managed within the same secure configuration management system. The configuration management system is protected with user authentication measures to prevent unauthorized access. All changes can be made only by authorized individuals via access rights (i.e., read/write). An automated system is in place to notify other users when any change has been made. All changes are made on development branches in Git and are reviewed by separate people before releasing to production. The only maintenance required is to install new versions of the module when they are made available to fix discrepancies or add features. The update procedure is the same as the installation procedure, with the new module file(s) replacing the existing ones. Any new version of the module is outside the scope of this validation and requires a separate FIPS 140-3 validation. 11.1.1 S TARTUP P ROCEDURES The module does not provide a non-approved mode of operation and is as such always in an approved mode once loaded into memory by the calling application and its automated self-tests are executed successfully. Since the module does not generate keys or support authentication, it does not need to be initialized.

Page 20

11.1.2 S ANITIZATION The module is a software module that does not store any persistent SSPs. The module should be uninstalled from the OE when no longer needed.

11.2 A DMINISTRATOR G UIDANCE

The Crypto Officer shall configure their Android app project according to instructions detailed in the module’s user guidance.

11.3 N ON -A DMINISTRATOR G UIDANCE

There is no authentication component to the Module, so no further setup is required. No zeroization is required during installation. 12. MITIGATION OF OTHER ATTACKS The module does not claim any attack mitigation beyond FIPS 140-3 Security Level 1 requirements.

Page 21
Approved algorithm
NameUse Function
[1][1]NIST2019
[2]FIPS 180-4 – Secure Hash Standard (SHS)[2]NIST2015
FIPS 186-4 – Digital Signature Standard (DSS)[3]NIST2013
[4]FIPS 197 – Advanced Encryption Standard (AES)[4]NIST2023
FIPS 198-1 – The Keyed-Hash Message Authentication Code ISO/IEC 19790 - Information technology - Security techniques[5] [6]NIST ISO/IEC2008 2014
[7]- Security requirements for cryptographic modules[7]ISO/IEC2017
- Test requirements for cryptographic modules NIST SP 800-38A – Recommendation for Block Cipher Modes[8]NIST2001
[9]of Operation: Methods and Techniques[9]NIST2020
Cryptography NIST SP 800-131Ar2 – Transitioning the Use of Cryptographic[10]NIST2019
[11]Algorithms and Key Lengths[11]NIST2020

13. APPENDIX A: REFERENCES Table 19

Page 22
Acronyms
NameTermDefinition
AESAESAdvanced Encryption Standard
APIAPIApplication Programming Interface
CASTCASTCryptographic Algorithm Self-Test
COCOCryptographic Officer
ECBECBElectronic Code Book
ECC CDHECC CDHElliptic Curve Cryptography Cofactor Diffie-Hellman
ECDSAECDSAElliptic Curve Digital Signature Algorithm
EFP/EFTEFP/EFTEnvironment Failure Protection/Environment Failure Testing
FIPSFIPSFederal Information Processing Standards
HMACHMACHashed or Hash-based Message Authentication Code
IECIECInternational Electrotechnical Commission
IGIGImplementation Guidance
ISOISOInternational Standards Organization
KASKASKey Agreement Scheme
KATKATKnown Answer Test
OEOEOperating Environment
SHSSHSSecure Hash Standard
SPSPSecurity Policy

14. APPENDIX B: ABBREVIATIONS AND DEFINITIONS Table 20