| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/2/2026 |
| Caveat | Interim Validation; No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs |
| Vendor | Digital.ai Software, Inc. |
| Hardware versions | N/A |
| Algorithm | ACVP Cert |
|---|---|
| AES-ECB | A3516 |
| ECDSA SigVer (FIPS186-4) | A3516 |
| HMAC-SHA2-256 | A3516 |
| KAS-ECC CDH-Component SP800-56Ar3 | A3516 |
| SHA2-256 | A3516 |
| SHA2-512 | A3516 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for Digital.ai Key & Data Protection Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Recoverable errors from the normal</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test service is</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Digital.ai Key & Data Protection Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Recoverable errors from the normal</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test service is</i><br/>src: securityPolicy.services"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C6 clueLow;Digital.ai Key & Data Protection Module Version 1.0 This document may be freely reproduced and distributed, but only in its entirety and without modification.
| # | Section | Page |
|---|---|---|
| 1 | General Information | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Version Information | 6 |
| 2.3 | Operating Environment (OE) | 7 |
| 2.3.1 | Software, Firmware, Hybrid Tested Operating Environment | 7 |
| 2.3.2 | Executable Code Sets | 7 |
| 2.3.3 | Vendor Affirmed Operating Environments | 7 |
| 2.4 | Excluded Components | 7 |
| 2.5 | Modes of Operation | 7 |
| 2.6 | Security Functions | 8 |
| 2.6.1 | Approved Algorithms | 8 |
| 2.6.2 | Vendor Affirmed Algorithms | 8 |
| 2.6.3 | Non-Approved Algorithms | 8 |
| 2.6.4 | Non-Approved, Allowed Algorithms with No Security Claimed | 8 |
| 2.6.5 | NON-APPROVED | 9 |
| 2.7 | Security Function Implementations (SFI) | 9 |
| 2.8 | Algorithm Specific Information | 9 |
| 2.9 | RNG and Entropy | 9 |
| 2.10 | Key Generation | 9 |
| 2.11 | Key Establishment | 9 |
| 2.12 | Industry Protocols | 9 |
| 2.13 | Security Design and Rules of Operation | 10 |
| 2.14 | Initialization | 10 |
| 3 | Cryptographic Module Interfaces | 11 |
| 3.1 | Ports & Interfaces | 11 |
| 4 | Roles, Services, and Authentication | 11 |
| 4.1 | Authentication Methods | 11 |
| 4.2 | Roles | 11 |
| 4.3 | Approved Services | 12 |
| Non-Approved Services | 13 | |
| 4.4 | External Software Loaded | 13 |
| 5 | Software/Firmware Security | 14 |
| 5.1 | Integrity Techniques | 14 |
| 5.2 | Initiate on Demand | 14 |
| 6 | Operational Environment | 14 |
| 6.1 | Operational Environment Type and Requirements | 14 |
| 6.2 | Configuration Settings and Restriction | 14 |
| 7 | Physical Security | 15 |
| 8 | Non-Invasive Security | 15 |
| 9 | Sensitive Security Parameter (SSP) Management | 16 |
| 9.1 | SSPs | 16 |
| 9.2 | Zeroization | 17 |
| 10 | Self-Tests | 17 |
| 10.1 | Pre-Operational Self-Tests | 17 |
| 10.2 | Conditional Self-Tests | 17 |
| 10.3 | Periodic Self-Tests | 18 |
| 10.4 | Error States | 18 |
| 11 | Life-Cycle Assurance | 18 |
| 11.1.1 | Startup Procedures | 19 |
| 11.1.2 | Sanitization | 20 |
| 11.2 | Administrator Guidance | 20 |
| 11.3 | Non-Administrator Guidance | 20 |
| 12 | Mitigation of Other Attacks | 20 |
| 13 | Appendix A: References | 21 |
| 14 | Appendix B: Abbreviations and Definitions | 22 |
| 1 | General | 1 |
| 9 | Sensitive Security Parameter Management | 1 |
| Name | ISO Section | Requirement | Level | |||
|---|---|---|---|---|---|---|
| 2 | General | 1 | 2 | |||
| 3 | 3 | Cryptographic Module Specification | 1 | |||
| 4 | Cryptographic Module Interfaces | 1 | 4 | |||
| 5 | 5 | Roles, Services, and Authentication | 1 | |||
| 6 | Software/Firmware Security | 1 | 6 | |||
| 7 | 7 | Operational Environment | 1 | |||
| 8 | Physical Security | N/A | 8 | |||
| 9 | 9 | Non-Invasive Security | N/A | |||
| 10 | Sensitive Security Parameter Management | 1 | 10 | |||
| 11 | 11 | Self-Tests | 1 | |||
| 12 | Life-Cycle Assurance | 1 | 12 | |||
| Overall Level Mitigation of Other Attacks | Overall Level Mitigation of Other Attacks | N/A |
1. GENERAL INFORMATION 1.1 O VERVIEW 1.2 S ECURITY L EVELS This document defines the Security Policy for the Digital.ai Key & Data Protection Module software cryptographic module. The module is a sophisticated implementation of whitebox cryptography (Class A safety-critical software per IEC 62304) that ingests cryptographic keys for use in the cryptographic operations performed by methods in the module’s libraries. Whitebox cryptography is a field of study and a set of techniques aimed at protecting cryptographic algorithms and keys from being compromised in a hostile environment where an attacker has complete access to the implementation and execution of the cryptographic algorithms. The module is designed to allow a user to use both obfuscation and encryption on sensitive data and chain together to reduce or remove the possibility of a successful attack. The module meets FIPS 140-3 overall Security Level 1 requirements and is intended for use by US Federal agencies and other markets that require FIPS 140-3 validation. The cryptographic boundary of the module is the entire monolithic library file. Table 1
2. CRYPTOGRAPHIC MODULE SPECIFICATION 2.1 D ESCRIPTION Purpose and Use: The module is a sophisticated implementation of whitebox cryptography that ingests keys for use in the cryptographic operations performed by methods in the Digital.ai Key & Data Protection Module libraries. Module Type: The module is defined as a software module (refer to ISO/IEC 19790, Section 7.2.2) Module Embodiment: The module and OE are defined as a multi-chip standalone module. Module Characteristics: The module comprises a single, dynamic library built as an object file (libtfit_fips_module.so). Cryptographic Boundary: The cryptographic boundary is defined as the Digital.ai Key & Data Protection Module. The boundary encompasses the entire monolithic library file named ‘libtfit_fips_module.so’. Figure 1
| Module | Software Version | Operational Environment (OE) | |
|---|---|---|---|
| 8.3.1 | |||
| Digital.ai Key & Data Protection | (Android v12 on ARMv8.2-A Cortex-A75) Android 64 bit |
| Operating System | Hardware Platform | Processor(s) | PAA/Acceleration |
|---|
| Package/File Names | Software Version | Integrity Test |
|---|
Table 2
The module’s operational environment (OE) is defined as modifiable and includes all the module’s components, the hardware platform, and the operating system. N/A
N/A The module comprises a dynamic library in the form of an object file that can in turn be linked with an executable overarching application. Table 4
The module does not support any vendor affirmed operating environments. 2.4 E XCLUDED C OMPONENTS 2.5 M ODES OF O PERATION The module does not exclude any components from the requirements of FIPS 140-3. The Digital.ai Key & Data Protection Module only has an ‘approved’ mode of operation. There are no undefined or ‘non-approved’ modes or services within the module. By default, the approved mode is entered into when powering on the module. When called successfully, each of the approved services returns a ‘0’ integer value. If any other value is returned, the module transitions to its defined error state. The module returns ‘Digital.ai Key & Data Protection Module Version: 8.3.1’ to indicate its approved mode of operation. N.B. The module does not incorporate a degraded mode of operation (refer to ISO/IEC 19790 Section 7.2.4.3).
| Name | CAVP Cert | Key Size | Use Function | Reference | ||
|---|---|---|---|---|---|---|
| AES | A3516 | 256-bit | Encryption / Decrypti on | FIPS 197, NIST SP 800-38A | ECB | |
| A3516 | A3516 | P-256 | Signature Verification | FIPS 186-4 | Sig Ver | ECDSA |
| HMAC- SHA-256 KAS-ECC | A3516 A3516 | 256-bit P-256 | Software Integrity Check Calculates a Shared Secret (Z) | FIPS 198-1 SP 800-56Ar3 | N/A ECC CDH | |
| CDH Component SHS | A3516 | N/A | value Digital Signature Verification | FIPS 180-4 |
| Algorithm | Caveat | Use/Function |
|---|
| Algorithm | Caveat | Use/Function |
|---|
| Algorithm | Caveat | Use/Function |
|---|
The module implements the following approved cryptographic functions listed in the following table: Table 5
Hash Generation There are no vendor affirmed algorithms within boundaries of the module. Table 6
There are no non-approved allowed algorithms within boundaries of the module. Table 7
There are no non-approved algorithms within boundaries of the module. Table 8
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| KAS-ECC CDH- | Shared Secret | KAS-ECC CDH-Component / | KAS-ECC CDH- |
| Algorithm | Caveat | Use/Function |
|---|
There are no non-approved not allowed algorithms within boundaries of the module. Table 9
The module does not support the generation of cryptographic keys. The module does not implement random number generation.
The module does not support key establishment methods.
The module does not support any industry standard protocols.
The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module. − − − − − − − − − − − − − The operator shall be capable of commanding the module to perform the power up selftests by power cycling the system or by re-loading the library into the application. Power up self-tests do not require any operator action. Data output shall be inhibited by self-tests, zeroization and error states. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. The module does not support concurrent operators. The module does not support a maintenance interface or role. The module does not support manual key entry. The module does not have any external input/output devices used for entry/output of data. All CSPs are protected from unauthorized access, use, disclosure, modification, and substitution. The module does not persistently store CSPs. CSPs are provided to the module for the purpose of executing cryptographic operation. All PSPs are protected from unauthorized modification and substitution. The module does not output cryptographic keys. The operator can command the module to perform the Pre-Operational and Conditional self-tests at any time by loading the module in memory space of an application requiring its services. When the module is in an error state, the operator shall not have access to any cryptographic service.
The module does not require specific initialization as no CSPs are stored within its cryptographic boundary. The module is loaded into an application address space requiring its services. On load, the module immediately performs self-testing of all its cryptographic functions and output status of the tests (refer to Section 10).
| Name | Physical Port | Logical Interface | Data That Passes | |||
|---|---|---|---|---|---|---|
| N/A | N/A | Control input | ||||
| N/A | N/A | Control output | N/A | |||
| N/A | N/A | Data output | Data returned in which is the result of the API service transaction. | |||
| N/A | N/A | Data input | Data passed in which the API service will be transacted upon. |
| Name | Roles | Input | Output | Input | Service | |
|---|---|---|---|---|---|---|
| Cryptographic Officer (CO) | Cryptographic Officer (CO) | Cryptographic Officer (CO) | ||||
| AES Encrypt | Plaintext data to encrypt | Status & Ciphertext Data | ||||
| AES Decrypt | Status & Plaintext Data | Ciphertext data to decrypt | ||||
| ECDSA Verify | Plaintext data and digital signature to be verified | Status | ||||
| Generate Shared Secret | Other Party's Public Key | Status & Shared Secret (Z) | Generate Shared Secret | |||
| Zeroize Create Hash | N/A Data to be Hashed, length, | Status Status, digest, & length |
3.1 P ORTS & I NTERFACES Table 11
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output | Service |
|---|---|---|---|---|---|---|---|---|---|
| Generate HMAC | Data to be input into | Status & MAC | |||||||
| Verify HMAC | HMAC algorithm Data to be input into HMAC algorithm & HMAC | Status | |||||||
| Load AES Encryption Key | AES Key | Status | |||||||
| Load AES Decryption Key | AES Key | Status | |||||||
| Load ECDH Private Key | ECDH Priv Key | Status | |||||||
| Load ECDSA Public Key | ECDSA Pub Key | Status | Load ECDSA Public Key | ||||||
| Load HMAC Generate Key | HMAC Key | Status | |||||||
| Load HMAC Verification Key | HMAC Key | Status | |||||||
| Get Status | N/A | Status | |||||||
| Show Version | N/A | Module name & Version number | |||||||
| AES Encrypt | E | ||||||||
| AES encryption | AES encryption | CO | AES Key | AES Key: | |||||
| AES Decrypt | AES decryption | CO | AES Key | Encrypt AES ECB | E AES Key: | Error Code) Integer value (0 = Success or | |||
| Decrypt | Decrypt | Error Code) | |||||||
| ECDSA Verify | E | ||||||||
| ECDSA digital signature | ECDSA digital signature | Integer value (0 = Verified or | |||||||
| ECDSA Sig Ver | CO | ECDSA Pub Key | ECDSA Sig Ver | ECDSA Pub Key: | |||||
| Generate Shared Secret | verification Calculates a shared secret | CO | ECDH Pub Key ECDH Priv | KAS-ECC CDH- Component | W, E, Z E, Z ECDH Pub Key: G ECDH Priv: | Error Code) Integer value (0 = Success or | |||
| Shared Secret (Z) | Shared Secret (Z) | Shared Secret (Z): | Error Code) | ||||||
| Zeroize | Z | ||||||||
| Zeroizes all SSPs | Zeroizes all SSPs | CO | All SSPs | N/A | All SSPs: |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output | Service |
|---|---|---|---|---|---|---|---|---|---|
| Generate HMAC | Data to be input into | Status & MAC | |||||||
| Verify HMAC | HMAC algorithm Data to be input into HMAC algorithm & HMAC | Status | |||||||
| Load AES Encryption Key | AES Key | Status | |||||||
| Load AES Decryption Key | AES Key | Status | |||||||
| Load ECDH Private Key | ECDH Priv Key | Status | |||||||
| Load ECDSA Public Key | ECDSA Pub Key | Status | Load ECDSA Public Key | ||||||
| Load HMAC Generate Key | HMAC Key | Status | |||||||
| Load HMAC Verification Key | HMAC Key | Status | |||||||
| Get Status | N/A | Status | |||||||
| Show Version | N/A | Module name & Version number | |||||||
| AES Encrypt | E | ||||||||
| AES encryption | AES encryption | CO | AES Key | AES Key: | |||||
| AES Decrypt | AES decryption | CO | AES Key | Encrypt AES ECB | E AES Key: | Error Code) Integer value (0 = Success or | |||
| Decrypt | Decrypt | Error Code) | |||||||
| ECDSA Verify | E | ||||||||
| ECDSA digital signature | ECDSA digital signature | Integer value (0 = Verified or | |||||||
| ECDSA Sig Ver | CO | ECDSA Pub Key | ECDSA Sig Ver | ECDSA Pub Key: | |||||
| Generate Shared Secret | verification Calculates a shared secret | CO | ECDH Pub Key ECDH Priv | KAS-ECC CDH- Component | W, E, Z E, Z ECDH Pub Key: G ECDH Priv: | Error Code) Integer value (0 = Success or | |||
| Shared Secret (Z) | Shared Secret (Z) | Shared Secret (Z): | Error Code) | ||||||
| Zeroize | Z | ||||||||
| Zeroizes all SSPs | Zeroizes all SSPs | CO | All SSPs | N/A | All SSPs: | ||||
| Create Hash | Generates a SHA | CO | N/A | SHA-256 or | N/A | Integer value (0 = Success or | |||
| digest | digest | SHA-512 | Error Code) | ||||||
| HMAC | HMAC-SHA- | ||||||||
| Generates HMAC | Generates HMAC | CO | HMAC Key | HMAC Key: | |||||
| Verify HMAC | Verifies HMAC | CO | HMAC Key | 256 HMAC-SHA- | E HMAC Key: | Error Code) Integer value (0 = Verified or | |||
| Load AES | 256 | Error Code) | |||||||
| Encryption | W | ||||||||
| Loads the AES Key | Loads the AES Key | CO | AES Key | N/A | AES Key: | ||||
| Load A ES Decryption Key | Loads the AES Key | CO | AES Key | N/A | W AES Key: | Error Code) Integer value (0 = Success or | |||
| Load ECDH | W | ||||||||
| Private Key | Loads the EC | ECDH Priv Key | ECDH Priv Key: | Integer value | |||||
| private key for use in the shared secret | private key for use in the shared secret | CO | N/A | ||||||
| Load ECDSA Public Key | calculation. Loads the ECDSA | CO | ECDSA Pub Key | N/A | W ECDSA Pub Key: | Error Code) Integer value (0 = Success or | |||
| Pub Key | Pub Key | Error Code) | |||||||
| Generate Key | Loads the HMAC | ||||||||
| N/A | CO | HMAC Key | N/A | HMAC Key: | |||||
| Load HMAC Verification Key | Key Loads the HMAC | CO | HMAC Key | N/A | W HMAC Key: | Error Code) Integer value (0 = Success or | |||
| N/A | CO | N/A | N/A | N/A | |||||
| Show Version | of the module Returns the ID and version of the | CO | N/A | N/A | N/A | Error Code) Module name & | |||
| module | module | version | |||||||
| Self-test service is | Self-test service is | <Self-Test Name> + | |||||||
| invoked by loading or reloading the | invoked by loading or reloading the | CO | N/A | All | N/A |
| Role | Authentication Method | Authentication Strength |
|---|
Self-Test N/A N/A N/A N/A Table 13
N/A N/A HMAC-SHA256 HMAC-SHA256 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. N ON -A PPROVED S ERVICES The module does not implement any non-Approved services. 4.4 E XTERNAL S OFTWARE L OADED The module does not implement external software loading capabilities.
The consuming application may define security rules, configuration settings, or restrictions on the OE.
| Name | Strength | Generation | Establishment | Storage | Zeroization | Use | Import Export | |||
|---|---|---|---|---|---|---|---|---|---|---|
| AES Key | 256 bits | N/A | N/A | RAM | Data Encryption / Decryption | AES-ECB (Cert. #A3516) | Entry: Plaintext Output: N/A | |||
| Entry: Plaintext | Entry: Plaintext | ‘Zeroize’ Service | ||||||||
| ECDH Priv Key | 128 bits | N/A | N/A | RAM | after use ‘Zeroize’ Service and immediately | Generate Shared Secret (Z) | ECC CDH Component (Cert. #A3516) | Entry: Plaintext Output: N/A | ||
| ECDH Pub Key | 128 bits | N/A | N/A | RAM | Generate Shared Secret (Z) | ECC CDH Component (Cert. #A3516) | Entry: Plaintext Output: N/A | after use | ||
| ECDSA Pub Key | 128 bits | N/A | N/A | RAM | after use ‘Zeroize’ Service and immediately | ECDSA Digital Signature Verification | ECDSA Sig Ver (Cert. #A3516) | Entry: Plaintext Output: N/A | ||
| HMAC Key | 256-bits | N/A | N/A | RAM | Generate and Verify HMACs | HMAC-SHA-256 (Cert. #A3516) | Entry: Plaintext Output: N/A | after use | ||
| Shared Secret (Z) | 256 bits | N/A | N/A | RAM | after use ‘Zeroize’ Service and immediately | Not used by the module | ECC CDH Component (Cert. #A3516) | Entry: N/A Output: Plaintext |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Implementation | Test | Condition | Indicator | |
|---|---|---|---|---|---|---|---|---|---|
| HMAC-SHA- 256 | HMAC-SHA- 256 | KAT | Software Integrity | Verifies the HMAC- SHA-256 message authentication code for the software. | Software Integrity Test | 256-bit | |||
| Test | Test | Method | |||||||
| Software | CAST | Encrypt | Software | KAT | Module load | ||||
| AES-ECB Decrypt | AES-ECB Decrypt | CAST | Decrypt | Software | KAT | Module load | failed” “aes_KAT passed” or “aes_KAT |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Implementation | Test | Condition | Indicator | |
|---|---|---|---|---|---|---|---|---|---|
| HMAC-SHA- 256 | HMAC-SHA- 256 | KAT | Software Integrity | Verifies the HMAC- SHA-256 message authentication code for the software. | Software Integrity Test | 256-bit | |||
| Test | Test | Method | |||||||
| Software | CAST | Encrypt | Software | KAT | Module load | ||||
| AES-ECB Decrypt | AES-ECB Decrypt | CAST | Decrypt | Software | KAT | Module load | failed” “aes_KAT passed” or “aes_KAT | ||
| Software | CAST | Software | KAT | Module load | |||||
| “ecdh_KAT | Primitive Shared | “ecdh_KAT | |||||||
| passed” or “ecdh_KAT | Secret (‘Z’) Computation | passed” or “ecdh_KAT | |||||||
| ECDSA Sig Ver | ECDSA Sig Ver | CAST | KAT Verify | Software | KAT | Module load | failed” “ecdsa_KAT passed” or “ecdsa_KAT | ||
| HMAC | HMAC | failed” | |||||||
| Software | CAST | Generation | Software | KAT | Module load | ||||
| SHA | SHA | CAST | Hash | Software | KAT | Module load | failed” sha_KAT passed or “sha_KAT |
9.2 Z EROIZATION 10. SELF-TESTS SSPs are not persistently stored. During normal operation, the module explicitly erases copies of SSPs in volatile memory (e.g., RAM) by overwriting with zeros after their use. SSPs temporarily stored in volatile memory can be zeroized via the ‘Zeroize’ service. On instantiating the consuming application, the module performs the self-tests described in Tables
16 & 17 below. All KATs must be completed successfully prior to any use of cryptography by the
module. If one of the KATs fails, the module transitions to its appropriate error state.
The module implements both preoperational and conditional self-tests. Since the pre-operational Table 16
Table 17
| Name | Description | Role Access | Indicator | Recovery Method | |||||
|---|---|---|---|---|---|---|---|---|---|
| Soft Error | Soft Error | Recoverable errors from the normal operation of the module | Error conditions from the result of a service call | The module will continue to operate as normal. | |||||
| Recoverable errors from the normal | Recoverable errors from the normal | Error conditions from the result of a | Integer value is | The module will continue to operate as | |||||
| Hard Error | Hard Error | A fatal error that ends the current operation of the module. | Failure of pre- operational or conditional self-tests | The module aborts service, outputs error indicator, and forces a segmentation fault. The module must be | application. Error message is output on stderr (standard error) |
The module is designed to meet the requirements of FIPS 140-3 Security Level 1. It does not implement automated periodic self-testing. However, the module's consuming application may be restarted at any time to perform a periodic self-test.
The module supports the following error states. Table 18
Module code utilizes semantic versioning to each release indicating major, minor or patch releases along with release notes providing guidance in the use of each iteration of module’s code. The module has a semantic version number. The Git configuration management system assigned a message digest to each commit which uniquely identifies the version. Configuration management systems retaining module code are periodically backed up using a solution that allows both full and incremental restoration. The procedures for secure installation, initialization, startup, and operation of the module are provided in sections 11.1, 11.2, and 11.3 of this Security Policy and the module’s user guidance. A comprehensive developer guide documenting the entire API is provided. The developer guide provides all Administrator guidance. The developer guide is versioned and managed within the same secure configuration management systems. The configuration management system is protected with user authentication measures to prevent unauthorized access. All changes can be made only by authorized individuals. An automated system is in place to notify other users when any change has been made to prevent unknown changes from being made. All changes are made on development branches in Git and are reviewed by separate people before releasing to production. The only maintenance required is to install new versions of the module when they are made available to fix discrepancies or add features. The update procedure is the same as the installation procedure, with the new module file(s) replacing the existing ones. Any new version of the module is outside the scope of this validation and requires a separate FIPS 140-3 validation. The procedures for secure installation, initialization, startup, and operation of the module are provided in module’s user guidance. Additionally, a comprehensive developer guide documenting the entire API is provided. The developer guide provides all Administrator guidance. The developer guide is versioned and managed within the same secure configuration management system. The configuration management system is protected with user authentication measures to prevent unauthorized access. All changes can be made only by authorized individuals via access rights (i.e., read/write). An automated system is in place to notify other users when any change has been made. All changes are made on development branches in Git and are reviewed by separate people before releasing to production. The only maintenance required is to install new versions of the module when they are made available to fix discrepancies or add features. The update procedure is the same as the installation procedure, with the new module file(s) replacing the existing ones. Any new version of the module is outside the scope of this validation and requires a separate FIPS 140-3 validation. 11.1.1 S TARTUP P ROCEDURES The module does not provide a non-approved mode of operation and is as such always in an approved mode once loaded into memory by the calling application and its automated self-tests are executed successfully. Since the module does not generate keys or support authentication, it does not need to be initialized.
11.1.2 S ANITIZATION The module is a software module that does not store any persistent SSPs. The module should be uninstalled from the OE when no longer needed.
The Crypto Officer shall configure their Android app project according to instructions detailed in the module’s user guidance.
There is no authentication component to the Module, so no further setup is required. No zeroization is required during installation. 12. MITIGATION OF OTHER ATTACKS The module does not claim any attack mitigation beyond FIPS 140-3 Security Level 1 requirements.
| Name | Use Function | ||||||
|---|---|---|---|---|---|---|---|
| [1] | [1] | NIST | 2019 | ||||
| [2] | FIPS 180-4 – Secure Hash Standard (SHS) | [2] | NIST | 2015 | |||
| FIPS 186-4 – Digital Signature Standard (DSS) | [3] | NIST | 2013 | ||||
| [4] | FIPS 197 – Advanced Encryption Standard (AES) | [4] | NIST | 2023 | |||
| FIPS 198-1 – The Keyed-Hash Message Authentication Code ISO/IEC 19790 - Information technology - Security techniques | [5] [6] | NIST ISO/IEC | 2008 2014 | ||||
| [7] | - Security requirements for cryptographic modules | [7] | ISO/IEC | 2017 | |||
| - Test requirements for cryptographic modules NIST SP 800-38A – Recommendation for Block Cipher Modes | [8] | NIST | 2001 | ||||
| [9] | of Operation: Methods and Techniques | [9] | NIST | 2020 | |||
| Cryptography NIST SP 800-131Ar2 – Transitioning the Use of Cryptographic | [10] | NIST | 2019 | ||||
| [11] | Algorithms and Key Lengths | [11] | NIST | 2020 |
13. APPENDIX A: REFERENCES Table 19
| Name | Term | Definition | ||
|---|---|---|---|---|
| AES | AES | Advanced Encryption Standard | ||
| API | API | Application Programming Interface | ||
| CAST | CAST | Cryptographic Algorithm Self-Test | ||
| CO | CO | Cryptographic Officer | ||
| ECB | ECB | Electronic Code Book | ||
| ECC CDH | ECC CDH | Elliptic Curve Cryptography Cofactor Diffie-Hellman | ||
| ECDSA | ECDSA | Elliptic Curve Digital Signature Algorithm | ||
| EFP/EFT | EFP/EFT | Environment Failure Protection/Environment Failure Testing | ||
| FIPS | FIPS | Federal Information Processing Standards | ||
| HMAC | HMAC | Hashed or Hash-based Message Authentication Code | ||
| IEC | IEC | International Electrotechnical Commission | ||
| IG | IG | Implementation Guidance | ||
| ISO | ISO | International Standards Organization | ||
| KAS | KAS | Key Agreement Scheme | ||
| KAT | KAT | Known Answer Test | ||
| OE | OE | Operating Environment | ||
| SHS | SHS | Secure Hash Standard | ||
| SP | SP | Security Policy |
14. APPENDIX B: ABBREVIATIONS AND DEFINITIONS Table 20