All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]

Certificate#4919StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorApple Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 19 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim validation. When operated in approved mode
VendorApple Inc.

Approved Algorithms (103)

AlgorithmACVP Cert
AES-CBCA3618
AES-CBCA3619
AES-CBCA3620
AES-CBCA3621
AES-CCMA3626
AES-CCMA3627
AES-CFB128A3620
AES-CFB128A3621
AES-CFB8A3620
AES-CFB8A3621
AES-CTRA3620
AES-CTRA3621
AES-CTRA3626
AES-CTRA3627
AES-ECBA3618
AES-ECBA3619
AES-ECBA3620
AES-ECBA3621
AES-ECBA3626
AES-ECBA3627
AES-GCMA3626
AES-GCMA3627
AES-KWA3620
AES-KWA3621
AES-OFBA3620
AES-OFBA3621
AES-XTS Testing Revision 2.0A3618
AES-XTS Testing Revision 2.0A3619
Counter DRBGA3620
Counter DRBGA3621
Counter DRBGA3627
ECDSA KeyGen (FIPS186-4)A3622
ECDSA KeyGen (FIPS186-4)A3623
ECDSA KeyGen (FIPS186-4)A3624
ECDSA KeyVer (FIPS186-4)A3622
ECDSA KeyVer (FIPS186-4)A3623
ECDSA KeyVer (FIPS186-4)A3624
ECDSA SigGen (FIPS186-4)A3622
ECDSA SigGen (FIPS186-4)A3623
ECDSA SigGen (FIPS186-4)A3624
ECDSA SigVer (FIPS186-4)A3622
ECDSA SigVer (FIPS186-4)A3623
ECDSA SigVer (FIPS186-4)A3624
HMAC DRBGA3622
HMAC DRBGA3623
HMAC DRBGA3624
HMAC-SHA-1A3622
HMAC-SHA-1A3623
HMAC-SHA-1A3624
HMAC-SHA-1A3628
HMAC-SHA2-224A3622
HMAC-SHA2-224A3623
HMAC-SHA2-224A3624
HMAC-SHA2-224A3628
HMAC-SHA2-256A3622
HMAC-SHA2-256A3623
HMAC-SHA2-256A3624
HMAC-SHA2-256A3628
HMAC-SHA2-384A3622
HMAC-SHA2-384A3623
HMAC-SHA2-384A3624
HMAC-SHA2-384A3628
HMAC-SHA2-512A3622
HMAC-SHA2-512A3623
HMAC-SHA2-512A3624
HMAC-SHA2-512A3628
HMAC-SHA2-512/256A3622
HMAC-SHA2-512/256A3623
HMAC-SHA2-512/256A3624
KDF SP800-108A3624
RSA KeyGen (FIPS186-4)A3622
RSA KeyGen (FIPS186-4)A3623
RSA KeyGen (FIPS186-4)A3624
RSA SigGen (FIPS186-4)A3622
RSA SigGen (FIPS186-4)A3623
RSA SigGen (FIPS186-4)A3624
RSA SigVer (FIPS186-4)A3622
RSA SigVer (FIPS186-4)A3623
RSA SigVer (FIPS186-4)A3624
SHA-1A3622
SHA-1A3623
SHA-1A3624
SHA-1A3628
SHA2-224A3622
SHA2-224A3623
SHA2-224A3624
SHA2-224A3628
SHA2-256A3622
SHA2-256A3623
SHA2-256A3624
SHA2-256A3628
SHA2-384A3622
SHA2-384A3623
SHA2-384A3624
SHA2-384A3628
SHA2-512A3622
SHA2-512A3623
SHA2-512A3624
SHA2-512A3628
SHA2-512/256A3622
SHA2-512/256A3623
SHA2-512/256A3624
TDES-ECBA3625

Security Levels (Table 1)

Requirement areaLevel
Software/Firmware Security5
Operational Environment6

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-test<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-test<br/>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Apple Inc. Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Document Version 2.0 December 2024 Prepared by: Lightship Security Inc. 1101-150 Isabella Street, Ottawa, ON, K1S 1V7 www.lightshipsec.com This document may be reproduced and distributed only in its original entirety without revision.

Page 2

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Trademarks Apple's trademarks applicable to this document are listed in https://www.apple.com/legal/intellectualproperty/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirety without revision.

Page 3

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Contents 1. 2. 3. 4. 5. 6. 4.1 4.2 5.1 5.2 6.1 7. 8. 9. 9.1 9.2 9.3 9.4 9.5 9.6 10.1 10.2 10.3 11.1 11.2 This document may be reproduced and distributed only in its original entirety without revision.

Page 4

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Tables This document may be reproduced and distributed only in its original entirety without revision.

Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]

  1. This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800-140B. The column names of the tables follow the template tables provided in NIST SP 800-140B. Table 1 describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. N/A N/A N/A Table 1 – Security levels The Module has an overall security level of
  2. This document may be reproduced and distributed only in its original entirety without revision.
Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai
1macOS Ventura v13MacBook Air (2022)Intel i5 (Amber Lake)PAA1
2macOS Ventura v13MacBook Air (2022)Intel i7 (Ice Lake)PAA2
3macOS Ventura v13MacBook Pro (2022)Intel i7 (Coffee Lake)PAA3
4macOS Ventura v13iMac (2022)Intel i7 (Comet Lake)PAA4
5macOS Ventura v13MacBook Pro (2022)Intel i9 (Coffee Lake)PAA5
6macOS Ventura v13iMac Pro (2022)Xeon W SkyLakePAA6
7macOS Ventura v13Mac Pro (2022)Xeon W Cascade LakePAA7
8macOS Ventura v13Mac Pro (2022)Intel i5 (Coffee Lake)PAA8
9macOS Ventura v13MacBook Air (2022)Intel i5 (Amber Lake)No9
10macOS Ventura v13MacBook Air (2022)Intel i7 (Ice Lake)No10
11macOS Ventura v13MacBook Pro (2022)Intel i7 (Coffee Lake)No11
12macOS Ventura v13iMac (2022)Intel i7 (Comet Lake)No12
13macOS Ventura v13MacBook Pro (2022)Intel i9 (Coffee Lake)No13
14macOS Ventura v13iMac Pro (2022)Xeon W SkyLakeNo14
15macOS Ventura v13Mac Pro (2022)Xeon W Cascade LakeNo15
16macOS Ventura v13Mac Pro (2022)Intel i5 (Coffee Lake)No16
1macOS Ventura v13MacBook Pro - i5 (Ice Lake), 2021, 20201
2macOS Ventura v13MacBook Pro - i5 (Coffee Lake), 2021, 2020, 2019, 20182
3macOS Ventura v13MacBook Pro - i7 (Amber Lake), 2021, 2019, 20183
4macOS Ventura v13MacBook Pro - i7 (Coffee Lake), 2021, 2020, 2019, 20184
5macOS Ventura v13MacBook Pro - i7 (Ice Lake), 2021, 20205
6macOS Ventura v13MacBook Pro - i9 (Coffee Lake), 2021, 2019, 20186
7macOS Ventura v13MacBook Air - i5 (Ice Lake), 2021, 20207
8macOS Ventura v13MacBook Air - i7 (Ice Lake), 2021, 20208
9macOS Ventura v13MacBook Air - i5 (Amber Lake), 2021, 2019, 20189
10macOS Ventura v13MacBook Air - i7 (Amber Lake), 2021, 201810
11macOS Ventura v13Mac mini - i5 (Coffee Lake), 2021, 201811
12macOS Ventura v13Mac mini - i7 (Coffee Lake), 2021, 201812
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai
1macOS Ventura v13MacBook Air (2022)Intel i5 (Amber Lake)PAA1
2macOS Ventura v13MacBook Air (2022)Intel i7 (Ice Lake)PAA2
3macOS Ventura v13MacBook Pro (2022)Intel i7 (Coffee Lake)PAA3
4macOS Ventura v13iMac (2022)Intel i7 (Comet Lake)PAA4
5macOS Ventura v13MacBook Pro (2022)Intel i9 (Coffee Lake)PAA5
6macOS Ventura v13iMac Pro (2022)Xeon W SkyLakePAA6
7macOS Ventura v13Mac Pro (2022)Xeon W Cascade LakePAA7
8macOS Ventura v13Mac Pro (2022)Intel i5 (Coffee Lake)PAA8
9macOS Ventura v13MacBook Air (2022)Intel i5 (Amber Lake)No9
10macOS Ventura v13MacBook Air (2022)Intel i7 (Ice Lake)No10
11macOS Ventura v13MacBook Pro (2022)Intel i7 (Coffee Lake)No11
12macOS Ventura v13iMac (2022)Intel i7 (Comet Lake)No12
13macOS Ventura v13MacBook Pro (2022)Intel i9 (Coffee Lake)No13
14macOS Ventura v13iMac Pro (2022)Xeon W SkyLakeNo14
15macOS Ventura v13Mac Pro (2022)Xeon W Cascade LakeNo15
16macOS Ventura v13Mac Pro (2022)Intel i5 (Coffee Lake)No16
1macOS Ventura v13MacBook Pro - i5 (Ice Lake), 2021, 20201
2macOS Ventura v13MacBook Pro - i5 (Coffee Lake), 2021, 2020, 2019, 20182
3macOS Ventura v13MacBook Pro - i7 (Amber Lake), 2021, 2019, 20183
4macOS Ventura v13MacBook Pro - i7 (Coffee Lake), 2021, 2020, 2019, 20184
5macOS Ventura v13MacBook Pro - i7 (Ice Lake), 2021, 20205
6macOS Ventura v13MacBook Pro - i9 (Coffee Lake), 2021, 2019, 20186
7macOS Ventura v13MacBook Air - i5 (Ice Lake), 2021, 20207
8macOS Ventura v13MacBook Air - i7 (Ice Lake), 2021, 20208
9macOS Ventura v13MacBook Air - i5 (Amber Lake), 2021, 2019, 20189
10macOS Ventura v13MacBook Air - i7 (Amber Lake), 2021, 201810
11macOS Ventura v13Mac mini - i5 (Coffee Lake), 2021, 201811
12macOS Ventura v13Mac mini - i7 (Coffee Lake), 2021, 201812

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 2. Cryptographic Module Specification The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] cryptographic module (hereafter referred to as "the Module") is a software module running on a multi-chip standalone general-purpose computing platform. The version of module is 13 written as v13.0. The module provides implementations of low-level cryptographic primitives to the Host OS's (macOS Ventura v13) Security Framework and CommonCrypto. The module has been tested by Lightship Security, Inc. CST lab on the following platforms with and without PAA: # Table 2

Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197] [SP 800-38A]A3618 (asm_aesni) A3619 (asm_x86) A3620 (c_aesni) A3621 (c_asm)CBC128, 192, 256Symmetric encryption and decryption
AES [FIPS 197] [SP 800-38C]A3626 (vng_asm) A3627 (vng_aesni)CCM128, 192, 256Authenticated encryption and decryption
AES [FIPS 197] [SP 800-38A]A3620 (c_aesni) A3621 (c_asm)CFB128128, 192, 256Symmetric encryption and decryption
AES [FIPS 197] [SP 800-38A]A3620 (c_aesni) A3621 (c_asm)CFB8128, 192, 256Symmetric encryption and decryption
AES [FIPS 197] [SP 800-38A]A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni)CTR128, 192, 256Symmetric encryption and decryption
AES [FIPS 197] [SP 800-38A]A3618 (asm_aesni) A3619 (asm_x86) A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni)ECB128, 192, 256Symmetric encryption and decryption
AES [FIPS 197] [SP 800-38D]A3626 (vng_asm) A3627 (vng_aesni)GCM128, 192, 256Authenticated encryption and decryption
AESA3620 (c_aesni)KW128, 192, 256Key wrapping
13macOS Ventura v13iMac - i5 (Comet Lake), 2021, 2020
14macOS Ventura v13iMac - i7 (Comet Lake), 2021, 2020
15macOS Ventura v13iMac - i9 (Comet Lake), 2021, 2020
16macOS Ventura v13iMac - i5 (Coffee Lake), 2021, 2019
17macOS Ventura v13iMac - i7 (Coffee Lake), 2021, 2019
18macOS Ventura v13iMac - i9 (Coffee Lake), 2021, 2019
19macOS Ventura v13iMac - i9 (Comet Lake), 2022

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Table 3

Page 8
Approved algorithm
NameKey SizeUse Function
[FIPS 197] [SP 800-38F]A3621 (c_asm)
AES [FIPS 197] [SP 800-38A]128, 192, 256OFBA3620 (c_aesni) A3621 (c_asm)Symmetric encryption and decryption
XTS-AES [FIPS 197] [SP 800-38E]128, 256XTSA3618 (asm_aesni) A3619 (asm_x86)Symmetric encryption and decryption on storage devices
CTR_DRBG [SP 800-90Ar1]Key Length/ Key Strength: 128, 256 Derivation Function Enabled: YesAES-CTRA3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni)Random Number Generation
ECDSA [FIPS 186-4]Curves: P-224, P-256, P- 384, P-521 Key Strength: from 112 to 256KeyGen, KeyVer, SigGen, SigVerA3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)Digital signatures and asymmetric key generation and verification
CKGKey Pair Generation (CKG) using method in Sections 4 and 5.1 in [SP 800-133r2]Vendor AffirmedCryptographic key generation
HMAC [FIPS 198-1]112 bits or greaterHMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) A3628 (vng_intel)Message authentication
HMAC [FIPS 198-1]112 bits or greaterHMAC-SHA2-512/256A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)Message authentication
HMAC_DRBG [SP 800-90Ar1]112 bits or greaterSHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)Random Number Generation
KBKDF1 [SP 800-108r1]HMAC-SHA-1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512Counter (CTR) FeedbackA3624 (c_sse3)Key-based key derivation
RSA [FIPS 186-4]KeyGen: 2048, 3072, 4096 SigGen: 2048, 3072, 4096 SigVer: 1024 (legacy use), 2048, 3072, 4096KeyGen (ANSI X9.31), SigGen (PKCS#1 v1.5) and (PKCS PSS) SigVer (PKCS#1 v1.5) and (PKCS PSS)A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)Digital signatures and asymmetric key generation and verification
SHS [FIPS 180-4]112 bits or greaterSHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) A3628 (vng_intel)Message digest
SHS [FIPS 180-4]112 bits or greaterSHA2-512/256A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)Message digest
Triple-DESKeying Option: 1ECBA3625 (c_ltc)Symmetric decryption

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] KBKDF: Supported Lengths: 8 to 4096 in increments of 8. Fixed Data Order: Before Fixed Data. When using HMAC as the PRF. This document may be reproduced and distributed only in its original entirety without revision.

Page 9
Approved algorithm
NameUse Function
RSAANSI X9.31 Key Pair Generation Key Size < 2048 PKCS#1 v1.5 and PSS Signature Generation Key Size < 2048 PKCS#1 v1.5 and PSS Signature Verification Key Size< 1024
RSAKey Encapsulation: OAEP, PKCS#1 v1.5 and PSS schemes
X25519Key Agreement Key Generation
Ed25519Key Generation Signature Generation Signature Verification
ANSI X9.63 KDFHash based Key Derivation Function
RFC6637Key Derivation Function
HKDF [SP 800-56C]Key Derivation Function
DESEncryption / Decryption, Key Size: 56-bits
CAST5Encryption / Decryption, Key Sizes: 40 to 128-bits in 8-bit increments
RC4Encryption / Decryption, Key Sizes: 8 to 4096-bits
RC2Encryption / Decryption Key Sizes 8 to 1024-bits
MD2Message Digest, Digest size 128-bit
MD4Message Digest, Digest size 128-bit
MD5Message Digest, Digest size 128-bit
RIPEMDMessage Digest, Digest size 160-bits
ECDSAKey-pair generation: Curve P-192 Public key validation: Curve P-192 Signature Generation: Curve P-192 Signature Verification: Curve P-192 Key Pair Generation for compact point representation of points
Integrated Encryption Scheme on elliptic curves (ECIES)Encryption / Decryption
BlowfishEncryption / Decryption
OMAC (One-Key CBC MAC)MAC generation
Triple-DES [SP 800-67r2]2CBC, ECB: Encryption/Decryption Note: The module does not enforce the limit of 216 encryptions with the same Triple-DES key, as required by FIPS 140-3 IG C.G.

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Table 4

Page 10

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] executes within the kernel space of the computing platforms and operating systems listed in Table 2

Page 11
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputData inputs are provided in the variables passed in the KPI and callable service invocations, generally through caller-supplied buffers
N/AN/AData OutputData outputs are provided in the variables passed in the KPI and callable service invocations, generally through caller-supplied buffers
N/AN/AControl InputControl inputs which control the mode of the module are provided through dedicated parameters, namely the kernel module plist whose information is supplied to the module by the kernel module loader.
N/AN/AControl OutputNot Applicable4
N/AN/AStatus OutputStatus output is provided in return codes and through messages. Documentation for each KPI lists possible return codes. A complete list of all return codes returned by the C language KPIs within the module is provided in the header files and the KPI documentation. Messages are also documented in the KPI documentation.

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 3. Cryptographic Module Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. interfaces are described in the table below. N/A N/A N/A N/A N/A Table 6

Page 12
Service
NameRolesInputOutput
Symmetric encryptionCrypto-Officer (CO)AES Key Plain text dataCipher text
Symmetric decryptionCrypto-Officer (CO)AES Key Cipher text dataPlain text
Key wrappingCrypto-Officer (CO)Key-encryption-key Key to be wrappedWrapped key
Key unwrappingCrypto-Officer (CO)Key-encryption-key Wrapped keyUnwrapped key
Secure HashingCrypto-Officer (CO)MessageMessage digest
Message Authentication Code (MAC) GenerationCrypto-Officer (CO)message, MAC key, MAC algorithmMessage Authentication Code
Message Authentication Code (MAC) VerificationCrypto-Officer (CO)MAC, message, HMAC key, MAC algorithmpass/fail result
Generate asymmetric key pairCrypto-Officer (CO)Random numbers, domain parametersPublic/private key pair
Generate digital signatureCrypto-Officer (CO)private key, message, hash functionDigital signature
Verify digital signatureCrypto-Officer (CO)public keyTrue or False
Generate random numberCrypto-Officer (CO)entropy, seed, V and key valuesrandom bit-string
Derive key via KBKDFCrypto-Officer (CO)KBKDF Key Derivation KeyDerived key
Zeroise symmetric keysCrypto-Officer (CO)Handler of symmetric crypto function contextReleased memory space
Zeroise asymmetric keysCrypto-Officer (CO)Handler of asymmetric crypto function contextReleased memory space
Zeroise hashCrypto-Officer (CO)Handler of hash contextReleased memory space
Self-testCrypto-Officer (CO)InstantiationStatus
Show statusCrypto-Officer (CO)KPI invocationOperational / error status
Show module infoCrypto-Officer (CO)KPI invocationModule base name Module version

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 4. Roles, Services and Authentication The Module supports a single instance of one authorized role, designated as the Crypto-Officer. No support is provided for multiple concurrent operators or a Maintenance Operator. The table below lists the services available to the Crypto-Officer: Table 7

Page 13
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
ECDSA key pair generationGenerate a public/private key pairCOECDSA key pairECDSA5 CKGGR1
ECDSA signature generationGenerate a digital signatureCOECDSA private keyECDSARE1
ECDSA signature verificationVerify a digital signatureCOECDSA public keyECDSARWE1
Derive key via KBKDFDerive keysCOKBKDF Key derivation key KBKDF Derived keyKBKDFWE GRE1
Key wrappingPerform key wrappingCOAES Key-encrypting keyAES-KWWE1
Key unwrappingPerform key unwrappingCOAES Key-encrypting keyAES-KWWE1
HashingCompute a message digestCON/ASHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/256N/A1
MAC GenerationCompute a message authentication codeCOHMAC keyHMACWE1
MAC VerificationVerify a message authentication codeCOHMAC keyHMACWE1
RSA key pair generationGenerate a public/private key pairCORSA key pairRSA6 CKGGR1
RSA signature generationGenerate a digital signatureCORSA private keyRSARE1

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 4.2 Services The module implements a dedicated KPI function to indicate if a requested service utilizes an approved security function. For services listed in Table 8 – Approved services, the indicator function returns

  1. For services listed in Table 9 – Non-approved services, the indicator function returns
  2. The table below lists all approved services that can be used in the approved mode of operation. The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A= The service does not access any SSP during its operation N/A N/A In accordance with Section 4 and 5.1 of NIST [SP 800-133r2] (CKG), the module uses its approved DRBG to generate random bits and seeds used to generate asymmetric keys. Each generated seed is an unmodified output from the DRBG. In accordance with Section 4 and 5.1 of NIST [SP 800-133r2] (CKG), the module uses its approved DRBG to generate random bits and seeds used to generate asymmetric keys. Each generated seed is an unmodified output from the DRBG. This document may be reproduced and distributed only in its original entirety without revision.
Page 14
Approved algorithm
NameMode MethodUse Function
RSA public keyRSARSA signature verificationVerify a digital signatureCORWE1
DRBG entropy input DRBG seed DRBG 'V' value DRBG 'Key' valueCTR_DRBGRandom number generationGenerate a random numberCOInput: WE Seed: GE V: GE Key: GE1
N/AN/ASelf-testPerform pre- operational and algorithm self-testCON/A1
N/AN/AShow statusReturn module statusCON/AN/A
N/AN/AShow module infoReturn module name and versioning informationCON/AN/A
AES Key AES GCM key AES XTS keyAES-CBC AES-CCM AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-OFB AES-GCM XTS-AESSymmetric encryptionEncrypt plaintext dataCOWE1
AES Key AES GCM key AES XTS keyAES-CBC AES-CCM AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-OFB AES-GCM XTS-AESSymmetric decryptionDecrypt ciphertext dataCOWE1
AES Key AES GCM key AES XTS key AES Key-encrypting key KBKDF Key derivation key KBKDF Derived keyN/AZeroise symmetric keysRelease all resources of symmetric crypto function contextCOZ1
RSA key pair ECDSA key pairN/AZeroise asymmetric keysRelease of all resources of asymmetric crypto function contextCOZ1
HMAC keyN/AZeroise hashRelease all resources of hash contextCOZ1
Service
NameDescriptionRolesApproved FunctionsIndicator
Key EncapsulationPerform key wrappingCORSA encrypt0
Key DecapsulationPerform key unwrappingCORSA decrypt0
EdDSA/X25519 key pair generationGenerate a public/private key pair Curve: Ed25519 and Curve25519COEdDSA KeyGen X25519 KeyGen0

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Z N/A Z N/A Z Table 8

Page 15
Approved algorithm
NameKey SizeUse Function
EdDSA SigGenGenerate a digital signature Curve: Ed25519EdDSA signature generationCO0
EdDSA SigVerVerify a digital signature Curve: Ed25519EdDSA signature verificationCO0
X25519 Key agreementPerform key agreementX25519 key agreementCO0
ECDSAGenerate a public/private key pair Curve: P-192ECDSA key pair generationCO0
ECDSAGenerate a digital signature Curve: P-192ECDSA signature generationCO0
ECDSAVerify a digital signature Curve: P-192ECDSA Signature verificationCO0
ANSI X9.31Generate a public/private key pair Key size < 2048RSA key pair generationCO0
PKCS#1 v1.5 PSSGenerate a digital signature Key size < 2048RSA signature generationCO0
PKCS#1 v1.5 PSSVerify a digital signature Key size < 1024RSA Signature verificationCO0
SHA-1Hash-based key derivation Per: ANSI X9.63Key DerivationCO0
SHA-256Hash-based key derivation Per: SP 800-56C HKDFKey DerivationCO0
SHA-256, SHA-512, AES-128, AES-256Hash-based key derivation Per: RFC6637Key DerivationCO0
OMACCompute a message authentication codeGenerate MACCO0
MD2, MD4, MD5, RIPEMDCompute a message digestHashingCO0
Triple-DES, Blowfish, CAST5, DES, ECIES, RC2, RC4Perform symmetric data encryptionSymmetric encryptionCO0
Triple-DES, Blowfish, CAST5, DES, ECIES, RC2, RC4Perform symmetric data decryptionSymmetric decryptionCO0

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Table 9

Page 16

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 5. Software/Firmware Security 5.1 Integrity Techniques The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1], which is made up of a single component, is provided in the form of binary executable code. A software integrity test is performed on the runtime image of the module. The HMAC-SHA2-256 implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided and data output is prohibited. In this state the module is not operational. 5.2 On Demand Integrity Test Integrity tests are performed as part of the Pre-Operational Self-Tests. The software integrity test is automatically executed at power-on. It can also be invoked by self-test service or powering-off and reloading the module. This document may be reproduced and distributed only in its original entirety without revision.

Page 17

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]

  1. Operational Environment 6.1 Applicability The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module is supplied as part of macOS, a commercially available general-purpose operating system executing on the computing platforms specified in section
  2. This document may be reproduced and distributed only in its original entirety without revision.
Page 18

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 7. Physical Security The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirety without revision.

Page 19

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 8. Non-invasive Security Currently, the ISO/IEC 19790:2012 non-invasive security area is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirety without revision.

Page 20
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageUseImport ExportZeroisation
AES key128 to 256 bitsAES (CBC, CCM, CFB, CTR, ECB, KW, OFB modes) A3618 (asm_aesni) A3619 (asm_x86) A3620 (c_aesni) A3621 (c_asm) A3626 (vng_asm) A3627 (vng_aesni)N/AN/AN/A. The module does not provide persistent keys/SSPs storage.Symmetric Encryption and DecryptionImported from kernel No exportAutomatic zeroisation when structure is deallocated or when the system is powered down
AES Key- encrypting key128 to 256 bitsAES-KW A3620 (c_aesni) A3621 (c_asm)N/AN/AKey Wrapping and Unwrapping (KTS)Imported from kernel No export
AES GCM key128 to 256 bitsAES (GCM mode) A3626 (vng_asm) A3627 (vng_aesni)N/AN/ASymmetric Encryption and DecryptionImported from kernel No export
AES XTS key128 and 256 bitsXTS-AES A3618 (asm_aesni) A3619 (asm_x86)N/AN/ASymmetric Encryption and DecryptionImported from kernel No export
HMAC key>=112 bitsHMAC-SHA-1 HMAC-SHA-2 A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3) A3628 (vng_intel)N/AN/AGenerate and Verify MACImported from kernel No export
ECDSA public key112 to 256 bitsECDSA A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)The key pairs are generated conformant to [SP 800- 133r2] Section 4 (CKG) using FIPS186-4 Key Generation method, and the random value used in the key generation is generated using [SP 800-90Ar1] DRBGN/ASignature verificationImported from or exported to kernel
ECDSA private keyN/ASignature generationExported to kernel Intermediate keygen values are not output
RSA public key112 to 256 bitsRSA A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)The key pairs are generated conformant to [SP 800- 133r2] Section 4 (CKG) using FIPS186-4 Key GenerationN/ASignature verificationImported from or exported to kernel
RSA private keyN/ASignature generationExported to kernel. Intermediate keygen values are not output

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 9. Sensitive Security Parameter Management The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module: N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A This document may be reproduced and distributed only in its original entirety without revision.

Page 21
Approved algorithm
NameKey SizeUse Function
Random Number Generation256 bitsEntropy Input StringN/AImported from entropy sourceN/ARandom Number Generation
CTR_DRBG A3620 (c_aesni) A3621 (c_asm) A3627 (vng_aesni) HMAC_DRBG A3622 (c_avx) A3623 (c_avx2) A3624 (c_sse3)256 bitsDRBG Seed, internal state: V value and KeyInternally generated as defined by [SP 800- 90Ar1]N/AN/ARandom Number Generation
KBKDF A3624 (c_sse3)Min: 112 bitsKBKDF Key derivation keyN/AImported from calling application No exportN/AKey Derivation
KBKDF A3624 (c_sse3)Min: 112 bitsKBKDF Derived keyGenerated via KBKDFNo import Exported to calling applicationN/AKey Derivation
Entropy sourceMinimum number ofDetails
bits of entropy
ESV Cert #E14 (physical source) ESV Cert #E110 (non-physical source)256The seed is provided by post-processed entropy data from two entropy sources. The entropy sources are located within the physical perimeter of the module but outside the

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] N/A N/A N/A N/A N/A N/A N/A Table 10

Page 22

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] cryptographic boundary of the module. Table 11

Page 23

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 9.6 Key / SSP Zeroisation Keys and SSPs are zeroised when the appropriate context object is destroyed or when the system is powered down. Input and output interfaces are inhibited while zeroisation is performed. This document may be reproduced and distributed only in its original entirety without revision.

Page 24
Approved algorithm
NameUse Function
Algorithm(s)Algorithm(s)Notes
HMAC-SHA256CAST (KAT) performed prior to module’s integrity test during POSTs
AES implementations selected by the module for theSeparate encryption / decryption operations are performed

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 10. Self-tests This section specifies the pre-operational and conditional self-tests performed by the module. The preoperational and conditional self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. The module does not implement a bypass mode nor security functions critical to the secure operation of the cryptographic module and thus, does not implement either a pre-operational bypass test or pre-operational critical functions test. While the module is executing the self-tests, services are not available and input and output are inhibited. If the module fails pre-operational or conditional self-tests fail, it will report an error message indicating the cause of the failure and enters the Error State (See section 10.3). The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by rebooting the system (i.e., power-cycling).

10.1 Pre-operational Software Integrity Test

The module performs a pre-operational software integrity test automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A software integrity test is performed on the runtime image of the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] with HMAC-SHA2-256 used to perform the approved integrity technique. Prior to using HMAC-SHA-256, Conditional Cryptographic Algorithm Self-Test (CAST) is performed. If the CAST on the HMAC-SHA-256 is successful, the HMAC value of the runtime image is recalculated and compared with the stored HMAC value pre-computed at compilation time.

10.2 Conditional Self-Tests

Conditional self-tests are to be performed by a cryptographic module when the conditions specified for the following tests occur: Cryptographic Algorithm Self-Test, Pair-Wise Consistency Test. The module does not implement any functions requiring a Software/Firmware Load Test, Manual Entry Test, Conditional Bypass Test nor Conditional Critical Functions Test; therefore, these tests are not performed by The following sub-sections describe the conditional tests supported by the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1]. 10.2.1. Conditional Cryptographic Algorithm Self-Tests In addition to the pre-operational software integrity test described in Section 10.1, the Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] also runs the Conditional Cryptographic Algorithm Self-Tests (CAST) for all cryptographic functions of each approved cryptographic algorithm implemented by the module during power-up as well. All CASTs are performed prior to the first operational use of the cryptographic algorithm. These tests are detailed in Table 12

Page 25
Approved algorithm
NameUse Function
corresponding environment AES-CCM, AES-GCM, AES-XTS, AES-CBC, AES-ECB, AES-KW using 128-bit key
CTR_DRBG and HMAC_DRBGEach DRBG mode tested separately KAT and Health test per NIST [SP 800-90Ar1] Section 11.3
HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512KAT
SHA-1, SHA2-256, SHA2-512Covered by high level HMAC self-test
RSA, 2048-bit modulus with SHA-256Separate Signature generation/ verification KAT are performed
ECDSA, P-256 curve with SHA-256Signature generation/verification are performed
KBKDF (counter and feedback modes)KAT
Cause of ErrorError indicator
Failed Pre-operational Software Integrity Testprint statement “FAILED: fipspost_post_integrity” to stdout
Failed Conditional CASTprint statement “FAILED: <event>” to stdout (<event> refers to any of the cryptographic functions listed in Table 12 – Conditional Cryptographic Algorithm Self-tests.)
Failed Conditional PCTError code “CCEC_GENERATE_KEY_CONSISTENCY” returned for ECDSA Error code “CCRSA_GENERATE_KEY_CONSISTENCY” returned for RSA

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] The Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] does generate RSA and ECDSA asymmetric keys and performs the required RSA and ECDSA pair-wise consistency tests on the newly generated key pairs.

10.3 Error Handling

If any of the self-tests described in Sections 10.1, 10.2.1 or 10.2.2 fail, the module reports the cause of the error and enters an error state. In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to power cycle the device which results in the module being reloaded into memory and reperforming the pre-operational software integrity test and the Conditional CASTs. The module will only enter into the operational state after successfully passing the preoperational software integrity test and the CASTs. The table below shows the different causes that lead to the Error State and the status indicators reported. Table 13

Page 26

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 11. Life-cycle Assurance

11.1 Delivery and Operation

The module is built into macOS Ventura v13 and delivered with device. There is no standalone delivery of the module as a software library. The vendor's internal development process guarantees that the correct version of module goes with its intended macOS version. For additional assurance, the module is digitally signed by vendor and it is verified during the integration into macOS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-SHA2-256 based integrity check performed by the module itself as part of its pre-operational self-tests.

11.2 Crypto Officer Guidance

The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table 9 – Non-approved services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E14_PublicUse.pdf The ESV Public Use Document (PUD) reference for non-physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E110_PublicUse.pdf Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation. The Crypto Officer shall consider the following requirements and restrictions when using the module: o AES-GCM IV is constructed in compliance with IG C.H scenario

  1. The GCM IV generation follows RFC 4106 and shall only be used for the IPsec protocol version
  2. When the IV in RFC 4106 exhausts the maximum number of possible values for a given security association, either party to the security association that encounters this condition triggers a rekeying with IKEv2 to establish a new encryption key for the security association. The module uses RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES-GCM encryption keys are derived. In case the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the module. This protocol has not been reviewed or tested by the CAVP and CMVP. o AES-XTS mode is only approved for hardware storage applications. The length of the AES-XTS data unit does not exceed 220 blocks. The module checks explicitly that Key_1 ≠ Key_2 before using the keys in the XTS-Algorithm to process data with them compliant with IG C.I. This document may be reproduced and distributed only in its original entirety without revision.
Page 27

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] 12. Mitigation of Attacks The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirety without revision.

Page 28

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CAST Cryptographic Algorithm Self-Test CAST5 A symmetric-key 64-bit block cipher with 128-bit key CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA Elliptic Curve Digital Signature Algorithm ESVP Entropy Source Validation Program FIPS Federal Information Processing Standards GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KBKDF Key Based Key Derivation Function KDF Key Derivation Function KEXT Kernel Extension KW AES Key Wrap MAC Message Authentication Code KPI Kernel Programming Interface NIST National Institute of Standards and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pairwise Consistency Test PKG Key-Pair Generation PKV Public Key Validation PRF Pseudo-Random Function PSS Probabilistic Signature Scheme PUD Public Use Document (ESVP) RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard TOEPP Tested Operational Environment Physical Perimeter This document may be reproduced and distributed only in its original entirety without revision.

Page 29

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] XTS XEX Tweakable Block Ciphertext Stealing This document may be reproduced and distributed only in its original entirety without revision.

Page 30

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/Draft%20FIPS-140-3CMVP%20Management%20Manual%2009-18-2020.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140B CMVP Security Policy Requirements https://csrc.nist.gov/publications/detail/sp/800-140b/final SP 800-140C CMVP Approved Security Functions https://csrc.nist.gov/publications/detail/sp/800-140c/final SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140d/final SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800-140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf This document may be reproduced and distributed only in its original entirety without revision.

Page 31

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP 800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf This document may be reproduced and distributed only in its original entirety without revision.

Page 32

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] SP 800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-57r5 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf SP 800-67r1 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP 800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) October 2009 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP 800-131Ar2 NIST Special Publication 800-131A - Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf SP 800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf This document may be reproduced and distributed only in its original entirety without revision.

Page 33

Apple corecrypto Module v13.0 [Intel, Kernel, Software, SL1] MACOS macOS Technical Overview https://developer.apple.com/macos/ SEC Apple Platform Security Guide https://support.apple.com/guide/security/welcome/web macOS Product security certifications for macOS https://support.apple.com/HT201159 This document may be reproduced and distributed only in its original entirety without revision.

Referenced URLs