| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/10/2029 |
| Caveat | No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Cohesity, Inc. |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | N/A |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Cohesity FIPS Object Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Self‐test<br/>failure</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Cipher (Unauth)<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Cohesity FIPS Object Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Self‐test<br/>failure</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Cipher (Unauth)<br/>Show status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;Cohesity, Inc. Cohesity FIPS Object Module FIPS 140‐3 Non‐Proprietary Security Policy Document Version 1.1 January 8, 2025 Prepared for: Prepared by: Cohesity, Inc.
Suite 1700 San Jose, CA 95110 cohesity.com KeyPair Consulting Inc.
San Luis Obispo, CA 93401 +1 805.316.5024 keypair.us This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table of Contents 1.1 1.2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 6.1 5.1 5.2 5.3 4.1 4.2 4.3 4.4 4.5 3.1 9.1 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy 9.2 9.3 9.4 9.5 10.1 10.2 10.3 10.4 10.5 11.1 11.2 11.3 11.4 12.1 12.2 12.3 Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module List of Tables List of Figures This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non‐invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self‐tests | 1 |
| 11 | 11 | Life‐cycle assurance | 3 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
This document defines the Non‐Proprietary Security Policy for the Cohesity FIPS Object Module by Cohesity, Inc., hereafter denoted the Module. The Module meets FIPS 140‐3 overall Level 1 requirements, with security levels as shown in Section 1.2. In accordance with AS02.05, ISO/IEC 19790:2012 §7.7 Physical Security is optional and does not apply to the Module.
Purpose and Use: The Module is a cryptographic software library, intended for use by US and Canadian Federal agencies and other markets that require FIPS 140‐3 validated cryptographic functionality. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Embodiment: MultiChipStand This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. The pre‐operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The General Purpose Computer is the TOEPP. Figure 1: Block Diagram This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | N/A | fips.so | HMAC‐SHA2‐256 #A4481 over the | |||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell Inspiron 7591 | 3.0.10 with KP_1.2 | Intel Core i7‐10510U | Yes | ||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell Inspiron 7591 | 3.0.10 with KP_1.2 | Intel Core i7‐10510U | No | ||||
| Red Hat Enterprise Linux 9 | Red Hat Enterprise Linux 9 | HPE ProLiant XL420 Gen10 | 3.0.10 with KP_1.2 | Intel® Xeon® Silver 4214R CPU | Yes | ||||
| Red Hat Enterprise Linux 9 | Red Hat Enterprise Linux 9 | HPE ProLiant XL420 Gen10 | 3.0.10 with KP_1.2 | Intel® Xeon® Silver 4214R CPU | No |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| fips.so | 3.0.10 with KP_1.2 | N/A | fips.so | HMAC‐SHA2‐256 #A4481 over the | |||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell Inspiron 7591 | 3.0.10 with KP_1.2 | Intel Core i7‐10510U | Yes | ||||
| Ubuntu 20.04 LTS | Ubuntu 20.04 LTS | Dell Inspiron 7591 | 3.0.10 with KP_1.2 | Intel Core i7‐10510U | No | ||||
| Red Hat Enterprise Linux 9 | Red Hat Enterprise Linux 9 | HPE ProLiant XL420 Gen10 | 3.0.10 with KP_1.2 | Intel® Xeon® Silver 4214R CPU | Yes | ||||
| Red Hat Enterprise Linux 9 | Red Hat Enterprise Linux 9 | HPE ProLiant XL420 Gen10 | 3.0.10 with KP_1.2 | Intel® Xeon® Silver 4214R CPU | No |
| Name | Description | Type |
|---|---|---|
| Nominal | Approved mode of operation | Approved |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
Tested Module Identification
N/A for this Module. Modes List and Description: Table 4: Modes List and Description The Module only supports an Approved mode of operation. The conditions for using the Module in the Approved mode of operation are: 1. Installation of the Module as described in Section 11.1 results in the settings described below, which are required for operation in the Approved mode: a. security‐checks = 1 Enforce minimum key strengths and approved curve names. b. allow‐plaintext‐csp‐output = 1 Enforce the AS09.16 and AS09.17 requirement for a second independent action to output CSPs as a result of calls that produce CSPs, such as key generation, key unwrap (or decapsulate) and shared secret calculation. c. conditional‐errors = 1 Enforce the Module entering the error state on conditional test errors such as PCT failure. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES‐CBC | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CBC‐CS1 | A4481 | Direction ‐ decrypt, encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CBC‐CS2 | A4481 | Direction ‐ decrypt, encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CBC‐CS3 | A4481 | Direction ‐ decrypt, encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CCM | A4481 | Key Length ‐ 128, 192, 256 | SP 800‐38C |
| AES‐CFB1 | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CFB128 | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CFB8 | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐CTR | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐ECB | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐GCM | A4481 | Direction ‐ Decrypt, Encrypt IV Generation ‐ External, Internal IV Generation Mode ‐ 8.2.1 Key Length ‐ 128, 192, 256 | SP 800‐38D |
| AES‐KW | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38F |
| AES‐KWP | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38F |
| AES‐OFB | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 192, 256 | SP 800‐38A |
| AES‐XTS Testing Revision 2.0 | A4481 | Direction ‐ Decrypt, Encrypt Key Length ‐ 128, 256 | SP 800‐38E |
| KAS‐ECC CDH‐Component | A4481 | Curve ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 | SP 800‐56A Rev. 3 |
| KAS‐ECC‐SSC Sp800‐56Ar3 | A4481 | Domain Parameter Generation Methods ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 Scheme ‐ephemeralUnified ‐ KAS Role ‐ initiator, responder | SP 800‐56A Rev. 3 |
| KAS‐FFC‐SSC Sp800‐56Ar3 | A4481 | Domain Parameter Generation Methods ‐ FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192 Scheme ‐dhEphem ‐ KAS Role ‐ initiator, responder | SP 800‐56A Rev. 3 |
| KAS‐IFC‐SSC | A4481 | Modulo ‐ 2048, 3072, 4096, 6144, 8192 Key Generation Methods ‐ rsakpg1‐basic, rsakpg1‐crt, rsakpg1‐prime‐factor, rsakpg2‐basic, rsakpg2‐crt, rsakpg2‐prime‐factor Scheme ‐KAS1 ‐ KAS Role ‐ initiator, responder Scheme ‐KAS2 ‐ KAS Role ‐ initiator, responder | SP 800‐56A Rev. 3 |
| KDA HKDF SP800‐56Cr2 | A4481 | Derived Key Length ‐ 2048 Shared Secret Length ‐ Shared Secret Length: 224‐8192 Increment 8 HMAC Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256, SHA3‐224, SHA3‐256, SHA3‐384, SHA3‐512 | SP 800‐56C Rev. 2 |
| KDA OneStep SP800‐56Cr2 | A4481 | Derived Key Length ‐ 2048 Shared Secret Length ‐ Shared Secret Length: 224‐8192 Increment 8 | SP 800‐56C Rev. 2 |
| KDA TwoStep SP800‐56Cr2 | A4481 | MAC Salting Methods ‐ default, random KDF Mode ‐ feedback Derived Key Length ‐ 2048 Shared Secret Length ‐ Shared Secret Length: 224‐8192 Increment 8 | SP 800‐56C Rev. 2 |
| KDF ANS 9.42 (CVL) | A4481 | KDF Type ‐ DER Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256, SHA3‐ 224, SHA3‐256, SHA3‐384, SHA3‐512 Key Data Length ‐ Key Data Length: 8‐4096 Increment 8 | SP 800‐135 Rev. 1 |
| KDF ANS 9.63 (CVL) | A4481 | Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512 Key Data Length ‐ Key Data Length: 128, 4096 | SP 800‐135 Rev. 1 |
| KDF SP800‐108 | A4481 | KDF Mode ‐ Counter, Feedback Supported Lengths ‐ Supported Lengths: 8, 72, 128, 776, 3456, 4096 | SP 800‐108 Rev. 1 |
| KDF SSH (CVL) | A4481 | Cipher ‐ AES‐128, AES‐192, AES‐256 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512 | SP 800‐135 Rev. 1 |
| PBKDF | A4481 | Iteration Count ‐ Iteration Count: 1‐10000 Increment 1 Password Length ‐ Password Length: 8‐128 Increment 8 | SP 800‐132 |
| TLS v1.2 KDF RFC7627 (CVL) | A4481 | Hash Algorithm ‐ SHA2‐256, SHA2‐384, SHA2‐512 | SP 800‐135 Rev. 1 |
| TLS v1.3 KDF (CVL) | A4481 | HMAC Algorithm ‐ SHA2‐256, SHA2‐384 KDF Running Modes ‐ DHE, PSK, PSK‐DHE | SP 800‐135 Rev. 1 |
| DSA KeyGen (FIPS186‐4) | A4481 | L ‐ 2048, 3072 N ‐ 224, 256 | FIPS 186‐4 |
| DSA PQGGen (FIPS186‐4) | A4481 | L ‐ 2048, 3072 N ‐ 224, 256 Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | FIPS 186‐4 |
| DSA PQGVer (FIPS186‐4) | A4481 | L ‐ 1024, 2048, 3072 N ‐ 160, 224, 256 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | FIPS 186‐4 |
| ECDSA KeyGen (FIPS186‐4) | A4481 | Curve ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 Secret Generation Mode ‐ Testing Candidates | FIPS 186‐4 |
| ECDSA KeyVer (FIPS186‐4) | A4481 | Curve ‐ B‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521 | FIPS 186‐4 |
| EDDSA KeyGen | A4481 | Curve ‐ ED‐25519, ED‐448 | FIPS 186‐5 |
| EDDSA KeyVer | A4481 | Curve ‐ ED‐25519, ED‐448 | FIPS 186‐5 |
| Safe Primes Key Generation | A4481 | Safe Prime Groups ‐ ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192 | SP 800‐56A Rev. 3 |
| Safe Primes Key Verification | A4481 | Safe Prime Groups ‐ ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, modp‐2048, modp‐3072, modp‐4096, modp‐6144, modp‐8192 | SP 800‐56A Rev. 3 |
| RSA KeyGen (FIPS186‐4) | A4481 | Key Generation Mode ‐ B.3.3 Modulo ‐ 2048, 3072, 4096 Primality Tests ‐ Table C.2 Private Key Format ‐ Standard | FIPS 186‐4 |
| KTS‐IFC | A4481 | Modulo ‐ 2048, 3072, 4096, 6144 Key Generation Methods ‐ rsakpg1‐basic, rsakpg1‐crt, rsakpg1‐prime‐factor, rsakpg2‐basic, rsakpg2‐crt, rsakpg2‐prime‐factor Scheme ‐KTS‐OAEP‐basic ‐ KAS Role ‐ initiator, responder Key Transport Method ‐ Key Length ‐ 1024 | SP 800‐56B Rev. 2 |
| AES‐CMAC | A4481 | Direction ‐ Generation, Verification Key Length ‐ 128, 192, 256 | SP 800‐38B |
| AES‐GMAC | A4481 | Direction ‐ Decrypt, Encrypt IV Generation ‐ External, Internal IV Generation Mode ‐ 8.2.1 Key Length ‐ 128, 192, 256 | SP 800‐38D |
| HMAC‐SHA‐1 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA2‐224 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA2‐256 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA2‐384 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA2‐512 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA2‐512/224 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA2‐512/256 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA3‐224 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA3‐256 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA3‐384 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| HMAC‐SHA3‐512 | A4481 | Key Length ‐ Key Length: 112‐2048 Increment 8 | FIPS 198‐1 |
| KMAC‐128 | A4481 | Message Length ‐ Message Length: 0‐65536 Increment 8 Key Data Length ‐ Key Data Length: 128‐1024 Increment 8 | SP 800‐185 |
| KMAC‐256 | A4481 | Message Length ‐ Message Length: 0‐65536 Increment 8 Key Data Length ‐ Key Data Length: 128‐1024 Increment 8 | SP 800‐185 |
| SHA‐1 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA2‐224 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA2‐256 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA2‐384 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA2‐512 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA2‐512/224 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA2‐512/256 | A4481 | Message Length ‐ Message Length: 0‐65528 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 180‐4 |
| SHA3‐224 | A4481 | Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 202 |
| SHA3‐256 | A4481 | Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 202 |
| SHA3‐384 | A4481 | Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 202 |
| SHA3‐512 | A4481 | Message Length ‐ Message Length: 0‐65536 Increment 8 Large Message Sizes ‐ 1, 2, 4, 8 | FIPS 202 |
| SHAKE‐128 | A4481 | Output Length ‐ Output Length: 16‐65536 Increment 8 | FIPS 202 |
| SHAKE‐256 | A4481 | Output Length ‐ Output Length: 16‐65536 Increment 8 | FIPS 202 |
| Counter DRBG | A4481 | Prediction Resistance ‐ Yes Mode ‐ AES‐128, AES‐192, AES‐256 Derivation Function Enabled ‐ No, Yes | SP 800‐90A Rev. 1 |
| Hash DRBG | A4481 | Prediction Resistance ‐ Yes Mode ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | SP 800‐90A Rev. 1 |
| HMAC DRBG | A4481 | Prediction Resistance ‐ Yes Mode ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | SP 800‐90A Rev. 1 |
| ECDSA SigGen (FIPS186‐4) | A4481 | Component ‐ No, Yes Curve ‐ B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | FIPS 186‐4 |
| ECDSA SigVer (FIPS186‐4) | A4481 | Component ‐ No Curve ‐ B‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | FIPS 186‐4 |
| DSA SigGen (FIPS186‐4) | A4481 | L ‐ 2048, 3072 N ‐ 224, 256 Hash Algorithm ‐ SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | FIPS 186‐4 |
| DSA SigVer (FIPS186‐4) | A4481 | L ‐ 1024, 2048, 3072 N ‐ 160, 224, 256 Hash Algorithm ‐ SHA‐1, SHA2‐224, SHA2‐256, SHA2‐384, SHA2‐512, SHA2‐512/224, SHA2‐512/256 | FIPS 186‐4 |
| EDDSA SigGen | A4481 | Curve ‐ ED‐25519, ED‐448 | FIPS 186‐5 |
| EDDSA SigVer | A4481 | Curve ‐ ED‐25519, ED‐448 | FIPS 186‐5 |
| RSA SigGen (FIPS186‐4) | A4481 | Signature Type ‐ ANSI X9.31, PKCS 1.5, PKCSPSS Modulo ‐ 2048, 3072, 4096 | FIPS 186‐4 |
| RSA SigGen (FIPS186‐5) | A4481 | Modulo ‐ 2048, 3072, 4096 Signature Type ‐ pkcs1v1.5, pss | FIPS 186‐5 |
| RSA Signature Primitive (CVL) | A4481 | Private Key Format ‐ crt | FIPS 186‐4 |
| RSA SigVer (FIPS186‐4) | A4481 | Signature Type ‐ ANSI X9.31, PKCS 1.5, PKCSPSS Modulo ‐ 1024, 2048, 3072, 4096 | FIPS 186‐4 |
| RSA SigVer (FIPS186‐5) | A4481 | Modulo ‐ 2048, 3072, 4096 Signature Type ‐ pkcs1v1.5, pss | FIPS 186‐5 |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module 2. The Module is a cryptographic library used by a calling application. The calling application is responsible for: a. Use of the primitives in the correct sequence. b. Use of keys in accordance with SP 800‐140D Rev. 2 (as the keys used by the Module for cryptographic purposes are provided over the call stack by the calling application). c. Use of a SP 800‐90B compliant entropy source outside the Module boundary with at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met.
Approved Algorithms: Cipher This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 5: Approved Algorithms ‐ Cipher Key agreement Table 6: Approved Algorithms ‐ Key agreement Key derivation This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 7: Approved Algorithms ‐ Key derivation Key management This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 8: Approved Algorithms ‐ Key management Message authentication This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 10: Approved Algorithms ‐ Message authentication Message digest Table 11: Approved Algorithms ‐ Message digest This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Random Table 12: Approved Algorithms ‐ Random Table 13: Approved Algorithms ‐ Signature This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type | Properties | Reference |
|---|---|---|---|---|---|
| CKG Section 4 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐133 Rev. 2 | |||
| CKG Section 5 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐133 Rev. 2 | |||
| CKG Section 6.2 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐133 Rev. 2 | |||
| Hash DRBG with SHA3‐256, SHA3‐512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐90A Rev. 1 | |||
| HMAC DRBG with SHA3‐256, SHA3‐512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐90A Rev. 1 | |||
| Cipher (Unauth) | AES ciphers | AES‐CBC | BC‐UnAuth | ||
| Cipher (Auth) | Authenticated ciphers | AES‐CCM | BC‐Auth | ||
| CKG Section 4 | Using the Output of a Random | CKG Section 4 | CKG |
| Name | Description | Approved Functions | Type | Properties | Reference |
|---|---|---|---|---|---|
| CKG Section 4 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐133 Rev. 2 | |||
| CKG Section 5 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐133 Rev. 2 | |||
| CKG Section 6.2 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐133 Rev. 2 | |||
| Hash DRBG with SHA3‐256, SHA3‐512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐90A Rev. 1 | |||
| HMAC DRBG with SHA3‐256, SHA3‐512 | KeyPair FIPS Provider for OpenSSL 3 | NIST, SP 800‐90A Rev. 1 | |||
| Cipher (Unauth) | AES ciphers | AES‐CBC | BC‐UnAuth | ||
| Cipher (Auth) | Authenticated ciphers | AES‐CCM | BC‐Auth | ||
| CKG Section 4 | Using the Output of a Random | CKG Section 4 | CKG | ||
| CKG Section 5 | Generation of Key Pairs for Asymmetric‐Key Algorithms | CKG Section 5 | CKG | ||
| CKG Section 6.2 | Derivation of Symmetric Keys | CKG Section 6.2 | CKG | ||
| Key agreement | Key agreement | KAS‐ECC CDH‐Component | KAS‐SSC | KAS:KAS‐ECC‐SSC provides between 112 and 256 bits of encryption strength; KAS‐FFC‐ SSC provides between 112 and 200 bits of encryption strength; KAS‐IFC‐SSC provides between 112 and 200 bits of encryption strength | |
| Key derivation | KAS‐KDF HKDF SP800‐56Cr2 | KAS‐135KDF | |||
| KAS‐56CKDF | KAS‐KDF OneStep SP800‐56Cr2 | KAS‐56CKDF | |||
| KBKDF | KAS‐KDF TwoStep SP800‐56Cr2 | KBKDF | |||
| PBKDF | KDF ANS 9.42 | PBKDF | |||
| Key management ECC | ECDSA KeyGen (FIPS186‐4) | AsymKeyPair‐KeyGen | |||
| AsymKeyPair‐KeyVer | ECDSA KeyVer (FIPS186‐4) | AsymKeyPair‐KeyVer | |||
| Key management Edwards | EDDSA KeyGen | AsymKeyPair‐KeyGen | |||
| AsymKeyPair‐KeyVer | EDDSA KeyVer | AsymKeyPair‐KeyVer | |||
| Key management FFC | DSA KeyGen (FIPS186‐4) | AsymKeyPair‐KeyGen | |||
| Key management IFC | RSA KeyGen (FIPS186‐4) | AsymKeyPair‐KeyGen | |||
| Key transport | KTS‐IFC | KTS‐Encap | KTS:2048, 3072, 4096 or 6144‐ bit keys provide between 112 and 176 bits of encryption strength | ||
| KTS (Cipher w/ CMAC, GMAC, HMAC, KMAC) | SP 800‐38F Section 3.1 Provisions | AES‐CBC | BC‐Auth | KTS:128, 192 or 256‐bit keys provide between 128 and 256 bits of encryption strength | |
| BC‐UnAuth | AES‐CBC‐CS1 | BC‐UnAuth | |||
| MAC | AES‐CBC‐CS2 | MAC | |||
| KTS (AES KW, KWP) | AES‐KW | BC‐Auth | KTS:128, 192 or 256‐bit keys provide between 128 and 256 bits of encryption strength | ||
| MAC AES (CMAC, GMAC) | AES‐GMAC | MAC | |||
| MAC HMAC | HMAC‐SHA‐1 | MAC | |||
| MAC KMAC (XOF) | KMAC‐128 | XOF | |||
| Message Digest | SHA‐1 | SHA | |||
| Message Digest (XOF SHAKE) | SHAKE‐128 | XOF | |||
| Random | Counter DRBG | DRBG | |||
| Signature DSA | DSA SigGen (FIPS186‐4) | DigSig‐SigGen | |||
| DigSig‐SigVer | DSA SigVer (FIPS186‐4) | DigSig‐SigVer | |||
| Signature ECDSA | ECDSA SigGen (FIPS186‐4) | DigSig‐SigGen | |||
| DigSig‐SigVer | ECDSA SigVer (FIPS186‐4) | DigSig‐SigVer | |||
| Signature EDDSA | EDDSA SigGen | DigSig‐SigGen | |||
| DigSig‐SigVer | EDDSA SigVer | DigSig‐SigVer | |||
| Signature RSA | RSA SigGen (FIPS186‐4) | DigSig‐SigGen | |||
| DigSig‐SigVer | RSA SigGen (FIPS186‐5) | DigSig‐SigVer |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Vendor‐Affirmed Algorithms: Table 14: Vendor‐Affirmed Algorithms Non‐Approved, Allowed Algorithms: N/A for this module. Non‐Approved, Allowed Algorithms with No Security Claimed: N/A for this Module. Non‐Approved, Not Allowed Algorithms: N/A for this Module.
This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 15: Security Function Implementations This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
AES‐GCM: The Module supports internal IV generation using the Approved DRBG. The IV is at least 96 bits in length per SP 800‐38D Section 8.2.2, and the Approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2‐32 per SP 800‐38D Section 8. AES‐GCM IVs shall be used in compliance with FIPS 140‐3 IG C.H scenario 1a (TLS/DTLS 1.2, per RFC 5288), 1d (SSHv2, per RFC 5647) and 5 (TLS 1.3, per RFC 8446). The Module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES GCM ciphersuites from SP 800‐52 Rev. 1 Section 3.3.1. The Module’s implementation of AES‐GCM is used together with one or more applications outside the Module’s cryptographic boundary that implement the specified protocols; these protocols have not been reviewed or tested by the CAVP and CMVP. In each of the protocols, if the Module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re‐distributed. This condition is not enforced by the Module but is met implicitly. The Module does not retain any state across reset or power‐cycles: AES‐GCM key/IVs are not stored in non‐volatile persistent memory (i.e., disk), hence no re‐connection can occur without a fresh key establishment operation and the associated SSPs. The Module explicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values of 264‐1 for a given session key. If this exhaustion condition is observed, the Module returns an error indication to the calling application, which will then need to either abort the connection, or trigger a handshake to establish a new encryption key. XTS‐AES: In accordance with SP 800‐38E, the XTS‐AES algorithm is to be used for confidentiality on storage devices. The Module complies with FIPS 140‐3 IG C.I by: Generating Key_1 and Key_2 independently according to the rules for component symmetric keys from SP 800‐133 Rev. 2, Section 6.3. Explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS‐AES algorithm to process data with them. Key Agreement: The Module implements the following Approved key agreement methods which have been CAVP tested and validated: KAS‐ECC‐SSC per SP 800‐56A Rev. 3 (FIPS 140‐3 IG D.F Scenario 2, path 1). KAS‐FFC‐SSC per SP 800‐56A Rev. 3 (FIPS 140‐3 IG D.F Scenario 2, path 1). KAS‐IFC‐SSC per SP 800‐56B Rev. 2 (FIPS 140‐3 IG D.F Scenario 1, path 1). The Module obtains the FIPS 140‐3 IG D.F required key agreement assurances: SP 800‐56A Rev. 3 in accordance with Section 5.6.2. SP 800‐56B Rev. 2 in accordance with Section 6.4. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module PBKDF: The implemented PBKDF uses Option 1a specified in SP 800‐132 Section 5.4. FIPS 140‐3 IG D.N SP 800‐132 Password‐Based Key Derivation for Storage Applications notes that: The strength of the Data Protection Key is based on the strength of the Password and/or Passphrase used in key derivation. SP 800‐132 does not impose any strictly defined requirements on the strength of a password. It says that “passwords should be strong enough so that it is infeasible for attackers to get access by guessing a password.” The choice to use the PBKDF with a password or passphrase is entirely outside the scope of the Module, managed by the calling application
FIPS 140‐3 Security Policy Cohesity FIPS Object Module SHA‐3 and SHAKE: The Module complies with FIPS 140‐3 IG C.C as follows: All implemented SHA‐3 and SHAKE functions have been tested and validated on all of the Module’s operating environments. Vendor affirmation is claimed for use of the SHA3‐256 and SHA3‐512 hash functions as part of the Hash DRBG and HMAC DRBG, for which CAVP testing with SHA‐3 is not available.
N/A for this Module. The calling application is responsible for use of a SP 800‐90B compliant entropy source outside the Module boundary providing at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The following caveat applies per FIPS 140‐3 IG 9.3.A: No assurance of the minimum strength of generated SSPs (e.g., keys).
The Module: Produces random values in accordance with SP 800‐133 Rev. 2 Section 4, in that the DRBG output is provided directly as the random output. Does not provide any service beyond random value generation for symmetric key generation. SSPs used with symmetric key algorithms are provided by the calling application. Produces asymmetric keys in accordance with SP 800‐133 Rev. 2 Section 5, in that all asymmetric keys generated by the Module (the Key management service) provide the output of the approved key generation algorithm with no post‐processing or manipulation of the generated key pairs. As noted in the previous item, random values used in the asymmetric key generation algorithms are direct outputs of the DRBG. Keys produced by the Module use an internal Counter DRBG for which the minimum key size and equivalent security strength is 128 bits. Supports symmetric key derivation in accordance with SP 800‐133 Rev. 2 Section 6.2, using the approved and CAVP listed KDF algorithms.
The Module implements key agreement methods compliant with FIPS 140‐3 IG D.F and key transport methods compliant with FIPS 140‐3 IG D.G. Strengths are provided in Section 2.6.
The Module conforms to FIPS 140‐3 IG D.C References to the Support of Industry Protocols: while it provides SP 800‐56A Rev. 3 conformant schemes and API entry points oriented to TLS usage, the Module does not contain the full implementation of TLS. The following caveat is required: No parts of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A (API ‐ input) | N/A (API ‐ input) | Control Input Data Input | API input: stack frame including non‐sensitive parameters. |
| N/A (API ‐ output) | N/A (API ‐ output) | Data Output Status Output | API output: output parameters and return value resulting from call execution. |
| Name | Role Access | Type |
|---|---|---|
| CO | CO | Role |
| Name | Description | Security Function | Input | Output | Access | Ndicator |
|---|---|---|---|---|---|---|
| Cipher | Encrypt or decrypt data, including AEAD modes (CCM, GCM). | Cipher (Unauth) Cipher (Auth) | Encryption or decryption key; | Status return. Plaintext or ciphertext data. | CO | FIPS_OK |
| plaintext or ciphertext data; | plaintext or ciphertext data; | ‐ SC_EDK_AES: W,E | ||||
| flags. | flags. | ‐ SC_EDK_XTS: W,E | ||||
| Get capabilities | Reports information on the requested capabilities. | Provider context, capability, | Description of capabilities. | FIPS_OK |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
Table 16: Ports and Interfaces The Module does not interact with physical ports. The Control Output interface is not applicable, as the Module does not control other components.
Table 17: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified), and does not support a maintenance role or a bypass capability. The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document and in associated Guidance Documentation.
Indicator Inputs This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Initialize | Module initialization, | CO | Random MAC HMAC | FIPS_OK | Core handle, dispatch in and | Initialization status (1 = pass, 0 = fail). |
| including instantiation of | including instantiation of | ‐ DRBG_EI: W,E,Z | out, provider context. | |||
| the opaque (managed | the opaque (managed | ‐ DRBG_Seed: G,E,Z | ||||
| within the module) | within the module) | ‐ DRBG_Key: G,W,E | ||||
| Counter DRBG instance. | Counter DRBG instance. | ‐ DRBG_V: G,W,E | ||||
| Key agreement | Perform key agreement | CO | CKG Section 5 Key agreement | FIPS_OK | Key structs (key agreement | Status return; key agreement shared secret. |
| primitives on behalf of the | primitives on behalf of the | ‐ KAS_Private_ECC: W,E | keys); flags. | |||
| calling process (does not | calling process (does not | ‐ KAS_Public_ECC: W,E | ||||
| establish keys into the | establish keys into the | ‐ KAS_Private_FFC: W,E | ||||
| module). | module). | ‐ KAS_Public_FFC: W,E | ||||
| Key derivation | Derive keying material | CO | Key derivation CKG Section 6.2 | FIPS_OK | Key agreement shared secret; | Status return; derived keying material. |
| from a shared secret. | from a shared secret. | ‐ KD_DKM_KDF: G,R | flags. | |||
| Key management | Generate asymmetric key | CO | Key management ECC Key management Edwards Key management FFC Key management IFC CKG Section 4 | FIPS_OK | ECDSA, EdDSA: curve | Status return; general digital signature private and public keys. |
| pairs. | pairs. | ‐ DRBG_C: G,W,E | identifier. DSA, RSA: domain | |||
| parameter targets. | ‐ DRBG_Key: W,G,E | parameter targets. | ||||
| Key transport | Encapsulate or | CO | CKG Section 5 Key transport KTS (Cipher w/ CMAC, GMAC, HMAC, KMAC) KTS (AES KW, KWP) | FIPS_OK | Key | Status return; key transport shared secret. |
| decapsulate key material | decapsulate key material | ‐ KTS_KDK_IFC: W,E | encapsulation/decapsulation | |||
| on behalf of the calling | on behalf of the calling | ‐ KTS_KEK_IFC: W,E | key or Key wrap/unwrap key. | |||
| process. | process. | ‐ KTS_SS_IFC: G,R | ||||
| Message authentication | Generate or verify data | CO | MAC AES (CMAC, GMAC) MAC HMAC MAC KMAC (XOF) | FIPS_OK | Keyed hash key. | Status return; MAC |
| integrity. | integrity. | ‐ KH_Key_AES‐CMAC: W,E | output value. | |||
| Message digest | Generate a message | Message Digest Message Digest (XOF SHAKE) | FIPS_OK | Message; flags. | Status return; Hash | |
| digest. | digest. | output value. | ||||
| Query | Report available crypto | FIPS_OK | Provider context, operation ID. | Array of available | ||
| operations. | operations. | operations. | ||||
| Random | Generate random bits | CO | Random CKG Section 4 | FIPS_OK | DRBG struct (RBG State); DRBG_Seed. | Status return; Random |
| using the DRBG. | using the DRBG. | ‐ DRBG_C: W,E | value. | |||
| Self‐test | Perform the self‐test | FIPS_OK | Provider context. | Status (1 = pass, 0 = | ||
| sequence. | sequence. | fail). | ||||
| Show module name and versioning information | Return module name and | FIPS_OK | Provider context, parameter types (array). | Parameter types | ||
| versioning information. | versioning information. | (array) with: Name, | ||||
| Show status | OpenSSL core metadata | FIPS_OK | Provider context, parameter types (array). | Parameter types with: | ||
| (Gettable parameters; Get | (Gettable parameters; Get | BuildInfo, Status, | ||||
| parameters). | parameters). | SecurityChecks; Status | ||||
| Signature | Generate or verify digital | CO | CKG Section 5 Signature DSA Signature ECDSA Signature EDDSA Signature RSA | FIPS_OK | Sign: signing key; message. Verify: signature value; flags; sizes. | Status return; |
| signatures. (SSPs are | signatures. (SSPs are | ‐ DS_SGK_ECC: W,E | Signature value. | |||
| passed in by the calling | passed in by the calling | ‐ DS_SVK_ECC: W,E | ||||
| process.) | process.) | ‐ DS_SGK_Edwards: W,E | ||||
| Teardown | Uninstantiate the module; | CO | FIPS_OK | Provider context. | None. | |
| zeroizes internal CTR | zeroizes internal CTR | ‐ DRBG_Key: Z | ||||
| DRBG state (DRBG_Key, | DRBG state (DRBG_Key, | ‐ DRBG_V: Z | ||||
| Zeroize | Zeroization of allocated | CO | FIPS_OK | Memory pointer. | Void. | |
| key structures using | key structures using | ‐ DRBG_C: Z | ||||
| openssl_cleanse. | openssl_cleanse. | ‐ DRBG_EI: Z |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 18: Approved Services All services implemented by the Module correspond to the functionality described by the fips_query function, which returns available services based on an operation_id input. The fips_get_params function provides access to the current status of the Module as well as the name and version; this information correlates to the validation listing. A 1 value returned in status indicates the Module is running without error (FIPS_OK); a 0 return indicates an error (with additional error details indicated as described in the release specific API documentation). Services are only operational in the running state. Any attempts to access services in any other state will result in an error being returned. If the integrity test or any CAST fails then any attempt to access any service will result in an error being returned. The OpenSSL toolkit OSSL_PROVIDER_get_params function is used to invoke fips_get_params, when called with the Module’s global handle and a pointer to a parameter structure (initialized using provider_gettable_params or the equivalent). Regarding the Indicator of approved security services, the Module conforms to FIPS 140‐3 IG 2.4.C Approved Security Service Indicator, similar to example 2. Each service provides context sensitive status responses as described in the OpenSSL 3 API manual pages; generally, functions of return type int return the value 1 for success with other error codes as appropriate for the call (described in API documentation). The Module’s name and version parameters (as cited in Section 2) along with the Module’s internal indicators of the security‐check and conditional‐errors settings are used to confirm the Module is the validated Module operating in the approved mode with only approved security services. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module.
N/A for this Module. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
The Module uses HMAC‐SHA2‐256 as the approved integrity technique; the file fips.so.mac contains the integrity reference value. The Module is provided in an executable form (as fips.so shared object for use in Linux environments).
The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.
In accordance with ISO/IEC 19790:2012 Annex B, as the Module is open source, the tools used to build the Module as tested are: gcc version 9.3.0 perl v5.30.0 gnu make v4.2.1
Type of Operational Environment: Modifiable No operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2.4. The Module conforms to FIPS 140‐3 IG 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES‐NI functions are identified by FIPS 140‐3 IG 2.3.C as a known PAA.
N/A for this Module. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Type | Description | Strength | Generation | Use |
|---|---|---|---|---|---|
| RAM | Dynamic | R: Random access memory | |||
| DRBG_C | Hash_DRBG_C ‐ CSP | Element of Hash DRBG | Size: 440‐888 ‐ | Random | Random |
| state. | state. | Strength: 160 ≤ s ≤ 256 | |||
| DRBG_EI | Other ‐ CSP | Entropy input from an | Size: 128‐2^35 ‐ | Random | |
| external source used | external source used | Strength: 128 ≤ s ≤ 256 | |||
| DRBG_Key | CTR_DRBG_Key, HMAC_DRBG_Key ‐ CSP | Element of CTR DRBG | Size: 128‐256, 128‐256 ‐ | Random | Random |
| or HMAC DRBG state. | or HMAC DRBG state. | Strength: 128 ≤ s ≤ 256, 160 ≤ s ≤ |
| Name | Approved Functions | Type | From | To | Distribution Type |
|---|---|---|---|---|---|
| I | Electronic | Plaintext | Calling process | Call stack (API) input parameters | Manual |
| O | Electronic | Plaintext | Call stack (API) output parameters | Calling process | Manual |
| Name | Type | Description | Strength | Generation | Establishment | Use |
|---|---|---|---|---|---|---|
| RAM | Dynamic | R: Random access memory | ||||
| DRBG_C | Hash_DRBG_C ‐ CSP | Element of Hash DRBG | Size: 440‐888 ‐ | Random | Random | |
| state. | state. | Strength: 160 ≤ s ≤ 256 | ||||
| DRBG_EI | Other ‐ CSP | Entropy input from an | Size: 128‐2^35 ‐ | Random | ||
| external source used | external source used | Strength: 128 ≤ s ≤ 256 | ||||
| DRBG_Key | CTR_DRBG_Key, HMAC_DRBG_Key ‐ CSP | Element of CTR DRBG | Size: 128‐256, 128‐256 ‐ | Random | Random | |
| or HMAC DRBG state. | or HMAC DRBG state. | Strength: 128 ≤ s ≤ 256, 160 ≤ s ≤ | ||||
| DRBG_Seed | Other ‐ CSP | Seed used for DRBG Instantiation and Reseed. | Size: 128‐256 ‐ | Random | Random | |
| DRBG_V | CTR_DRBG_Key, Hash_DRBG_Key, HMAC_DRBG_Key ‐ CSP | Element of CTR, Hash or HMAC DRBG state. | Size: 128‐256, 128‐256, 128‐256 | Random | Random | |
| DS_SGK_ECC | B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ CSP | SigGen (private) key. | Size: 233, 283, 409, 571, 233, | Signature | ||
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | ECDSA | ||||
| DS_SGK_Edwards | Edwards25519, Edwards448 ‐ CSP | SigGen (private) key. | Size: 255, 448 ‐ | Signature | ||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | EDDSA | ||||
| DS_SGK_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ CSP | SigGen (private) key. | Size: 2048, 2048, 3072 ‐ | Signature DSA | ||
| DS_SGK_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 ‐ CSP | SigGen (private) key. | Size: 2048, 3072, 4096, 6144, | Signature RSA | ||
| DS_SVK_ECC | B‐163, B‐233, B‐283, B‐409, B‐571, K‐163, K‐233, K‐283, K‐409, K‐571, P‐192, P‐224, P‐256, P‐384, P‐521 ‐ PSP | SigVer (public) key. | Size: 163, 233, 283, 409, 571, | Signature | ||
| 163, 233, 283, 409, 571, 192, | 163, 233, 283, 409, 571, 192, | ECDSA | ||||
| DS_SVK_Edwards | Edwards25519, Edwards448 ‐ PSP | SigVer (public) key. | Size: 255, 448 ‐ | Signature | ||
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | EDDSA | ||||
| DS_SVK_FFC | L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ PSP | SigVer (public) key. | Size: 1024, 2048, 2048, 3072 ‐ | Signature DSA | ||
| DS_SVK_IFC | k=1024, k=2048, k=3072, k=4096, k=6144, k=8192 ‐ PSP | SigVer (public) key. | Size: 1024, 2048, 3072, 4096, | Signature RSA | ||
| GKP_Private_ECC | B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ CSP | General ECDSA (private) key. | Size: 233, 283, 409, 571, 233, | Key | Key | |
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | management | management | |||
| 521 ‐ | 521 ‐ | ECC | ECC | |||
| GKP_Private_Edwards | Edwards25519, Edwards448 ‐ CSP | General EdDSA (private) key. | Size: 255, 448 ‐ | Key | Key | |
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | management | management | |||
| Edwards | Edwards | Edwards | ||||
| GKP_Private_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ CSP | General FFC (private) key. | Size: 2048, 2048, 3072 ‐ | Key | Key | |
| Strength: s = 112, s = 112, s = | Strength: s = 112, s = 112, s = | management | management | |||
| 128 | 128 | FFC | FFC | |||
| GKP_Private_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 ‐ CSP | General RSA (private) key. | Size: 2048, 3072, 4096, 6144, | Key | Key | |
| 8192 ‐ | 8192 ‐ | management | management | |||
| Strength: s = 112, s = 128, s = | Strength: s = 112, s = 128, s = | IFC | IFC | |||
| GKP_Public_ECC | B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ PSP | General ECDSA (public) key. | Size: 233, 283, 409, 571, 233, | Key | Key | |
| 283, 409, 571, 224, 256, 384, | 283, 409, 571, 224, 256, 384, | management | management | |||
| 521 ‐ | 521 ‐ | ECC | ECC | |||
| GKP_Public_Edwards | Edwards25519, Edwards448 ‐ PSP | General EdDSA (public) key. | Size: 255, 448 ‐ | Key | Key | |
| Strength: s = 128, s = 224 | Strength: s = 128, s = 224 | management | management | |||
| Edwards | Edwards | Edwards | ||||
| GKP_Public_FFC | L=2048/N=224, L=2048/N=256, L=3072/N=256 ‐ PSP | General FFC (public) key. | Size: 2048, 2048, 3072 ‐ | Key | Key | |
| Strength: s = 112, s = 112, s = | Strength: s = 112, s = 112, s = | management | management | |||
| 128 | 128 | FFC | FFC | |||
| GKP_Public_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 ‐ PSP | General RSA (public) key. | Size: 2048, 3072, 4096, 6144, | Key | Key | |
| 8192 ‐ | 8192 ‐ | management | management | |||
| Strength: s = 112, s = 128, s = | Strength: s = 112, s = 128, s = | IFC | IFC | |||
| KAS_Private_ECC | B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ CSP | Key pair component used for shared secret generation. | Size: 233, 283, 409, 571, 233, | Key agreement | ||
| KAS_Private_FFC | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 ‐ CSP | Key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | ||
| KAS_Private_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 ‐ CSP | Key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | ||
| KAS_Public_ECC | B‐233, B‐283, B‐409, B‐571, K‐233, K‐283, K‐409, K‐571, P‐224, P‐256, P‐384, P‐521 ‐ PSP | Peer key pair component used for shared secret generation. | Size: 233, 283, 409, 571, 233, | Key agreement | ||
| KAS_Public_FFC | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 ‐ PSP | Peer key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | ||
| KAS_Public_IFC | k=2048, k=3072, k=4096, k=6144, k=8192 ‐ PSP | Peer key pair component used for shared secret generation. | Size: 2048, 3072, 4096, 6144, | Key agreement | ||
| KAS_SS_ECC | Other ‐ CSP | Shared secret calculation z output value (for KDF). | Size: 112 ‐ 256 ‐ | Key | Key agreement | |
| Strength: 112 ‐ 256 | Strength: 112 ‐ 256 | agreement | ||||
| KAS_SS_FFC | Other ‐ CSP | Shared secret calculation z output value (for KDF). | Size: 112 ‐ 256 ‐ | Key | Key agreement | |
| Strength: 112 ‐ 200 | Strength: 112 ‐ 200 | agreement | ||||
| KAS_SS_IFC | Other ‐ CSP | Shared secret calculation z output value (for KDF). | Size: 112 ‐ 256 ‐ | Key | Key agreement | |
| Strength: 112 ‐ 200 | Strength: 112 ‐ 200 | agreement | ||||
| KD_DKM_KDF | Other ‐ CSP | Key derivation derived keying material. | Size: 128 ‐ 256 ‐ | Key derivation | Key derivation | |
| KD_DKM_PBKDF | Other ‐ CSP | PBKDF derived key material | Size: 128 ‐ | Key derivation | Key derivation | |
| KD_PW_PBKDF | Other ‐ CSP | PBKDF password input. | Size: 128 ‐ | Key derivation | Key derivation | |
| KD_SK | Other ‐ CSP | Key derivation source key material. | Size: 128 ‐ 256 ‐ | Key derivation | ||
| KH_Key_AES‐CMAC | AES‐128, AES‐192, AES‐256 ‐ CSP | Keyed Hash key. | Size: 128, 192, 256 ‐ | MAC AES | ||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (CMAC, GMAC) | ||||
| KH_Key_AES‐GMAC | AES‐128, AES‐192, AES‐256 ‐ CSP | Keyed Hash key. | Size: 128, 192, 256 ‐ | MAC AES | ||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (CMAC, GMAC) | ||||
| KH_Key_HMAC | Other ‐ CSP | Keyed Hash key. | Size: 112 ‐ 2048 ‐ | MAC HMAC | ||
| KH_Key_KMAC | KMAC128, KMAC256 ‐ CSP | Keyed Hash key. | Size: 128, 256 ‐ | MAC KMAC | ||
| Strength: 112 ≤ s ≤ 128, 112 ≤ s ≤ | Strength: 112 ≤ s ≤ 128, 112 ≤ s ≤ | (XOF) | ||||
| KTS_KDK_IFC | Other ‐ CSP | RSA key de‐ encapsulation Key (key transport). | Size: 2048, 3072, 4096, 6144 ‐ | Key transport | ||
| KTS_KEK_IFC | Other ‐ PSP | RSA key encapsulation Key (key transport). | Size: 2048, 3072, 4096, 6144 ‐ | Key transport | ||
| KTS_SS_IFC | Other ‐ CSP | RSA key transport shared secret. | Size: 112 ‐ 256 ‐ | Key | Key transport | |
| Strength: s = 112 ‐ s = 176 | Strength: s = 112 ‐ s = 176 | transport | ||||
| SC_EDK_AES | AES‐128, AES‐192, AES‐256 ‐ CSP | Symmetric encryption and decryption. | Size: 128, 192, 256 ‐ | Cipher | ||
| Strength: s = 128, s = 192, s = | Strength: s = 128, s = 192, s = | (Unauth) | ||||
| 256 | 256 | Cipher (Auth) | ||||
| SC_EDK_XTS | XTS‐128, XTS‐256 ‐ CSP | Symmetric encryption and decryption. | Size: 256, 512 ‐ | Cipher | ||
| Strength: s = 128, s = 256 | Strength: s = 128, s = 256 | (Unauth) |
| Zeroization Method | Description | Rationale | Operator Initiation |
|---|---|---|---|
| C | C (Cleanse): Caller invocation of openssl_cleanse. | Overwrites with zeros | Caller invocation of openssl_cleanse |
| T | T (Teardown): Module unload ‐ invokes cleanse internally. | Overwrites with zeros | Occurs when module is unloaded |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
I O Table 20: SSP Input‐Output Methods
C T Table 21: SSP Zeroization Methods All SSPs are zeroized (overwritten with 0s) when they are no longer needed:
This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 22: SSP Table 1 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Storage | Zeroization | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|
| DRBG_C | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Derived From |
| O | O | DRBG_V:Used with | |||
| DRBG_EI | RAM:Plaintext | C | I | Call lifetime | DRBG_Seed:Constituent |
| DRBG_Key | RAM:Plaintext | C | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From |
| O | T | O | DRBG_V:Used with | ||
| DRBG_Seed | RAM:Plaintext | C | Call lifetime | DRBG_C:Derives | |
| DRBG_V | RAM:Plaintext | C | I | Call lifetime (module up time for internal DRBG) | DRBG_Seed:Derived From |
| O | T | O | DRBG_Key:Used with | ||
| DS_SGK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_ECC:Paired With |
| DS_SGK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SVK_Edwards:Paired With |
| DS_SGK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_FFC:Paired With |
| DS_SGK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SVK_IFC:Paired With |
| DS_SVK_ECC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_ECC:Paired With |
| DS_SVK_Edwards | RAM:Plaintext | C | I | Call lifetime | DS_SGK_Edwards:Paired With |
| DS_SVK_FFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_FFC:Paired With |
| DS_SVK_IFC | RAM:Plaintext | C | I | Call lifetime | DS_SGK_IFC:Paired With |
| GKP_Private_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_ECC:Paired With |
| GKP_Private_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Public_Edwards:Paired With |
| GKP_Private_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_FFC:Paired With |
| GKP_Private_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Public_IFC:Paired With |
| GKP_Public_ECC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_ECC:Paired With |
| GKP_Public_Edwards | RAM:Plaintext | C | O | Call lifetime | GKP_Private_Edwards:Paired With |
| GKP_Public_FFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_FFC:Paired With |
| GKP_Public_IFC | RAM:Plaintext | C | O | Call lifetime | GKP_Private_IFC:Paired With |
| KAS_Private_ECC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_ECC:Paired With |
| KAS_Private_FFC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_FFC:Paired With |
| KAS_Private_IFC | RAM:Plaintext | C | I | Call lifetime | KAS_Public_IFC:Paired With |
| KAS_Public_ECC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_ECC:Paired With |
| KAS_Public_FFC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_FFC:Paired With |
| KAS_Public_IFC | RAM:Plaintext | C | I | Call lifetime | KAS_Private_IFC:Paired With |
| KAS_SS_ECC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_ECC:Calculated From |
| KAS_SS_FFC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_FFC:Calculated From |
| KAS_SS_IFC | RAM:Plaintext | C | O | Call lifetime | KAS_Private_IFC:Calculated From |
| KD_DKM_KDF | RAM:Plaintext | C | O | Call lifetime | KD_SK:Derived From |
| KD_DKM_PBKDF | RAM:Plaintext | C | O | Call lifetime | KD_PW_PBKDF:Derived From |
| KD_PW_PBKDF | RAM:Plaintext | C | I | Call lifetime | KD_DKM_PBKDF:Derives |
| KD_SK | RAM:Plaintext | C | I | Call lifetime | KD_DKM_KDF:Derives |
| KH_Key_AES‐CMAC | RAM:Plaintext | C | I | Call lifetime | |
| KH_Key_AES‐GMAC | RAM:Plaintext | C | I | Call lifetime | |
| KH_Key_HMAC | RAM:Plaintext | C | I | Call lifetime | |
| KH_Key_KMAC | RAM:Plaintext | C | I | Call lifetime | |
| KTS_KDK_IFC | RAM:Plaintext | C | I | Call lifetime | KTS_SS_IFC:Unwraps |
| KTS_KEK_IFC | RAM:Plaintext | C | I | Call lifetime | KTS_SS_IFC:Wraps |
| KTS_SS_IFC | RAM:Plaintext | C | O | Call lifetime | KTS_KDK_IFC:Unwrapped By |
| SC_EDK_AES | RAM:Plaintext | C | I | Call lifetime | |
| SC_EDK_XTS | RAM:Plaintext | C | I | Call lifetime |
FIPS 140‐3 Security Policy I O I I O I O I I I I I I I I O O O O O O O O I I I I I I O Cohesity FIPS Object Module C C C T C C T C C C C C C C C C C C C C C C C C C C C C C C This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module O C O C O O I I I I I I I I O C C C C C C C C C C C Table 23: SSP Table 2 I I C C Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. The Module maintains only the Counter DRBG state used for key generation as a persistent CSP; this DRBG instance is used exclusively for approved services. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
Key/Algorithm Type Equivalent Strengths: Reference sources for the strengths provided in SSP Table 1 are specified below. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). Block Cipher (and related functions): AES (AES‐128, AES‐192, AES‐256): SP 800‐57 Part 1 Rev. 5 Table
| Name | Algorithm Or Test | Test Method | Test Type | Test Properties | Indicator |
|---|---|---|---|---|---|
| SW Integrity | SW Integrity | HMAC over the complete module file image | SW/FW Integrity | HMAC‐SHA2‐256 #A4481 | FIPS_OK or PROV_R_FIPS_MODULE_IN_ERROR_STATE |
| Name | Properties | Test | Indicator | Details | Conditions |
|---|---|---|---|---|---|
| Test | Type | ||||
| AES‐ECB | 128‐bit | CAST | FIPS_OK | Encrypt | Performed on module load. |
| AES‐ECB | 128‐bit | CAST | FIPS_OK | Decrypt | Performed on module load. |
| AES‐GCM | 256‐bit | CAST | FIPS_OK | Encrypt | Performed on module load. |
| AES‐GCM | 256‐bit | CAST | FIPS_OK | Decrypt | Performed on module load. |
| Counter DRBG | AES‐128 with derivation function | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| DSA SigGen | 2048‐bit with SHA2‐384 | CAST | FIPS_OK | Sign | Performed on module load. |
| DSA SigVer | 2048‐bit with SHA2‐384 | CAST | FIPS_OK | Verify | Performed on module load. |
| ECDSA SigGen | P‐224 with SHA2‐512 | CAST | FIPS_OK | Sign | Performed on module load. |
| ECDSA SigVer | P‐224 with SHA2‐512 | CAST | FIPS_OK | Verify | Performed on module load. |
| EDDSA ED448 | Edwards448 SigGen with SHA2‐ 256 | CAST | FIPS_OK | Sign | Performed on module load. |
| EDDSA ED448 | Edwards448 SigVer with SHA2‐ 256 | CAST | FIPS_OK | Verify | Performed on module load. |
| EDDSA ED25519 | Edwards25519 SigGen with SHA2‐512 | CAST | FIPS_OK | Sign | Performed on module load. |
| EDDSA ED25519 | Edwards25519 SigVer with SHA2‐512 | CAST | FIPS_OK | Verify | Performed on module load. |
| Hash DRBG | SHA2‐256 | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| HMAC DRBG | SHA‐1 | CAST | FIPS_OK | Instantiate, Generate, Reseed | Performed on module load. |
| HMAC‐SHA2‐256 | SHA2‐256 with a 256‐bit key | CAST | FIPS_OK | Generate | Performed on module load. |
| Test | Type | ||||
| KAS‐ECC‐SSC | P‐256 | CAST | FIPS_OK | Ephemeral Unified Shared Secret | Performed on module load. |
| Sp800‐56Ar3 | (Z) Computation | ||||
| KAS‐FFC‐SSC | L=2048/N=256 | CAST | FIPS_OK | dhEphem Shared Secret (Z) | Performed on module load. |
| Sp800‐56Ar3 | Computation | ||||
| KAS‐IFC‐SSC | k=2048 | CAST | FIPS_OK | SP 800‐56B Rev. 2 Section 8.2.2 RSA | Performed on module load. |
| KAS‐KDF | SHA2‐224 | CAST | FIPS_OK | SP 800‐56C Rev. 2 Section 4 | Performed on module load. |
| OneStep SP800‐ | OneStep KDF (AKA OpenSSL single‐ | ||||
| 56Cr2 | step or SS‐KDF) | ||||
| KAS‐KDF | SHA2‐256 | CAST | FIPS_OK | SP 800‐56C Rev. 2 Section 5 | Performed on module load. |
| TwoStep SP800‐ | TwoStep KDF (HKDF variant) | ||||
| KDF ANS 9.42 | Fixed input KAT | CAST | FIPS_OK | SP 800‐135 Rev. 1 Section 5.1 ANSI | Performed on module load. |
| KDF ANS 9.63 | Fixed input KAT | CAST | FIPS_OK | SP 800‐135 Rev. 1 Section 5.1 | Performed on module load. |
| KDF SP800‐108 | HMAC‐SHA2‐256 | CAST | FIPS_OK | SP 800‐108 Rev. 1 Section 4.1 KAT | Performed on module load. |
| KDF SSH | Fixed input KAT | CAST | FIPS_OK | SP 800‐135 Rev. 1 Section 5.2 | Performed on module load. |
| KTS‐IFC | k=2048 | CAST | FIPS_OK | SP 800‐56B Rev. 2 Decrypt for CRT | Performed on module load. |
| KTS‐IFC | k=2048 | CAST | FIPS_OK | SP 800‐56B Rev. 2 Encrypt for Basic | Performed on module load. |
| KTS‐IFC | k=2048 | CAST | FIPS_OK | SP 800‐56B Rev. 2 Decrypt for Basic | Performed on module load. |
| PBKDF | SHA2‐256, 24‐byte password, 36‐byte salt, iteration count of 4096 | CAST | FIPS_OK | SP 800‐132 Section 5.3 KAT of | Performed on module load. |
| RSA SigGen | k=2048 with SHA2‐256 | CAST | FIPS_OK | Sign | Performed on module load. |
| RSA SigVer | k=2048 with SHA2‐256 | CAST | FIPS_OK | Verify | Performed on module load. |
| SHA‐1 | SHA‐1 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| SHA2‐512 | SHA2‐512 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| SHA3‐256 | SHA3‐256 | CAST | FIPS_OK | Simple SHA KAT | Performed on module load. |
| TLS v1.2 KDF | Fixed input KAT | CAST | FIPS_OK | SP 800‐135 Rev. 1 Section 4.2.2 TLS | Performed on module load. |
| RFC7627 | 1.2 KAT |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
Table 24: Pre‐Operational Self‐Tests
This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Cohesity FIPS Object Module OneStep SP80056Cr2 TwoStep SP80056Cr2 This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Mode Method | Properties | Test | Indicator | Details | Conditions |
|---|---|---|---|---|---|---|
| Test | Type | |||||
| TLS v1.3 KDF | KAT | Fixed input KAT | CAST | FIPS_OK | RFC8446 Section 7.1 TLS v1.3 KDF KAT | Performed on module load. |
| DSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on FFC (DSA, KAS‐FFC‐SSC) key pair |
| (FIPS186‐4) | generated key pair | generation, prior to returning the key pair on | ||||
| ECDSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on ECC (ECDSA) key pair generation, |
| (FIPS186‐4) | generated key pair | prior to returning the key pair on conclusion of | ||||
| EDDSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on Edwards (EdDSA) key pair |
| generated key pair | generated key pair | generation, prior to returning the key pair on | ||||
| RSA KeyGen | PCT | PCT performed using the | PCT | FIPS_OK | Sign, Verify | Performed on IFC (RSA, KAS‐IFC‐SSC, KTS‐IFC) key |
| (FIPS186‐4) | generated key pair | pair generation, prior to returning the key pair on |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| SW Integrity | SW Integrity | HMAC over the complete module file image | SW/FW Integrity | On demand | Module load |
| AES‐ECB | AES‐ECB | KAT | CAST | On demand | On power on or reset |
| AES‐ECB | AES‐ECB | KAT | CAST | On demand | On power on or reset |
| AES‐GCM | AES‐GCM | KAT | CAST | On demand | On power on or reset |
| AES‐GCM | AES‐GCM | KAT | CAST | On demand | On power on or reset |
| Counter DRBG | Counter DRBG | KAT | CAST | On demand | On power on or reset |
| DSA SigGen (FIPS186‐4) | DSA SigGen (FIPS186‐4) | KAT | CAST | On demand | On power on or reset |
| DSA SigVer (FIPS186‐4) | DSA SigVer (FIPS186‐4) | KAT | CAST | On demand | On power on or reset |
| ECDSA SigGen (FIPS186‐4) | ECDSA SigGen (FIPS186‐4) | KAT | CAST | On demand | On power on or reset |
| ECDSA SigVer (FIPS186‐4) | ECDSA SigVer (FIPS186‐4) | KAT | CAST | On demand | On power on or reset |
| EDDSA ED448 SigGen | EDDSA ED448 SigGen | KAT | CAST | On demand | On power on or reset |
| EDDSA ED448 SigVer | EDDSA ED448 SigVer | KAT | CAST | On demand | On power on or reset |
| EDDSA ED25519 SigGen | EDDSA ED25519 SigGen | KAT | CAST | On demand | On power on or reset |
| EDDSA ED25519 SigVer | EDDSA ED25519 SigVer | KAT | CAST | On demand | On power on or reset |
| Hash DRBG | Hash DRBG | KAT | CAST | On demand | On power on or reset |
| HMAC DRBG | HMAC DRBG | KAT | CAST | On demand | On power on or reset |
| HMAC‐SHA2‐256 | HMAC‐SHA2‐256 | KAT | CAST | On demand | On power on or reset |
| KAS‐ECC‐SSC Sp800‐56Ar3 | KAS‐ECC‐SSC Sp800‐56Ar3 | KAT | CAST | On demand | On power on or reset |
| KAS‐FFC‐SSC Sp800‐56Ar3 | KAS‐FFC‐SSC Sp800‐56Ar3 | KAT | CAST | On demand | On power on or reset |
| KAS‐IFC‐SSC | KAS‐IFC‐SSC | KAT | CAST | On demand | On power on or reset |
| KAS‐KDF OneStep SP800‐56Cr2 | KAS‐KDF OneStep SP800‐56Cr2 | KAT | CAST | On demand | On power on or reset |
| KAS‐KDF TwoStep SP800‐56Cr2 | KAS‐KDF TwoStep SP800‐56Cr2 | KAT | CAST | On demand | On power on or reset |
| KDF ANS 9.42 | KDF ANS 9.42 | KAT | CAST | On demand | On power on or reset |
| KDF ANS 9.63 | KDF ANS 9.63 | KAT | CAST | On demand | On power on or reset |
| KDF SP800‐108 | KDF SP800‐108 | KAT | CAST | On demand | On power on or reset |
| KDF SSH | KDF SSH | KAT | CAST | On demand | On power on or reset |
| KTS‐IFC | KTS‐IFC | KAT | CAST | On demand | On power on or reset |
| KTS‐IFC | KTS‐IFC | KAT | CAST | On demand | On power on or reset |
| KTS‐IFC | KTS‐IFC | KAT | CAST | On demand | On power on or reset |
| PBKDF | PBKDF | KAT | CAST | On demand | On power on or reset |
| RSA SigGen (FIPS186‐4) | RSA SigGen (FIPS186‐4) | KAT | CAST | On demand | On power on or reset |
| RSA SigVer (FIPS186‐4) | RSA SigVer (FIPS186‐4) | KAT | CAST | On demand | On power on or reset |
| SHA‐1 | SHA‐1 | KAT | CAST | On demand | On power on or reset |
| SHA2‐512 | SHA2‐512 | KAT | CAST | On demand | On power on or reset |
| SHA3‐256 | SHA3‐256 | KAT | CAST | On demand | On power on or reset |
| TLS v1.2 KDF RFC7627 | TLS v1.2 KDF RFC7627 | KAT | CAST | On demand | On power on or reset |
| TLS v1.3 KDF | TLS v1.3 KDF | KAT | CAST | On demand | On power on or reset |
| DSA KeyGen (FIPS186‐4) | DSA KeyGen (FIPS186‐4) | PCT | PCT | On demand | On power on or reset |
| ECDSA KeyGen (FIPS186‐4) | ECDSA KeyGen (FIPS186‐4) | PCT | PCT | On demand | On power on or reset |
| EDDSA KeyGen | EDDSA KeyGen | PCT | PCT | On demand | On power on or reset |
| RSA KeyGen (FIPS186‐4) | RSA KeyGen (FIPS186‐4) | PCT | PCT | On demand | On power on or reset |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module Table 25: Conditional Self‐Tests The intended usage of asymmetric key pairs generated by the Module is not known at the time when the key pair is generated and the pairwise consistency test (PCT) is performed. In all cases, a sign and verify PCT is performed.
Table 26: Pre‐Operational Periodic Information This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
FIPS 140‐3 Security Policy Table 27: Conditional Periodic Information Cohesity FIPS Object Module This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Self‐test | The self‐test failure error | If one of the KATs fails or integrity test | PROV_R_FIPS_MODULE_IN_ERROR_STATE | Reload the Module into |
| failure | state | fails | memory |
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. The pre‐operational self‐tests are available on demand by reloading the Module. On instantiation, the Module performs the pre‐operational self‐test and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. The fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11.
During the manufacturing process, Cohesity executes the build and installation instructions for the Module. The Module is pre‐installed and configured in supported Cohesity solutions. The approved mode is enabled by default. There are no additional installation, configuration, or usage instructions for operators intending to use the Module.
Guidance Documentation is inclusive of all information required per ISO/IEC 19790:2012 Section 7.11.9.
The inherent properties of the Module are:
FIPS 140‐3 Security Policy Cohesity FIPS Object Module
The Module implements mitigations for constant‐time implementations and blinding attacks.
Constant‐time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant‐time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.
The mitigation mechanisms described in Section 12.2 are inherent within the validated algorithms. No other guidance or constraints are specified. This non‐proprietary Security Policy document may be freely reproduced and distributed in its entirety without modification.