All modules
CMVP Validated Module · FIPS 140-3 Security Policy

FortiClient Crypto Library

Certificate#4931StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorFortinet Technologies Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 19 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/19/2026
CaveatInterim Validation. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorFortinet Technologies Inc.

Approved Algorithms (31)

AlgorithmACVP Cert
AES-CBCA3419
AES-CBCA4688
AES-ECBA3419
Counter DRBGA3419
ECDSA KeyGen (FIPS186-4)A3419
ECDSA KeyVer (FIPS186-4)A3419
ECDSA SigGen (FIPS186-4)A3419
ECDSA SigVer (FIPS186-4)A3419
HMAC-SHA-1A3419
HMAC-SHA2-256A3419
HMAC-SHA2-256A4688
HMAC-SHA2-384A3419
HMAC-SHA2-384A4688
HMAC-SHA2-512A3419
HMAC-SHA2-512A4688
HMAC-SHA3-512A3419
KAS-ECC-SSC Sp800-56Ar3A3419
KAS-FFC-SSC Sp800-56Ar3A3419
PBKDFA3419
RSA KeyGen (FIPS186-4)A3419
RSA SigGen (FIPS186-4)A3419
RSA SigVer (FIPS186-4)A3419
Safe Primes Key GenerationA3419
SHA-1A3419
SHA2-256A3419
SHA2-256A4688
SHA2-384A3419
SHA2-384A4688
SHA2-512A3419
SHA2-512A4688
SHA3-512A3419

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for FortiClient Crypto Library
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES for Symmetric Encryption/Decryption (FCT…</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for FortiClient Crypto Library
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES for Symmetric Encryption/Decryption (FCT…</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

FortiClient Crypto Library Document Version: 4.1 Publication Date: Thursday, October 3, 2024 Software Version: 7.0.2 Fortinet Technologies Inc.

Page 2

FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://fortiguard.com/ END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: techdoc@fortinet.com FortiClient Crypto Library FIPS 140-3 Security Policy 04-708-802275-20241003 last page of this document FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 3
Table of Contents
#SectionPage
1.0General6
1.1Overview6
1.2Security Levels6
1.3Additional Information7
2.0Cryptographic Module Specification8
2.1Module Description8
2.1.1Description8
2.1.2Purpose or Use8
2.1.3Module Type8
2.1.4Module Embodiment8
2.1.5Module Characteristics8
2.1.6Cryptographic Boundary8
2.1.7Tested Operational Environment’s Physical Perimeter9
2.1.8Diagram, Schematic, or Photograph9
2.2Version Information10
2.3Operating Environments10
2.3.1Hardware OEs10
2.3.2Software, Firmware, Hybrid OEs10
2.3.3Executable Code List11
2.3.4Vendor Affirmed Operating Environments11
2.4Excluded Components11
2.5Modes of Operation11
2.5.1Modes List and Description11
2.5.2Mode Change Instructions12
2.5.3Degraded Mode12
2.6Algorithms12
2.6.1Approved Algorithms12
2.6.2Vendor Affirmed Algorithms14
2.6.3Non-Approved, Allowed Algorithms14
2.6.4Non-Approved, Allowed Algorithms with No Security Claimed14
2.6.5Non-Approved, Not Allowed Algorithms15
2.7Security Function Implementations15
2.8Algorithm Specific Information20
2.9RNG and Entropy20
2.9.1Entropy Information20
2.9.2RNG Information21
2.10Key Generation21
2.11Key Establishment21
2.11.1Key Agreement Information21
2.11.2Key Transport Information21
2.12Industry Protocols21
2.13Design and Rules21
2.14Initialisation22
2.15Additional Information22
3.0Cryptographic Module Interfaces23
3.1Ports and Interfaces23
3.2Trusted Channel Specification23
3.3Control Interface Not Inhibited23
3.4Additional Information23
4.0Roles, Services, and Authentication24
4.1Authentication Methods24
4.2Roles24
4.3Approved Services24
4.4Non-Approved Services27
4.5External Software/Firmware Loaded27
4.6Bypass Actions and Status27
4.7Cryptographic Output Actions and Status27
4.8Additional Information27
5.0Software/Firmware Security28
5.1Integrity Techniques28
5.2Initiate on Demand28
5.3Open Source Parameters28
5.4Non-Reconfigurable Memory End of Life Procedures28
5.5Additional Information28
6.0Operational Environment29
6.1Operational Environment Type and Requirements29
6.2Configuration Settings and Restrictions29
6.3Additional Information29
7.0Physical Security30
8.0Non-Invasive Security31
9.0Sensitive Security Parameters Management32
9.1Storage Areas32
9.2SSP Input/Output Methods32
9.3SSP Zeroization Methods32
9.4SSPs33
10.0Self-Tests36
10.1Pre-Operational Self-Tests36
10.2Conditional Self-Tests37
10.3Periodic Self-Test Information40
10.4Error States40
10.5Operator Initiation Self-Test40
10.6Additional Information41
11.0Life-Cycle Assurance42
11.1Startup Procedures42
11.2Administrator Guidance43
11.3Non-Administrator Guidance43
11.4Maintenance Requirements43
11.5End of Life43
11.6Additional Information43
12.0Mitigation of Other Attacks44
1General1
2Cryptographic module specification1
3Cryptographic module interfaces1
4Roles, services and authentication1
5Software/Firmware security1
6Operational environment1
9Sensitive security parameter management1
10Self-tests1
11Life-cycle assurance1
Page 4

FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 5

FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 6
Security level
NameISO SectionRequirementLevel
11General1
3Cryptographic module interfaces1
5Software/Firmware security1
7Physical securityN/A
9Sensitive security parameter management1
11Life-cycle assurance1

1.1. Overview This document is a FIPS 140-3 Security Policy for Fortinet's FortiClient Crypto Library, version 7.0.2. This policy describes how the FortiClient Crypto Library (hereafter referred to as the ‘module’) meets the FIPS 140-3 security requirements and how to operate the modules in a FIPS compliant manner. This policy was created as part of the FIPS 140-3 Level 1 validation of the module. The Federal Information Processing Standards Publication 140-3 - Security Requirements for Cryptographic Equipment (FIPS 140-3) details the United States Federal Government requirements for cryptographic equipment. Detailed information about the FIPS 140-3 standard and validation program is available on the NIST (National Institute of Standards and Technology) website at https://csrc.nist.gov/projects/cryptographic-modulevalidation-program. 1.2. Security Levels The module meets the overall requirements for a FIPS 140-3 Level 1 validation . Table 1: Security Levels Roles, services and authentication Operational environment N/A Non-invasive security N/A Self-tests Mitigation of other attacks N/A Overall FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 7

1.3. Additional Information This policy deals specifically with operation and implementation of the modules in the technical terms of the FIPS 140-3 standard and the associated validation program. Other Fortinet product manuals, guides and technical notes can be found at the Fortinet technical documentation website at https://docs.fortinet.com. Additional information on the entire Fortinet product line can be obtained from the following sources:

Page 8
2.0 Cryptographic Module Specification

2.1. Module Description 2.1.1. Description The FortiClient Crypto Library (hereafter referred to as the module) is a software cryptographic module that provides cryptographic services for FortiClient, Fortinet’s endpoint security application. FortiClient and the module are designed to execute on a general purpose computer (GPC) hardware platform. The module has no physical characteristics and relies on the physical characteristics of the GPC on which it runs. The module is a component of the FortiClient software and requires the following:

Page 9

2.1.7. Tested Operational Environment’s Physical Perimeter The TOEPP refers to the physical perimeter of the chassis of the general-purpose computer (GPC) on which the module is running. 2.1.8. Diagram, Schematic, or Photograph Figure 1: Physical Perimeter of the TOEPP The entire box in Figure 1 represents the TOEPP, while the gray boxes within the TOEPP represent the cryptographic boundary. For details on the cryptographic boundary and the Tested Operational Environment's Physical Perimeter, please refer to sections 2.1.6 and 2.1.7, respectively. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 10
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai
Microsoft Windows 10 (64-bit)Microsoft Windows 10 (64-bit)Dell XPS 8700Intel Core i7-4770N/A

2.2. Version Information The validated FortiClient Crypto Library version is 7.0.2. To verify the installed version, open a Windows Command Prompt window as an administrator and run the following command:

Page 11
Module configuration
NameOperating SystemHardware PlatformFirmware VersionPackageIntegrity Test
Fccryptd.exeSoftware version: 7.0.2Fccryptd.exeRSA-3072
Microsoft Windows 10Microsoft Windows 10GPC with x86 or x86-64 bit processor
Module configuration
NameOperating SystemHardware PlatformFirmware VersionPackageIntegrity Test
Fccryptd.exeSoftware version: 7.0.2Fccryptd.exeRSA-3072
Microsoft Windows 10Microsoft Windows 10GPC with x86 or x86-64 bit processor
Fortips.sysSoftware version: 7.0.2RSA-3072

2.3.3. Executable Code List Table 3: Executable Code Sets

Page 12
Service
NameDescriptionIndicatorFIPS
FIPS Deployed PackageThe module is deployed as a FIPSRun the command: fccryptd.exe fips versionApproved
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES-CBCA3419CBCEncryption/DecryptionKey Length: 128, 192, 256
Counter DRBG SP 800-90Arev1A3419Counter-BasedPrediction Resistance: NoRandom Bit Generation
ECDSA KeyVerA3419ECDSA KeyVerCurve: K-233, P-256, P-384, P- 521Public Key Validation
ECDSA SigVerA3419ECDSA SigVerCurve: P-256, P-384, P-521Digital Signature Verification
(FIPS186-4)Hash Algorithms: SHA2-256,
FIPS 186-4SHA2- 384, SHA2-512
HMAC-SHA2-256A3419SHA2-256MAC Length: 256Message Authentication
FIPS PUB 198-1Key Length: 112-1024
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES-CBCA3419CBCEncryption/DecryptionKey Length: 128, 192, 256
Counter DRBG SP 800-90Arev1A3419Counter-BasedPrediction Resistance: NoRandom Bit Generation
ECDSA KeyVerA3419ECDSA KeyVerCurve: K-233, P-256, P-384, P- 521Public Key Validation
ECDSA SigVerA3419ECDSA SigVerCurve: P-256, P-384, P-521Digital Signature Verification
(FIPS186-4)Hash Algorithms: SHA2-256,
FIPS 186-4SHA2- 384, SHA2-512
HMAC-SHA2-256A3419SHA2-256MAC Length: 256Message Authentication
FIPS PUB 198-1Key Length: 112-1024

Table 5: Modes of Operation 2.5.2. Mode Change Instructions The module only supports one mode of operation. 2.5.3. Degraded Mode The module does not support a degraded mode of operation. Table 6: Approved Algorithms for Fccrypd.exe AES-ECB ECDSA KeyGen ECB ECDSA KeyGen ECDSA SigGen ECDSA SigGen HMAC-SHA-1 SHA-1 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 13
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
HMAC-SHA2-512A3419SHA2-512MAC Length: 512Message Authentication
FIPS PUB 198-1Key Length: 112-1024
KAS-ECC-SSCA3419Scheme:P-256, P-384, P-521Shared Secret
SP 800-56Arev3ephemeralUnifiedComputation
PBKDF SP 800-132 (Option 1b)A3419PBKDF2HMAC-SHA-1Password-Based Key Derivation
RSA SigGen (FIPS186-A3419RSA SigGenModulo Sizes: 2048, 3072, 4096Digital Signature Generation
SHA-1A3419SHA-1Message Length: 0-65528Message Digest
FIPS 180-4Increment 8
SHA2-384A3419SHA2-384Message Length: 0-65528Message Digest
FIPS 180-4Increment 8
SHA3-512A34191 SHA3-512Message Length: 0-65528Message Digest
FIPS 180-4Increment 8

Sp800-56Arev3 SHA3-5121 Scheme: dhEphem ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 RSA KeyGen (FIPS1864) RSA KeyGen RSA SigVer Verification SHA3-5121 MODP ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Prime Generation RSA SigVer (FIPS1864) Safe Primes Key Appendix D Note: SHA3-256, SHA3-384, HMAC SHA3-256 and HMAC SHA3-384 are CAVP tested, but not used by any service within the module. Note: Keys derived from passwords, as described in SP 800-132, may only be used in storage applications. Note: The recommended iteration count of 1000 is used, as per SP 800-132. Legacy usage only. These legacy algorithms can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 14
Approved algorithm
NameCAVP CertMode MethodUse Function
AES-CBCA4688CBCEncryption/DecryptionKey Length: 128, 192, 256
SHA2-384A4688Message AuthenticationMAC Length: 384HMAC-SHA2-384
FIPS PUB 198-1Key Length: 112-1024FIPS PUB 198-1
SHA2-256A4688Message DigestMessage Length: 0-65528SHA2-256
FIPS 180-4Increment 8FIPS 180-4
SHA2-512A4688Message DigestMessage Length: 0-65528SHA2-512
FIPS 180-4Increment 8FIPS 180-4
OEAlgorithmReferenceAlgorithm Properties
Microsoft Windows 10 running on a Dell XPS 8700 with an Intel Core i7-4770(Haswell)CKG (Asymmetric)Section 5.1 and 5.2 of SP 800-Key Type: Asymmetric
Approved algorithm
NameCAVP CertMode MethodUse Function
AES-CBCA4688CBCEncryption/DecryptionKey Length: 128, 192, 256
SHA2-384A4688Message AuthenticationMAC Length: 384HMAC-SHA2-384
FIPS PUB 198-1Key Length: 112-1024FIPS PUB 198-1
SHA2-256A4688Message DigestMessage Length: 0-65528SHA2-256
FIPS 180-4Increment 8FIPS 180-4
SHA2-512A4688Message DigestMessage Length: 0-65528SHA2-512
FIPS 180-4Increment 8FIPS 180-4
OEAlgorithmReferenceAlgorithm Properties
Microsoft Windows 10 running on a Dell XPS 8700 with an Intel Core i7-4770(Haswell)CKG (Asymmetric)Section 5.1 and 5.2 of SP 800-Key Type: Asymmetric

Table 7: Approved Algorithms for FortIPS.sys 2.6.2. Vendor Affirmed Algorithms Table 8: Vendor Affirmed Algorithms (Symmetric) 2.6.3. Non-Approved, Allowed Algorithms None. 2.6.4. Non-Approved, Allowed Algorithms with No Security Claimed None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 15
Service
NameDescriptionApproved FunctionsTypePropertiesAlgorithm Properties
AES for Symmetric Encryption/Decryption (FCT Library)Encryption/DecryptionAES-CBCBC-UnAuthPublication: SP 800-38AKey Sizes: AES-CBC: 128, 192, 256 AES-ECB: 128
Approved algorithm
NameKey Size
Counter DRBG (FortiClient 7.0.2 Crypto Library for Windows)Deterministic Random Bit GenerationDRBGDRBGPublication: SP 800- 90Arev1256-bit AES-
ECDSA KeyVerECDSA Public Key VerificationECDSA for Key VerificationAsymKeyPa ir-KeyVerPublication: FIPS 186-4Curve: K-233, P-256, P-384, P-521

2.6.5. Non-Approved, Not Allowed Algorithms None. 2.7. Security Function Implementations Table 9: Security Function Implementations (IPSec Driver) IPSec Crypto ir-KeyGen Key Generation of the ECDSA KeyGen CKG (Asymmetric) ECDSA SigGen DigSigSigGen ECDSA Signature SHA2-256 SHA2-384 SHA2-512 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 16
Approved algorithm
NameKey SizeUse Function
Publication: FIPS 186-4Curve: P-256, P-384, P-521ECDSA for Signature VerificationDigSig- SigVerECDSA Signature Verification for the ECDSA Public KeyECDSA SigVer
NameTypeDescriptionSF PropertiesAlgorithmsAlgorithm Properties

DigSigSigVer HMAC-SHA-1 HMAC for Keyed Hash Operations (FCT MAC Message Authentication HMAC-SHA3-512 MAC Lengths: 160, SHA-1 (FortiClient SHA3-512 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 17
Approved algorithm
NameUse Function
Publication: FIPS 198-1Message AuthenticationHMAC for Keyed Hash Operations (IPSec Driver)MACHMAC-SHA2-256MAC Lengths: 256, 384, 512
Publication: SP 800- 56Arev3DH Shared Secret ComputationFFC-SSCKAS-SSCKAS-FFC-SSC Sp800-56Arev3 (FortiClient 7.0.2 Crypto Library for Windows)Safe Primes:
Sensitive security parameter
NameStrengthGeneration
of the RSA Private(FIPS186-4)of the RSA Private
Key and RSA Public(FortiClient 7.0.2Key and RSA Public

ECC-SSC Curves: P256, P-384, P-521 PBKDF PBKDF PBKDF Password-Based Key Derivation HMAC-SHA-1 HMAC-SHA-1 Password Length: 8-105 SHA-1 (FortiClient FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 18
Approved algorithm
NameUse Function
Publication: FIPS 186-4RSA for Signature VerificationDigSig- SigVerRSA Signature Verification for the RSA Public KeyRSA SigVerModulo Sizes: 1024 [Legacy], 2048, 3072, 4096

RSA SigGen Generation DigSigSigGen DigSigSigVer Digest (FCT Library) Message Digest FIPS 202 Message Length: 065528 Increment 8 FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 19
Approved algorithm
NameUse Function
Publication: SP 800- 56Arev3Safe Prime Key GenerationAsymKeyPa ir- SafePriKey Generation for all module services that utilize KAS-FFC-SSCSafe Primes Key Generation (FortiClient 7.0.2 Crypto Library for Windows)Safe Primes:
NameTypeDescriptionSF PropertiesAlgorithmsAlgorithm Properties
SHA for Message Digest (IPSec Driver)SHAMessage DigestPublication: FIPS 180-4, FIPS 202SHA2-256Message Length: 0- 65528 Increment 8
(FortiClient 7.0.2
IPSec Crypto
Library for
Windows)
SHA2-384
(FortiClient 7.0.2
IPSec Crypto
Library for
Windows)
SHA2-512
(FortiClient 7.0.2
IPSec Crypto
Library for
Windows)

SHA3-512 Length: 065528 RSA and SHA for Integrity Test DigSigSigGen, RSA and SHA for the pre-operational integrity tests. FIPS 186-4 RSA SigVer (FIPS186-4) Modulo Size: FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 20

2.8. Algorithm Specific Information Symmetric Keys: The module generates symmetric keys as per section 6.2.3 of SP 800-133rev2 using PBKDF2 (Password Based Key Derivation Function). PBKDF: PBKDF2 uses HMAC-SHA-1 and a 128-bit salt to derive keys, which are used solely for storage purposes, in accordance with SP 800-132 and IG D.N. The probability of guessing a password at random (S) is equal to the Character Pool Size (C) raised to the power of the number of characters in the password (N). The Character Pool Size (C) is 95, as the password can contain lowercase (a- z) [26], uppercase (A-Z) [26], digits (0-9) [10], and special characters (!"$,) [33]. The minimum password length is 8 characters and is enforced. However, there is no constraint on the number of times a character is used from the character pool. Therefore, the probability of guessing a password (S) is between 95^8 and 95^105

Page 21
Entropy SourcesMinimum Number of Bits of EntropyDetails
Araneus Alea II USB token256The Entropy Input String is 256 bits and expected
to provide Full Entropy.
The module requests 10240 bits of data from the
token and passes it through SHA2-256 (A3419)
before seeding the DRBG with the 256-bit output.
This 256-bit input is expected to provide 256-bits
of entropy from the external token.
No assurance of the minimum strength of
generated SSPs (e.g., keys)
IG 9.3.A Scenario 1c

Table 10: Entropy Sources 2.9.2. RNG Information The module uses the approved Counter DRBG as per section 10.2.1 of SP 800-90Arev1, which is seeded using the entropy source described in section 2.9.1 of the Security Policy to generate random numbers. 2.10. Key Generation The module complies with Section 4, 5, 6.1, and 6.2.3 of SP 800-133rev2, where the module uses its Approved DRBG to generate random values and seeds used for symmetric and asymmetric key generation. The resulting symmetric key or generated seed is an unmodified output from the DRBG. 2.11. Key Establishment 2.11.1. Key Agreement Information For KAS-ECC-SSC, elliptic-curve groups approved for use by the key-establishment schemes specified in SP 800-56Arev3 Appendix D are used. For KAS-FFC-SSC, an approved safe prime group listed in SP 800-56A rev3 Appendix D is used. 2.11.2. Key Transport Information None. 2.12. Industry Protocols None. 2.13. Design and Rules Refer to section 11.1 ‘Startup Procedures’ for Installation process. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 22

2.14. Initialisation Refer to section 11.1 ‘Startup Procedures’ for Installation process. 2.15. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 23
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI input parameters for data- plain text and
N/AControl InputAPI input commands from FortiClient application,
entropy input
3.0 Cryptographic Module Interfaces

3.1. Ports and Interfaces FortiClient is a software module and therefore does not have physical interfaces. FortiClient's logical interfaces and the types of data passed over the interfaces are described below. Table 11: Ports and Interfaces N/A Data Output API output parameters for data- encrypted or decrypted, digital signatures, hashes Status Output API return values to the FortiClient application N/A N/A N/A Note: Data I/O occurs between the FortiClient application and the crypto module. All the data output via data output interface is inhibited when the module is performing pre-operational tests, zeroization, or enters an error state. The module does not support a control output interface 3.2. Trusted Channel Specification Not Applicable (Level 1 Module) 3.3. Control Interface Not Inhibited Not Applicable. Entering the error mode shuts down the module (and the FortiClient application) completely. See 10.4 (Error States) for more information. 3.4. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 24
Service
NameRole AccessTypeAuthentication Methods
Crypto-OfficerCORoleN/A
4.0 Roles, Services, and Authentication

The FortiClient module does not claim any authentication methods as it is a FIPS 140-3 level 1 software module. 4.2. Roles The module provides the following roles:

Page 25
Service
NameDescriptionRolesRole AccessCsps AccessedIndicatorInputOutputDerive Key Via PBKDF2API Call ParametersKey is DerivedPBKDF SHA for Message Digest (FCT Library) HMAC for Keyed Hash Operations (FCT Library)CO
Asymmetric Key GenerationRSA and ECDSA Keys are GeneratedCOECDSA PublicSuccessful completion of service. IG 2.4.C, Scenario 2API Call ParametersAsymmetric Key GeneratedECDSA for Key Generation ECDSA for Key Verification RSA for key Generation
SuccessfulFortiClient module installed on the GPCN/AInstallWindows GUIFortiClient installed on GPCN/ACO
completionSSC andSecret Keys:ECDSA for Key
of service.KAS-ECC-G, EGeneration
IG 2.4.C,SSC areECDH PrivateFFC-SSC
Service
NameDescriptionRolesRole AccessCsps AccessedIndicatorInputOutputDerive Key Via PBKDF2API Call ParametersKey is DerivedPBKDF SHA for Message Digest (FCT Library) HMAC for Keyed Hash Operations (FCT Library)CO
Asymmetric Key GenerationRSA and ECDSA Keys are GeneratedCOECDSA PublicSuccessful completion of service. IG 2.4.C, Scenario 2API Call ParametersAsymmetric Key GeneratedECDSA for Key Generation ECDSA for Key Verification RSA for key Generation
SuccessfulFortiClient module installed on the GPCN/AInstallWindows GUIFortiClient installed on GPCN/ACO
completionSSC andSecret Keys:ECDSA for Key
of service.KAS-ECC-G, EGeneration
IG 2.4.C,SSC areECDH PrivateFFC-SSC

Table 13: Approved Services Backup / Restore Back and Restore configuration Configuration Backed Up or Restored N/A Execute Manual Self-Tests Manual SelfTests are executed generated to provide authentication Initialize CLI Command Self-Test results displayed in Command Prompt Window Integrity Test N/A R, G G, R E E N/A N/A E, G N/A N/A Initialized as startup N/A Software Integrity Key: E G, E FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 26
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorInputRandom Bit GenerationAPI Call ParametersRandom bits generatedDRBGCO
ImplementationsAccessImplementations
using FFC DH and ECC respectivelyusing FFC DH and ECC respectivelyKeys: G, ESafe Prime KeyScenario 2Safe Prime Key Generation
SuccessfulCrypto Module version shownN/AShow Version InformationWindows CLI commandShowN/ACO
completionFortiClient
of service.crypto
IG 2.4.C,module
Scenario 2version
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorInputRandom Bit GenerationAPI Call ParametersRandom bits generatedDRBGCO
ImplementationsAccessImplementations
using FFC DH and ECC respectivelyusing FFC DH and ECC respectivelyKeys: G, ESafe Prime KeyScenario 2Safe Prime Key Generation
SuccessfulCrypto Module version shownN/AShow Version InformationWindows CLI commandShowN/ACO
completionFortiClient
of service.crypto
IG 2.4.C,module
Scenario 2version

G, E Perform Digital Signature Digital Signature using RSA and ECDSA asymmetric ECDSA for Signature Digital Signature Performed ECDSA for Signature Verification ECDSA Public ECDSA G, E RSA Public RSA for Signature RSA Private RSA for Signature Verification A counterbased random G, E G, R Status Module Status Displayed Decryption used to encrypt plaintext and decrypt ciphertext GUI Approved mode Console) N/A N/A N/A N/A Perform Decryption E E All Keys: Z Zeroize All Sensitive GUI/CLI Stored SSPs zeroized and N/A FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 27
Service
NameCsps AccessedApproved Functions
ImplementationsAccessImplementations

Parameters are zeroized of service. IG 2.4.C, Scenario 2 FortiClient restored to factory settings. 4.4. Non-Approved Services None. 4.5. External Software/Firmware Loaded None. The module does not use or require external software or firmware components. 4.6. Bypass Actions and Status None. The module does not implement a bypass mode. 4.7. Cryptographic Output Actions and Status None. The module does not support self-initiated cryptographic output. 4.8. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 28
5.0 Software/Firmware Security

5.1. Integrity Techniques The module uses an RSA PKCS1.5 3072 with SHA2-256 (Cert. #3419) signatures to verify the integrity of its binaries. The integrity check runs automatically when FortiClient starts, but it can also be triggered manually (on demand) from the Windows command prompt using the following command : fccryptd.exe fips kat integrity If the tests passes, the results are output to the command prompt window. If the tests fail, FortiClient will log the failure and shuts down. See Section 10.4 (Error States) for more information. 5.2. Initiate on Demand Refer to section 10.5 (Operator Initiation Self-Test) for more information. 5.3. Open Source Parameters Not Applicable, the module is delivered as a compiled executable. 5.4. Non-Reconfigurable Memory End of Life Procedures Not Applicable. 5.5. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 29
6.0 Operational Environment

6.1. Operational Environment Type and Requirements The FortiClient module operates in a modifiable operational environment and runs on a commercially available GPC. For specific information regarding the operational environment, please refer to section 2.3.1. There are no user-configurable settings for the module. For more details on the installation process, please refer to section 11.1. 6.2. Configuration Settings and Restrictions None. 6.3. Additional Information Since the operating environment (Windows) lets users install new software, the module falls under the category of a modifiable OE. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 30
7.0 Physical Security

Not applicable. FortiClient is a level 1 software module. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 31
8.0 Non-Invasive Security

Not Applicable. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 32
Sensitive security parameter
NameTypeDescription
Plaintext in SDRAMDynamicSystem Memory
Service
NameFromEntry Type
API InputApplicationCryptoPlaintextManualElectronicN/A
Entropy InputEntropy Source (Araneus Alea II)CryptoPlaintextManualElectronicN/A
Module
Software
MethodDescriptionRationaleOperator Initiation
Capability
Procedural Zeroisation1. Uninstalling the Module 2. Overwriting the mass storage 3. Power Cycling the Host ComputerIn accordance with IG 9.7.BYes
Resolution 2, successful
completion of the procedural
zeroisation itself serves as the
implicit indicator that
zeroisation is complete
9.0 Sensitive Security Parameters Management

9.1. Storage Areas Table 14: Storage Areas 9.2. SSP Input/Output Methods Table 15: SSP Input-Output Methods N/A API Output N/A N/A The module does not support manual SSP entry or intermediate key generation output. 9.3. SSP Zeroization Methods As per SP IG 9.3 Resolution 2, Fortinet follows SSP procedural zeroization which is achieved through the following steps: Table 16: SSP Zeroisation Methods 1. 2. 3. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 33
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStrength128 – 256 bitsAsymmetric Public KeyInternal as per SP 800-56 Arev3N/A
AES KeysSymmetricSymmetric Key used to128, 192, 256 bitsInternal as per SP128, 192, 256 bitsN/A
Encrypt and DecryptKeyEncrypt and Decrypt800-133rev2
DataCryptographyDataSection 6.1
HMAC Keys160, 256,Keyed Hash>= 112 bitsMessage AuthenticationExternalN/A
RSA Public Key2048, 3072 bitsAsymmetric Key used112 – 128 bitsPublic Key CryptographyInternal as per FIPS 186-4N/A
Software Integrity Key3072 bitsKey used to ensure the128 bitsAuthenticationN/APre-Loaded
Approved algorithm
NameKey Size
Internal as per SP 800-90Arev1256 bitsDRBG OutputRandom Numbers used256 bitsDRBGN/A
Internal as per SP256 bitsDRBG ‘Key’Internal State Value for256 bitsDRBGN/A
800-90Arev1Valuethe DRBG
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStrength128 – 256 bitsAsymmetric Public KeyInternal as per SP 800-56 Arev3N/A
AES KeysSymmetricSymmetric Key used to128, 192, 256 bitsInternal as per SP128, 192, 256 bitsN/A
Encrypt and DecryptKeyEncrypt and Decrypt800-133rev2
DataCryptographyDataSection 6.1
HMAC Keys160, 256,Keyed Hash>= 112 bitsMessage AuthenticationExternalN/A
RSA Public Key2048, 3072 bitsAsymmetric Key used112 – 128 bitsPublic Key CryptographyInternal as per FIPS 186-4N/A
Software Integrity Key3072 bitsKey used to ensure the128 bitsAuthenticationN/APre-Loaded

9.4. SSPs Table 17: SSPs (Part 1) N/A DH Private N/A N/A DH Shared Secret Keys Shared Secret Computation N/A N/A DRBG Seed Seeding Material for N/A N/A Values N/A N/A ECDH Private Private Key N/A N/A ECDH Shared Secret Keys Shared Secret Computation N/A N/A Private Key Generation Private Key N/A N/A PBKDF2 Derived Keys Derivation Derived via SP N/A N/A RSA Private Private Key N/A N/A FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 34
Sensitive security parameter
NameStorageZeroizationUseInputCategory
N/APlaintext in SDRAMProcedural Zeroization (See Section 9.3)AES for SymmetricAPI Input API OutputAPI Call LifetimeCSP
Sensitive security parameter
NameStorageZeroizationUseInputCategory
N/APlaintext in SDRAMProcedural Zeroization (See Section 9.3)AES for SymmetricAPI Input API OutputAPI Call LifetimeCSP
Approved algorithm
NameUse Function
ECDH PrivateECC-SSCAPI Input API OutputPlaintext in SDRAMAPI Call LifetimeProceduralPSP
Keys: Paired WithECDSA for Key VerificationZeroization (See Section
FFC-SSCAPI Input API OutputPlaintext in SDRAMAPI Call LifetimeProceduralPSPDH Private
Safe Prime Key GenerationZeroization (See SectionKeys: Paired With
DRBGEntropy InputPlaintext in SDRAMAPI Call LifetimeProceduralCSPN/A
Zeroization
(See Section
9.3)
N/AEntropy InputPlaintext in SDRAMAPI Call LifetimeProceduralCSPN/A
Zeroization
(See Section
9.3)
DRBGN/APlaintext in SDRAMAPI Call LifetimeProceduralCSPN/A
Zeroization
(See Section
9.3)

User Password Input to PBKDF2 for Key Derivation

8 – 105
8 – 105

characters Derivation N/A N/A Table 18: SSPs (Part 2) 9.3) N/A 9.3) DH Public 9.3) DH Public Keys: Derived From 9.3) 9.3) N/A N/A 9.3) Input: Derived From N/A 9.3) N/A N/A 9.3) N/A N/A 9.3) N/A 9.3) ECDH Public 9.3) Keys: Derived From FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 35
Sensitive security parameter
NameStorageZeroizationUseInputStorageCategory
ECDSA Private Key: Paired WithAPI Call LifetimeProceduralECDSA for Signature VerificationAPI Input API OutputPlaintext in SDRAMPSP
N/AAPI Call LifetimeProcedural Zeroization (See Section 9.3)HMAC for KeyedAPI Input API OutputPlaintext in SDRAMCSP
RSA Private Key: Paired WithAPI Call LifetimeProceduralRSA for Signature VerificationAPI Input API OutputPlaintext in SDRAMPSP
N/AAPI Call LifetimeAPI CallRSA and SHA forN/APlaintextNon-SSP
Integrity TestLifetimeIntegrity Testin SDRAM

ECC-SSC Generation Generation Generation 9.3) 9.3) 9.3) ECDSA Public 9.3) N/A 9.3) User Password: Derived From 9.3) RSA Public N/A PBKDF2 Derived Keys: Derived By ECDH Public Keys: Derived From ECDH Private Keys: Derived From PBKDF Generation Generation N/A PBKDF FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 36
Self test
NameAlgorithm Or TestTest TypeDetailsImplementation
HMAC-SHA2-256HMAC-SHA2-256Critical Functions TestVerifyFccryptd.exe (Cert. #A3419)Configuration Integrity TestKATPass
Approved algorithm
NameUse Function
SHA2-256 and RSA SigVer (FIPS 186-4)Sign and VerifyFccryptd.exe (Cert. #A3419)RSAKATSoftware Integrity TestPass
PKCS1.5PKCS1.5Indicator
3072 and3072 andError
SHA2-256SHA2-256Indicator
10.0 Self-Tests

10.1. Pre-Operational Self-Tests The cryptographic module’s pre-operational self-tests provide the operator with assurance that no faults have been introduced that could hinder correct operation, as outlined in ISO/IEC 19790:2012, section 7.10.1. Upon successfully passing the self-test, the module logs a pass indicator message in cryptdlog.txt. Refer to section 10.6 for more information. The module performs the startup configuration integrity test by performing the following steps: Upon first startup, fccryptd.exe calculates an HMAC using SHA2-256 for the configuration settings stored in the registry. The calculated HMAC value is then stored in the registry. When authorized configuration changes are made, fccryptd.exe recalculates and stores the new HMAC value. On subsequent startups, fccryptd.exe verifies the integrity by recalculating the HMAC and comparing it with the stored HMAC value. If the stored and recalculated HMAC values don't match, the configuration integrity test fails. The configuration integrity test can be run on demand using fccrypt fips kat configuration at the command line. The following is an example of a successful self-test: In the event that any of the self-tests fail, FortiClient logs an error indicator message for the specific test(s) in cryptdlog.txt. Refer to section 10.4 for examples and more information. Table 19: Pre-Operational Self-Tests FortIPS.sys (Cert. #A4688) FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 37
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTest PropertiesCondition
AES-CBCAES-CBCKATCASTEncryptFccryptd.exe (Cert. #A3419)Key Size: 128PassBoot Up
Approved algorithm
NameKey SizeUse Function
AES-CBCKey Size: 128EncryptFortIPS.sys (Cert. #A4688)KATCASTPassBoot Up
AES-ECBKey Size: 128EncryptFccryptd.exe (Cert. #A3419)KATCASTPassBoot Up
Counter DRBGAES-CBC (256 bit)Instantiate, Generate, and ReseedFccryptd.exe (Cert. #A3419)Health TestsCASTPassBoot Up

10.2. Conditional Self-Tests Cryptographic Algorithm Self Tests (CASTs): The module performs self-tests on approved algorithms, as required by FIPS 140-3 Implementation Guidance (IG) section 10.3.A. If any self-test fails, FortiClient logs the specific test(s) in cryptdlog.txt (refer to Section 10.6 for more information). The module also performs Critical Functions Test (CFT), Continuous Pair-wise Consistency Test (CPCT), as outlined in FIPS 140-3 IG section 10.3.A. Table 20: Conditional Self-Tests ECDH Key Decrypt Decrypt Decrypt Prediction Resistance: No Derivation Function: Yes SP 80056Arev3) ECC Full of a ECDH FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 38
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsImplementationTest Properties
ECDSA KeyGen (FIPS186-4)ECDSA KeyGen (FIPS186-4)PCTPCTKey Pair GenerationFccryptd.exe (Cert. #A3419)P-256PassPrior to the
ErrorErrorOperational
Approved algorithm
NameUse Function
ECDSA SigVer (FIPS186-4)VerifyFccryptd.exe (Cert. #A3419)P-256KATCASTPassBoot Up
HMAC-SHA2- 384VerifyFccryptd.exe (Cert. #A3419)HMAC-SHA2- 384KATCASTPassBoot Up
HMAC-SHA3- 256VerifyFccryptd.exe (Cert. #A3419)HMAC-SHA3- 256KATCASTPassBoot Up
HMAC-SHA3- 512VerifyFccryptd.exe (Cert. #A3419)HMAC-SHA3- 512KATCASTPassBoot Up
HMAC-SHA2- 384VerifyFortips.sys (Cert. #A4688)HMAC-SHA2- 384KATCASTPassBoot Up
KAS-ECC- SSC5VerifyFccryptd.exe (Cert. #A3419)P-256KATCASTPassBoot Up
Errorof sharedError

SigGen HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 HMAC-SHA3256 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA3512 HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA2512 KAS-ECCSSC5 Sign FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 39
Approved algorithm
NameUse Function
HMAC-SHA-1Key DerivationPBKDF2Fccryptd.exe (Cert. #A3419)KATCASTPassBoot Up
2048 bitSignRSA SigGen (FIPS186-4)Fccryptd.exe (Cert. #A3419)KATCASTPassBoot Up
SHA2-256HashingSHA2-256Fccryptd.exe (Cert. #A3419)KATCASTPassBoot Up
SHA2-512HashingSHA2-512Fccryptd.exe (Cert. #A3419)KATCASTPassBoot Up
SHA2-384HashingSHA3-3846Fccryptd.exe (Cert. #A3419)KATCASTPassBoot Up
SHA2-256Implemented Exclusively for Self-TestsTLS KDFN/AKATCASTPassBoot Up

KAS-FFCSSC RSA KeyGen RSA SigVer SHA3-2566 SHA3-5126 N/A MODP-2048 PCT PCT Verify computation of shared secret Z in dhEphem Key Pair Generation Prior to the First Operational Use. Verify Note: SHA3-256, SHA3-386, HMAC SHA3-256 and HMAC SHA3-384 are CAVP tested, but not used by any service within the module. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 40
Service
NameDescriptionRole AccessIndicator
Critical Error StateFortiClient Logs the Specific Test or Tests that failed in cryptdlog.txtBoot Up, ManualCheck LogsPower-Cycle
AlgorithmImplementationTest PropertiesTest MethodTypeIndicatorDetailsCondition
PeriodPeriodic Method
On-DemandPre-Operational Self-Tests:
• Programmatically
Conditional Cryptographic Self-Tests:
• Programmatically
• Manually
Pair-Wise Consistency Test:
• Programmatically

IKEv2 N/A SHA2-256 KAT CAST Pass Implemented Exclusively for Table 21: Periodic Information

Page 41

10.6. Additional Information The results of the self-tests are logged to a file. For a default installation of FortiClient on the C: drive, you can view the Cryptdlog.txt file in: C:\Program Files\Fortinet\FortiClient\logs\fips. When the self-tests are run, each implementation of an algorithm is tested. For example, when the AES self-test is run, all AES implementations are tested. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 42
11.0 Life-Cycle Assurance

11.1. Startup Procedures The FortiClient FIPS 140-3 installer packages are created and deployed using Microsoft's Enterprise Mobility and Security (EMS) platform. Operating the module without following the guidance in Section 11 will result in non-compliant behavior and is outside the scope of this Security Policy. The basic steps in the deployment process are as follows:

  1. Download FortiClient from the Fortinet support site. 32bit and 64bit versions are available: ▪ FortiClientSetup_7.0.8.7048.zip (Vendor Affirmed) ▪ FortiClientSetup_7.0.8.7048_x64.zip
  2. Upload FortiClient to your EMS platform
  3. Create FortiClient installation packages with the desired features and select the ‘FIPS 140-3’ option’.
  4. Install the entropy token on the PC.
  5. Deploy FortiClient using your EMS platform or install FortiClient manually on the PC. It is important to note that the version number on the zip files includes the build number. Thus, to verify the installed version, open a Windows Command Prompt window as an administrator and run the following command: • fccryptd.exe fips version The command runs the software integrity test and displays the module version as shown in the following image. Figure 3: Approved Mode Indicator Launch the FortiClient application as you would launch any other Windows application. Failure to perform the steps outlined in this section will result in the module operating in a non-compliant state. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.
Page 43

11.2. Administrator Guidance FortiClient administrator guidance is publicly available from the Fortinet Technical Documentation site. The key administrator guidance documents are listed below:  FortiClient Administration Guide  EMS Administration Guide  EMS QuickStart Guide 11.3. Non-Administrator Guidance None. Non-Administrator guidance is included in the FortiClient Administration Guide. 11.4. Maintenance Requirements None. 11.5. End of Life Not Applicable. 11.6. Additional Information None. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 44
12.0 Mitigation of Other Attacks

Not Applicable. FortiClient Crypto Library FIPS 140-3 Security Policy Fortinet Technologies Inc.

Page 45

the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the FortiClient Crypto Library FIPS 140-3 Security Policy most current version of the publication shall be applicable. Fortinet Technologies Inc.

Referenced URLs