| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim validation. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Allegro Software Development Corporation |
flowchart LR
%% Deterministic review-risk graph for Allegro Cryptographic Engine
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Allegro Cryptographic Engine
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Allegro Software Development Corporation Allegro Cryptographic Engine Document Revision 1.1 September 2024
| # | Section | Page |
|---|
(Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 7 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 7 |
| Table 4: Modes List and Description | 7 |
| Table 5: Approved Algorithms - Cipher | 8 |
| Table 6: Approved Algorithms - Message Authentication | 8 |
| Table 7: Approved Algorithms - Symmetric Key Wrap | 8 |
| Table 8: Approved Algorithms - Asymmetric Key Generation | 8 |
| Table 9: Approved Algorithms - Asymmetric Key Verification | 9 |
| Table 10: Approved Algorithms - Asymmetric Signature Generation | 9 |
| Table 11: Approved Algorithms - Asymmetric Signature Verification | 9 |
| Table 12: Approved Algorithms - Random Number Generation | 9 |
| Table 13: Approved Algorithms - Shared Secret Computation | 9 |
| Table 14: Approved Algorithms - Key Derivation | 10 |
| Table 15: Approved Algorithms - Hash Function | 10 |
| Table 16: Approved Algorithms - Safe Primes Generation | 10 |
| Table 17: Approved Algorithms - Safe Primes Verification | 10 |
| Table 18: Vendor-Affirmed Algorithms | 10 |
| Table 19: Non-Approved, Allowed Algorithms | 11 |
| Table 20: Non-Approved, Allowed Algorithms with No Security Claimed | 11 |
| Table 21: Security Function Implementations | 13 |
| Table 22: Ports and Interfaces | 16 |
| Table 23: Roles | 16 |
| Table 24: Approved Services | 25 |
| Table 25: Storage Areas | 26 |
| Table 26: SSP Input-Output Methods | 26 |
| Table 27: SSP Zeroization Methods | 26 |
| Table 28: SSP Table 1 | 29 |
| Table 29: SSP Table 2 | 32 |
| Table 30: Pre-Operational Self-Tests | 33 |
| Table 31: Conditional Self-Tests | 36 |
| Table 32: Pre-Operational Periodic Information | 36 |
| Table 33: Conditional Periodic Information | 39 |
| Table 34: Error States | 39 |
| Figure 1: Block Diagram | 6 |
This document is a non-proprietary cryptographic module security policy for the Allegro Cryptographic Engine (Software Version 6.50) from Allegro Software Development Corporation. This security policy contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1 Table 1: Security Levels
Purpose and Use: The Allegro Cryptographic Engine (also informally referred to as “ACE,” and in this security policy as “the module”) is a software cryptographic module that runs on a general-purpose computer (GPC). It provides FIPS 140-3 approved cryptography that can be used by calling applications via a C language Application Programming Interface (API). The module meets the overall requirements applicable to a multi-chip stand-alone embodiment at FIPS 1403, Level 1. The module is a shared cryptographic library providing symmetric and asymmetric encryption and decryption, message digest, message authentication, random number generation, key generation, digital signature generation and verification, and other cryptographic functionality. As a software cryptographic module that executes on a general-purpose computer, the module depends upon the physical characteristics of the host platform. The module’s physical perimeter is defined by the enclosure around the host system on which it executes. The logical interface of the module is its Application Programming Interface, which a calling application must utilize to invoke the cryptographic services of the module, pass input data to the module and receive output data and status from the module. The module is packaged as a shared object for Linux 5.15 (Mint 21) and Windows 11 Pro. The module also includes a data file that is used for verifying the integrity of the module. The module has been validated on Linux
(Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
The module meets the overall requirements applicable at Level 1 security of FIPS 140-3. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The module’s cryptographic boundary is comprised of a single binary:
Tested Module Identification
Package or File Name Software/ Firmware Features Integrity Test Version Acelib.so (Linux 5.15) 6.50 PAA Disabled Binary HMAC-SHA2-256 (Mint
There are no components excluded from the module.
Modes List and Description: Mode Name Description Type Status Indicator Approved Mode of operation where only approved security functions and Approved Pass Mode services can be utilized Table 4: Modes List and Description The module supports an approved mode of operation only.
Approved Algorithms: Cipher Algorithm CAVP Cert Properties Reference AES-CBC A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3332 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm CAVP Cert Properties Reference AES-CTR A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-FF1 A3332 Direction - Decrypt, Encrypt SP 800-38G Key Length - 128, 192, 256 AES-GCM A3332 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-OFB A3332 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing Revision 2.0 A3332 Direction - Decrypt, Encrypt SP 800-38E Key Length - 128, 256 Table 5: Approved Algorithms - Cipher Message Authentication Algorithm CAVP Cert Properties Reference AES-CMAC A3332 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-GMAC A3332 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 HMAC-SHA-1 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2-224 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2-256 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2-384 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2-512 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3-224 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3-256 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3-384 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3-512 A3332 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 Table 6: Approved Algorithms - Message Authentication Symmetric Key Wrap Algorithm CAVP Cert Properties Reference AES-KW A3332 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3332 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 Table 7: Approved Algorithms - Symmetric Key Wrap Asymmetric Key Generation Algorithm CAVP Cert Properties Reference ECDSA KeyGen (FIPS186-4) A3332 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 Secret Generation Mode - Testing Candidates RSA KeyGen (FIPS186-4) A3332 Key Generation Mode - B.3.6 FIPS 186-4 Modulo - 2048, 3072, 4096 Primality Tests - Table C.3 Private Key Format - Standard Table 8: Approved Algorithms - Asymmetric Key Generation (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Asymmetric Key Verification Algorithm CAVP Cert Properties Reference ECDSA KeyVer (FIPS186-4) A3332 Curve - P-192, P-224, P-256, P-384, P-521 FIPS 186-4 Table 9: Approved Algorithms - Asymmetric Key Verification Asymmetric Signature Generation Algorithm CAVP Cert Properties Reference ECDSA SigGen A3332 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 RSA SigGen (FIPS186-4) A3332 Signature Type - ANSI X9.31, PKCSPSS FIPS 186-4 Modulo - 2048, 3072, 4096 Table 10: Approved Algorithms - Asymmetric Signature Generation Asymmetric Signature Verification Algorithm CAVP Cert Properties Reference ECDSA SigVer A3332 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 RSA SigVer (FIPS186-4) A3332 Signature Type - ANSI X9.31, PKCSPSS FIPS 186-4 Modulo - 2048, 3072, 4096 Table 11: Approved Algorithms - Asymmetric Signature Verification Random Number Generation Algorithm CAVP Cert Properties Reference Hash DRBG A3332 Mode - SHA2-256, SHA2-512 SP 800-90A Rev. 1 Table 12: Approved Algorithms - Random Number Generation Shared Secret Computation Algorithm CAVP Properties Reference Cert KAS-ECC-SSC Sp800- A3332 Domain Parameter Generation Methods - P-224, P- SP 800-56A 56Ar3 256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC Sp800- A3332 Domain Parameter Generation Methods - MODP- SP 800-56A 56Ar3 2048, MODP-3072 Rev. 3 Table 13: Approved Algorithms - Shared Secret Computation Key Derivation Algorithm CAVP Properties Reference Cert KDA HKDF Sp800- A3332 Derived Key Length - 2048 SP 800-56C 56Cr1 Shared Secret Length - Shared Secret Length: 224-2048 Rev. 2 Increment 8 HMAC Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 KDF SSH (CVL) A3332 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512 PBKDF A3332 Iteration Count - Iteration Count: 1000-100000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm CAVP Properties Reference Cert TLS v1.2 KDF A3332 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.3 KDF A3332 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - PSK-DHE Rev. 1 Table 14: Approved Algorithms - Key Derivation Hash Function Algorithm CAVP Cert Properties Reference SHA-1 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-224 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-256 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-384 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-512 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA3-224 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHA3-256 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHA3-384 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHA3-512 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHAKE-128 A3332 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A3332 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 Table 15: Approved Algorithms - Hash Function Safe Primes Generation Algorithm CAVP Cert Properties Reference Safe Primes Key A3332 Safe Prime Groups - modp-2048, modp- SP 800-56A Rev. Generation 3072 3 Table 16: Approved Algorithms - Safe Primes Generation Safe Primes Verification Algorithm CAVP Cert Properties Reference Safe Primes Key A3332 Safe Prime Groups - modp-2048, modp- SP 800-56A Rev. Verification 3072 3 Table 17: Approved Algorithms - Safe Primes Verification The module’s approved algorithms are specified above. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in this table. Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Section 4 Key Type:Symmetric N/A NIST SP 800-133 Rev. 2 (Section
6.1 6.1)
Table 18: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: Name Properties Implementation Reference Key Unwrap Key Type:Symmetric N/A IG D.G (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Table 19: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed in the approved mode with no security claimed Used for TLS 1.2 interoperability Table 20: Non-Approved, Allowed Algorithms with No Security Claimed Caveats:
Name Type Description Properties Algorithms DRBG DRBG Random Bit Hash DRBG Generation Message Digest SHA Create Message SHA-1 Digest SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-128 SHAKE-256 Generate Digital DigSig-SigGen Create Digital ECDSA SigGen Signature Signatures (FIPS186-4) RSA SigGen (FIPS186-4) Verify Digital DigSig-SigVer Verify Digital ECDSA SigVer Signature Signature (FIPS186-4) RSA SigVer (FIPS186-4) Generate CKG Generate Hash DRBG Symmetric Keys DRBG Symmetric Keys CKG Section 4 Key Type: Symmetric CKG Section 6.1 Key Type: Symmetric (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Type Description Properties Algorithms Generate AsymKeyPair- Generation of ECDSA KeyGen Asymmetric Keys KeyGen Asymmetric Keys (FIPS186-4) CKG RSA KeyGen (FIPS186-4) Hash DRBG CKG Section 4 Key Type: Seed for Asymmetric Key Shared Secret AsymKeyPair- Shared Secret Shared Secret KAS-FFC-SSC Computation (KAS- SafePri Computation (KAS- Computation:Provides Sp800-56Ar3 FFC-SSC) KAS-SSC FFC-SSC) between 112 and 128 Safe Primes Key bits of encryption Generation strength Safe Primes Key Verification Shared Secret AsymKeyPair- NIST SP 800-56Ar3 Shared Secret KAS-ECC-SSC Computation (KAS- DomPar shared secret Computation:Provides Sp800-56Ar3 ECC-SSC) AsymKeyPair- computation (KAS- between 128 and 256 ECDSA KeyGen KeyGen ECC-SSC) bits of encryption (FIPS186-4) AsymKeyPair- strength ECDSA SigGen PubKeyVal (FIPS186-4) DRBG ECDSA SigVer KAS-SSC (FIPS186-4) Hash DRBG Derive Key (HKDF) KAS-56CKDF Key Derivation KDA HKDF Sp800SHA 56Cr1 HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 Derive Key (TLS KAS-135KDF Key Derivation for TLS v1.2 KDF 1.2) SHA TLS 1.2 RFC 7627 RFC7627 SHA2-256 SHA2-384 SHA2-512 Derive Key (TLS KAS-135KDF Key Derivation for TLS v1.3 KDF 1.3) SHA TLS 1.3 SHA2-256 SHA2-384 Derive Key (SSH) KAS-135KDF Key Derivation for KDF SSH SHA SSH SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 Derive Key MAC Password-Based PBKDF (PBKDF) PBKDF Key Derivation HMAC-SHA-1 Message MAC Message HMAC-SHA-1 Authentication Authentication HMAC-SHA2-224 Algorithms HMAC-SHA2-256 (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Type Description Properties Algorithms HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA3-224 HMAC-SHA3-256 HMAC-SHA3-384 HMAC-SHA3-512 AES-CMAC AES-GMAC Hash DRBG CKG Section 4 Key Type: Symmetric CKG Section 6.1 Key Type: Symmetric Symmetric Cipher BC-Auth Encryption & AES-CBC BC-UnAuth Decryption AES-CCM AES-CFB1 AES-CFB128 AES-CFB8 AES-ECB AES-FF1 AES-GCM AES-KW AES-KWP AES-OFB AES-XTS Testing Revision 2.0 AES-CTR Key Wrapping KTS-Wrap Key Wrapping KTS:Key AES-KW Method (SP 800- establishment AES-KWP 38F) (IG D.G) methodology provides between 128 and 256 bits of encryption strength Verify Asymmetric AsymKeyPair- Verify Asymmetric ECDSA KeyVer Keys KeyVer Keys (FIPS186-4) CKG Section 4 CKG NIST SP 800-133 CKG Section 4 Rev. 2 (Section 4) CKG Section 6.1 CKG NIST SP 800-133 CKG Section 6.1 Rev. 2 (Section 6.1) Table 21: Security Function Implementations
SHA-3 & SHAKE (IG C.C) SHA-3 and SHAKE were tested and validated on all of the module’s operating environments. RSA (IG C.F) (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
PBKDF2 (IG D.N) The Allegro Cryptographic Engine requires the password to be at least ten characters in length, the iteration count at least 1000, the salt at least 128 bits in length, and that the master key output from the PBKDF2 is at least 112 bits in length. Master keys may be used as Device Protection Keys (Option 1(a) from Section 5.4 of NIST SP 800132). Alternately, they may be used with a key derivation function to produce a Device Protection Key (Option 1(b) from Section 5.4 of NIST SP 800-132). Passwords passed to the PBKDF2 implemented shall have a length of at least 10 characters and shall consist of upper- and lower-case letters and numbers (52 letters) and digits (0-9) as well as characters from the set ~!@#$%^&*. There are 71 different characters that can be used, in any order. The probability of guessing this password at random is 7110 = 1: 3.3 * 1018. This provides a password search space of more than 60 bits. The length of the random salt used in PBKDF2 must be at least 128 bits. The iteration count used in PBKDF2 must be at least
1000 and should be as large as is tolerable by the calling application. The length of the master key generated by
PBKDF2 must be at least 112 bits. The calling application may use the master key, the Data Protection Key, or it may derive the Data Protection Key from the master key using a key derivation function. The Data Protection Key shall be used for storage purposes only and shall use only approved encryption algorithms.
The entropy for seeding the SP 800-90Ar1 DRBG is determined by the user of the module, which is outside of the module’s cryptographic boundary. To be compliant, the target application shall supply at least 256 bits of entropy in order to meet the security strength required for the random number generation mechanism. Since entropy is loaded passively into the module, there is no assurance of the minimum strength of generated SSPs (e.g., keys).
SSPs that are generated internally by the module, are generated using the module's approved DRBG.
The module is capable of performing key establishment when utilizing the implemented NIST SP 800-56Ar3 shared secret computation methods, with one of the approved key derivation functions. The module also supports key transport methods compliant with NIST SP 800-38F.
While the module does not implement the TLS or SSH protocols, it does implement the key derivation functions for both, per NIST SP 800-135r1.
Please see Section 11 for details regarding the preparation of the operational environments, and installation of the module.
(Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Physical Logical Data That Passes Port Interface(s) N/A Data Input Input data passed via API calls as function arguments or in memory buffers referenced by function arguments N/A Data Output Data returned by API calls using function arguments and related memory buffers N/A Control Input API function calls that initialize and control the operation of the module N/A Status Values returned from API calls Output Table 22: Ports and Interfaces As a software cryptographic module, the module’s physical and electrical characteristics, manual controls and physical indicators are those of the host system. The host system provides physical ports that the operating system or applications may use. The cryptographic module does not access or control the physical interface ports or physical indicators of the GPC. The module does not support a control output interface.
N/A for this module. The module does not identify or authenticate the operator. The Crypto Officer role is assumed by the operator. Only one operator can operate the module at any time.
Name Type Operator Type Authentication Methods CO Role Crypto Officer None Table 23: Roles The Allegro Cryptographic Engine supports only one role, which is the Crypto Officer role.
Name Description Indicato Inputs Outputs Security SSP Access r Functions AcInit() Initialize the Successf N/A Invocation None CO module for ul Success or use in Invocatio Invocation Approved n (Pass) Failure mode AcDeInit() Zeroize all Successf N/A Invocation None CO keys and ul Success or CSPs and Invocatio Invocation disable n (Pass) Failure crypto services AcRunSelfTest() Run Successf N/A Invocation DRBG CO cryptographic ul Success or Message self-tests on Invocatio Invocation Digest demand n (Pass) Failure Generate Digital (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions Signature Verify Digital Signature Generate Asymmetric Keys Shared Secret Computatio n (KASFFC-SSC) Shared Secret Computatio n (KASECC-SSC) Derive Key (HKDF) Derive Key (TLS 1.2) Derive Key (TLS 1.3) Derive Key (SSH) Derive Key (PBKDF) Message Authenticati on Symmetric Cipher Verify Asymmetric Keys AcAceLibraryInfo() Return the Successf N/A Module None CO module name ul Name, Major and version Invocatio Version, n (Pass) Minor Version, Build Number, Invocation Success or Invocation Failure AcGenerateRandomNumb Generate Successf API call Random DRBG CO ers() random data ul paramete Number, Invocatio rs Invocation n (Pass) Success or Invocation Failure (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions AcDigest() AcDigestInit() Create Successf API call Hash, Message CO AcDigestUpdate() message ul paramete Invocation Digest AcDigestFinal() digest from Invocatio rs Success or input data n (Pass) Invocation Failure AcDigestClone() Duplicate a Successf API call Hash, None CO message ul paramete Invocation digest Invocatio rs Success or n (Pass) Invocation Failure AcKeyedDigestInit() Create a Successf API call Digest, Message CO keyed ul paramete Invocation Digest - HMAC Key: message Invocatio rs Success or Message R,E digest of n (Pass) Invocation Authenticati - AES input data Failure on GMAC Key: R,E - AES CMAC Key: R,E AcSign() AcSignInit() Create a Successf API call Signature, Generate CO AcSignUpdate() Digital ul paramete Invocation Digital - RSA AcSignFinal() Signature Invocatio rs Success or Signature Private Key: n (Pass) Invocation R,E Failure - ECDSA Private Key: R,E AcSignDigestBuffer() Create a Successf API call Signature, Generate CO digital ul paramete Invocation Digital - RSA signature for Invocatio rs Success or Signature Private Key: a previously n (Pass) Invocation R,E computed Failure - ECDSA message Private Key: digest R,E AcVerify() AcVerifyInit() Verify a Successf API call Signature, Verify CO AcVerifyUpdate() digital ul paramete Invocation Digital - RSA Public AcVerifyFinal() signature Invocatio rs Success or Signature Key: R,E n (Pass) Invocation Verify - ECDSA Failure Asymmetric Public Key: Keys R,E AcVerifyDigestBuffer() Verify a Successf API call Signature, Verify CO digital ul paramete Invocation Digital - RSA Public signature for Invocatio rs Success or Signature Key: R,E a previously n (Pass) Invocation Verify - ECDSA computed Failure Asymmetric Public Key: digest Keys R,E AcEncryptInit() Encrypt or Successf API call Plaintext, Symmetric CO decrypt a ul paramete Ciphertext, Cipher - AES Key : block of data Invocatio rs Invocation R,E n (Pass) Success or - AES GCM Invocation Key: R,E Failure - AES GCM IV: R,E (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions - AES CCM Key: R,E - AES-XTS Testing Revision 2.0 Key: R,E - AES CMAC Key: R,E - AES GMAC Key: R,E AcEncryptUpdate() Encrypt or Successf API call Plaintext, Symmetric CO decrypt a ul paramete Ciphertext, Cipher - AES Key : block of data Invocatio rs Invocation R,E n (Pass) Success or - AES GCM Invocation Key: R,E Failure - AES GCM IV: R,E - AES CCM Key: R,E - AES-XTS Testing Revision 2.0 Key: R,E - AES CMAC Key: R,E - AES GMAC Key: R,E AcEncryptFinal() Encrypt or Successf API call Plaintext, Symmetric CO decrypt a ul paramete Ciphertext, Cipher - AES Key : block of data Invocatio rs Invocation R,E n (Pass) Success or - AES GCM Invocation Key: R,E Failure - AES GCM IV: R,E - AES CCM Key: R,E - AES-XTS Testing Revision 2.0 Key: R,E - AES CMAC Key: R,E - AES GMAC Key: R,E AcGenerateKey() Generate Successf API call Key, Generate CO symmetric ul paramete Invocation Symmetric - AES Key : keys Invocatio rs Success or Keys G,W n (Pass) Invocation CKG - AES GCM Failure Section 4 Key: G,W (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions CKG - AES CMAC Section 6.1 Key: G,W - AES-XTS Testing Revision 2.0 Key: G,W - Key Encryption Key (KEK): G,W AcGenerateKeyPair() Generate Successf API call KeyPair, Generate CO asymmetric ul paramete Invocation Asymmetric - RSA key pairs Invocatio rs Success or Keys Private Key: n (Pass) Invocation CKG G,W Failure Section 4 - RSA Public Key: G,W - ECDSA Private Key: G,W - ECDSA Public Key: G,W - ECDH Private Components : G,W - ECDH Public Components : G,W - DH Private Components : G,W - DH Public Components : G,W AcBuildKeyPairFromPara Generate Successf API call KeyPair, Generate CO ms() asymmetric ul paramete Invocation Asymmetric - RSA key pairs Invocatio rs Success or Keys Private Key: using specific n (Pass) Invocation Shared G,W key Failure Secret - RSA Public parameters Computatio Key: G,W n (KAS- - ECDSA FFC-SSC) Private Key: Shared G,W Secret - ECDSA Computatio Public Key: n (KAS- G,W ECC-SSC) - ECDH Private Components : G,W (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions - ECDH Public Components : G,W - DH Private Components : G,W - DH Public Components : G,W AcExportKey() Wrap Key Successf API call Key/KeyPair, Key CO ul paramete Invocation Wrapping - Key Invocatio rs Success or Encryption n (Pass) Invocation Key (KEK): Failure R,E AcImportKey() Unwrap Key Successf API call Key/KeyPair, Key CO ul paramete Invocation Wrapping - Key Invocatio rs Success or Encryption n (Pass) Invocation Key (KEK): Failure W,E AcKeySize() Return the Successf API call Key Size, None CO key size for a ul paramete Invocation selected Key Invocatio rs Success or n (Pass) Invocation Failure AcKeyExchange() Establish a Successf API call Shared, Shared CO shared secret ul paramete Secret, Key, Secret - ECDH Invocatio rs Invocation Computatio Private n (Pass) Success or n (KAS- Components Invocation FFC-SSC) : R,E Failure Shared - ECDH Secret Public Computatio Components n (KAS- : R,E ECC-SSC) - DH Private Components : R,E - DH Public Components : R,E AcDeriveKey() Derive a key Successf API call Key, Derive Key CO ul paramete Invocation (TLS 1.2) - TLS Invocatio rs Success or Derive Key Session Key: n (Pass) Invocation (TLS 1.3) G,W Failure Derive Key - PBKDF2 (PBKDF) DPK: G,W - AES Key : G,W - TLS RSA Premaster Secret: G,W - TLS Master (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions Secret: G,W - TLS Integrity Key: G,W - PBKDF2 Password: G,W - TLS Extended Master Secret: G,W AcReleaseHandle() Zeroize Keys Successf API call Invocation None CO ul paramete Success or - AES Key : Invocatio rs Invocation Z n (Pass) Failure - AES GCM Key: Z - AES GCM IV: Z - AES CCM Key: Z - AES-XTS Testing Revision 2.0 Key: Z - AES CMAC Key: Z - AES GMAC Key: Z - HMAC Key: Z - Key Encryption Key (KEK): Z - PBKDF2 DPK: Z - PBKDF2 Password: Z - RSA Private Key: Z - ECDSA Private Key: Z - ECDH Private Components :Z - TLS RSA Premaster Secret: Z - TLS Master (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions Secret: Z - TLS Session Key: Z - TLS Integrity Key: Z - DRBG Entropy: Z - DRBG Seed: Z - DRBG ‘C’ Value: Z - DRBG ‘V’ Value : Z - RSA Public Key: Z - ECDSA Public Key: Z - ECDH Public Components :Z - TLS Extended Master Secret: Z AcAceLibraryStatus() Query Successf API call Invocation None CO whether ul paramete Success or library is in Invocatio rs Invocation the soft error n (Pass) Failure state AcKeyedDigest() Message Successf API call Invocation Message CO authenticatio ul paramete Success or Digest - HMAC Key: n Invocatio rs Invocation Message R,E n (Pass) Failure Authenticati - AES CMAC on Key: R,E - AES GMAC Key: R,E AcDigestSize() Message Successf API call Invocation None CO authenticatio ul paramete Success or n digest size Invocatio rs Invocation n (Pass) Failure AcEncrypt() Encrypt Successf API call Ciphertext, Message CO plaintext ul paramete Invocation Authenticati - AES Key : Invocatio rs Success or on R,E n (Pass) Invocation Symmetric - AES GCM Failure Cipher Key: R,E - AES GCM IV: R,E (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions - AES CCM Key: R,E - AES-XTS Testing Revision 2.0 Key: R,E - AES CMAC Key: R,E - AES GMAC Key: R,E AcEncryptBlockSize() Return size Successf API call Invocation None CO of ciphertext ul paramete Success or Invocatio rs Invocation n (Pass) Failure AcSetOperationParameter Sets/Configur Successf API call Invocation None CO () es non- ul paramete Success or security Invocatio rs Invocation relevant n (Pass) Failure operational parameters AcGetVendorImplementati Returns the Successf API call Invocation None CO on() Module’s ul paramete Success or Algorithm Invocatio rs Invocation capabilities n (Pass) Failure AcAESFpeEncrypt( ) Encrypt Successf API call Ciphertext, Symmetric CO plaintext ul paramete Invocation Cipher - AES Key : Invocatio rs Success or R,E n (Pass) Invocation Failure AsGetCryptoDataPtr() Get Data Successf API call Data Pointer, None CO Pointer ul paramete Invocation Invocatio rs Success or n (Pass) Invocation Failure AcGetAceError() Get Error Successf API call Error None CO Message ul paramete Message, Invocatio rs Invocation n (Pass) Success or Invocation Failure AcGatherSystemNoise() Gather Successf API call Entropy None CO Entropy Input ul paramete Input, - DRBG Invocatio rs Invocation Entropy: n (Pass) Success or G,W,E Invocation - DRBG ‘V’ Failure Value : G,W,E - DRBG ‘C’ Value: G,W,E (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Indicato Inputs Outputs Security SSP Access r Functions AcGetPersonalizationData Get DRBG Successf API call Personalizati None CO () Personalizati ul paramete on Data, - DRBG on Data Invocatio rs Invocation Personalizati n (Pass) Success or on String: R Invocation - DRBG Failure Seed: G,W,E AcEncryptClone() Duplicate an Successf API call Encrypt None CO Encrypt ul paramete Operation, Operation Invocatio rs Invocation n (Pass) Success or Invocation Failure Table 24: Approved Services
The module does not support the external loading of software or firmware.
The module, which is made up of a single component, is provided in the form of binary executable code (Acelib.so for Linux and AceDll.dll for Windows). A software integrity test is performed on the runtime image of the module. The HMAC-SHA2-256 (Cert. #A3332) implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited. (the module is not operational)
The software integrity test is performed as part of the Pre-Operational self-tests. It is automatically executed at power-on. It can also be invoked by powering-off and reloading the module, or using the AcRunSelfTest() service.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module operates in a modifiable operational environment as described by the FIPS 140-3 definition. The operating systems on which the module was tested run user processes in logically separate process spaces. When (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
the module is present in memory, the operating system protects the module’s memory space from unauthorized access. The module functions entirely within the process space of the calling application.
The physical security requirements of FIPS 140-3 do not apply to software modules.
The module does not implement non-invasive attack mitigations.
Storage Description Persistence Area Type Name RAM Random Access Memory Dynamic Table 25: Storage Areas The module does not persistently store SSPs.
Name From To Format Distribution Entry SFI or Type Type Type Algorithm Input Calling Process Call stack (API) input Plaintext Manual Electronic parameters Output Call stack (API) output Calling Process Plaintext Manual Electronic parameters Table 26: SSP Input-Output Methods Note: To prevent the inadvertent output of sensitive information, two independent internal actions shall be required in order to output any plaintext CSP.
Zeroization Description Rationale Operator Initiation Method Unload Unload module from SSPs no longer present in memory Operator unloads module Module memory after unload API Call API zeroize instruction SSPs no longer present in memory AcDeInit() after API call AcReleaseHandle() Remove Power removed from SSPs no longer present in memory Operator powers off GPC Power host GPC after GPC power loss Table 27: SSP Zeroization Methods SSPs are implicitly zeroized when unloading the module or removing power, and explicitly zeroized when using AcDeInit() and AcReleaseHandle() where SSPs are overwritten with zeros. (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Size - Type - Generated Established Used By Strength Category By By AES Key AES-ECB, 128, 192, Symmetric - Symmetric AES-CBC, 256 bits - CSP Generate Cipher AES-CFB1, 128, 192, Symmetric AES-CFB8, 256 bits Keys AES-CFB128, AES-CTR, AES-OFB, AES-FF1 AES GCM Key AES-GCM 128, 192, Symmetric - Symmetric
256 bits - CSP Generate Cipher
AES GCM IV AES-GCM 96 bits - Initialization DRBG Symmetric
96 bits Vector - CSP Cipher
AES CCM Key AES-CCM 128, 192, Symmetric - Symmetric
256 bits - CSP Generate Cipher
AES-XTS AES-XTS 128, 256 Symmetric - Symmetric Testing Testing bits - 128, CSP Generate Cipher Revision 2.0 Revision 2.0 256 bits Symmetric Key Keys AES CMAC AES-CMAC 128, 192, Message Message Key 256 bits - Authentication - Generate Authentication 128, 192, CSP Symmetric
AES GMAC AES-GMAC 128, 192, Message Message Key 256 bits - Authentication - Generate Authentication 128, 192, CSP Symmetric
HMAC Key HMAC-SHA-1, 160, 224, Message Message Message HMAC-SHA2- 256, 384, Authentication - Authentication Authentication 224, HMAC- 512 bits - CSP SHA2-256, 160, 224, HMAC-SHA2- 256, 384, 384, HMAC- 512 bits SHA2-512, HMAC-SHA3224, HMACSHA3-256, HMAC-SHA3384, HMACSHA3-512 Key Encryption AES-KW, 128, 192, Symmetric Key Generate Key Wrapping Key (KEK) AES-KWP 256 bits - Wrapping Symmetric 128, 192, (KTS) - CSP Keys
PBKDF2 DPK PBKDF 112 bits - Data Protection Derive Key Derive Key
112 bits Key - CSP (PBKDF) (PBKDF)
(Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Size - Type - Generated Established Used By Strength Category By By PBKDF2 PBKDF Greater Password - Derive Key Password Password than or CSP (PBKDF) equal to
data Greater than or equal to
data RSA Private RSA (186-4) 2048, Asymmetric Generate Generate Key 3072, Private Key - Asymmetric Digital
4096 bits CSP Keys Signature
- 112, 128, 150 bits ECDSA Private ECDSA (186- P-224, P- Asymmetric Generate Generate Key 4) 256, P- Private Key - Asymmetric Digital 384, P- CSP Keys Signature
ECDH Private KAS-ECC- P-224, P- Asymmetric Generate Shared Secret Components SSC (NIST 256, P- Private Key - Asymmetric Computation SP 800- 384, P- CSP Keys (KAS-ECC56Ar3) 521 - 112, SSC) 128, 192,
TLS RSA Used to derive 384 bits - Premaster Derive Key Premaster the master 384 bits Secret - CSP (TLS 1.2) Secret secret TLS Master Used to 384 bits - Master Secret - Derive Key Derive Key Secret generate the 384 bits CSP (TLS 1.2) (TLS 1.2) session keys Derive Key Derive Key (TLS 1.3) (TLS 1.3) TLS Session Used for data 128 or Session Key - Derive Key Derive Key Key encryption 256 bits - CSP (TLS 1.2) (TLS 1.2)
128 or Derive Key Derive Key
256 bits (TLS 1.3) (TLS 1.3)
TLS Integrity Used for data 160 bits - Integrity Key - Derive Key Derive Key Key integrity and 160 bits CSP (TLS 1.2) (TLS 1.2) authenticity Derive Key Derive Key (TLS 1.3) (TLS 1.3) DRBG Entropy NIST SP 800- 256 bits - Entropy Input - DRBG 90A DRBG 256 bits CSP Entropy Input DRBG Seed NIST SP 800- 440-888 Seed - CSP DRBG 90A DRBG bits - 440Seed 888 bits (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Description Size - Type - Generated Established Used By Strength Category By By DRBG ‘C’ NIST SP 800- 440-888 Internal State DRBG DRBG Value 90A DRBG ‘C’ bits - 440- Value - CSP Value (IG D.L) 888 bits DRBG ‘V’ NIST SP 800- 440-888 Internal State DRBG DRBG Value 90A DRBG ‘V’ bits - 440- Value - CSP Value (IG D.L) 888 bits RSA Public RSA Public 2048, Asymmetric Generate Verify Digital Key Key 3072, Public Key - Asymmetric Signature
- 112, 128, 150 bits ECDSA Public ECDSA Public P-224, P- Asymmetric Generate Verify Digital Key Key 256, P- Public Key - Asymmetric Signature 384, P- PSP Keys
ECDH Public ECDH Public P-224, P- Key Agreement Generate Shared Secret Components Components 256, P- Components - Asymmetric Computation 384, P- PSP Keys (KAS-ECC-
521 - 112, SSC)
TLS Extended Binds the 384-bits - Extended Derive Key Derive Key Master Secret master secret 384-bits Master Secret - (TLS 1.2) (TLS 1.2) to a log of the CSP full handshake DH Private Private MODP Asymmetric Generate Shared Secret Components components 2048, Private Key - Asymmetric Computation for KAS-FFC- MODP CSP Keys (KAS-FFCSSC 3072 - SSC)
DH Public Public MODP Asymmetric Generate Shared Secret Components components 2048, Public Key - Asymmetric Computation for KAS-FFC- MODP PSP Keys (KAS-FFCSSC 3072 - SSC)
DRBG Optional input 128 to Personalization DRBG Personalization to the DRBG 256 bits - String - Neither String instantiate 128 to function 256 bits Table 28: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES Key Input RAM:Plaintext In volatile Unload memory until Module zeroized API Call (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Input - Storage Storage Zeroization Related SSPs Output Duration Remove Power AES GCM Key Input RAM:Plaintext In volatile Unload AES GCM IV:Used With memory until Module zeroized API Call Remove Power AES GCM IV Output RAM:Plaintext In volatile Unload AES GCM Key:Used With memory until Module zeroized API Call Remove Power AES CCM Key Input RAM:Plaintext In volatile Unload memory until Module zeroized API Call Remove Power AES-XTS Testing Input RAM:Plaintext In volatile Unload Revision 2.0 Key memory until Module zeroized API Call Remove Power AES CMAC Key Input RAM:Plaintext In volatile Unload memory until Module zeroized API Call Remove Power AES GMAC Key Input RAM:Plaintext In volatile Unload memory until Module zeroized API Call Remove Power HMAC Key Input RAM:Plaintext In volatile Unload memory until Module zeroized API Call Remove Power Key Encryption Key Input RAM:Plaintext In volatile Unload (KEK) Output memory until Module zeroized API Call Remove Power PBKDF2 DPK Output RAM:Plaintext In volatile Unload PBKDF2 memory until Module Password:Derived From zeroized API Call Remove Power PBKDF2 Password Input RAM:Plaintext In volatile Unload PBKDF2 DPK:Used With memory until Module zeroized Remove Power (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Input - Storage Storage Zeroization Related SSPs Output Duration RSA Private Key Input RAM:Plaintext In volatile Unload RSA Public Key:Paired Output memory until Module With zeroized API Call Remove Power ECDSA Private Key Input RAM:Plaintext In volatile Unload ECDSA Public Key:Paired Output memory until Module With zeroized API Call Remove Power ECDH Private Input RAM:Plaintext In volatile Unload ECDH Public Components Output memory until Module Components:Paired With zeroized API Call Remove Power TLS RSA Premaster RAM:Plaintext In volatile Unload Secret memory until Module zeroized API Call Remove Power TLS Master Secret RAM:Plaintext In volatile Unload TLS RSA Premaster memory until Module Secret:Derived From zeroized API Call Remove Power TLS Session Key RAM:Plaintext In volatile Unload TLS Master memory until Module Secret:Derived From zeroized API Call Remove Power TLS Integrity Key RAM:Plaintext In volatile Unload TLS Master memory until Module Secret:Derived From zeroized API Call Remove Power DRBG Entropy Input RAM:Plaintext In volatile Unload DRBG Seed:Used With memory until Module zeroized API Call Remove Power DRBG Seed RAM:Plaintext In volatile Unload DRBG Entropy:Derived memory until Module From zeroized Remove Power DRBG ‘C’ Value RAM:Plaintext In volatile Unload DRBG Seed:Derived From memory until Module zeroized API Call Remove Power (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Name Input - Storage Storage Zeroization Related SSPs Output Duration DRBG ‘V’ Value RAM:Plaintext In volatile Unload DRBG Seed:Derived From memory until Module zeroized API Call Remove Power RSA Public Key Input RAM:Plaintext In volatile Unload RSA Private Key:Paired Output memory until Module With zeroized API Call Remove Power ECDSA Public Key Input RAM:Plaintext In volatile Unload ECDSA Private Output memory until Module Key:Paired With zeroized API Call Remove Power ECDH Public Input RAM:Plaintext In volatile Unload ECDH Private Components Output memory until Module Components:Paired With zeroized API Call Remove Power TLS Extended Master RAM:Plaintext In volatile Unload TLS RSA Premaster Secret memory until Module Secret:Derived From zeroized API Call Remove Power DH Private Input RAM:Plaintext In volatile Unload Components Output memory until Module zeroized API Call Remove Power DH Public Input RAM:Plaintext In volatile Unload Components Output memory until Module zeroized API Call Remove Power DRBG Input RAM:Plaintext In volatile Unload Personalization memory until Module String zeroized API Call Remove Power Table 29: SSP Table 2
Algorithm or Test Test Method Test Type Indicator Details Test Properties HMAC-SHA2-256 HMAC-SHA2- Software SW/FW Pass Keyed hash performed on (A3332) 256 Integrity Test Integrity Acelib.so or AceDll.dll (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Table 30: Pre-Operational Self-Tests The module performs the pre-operational software integrity test automatically upon every instantiation. (A CAST for HMAC-SHA2-256 executes prior to the software integrity test.)
Algorithm Test Test Method Test Indicator Details Conditions or Test Properties Type AES-CBC 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-CBC 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-CCM 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-CCM 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-CFB1 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-CFB1 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES- 128, 192, 256 KAT CAST Pass Encrypt Power-On CFB128 bit Key (A3332) AES- 128, 192, 256 KAT CAST Pass Decrypt Power-On CFB128 bit Key (A3332) AES-CFB8 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-CFB8 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-CMAC 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-CMAC 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-CTR 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-CTR 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-ECB 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-ECB 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-FF1 128 bit Key KAT CAST Pass Encrypt Power-On (A3332) AES-GCM 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-GCM 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key AES-OFB 128, 192, 256 KAT CAST Pass Encrypt Power-On (A3332) bit Key AES-OFB 128, 192, 256 KAT CAST Pass Decrypt Power-On (A3332) bit Key (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm Test Test Method Test Indicator Details Conditions or Test Properties Type AES-XTS 128, 256 bit KAT CAST Pass Encrypt Power-On Testing Key Revision 2.0 (A3332) AES-XTS 128, 256 bit KAT CAST Pass Decrypt Power-On Testing Key Revision 2.0 (A3332) ECDSA P-384 Curve KAT CAST Pass Sign Power-On SigGen (FIPS186-4) (A3332) ECDSA P-384 Curve KAT CAST Pass Verify Power-On SigVer (FIPS186-4) (A3332) Hash DRBG SHA2-256, KAT CAST Pass Hash_DRBG
11.3 Health random data is generated 4.
Tests) Reseed: When the reseed counter has reached its predetermined maximum value and the DRBG needs to be reseeded HMAC- 160 bit Hash KAT CAST Pass Keyed Hash Power-On SHA-1 (A3332) HMAC- 224 bit Hash KAT CAST Pass Keyed Hash Power-On SHA2-224 (A3332) HMAC- 256 bit Hash KAT CAST Pass Keyed Hash Power-On SHA2-256 (A3332) HMAC- 384 bit Hash KAT CAST Pass Keyed Hash Power-On SHA2-384 (A3332) HMAC- 512 bit Hash KAT CAST Pass Keyed Hash Power-On SHA2-512 (A3332) HMAC- 224 bit Hash KAT CAST Pass Keyed Hash Power-On SHA3-224 (A3332) HMAC- 256 bit Hash KAT CAST Pass Keyed Hash Power-On SHA3-256 (A3332) HMAC- 384 bit Hash KAT CAST Pass Keyed Hash Power-On SHA3-384 (A3332) (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm Test Test Method Test Indicator Details Conditions or Test Properties Type HMAC- 512 bit Hash KAT CAST Pass Keyed Hash Power-On SHA3-512 (A3332) KAS-ECC- P-384 Curve KAT CAST Pass Primitive "Z" Power-On SSC Sp80056Ar3 (A3332) KAS-FFC- MODP-2048, KAT CAST Pass Primitive "Z" Power-On SSC Sp800- MODP-3072 56Ar3 (A3332) KDA HKDF SHA2-256 KAT CAST Pass Hash Power-On Sp80056Cr1 (A3332) KDF SSH AES-128, KAT CAST Pass Hash Power-On (A3332) AES-192, AES-256, SHA2-256 PBKDF 160 bit Keyed KAT CAST Pass Keyed Hash Power-On (A3332) Hash RSA 2048 bit Key KAT CAST Pass Sign Power-On SigGen (FIPS186-4) (A3332) RSA SigVer 2048 bit Key KAT CAST Pass Verify Power-On (FIPS186-4) (A3332) SHA-1 160 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA2-224 224 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA2-256 256 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA2-384 384 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA2-512 512 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA3-224 224 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA3-256 256 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA3-384 384 bit Hash KAT CAST Pass Hash Power-On (A3332) SHA3-512 512 bit Hash KAT CAST Pass Hash Power-On (A3332) TLS v1.2 SHA2-256 KAT CAST Pass Hash Power-On KDF RFC7627 (A3332) (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm Test Test Method Test Indicator Details Conditions or Test Properties Type TLS v1.3 SHA2-256 KAT CAST Pass Hash Power-On KDF (A3332) AES-XTS 128, 256 bit Key_1 ≠ CAST Pass Check Conditional upon first use of Testing key Key_2 (IG AES-XTS Revision 2.0 C.I) (A3332) KAS-ECC- P-224, P-256, Public Key CAST Pass Check Conditional upon ECDSA SSC Sp800- P-384, P-521 Assurance KeyPair Generation 56Ar3 Test (A3332) ECDSA P-384 Pairwise PCT Pass Sign & Verify Conditional upon ECDSA KeyGen Consistency KeyPair Generation (FIPS186-4) Test (A3332) RSA 2048 bit key Pairwise PCT Pass Sign & Verify Conditional upon RSA KeyGen Consistency KeyPair Generation (FIPS186-4) Test (A3332) Table 31: Conditional Self-Tests Conditional CASTs are performed automatically upon every instantiation. The pairwise consistency tests are performed on the condition that an asymmetric keypair is requested, and the AES-XTS key validation test is performed prior to using the keys, per IG C.I. The DRBG health tests required by NIST SP 800-90A, Section 11.3 (instantiate, generate, reseed) execute upon instantiation of the module and also upon the following conditions:
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Software Integrity SW/FW Integrity On Demand Reload Module or (A3332) Test AcRunSelfTest() Table 32: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CBC (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CCM (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CCM (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CFB1 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm or Test Test Method Test Type Period Periodic Method AES-CFB1 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CFB128 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() AES-CFB128 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() AES-CFB8 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CFB8 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CMAC KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() AES-CMAC KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() AES-CTR (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-CTR (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-ECB (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-ECB (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-FF1 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-GCM (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-GCM (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-OFB (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-OFB (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() AES-XTS Testing KAT CAST On Demand Reload Module or Revision 2.0 AcRunSelfTest() (A3332) AES-XTS Testing KAT CAST On Demand Reload Module or Revision 2.0 AcRunSelfTest() (A3332) ECDSA SigGen KAT CAST On Demand Reload Module or (FIPS186-4) AcRunSelfTest() (A3332) ECDSA SigVer KAT CAST On Demand Reload Module or (FIPS186-4) AcRunSelfTest() (A3332) Hash DRBG KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA-1 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA2-224 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA2-256 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-384 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA2-512 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA3-224 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA3-256 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA3-384 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() HMAC-SHA3-512 KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() KAS-ECC-SSC KAT CAST On Demand Reload Module or Sp800-56Ar3 AcRunSelfTest() (A3332) KAS-FFC-SSC KAT CAST On Demand Reload Module or Sp800-56Ar3 AcRunSelfTest() (A3332) KDA HKDF Sp800- KAT CAST On Demand Reload Module or 56Cr1 (A3332) AcRunSelfTest() KDF SSH (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() PBKDF (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() RSA SigGen KAT CAST On Demand Reload Module or (FIPS186-4) AcRunSelfTest() (A3332) RSA SigVer KAT CAST On Demand Reload Module or (FIPS186-4) AcRunSelfTest() (A3332) SHA-1 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA2-224 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA2-256 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA2-384 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA2-512 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA3-224 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA3-256 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA3-384 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() SHA3-512 (A3332) KAT CAST On Demand Reload Module or AcRunSelfTest() TLS v1.2 KDF KAT CAST On Demand Reload Module or RFC7627 (A3332) AcRunSelfTest() TLS v1.3 KDF KAT CAST On Demand Reload Module or (A3332) AcRunSelfTest() (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
Algorithm or Test Test Method Test Type Period Periodic Method AES-XTS Testing Key_1 ≠ Key_2 (IG CAST N/A N/A Revision 2.0 C.I) (A3332) KAS-ECC-SSC Public Key CAST N/A N/A Sp800-56Ar3 Assurance Test (A3332) ECDSA KeyGen Pairwise PCT N/A N/A (FIPS186-4) Consistency Test (A3332) RSA KeyGen Pairwise PCT N/A N/A (FIPS186-4) Consistency Test (A3332) Table 33: Conditional Periodic Information The pre-operational software integrity test and all conditional CASTs can be executed on-demand by calling the AcRunSelfTest() service.
Name Description Conditions Recovery Method Indicator Hard Error Non-recoverable Result of pre-operational self-test Reload module / Fail State error state failure Reinstall module Result of CAST failure Soft Error Recoverable error Result of RSA pairwise Automatic Fail State state consistency test failure Result of ECDSA pairwise consistency test failure Result of Key_1 ≠ Key_2 for AESXTS Table 34: Error States The module implements two error states. A hard error state, whereby recovery may be attempted by restarting or reinstalling the module, and a software error state whereby conditional self-test failures such as the pairwise tests and the AES-XTS key validation test may be recovered. Self-tests in the module return an indication of whether the invocation passed or failed. If any self-test fails, the module’s data output interfaces will be inhibited, and only control input and status output commands will be allowed to execute. To correct an on-demand or conditional self-test error, the module must be restarted by calling the AllegroTaskInit() service after the module has been de-initialized. To correct a preoperational self-test error, the module must be reloaded into memory by terminating and restarting the host application. If the pre-operational self-test fails after restarting the host application, it will be necessary to re-install the module.
The pre-operational software integrity test and all conditional CASTs can be executed by the operator using the API call AcRunSelfTest().
(Allegro Software Development Corporation. © 2024) Version 1.0 Public Material
When built and executed, the module automatically operates in the approved mode. (Additional guidance is provided in Section 11.2.)
Initial setup for the module consists of:
2 of this security policy, by consulting the build instructions provided in Chapter 5 of the ACE™ Allegro
Cryptography Engine Programming Reference, Version 6.50, included on the DVD. During normal operation, the operator may check the status of the module by attempting to run a service. If the service executes and does not return an error, the module is operating in the approved mode.
The module supports the role of Crypto Officer only, which is an administrative role.
The module may be sanitized by uninstalling the binary and power-cycling the host GPC.
The operator shall adhere to the guidelines of this Security Policy. Operators in the Crypto Officer role are able to use the approved services listed in this security policy. The operator is responsible for monitoring the module for any irregular activity.
The module does not attempt to mitigate specific attacks. (Allegro Software Development Corporation. © 2024) Version 1.0 Public Material