| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 2/18/2027 |
| Entropy | ENT (NP) |
| Caveat | Interim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Dell Australia Pty Limited, BSAFE Product Team |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Dell BSAFE™ Crypto Module for C
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status<br/>Self-test<br/>Self-test Error</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Dell BSAFE™ Crypto Module for C
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status<br/>Self-test<br/>Self-test Error</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;13.02.25 Dell Australia Pty Limited, BSAFE Product Team Dell BSAFE™ Crypto Module for C Module Version 3.0.1 FIPS 140-3 Security Policy Document Version 1.13
for C, version 3.0.1 (BSAFE Crypto Module) from Dell Australia Pty Limited, BSAFE Product Team. This document may be freely reproduced and distributed whole and intact including the Contents:
Preface With the exception of the non-proprietary Dell BSAFE™ Crypto Module for C Security Policy document, the overall FIPS 140-3 Security Level 1 validation submission documentation is proprietary to Dell Australia Pty Limited and is releasable only under appropriate non-disclosure agreements. For access to the documentation, contact Dell Support. This security policy describes how the BSAFE Crypto Module meets the Security Level 1 requirements for all aspects of FIPS 140-3, and how to securely operate it. Federal Information Processing Standards Publication 140-3 - Security Requirements for Cryptographic Modules (FIPS 140-3) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the NIST website. This document deals only with operations and capabilities of the BSAFE Crypto Module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information about BSAFE Crypto Module and the entire BSAFE product line is available from Dell Support. Terminology In this document, the term BSAFE Crypto Module denotes the BSAFE Crypto Module for C, version 3.0.1, FIPS 140-3 validated Cryptographic Module for Overall Security Level 1 for the C language. The BSAFE Crypto Module for C is also referred to as:
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services, and Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security1 | N/A |
| 8 | 8 | Non-invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-Tests | 1 |
| 11 | 11 | Life-cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | 1 |
BSAFE Crypto Module is validated with an overall FIPS 140-3 Security Level 1. Security levels for individual areas are shown in the following table: Table 1 N/A N/A Security Levels 1The module relies on the physical security provided by the host on which it runs.
BSAFE Crypto Module is a software module intended to be used as part of a software system, providing cryptographic services to that system. The module is provided in the following formats:
The module is identified as Dell BSAFE™ Crypto Module for C, version 3.0.1. The constituents of the module are platform-specific:
BSAFE Crypto Module is classified as a multi-chip standalone software cryptographic module for the purposes of FIPS 140-3. As such, it is tested on specific operating systems and computer platforms. The cryptographic boundary includes the module running on selected platforms running selected operating systems. The module is packaged as a library containing the module’s entire executable code. The module relies on the physical security provided by the host computer in which it runs. The tested operational environment physical perimeter of the module is the case of the general-purpose computer, which encloses the hardware running the module. The physical interfaces for the module are the physical interfaces of the computer running the module, such as the keyboard, monitor, and network interface. The cryptographic module boundary is the library. This is a shared library for most platforms, dynamically loaded by the application. For some, it is a static library linked directly into the final application. The underlying logical interface to the module is the API, documented in the Dell BSAFE™ Crypto Module for C Developers Guide. The module provides Control Input through the API calls. Data Input and Output are provided in the variables passed with the API calls. Status Output is provided through the return status codes documented for each call. This is illustrated in Figure 1 Cryptographic boundary.
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Gold 5218 | Yes | 1 |
| 2 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Gold 5218 | No | 2 |
| 3 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Gold 6240L | Yes | 3 |
| 4 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Gold 6240L | No | 4 |
| 5 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Gold 6254 | Yes | 5 |
| 6 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Gold 6254 | No | 6 |
| 7 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Platinum 8280L | Yes | 7 |
| 8 | Dell PowerMaxOS 10 | PowerMax storage array compute node | Intel Xeon Platinum 8280L | No | 8 |
| 9 | Microsoft Windows 11 | VMware ESXi 7.0.2 on Dell PowerEdge R630 | Intel Xeon E5-2620 v4 | Yes | 9 |
| 10 | Microsoft Windows 11 | VMware ESXi 7.0.2 on Dell PowerEdge R630 | Intel Xeon E5-2620 v4 | No | 10 |
| 11 | Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2019) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 11 |
| 12 | Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2019) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 12 |
| 13 | Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2017) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 13 |
| 14 | Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2017) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 14 |
| 15 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | Yes | 15 |
| 16 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | No | 16 |
| 17 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019) | VMware ESXi 6.7.0 on Dell PowerEdge R7425 | AMD EPYC 7451 | Yes | 17 |
| 18 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019) | VMware ESXi 6.7.0 on Dell PowerEdge R7425 | AMD EPYC 7451 | No | 18 |
| 19 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | Yes | 19 |
| 20 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | No | 20 |
| 21 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017) | VMware ESXi 6.7.0 on Dell PowerEdge R7425 | AMD EPYC 7451 | Yes | 21 |
| 22 | Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017) | VMware ESXi 6.7.0 on Dell PowerEdge R7425 | AMD EPYC 7451 | No | 22 |
| 23 | Red Hat Enterprise Linux 8.5 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 23 |
| 24 | Red Hat Enterprise Linux 8.5 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 24 |
| 25 | Red Hat Enterprise Linux 8.5 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 25 |
| 26 | Red Hat Enterprise Linux 8.5 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 26 |
| 27 | Red Hat Enterprise Linux 7.9 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 27 |
| 28 | Red Hat Enterprise Linux 7.9 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 28 |
| 29 | Red Hat Enterprise Linux 7.9 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 29 |
| 30 | Red Hat Enterprise Linux 7.9 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 30 |
| 31 | SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | Yes | 31 |
| 32 | SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | No | 32 |
| 33 | SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R7425 | AMD EPYC 7451 | Yes | 33 |
| 34 | SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R7425 | AMD EPYC 7451 | No | 34 |
| 35 | SUSE Linux Enterprise Server 15 SP3 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | Yes | 35 |
| 36 | SUSE Linux Enterprise Server 15 SP3 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | No | 36 |
| 37 | SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 37 |
| 38 | SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 38 |
| 39 | SUSE Linux Enterprise Server 12 SP5 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 39 |
| 40 | SUSE Linux Enterprise Server 12 SP5 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 40 |
| 1 | Dell PowerProtect™ Data Domain™ OS 8 | x86_64 (64-bit) | 1 | ||
| 2 | Dell PowerProtect Data Domain OS 7 | x86_64 (64-bit) | 2 | ||
| 3 | Dell OneFS 9.8 | x86_64 (64-bit) | 3 | ||
| 4 | Dell OneFS 9.7 | x86_64 (64-bit) | 4 | ||
| 5 | Dell PowerStoreOS 4 (user) | x86_64 (64-bit) | 5 | ||
| 6 | Dell PowerStoreOS 4 (kernel) | x86_64 (64-bit) | 6 | ||
| 7 | Microsoft Windows 10 IoT Enterprise LTSC | x86_64 (64-bit) | 7 | ||
| 8 | Red Hat Enterprise Linux 9.4 | x86_64 (64-bit) | 8 | ||
| 9 | Red Hat Enterprise Linux 8.5 | x86_64 (64-bit) | 9 | ||
| 10 | SUSE Linux Enterprise Server 15 SP6 | x86_64 (64-bit) | 10 | ||
| 11 | SUSE Linux Enterprise Server 15 SP6 | x86 (32-bit) | 11 | ||
| 12 | SUSE Linux Enterprise Server 15 SP5 | x86_64 (64-bit) | 12 | ||
| 13 | SUSE Linux Enterprise Server 15 SP4 | x86_64 (64-bit) | 13 | ||
| 14 | SUSE Linux Enterprise Server 15 SP3 | x86_64 (64-bit) | 14 |
For FIPS 140-3 validation, the module is tested by an accredited FIPS 140-3 testing laboratory on the following operational environments: # Table 2 Tested Operational Environments
# Table 2 Tested Operational Environments (continued)
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 35 | SUSE Linux Enterprise Server 15 SP3 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | Yes | 35 |
| 36 | SUSE Linux Enterprise Server 15 SP3 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6246 | No | 36 |
| 37 | SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 37 |
| 38 | SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 38 |
| 39 | SUSE Linux Enterprise Server 12 SP5 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | Yes | 39 |
| 40 | SUSE Linux Enterprise Server 12 SP5 x86 (32-bit) | VMware ESXi 6.7.0 on Dell PowerEdge R640 | Intel Xeon Gold 6136 | No | 40 |
| 1 | Dell PowerProtect™ Data Domain™ OS 8 | x86_64 (64-bit) | 1 | ||
| 2 | Dell PowerProtect Data Domain OS 7 | x86_64 (64-bit) | 2 | ||
| 3 | Dell OneFS 9.8 | x86_64 (64-bit) | 3 | ||
| 4 | Dell OneFS 9.7 | x86_64 (64-bit) | 4 | ||
| 5 | Dell PowerStoreOS 4 (user) | x86_64 (64-bit) | 5 | ||
| 6 | Dell PowerStoreOS 4 (kernel) | x86_64 (64-bit) | 6 | ||
| 7 | Microsoft Windows 10 IoT Enterprise LTSC | x86_64 (64-bit) | 7 | ||
| 8 | Red Hat Enterprise Linux 9.4 | x86_64 (64-bit) | 8 | ||
| 9 | Red Hat Enterprise Linux 8.5 | x86_64 (64-bit) | 9 | ||
| 10 | SUSE Linux Enterprise Server 15 SP6 | x86_64 (64-bit) | 10 | ||
| 11 | SUSE Linux Enterprise Server 15 SP6 | x86 (32-bit) | 11 | ||
| 12 | SUSE Linux Enterprise Server 15 SP5 | x86_64 (64-bit) | 12 | ||
| 13 | SUSE Linux Enterprise Server 15 SP4 | x86_64 (64-bit) | 13 | ||
| 14 | SUSE Linux Enterprise Server 15 SP3 | x86_64 (64-bit) | 14 | ||
| 15 | SUSE Linux Enterprise Server 15 SP3 | x86 (32-bit) | 15 | ||
| 16 | SUSE Linux Enterprise Server 15 SP2 | x86_64 (64-bit) | 16 | ||
| 17 | SUSE Linux Enterprise Server 15 SP2 | x86 (32-bit) | 17 |
Table 2 # Tested Operational Environments (continued) Dell BSAFE affirms compliance for the following operational environments: # Table 3 Vendor Affirmed Operational Environments
# Table 3 Vendor Affirmed Operational Environments (continued) Note: When running the module on an affirmed platform, no assurances are made about the minimum strength of generated SSPs, such as keys.
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES SP 800-38A | A2308 | CBC, CBC-CS3, CFB128-bit, CTR, ECB, and OFB | 128, 192, 256-bit key sizes | Symmetric encryption |
| AES SP 800-38C | A2308 | CCM | 128, 192, 256-bit key sizes | Symmetric encryption |
| AES SP 800-38D | A2308 | GCM with automatic IV1 generation and TLS partial IV2 generation. | 128, 192, 256-bit key sizes | Symmetric encryption |
| AES SP 800-38E | A2308 | XTS3 | 128, 256-bit key sizes | Symmetric encryption |
| KTS SP 800-38F | A2308 | AES Key Wrap, and Key Wrap with Padding. | 128, 192, and 256-bit key sizes | Key wrapping |
| DSA FIPS 186-4 | A2308 | Domain parameter generation/validation | 2048 and 3072-bit key sizes | Domain parameter generation/validation |
| DSA FIPS 186-4 | A2308 | Key generation. Signature generation and signature verification with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256. Signature verification with SHA-1. | 2048 and 3072-bit key sizes | Key generation, signature generation, and signature verification |
| ECDSA / FIPS 186-4 | A2308 | Key generation. Key validation. Signature generation and signature verification with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512. | 112 to 256 bits strength | Key generation, key validation, signature generation, and signature verification |
| RSA FIPS 186-2 (for legacy use)4 | A2308 | Signature verification with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512. | 2048 to 4096-bit key size | Signature verification |
| RSA FIPS 186-4 | A2308 | Key generation. Signature generation and signature verification with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256. | 2048 to 4096-bit key size | Key generation, signature generation, and signature verification |
| CVL FIPS 186-4 | A2308 | RSASP15 component | 2048 to 4096-bit key size | Signature generation |
| CVL SP 800-56B Rev. 2 | A2308 | RSADP6 component | 2048 to 4096-bit key size | Asymmetric encryption |
| SP 800-56A Rev. 3 | A2308 | Safe Primes Key generation | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | Key generation |
| SP 800-56A Rev. 3 | A2308 | Safe Primes Key validation | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | Key validation |
| KDF SP 800-132 | A2308 | PBKDF27 | 112 to 256 bits strength | Key derivation |
| KDF SP 800-108 | A2308 | KBKDF8 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | 128 to 256 bits strength | Key derivation |
| CVL SP 800-135 Rev. 1 | A2308 | SSH-KDF9 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-22410, SHA3-25610, SHA3-38410, SHA3-51210 | 128 to 256 bits strength | Key derivation |
| CVL SP 800-135 Rev. 1 RFC 7627 | A2308 | TLS v1.2 PRF with SHA2-256, SHA2-384, SHA2-512 | 128 to 256 bits strength | Key derivation |
| CVL RFC 5246 | A2308 | TLS KDF with SHA2-256, SHA2-384, SHA2-512 | 128 to 256 bits strength | Key derivation |
| CVL RFC 8446 | A2308 | TLS v1.3 PRF with HMAC-SHA2-256, HMAC-SHA2-384 | 128 to 256 bits strength | Key derivation |
| CVL SP 800-135 Rev. 1 | A2308 | X9.63 KDF11 with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-22410, SHA3-25610, SHA3-38410, SHA3-51210 | 128 to 256 bits strength | Key derivation |
| DRBG12 SP 800-90A | A2308 | AES-CTR | 128, 192, 256 bits strength | Random bit generation |
| DRBG SP 800-90A | A2308 | HMAC SHA2-512 | 256 bits strength | Random bit generation |
| SHS FIPS 180-4 | A2308 | SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | 112 to 256 bits strength | Message digesting |
| SHA3 FIPS 202 | A2308 | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE-128, SHAKE-256 | 112 to 256 bits strength | Message digesting |
| HMAC13 FIPS 198-1 | A2308 | HMAC with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | 128 to 256 bits strength | MAC generation |
| AES SP 800-38B | A2308 | CMAC with AES (128, 192, 256) | 128, 192, 256 bits strength | MAC generation |
| AES SP 800-38D | A2308 | GMAC (128, 192, 256) | 128, 192, 256 bits strength | MAC generation |
| KAS-ECC-SSC SP 800-56A Rev. 3 | A2308 | Schemes: Ephemeral Unified Model, One-Pass Diffie-Hellman Model Static Unified Model Curves: P-224, P-256, P-384, P-521, K-233, K-283, K-409, K-571, B-233, B-283, B-409, B-571 | 112 to 256 bits strength | Shared Secret Generation |
| KAS-FFC-SSC SP 800-56A Rev. 3 | A2308 | Schemes: Diffie-Hellman Ephemeral Only, Diffie-Hellman One Flow Diffie-Hellman Static Domain Parameter Generation methods: MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 | 2048 to 8192-bit key size | Shared Secret Generation |
| KAS-IFC-SSC SP 800-56B Rev. 2 | A2308 | Scheme: KAS1 Key Generation methods: An RSA key pair with a private key in the basic format, with a random public exponent. | 2048 to 8192-bit key size | Shared Secret Generation |
| KDA SP 800-56C Rev. 1 | A2308 | HKDF14 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | 128 to 256 bits key strength | Key Derivation |
| KDA SP 800-56C Rev. 1 | A2308 | One-Step KDF with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | 128 to 256 bits strength | Key Derivation |
| CKG of symmetric keys/ SP 800-133 Rev. 2 | VA15 | Direct output of approved DRBG used to generate 128, 192, or 256 bit AES keys. FIPS 140-3 Implementation Guidance, IG D.H. | 128-256 bits strength | Key Generation |
| CKG of asymmetric keys/ SP 800-133 Rev. 2 | VA | Direct output of approved DRBG used to generate prime number seeds and private key values. FIPS 140-3 Implementation Guidance, IG D.H. | 128-256 bits strength | Key Generation |
| AES in CFB in 64-bit mode | Symmetric encryption | |||
| DES31 (three key) in CBC, CFB, ECB and OFB modes | Symmetric encryption | |||
| MD5 | Message Digesting | |||
| RSA-PKCS #1 | Key Encapsulation | |||
| TLS v1.0/1.1 PRF | Key Derivation |
The following table lists the BSAFE Crypto Module Approved algorithms, with the appropriate standards and CAVP validation certificate numbers: Table 4 Approved Algorithms
Table 4 Approved Algorithms (continued)
Table 4 Approved Algorithms (continued)
Table 4 Approved Algorithms (continued)
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| CKG of asymmetric keys/ SP 800-133 Rev. 2 | VA | Direct output of approved DRBG used to generate prime number seeds and private key values. FIPS 140-3 Implementation Guidance, IG D.H. | 128-256 bits strength | Key Generation |
| AES in CFB in 64-bit mode | Symmetric encryption | |||
| DES31 (three key) in CBC, CFB, ECB and OFB modes | Symmetric encryption | |||
| MD5 | Message Digesting | |||
| RSA-PKCS #1 | Key Encapsulation | |||
| TLS v1.0/1.1 PRF | Key Derivation |
Table 4 Approved Algorithms (continued) 1Initialization Vector (IV). 2The TLSv1.2 protocol uses the fragment number as part of the IV. The module generates the remaining IV value using internally managed counter initialized at module load to ensure a probability of 2-32 or less, of reusing the same key and IV together. When using a partial IV, the module limits the use of a key and IV pair to 264 - 1 bytes. 3AES in XTS mode is approved only for hardware storage applications. The two keys concatenated to create the single double-length key must be checked to ensure they are different. 4Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. 5RSA signature primitive 1 (RSASP1). RSA decryption primitive (RSADP). RSADP shall only be used within the context of an SP800-56B rev 2 Key Transport Scheme (KTS). 7Password-based key derivation function 2 (PBKDF2). As defined in SP 800-132, PBKDF2 can be used in the Approved Mode of Operation when used with Approved symmetric key and message digest algorithms. For more information, see Crypto Officer Guidance. Key-based KDF (KBKDF), using pseudo-random functions HMAC-based Feedback Mode. As defined by the HKDF expand step. 9Secure Shell key derivation function (SSH-KDF). SHA3 options for SSH-KDF and X9.63 KDF are vendor affirmed since CAVP testing was not available at the time of module submission. 11ANSI X9.63 KDF. 12Deterministic Random Bit Generator (DRBG). 13Hash-based Message Authentication Code (HMAC). HMAC-based Extract-and-Expand KDF (HKDF). Vendor-affirmed algorithms. The following table lists the BSAFE Crypto Module Non-Approved algorithms, not allowed Table 5 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation 1Triple Data Encryption Standard.
Note: BSAFE Crypto Module does not support any non-approved but allowed algorithms nor non-approved but allowed algorithms with no security claimed.
BSAFE Crypto Module is validated with an overall Security Level 1 for FIPS 140-3, with Security Level 1 for each individual area. See Table 1, Security Levels for additional details.
The module can operate in Approved mode or Non-Approved mode. The mode selected affects which algorithms are available for use. The following section details the algorithms available in each mode:
The module operator must provide a definition of the configuration function BCM_get_config(BCM_CONFIG *config) that is called by the module during startup. The Module mode is set in the operator's function by assigning a value to config->mode. To start the module in the Approved mode of operation, the operator's configuration function should assign the value BCM_MODE_FIPS to the mode member of the configuration structure: BCM_STATUS BCM_get_config(BCM_CONFIG *config) { // Start the module in the Approved mode of operation config->mode = BCM_MODE_FIPS; // ... return BCM_OK; }
To start the module in the Non-Approved mode of operation, the operator's configuration function must assign the value BCM_MODE_NON_FIPS to the mode member of the configuration structure: BCM_STATUS BCM_get_config(BCM_CONFIG *config) { // Start the module in the Non-Approved mode of operation config->mode = BCM_MODE_NON_FIPS; // ... return BCM_OK; } Note: The default value of the mode member is set to BCM_MODE_FIPS. Therefore, if the operator's configuration function does not set the mode, the module starts in the Approved mode of operation. Once the module is initialized and the pre-operational self-tests (POST) have completed successfully, the overall operating mode of the module can be changed by calling the BCM_module_configure() API.
The module uses an approved mode indicator combined with a return status code from an approved security service to indicate the use of an approved service.
The module initializes itself automatically when it is loaded dynamically, or as part of the user software system, and runs the POST automatically, regardless of the mode of operation at startup. See Cryptographic Module Specification for the module file format for the supported platforms. The cryptographic algorithm self-tests are executed when the specific algorithm is accessed for the first time by the user software system. All the cryptographic algorithm self-tests can be run manually by calling BCM_module_selftest(). The module does not support degraded operation. If any self-test fails, the cryptographic services of the module are disabled for both modes of operation.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data input | Service inputs |
| N/A | N/A | Data output | Service outputs |
| N/A | N/A | Control input | Configuration parameters for the API which sets the mode of operation. BCM_module_configure() |
| N/A | N/A | Status output | Mode of operation indicator, from either the or BCM_ctx_is_fips(), BCM_param_is_fips(), APIs. BCM_key_is_fips() The state of the module, from the API . BCM_module_state() For other API status, refer to the Outputs column of Table 4, Approved Algorithms. |
BSAFE Crypto Module is a software module that provides APIs only as logical interfaces. Physical ports and interfaces are not provided by the module. The module conforms to the FIPS 140-3 Security Level 1 requirements for Cryptographic Module Interfaces and does not support a Trusted Channel Interface.
The following table lists the ports and interfaces, and the data that passes over each: N/A N/A N/A N/A Ports and Interfaces Note: The module does not support a Control Output interface.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|---|
| AES Encryption | CO | Plaintext | Ciphertext, Status | |||||
| AES Decryption | CO | Ciphertext | Plaintext, Status | |||||
| Message Digest | CO | Message | Digest, Status | |||||
| MAC Generation | CO | Secret, Message | MAC, Status | |||||
| MAC Verification | CO | Secret, Message, MAC | Verify Status, Status | |||||
| DRBG Initialization | CO | |||||||
| Random Number Generation | CO | Random Bytes, Status | ||||||
| Key Deletion | CO | |||||||
| Key Derivation | CO | Secret | Key text, Status | |||||
| Key Wrap | CO | Wrapped key text, Status | ||||||
| Key Unwrap | CO | Wrapped key text | Status | |||||
| Key Encapsulation (decrypt) | CO | Encapsulated key text | Status | |||||
| Digital Signature Generation | CO | Message Digest | Signature, Status | |||||
| Digital Signature Verification | CO | Message Digest, Signature | Verify Status, Status | |||||
| Key Agreement | CO | Peer public key text | Shared Secret, Status | |||||
| Key Parameter Generation | CO | Status | ||||||
| Key Parameter Validation | CO | Status | ||||||
| Show Module Version Information | CO | Module Version, Status | ||||||
| Show Status | CO | Module Status | ||||||
| Self-test | CO | Status | ||||||
| AES Encryption | Encrypt with symmetric cipher | CO | AES keys | AES | E | K | ||
| AES Decryption | Decrypt with symmetric cipher | CO | AES keys | AES | E | K | ||
| Message Digest | Digest a message | CO | SHS, SHA3 | C |
BSAFE Crypto Module meets all FIPS 140-3 Security Level 1 requirements for Roles, Services and Authentication, implementing only the Crypto Officer role. As allowed by FIPS 140-3, the module does not support identification or authentication of this role. There is no maintenance role, cryptographic bypass capability, or self-initiated cryptographic output. The module does not allow concurrent operators.
The Crypto Officer role is responsible for installing and loading the module and has access to all services provided by the module. This role is assumed automatically once the module has been loaded and the POST have run successfully. The POST are automatically run when the module is first loaded. They can be run manually at any time by calling BCM_module_selftest().
For each service, the Approved Mode indicator is obtained by checking the service status and the Approved mode of the Context, Key, or Key Parameters. A return status code indicates the service status. For information about individual functions that implement each service, see the Dell BSAFE™ Crypto Module for C Developers Guide.
The following is a list of services available to the single Crypto Officer (CO) role. Table 7 Roles, Service Commands, Input and Output
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|---|
| Key Derivation | CO | Secret | Key text, Status | |||||
| Key Wrap | CO | Wrapped key text, Status | ||||||
| Key Unwrap | CO | Wrapped key text | Status | |||||
| Key Encapsulation (decrypt) | CO | Encapsulated key text | Status | |||||
| Digital Signature Generation | CO | Message Digest | Signature, Status | |||||
| Digital Signature Verification | CO | Message Digest, Signature | Verify Status, Status | |||||
| Key Agreement | CO | Peer public key text | Shared Secret, Status | |||||
| Key Parameter Generation | CO | Status | ||||||
| Key Parameter Validation | CO | Status | ||||||
| Show Module Version Information | CO | Module Version, Status | ||||||
| Show Status | CO | Module Status | ||||||
| Self-test | CO | Status | ||||||
| AES Encryption | Encrypt with symmetric cipher | CO | AES keys | AES | E | K | ||
| AES Decryption | Decrypt with symmetric cipher | CO | AES keys | AES | E | K | ||
| Message Digest | Digest a message | CO | SHS, SHA3 | C | ||||
| MAC Generation | Generate a Message Authentication Code | CO | MAC secret | HMAC, AES (CMAC, GMAC) | W, E, Z | C | ||
| MAC Verification | Verify a Message Authentication Code | CO | MAC secret | HMAC, AES (CMAC, GMAC) | W, E, Z | C | ||
| DRBG Initialization | Prepare for random number or key generation | CO | Entropy State, DRBG entropy input, DRBG seed, CTR DRBG key value, CTR DRBG V value, HMAC DRBG key value, HMAC DRBG V value | DRBG | G | C | ||
| Random Number Generation | Generate a random number | CO | DRBG entropy input, DRBG seed, CTR DRBG key value, CTR DRBG V value, HMAC DRBG key value, HMAC DRBG V value | DRBG | E | C | ||
| Key Deletion | Delete a key from the module | CO | AES keys, RSA keys, DH keys, DSA keys, ECC keys | Z | K | |||
| Key Derivation | Derive key text given input secret | CO | KDF secret Derived key text | KDF (PBKDF2, KBKDF) CVL (SSH-KDF, TLS v1.2 PRF, TLS v1.3 PRF, X9.63 KDF) KDA (HKDF, One-Step) | W, E, Z R, Z | C | ||
| Key Wrap | Encrypt an AES key with an AES key encryption key | CO | AES key (wrapping key) AES key (wrapped key) | KTS | E R | K | ||
| Key Unwrap | Decrypt an AES key with an AES key encryption key | CO | AES key (wrapping key) AES key (unwrapped key) | KTS | E W | K | ||
| Key Encapsulation (decrypt) | Decrypt an AES or RSA key with an RSA key encryption key | CO | RSA key (key encryption key) AES key or RSA key (decrypted key) | CVL (RSADP) | E W | K | ||
| Digital Signature Generation | Sign a message | CO | RSA keys, DSA keys, ECC keys (private keys) | RSA, DSA, ECDSA (signature generation) CVL (RSASP1) | E | K | ||
| Digital Signature Verification | Verify the signature for a message | CO | RSA keys, DSA keys, ECC keys (public key) | RSA, DSA, ECDSA. RSA FIPS 186-2 (for legacy use)2 (signature verification) | E | K | ||
| Key Agreement | Establish a shared secret | CO | DH keys, ECC keys (peer public key) DH keys, ECC keys (peer public key, private key) | KAS-ECC-SSC KAS-FFC-SSC KAS-IFC-SSC | W, Z E | K | ||
| Key Parameter Generation | Generate FFC parameters | CO | DSA parameters | DSA domain parameter generation | G | C | ||
| Key Parameter Validation | Validate FFC parameters | CO | DSA parameters | DSA domain parameter validation | R | P | ||
| Show Module Version Information | Provide module version to user | CO | ||||||
| Show Status | Provide module status to user | CO | ||||||
| Self-test | Run module self-tests on-demand | CO | Integrity test key | HMAC | ||||
| Key Derivation | Derive key text given input secret | CO | TLS v1.0/1.1 PRF | C |
The following is a list of approved services provided by the module: E K E K C Table 8 Approved Services
W, E, Z C W, E, Z C G C E C G P W C R K Z K Table 8 Approved Services (continued)
W, E, Z R, Z C E K R E K W E K W E K E K Table 8 Approved Services (continued)
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Key Agreement | Establish a shared secret | CO | DH keys, ECC keys (peer public key) DH keys, ECC keys (peer public key, private key) | KAS-ECC-SSC KAS-FFC-SSC KAS-IFC-SSC | W, Z E | K |
| Key Parameter Generation | Generate FFC parameters | CO | DSA parameters | DSA domain parameter generation | G | C |
| Key Parameter Validation | Validate FFC parameters | CO | DSA parameters | DSA domain parameter validation | R | P |
| Show Module Version Information | Provide module version to user | CO | ||||
| Show Status | Provide module status to user | CO | ||||
| Self-test | Run module self-tests on-demand | CO | Integrity test key | HMAC | ||
| Key Derivation | Derive key text given input secret | CO | TLS v1.0/1.1 PRF | C | ||
| Key Encapsulation | Encrypt or decrypt a key with an RSA key encryption key | CO | RSA-PKCS #1 | K | ||
| Message Digest | Digest a message | CO | MD5 | C | ||
| Symmetric Decryption | Decrypt with symmetric cipher | CO | AES with CFB 64-bit mode, DES3 with CBC, CFB, ECB and OFB modes | K | ||
| Symmetric Encryption | Encrypt with symmetric cipher | CO | AES with CFB 64-bit mode, DES3 with CBC, CFB, ECB and OFB modes | K |
K W, Z E G C R P Table 8 Approved Services (continued) 1The indicator for the service is one of the following: C: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's context by calling BCM_ctx_is_fips(). For approved services, the FIPS indicator function will return
The following is a list of non-approved services provided by the module: C Table 9 Non-Approved Services
K C K K Table 9 Non-Approved Services 1The indicator for the service is one of the following: C: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's context by calling BCM_ctx_is_fips(). For these non-approved services, the FIPS indicator function will return 0. K: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's key by calling BCM_key_is_fips(). For these non-approved services, the FIPS indicator function will return 0.
The module does not implement authentication. The Crypto Officer role is implicitly assumed once the module is loaded, and cleared on module unload.
This section covers integrity measures to demonstrate protection of the software component of BSAFE Crypto Module, which is the whole of the module.
Depending on the platform, the module is either a shared library, dynamic link library or an object file. When the module file is created, a MAC is calculated over the executable code and static data sections, with the resulting integrity block embedded into the object file. The built-in Integrity Test Key is used as the MAC secret. During the pre-operational software integrity test when the module is loaded, a MAC is again calculated over the executable code and static data. The resulting MAC is compared to the integrity block calculated when the module was created. If the MAC differs, the pre-operational software integrity test fails, the POST fails, the module enters the BCM_MODULE_STATE_INTEGRITY_FAILED state and cannot be used for any cryptographic operation. Any operation attempted will return the BCM_ERROR_FIPS_INTEGRITY_FAILURE error status code. The only way to clear this error condition is to unload the module and load it again. The pre-operational software integrity test uses HMAC-SHA2-256. The Cryptographic Algorithm Self-Test (CAST) for HMAC is run prior to the pre-operational software integrity test. This is done to ensure that the MAC implementation used in the integrity test has been self-tested before it is used in the pre-operational software integrity test.
The module provides the BCM_module_selftest() for on-demand integrity testing.
The module is built as either a single shared library, a dynamic link library or an object file that exports symbols for the operations it supports.
BSAFE Crypto Module is FIPS 140-3 validated to operate in a modifiable environment. The module is provided for operating systems running on a general purpose computer platform based on an Intel or AMD CPU.
Each instance of the module that is loaded within an operating system maintains its own instance of internal SSPs. Any additional SSPs loaded into a given instance of the module are not available to other instances. The supported operating environments provide process isolation, with resource and memory protection. Each instance of the module is isolated from others such that SSPs can be accessed or modified only in the module to which they belong. BSAFE Crypto Module does not spawn additional processes.
For FIPS 140-3 validation, the module is tested by an accredited FIPS 140-3 testing laboratory. For the tested operational environments, refer to Table 2, Tested Operational Environments.
For the vendor affirmed operational environments, refer to Table 3, Vendor Affirmed Operational Environments. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when a specific operational environment that is not listed on the validation certificate, is used.
The module runs on a General Purpose Computer running one of the operational environments listed in Tested Operational Environments and Vendor Affirmed Operational Environments. Each supported operational environment manages its own processes and memory in a logically separated manner. The process management setting is not configurable on the supported operational environments.
BSAFE Crypto Module is classified as a multi-chip standalone cryptographic module. The module is comprised of software only, validated at FIPS 140-3 Security Level 1, and does not claim any physical security.
BSAFE Crypto Module does not implement any non-invasive mitigation techniques.
| Name | Type | Description |
|---|---|---|
| VM | Volatile | Memory in the Operational Environment of the module. |
| Name | Type | From | To | Distribution Type | Entry Type |
|---|---|---|---|---|---|
| App Write | Plaintext | Operator Application in TOEPP1 | VM | Manual | Electronic |
| App Read | Plaintext | VM | Operator Application in TOEPP | Manual | Electronic |
| Method | Description | Rationale | Operator Initiated Capability |
|---|---|---|---|
| Immediate | Temporary SSPs are zeroized immediately after use | Intermediate values are zeroised at the end of a calculation | N/A |
| Implicit | SSPs are zeroized when the cryptographic object is deleted by the module | SSPs are zeroized when the BCM_CTX object is deleted | N/A |
| Explict | SSPs are zeroized when the associated key or cryptographic object is deleted by the application | SSPs are zeroized when the application no longer needs them | API call to delete object |
The following tables list the SSPs present in the module, the relevant standards and details of how they are used and accessed. Table 10 Storage Areas isolates the memory of separate processes Table 11 SSP Input-Output Methods 1The module's Tested Operational Environment's Physical Perimeter. The TOEPP for the BSAFE Crypto Module is the host computer. Sensitive security parameters are input and output using the module APIs. No security function or algorithm is used to transport the data. N/A N/A Table 12 SSP Zeroization Methods BSAFE Crypto Module encapsulates symmetric and asymmetric keys as BCM_KEY objects. For multi-part cryptographic operations, the module defines several object types to encapsulate the intermediate state of the operation.
| Name | Strength | Security Function | Generation | Establishment | Storage | Import Export | Key / SSP Name/ Type | Zeroisation |
|---|---|---|---|---|---|---|---|---|
| Signature generation and verification. Key agreement. | 112 - 150 bits | RSA, KAS-IFC-SSC (A2308) | CKG SP 800-133 Rev. 2. FIPS 186-4 RSA key generation method | N/A | VM | App Write, App Read | RSA keys (public key / PSP; private key / CSP) | Explicit |
| Shared secret generation | 112 - 200 bits | KAS-FFC-SSC (A2308) | CKG SP 800-133 Rev. 2. SP 800-56A Rev. 3 Safe Primes Key Generation method | N/A | VM | App Write, App Read | DH keys (public key / PSP; private key / CSP) | Explicit |
| Key generation (DSA keys), Domain parameter validation | 112 and 128 bits | DSA (A2308) | CKG SP 800-133 Rev. 2. FIPS 186-4 DSA domain parameter generation method | N/A | VM | App Write, App Read | DSA parameters (CSP) | Explicit |
| Signature generation and verification | 112 and 128 bits | DSA (A2308) | CKG SP 800-133 Rev. 2. FIPS 186-4 DSA key generation method | N/A | VM | App Write, App Read | DSA keys (public key / PSP; private key / CSP) | Explicit |
| Signature generation and verification for ECDSA. Shared secret generation for ECDH. | 112 - 256 bits | ECDSA, KAS-ECC-SSC (A2308) | CKG SP 800-133 Rev. 2. FIPS 186-4 method for ECDSA key generation, SP 800-56A Rev. 3 method for ECDH key generation | N/A | VM | App Write, App Read | ECC keys (public key / PSP; private key / CSP) | Explicit |
| Symmetric encryption. Key wrapping. | 128, 192, and 256 bits | AES, KTS (A2308) | CKG, SP 800-133 Rev. 2. Direct output of approved DRBG. | N/A | VM | App Write, App Read | AES keys (CSP) | Explicit |
| MAC generation and verification | 128 - 256 bits | HMAC, AES (CMAC), AES (GMAC) (A2308) | N/A (Application input) | N/A | VM | App Write | MAC secret (CSP) | Immediate |
| Key derivation | 112 - 256 bits | KDF (PBKDF2), KDF (KBKDF), CVL (SSH-KDF), CVL (TLS v1.2 PRF), CVL (TLS v1.3 PRF), CVL (X9.63 KDF), KDA (HKDF), KDA (One-step KDF) (A2308) | N/A (Application input) | N/A | VM | App Write | KDF secret (CSP) | Immediate |
| Key derivation | 112 - 256 bits | KDF (PBKDF2), KDF (KBKDF), CVL (SSH-KDF), CVL (TLS v1.2 PRF), CVL (TLS v1.3 PRF), CVL (X9.63 KDF), KDA (HKDF), KDA (One-step KDF) (A2308) | PBKDF2, KBKDF, SSH-KDF, TLS v1.2 PRF, TLS v1.3 PRF, X9.63 KDF | N/A | VM | App Read | Derived key text (CSP) | Immediate |
| Random bit generation | 128, 192, and 256 bits | DRBG, CKG (A2308) | Obtained from SP 800-90B compliant entropy source | N/A | VM | N/A | CTR DRBG key value (CSP) | Implicit |
| Random bit generation | 128 bits | DRBG, CKG (A2308) | Obtained from SP 800-90B compliant entropy source | N/A | VM | N/A | CTR DRBG V value (CSP) | Implicit |
| Random bit generation | 256 bits | DRBG, CKG (A2308) | Obtained from SP 800-90B compliant entropy source | N/A | VM | N/A | HMAC DRBG key value (CSP) | Implicit |
| Random bit generation | 256 bits | DRBG, CKG (A2308) | Obtained from SP 800-90B compliant entropy source | N/A | VM | N/A | HMAC DRBG V value (CSP) | Implicit |
| Random bit generation | 128, 192, and 256 bits | DRBG (A2308) | Obtained from SP 800-90B compliant entropy source | N/A | VM | N/A | DRBG entropy input (CSP) | Implicit |
| Random bit generation | 128, 192, and 256 bits | DRBG (A2308) | Obtained from SP 800-90B compliant entropy source | N/A | VM | N/A | DRBG seed (CSP) | Implicit |
| Random bit generation | 256 bits | DRBG (A2308) | Internal state of SP 800-90B compliant entropy source. Obtained from noise source. | N/A | VM | N/A | Entropy state (CSP) | Implicit |
| Self-test | 144 bits | HMAC (A2308) | Built-in constant value. | N/A | Built into modul e image | N/A | Integrity test key (not considered an SSP) | N/A |
Examples are BCM_CIPHER objects for symmetric ciphers and BCM_MAC objects for message authentication codes. These objects are created explicitly by the user with function calls to the module. The module defines a BCM_CTX object which can contain SSPs in the form of internal random number generator (RNG) state and associated entropy state. A single BCM_CTX is created automatically when the module starts and is retained by the module as the default context. BCM_CTX objects can be created explicitly by the user with function calls to the module. To zeroize all unprotected SSPs and key components, perform the following procedure:
| Name | Key Size |
|---|---|
| DRBG | Entropy Obtained (bits) |
| CTR DRBG with AES-128 | 128 |
| CTR DRBG with AES-192 | 192 |
| CTR DRBG with AES-2561 | 256 |
| HMAC DRBG with SHA2-512 | 256 |
| RSA key-pair generation | Prime generation, and Miller-Rabin prime number testing1 |
| DSA and DH key-pair generation | Generation of public and private values1 |
| FFC (DH, DSA) domain parameter generation | Prime generation, and Miller-Rabin prime number testing1 |
| FFC, ECC and RSA key generation | Blinding of random values |
| RSA key validation | Prime recovery testing2 |
| ECC key generation | Generation of private value1 |
| Symmetric key generation | Direct generation of symmetric keys |
| Initialization vector generation | Direct generation of IVs for symmetric encryption |
| RSA PKCS #1 v1.5 encryption | Generation of random value for message encoding |
| RSA PKCS #1 PSS signing | Generation of random value for message encoding |
BSAFE Crypto Module provides the following approved DRBGs for use in both the Approved Mode of Operation and Non-Approved mode: Table 14 Approved Random Bit Generators 1CTR DRBG with AES-256 is the default DRBG. Table 15 DRBG Output Uses 1All seeds for asymmetric key generation are generated using the direct output of the approved DRBG. 2For details refer to SP 800-56B Rev. 2, Appendix C.
| Name | Key Size | |
|---|---|---|
| Details | Minimum number of bits of entropy | Entropy Sources |
| Instantiation of HMAC DRBG | 256 | Execution time jitter |
| Instantiation of CTR DRBG with AES-128 | 128 | Execution time jitter |
| Instantiation of CTR DRBG with AES-192 | 192 | Execution time jitter |
| Instantiation of CTR DRBG with AES-256 | 256 | Execution time jitter |
| Application calls BCM_random_seed() | DRBG instantiation bits | Execution time jitter |
| Application calls BCM_secure_random_bytes() | 64 | Execution time jitter |
BSAFE Crypto Module for C provides an entropy source that is internal to the module. This entropy source generates entropy that is used to seed the Approved RBGs. The entropy source is provided as an ENT (NP) that is compliant with SP 800-90B, and is estimated to provide a min entropy of 7.96875 bits per byte. Table 16 Non-Deterministic Random Bit Generation Specification The BCM_CTX object manages an approved DRBG and an Entropy NDRBG. The first call to a random number generation service using the BCM_CTX object instantiates the Entropy NDRBG and the DRBG. At instantiation, the DRBG issues a GET call to the Entropy NDRBG for the number of bits of entropy equivalent to the security strength of the DRBG. A call to the BCM_random_seed() API with the BCM_CTX object resets the DRBG seed. The DRBG issues a GET call to the Entropy NDRBG for the number of bits of entropy equivalent to the security strength of the DRBG. A call to the BCM_secure_random_bytes() API with the BCM_CTX object adds a fixed number of bits of entropy to the DRBG state before the DRBG generates output. The DRBG issues a GET call to the Entropy NDRBG for 64 bits of entropy. The entropy is collected from the jitter in the CPU execution time for performing an HMAC over the state and previous noise sample. By collecting multiple jitter samples, a bit stream that meets the statistical measurements which indicate a bit stream is random, is produced and whitened.
| Name | Key Size | ||||
|---|---|---|---|---|---|
| MAC and KDF | Strength | Symmetric | RSA | EC | Hash |
| < 80 | < 80 | 1024 | 160 | SHA-1 | |
| 112 | 112 | 3DES | 2048 | 224 | SHA2-224 SHA2-512/224 SHA3-224 |
| CMAC-AES GMAC-AES SHA-1 | 128 | AES-128 | 3072 | 256 | SHA2-256 SHA2-512/224 SHA3-256 SHAKE-128 |
| MAC and KDF | Strength | Symmetric | RSA | EC | Hash |
| CMAC-AES GMAC-AES SHA2-224 SHA2-512/224 SHA3-224 | 192 | AES-192 | 7680 | 384 | SHA2-384 SHA3-384 |
| CMAC-AES GMAC-AES SHA2-256 SHA2-512/256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 | 256 | AES-256 | 15360 | 521 | SHA2-512 SHA3-512 SHAKE-256 |
| Strength | Last Date Acceptable |
|---|---|
| < 112 | Already disallowed |
| 112 | 31 Dec 2030 |
| >= 128 | Acceptable to 2031 and beyond |
The module addresses the requirements of FIPS 140-3. Transitioning the use of cryptographic algorithms and key lengths (SP 800-131A Rev. 2) provides more specific guidance concerning transition periods and time frames where an algorithm or key length transitions from Approved to Non-Approved. None of the Approved algorithms provided by the module are affected by transition periods or time frames. Recommendation for Key Management Part 1 (SP 800-57 Part 1 Rev. 5) specifies security strengths that are acceptable for protecting data going forward. Application writers should consider the specified acceptable use dates with respect to the expected deployment lifetime of the application and the lifespan of the data being protected. The lifespan depends on the type of key and use, but are from 1-3 years. For more information, refer to SP 800-57, Part 1. Table 17 Security Strength Time Frames The correspondence between security strength, algorithms and key size is specified in the following:
Table 18 Correspondence between Security Strength, Algorithms, and Key Size (continued)
| Name | Algorithm Or Test | Test Type | Details | Test Properties |
|---|---|---|---|---|
| HMAC | HMAC | KAT | Pre-operational software integrity test executes automatically when the module is loaded into memory. | HMAC-SHA2-256 signature:32 bytes HMAC secret:18 bytes |
| Entropy source | Entropy source | RCT and APT | Pre-operational critical functions test runs when a BCM_CTX objects creates an entropy source. | 1024 noise samples |
BSAFE Crypto Module performs a number of pre-operational and conditional self-tests to ensure proper operation. The cryptographic services of the module are disabled when the self-tests are running.
The following table lists the pre-operational self-tests: Table 19 Pre-operational Self-tests
If all POST pass, the cryptographic services of the module are enabled and the module can be used. The BCM_module_state() control interface returns a state of BCM_MODULE_STATE_READY.
| Name | Algorithm Or Test | Test Type | Details | Test | Condition |
|---|---|---|---|---|---|
| AES | AES | KAT | Encrypt and decrypt self-tests | 128, 192 and 256-bit AES keys | Before first use of algorithm |
| AES (CMAC) | AES (CMAC) | KAT | MAC generation and verification self-tests | 128, 192 and 256-bit AES keys | Before first use of algorithm |
| AES (GMAC) | AES (GMAC) | KAT | MAC generation and verification self-tests | 128, 192 and 256-bit AES keys | Before first use of algorithm |
| KTS | KTS | KAT | Wrap and unwrap self-tests | 128, 192 and 256-bit AES keys | Before first use of algorithm |
| DRBG (AES-CTR) | DRBG (AES-CTR) | KAT | Random bit generation self-tests | 128, 192 and 256-bit strength | Before first use of algorithm |
| DRBG (AES-CTR) | DRBG (AES-CTR) | Fault- Detection Test | SP 800-90A Rev. 1 health test. Instantiate, generate, reseed, uninstantiate tests. | 128, 192 and 256-bit strength | Before first use of algorithm |
| DRBG (HMAC SHA2-512) | DRBG (HMAC SHA2-512) | KAT | Random bit generation self-test | 256-bit strength | Before first use of algorithm |
| DRBG (HMAC SHA2-512) | DRBG (HMAC SHA2-512) | Fault- Detection Test | SP 800-90A Rev. 1 health test. Instantiate, generate, reseed, uninstantiate tests. | 256-bit strength | Before first use of algorithm |
| KAS-FFC-SSC | KAS-FFC-SSC | KAT | Shared secret calculation | Key generated from ffdhe2048 | Before first use of algorithm |
| DSA | DSA | KAT | Signature generation and verification self-test | 2048-bit key | Before first use of algorithm |
| ECDSA | ECDSA | KAT | Signature generation and verification self-test | Key generated from P-224 | Before first use of algorithm |
| KAS-ECC-SSC | KAS-ECC-SSC | KAT | ECDH and ECDHC shared secret calculations | Keys generated from P-224 and K-233 | Before first use of algorithm |
| HMAC (SHA-1) | HMAC (SHA-1) | KAT | MAC generation self-test | HMAC with SHA-1 | Before first use of algorithm |
| HMAC (SHA2) | HMAC (SHA2) | KAT | MAC generation self-test | HMAC with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | Before first use of algorithm |
| HMAC (SHA3) | HMAC (SHA3) | KAT | MAC generation self-test | HMAC with SHA3-224, SHA3-256, SHA3-384, SHA3-512 | Before first use of algorithm |
| KDA | KDA | KAT | Expand and extract self-test | HKDF with SHA2-256 | Before first use of algorithm |
| KDA | KDA | KAT | Key derivation self-test | One-step KDF with SHA2-256 | Before first use of algorithm |
| KDF | KDF | KAT | Key derivation self-test | PBKDF2 with SHA2-256, 2 iterations, 32 byte output | Before first use of algorithm |
| RSA | RSA | KAT | RSA encrypt and decrypt self-tests | 2048-bit RSA key | Before first use of algorithm |
| RSA | RSA | KAT | RSA signature and verification self-tests | 2048-bit RSA key | Before first use of algorithm |
| SHS (SHA-1) | SHS (SHA-1) | KAT | Message digest generation self-test | SHA-1 | Before first use of algorithm |
| SHS (SHA2) | SHS (SHA2) | KAT | Message digest generation self-test | SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | Before first use of algorithm |
| SHA3 | SHA3 | KAT | Message digest generation self-test | SHA3-224, SHA3-256, SHA3-384, SHA3-512 | Before first use of algorithm |
| SHA3 (SHAKE) | SHA3 (SHAKE) | KAT | XOF generation self-test | SHAKE-128, SHAKE-256 | Before first use of algorithm |
| CVL (SSH-KDF) | CVL (SSH-KDF) | KAT | Key derivation self-test | SSH KDF with SHA-1 | Before first use of algorithm |
| CVL (TLS v1.2 PRF) | CVL (TLS v1.2 PRF) | KAT | Key derivation self-test | TLS v1.2 PRF with SHA2-256 | Before first use of algorithm |
| CVL (X9.63 KDF) | CVL (X9.63 KDF) | KAT | Key derivation self-test | X9.63 KDF with SHA2-256 | Before first use of algorithm |
| SP 800-56A Rev. 3 (Safe primes key generation) | SP 800-56A Rev. 3 (Safe primes key generation) | PCT | Public key recalculation | 2048-bit to 8192-bit keys | Generation of DH key pair |
| DSA (key generation) | DSA (key generation) | PCT | Sign and verify | 2048-bit and 3072-bit keys | Generation of DSA key pair |
| RSA (key generation) | RSA (key generation) | PCT | RSA sign and verify | 2048-bit to 4096-bit signing keys | Generation of RSA signature key pair |
| RSA (key generation) | RSA (key generation) | PCT | RSA encrypt and decrypt | 2048-bit to 4096-bit encryption keys | Generation of RSA encryption key pair |
| ECC (FIPS 186-4 key generation) | ECC (FIPS 186-4 key generation) | PCT | ECDSA sign and verify | Curves B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | Generation of EC signature key pair |
| ECC (SP 800-56A Rev. 3 key generation) | ECC (SP 800-56A Rev. 3 key generation) | PCT | ECDH public key recalculation | Curves B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | Generation of EC key exchange key pair |
| Entropy source | Entropy source | Fault- Detection Test | Entropy continuous RCT and APT testing, as defined in SP 800-90B | 1 bit of entropy per byte | Creation of new DRBG instance Reseed of DRBG instance Generation of secure random bytes |
If the pre-operational software integrity test fails, the module enters the self-test error state. The repetition count test (RCT) and adaptive proportion test (APT) are defined in SP 800-90B. The pre-operational software integrity tests used are described in detail in Approved Integrity Techniques.
The following table lists the conditional self-tests: FaultDetection FaultDetection Table 20 Conditional Self-tests
Table 20 Conditional Self-tests (continued)
Table 20 Conditional Self-tests (continued)
FaultDetection Table 20 Conditional Self-tests (continued)
For the KATs, the module includes a set of fixed inputs for each algorithm along with corresponding pre-calculated expected outputs. The cryptographic algorithm is run with the fixed inputs and the algorithm outputs are compared with the expected outputs. If there is any difference the algorithm self-test fails, the CAST fail and the module enters the self-test error state. If a pair-wise consistency test fails, the key-generation operation fails and returns an error indicator through a return status code. The error is cleared by reattempting the If the Entropy source self-tests fail then the entropy collection operation returns an error indicator through a return status code. The error cannot be cleared from the NDRBG object. A new NDRBG object must be created to collect entropy.
| Name | Description | Indicator |
|---|---|---|
| Self-test Error | Module pre-operational integrity test failure | Cryptographic services return error BCM_ERROR_FIPS_INTEGRITY_FAILURE code. The control interface BCM_module_state() returns a state of BCM_MODULE_STATE_INTEGRITY_FAILED. |
| Self-test Error | CAST failure | Cryptographic services return error BCM_ERROR_FIPS_SELFTEST_FAILURE code. The control interface BCM_module_state() returns a state of BCM_MODULE_STATE_SELFTEST_FAILED. |
| Self-test Error | On-demand integrity test failure | Cryptographic services return BCM_ERROR_FIPS_INTEGRITY_FAILURE error code. The control interface BCM_module_state() returns a state of . BCM_MODULE_STATE_INTEGRITY_FAILED |
| Self-test Error | On-demand CAST failure | Cryptographic services return error BCM_ERROR_FIPS_SELFTEST_FAILURE code. The control interface BCM_module_state() returns a state of . BCM_MODULE_STATE_SELFTEST_FAILED |
| Self-test Error | On-demand asymmetric key PCT failure | Cryptographic services return error BCM_ERROR_FIPS_SELFTEST_FAILURE code. The control interface BCM_module_state() returns a state of . BCM_MODULE_STATE_SELFTEST_FAILED |
The following table lists the error states: Table 21 Error States module can be re-enabled only by reloading the module.
For the PowerMaxOS platform, the module is linked into the application at compile time, and installed as part of the target application. For Linux and Windows platforms, the module must be installed with the target application. The Crypto Officer should follow a secure installation procedure to install the module. For all target platforms the installation process should check the integrity of the installed files by checking the hash value of the original files and installed files. A minimum privileged user on the operating system should be created solely to execute the application. This user should not share any other roles in the operating system. The installation process should set the minimum execution permission to the installed files for the user. If the module is dynamically loaded into the application, the installation process should ensure that the path to the module cannot be modified by other OS users.
There are no specific initialization steps required for the module.
The module is started by initiating the application that statically or dynamically linked it. The module uses operating system services to perform the module startup when the application is started. This module startup includes running the pre-operational software integrity test. These ensure that the application has made no modification to the module as part of its development or installation. Before cryptographic services are made available by the module, the pre-operational software integrity test must complete successfully. For more information about the pre-operational software integrity test, see Software/Firmware Security.
Maintenance applies only to the application maintainers. If modifications are made to the application, such as a new version or patch to the application, the module’s pre-operational software integrity test ensures that the module contained within, or dynamically loaded, is unaltered. Application writers should not attempt to modify the module library or object file as the module will refuse to load or perform cryptographic operations.
For details of the administrative functions, security parameters, and logical interfaces available to the Crypto Officer, refer to Crypto Officer Role. The following sections detail the requirements for algorithm use in the Approved Mode of Operation.
General Crypto Officer Guidance Users should take care to zeroize SSPs when they are no longer needed. BSAFE Crypto Module objects should be deleted when no longer needed, which will zeroize sensitive data managed by the module. User variables containing SSP data on the stack or heap should be zeroized after use or before going out of scope.
Using the CTR DRBG with AES-256 is recommended as it is fast and because it provides
256 bits of cryptographic strength, it is suitable for all purposes. This is the module default
When using an approved DRBG to generate keys, the security strength of the DRBG must be at least as great as the security strength of the key being generated. For details about the comparable security strengths of symmetric block ciphers and asymmetric key algorithms refer to Table 2 of SP 800-57 Part 1 Rev. 5. The default DRBG provides a security strength as great as that of any supported keys.
GCM Mode Ciphers An AES-GCM IV is constructed in compliance with either IG C.H scenario 1a or IG C.H scenario 2, depending on how the module is used. When using GCM feedback mode for symmetric encryption, the authentication tag length and authenticated data length may be specified as input parameters, but the IV must not be specified. It must be generated internally. IV generation operates in one of two ways:
| Purpose | Curves |
|---|---|
| Protect and Process | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 |
| Process only | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 |
| Purpose | (prime, subprime) |
|---|---|
| Protect and Process | (2048, 224), (2048, 256), (3072, 256) |
| Process only | (1024,160), (2048, 224), (2048, 256), (3072, 256), |
| Purpose | DH FFC Named domain parameter |
|---|---|
| Protect | FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192 MODP2048, MODP3072, MODP4096, MODP614 |
The remaining eight bytes of the IV, referred to as nonce_explicit in RFC 5288, are generated deterministically by the module using a 64-bit global counter within the module. The module uses the current system time to initialize the counter when it is first used. The system time must be valid to prevent repetition of IVs. During a TLS connection, if the nonce_explicit part of the IV exhausts the maximum number of possible values for a given session key, a new handshake must be performed to establish a new key. XTS Mode Ciphers AES in XTS mode is approved only for hardware storage applications. The data encryption key and tweak key components of the double-length XTS key must be checked to ensure they are different. This check is performed automatically by the module. Triple DES Triple DES is not available as an approved algorithm in the Approved Mode of Operation. When triple DES is used in Non-Approved mode, the amount of data that can be encrypted is restricted to 216 64-bit blocks.
In the following, Protect refers to cryptographically protecting data for later use, for example, signing, encrypting or wrapping. Process refers to processing previously protected data, for example, verifying, decrypting or unwrapping. Table 22 Supported Elliptic Curves Table 23 Supported DSA key pair sizes Table 24 Supported Diffie-Hellman named domain parameters
| Purpose | RSA modulus length | Note |
|---|---|---|
| Protect and Process | 2048, 3072, 4096 | Sizes approved in FIPS 186-4 and FIPS140-3IG. (CAVP validated) |
| Process only | 1024 | May be used for verification only. |
Table 25 Approved RSA modulus length for digital signatures
Keys used for digital signature generation and verification shall not be used for any other purpose. The module generates or loads keys with a particular purpose that is one of signing, encryption or key exchange. The same purpose must always be used for a given key when exported and loaded into the module again. The length of an RSA key pair for digital signature generation must be greater than or equal to 2048 bits. For digital signature verification, the length must be greater than or equal to 2048 bits, however 1024 bits is allowed for legacy-use only. RSA keys must pass validation before use. Keys generated by the module will pass validation. For RSA PKCS #1 PSS, the size relationship between the hash function output block length (hLen) and the length of the salt (sLen) shall be 0 <= slen <= hLen. Elliptic curve key pairs for digital signature generation must have a strength of 112 bits or stronger. Table 22, Supported Elliptic Curves, lists these in the Protect and Process row. For verification of digital signatures, use curves from the Process only row which includes legacy-use keys of less than 112 bits of strength. For DSA signatures, only key pairs generated with parameters in the Protect and Process row of Table 23, Supported DSA key pair sizes are approved for signature generation. Additionally, parameters from which the keys are derived or the keys must have been validated before use. An approved DRBG must be used for digital signature generation, and this is provided by the module. The SHA-1 digest is disallowed for the generation of digital signatures. The digest must be an approved algorithm. Verification of signatures with a SHA-1 digest is allowed for legacy use. The security strength of both the key and the digest functions shall be chosen to meet or exceed the required security strength for the digital signature. The security strength of the digest function should be stronger or the same as that of the key.
HMACs The key length for an HMAC generation or verification must be between 112 and 256 bits, inclusive. For HMAC verification, a key length greater than or equal to 80 and less than 112 is allowed for legacy-use.
The module does not implement the TLS or SSH protocol, and CAVP and CMVP have not tested TLS PRF or SSH KDF when used as part of such protocols. HMAC-Based Extract-and-Expand Key Derivation Function An approved HMAC must be used for extract and expand operations. A particular key-derivation key must only be used for a single key-expansion step. For more information see SP 800-56C Rev.
112 bits, assuming a randomly selected password using the extended ASCII printable
character set is used.
For random passwords, that is, a string of characters from a given set of characters in which each character is equally likely to be selected, the strength of the password is given by S = L *(log N / log 2) where: • N is the number of possible characters. For example: for the ASCII printable character set N = 95 for the extended ASCII printable character set N = 218. • L is the number of characters. A password of strength S can be guessed at random with the probability of 1 in 2S. The minimum length of the randomly-generated portion of the salt is 16 bytes. The iteration count is as large as possible, with a minimum of 10,000 iterations recommended. The derived key size can range from 1 byte to a maximum of (2 32 - 1) * b, where b is the digest size of the message digest function in bytes. Derived keys can be used as specified in SP 800-132, Section 5.4, option 1a. Secure Shell Key Derivation As defined in SP 800-135 Rev. 1, SSH-KDF can be used in the Approved Mode of Operation when it is used with an Approved hash function. The hash function must meet the security strength required by the cryptographic function for which the keying material is being generated. The security strengths of approved hash functions used in KDFs can be found in SP 800-57 Part 1 Rev.
The derived key must be used only as a secret key. The derived key shall not be used as a key stream for a stream cipher. The length of the derived key shall be less than (232 - 1) x b, where b is the digest size of the message digest function in bytes. The operation must be performed in the context of ANSI X9.63-2001 key agreement scheme.
Key pairs used in key agreement must not also be used to generate a digital signature. The shared secret must be:
Key Wrapping using AES The key establishment methodology provides between 128 and 256 bits (inclusive) of encryption strength. The security strength of the key encryption key must be greater than or equal to the security strength of the key being wrapped.
Asymmetric keys and parameters are validated as they enter the module for use in processing existing data. Before the keys are used to protect data, they must be validated. The module provides services for the validation of RSA, DSA, DH and ECC keys and parameters. Named EC and DH parameters are treated as valid. Only named EC parameters are supported. Key Parameter Generation The generation of DSA parameters is in accordance with the FIPS 186-4 standard for the generation of probable primes.
RSA, EC and DSA key operations implement blinding, a reversible way of modifying the input data, to make the operation immune to timing attacks. Blinding has no effect on the algorithm other than to mitigate attacks on the algorithm. This mitigation is enabled by default. For optimum security, it should not be disabled.
If necessary it can be disabled with BCM_FLAG_KEY_DISABLE_BLINDING. For more information, see Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. RSA signing operations implement a verification step after private key operations. This verification step is in place to prevent potential faults in optimized Chinese Remainder Theorem (CRT) implementations. It has no effect on the signature algorithm. This mitigation is enabled by default. For optimum security, it should not be disabled. If necessary it can be disabled with BCM_FLAG_KEY_DISABLE_SIGNATURE_CHECK. For more information, see Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults: Bao, Deng, Han, Jeng and On the Importance of Eliminating Errors in Cryptographic Computations. RSA PKCS #1 v1.5 encryption padding operations are implemented in constant time in order to make the operation immune to timing attacks. For this mitigation, constant time padding is built-in and cannot be disabled. For more information, see Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.
| Name | Term | Definition |
|---|---|---|
| AES | AES | Advanced Encryption Standard. A fast symmetric key algorithm with a 128-bit block, and keys of lengths 128, 192, and 256 bits. AES replaces DES as the US symmetric encryption standard. |
| API | API | Application Programming Interface. |
| Attack | Attack | An attempt, either a successful or unsuccessful, to break part or all of a cryptosystem. Attack types include an algebraic attack, birthday attack, brute force attack, chosen ciphertext attack, chosen plaintext attack, differential cryptanalysis, known plaintext attack, linear cryptanalysis, and middle person attack. |
| CAST | CAST | Cryptographic Algorithm Self-Tests. A test of all cryptographic functions of an approved cryptographic algorithm that must be performed prior to the first operational use of the cryptographic algorithm. A CAST may be a KAT, a comparison test or a fault-detection test. |
| CBC | CBC | Cipher Block Chaining. A mode of encryption in which each ciphertext depends upon all previous ciphertexts. Changing the IV alters the ciphertext produced by successive encryptions of an identical plaintext. |
| CCM | CCM | Counter with Cipher block chaining Message authentication code. A mode of encryption combining the Counter mode of encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for authentication. |
| CFB | CFB | Cipher Feedback. A mode of encryption producing a stream of ciphertext bits rather than a succession of blocks. In other respects, it has similar properties to the CBC mode of operation. |
| CMAC | CMAC | Cipher-based Message Authentication Code. An algorithm for calculating a MAC using a block cipher and a secret key, providing verification of both message integrity and authenticity. |
| CMVP | CMVP | Cryptographic Module Validation Program. |
| CTR | CTR | Counter Mode. A mode of encryption which turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a counter. |
| CTR DRBG | CTR DRBG | Counter mode Deterministic Random Bit Generator. |
| Decryption | Decryption | The conversion of encrypted data, ciphertext, into its original form. Generally, the reverse of encryption. |
| DES | DES | Data Encryption Standard. A symmetric encryption algorithm with a 56-bit key with eight parity bits. |
| DES3 | DES3 | Triple Data Encryption Standard. A symmetric encryption algorithm with three 56-bit keys, with eight parity bits. Also known as Triple-DES and TDEA. |
| DH | DH | Diffie-Hellman. An asymmetric key exchange algorithm. There are many variants, but typically two entities exchange some public information (for example, public keys or random values) and combine them with their own private keys to generate a shared session key. As private keys are not transmitted, eavesdroppers are not privy to all of the information comprising the session key. |
| DRBG | DRBG | Deterministic Random Bit Generator. |
| DSA | DSA | Digital Signature Algorithm. An algorithm for creating digital signatures. |
| EC | EC | Elliptic Curve |
| ECC | ECC | Elliptic Curve Cryptography. A public-key cryptographic approach based on the algebraic structure of elliptic curves over finite fields. It has the advantage of allowing smaller keys to provide equivalent security. |
| ECB | ECB | Electronic Codebook. A mode of encryption which divides a message into blocks and encrypts each block separately. |
| ECDH | ECDH | Elliptic Curve Diffie-Hellman. A key agreement protocol that provides the means for two parties, each with an elliptic-curve public/private key pair, to establish a shared secret over an insecure channel. |
| ECDHC | ECDHC | Elliptic Curve Diffie-Hellman with Cofactor key agreement algorithm. This algorithm employs the CDH primitive. |
| ECDSA | ECDSA | Elliptic Curve Digital Signature Algorithm. A variant of DSA that uses elliptic curve cryptography. |
| Encryption | Encryption | The transformation of plaintext into an apparently less readable form, called ciphertext, using a mathematical process. The ciphertext can be read by anyone who has the key and decrypts (undoes the encryption) the ciphertext. |
| FFC | FFC | Finite Field Cryptography. The public-key cryptographic methods using operations in a multiplicative group of a finite field. See SP 800-56A Rev. 3. Both DH and DSA are based on Finite Field Cryptography. |
| FIPS | FIPS | Federal Information Processing Standards. |
| GCM | GCM | Galois/Counter Mode. A mode of encryption combining the Counter mode of encryption with Galois field multiplication for authentication. |
| GMAC | GMAC | Galois Message Authentication Mode. An authentication-only variant of GCM. |
| HKDF | HKDF | HMAC-based Extract-and Expand KDF. HKDF is a two-step key derivation function, where the first step, extraction, transforms a shared secret into a key-derivation key. The second step, expansion, uses the key-derivation key to derive an output key. |
| HMAC | HMAC | Keyed-Hashing for Message Authentication Code. |
| HMAC DRBG | HMAC DRBG | HMAC Deterministic Random Bit Generator. |
| IV | IV | Initialization Vector. Used as a seed value for an encryption operation. |
| KAT | KAT | Known Answer Test. |
| KBKDF | KBKDF | Key-Based KDF. |
| KDF | KDF | Key Derivation Functions. Deterministic algorithms used to derive cryptographic keying material from a secret value such as a password. |
| Key wrapping | Key wrapping | A method of encrypting key data for protection on untrusted storage devices or during transmission over an insecure channel. |
| MAC | MAC | Message Authentication Code. Apiece of information is attached to a message for verification of the messages authenticity and data integrity. |
| MD5 | MD5 | A message digest algorithm, which hashes an arbitrary-length input into a 16-byte digest. Designed as a replacement for MD4. |
| NDRBG | NDRBG | Non-Deterministic Random Bit Generator. |
| NIST | NIST | National Institute of Standards and Technology. A division of the US Department of Commerce (formerly known as the NBS) which produces security and cryptography-related standards. |
| OAEP | OAEP | Optimal Asymmetric Encryption Padding. A padding scheme often used with RSA encryption to convert the deterministic RSA encryption scheme into a probabilistic scheme. |
| OFB | OFB | Output Feedback. A mode of encryption in which the cipher is decoupled from its ciphertext. |
| OS | OS | Operating System. |
| P_HASH | P_HASH | A function that uses the HMAC-HASH as the core function in its construction. Specified in RFC 2246 and RFC 5246. |
| PBKDF2 | PBKDF2 | Password-based Key Derivation Function 2. A method of password-based key derivation, which applies a MAC algorithm to derive the key. |
| PKCS | PKCS | Public Key Cryptography Standards. A group of public-key cryptography standards devised and published by RSA®. |
| POST | POST | Pre-Operational Self-Tests. |
| PRF | PRF | Pseudo Random Function. A function that can be used to generate output from a random seed and a data variable such that the output is computationally indistinguishable from truly random output. |
| privacy | privacy | The state or quality of being secluded from the view or presence of others. |
| private key | private key | The secret key in public key cryptography. Primarily used for decryption but also used for encryption with digital signatures. |
| PRNG | PRNG | Pseudo-Random Number Generator. |
| PSP | PSP | Public Security Parameters. Security related public information, for example, public keys, whose modification can compromise the security of the cryptographic module. |
| PSS | PSS | Probabilistic Signature Scheme. A cryptographic signature scheme typically used with RSA signatures. |
| RNG | RNG | Random Number Generator. |
| RSA | RSA | Public key, asymmetric, algorithm providing the ability to encrypt data and create and verify digital signatures. RSA stands for Rivest, Shamir, and Adleman, the developers of the RSA public key cryptosystem. |
| SHA | SHA | Secure Hash Algorithm. An algorithm which creates a unique hash value for each possible input. SHA takes an arbitrary input which is hashed into a 160-bit digest. |
| SHA-1 | SHA-1 | A revision to SHA to correct a weakness. It produces 160-bit digests. SHA-1 takes an arbitrary input, which is hashed into a 20-byte digest. |
| SHA-2 | SHA-2 | The NIST-mandated successor to SHA-1, to complement the Advanced Encryption Standard. It is a family of message digest algorithms (SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, and SHA2-512/256), which produce digests of 224, 256, 384, 512, 224, and 256 bits respectively. |
| SHA-3 | SHA-3 | A family of hash algorithms which includes SHA3-224,SHA3-256, SHA3-384 and SHA3-512 bits. It is an alternative to SHA-2,as no significant attacks on SHA-2 are currently known. |
| SHAKE | SHAKE | An extendable output function (XOF) that produces a variable digest size. |
| SSH-KDF | SSH-KDF | Secure Shell Key Derivation Function. Used by the SSH protocol to derive IVs, encryption keys and integrity keys. |
| TLS | TLS | Transport Layer Security. |
| Triple-DES | Triple-DES | See DES3. |
| XTS | XTS | XEX-based Tweaked Codebook mode with ciphertext stealing. A mode of encryption used with AES. |
The following table lists the acronyms and terms used with the module and their definitions: Table 26 Acronyms and Definitions
Table 26 Acronyms and Definitions (continued)
Table 26 Acronyms and Definitions (continued) Australia Pty. Ltd. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
Table 26 Acronyms and Definitions (continued)