All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Dell BSAFE™ Crypto Module for C

Certificate#4967StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorDell Australia Pty Limited, BSAFE Product Team
Low review priority  ·  no TCB surface named  ·  last validated 17 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date2/18/2027
EntropyENT (NP)
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy
VendorDell Australia Pty Limited, BSAFE Product Team

Approved Algorithms (68)

AlgorithmACVP Cert
AES-CBCA2308
AES-CBC-CS3A2308
AES-CCMA2308
AES-CFB128A2308
AES-CMACA2308
AES-CTRA2308
AES-ECBA2308
AES-GCMA2308
AES-GMACA2308
AES-KWA2308
AES-KWPA2308
AES-OFBA2308
AES-XTS Testing Revision 2.0A2308
Counter DRBGA2308
DSA KeyGen (FIPS186-4)A2308
DSA PQGGen (FIPS186-4)A2308
DSA PQGVer (FIPS186-4)A2308
DSA SigGen (FIPS186-4)A2308
DSA SigVer (FIPS186-4)A2308
ECDSA KeyGen (FIPS186-4)A2308
ECDSA KeyVer (FIPS186-4)A2308
ECDSA SigGen (FIPS186-4)A2308
ECDSA SigVer (FIPS186-4)A2308
HMAC DRBGA2308
HMAC-SHA-1A2308
HMAC-SHA2-224A2308
HMAC-SHA2-256A2308
HMAC-SHA2-384A2308
HMAC-SHA2-512A2308
HMAC-SHA2-512/224A2308
HMAC-SHA2-512/256A2308
HMAC-SHA3-224A2308
HMAC-SHA3-256A2308
HMAC-SHA3-384A2308
HMAC-SHA3-512A2308
KAS-ECC-SSC Sp800-56Ar3A2308
KAS-FFC-SSC Sp800-56Ar3A2308
KAS-IFC-SSCA2308
KDA HKDF Sp800-56Cr1A2308
KDA OneStep Sp800-56Cr1A2308
KDF ANS 9.63A2308
KDF SP800-108A2308
KDF SSHA2308
KDF TLSA2308
PBKDFA2308
RSA Decryption PrimitiveA2308
RSA KeyGen (FIPS186-4)A2308
RSA SigGen (FIPS186-4)A2308
RSA Signature PrimitiveA2308
RSA SigVer (FIPS186-2)A2308
RSA SigVer (FIPS186-4)A2308
Safe Primes Key GenerationA2308
Safe Primes Key VerificationA2308
SHA-1A2308
SHA2-224A2308
SHA2-256A2308
SHA2-384A2308
SHA2-512A2308
SHA2-512/224A2308
SHA2-512/256A2308
SHA3-224A2308
SHA3-256A2308
SHA3-384A2308
SHA3-512A2308
SHAKE-128A2308
SHAKE-256A2308
TLS v1.2 KDF RFC7627A2308
TLS v1.3 KDFA2308

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Sensitive Security Parameter Management1
Self-Tests1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Dell BSAFE™ Crypto Module for C
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status<br/>Self-test<br/>Self-test Error</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Dell BSAFE™ Crypto Module for C
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status<br/>Self-test<br/>Self-test Error</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

13.02.25 Dell Australia Pty Limited, BSAFE Product Team Dell BSAFE™ Crypto Module for C Module Version 3.0.1 FIPS 140-3 Security Policy Document Version 1.13

Page 2

for C, version 3.0.1 (BSAFE Crypto Module) from Dell Australia Pty Limited, BSAFE Product Team. This document may be freely reproduced and distributed whole and intact including the Contents:

Page 3

Preface With the exception of the non-proprietary Dell BSAFE™ Crypto Module for C Security Policy document, the overall FIPS 140-3 Security Level 1 validation submission documentation is proprietary to Dell Australia Pty Limited and is releasable only under appropriate non-disclosure agreements. For access to the documentation, contact Dell Support. This security policy describes how the BSAFE Crypto Module meets the Security Level 1 requirements for all aspects of FIPS 140-3, and how to securely operate it. Federal Information Processing Standards Publication 140-3 - Security Requirements for Cryptographic Modules (FIPS 140-3) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the NIST website. This document deals only with operations and capabilities of the BSAFE Crypto Module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information about BSAFE Crypto Module and the entire BSAFE product line is available from Dell Support. Terminology In this document, the term BSAFE Crypto Module denotes the BSAFE Crypto Module for C, version 3.0.1, FIPS 140-3 validated Cryptographic Module for Overall Security Level 1 for the C language. The BSAFE Crypto Module for C is also referred to as:

Page 4
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical Security1N/A
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management1
1010Self-Tests1
1111Life-cycle Assurance1
1212Mitigation of Other Attacks1

BSAFE Crypto Module is validated with an overall FIPS 140-3 Security Level 1. Security levels for individual areas are shown in the following table: Table 1 N/A N/A Security Levels 1The module relies on the physical security provided by the host on which it runs.

Page 5
2 Cryptographic Module Specification

BSAFE Crypto Module is a software module intended to be used as part of a software system, providing cryptographic services to that system. The module is provided in the following formats:

Page 6
2.1 Module Description

The module is identified as Dell BSAFE™ Crypto Module for C, version 3.0.1. The constituents of the module are platform-specific:

2.2 Software Module Cryptographic Boundaries

BSAFE Crypto Module is classified as a multi-chip standalone software cryptographic module for the purposes of FIPS 140-3. As such, it is tested on specific operating systems and computer platforms. The cryptographic boundary includes the module running on selected platforms running selected operating systems. The module is packaged as a library containing the module’s entire executable code. The module relies on the physical security provided by the host computer in which it runs. The tested operational environment physical perimeter of the module is the case of the general-purpose computer, which encloses the hardware running the module. The physical interfaces for the module are the physical interfaces of the computer running the module, such as the keyboard, monitor, and network interface. The cryptographic module boundary is the library. This is a shared library for most platforms, dynamically loaded by the application. For some, it is a static library linked directly into the final application. The underlying logical interface to the module is the API, documented in the Dell BSAFE™ Crypto Module for C Developers Guide. The module provides Control Input through the API calls. Data Input and Output are provided in the variables passed with the API calls. Status Output is provided through the return status codes documented for each call. This is illustrated in Figure 1 Cryptographic boundary.

Page 7
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Gold 5218Yes1
2Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Gold 5218No2
3Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Gold 6240LYes3
4Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Gold 6240LNo4
5Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Gold 6254Yes5
6Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Gold 6254No6
7Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Platinum 8280LYes7
8Dell PowerMaxOS 10PowerMax storage array compute nodeIntel Xeon Platinum 8280LNo8
9Microsoft Windows 11VMware ESXi 7.0.2 on Dell PowerEdge R630Intel Xeon E5-2620 v4Yes9
10Microsoft Windows 11VMware ESXi 7.0.2 on Dell PowerEdge R630Intel Xeon E5-2620 v4No10
11Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2019)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes11
12Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2019)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No12
13Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2017)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes13
14Microsoft Windows 10 Enterprise x86_64 (64-bit) (Visual Studio 2017)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No14
15Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246Yes15
16Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246No16
17Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019)VMware ESXi 6.7.0 on Dell PowerEdge R7425AMD EPYC 7451Yes17
18Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2019)VMware ESXi 6.7.0 on Dell PowerEdge R7425AMD EPYC 7451No18
19Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246Yes19
20Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246No20
21Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017)VMware ESXi 6.7.0 on Dell PowerEdge R7425AMD EPYC 7451Yes21
22Microsoft Windows Server 2019 x86_64 (64-bit) (Visual Studio 2017)VMware ESXi 6.7.0 on Dell PowerEdge R7425AMD EPYC 7451No22
23Red Hat Enterprise Linux 8.5 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes23
24Red Hat Enterprise Linux 8.5 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No24
25Red Hat Enterprise Linux 8.5 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes25
26Red Hat Enterprise Linux 8.5 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No26
27Red Hat Enterprise Linux 7.9 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes27
28Red Hat Enterprise Linux 7.9 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No28
29Red Hat Enterprise Linux 7.9 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes29
30Red Hat Enterprise Linux 7.9 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No30
31SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246Yes31
32SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246No32
33SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R7425AMD EPYC 7451Yes33
34SUSE Linux Enterprise Server 15 SP3 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R7425AMD EPYC 7451No34
35SUSE Linux Enterprise Server 15 SP3 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246Yes35
36SUSE Linux Enterprise Server 15 SP3 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246No36
37SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes37
38SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No38
39SUSE Linux Enterprise Server 12 SP5 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes39
40SUSE Linux Enterprise Server 12 SP5 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No40
1Dell PowerProtect™ Data Domain™ OS 8x86_64 (64-bit)1
2Dell PowerProtect Data Domain OS 7x86_64 (64-bit)2
3Dell OneFS 9.8x86_64 (64-bit)3
4Dell OneFS 9.7x86_64 (64-bit)4
5Dell PowerStoreOS 4 (user)x86_64 (64-bit)5
6Dell PowerStoreOS 4 (kernel)x86_64 (64-bit)6
7Microsoft Windows 10 IoT Enterprise LTSCx86_64 (64-bit)7
8Red Hat Enterprise Linux 9.4x86_64 (64-bit)8
9Red Hat Enterprise Linux 8.5x86_64 (64-bit)9
10SUSE Linux Enterprise Server 15 SP6x86_64 (64-bit)10
11SUSE Linux Enterprise Server 15 SP6x86 (32-bit)11
12SUSE Linux Enterprise Server 15 SP5x86_64 (64-bit)12
13SUSE Linux Enterprise Server 15 SP4x86_64 (64-bit)13
14SUSE Linux Enterprise Server 15 SP3x86_64 (64-bit)14
2.3 Operational Environments

For FIPS 140-3 validation, the module is tested by an accredited FIPS 140-3 testing laboratory on the following operational environments: # Table 2 Tested Operational Environments

Page 8

# Table 2 Tested Operational Environments (continued)

Page 9
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
35SUSE Linux Enterprise Server 15 SP3 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246Yes35
36SUSE Linux Enterprise Server 15 SP3 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6246No36
37SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes37
38SUSE Linux Enterprise Server 12 SP5 x86_64 (64-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No38
39SUSE Linux Enterprise Server 12 SP5 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136Yes39
40SUSE Linux Enterprise Server 12 SP5 x86 (32-bit)VMware ESXi 6.7.0 on Dell PowerEdge R640Intel Xeon Gold 6136No40
1Dell PowerProtect™ Data Domain™ OS 8x86_64 (64-bit)1
2Dell PowerProtect Data Domain OS 7x86_64 (64-bit)2
3Dell OneFS 9.8x86_64 (64-bit)3
4Dell OneFS 9.7x86_64 (64-bit)4
5Dell PowerStoreOS 4 (user)x86_64 (64-bit)5
6Dell PowerStoreOS 4 (kernel)x86_64 (64-bit)6
7Microsoft Windows 10 IoT Enterprise LTSCx86_64 (64-bit)7
8Red Hat Enterprise Linux 9.4x86_64 (64-bit)8
9Red Hat Enterprise Linux 8.5x86_64 (64-bit)9
10SUSE Linux Enterprise Server 15 SP6x86_64 (64-bit)10
11SUSE Linux Enterprise Server 15 SP6x86 (32-bit)11
12SUSE Linux Enterprise Server 15 SP5x86_64 (64-bit)12
13SUSE Linux Enterprise Server 15 SP4x86_64 (64-bit)13
14SUSE Linux Enterprise Server 15 SP3x86_64 (64-bit)14
15SUSE Linux Enterprise Server 15 SP3x86 (32-bit)15
16SUSE Linux Enterprise Server 15 SP2x86_64 (64-bit)16
17SUSE Linux Enterprise Server 15 SP2x86 (32-bit)17

Table 2 # Tested Operational Environments (continued) Dell BSAFE affirms compliance for the following operational environments: # Table 3 Vendor Affirmed Operational Environments

Page 10

# Table 3 Vendor Affirmed Operational Environments (continued) Note: When running the module on an affirmed platform, no assurances are made about the minimum strength of generated SSPs, such as keys.

Page 11
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES SP 800-38AA2308CBC, CBC-CS3, CFB128-bit, CTR, ECB, and OFB128, 192, 256-bit key sizesSymmetric encryption
AES SP 800-38CA2308CCM128, 192, 256-bit key sizesSymmetric encryption
AES SP 800-38DA2308GCM with automatic IV1 generation and TLS partial IV2 generation.128, 192, 256-bit key sizesSymmetric encryption
AES SP 800-38EA2308XTS3128, 256-bit key sizesSymmetric encryption
KTS SP 800-38FA2308AES Key Wrap, and Key Wrap with Padding.128, 192, and 256-bit key sizesKey wrapping
DSA FIPS 186-4A2308Domain parameter generation/validation2048 and 3072-bit key sizesDomain parameter generation/validation
DSA FIPS 186-4A2308Key generation. Signature generation and signature verification with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256. Signature verification with SHA-1.2048 and 3072-bit key sizesKey generation, signature generation, and signature verification
ECDSA / FIPS 186-4A2308Key generation. Key validation. Signature generation and signature verification with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512.112 to 256 bits strengthKey generation, key validation, signature generation, and signature verification
RSA FIPS 186-2 (for legacy use)4A2308Signature verification with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512.2048 to 4096-bit key sizeSignature verification
RSA FIPS 186-4A2308Key generation. Signature generation and signature verification with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256.2048 to 4096-bit key sizeKey generation, signature generation, and signature verification
CVL FIPS 186-4A2308RSASP15 component2048 to 4096-bit key sizeSignature generation
CVL SP 800-56B Rev. 2A2308RSADP6 component2048 to 4096-bit key sizeAsymmetric encryption
SP 800-56A Rev. 3A2308Safe Primes Key generationffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192Key generation
SP 800-56A Rev. 3A2308Safe Primes Key validationffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192Key validation
KDF SP 800-132A2308PBKDF27112 to 256 bits strengthKey derivation
KDF SP 800-108A2308KBKDF8 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512128 to 256 bits strengthKey derivation
CVL SP 800-135 Rev. 1A2308SSH-KDF9 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-22410, SHA3-25610, SHA3-38410, SHA3-51210128 to 256 bits strengthKey derivation
CVL SP 800-135 Rev. 1 RFC 7627A2308TLS v1.2 PRF with SHA2-256, SHA2-384, SHA2-512128 to 256 bits strengthKey derivation
CVL RFC 5246A2308TLS KDF with SHA2-256, SHA2-384, SHA2-512128 to 256 bits strengthKey derivation
CVL RFC 8446A2308TLS v1.3 PRF with HMAC-SHA2-256, HMAC-SHA2-384128 to 256 bits strengthKey derivation
CVL SP 800-135 Rev. 1A2308X9.63 KDF11 with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-22410, SHA3-25610, SHA3-38410, SHA3-51210128 to 256 bits strengthKey derivation
DRBG12 SP 800-90AA2308AES-CTR128, 192, 256 bits strengthRandom bit generation
DRBG SP 800-90AA2308HMAC SHA2-512256 bits strengthRandom bit generation
SHS FIPS 180-4A2308SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256112 to 256 bits strengthMessage digesting
SHA3 FIPS 202A2308SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE-128, SHAKE-256112 to 256 bits strengthMessage digesting
HMAC13 FIPS 198-1A2308HMAC with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512128 to 256 bits strengthMAC generation
AES SP 800-38BA2308CMAC with AES (128, 192, 256)128, 192, 256 bits strengthMAC generation
AES SP 800-38DA2308GMAC (128, 192, 256)128, 192, 256 bits strengthMAC generation
KAS-ECC-SSC SP 800-56A Rev. 3A2308Schemes: Ephemeral Unified Model, One-Pass Diffie-Hellman Model Static Unified Model Curves: P-224, P-256, P-384, P-521, K-233, K-283, K-409, K-571, B-233, B-283, B-409, B-571112 to 256 bits strengthShared Secret Generation
KAS-FFC-SSC SP 800-56A Rev. 3A2308Schemes: Diffie-Hellman Ephemeral Only, Diffie-Hellman One Flow Diffie-Hellman Static Domain Parameter Generation methods: MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe81922048 to 8192-bit key sizeShared Secret Generation
KAS-IFC-SSC SP 800-56B Rev. 2A2308Scheme: KAS1 Key Generation methods: An RSA key pair with a private key in the basic format, with a random public exponent.2048 to 8192-bit key sizeShared Secret Generation
KDA SP 800-56C Rev. 1A2308HKDF14 with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512128 to 256 bits key strengthKey Derivation
KDA SP 800-56C Rev. 1A2308One-Step KDF with SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512128 to 256 bits strengthKey Derivation
CKG of symmetric keys/ SP 800-133 Rev. 2VA15Direct output of approved DRBG used to generate 128, 192, or 256 bit AES keys. FIPS 140-3 Implementation Guidance, IG D.H.128-256 bits strengthKey Generation
CKG of asymmetric keys/ SP 800-133 Rev. 2VADirect output of approved DRBG used to generate prime number seeds and private key values. FIPS 140-3 Implementation Guidance, IG D.H.128-256 bits strengthKey Generation
AES in CFB in 64-bit modeSymmetric encryption
DES31 (three key) in CBC, CFB, ECB and OFB modesSymmetric encryption
MD5Message Digesting
RSA-PKCS #1Key Encapsulation
TLS v1.0/1.1 PRFKey Derivation
2.4 Cryptographic Algorithms

The following table lists the BSAFE Crypto Module Approved algorithms, with the appropriate standards and CAVP validation certificate numbers: Table 4 Approved Algorithms

Page 12

Table 4 Approved Algorithms (continued)

Page 13

Table 4 Approved Algorithms (continued)

Page 14

Table 4 Approved Algorithms (continued)

Page 15
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
CKG of asymmetric keys/ SP 800-133 Rev. 2VADirect output of approved DRBG used to generate prime number seeds and private key values. FIPS 140-3 Implementation Guidance, IG D.H.128-256 bits strengthKey Generation
AES in CFB in 64-bit modeSymmetric encryption
DES31 (three key) in CBC, CFB, ECB and OFB modesSymmetric encryption
MD5Message Digesting
RSA-PKCS #1Key Encapsulation
TLS v1.0/1.1 PRFKey Derivation

Table 4 Approved Algorithms (continued) 1Initialization Vector (IV). 2The TLSv1.2 protocol uses the fragment number as part of the IV. The module generates the remaining IV value using internally managed counter initialized at module load to ensure a probability of 2-32 or less, of reusing the same key and IV together. When using a partial IV, the module limits the use of a key and IV pair to 264 - 1 bytes. 3AES in XTS mode is approved only for hardware storage applications. The two keys concatenated to create the single double-length key must be checked to ensure they are different. 4Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. 5RSA signature primitive 1 (RSASP1). RSA decryption primitive (RSADP). RSADP shall only be used within the context of an SP800-56B rev 2 Key Transport Scheme (KTS). 7Password-based key derivation function 2 (PBKDF2). As defined in SP 800-132, PBKDF2 can be used in the Approved Mode of Operation when used with Approved symmetric key and message digest algorithms. For more information, see Crypto Officer Guidance. Key-based KDF (KBKDF), using pseudo-random functions HMAC-based Feedback Mode. As defined by the HKDF expand step. 9Secure Shell key derivation function (SSH-KDF). SHA3 options for SSH-KDF and X9.63 KDF are vendor affirmed since CAVP testing was not available at the time of module submission. 11ANSI X9.63 KDF. 12Deterministic Random Bit Generator (DRBG). 13Hash-based Message Authentication Code (HMAC). HMAC-based Extract-and-Expand KDF (HKDF). Vendor-affirmed algorithms. The following table lists the BSAFE Crypto Module Non-Approved algorithms, not allowed Table 5 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation 1Triple Data Encryption Standard.

Page 16

Note: BSAFE Crypto Module does not support any non-approved but allowed algorithms nor non-approved but allowed algorithms with no security claimed.

2.5 Certification Levels

BSAFE Crypto Module is validated with an overall Security Level 1 for FIPS 140-3, with Security Level 1 for each individual area. See Table 1, Security Levels for additional details.

2.6 Modes of Operation

The module can operate in Approved mode or Non-Approved mode. The mode selected affects which algorithms are available for use. The following section details the algorithms available in each mode:

2.6.1 Module Mode Configuration

The module operator must provide a definition of the configuration function BCM_get_config(BCM_CONFIG *config) that is called by the module during startup. The Module mode is set in the operator's function by assigning a value to config->mode. To start the module in the Approved mode of operation, the operator's configuration function should assign the value BCM_MODE_FIPS to the mode member of the configuration structure: BCM_STATUS BCM_get_config(BCM_CONFIG *config) { // Start the module in the Approved mode of operation config->mode = BCM_MODE_FIPS; // ... return BCM_OK; }

Page 17

To start the module in the Non-Approved mode of operation, the operator's configuration function must assign the value BCM_MODE_NON_FIPS to the mode member of the configuration structure: BCM_STATUS BCM_get_config(BCM_CONFIG *config) { // Start the module in the Non-Approved mode of operation config->mode = BCM_MODE_NON_FIPS; // ... return BCM_OK; } Note: The default value of the mode member is set to BCM_MODE_FIPS. Therefore, if the operator's configuration function does not set the mode, the module starts in the Approved mode of operation. Once the module is initialized and the pre-operational self-tests (POST) have completed successfully, the overall operating mode of the module can be changed by calling the BCM_module_configure() API.

2.6.2 Approved Mode Indicator

The module uses an approved mode indicator combined with a return status code from an approved security service to indicate the use of an approved service.

2.7 Operating the Cryptographic Module

The module initializes itself automatically when it is loaded dynamically, or as part of the user software system, and runs the POST automatically, regardless of the mode of operation at startup. See Cryptographic Module Specification for the module file format for the supported platforms. The cryptographic algorithm self-tests are executed when the specific algorithm is accessed for the first time by the user software system. All the cryptographic algorithm self-tests can be run manually by calling BCM_module_selftest(). The module does not support degraded operation. If any self-test fails, the cryptographic services of the module are disabled for both modes of operation.

Page 18
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData inputService inputs
N/AN/AData outputService outputs
N/AN/AControl inputConfiguration parameters for the API which sets the mode of operation. BCM_module_configure()
N/AN/AStatus outputMode of operation indicator, from either the or BCM_ctx_is_fips(), BCM_param_is_fips(), APIs. BCM_key_is_fips() The state of the module, from the API . BCM_module_state() For other API status, refer to the Outputs column of Table 4, Approved Algorithms.
3 Cryptographic Module Interfaces

BSAFE Crypto Module is a software module that provides APIs only as logical interfaces. Physical ports and interfaces are not provided by the module. The module conforms to the FIPS 140-3 Security Level 1 requirements for Cryptographic Module Interfaces and does not support a Trusted Channel Interface.

3.1 Ports and Interfaces

The following table lists the ports and interfaces, and the data that passes over each: N/A N/A N/A N/A Ports and Interfaces Note: The module does not support a Control Output interface.

Page 19
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
AES EncryptionCOPlaintextCiphertext, Status
AES DecryptionCOCiphertextPlaintext, Status
Message DigestCOMessageDigest, Status
MAC GenerationCOSecret, MessageMAC, Status
MAC VerificationCOSecret, Message, MACVerify Status, Status
DRBG InitializationCO
Random Number GenerationCORandom Bytes, Status
Key DeletionCO
Key DerivationCOSecretKey text, Status
Key WrapCOWrapped key text, Status
Key UnwrapCOWrapped key textStatus
Key Encapsulation (decrypt)COEncapsulated key textStatus
Digital Signature GenerationCOMessage DigestSignature, Status
Digital Signature VerificationCOMessage Digest, SignatureVerify Status, Status
Key AgreementCOPeer public key textShared Secret, Status
Key Parameter GenerationCOStatus
Key Parameter ValidationCOStatus
Show Module Version InformationCOModule Version, Status
Show StatusCOModule Status
Self-testCOStatus
AES EncryptionEncrypt with symmetric cipherCOAES keysAESEK
AES DecryptionDecrypt with symmetric cipherCOAES keysAESEK
Message DigestDigest a messageCOSHS, SHA3C
4 Roles, Services and Authentication

BSAFE Crypto Module meets all FIPS 140-3 Security Level 1 requirements for Roles, Services and Authentication, implementing only the Crypto Officer role. As allowed by FIPS 140-3, the module does not support identification or authentication of this role. There is no maintenance role, cryptographic bypass capability, or self-initiated cryptographic output. The module does not allow concurrent operators.

4.1 Crypto Officer Role

The Crypto Officer role is responsible for installing and loading the module and has access to all services provided by the module. This role is assumed automatically once the module has been loaded and the POST have run successfully. The POST are automatically run when the module is first loaded. They can be run manually at any time by calling BCM_module_selftest().

4.2 Services

For each service, the Approved Mode indicator is obtained by checking the service status and the Approved mode of the Context, Key, or Key Parameters. A return status code indicates the service status. For information about individual functions that implement each service, see the Dell BSAFE™ Crypto Module for C Developers Guide.

4.2.1 Roles, Services, Inputs and Outputs

The following is a list of services available to the single Crypto Officer (CO) role. Table 7 Roles, Service Commands, Input and Output

Page 20
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Key DerivationCOSecretKey text, Status
Key WrapCOWrapped key text, Status
Key UnwrapCOWrapped key textStatus
Key Encapsulation (decrypt)COEncapsulated key textStatus
Digital Signature GenerationCOMessage DigestSignature, Status
Digital Signature VerificationCOMessage Digest, SignatureVerify Status, Status
Key AgreementCOPeer public key textShared Secret, Status
Key Parameter GenerationCOStatus
Key Parameter ValidationCOStatus
Show Module Version InformationCOModule Version, Status
Show StatusCOModule Status
Self-testCOStatus
AES EncryptionEncrypt with symmetric cipherCOAES keysAESEK
AES DecryptionDecrypt with symmetric cipherCOAES keysAESEK
Message DigestDigest a messageCOSHS, SHA3C
MAC GenerationGenerate a Message Authentication CodeCOMAC secretHMAC, AES (CMAC, GMAC)W, E, ZC
MAC VerificationVerify a Message Authentication CodeCOMAC secretHMAC, AES (CMAC, GMAC)W, E, ZC
DRBG InitializationPrepare for random number or key generationCOEntropy State, DRBG entropy input, DRBG seed, CTR DRBG key value, CTR DRBG V value, HMAC DRBG key value, HMAC DRBG V valueDRBGGC
Random Number GenerationGenerate a random numberCODRBG entropy input, DRBG seed, CTR DRBG key value, CTR DRBG V value, HMAC DRBG key value, HMAC DRBG V valueDRBGEC
Key DeletionDelete a key from the moduleCOAES keys, RSA keys, DH keys, DSA keys, ECC keysZK
Key DerivationDerive key text given input secretCOKDF secret Derived key textKDF (PBKDF2, KBKDF) CVL (SSH-KDF, TLS v1.2 PRF, TLS v1.3 PRF, X9.63 KDF) KDA (HKDF, One-Step)W, E, Z R, ZC
Key WrapEncrypt an AES key with an AES key encryption keyCOAES key (wrapping key) AES key (wrapped key)KTSE RK
Key UnwrapDecrypt an AES key with an AES key encryption keyCOAES key (wrapping key) AES key (unwrapped key)KTSE WK
Key Encapsulation (decrypt)Decrypt an AES or RSA key with an RSA key encryption keyCORSA key (key encryption key) AES key or RSA key (decrypted key)CVL (RSADP)E WK
Digital Signature GenerationSign a messageCORSA keys, DSA keys, ECC keys (private keys)RSA, DSA, ECDSA (signature generation) CVL (RSASP1)EK
Digital Signature VerificationVerify the signature for a messageCORSA keys, DSA keys, ECC keys (public key)RSA, DSA, ECDSA. RSA FIPS 186-2 (for legacy use)2 (signature verification)EK
Key AgreementEstablish a shared secretCODH keys, ECC keys (peer public key) DH keys, ECC keys (peer public key, private key)KAS-ECC-SSC KAS-FFC-SSC KAS-IFC-SSCW, Z EK
Key Parameter GenerationGenerate FFC parametersCODSA parametersDSA domain parameter generationGC
Key Parameter ValidationValidate FFC parametersCODSA parametersDSA domain parameter validationRP
Show Module Version InformationProvide module version to userCO
Show StatusProvide module status to userCO
Self-testRun module self-tests on-demandCOIntegrity test keyHMAC
Key DerivationDerive key text given input secretCOTLS v1.0/1.1 PRFC
4.2.2 Approved Services

The following is a list of approved services provided by the module: E K E K C Table 8 Approved Services

Page 21

W, E, Z C W, E, Z C G C E C G P W C R K Z K Table 8 Approved Services (continued)

Page 22

W, E, Z R, Z C E K R E K W E K W E K E K Table 8 Approved Services (continued)

Page 23
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Key AgreementEstablish a shared secretCODH keys, ECC keys (peer public key) DH keys, ECC keys (peer public key, private key)KAS-ECC-SSC KAS-FFC-SSC KAS-IFC-SSCW, Z EK
Key Parameter GenerationGenerate FFC parametersCODSA parametersDSA domain parameter generationGC
Key Parameter ValidationValidate FFC parametersCODSA parametersDSA domain parameter validationRP
Show Module Version InformationProvide module version to userCO
Show StatusProvide module status to userCO
Self-testRun module self-tests on-demandCOIntegrity test keyHMAC
Key DerivationDerive key text given input secretCOTLS v1.0/1.1 PRFC
Key EncapsulationEncrypt or decrypt a key with an RSA key encryption keyCORSA-PKCS #1K
Message DigestDigest a messageCOMD5C
Symmetric DecryptionDecrypt with symmetric cipherCOAES with CFB 64-bit mode, DES3 with CBC, CFB, ECB and OFB modesK
Symmetric EncryptionEncrypt with symmetric cipherCOAES with CFB 64-bit mode, DES3 with CBC, CFB, ECB and OFB modesK

K W, Z E G C R P Table 8 Approved Services (continued) 1The indicator for the service is one of the following: C: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's context by calling BCM_ctx_is_fips(). For approved services, the FIPS indicator function will return

  1. K: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's key by calling BCM_key_is_fips(). For approved services, the FIPS indicator function will return
  2. P: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's key parameters by calling BCM_param_is_fips(). For approved services, the FIPS indicator function will return
  3. Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.
4.2.3 Non-Approved Services

The following is a list of non-approved services provided by the module: C Table 9 Non-Approved Services

Page 24

K C K K Table 9 Non-Approved Services 1The indicator for the service is one of the following: C: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's context by calling BCM_ctx_is_fips(). For these non-approved services, the FIPS indicator function will return 0. K: The Approved Mode indicator is obtained by checking the service return status code and the mode of the operation's key by calling BCM_key_is_fips(). For these non-approved services, the FIPS indicator function will return 0.

4.3 Operation Authentication

The module does not implement authentication. The Crypto Officer role is implicitly assumed once the module is loaded, and cleared on module unload.

Page 25
5 Software/Firmware Security

This section covers integrity measures to demonstrate protection of the software component of BSAFE Crypto Module, which is the whole of the module.

5.1 Approved Integrity Techniques

Depending on the platform, the module is either a shared library, dynamic link library or an object file. When the module file is created, a MAC is calculated over the executable code and static data sections, with the resulting integrity block embedded into the object file. The built-in Integrity Test Key is used as the MAC secret. During the pre-operational software integrity test when the module is loaded, a MAC is again calculated over the executable code and static data. The resulting MAC is compared to the integrity block calculated when the module was created. If the MAC differs, the pre-operational software integrity test fails, the POST fails, the module enters the BCM_MODULE_STATE_INTEGRITY_FAILED state and cannot be used for any cryptographic operation. Any operation attempted will return the BCM_ERROR_FIPS_INTEGRITY_FAILURE error status code. The only way to clear this error condition is to unload the module and load it again. The pre-operational software integrity test uses HMAC-SHA2-256. The Cryptographic Algorithm Self-Test (CAST) for HMAC is run prior to the pre-operational software integrity test. This is done to ensure that the MAC implementation used in the integrity test has been self-tested before it is used in the pre-operational software integrity test.

5.2 On Demand Integrity Test Method

The module provides the BCM_module_selftest() for on-demand integrity testing.

5.3 Executable Module Form

The module is built as either a single shared library, a dynamic link library or an object file that exports symbols for the operations it supports.

Page 26
6 Operational Environment

BSAFE Crypto Module is FIPS 140-3 validated to operate in a modifiable environment. The module is provided for operating systems running on a general purpose computer platform based on an Intel or AMD CPU.

6.1 Compliance

Each instance of the module that is loaded within an operating system maintains its own instance of internal SSPs. Any additional SSPs loaded into a given instance of the module are not available to other instances. The supported operating environments provide process isolation, with resource and memory protection. Each instance of the module is isolated from others such that SSPs can be accessed or modified only in the module to which they belong. BSAFE Crypto Module does not spawn additional processes.

6.2 Laboratory Validated Operational Environments

For FIPS 140-3 validation, the module is tested by an accredited FIPS 140-3 testing laboratory. For the tested operational environments, refer to Table 2, Tested Operational Environments.

6.3 Affirmation of Compliance for Other Operational Environments

For the vendor affirmed operational environments, refer to Table 3, Vendor Affirmed Operational Environments. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when a specific operational environment that is not listed on the validation certificate, is used.

6.4 Configuration Restrictions

The module runs on a General Purpose Computer running one of the operational environments listed in Tested Operational Environments and Vendor Affirmed Operational Environments. Each supported operational environment manages its own processes and memory in a logically separated manner. The process management setting is not configurable on the supported operational environments.

Page 27
7 Physical Security

BSAFE Crypto Module is classified as a multi-chip standalone cryptographic module. The module is comprised of software only, validated at FIPS 140-3 Security Level 1, and does not claim any physical security.

8 Non-invasive Security

BSAFE Crypto Module does not implement any non-invasive mitigation techniques.

Page 28
Sensitive security parameter
NameTypeDescription
VMVolatileMemory in the Operational Environment of the module.
Service
NameTypeFromToDistribution TypeEntry Type
App WritePlaintextOperator Application in TOEPP1VMManualElectronic
App ReadPlaintextVMOperator Application in TOEPPManualElectronic
MethodDescriptionRationaleOperator Initiated Capability
ImmediateTemporary SSPs are zeroized immediately after useIntermediate values are zeroised at the end of a calculationN/A
ImplicitSSPs are zeroized when the cryptographic object is deleted by the moduleSSPs are zeroized when the BCM_CTX object is deletedN/A
ExplictSSPs are zeroized when the associated key or cryptographic object is deleted by the applicationSSPs are zeroized when the application no longer needs themAPI call to delete object
9 Sensitive Security Parameters Management

The following tables list the SSPs present in the module, the relevant standards and details of how they are used and accessed. Table 10 Storage Areas isolates the memory of separate processes Table 11 SSP Input-Output Methods 1The module's Tested Operational Environment's Physical Perimeter. The TOEPP for the BSAFE Crypto Module is the host computer. Sensitive security parameters are input and output using the module APIs. No security function or algorithm is used to transport the data. N/A N/A Table 12 SSP Zeroization Methods BSAFE Crypto Module encapsulates symmetric and asymmetric keys as BCM_KEY objects. For multi-part cryptographic operations, the module defines several object types to encapsulate the intermediate state of the operation.

Page 29
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey / SSP Name/ TypeZeroisation
Signature generation and verification. Key agreement.112 - 150 bitsRSA, KAS-IFC-SSC (A2308)CKG SP 800-133 Rev. 2. FIPS 186-4 RSA key generation methodN/AVMApp Write, App ReadRSA keys (public key / PSP; private key / CSP)Explicit
Shared secret generation112 - 200 bitsKAS-FFC-SSC (A2308)CKG SP 800-133 Rev. 2. SP 800-56A Rev. 3 Safe Primes Key Generation methodN/AVMApp Write, App ReadDH keys (public key / PSP; private key / CSP)Explicit
Key generation (DSA keys), Domain parameter validation112 and 128 bitsDSA (A2308)CKG SP 800-133 Rev. 2. FIPS 186-4 DSA domain parameter generation methodN/AVMApp Write, App ReadDSA parameters (CSP)Explicit
Signature generation and verification112 and 128 bitsDSA (A2308)CKG SP 800-133 Rev. 2. FIPS 186-4 DSA key generation methodN/AVMApp Write, App ReadDSA keys (public key / PSP; private key / CSP)Explicit
Signature generation and verification for ECDSA. Shared secret generation for ECDH.112 - 256 bitsECDSA, KAS-ECC-SSC (A2308)CKG SP 800-133 Rev. 2. FIPS 186-4 method for ECDSA key generation, SP 800-56A Rev. 3 method for ECDH key generationN/AVMApp Write, App ReadECC keys (public key / PSP; private key / CSP)Explicit
Symmetric encryption. Key wrapping.128, 192, and 256 bitsAES, KTS (A2308)CKG, SP 800-133 Rev. 2. Direct output of approved DRBG.N/AVMApp Write, App ReadAES keys (CSP)Explicit
MAC generation and verification128 - 256 bitsHMAC, AES (CMAC), AES (GMAC) (A2308)N/A (Application input)N/AVMApp WriteMAC secret (CSP)Immediate
Key derivation112 - 256 bitsKDF (PBKDF2), KDF (KBKDF), CVL (SSH-KDF), CVL (TLS v1.2 PRF), CVL (TLS v1.3 PRF), CVL (X9.63 KDF), KDA (HKDF), KDA (One-step KDF) (A2308)N/A (Application input)N/AVMApp WriteKDF secret (CSP)Immediate
Key derivation112 - 256 bitsKDF (PBKDF2), KDF (KBKDF), CVL (SSH-KDF), CVL (TLS v1.2 PRF), CVL (TLS v1.3 PRF), CVL (X9.63 KDF), KDA (HKDF), KDA (One-step KDF) (A2308)PBKDF2, KBKDF, SSH-KDF, TLS v1.2 PRF, TLS v1.3 PRF, X9.63 KDFN/AVMApp ReadDerived key text (CSP)Immediate
Random bit generation128, 192, and 256 bitsDRBG, CKG (A2308)Obtained from SP 800-90B compliant entropy sourceN/AVMN/ACTR DRBG key value (CSP)Implicit
Random bit generation128 bitsDRBG, CKG (A2308)Obtained from SP 800-90B compliant entropy sourceN/AVMN/ACTR DRBG V value (CSP)Implicit
Random bit generation256 bitsDRBG, CKG (A2308)Obtained from SP 800-90B compliant entropy sourceN/AVMN/AHMAC DRBG key value (CSP)Implicit
Random bit generation256 bitsDRBG, CKG (A2308)Obtained from SP 800-90B compliant entropy sourceN/AVMN/AHMAC DRBG V value (CSP)Implicit
Random bit generation128, 192, and 256 bitsDRBG (A2308)Obtained from SP 800-90B compliant entropy sourceN/AVMN/ADRBG entropy input (CSP)Implicit
Random bit generation128, 192, and 256 bitsDRBG (A2308)Obtained from SP 800-90B compliant entropy sourceN/AVMN/ADRBG seed (CSP)Implicit
Random bit generation256 bitsDRBG (A2308)Internal state of SP 800-90B compliant entropy source. Obtained from noise source.N/AVMN/AEntropy state (CSP)Implicit
Self-test144 bitsHMAC (A2308)Built-in constant value.N/ABuilt into modul e imageN/AIntegrity test key (not considered an SSP)N/A

Examples are BCM_CIPHER objects for symmetric ciphers and BCM_MAC objects for message authentication codes. These objects are created explicitly by the user with function calls to the module. The module defines a BCM_CTX object which can contain SSPs in the form of internal random number generator (RNG) state and associated entropy state. A single BCM_CTX is created automatically when the module starts and is retained by the module as the default context. BCM_CTX objects can be created explicitly by the user with function calls to the module. To zeroize all unprotected SSPs and key components, perform the following procedure:

  1. For each object, delete all: a. BCM_CIPHER cryptographic objects with a call to BCM_cipher_delete(). b. BCM_MAC cryptographic objects with a call to BCM_mac_delete(). c. BCM_DIGEST cryptographic objects with a call to BCM_digest_delete(). d. BCM_KEY objects with a call to BCM_key_delete(). e. BCM_PARAM objects with a call to BCM_param_delete(). f. BCM_CTX objects with a call to BCM_ctx_delete().
  2. Delete the default context created at startup. To do this, unload the module or call BCM_module_unload(). N/A N/A N/A N/A N/A N/A Table 13 SSPs
Page 31
Approved algorithm
NameKey Size
DRBGEntropy Obtained (bits)
CTR DRBG with AES-128128
CTR DRBG with AES-192192
CTR DRBG with AES-2561256
HMAC DRBG with SHA2-512256
RSA key-pair generationPrime generation, and Miller-Rabin prime number testing1
DSA and DH key-pair generationGeneration of public and private values1
FFC (DH, DSA) domain parameter generationPrime generation, and Miller-Rabin prime number testing1
FFC, ECC and RSA key generationBlinding of random values
RSA key validationPrime recovery testing2
ECC key generationGeneration of private value1
Symmetric key generationDirect generation of symmetric keys
Initialization vector generationDirect generation of IVs for symmetric encryption
RSA PKCS #1 v1.5 encryptionGeneration of random value for message encoding
RSA PKCS #1 PSS signingGeneration of random value for message encoding
9.1 Deterministic Random Bit Generator

BSAFE Crypto Module provides the following approved DRBGs for use in both the Approved Mode of Operation and Non-Approved mode: Table 14 Approved Random Bit Generators 1CTR DRBG with AES-256 is the default DRBG. Table 15 DRBG Output Uses 1All seeds for asymmetric key generation are generated using the direct output of the approved DRBG. 2For details refer to SP 800-56B Rev. 2, Appendix C.

Page 32
Approved algorithm
NameKey Size
DetailsMinimum number of bits of entropyEntropy Sources
Instantiation of HMAC DRBG256Execution time jitter
Instantiation of CTR DRBG with AES-128128Execution time jitter
Instantiation of CTR DRBG with AES-192192Execution time jitter
Instantiation of CTR DRBG with AES-256256Execution time jitter
Application calls BCM_random_seed()DRBG instantiation bitsExecution time jitter
Application calls BCM_secure_random_bytes()64Execution time jitter

BSAFE Crypto Module for C provides an entropy source that is internal to the module. This entropy source generates entropy that is used to seed the Approved RBGs. The entropy source is provided as an ENT (NP) that is compliant with SP 800-90B, and is estimated to provide a min entropy of 7.96875 bits per byte. Table 16 Non-Deterministic Random Bit Generation Specification The BCM_CTX object manages an approved DRBG and an Entropy NDRBG. The first call to a random number generation service using the BCM_CTX object instantiates the Entropy NDRBG and the DRBG. At instantiation, the DRBG issues a GET call to the Entropy NDRBG for the number of bits of entropy equivalent to the security strength of the DRBG. A call to the BCM_random_seed() API with the BCM_CTX object resets the DRBG seed. The DRBG issues a GET call to the Entropy NDRBG for the number of bits of entropy equivalent to the security strength of the DRBG. A call to the BCM_secure_random_bytes() API with the BCM_CTX object adds a fixed number of bits of entropy to the DRBG state before the DRBG generates output. The DRBG issues a GET call to the Entropy NDRBG for 64 bits of entropy. The entropy is collected from the jitter in the CPU execution time for performing an HMAC over the state and previous noise sample. By collecting multiple jitter samples, a bit stream that meets the statistical measurements which indicate a bit stream is random, is produced and whitened.

Page 33
Approved algorithm
NameKey Size
MAC and KDFStrengthSymmetricRSAECHash
< 80< 801024160SHA-1
1121123DES2048224SHA2-224 SHA2-512/224 SHA3-224
CMAC-AES GMAC-AES SHA-1128AES-1283072256SHA2-256 SHA2-512/224 SHA3-256 SHAKE-128
MAC and KDFStrengthSymmetricRSAECHash
CMAC-AES GMAC-AES SHA2-224 SHA2-512/224 SHA3-224192AES-1927680384SHA2-384 SHA3-384
CMAC-AES GMAC-AES SHA2-256 SHA2-512/256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512256AES-25615360521SHA2-512 SHA3-512 SHAKE-256
StrengthLast Date Acceptable
< 112Already disallowed
11231 Dec 2030
>= 128Acceptable to 2031 and beyond
9.3 Transition periods

The module addresses the requirements of FIPS 140-3. Transitioning the use of cryptographic algorithms and key lengths (SP 800-131A Rev. 2) provides more specific guidance concerning transition periods and time frames where an algorithm or key length transitions from Approved to Non-Approved. None of the Approved algorithms provided by the module are affected by transition periods or time frames. Recommendation for Key Management Part 1 (SP 800-57 Part 1 Rev. 5) specifies security strengths that are acceptable for protecting data going forward. Application writers should consider the specified acceptable use dates with respect to the expected deployment lifetime of the application and the lifespan of the data being protected. The lifespan depends on the type of key and use, but are from 1-3 years. For more information, refer to SP 800-57, Part 1. Table 17 Security Strength Time Frames The correspondence between security strength, algorithms and key size is specified in the following:

Page 34

Table 18 Correspondence between Security Strength, Algorithms, and Key Size (continued)

Page 35
Self test
NameAlgorithm Or TestTest TypeDetailsTest Properties
HMACHMACKATPre-operational software integrity test executes automatically when the module is loaded into memory.HMAC-SHA2-256 signature:32 bytes HMAC secret:18 bytes
Entropy sourceEntropy sourceRCT and APTPre-operational critical functions test runs when a BCM_CTX objects creates an entropy source.1024 noise samples
10 Self-tests

BSAFE Crypto Module performs a number of pre-operational and conditional self-tests to ensure proper operation. The cryptographic services of the module are disabled when the self-tests are running.

10.1 Pre-operational Self-tests

The following table lists the pre-operational self-tests: Table 19 Pre-operational Self-tests

10.1.1 Pre-operational Self-test Notes

If all POST pass, the cryptographic services of the module are enabled and the module can be used. The BCM_module_state() control interface returns a state of BCM_MODULE_STATE_READY.

Page 36
Self test
NameAlgorithm Or TestTest TypeDetailsTestCondition
AESAESKATEncrypt and decrypt self-tests128, 192 and 256-bit AES keysBefore first use of algorithm
AES (CMAC)AES (CMAC)KATMAC generation and verification self-tests128, 192 and 256-bit AES keysBefore first use of algorithm
AES (GMAC)AES (GMAC)KATMAC generation and verification self-tests128, 192 and 256-bit AES keysBefore first use of algorithm
KTSKTSKATWrap and unwrap self-tests128, 192 and 256-bit AES keysBefore first use of algorithm
DRBG (AES-CTR)DRBG (AES-CTR)KATRandom bit generation self-tests128, 192 and 256-bit strengthBefore first use of algorithm
DRBG (AES-CTR)DRBG (AES-CTR)Fault- Detection TestSP 800-90A Rev. 1 health test. Instantiate, generate, reseed, uninstantiate tests.128, 192 and 256-bit strengthBefore first use of algorithm
DRBG (HMAC SHA2-512)DRBG (HMAC SHA2-512)KATRandom bit generation self-test256-bit strengthBefore first use of algorithm
DRBG (HMAC SHA2-512)DRBG (HMAC SHA2-512)Fault- Detection TestSP 800-90A Rev. 1 health test. Instantiate, generate, reseed, uninstantiate tests.256-bit strengthBefore first use of algorithm
KAS-FFC-SSCKAS-FFC-SSCKATShared secret calculationKey generated from ffdhe2048Before first use of algorithm
DSADSAKATSignature generation and verification self-test2048-bit keyBefore first use of algorithm
ECDSAECDSAKATSignature generation and verification self-testKey generated from P-224Before first use of algorithm
KAS-ECC-SSCKAS-ECC-SSCKATECDH and ECDHC shared secret calculationsKeys generated from P-224 and K-233Before first use of algorithm
HMAC (SHA-1)HMAC (SHA-1)KATMAC generation self-testHMAC with SHA-1Before first use of algorithm
HMAC (SHA2)HMAC (SHA2)KATMAC generation self-testHMAC with SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256Before first use of algorithm
HMAC (SHA3)HMAC (SHA3)KATMAC generation self-testHMAC with SHA3-224, SHA3-256, SHA3-384, SHA3-512Before first use of algorithm
KDAKDAKATExpand and extract self-testHKDF with SHA2-256Before first use of algorithm
KDAKDAKATKey derivation self-testOne-step KDF with SHA2-256Before first use of algorithm
KDFKDFKATKey derivation self-testPBKDF2 with SHA2-256, 2 iterations, 32 byte outputBefore first use of algorithm
RSARSAKATRSA encrypt and decrypt self-tests2048-bit RSA keyBefore first use of algorithm
RSARSAKATRSA signature and verification self-tests2048-bit RSA keyBefore first use of algorithm
SHS (SHA-1)SHS (SHA-1)KATMessage digest generation self-testSHA-1Before first use of algorithm
SHS (SHA2)SHS (SHA2)KATMessage digest generation self-testSHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256Before first use of algorithm
SHA3SHA3KATMessage digest generation self-testSHA3-224, SHA3-256, SHA3-384, SHA3-512Before first use of algorithm
SHA3 (SHAKE)SHA3 (SHAKE)KATXOF generation self-testSHAKE-128, SHAKE-256Before first use of algorithm
CVL (SSH-KDF)CVL (SSH-KDF)KATKey derivation self-testSSH KDF with SHA-1Before first use of algorithm
CVL (TLS v1.2 PRF)CVL (TLS v1.2 PRF)KATKey derivation self-testTLS v1.2 PRF with SHA2-256Before first use of algorithm
CVL (X9.63 KDF)CVL (X9.63 KDF)KATKey derivation self-testX9.63 KDF with SHA2-256Before first use of algorithm
SP 800-56A Rev. 3 (Safe primes key generation)SP 800-56A Rev. 3 (Safe primes key generation)PCTPublic key recalculation2048-bit to 8192-bit keysGeneration of DH key pair
DSA (key generation)DSA (key generation)PCTSign and verify2048-bit and 3072-bit keysGeneration of DSA key pair
RSA (key generation)RSA (key generation)PCTRSA sign and verify2048-bit to 4096-bit signing keysGeneration of RSA signature key pair
RSA (key generation)RSA (key generation)PCTRSA encrypt and decrypt2048-bit to 4096-bit encryption keysGeneration of RSA encryption key pair
ECC (FIPS 186-4 key generation)ECC (FIPS 186-4 key generation)PCTECDSA sign and verifyCurves B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521Generation of EC signature key pair
ECC (SP 800-56A Rev. 3 key generation)ECC (SP 800-56A Rev. 3 key generation)PCTECDH public key recalculationCurves B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521Generation of EC key exchange key pair
Entropy sourceEntropy sourceFault- Detection TestEntropy continuous RCT and APT testing, as defined in SP 800-90B1 bit of entropy per byteCreation of new DRBG instance Reseed of DRBG instance Generation of secure random bytes

If the pre-operational software integrity test fails, the module enters the self-test error state. The repetition count test (RCT) and adaptive proportion test (APT) are defined in SP 800-90B. The pre-operational software integrity tests used are described in detail in Approved Integrity Techniques.

10.2 Conditional Self-tests

The following table lists the conditional self-tests: FaultDetection FaultDetection Table 20 Conditional Self-tests

Page 37

Table 20 Conditional Self-tests (continued)

Page 38

Table 20 Conditional Self-tests (continued)

Page 39

FaultDetection Table 20 Conditional Self-tests (continued)

10.2.1 Conditional Self-test Notes

For the KATs, the module includes a set of fixed inputs for each algorithm along with corresponding pre-calculated expected outputs. The cryptographic algorithm is run with the fixed inputs and the algorithm outputs are compared with the expected outputs. If there is any difference the algorithm self-test fails, the CAST fail and the module enters the self-test error state. If a pair-wise consistency test fails, the key-generation operation fails and returns an error indicator through a return status code. The error is cleared by reattempting the If the Entropy source self-tests fail then the entropy collection operation returns an error indicator through a return status code. The error cannot be cleared from the NDRBG object. A new NDRBG object must be created to collect entropy.

Page 40
Service
NameDescriptionIndicator
Self-test ErrorModule pre-operational integrity test failureCryptographic services return error BCM_ERROR_FIPS_INTEGRITY_FAILURE code. The control interface BCM_module_state() returns a state of BCM_MODULE_STATE_INTEGRITY_FAILED.
Self-test ErrorCAST failureCryptographic services return error BCM_ERROR_FIPS_SELFTEST_FAILURE code. The control interface BCM_module_state() returns a state of BCM_MODULE_STATE_SELFTEST_FAILED.
Self-test ErrorOn-demand integrity test failureCryptographic services return BCM_ERROR_FIPS_INTEGRITY_FAILURE error code. The control interface BCM_module_state() returns a state of . BCM_MODULE_STATE_INTEGRITY_FAILED
Self-test ErrorOn-demand CAST failureCryptographic services return error BCM_ERROR_FIPS_SELFTEST_FAILURE code. The control interface BCM_module_state() returns a state of . BCM_MODULE_STATE_SELFTEST_FAILED
Self-test ErrorOn-demand asymmetric key PCT failureCryptographic services return error BCM_ERROR_FIPS_SELFTEST_FAILURE code. The control interface BCM_module_state() returns a state of . BCM_MODULE_STATE_SELFTEST_FAILED
10.3 Error States

The following table lists the error states: Table 21 Error States module can be re-enabled only by reloading the module.

Page 41
11 Life-cycle Assurance
11.1 Installation, Initialization, Startup, Operation and Maintenance
11.1.1 Installation

For the PowerMaxOS platform, the module is linked into the application at compile time, and installed as part of the target application. For Linux and Windows platforms, the module must be installed with the target application. The Crypto Officer should follow a secure installation procedure to install the module. For all target platforms the installation process should check the integrity of the installed files by checking the hash value of the original files and installed files. A minimum privileged user on the operating system should be created solely to execute the application. This user should not share any other roles in the operating system. The installation process should set the minimum execution permission to the installed files for the user. If the module is dynamically loaded into the application, the installation process should ensure that the path to the module cannot be modified by other OS users.

11.1.2 Initialization

There are no specific initialization steps required for the module.

11.1.3 Startup

The module is started by initiating the application that statically or dynamically linked it. The module uses operating system services to perform the module startup when the application is started. This module startup includes running the pre-operational software integrity test. These ensure that the application has made no modification to the module as part of its development or installation. Before cryptographic services are made available by the module, the pre-operational software integrity test must complete successfully. For more information about the pre-operational software integrity test, see Software/Firmware Security.

11.1.4 Maintenance

Maintenance applies only to the application maintainers. If modifications are made to the application, such as a new version or patch to the application, the module’s pre-operational software integrity test ensures that the module contained within, or dynamically loaded, is unaltered. Application writers should not attempt to modify the module library or object file as the module will refuse to load or perform cryptographic operations.

Page 42
11.2 Crypto Officer Guidance

For details of the administrative functions, security parameters, and logical interfaces available to the Crypto Officer, refer to Crypto Officer Role. The following sections detail the requirements for algorithm use in the Approved Mode of Operation.

11.2.1 Module Management

General Crypto Officer Guidance Users should take care to zeroize SSPs when they are no longer needed. BSAFE Crypto Module objects should be deleted when no longer needed, which will zeroize sensitive data managed by the module. User variables containing SSP data on the stack or heap should be zeroized after use or before going out of scope.

11.2.2 Random Number Generation Operations

Using the CTR DRBG with AES-256 is recommended as it is fast and because it provides

256 bits of cryptographic strength, it is suitable for all purposes. This is the module default

11.2.3 Key Generation

When using an approved DRBG to generate keys, the security strength of the DRBG must be at least as great as the security strength of the key being generated. For details about the comparable security strengths of symmetric block ciphers and asymmetric key algorithms refer to Table 2 of SP 800-57 Part 1 Rev. 5. The default DRBG provides a security strength as great as that of any supported keys.

11.2.4 Symmetric Key Operations

GCM Mode Ciphers An AES-GCM IV is constructed in compliance with either IG C.H scenario 1a or IG C.H scenario 2, depending on how the module is used. When using GCM feedback mode for symmetric encryption, the authentication tag length and authenticated data length may be specified as input parameters, but the IV must not be specified. It must be generated internally. IV generation operates in one of two ways:

Page 43
PurposeCurves
Protect and ProcessB-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521
Process onlyB-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521
Purpose(prime, subprime)
Protect and Process(2048, 224), (2048, 256), (3072, 256)
Process only(1024,160), (2048, 224), (2048, 256), (3072, 256),
PurposeDH FFC Named domain parameter
ProtectFFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192 MODP2048, MODP3072, MODP4096, MODP614

The remaining eight bytes of the IV, referred to as nonce_explicit in RFC 5288, are generated deterministically by the module using a 64-bit global counter within the module. The module uses the current system time to initialize the counter when it is first used. The system time must be valid to prevent repetition of IVs. During a TLS connection, if the nonce_explicit part of the IV exhausts the maximum number of possible values for a given session key, a new handshake must be performed to establish a new key. XTS Mode Ciphers AES in XTS mode is approved only for hardware storage applications. The data encryption key and tweak key components of the double-length XTS key must be checked to ensure they are different. This check is performed automatically by the module. Triple DES Triple DES is not available as an approved algorithm in the Approved Mode of Operation. When triple DES is used in Non-Approved mode, the amount of data that can be encrypted is restricted to 216 64-bit blocks.

11.2.5 Asymmetric Key Operations

In the following, Protect refers to cryptographically protecting data for later use, for example, signing, encrypting or wrapping. Process refers to processing previously protected data, for example, verifying, decrypting or unwrapping. Table 22 Supported Elliptic Curves Table 23 Supported DSA key pair sizes Table 24 Supported Diffie-Hellman named domain parameters

Page 44
PurposeRSA modulus lengthNote
Protect and Process2048, 3072, 4096Sizes approved in FIPS 186-4 and FIPS140-3IG. (CAVP validated)
Process only1024May be used for verification only.

Table 25 Approved RSA modulus length for digital signatures

11.2.6 Digital Signatures

Keys used for digital signature generation and verification shall not be used for any other purpose. The module generates or loads keys with a particular purpose that is one of signing, encryption or key exchange. The same purpose must always be used for a given key when exported and loaded into the module again. The length of an RSA key pair for digital signature generation must be greater than or equal to 2048 bits. For digital signature verification, the length must be greater than or equal to 2048 bits, however 1024 bits is allowed for legacy-use only. RSA keys must pass validation before use. Keys generated by the module will pass validation. For RSA PKCS #1 PSS, the size relationship between the hash function output block length (hLen) and the length of the salt (sLen) shall be 0 <= slen <= hLen. Elliptic curve key pairs for digital signature generation must have a strength of 112 bits or stronger. Table 22, Supported Elliptic Curves, lists these in the Protect and Process row. For verification of digital signatures, use curves from the Process only row which includes legacy-use keys of less than 112 bits of strength. For DSA signatures, only key pairs generated with parameters in the Protect and Process row of Table 23, Supported DSA key pair sizes are approved for signature generation. Additionally, parameters from which the keys are derived or the keys must have been validated before use. An approved DRBG must be used for digital signature generation, and this is provided by the module. The SHA-1 digest is disallowed for the generation of digital signatures. The digest must be an approved algorithm. Verification of signatures with a SHA-1 digest is allowed for legacy use. The security strength of both the key and the digest functions shall be chosen to meet or exceed the required security strength for the digital signature. The security strength of the digest function should be stronger or the same as that of the key.

11.2.7 Message Authentication Code Operations

HMACs The key length for an HMAC generation or verification must be between 112 and 256 bits, inclusive. For HMAC verification, a key length greater than or equal to 80 and less than 112 is allowed for legacy-use.

Page 45
11.2.8 Key Derivation Function Operations

The module does not implement the TLS or SSH protocol, and CAVP and CMVP have not tested TLS PRF or SSH KDF when used as part of such protocols. HMAC-Based Extract-and-Expand Key Derivation Function An approved HMAC must be used for extract and expand operations. A particular key-derivation key must only be used for a single key-expansion step. For more information see SP 800-56C Rev.

  1. The derived key must be used only as a secret key. The derived key shall not be used as a key stream for a stream cipher. When selecting an HMAC hash, the digest size must be equal to or greater than the desired security strength of the derived key. The pseudo-random key input to the expansion and the keying material output from the expansion must have lengths that are equal to or greater than the desired security strength of the derived key. One-Step Key Derivation Function An approved hash function must be used to derive key materials. The hash function must meet the security strength required by the cryptographic function for which the keying material is being generated. The security strengths of approved hash functions used in KDFs can be found in SP 800-57 Part 1 Rev.
  2. When selecting a hash algorithm, the digest size must be equal to or greater than the desired security strength of the derived key. The derived key must be used only as a secret key. The derived key shall not be used as a key stream for a stream cipher. The secret data input into this KDF must have a length equal to or greater than the desired security strength of the derived key. The maximum length of a derived secret key is (232 - 1) * b, where b is the digest size of the message digest function in bytes. Password-based Key Derivation Keys generated using PBKDF2 shall only be used in data storage applications. The minimum password length is 14 characters, which has a strength of approximately

112 bits, assuming a randomly selected password using the extended ASCII printable

character set is used.

Page 46

For random passwords, that is, a string of characters from a given set of characters in which each character is equally likely to be selected, the strength of the password is given by S = L *(log N / log 2) where: • N is the number of possible characters. For example: for the ASCII printable character set N = 95 for the extended ASCII printable character set N = 218. • L is the number of characters. A password of strength S can be guessed at random with the probability of 1 in 2S. The minimum length of the randomly-generated portion of the salt is 16 bytes. The iteration count is as large as possible, with a minimum of 10,000 iterations recommended. The derived key size can range from 1 byte to a maximum of (2 32 - 1) * b, where b is the digest size of the message digest function in bytes. Derived keys can be used as specified in SP 800-132, Section 5.4, option 1a. Secure Shell Key Derivation As defined in SP 800-135 Rev. 1, SSH-KDF can be used in the Approved Mode of Operation when it is used with an Approved hash function. The hash function must meet the security strength required by the cryptographic function for which the keying material is being generated. The security strengths of approved hash functions used in KDFs can be found in SP 800-57 Part 1 Rev.

  1. The operation must be performed in the context of the SSH protocol. TLS PRF Key Derivation Function TLS v1.2 PRF KDF is allowed only when the following conditions are satisfied: • The KDF is performed in the context of the TLS protocol. • HMAC is as specified in FIPS 198-1. • P_HASH uses either SHA2-256, SHA2-384, or SHA2-512. For more information, see SP 800-135 Rev.
  2. X9.63 Key Derivation Function As defined in SP 800-135 Rev. 1, X9.63 KDF can be used in the Approved Mode of Operation when it is used with an Approved hash function. The hash function must meet the security strength required by the cryptographic function for which the keying material is being generated. The security strengths of approved hash functions used in KDFs can be found in SP 800-57 Part 1 Rev.
  3. When selecting a hash algorithm, the digest size must be equal to or greater than the desired security strength of the derived key.
Page 47

The derived key must be used only as a secret key. The derived key shall not be used as a key stream for a stream cipher. The length of the derived key shall be less than (232 - 1) x b, where b is the digest size of the message digest function in bytes. The operation must be performed in the context of ANSI X9.63-2001 key agreement scheme.

11.2.9 Key Agreement Schemes

Key pairs used in key agreement must not also be used to generate a digital signature. The shared secret must be:

Page 48
11.2.10 Key Transport Schemes

Key Wrapping using AES The key establishment methodology provides between 128 and 256 bits (inclusive) of encryption strength. The security strength of the key encryption key must be greater than or equal to the security strength of the key being wrapped.

11.2.11 Key Validation

Asymmetric keys and parameters are validated as they enter the module for use in processing existing data. Before the keys are used to protect data, they must be validated. The module provides services for the validation of RSA, DSA, DH and ECC keys and parameters. Named EC and DH parameters are treated as valid. Only named EC parameters are supported. Key Parameter Generation The generation of DSA parameters is in accordance with the FIPS 186-4 standard for the generation of probable primes.

12 Mitigation of Other Attacks

RSA, EC and DSA key operations implement blinding, a reversible way of modifying the input data, to make the operation immune to timing attacks. Blinding has no effect on the algorithm other than to mitigate attacks on the algorithm. This mitigation is enabled by default. For optimum security, it should not be disabled.

Page 49

If necessary it can be disabled with BCM_FLAG_KEY_DISABLE_BLINDING. For more information, see Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. RSA signing operations implement a verification step after private key operations. This verification step is in place to prevent potential faults in optimized Chinese Remainder Theorem (CRT) implementations. It has no effect on the signature algorithm. This mitigation is enabled by default. For optimum security, it should not be disabled. If necessary it can be disabled with BCM_FLAG_KEY_DISABLE_SIGNATURE_CHECK. For more information, see Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults: Bao, Deng, Han, Jeng and On the Importance of Eliminating Errors in Cryptographic Computations. RSA PKCS #1 v1.5 encryption padding operations are implemented in constant time in order to make the operation immune to timing attacks. For this mitigation, constant time padding is built-in and cannot be disabled. For more information, see Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.

Page 50
Acronyms
NameTermDefinition
AESAESAdvanced Encryption Standard. A fast symmetric key algorithm with a 128-bit block, and keys of lengths 128, 192, and 256 bits. AES replaces DES as the US symmetric encryption standard.
APIAPIApplication Programming Interface.
AttackAttackAn attempt, either a successful or unsuccessful, to break part or all of a cryptosystem. Attack types include an algebraic attack, birthday attack, brute force attack, chosen ciphertext attack, chosen plaintext attack, differential cryptanalysis, known plaintext attack, linear cryptanalysis, and middle person attack.
CASTCASTCryptographic Algorithm Self-Tests. A test of all cryptographic functions of an approved cryptographic algorithm that must be performed prior to the first operational use of the cryptographic algorithm. A CAST may be a KAT, a comparison test or a fault-detection test.
CBCCBCCipher Block Chaining. A mode of encryption in which each ciphertext depends upon all previous ciphertexts. Changing the IV alters the ciphertext produced by successive encryptions of an identical plaintext.
CCMCCMCounter with Cipher block chaining Message authentication code. A mode of encryption combining the Counter mode of encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for authentication.
CFBCFBCipher Feedback. A mode of encryption producing a stream of ciphertext bits rather than a succession of blocks. In other respects, it has similar properties to the CBC mode of operation.
CMACCMACCipher-based Message Authentication Code. An algorithm for calculating a MAC using a block cipher and a secret key, providing verification of both message integrity and authenticity.
CMVPCMVPCryptographic Module Validation Program.
CTRCTRCounter Mode. A mode of encryption which turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a counter.
CTR DRBGCTR DRBGCounter mode Deterministic Random Bit Generator.
DecryptionDecryptionThe conversion of encrypted data, ciphertext, into its original form. Generally, the reverse of encryption.
DESDESData Encryption Standard. A symmetric encryption algorithm with a 56-bit key with eight parity bits.
DES3DES3Triple Data Encryption Standard. A symmetric encryption algorithm with three 56-bit keys, with eight parity bits. Also known as Triple-DES and TDEA.
DHDHDiffie-Hellman. An asymmetric key exchange algorithm. There are many variants, but typically two entities exchange some public information (for example, public keys or random values) and combine them with their own private keys to generate a shared session key. As private keys are not transmitted, eavesdroppers are not privy to all of the information comprising the session key.
DRBGDRBGDeterministic Random Bit Generator.
DSADSADigital Signature Algorithm. An algorithm for creating digital signatures.
ECECElliptic Curve
ECCECCElliptic Curve Cryptography. A public-key cryptographic approach based on the algebraic structure of elliptic curves over finite fields. It has the advantage of allowing smaller keys to provide equivalent security.
ECBECBElectronic Codebook. A mode of encryption which divides a message into blocks and encrypts each block separately.
ECDHECDHElliptic Curve Diffie-Hellman. A key agreement protocol that provides the means for two parties, each with an elliptic-curve public/private key pair, to establish a shared secret over an insecure channel.
ECDHCECDHCElliptic Curve Diffie-Hellman with Cofactor key agreement algorithm. This algorithm employs the CDH primitive.
ECDSAECDSAElliptic Curve Digital Signature Algorithm. A variant of DSA that uses elliptic curve cryptography.
EncryptionEncryptionThe transformation of plaintext into an apparently less readable form, called ciphertext, using a mathematical process. The ciphertext can be read by anyone who has the key and decrypts (undoes the encryption) the ciphertext.
FFCFFCFinite Field Cryptography. The public-key cryptographic methods using operations in a multiplicative group of a finite field. See SP 800-56A Rev. 3. Both DH and DSA are based on Finite Field Cryptography.
FIPSFIPSFederal Information Processing Standards.
GCMGCMGalois/Counter Mode. A mode of encryption combining the Counter mode of encryption with Galois field multiplication for authentication.
GMACGMACGalois Message Authentication Mode. An authentication-only variant of GCM.
HKDFHKDFHMAC-based Extract-and Expand KDF. HKDF is a two-step key derivation function, where the first step, extraction, transforms a shared secret into a key-derivation key. The second step, expansion, uses the key-derivation key to derive an output key.
HMACHMACKeyed-Hashing for Message Authentication Code.
HMAC DRBGHMAC DRBGHMAC Deterministic Random Bit Generator.
IVIVInitialization Vector. Used as a seed value for an encryption operation.
KATKATKnown Answer Test.
KBKDFKBKDFKey-Based KDF.
KDFKDFKey Derivation Functions. Deterministic algorithms used to derive cryptographic keying material from a secret value such as a password.
Key wrappingKey wrappingA method of encrypting key data for protection on untrusted storage devices or during transmission over an insecure channel.
MACMACMessage Authentication Code. Apiece of information is attached to a message for verification of the messages authenticity and data integrity.
MD5MD5A message digest algorithm, which hashes an arbitrary-length input into a 16-byte digest. Designed as a replacement for MD4.
NDRBGNDRBGNon-Deterministic Random Bit Generator.
NISTNISTNational Institute of Standards and Technology. A division of the US Department of Commerce (formerly known as the NBS) which produces security and cryptography-related standards.
OAEPOAEPOptimal Asymmetric Encryption Padding. A padding scheme often used with RSA encryption to convert the deterministic RSA encryption scheme into a probabilistic scheme.
OFBOFBOutput Feedback. A mode of encryption in which the cipher is decoupled from its ciphertext.
OSOSOperating System.
P_HASHP_HASHA function that uses the HMAC-HASH as the core function in its construction. Specified in RFC 2246 and RFC 5246.
PBKDF2PBKDF2Password-based Key Derivation Function 2. A method of password-based key derivation, which applies a MAC algorithm to derive the key.
PKCSPKCSPublic Key Cryptography Standards. A group of public-key cryptography standards devised and published by RSA®.
POSTPOSTPre-Operational Self-Tests.
PRFPRFPseudo Random Function. A function that can be used to generate output from a random seed and a data variable such that the output is computationally indistinguishable from truly random output.
privacyprivacyThe state or quality of being secluded from the view or presence of others.
private keyprivate keyThe secret key in public key cryptography. Primarily used for decryption but also used for encryption with digital signatures.
PRNGPRNGPseudo-Random Number Generator.
PSPPSPPublic Security Parameters. Security related public information, for example, public keys, whose modification can compromise the security of the cryptographic module.
PSSPSSProbabilistic Signature Scheme. A cryptographic signature scheme typically used with RSA signatures.
RNGRNGRandom Number Generator.
RSARSAPublic key, asymmetric, algorithm providing the ability to encrypt data and create and verify digital signatures. RSA stands for Rivest, Shamir, and Adleman, the developers of the RSA public key cryptosystem.
SHASHASecure Hash Algorithm. An algorithm which creates a unique hash value for each possible input. SHA takes an arbitrary input which is hashed into a 160-bit digest.
SHA-1SHA-1A revision to SHA to correct a weakness. It produces 160-bit digests. SHA-1 takes an arbitrary input, which is hashed into a 20-byte digest.
SHA-2SHA-2The NIST-mandated successor to SHA-1, to complement the Advanced Encryption Standard. It is a family of message digest algorithms (SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, and SHA2-512/256), which produce digests of 224, 256, 384, 512, 224, and 256 bits respectively.
SHA-3SHA-3A family of hash algorithms which includes SHA3-224,SHA3-256, SHA3-384 and SHA3-512 bits. It is an alternative to SHA-2,as no significant attacks on SHA-2 are currently known.
SHAKESHAKEAn extendable output function (XOF) that produces a variable digest size.
SSH-KDFSSH-KDFSecure Shell Key Derivation Function. Used by the SSH protocol to derive IVs, encryption keys and integrity keys.
TLSTLSTransport Layer Security.
Triple-DESTriple-DESSee DES3.
XTSXTSXEX-based Tweaked Codebook mode with ciphertext stealing. A mode of encryption used with AES.
13 Acronyms and terms

The following table lists the acronyms and terms used with the module and their definitions: Table 26 Acronyms and Definitions

Page 51

Table 26 Acronyms and Definitions (continued)

Page 52

Table 26 Acronyms and Definitions (continued) Australia Pty. Ltd. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Page 53

Table 26 Acronyms and Definitions (continued)