All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Keeper Security Cryptographic Module v2

Certificate#4976StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorKeeper Security, Inc.
Medium review priority  ·  exposes network crypto parser/protocol  ·  last validated 17 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/28/2029
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorKeeper Security, Inc.

Approved Algorithms (83)

AlgorithmACVP Cert
AES-CBCA4399
AES-CBC-CS1A4399
AES-CBC-CS2A4399
AES-CBC-CS3A4399
AES-CCMA4399
AES-CFB128A4399
AES-CFB8A4399
AES-CMACA4399
AES-CTRA4399
AES-ECBA4399
AES-FF1A4399
AES-GCMA4399
AES-GMACA4399
AES-KWA4399
AES-KWPA4399
AES-OFBA4399
Counter DRBGA4399
cSHAKE-128A4399
cSHAKE-256A4399
DSA KeyGen (FIPS186-4)A4399
DSA PQGGen (FIPS186-4)A4399
DSA PQGVer (FIPS186-4)A4399
DSA SigGen (FIPS186-4)A4399
DSA SigVer (FIPS186-4)A4399
ECDSA KeyGen (FIPS186-4)A4399
ECDSA KeyVer (FIPS186-4)A4399
ECDSA SigGen (FIPS186-4)A4399
ECDSA SigVer (FIPS186-4)A4399
Hash DRBGA4399
HMAC DRBGA4399
HMAC-SHA-1A4399
HMAC-SHA2-224A4399
HMAC-SHA2-256A4399
HMAC-SHA2-384A4399
HMAC-SHA2-512A4399
HMAC-SHA2-512/224A4399
HMAC-SHA2-512/256A4399
HMAC-SHA3-224A4399
HMAC-SHA3-256A4399
HMAC-SHA3-384A4399
HMAC-SHA3-512A4399
KAS-ECC Sp800-56Ar3A4399
KAS-FFC Sp800-56Ar3A4399
KAS-IFCA4399
KDA HKDF SP800-56Cr2A4399
KDA OneStep SP800-56Cr2A4399
KDA TwoStep SP800-56Cr2A4399
KDF ANS 9.63A4399
KDF IKEv2A4399
KDF SNMPA4399
KDF SP800-108A4399
KDF SRTPA4399
KDF SSHA4399
KDF TLSA4399
KMAC-128A4399
KMAC-256A4399
KTS-IFCA4399
ParallelHash-128A4399
ParallelHash-256A4399
PBKDFA4399
RSA Decryption PrimitiveA4399
RSA KeyGen (FIPS186-4)A4399
RSA SigGen (FIPS186-4)A4399
RSA Signature PrimitiveA4399
RSA SigVer (FIPS186-2)A4399
RSA SigVer (FIPS186-4)A4399
Safe Primes Key GenerationA4399
Safe Primes Key VerificationA4399
SHA-1A4399
SHA2-224A4399
SHA2-256A4399
SHA2-384A4399
SHA2-512A4399
SHA2-512/224A4399
SHA2-512/256A4399
SHA3-224A4399
SHA3-256A4399
SHA3-384A4399
SHA3-512A4399
SHAKE-128A4399
SHAKE-256A4399
TupleHash-128A4399
TupleHash-256A4399

Security Levels (Table 1)

Requirement areaLevel
Roles, Services, and Authentication4
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Keeper Security Cryptographic Module v2
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Keeper Security Cryptographic Module v2
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Keeper Security, Inc. Keeper Security Cryptographic Module v2 Non-Proprietary FIPS 140-3 Cryptographic Module Security Policy Software Version: 2.0.0 Date: 11/26/24 Prepared by: Corsec Security, Inc. Keeper Security, Inc.

12600 Fair Lakes Circle, Suite 210
820 W. Jackson Blvd, Suite 400

Chicago, Ill 60607 www.corsec.com https://www.keepersecurity.com/ only in its original entirety (without revision).

Page 2
Table of Contents
#SectionPage
1General4
1.1Confirming the Module Checksum, Functionality, and Versioning4
2Cryptographic Module Specification5
2.1Basic Enforcement18
2.2Enforcement and Guidance for GCM IVs19
2.3Enforcement and Guidance for use of the Approved PBKDF20
2.4Rules for setting the N and the S String in cSHAKE21
2.5Guidance for the use of Format-Preserving Encryption21
2.6Cryptographic Key Generation21
3Cryptographic Module Interfaces21
4Roles, Services, and Authentication22
4.1Basic Guidance22
4.2Assumption of Roles23
4.3Services24
5Software/Firmware Security32
6Operational Environment33
6.1Use of External RNG33
6.2Additional Enforcement with a Java SecurityManager33
6.3Approved Mode Configuration33
6.4Guidance for the use of DRBGs and Configuring the JVM's Entropy Source35
7Physical Security35
8Non-Invasive Security35
9Sensitive Security Parameter Management35
9.1RBG Entropy Sources46
10Self-Tests46
10.1Pre-Operational Self-Tests46
10.2Conditional Self-Tests46
10.3Error Handling47
11Life-Cycle Assurance48
12Mitigation of Other Attacks48
Appendix: References and Definitions50
Claimed16
radix in range of 2..216 in range of 2216
Page 3
List of Tables
ItemPage
Table 1 - Security Levels4
Table 2 - Tested Operational Environments6
Table 3 - Vendor Affirmed Operational Environments9
Table 4 - Approved Algorithms16
Claimed16
Table 6 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation18
Table 7 - Ports and Interfaces22
Table 8 - Roles, Service Commands, Input and Output23
Table 9 - Roles and Authentication24
Table 10 - Approved Services31
Table 11 - Non-Approved Services32
Table 12 - SSPs45
Table 13 - Non-Deterministic Random Number Generation Specification46
Figure 1- Cryptographic boundary5
Page 4
ISO/IEC 24759FIPS 140-3 Section TitleSecurity
Section 6. NumberLevel
1General1
2Cryptographic Module Specification1
3Cryptographic Module Interfaces1
4Roles, Services, and Authentication1
5Software/Firmware Security1
6Operational Environment1
7Physical SecurityN/A
8Non-Invasive SecurityN/A
9Sensitive Security Parameter Management1
10Self-Tests1
11Life-Cycle Assurance1
12Mitigation of Other Attacks1

This document defines the Security Policy for the Keeper Security, Inc.'s Keeper Security Cryptographic Module v2, hereafter denoted as the Module. The Module is a cryptographic library and has a Multi-Chip Stand Alone embodiment. The Module meets FIPS 140- 3 overall Level 1 requirements. The SW version is 2.0.0. The FIPS 140-3 security levels for the Module are given in Table 1 as follows: N/A N/A Table 1 - Security Levels 1.1 Confirming the Module Checksum, Functionality, and Versioning The module checksum, functionality, and versioning can be confirmed by executing the command: java -cp bc-fips-2.0.0.jar org.bouncycastle.util.DumpInfo which should display: Version Info: BouncyCastle Security Provider (FIPS edition) v2.0.0 FIPS Ready Status: READY Module SHA-256 HMAC: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e Indicating the jar represents the software release BC-FJA 2.0.0 (correlating to “Keeper Security Cryptographic Module v2”), that it has successfully passed all its startup tests, and that the software release is confirmed to have a HMAC of: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e only in its original entirety (without revision).

Page 5

Cryptographic Module Specification The Module is intended for use by US Federal agencies and other markets that require a FIPS 140-3 validated Cryptographic Library. The Module is of type software and the module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips2.0.0.jar. This module is the only software component within the Cryptographic Boundary and the only software component that carries out cryptographic functions covered by FIPS 140-3. Figure 1 shows the logical relationship of the cryptographic module to the other software and hardware components of the computer. The BC classes are executed on the Java Virtual Machine (JVM) using the classes of the Java Runtime Environment (JRE). The JVM is the interface to the computer’s Operating System (OS) that is the interface to the various physical components of the computer. Figure 1- Cryptographic boundary The cryptographic module was tested on the following operational environments on the generalpurpose computer (GPC) platforms detailed in Table 2, which is also the TOEPP (Tested Operational Environment’s Physical Perimeter) of the module. only in its original entirety (without revision).

Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1VMware Photon OS 4.0 with JRE 8 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA1
2VMware Photon OS 4.0 with JRE 11 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA2
3VMware Photon OS 4.0 with JRE 17 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA3
4VMware Photon OS 5.0 with JRE 21 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA4
1Java SE Runtime Environment v8 (1.8) with HP-UXGeneric Hardware Platform1
2Java SE Runtime Environment v11 (1.11) with HP-UXGeneric Hardware Platform2
3Java SE Runtime Environment v17 (1.17) with HP-UXGeneric Hardware Platform3
4Java SE Runtime Environment v21 (21) with HP-UXGeneric Hardware Platform4
5Java SE Runtime Environment v8 (1.8) with Linux CentosGeneric Hardware Platform5
6Java SE Runtime Environment v11 (1.11) with Linux CentosGeneric Hardware Platform6
7Java SE Runtime Environment v17 (1.17) with Linux CentosGeneric Hardware Platform7
8Java SE Runtime Environment v21 (21) with Linux CentosGeneric Hardware Platform8
9Java SE Runtime Environment v8 (1.8) with Red Hat Enterprise LinuxGeneric Hardware Platform9
10Java SE Runtime Environment v11 (1.11) with Red Hat Enterprise LinuxGeneric Hardware Platform10
11Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise LinuxGeneric Hardware Platform11
12Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric Hardware Platform12
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1VMware Photon OS 4.0 with JRE 8 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA1
2VMware Photon OS 4.0 with JRE 11 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA2
3VMware Photon OS 4.0 with JRE 17 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA3
4VMware Photon OS 5.0 with JRE 21 on VMware ESXi 8.0Dell PowerEdge R650Intel Xeon Gold 6330Without PAA4
1Java SE Runtime Environment v8 (1.8) with HP-UXGeneric Hardware Platform1
2Java SE Runtime Environment v11 (1.11) with HP-UXGeneric Hardware Platform2
3Java SE Runtime Environment v17 (1.17) with HP-UXGeneric Hardware Platform3
4Java SE Runtime Environment v21 (21) with HP-UXGeneric Hardware Platform4
5Java SE Runtime Environment v8 (1.8) with Linux CentosGeneric Hardware Platform5
6Java SE Runtime Environment v11 (1.11) with Linux CentosGeneric Hardware Platform6
7Java SE Runtime Environment v17 (1.17) with Linux CentosGeneric Hardware Platform7
8Java SE Runtime Environment v21 (21) with Linux CentosGeneric Hardware Platform8
9Java SE Runtime Environment v8 (1.8) with Red Hat Enterprise LinuxGeneric Hardware Platform9
10Java SE Runtime Environment v11 (1.11) with Red Hat Enterprise LinuxGeneric Hardware Platform10
11Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise LinuxGeneric Hardware Platform11
12Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric Hardware Platform12
13Java SE Runtime Environment v8 (1.8) with Linux DebianGeneric Hardware Platform13
14Java SE Runtime Environment v11 (1.11) with Linux DebianGeneric Hardware Platform14
15Java SE Runtime Environment v17 (1.17) with Linux DebianGeneric Hardware Platform15
16Java SE Runtime Environment v21 (21) with Linux DebianGeneric Hardware Platform16
17Java SE Runtime Environment v8 (1.8) with Linux FedoraGeneric Hardware Platform17
18Java SE Runtime Environment v11 (1.11) with Linux FedoraGeneric Hardware Platform18
19Java SE Runtime Environment v17 (1.17) with Linux FedoraGeneric Hardware Platform19
20Java SE Runtime Environment v21 (21) with Linux FedoraGeneric Hardware Platform20
21Java SE Runtime Environment v8 (1.8) with Linux Oracle RHCGeneric Hardware Platform21
22Java SE Runtime Environment v11 (1.11) with Linux Oracle RHCGeneric Hardware Platform22
23Java SE Runtime Environment v17 (1.17) with Linux Oracle RHCGeneric Hardware Platform23
24Java SE Runtime Environment v21 (21) with Linux Oracle RHCGeneric Hardware Platform24
25Java SE Runtime Environment v8 (1.8) with Linux Oracle UEKGeneric Hardware Platform25
26Java SE Runtime Environment v11 (1.11) with Linux Oracle UEKGeneric Hardware Platform26
27Java SE Runtime Environment v17 (1.17) with Linux Oracle UEKGeneric Hardware Platform27
28Java SE Runtime Environment v21 (21) with Linux Oracle UEKGeneric Hardware Platform28
29Java SE Runtime Environment v17 (1.8) with Linux PhotonGeneric Hardware Platform29
30Java SE Runtime Environment v17 (1.11) with Linux PhotonGeneric Hardware Platform30
31Java SE Runtime Environment v17 (1.17) with Linux PhotonGeneric Hardware Platform31
32Java SE Runtime Environment v21 (21) with Linux PhotonGeneric Hardware Platform32
33Java SE Runtime Environment v8 (1.8) with Linux SUSEGeneric Hardware Platform33
34Java SE Runtime Environment v11 (1.11) with Linux SUSEGeneric Hardware Platform34
35Java SE Runtime Environment v17 (1.17) with Linux SUSEGeneric Hardware Platform35
36Java SE Runtime Environment v21 (21) with Linux SUSEGeneric Hardware Platform36
37Java SE Runtime Environment v8 (1.8) with Linux UbuntuGeneric Hardware Platform37
38Java SE Runtime Environment v11 (1.11) with Linux UbuntuGeneric Hardware Platform38
39Java SE Runtime Environment v17 (1.17) with Linux UbuntuGeneric Hardware Platform39
40Java SE Runtime Environment v21 (21) with Linux UbuntuGeneric Hardware Platform40
41Java SE Runtime Environment v8 (1.8) with Mac OS XGeneric Hardware Platform41
42Java SE Runtime Environment v11 (1.11) with Mac OS XGeneric Hardware Platform42
43Java SE Runtime Environment v8 (1.8) with Microsoft WindowsGeneric Hardware Platform43
44Java SE Runtime Environment v11 (1.11) with Microsoft WindowsGeneric Hardware Platform44
45Java SE Runtime Environment v17 (1.17) with Microsoft WindowsGeneric Hardware Platform45
46Java SE Runtime Environment v21 (21) with Microsoft WindowsGeneric Hardware Platform46
47Java SE Runtime Environment v8 (1.8) with Microsoft Windows ServerGeneric Hardware Platform47
48Java SE Runtime Environment v11 (1.11) with Microsoft Windows ServerGeneric Hardware Platform48
49Java SE Runtime Environment v17 (1.17) with Microsoft Windows ServerGeneric Hardware Platform49
50Java SE Runtime Environment v21 (21) with Microsoft Windows ServerGeneric Hardware Platform50
51Java SE Runtime Environment v8 (1.8) with Microsoft Windows XPGeneric Hardware Platform51
52Java SE Runtime Environment v11 (1.11) with Microsoft Windows XPGeneric Hardware Platform52
53Java SE Runtime Environment v17 (1.17) with Microsoft Windows XPGeneric Hardware Platform53
54Java SE Runtime Environment v21 (21) with Microsoft Windows XPGeneric Hardware Platform54
55Java SE Runtime Environment v8 (1.8) with SolarisGeneric Hardware Platform55
56Java SE Runtime Environment v11 (1.11) with SolarisGeneric Hardware Platform56
57Java SE Runtime Environment v17 (1.17) with SolarisGeneric Hardware Platform57
58Java SE Runtime Environment v21 (21) with SolarisGeneric Hardware Platform58
59Java SE Runtime Environment v8 (1.8) with AIXGeneric Hardware Platform59
60Java SE Runtime Environment v11 (1.11) with AIXGeneric Hardware Platform60
61Java SE Runtime Environment v17 (1.17) with AIXGeneric Hardware Platform61
62Java SE Runtime Environment v21 (21) with AIXGeneric Hardware Platform62
63Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise LinuxGeneric hardware platform with Intel Cascade Lakes63
64Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric hardware platform with Intel Cascade Lakes64
65Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise LinuxGeneric hardware platform with Intel Sapphire Rapids65
66Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric hardware platform with Intel Sapphire Rapids66
67Java SE Runtime Environment v17 (1.17) with UbuntuGeneric hardware platform with Intel Cascade Lakes67
68Java SE Runtime Environment v21 (21) with UbuntuGeneric hardware platform with Intel Cascade Lakes68
69Java SE Runtime Environment v17 (1.17) with UbuntuGeneric hardware platform with Intel Sapphire Rapids69
70Java SE Runtime Environment v21 (21) with UbuntuGeneric hardware platform with Intel Sapphire Rapids70
71Java SE Runtime Environment v17 (1.17) with ClevOSGeneric hardware platform with Intel Cascade Lake71
72Java SE Runtime Environment v21 (21) with ClevOSGeneric hardware platform with Intel Cascade Lake72
73Java SE Runtime Environment v17 (1.17) with ClevOSGeneric hardware platform with Intel Sapphire Rapids73
74Java SE Runtime Environment v21 (21) with ClevOSGeneric hardware platform with Intel Sapphire Rapids74
75Java SE Runtime Environment v17 (1.17) with ClevOSGeneric hardware platform with Intel Haswell75
76Java SE Runtime Environment v21 (21) with ClevOSGeneric hardware platform with Intel Haswell76
77Java SE Runtime Environment v17 (1.17) with ClevOSGeneric hardware platform with Intel Broadwell77
78Java SE Runtime Environment v21 (21) with ClevOSGeneric hardware platform with Intel Broadwell78

# Table 2 - Tested Operational Environments The cryptographic module will remain compliant with the FIPS 140-3 validation when operating on any general-purpose computer (GPC) provided that:

  1. No source code has been modified.
  2. The GPC uses the specified single-user platform, or another compatible single-user platform such as one of the Java SE Runtime Environments listed on any of the following: # only in its original entirety (without revision).
Page 7

only in its original entirety (without revision).

Page 8

only in its original entirety (without revision).

Page 9

Table 3 - Vendor Affirmed Operational Environments For the avoidance of doubt, it is hereby stated that the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. The Module implements the Approved and Non-Approved but Allowed cryptographic functions with no security claimed listed in Tables 4 and 5 below. There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. The Module supports both Approved and Non-Approved mode of operation. Please see Section 6.3 for configuration of the Module in Approved mode of operation. Please see Section 11 for initialization steps. only in its original entirety (without revision).

Page 10
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionUse / Function
AES [FIPS 197, SP 800-38A], AES- FF1 Format Preserving Encryption [SP 800-38G]A4399ECB, CBC, OFB, CFB8, CFB128, CTR, FF1Key sizes: 128, 192, 256 bitsEncryption, Decryption
AES-CBC Ciphertext Stealing (CS) [Addendum to SP 800-38A, Oct 2010]A4399CBC-CS1, CBC-CS2, CBC-CS3Key sizes: 128, 192, 256 bitsEncryption, Decryption
CCM [SP 800-38C]A4399N/AKey sizes: 128, 192, 256 bitsGeneration, Authentication
CMAC [SP 800-38B]A4399AESKey sizes: AES with 128, 192, 256 bitsGeneration, Authentication
GCM/GMAC1 [SP 800-38D]A4399N/AKey sizes: 128, 192, 256 bitsGeneration, Authentication
Counter DRBG [SP 800-90Ar1]A4399N/AAES-128, AES-192, AES- 256AES-CTR DRBG.
Hash DRBG [SP 800-90Ar1]A4399N/ASHA sizes: SHA-1, SHA2- 224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256Hash DRBG
HMAC DRBG [SP 800-90Ar1]A4399N/ASHA sizes: SHA-1, SHA2- 224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256HMAC DRBG
DSA2 [FIPS 186-4]A4399N/AKey sizes: 1024, 2048, 3072 bits (1024 only for SigVer)PQG Generation, PQG Verification, Key Pair Generation, Signature Generation, Signature Verification
ECDSA [FIPS 186-4]A4399N/ACurves/Key sizes: P-192*, P- 224, P-256, P-384, P-521, K- 163*, K-233, K-283, K-409, K-571, B-163*, B-233, B- 283, B-409, B-571 * Curves only used for Signature Verification and Public Key ValidationPublic Key Generation, Signature Generation, Signature Verification, Public Key Validation
KDA-HKDF [SP 800-56C- rev2]A4399N/APRFs: HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512, HMAC SHA-512/224, HMAC SHA- 512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3- 512Key Derivation
HMAC [FIPS 198-1]A4399N/ASHA sizes: SHA-1, SHA- 224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512Generation, Authentication
KAS-FFC3 [SP 800-56A- rev3]A4399N/ADomain Parameter Generation Methods/Scheme: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 dhHybrid1, MQV2, dhEphem, dhHybrid, OneFlow, MQV1, dhOneFlow, dhStatic Groups specified above providing between 112 and 200 bits of encryption strengthKey Agreement
KAS-ECC3 [SP 800-56A- rev3]A4399N/ADomain Parameter Generation Methods/Scheme: P-224, P- 256, P-384, P-521,K-233, K- 283, K-409, K-571, B-233, B-283, B-409, B-571 ephemeralUnified, fullMqv, fullUnified, onePassDh, onePassMqv, onePassUnified, staticUnified Curves specified above providing between 112 and 256 bits of encryption strengthKey Agreement
KDA, One Step [SP 800-56C- rev2]A4399N/APRFs: SHA-1, SHA-224, SHA-256, SHA-384, SHA- 512, SHA-512/224, SHA- 512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512, HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512, HMAC SHA- 512/224, HMAC SHA- 512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3- 512, KMAC-128, KMAC- 256Key Derivation
KDA, Two Step [SP 800-56C- rev2]A4399N/APRFs: HMAC SHA-1, HMAC SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA-512, HMAC SHA-512/224, HMAC SHA- 512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3- 512, KMAC-128, KMAC- 256Key Derivation
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/ATLS v1.0/1.1 KDF SHA sizes: SHA2-256 , SHA2-384, SHA2-512Key Derivation
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/ATLS 1.2 KDF SHA sizes: SHA2-256, SHA2-384, SHA2-512Key Derivation
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/ASNMP KDF Password Length: 64, 8192Key Derivation
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/ASSH KDF SHA sizes: SHA2-224Key Derivation
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/AX9.63 KDF SHA sizes: SHA2-224, SHA2-256, SHA2-384, SHA2-512Key Derivation Can be used along with KAS- SSC
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/AIKEv2 KDF SHA sizes:SHA-1, SHA2- 224, SHA2-256, SHA2-384, SHA2-512Key Derivation
KDF, Existing Application- Specific4 [SP 800-135- rev1]CVL A4399N/ASRTP KDFKey Derivation
KDF, Password- Based [SP 800-132]A4399N/AOptions: PBKDF with Option 1a Types: HMAC-based KDF using SHA-1, SHA-224, SHA-256, SHA-384, SHA- 512Key Derivation
KDF, using Pseudorandom Functions5 [SP 800-108- rev1]A4399Counter Mode, Feedback Mode, Double- Pipeline Iteration ModeTypes: CMAC-based KBKDF with AES, HMAC- based KBKDF with SHA-1, SHA-224, SHA-256, SHA- 384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512Key Derivation
Key Wrapping Using Block Ciphers6 [SP 800-38F]A4399AES KW, KWPKey sizes: 128, 192, 256 bits (Key establishment methodology providing 128, 192 or 256 bits of encryption strength)Key Wrapping
RSA [FIPS 186-4, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]A4399N/AKey sizes: 2048, 3072, 4096Key Pair Generation
RSA [FIPS 186-4, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]A4399N/AKey sizes: 2048, 3072, 4096Signature Generation
RSA [FIPS 186-4, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]A4399N/AKey sizes: 1024, 2048, 3072, 4096Signature Verification
RSA [FIPS 186- 2, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]A4399N/AKey sizes: 1024, 1536, 2048, 3072, 4096Signature Verification
RSA Decryption PrimitiveCVL A4399N/A2048Component Test
RSA Signature PrimitiveCVL A4399N/A2048Component Test
KTS-IFC [SP 800-56B- rev2, Section 7.2.2]A4399N/ARSA-OAEP with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength Key Generation Method: rsakpg2-crtKey Transport
KAS-IFC [SP 800-56B- rev2, Section 7.2.1]A4399N/ARSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strengthKey Agreement
Safe Primes [SP 800-56A- rev3]A4399N/AParameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192Key Generation, Key Verification
SHS [FIPS 180-4]A4399N/ASHA sizes: SHA-1, SHA- 224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
SHA-3, SHAKE [FIPS 202]A4399N/ASHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
SHA-3 Derived Functions [SP 800-185]A4399N/ATypes: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash-128, cSHAKE- 256, KMAC-256, TupleHash-256, ParallelHash-256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
CKG using output from DRBG7 [SP 800-133- rev2]Vendor Affirmed IG D.HN/ASection 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG)Key Generation
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake
AES (non-compliant8)Non-approved modes for AES
ARC4 (RC4)ARC4/RC4 stream cipher
BlowfishBlowfish block cipher
CamelliaCamellia block cipher
CAST5CAST5 block cipher
ChaCha20ChaCha20 stream cipher
ChaCha20-Poly1305AEAD ChaCha20 using Poly1305 as the MAC
DESDES block cipher
Diffie-Hellman KAS (non- compliant9)non-compliant key agreement methods

N/A N/A N/A N/A N/A GCM encryption with an internally generated IV, see section 2.2 concerning external IVs. IV generation is compliant with IG C.H. only in its original entirety (without revision).

Page 11

N/A N/A N/A N/A only in its original entirety (without revision).

Page 12

N/A N/A N/A Keys are not established directly into the module using the key agreement algorithms. only in its original entirety (without revision).

Page 13

N/A ApplicationSpecific4 N/A ApplicationSpecific4 N/A ApplicationSpecific4 N/A ApplicationSpecific4 N/A ApplicationSpecific4 N/A ApplicationSpecific4 N/A No parts of the protocols (TLS, SSHv2, X9.63, IKEv2, SRTP, SNMPv3), other than the approved cryptographic algorithms and the KDFs, have been reviewed or tested by the CAVP and CMVP. only in its original entirety (without revision).

Page 14

ApplicationSpecific4 N/A KDF, PasswordBased N/A Mode, DoublePipeline N/A N/A Note: CAVP testing is not provided for use of the PRFs SHA-512/224 and SHA-512/256. These must not be used in approved mode. Keys are not established directly into the module using key unwrapping. only in its original entirety (without revision).

Page 15

N/A N/A N/A N/A 7.2.2] N/A 7.2.1] N/A N/A N/A only in its original entirety (without revision).

Page 16
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionUse / Function
SHA-3, SHAKE [FIPS 202]A4399N/ASHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
SHA-3 Derived Functions [SP 800-185]A4399N/ATypes: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash-128, cSHAKE- 256, KMAC-256, TupleHash-256, ParallelHash-256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
CKG using output from DRBG7 [SP 800-133- rev2]Vendor Affirmed IG D.HN/ASection 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG)Key Generation
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake
AES (non-compliant8)Non-approved modes for AES
ARC4 (RC4)ARC4/RC4 stream cipher
BlowfishBlowfish block cipher
CamelliaCamellia block cipher
CAST5CAST5 block cipher
ChaCha20ChaCha20 stream cipher
ChaCha20-Poly1305AEAD ChaCha20 using Poly1305 as the MAC
DESDES block cipher
Diffie-Hellman KAS (non- compliant9)non-compliant key agreement methods
Approved algorithm
NameCAVP CertMode MethodKey SizeUse FunctionUse / Function
SHA-3, SHAKE [FIPS 202]A4399N/ASHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
SHA-3 Derived Functions [SP 800-185]A4399N/ATypes: cSHAKE-128, KMAC-128, TupleHash-128, ParallelHash-128, cSHAKE- 256, KMAC-256, TupleHash-256, ParallelHash-256Digital Signature Generation, Digital Signature Verification, non- Digital Signature Applications
CKG using output from DRBG7 [SP 800-133- rev2]Vendor Affirmed IG D.HN/ASection 5.1 (Asymmetric from DRBG) Section 6.1 (Symmetric from DRBG)Key Generation
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake
AES (non-compliant8)Non-approved modes for AES
ARC4 (RC4)ARC4/RC4 stream cipher
BlowfishBlowfish block cipher
CamelliaCamellia block cipher
CAST5CAST5 block cipher
ChaCha20ChaCha20 stream cipher
ChaCha20-Poly1305AEAD ChaCha20 using Poly1305 as the MAC
DESDES block cipher
Diffie-Hellman KAS (non- compliant9)non-compliant key agreement methods
DSA (non-compliant10)non-approved digest signatures using DSA
DSTU4145DSTU4145 EC algorithm
ECDSA (non-compliant10)non-approved digest signatures using ECDSA
EdDSAEd25519 and Ed448 signature algorithms
ElGamalElGamal key transport algorithm
FF3-1Format Preserving Encryption – AES FF3-1
GOST28147GOST-28147 block cipher
GOST3410-1994GOST-3410-1994 algorithm
GOST3410-2001GOST-3410-2001 EC algorithm
GOST3410-2012GOST-3410-2012 EC algorithm
GOST3411GOST-3411-1994 message digest
GOST3411-2012-256GOST-3411-2012 256-bit message digest
GOST3411-2012-512GOST-3411-2012 512-bit message digest
HMAC-GOST3411GOST-3411 HMAC
HMAC-MD5MD5 HMAC
HMAC-RIPEMD128RIPEMD128 HMAC
HMAC-RIPEMD160RIPEMD160 HMAC
HMAC-RIPEMD256RIPEMD256HMAC
HMAC-RIPEMD320RIPEMD320 HMAC
HMAC-TIGERTIGER HMAC
HMAC-WHIRLPOOLWHIRLPOOL HMAC
HSSHSS signature scheme (RFC 8708)
IDEAIDEA block cipher
KAS11 using SHA-512/224 or SHA-512/256Key Agreement using SHA-512/224 and SHA-512/256 based KDFs
KBKDF using SHA-512/224 or SHA-512/256 (non-compliant)PBKDF2 using the PRFs SHA-512/224 and SHA- 512/256
LMSLMS signature scheme (RFC 8708)
MD5MD5 message digest
OpenSSL PBKDF (non- compliant)OpenSSL PBE key derivation scheme
PKCS#12 PBKDF (non- compliant)PKCS#12 PBE key derivation scheme
PKCS#5 Scheme 1 PBKDF (non- compliant)PKCS#5 PBE key derivation scheme
Poly1305Poly1305 message MAC
PRNG X9.31X9.31 PRNG
RC2RC2 block cipher
RIPEMD128RIPEMD128 message digest
RIPEMD160RIPEMD160 message digest
RIPEMD256RIPEMD256 message digest
RIPEMD320RIPEMD320 message digest
RSA (non-compliant12)Non-compliant RSA signature schemes
RSA KTS (non-compliant13)Non-compliant RSA key transport schemes
SCrypt (non-compliant)Scrypt using non-compliant PBKDF2
SEEDSEED block cipher
SerpentSerpent block cipher
SipHashSipHash MAC
SHACAL-2SHACAL2 block cipher
TIGERTIGER message digest
Triple-DESTriple-DES cipher
TwofishTwofish block cipher
WHIRLPOOLWHIRLPOOL message digest
XDHX25519 and X448 key agreement algorithms

N/A N/A N/A Table 4 - Approved Algorithms Table 5 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No The resulting key or a generated seed is an unmodified output from a DRBG. Support for additional modes of operation. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. only in its original entirety (without revision).

Page 17

Deterministic signature calculation, support for additional digests, and key sizes. Keys are not directly established into the module using key agreement or transport techniques. only in its original entirety (without revision).

Page 18

Table 6 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation 2.1 Basic Enforcement The module design corresponds to the Module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module:

  1. The module shall provide two distinct operator roles: User and Cryptographic Officer.
  2. The module does not provide authentication.
  3. The operator shall be capable of commanding the module to perform the power up self-tests by cycling power or resetting the module.
  4. Power up self-tests do not require any operator action.
  5. Data output shall be inhibited during self-tests, zeroization, and error states. Output related to keys and their use is inhibited until the key concerned has been fully generated.
  6. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  7. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  8. The module does not support concurrent operators.
  9. The module does not have any external input/output devices used for entry/output of data.
  10. The module does not enter or output plaintext CSPs from the module’s physical perimeter. Support for additional digests and signature formats, PKCS#1 1.5 key wrapping, support for additional key sizes. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. only in its original entirety (without revision).
Page 19

11. The module does not output intermediate key values. HMAC algorithms specified in the Approved Algorithms table produce truncated versions of the HMAC in question. The right most bits are truncated as per the NIST SP 800-107 rev1. When the module is used within the context of Java Security Manager or the system/security property org.bouncycastle.fips.approved_only is set to true, the module will start in approved mode and non-approved services are not accessible in this mode. When the module is not used within the context of Java Security Manager, the module will start in a non-approved mode by default. From non-approved mode to approved mode: It is a combination of granted permission (a) and request to change mode (b): a. org.bouncycastle.crypto.CryptoServicesPermission “changeToApprovedModeEnabled” b. CryptoServicesRegistrar.setApprovedMode(true) The CSPs made available in non-approved mode will not be accessible, once the thread transitions into approved mode. The CSPs generated using the non-approved mode cannot be passed or shared with algorithms operating in approved mode, and vice-versa. This is done by indicating within the class (object), instantiating the key, as being created in an approved mode or non-approved mode. Any attempt by a thread within the execution of the module to use the key in an opposite mode will result in an exception being generated by the module. For example, if an RSA private key has been created in either approved or non-approved mode, then any request to access that key will first need to see if the thread making the request is in the same mode. From approved mode to non-approved mode: The module cannot transition from approved mode to non-approved mode. To initiate the module in non-approved mode, either it should not be used in the context of Java Security Manager, or the module should have the permission “org.bouncycastle.crypto.CryptoServicesPermission unapprovedModeEnabled” granted by the Java Security Manager. 2.2 Enforcement and Guidance for GCM IVs IVs for GCM can be generated randomly, or via a FipsNonceGenerator. Where an IV is not generated within the module the module supports the importing of GCM IVs. In approved mode, when a GCM IV is generated randomly, the module enforces the use of an approved DRBG in line with Section 8.2.2 of SP 800-38D. In approved mode, when a GCM IV is generated using the FipsNonceGenerator a counter is used as the basis for the nonce and the IV is generated in accordance with TLS protocol. Rollover of the counter in the FipsNonceGenerator will result in an IllegalStateException indicating the FipsNonceGenerator is exhausted and, as per IG C.H, where used for TLS 1.2, rollover will terminate any TLS session in process using the current key and the exception can only be recovered from by using a new handshake and creating a new FipsNonceGenerator. In approved mode, importing a GCM IV for encryption that originates from outside the module is non-conformant. A service indicator for IV usage is provided in the module through Java logging. Setting the logging level to Level.FINE for the named logger “org.bouncycastle.jcajce.provider.BaseCipher” will produce a log message when an IV which may have been produced outside the module and/or not from a compliant source is detected. The log message will be of the standard form including the detail: only in its original entirety (without revision).

Page 20

FINE: Passed in GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Setting the logging level to Level.FINER will produce an additional log message for any GCM IV which is used if the previous Level.FINE message is not activated. Log messages in this case will show the detail as: FINER: GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Per IG C.H, in the event module power is lost and restored the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The AES-GCM Mode falls under: 2.3

Page 21

For users interested in introducing memory hardness as a layer on top of the PBKDF the scrypt augmentation to PBDKF based on HMAC SHA-256 (as described in RFC 7914) is also available. 2.4 Rules for setting the N and the S String in cSHAKE The cSHAKE algorithm offers to input string for customizing the output of the cSHAKE function, the Function-Name input (N) and the Customization String (S). The Function-Name input (N) is reserved for values specified by NIST and should only be set to the appropriate NIST specified value. Any other use of N is non-conformant. The Customization String (S) is available to allow users to customize the cSHAKE function as they wish. The length of S is limited to the available size of a byte array in the JVM running the module. 2.5 Guidance for the use of Format-Preserving Encryption The module supports both FF1 and, in non-approved mode, FF3-1 format preserving encryption. Below shows the parameter constraints applicable to the module’s implementation. SP800-38G Format-Preserving Encryption Constraints radix in range of 2..216 in range of 2..216 radixminlen >= 1000000 >= 1000000 minlen >= 2 octets

2 octets
2 * floor(logradix(296)) octets
8 octets (fixed)

An attempt to use the FF1 or FF3-1 without meeting the radixminlen constraint or by exceeding maxlen will result in an IllegalArgumentException. Note: only FF1 should be used in approved mode. 2.6 Cryptographic Key Generation The module performs Cryptographic Key Generation in conformance to FIPS 140-3 IG D.H. The CKG for symmetric keys and seeds used for generating asymmetric keys is performed as per Section 4 of the SP800-133r2 and compliant with FIPS 186-4 and SP800-90Arev1 for DRBG. The seed used in asymmetric key generation is the direct output of SP800-90Arev1 DRBG. Cryptographic Module Interfaces The Keeper Security Cryptographic Module v2is a software module, and, therefore, control of the physical ports is outside of the module’s scope. The module does provide a set of logical interfaces which are mapped to the following FIPS 140-3 defined logical interfaces: data input, data output, control input, status output, and power. When the module performs self-tests, is in an error state, is generating keys, or performing zeroization, the module prevents all output on the logical data output interface as only the thread performing the operation has access to the data. The module only in its original entirety (without revision).

Page 22
Ports and interfaces
NamePhysical PortLogical Interface
Data InputAPI input parameters – plaintext and/or ciphertext data.Data Input
Data OutputAPI output parameters and return values – plaintext and/or ciphertext data.Data Output
Control InputAPI method calls – method calls, or input parameters, that specify commands and/or control data used to control the operation of the module.Control Input
Status OutputAPI output parameters and return/error codes that provide status information used to indicate the state of the module.Status Output
Service
NameRolesInputOutput
Initialize Module and Run Self-Tests on DemandCO/UserN/AException in case of failure
Show StatusCO/UserN/ABoolean
Info ServiceCO/UserN/AModule name and version
Zeroize / Power-offCO/UserN/AShutdown indication
Data EncryptionCO/UserKey, PlaintextCiphertext
Data DecryptionCO/UserKey, CiphertextPlaintext
MAC CalculationCO/UserKey, MessageMAC
Signature AuthenticationCO/UserKey, MessageSignature
Signature VerificationCO/UserKey, Message, SignatureBoolean
DRBG (SP800-90Arev1) OutputCO/UserN/AData
Message HashingCO/UserMessageHash
Keyed Message HashingCO/UserKey, MessageHash
TLS Key Derivation FunctionCO/UserTLS ParametersData
SP 800-108-rev1 KDFCO/UserKDF ParametersData
SSH Derivation FunctionCO/UserSSH ParametersData
X9.63 Derivation FunctionCO/UserX9.63 ParametersData
SP 800-56C-rev2 OneStep/TwoStep Key Derivation Function (KDM)CO/UserKDM ParametersData
IKEv2 Derivation FunctionCO/UserIKEv2 ParametersData
SRTP Derivation FunctionCO/UserSRTP ParametersData
PBKDFCO/UserPassword, PBKDF ParametersData
Key Agreement SchemesCO/UserKey Agreement keys, parametersData
Key WrappingCO/UserWrapping key, KeyWrapped key
Key UnwrappingCO/UserUnwrapping Key, Wrapped keyKey
Key VerificationCO/UserKey PairBoolean
Entropy CallbackCO/UserN/ARandom bits
DRBG Health-TestsCO/UserN/AN/A
SSP Export OperationCO/UserSSPData
UtilityCO/UserN/AN/A

is single-threaded, and in an error state, the module does not return any output data, only an error value. The module does not implement control output interface. The mapping of the FIPS 140-3 logical interfaces to the module is described in Table 7. Table 7 - Ports and Interfaces Roles, Services, and Authentication 4.1 Basic Guidance The jar file representing the module needs to be installed in a JVM’s class path in a manner appropriate to its use in applications running on the JVM. Functionality in the module is provided in two ways. At the lowest level there are distinct classes that provide access to the approved and non-approved services provided by the module. A more abstract level of access can also be gained using strings providing operation names passed into the module’s Java cryptography provider through the APIs described in the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). When the module is being used in approved mode, classes providing implementations of algorithms which are not approved, or allowed, are explicitly disabled. SSPs such as private and secret keys implement the Destroyable interface. Where appropriate these SSPs can be zeroized on demand by invoking the destroy() method. The return of the destroy() method indicates that the zeroization is complete. Roles, with corresponding service with input and output is specified in Table 8 below: N/A N/A N/A N/A only in its original entirety (without revision).

Page 23

N/A N/A N/A N/A N/A N/A Table 8 - Roles, Service Commands, Input and Output 4.2 Assumption of Roles The module supports two distinct operator roles, User and Cryptographic Officer (CO). The cryptographic module implicitly maps the two roles to the services. A user is considered the owner of the thread that instantiates the module and, therefore, only one concurrent user is allowed. only in its original entirety (without revision).

Page 24
RoleAuthentication MethodAuthentication Strength
CON/A – Authentication not required for Level 1N/A
UserN/A – Authentication not required for Level 1N/A

Table 9 lists all operator roles supported by the module. The module does not support a maintenance role and/or bypass capability. The module does not support authentication. 4.3 N/A N/A Table 9 - Roles and Authentication Services Table 10 lists the services and a description of each service with the usage and roles. Services in the module are accessed via the public APIs of the jar file. The ability of a thread to invoke non-approved services depends on whether it has been registered with the module as approved mode only. In approved only mode no non-approved services are accessible. In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific permissions to be configured in the JVM configuration by the Cryptographic Officer or User. In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols. only in its original entirety (without revision).

Page 25
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Initialize Module and Run Self- Tests on DemandThe JRE will call the static constructor for self-tests on module initializationCO/UserN/AN/AN/AFlag
Show StatusA user can call FipsStatus.IsReady() at any time to determine if the module is ready. CryptoServicesRegistrar.IsIn ApprovedOnlyMode() can be called to determine the approved mode of operationCO/UserN/AN/AN/AFlag
Info ServiceA user can call DumpInfo.main() at any time to display the module version, checksum, and status informationCO/UserN/AN/AN/AFlag
Zeroize / Power- offSSPs can be zeroized on demand by invoking the destroy() method or power cycle the module.CO/UserAll SSPsN/AZFlag
Data EncryptionUsed to encrypt dataCO/UserAES Encryption KeyAES-ECB, AES- CBC, AES-OFB, AES-CFB8, AES-CFB128, AES-CTR, AES- CBC-CS, CCM, GCM, FF1EFlag
Data DecryptionUsed to decrypt dataCO/UserAES Decryption KeyAES-ECB, AES- CBC, AES-OFB, AES-CFB8, AES-CFB128, AES-CTR, AES- CBC-CS, CCM, GCM, FF1EFlag
MAC CalculationUsed to calculate data integrity codes with CMACCO/UserAES Authentication Key, HMAC Authentication Key, KMAC Authentication KeyCMAC, GMACEFlag
Signature AuthenticationUsed to generate signatures (DSA, ECDSA, RSA)CO/UserDSA Signing Key, EC Signing Key, RSA Signing KeyDSA, ECDSA, RSAEFlag
Signature VerificationUsed to verify digital signaturesCO/UserDSA Verification Key, EC Verification Key, RSA Verification KeyDSA, ECDSA, RSAEFlag
DRBG (SP800- 90Arev1) outputUsed for random number, IV and key generationCO/UserAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DRBG Seed, Internal State V and C value, and DRBG Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public KeyCounter DRBG, Hash DRBG, HMAC DRBGGFlag
DRBG Seed, Internal State V and C value, and DRBG KeyCO/UserDRBG Seed, Internal State V and C value, and DRBG KeyE
Message HashingUsed to generate message digest, SHAKE outputCO/UserN/ASHS, SHA-3, SHAKE, SHA-3 Derived Functions (cSHAKE, TupleHash, ParallelHash)N/AFlag
Keyed Message HashingUsed to calculate data integrity codes with HMAC and KMACCO/UserHMAC Authentication Key, KMAC Authentication KeyHMAC, SHA-3 Derived Functions (KMAC)EFlag
TLS Key Derivation FunctionUsed to calculate a value suitable to be used for a master secret in TLSCO/UserTLS KDF Secret ValueHKDF, KDF, Existing Application- Specific (TLS KDF)EFlag
SP 800-108-rev1 KDFUsed to calculate a value suitable to be used for a secret keyCO/UserSP800-108-rev1 KDF Secret ValueKBKDF, using Pseudorandom FunctionsEFlag
SSH Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO/UserSSH KDF Secret ValueExisting Application- Specific (SSH KDF)EFlag
X9.63 Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO/UserDH Agreement Private Key, EC Agreement Private Key, RSA Signing KeyExisting Application- Specific (X9.63 KDF)GFlag
X9.63 KDF Secret ValueCO/UserX9.63 KDF Secret ValueE
SP 800-56C-rev2 OneStep/TwoStep Key Derivation Function (KDM)Used to calculate a value suitable to be used for a secret keyCO/UserDH Agreement Private Key, EC Agreement Private Key, RSA Signing KeyHKDF, KDF One Step, KDF Two Step.GFlag
SP800-56C-rev2 KDF Secret ValueCO/UserSP800-56C-rev2 KDF Secret ValueE
IKEv2 Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO/UserIKEv2 KDF Secret ValueExisting Application- Specific (IKEv2)EFlag
SRTP Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO/UserSRTP KDF Secret ValueExisting Application- Specific (SRTP)EFlag
PBKDFUsed to generate a key using an encoding of a password and message hashCO/UserHMAC Authentication Key, KMAC Authentication KeyKDF, Password- BasedGFlag
HMAC Authentication Key, KMAC Authentication Key, PBDKF SecretCO/UserHMAC Authentication Key, KMAC Authentication Key, PBDKF SecretE
Key Agreement SchemesUsed to calculate key agreement values (SP800- 56A-rev3, Diffie-Hellman)CO/UserAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, HMAC Authentication Key, KMAC Authentication KeyKAS-FFC, KAS- ECC, KAS-IFC, SafePrimesGFlag
DH Agreement Private Key, EC Agreement Private Key, RSA Key Transport Private KeyCO/UserDH Agreement Private Key, EC Agreement Private Key, RSA Key Transport Private KeyE
Key WrappingUsed to encrypt a key value (RSA, AES)CO/UserAES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key, RSA Key Transport Private KeyAES KW, AES KWP, KTS-IFCEFlag
Key UnwrappingUsed to decrypt a key value (RSA, AES)CO/UserAES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key, RSA Key Transport Public KeyAES KW, AES KWP, KTS-IFCEFlag
Key VerificationUsed to verify key pairCO/UserEC Signing Key, EC Verification KeyECDSA KeyVerEFlag
Entropy CallbackGathers entropy in a passive manner from a user-provided functionCO/UserDRBG Seed, Internal State V and C value, and DRBG KeyDRBG, CKGGFlag
DRBG Health- TestsUsed to perform checks of incoming entropy against Section 4.4 of SP800-90BCO/UserN/ADRBGN/AFlag
SSP Export OperationReturns a CSP as data that can be used for later outputCO/UserAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public KeyN/ARFlag
UtilityMiscellaneous utility functions, does not access CSPsCO/UserN/AN/AN/AFlag

N/A N/A N/A N/A N/A N/A N/A N/A N/A Zeroize / Poweroff Z N/A Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved mode, false otherwise. in its original entirety (without revision).

Page 26

E E E E E in its original entirety (without revision).

Page 27

G E N/A N/A in its original entirety (without revision).

Page 28

E E E ApplicationSpecific (SSH E G E G E ApplicationSpecific (TLS in its original entirety (without revision).

Page 29

ApplicationSpecific (IKEv2) E ApplicationSpecific (SRTP) E PasswordBased G E G E E in its original entirety (without revision).

Page 30

E E E G DRBG HealthTests N/A N/A in its original entirety (without revision).

Page 31

N/A R N/A N/A N/A Table 10 - Approved Services The modes of access shown in the table above are defined as:

Page 32
Service
NameDescriptionRolesApproved FunctionsIndicator
Data EncryptionUsed to encrypt dataCO/UserTriple-DESFlag
Data DecryptionUsed to decrypt dataCO/UserTriple-DESFlag
MAC CalculationUsed to calculate data integrity codes with CMACCO/UserTriple-DES CMACFlag
DRBG (SP800- 90Arev1) outputUsed for random number, IV and key generationCO/UserctrDRBG-Triple-DESFlag
Key Agreement SchemesUsed to calculate key agreement valuesCO/UserTriple-DESFlag
Key WrappingUsed to encrypt a key value (Triple- DES)CO/UserTriple-DES KWFlag
Key UnwrappingUsed to decrypt a key value (Triple- DES)CO/UserTriple-DES KWFlag
Page 33

CASTs are preformed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target. Operational Environment The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module runs on a GPC running one of the operating systems specified in the approved operational environment list in Table 2. Each approved operating system manages processes and threads in a logically separated manner. The Module’s user is considered the owner of the calling application that instantiates the Module within the process space of the Java Virtual Machine. The module optionally uses the Java Security Manager and starts in approved mode by default when used with the Java Security Manager. 6.1 Use of External RNG The module makes use of the JVM's configured SecureRandom entropy source to provide entropy when required. The module will request entropy as appropriate to the security strength and seeding configuration for the DRBG that is using it and for the default DRBG will request a minimum of

256 bits of entropy. In approved mode the minimum amount of entropy that can be requested by a

DRBG is 112 bits. The module will wait until the SecureRandom.generateSeed() returns the requested amount of entropy, blocking if necessary. The JVMs entropy source can be configured through setting the security property: securerandom.strongAlgorithms in the JVM's java.security file. 6.2 Additional Enforcement with a Java SecurityManager In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific policy permissions to be configured in the JVM configuration by the Cryptographic Officer or User. The SecurityManager can also be used to restrict the ability of particular code bases to examine CSPs. See Section 6.3 for further advice. In the absence of a Java SecurityManager, specific services related to protocols such as TLS are available, however must only be used in relation to those protocols. 6.3 Approved Mode Configuration In default operation the module will start with all algorithms and services enabled. If the module detects that the system property org.bouncycastle.fips.approved_only is set to true the module will start in approved mode and non-approved mode functionality will not be available. If the underlying JVM is running with a Java Security Manager installed the module will be running in approved mode with secret and private key export disabled. When the module is not used within the context of the Java Security Manager, it will start by default in the non-approved mode. Use of the module with a Java Security manager requires the setting of some basic permissions to allow the module HMAC-SHA-256 software integrity test to take place as well as to allow the in its original entirety (without revision).

Page 34
PermissionSettingsReqUsage

module itself to examine secret and private keys. The basic permissions required for the module to operate correctly with a Java Security manager are indicated by a Y: Available Java Permissions RuntimePermission “getProtectionDomain” Y Allows checksum to be carried out on jar. RuntimePermission “accessDeclaredMembers” Y Allows use of reflection API within the provider. PropertyPermission “java.runtime.name”, “read” N Only if configuration properties are used. SecurityPermission "putProviderProperty.BCFIPS" N Only if provider installed during execution. CryptoServicesPermission “unapprovedModeEnabled” N Only if non-approved mode algorithms required. CryptoServicesPermission “changeToApprovedModeEnabled” N Only if threads allowed to change modes. CryptoServicesPermission “exportSecretKey” N To allow export of secret keys only. CryptoServicesPermission “exportPrivateKey” N To allow export of private keys only. CryptoServicesPermission “exportKeys” Y Required to be applied for the module itself. Optional for any other codebase. CryptoServicesPermission “tlsNullDigestEnabled” N Only required for TLS digest calculations. CryptoServicesPermission “tlsPKCS15KeyWrapEnabled” N Only required if TLS is used with RSA encryption. CryptoServicesPermission “tlsAlgorithmsEnabled” N Enables both NullDigest and PKCS15KeyWrap. CryptoServicesPermission “defaultRandomConfig” N Allows setting of default SecureRandom. CryptoServicesPermission “threadLocalConfig” N Required to set a thread local property in the CryptoServicesRegistrar CryptoServicesPermission “globalConfig” N Required to set a global property in the CryptoServicesRegistrar. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2) by default. These values can also be configured by the Cryptographic Officer using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H. in its original entirety (without revision).

Page 35

6.4 Guidance for the use of DRBGs and Configuring the JVM's Entropy Source A user can instantiate the default Approved DRBG for the module explicitly by using SecureRandom.getInstance("DEFAULT", "BCFIPS"), or by using a BouncyCastleFipsProvider object instead of the provider name as appropriate. This will seed the Approved DRBG from the live entropy source of the JVM with a number of bits of entropy appropriate to the security strength of the default Approved DRBG configured for the module. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2). These values can also be configured by the user using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H. For the default the property would be set as: org.bouncycastle.entropy.factors: 4, 13, 8.0 in the java.security property file. An additional option is available using the Approved Hash_DRBG and the process outlined in SP800 90A, Section 8.6.5. This can be turned on by following the instructions in Section 2.3 of the User Guide. The two DRBGs are instantiated in a chain as a "Source DRBG" to seed the "Target DRBG" in accordance with Section 7 of Draft NIST SP 800-90C, where the Target DRBG is the default Approved DRBG used by the module. The initial seed and the subsequent reseeds for the DRBG chain come from the live entropy source configured for the JVM. The DRBG chain will reseed automatically by pausing for 20 requests (which will usually equate to 5120 bytes). An entropy gathering thread reseeds the DRBG chain when it has gathered sufficient entropy (currently 256 bits) from the live entropy source. Once reseeded, the request counter is reset and the reseed process begins again. The “Source DRBG” in the chain is internal to the module and inaccessible to the user to ensure it is only used for generating seeds for the default Approved DRBG of the module. The user shall ensure that the entropy source is configured per Section 6.1 of this Security Policy and will block, or fail, if it is unable to provide the amount of entropy requested. Physical Security This section is not applicable as the module is a software module. Non-Invasive Security This section is not applicable to this module. Sensitive Security Parameter Management All Sensitive Security Parameters (SSPs) used by the Module are described in this section in Table

  1. All usage of these SSPs by the Module (including all SSP lifecycle states) is described in the services detailed in Section
  2. Please note that the module does not perform automatic SSP establishment, it only provides the components to the calling application which can be used in SSP establishment. in its original entirety (without revision).
Page 36
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey/SSP Name/TypeZeroisation
AES encryption19128, 192, 256 bitsAES ECB, CBC, OFB, CFB8, CFB128, CTR, FF1, CBC- CS1, CBC- CS2, CBC- CS3, GCM, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18AES Encryption Keydestroy() service call or host platform power cycle
AES decryption128, 192, 256 bitsAES ECB, CBC, OFB, CFB8, CFB128, CTR, FF1, CBC- CS1, CBC- CS2, CBC- CS3, GCM, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18AES Decryption Keydestroy() service call or host platform power cycle
AES CMAC/GMAC128, 192, 256 bitsAES CMAC, GMAC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18AES Authentication Keydestroy() service call or host platform power cycle
AES (128/192/256) key wrapping key for KTS128, 192, 256 bitsAES KW, KWP, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18AES Wrapping Keydestroy() service call or host platform power cycle
Diffie-Hellman key agreement112, 128, 152, 176, 200 bitsKAS-FFC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18DH Agreement Private Keydestroy() service call or host platform power cycle
Diffie-Hellman key agreement112, 128, 152, 176, 200 bitsKAS-FFC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18DH Agreement Public KeyNot zeroized, public key value known outside of module
DSA signature generation112, 128 bitsDSA Signature Generation, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18DSA Signing Keydestroy() service call or host platform power cycle
DSA signature verification80, 112, 128 bitsDSA Signature Verification, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18DSA Verification KeyNot zeroized, public key value known outside of module
EC (P-224, P- 256, P-384, P- 521, K-233, K- 283, K-409, K- 571, B-233, B- 283, B-409 and B-571) key agreement112, 128, 192, 256 bitsKAS-ECC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18EC Agreement Private Keydestroy() service call or host platform power cycle
EC (P-224, P- 256, P-384, P- 521, K-233, K- 283, K-409, K- 571, B-233, B- 283, B-409 and B-571) key agreement112, 128, 192, 256 bitsKAS-ECC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18EC Agreement Public KeyNot zeroized, public key value known outside of module
ECDSA (P-224, P-256, P-384, P-521, K-233, K-283, K-409, K-571, B-233, B-283, B-409 and B-571) signature generation.112, 128, 192, 256 bitsECDSA Signature Generation, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18EC Signing Keydestroy() service call or host platform power cycle
ECDSA (P-192, P-224, P-256, P-384, P-521, K-163, K-233, K-283, K-409, K-571, B-163, B-233, B-283, B-409 and B- 571) signature verification.80, 112, 128, 192, 256 bitsECDSA Signature Verification, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18EC Verification KeyNot zeroized, public key value known outside of module
Keyed-Hash calculation (SHA-1, SHA- 2, SHA-3, KMAC).112-256 bitsSHA-1, SHA2, SHA3, KMAC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18HMAC/KMA C Authentication Keydestroy() service call or host platform power cycle
RSA signature generation112, 128, 152 bitsRSA Signature Generation, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18RSA Signing Keydestroy() service call or host platform power cycle
RSA signature verification80, 112, 128, 152 bitsRSA Signature Verification, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18RSA Verification KeyNot zeroized, public key value known outside of module
RSA key transport and decryption112, 128, 152 bitsKTS-IFC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18RSA Key Transport Private Key20destroy() service call or host platform power cycle
RSA key transport112, 128, 152 bitsKTS-IFC, CKG A4399DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18RSA Key Transport Public Key20Not zeroized, public key value known outside of module
Key Derivation112, 128, 192, 256 bitsKDF IKEv2 A4399Generated as output of an IKEv2 agreement schemeN/AN/A, the module does not provide persistent storageN/AIKEv2 KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation112-256 bitsPBKDF A4399Generated as output of a PBE key and a PRFN/AN/A, the module does not provide persistent storageN/APBKDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsKDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 A4399Generated as output of an agreement schemeN/AN/A, the module does not provide persistent storageN/ASP 800-56C- rev2 OneStep/TwoS tep KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsKDF SP800- 108 A4399Generated as output of an agreement schemeN/AN/A, the module does not provide persistent storageN/ASP 800-108- rev1 KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation128, 192, 256 bitsKDF SRTP A4399Generated as output of an SRTP agreement schemeN/AN/A, the module does not provide persistent storageN/ASRTP KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation80, 112, 128, 192, 256 bitsKDF SSH A4399Generated as output of an SSH agreement schemeN/AN/A, the module does not provide persistent storageN/ASSH KDF Secret Valuedestroy() service call or host platform power cycle
Used to derive keys using TLS KDF384 bitsKDF TLS A4399Protocol version (2 bytes) and 46 bytes from a DRBG16N/AN/A, the module does not provide persistent storageImport17, Export18TLS Premaster Secret Valuedestroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsKDF TLS A4399Generated as output of TLS agreement schemeN/AN/A, the module does not provide persistent storageN/ATLS KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsKDF ANS 9.63 A4399Generated as output of an agreement schemeN/AN/A, the module does not provide persistent storageN/AX9.63 KDF Secret Valuedestroy() service call or host platform power cycle
Random Number Generation>128 bitsN/AN/AN/AN/A, the module does not provide persistent storageObtained from the entropy sourceEntropy Input Stringdestroy() service call or host platform power cycle
Internal use128, 192, 256 bitsN/AN/AN/AN/A, the module does not provide persistent storageObtained from the entropy sourceCTR DRBG SeedImmediately after use or host platform power cycle
Internal use128 bitsN/AFrom seed valueN/AN/A, the module does not provide persistent storageN/ACTR DRBG V Valuereseed() service call or host platform power cycle
Internal use128, 192, 256 bitsN/AFrom DRBG V valueN/AN/A, the module does not provide persistent storageN/ACTR DRBG Keyreseed() service call or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AN/AN/AN/A, the module does not provide persistent storageFrom external entropy sourceHash DRBG SeedImmediately after use or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AFrom seed valueN/AN/A, the module does not provide persistent storageN/AHash DRBG V Valuereseed() service call or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AFrom DRBG V valueN/AN/A, the module does not provide persistent storageN/AHash DRBG C Valuereseed() service call or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AN/AN/AN/A, the module does not provide persistent storageFrom external entropy sourceHMAC DRBG SeedImmediately after use or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AFrom seed valueN/AN/A, the module does not provide persistent storageN/AHMAC DRBG V Valuereseed() service call or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AFrom DRBG V valueN/AN/A, the module does not provide persistent storageN/AHMAC DRBG Keyreseed() service call or host platform power cycle
Used as seed for asymmetric key generation or for symmetric key generation128, 192, 256 bitsN/ADRBGN/AN/A, the module does not provide persistent storageN/ADRBG Outputdestroy() service call or host platform power cycle

FF1, CBCCS1, CBCCS2, CBCCS3, GCM, N/A FF1, CBCCS1, CBCCS2, CBCCS3, GCM, N/A Key generator used in conjunction with an approved DRBG. Import done via key constructor and/or factory (Electronic Entry). Export done via key recovery using getEncoded() method and followed by separate step to export key details as either plaintext or encrypted (Electronic Entry). The AES-GCM key and IV is generated randomly per IG C.H, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. in its original entirety (without revision).

Page 37

N/A N/A N/A N/A in its original entirety (without revision).

Page 38

N/A N/A N/A EC (P-224, P256, P-384, P521, K-233, K283, K-409, K571, B-233, B283, B-409 and N/A EC (P-224, P256, P-384, P521, K-233, K283, K-409, K571, B-233, B283, B-409 and in its original entirety (without revision).

Page 39

N/A N/A C N/A in its original entirety (without revision).

Page 40

N/A N/A N/A N/A RSA key transport using PKCS#1 1.5 padding is deprecated through 2023 and disallowed after 2023. in its original entirety (without revision).

Page 41

N/A N/A N/A N/A N/A N/A KDF SP800108 N/A N/A N/A N/A in its original entirety (without revision).

Page 42

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A in its original entirety (without revision).

Page 43

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A in its original entirety (without revision).

Page 44

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A in its original entirety (without revision).

Page 45

Table 12 - SSPs in its original entirety (without revision).

Page 46
Approved algorithm
NameKey Size
DetailsMinimum number of bits ofEntropy sources
entropyentropy
As per FIPS 140-3 IG 9.3.A Section 2b, a minimum of 16 bytes is required from the source configured for seed generation for the JVM. The entropy reader will block until the seed generator has provided the minimum number of bytes.128Passive Entropy

9.1 The module’s use of Non-Deterministic Random Number Generators is determined by the settings described in Section 6.1. Table 13 - Non-Deterministic Random Number Generation Specification Self-Tests CASTs are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target. 10.1 Pre-Operational Self-Tests Each time the module is powered up, it performs the pre-operational self-tests to confirm that sensitive data have not been damaged. The pre-operational tests include the Software Integrity test, which verifies the module using HMAC-SHA2-256, and the HMAC and SHS Conditional Cryptographic Algorithm Self-Tests (CAST) which are run prior to the Software Integrity test to ensure the correctness of the HMAC used. Pre-operational self–tests are available on demand by power cycling the module. 10.2 Conditional Self-Tests The module performs conditional self-tests when the conditions specified for cryptographic algorithm self-test and pair-wise consistency tests occur. Below are the self-tests implemented: Conditional Cryptographic Algorithm Self-Test:

Page 47
Page 48

Life-Cycle Assurance Vulnerabilities found in the module will be reported on the National Vulnerability Database, located at https://nvd.nist.gov/. Researchers and users are encouraged to report any security related concerns to feedbackcrypto@bouncycastle.org. A PGP public key can be provided if confidentiality is required around the report. Please find the procedures for secure installation, initialization, startup and operation of the module: The module exists as part of the running JVM as such:

Page 49

advantage of undetected errors in the use of RSA private keys with CRT values and, if exploitable, can be used to discover the private value of the RSA key. its original entirety (without revision).

Page 50

Appendix: References and Definitions The following standards are referred to in this Security Policy. ANSI X9.31 X9.31-1998, Digital Signatures using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), September 9, 1998 FIPS 140-3 Security Requirements for Cryptographic modules, March 22, 2019 FIPS 180-4 Secure Hash Standard (SHS) FIPS 186-3 Digital Signature Standard (DSS) FIPS 186-4 Digital Signature Standard (DSS) FIPS 197 Advanced Encryption Standard FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program PKCS#1 v2.1 RSA Cryptography Standard PKCS#5 Password-Based Cryptography Standard PKCS#12 Personal Information Exchange Syntax StandardRecommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication SP 800-38C Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping SP 800-38G Recommendation for Block Cipher Modes of Operation: Methods for FormatPreserving Encryption SP 800-56A-rev3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography SP 800-56B-rev2 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography SP 800-56C-rev2 Recommendation for Key Derivation through Extraction-then-Expansion SP 800-67-rev2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications SP 800-90A Recommendation for Random Number Generation Using Deterministic Random Bit Generators SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation SP 800-108-rev1 Recommendation for Key Derivation Using Pseudorandom Functions SP 800-132 Recommendation for Password-Based Key Derivation SP 800-133-rev2 Recommendation for Cryptographic Key Generation SP 800-135-rev1 Recommendation for Existing Application

Page 51

The following are acronyms used in this Security Policy: AES Advanced Encryption Standard API Application Programming Interface BC Bouncy Castle BC-FJA Bouncy Castle FIPS Java API CBC Cipher-Block Chaining CCM Counter with CBC-MAC CDH Computational Diffie-Hellman CFB Cipher Feedback Mode CMAC Cipher-based Message Authentication Code CMVP Crypto Module Validation Program CO Cryptographic Officer CPU Central Processing Unit CS Ciphertext Stealing CSP Critical Security Parameter CTR Counter-mode CVL Component Validation List DES Data Encryption Standard DH Diffie-Hellman DRAM Dynamic Random Access Memory DRBG Deterministic Random Bit Generator DSA Digital Signature Authority DSTU4145 Ukrainian DSTU-4145-2002 Elliptic Curve Scheme EC Elliptic Curve ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Authority EdDSA Edwards Curve DSA using Ed25519, Ed448 EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standards GCM Galois/Counter Mode GMAC Galois Message Authentication Code GOST Gosudarstvennyi Standard Soyuza SSR/Government Standard of the Union of Soviet Socialist Republics GPC General Purpose Computer HMAC key-Hashed Message Authentication Code IG See References JAR Java ARchive JCA JCE Java Cryptography Architecture Java Cryptography Extension its original entirety (without revision).

Page 52

JDK Java Development Kit JRE Java Runtime Environment JVM Java Virtual Machine IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KW Key Wrap KWP Key Wrap with Padding KMAC KECCAK Message Authentication Code MAC Message Authentication Code MD5 Message Digest algorithm MD5 N/A Non Applicable OCB Offset Codebook Mode OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PKCS Public Key Cryptography Standards PQG Diffie-Hellman Parameters P, Q and G RC Rivest Cipher, Ron’s Code RIPEMD RACE Integrity Primitives Evaluation Message Digest RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter TCBC TDEA Cipher-Block Chaining TCFB TDEA Cipher Feedback Mode TDEA Triple Data Encryption Algorithm TDES Triple Data Encryption Standard TECB TDEA Electronic Codebook TOFB TDEA Output Feedback TLS Transport Layer Security USB Universal Serial Bus XDH XOF Edwards Curve Diffie-Hellman using X25519, X448 Extendable-Output Function its original entirety (without revision).

Referenced URLs