| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/28/2029 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Broadcom Inc. |
flowchart LR
%% Deterministic review-risk graph for VMware's BC-FJA (Bouncy Castle FIPS Java API)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for VMware's BC-FJA (Bouncy Castle FIPS Java API)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Show Status<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;3401 Hillview Ave VMware's BC-FJA (Bouncy Castle FIPS Java API)
Palo Alto, CA 94304, USA Tel: 877-486-9273 Email: vcf.fips@broadcom.com www.broadcom.com VMware's BC-FJA (Bouncy Castle FIPS Java API) Software Version: 2.0.0 FIPS Security Level: 1 Document Version: 1.7 Date: March 31, 2025 © 2025 Broadcom Inc. 1
VMware's BC-FJA (Bouncy Castle FIPS Java API) Table of Contents © 2025 Broadcom Inc. 2
VMware's BC-FJA (Bouncy Castle FIPS Java API) List of Tables List of Figures © 2025 Broadcom Inc. 3
VMware's BC-FJA (Bouncy Castle FIPS Java API)
This document defines the Security Policy for the VMware’s BC-FJA (Bouncy Castle FIPS Java API) Module from Broadcom Inc., hereafter denoted the Module. The Module is a cryptographic library and has a Multi-Chip Stand Alone embodiment. The Module meets FIPS 140-3 overall Level 1 requirements. The SW version is 2.0.0. The FIPS 140-3 security levels for the Module are given in Table 1as follows: ISO/IEC 24759 Security Security Requirement Section 6. Number Level
Attacks Table 1: Security Levels
The module checksum, functionality, and versioning can be confirmed by executing the command: java -cp bc-fips-2.0.0.jar org.bouncycastle.util.DumpInfo which should display: Version Info: BouncyCastle Security Provider (FIPS edition) v2.0.0 FIPS Ready Status: READY © 2025 Broadcom Inc. 4
VMware's BC-FJA (Bouncy Castle FIPS Java API) Module SHA-256 HMAC: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e Indicating the jar represents the software release VMware’s BC-FJA 2.0.0, that it has successfully passed all its startup tests, and that the software release is confirmed to have a HMAC of: 164c8ae41945cb85fdc65666fc4de7301a65d29659ecd455ee5199c7d42d107e © 2025 Broadcom Inc. 5
VMware's BC-FJA (Bouncy Castle FIPS Java API)
The Module is intended for use by US Federal agencies and other markets that require a FIPS 140-3 validated Cryptographic Library. The Module is of type software and the module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips2.0.0.jar. This module is the only software component within the Cryptographic Boundary and the only software component that carries out cryptographic functions covered by FIPS 140-3. Figure 1 shows the logical relationship of the cryptographic module to the other software and hardware components of the computer. The BC classes are executed on the Java Virtual Machine (JVM) using the classes of the Java Runtime Environment (JRE). The JVM is the interface to the computer’s Operating System (OS) that is the interface to the various physical components of the computer. Figure 1: Cryptographic Boundary The cryptographic module was tested on the following operational environments on the generalpurpose computer (GPC) platforms detailed in Table 2, which is also the TOEPP (Tested Operational Environment’s Physical Perimeter) of the module. © 2025 Broadcom Inc. 6
VMware's BC-FJA (Bouncy Castle FIPS Java API) # Operating System Hardware Platform Processor PAA/Accelera tion
1 VMware Photon OS 4.0 Dell PowerEdge Intel Xeon Gold Without PAA
with JRE 8 on VMware R650 6330 ESXi 8.0
2 VMware Photon OS 4.0 Dell PowerEdge Intel Xeon Gold Without PAA
with JRE 11 on VMware R650 6330 ESXi 8.0
3 VMware Photon OS 4.0 Dell PowerEdge Intel Xeon Gold Without PAA
with JRE 17 on VMware R650 6330 ESXi 8.0
4 VMware Photon OS 5.0 Dell PowerEdge Intel Xeon Gold Without PAA
with JRE 21 on VMware R650 6330 ESXi 8.0
5 VMware Photon OS 3.0 Dell PowerEdge Intel Xeon Gold Without PAA
with Java SE Runtime R650 6330 Environment v11 on VMware ESXi 8.0
6 VMware Photon OS 5.0 Dell PowerEdge Intel Xeon Gold Without PAA
with Java SE Runtime R650 6330 Environment v11 on VMware ESXi 8.0
7 Ubuntu 22.04 with Java Dell PowerEdge Intel Xeon Gold Without PAA
SE Runtime R650 6330 Environment v11 on VMware ESXi 8.0
8 Amazon Linux 2023 Dell PowerEdge Intel Xeon Gold Without PAA
with Java SE Runtime R650 6330 Environment v17 on VMware ESXi 8.0 © 2025 Broadcom Inc. 7
VMware's BC-FJA (Bouncy Castle FIPS Java API)
9 CentOS 9.0 with Java SE Dell PowerEdge Intel Xeon Gold Without PAA
Runtime Environment R650 6330 v17 on VMware ESXi 8.0
10 VMware Photon OS 5.0 Dell PowerEdge Intel Xeon Gold Without PAA
with Java SE Runtime R650 6330 Environment v17 on VMware ESXi 8.0
11 Red Hat Enterprise Dell PowerEdge Intel Xeon Gold Without PAA
Linux 9.3 with Java SE R650 6330 Runtime Environment v17 on VMware ESXi 8.0
12 VMware Photon OS 4.0 Dell PowerEdge Intel Xeon Gold Without PAA
with Java SE Runtime R650 6330 Environment v21 on VMware ESXi 8.0 Table 2: Tested Operational Environments The cryptographic module will remain compliant with the FIPS 140-3 validation when operating on any general-purpose computer (GPC) provided that:
1 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
2 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
3 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
4 Java SE Runtime Environment v21 (21) Generic Hardware Platform
5 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
6 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Linux Centos © 2025 Broadcom Inc. 8
VMware's BC-FJA (Bouncy Castle FIPS Java API)
7 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
8 Java SE Runtime Environment v21 (21) Generic Hardware Platform
9 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
with Red Hat Enterprise Linux
10 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Red Hat Enterprise Linux
11 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
with Red Hat Enterprise Linux
12 Java SE Runtime Environment v21 (21) Generic Hardware Platform
with Red Hat Enterprise Linux
13 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
14 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
15 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
16 Java SE Runtime Environment v21 (21) Generic Hardware Platform
17 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
18 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
19 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
20 Java SE Runtime Environment v21 (21) Generic Hardware Platform
21 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
with Linux Oracle RHC
22 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Linux Oracle RHC
23 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
with Linux Oracle RHC
24 Java SE Runtime Environment v21 (21) Generic Hardware Platform
with Linux Oracle RHC
25 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
with Linux Oracle UEK
26 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Linux Oracle UEK
27 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
with Linux Oracle UEK
28 Java SE Runtime Environment v21 (21) Generic Hardware Platform
with Linux Oracle UEK
29 Java SE Runtime Environment v17 (1.8) Generic Hardware Platform
30 Java SE Runtime Environment v17 (1.11) Generic Hardware Platform
31 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
with Linux Photon © 2025 Broadcom Inc. 9
VMware's BC-FJA (Bouncy Castle FIPS Java API)
32 Java SE Runtime Environment v21 (21) Generic Hardware Platform
33 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
34 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
35 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
36 Java SE Runtime Environment v21 (21) Generic Hardware Platform
37 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
38 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
39 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
40 Java SE Runtime Environment v21 (21) Generic Hardware Platform
41 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
42 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
43 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
44 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
45 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
46 Java SE Runtime Environment v21 (21) Generic Hardware Platform
47 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
with Microsoft Windows Server
48 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Microsoft Windows Server
49 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
with Microsoft Windows Server
50 Java SE Runtime Environment v21 (21) Generic Hardware Platform
with Microsoft Windows Server
51 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
with Microsoft Windows XP
52 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Microsoft Windows XP
53 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
with Microsoft Windows XP
54 Java SE Runtime Environment v21 (21) Generic Hardware Platform
with Microsoft Windows XP
55 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
56 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
with Solaris © 2025 Broadcom Inc. 10
VMware's BC-FJA (Bouncy Castle FIPS Java API)
57 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
58 Java SE Runtime Environment v21 (21) Generic Hardware Platform
59 Java SE Runtime Environment v8 (1.8) Generic Hardware Platform
60 Java SE Runtime Environment v11 (1.11) Generic Hardware Platform
61 Java SE Runtime Environment v17 (1.17) Generic Hardware Platform
62 Java SE Runtime Environment v21 (21) Generic Hardware Platform
63 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Cascade
with Red Hat Enterprise Linux Lakes
64 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Cascade
with Red Hat Enterprise Linux Lakes
65 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Sapphire
with Red Hat Enterprise Linux Rapids
66 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Sapphire
with Red Hat Enterprise Linux Rapids
67 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Cascade
68 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Cascade
69 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Sapphire
70 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Sapphire
71 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Cascade
72 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Cascade
73 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Sapphire
74 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Sapphire
75 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Haswell
76 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Haswell
77 Java SE Runtime Environment v17 (1.17) Generic hardware platform with Intel Broadwell
78 Java SE Runtime Environment v21 (21) Generic hardware platform with Intel Broadwell
with ClevOS Table 3: Vendor Affirmed Operational Environments © 2025 Broadcom Inc. 11
VMware's BC-FJA (Bouncy Castle FIPS Java API) For the avoidance of doubt, it is hereby stated that the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. The Module implements the Approved and Non-Approved but Allowed cryptographic functions with no security claimed listed in Table 4 and 5 below. There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. The Module supports both Approved and Non-Approved mode of operation. Please see Section 6.3 for configuration of the Module in Approved mode of operation. Please see Section 11 for initialization steps. CAVP Algorithm Mode/Method Description/Key Sizes(s)/Key Use/Function Cert and Standard Strength(s) A4399, AES ECB, CBC, Key sizes: 128, 192, 256 bits Encryption, A5205 [FIPS 197, SP 800- OFB, CFB8, Decryption 38A], AES-FF1 CFB128, CTR, Format Preserving FF1 Encryption [SP 800-38G] A4399, AES-CBC CBC-CS1, Key sizes: 128, 192, 256 bits Encryption, A5205 Ciphertext CBC-CS2, Decryption Stealing (CS) CBC-CS3 [Addendum to SP 800-38A, Oct 2010] A4399, CCM N/A Key sizes: 128, 192, 256 bits Generation, A5205 [SP 800-38C] Authentication A4399, CMAC AES Key sizes: AES with 128, 192, Generation, A5205 [SP 800-38B] 256 bits Authentication A4399, GCM/GMAC1 N/A Key sizes: 128, 192, 256 bits Generation, A5205 [SP 800-38D] Authentication A4399, Counter DRBG N/A AES-128, AES-192, AES-256 AES-CTR DRBG. A5205 [SP 800-90Ar1] A4399, Hash DRBG N/A SHA sizes: SHA-1, SHA2-224, Hash DRBG. A5205 [SP 800-90Ar1] SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2512/256 A4399, HMAC DRBG N/A SHA sizes: SHA-1, SHA2-224, HMAC DRBG. A5205 [SP 800-90Ar1] SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2512/256 GCM encryption with an internally generated IV, see section 8.4 concerning external IVs. IV generation is compliant with IG C.H. © 2025 Broadcom Inc. 12
VMware's BC-FJA (Bouncy Castle FIPS Java API) CAVP Algorithm Mode/Method Description/Key Sizes(s)/Key Use/Function Cert and Standard Strength(s) A4399, DSA2 N/A Key sizes: 1024, 2048, 3072 PQG Generation, A5205 [FIPS 186-4] bits (1024 only for SigVer) PQG Verification, Key Pair Generation, Signature Generation, Signature Verification A4399, ECDSA N/A Curves/Key sizes: P-192*, P- Public Key A5205 [FIPS 186-4] 224, P-256, P-384, P-521, K- Generation, 163*, K-233, K-283, K-409, K- Signature 571, B-163*, B-233, B-283, B- Generation, 409, B-571 Signature Verification, Public Key Validation * Curves only used for Signature Verification and Public Key Validation A4399, KDA-HKDF N/A PRFs: HMAC SHA-1, HMAC Key Derivation A5205 [SP 800-56C, Rev SHA-224, HMAC SHA-256, 2] HMAC SHA-384, HMAC SHA512, HMAC SHA-512/224, HMAC SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3A4399, HMAC N/A SHA sizes: SHA-1, SHA-224, Generation, A5205 [FIPS 198-1] SHA-256, SHA-384, SHA-512, Authentication SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 DSA signature generation with SHA-1 is only for use with protocols. © 2025 Broadcom Inc. 13
VMware's BC-FJA (Bouncy Castle FIPS Java API) CAVP Algorithm Mode/Method Description/Key Sizes(s)/Key Use/Function Cert and Standard Strength(s) A4399, KAS-FFC3 N/A Domain Parameter Generation Key Agreement A5205 [SP 800-56A-rev3] Methods/Scheme: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP4096, MODP-6144, MODP8192 dhHybrid1, MQV2, dhEphem, dhHybrid, OneFlow, MQV1, dhOneFlow, dhStatic Groups specified above providing between 112 and 200 bits of encryption strength A4399, KAS-ECC3 N/A Domain Parameter Generation Key Agreement A5205 [SP 800-56A-rev3] Methods/Scheme: P-224, P256, P-384, P-521, K-233, K283, K-409, K-571, B-233, B283, B-409, B-571 ephemeralUnified, fullMqv, fullUnified, onePassDh, onePassMqv, onePassUnified, staticUnified Curves specified above providing between 112 and 256 bits of encryption strength A4399, KDA, One Step N/A PRFs: SHA-1, SHA-224, SHA- Key Derivation A5205 [SP 800-56C-rev2] 256, SHA-384, SHA-512, SHA512/224, SHA-512/256, SHA3224, SHA3-256, SHA3-384, SHA3-512, HMAC SHA-1, HMAC SHA-224, HMAC SHA256, HMAC SHA-384, HMAC SHA-512, HMAC SHA-512/224, HMAC SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3512, KMAC-128, KMAC-256 A4399, KDA, Two Step N/A PRFs: HMAC SHA-1, HMAC Key Derivation A5205 [SP 800-56C-rev2] SHA-224, HMAC SHA-256, HMAC SHA-384, HMAC SHA512, HMAC SHA-512/224, HMAC SHA-512/256, HMAC SHA3-224, HMAC SHA3-256, HMAC SHA3-384, HMAC SHA3512, KMAC-128, KMAC-256 Keys are not established directly into the module using the key agreement algorithms. © 2025 Broadcom Inc. 14
VMware's BC-FJA (Bouncy Castle FIPS Java API) CAVP Algorithm Mode/Method Description/Key Sizes(s)/Key Use/Function Cert and Standard Strength(s) CVL KDF, Existing N/A TLS v1.0/1.1 KDF Key Derivation A4399, ApplicationA5205 Specific4 SHA sizes: SHA2-256, SHA2384, SHA2-512 [SP 800-135-rev1] CVL KDF, Existing N/A TLS 1.2 KDF Key Derivation A4399, ApplicationA5205 Specific SHA sizes: SHA2-256, SHA2384, SHA2-512 [SP 800-135-rev1] CVL KDF, Existing N/A SNMP KDF Key Derivation A4399, ApplicationA5205 Specific4 Password Length: 64, 8192 [SP 800-135-rev1] CVL KDF, Existing N/A SSH KDF Key Derivation A4399, ApplicationA5205 Specific4 SHA sizes: SHA2-224 [SP 800-135-rev1] CVL KDF, Existing N/A X9.63 KDF Key Derivation A4399, Application- Can be used A5205 Specific4 SHA sizes: SHA2-224, SHA2- along with KAS256, SHA2-384, SHA2-512 SSC [SP 800-135-rev1] CVL KDF, Existing N/A IKEv2 KDF Key Derivation A4399, ApplicationA5205 Specific4 SHA sizes: SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2[SP 800-135-rev1] 512 CVL KDF, Existing N/A SRTP KDF Key Derivation A4399, ApplicationA5205 Specific4 [SP 800-135-rev1] A4399, KDF, Password- N/A Options: PBKDF with Option 1a Key Derivation A5205 Based Types: HMAC-based KDF using [SP 800-132] SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 No parts of the protocols (TLS, SSHv2, X9.63, IKEv2, SRTP, SNMPv3), other than the approved cryptographic algorithms and the KDFs, have been reviewed or tested by the CAVP and CMVP. © 2025 Broadcom Inc. 15
VMware's BC-FJA (Bouncy Castle FIPS Java API) CAVP Algorithm Mode/Method Description/Key Sizes(s)/Key Use/Function Cert and Standard Strength(s) A4399, KDF, using Counter Mode, Types: CMAC-based KBKDF Key Derivation A5205 Pseudorandom Feedback with AES, HMAC-based KBKDF Functions5 Mode, Double- with SHA-1, SHA-224, SHA[SP 800-108] Pipeline 256, SHA-384, SHA-512, SHA3Iteration Mode 224, SHA3-256, SHA3-384, SHA3-512 A4399, Key Wrapping AES KW, KWP Key sizes: 128, 192, 256 bits Key Wrapping A5205 Using Block (Key establishment Ciphers6 methodology providing 128, [SP 800-38F] 192 or 256 bits of encryption strength) A4399, RSA N/A Key sizes: 2048, 3072, 4096 Key Pair A5205 [FIPS 186-4, ANSI Generation X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)] A4399, RSA N/A Key sizes: 2048, 3072, 4096 Signature A5205 [FIPS 186-4, ANSI Generation X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)] A4399, RSA N/A Key sizes: 1024, 2048, 3072, Signature A5205 [FIPS 186-4, ANSI 4096 Verification X9.31-1998 and PKCS #1 v2.1 (PSS and PKCS1.5)] A4399, RSA [FIPS 186-2, N/A Key sizes: 1024, 1536, 2048, Signature A5205 ANSI X9.31- 3072, 4096 Verification
#1 v2.1 (PSS and PKCS1.5)] CVL RSA Decryption N/A Key size: 2048 Component Test A4399, Primitive A5205 CVL RSA Signature N/A Key size: 2048 Component Test A4399, Primitive A5205 Note: CAVP testing is not provided for use of the PRFs SHA-512/224 and SHA-512/256. These must not be used in approved mode. Keys are not established directly into the module using key unwrapping. © 2025 Broadcom Inc. 16
VMware's BC-FJA (Bouncy Castle FIPS Java API) CAVP Algorithm Mode/Method Description/Key Sizes(s)/Key Use/Function Cert and Standard Strength(s) A4399, KTS-IFC N/A RSA-OAEP with, and without, Key Transport A5205 [SP 800-56B-rev2, key confirmation. Section 7.2.2] Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength Key Generation Method: rsakpg2-crt A4399, KAS-IFC N/A RSASVE with, and without, key Key Agreement A5205 [SP 800-56B-rev2, confirmation. Section 7.2.1] Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength A4399, Safe Primes N/A Parameter sets: ffdhe2048, Key Generation, A5205 [SP 800-56A-rev3] ffdhe3072, ffdhe4096, Key Verification ffdhe6144, ffdhe8192, MODP2048, MODP-3072, MODP4096, MODP-6144, MODP8192 A4399, SHS N/A SHA sizes: SHA-1, SHA-224, Digital Signature A5205 [FIPS 180-4] SHA-256, SHA-384, SHA-512, Generation, SHA-512/224, SHA-512/256 Digital Signature Verification, nonDigital Signature Applications A4399, SHA-3, SHAKE N/A SHA3-224, SHA3-256, SHA3- Digital Signature A5205 [FIPS 202] 384, SHA3-512, SHAKE128, Generation, SHAKE256 Digital Signature Verification, nonDigital Signature Applications A4399, SHA-3 Derived N/A Types: cSHAKE-128, KMAC- Digital Signature A5205 Functions 128, TupleHash-128, Generation, [SP 800-185] ParallelHash-128, cSHAKE- Digital Signature 256, KMAC-256, TupleHash- Verification, non256, ParallelHash-256 Digital Signature Applications Vendor CKG using output N/A Section 6.1 (Asymmetric from Key Generation Affirm from DRBG7 DRBG) ed IG [SP 800-133-rev2] Section 6.1 (Symmetric from D.H DRBG) Table 4: Approved Algorithms The resulting key or a generated seed is an unmodified output from a DRBG © 2025 Broadcom Inc. 17
VMware's BC-FJA (Bouncy Castle FIPS Java API) Algorithm Caveat Description MD5 within TLS Allowed per IG 2.4.A, no MD5 used within a TLS handshake. security claimed Table 5: Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Algorithm/Function Use/Function AES (non-compliant8) Non-FIPS modes for AES ARC4 (RC4) ARC4/RC4 stream cipher Blowfish Blowfish block cipher Camellia Camellia block cipher CAST5 CAST5 block cipher ChaCha20 ChaCha20 stream cipher ChaCha20-Poly1305 AEAD ChaCha20 using Poly1305 as the MAC DES DES block cipher Diffie-Hellman KAS (non- non-compliant key agreement methods compliant9) DSA (non-compliant10) non-approved digest signatures using DSA DSTU4145 DSTU4145 EC algorithm ECDSA (non-compliant ) non-approved digest signatures using ECDSA EdDSA Ed25519 and Ed448 signature algorithms ElGamal ElGamal key transport algorithm FF3-1 Format Preserving Encryption
VMware's BC-FJA (Bouncy Castle FIPS Java API) Algorithm/Function Use/Function HMAC-RIPEMD160 RIPEMD160 HMAC HMAC-RIPEMD256 RIPEMD256HMAC HMAC-RIPEMD320 RIPEMD320 HMAC HMAC-TIGER TIGER HMAC HMAC-WHIRLPOOL WHIRLPOOL HMAC HSS HSS signature scheme (RFC 8708) IDEA IDEA block cipher KAS using SHA-512/224 or Key Agreement using SHA-512/224 and SHA-512/256 SHA-512/256 based KDFs KBKDF using SHA-512/224 or PBKDF2 using the PRFs SHA-512/224 and SHASHA-512/256 (non-compliant) 512/256 LMS LMS signature scheme (RFC 8708) MD5 MD5 message digest OpenSSL PBKDF (non- OpenSSL PBE key derivation scheme compliant) PKCS#12 PBKDF (non- PKCS#12 PBE key derivation scheme compliant) PKCS#5 Scheme 1 PBKDF (non- PKCS#5 PBE key derivation scheme compliant) Poly1305 Poly1305 message MAC PRNG X9.31 X9.31 PRNG RC2 RC2 block cipher RIPEMD128 RIPEMD128 message digest RIPEMD160 RIPEMD160 message digest RIPEMD256 RIPEMD256 message digest RIPEMD320 RIPEMD320 message digest RSA (non-compliant ) 12 Non-compliant RSA signature schemes RSA KTS (non-compliant ) 13 Non-compliant RSA key transport schemes SCrypt (non-compliant) SCrypt using non-compliant PBKDF2 SEED SEED block cipher Serpent Serpent block cipher SipHash SipHash MAC SHACAL-2 SHACAL2 block cipher TIGER TIGER message digest Keys are not directly established into the module using key agreement or transport techniques. Support for additional digests and signature formats, PKCS#1 1.5 key wrapping, support for additional key sizes. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. © 2025 Broadcom Inc. 19
VMware's BC-FJA (Bouncy Castle FIPS Java API) Algorithm/Function Use/Function Triple-DES Triple-DES cipher Twofish Twofish block cipher WHIRLPOOL WHIRLPOOL message digest XDH X25519 and X448 key agreement algorithms Table 6: Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
The module design corresponds to the Module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.
VMware's BC-FJA (Bouncy Castle FIPS Java API) result in an exception being generated by the module. For example, if an RSA private key has been created in either approved or non-approved mode, then any request to access that key will first need to see if the thread making the request is in the same mode. From approved mode to non-approved mode: The module cannot transition from approved mode to non-approved mode. To initiate the module in non-approved mode, either it should not be used in the context of Java Security Manager, or the module should have the permission “org.bouncycastle.crypto.CryptoServicesPermission unapprovedModeEnabled” granted by the Java Security Manager
IVs for GCM can be generated randomly, or via a FipsNonceGenerator. Where an IV is not generated within the module the module supports the importing of GCM IVs. In approved mode, when a GCM IV is generated randomly, the module enforces the use of an approved DRBG in line with Section 8.2.2 of SP 800-38D. In approved mode, when a GCM IV is generated using the FipsNonceGenerator a counter is used as the basis for the nonce and the IV is generated in accordance with TLS protocol. Rollover of the counter in the FipsNonceGenerator will result in an IllegalStateException indicating the FipsNonceGenerator is exhausted and, as per IG C.H, where used for TLS 1.2, rollover will terminate any TLS session in process using the current key and the exception can only be recovered from by using a new handshake and creating a new FipsNonceGenerator. In approved mode, importing a GCM IV for encryption that originates from outside the module is non-conformant. A service indicator for IV usage is provided in the module through Java logging. Setting the logging level to Level.FINE for the named logger “org.bouncycastle.jcajce.provider.BaseCipher” will produce a log message when an IV which may have been produced outside the module and/or not from a compliant source is detected. The log message will be of the standard form including the detail: FINE: Passed in GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Setting the logging level to Level.FINER will produce an additional log message for any GCM IV which is used if the previous Level.FINE message is not activated. Log messages in this case will show the detail as: FINER: GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Per IG C.H, in the event module power is lost and restored the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The AES-GCM Mode falls under:
VMware's BC-FJA (Bouncy Castle FIPS Java API)
In line with the requirements for SP 800-132, keys generated using the approved PBKDF must only be used for storage applications. Any other use of the approved PBKDF is non-conformant. In approved mode the module enforces that any password used must encode to at least 14 bytes (112 bits) and that the salt is at least 16 bytes (128 bits) long. The iteration count associated with the PBKDF should be as large as practical. As the module is a general-purpose software module, it is not possible to anticipate all the levels of use for the PBKDF, however a user of the module should also note that a password should at least contain enough entropy to be unguessable and also contain enough entropy to reflect the security strength required for the key being generated. In the event a password encoding is simply based on ASCII a 14 byte password is unlikely to contain sufficient entropy for most purposes as the standard set of printable characters only allows for as much as 6 bits of entropy per byte, giving a password which for the case of 14 bytes, yields a key that has been generated using 14 * 6 bits, giving only 84 bits of security, well below what is required for a key with the same level of hardness as a 112 bit one. Users are referred to Appendix A, “Security Considerations” of SP 800-132 for further information on password, salt, and iteration count selection. The iteration count value is provided by the user
The cSHAKE algorithm offers to input string for customizing the output of the cSHAKE function, the Function-Name input (N) and the Customization String (S). The Function-Name input (N) is reserved for values specified by NIST and should only be set to the appropriate NIST specified value. Any other use of N is non-conformant. The Customization String (S) is available to allow users to customize the cSHAKE function as they wish. The length of S is limited to the available size of a byte array in the JVM running the module. © 2025 Broadcom Inc. 22
VMware's BC-FJA (Bouncy Castle FIPS Java API)
The module supports both FF1 and, in non-approved mode, FF3-1 format preserving encryption. Below shows the parameter constraints applicable to the module’s implementation. SP800-38G Format-Preserving Encryption Constraints radix in range of 2..216 in range of 2..216 radixminlen >= 1000000 >= 1000000 minlen >= 2 octets 2 octets maxlen < 232 octets 2 * floor(logradix(296)) octets maxTlen >= 0 octets 8 octets (fixed) An attempt to use the FF1 or FF3-1 without meeting the radixminlen constraint or by exceeding maxlen will result in an IllegalArgumentException. Note: only FF1 should be used in approved mode.
The module performs Cryptographic Key Generation in conformance to FIPS 140-3 IG D.H. The CKG for symmetric keys and seeds used for generating asymmetric keys is performed as per Section 4 of the SP800-133r2 and compliant with FIPS 186-4 and SP800-90Arev1 for DRBG. The seed used in asymmetric key generation is the direct output of SP800-90Arev1 DRBG.
The VMware’s BC-FJA (Bouncy Castle FIPS Java API) Module is a software module, and therefore, control of the physical ports is outside of the module’s scope. The module does provide a set of logical interfaces which are mapped to the following FIPS 140-3 defined logical interfaces: data input, data output, control input, status output, and power. When the module performs selftests, is in an error state, is generating keys, or performing zeroization, the module prevents all output on the logical data output interface as only the thread performing the operation has access to the data. The module is single-threaded, and in an error state, the module does not return any output data, only an error value. The module does not implement control output interface. The mapping of the FIPS 140-3 logical interfaces to the module is described in Table 7. Interface Module Equivalent Data Input API input parameters
VMware's BC-FJA (Bouncy Castle FIPS Java API) Interface Module Equivalent Status Output API output parameters and return/error codes that provide status information used to indicate the state of the module. Table 7: Ports and Interfaces
The jar file representing the module needs to be installed in a JVM’s class path in a manner appropriate to its use in applications running on the JVM. Functionality in the module is provided in two ways. At the lowest level there are distinct classes that provide access to the approved and non-approved services provided by the module. A more abstract level of access can also be gained using strings providing operation names passed into the module’s Java cryptography provider through the APIs described in the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). When the module is being used in approved mode, classes providing implementations of algorithms which are not approved, or allowed, are explicitly disabled. SSPs such as private and secret keys implement the Destroyable interface. Where appropriate these SSPs can be zeroized on demand by invoking the destroy() method. The return of the destroy() method indicates that the zeroization is complete. Roles, with corresponding service with input and output is specified in Table 8 below: Role Service Input Output CO/User Initialize Module and Run N/A Exception in case of failure Self-Tests on Demand CO/User Show Status N/A Boolean CO/User Info Service N/A Module name and version CO/User Zeroize / Power-off N/A Shutdown indication CO/User Data Encryption Key, Plaintext Ciphertext CO/User Data Decryption Key, Ciphertext Plaintext CO/User MAC Calculation Key, Message MAC CO/User Signature Authentication Key, Message Signature CO/User Signature Verification Key, Message, Boolean Signature CO/User DRBG (SP800-90Arev1) N/A Data Output © 2025 Broadcom Inc. 24
VMware's BC-FJA (Bouncy Castle FIPS Java API) Role Service Input Output CO/User Message Hashing Message Hash CO/User Keyed Message Hashing Key, Message Hash CO/User TLS Key Derivation TLS Data Function Parameters CO/User SP 800-108-rev1 KDF KDF Data Parameters CO/User SSH Derivation Function SSH Data Parameters CO/User X9.63 Derivation Function X9.63 Data Parameters CO/User SP 800-56C-rev2 KDM Data OneStep/TwoStep Key Parameters Derivation Function (KDM) CO/User IKEv2 Derivation Function IKEv2 Data Parameters CO/User SRTP Derivation Function SRTP Data Parameters CO/User PBKDF Password, Data PBKDF Parameters CO/User Key Agreement Schemes Key Agreement Data keys, parameters CO/User Key Wrapping Wrapping key, Wrapped key Key CO/User Key Unwrapping Unwrapping Key Key, Wrapped key CO/User Key Generation Key Generation Key Pair Parameters CO/User Key Verification Key Pair Boolean CO/User Entropy Callback N/A Random bits CO/User DRBG Health-Tests N/A N/A CO/User SSP Export Operation SSP Data CO/User Utility N/A N/A Table 8: Roles, Service Commands, Input and Output © 2025 Broadcom Inc. 25
VMware's BC-FJA (Bouncy Castle FIPS Java API)
The module supports two distinct operator roles, User and Cryptographic Officer (CO). The cryptographic module implicitly maps the two roles to the services. A user is considered the owner of the thread that instantiates the module and, therefore, only one concurrent user is allowed. Table
9 lists all operator roles supported by the module. The module does not support a maintenance role
and/or bypass capability. The module does not support authentication. Role Authentication Method Authentication Strength CO N/A
Table 10 lists the services and a description of each service with the usage and roles. Services in the module are accessed via the public APIs of the Jar file. The ability of a thread to invoke non-approved services depends on whether it has been registered with the module as approved mode only. In approved only mode no non-approved services are accessible. In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific permissions to be configured in the JVM configuration by the Cryptographic Officer or User. In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols. © 2025 Broadcom Inc. 26
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs Initialize Module The JRE will call the static N/A N/A CO/User N/A Flag and Run Self-Tests constructor for self-tests on on Demand module initialization. Show Status A user can call N/A N/A CO/User N/A Flag FipsStatus.IsReady() at any time to determine if the module is ready. CryptoServicesRegistrar.IsI nApprovedOnlyMode() can be called to determine the approved mode of operation. Info Service A user can call N/A N/A CO/User N/A Flag DumpInfo.main() at any time to display the module version, checksum, and status information. Zeroize / Power-off SSPs can be zeroized on N/A All SSPs CO/User Z Flag demand by invoking the destroy() method or power cycle the module Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved mode, false otherwise. © 2025 Broadcom Inc. 27
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs Data Encryption Used to encrypt data. AES-ECB, AES- AES Encryption Key CO/User E Flag CBC, AES-OFB, AES-CFB8, AESCFB128, AES-CTR, AES-CBC-CS, CCM, GCM, FF1 Data Decryption Used to decrypt data. AES-ECB, AES- AES Decryption Key CO/User E Flag CBC, AES-OFB, AES-CFB8, AESCFB128, AES-CTR, AES-CBC-CS, CCM, GCM, FF1 MAC Calculation Used to calculate data CMAC, GMAC AES Authentication Key, CO/User E Flag integrity codes with HMAC Authentication Key, CMAC. KMAC Authentication Key Signature Used to generate signatures DSA, ECDSA, RSA DSA Signing Key, EC CO/User E Flag Authentication (DSA, ECDSA, RSA). Signing Key, RSA Signing Key Signature Used to verify digital DSA, ECDSA, RSA DSA Verification Key, EC CO/User E Flag Verification signatures. Verification Key, RSA Verification Key © 2025 Broadcom Inc. 28
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs DRBG (SP800- Used for random number, Counter DRBG, AES Encryption Key, AES CO/User G Flag 90Arev1) output IV and key generation. Hash DRBG, HMAC Decryption Key, AES DRBG Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DRBG Seed, Internal State V and C value, and DRBG Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public Key DRBG Seed, Internal State V CO/User E and C value, and DRBG Key Message Hashing Used to generate message SHS, SHA-3, N/A CO/User N/A Flag digest, SHAKE output SHAKE, SHA-3 Derived Functions (cSHAKE, TupleHash, ParallelHash) © 2025 Broadcom Inc. 29
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs Keyed Message Used to calculate data HMAC, SHA-3 HMAC Authentication Key, CO/User E Flag Hashing integrity codes with HMAC Derived Functions KMAC Authentication Key and KMAC. (KMAC) TLS Key Used to calculate a value HKDF, KDF, TLS KDF Secret Value CO/User E Flag Derivation suitable to be used for a Existing ApplicationFunction master secret in TLS. Specific (TLS KDF) SP 800-108-rev1 Used to calculate a value KBKDF, using SP800-108-rev1 KDF Secret CO/User E Flag KDF suitable to be used for a Pseudorandom Value secret key Functions SSH Derivation Used to calculate a value Existing Application- SSH KDF Secret Value CO/User E Flag Function suitable to be used for a Specific (SSH KDF) secret key X9.63 Derivation Used to calculate a value Existing Application- DH Agreement Private Key, CO/User G Flag Function suitable to be used for a Specific (X9.63 EC Agreement Private Key, secret key KDF) RSA Signing Key X9.63 KDF Secret Value CO/User E SP 800-56C Used to calculate a value HKDF, KDF One DH Agreement Private Key, CO/User G Flag OneStep/TwoStep suitable to be used for a Step, KDF Two Step. EC Agreement Private Key, Key Derivation secret key RSA Signing Key Function (KDM) SP800-56C-rev2 KDF Secret CO/User E Value IKEv2 Derivation Used to calculate a value Existing Application- IKEv2 KDF Secret Value CO/User E Flag Function suitable to be used for a Specific (IKEv2) secret key © 2025 Broadcom Inc. 30
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs SRTP Derivation Used to calculate a value Existing Application- SRTP KDF Secret Value CO/User E Flag Function suitable to be used for a Specific (SRTP) secret key PBKDF Used to generate a key KDF, Password- HMAC Authentication Key, CO/User G Flag using an encoding of a Based KMAC Authentication Key password and message hash HMAC Authentication Key, CO/User E KMAC Authentication Key, PBKDF Secret Key Agreement Used to calculate key KAS-FFC, KAS- AES Encryption Key, AES CO/User G Flag Schemes agreement values (SP 800- ECC, KAS-IFC, Decryption Key, AES 56A-rev3, Diffie-Hellman). SafePrimes Authentication Key, AES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key DH Agreement Private Key, CO/User E EC Agreement Private Key, RSA Key Transport Private Key Key Wrapping Used to encrypt a key value. AES KW, AES KWP, AES Wrapping Key, HMAC CO/User E Flag (RSA, AES) KTS-IFC Authentication Key, KMAC Authentication Key, RSA Key Transport Private Key © 2025 Broadcom Inc. 31
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs Key Unwrapping Used to decrypt a key value. AES KW, AES KWP, AES Wrapping Key, HMAC CO/User E Flag (RSA, AES) KTS-IFC Authentication Key, KMAC Authentication Key, RSA Key Transport Public Key Key Generation Used to generate key pair RSA KeyGen, DSA DRBG Output, DSA Signing CO/User E Flag KeyGen, ECDSA Key, EC Signing Key, RSA KeyGen, CKG Signing Key, DSA Verification Key, EC Verification Key, RSA Verification Key Key Verification Used to verify key pair ECDSA KeyVer EC Signing Key, EC CO/User E Flag Verification Key Entropy Callback Gathers entropy in a passive DRBG, CKG DRBG Seed, Internal State V CO/User G Flag manner from a user- and C value, and DRBG Key provided function DRBG Health- Used to perform checks of DRBG N/A CO/User N/A Flag Tests incoming entropy against Section 4.4. of SP 800-90B © 2025 Broadcom Inc. 32
VMware's BC-FJA (Bouncy Castle FIPS Java API) Access Approved Security rights to Service Description Keys and/or SSPs Roles Indicator14 Functions Keys and/or SSPs SSP Export Returns a CSP as data that N/A AES Encryption Key, AES CO/User R Flag Operation can be used for later output Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Verification Key, RSA Key Transport Private Key, RSA Key Transport Public Key Utility Miscellaneous utility N/A N/A CO/User N/A Flag functions, does not access CSPs Table 10: Approved Services The modes of access shown in the table above are defined as:
VMware's BC-FJA (Bouncy Castle FIPS Java API)
VMware's BC-FJA (Bouncy Castle FIPS Java API)
The Module type is software. The module has a Multi-Chip Stand Alone embodiment; the cryptographic boundary is the Java Archive (JAR) file, bc-fips-2.0.0.jar. Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Self–tests are available on demand by power cycling the module. The integrity is verified using HMAC-SHA2-256. The HMAC of the module JAR file excluding directories and metadata is calculated and compared to the expected value embedded within the module’s properties. If the calculated value does not match the expected value, the module raises an error and fails to load. The integrity test can be performed on demand by power cycling the host platform. CASTs are preformed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target.
The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module runs on a GPC running one of the operating systems specified in the approved operational environment list in Table 2. Each approved operating system manages processes and threads in a logically separated manner. The Module’s user is considered the owner of the calling application that instantiates the Module within the process space of the Java Virtual Machine. The module optionally uses the Java Security Manager and starts in approved mode by default when used with the Java Security Manager.
The module makes use of the JVM's configured SecureRandom entropy source to provide entropy when required. The module will request entropy as appropriate to the security strength and seeding configuration for the DRBG that is using it and for the default DRBG will request a minimum of
256 bits of entropy. In approved mode the minimum amount of entropy that can be requested by a
DRBG is 112 bits. The module will wait until the SecureRandom.generateSeed() returns the requested amount of entropy, blocking if necessary. The JVMs entropy source can be configured through setting the security property: securerandom.strongAlgorithms in the JVM's java.security file.
In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific policy permissions to be configured in the JVM configuration by the Cryptographic Officer or User. The SecurityManager can also be used to restrict the ability of particular code bases to examine CSPs. See Section 6.3 for further advice. © 2025 Broadcom Inc. 35
VMware's BC-FJA (Bouncy Castle FIPS Java API) In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.
In default operation the module will start with all algorithms and services enabled. If the module detects that the system property org.bouncycastle.fips.approved_only is set to true the module will start in approved mode and non-approved mode functionality will not be available. If the underlying JVM is running with a Java Security Manager installed the module will be running in approved mode with secret and private key export disabled. When the module is not used within the context of the Java Security Manager, it will start by default in the non-approved mode. Use of the module with a Java Security manager requires the setting of some basic permissions to allow the module HMAC-SHA-256 software integrity test to take place as well as to allow the module itself to examine secret and private keys. The basic permissions required for the module to operate correctly with a Java Security manager are indicated by a Y: Available Java Permissions Permission Settings Req Usage RuntimePermission “getProtectionDomain” Y Allows checksum to be carried out on jar. RuntimePermission “accessDeclaredMembers” Y Allows use of reflection API within the provider. PropertyPermission “java.runtime.name”, “read” N Only if configuration properties are used. SecurityPermission "putProviderProperty.BCFIPS" N Only if provider installed during execution. CryptoServicesPermission “unapprovedModeEnabled” N Only if non-approved mode algorithms required. CryptoServicesPermission “changeToApprovedModeEnabled” N Only if threads allowed to change modes. CryptoServicesPermission “exportSecretKey” N To allow export of secret keys only. CryptoServicesPermission “exportPrivateKey” N To allow export of private keys only. CryptoServicesPermission “exportKeys” Y Required to be applied for the module itself. Optional for any other codebase. CryptoServicesPermission “tlsNullDigestEnabled” N Only required for TLS digest calculations. CryptoServicesPermission “tlsPKCS15KeyWrapEnabled” N Only required if TLS is used with RSA encryption. © 2025 Broadcom Inc. 36
VMware's BC-FJA (Bouncy Castle FIPS Java API) CryptoServicesPermission “tlsAlgorithmsEnabled” N Enables both NullDigest and PKCS15KeyWrap. CryptoServicesPermission “defaultRandomConfig” N Allows setting of default SecureRandom. CryptoServicesPermission “threadLocalConfig” N Required to set a thread local property in the CryptoServicesRegistrar CryptoServicesPermission “globalConfig” N Required to set a global property in the CryptoServicesRegistrar. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2) by default. These values can also be configured by the Cryptographic Officer using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H.
Source A user can instantiate the default Approved DRBG for the module explicitly by using SecureRandom.getInstance("DEFAULT", "BCFIPS"), or by using a BouncyCastleFipsProvider object instead of the provider name as appropriate. This will seed the Approved DRBG from the live entropy source of the JVM with a number of bits of entropy appropriate to the security strength of the default Approved DRBG configured for the module. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggest C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2). These values can also be configured by the user using the security property: “org.bouncycastle.entropy.factors” which takes a comma separated list of C values, one for 4.4.1 and one for 4.4.2, and a value of H. For the default the property would be set as org.bouncycastle.entropy.factors: 4, 13, 8.0 in the java.security property file. An additional option is available using the Approved Hash_DRBG and the process outlined in SP-
800 90A, Section 8.6.5. This can be turned on by following the instructions in Section 2.3 of the
User Guide. The two DRBGs are instantiated in a chain as a "Source DRBG" to seed the "Target DRBG" in accordance with Section 7 of Draft NIST SP 800-90C, where the Target DRBG is the default Approved DRBG used by the module. The initial seed and the subsequent reseeds for the DRBG chain come from the live entropy source configured for the JVM. The DRBG chain will reseed automatically by pausing for 20 requests (which will usually equate to 5120 bytes). An entropy gathering thread reseeds the DRBG chain when it has gathered sufficient entropy (currently 256 bits) from the live entropy source. Once reseeded, the request counter is reset and the reseed process begins again. © 2025 Broadcom Inc. 37
VMware's BC-FJA (Bouncy Castle FIPS Java API) The “Source DRBG” in the chain is internal to the module and inaccessible to the user to ensure it is only used for generating seeds for the default Approved DRBG of the module. The user shall ensure that the entropy source is configured per Section 6.1 this Security Policy and will block, or fail, if it is unable to provide the amount of entropy requested.
This section is not applicable as the module is a software module.
This section is not applicable to this module. © 2025 Broadcom Inc. 38
VMware's BC-FJA (Bouncy Castle FIPS Java API)
All Sensitive Security Parameters (SSPs) used by the Module are described in this section in Table 12. All usage of these SSPs by the Module (including all SSP lifecycle states) is described in the services detailed in Section 4.3. Please note that the module does not perform automatic SSP establishment, it only provides the components to the calling application which can be used in SSP establishment. Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys AES Encryption 128, 192, AES ECB, CBC, DRBG16 Import17, N/A N/A, the module destroy() service AES Key 256 bits OFB, CFB8, Export18 does not provide call or host encryption19 CFB128, CTR, persistent storage platform power FF1, CBC-CS1, cycle CBC-CS2, CBCCS3, GCM, CKG A4399, A5205 AES Decryption 128, 192, AES ECB, CBC, DRBG16 Import17, N/A N/A, the module destroy() service AES decryption Key 256 bits OFB, CFB8, Export18 does not provide call or host CFB128, CTR, persistent storage platform power FF1, CBC-CS1, cycle CBC-CS2, CBCCS3, GCM, CKG A4399, A5205 AES 128, 192, AES CMAC, DRBG16 Import17, N/A N/A, the module destroy() service AES Authentication 256 bits GMAC, CKG does not provide call or host CMAC/GMAC Export18 Key A4399, A5205 persistent storage platform power cycle Key generator used in conjunction with an approved DRBG. Import done via key constructor and/or factory Export done via key recovery using getEncoded() method and followed by separate step to export key details as either plaintext or encrypted The AES-GCM key and IV is generated randomly per IG C.H, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. © 2025 Broadcom Inc. 39
VMware's BC-FJA (Bouncy Castle FIPS Java API) Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys 128, 192, AES KW, KWP, DRBG16 Import17, N/A N/A, the module destroy() service AES AES Wrapping 256 bits CKG Export18 does not provide call or host (128/192/256) Key A4399, A5205 persistent storage platform power key wrapping cycle key for KTS DH Agreement 112, 128, KAS-FFC, CKG DRBG16 Import17, N/A N/A, the module destroy() service Diffie-Hellman Private Key 152, 176, A4399, A5205 Export18 does not provide call or host key agreement
200 bits persistent storage platform power
cycle DH Agreement 112, 128, KAS-FFC, CKG DRBG16 Import17, N/A N/A, the module Not zeroized, Diffie-Hellman Public Key 152, 176, A4399, A5205 Export18 does not provide public key value key agreement
200 bits persistent storage known outside of
module DSA Signing 112, 128 DSA Signature DRBG16 Import17, N/A N/A, the module destroy() service DSA signature Key bits Generation, CKG Export18 does not provide call or host generation A4399, A5205 persistent storage platform power cycle DSA 80, 112, DSA Signature DRBG16 Import17, N/A N/A, the module Not zeroized, DSA signature Verification Key 128 bits Verification, CKG Export18 does not provide public key value verification A4399, A5205 persistent storage known outside of module EC Agreement 112. 128. KAS-ECC, CKG DRBG16 Import17, N/A N/A, the module destroy() service EC (P-224, PPrivate Key 192. 256 A4399, A5205 Export18 does not provide call or host 256, P-384, Pbits persistent storage platform power 521, K-233, Kcycle 283, K-409, K571, B-233, B283, B-409 and B-571) key agreement © 2025 Broadcom Inc. 40
VMware's BC-FJA (Bouncy Castle FIPS Java API) Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys EC Agreement 112. 128. KAS-ECC, CKG DRBG16 Import17, N/A N/A, the module Not zeroized, EC (P-224, PPublic Key 192. 256 A4399, A5205 Export18 does not provide public key value 256, P-384, Pbits persistent storage known outside of 521, K-233, Kmodule 283, K-409, K571, B-233, B283, B-409 and B-571) key agreement EC Signing Key 112. 128. ECDSA Signature DRBG16 Import17, N/A N/A, the module destroy() service ECDSA (P-224, 192. 256 Generation, CKG Export18 does not provide call or host P-256, P-384, Pbits A4399, A5205 persistent storage platform power 521, K-233, Kcycle 283, K-409, K571, B-233, B283, B-409 and B-571) signature generation. EC Verfication 80, 112. ECDSA Signature DRBG16 Import17, N/A N/A, the module Not zeroized, ECDSA (P-224, Key 128. 192. Verification, CKG Export18 does not provide public key value P-256, P-384, P-
256 bits A4399, A5205 persistent storage known outside of 521, K-233, K-
module 283, K-409, K571, B-233, B283, B-409 and B-571) signature verification. HMAC/KMAC 112-256 SHA-1, SHA2, DRBG16 Import17, N/A N/A, the module destroy() service Keyed-Hash Authentication bits SHA3, KMAC, Export18 does not provide call or host calculation Key CKG persistent storage platform power (SHA-1, SHA-2, A4399, A5205 cycle SHA-3, KMAC). © 2025 Broadcom Inc. 41
VMware's BC-FJA (Bouncy Castle FIPS Java API) Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys RSA Signing 112, 128, RSA Signature DRBG16 Import17, N/A N/A, the module destroy() service RSA signature Key 152 bits Generation, does not provide call or host generation Export18 CKG persistent storage platform power cycle A4399, A5205 RSA 80, 112, RSA Signature DRBG16 Import17, N/A N/A, the module Not zeroized, RSA signature Verification Key 128, 152 Verfication, does not provide public key value verification Export18 bits CKG persistent storage known outside of module A4399, A5205 RSA Key 112, 128, KTS-IFC, CKG DRBG16 Import17, N/A N/A, the module destroy() service RSA key Transport 152 bits A4399, A5205 does not provide call or host transport and Export18 Private Key20 persistent storage platform power decryption cycle RSA Key 112, 128, KTS-IFC, CKG DRBG16 Import17, N/A N/A, the module Not zeroized, RSA key Transport Public 152 bits A4399, A5205 does not provide public key value transport Export18 Key20 persistent storage known outside of module 128, 192 KDF IKEv2 Generated N/A N/A N/A, the module destroy() service Key Derivation bits A4399, A5205 as output of does not provide call or host IKEv2 KDF an IKEv2 persistent storage platform power Secret Value agreement cycle scheme
192 bits PBKDF Generated N/A N/A N/A, the module destroy() service Key Derivation
PBKDF Secret A4399, A5205 as output of does not provide call or host Value a PBE key persistent storage platform power and a PRF cycle RSA key transport using PKCS#1 1.5 padding is deprecated through 2023 and disallowed after 2023. © 2025 Broadcom Inc. 42
VMware's BC-FJA (Bouncy Castle FIPS Java API) Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys SP 800-56C-rev2 112, 128, KDA OneStep Generated N/A N/A N/A, the module destroy() service Key Derivation OneStep/TwoStep 192, 256 SP800-56Cr2, as output of does not provide call or host KDF Secret Value bits KDA TwoStep an persistent storage platform power SP800-56Cr2 agreement cycle A4399, A5205 scheme SP 800-108- 112, 128, KDF SP800-108 Generated N/A N/A N/A, the module destroy() service Key Derivation rev1 KDF 192, 256 as output of does not provide call or host Secret Value A4399, A5205 bits an persistent storage platform power agreement cycle scheme SRTP KDF 128, 192, KDF SRTP Generated N/A N/A N/A, the module destroy() service Key Derivation Secret Value 256 bits as output of does not provide call or host A4399, A5205 an SRTP persistent storage platform power agreement cycle scheme SSH KDF 80, 112, KDF SSH Generated N/A N/A N/A, the module destroy() service Key Derivation Secret Value 128, 192, as output of does not provide call or host A4399, A5205
256 bits an SSH persistent storage platform power
agreement cycle scheme TLS Premaster 384 bits KDF TLS Protocol Import17, N/A N/A, the module destroy() service Used to derive Secret Value version (2 does not provide call or host keys using TLS A4399, A5205 Export18 bytes) and persistent storage platform power KDF
from a DRBG16 TLS KDF 112, 128, KDF TLS Generated N/A N/A N/A, the module destroy() service Key Derivation Secret Value 192, 256 as output of does not provide call or host A4399, A5205 bits a TLS persistent storage platform power agreement cycle scheme © 2025 Broadcom Inc. 43
VMware's BC-FJA (Bouncy Castle FIPS Java API) Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys X9.63 KDF 112, 128, KDF ANS 9.63 Generated N/A N/A N/A, the module destroy() service Key Derivation Secret Value 192, 256 as output of does not provide call or host A4399, A5205 bits an persistent storage platform power agreement cycle scheme Entropy Input >128 bits N/A N/A Obtained N/A N/A, the module destroy() service Random String from the does not provide call or host Number entropy persistent storage platform power Generation source cycle CTR DRBG 128, 192, N/A N/A Obtained N/A N/A, the module Immediately after Internal use Seed 256 bits from the does not provide use or host entropy persistent storage platform power source cycle CTR DRBG V 128 bits N/A From seed N/A N/A N/A, the module reseed() service Internal use Value value does not provide call or host persistent storage platform power cycle CTR DRBG 128, 192, N/A From N/A N/A N/A, the module reseed() service Internal use Key 256 bits DRBG V does not provide call or host value persistent storage platform power cycle Hash DRBG 112, 128, N/A N/A From N/A N/A, the module Immediately after Internal use Seed 192, 256 external does not provide use or host bits entropy persistent storage platform power source cycle Hash DRBG V 112, 128, N/A From seed N/A N/A N/A, the module reseed() service Internal use Value 192, 256 value does not provide call or host bits persistent storage platform power cycle © 2025 Broadcom Inc. 44
VMware's BC-FJA (Bouncy Castle FIPS Java API) Key/SSP Name/ Strength Security Function Import/ Use & related Generation Establishment Storage Zeroisation Type and Cert. Number Export keys Hash DRBG C 112, 128, N/A From N/A N/A N/A, the module reseed() service Internal use Value 192, 256 DRBG V does not provide call or host bits value persistent storage platform power cycle HMAC DRBG 112, 128, N/A N/A From N/A N/A, the module Immediately after Internal use Seed 192, 256 external does not provide use or host bits entropy persistent storage platform power source cycle HMAC DRBG 112, 128, N/A From seed N/A N/A N/A, the module reseed() service Internal use V Value 192, 256 value does not provide call or host bits persistent storage platform power cycle HMAC DRBG 112, 128, N/A From N/A N/A N/A, the module reseed() service Internal use Key 192, 256 DRBG V does not provide call or host bits value persistent storage platform power cycle DRBG Output 128, 192, N/A DRBG N/A N/A N/A, the module destroy() service Used as seed for
256 bits does not provide call or host asymmetric key
persistent storage platform power generation or for cycle symmetric key generation Table 12: SSPs © 2025 Broadcom Inc. 45
VMware's BC-FJA (Bouncy Castle FIPS Java API)
The module's use of Non-Deterministic Random Number Generators is determined by the settings described in Section 6.1. Minimum Entropy number of bits Details Sources of entropy Passive Entropy 128 As per FIPS 140-3 IG 9.3.A Section 2b, a minimum of 16 bytes is required from the source configured for seed generation for the JVM. The entropy reader will block until the seed generator has provided the minimum number of bytes. Table 13: Non-Deterministic Random Number Generation Specification
CASTs are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Initial CAST self–tests are available on demand by power cycling the module and then invoking the service related to the test target.
Each time the module is powered up, it performs the pre-operational self-tests to confirm that sensitive data have not been damaged. The pre-operational tests include the Software Integrity test, which verifies the module using HMAC-SHA2-256, and the HMAC and SHS Conditional Cryptographic Algorithm Self-Tests (CAST) which are run prior to the Software Integrity test to ensure the correctness of the HMAC used. Pre-operational self–tests are available on demand by power cycling the module.
The module performs conditional self-tests when the conditions specified for cryptographic algorithm self-test and pair-wise consistency tests occur. Below are the self-tests implemented: Conditional Cryptographic Algorithm Self-Test:
VMware's BC-FJA (Bouncy Castle FIPS Java API)
VMware's BC-FJA (Bouncy Castle FIPS Java API)
If any of the above-mentioned self-tests fail, the module enters an error state called “Hard Error” state. Upon entering the error state, the module outputs status by way of an exception. An example exception for AES Encryption failure is mentioned below: “Failed self-test on encryption: AES” The module can be recovered by power cycling the module which results in execution of preoperational self-tests and conditional cryptographic algorithm self-tests. If the tests pass, then the module will be available for use.
Vulnerabilities found in the module will be reported on the National Vulnerability Database, located at https://nvd.nist.gov/. Researchers and users are encouraged to report any security related concerns to feedbackcrypto@bouncycastle.org. A PGP public key can be provided if confidentiality is required around the report. Please find the procedures for secure installation, initialization, startup and operation of the module: The module exists as part of the running JVM as such:
VMware's BC-FJA (Bouncy Castle FIPS Java API) health tests and then provide a service object to the user capable of performing the requested service. BC-FJA 2.0.0 User guide can be downloaded here: https://downloads.bouncycastle.org/fipsjava/BC-FJA-UserGuide-2.0.0.pdf
The Module implements basic protections to mitigate against timing based attacks against its internal implementations. There are two counter-measures used. The first is Constant Time Comparisons, which protect the digest and integrity algorithms by strictly avoiding “fast fail” comparison of MACs, signatures, and digests so the time taken to compare a MAC, signature, or digest is constant regardless of whether the comparison passes or fails. The second is made up of Numeric Blinding and decryption/signing verification which both protect the RSA algorithm. Numeric Blinding prevents timing attacks against RSA decryption and signing by providing a random input into the operation which is subsequently eliminated when the result is produced. The random input makes it impossible for a third party observing the private key operation to attempt a timing attack on the operation as they do not have knowledge of the random input and consequently the time taken for the operation tells them nothing about the private value of the RSA key. Decryption/signing verification is carried out by calculating a primitive encryption or signature verification operation after a corresponding decryption or signing operation before the result of the decryption or signing operation is returned. The purpose of this is to protect against Lenstra's CRT attack by verifying the correctness the private key calculations involved. Lenstra's CRT attack takes advantage of undetected errors in the use of RSA private keys with CRT values and, if exploitable, can be used to discover the private value of the RSA key. © 2025 Broadcom Inc. 49
VMware's BC-FJA (Bouncy Castle FIPS Java API) Appendix: References and Definitions The following standards are referred to in this Security Policy. X9.31-1998, Digital Signatures using Reversible Public Key ANSI X9.31 Cryptography for the Financial Services Industry (rDSA), September 9, 1998 FIPS 140-3 Security Requirements for Cryptographic modules, March 22, 2019 FIPS 180-4 Secure Hash Standard (SHS) FIPS 186-3 Digital Signature Standard (DSS) FIPS 186-4 Digital Signature Standard (DSS) FIPS 197 Advanced Encryption Standard FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) SHA-3 Standard: Permutation-Based Hash and Extendable-Output FIPS 202 Functions Implementation Guidance for FIPS PUB 140-3 and the Cryptographic IG Module Validation Program PKCS#1 v2.1 RSA Cryptography Standard PKCS#5 Password-Based Cryptography Standard Personal Information Exchange Syntax StandardRecommendation for PKCS#12 the Triple Data Encryption Algorithm (TDEA) Block Cipher Recommendation for Block Cipher Modes of Operation: Three SP 800-38A Variants of Ciphertext Stealing for CBC Mode Recommendation for Block Cipher Modes of Operation: The CMAC SP 800-38B Mode for Authentication Recommendation for Block Cipher Modes of Operation: The CCM SP 800-38C Mode for Authentication and Confidentiality Recommendation for Block Cipher Modes of Operation: SP 800-38D Galois/Counter Mode (GCM) and GMAC Recommendation for Block Cipher Modes of Operation: Methods for SP 800-38F Key Wrapping Recommendation for Block Cipher Modes of Operation: Methods for SP 800-38G Format-Preserving Encryption Recommendation for Pair-Wise Key Establishment Schemes Using SP 800-56A-rev3 Discrete Logarithm Cryptography Recommendation for Pair-Wise Key Establishment Schemes Using SP 800-56B-rev2 Integer Factorization Cryptography Recommendation for Key Derivation through Extraction-thenSP 800-56C-rev2 Expansion Recommendation for the Triple Data Encryption Algorithm (TDEA) SP 800-67-rev2 Block Cipher © 2025 Broadcom Inc. 50
VMware's BC-FJA (Bouncy Castle FIPS Java API) X9.31-1998, Digital Signatures using Reversible Public Key ANSI X9.31 Cryptography for the Financial Services Industry (rDSA), September 9, 1998 Recommendation for Obtaining Assurances for Digital Signature SP 800-89 Applications Recommendation for Random Number Generation Using Deterministic SP 800-90A Random Bit Generators Recommendation for the Entropy Sources Used for Random Bit SP 800-90B Generation SP 800-108-rev1 Recommendation for Key Derivation Using Pseudorandom Functions SP 800-132 Recommendation for Password-Based Key Derivation SP 800-133-rev2 Recommendation for Cryptographic Key Generation Recommendation for Existing Application
VMware's BC-FJA (Bouncy Castle FIPS Java API) AES Advanced Encryption Standard DRAM Dynamic Random Access Memory DRBG Deterministic Random Bit Generator DSA Digital Signature Authority DSTU4145 Ukrainian DSTU-4145-2002 Elliptic Curve Scheme EC Elliptic Curve ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Authority EdDSA Edwards Curve DSA using Ed25519, Ed448 EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standards GCM Galois/Counter Mode GMAC Galois Message Authentication Code GOST Gosudarstvennyi Standard Soyuza SSR/Government Standard of the Union of Soviet Socialist Republics GPC General Purpose Computer HMAC key-Hashed Message Authentication Code IG See References JAR Java ARchive JCA Java Cryptography Architecture JCE Java Cryptography Extension JDK Java Development Kit JRE Java Runtime Environment JVM Java Virtual Machine IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KW Key Wrap KWP Key Wrap with Padding KMAC KECCAK Message Authentication Code MAC Message Authentication Code MD5 Message Digest algorithm MD5 © 2025 Broadcom Inc. 52
VMware's BC-FJA (Bouncy Castle FIPS Java API) AES Advanced Encryption Standard N/A Non Applicable OCB Offset Codebook Mode OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PKCS Public Key Cryptography Standards PQG Diffie-Hellman Parameters P, Q and G RC Rivest Cipher, Ron’s Code RIPEMD RACE Integrity Primitives Evaluation Message Digest RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter TCBC TDEA Cipher-Block Chaining TCFB TDEA Cipher Feedback Mode TDEA Triple Data Encryption Algorithm TDES Triple Data Encryption Standard TECB TDEA Electronic Codebook TOFB TDEA Output Feedback TLS Transport Layer Security USB Universal Serial Bus XDH Edwards Curve Diffie-Hellman using X25519, X448 XOF Extendable-Output Function © 2025 Broadcom Inc. 53