| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 3/23/2027 |
| Entropy | ENT (NP) |
| Caveat | Interim Validation. When operated in approved mode |
| Vendor | Icom Inc. |
| Hardware versions | Rev1.2, Rev1.3, Rev2.2, Rev2.3 |
| Algorithm | ACVP Cert |
|---|---|
| AES-OFB | A1399 |
| HMAC-SHA-1 | A1399 |
| SHA-1 | A1399 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for UT-125 FIPS #31 and #41 Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>Rev1.6</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Firmware Update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C6 clue;
class I1,I2,I3,I6 infer;
class R1,R2,R3,R6 risk;
class E1,E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for UT-125 FIPS #31 and #41 Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>Rev1.6</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Firmware Update</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3 clueHigh;
class C6 clueLow;UT-125 FIPS #31 and #41 Cryptographic Module Hardware versions 1.2, 1.3, 2.2 and 2.3 Firmware version 1.6 Document Revision 2.7 Icom Inc. 1-1-32, Kamiminami, Hirano-ku Osaka 547-0003 Japan
| # | Section | Page |
|---|---|---|
| 1 | General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 2 | Cryptographic Module Specification | 5 |
| 2.1 | Description | 5 |
| 2.2 | Tested Module Version and Identification | 8 |
| 2.3 | Excluded Components | 8 |
| 2.4 | Modes of Operation | 8 |
| 2.5 | Algorithms | 8 |
| 3 | Cryptographic Module Interfaces | 9 |
| 3.1 | Ports and Interfaces | 9 |
| 3.2 | Trusted Channel Specification | 10 |
| 3.3 | Control Interface Not Inhibited | 10 |
| 4 | Roles, Services, and Authentication | 10 |
| 4.1 | Authentication Methods | 10 |
| 4.2 | Roles | 10 |
| 4.3 | Approved Services | 11 |
| 4.4 | Non-Approved Services | 12 |
| 4.5 | External Software/Firmware Loaded | 12 |
| 4.6 | Bypass Actions and Status | 12 |
| 4.7 | Cryptographic Output Actions and Status | 12 |
| 5 | Software/Firmware Security | 13 |
| 5.1 | Integrity Techniques | 13 |
| 5.2 | Initiate on Demand | 13 |
| 6 | Operational Environment | 13 |
| 6.1 | Operational Environment Type and Requirements | 13 |
| 6.2 | Configuration Settings and Restrictions | 13 |
| 7 | Physical Security | 13 |
| 7.1 | Mechanisms and Actions Required | 13 |
| 8 | Non-Invasive Security | 13 |
| 9 | Sensitive Security Parameters Management | 14 |
| 9.1 | Storage Areas | 14 |
| 9.2 | SSP Input-Output Methods | 14 |
| 9.3 | SSP Zeroization Methods | 14 |
| 9.4 | SSPs | 14 |
| 9.5 | Transitions | 15 |
| 9.6 | Additional Information | 15 |
| 10 | Self-Tests | 15 |
| 10.1 | Pre-Operational Self-Tests | 15 |
| 10.2 | Conditional Self-Tests | 15 |
| 10.3 | Periodic Self-Test Information | 15 |
| 10.4 | Error States | 15 |
| 10.5 | Operator Initiation of Self-Tests | 16 |
| 11 | Life-Cycle Assurance | 16 |
| 11.1 | Installation, Initialization, and Startup Procedures | 16 |
| 11.2 | Administrator Guidance | 16 |
| 11.3 | Non-Administrator Guidance | 16 |
| 11.4 | Design and Rules | 17 |
| 11.5 | Maintenance Requirements | 17 |
| 11.6 | End of Life | 17 |
| 12 | Mitigation of Other Attacks | 17 |
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Cryptographic Module Tested Configuration | 8 |
| Table 3: Approved Algorithms | 9 |
| Table 4: Non-Approved Algorithms Not Allowed in the Approved Mode of Operation | 9 |
| Table 5: Ports and Interfaces | 10 |
| Table 6: Roles, Service Commands, Input and Output | 11 |
| Table 7: Approved Services | 12 |
| Table 8: Non-Approved Services | 12 |
| Table 9: Storage Areas | 14 |
| Table 10: SSP Input-Output | 14 |
| Table 11: SSP Zeroization Methods | 14 |
| Table 12: SSPs | 14 |
| Table 13: Error Indicators | 16 |
| Table 14: Error Status | 16 |
| Figure 1 – Block Diagram | 6 |
| Figure 2 – Representative Images | 7 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| Section 6. | Section 6. | ||
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | 1 |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
This document details the security policy for the cryptographic module UT-125 FIPS #31 Hardware revision 1.2 and Hardware revision 1.3, UT-125 FIPS #41 Hardware revision 2.2 and Hardware revision
2.3 implementing firmware version 1.6, herein identified as the optional encryption unit, UT-125 FIPS #31
distributed only in its entirety without revision.
[Number Below] N/A Table 1: Security Levels N/A
Purpose and Use: The UT-125 FIPS #31 and #41 are multi-chip embedded cryptographic modules as defined by FIPS 1403. The cryptographic module can be incorporated into any Icom Inc. radio which requires FIPS 140-3 level 1 Module Type: Hardware Module Embodiment: Multi-chip Embedded
Cryptographic Boundary: The cryptographic boundary consists of the entire printed circuit board, as depicted in Figures 1 and 2. Cryptographic Boundary UT-125 FIPS EEPROM FLASH ROM Digital Signal Processor (DSP) Data Input/Output Control Input Radio’s DSP Figure 1
Figure 2 contains representative images of the cryptographic module. Other than the labels, Rev 1.2 and
1.3 of the UT-125 #31 are externally identical. Likewise, Rev 2.2 and 2.3 of UT-125 #41 are also
externally identical. #31 #41 Top Bottom Figure 2
| Name | Model | Hardware Version | Firmware Version | Features |
|---|---|---|---|---|
| UT-125 #31 | UT-125 #31 | Rev1.2 | Rev.1.6 | Seal, Display on the radio display. |
| UT-125 #31 | UT-125 #31 | Rev1.3 | Rev.1.6 | Seal, Display on the radio display. |
| UT-125 #41 | UT-125 #41 | Rev2.2 | Rev.1.6 | Seal, Display on the radio display. |
| UT-125 #41 | UT-125 #41 | Rev2.3 | Rev.1.6 | Seal, Display on the radio display. |
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES-OFB (SP 800-38A) | A1399 | AES-OFB | 256 bits | Voice Encryption / Decryption |
| HMAC-SHA-1 (FIPS 198-1) | A1399 | HMAC-SHA-1 | MAC: 160 bits Key Length: 512 bits | Firmware Integrity, Firmware Load Test |
Tested Module Identification
The cryptographic module does not have any Excluded components.
Modes List and Description: This UT-125 FIPS cryptographic module supports both approved mode and non-approved mode as explained below. Mode Change Instructions and Status: The cryptographic module supports both approved, and non-approved modes depending on the McBSP interface commands being invoked. Approved algorithms output the signal of GPIO port when running. The signal of GPIO9 indicates the module is using an approved security function. The cryptographic module does not support degraded operation.
Approved Algorithms: The module’s CAVP certificates includes algorithms/options that are not utilized by the module in the approved mode. Only the algorithms/options listed in the table below are utilized by the module in the approved mode.
| Name | Use Function |
|---|---|
| AES-CBC-MAC | Message Authentication |
| AES-ECB | Data Encryption / Decryption |
| CTR_DRBG | Pseudo-Random Number Generator |
| DES-ECB | Crypto Key Encryption / Decryption |
| DES-OFB | Voice Encryption / Decryption |
| PRNG | Pseudo-Random Number Generator |
| Name | Logical Interface | Data That Passes | UT-125 FIPS Physical |
|---|---|---|---|
| I/O Ports | port/interface | I/O Ports | |
| #31:1 DGND #41:1 GND | Power | Ground | #31:1 DGND #41:1 GND |
| 2 CCLKO | Data Output | McBSP clock output | 2 CCLKO |
| #31: 3 DGND #41: 3 GND | Power | Ground | #31: 3 DGND #41: 3 GND |
| 4 CFSO | Data Output | McBSP frame sync output | 4 CFSO |
| 5 CFSI | Data Input or Control Input | McBSP frame sync input | 5 CFSI |
| 6 CDO | Data Output or Status Output | McBSP data output | 6 CDO |
| 7 CCLKI | Data Input or Control Input | McBSP clock input | 7 CCLKI |
| 8 DRESET | Control Input | Reset signal | 8 DRESET |
| 9 CDI | Data Input or Control Input | McBSP data input | 9 CDI |
| 10 CACT | Control Input | Wake up signal | 10 CACT |
| 11 DVDD_3.3V | #31: Power #41: Power | #31: External electrical power (+3.3V power line) #41: GND | 11 DVDD_3.3V |
| 12 DGND | Power | #31: Ground #41: External electrical power (+3.3V power line) | 12 DGND |
| 13 - | #31: N/A #41: Power | #31: Non-connection #41: External electrical power (+3.3V power line) | 13 - |
| 14 DGND | #31: Power #41: N/A | #31: Ground #41: Non-connection | 14 DGND |
| A1399 | SHA-1 (FIPS 180-4) | SHA-1 | N/A | Hash function for HMAC |
|---|
Table 3: Approved Algorithms N/A Vendor-Affirmed Algorithms: This cryptographic module does not have a Vendor-Affirmed Algorithms algorithm. Non-Approved, Allowed Algorithms: This module does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Allowed Algorithms with No Security Claimed: This module does not implement any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Table 4: Non-Approved Algorithms Not Allowed in the Approved Mode of Operation
Table 5: Ports and Interfaces
This module does not support a trusted channel.
This module does not have control output interface.
This module does not support operator authentication.
The UT-125 FIPS #31 and #41 support the roles of Crypto Officer and User. Crypto Officer: Assumption of the Crypto Officer role is implied when any of the services specific to a Crypto Officer are executed. The Crypto Officer role is responsible for the keys and firmware of the UT-125 FIPS #31 and #41. The management of keys, such as loading, reading and writing, is the domain of the Crypto Officer. The main tool for key management utilized by the Crypto Officer is an approved key loading device. The Crypto Officer role will also manage firmware updating and checking procedures. User: Assumption of the User role is implied when any of the services specific to a User are executed. The User role is primarily consists of the services which conduct the encryption and decryption of communication, invoke self-tests, and indicate the status of the UT-125 FIPS #31 and #41.
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Decryption | Decoding from ciphertext to plaintext | O/U | TEK | AES-OFB | E | Port Output (GPIO9) |
| Encryption | Encoding from plaintext to ciphertext | O/U | TEK | AES-OFB | E | Port Output (GPIO9) |
| Firmware Update | Updating the firmware in the crypto module | O | HMAC Key | HMAC-SHA-1 | E, W | Port Output (GPIO9) |
| Key Load | Loading crypto key using Key Fill Device Interface Protocol | O/U | TEK | N/A | W | N/A |
| Key Zeroisation | Zeroising crypto key using Key Fill Device Interface Protocol | O/U | TEK | N/A | Z | N/A |
| Power-Off | Turning the power off on the module | O/U | N/A | N/A | N/A | N/A |
| Self-Tests | Self-testing the operation of the crypto functions | O/U | N/A | AES-OFB HMAC-SHA-1 | N/A | N/A |
| Show Key Status | Providing the crypto parameter. | O/U | N/A | N/A | N/A | N/A |
| Show Status | Showing current status | O/U | N/A | N/A | N/A | N/A |
| Show Version | Show module’s versioning information | O/U | N/A | N/A | N/A | N/A |
| System Management | Zeroising various setting values | O | TEK, HMAC Key | N/A | Z | N/A |
| Decryption (non-approved) | Decoding from ciphertext to plaintext | O/U | DES-OFB | N/A | ||
| Encryption (non-approved) | Encoding from plaintext to ciphertext | O/U | DES-OFB | N/A | ||
| Key Management | Changing/Adding/Gen erating/Zeroising crypto key and module parameter. | O/U | AES-CBC-MAC AES-ECB CTR_DRBG DES-ECB PRNG | N/A |
| User/Crypto Officer | Decryption | McBSP command:Control Input or Data Input (Request Command) | McBSP command:Status Output or Data Output (Response Command) |
|---|---|---|---|
| User/Crypto Officer | Encryption | McBSP command:Control Input or Data Input (Request Command) | McBSP command:Status Output or Data Output (Response Command) |
| Crypto Officer | Firmware Update | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command, Indicate Command) |
| User/Crypto Officer | Key Load | McBSP command:Control Input or Data Input (Request Command) | McBSP command:Status Output (Response Command, Indicate Command) |
| User/Crypto Officer | Key Zeroisation | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command) |
| User/Crypto Officer | Power-Off | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command, Indicate Command) |
| User/Crypto Officer | Self-Tests | Reset signal (Physical port): Control Input | McBSP command: Status Output |
| User/Crypto Officer | Show Key Status | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command) |
| User/Crypto Officer | Show Status | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command) |
| User/Crypto Officer | Show Version | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command) |
| Crypto Officer | System Management | McBSP command:Control Input (Request Command) | McBSP command:Status Output (Response Command) |
| User/Crypto Officer | Key Management | McBSP command:Control Input or Data Input (Request Command) | McBSP command:Status Output or Data Output (Response Command) |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Show Key Status | Providing the crypto parameter. | O/U | N/A | N/A | N/A | N/A |
| Show Status | Showing current status | O/U | N/A | N/A | N/A | N/A |
| Show Version | Show module’s versioning information | O/U | N/A | N/A | N/A | N/A |
| System Management | Zeroising various setting values | O | TEK, HMAC Key | N/A | Z | N/A |
| Decryption (non-approved) | Decoding from ciphertext to plaintext | O/U | DES-OFB | N/A | ||
| Encryption (non-approved) | Encoding from plaintext to ciphertext | O/U | DES-OFB | N/A | ||
| Key Management | Changing/Adding/Gen erating/Zeroising crypto key and module parameter. | O/U | AES-CBC-MAC AES-ECB CTR_DRBG DES-ECB PRNG | N/A |
N/A N/A O/U N/A N/A N/A N/A O/U N/A N/A N/A N/A O/U N/A N/A N/A O Z N/A Table 7: Approved Services O = Crypto Officer U = User G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 8: Non-Approved Services O/U N/A O/U N/A O/U N/A
The firmware update is performed via the Firmware Update service, which executes the firmware load test.
This module does not support a bypass capability.
This module does not support a self-initiated cryptographic output capability.
The module’s firmware is provided as the 3059C3_16.MOT (boot and application firmware) or 3059C3_16(F).MOT (just application firmware) binary images.
The module uses CRC-32 as EDC method for the integrity testing.
The software/firmware integrity test is performed every time the module is started / rebooted.
Type of Operational Environment: Limited How Requirements are Satisfied: As shown in Table 1 this cryptographic module operates at security level 1. The module maintains control of its own SSPs retained within the module. The module’s operational environment consists of firmware with access to SSPs managed wholly by the module itself. Please see Section 9 for SSP details.
This module is a hardware module with a limited operational environment. Cryptographic module stores firmware to flash ROM within cryptographic boundary. .
This is multi-chip embedded cryptographic module. The circuitry uses standard passivation techniques and meets Security Level 1. This plug-in module is contained within a production grade radio enclosure and uses commercially available IC chips.
The cryptographic module does not have the non-invasive mitigation techniques.
| Name | Type | Description | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation |
|---|---|---|---|---|---|---|---|---|---|---|
| EEPROM | Static | For Cryptographic key | ||||||||
| DSP RAM | Dynamic | For Temporary SSPs | ||||||||
| TEK (Traffic Encryption Key) | 256-bits | AES-OFB A1399 | N/A | N/A | EEPROM (Plaintext) | Used for encryption/ decryption of voice traffic through the module's host radio. | KFD* Protocol | Zeroise command from McBSP interface | ||
| HMAC Key | 256-bits | HMAC- SHA-1 A1399 | Manufactur er pre- loaded | N/A | EEPROM (Plaintext) | Used for updating the firmware. | N/A | Zeroise command from McBSP interface |
| Name | Approved Functions | Type | From | To | Distribution Type | Entry Type |
|---|---|---|---|---|---|---|
| KFD* Protocol | None | Plaintext | Key Fill Device | EEPROM or DSP RAM | Manual | Electronic |
| Name | Type | Description | Strength | Security Function | Generation | Establishment | Storage | Use | Import Export | Zeroisation |
|---|---|---|---|---|---|---|---|---|---|---|
| EEPROM | Static | For Cryptographic key | ||||||||
| DSP RAM | Dynamic | For Temporary SSPs | ||||||||
| TEK (Traffic Encryption Key) | 256-bits | AES-OFB A1399 | N/A | N/A | EEPROM (Plaintext) | Used for encryption/ decryption of voice traffic through the module's host radio. | KFD* Protocol | Zeroise command from McBSP interface | ||
| HMAC Key | 256-bits | HMAC- SHA-1 A1399 | Manufactur er pre- loaded | N/A | EEPROM (Plaintext) | Used for updating the firmware. | N/A | Zeroise command from McBSP interface |
| Method | Description | Rationale | Operator Initiation Capability |
|---|---|---|---|
| Zeroise command | McBSP Command: Control Input / Status Output | Zeroising Key in EEPROM or DSP RAM | Starting with Operator's invocation. Determining whether the procedures were successful with Status Output. |
| Power lost | Module power lost | Zeroising SSP in volatile memory | Operator's invocation. |
Table 11: SSP Zeroization Methods h N/A er preloaded N/A Table 12: SSPs
| Number | Byte Size | Information | Logical Interface |
|---|---|---|---|
| $01 | 1 | Show Status (see Table 7) $00=Program Running $01=Initial Sequence | Status Output |
*Key Fill Device (Key Loader)
The cryptographic module is not subject to transitions.
Keys/SSPs used in the approved mode shall not be used in the non-approved mode and vice-versa. The cryptographic module does not support manual key entry. Please note that Zeroise command from McBSP interface is used for changing the key data in DSP RAM. Then, those updated key data will be written to EEPROM.
Pre-Operational self-tests: Pre-Operational software/firmware integrity test; Firmware Integrity Test (CRC-32)
Conditional self-tests: Cryptographic Algorithm Self-Tests AES-ECB Encrypt Known Answer Test (256-bit key)* AES-ECB Decrypt Known Answer Test (256-bit key)* AES-CBC Encrypt Known Answer Test (256-bit key)* AES-CBC Decrypt Known Answer Test (256-bit key)* AES-OFB Encrypt Known Answer Test (256-bit key) AES-OFB Decrypt Known Answer Test (256-bit key) HMAC-SHA-1 Known Answer Test *Algorithm only used for self-tests in approved mode. Conditional software/firmware load test; Firmware load test (HMAC-SHA1 w/ 512-bit key) Conditional Critical Functions Test 32-bit CRC check on Electronically Entered keys
The module does not perform periodic self-tests.
| Value | Status | Finite State Model |
|---|---|---|
| $00 | Program Running | Idle |
| $01 | Initial Sequence | Application Initialization, Application Self-Test, Database Load |
| $02 | Firmware Update | Firmware Update |
| $03 | EEPROM Error | Boot EEPROM Error, Application EEPROM Error |
| $04 | Boot Self-Test Error | Boot Self-Test Error |
| $05 | Application Self-Test Error | Application Self-Test Error |
Table 13: Error Indicators Table 14: Error Status
The module’s pre-operational self-tests and conditional CASTs can be performed on demand by power cycling the module.
Install For the cryptographic module installation, refer the radio service manual. Secure Initialization Proper keys must be loaded into the module. Key Loading Instructions Crypto-Officer may load keys into the modules using the key loader devices. The radio hardware communicates with the module through the defined ports. Each key loaded into the module has an associated key ID which is used to associate the key with a given radio channel. Operation of the module The cryptographic module contains non-approved security functions. Only services which utilize approved security functions are indicated as such by the module.
Please refer to the McBSP command guidance.
Please refer to the McBSP command guidance.
The security rules presented below are a combination of those required by FIPS140-3 for Level 1 secure use and the security rules separately implemented by Icom Inc. FIPS 140-3 Security Rules: Only approved algorithms can be used, and the use of RNG, DES is not allowed in the approved mode of operation.
The cryptographic module is composed of production grade components which do not require any maintenance or inspection by the user to ensure security.
When distributing or discarding the cryptographic module to other operators, send the McBSP command "All Key Zeroise" ($ 77) to initialize and sanitize all cryptographic keys (SSPs). (Since the cryptographic module does not perform Operator Authentication, it does not retain authentication data.)
This module does not support other attack mitigation.